XboxHacker BBS
Author Topic: New type of Error 66 - Possible LT CFW flaw discussion  (Read 2096 times)
wmxp
Member
Posts: 10
« on: December 20, 2011, 08:41:16 PM »

First off, let me say that I KNOW what Error 66 is. This is not another "noob tard who can't read the documentation" thread.

-Purchased never modded, never banned 360 Xenon first gen, with a Samsung MS25. XBL updated a few days ago to dash 13604, system still stock.

-Dumped drive firmware with JungleFlasher 0.1.90; reported as MS28 spoofed as MS25. Flashed with Samsung LT 2.01 with spoof carried over as MS25.

-System boots and plays games just fine with new CFW, still on 13604.

-Attempt XBL update to 14699 today, and within the first update progress bar, the system crashes to the classic E66 black error screen from 2006: http://forums.xbox-scene.com/index.php?showtopic=559583

-Reflashed with original dumped firmware, and update installs correctly.


Now, I hit XS searching for answers of course immediately after because this struck me as very bizarre behavior. E66 has always been a console boot error, and seeing it on a system update is very new. I started looking over the firmware files in a hex editor carefully to see if I could shed some light:

1) My MS25 dumped firmware, and the "iXtreme_LTplus_v2.0-v2.01-hitachi_2.0b_added\Stock firmware\Samsung\Samsung_Post_13141" reference firmware are *VERY* different. I expected only the drive key and the Inquiry/Identify areas to be different, but there are massive blocks of data very much unique to each. This flies directly in the face of the notion that all the drive firmwares are identical post XGD3 firmware update.

2) Over on Xbox-Scene, a user named Ruhllatio offers his input that the problem lies with the spoofing, and that he successfully updated with LT 2.01 still installed, sans MS25 spoof. I compared an output CFW with and without the spoofing, and the only difference is the Inquiry/Identify areas:



3) My original MS25 dump has exactly the same Inquiry/Identify data, at exactly the same offsets as the spoofed CFW that failed the update.



Conclusion: There IS a difference between the firmware flashed to the MS25 vs the MS28, and running LT 2.01 right now on a MS25 will surely lead to a detection on XBL.

Either that, or C4E's rootkit tech is reporting something faulty? This needs to be looked into, and I would follow the general advice of staying off XBL for now, regardless of what drive you have.


Side note question / discussion:
A few years back, the general consensus on the classic CFWs was that they were invisible to the 360 host itself, and all the detection was related to how the discs were handled. This year's updates have radically changed this standing it seems, with the system itself now flashing the dvdrom firmware, and system updates which require multiple reboots, cold booting the hardware again, and in theory gaining access to the same boot sequence hijacking of the MTK chips that was exploited in the early days of DOS flashing CFW.

Now the Liteon drives do not have a user-dumpable firmware, and all the progress on that end was done through the acid decanting projects of the Jungle team and co. These drives I presume are still invisible to a host read, and are only "blind" flashed by the system with the console specific information embedded.

The Samsung drive on the other hand, along with the BenQ, always had means of being completely dumped from the user end. JungleFlasher itself, now has the master unlocking command of both drives, and this same command works verbatim on iXtreme LT. What is to stop the 360 itself from simply dumping the drive firmware in the same manner, when it pleases, to have a nice inspection of?

Also, was there ever any info available that the system logged an Error 66 somewhere? An Xval test still reports a clean secdata in the NAND, so there doesn't appear to be any direct flags associated with it, but I'm still wondering if it will come back later to bite us in the ass.
« Last Edit: December 20, 2011, 08:57:39 PM by wmxp » Logged
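The comparison wmxp describes above (two firmware images checked byte by byte to see whether the differences stay inside the Inquiry/Identify areas or spill into other blocks) can be scripted instead of eyeballed in a hex editor. The Python below is an added example written for this page; it is not code from the thread, from JungleFlasher or from any firmware pack. It reports every contiguous run of differing bytes with offset and length, labels each run with the named region that fully contains it, and answers the question the post is really asking: do the differences stay within the expected areas? The two images and the region table (offsets of "inquiry", "identify" and "key") are constructed for the demo; the real layout of a Samsung drive's firmware is not given on this page.

```python
"""Run-level comparison of two firmware dumps (added example, constructed data)."""
from dataclasses import dataclass
from typing import Dict, List, Set, Tuple


@dataclass(frozen=True)
class DiffRun:
    offset: int
    length: int
    region: str  # name of the enclosing region, or "unclassified"


def diff_runs(a: bytes, b: bytes) -> List[Tuple[int, int]]:
    """Return (offset, length) for every maximal run where a and b differ.

    If the images have different sizes, the tail beyond the shorter one is
    reported as a differing run (merged with a run that ends exactly there).
    """
    n = min(len(a), len(b))
    runs: List[Tuple[int, int]] = []
    start = None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, n - start))
    if len(a) != len(b):
        longer = max(len(a), len(b))
        if runs and runs[-1][0] + runs[-1][1] == n:
            off, _ = runs.pop()
            runs.append((off, longer - off))
        else:
            runs.append((n, longer - n))
    return runs


def classify(runs: List[Tuple[int, int]],
             regions: Dict[str, Tuple[int, int]]) -> List[DiffRun]:
    """Label each run with the first region [start, end) that fully contains it."""
    out = []
    for off, ln in runs:
        name = "unclassified"
        for rname, (rstart, rend) in regions.items():
            if rstart <= off and off + ln <= rend:
                name = rname
                break
        out.append(DiffRun(off, ln, name))
    return out


def only_within(runs: List[DiffRun], allowed: Set[str]) -> bool:
    """True when every differing run lies inside one of the allowed regions."""
    return all(r.region in allowed for r in runs)


# --- constructed demo data: NOT a real drive firmware layout ---------------
SIZE = 0x1000
REGIONS = {            # hypothetical [start, end) offsets for the demo only
    "inquiry":  (0x100, 0x140),
    "identify": (0x200, 0x280),
    "key":      (0xF00, 0xF10),
}


def make_demo_images(spoof_only: bool) -> Tuple[bytes, bytes]:
    """Base image with the high bit set everywhere, so any ASCII patch differs."""
    base = bytes(0x80 | ((i * 31) & 0x7F) for i in range(SIZE))
    other = bytearray(base)
    other[0x108:0x118] = b"SAMSUNG MS25    "   # 16 bytes inside "inquiry"
    other[0x210:0x218] = b"TS-H943A"           # 8 bytes inside "identify"
    if not spoof_only:
        other[0x800:0x804] = b"\x01\x02\x03\x04"  # a change outside any region
    return base, bytes(other)


def compare_demo(spoof_only: bool) -> List[DiffRun]:
    base, other = make_demo_images(spoof_only)
    return classify(diff_runs(base, other), REGIONS)


if __name__ == "__main__":
    for spoof_only in (True, False):
        runs = compare_demo(spoof_only)
        for r in runs:
            print(f"0x{r.offset:05X} +{r.length:<4d} {r.region}")
        print("only inquiry/identify changed:",
              only_within(runs, {"inquiry", "identify"}), "\n")
```

For real dumps, replace `make_demo_images` with two `open(path, "rb").read()` calls and fill `REGIONS` from whatever layout you have verified for your drive; the point is that a single extra run outside the expected areas flips `only_within` to False, which is exactly the signal the post was looking for in the hex editor.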
mattjk
Hacker
Posts: 85
« Reply #1 on: December 21, 2011, 04:59:45 AM »

Was the box purchased by yourself from new?

Dumped an ms25 not so long back on the latest dash and it's very different to the stock dump that comes with C4E's FW pack. (based on ms28 as is the modified FW)

The Samsung FW is definitely different on the latest dash between revisions, I think only certain banks/sections were patched in the XGD3 update. (Unfortunately I don't have a pre-dump) The ms25 can still be put in vendor mode with a standard MTK intro, whereas the ms28 cannot, which would reaffirm the point.

I have had E66 before when I quit to dash and pressed the eject button at the same time; I wouldn't worry too much about it, it happens.

If you want to send me your OFW I can reference it to the 2 (latest) stock ms28 and ms25 dumps I have and let you know how it looks.

Edit: Just had a read of the link you pasted, particularly the bit about "Apparently MS has been storing drive info on consoles manufactured starting around end of May/begin of June 2006. Consoles made before that date will probably work with any drive model/version."

I wonder if there is any truth in that, someone must have a JTAG'd Xenon from 2005 and can check the KV. I'm not sure I believe it to be honest.

Oh and the "rootkit" is only in the slim FW's to overcome the realtime hash checks etc... Not a problem on fats :)
« Last Edit: December 21, 2011, 05:17:35 AM by mattjk » Logged
wmxp
Member
Posts: 10
« Reply #2 on: December 21, 2011, 05:55:39 AM »

The system was a refurb from EB Games, with their "seal of approval" on the back. Updated GPU heatsink, and thermal pads for the older ram chip style underneath the board. Date on the back is May 9th 2006, but we don't know if MS set the system to store the vendor info at a later date. Sadly, the dash was 13146, so I have no pre spring update firmware dump either.

However, I have secured yet another first gen Sammy and this one is very much virgin. Girl had it in her closet for a couple years; present from her father. Still has the original MS seal on it, and running dash 8955. Production date is Aug 2nd, 2006 - so recorded vendor data most likely. I'll dump, update, and redump the box when I get a pocket of time.

I forgot about the small detail with the official Samsung update being only partial bank flashing. Each drive still appears to get its own specific patch though:

Quote:
    Phat Samsung: TSSTcorp DVD-ROM TS-H943A ms25 -> ms25p---
    Phat Samsung: TSSTcorp DVD-ROM TS-H943A ms28 -> ms28p2f9

    Samsung drives are updated with files from $install_extender.xex which contains 4 smaller patches rather than full fw files: ms25p1f9, ms25p2f9, ms28p1f9, ms28p2f9. Each patch is 48.4 KB and makes some changes in parts of the firmware. Therefore you must obtain the new OFW dumped from an actual Samsung drive. It appears that 13146 patches ms28 drives with ms28p2f9.

==> http://forums.xbox-scene.com/index.php?showtopic=730311


Check your PM inbox
Logged
mattjk
Hacker
Posts: 85
« Reply #3 on: December 21, 2011, 06:12:30 AM »

Been doing some searching on type 1 KVs; it would seem some of the very old ones didn't contain an OSIG, so perhaps the information on XS is correct. Unfortunately I'm guessing without the CPU key there is no way we can decrypt it to see if the KV was updated when the drives were patched? (I have a 2005 Xenon so in theory mine should be blank unless it was patched)

Are we presented with an error now when we try and put a different brand DVD model in an updated box? I seem to recall on the TX forums that you don't get an E66 till you try and boot an XGD3 game. (something to do with AP2.5 and osig validation iirc) I have a Falcon with a BenQ in; if I have time tonight I will mess around with various settings/changes and report back.

I got your PM also, I will have a look tonight also and let you know.

I would make an educated guess that the reason people were getting E66 when updating a ms25 with C4E's FW (based on ms28) is that the box was doing vendor specific commands which the drive can't respond to... (ie as I mentioned above the MS28 requires a special unlock - when the console was sending a simple ms25 "standard" intro.)

This would confirm the host does somehow check the drive on updates - I always flash to stock before updating anyway for that very reason.
Logged
wmxp
Member
Posts: 10
« Reply #4 on: December 21, 2011, 07:28:09 PM »

This thread I found VERY interesting:
http://forums.xbox-scene.com/index.php?showtopic=734376

I know a couple people with Xenon/Zeph refurbs from MS, that had the drive replaced with a Liteon. I'd be curious to test out a few things on it, but I imagine this guy might have triggered the AP flag at some point. Dangerous waters to sail in. =\
Logged
mattjk
Hacker
Posts: 85
« Reply #5 on: December 22, 2011, 04:30:46 AM »

I had a look at your FW last night; it looked quite a bit different to the OFW from my ms25 (2005 launch model).

I think the Major update (13146) which updated the drive, would have only worked if you didn't have a spoofed drive. (MS refurbs are never spoofed, not sure if KVs are updated?)

Do we know if the OSIG in the KV is updated on 13146 if we put a different drive in? (not spoofed) - It would make sense that they are, certainly... Unfortunately both consoles I own are on latest dashes else I'd try.

Logged
GHR
Newbie
Posts: 7
« Reply #6 on: December 22, 2011, 05:56:06 AM »

No OSIG changes. They just take the current key off of the drive (whatever drive) and based on the Vendor use their procedure to flash it.
For those that spoofed, the error resulted from the wrong Vendor Intro.
Logged
mattjk
Hacker
Posts: 85
« Reply #7 on: December 22, 2011, 06:19:49 AM »

Quote:
    No OSIG changes. They just take the current key off of the drive (whatever drive) and based on the Vendor use their procedure to flash it.
    For those that spoofed, the error resulted from the wrong Vendor Intro.

Cheers GHR. I think that concludes the issue
Logged
Grandmaster56
Member
Posts: 49
« Reply #8 on: January 12, 2012, 12:40:21 AM »

As far as I could tell there is no LT+ for MS25 drives. I've always just flashed the MS28 fw onto the MS25 drive I'm flashing. Never had any issues.
Logged