Understanding the HOTDOG files on DVD of California electronics

classic Classic list List threaded Threaded
135 messages Options
1234567
Reply | Threaded
Open this post in threaded view
|

Re: Lyrics (Experiment 2)

woid
How did you make the DVD? Do you have to do something special or will any DVD burner program do it? (I have read somewhere that the files on the dvd has to be located physically in a certain order).

With my updates of dvd2Midi I think it will be easier to figure out where to change bytes (see my previous post).
Reply | Threaded
Open this post in threaded view
|

Re: Lyrics (Experiment 2)

bigboss97
Administrator
It's very easy, but slow process. I use Nero (or any other) and burn a disk image. Nero image is not compressed. So, it's easy to find the right sequence of bytes in the image file. Then I burn it on a RW to try.
Btw, even a sequence of 5 bytes seems to be able to reappear very often. So, when you try to locate a song in the image search for the 4 bytes clear text and subsequent 2 bytes. It seems to be a good way.

woid wrote
How did you make the DVD? Do you have to do something special or will any DVD burner program do it? (I have read somewhere that the files on the dvd has to be located physically in a certain order).
Reply | Threaded
Open this post in threaded view
|

Re: Lyrics (Experiment 3)

bigboss97
Administrator
In reply to this post by bigboss97
I used following 4 songs:
 More Than A Woman (very bad, because it already contains incorrect characters originally)
 Sweat (5 bytes)
 Yesterday (3 bytes)
 Diana (3 bytes)
(values increased by 1)

Not all patches showed effect, that's the reason I patch several bytes. On the other hand, I can't figure out which byte does the effect  :-)  But what I found:
some 'A' were patched to ' '
some 'E' were patched to 'D'

looks like we are dealing with reverse alphabet.
More experiment will follow...

Reply | Threaded
Open this post in threaded view
|

Re: Lyrics (Experiment 3)

woid
The lower case letters seem to be in alpabetical order:
33 (0x21) => 'a' , 34 => 'b' ... 'z'

But once again, the mapping is NOT one-to-one. Something more is needed.
E.g. Most of the the time 45 maps to 't', but somtimes 45 maps to 'u'.
   
Reply | Threaded
Open this post in threaded view
|

Re: DVD2MIDI (fixed !!!)

woid
In reply to this post by woid
Here is a new version of dvd2Midi. I realised that the 0/0a byte affects the mapping so this version use different mapping tables depending on the 0/0a byte. Still far from perfect...

Dvd2Midi.zip
Reply | Threaded
Open this post in threaded view
|

Re: Lyrics (Experiment 2)

woid
In reply to this post by bigboss97
I have looked closer to your changes to "SWEAT".
This is my explaination:

B5 => B6: This is the last byte of the XOR-mask. This byte will be used on timecodes so probably no visual effect. The "header part" of the lyrics (song title etc) always have timecode 0000 and maybe carries a different meaning. Maybe this caused the newline in the title?

81 => 82: This is the forth byte in the first block-of-4-bytes. forth byte usually carries timecode so probably no effect in the "header part".

09 => 0A: This is probably the interessting change. It is the first byte in the 6th block-of-4-bytes. My theory is that the first byte in the block-of-4-bytes is the byte that carries the character information. This change probably caused the change from ' ' to '#'. This would mean that the song title is stored first in the "header part", one letter in each block-of-4-bytes and the first byte in each block-of-4-bytes is the character information.
Reply | Threaded
Open this post in threaded view
|

Re: Lyrics (Experiment 2)

bigboss97
Administrator
I didn't mention the details about SW in exp3 because I couldn't conclude anything. I did this:
E1 8B<B6>53 DD 40 7E EF 7C<26>81<67>6D 9B 62 AF B9 58 98 28 2B 0A 00<0A>00
It became following in the title:
SWDAT#(A LA LA LA L LONG)
E ==> D as I mentioned
'A' and line break disappeared. So, I have to explain around 0x81 must be the line break. But where does the D come from? Since I'm not sure whether I missed the D in exp1 I didn't want to do too much analysis on that.
If it's true that the 'D' wasn't in exp1 then 26 81 67 must be a mask (or key) in order to affect two places by a single change.

woid wrote
I have looked closer to your changes to "SWEAT".
This is my explaination:

B5 => B6: This is the last byte of the XOR-mask. This byte will be used on timecodes so
...
81 => 82: This is the forth byte in the first block-of-4-bytes. forth byte usually carries
...
Reply | Threaded
Open this post in threaded view
|

Re: Lyrics (Experiment 4)

bigboss97
Administrator
In reply to this post by bigboss97
A new candidate: More Than I Can Say
In this experiment, the visual changes only occured in YE.

1) There's one thing in common in the first 2 songs, all changes are on the last byte of a block (based on the re-occuring of the same sequence).
2) In YE, the changes were +1, +2, +3, +1...
    Results: S==> P in BEATLES (title) I might missed this in exp3. I think I need to record the video :-)
    The first E in the first word became F which was D in exp3. I can only tell that one of the +1 in exp3 cause E->D, and +2 OR +3 causes E->F.

P.S. Since all these are made manually human error is likely which could make our results not making sense  :-(

SW e83a550 714624
 00 00 B7 60 00 00 24 6C 00 53 00 57 23 DD 40 7E
 88 7C 25 81 13 6D 9B 62 DE B9 58 98 4D 2B 0A 00
 24 0A A5 4E A2 67 CA 94 6B 39 22 5F AC 8D 51 04
 33 70 6B 49 40 15 FB 5A 1A 39 01 AE FB B5 17 5F
 34 3F FD 8B 0D E1 8B B5 53 DD 40 7E EF 7C 25 81
 66 6D 9B 62 AF B9 58 98 28 2B 0A 00 09 00 A5 4E
 CA 67 CA 94 6A 39 22 5F BC 8D 51 04 4F 70 6B 49
 41 15 FB 5A 0B 39 01 AE 85 B5 17 5F 78 35 FD[8B]
 6D E1 8B B5 4C DD[40]7E F9 7C 25[81]03 6D 9B 62
 A2 B9 58 98 3D 2B 0A 00 09 00 A5 4E AE 67 CA 94
 64 39 22 5F D2 8D 51 04 44 70 6B 49 29 15 FB 5A
 26 33 01 AE 89 B5 17 5F 34 3F FD[8B]0D E1 8B B5
 40 DD[40]7E B5 76 25[81]6A 6D 04 63 C9 B9 C7 99
6 bytes

MO ec2f490
 00 00 5E 60 00 00 0C 4C 00 4D 00 4F AC 1F 31 75
 E7 45 15 10 09 57 9B 62 DE B9 58 98 4D 2B 0A 00
 24 0A A5 4E A2 67 CA 94 6B 39 22 5F AC 8D 51 04
 33 70 6B 49 40 15 FB 5A BE 1F 31 75 E5 45 15 10
 34 5D 9B 62 AE B9 58 98 31 2B 0A 00 66 00 A5 4E
 B0 67 CA 94 6E 39 22 5F BC 8D[51]04 57 70[6B]49
 48 15 FB[5A]CE 1F 31 75 99 45 15 10 19 57 9B 62
 A7 B9 58 98 5C 2B 0A 00 6A 00 A5 4E A3 67 CA 94
 65 39 22 5F BC 8D[51]04 50 70[6B]49 41 15 FB[5A]
6 bytes

YE efee290 714922
 00 00 35 80 00 00 0A 8C 00 59 00 45 4A D9 3A 3B
 BE B1 2C A2 AA D6 7E 8A AB 01 00 DD 9F 6C C1 3A
 D4 E3 4C 6D 19 92 7C 2B 1C 4B A0 80 B8 1F 3F 80
 45 15 32 86 1E 22 9B 62 58 D9 3A 3B BC B1 2C A2
 97 DC 7E 8A DB 01 00 DD F7 6C C1 3A 9C E9 4C 6D
 0A 92 7C 2B 08 4B A0 80 CD 1F 3F 80 27 15 32 86
 1A 22 9B 62 28 D9 3A 3B D7 B1 2C A2 97 DC 7E 8A
 DB 01 00 DD A3 66 C1 3A 99 E9 4C 6D 19 92 7C 2B
 1E 4B A0 80 CD 1F 3F 80 34 15 32 86 0A 22 9B 62
 25 D9 3A 3B CB B1 2C A2[C9]D6 7E 8A 96 0B 00[DD]
 F7 6C 5C 38[BC]E9 EE 6F 2A 92 DB 29 28 4B 0C 82
 ED 1F 8F 82 07 15 87 84 3A 22 24 60 08 D9 FE 39
 F7 B1 E4 A0 97 DC 7E 8A FA 01 58 DE C2 6C 9C 39
 B5 E9 2E 6E 79 92 1E 28 31 4B CB 83 F1 1F 4F 83
 55[15]42 85 2A 22[E5]61 1B D9 B9[38]E1 B1 A4 A1
6 bytes
Reply | Threaded
Open this post in threaded view
|

Re: Lyrics (Experiment 4)

bigboss97
Administrator
Just double checked exp3, it was:
C9<D6>7E 8A 96 0B 00<DD>F7 6C 5C 38<BC>E9 EE 6F

D6 was changed instead of C9. So, S->P must be caused by C9.
bigboss97 wrote
2) In YE, the changes were +1, +2, +3, +1...
    Results: S==> P in BEATLES (title) I might missed this in exp3.
Reply | Threaded
Open this post in threaded view
|

Re: Lyrics (Experiment 4)

bigboss97
Administrator
Based on C9 causing S->P and the assumption BC causing E->F,
These are the results according to the values of Exp3 and Exp4:


The xor-masks 0x9a and 0xf9 were found.
Of course, DD could be causing E->F as well (which doesn't support my theory)  :-)
Have to wait and see whether the next expirement will break all these.


bigboss97 wrote
Just double checked exp3, it was:
C9<D6>7E 8A 96 0B 00<DD>F7 6C 5C 38<BC>E9 EE 6F

D6 was changed instead of C9. So, S->P must be caused by C9.
Reply | Threaded
Open this post in threaded view
|

Re: Facts & Summary: Layout of HOTDOG00.DAT

bigboss97
Administrator
In reply to this post by bigboss97
Reply | Threaded
Open this post in threaded view
|

Re: Lyrics (Experiment 2)

woid
This post was updated on .
In reply to this post by bigboss97
This is my explaination:

xx E1 8B<B6>   53 DD 40 7E   EF 7C<26>81  <67>6D 9B 62   AF B9 58 98   28 2B 0A 00   <0A>00

xx E1 8B<B6>: B6 is the last byte of the 60-byte XOR mask. Probably no visual effect on the title. Maybe effects the timing of the lyrics.

53 DD 40 7E: First charater of title. No changes.  

EF 7C<26>81: Second character of title. 26 is the 3rd byte. 3rd byte have probably no effect in the title.

<67>6D 9B 62: Third character of title: 67 is the first byte. This bytes is the character encoding. This probably caused 'E' => 'D'.

AF B9 58 98: 4th character of title. No changes.

28 2B 0A 00: 5th character of title. No changes.

<0A>00 yy yy: 6th character of title. 0A is the first byte, character encoding. This probably caused ' ' => '#'
Reply | Threaded
Open this post in threaded view
|

Re: Lyrics (Experiment 2)

woid
Lets look more careful at the change of "66 6D 9B 62" => "<67>6D 9B 62"

"66 6D 9B 62" is the 8th-11th byte of the title.

8th-11th byte of the XOR mask is:
"13 6D 9B 62"

Original:
"66 6D 9B 62" XOR "13 6D 9B 62" = "75 00 00 00"  

Changed:
"<67>6D 9B 62" XOR "13 6D 9B 62" = "74 00 00 00"

Conclusion:
Adding 1 to the encoding information (66=>67) resulted in this case in -1 after the XOR mask have been applied. The character encoding (after XOR mask have been applied) 74='D' and 75='E' seems reasonable.

Reply | Threaded
Open this post in threaded view
|

Re: Lyrics (Experiment 4)

woid
In reply to this post by bigboss97
Success!!!
I have broken the code! I can now decipher the lyrics of all songs to ASCII. I will soon publish the updated dvd2midi program.

There is a second XOR mask involed which also needs to be applied. The second XOR mask seems to be the same for all songs. The second XOR map is only applied to every 4th byte (the byte which carries the character encoding, 1st byte in each block of 4 bytes).
The value of the second XOR mask is:
23 30 30 30 31 0d 40 40 30 30 40 31 32 0d 40

This is how I found it out:

          S  W  E  A  T  _  (  A  _  L  A  _  L  A  _| L  A  _  L  A  _  L  O  N  G  )
Ascii:   53 57 45 41 54 20 28 41 20 4c 41 20 4c 41 20|4c 41 20 4c 41 20 4c 4f 4e 47 29
Org:     53 ef 66 af 28 09 ca 6a bc 4f 41 0b 85 78 6d|4c f9 03 a2 3d 09 ae 64 d2 44 29
A XOR O: 00 B8 23 EE 7c 29 E2 2b 9c 03 00 2b c9 39 4d|00 B8 23 EE 7c 29 E2 2b 9c 03 00
Mask:    23 88 13 de 4d 24 a2 6b ac 33 40 1a fb 34 0d|23 88 13 de 4d 24 a2 6b ac 33 40
0 XOR M: 70 67 75 71 65 2d 68 01 10 7c 01 11 7e 4c 60|6f 71 10 7c 70 2d 0c 0f 7e 77 69
A X OXM: 23 30 30 30 31 0d 40 40 30 30 40 31 32 0d 40|23 30 30 30 31 0d 40 40 30 30 40

Notice that "A X OXM" (Ascii XOR Org XOR Mask) repeats after 15 bytes. Thís is the second mask. (With a fixed size font everything lines up...)

Outstanding:
+ Find the length of the masks. Different songs use different lengths. I have found a quick-n-dirty way to find out the length by searching for patterns (as discribed previously) but it would be nice to figure out the "real" way. If we want to add new songs to the DVD we must find out this.

+ It would be nice to find the second mask somewhere on the disc. It would also be nice to be able to verify that the second mask only needs to be applied to the character byte (i.e. no extra XOR is needed for the 00/0a-byte and the 2 timecode bytes, 2nd-4th byte in block-of-4-bytes).
Reply | Threaded
Open this post in threaded view
|

Re: DVD2MIDI (fixed !!!)

woid
In reply to this post by woid
Here is the new version of dvd2Midi that will convert the lyrics to readable ASCII!!!

Dvd2Midi.zip
Reply | Threaded
Open this post in threaded view
|

Re: Lyrics (Experiment 4)

bigboss97
Administrator
In reply to this post by woid
Well done!
Based on exp2(2), the 2 letters (clear text) must have something to do with the coding (mask). This might determine the length of the mask.

We shouldn't worry about the 2nd mask at this point if it's fixed.
I'm going to have a closer look to the timecode.

woid wrote
Success!!!
I have broken the code! I can now decipher the lyrics of all songs to ASCII. I will soon publish the updated dvd2midi program.

Outstanding:
+ Find the length of the masks. Different songs use different lengths. I have found a quick-n-dirty way to find out the length by searching for patterns (as discribed previously) but it would be nice to figure out the "real" way. If we want to add new songs to the DVD we must find out this.

+ It would be nice to find the second mask somewhere on the disc. It would also be nice to be able to verify that the second mask only needs to be applied to the character byte (i.e. no extra XOR is needed for the 00/0a-byte and the 2 timecode bytes, 2nd-4th byte in block-of-4-bytes).
Reply | Threaded
Open this post in threaded view
|

Re: Lyrics (Mask Length)

bigboss97
Administrator
Since they are the first two letters of the song title they will re-appear at the spot where the song title is stored and that's also the end of the mask, right?
But then we need the right mask to match those 4 bytes.

bigboss97 wrote
Based on exp2(2), the 2 letters (clear text) must have something to do with the coding (mask). This might determine the length of the mask.
Reply | Threaded
Open this post in threaded view
|

Re: Lyrics (Mask Length)

woid
I have already figured out a work around to find out the length. What I am looking for is the real way to determine the length so that we can add new songs to the dvd.

This is the work around:

Eg: the decoded beginning of SWEAT looks like this:

<song length><midi offset> 00 S 00 W < ... mask ...> S 00 00 00 W 00 00 00

Since X xor 0 = X, the 2nd - 4th bytes of the mask will reoccur as the first 2nd-4th bytes of the beginning of the title. E.g if the beginning of the mask looks like "11 22 33 44" the "?? 22 33 44" will reoccur and that is the work around.

This work around have already been implemented in the latest posted version of Dvd2Midi.
Reply | Threaded
Open this post in threaded view
|

Re: Lyrics (Mask Length)

bigboss97
Administrator
What I want to say is...
Maybe there's no length. The mask is terminated by the start of the first 2 characters, i.e. for our own DVD, if we want we can move the start of the song title to the front until one byte left for the mask.
Reply | Threaded
Open this post in threaded view
|

Re: Lyrics (Mask Length)

woid
I doubt this is the case but it is easy to verify with a new experiment...
I would rather think that the length is stored somewhere or can be calculated somehow (from the first 2 letters of the title? or from the 2 length in the beginning? Start adress or somthing like that...)

Have you tired if the player accepts DVD-RWs or DVD+RWs? Time to make my first experiment soon...
1234567