Dumping Security Sector with H-943A

[robby2000]

Hi robinsod and all ...
My TS was labelled Part No: X800473-015

1) I´m read FLASH from my DVD-Drive to PC
2) Backuping this BIN file
3) Modifing
4) Flashing 2 my SST 39SF020A in TS drive
5) My drive in X360 NOT WORKING 
6) ReFlashing 2 backup BIN file ... and X360 WORK FINE  - but ONLY ORIG. DISC.

My modifing BIN is very BUGY, my X360 with this BIN file FREEZY.


And NOW SORRY for my STUPID Question:
Normal H943 BIN file downloading from here: http://rapidshare.de/files/16264678/H943.BIN.html
and MODIFING BIN file - downloading from .... ?

PLS Help ME ...
Sorry for my VERY BAD English ... 

[robinsod]

Normal H943 BIN file downloading from here: http://rapidshare.de/files/16264678/H943.BIN.html

If you load this firmware without changing the 16 byte key to match your 360 then it will not boot games. If the keys dont match it wont work

and MODIFING BIN file - downloading from .... ?

Not available

[robby2000]

OK robinsod
THX ... 

[dandoom]

 ,So dumping the samsung firmware is the same as dumping the hitachi drive then??Thanks in advance!!

[MacDennis]

,So dumping the samsung firmware is the same as dumping the hitachi drive then??Thanks in advance!!

No. You need a flash programmer/reader device to do this if you have a TS drive.

[robby2000]

Hi everybody
I got another question: did anyone manage to run modified FW on your x360???
Thanks to all , mange tak

[MacDennis]

Hi everybody
I got another question: did anyone manage to run modified FW on your x360???
Thanks to all , mange tak

What do you mean with modified FW ? The hacked one? That one is not available. Everyone can patch their original firmware to whatever they want and run it with the right tools.

[BlueCop]

I was comparing the dump of my firmware chip to the the one posted here. i did a direct compare and they were different 401A-429F and the key doesn't look correct ethier if it is supposed to be at 401A. it is only that range that is different between them. did I lose my key? or is it just a firmware difference.

on the dvd-rom itself it says F/W=ms25 H/W:005 Ver.A

to me it looks like my actual dvd key is stored at 4290 in my firmware. at least that is what looks like the dvd key within 401A-429F range.

i might have just screwed up dumping the chip or damaged it somehow. i reread it twice with verify and it was all good.

here is the hex from 4000-429F so you can see what i mean. I included from 4000 where you can see the repeating pattern with a counting before it gets to my key.

00004000   01 11 11 11 11 FF FF FF  FF FF FF FF FF FF FF FF
00004010   FF FF FF FF FF 02 EE EE  EE EE BB BB BB FF FF FF
00004020   FF FF FF FF FF FF FF FF  FF FF 03 11 11 11 11 FF
00004030   FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF 04
00004040   EE EE EE EE BB BB BB FF  FF FF FF FF FF FF FF FF
00004050   FF FF FF FF 05 11 11 11  11 FF FF FF FF FF FF FF
00004060   FF FF FF FF FF FF FF FF  FF 06 EE EE EE EE BB BB
00004070   BB FF FF FF FF FF FF FF  FF FF FF FF FF FF 07 11
00004080   11 11 11 FF FF FF FF FF  FF FF FF FF FF FF FF FF
00004090   FF FF FF 08 EE EE EE EE  BB BB BB FF FF FF FF FF
000040A0   FF FF FF FF FF FF FF FF  09 11 11 11 11 FF FF FF
000040B0   FF FF FF FF FF FF FF FF  FF FF FF FF FF 0A EE EE
000040C0   EE EE BB BB BB FF FF FF  FF FF FF FF FF FF FF FF
000040D0   FF FF 0B 11 11 11 11 FF  FF FF FF FF FF FF FF FF
000040E0   FF FF FF FF FF FF FF 0C  EE EE EE EE BB BB BB FF
000040F0   FF FF FF FF FF FF FF FF  FF FF FF FF 0D 11 11 11
00004100   11 FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
00004110   FF 0E EE EE EE EE BB BB  BB FF FF FF FF FF FF FF
00004120   FF FF FF FF FF FF 0F 11  11 11 11 FF FF FF FF FF
00004130   FF FF FF FF FF FF FF FF  FF FF FF 10 EE EE EE EE
00004140   BB BB BB FF FF FF FF FF  FF FF FF FF FF FF FF FF
00004150   11 11 11 11 11 FF FF FF  FF FF FF FF FF FF FF FF
00004160   FF FF FF FF FF 12 EE EE  EE EE BB BB BB FF FF FF
00004170   FF FF FF FF FF FF FF FF  FF FF 13 11 11 11 11 FF
00004180   FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF 14
00004190   EE EE EE EE BB BB BB FF  FF FF FF FF FF FF FF FF
000041A0   FF FF FF FF 15 11 11 11  11 FF FF FF FF FF FF FF
000041B0   FF FF FF FF FF FF FF FF  FF 16 EE EE EE EE BB BB
000041C0   BB FF FF FF FF FF FF FF  FF FF FF FF FF FF 17 11
000041D0   11 11 11 FF FF FF FF FF  FF FF FF FF FF FF FF FF
000041E0   FF FF FF 18 EE EE EE EE  BB BB BB FF FF FF FF FF
000041F0   FF FF FF FF FF FF FF FF  19 11 11 11 11 FF FF FF
00004200   FF FF FF FF FF FF FF FF  FF FF FF FF FF 1A EE EE
00004210   EE EE BB BB BB FF FF FF  FF FF FF FF FF FF FF FF
00004220   FF FF 1B 11 11 11 11 FF  FF FF FF FF FF FF FF FF
00004230   FF FF FF FF FF FF FF 1C  EE EE EE EE BB BB BB FF
00004240   FF FF FF FF FF FF FF FF  FF FF FF FF 1D 11 11 11
00004250   11 FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
00004260   FF 1E EE EE EE EE BB BB  BB FF FF FF FF FF FF FF
00004270   FF FF FF FF FF FF 1F 11  11 11 11 FF FF FF FF FF
00004280   FF FF FF FF FF FF FF FF  FF FF FF 20 EE EE EE EE
00004290   XX XX

[xDREAM]

should i edit out my key? if it is the key

Yes and fast, one word: BigBrother... no just kidding =)

[robby2000]

hello there!
Did you manage to run your hacked FW? Is the key same for all x boxes 360 or has every single one it´s own key.
Thank You, gracias, obrigado, merci,danke,tak, spasibo

[Arakon]

he has no hacked firmware and the key is different for each drive and box. that's already known and talked about.

[robby2000]

OK arakon 

Hi ALL 
I know i look like an IDIOT, but i have more questions.

After comparing 2 of the FW (1st "CLEAN" and 2nd incl. 16 bit code) i will find the code at the 401A adress.

But what shall ido with the code once i have it?
Is it enough to put it (insert) in to the "CLEAN" one at the 401A adress and save into the DVD-ROM ?

Or do i have to do more.

Sorry for my questions, I am just curious and NOT a hacker, I like EXPERIMENTS.

THANK YOU.

[n8thegr8]

well you could do that, but that would do absolutely nothing. It would be exactly like before you flashed it. you have to modify the firmware by hardcoding responses to the challenges issued by the machine in order to trick the machine into thinking that the backup is an original. The key only makes the machine accept the drive/firmware. I'm still having trouble dissassembling my firmware for my TS drive. Is there a module for the mt1359 for IDA somewhere that I'm missing, or do you select a different processor when you decompile it? Or do you use a totally different program? thanks.

[darkfly]

You should try dis8051 - I couldn't get IDA to do the whole thing. Im not sure if you need to use the FirmCrypt program first though.

[n8thegr8]

sweet, I got it to dissassemble using dis8051, and I tried with and without decrypting using firmcrypt, but the .src file that comes out still is missing a bunch with unresolved address reference list at the bottom. also, what happened to the comments that ms left in? was that only the hitachi?

[BlueCop]

has anyone tried playing with Emulator 8051? The Program is a demo but the companies website is gone so i couldn't register it. It is registerable by other means. I personally consider it abandoned.

I converted my firmware to hex format so i could load it in the program.

I have been steping through the execution. Seems pretty interesting

[BlueCop]

So i seperated my firmware into its 4x64kb banks. I am now working on identifing relevant parts of the firmware.

I was wondering if someone could inform me how the firmware switches banks?

I am sure links to various 8052 resources have been posted but i just read
http://www.8052.com/tut8051.phtml
it is pretty interesting. the whole site is very informative.

I also found it interesting that about 33.3% of the firmware is blank(00,nop) sections at the end of each bank.
The 4 banks contain the same code from 0000-1FFF. thats about 12.5% that is repeated
the the rest of the code takes up about 54.2%. to me it just seems like its ineffeicent

[ChaosBoy]

Hi robinsod and all ...
My TS was labelled Part No: X800473-015

1) I´m read FLASH from my DVD-Drive to PC
2) Backuping this BIN file

@robby2000
i have too the ts drive on my 360..
do u need to desoldering the chip, or do u have found a way to read/write the chip on the board??

Greets
ChaosBoy

[MacDennis]

So i seperated my firmware into its 4x64kb banks. I am now working on identifing relevant parts of the firmware.

Maybe it's a better idea to start a new thread because this discussion has become a bit off-topic now. The original firmware hacking thread should have some information about bank switchting.

[BlueCop]

robinsod: thanks for the patches. i successfully dumped my halo 2 security sector.

I am going to attempt to modifying your code to output the security sector over the serial port because i wanted a way to quickly dump several discs with out having to readout the flash each time. Plus i wanted to try some to see if the serial port even works.