HOMiE7
« on: March 04, 2011, 01:26:24 PM »

Hi! Did you see this? Dunno if it's fake or not. Quality isn't good though. http://www.youtube.com/watch?v=3rkOp5jZCh4
Looks like the guy dumped it with DosFlash without any trouble and/or manipulation at all! My drive returns status 0x51-0xD1 and couldn't be dumped.

MoDInside
« Reply #1 on: March 04, 2011, 02:21:48 PM »

It is possible, I've done it with an Intel X58 based motherboard (ICH10R) and DOSFlash 1.9, but it didn't work with my nForce or VIA 6421.

MODFREAKz
« Reply #2 on: March 04, 2011, 02:45:59 PM »

Dumping the DVD-Key with Dosflash v1.9 from a DG-16D4S fw 0225 is nothing special!!
The magic unlock can be done by a few rare SATA chipsets.

morenomdz
« Reply #3 on: March 31, 2011, 03:21:21 PM »

Now let's talk about writing back... ><

Gazcoigne
« Reply #4 on: April 06, 2011, 07:58:51 AM »

> Now let's talk about writing back... ><

That's all I care about!! How do we write the damn thing, coz we sure as hell ain't spoofing a different drive in.

xboxbreaker
« Reply #5 on: April 06, 2011, 09:06:46 AM »

> Now let's talk about writing back... ><
> That's all I care about!! How do we write the damn thing, coz we sure as hell ain't spoofing a different drive in.

Does the drive board perform the hash of the FW and send it back to the MB, or does the kernel actually dump the FW on boot and perform the hash check? I am just curious if there will ever be a way round the FW hash in slims. If the Xbox is actually reading the FW off the drive, could a modchip be used that sends spoofed retail FW data for the hash check on boot, then routes further traffic to the hacked FW actually on the drive? Even then this doesn't affect the cat-and-mouse nature of keeping up with AP2.5 media checks. Just thinking out loud.

« Last Edit: April 06, 2011, 09:14:12 AM by xboxbreaker »

xboxbreaker
« Reply #6 on: April 06, 2011, 11:56:11 AM »

I wasn't aware of that; I have fallen a bit behind the times since XBH went down. So he has added that function into the drive FW? I didn't think it would be possible to prevent the FW dump using code residing on the drive's flash.

danthaman
« Reply #7 on: April 11, 2011, 02:04:18 PM »

The other thread on slim drive hacking got spammed by noobs; I was trying to follow it. Anyway: I was just wondering if anyone could tell me the latest on why/how the 0225 is currently unwritable (yes, I have done some searching on the topic already). Also, has anyone played with the SPI on it yet? (Can anyone recommend a suitable off-the-shelf interface to talk to the 1335we?)

danthaman
« Reply #8 on: April 12, 2011, 05:53:24 AM »

Oh, I see... Yes of course, the usual cashing-in :-( Such a pity, I was keen to work the problem open-source style... They still get their cha-ching either way, just look at pmt or MRA for example; hell, it probably saves them a bit of work :-) I would think they would be keen to contribute here (assuming they had something to contribute), as at the end of the day anyone can reverse engineer, but the Chinese sure make lovely cheap PCBs, you just have to order a few. 'They' will always make their $$ at that end, as most of us think that market is crowded enough as is (let alone advertising/supporting the nubz etc.).
So I would think it in everyone's best interest... I already have a couple of ideas, but not being up on 'the 0225 writing barrier' I'm keeping them to myself currently, as I am running thin on flame-retardant gel. And they are in the realm of HW, and the news today (plus some research) has me thinking it's possibly more on the FW side of things..?..? If it is HW then much of the hard work has been done for us.
BTW, I would guess that the drive is running a CRC check, hashing it somehow (TEA or something quick like that) and sending it to the mobo perhaps, as there doesn't seem to be enough time during boot for it to be doing a full dump via SATA... (with the obvious exception of updates).

« Last Edit: April 12, 2011, 11:52:27 AM by danthaman »

xboxbreaker
« Reply #9 on: April 12, 2011, 06:08:59 AM »

> BTW, I would guess that the drive is running a CRC check, hashing it somehow (TEA or something quick like that) and sending it to the mobo perhaps, as there doesn't seem to be enough time during boot for it to be doing a full dump via SATA... (with the obvious exception of updates).

My guess was that it just reads a few areas of the flash memory to perform a check. I suppose that this "rootkit" just spews back the right sections of the retail FW when asked for them. Now that this update attempts a full dump, it causes the update to fail, as there is no way to hide from a full dump of the drive's flash? I'm still a bit surprised; after all this time they could have flashed the drives even on phat machines!

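The spot-check-versus-full-dump distinction the posters are speculating about above can be made concrete with a toy model. The following is an added example, not code from this thread, from DOSFlash or from any Xbox drive firmware; the flash images, the four "check windows", the patch location and the FNV-1a hash are all constructed for illustration and say nothing about how the real 0225 firmware or the console's check actually behave. It models a host that either hashes a few fixed windows of the drive's flash or dumps and hashes the whole image, and a drive whose modified firmware answers reads inside the known windows with genuine bytes.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Toy flash size; a real drive image is far larger. Everything here is constructed. */
#define FW_SIZE 0x100

struct window { size_t off, len; };

/* Hypothetical offsets a boot-time spot check reads. The spoofing firmware is
 * assumed to know these and to answer them with genuine bytes. */
static const struct window CHECK_WINDOWS[] = {
    {0x00, 16}, {0x40, 16}, {0x80, 16}, {0xC0, 16},
};
#define N_WINDOWS (sizeof CHECK_WINDOWS / sizeof CHECK_WINDOWS[0])

/* Model drive: flash is what is really stored; if spoof_retail is non-NULL, any
 * read that falls inside CHECK_WINDOWS is answered from that genuine image. */
struct drive {
    const uint8_t *flash;
    const uint8_t *spoof_retail;
};

static bool in_check_window(size_t addr)
{
    for (size_t w = 0; w < N_WINDOWS; w++)
        if (addr >= CHECK_WINDOWS[w].off && addr < CHECK_WINDOWS[w].off + CHECK_WINDOWS[w].len)
            return true;
    return false;
}

/* Host-side read of [off, off+len) from the drive. */
static void drive_read(const struct drive *d, size_t off, size_t len, uint8_t *out)
{
    for (size_t i = 0; i < len; i++) {
        size_t a = off + i;
        bool spoof = d->spoof_retail && in_check_window(a);
        out[i] = spoof ? d->spoof_retail[a] : d->flash[a];
    }
}

/* FNV-1a 32-bit, chained so several regions fold into one digest. */
#define FNV_INIT 2166136261u
static uint32_t fnv1a(uint32_t h, const uint8_t *p, size_t n)
{
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 16777619u; }
    return h;
}

/* Spot check: hash only the sampled windows. */
uint32_t hash_windows(const struct drive *d)
{
    uint8_t buf[16];
    uint32_t h = FNV_INIT;
    for (size_t w = 0; w < N_WINDOWS; w++) {
        drive_read(d, CHECK_WINDOWS[w].off, CHECK_WINDOWS[w].len, buf);
        h = fnv1a(h, buf, CHECK_WINDOWS[w].len);
    }
    return h;
}

/* Full check: dump the whole image and hash it. */
uint32_t hash_full(const struct drive *d)
{
    uint8_t img[FW_SIZE];
    drive_read(d, 0, FW_SIZE, img);
    return fnv1a(FNV_INIT, img, FW_SIZE);
}

/* Constructed images: "retail" is the genuine firmware; "hacked" is retail with a
 * 0x40-byte patch at 0x90..0xCF, which overlaps the window at 0xC0 but mostly
 * lies outside every window. */
void build_images(uint8_t retail[FW_SIZE], uint8_t hacked[FW_SIZE])
{
    for (size_t i = 0; i < FW_SIZE; i++) retail[i] = (uint8_t)(i * 7 + 3);
    memcpy(hacked, retail, FW_SIZE);
    for (size_t i = 0x90; i < 0xD0; i++) hacked[i] = (uint8_t)~retail[i];
}

/* 1 if a patched drive that does NOT spoof fails both checks. */
int unspoofed_patch_fails_both(void)
{
    uint8_t retail[FW_SIZE], hacked[FW_SIZE];
    build_images(retail, hacked);
    struct drive genuine = { retail, NULL }, patched = { hacked, NULL };
    return hash_windows(&patched) != hash_windows(&genuine)
        && hash_full(&patched) != hash_full(&genuine);
}

/* 1 if the spoofing drive passes the spot check but fails the full-dump check. */
int spoof_evades_spot_check_only(void)
{
    uint8_t retail[FW_SIZE], hacked[FW_SIZE];
    build_images(retail, hacked);
    struct drive genuine = { retail, NULL }, spoofer = { hacked, retail };
    bool spot_ok = hash_windows(&spoofer) == hash_windows(&genuine);
    bool full_ok = hash_full(&spoofer) == hash_full(&genuine);
    return spot_ok && !full_ok;
}

int main(void)
{
    printf("unspoofed patch fails both checks: %d\n", unspoofed_patch_fails_both());
    printf("spoofer passes spot check, fails full dump: %d\n", spoof_evades_spot_check_only());
    return 0;
}
```

The design point is that a check which samples fixed, predictable regions is only as strong as the attacker's ignorance of which regions are sampled; once the firmware serving the reads knows the windows, it can answer them honestly and keep its modifications elsewhere. Hashing the complete image (or challenging unpredictable regions chosen by the verifier) removes that hiding place, which is the intuition behind "no way to hide from a full dump" in the post above.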
l_oliveira
« Reply #10 on: April 12, 2011, 11:14:05 AM »

> My guess was that it just reads a few areas of the flash memory to perform a check. I suppose that this "rootkit" just spews back the right sections of the retail FW when asked for them. Now that this update attempts a full dump, it causes the update to fail, as there is no way to hide from a full dump of the drive's flash?
> I'm still a bit surprised; after all this time they could have flashed the drives even on phat machines!

Now their decision to keep using flash memory on the DVD drives DOES MAKE SENSE.

It's a Rough World

danthaman
« Reply #11 on: April 12, 2011, 12:12:41 PM »

> BTW, I would guess that the drive is running a CRC check, hashing it somehow (TEA or something quick like that) and sending it to the mobo perhaps, as there doesn't seem to be enough time during boot for it to be doing a full dump via SATA... (with the obvious exception of updates).

> My guess was that it just reads a few areas of the flash memory to perform a check. I suppose that this "rootkit" just spews back the right sections of the retail FW when asked for them. Now that this update attempts a full dump, it causes the update to fail, as there is no way to hide from a full dump of the drive's flash? I'm still a bit surprised; after all this time they could have flashed the drives even on phat machines!

The area that the 'rootkit' lives in might be in an extended area perhaps? Perhaps the same flash/ROM area that locks writing; maybe the drive could even challenge the FW and say yay or nay on reserved SATA commands. I wish we had a bit more of a chipset layout/schematic; I will have to put aside some time for buzzing out some of the paths. I'm curious where the orange TXD/RXD (on the pinout) goes, amongst others. I have always reasoned/maintained that they would have the capability to read/write the FW from the mobo (from memory some drives still need power cycling to get vendor, so I guess they will have to keep it to the updates :-)