MT1335 MX/WB unlocking

[HKFenixgamesDD]

Seems the chip had re-locked somehow, dabbed the hole with a bit of isopropyl alcohol on a sock (I'm all out of cotton buds/q-tips lol), and it unlocked again.

Write verified OK !
Restore verified OK !

Happy days

Just a few twists of the iron each time, with a bit of pressure. Started hearing crackling through the speakers in time with the twisting of the iron, thought it was taking too long so stopped for a while, thought I had gone too far.

Decided to carry on, because if it was already f***ed....

Few more twists of the iron and I heard the beep. I think JungleFlasher uses Windows default beep, so maybe you should make sure you haven't disabled windows sounds.

And there are people who do not believe this was possible with no soldering iron and 3.3 v 

[Acton1]

Thanks for this new way to hack the slim drive's

other forum's now call this the thermal nuclear hack

cool name

[rockmetal]

Solder iron= the first drive, open tray error. Second drive work great.


Saludos desde Chile

[tingedace]

For the last few days after avidly watching the details of this hack emerge, I decided there was NO WAY I'd be trying this and that I'd wait for a safer method to be discovered. But something inside me gradually started to say "Do it!", "Do it!", "DO IT!!!"

So I did, and I used the soldering iron method and by all accounts it seems successful with no side effects. Phew!

Thing is though, it didn't go exactly as I thought it would. As I continued to melt the hole in the MTK chip, JF kept reporting 0x8C but at some point it changed to 0xBC. I continued on for a minute or so more and then decided to stop.

I turned off the the power to the drive and killed JF. Then restarted JF and verified that the drive was still detected correctly, which it was. However, I Intro'd and it was now showing SPI status 0x00

Code:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JungleFlasher 0.1.86 Beta (267)
Session Started Mon Aug 08 21:54:02 2011

This is a 32 bit process running on 2 x 32 bit CPUs
X360USB PRO detected, Version 0.18

Found 1 I/O Ports.
Found 1 Com Ports.
Found 7 windows drives A: C: D: E: H: I: M:
Found 3 CD/DVD drives E: H: I:

Drive is Slim Lite-On..

Key found in KeyDB at record (105 - Post13599Dump)
Key is: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key has been tested and verified, thanks C4eva !
Sending Vendor Intro to port 0x0000
Status 0x51
Re-sending Vendor Intro:
......................................
Serial flash found with Status 0x72

Sending Device ID request to port 0x0000
Spi Status: 0x00
Manufacturer ID: 0xEF
Device ID: 0x11
Flash Name:  Winbond/NEX(W25P20/NX25P20)
Flash Size:  262144 bytes

Not surprisingly I flashed LT+1.91 and it worked fine. Been playing for about an hour and no side effects.

At this point I noticed that JF had not re-locked the drive after flashing. Must be because I had power cycled and messed up the process, so I just used my version of the russian tool to lock it again:



Now JF reports:

Code:

Serial flash found with Status 0x72

Sending Device ID request to port 0xD400
Spi Status: 0x8C
Manufacturer ID: 0xEF
Device ID: 0x11
Flash Name:  Winbond/NEX(W25P20/NX25P20)
Flash Size:  262144 bytes

And finally, here's a pic of my work. Not the smallest soldering iron tip in the world but did the job.
I found that the hole fills up with dust that I had to keep scraping out and then back in with the iron.



Just a final word. If anyone sees their status change from 0x8C to 0xBC during the process, stop there, restart JF and Intro.

[unforgiven64]

just for the record , i think the sata socket on the bvoard was the problem ...
but after that  i erased my OFW With JF , and suddenly power off the console!....
now apparently the drive stuck in vendor mode , and openning mode!.....
the sata chipset is VIA  6421 , and it`s not compatible with 0225!
so i should use a sata to USB coverter to connect my drive to pc with sata to usb method and for thease things i need to open tray and close one time! ...
but drive stuck in openning and noting happens when i touch open tray ...
i try to write LT1.91 with dosflasher32 too ... and i can press the write flash button but it will stuc in "Erase..." mode...

any help ? or should i open a new topic ?

[saas474]

is there any guide for via owners ??
anyone ??

[morenomdz]

Not so good, two pcbs f***ed, one working. I will stick with the dremmel like a pro.

[iLLNESS]

well i went ahead and tried out this method on my drive tonight (not sure why, i have 0 need for LT lol. suppose for the fun of it).

either way, marked the pcb, went ahead and dremel'd it. got spi status of 0x00 and away i went.

problems arise (using latest JF):
intro reveals drive is 0x00, but when i click on read to dump ofw it takes a minute and stalls. introing now shows either status 0x3c or 0x3e. i can relock the drive to 0x8c and repeat the process. issue here is a lighter nor isopropyl alcohol will unlock the drive again. to unlock i have to connect the broken line to 3.3V with the 100ohm resistor in which case it unlocks.

i can repeat this process over and over with the same results. reading kicks the status to 3c or 3e after im prompted to remove power and repower within 1 second, to get back to 0x00 i have to lock and unlock again.

needless to say, i gave up on attempting to read full OFW. i decided to just write using lt spoofed from slimunlock dummy.bin from before. same process except i write the CFW instead of trying to read. it fails verification and drive no longer reads originals (playdvd).

end result? bricked. drive no longer intros, detects, ejects, spins, etc. pro ic repacement now needed (i think).

im assuming this IC is toast and i'd recomend anyone else in the same situation to not attempt writing if the reads are failing regardless of the 0x00 status.

perhaps someone here knows of a way to revive this drive. in the meantime, learning mistake

[morenomdz]

Ok, updating, there was a come back.

The first two I made did not work, because JF do not beep fast enough. You must be watching for status change to 3 (yes 3 not 3c), stop right there, re-intro, and you are set.

AND, a big and here, I did use a resistor to have the 3.3v being injected there, it did fasten the process a lot.

Did 4 boards this way and all are working perfectly, will start using that method from now on, if the results change later ill update here.


We should call it Samba Unlock, as it started with some crazy Br.

[iLLNESS]

well just a minor update. i decided to play with the drive again, and managed to revive it to the point there jf detects it/etc but i still cant get a proper write to the drive as it keeps failing verification.

[mespo365]

well i went ahead and tried out this method on my drive tonight (not sure why, i have 0 need for LT lol. suppose for the fun of it).

either way, marked the pcb, went ahead and dremel'd it. got spi status of 0x00 and away i went.

problems arise (using latest JF):
intro reveals drive is 0x00, but when i click on read to dump ofw it takes a minute and stalls. introing now shows either status 0x3c or 0x3e. i can relock the drive to 0x8c and repeat the process. issue here is a lighter nor isopropyl alcohol will unlock the drive again. to unlock i have to connect the broken line to 3.3V with the 100ohm resistor in which case it unlocks.

i can repeat this process over and over with the same results. reading kicks the status to 3c or 3e after im prompted to remove power and repower within 1 second, to get back to 0x00 i have to lock and unlock again.

needless to say, i gave up on attempting to read full OFW. i decided to just write using lt spoofed from slimunlock dummy.bin from before. same process except i write the CFW instead of trying to read. it fails verification and drive no longer reads originals (playdvd).

end result? bricked. drive no longer intros, detects, ejects, spins, etc. pro ic repacement now needed (i think).

im assuming this IC is toast and i'd recomend anyone else in the same situation to not attempt writing if the reads are failing regardless of the 0x00 status.

perhaps someone here knows of a way to revive this drive. in the meantime, learning mistake

Try drilling just a tad more. Almost sounds like the 2 traces arent completely cut threw yet. I think this just because the ligher/alcohol wont unlock it again.  I've seen alot of people run into a similar problem for either drilling not enough or too much(yea i know). But again I think you should just drill a tad more

[saas474]

For the last few days after avidly watching the details of this hack emerge, I decided there was NO WAY I'd be trying this and that I'd wait for a safer method to be discovered. But something inside me gradually started to say "Do it!", "Do it!", "DO IT!!!"

So I did, and I used the soldering iron method and by all accounts it seems successful with no side effects. Phew!

Thing is though, it didn't go exactly as I thought it would. As I continued to melt the hole in the MTK chip, JF kept reporting 0x8C but at some point it changed to 0xBC. I continued on for a minute or so more and then decided to stop.

I turned off the the power to the drive and killed JF. Then restarted JF and verified that the drive was still detected correctly, which it was. However, I Intro'd and it was now showing SPI status 0x00

Code:

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JungleFlasher 0.1.86 Beta (267)
Session Started Mon Aug 08 21:54:02 2011

This is a 32 bit process running on 2 x 32 bit CPUs
X360USB PRO detected, Version 0.18

Found 1 I/O Ports.
Found 1 Com Ports.
Found 7 windows drives A: C: D: E: H: I: M:
Found 3 CD/DVD drives E: H: I:

Drive is Slim Lite-On..

Key found in KeyDB at record (105 - Post13599Dump)
Key is: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key has been tested and verified, thanks C4eva !
Sending Vendor Intro to port 0x0000
Status 0x51
Re-sending Vendor Intro:
......................................
Serial flash found with Status 0x72

Sending Device ID request to port 0x0000
Spi Status: 0x00
Manufacturer ID: 0xEF
Device ID: 0x11
Flash Name:  Winbond/NEX(W25P20/NX25P20)
Flash Size:  262144 bytes

Not surprisingly I flashed LT+1.91 and it worked fine. Been playing for about an hour and no side effects.

At this point I noticed that JF had not re-locked the drive after flashing. Must be because I had power cycled and messed up the process, so I just used my version of the russian tool to lock it again:



Now JF reports:

Code:

Serial flash found with Status 0x72

Sending Device ID request to port 0xD400
Spi Status: 0x8C
Manufacturer ID: 0xEF
Device ID: 0x11
Flash Name:  Winbond/NEX(W25P20/NX25P20)
Flash Size:  262144 bytes

And finally, here's a pic of my work. Not the smallest soldering iron tip in the world but did the job.
I found that the hole fills up with dust that I had to keep scraping out and then back in with the iron.



Just a final word. If anyone sees their status change from 0x8C to 0xBC during the process, stop there, restart JF and Intro.

thx m8
i followed ur way unlocked my drive (225) then write CFW (like 9504)   ....
but how can i lock it again ??  

[iLLNESS]

thx m8
i followed ur way (but) using X360USB Pro     unlocked my drive (225) then write CFW (like 9504)    ....
but how can i lock it again ??   

control+shift+f11 in jungleflasher.

[saas474]

thx m8
i followed ur way (but) using X360USB Pro     unlocked my drive (225) then write CFW (like 9504)    ....
but how can i lock it again ??   

control+shift+f11 in jungleflasher.

i love u 

[cypher21]

Can the ppl who used the soldering iron trick please check one thing.
Is your soldering iron (and wall plug) grounded or not?

Because on most soldering irons the tip is grounded which makes the 3.3v go directly to ground and (in my opinion) that causes the unlock to fail

[miskan]

Just use a dremel with very light pressure and stop every second if you want to. Can't screw it up this way, at least I haven't thus far (except for eject troubles on 1st one, which is fixable). 5 consoles done.

[cypher21]

i know dremel method works...
I was just wondering about the solder method, especially with the grounded tip.. hence the question, so your remark about the dremel doesn't answer my question

[ferid]

Is anyone covering the hole when closing up the drive?

[dangal]

Hello to everyone and sorry with me english
I make one slim 0225 with geremias metod,eveything is ok with the backup game,but i cant read original games,any ideas?
thanks a lot!!!

[the-green]

If original give you Read DVD error, it looks to be a problem with the calibration-data
We need that team jungle make full-dump option avaible on JF, this will fix the read DVD errors, every OFW has it's own calibration data
That's what I've understand from maximus & Geremia (thanks to them)


Please guys, I had a question, I don't have this dremler so I manage to use A solid needle for making the whole, I saw the soldering iron method's too, it looks good !!!
SO he real question is do those methods need the 3.3V line to be kept in all time
or we can make the whole & than apply the 3.3V with the 100 Ohms resistor into-it ??

I had the idea to use an external source for the 3.3V, not the PCB one's I think this will work, I am wrong

thanks in advance for your answers