Research & Technical XboxHacking (Xbox 360) / DVD-ROM Drive and Media / Re: Trying to track down EDC inside 8164b firmware. Any pointers?
on: June 02, 2007, 03:19:58 PM
Thought I would revive this thread again, hopefully to get the project/firmware completed... OK, as for getting the firmware out of the flasher, I've done that; well, I cheated: if you use the 360 Firmware Toolbox, use the direct drive dump of GDR drives and use the classic method, it works and you get a dump. Looks good, has things like the "HL-DT-STDVD-ROM GDR8164B0L060BLBA 05/06/01" string in there... Presumably you can also flash it this way too! It may even lead to what Kev was doing, a replacement 360 drive? (like it can be an Xbox replacement). I'm sure there was a reason why this was not an option?? So it's a start... and for a review of what needs fixing...
- fix the ability to gain access to the second layer of games (first layer can be accessed fine)
- 'fix' the ability of dumping the SS sectors of Xbox/360 games (did work on previous builds)
Once these two are fixed this drive can be used...
- as a replacement in an Xbox (partially does now, with layer problems)
- in a PC for dumping 360 games (partially does now, with layer problems)
- in a PC for dumping Xbox games (partially does now, with layer problems)
- in a PC to dump Wii games
- in a PC to dump GameCube games
Future, who knows, maybe even a 360 replacement, so it's a worthwhile project! Where do we go from here, is it a lost project? As in, only the people who got the firmware to this stage can help? If it is doable, point me in the right direction... (what software do I need to disassemble the firmware etc.) Cheers, Mick... (maybe then I will start a new thread as it's a new line/project from the original question)

If you want to do it, I advise you it is not so easy. For example, if you want to fake the PFI of a disk with the 8164B it is only a matter of overwriting it in RAM at a certain moment. But what about Xbox/360 disks?? It is very different, as you have to set the start LBA at 60600h and not 30000h, and that is not trivial on the 8164B firm, although possible. As for using the drive to read Xbox/360 partitions and GC/Wii disks, it is already possible using only software without any firm mod. The tools recommended are:
- IDA 5
- groepaz plugin for MN103: http://hitmen.c02.at/html/xbox360_releases.html
- djhuevo IDC scripts
- binutils/gcc and some utils from http://www.ingenieria-inversa.cl/ (you could even write massive patches/own code in C with it)
Research & Technical XboxHacking (Xbox 360) / DVD-ROM Drive and Media / Re: HD-DVD addon Toshiba SD-S802A
on: April 08, 2007, 03:09:58 PM
Hello, very nice work Geremia and arnezami. Here is yet another proggie to dump the firm (I still don't have an HD DVD for myself so it is untested); it uses the SPTI layer, that means it doesn't rely on PLSCSI. http://rapidshare.com/files/24985414/dump.rar.html
Sorry for continuing the thread here, but the doom9 forums say you can't post until 5 days after registration. Here I've found a complete manual about the FR30 MCU: http://www.ffarc.com/pdf/91101a.pdf
I've lots of questions about the H802A firm:
- where is the function 002F0BB8 called?? I've traced lots of code and references and still can't find where it is called. That function is the one that memcpys the checksum function to 0x18000 and executes it through the "sections" of the firm (dunno if it is the same for the Xbox 360 HD DVD drive??)

ROM:002F0BE8
ROM:002F0BE8 loc_2F0BE8:
ROM:002F0BE8                 st      r10, @(r14, 0xFC)
....................................
....................................
ROM:002F0C80                 ldi:8   #0xEC, r6
ROM:002F0C82                 asr     #2, r5
ROM:002F0C84                 ld      @(r14, 0xFC), r0        ; recover r0 from the stack
ROM:002F0C86                 extsb   r6                      ; r6 inside the stack
ROM:002F0C88                 call:D  @r0                     ; call fnc_checksum
ROM:002F0C8A                 add     r14, r6
ROM:002F0C8C                 cmp     #0, r4                  ; compare the sum with zero
ROM:002F0C8E                 beq     loc_2F0C94
ROM:002F0C90                 bra:D   loc_2F0C9E              ; return 0
ROM:002F0C92                 ldi:8   #0, r4

- in that code snippet r6 is passed to fnc_checksum to store the "columns XORs" values, but it seems not to be used, at least for this function; also the r14 pointer is used as local storage for the fnc_checksum ptr. At first I thought that r14 was a "frame pointer", but that makes no sense because the value of r6 is discarded.
- do you know what those vectors at the start of the firm are?

ROM:00200040 off_200040:     .long sub_200060        ; DATA XREF: sub_2FF67C:loc_2FF6A2o
ROM:00200044 off_200044:     .long sub_2137F8        ; DATA XREF: sub_2FF73A+6o
ROM:00200048 off_200048:     .long sub_215456        ; DATA XREF: sub_2FF75A+6o
ROM:0020004C off_20004C:     .long sub_2007BE        ; DATA XREF: sub_2FF77A+6o
ROM:00200050 off_200050:     .long nullsub_4         ; DATA XREF: sub_2FF71A+6o
ROM:00200054 off_200054:     .long sub_21161C        ; DATA XREF: sub_2FF6FA+6o
ROM:00200058 off_200058:     .long sub_2125BA        ; DATA XREF: sub_2FF6DA+6o
ROM:0020005C off_20005C:     .long sub_200070        ; DATA XREF: sub_2FF6BA+6o

Sorry for my crappy English.
Research & Technical XboxHacking (Xbox 360) / DVD-ROM Drive and Media / Re: Trying to track down EDC inside 8164b firmware. Any pointers?
on: February 06, 2007, 03:11:07 PM
There are some scripts for IDA on this same board (from djhuevo) to find the handlers for ATAPI cmds that work with the 8164B. The slow part of the whole process of reading "raw" data is the speed of memdump. If you read with the stream bit set it reads without caring about EDC, and transfers fast (DMA) to the host; you only need to find a way to extract the missing data in a fast way. "Cache prediction" + memdump works OK, but the memdump part uses about 80% of the time with this combination.
Xbox 360 / XboxHacking - General / Re: kingkong exploit???german hacker hacks xbox360 in front of crowd to run home
on: January 03, 2007, 11:08:54 AM
But to all the people that say that it was only a shader thing, can you explain how to do animation like that in shaders?
Nope, I can not. I'm not a pro in shader modelling etc... but what I know is that the latest shader model version used in Xbox 360 and DX10 is quite flexible... so that doesn't impress me at all... You can read more about them, e.g. in wiki: http://en.wikipedia.org/wiki/Shader#Geometry_shaders
Do those shaders let you read/write to any arbitrary address in user memory space?? If so, looks very promising. Quote from http://wiki.free60.org/RandomNotes:

ea001000: bus control
ea001010: UART
ea00102x: GPIO
............
SLOT 1, device 10 @(ea001000) Bus Control (0x0C), Serial Port (0x10), GPIO (0x20..0x40), SMI (0x50..0x80)
580d1414 02000002 00000000 00000000 ea001000 00000000 00000000 00000000 <-- really has no interesting stuff here. final config: same.
00000000 00000000 00000000 00000000 00000000 00000000 00000000 00000100
............
Device 10: serial port, gpio! Also accessible from user space
Research & Technical XboxHacking (Xbox 360) / DVD-ROM Drive and Media / Re: Hitachi Fun
on: December 21, 2006, 10:56:53 PM
This is all about trying to get a Hitachi PC drive to read the SS on 360 discs.
If you want to read an SS with a 63B or 64B I suggest you look at "read DMI" in "read DVD structures"; look for PSN 0x2F280 in the code and change it for the one where the SS is. If I remember correctly you have to XOR it with 0x01000000 to tell the read that you want to read from layer 1 instead of 0 (if it isn't 0x01000000 it is just 0xFF000000). That will read a complete "Recording Frame"; to change the sector within the Recording Frame you want to read, change the 1 (DMI is 0x2F281) to 0xE, which is the SS position within the RF. That parameter is passed before calling the "read RF" function; for example in the 8164 it is @9002C5B4. If you have trouble with that please ask me what you want.
General / General Discussion (non-Xbox) / Re: Questions about Dos flasher for Hitachi 8163 drive
on: December 21, 2006, 07:53:52 PM
Love answering my own questions! I should have remembered sooner about the checksum in the .dld; I figured it out for the Windows flasher when the 8050L to 8163B conversion first started! http://forums.xbox-scene.com/index.php?showtopic=325005&st=630
Anyway, hope this helps someone else: once your patched .dld code is overwritten, you must FIRST generate a Checksum-16 from addresses x40 through x41C27, which will give you 'XXXX'. This needs to be entered into addresses x2 and x3. Then another Checksum-16 needs to be generated from addresses x2 through x41C27, which will give 'XXXX'. This needs to be entered into addresses x0 and x1. Re-save and you are good to go!
Look at my page http://www.ingenieria-inversa.cl/; there is a "firmware hacking toolkit" that includes a proggie named dld-gen.exe that deals with all the DLD stuff for you.
Xbox 360 / XboxHacking - General / Re: linux to repair bricked drive
on: September 18, 2006, 10:59:14 AM
For sure I can say it responds to ATA_PACKET_CMD and ATA_ATAPI_IDENTIFY but in very few circumstances, and I don't really know the mix of correct factors. I think that the best way to achieve this is to make it like I did, writing ourselves to the IO ports, but there are slight differences, for example in how an 8163/64B handles the IO versus a 3120L; an LA log of the communication can clear some questions in low-level stuff, but I don't have access to one.
Xbox 360 / XboxHacking - General / Re: linux to repair bricked drive
on: August 22, 2006, 09:42:52 AM
Sad to know just now your trick to get into "panic mode"; I intentionally corrupted my flash for that some time ago, and after that I fried my drive with a switch. Since then I don't have a 3120L anymore.
This mod is very easy: if a drive is physically present then Linux makes a SCSI entry in /dev/ (sda, sdb or another). But then the kernel does nothing else, no inquiry, nothing. In this way the kernel gives us only a way to send commands to the drive.
OK, but I think that a simple INQUIRY won't work because the "request sense" is still there and the drive doesn't support it. That is why any "normal" ATAPI layer doesn't work with panic mode; please test doing an INQUIRY to see if it works.
I have read in this thread that bricked drives fail in the BIOS; the reason is that the drive is not in 'recovery mode' (because the checksum is set to 0). The BIOS waits only for inquiry; this function works in real recovery mode.
Many cards also don't detect the drive and hang in their normal status, like my VT6421. I think that it is because of the "non normal INQUIRY CMD" in mode A; many SATA cards seem to do an "ATAPI INQUIRY" instead of an "ATA IDENTIFY PACKET DEVICE" like any IDE unit. That is why an 8163/4B gets detected by almost all motherboards when they are in panic mode.
Xbox 360 / XboxHacking - General / Re: linux to repair bricked drive
on: August 21, 2006, 10:50:47 PM
Back to topic: has someone a list of supported commands and needed modifications for the recovery mode available? (commands supported in mode A would also be interesting...)

ATA CMDS supported in panic mode:
- 08h DEVICE RESET (only 8163/4B)
- A1h IDENTIFY PACKET DEVICE
- 90h EXECUTE DEVICE DIAGNOSTIC (only 3120L)

ATAPI CMDS supported in panic mode:
- E7h VENDOR SPECIFIC
  E7 XX XX XX 3B 06 XX XX XX XX LL LL (copy code to the 0x80000000 region); LL LL = payload length; the payload must come with its checksum (sum16 LE) in the last 2 bytes.
  E7 XX XX XX 3B 07 P0 P1 P2 P3 P4 P5 (exec code @ 0x80000000 region); P0...P5 = custom parameters
- 12h INQUIRY
  12 XX XX XX LL LL; length of data expected (up to 96 bytes)

The questions are: does the birdy mod to libata-core work, can it perform an "ATAPI INQUIRY" CMD flawlessly? Does that mod disable the automatic "REQUEST SENSE" after ATAPI CMDs? If the response to those 2 questions is positive, I don't see any problem in repairing/upgrading/downgrading a firm (I've done it successfully on a "panic mode" 8164B).
About putting the drive in panic mode using a simple JUMP to 90001000: it won't work because the MCU state is really unknown when you jump to that location; to figure out how to "softreset" into panic mode, a deep look at 0x40000000 can give us some clues (but seems a very hard task). A way to force the drive to get into panic mode can be putting ground on the higher address line to make the checksum test fail without corrupting the flash, but I really don't know how to do this in an electrically safe way. The other way can be patching the code where it calculates the checksum and checks the tray status to select "panic mode"; reading birdy's documentation on his hack it seems to be 0xD930 bit 1, and that leads me to another question: has anybody figured out the MN103 internal registers?? I only know at the moment:
- 0xD930: port XX input data register, bit 1: tray status
- 0xD990: port YY output data register, bit 8: LED (on 8163/4B)
- 0xDC00-0xDCFF: timer related registers
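An added example, not code from any post here and not the poster's dld-gen.exe tool: it carries out the two-stage .dld Checksum-16 fixup described in the "Dos flasher for Hitachi 8163 drive" reply above (x40..x41C27 into x2/x3, then x2..x41C27 into x0/x1) and appends the trailing 16-bit sum the E7 .. 3B 06 payload is said to need. Assumptions: Checksum-16 is the plain sum of bytes truncated to 16 bits, stored little-endian; address ranges are inclusive; the sample image is constructed, not a real firmware.

```python
import struct

# Constructed sample image of .dld size: 0x41C28 bytes, so its last address is 0x41C27.
# Synthetic byte pattern only, not real firmware content.
DLD_END = 0x41C27
SAMPLE_IMAGE = bytearray(((i * 7) + 3) & 0xFF for i in range(DLD_END + 1))


def checksum16(data: bytes) -> int:
    """Checksum-16 as hex editors compute it: sum of all bytes, truncated to 16 bits.
    Assumption: the 'sum16' of the panic-mode payload trailer is the same quantity."""
    return sum(data) & 0xFFFF


def fix_dld_checksums(image: bytes, end: int = DLD_END) -> bytearray:
    """Two-stage fixup from the post: the inner sum over 0x40..end goes to bytes 0x2-0x3,
    then the outer sum over 0x2..end (which now covers the inner value) goes to 0x0-0x1.
    Order matters: recomputing the outer sum before writing the inner one gives a wrong header.
    Little-endian storage and inclusive ranges are assumptions."""
    img = bytearray(image)
    inner = checksum16(img[0x40:end + 1])
    img[0x2:0x4] = struct.pack("<H", inner)
    outer = checksum16(img[0x2:end + 1])
    img[0x0:0x2] = struct.pack("<H", outer)
    return img


def verify_dld_checksums(image: bytes, end: int = DLD_END) -> bool:
    """Recompute both sums and compare them with the stored header words."""
    stored_outer, stored_inner = struct.unpack("<HH", bytes(image[0:4]))
    return (stored_inner == checksum16(image[0x40:end + 1])
            and stored_outer == checksum16(image[0x2:end + 1]))


def append_sum16_le(payload: bytes) -> bytes:
    """Payload for the E7 .. 3B 06 copy command as the post describes it:
    the data followed by its 16-bit sum, little-endian, in the last two bytes."""
    return payload + struct.pack("<H", checksum16(payload))


def sum16_trailer_ok(blob: bytes) -> bool:
    """Check a payload+trailer blob the way a receiver would before accepting it."""
    return len(blob) >= 2 and struct.unpack("<H", bytes(blob[-2:]))[0] == checksum16(blob[:-2])


if __name__ == "__main__":
    fixed = fix_dld_checksums(SAMPLE_IMAGE)
    print("header words:", fixed[:4].hex(), "valid:", verify_dld_checksums(fixed))
    fixed[0x100] ^= 0xFF  # a stray one-byte patch without refreshing the sums
    print("after stray patch valid:", verify_dld_checksums(fixed))
    blob = append_sum16_le(bytes.fromhex("01 02 03 fe"))
    print("payload+sum16:", blob.hex(), "trailer ok:", sum16_trailer_ok(blob))
```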
Research & Technical XboxHacking (Xbox 360) / DVD-ROM Drive and Media / Re: tell me your "panic mode" experiences on 3120L
on: July 18, 2006, 04:14:31 PM
I had the experience when working on the ide-cd driver that the ide.c (containing the detection routines for attached drives) can be modified in any way you like, e.g. not sending anything back.
I don't have any experience with Linux, but it seems to be highly customizable for that kind of test; any "easy to mod" distro (for somebody that doesn't have experience)?? Yeah, if we can get rid of "REQUEST SENSE" maybe a simple Linux proggie can do the work.
I have done an app in the past that sends custom CDB commands; I can help if you tell me which commands need to be sent.
Sending a simple INQUIRY to a "panic mode" drive can tell you if it works or not: "0x12, 0x00, 0x00, 0x00, 0x24, 0xc0, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00" (that will generate a 36 byte response).
I've done some simple ATA/ATAPI tests with a GDR8163B drive in normal/panic mode; the ATA test does an "ATAPI IDENTIFY" and the ATAPI one does an "INQUIRY". The tests were performed in DOS and Windows with two different PATA controllers. The test programs are here: http://rapidshare.de/files/26220006/test.rar.html

VIA VT82C571 (integrated into the motherboard):
- "normal status" in WinXP: ATA OK, ATAPI OK
- "normal status" in DOS: ATA OK, ATAPI OK
- just after bricking in WinXP: ATA BAD, ATAPI (retrieves only 50% of data)
- "panic mode" in WinXP: ATA BAD, ATAPI OK (ATA test works OK until the ATAPI test is tried)
- "panic mode" in DOS: ATA BAD, ATAPI OK (ATA test works OK until the ATAPI test is tried)

VIA VT6421 PCI card (2 SATA interfaces and 1 PATA):
- "normal status" in WinXP: ATA OK, ATAPI BAD
- "normal status" in DOS: ATA OK, ATAPI OK
- "panic mode" in WinXP: not detected in BIOS
- "panic mode" in DOS: not detected in BIOS
- "panic mode" hotplugging in WinXP: ATA OK, ATAPI OK; the computer freezes for about 3 sec after the tests (1/5 ATA don't work)
- "panic mode" hotplugging in DOS: ATA OK, ATAPI BAD

Seems that we have lots of factors to "talk" with dead drives: the controller, the BIOS, the OS, the ATAPI layer, etc.
Research & Technical XboxHacking (Xbox 360) / DVD-ROM Drive and Media / tell me your "panic mode" experiences on 3120L
on: July 16, 2006, 02:56:22 PM
Some time ago I was working with flashers and stuff on GDR drives. I can successfully bring dead 8163Bs back to life when they are in panic mode with my own ATA/ATAPI layer; the 3120L is really very similar and the procedure seems to be exactly the same.
I can't tell you that the main problem with the ATAPI layer is that they do a "REQUEST SENSE" after any CMD, and because there isn't a handler for "REQUEST SENSE" in panic mode the ATAPI layer fails.
Unfortunately my 3120L has been dead for about 2 weeks; I can't test anymore.
I'd like to know your experiences with the 3120L in "panic mode" (checksum test failed); it seems that SATA BIOSes are somewhat crappy, even with working drives.
Is there any setup that always passes the ATA cmd "ATAPI IDENTIFY" and the ATAPI cmd "INQUIRY" when the drive is in "panic mode"??
Or is there a way to enable a SATA channel when you "hotplug" the drive?
Xbox 360 / XboxHacking - General / Re: Bad media read...Hitachi possible solution...but need some hacking to do !
on: July 16, 2006, 01:03:44 PM
The MN103 used in the 3120L and the other used in the 816X have an internal mask ROM, and those are a kind of ODD base chip; in the masked ROM at 0x40000000 (some references to the 0x40000000 memory space seem to not be readable with "HIT" commands) all the code at that location is ODD-specific functions. I think that HL provides some ODD devkit to OEMs, because the Xbox/360-specific drives for instance change some handlers (originally done by code at 0x40000000) for custom ones to make it Xbox-specific, and the firmwares were not done from scratch; the code is based on PC GDR drives (for instance mode B is simply a "PC drive mode"). If somebody wants to look at the speed thing a nice entry point would be to study the Dangerous Brothers riplock patches for GDR drives (they only change the setting of a flag), but you can start looking from there.
Xbox 360 / XboxHacking - General / Re: Search source code from Firmcrypt
on: July 14, 2006, 03:46:39 PM
The loser's page is at http://www.xorloser.com/ (but firmcrypt is not posted); I've a copy on my page http://www.ingenieria-inversa.cl/ (inside the toolkit). If you want to read the content of the EEPROM you can disable/enable the scrambler with this code:

eeprom_disable_scrambler:
        movbu   (0xD904), D0            ; busy-wait while bit 7 of 0xD904 is set
        and     0x80, D0
        bne     eeprom_disable_scrambler
        nop
        nop
        mov     1, D0                   ; 1 -> 0xDF00: scrambler off
        movbu   D0, (0xDF00)
        nop
        nop
        mov     0, D0
        movbu   D0, (0xDF01)
        nop
        nop
        mov     0x9A, D0                ; same final write in both routines
        movbu   D0, (0xDF28)
        rets

eeprom_enable_scrambler:
        movbu   (0xD904), D0            ; busy-wait while bit 7 of 0xD904 is set
        and     0x80, D0
        bne     eeprom_enable_scrambler
        nop
        nop
        mov     0, D0                   ; 0 -> 0xDF00: scrambler on
        movbu   D0, (0xDF00)
        nop
        nop
        mov     0, D0
        movbu   D0, (0xDF01)
        nop
        nop
        mov     0x9A, D0
        movbu   D0, (0xDF28)
        rets
Xbox 360 / XboxHacking - General / Re: Flash a 47 to a 59, possible?
on: July 09, 2006, 09:16:03 PM
Hear me out.
1) Copy the firmware upgrade code of the firmware to a separate (unused) space in the firmware that's unused on BOTH v47 and v59.
2) Rewrite the v47 code to use the copy of the firmware and not the original (change a jump).
3) Rewrite the v47 flash code copy to stay in a loop and never break out of there while flashing.
4) Flash the correct sectors to the drive.
5) Reboot the drive if needed.
What we have now is a modified v47 firmware that doesn't actually DO anything special... YET - it works just like it did before we did anything except for when flashing.
6) Since the drive will now stay in that loop and only use one sector of the drive we now use the flash code copy (that's in a loop) to flash the v59 firmware to the drive.
7) Reboot the drive if needed.

That doesn't make sense, and surely won't work. The HI-RAM in the 3120L is 256KB and the entire firmware is only 228KB; you can fill the HI-RAM with the whole firm and a very little (and easy to do) code to flash it. IIRC somebody on this board has done it already. The problem is that you have only one chance to write the firm that way, but you can make this a bit safer by writing flasher code that checks the written content and, if something was written wrong, rewrites it until it is OK. But stay away from the flashing stuff if you don't have a Willem near you; it is really easy to brick drives otherwise.