pablot
« Reply #120 on: November 09, 2006, 12:42:44 PM »
okay, I just split off all the idiotic firmware requests and noob questions I could find (sorry if anything relevant got split off). So listen carefully now..
THIS IS THE TECHNICAL SECTION. NOBODY f****** MAKE ANY MORE FIRMWARE REQUESTS OR STATUS QUESTIONS. JUST QUIT IT!!!
to the rest of you, good luck and keep it up!
/pablot
Pleased to meet ya!
LittleJonny
« Reply #121 on: November 09, 2006, 05:23:11 PM »
> > first we wanted to make only a soldering/desoldering video (so this part was made before). of course on some 78fk controller boards there is epoxy underneath the chip but the desoldering procedure is the same!! btw under my chip there was no epoxy at all.
>
> Well you are a lucky bunny if you had no epoxy underneath your chip then. To be honest I cannot quite see how you say removing the TSOP is the same even if it has epoxy underneath it, i.e. removal with your soldering iron? If that's the case then I would be quite concerned about what you may do to the chip substrate, i.e. you have the joints liquidus but your chip is still epoxied to the PCB, so therefore you are going to lever the chip away from the epoxy whilst it is still hard? Anyway I am all ears and if you can make my life and others' easier removing these then I will of course listen.

I don't think it is the same epoxy that is on top... but yes it is stuck down quite hard and is a bitch to get off... unless super heated like what you see in the video. Personally I think the YouTube vid is quite dangerous cos it looks so easy, when clearly it is not unless you've done a few already (in which case you don't need a vid). Having said that, kudos for the video, it was overall very well done, but I think that the makers need to please point out the dangers, i.e. killing the chip. Remember, if the TSOP is heated too much then you won't be able to dump the firmware and you effectively have a total brick on your hands, an expensive mistake for watchers of a 6:30 sec video clip.
Croydon Victoria Australia. -Master Surface Mount Solderer.....bring on the too hard!
thecheekymonkey
« Reply #122 on: November 09, 2006, 06:26:04 PM »
Will have to agree, the removal of the chip is not easy at all. Heating epoxy has been around for ages (de-potting) etc etc. The video will help a lot of people, however it does make it look easier than it actually is. I removed one a couple of weeks ago, and like modfeaks (sorry if I got your name wrong), there was epoxy on the chip, but not under it; removed it very easily (at least without any major hassle). Second attempt went stupidly wrong lol, completely butchered the board and chip (I'm too embarrassed to post a photo of the chip, it snapped in half). This was due to me sneezing whilst trying to remove it, which ended up with a snapped chip and loads of track damage. Third attempt just now went very well, took ages though; not for the faint hearted. Whoever says it's easy is having a laugh. Some piccys below.

Third attempt, success :-

Second attempt AARRRGGGhhhh! :-

People, before you go buying your expensive programmer and such toolz, have a look at the picture below to see just exactly what you're working with. Relevant dumps will be posted to the people who need / want them once my new programmer has arrived; bleeding stood on my last one, not having much luck lol.
LittleJonny
« Reply #123 on: November 10, 2006, 04:19:07 PM »
> any chance of other people who have removed their chips posting how they overcame the removal of it off the board? mine was heat + a bit of brute force: angle a very thin blade under each side of one end of the chip, just enough to make a small gap, which then enabled me to get my right-angled tweezers under there, and then with heat on the chip, and one side of the chip's pins liquidated, and a few tugs it eventually came up. be under no illusions, this wasn't for the faint hearted, and not a method i really wish to repeat, but it worked for me with no track damage. anyways, anyone else care to elaborate on their methods, or as i fear we're all using the same methods, i.e. heat and a strong arm. i may try to bond something like say a nail to the top of the chip on one side to aid removal of the next one, say using super glue, something strong enough to aid lifting (without the threat of scratching the tracks), but also something that's relatively easy to remove once the chip has been lifted. these are just ideas. also anyone any thoughts on a decent solvent to remove the epoxy cleanly? siranol? attack epoxy? although these may not only remove the epoxy, but everything else as well

The epoxy is actually a two part epoxy otherwise known as Araldite. The only thing that works effectively without destruction is heat treating (I've looked into it quite heavily way back when we were firmware hacking the old 616-e drive for Xbox 1). As far as removing and positioning goes... well it's an art that needs to be mastered, particularly on the ones with glue on the bottom too. Try to avoid the "strong arm" and apply heat more evenly.
carranzafp
« Reply #124 on: November 10, 2006, 05:10:52 PM »
If LG have just a few sets of different firmwares... (I have received some that match others, differing only in the key value) that would mean it could be possible to build a modchip that can handle all the different combinations (assuming there are just a few). But without dumping the flash the only way to get the working configuration would be trial and error.
Another idea that could work is to add more wires to the modchips... not just 1 wire (sarcastic) but a few more that can do a "smart" mapping of the SS loading routine. (More or less it is like asking a fixed location that always contains the address of the changing location.)
It is like the location 0x01AD70 that always contains the address of the keys, no matter if they change or not.
turkey
« Reply #125 on: November 10, 2006, 05:34:54 PM »
> If LG have just a few sets of different firmwares... (I have received some that match others, differing only in the key value) that would mean it could be possible to build a modchip that can handle all the different combinations (assuming there are just a few). But without dumping the flash the only way to get the working configuration would be trial and error.
> Another idea that could work is to add more wires to the modchips... not just 1 wire (sarcastic) but a few more that can do a "smart" mapping of the SS loading routine. (More or less it is like asking a fixed location that always contains the address of the changing location.)
> It is like the location 0x01AD70 that always contains the address of the keys, no matter if they change or not.

From the fact we have seen matching firmware and the presumption M$ must check every possible drive fw it could be assumed there are 5-10 revisions? If it was truly random then any future checks by M$ against firmwares would be worthless as they could not predict what will be there, bar revision strings in there at some point. Also it has been said that there is a single point that references the code. Could their chip monitor for this address and then monitor the key being sent to the Xbox? Then they could use the v2 working dump and do a full per-address substitution with the newly learnt key on the fly. It's not an elegant fix and time consuming but it's what I came up with whilst driving to work.
carranzafp
« Reply #126 on: November 10, 2006, 05:45:44 PM »
> From the fact we have seen matching firmware and the presumption M$ must check every possible drive fw it could be assumed there are 5-10 revisions? If it was truly random then any future checks by M$ against firmwares would be worthless as they could not predict what will be there, bar revision strings in there at some point.
> Also it has been said that there is a single point that references the code. Could their chip monitor for this address and then monitor the key being sent to the Xbox? Then they could use the v2 working dump and do a full per-address substitution with the newly learnt key on the fly. It's not an elegant fix and time consuming but it's what I came up with whilst driving to work.

To the console's point of view there is no matter if there are 1, 10 or infinite possible 78 firmwares; the console just does a CDB command (always the same command) to retrieve the version string. Using rolling code on the 78 version probably means that M$ is not interested in dumping the fw to know if it is hacked or not. (But I can't say they will not do that.) About learning the key on the fly: yes, that is what I was meaning in my previous post, maybe this would be the way to go for next gen DVD-drive modchips.
LittleJonny
« Reply #127 on: November 11, 2006, 12:33:08 AM »
> > If LG have just a few sets of different firmwares... (I have received some that match others, differing only in the key value) that would mean it could be possible to build a modchip that can handle all the different combinations (assuming there are just a few). But without dumping the flash the only way to get the working configuration would be trial and error.
> > Another idea that could work is to add more wires to the modchips... not just 1 wire (sarcastic) but a few more that can do a "smart" mapping of the SS loading routine. (More or less it is like asking a fixed location that always contains the address of the changing location.)
> > It is like the location 0x01AD70 that always contains the address of the keys, no matter if they change or not.
>
> From the fact we have seen matching firmware and the presumption M$ must check every possible drive fw it could be assumed there are 5-10 revisions? If it was truly random then any future checks by M$ against firmwares would be worthless as they could not predict what will be there, bar revision strings in there at some point. Also it has been said that there is a single point that references the code. Could their chip monitor for this address and then monitor the key being sent to the Xbox? Then they could use the v2 working dump and do a full per-address substitution with the newly learnt key on the fly. It's not an elegant fix and time consuming but it's what I came up with whilst driving to work.

Is that more or less than what the current patch style mods do? Or are you suggesting that you use a full parallel modchip, 32+ wires, that still lets the key fly through... so you don't need to do any firmware editing? Could someone please explain to me exactly how this method would differ from the patch style mods such as NME? Is carranzafp suggesting that you record the key... override all the read data lines and patch in on the same data lines... or something to that effect? Please don't slap me, EEPROM functionality is not my forte.
carranzafp
« Reply #128 on: November 11, 2006, 02:34:58 AM »
NME is simple; because of its reduced wire count it can only change some bits on the data stream. I don't have all the details but in the big picture it monitors the data and changes the address to load the SS. When it is a backup it changes from FD021E to FC021E (only 1 bit) but that bit makes the SS get loaded from a data section of the DVD.
Complex things like stealth, media patch, etc. can not be done with that low wire count.
And no, you can not place a parallel EEPROM (like the globe360 does) on the 78 since you need to know the exact location of the key on the onboard flash. What I am telling is that some smarter modchip can determine the key location based on monitoring some more lines and then reconfigure itself to know when to do its job.
In the case of the NME, that modchip does not care where the keys are located, but needs another location equally important: the location where the SS address is loaded by the MN, which is not on a fixed location because of the rolling code.
Well, this discussion got a little off topic, and I personally don't care about the development of the NME 2 / GLOBE 360 2.
stonersmurf
« Reply #129 on: November 13, 2006, 04:36:07 PM »
> Well, this discussion got a little off topic, and I personally don't care about the development of the NME 2 / GLOBE 360 2.

Exactly. Please keep this thread on topic; all backup support and most useless speculation about firmware mod-chips has been removed.
sarge123
« Reply #130 on: November 13, 2006, 05:24:30 PM »
I have removed 7 drive chips so far and read them. Only found 2 different variations of the code. If it was possible for someone to hack each variation of the bios and include them with an original bios, it would be quite easy to pick which hacked bios you needed using windiff.
LittleJonny
« Reply #131 on: November 13, 2006, 07:27:17 PM »
So, back to a question I asked a while ago... just how many codes are we dealing with right now? It seems to be a fairly finite number.
LittleJonny
« Reply #132 on: November 13, 2006, 09:32:46 PM »
I think it's time we had a F.A.Q. --- I'll keep updating this, so bear with me on the beta; please PM me with any errors or post it in the main forum.
To sum up what we have so far:
1. Rolling firmware code is possibly infinite... we don't know this for sure... but let's bank on the possibility there could be more. (insert confirmed sightings)
2. We can get a dump of the original without soldering (insert program name and where from).
3. We can encrypt and decrypt the firmware (insert programs used).
4. We can extract and insert the unique key between firmwares (insert programs used).
5. We can use older firmwares on the drive (insert which ones worked, insert credit).
6. We could sec flash the entire chip in theory if someone could be bothered writing a program to do this (beg someone to do it).
Ways that we could possibly mod this in the future:
1. Make a sec flash that translated from the entire firmware hex? This way it would not matter where the key was, we could manually patch the key the same way we do with the Samsung. Sure it's easier said than done... but seriously why not... it's the most future proof solution.
2. If the rolling code is finite, then we could have a bunch of firmwares that are flashed to the drive after doing a dump of the orig and comparing which one yours is, then flashing to the drive. More room for error, but refer to suggestion 1 as a potential recovery method.
The way we can currently mod the drive:
1. Remove the epoxy (insert YouTube link), remove the chip, dump the firmware of the chip and decrypt it, buy a new chip cos the heat from the gun will likely make the chip unstable, then with key and encrypt, flash the new chip with the rev. 2 78 hacked firmware (insert credit).
2. Use a commercial patch chip? They say it works....... but that's just marketing bull$#!t. Fact is rolling code makes it not possible for a generic patcher.
Again if there are any errors in this FAQ please inform me and I will correct them.
I will update this with credits and so forth shortly.
« Last Edit: November 13, 2006, 10:18:55 PM by LittleJonny »
sentinel0
« Reply #133 on: November 14, 2006, 01:26:57 AM »
How does the Xbox know where to find the key? Forgive me, I'm a little drunk tonight, if this has been answered already. If so I do deserve a flame for not searching.
LittleJonny
« Reply #134 on: November 14, 2006, 01:45:50 AM »
The firmware is interpreted by the DVD-ROM's processor on behalf of the console. (Possibly a more basic answer to the question than you were looking for.)
sarge123
« Reply #135 on: November 14, 2006, 02:31:13 AM »
Am I missing something here? From the bios that I have removed I can only find 2 variations from 7 drives: 5 have the same bios as the hacked one available and 2 have a different one, although those 2 are the same as each other. As far as I can see there is no reason to believe that there is any rolling code, just 2 revisions. I need more bios's to compare to the ones I have; can anyone help me with this? I will be getting more Xboxes to play with this weekend, however it will be limited to about 2 as I haven't got the money to keep buying them.
carranzafp
« Reply #136 on: November 14, 2006, 12:46:11 PM »
Well I have some dumps and found:
keys at 4B00 (3 dumps)
keys at 4E10 (1 dump)
keys at 4C30 (2 dumps)
keys at 4D20 (1 dump)
All SAME-LOCATION ones are the same between them, so I think it is safe to identify the 78 versions by their key location.
Any more versions?
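The comparison sarge123 and carranzafp are doing by hand above (how many distinct revisions a pile of dumps contains, and which byte ranges differ between them) is the windiff step of the thread. The script below is an added example, written for this page and not code from anyone in the thread; it groups identical dump images by hash and reports merged differing byte ranges between one representative of each group, which is the check a firmware analyst runs on any batch of images before deciding how many builds are in play. All five images are constructed toy data (256 bytes with a 16-byte field at a made-up offset), not real drive firmware, and none of the thread's offsets are used.

```python
"""Group firmware dump images by content and report where the groups differ.

Added example, not code from this thread. It automates the windiff-style
comparison discussed above: how many distinct revisions are in a set of
dumps, and which byte ranges differ between revisions. All images below are
constructed toy data, not real drive firmware.
"""
import hashlib
from collections import defaultdict


def cluster_dumps(dumps):
    """Map SHA-256 of each image to the list of dump names sharing it.

    dumps: {name: bytes}. Identical images land in the same list, which gives
    the '5 the same, 2 the same' style count directly.
    """
    groups = defaultdict(list)
    for name, image in dumps.items():
        groups[hashlib.sha256(image).hexdigest()].append(name)
    return dict(groups)


def differing_ranges(a, b):
    """Return half-open [(start, end), ...] byte ranges where a and b differ.

    Consecutive differing bytes are merged into one range, so a 16-byte field
    that changed (or moved) shows up as one or two entries rather than 16.
    If the images have different lengths, the tail beyond the common prefix
    is reported as one extra range.
    """
    ranges = []
    n = min(len(a), len(b))
    start = None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def summarize(dumps):
    """Cluster dumps, then diff the first cluster's representative against
    one representative of every other cluster.

    Returns (clusters, diffs) with diffs = {(base_name, other_name): ranges}.
    """
    clusters = cluster_dumps(dumps)
    reps = [names[0] for names in clusters.values()]
    base = reps[0]
    diffs = {(base, other): differing_ranges(dumps[base], dumps[other])
             for other in reps[1:]}
    return clusters, diffs


def make_image(field_offset, field):
    """Constructed 256-byte 'firmware': bytes 0x00..0xFF with a field pasted in."""
    body = bytearray(range(256))
    body[field_offset:field_offset + len(field)] = field
    return bytes(body)


# Constructed sample set: three identical images, one with the field moved
# to a different offset, one with the field at the same offset but changed.
SAMPLE_DUMPS = {
    "drive1.bin": make_image(0x20, b"\xaa" * 16),
    "drive2.bin": make_image(0x20, b"\xaa" * 16),
    "drive3.bin": make_image(0x20, b"\xaa" * 16),
    "drive4.bin": make_image(0x40, b"\xbb" * 16),
    "drive5.bin": make_image(0x20, b"\xcc" * 16),
}


if __name__ == "__main__":
    clusters, diffs = summarize(SAMPLE_DUMPS)
    print(f"{len(clusters)} distinct revision(s):")
    for digest, names in clusters.items():
        print(f"  {digest[:12]}...  {len(names)} dump(s): {', '.join(names)}")
    for (base, other), ranges in diffs.items():
        spans = ", ".join(f"0x{s:04X}-0x{e:04X}" for s, e in ranges)
        print(f"{base} vs {other}: differs at {spans}")
```

On the sample set this reports three revisions (3 + 1 + 1 dumps); the moved field shows as two ranges against the base image and the changed-in-place field as one. Run it on real images by replacing SAMPLE_DUMPS with files read in binary mode; the hashing step also catches a truncated or corrupt read before anyone spends time comparing it.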
xboxto
« Reply #137 on: November 14, 2006, 01:09:09 PM »
Am I misreading???
Is there an early release available for flashing 0078's via Windows other than chip removal/Willem programmer?
Good luck Garyopa in developing some tools! I don't envy the amount of stress you'll be getting off people etc! But glad to see you in action! We have 1 spare Hitachi drive to work on and will help out anyway! We worked with a few expert members on here to pioneer the MS28's with the VCC trick and I'm sure this will be done and dusted soon!
Regards xboxto
ghost
« Reply #138 on: November 14, 2006, 01:14:58 PM »
> Well I have some dumps and found:
> keys at 4B00 (3 dumps)
> keys at 4E10 (1 dump)
> keys at 4C30 (2 dumps)
> keys at 4D20 (1 dump)
> All SAME-LOCATION ones are the same between them, so I think it is safe to identify the 78 versions by their key location.
> Any more versions?

I have the same on 6: 4B00 and 4E10.
scotty2k8
« Reply #139 on: November 14, 2006, 01:38:46 PM »
I have two, one on 4B00 and the other on 4C30.
The manufacturing dates are different tho... one is Aug 2006, the other is Sept 2006.
Oh and I have an idea how to flash the firmware back onto it... if we encrypt the firmware using a program, and the drive is unlocked and visible through Windows, and used DVD Info Pro to send the "Media" command, that being able to unlock all media reading capabilities... then couldn't we just send the firmware over like normal? Because if we made the drive visible in Windows, and so we could read all media on and off the drive, we should be able to flash it just like we would a normal PC drive, correct?