XboxHacker BBS
Author Topic: Dumping Security Sector with H-943A  (Read 40757 times)
xDREAM (Master Hacker, Posts: 124)
« Reply #20 on: February 17, 2006, 02:58:33 PM »

Hey guys, I would like to know something. In plscsi you can get the end sector (maxlba) by using x25 (READ CAPACITY), so I was thinking: can you use the x0B op, which is SET CAPACITY, to read the wanted FD021E sector, or can only the drive itself modify maxlba? I would really like to patch my Samsung (MT1358) to do this but I can't find a disasm for it; dunno if IDA has signatures for it.
MacDennis (Xbox Hacker, Posts: 614)
« Reply #21 on: February 17, 2006, 03:25:48 PM »

> Hey guys, I would like to know something. In plscsi you can get the end sector (maxlba) by using x25 (READ CAPACITY), so I was thinking: can you use the x0B op, which is SET CAPACITY

Set capacity? Which standard describes this command??

> to read the wanted FD021E sector, or can only the drive itself modify maxlba?

Tear your X360 apart and try! If someone had tried it, it probably would have been mentioned on this forum, don't you think? But I doubt it will work. It most probably also checks your LBA against the end PSN of the data area.

> I would really like to patch my Samsung (MT1358) to do this but I can't find a disasm for it; dunno if IDA has signatures for it.

This has been discussed in the firmware hacking thread.
xDREAM (Master Hacker, Posts: 124)
« Reply #22 on: February 17, 2006, 03:36:56 PM »

> Set capacity? Which standard describes this command??
>
> Tear your X360 apart and try! If someone had tried it, it probably would have been mentioned on this forum, don't you think? But I doubt it will work. It most probably also checks your LBA against the end PSN of the data area.
>
> > I would really like to patch my Samsung (MT1358) to do this but I can't find a disasm for it; dunno if IDA has signatures for it.
>
> This has been discussed in the firmware hacking thread.


http://www.t10.org/lists/op-num.htm
Set Capacity
0x0B: The command sets the available medium for the currently mounted volume to a proportion of the total capacity of that volume. Any excess space shall be unavailable on the volume after successful completion of this command until changed by a new SET CAPACITY command.

I don't think you need to tear your 360 apart; this should work on any IDE drive if it works at all.

Regarding the MT1358, I could not find it, only the MT1359 (script); dunno the difference, but IDA didn't give me good code, maybe I did something wrong.
« Last Edit: February 17, 2006, 03:39:50 PM by xDREAM »
MacDennis (Xbox Hacker, Posts: 614)
« Reply #23 on: February 17, 2006, 03:55:48 PM »

That's not a specification or a standard. This command isn't explained in ATA-3/ATA6, SAM4, SBC3 or SPC3. Conclusion: this command does not exist in our DVD-ROM drives.
xDREAM (Master Hacker, Posts: 124)
« Reply #24 on: February 17, 2006, 04:15:33 PM »

> That's not a specification or a standard. This command isn't explained in ATA-3/ATA6, SAM4, SBC3 or SPC3. Conclusion: this command does not exist in our DVD-ROM drives.

Then this command is probably for HDDs or something else. Thanks.
robby2000 (Member, Posts: 28)
« Reply #25 on: March 22, 2006, 05:37:25 PM »

Hi robinsod,
(my English is VERY bad - sorry)
1) You connected the H-943A to the PC with this scheme http://www.kev.nu/360/dvdshort.html as an LG drive?
2) Reading the FLASH from the DVD-ROM to the PC (archiving) + hacked (with SecuritySector) and REFLASH this FW with ... (progs/utility from http://www.kev.nu/360/dvdshort.html)?
3) THX --- ehmm ... I am NOT stupid ... I am only NOT perfect in English ... Sorry
robinsod (Global Moderator, Xbox Hacker, Posts: 648)
Perl packed my shorts during global destruction
« Reply #26 on: March 22, 2006, 06:38:22 PM »

Hi robby2000

No problems, I AM stoopid AND my foreign is rubbish

I removed the flash from the PCB and wired it to an external socket; it is tricky, but I removed most of the glue with a hot soldering iron. BE AWARE: I damaged my drive and it took some repairing; eventually it died on me. SeventhSon and Tiros had some good info on connecting the drive to a PC but I did not do this. You can download the TS firmware from this site and I recommend you wait for software tools. My first 360 will soon be on sale on eBay: "Faulty 360, dead DVD drive"
LordX (Master Hacker, Posts: 129)
www.modchip.co.il
« Reply #27 on: March 22, 2006, 07:45:09 PM »

> Hi robby2000
>
> No problems, I AM stoopid AND my foreign is rubbish
>
> I removed the flash from the PCB and wired it to an external socket; it is tricky, but I removed most of the glue with a hot soldering iron. BE AWARE: I damaged my drive and it took some repairing; eventually it died on me. SeventhSon and Tiros had some good info on connecting the drive to a PC but I did not do this. You can download the TS firmware from this site and I recommend you wait for software tools. My first 360 will soon be on sale on eBay: "Faulty 360, dead DVD drive"

I just finished repairing my Samsung-Toshiba drive. I also tried to remove the flash from the PCB, but this glue is holding it very well! It was easy to remove the glue from the sides, but under the chip it is like impossible. I can use force, but I could damage the PCB tracks. I used hot air at 500C and nothing helped.

Guys, how can I make a backup of the Security Sector and firmware in the H-943? My Linux can detect it and I can use it like a normal drive for any disks; I have Dynebolic Linux OS.
burgemaster (Master Hacker, Posts: 100)
« Reply #28 on: March 22, 2006, 07:52:30 PM »

> Hi robby2000
>
> No problems, I AM stoopid AND my foreign is rubbish
>
> I removed the flash from the PCB and wired it to an external socket; it is tricky, but I removed most of the glue with a hot soldering iron. BE AWARE: I damaged my drive and it took some repairing; eventually it died on me. SeventhSon and Tiros had some good info on connecting the drive to a PC but I did not do this. You can download the TS firmware from this site and I recommend you wait for software tools. My first 360 will soon be on sale on eBay: "Faulty 360, dead DVD drive"

Still, mate, can't you still rip the chip off and dump it? At least you will have your key then, and a drive replacement will turn up somewhere?
LordX (Master Hacker, Posts: 129)
www.modchip.co.il
« Reply #29 on: March 22, 2006, 08:04:47 PM »

> Hi robby2000
>
> No problems, I AM stoopid AND my foreign is rubbish
>
> I removed the flash from the PCB and wired it to an external socket; it is tricky, but I removed most of the glue with a hot soldering iron. BE AWARE: I damaged my drive and it took some repairing; eventually it died on me. SeventhSon and Tiros had some good info on connecting the drive to a PC but I did not do this. You can download the TS firmware from this site and I recommend you wait for software tools. My first 360 will soon be on sale on eBay: "Faulty 360, dead DVD drive"
>
> Still, mate, can't you still rip the chip off and dump it? At least you will have your key then, and a drive replacement will turn up somewhere?

Yes, very possible. You have a programmer? If yes, make a backup!
robinsod (Global Moderator, Xbox Hacker, Posts: 648)
Perl packed my shorts during global destruction
« Reply #30 on: March 22, 2006, 09:58:20 PM »

Did I make a backup of my key? hahaha what do you think?

> Guys, how can I make a backup of the Security Sector and firmware in the H-943? My Linux can detect it and I can use it like a normal drive for any disks; I have Dynebolic Linux OS.

You can't; you need to extract it from the drive's memory. It's in the leadout and therefore not accessible from the host. I hacked the firmware to write the security sector (and anything else that was useful) to an empty area of flash. Then I could read the flash in my programmer (it was socketed) to extract the information.

With this in mind, why not start analysing the firmware and see if you can identify the routines that handle erasing and writing the flash? Top tip for n00bs: it's a good start point, since if you read the datasheets (SST 39SF020A, see their website) the code to control flash devices sticks out like a sore thumb. If you read the datasheet and still don't understand the commands or how they work, then ask questions and perhaps I can help you. Find an 8051 disasm tool and be sure to split the firmware into 4 chunks of 64KB. Most of the action is in the first chunk.....

Of course the other useful thing to find is the ATAPI command handlers; you can find all the important command handlers (ReadDVDStruct & Mode Sense) plus the much talked about debug commands! These are very useful since they seem to be there for no other reason than testing the authentication protocol, and they point to very interesting memory and code. Find and understand that code and you will know when and what to copy to flash in order to capture the security sector, CPR_MAI bytes and the CR data you will need (you could write them to flash if you know how to control it!!!)

So perhaps a little less worrying about how to back up in case you f**k up? A little less enthusiasm for soldering irons? And maybe a little more static analysis of what's already available? No one seems to have started to analyse the code here yet. I reversed most of the TS software and understood the security without once connecting my DVD drive to my PC (that's not the case for the hard core LG dev though), and to this day I still can't get the bloody thing to work with XP

Just my opinion - sorry if you don't like it. Of course, there are/will be better techniques (maybe discovered by you), so feel free to ignore/flame at your discretion
Slack3er (Master Hacker, Posts: 110)
« Reply #31 on: March 22, 2006, 10:21:18 PM »

> (that's not the case for the hard core LG dev though), and to this day I still can't get the bloody thing to work with XP

Robinsod, great work!

Have you checked out the Linux thread? probutus is making great progress with the LG drive and his patches. Plus we have a new way to get the LG drive detected under Windows. Like what was said in the thread: boot with a modded Knoppix CD, the LG drive is detected, set it to mode B. Then reboot to Windows. The LG drive will keep mode B and the drive should be detected. So far only with a Sil 3112 chipset.
probutus (Master Hacker, Posts: 394)
$#!t happens
« Reply #32 on: March 23, 2006, 08:52:14 PM »

With a slight modification the 3114 works also...
robinsod (Global Moderator, Xbox Hacker, Posts: 648)
Perl packed my shorts during global destruction
« Reply #33 on: March 24, 2006, 04:58:16 PM »

> With a slight modification the 3114 works also...

Cool

I pulled the flash out of my new TS drive. My first TS was labelled Part No: X800473-010, but a sticker with the number 015 had been stuck over the 010 (a version number for the firmware? probably). The new TS was originally labelled Part No: X800473-011, but this had also been changed to 016. I assumed this was a newer firmware, BUT when I dumped the flash and diffed it with "old" versions the only difference was the 16 byte key. Weird! So whatever that number is, it is not a version number.

Tip: remove the epoxy with a hot iron; be very careful not to damage the tracks, but do remove as much glue as possible from under the corners. Get the chip's pins as clean as possible and run a bead of solder along the pins on each side such that they are all 'bridged' together. Apply your iron to each side in turn until the solder holding the chip in place melts; there isn't a lot of glue under the chip and when it gets hot enough it lets go. After a minute or so the chip will simply fall off - no damaged tracks, and with a little cleaning up the flash is reusable. I recommend you get some good solder wick or braid. Now the flash can be mounted on the back of the drive in a socket - see Darkfly's pictures of his excellent setup in the original thread; that's what we're aiming for (if you do damage a track there's also a picture of the PCB with the tracks, and handy vias, with the signals labelled). This is still a bad idea if you're not 100% sure what you're doing and/or would be unhappy selling your 360 as "faulty" on eBay

When you dump the flash, make sure you compare it to the binaries already available (mods, I can't find the drive binaries anymore, have they gone? Just in case, here's the standard firmware http://rapidshare.de/files/16264678/H943.BIN.html). There may still be some glue on one or more of the pins and the dump may not be correct. I use Scooter Software's Beyond Compare; the registered version can use the hex viewer plugin. When you've got a good dump the files should match except for the 16 byte key @ 0x401A. If they don't match there's a good chance that the key may also be corrupt. As an extra check, make sure you can see the drive ID string "TSSTcorpDVD-ROM TS-H943Ams25" @ 0x20BC.

More shortly
« Last Edit: March 24, 2006, 05:04:38 PM by robinsod »
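A dump sanity check along the lines of the advice in the post above, as an added example that is not code from the thread or from any tool it mentions. It assumes a 4 x 64 KB image and takes the key offset (0x401A, 16 bytes), the ID string and its offset (0x20BC) from the post; the reference image and the two dumps are constructed samples, not real firmware, and the stuck-bit heuristic for a dirty pin is this example's own addition.

```python
# Added example, not code from the thread: a dump sanity check along the lines
# robinsod describes. A good H-943 flash dump should match a known-good image
# everywhere except the 16-byte key at 0x401A, and the drive ID string must be
# readable at 0x20BC. Offsets, ID string and the 4 x 64 KB size come from the
# post; the images built below are constructed samples, not real firmware.
KEY_OFFSET, KEY_LEN = 0x401A, 16
ID_OFFSET = 0x20BC
ID_STRING = b"TSSTcorpDVD-ROM TS-H943Ams25"
FLASH_SIZE = 4 * 64 * 1024          # four 64 KB chunks

def check_dump(dump: bytes, reference: bytes) -> list:
    """Return a list of problems; an empty list means the dump looks good."""
    problems = []
    if len(dump) != FLASH_SIZE:
        problems.append("size is 0x%X, expected 0x%X" % (len(dump), FLASH_SIZE))
    if dump[ID_OFFSET:ID_OFFSET + len(ID_STRING)] != ID_STRING:
        problems.append("drive ID string not found at 0x%X" % ID_OFFSET)
    # Any byte that differs outside the key window means a bad read (glue on a pin).
    stray = [i for i in range(min(len(dump), len(reference)))
             if dump[i] != reference[i]
             and not KEY_OFFSET <= i < KEY_OFFSET + KEY_LEN]
    if stray:
        mask = 0                        # OR of all differing bits
        for i in stray:
            mask |= dump[i] ^ reference[i]
        msg = "%d stray byte(s) differ, first at 0x%X" % (len(stray), stray[0])
        if mask & (mask - 1) == 0:      # a single bit is wrong everywhere
            bit = mask.bit_length() - 1
            msg += "; only bit %d flips, suspect data pin DQ%d" % (bit, bit)
        problems.append(msg)
    return problems

def extract_key(dump: bytes) -> bytes:
    """The per-drive 16-byte key the post locates at 0x401A."""
    return dump[KEY_OFFSET:KEY_OFFSET + KEY_LEN]

def make_sample_images():
    """Constructed reference image, a good dump, and a dump with a bad DQ3 line."""
    ref = bytearray((i * 7 + 3) & 0xFF for i in range(FLASH_SIZE))
    ref[ID_OFFSET:ID_OFFSET + len(ID_STRING)] = ID_STRING
    ref[KEY_OFFSET:KEY_OFFSET + KEY_LEN] = bytes(range(16))
    good = bytearray(ref)
    good[KEY_OFFSET:KEY_OFFSET + KEY_LEN] = b"\x5A" * KEY_LEN   # only the key differs
    bad = bytearray(good)
    for i in (0x100, 0x2000, 0x30000):  # bit 3 reads wrong at a few addresses
        bad[i] ^= 0x08
    return bytes(ref), bytes(good), bytes(bad)
```

Run `check_dump` on a real dump against the known-good binary the post links; a single-bit pattern in the stray differences is the signature of one data line still fouled by glue.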
BlueCop (Master Hacker, Posts: 316)
"When the going gets weird, the weird turn pro."
« Reply #34 on: March 24, 2006, 05:22:55 PM »

robinsod: are you interested in an H-943 mainboard minus its flash, with some stripped pads on the flash pad? I soldered a PLCC socket up with some 30 gauge wire but couldn't accurately solder the DQ0-DQ6 pins directly on the processor. If you want it you can have it. I don't think I can fix it personally. I am getting another drive from someone who has a broken 360 which has heat/video/crash problems. Waiting on my Willem programmer to extract my keys from the flash.
Arakon (Administrator, Xbox Hacker, Posts: 6925)
« Reply #35 on: March 24, 2006, 05:34:46 PM »

It may be easier to scratch the protective layer off the traces and solder to the traces at different spots instead of trying to solder directly to that chip.
I do NOT give support by email, PM, ICQ or whatever. Anyone annoying me that way will have his balls removed. With a rusty butterknife. Slowly. And I'll enjoy doing it.

robinsod (Global Moderator, Xbox Hacker, Posts: 648)
Perl packed my shorts during global destruction
« Reply #36 on: March 24, 2006, 05:58:23 PM »

All but one of the data pins are available at vias and are easy to solder; have a hunt for darkfly's picture - get a fibre glass pencil to remove the solder resist.
« Last Edit: March 24, 2006, 06:00:43 PM by robinsod »
darkfly (Hacker, Posts: 97)
« Reply #37 on: March 24, 2006, 06:05:38 PM »

Yep, just follow the traces back from where the pads are laid, scrape off the mask with a fiberglass pencil (or a hobby knife if you want to be crude about it). Lay down a bead of solder right on top of the trace and you can tack some 30awg wire right onto it if you pretin it and get a little bead on the wire. Then put a drop of hot melt glue on it to hold it in place. It's not worth trying to solder to that IC; if you have already bridged some pins you should be able to clean it up with some wick.
darkfly (Hacker, Posts: 97)
« Reply #38 on: March 24, 2006, 06:09:24 PM »

Also, robinsod, the firmware revision on my drive was marked right next to the -016 sticker. Mine was labeled F/W: MS25, which was on a sticker over the old revision. I would assume FW = firmware.
robinsod (Global Moderator, Xbox Hacker, Posts: 648)
Perl packed my shorts during global destruction
« Reply #39 on: March 24, 2006, 09:12:44 PM »

It's all true, Darkfly; the drive string contains the version number at the end too: "TSSTcorpDVD-ROM TS-H943Ams25" - ms25.

I guess the numbers are not important to us