XboxHacker BBS
 
Topic: Liteon secrets? I'll share something with you
d05register
Member
« Reply #380 on: December 07, 2009, 02:00:01 PM »

Did you miss the Freekey joke by maximus and me? http://forums.xbox-scene.com/index.php?showtopic=689567

About the future fix, consider that MS does not produce drives or firmwares (or fw fixes); it just pays Liteon to produce them with MS custom ATAPI commands.
Liteon does not produce chips, it takes them from Mediatek.

Yeah I missed that post, because it was holiday time for me and I don't read X-S very often anyway. Nice post :)
My comment about future fix was ironic about Iriez and c4eva... I haven't learned anything from him so it doesn’t matter for me.
All I have learned is from this board and from people like you, Redline99, Tiros, robinsod, tmbinc, SeventSon, TheSpecialist etc.

Why don't you (Geremia) release a fw and send c4eva to history once and for all? We all know (well, let's change that to "I know") that c4eva's "research" about live and LT is all BS. In this thread http://www.xboxhacker.net/index.php?topic=4227.0 I read that what we call Stealth fw was done by Maximus. I think c4eva is unable to do any research on his own, and just removed the "stealth backups checks" and will present that as a "new" fw (LT)... Of course I will understand, if you don’t do it because you don't want any direct involvement in just helping noobs play backups...
Logged
Arakon
Administrator
Xbox Hacker
« Reply #381 on: December 07, 2009, 02:06:14 PM »

And what makes you say that? Maximus did the hitachi FW, but not samsung, liteon, benq.
Logged

I do NOT give support by email, PM, ICQ or whatever. Anyone annoying me that way will have his balls removed. With a rusty butterknife. Slowly. And I'll enjoy doing it.
d05register
Member
« Reply #382 on: December 07, 2009, 02:20:54 PM »

Yes but I don't believe that this is so, because c4eva is more skilled, just because nobody else was interested in releasing a fw. You know better than me Arakon that c4eva "hacked" the first drive reading this board and the TheSpecialist's "Hacking DVD fw" thread... And it took him about 2 months to repeat the hack :)

Of course he hacked the next drives too, but I don't believe that the guys I mentioned can't do the same job, or even better... ;)

EDIT: And if you ask me why c4eva hasn't the skill to do any serious research... hmm just a feeling... His posts at Twitter http://twitter.com/TeamJungle are not exactly what I call hacking.....
« Last Edit: December 07, 2009, 02:31:17 PM by d05register » Logged
jelle2503
Xbox Hacker
« Reply #383 on: December 07, 2009, 02:57:58 PM »


advertising selling backup games on xbox hacking forums now are we.. you gotta be kidding me
« Last Edit: December 07, 2009, 03:49:56 PM by Arakon » Logged

360experts
Newbie
« Reply #384 on: December 07, 2009, 03:30:13 PM »


advertising selling backup games on xbox hacking forums now are we.. you gotta be kidding me

Sorry sweetheart, No one was advertising selling backup games on this forum! I simply stated I would help anyone who was having problems.

I DID NOT MENTION THAT THERE WAS A BACKUP GAMES SERVICE!!!

Most people have the intelligence to burn their own games. If there is a select few who can't then this isn't the place that they will find me.

I'm sure you will agree.
« Last Edit: December 07, 2009, 03:50:49 PM by Arakon » Logged
Arakon
Administrator
Xbox Hacker
« Reply #385 on: December 07, 2009, 03:50:39 PM »

It doesn't matter that you mentioned it, the site you linked sells backups. Which actually counts as a crime. And for that same reason, you are gone.
Logged

I do NOT give support by email, PM, ICQ or whatever. Anyone annoying me that way will have his balls removed. With a rusty butterknife. Slowly. And I'll enjoy doing it.
danthaman
Hacker
« Reply #386 on: December 07, 2009, 10:04:06 PM »

The key is never sent over SATA.

Sorry perhaps I should have been more clear, As long as there is an exchange there will be a way to sniff key. I think M$'s next move will prolly be to just put a separate, small ROM that will allow FW read-out or something similar that guarantees they can detect and ban from live. Some countries it is legal to backup so R&D firms will put money into making that possible as long as there is money to be made (I'm surprised more haven't so far). I reckon they'll give up on trying to prevent key-dumping.
Surely one could just attach t-piece, power, run known game and by then have enough to get the key on most PCs after a day or 2 decrypting??
Logged

AustralianGameMods - We do all mods and repairs
         www.AustralianGameMods.webs.com
n00bpwner360
Xbox Hacker
« Reply #387 on: December 07, 2009, 10:10:54 PM »

My idea - instead of sending some command over SATA that will dump the key over serial, you send a long key to the drive via SATA, the drive takes the MD5, or some other checksum of the key, and compares this key against a key stored in the FW. If the keys are the same, the drive key goes over serial, if they're not the same, you get no key. Of course the SATA key that MD5's to the FW key is very very long and only MS knows it...problem solved...(right?)
Logged

yeah lowering the default reading speed from 12x to let's say 5x, would really let GTA4 (or any of your games) benefit from way less popups and loading times.
l_oliveira
Xbox Hacker
« Reply #388 on: December 07, 2009, 11:30:26 PM »

What they needed to do was put the WHOLE firmware on ROM and have a small EEPROM on die that then would be write only for the outside world and readable only for the internal processor. Having the processor being ROM would mitigate completely their being usable for piracy. Then making it tough to impossible to dump the key would be required preventing replacements.
It's easy but they don't want to do it "because on DIE ROM is expensive" :P
Logged


It's a Rough World
Shaun
Xbox Hacker
« Reply #389 on: December 08, 2009, 04:02:27 AM »

What planet are you on if you think if an exchange happens between the console & drive then that means we can sniff the key to how the data was generated ?
That's simply untrue and is the basis of any successful encryption across the world and is how internet banking is kept safe (usually ;) )
The key is used to generate a hash or some data based on multiplying prime numbers which are ridiculously long to which you have no way to reverse.
The only way to defeat this is via brute forcing which would probably take hundreds of years on the fastest of supercomputers for a key which is random and changes every boot - it simply can't happen.
That's how the signing of the exe and the majority of the system works and is pretty damn good
Logged
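
The hash-gated unlock proposed in reply #387 and the per-boot randomness reply #389 refers to, as an added sketch that is not from any poster or from real drive firmware: the class names, the 16-byte placeholder key and the use of SHA-256/HMAC in place of MD5 are assumptions made for illustration. It compares how each design treats a message that was valid once and is presented a second time.

```python
import hashlib
import hmac
import secrets

DRIVE_KEY = bytes(16)  # constructed placeholder, not a real drive key


class StaticGate:
    """Reply #387's design: firmware stores only a digest of the vendor secret."""

    def __init__(self, secret_digest):
        self._digest = secret_digest  # a firmware dump shows this, not the secret

    def unlock(self, candidate):
        got = hashlib.sha256(candidate).digest()
        # Constant-time compare: timing must not reveal how many bytes matched.
        return DRIVE_KEY if hmac.compare_digest(got, self._digest) else None


class NonceGate:
    """Variant: fresh random challenge per attempt, HMAC-SHA256 response."""

    def __init__(self, shared_secret):
        self._secret = shared_secret  # assumption: symmetric, so it lives in the device
        self._nonce = None

    def challenge(self):
        self._nonce = secrets.token_bytes(16)
        return self._nonce

    def unlock(self, response):
        if self._nonce is None:
            return None
        want = hmac.new(self._secret, self._nonce, hashlib.sha256).digest()
        self._nonce = None  # a challenge is good for one attempt only
        return DRIVE_KEY if hmac.compare_digest(want, response) else None


def replay_outcomes():
    """Is a recorded, once-valid bus message accepted a second time?"""
    secret = secrets.token_bytes(64)  # constructed stand-in for the vendor secret
    static = StaticGate(hashlib.sha256(secret).digest())
    first_static = static.unlock(secret)          # legitimate unlock, observed
    gate = NonceGate(secret)
    recorded = hmac.new(secret, gate.challenge(), hashlib.sha256).digest()
    first_nonce = gate.unlock(recorded)           # legitimate unlock, observed
    gate.challenge()                              # later session: new nonce
    assert first_static == DRIVE_KEY and first_nonce == DRIVE_KEY
    return static.unlock(secret) is not None, gate.unlock(recorded) is not None
```

`replay_outcomes()` returns `(True, False)`: the static secret keeps working once it has crossed the bus, while a response bound to an old nonce is rejected. The symmetric variant still places its secret inside the device, which a signature check against a stored public key would avoid.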
richard1972
Newbie
« Reply #390 on: December 08, 2009, 05:05:46 AM »

I've followed all the instructions for the 93450 drive and managed to get the key off the drive and re-flash with Ixtreme but when i turn the console on it now says the drive is opening but doesn't actually open, even when i press the eject button. Has anyone else had this problem or know of a solution? Or could i spoof to a Benq drive and if so how?
Thanks to everyone that got me this far.
Logged
NEO_X
Member
« Reply #391 on: December 08, 2009, 06:47:27 AM »

someone has a live picture of the install

i can solder this easily but don't know of electric schematics

i have the switch the transistor would be really nice if someone post a picture of the install
Logged
n00bpwner360
Xbox Hacker
« Reply #392 on: December 08, 2009, 07:13:54 AM »

I also like the ROM idea with an EEPROM for the key, as long as (of course) the EEPROM isn't readable to anything other than the controller chip. However I was under the impression that ROM was more expensive than flash...
Logged

yeah lowering the default reading speed from 12x to let's say 5x, would really let GTA4 (or any of your games) benefit from way less popups and loading times.
Rogero
Master Hacker
« Reply #393 on: December 08, 2009, 10:09:28 AM »

I've followed all the instructions for the 93450 drive and managed to get the key off the drive and re-flash with Ixtreme but when i turn the console on it now says the drive is opening but doesn't actually open, even when i press the eject button. Has anyone else had this problem or know of a solution? Or could i spoof to a Benq drive and if so how?
Thanks to everyone that got me this far.
I had this problem too with one drive so far, it was dumped correctly, then flashed with Ixtreme, traces were soldered again and everything cleaned but the drive is totally dead, no more eject, tried powering it from the Maximus-Xtractor and from the 360, the same.
So i had to exchange it with another Liteon 74850 Drive, the resistor used was a combination of 11 Ohm + 10 Ohm in series, i think 21 Ohm is still on the safe side and also the same resistors were used to dump many drives now with no problem.
I prefer now to use the 360 itself to power the drives while dumping instead of the Xtractor chip to protect it from any damage in case..

As for spoofing to BenQ, you can open the BenQ fw in JungleFlasher, use the manual spoof option and insert your key without spoofing the fw to any other drive model, and save the FW, then u need to do it manually for now, use a hex-editor and compare 2 BenQ firmwares spoofed each to different drive models so u get the locations where u need to add the 93450 info, etc...

I hope there will be another safer method to dump these drives because i don't wanna lose other drives randomly in the process (knowing that i have old skills in soldering so everything was done clean without user errors)
« Last Edit: December 08, 2009, 06:30:04 PM by Rogero » Logged
thuanz
Hacker
« Reply #394 on: December 08, 2009, 10:01:37 PM »

So here is some advice for all who are still having problems and especially for all of you who think they might have a board with Winbond SPI flash:

You should check your soldering again and again before trying one of these things!

-If you get status 0x52 instead of 0x72 it is very likely that the voltage for the SPI isn't pulled down strong enough. Maybe your resistor is a little bigger than 22 Ohm? If it's not try a slightly (!) smaller one, about 20 Ohm should be OK for you.


-If you have a Winbond SPI Flash inside (i know, you can't be sure about this from the outside) you will probably get status 0x72 but instead of recognizing the Winbond flash it will be recognized as unknown flash chip (manufacturer and device ID 0xFF). If that is the case you can't use Dosflash anymore, you have to use JF!

-start JF
-put the switch in position 1
-power drive
-in the MTKFlash Tab click "intro"
-it should get "recognized" as unknown flash chip with status 0x72 like it was in Dosflash
-put switch in position 2
-click onto "intro" again
-now JF should recognize the Winbond SPI with status 0x72 and you can dump the whole drive

IMPORTANT: Don't power the drive down between the 2 intros!

Thank you man!!

I've dumped several mx drives (74850 8830 94950) using the lift pin but I'm having problems with a winbond drive. I'll check using the resistor method with 20 and 22 ohm. i have one more doubt.
I'm using JF and when i click INTRO it asks to power off and then on the drive so i do it. You say you don't have to power the drive between the two intros, but how can i do a intro without powering the drive off and on?

The winbond I'm trying goes from 0x80 to 0x52 instead of 0x80 to 0x72

I think its the same problem my friend is having I mentioned some posts above.
He also gets 0xD2 when drive is powered off.

did you two find a solution for this? I've run into a drive with exact same problem, 0xd2, switch on I get x52 to x80

edit: did some more probing and for some stupid reason this drive still runs games with traces cut and also tried lifting both 101 and 122 pins, is it tied to ANOTHER power source?
I don't understand how the drive is running perfectly with both 3.3 pins lifted,
« Last Edit: December 09, 2009, 12:10:54 AM by thuanz » Logged

Xbox and Wii mods, Melbourne, Australia
www.consolefreakz.com
wang
Member
« Reply #395 on: December 08, 2009, 11:00:42 PM »

i'm having some problems with this. tried with dos flash and i get "no identity possible" under device properties-name (correct port as JF shows the drive there). i know the drive is hooked up right because under JF it shows the correct drive (DG-16D2S) and firmware, but when i try through JF, i get "LO83info extraction failed".

i noticed nobody is mentioning the "half open tray" part, does that still apply to the 93450 with MRA's method of dumping the key (thanks MRA btw)?

i am going to double check my cutting of the tracks with my multimeter, but figured i'd ask first
Logged
Rogero
Master Hacker
« Reply #396 on: December 09, 2009, 11:56:49 AM »

i'm having some problems with this. tried with dos flash and i get "no identity possible" under device properties-name (correct port as JF shows the drive there). i know the drive is hooked up right because under JF it shows the correct drive (DG-16D2S) and firmware, but when i try through JF, i get "LO83info extraction failed".

i noticed nobody is mentioning the "half open tray" part, does that still apply to the 93450 with MRA's method of dumping the key (thanks MRA btw)?

i am going to double check my cutting of the tracks with my multimeter, but figured i'd ask first

the half open tray is not needed while using MRA method, you are now dumping the whole firmware and not just extracting the key like we used to do before.
Logged
uron1000
Newbie
« Reply #397 on: December 09, 2009, 01:04:12 PM »

quick question

Is it ok to disconnect the board from the drive and dump it or does the drive need to be connected when dumping i.e all ribbons plugged in so the drive laser and motors are functional, as i guess it would make life easier?

Thanks in advance
Logged
idog
Master Hacker
« Reply #398 on: December 09, 2009, 01:51:37 PM »

Quick question. Have a 93450 here, dumped ok with the MRA / boxxdr diagram. Did it first in JF 1.67 (mtkflash, intro). Then did it again with dosflash. Both times same binary dump file, same key.

I then load the bin as target in JF 1.67, shows me the key. Strange thing is, it shows me that it is a 74850 ? Is this normal ?

Anyway, I want to use a Samsung as test subject, so I copy the key and load the iXtreme 1.6.1 samsung as target. Spoof that to 84350 (only possible option) and put the key in it.
Test it and E66... Obviously something is wrong, but how do I spoof it as 93450c ? When I try firmtool, it tells me the original firmware has 'no valid version' and aborts.

Any help would be greatly appreciated, since I hate venturing my original 93 drive without testing it first ?

edit : did a few more dumps. Also with dosflash32 (used the 16bit first) and the status was 0x72, and it dumped correctly. I hexcompared all the dumps I took so far (all with a checksum of 1450) and they all matched. Even tried one with the switch left on and of course that gives an empty bin.

I'm guessing the dump is correct then. But I see everyone talking about a dummy.bin which is generated by loading the ixtreme template from carranza as target and then put the key and serial in there. Ok, that works and I can save the file, but is this the dummy ? I still don't know how to use a spare samsung for testing and spoof it as my 93450c ? (should I hexedit it ? )



« Last Edit: December 09, 2009, 02:19:34 PM by idog » Logged
Rogero
Master Hacker
« Reply #399 on: December 09, 2009, 02:05:51 PM »

quick question

Is it ok to disconnect the board from the drive and dump it or does the drive need to be connected when dumping i.e all ribbons plugged in so the drive laser and motors are functional, as i guess it would make life easier?

Thanks in advance

yes, doesn't need to be connected to the lens and motor, u only need the SPI Flash to be powered and Sata connected to dump it.
Logged