MT1335 MX/WB unlocking

[manvslife12]

I use onboard intel 82801eb chip set  sata port.
Can you tell me how exactly how do you read 0225 key using slimkey? I tried it in and not in vendor mode, I got "slimkey fail" all the time.
Tomorrow I will try different PC.

I use slimkey with Via6421 card fail too, i use x360usb pro it can take key use slimkey

[oc]

I use onboard intel 82801eb chip set  sata port.
Can you tell me how exactly how do you read 0225 key using slimkey? I tried it in and not in vendor mode, I got "slimkey fail" all the time.
Tomorrow I will try different PC.

I use slimkey with Via6421 card fail too, i use x360usb pro it can take key use slimkey

Okay! This is my progress.( I had drilled chip and unlock ok)
I tried few different m/b without success. I got one VIA VT6421A pci to sata card and went good!
I use slimkey-no - yes- power off-probe wpx01-off/on then got KEY!
I put back to vendor mode -erase-write-  Lt 1.92 writing ok, reading back fail.
0x00 then lock ok.
put back to xbox and try read backup work!

now I got an other problem. The xbox power on 19 out 20 times, I got Play DVD! Original or backup.
When I got Play Game then all OK, why?

[galo911]

You should have done a full dump before writing the drive. you used a dummy.bin (slimkey only). Your info was incomplete. Since you already wrote to the drive there is no way to get it anymore. You will have to use a hex-editor to try to minimize it or maybe fix it. 19 out of 20 is bad... this is the tutorial (not mine, not trying to take credit for it, just trying to help) - Hope that helps:
link: http://www.megaupload.com/?d=3XU5FCPA

If the ones in the PDF don't work, THEN here are some more to try:

01 04 01 00 02 01 00 17 02 01 53 54 04 01 05 01
01 04 01 00 02 01 00 1A 02 01 53 54 04 01 05 01
01 04 01 00 02 01 00 1C 02 01 53 54 04 01 05 01
01 04 01 00 02 01 00 1E 02 01 53 54 04 01 05 01
01 04 01 00 02 01 00 1F 02 01 53 54 04 01 05 01
01 04 01 00 02 01 00 23 02 01 53 54 04 01 FF FF
01 04 01 00 02 01 00 26 02 01 53 54 04 01 05 01
01 04 01 00 02 01 53 54 04 01 05 01 FF FF FF FF

Credit belongs to: BraveH43 (Xecuter Forum)

[oc]

Lucky I saved CFW before flash. I use jf 1.87
In address of lt-1.92 01ff80: I got
01 04 01 00 02 01 00...
so I have these data already. So my maybe different issue.

Wonder lt-1.91 has this bug?

edit: I guess the data I have got is originally from LT 1.92, will try new data later on.

[galo911]

if you pay attention you will notice that they are all slightly different. you need to find the one that suits your drive better and you will get less or none playdvd anymore.

[oc]

if you pay attention you will notice that they are all slightly different. you need to find the one that suits your drive better and you will get less or none playdvd anymore.

Now I double checked data in the offset 1ff80 of my cfw LT1.92 I flashed:
it is
01 04 01 00 02 01 00 1D 02 01 53 54 04 01 05 01  --SAME IN MY DUMMY.BIN

01,04,01,00,02,01,53,54,04,01,05,01,FF,FF,FF,FF  ---THE ORIGINAL CFW 1.92

So I had got full dump and had my own string of laser calibration data.
So that's why I think this data is not the reason of my issue of Play DVD error.

[oc]

well , here` the problem ,

first of all i hacked my 0225 slim with this new hack solution
everything was ok till i decide to write 0225 lt1.9 on drive with JF , i got "write verify failed" but it could play copy dvd .

so i locked my drive again , packed my whole xbox and after that!!!! when i turn it on again i got play DVD error with original or copy dvd ....
and even sometimes it gets stuck on booting up!


did you fix your problem?  Oc
icant understand whats going on ... before packing up everything was fine but now ?!?!?
Any help appreciated....

well, if you get write verify failed, whyhave you packaged all? after that you have spi unlocked, it's just another try to write the firmware. so, what you have to do now is:

1- disassemble everything;
2- unlock the drive again (just put +5V in the hole with unlockspi launched);
3- rewrite firmware (until you get write verified SUCCESSFULLY)
4- package all

post feedback of your work.

i did all that u say ... but with Jungle flasher i got write verify failed again and again and again!
with dosflasher32 it`s ok ! without error ...
but as i said the first time that i unlock my drive i got "write verify failed "error but after that i test my copy DVD on Xbox ,that was ok and i could play copy on my xbox ... but after packing up everting gets reverse!....

could be the problem from DVDrom or laser or ... idon really know whats happend!:-??

[oc]

Currently I am looking a X360USB Pro. I wonder use it will completely fix Play DVD error.
Afaik VIA card can only read slim key and the Dummy file is not content all  information for CFW, there for got random Play DVD error. Am I right? 

[the-green]

VIA Card isn't the better choice to dump the slim liteon drive's
buy, a better motherboard with a recent Intel integrated chipset SATA
you can buy a lizard 360 too or the X360 USB PRO
but not VIA
 

[oc]

Can anyone tell me what is data actual  missing between full dump and Slimkey? The new JF 1.88 has any improve in Slimkey function?  I hope Slimkey can read same amount of information as READ function in JF 1.88.

[galo911]

Can anyone tell me what is data actual  missing between full dump and Slimkey? The new JF 1.88 has any improve in Slimkey function?  I hope Slimkey can read same amount of information as READ function in JF 1.88.

It will never read the same info, they are two distinct functions. For Slim 0225 and on it is necessary to dump the full fw. To release the full dump (after you unlock the chip) information is written to the drive in order to release the whole fw for you to dump (that's why the chip needs to be unlocked first).

The idea was if something goes bad, the key is safe already using "SLIMKEY". It works out pretty well on Slim 9504, but the other revisions of slim liteons just don't work that way. They need more info from the original dump from that particular drive. There are people (a few) who succeeded in rebuilding a Dummy from borrowed information from other drives. Geremia posted a couple of days back about Hex-editing 1F00 to 1FFF (not completely sure about the address) using borrowed info from another drive and it worked out for the guy he was helping. Remember: Those drives (0225 and on) were never flashed on the recent updates and they read XGD3 from factory stock fw, the console itself works different with the "realtime ram check ,realtime fw check ,realtime buffer check" amongst others...

Bottom line it is not a 100% rebuild method that will work for everybody, but have in mind that you need to screw up the kamikaze/mxic hack severely in order not to be able to make the full dump. You can loose the laser and eject but full dump is still possible in most cases. If you can't get it due to HW issues with SATA, GO USB! - Slim drives are an annoying experience over SATA in a lot of chipsets.

If you don't want to buy from the teams build your own, but get the full dump. After you write the CFW on the drive there is no way back. Make sure you get it

 

[oc]

Hi Galo911, can you tell me what is data need in 01f000 - 01ffff ? If it missing from OFW will the CFW still read XGD3? I've notice the laser calibration data is already in the Dummy.bin, and the data between 0225 OFW to LT 1.92/2.0 in this area are very same.
By the way I got one x360usb pro from dealextreme.com for US$57.50 sent to door.

[galo911]

Hi Galo911, can you tell me what is data need in 01f000 - 01ffff ? If it missing from OFW will the CFW still read XGD3? I've notice the laser calibration data is already in the Dummy.bin, and the data between 0225 OFW to LT 1.92/2.0 in this area are very same.
By the way I got one x360usb pro from dealextreme.com for US$57.50 sent to door.

It's not about XGD3, i was just mentioning that Liteon 0225/0401/1071 are built different. I've seen dummy.bin with only FF in calibration data places.
I have it too but for slims i prefer Lizard from Maximus. If you do have problems with the full dump with the X360, after you unlock the chip try closing JF, disconnect and connect again the X360, open JF
intro the drive and try to read again. Same thing happens with Lizard sometimes. Good Luck 

[mprace]

Is the full dump only for when you are using back the same drive in the same set?

If I swap-in and spoof a older 9504 drive to replace a 0225, all I need is the key right?

[galo911]

Is the full dump only for when you are using back the same drive in the same set?

If I swap-in and spoof a older 9504 drive to replace a 0225, all I need is the key right?

Sometimes it doesn't work. You will get "PLAY DVD". I did one today that worked with only the dummy.source.bin from Lizard, but i have the original board kept aside. During drilling i was getting only 0x3C on Lizard, it did go to 0x00 lots of times but when i power cycled the drive every time it went back to 0x3C. The customer decided to go with the TX board instead and kept the original, just in case.
My advise is test the CFW on another board/drive before trying to write CFW to the original board without getting a full dump to check if a "Play DVD" problem emerges.

[mprace]

Is the full dump only for when you are using back the same drive in the same set?

If I swap-in and spoof a older 9504 drive to replace a 0225, all I need is the key right?

Sometimes it doesn't work. You will get "PLAY DVD". I did one today that worked with only the dummy.source.bin from Lizard, but i have the original board kept aside. During drilling i was getting only 0x3C on Lizard, it did go to 0x00 lots of times but when i power cycled the drive every time it went back to 0x3C. The customer decided to go with the TX board instead and kept the original, just in case.
My advise is test the CFW on another board/drive before trying to write CFW to the original board without getting a full dump to check if a "Play DVD" problem emerges.

I was hoping to avoid all the risks and uncertainty of drilling holes by just grabbing the key and doing a drive swap with a 9504. 

I thought this was the safest and the only method before the kamikaze/sputnik hack came out.  Or did I missed some new security development that now affects this method, like you described, with the 'PLAY DVD' issue?

[galo911]

Is the full dump only for when you are using back the same drive in the same set?

If I swap-in and spoof a older 9504 drive to replace a 0225, all I need is the key right?

Sometimes it doesn't work. You will get "PLAY DVD". I did one today that worked with only the dummy.source.bin from Lizard, but i have the original board kept aside. During drilling i was getting only 0x3C on Lizard, it did go to 0x00 lots of times but when i power cycled the drive every time it went back to 0x3C. The customer decided to go with the TX board instead and kept the original, just in case.
My advise is test the CFW on another board/drive before trying to write CFW to the original board without getting a full dump to check if a "Play DVD" problem emerges.

I was hoping to avoid all the risks and uncertainty of drilling holes by just grabbing the key and doing a drive swap with a 9504. 

I thought this was the safest and the only method before the kamikaze/sputnik hack came out.  Or did I missed some new security development that now affects this method, like you described, with the 'PLAY DVD' issue?

You can always try to get the partial dump "Slimkey" on JF and build a CFW from that. Test the CFW on a swapped drive and see if it works. Keep your original just in case you ever need it. If you start getting "Play DVD" errors on the swapped drive you will have to get a full dump from your original drive. In order to get that you will have to unlock the SPI i.e. MXIC hack (simpler/safer but chipset must be MXIC) or Kamikaze hack for Winbond.

[mprace]

Is the full dump only for when you are using back the same drive in the same set?

If I swap-in and spoof a older 9504 drive to replace a 0225, all I need is the key right?

Sometimes it doesn't work. You will get "PLAY DVD". I did one today that worked with only the dummy.source.bin from Lizard, but i have the original board kept aside. During drilling i was getting only 0x3C on Lizard, it did go to 0x00 lots of times but when i power cycled the drive every time it went back to 0x3C. The customer decided to go with the TX board instead and kept the original, just in case.
My advise is test the CFW on another board/drive before trying to write CFW to the original board without getting a full dump to check if a "Play DVD" problem emerges.

I was hoping to avoid all the risks and uncertainty of drilling holes by just grabbing the key and doing a drive swap with a 9504. 

I thought this was the safest and the only method before the kamikaze/sputnik hack came out.  Or did I missed some new security development that now affects this method, like you described, with the 'PLAY DVD' issue?

You can always try to get the partial dump "Slimkey" on JF and build a CFW from that. Test the CFW on a swapped drive and see if it works. Keep your original just in case you ever need it. If you start getting "Play DVD" errors on the swapped drive you will have to get a full dump from your original drive. In order to get that you will have to unlock the SPI i.e. MXIC hack (simpler/safer but chipset must be MXIC) or Kamikaze hack for Winbond.

I recall at start of year, slims that had spoofed phat drives were randomly hit with "PLAY DVD" issue and the actual cause was never found?  Leaving 9504 the only safe drive for spoofing on slims. 

But based on what you said and what I'm reading, this "PLAY DVD" issue is also bugging the slim drives.  It looks like JF is missing some data when dumping, creating much uncertainty and worries when modding slims.  Is ODD emulators like Wasabi going to be the future for safe modding?

[arielzadi]

i have drilled my srive and unlocked it/ after flashing cfw i locked it again
now since lt 2.0 is coming is there any method to unlock it again? should i use a 3.3 v line and try to poke the uncoverd trace?
or any other piece of hardware?
and if so ca i have a ling to where to buy it?
thabks alot

[galo911]

i have drilled my srive and unlocked it/ after flashing cfw i locked it again
now since lt 2.0 is coming is there any method to unlock it again? should i use a 3.3 v line and try to poke the uncoverd trace?
or any other piece of hardware?
and if so ca i have a ling to where to buy it?
thabks alot

If you only used a "soft lock" i.e. 0x0C you just send the pulse to unlock it and it will do so right away, but if you did the "hard lock" i.e. 0x8C like it was originally you will need to:
- Recommended is use the piezoelectric lighter to send a spark 1 cm approximately from the hole or
- Pass a cue-tip with a little bit of alcohol over the hole while sending the pulse (i know some people say it's wrong but i never had any problems and i am lazy and don't have the lighter, etc...).