Alternative FW for Samsung SH-D162C V0.5 released...

[kreon]

June 23rd 2006

***************************************************************************
*  XBOX 360 enabled alternative FW for the Samsung SH-D162C drive - V0.5  *
***************************************************************************

Well ok...it's not fully completed yet, but I thought it was time to release some of the goodies I've made for the SH-D162C
during the last month. The challenge/response functionality ISN'T included in this release, so you will NOT be able
to make complete backups of 360 games unless you can obtain the SS from some other source. This said I'm quite certain,
that you'll appreciate the other features that have been completed and included in this release.


This is what you get..
--------------------------------
- Two types of unlock for XBOX 360 game discs. One for making xtreme style images and one for making wxripper style images.
  Both types of iso can be made using isobuster. Ripping using wxripper isn't supported for the time being
- A 'lock' function that will cancel any enabled unlock state. This can be very useful for custom applications.
- 'Error skipping' which basically speeds up the error handling of the drive. A complete wxripper style image (including video)
  can be obtained in 15-16 minutes, when error skipping is enabled. Getting through the critical area of LBA 19408-20479 will take
  you more than 20 minutes alone, if error skipping is disabled
- Read and decrypt of SS. The SS returned from the drive is complete except for the missing C/R data at offset 0x200. This is very
  handy since you can compare the SS from the game in the drive to a SS found on the internet. No more coasters due to an incorrect SS.
- A much more streamlined command interface which is good news if you intend to write an application that makes use of the drives
  extra features.
- The drive will default to unlock state 2 and error skip enabled when a 360 media is inserted. You can in other words use isobuster to
  obtain a wxripper style image without issuing any commands to the drive

 
This is what you'll have to wait for..
-----------------------------------------------
- Full challenge/response functionality.
- RPC1 support


I've been working hard on the challenge response part for a couple of weeks now, and I have to admit that there's still a lot of work left to do.
More than 6000 C/R related lines of code have been extracted, and well.....I do expect the implementation and debugging to take some time
I don't know when this part will completed, but I can assure you, that I'll be working to complete this as my main priority.


Ripping using Isobuster..
---------------------------------
Not much to add here except for the number of LBA to read when using unlock 2 is 3697696 as opposed to 3567872 for unlock 1.
A successful wxripper style image will have a size of 7.572.881.408 bytes, while a successful xtreme style image will have
a size of 7.307.001.856 bytes.


And now some technical stuff....

Command set additions found in this FW..
-----------------------------------------------
FF 08 01 01               , 'Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives.
                    This command is supported for legacy reasons only. Custom applications should use the new
                    'Set lock state' instead.
                                                            
FF 08 01 11 xx               , 'Set Lock State'
                    xx=00 - Drive locked (no unlock state)
                    xx=01 - Unlock State 1 (xtreme) enabled
                    xx=02 - Unlock state 2 (wxripper) enabled

FF 08 01 15 xx               , 'Set Error Skip State'
                    xx=00 - Error skip is disabled
                    xx=01 - Error skip is enabled

AD 00 FF 02 FD FF FE 00 08 00 xx C0      , This is the well known SS extract commands from the xtreme fw.
                    Since C/R hasn't been implemented yet, xx is don't care and the drive will return the decrypted
                    SS without any C/R data at offset 0x200

FF 08 01 10               , 'Get Feature List'
                    This command will return a list of the additional features supported by the drive.
                    All values returned are 16 bit values, and the list is terminated with null (0x0000)
                    The two first words of the returned list always reads as 0xA55A 0X5AA5 in order to guarantee
                    that a reply from a drive not supporting this command correctly isn't mistaken for a feature list.
                                    
                    An example feature list could be:
                    0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000
                                          
                    This list would indicate that the drive supports Unlock 1, Lock and Error Skip, as it can be seen
                    from the values defined below:
                                                         
                    XBOX 360 related features..                                                   
                    0x0100 : The drive supports the unlock 1 state (xtreme)
                    0x0101 : The drive supports the unlock 2 state (wxripper)
                    0x0120 : The drive can read and decrypt the SS
                    0x0121 : The drive has full challenge response functionality
                                                         
                    General drive features..
                    0xF000 : The drive supports the lock (cancel any unlock state) command
                    0xF001 : The drive supports error skipping
                                                
                    This is the complete list of defined features at the moment. If you're working on a custom application you
                    might want to contact me in order to get the latest list.
                                                         

To those of you that might be wondering if this release will work with XBOX games.....well it probably will.... in theory at least. No extensive testing
has been made at this point, so I guess you will have to test that part by yourself



That's just about it for now. I hope to be back with more goodies soon and that this release will be helpful to you all.

A big thanks must go to FlexyZ for letting me borrow, destroy and finally repair his TS-H943 . Without this kind of help this release wouldn't be possible.
I would also like to thank all of the other guys working hard on making the 360 a little more user friendly Keep up the good work!

Have fun!
Kreon

[Perphide]

Sounds impressive!
I don't have the drive so I can not test it... but it sounds very impressive!

[moontan]

"Read and decrypt of SS. The SS returned from the drive is complete except for the missing C/R data at offset 0x200. This is very
  handy since you can compare the SS from the game in the drive to a SS found on the internet. No more coasters due to an incorrect SS"


How exactly are you meant to read the ss?


Great work btw

[Romps]

Well i thought i would join to say thx for the work u have put into this and anyone else who has helped or whos advice u have used on the way....

I have flashed the drive went ok and dumped a disk using both unlock methods and both work fine
I have also extracted the ss and it matches 100% apart from the c/r at offset 0x200 as stated from the ss extracted using sammy drive in 360..

So very handy apart from having to still connect 360 for extracting ss but im sure u will get there soon

Again thx to u Kreon and all others who advice and work u have used to get to this stage...

[twicko]

thank you 

[TheSpecialist]

I've been working hard on the challenge response part for a couple of weeks now, and I have to admit that there's still a lot of work left to do.
More than 6000 C/R related lines of code have been extracted, and well.....I do expect the implementation and debugging to take some time
I don't know when this part will completed, but I can assure you, that I'll be working to complete this as my main priority.

What difficulties are your experiencing with the construction of the C/R table ? And I'm curious, what exactly are you doing with 6000 lines of C/R related code ?

[uberfry]

check this out guys (good for Europeans):
http://www.hardwareschotte.de/hardware/preise/proid_8013837/preis_SAMSUNG+SH-D162C

[Pandor]

Works great man.
Even on linux!

i've just succesfully ripped a game and all came out just as it should.

i've used plscsi to make sure the drive was set wxripper style unlock:

Code:

# ./plscsi /dev/hda -x "FF 08 01 11 01"

Code:

$ dvd+rw-mediainfo /dev/hda
INQUIRY:                [TSSTcorp][DVD-ROM SH-D162C][TS04]
GET [CURRENT] CONFIGURATION:
 Mounted Media:         10h, DVD-ROM
GET [CURRENT] PERFORMANCE:
 Write Performance:     0.0x1385=0KB/s@[0 -> 3697695]
 Speed Descriptor#0:    00/3697695 R@0.0x1385=0KB/s W@0.0x1385=0KB/s
READ DVD STRUCTURE[#0h]:
 Media Book Type:       01h, DVD-ROM book [revision 1]
 Legacy lead-out at:    2704*2KB=5537792
READ DISC INFORMATION:
 Disc status:           complete
 Number of Sessions:    1
 State of Last Session: complete
 Number of Tracks:      1
READ TRACK INFORMATION[#1]:
 Track State:           complete
 Track Start Address:   0*2KB
 Free Blocks:           0*2KB
 Track Size:            3697696*2KB
FABRICATED TOC:
 Track#1  :             14@0
 Track#AA :             14@3697696
 Multi-session Info:    #1@0
READ CAPACITY:          3567872*2048=7307001856

ripping the disc:

Code:

$ sg_dd blk_sgio=1 bs=2048 coe=1 verbose=2 if=/dev/hda of=xbox360.iso

that spit out a few read errors and eventually came out as a 7572881408 bytes iso file.


Great work! keep it up.

[FlexyZ]

When a Xbox 360 dvd is inserted, the drive automatically use "Unlock state 2 (wxripper)" mode (is default option), so need to send any unlock cmd's

And of course it works under Linux, the drive is doing all the work

[moontan]

http://cgi.ebay.de/Samsung-DVD-CD-Laufwerk-16-48x-SH-D162C-Schwarz_W0QQitemZ230006348387QQihZ013QQcategoryZ3754QQrdZ1QQcmdZViewItem

Cheap aswell for germans/europeans

[kreon]

Link removed, could be illegal under DMCA/EUCD

[GoldenGraham]

ive flashed ok. but after i put the commands in it still shows the xbox game as an xboxdvd... i was pretty f***ed up when i was trying

[probutus]

Great Job! I have the file and will test it together with my GDFS filesystem driver for linux ...

[kreon]

I forgot to mention that the SH-D162C is identical to the TS-H352C. You should be able to cross flash TS352C to a 162C using the -nocheck option.

This haven't been tested, but the fw of the two drives is identical except for a few ID strings.

[Enj]

Could someone post the md5 hashcode.
(I got DB2DF154AB92FE9D32C7A0D55EE2031B)

I downloaded the firmware, but the readme speaks about:

TSSTcorpCD/DVDW SH-W162CTS10

I got
TSSTcorpDVD-ROM SH-D162CTS04

and when i want to load the firmware it says "firmware not compatible"

Do I have a wrong firmware or do i just have to override the compatibity checking?

@Kreon great Job!

[kreon]

Could someone post the md5 hashcode.
(I got DB2DF154AB92FE9D32C7A0D55EE2031B)

I downloaded the firmware, but the readme speaks about:

TSSTcorpCD/DVDW SH-W162CTS10

I got
TSSTcorpDVD-ROM SH-D162CTS04

and when i want to load the firmware it says "firmware not compatible"

Ehm...yes... you definately have the wrong FW. The SH-W162C is a DVD writer while the SH-D162C is a standard DVD-ROM drive

[Enj]

Does it normaly work without -nocheck?

When I start it with nocheck and load the file, is seems to be correct but maybe i should look for another firmware.

[FlexyZ]

You MUST have "SH-D162C"  OR "TS-H352C", don't flash your "SH-W162CTS10" with the KREON_FW.

[Enj]

I got a SH-D162C, what i mentionend above and what you can see on the screenshot I attached.
The problem is do i have the correct firmware

[FlexyZ]

Screenshoot look good

The "How to upgrade firmware.txt" for the flashing, is a general readme, so don't confuse it with the rest.

This firmware is ONLY for  "SH-D162C"  OR "TS-H352C" - and "TS-H352C" has not been testet yet, but hardware is the same, so should be good.