XboxHacker BBS
 
  Show Posts
241  Research & Technical XboxHacking (Xbox 360) / DVD-ROM Drive and Media / Re: Firmware Bank Switching on TS-H943A on: April 08, 2006, 03:46:35 AM
Thanks for the responses. I will figure it out some other time. Xbox is going on the back burner. I had a tornado hit my area today. There is a good amount of damage to my place. I will be without power for a while. A friend is dead =(. I am out. Peace
242  Research & Technical XboxHacking (Xbox 360) / DVD-ROM Drive and Media / Re: Firmware Bank Switching on TS-H943A on: April 07, 2006, 07:59:43 AM
Wait, I don't understand. If they only have 16 bits for the address to jump, it isn't enough to address the whole thing. I think I misunderstood when first reading the post.

Could someone explain bank switching to me? Thanks.
243  Research & Technical XboxHacking (Xbox 360) / DVD-ROM Drive and Media / Re: The Challenge Response Protocol on: April 07, 2006, 07:36:22 AM
Here's a video of someone playing a burnt copy of Project Gotham 3 http://www.youtube.com/watch?v=XyZQ4k7Bi-8 Don't know if this is the right thread.

HAHAHAHAHAHAHAHA. You are telling many of the people in the thread who developed the hack about the hack video. The original video link was actually posted in another section of this forum. This is all quite humorous to me.
244  Research & Technical XboxHacking (Xbox 360) / DVD-ROM Drive and Media / Firmware Bank Switching on TS-H943A on: April 07, 2006, 05:47:44 AM
So I am playing with the firmware. I split it up into 4x64kb banks for disasm and simulation.

I was just curious how the firmware switches banks?

I guess it's set by a bit in some SFR on one of the ports. I read that P0 and P2 are used for RAM and flash (don't know which is which). So is it like changing a bit in the SFR for the specific port? Thanks for the replies. I am new to this and don't really know how stuff works, just learning it.

I normally don't like starting new threads because I don't feel what I am asking/posting is worthy of its own thread, but I was directed to start a new thread so here I am.

I found it interesting that about 33.3% of the firmware is blank (00, nop) sections at the end of each bank.
The 4 banks contain the same code from 0000-1FFF. That's about 12.5% that is repeated.
The rest of the code takes up about 54.2%. To me it just seems like it's inefficient.

Edit: I found a relevant post in the "big thread". It's hard to navigate sometimes =/
http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=76.msg1808#msg1808
245  Research & Technical XboxHacking (Xbox 360) / DVD-ROM Drive and Media / How does it change firmware banks? on: April 07, 2006, 03:23:25 AM
So I separated my firmware into its 4x64kb banks. I am now working on identifying relevant parts of the firmware.

I was wondering if someone could inform me how the firmware switches banks?

I am sure links to various 8052 resources have been posted but I just read
http://www.8052.com/tut8051.phtml
It is pretty interesting. The whole site is very informative.

I also found it interesting that about 33.3% of the firmware is blank (00, nop) sections at the end of each bank.
The 4 banks contain the same code from 0000-1FFF. That's about 12.5% that is repeated.
The rest of the code takes up about 54.2%. To me it just seems like it's inefficient.
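The layout figures in the two firmware posts above (a region shared by every bank, zero fill at the end of each bank, and the remainder) can be measured directly from a dump. This is an added example, not code from the forum: the function names are hypothetical and the sample image is constructed to mimic the described layout, since no firmware bytes appear on the page.

```python
BANK_SIZE = 0x10000  # 64 KB, the bank size used in the posts


def split_banks(image, bank_size=BANK_SIZE):
    """Cut a flat firmware image into equal banks."""
    if not image or len(image) % bank_size:
        raise ValueError("image is not a whole number of banks")
    return [image[o:o + bank_size] for o in range(0, len(image), bank_size)]


def common_prefix_len(banks):
    """Length of the leading region that is byte-identical in every bank."""
    limit = min(len(b) for b in banks)
    for i in range(limit):
        if any(b[i] != banks[0][i] for b in banks[1:]):
            return i
    return limit


def trailing_fill_len(bank, fill=0x00):
    """Number of fill bytes (00 decodes as NOP on an 8051) ending a bank."""
    return len(bank) - len(bank.rstrip(bytes([fill])))


def layout_report(image, bank_size=BANK_SIZE):
    banks = split_banks(image, bank_size)
    shared = common_prefix_len(banks)
    # Clamp so a byte is never counted as both shared and blank.
    blank = [min(trailing_fill_len(b), bank_size - shared) for b in banks]
    total = len(image)
    shared_pct = 100.0 * shared * len(banks) / total
    blank_pct = 100.0 * sum(blank) / total
    return {
        "banks": len(banks),
        "shared_end": shared,            # first offset where banks diverge
        "blank_per_bank": blank,
        "shared_pct": round(shared_pct, 1),
        "blank_pct": round(blank_pct, 1),
        "unique_pct": round(100.0 - shared_pct - blank_pct, 1),
    }


def constructed_image():
    """Constructed sample: 4 banks, common code at 0000-1FFF, zero tail."""
    common = bytes((i * 7) % 251 + 1 for i in range(0x2000))
    banks = []
    for b in range(4):
        body_len = BANK_SIZE - 0x2000 - 0x5555
        unique = bytes((i + b * 13) % 200 + 1 for i in range(body_len))
        banks.append(common + unique + bytes(0x5555))
    return b"".join(banks)


if __name__ == "__main__":
    print(layout_report(constructed_image()))
```
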
246  Research & Technical XboxHacking (Xbox 360) / DVD-ROM Drive and Media / Re: Dumping Security Sector with H-943A on: April 06, 2006, 05:44:17 PM
Has anyone tried playing with Emulator 8051? The program is a demo but the company's website is gone so I couldn't register it. It is registerable by other means. I personally consider it abandoned.

I converted my firmware to hex format so I could load it in the program.

I have been stepping through the execution. Seems pretty interesting.
247  Research & Technical XboxHacking (Xbox 360) / Hard Disk / Re: experiments with HDD logicboards on: April 04, 2006, 10:34:04 PM
It seems an attempt to upgrade the harddrive to anything larger will fail. loser informed us in another thread that at 0x2058 it contains the sector count. This is part of the hashed area for the 256bit key. So even if we clone the needed items to a disk it still wouldn't increase the available capacity.
248  Research & Technical XboxHacking (Xbox 360) / Hard Disk / Re: experiments with HDD logicboards on: April 04, 2006, 06:59:37 PM


Sorry about the image but the text wasn't selectable from the manual so I took a screenshot. It is from the Salvation Seagate HDD Repairer manual. They have specialized utilities for other drive manufacturers as well but I don't know if this model/serial change stuff is possible with them.

That program connects to the drive using the same terminal interface. We now know it's possible to change the information we want with this Seagate terminal, but just not the commands to do it.

I have a demo of the Salvation Seagate HDD Repairer but it says it will only run in Windows 98 in safe mode with command prompt. I think I am going to take an old cheap PC and just build it as a terminal for the program to run, then connect it to my KVM.

I hope the demo will do the Serial/Model stuff. I haven't run it yet so I don't know its restrictions.

Edit:
I just had an idea. Set up a PC as a monitor between the computer running HDD Repairer and the serial cable connected to the harddrive. I have some old PC with dual serial ports. Perhaps it is possible to monitor all commands sent so as to make it possible to run the same commands from HyperTerminal or other such program within Windows.

I also found a simple RS232 monitor on the site below

http://www.riccibitti.com/quickdesigns.htm
249  Research & Technical XboxHacking (Xbox 360) / Hard Disk / Re: experiments with HDD logicboards on: April 04, 2006, 05:28:54 AM
muuh: the only difference is I power the chip from the 5 volts of my power supply rather than its more complicated circuit.

I was playing, throwing some commands at the terminal. Some of the output is interesting. I am manually babblefishing each part of the command manual to keep the table structure and make sure stuff is correctly spaced to make good translations.
Quote
CurrentCHS=3fff/10/3f  MltSiz=10  DMAMod=42
MLITE - 1_Disk    3.01  03-15-05 20:19
Built for MLITE,PITKIN,Redback,TI1922 PreAmp,STA053 PreAmp,InternalSpin,SVC133,OneToOne,2Disk,LowDelta,148 Servos,5400RPM,NonModGray,2x,100MHz,Code DRAM,Ramp Load,Stall Converter,RwFeat=0004,HeadPol=0001,SeaDex,VBAR,MDW
Jumper:00
Free Q:LBA      Len  Tag Flags FUA
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
00000000 0000 00 00 0000
New Q:LBA      Len  Tag Flags FUA
RO Q:LBA      Len  Tag Flags FUA
FUA Q:LBA      Len  Tag Flags FUA
InUse:00 InProgress:00 TagsInProgress:00000000 LowOverhead:00
FUA 00000000 00
ReadLogExtData: 80 00 50 00 00 00 00 00 00 00 00 00 00 00
(( VALID Cert Disk Code Detected - Revision # .019

AT Stuff
0000: 0c5a  3fff  c837  0010   0000  0000  003f  0000 
0008: 0000  0000  2020  2020   2020  2020  2020  2020 
0010: 3550  5730  3437  594e   0000  1000  0004  332e 
0018: 3031  2020  2020  5354   3932  3032  3137  4153 
0020: 2020  2020  2020  2020   2020  2020  2020  2020 
0028: 2020  2020  2020  2020   2020  2020  2020  8010 
0030: 0000  2f00  4000  0200   0200  0007  3fff  0010 
0038: 003f  0000  0000  0010   2980  0254  0000  0007 
0040: 0003  0078  0078  00f0   0078  0000  0000  0000 
0048: 0000  0000  0000  0000   0502  0000  0040  0040 
0050: 00fe  0000  346b  7d01   6003  0061  3c00  4003 
0058: 003f  0000  0f0f  fefe   fffe  0000  fe00  0000 
0060: 0000  0000  0000  0000   2980  0254  0000  0000 
0068: 0000  0000  0000  0104   0000  0000  0000  0000 
0070: 0000  0000  0000  0000   0000  0040  0f41  0000 
0078: 0000  0000  0040  0000   0440  0400  0280  0180 
0080: 0001  2980  0254  2980   0254  2020  0002  c2b6 
0088: 0002  0000  01ff  3cff   ffff  07c6  0100  0000 
0090: 090b  0500  0002  0080   0000  0000  00a0  0000 
0098: 0000  0000  0000  0000   0000  0000  0d00  000b 
00a0: 000f  0022  0003  0000   0032  0014  0033  0024 
00a8: 000f  001e  0032  0000   0013  0022  0032  0014 
00b0: 0032  0000  003a  0000   0022  002d  0032  0000 
00b8: 0032  0000  0022  0000   001a  0000  0012  0000 
00c0: 0010  0000  003e  0000   0000  0000  0032  0000 
00c8: 0000  0000  0000  0000   0000  0000  0000  0000 
00d0: 0000  0000  0000  0000   0000  0000  0000  0000 
00d8: 0000  0000  0000  0000   0001  0002  ffff  ffff 
00e0: 0000  0000  0000  03fc   2134  0015  0025  0000 
00e8: 0000  0000  0000  0000   0000  0000  0000  0096 
00f0: 0001  0000  0000  0000   0001  0000  0000  0000 
00f8: 0000  0000  0000  0690   0000  0000  0000  0000 

Configured-1
Part #: 100374044       
Interface task reset
1024k x 16 buffer detected
MLITE - 1_Disk    3.00  03-
Buzz  - 15-05 20:16
Head Mask FFFF - Switch to full int.
              Spin Ready
3.01  03-15-05 20:19
(P)SATA Reset
(H)SATA Reset

Buzz  - Head Mask FFFF - Switch to full int.
              Spin Ready

It looks like I'll be up all night

Addition:
I was looking at some of the hex it output and noticed 3 interesting things: my serial, firmware revision, and model number contained within what the terminal output.
5PW047YN
3.01
ST920217AS
I am still trying to figure out these commands. I hope I don't mess up the drive. I am trying to stay away from write commands and keep it on the reading side. I have a full image backup of the drive just in case I corrupt something on that part of the drive.

I am going to shop around for a good price on a Seagate ST910021AS 2.5" 100GB 7200RPM 8MB Buffer SATA, then see if I can figure out how to fiddle with Model, Serial, Firmware stuff.

Doing CTRL-T within the ST Mem Win when connected to the harddrive will give you a prompt T>
Haven't found what the terminal prompt is for exactly, but it's all very interesting to me, but I feel like I am poking a dinosaur with a stick and expecting it to have a conversation with me.

Wow, I am blazed out of my skull, too many cannabinoids in my system. It's a great feeling. I think I will go actually sleep a bit.
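The three strings noted in the post above can be pulled out of the "AT Stuff" block mechanically. This is an added example, not code from the thread: it assumes the block follows the standard ATA IDENTIFY DEVICE word layout (serial in words 10-19, firmware revision in 23-26, model in 27-46, LBA28 sector count in 60-61), and the dump lines are the first eight rows of the quoted output.

```python
import re

# First eight rows of the "AT Stuff" block from the quoted terminal output.
DUMP = """\
0000: 0c5a  3fff  c837  0010   0000  0000  003f  0000
0008: 0000  0000  2020  2020   2020  2020  2020  2020
0010: 3550  5730  3437  594e   0000  1000  0004  332e
0018: 3031  2020  2020  5354   3932  3032  3137  4153
0020: 2020  2020  2020  2020   2020  2020  2020  2020
0028: 2020  2020  2020  2020   2020  2020  2020  8010
0030: 0000  2f00  4000  0200   0200  0007  3fff  0010
0038: 003f  0000  0000  0010   2980  0254  0000  0007
"""

# "<word offset>: w0 w1 ... w7", all hexadecimal, 16-bit words.
ROW = re.compile(r"^([0-9a-fA-F]{4}):((?:\s+[0-9a-fA-F]{4}){8})\s*$")


def parse_words(text):
    """Return {word_index: value} for every well-formed dump row."""
    words = {}
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # skip prompts, banners and partial rows
        base = int(m.group(1), 16)
        for i, w in enumerate(m.group(2).split()):
            words[base + i] = int(w, 16)
    return words


def ata_string(words, first, last):
    """ATA strings pack two ASCII characters per word, high byte first."""
    raw = b"".join(words[i].to_bytes(2, "big") for i in range(first, last + 1))
    return raw.decode("ascii", errors="replace").strip()


def decode_identify(words):
    return {
        "serial": ata_string(words, 10, 19),
        "firmware": ata_string(words, 23, 26),
        "model": ata_string(words, 27, 46),
        "chs": (words[1], words[3], words[6]),
        # Words 60-61: total user-addressable sectors, low word first.
        "lba28_sectors": words[60] | (words[61] << 16),
    }


if __name__ == "__main__":
    for key, value in decode_identify(parse_words(DUMP)).items():
        print(f"{key}: {value}")
```

The decoded CHS values match the `CurrentCHS=3fff/10/3f` line at the top of the same output, which supports the layout assumption.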
250  Research & Technical XboxHacking (Xbox 360) / Hard Disk / Re: experiments with HDD logicboards on: April 04, 2006, 02:42:26 AM
Well, I couldn't sleep, so I decided to use one of the previously built RS232 circuits I had made for various applications (cable modem terminal, smart card emulator, dumping my DVD player firmware) and put something together that was an even simpler circuit than the ones I posted about. It was great, no soldering =)

Here is the output when I turn on the 360 while the hard drive is connected. I will attempt more in the morning. I am getting tired.
Quote
Interface task reset
1024k x 16 buffer detected
MLITE - 1_Disk    3.00  03-
Buzz  - 15-05 20:16
Head Mask FFFF - Switch to full int.
              Spin Ready
3.01  03-15-05 20:19
(P)SATA Reset

Any fellow Russian hackers out there? I need some help translating a help document from the linked archive below. Thanks for any assistance.

http://files.hddguru.com/index.php?action=downloadfile&filename=st_mem_win_free.zip&directory=_soft/Seagate&
251  Research & Technical XboxHacking (Xbox 360) / Hard Disk / Re: experiments with HDD logicboards on: April 04, 2006, 01:27:27 AM
muuh: I don't mean to be an idiot here but I am still confused. If you could just lay it out in simple terms. Am I going to use one of these chips how? I am sure I can build anything needed but I don't understand how a 25C05 + AVR + program code = dump of the chip.
252  Research & Technical XboxHacking (Xbox 360) / Hard Disk / Re: experiments with HDD logicboards on: April 04, 2006, 01:05:29 AM
OK, I am going to bed tonight, but in the morning I am going to build one of these Seagate terminal adapters.
I found a couple of different schematics.

and


I found a program called STMem Win which can interface with the drive (HyperTerminal would work fine as well).
This STMem Win has a document that lists the commands and their function. The problem is it's all in Russian. I am using babblefish to translate as much as I can.

It should be something exciting to play with, and after reading the HDDguru forums there seem to be several other drives that have terminal interfaces and similar cables work for them.

Edit: I forgot to mention that the RX TX lines that you connect the device to are the 2 pins in the jumper settings that I posted about before.

Salvation DATA has a commercial product that sells for 600 that uses one of these cables and it boasts a big list of capabilities. I got a demo of the software.
http://www.salvationdata.com/view/product_detail.asp?pn=00011

I am hoping that most of the Seagate commands with the STMem are useful. It is also probably possible to extract some commands from the demo program.
253  Research & Technical XboxHacking (Xbox 360) / Hard Disk / Re: experiments with HDD logicboards on: April 04, 2006, 12:02:58 AM
uberfry: I am confused on the application. What hardware am I going to use in conjunction with this code?

Yes, DOS, Windows, Linux. Any would be fine but DOS would be great. It's been years since I have even touched Pascal =)
254  Research & Technical XboxHacking (Xbox 360) / Hard Disk / Re: experiments with HDD logicboards on: April 03, 2006, 11:00:04 PM
I had another Seagate 300GB PATA drive I took a look at today. It also has a 25P05VP 512Kbit serial flash similar to the one on my 360 drive.

They both also have an ST chip that is labeled SMOOTH. I think it is this http://www.st.com/stonline/prodpres/dedicate/datastor/powcomb/powcomb.htm looking at the datasheet. I think it is the chip even though it isn't labeled with that part number.

I have been trying to look up the ST controller used in my Seagate drive without luck. I found this page on ST's website
http://www.st.com/stonline/prodpres/dedicate/datastor/hdctrl/nova.htm

It's a harddisk controller that seems similar. One of its features is "512KB external ROM or Flash". I don't know if they mean kilobit or kilobyte.


This is like the back of my 360 drive. I would like to start using jumpers and see if I can explore any factory modes. Anyone know what tools I might use to experiment with these modes?

I traced where they go to
1 2 3 4
Pin 1 = goes to the smooth chip. Pin #29 from datasheet: CalCoarse Description: I5 VCM BEMF coarse calibration
Pin 2 = ground
Pin 3 & 4 = to the blank IC slot on the top of the board

Here are some images I made from the boardscan I previously posted.



There is a similar blank IC spot on my 300GB. It has jumper settings as well. Here is an image


Its pins 3 & 4 trace to the exact same spots on that empty IC spot as the pins 3 & 4 do on my 360 drives.

I don't know if this information is useful at all. I just found it interesting.

Germania or uberfry: message me if you might be able to help guide me to dump these chips (one from 360 drive and the other from the 300GB). I have not had much luck with my willem and I am confused about how to use what uberfry posted.

Edit:
Found something interesting for Seagate drives. I already have the parts to build it but don't know where the RX and TX lines are.
http://hddguru.com/content/en/articles/2005.10.01-Seagate-RS-232-adapter-schematic/
255  Research & Technical XboxHacking (Xbox 360) / Hard Disk / Re: experiments with HDD logicboards on: April 03, 2006, 07:52:32 PM
Hi, *
   for a reference data:
1. All HDDs store SN and Model# in the plates, areas called UBA which is not accessible via LBA. But there are special HDD low level tools which can access these areas. In most cases you can modify this info.
2. The FW revision # is mostly stored in the FW flash, whether it's inside the controller, or in the plates, depends on the HDD model. In most cases you can't modify it. If you can, you will need to modify the checksum at the same time.

I don't believe that the SDRAM contains any info like this.
In the meantime, I am preparing an FPGA to emulate the HDD info which I did months ago. I want to emulate the model#, SN, and FW revision#, but keep all the other data unchanged with the new and "larger" HDD. This will only work if the 360 checks model#, SN, and FW rev# only. But this shall be true in most cases.
I will be back when I got some results.
^from earlier in the thread.

PC3000 software/hardware is capable of putting many harddrive models into factory mode. It costs like $600 bucks though. In the factory mode it can read/write firmwares and hidden areas on the disk.

http://www.acedre.com/pc3000.html

Germania: what settings did you use to read out such chips? I only really want reading anyway.

uberfry: forgive my ignorance but I need a little direction on how to use your program.
256  Research & Technical XboxHacking (Xbox 360) / Hard Disk / Re: experiments with HDD logicboards on: April 03, 2006, 01:50:32 AM
I just tried hooking it up to my willem on the 25CXX slot and it didn't read the chip. I tried various settings. Anyone know of something cheap I could build to read this SPI FLASH?

I took apart a 3.5 SATA harddrive I have. It is manufactured by Western Digital. It also has an SPI flashrom on it as well.
257  Research & Technical XboxHacking (Xbox 360) / Hard Disk / Re: experiments with HDD logicboards on: April 02, 2006, 10:15:46 PM
I don't have another Seagate but I plan to buy another premium, perhaps I will get lucky.

If someone else has a Seagate then perhaps we can exchange dumps of the flash chips if I can figure out something simple to dump them.
258  Research & Technical XboxHacking (Xbox 360) / Hard Disk / Re: experiments with HDD logicboards on: April 02, 2006, 07:44:22 PM
What about the 512 Kbit flash memory on the Seagate? What do you think it stores?
As arakon pointed out, it is a 25P05avg
http://www.st.com/stonline/products/literature/ds/8624.pdf

I would attempt to dump this chip from my Seagate but I am not sure if my willem can read that type of chip. I just got the thing and am not very familiar with it.

I might try to build something to work with ponyprog. I know it supports SPI EEPROMs, perhaps this SPI flash might be readable.
259  Research & Technical XboxHacking (Xbox 360) / Hard Disk / Re: experiments with HDD logicboards on: April 02, 2006, 07:10:00 PM
Why couldn't the harddrive firmware be stored on the platter?
260  Research & Technical XboxHacking (Xbox 360) / DVD-ROM Drive and Media / Re: Replacement drives if youve butched yours !!! on: April 02, 2006, 03:35:03 PM
I ordered myself a Toshiba-Samsung model. I will dump the flash chip before I start up the drive. If there is in some virgin unmarried state we should be able to tell from that dump, or at least tell if this drive is or isn't in a virgin state.

My plan right now is to use the soldering iron to scrape as much of the epoxy off the top and sides to expose the pins. I had no problem doing this before with my other TS. It was when I attempted to desolder it that I damaged the board.

I was going to try to modify this PLCC socket to clamp over the flash chip. Then have a small switch on the needed pins to enable programming or normal operation from the mainboard. The modified socket will then have something that will connect directly to my willem.

Does anyone know which pins/traces I would need to cut and put a switch on? I thought it would be VCC and like CE but I really don't know. Is my idea even possible?

Another thing I wanted to try was to try to desolder the chip from the board completely. I have some of this ChipQuik surface mount removal stuff (http://www.emulation.com/catalog/off-the-shelf_solutions/lab&rework/chipquik.html). I wanted to try to use some of that low heat solder and see if I can keep all the pins molten and then perhaps it will come off without damaging pads.