SuperMario
« Reply #20 on: March 15, 2006, 04:40:52 AM »
> I might be talking out of my ass here and I hope I won't offend anyone.
> How can the console detect that the disc is a copy if you return exactly the same response to the challenges as the original?
> Well, I guess for challenges 5 & 7 the console computes the time it takes the drive to answer the challenge and compares it to the time the drive reports in the challenge response. If the time it takes the drive to answer the challenge is smaller than the time in the challenge response, the console can conclude that the response is doctored.

I have full copies of the disc, many variations, as kindly provided by Ezekiel... As far as I can tell, everything was replicated (also as far as he can tell), so the only difference is in the physical location and density of the security regions. To clarify: yes, that means Lead In, Lead Out, Middle Areas and all errors/overwritten content. Said content was overwritten in many ways, even with the same EFM+ patterns. He's also given me his Japanese unit to work with, so at least now I have access to a unit that can return results, specifically the physical timing and offsets that Mode 0x05 and 0x07 utilise. I'll report what I find when I finally have the Japanese unit opened and its drive working in a PC - but this far, from what I've seen in the firmware, there is definitely a correlation between the physical offsets and timing of the distance/density between regions. SuperMario.

MacDennis
« Reply #21 on: March 15, 2006, 04:55:25 AM »
> I'll report what I find when I finally have the Japanese unit opened and its drive working in a PC - but this far, from what I've seen in the firmware, there is definitely a correlation between the physical offsets and timing of the distance/density between regions.

Agreed. Some physical properties of the disc are checked. Yes, this is related to timing. The security regions are also called security placeholders. They weren't used in the first Xbox discs/kernels but they are definitely being used this time around.

robinsod
Global Moderator
Xbox Hacker
Perl packed my shorts during global destruction
« Reply #22 on: March 15, 2006, 05:43:04 AM »
> How can the console detect that the disc is a copy if you return exactly the same response to the challenges as the original?

It can't; the type 5 & 7 response handlers can be spoofed with fixed, hard-coded values.

> Well, I guess for challenges 5 & 7 the console computes the time it takes the drive to answer the challenge and compares it to the time the drive reports in the challenge response. If the time it takes the drive to answer the challenge is smaller than the time in the challenge response, the console can conclude that the response is doctored.

The drive is making the timing measurement and returning the result to the console. I'm 99% sure this measures read or seek times across a range of placeholders. Timing how long the drive takes to perform this measurement makes no sense, IMHO. Whether I read this value from a lookup table on a DVD-R (slow), from fixed tables in flash (faster) or copy them to RAM and read them from there (slightly faster) makes no difference: if the hardcoded response is correct, the console's happy.

SuperMario
« Reply #23 on: March 15, 2006, 05:53:25 AM »
Robinsod: Maybe we're at cross purposes here.
Are you saying that you can replay the Mode0x05/Mode0x07 challenge responses when using a different disc in the drive to the one that they came from?
SuperMario.

Dzgx216
« Reply #24 on: March 15, 2006, 05:59:12 AM »
> Robinsod: Maybe we're at cross purposes here.
> Are you saying that you can replay the Mode0x05/Mode0x07 challenge responses when using a different disc in the drive to the one that they came from?
> SuperMario.

Sounds like that's exactly what he's saying to me....

- Danzig -

nokaktsawa
« Reply #25 on: March 15, 2006, 06:00:50 AM »
Now I have the feeling that everybody underestimated the X360 DVD drive protection mechanism... Looks like it's much harder than Xbox 1's after all. Speaking of which, I don't know how many people can tell by personal experience how simple it was. Oh well.

MacDennis
« Reply #26 on: March 15, 2006, 06:13:21 AM »
> Are you saying that you can replay the Mode0x05/Mode0x07 challenge responses when using a different disc in the drive to the one that they came from?

First of all, the 'response' is actually the 4-byte 'response value'. Second, the timer value (which is part of the response value) is the same on different revisions/models/brands of DVD-ROM drives. So it's only related to the physical disc properties of the security placeholders .. Third, the actual response value of course depends on the actual CID (challenge ID) being issued.

SuperMario
« Reply #27 on: March 15, 2006, 06:25:10 AM »
MacDennis:
Are the timer values you have witnessed different from different original discs/discs from different regions?
Maybe it's an issue of semantics: I am only referring to being able to make 1:1 replicas so as to get the timer value to be exactly identical to what it would be on an original disc.
SuperMario.

Dzgx216
« Reply #28 on: March 15, 2006, 06:36:05 AM »
> MacDennis:
> Are the timer values you have witnessed different from different original discs/discs from different regions?
> Maybe it's an issue of semantics: I am only referring to being able to make 1:1 replicas so as to get the timer value to be exactly identical to what it would be on an original disc.
> SuperMario.

SuperMario, are you postulating that it's possible to make the 1:1 replica somehow with a standard burner, with possible physical and/or FW mods made to the burner? Would be very interesting to see. Danzig

- Danzig -

MacDennis
« Reply #29 on: March 15, 2006, 06:50:05 AM »
> Are the timer values you have witnessed different from different original discs/discs from different regions?

First of all, I didn't witness anything. Second, yes, it seems like the physical properties of a particular security placeholder are the same as the same placeholder on a disc from a different region .. I hope you can follow that sentence. And for the general audience, a drive firmware hack does NOT defeat any game region coding at all.

> Maybe it's an issue of semantics: I am only referring to being able to make 1:1 replicas so as to get the timer value to be exactly identical to what it would be on an original disc.

Fact is, 99% of the hobbyist hackers on this forum don't have the same resources as you and because of that are following a completely different path to Rome. It's just what you prefer, really. With enough money, time, energy and resources anything can be 'achieved'. But is that fun? No, not in my eyes. You are determined to make an exact 1:1 replica. Why, if I may ask? If we had the hardware which could burn a 1:1 replica down to the physical level, what do we learn from it? Nothing at all, IMHO.

TheSpecialist
« Reply #30 on: March 15, 2006, 08:00:14 AM »
> Now I have the feeling that everybody underestimated the X360 DVD drive protection mechanism... Looks like it's much harder than Xbox 1's after all. Speaking of which, I don't know how many people can tell by personal experience how simple it was. Oh well.

If the 360 uses only a handful of different challenges and the responses to these challenges can be hardcoded ... then what exactly is so hard about the protection mechanism? Looks like a VERY sloppy job to me. In fact, if Bill would hear that the 'unbreakable protection' in the 360 basically relies on a few responses you can just hardcode and, to make things even easier, they left all debug routines in the drive ... I'm quite sure he would fire some of his staff IMMEDIATELY. I mean, come on, a protection like that can't be taken seriously ...
« Last Edit: March 15, 2006, 09:26:04 AM by TheSpecialist »

PC_Arcade
Newbie
« Reply #31 on: March 15, 2006, 11:32:58 AM »
And yet it still hasn't been broken (or has it now...??)
« Last Edit: March 15, 2006, 11:40:26 AM by PC_Arcade »

TheSpecialist
« Reply #32 on: March 15, 2006, 11:59:07 AM »
> And yet it still hasn't been broken (or has it now...??)

Naah.. probably the info Robinsod posted here is fake. I think he's just trying to be interesting. I don't buy it. It can't be THAT easy.
« Last Edit: March 15, 2006, 12:05:09 PM by TheSpecialist »

robinsod
Global Moderator
Xbox Hacker
Perl packed my shorts during global destruction
« Reply #33 on: March 15, 2006, 12:06:48 PM »
Hands up, you got me there. I get my jollies posting BS on forums and initiating flame wars with other ignorant McNuggets. Being tragically inadequate and incapable of original work, it's the only way I can hope to enjoy the all too fleeting adulation of my peers.
Or could it be you and I, Spec, are secret, undercover M$ agents, spreading misinformation and acting as agents provocateurs? Seeking to cause civil war between the various hacking groups with our outspoken views on 'offset timing' and 'uploading authentication patches to RAM'. If I can offend SuperMario sufficiently he may lose interest and that should put a kink in development.
BTW, you guys are ruining the environment with all these backups; burning DVDs releases B2S into the atmosphere and contributes to global warming - stop it for the sake of the children! This is particularly important if you live in a low country (relative to sea level, not morally, OK?)
No doubt I will be exposed as a fraud and a phoney soon enough.
« Last Edit: March 15, 2006, 12:14:35 PM by robinsod »

TheSpecialist
« Reply #34 on: March 15, 2006, 12:12:01 PM »
Hehehe. Well, I don't know much about technical stuff so the info in this thread isn't really interesting to me anyway. If someone could try it and release a hacked firmware if it works, because all I want to do is pirate games! Pleaaaaase? Normally I would buy originals but I'm saving to buy a Lotus; I have had that strange desire since I got an Amiga 500, dunno ...
« Last Edit: March 15, 2006, 12:16:14 PM by TheSpecialist »

burgemaster
« Reply #35 on: March 15, 2006, 12:37:24 PM »
Could I ask a few Qs please? It's my first post so be gentle.
1) As you can't swap DVD drives, someone releasing a hacked firmware wouldn't help you as you would need to mod your OWN dump?? Is this correct?
2) Before I void my warranty, has it been confirmed that this hack is 100% viable? (Tried to read through as much as I could but couldn't find a straight answer.)
3) What do you do if your 360 DVD drive breaks? With Xbox 1 you could eBay a new drive; as they can't be swapped, is there anything you can do here??
4) I've got a Willem and 32TSOP adaptor; is this the correct chip where the firmware is stored on the Hitachi drive? Is the TSOP32 adaptor the correct one?
5) Instead of removing the chip, has anyone managed to not only dump the firmware but reflash it back to the drive without removing the chip? Via PC etc?
6) Are my questions stupid and don't deserve answering?
Cheers in advance and good luck to all.

robinsod
Global Moderator
Xbox Hacker
Perl packed my shorts during global destruction
« Reply #36 on: March 15, 2006, 12:54:17 PM »
No worries, we'll use lots of lube since it's your first time.

> 1) As you can't swap DVD drives, someone releasing a hacked firmware wouldn't help you as you would need to mod your OWN dump?? Is this correct?

You can, but you need to dump your own 16 byte key - probably you will need the CSS key too but I don't know about that, I never tried to watch a movie on a 360. I believe you can do all this with plscsi; others know more about this than me.

> 2) Before I void my warranty, has it been confirmed that this hack is 100% viable? (Tried to read through as much as I could but couldn't find a straight answer.)

Keep your warranty until a publicly available firmware appears, if it ever does. No point getting the top off if you can't do any more.

> 3) What do you do if your 360 DVD drive breaks? With Xbox 1 you could eBay a new drive; as they can't be swapped, is there anything you can do here??

I went to the shop and bought another one. Eventually hacks will appear that allow other devices than the original DVD drive to be attached, but for now I have an exciting off-white paperweight. This is the price of hacking - if you can't afford to destroy it, don't hack it.

> 4) I've got a Willem and 32TSOP adaptor; is this the correct chip where the firmware is stored on the Hitachi drive? Is the TSOP32 adaptor the correct one?

Yes, that's a flash memory. It's where the firmware hides. No, the TSOP in the LG is of the skinny type - see data sheet http://www.sst.com/products.xhtml/parallel_flash/39/x8/SST39SF020A. You could replace the skinny type with a normal TSSOP (the pads are present) but see 5.

5) I'm sure a Windows based flasher will appear before long; unless you have good soldering skills please wait.

6) No such thing.
« Last Edit: March 15, 2006, 12:58:33 PM by robinsod »

PC_Arcade
Newbie
« Reply #37 on: March 15, 2006, 01:00:39 PM »
> And yet it still hasn't been broken (or has it now...??)

> Naah.. probably the info Robinsod posted here is fake. I think he's just trying to be interesting. I don't buy it. It can't be THAT easy.

Err?? Excellent, nice sarcasm. I didn't see a post where it was stated a backup had been run (although I can blatantly see the progress being made), I must have missed it, although it could well be in the first post as I'm not at a level that I understand it - if it is the case then congratulations. I was under the (mis?)apprehension that you were VERY close, but hadn't got there yet.

MacDennis
« Reply #38 on: March 15, 2006, 01:34:09 PM »
> 6) Are my questions stupid and don't deserve answering?

No, not stupid. Way off-topic? Yes they are ..

TheSpecialist
« Reply #39 on: March 15, 2006, 01:39:05 PM »
> Err?? Excellent, nice sarcasm. I didn't see a post where it was stated a backup had been run (although I can blatantly see the progress being made), I must have missed it, although it could well be in the first post as I'm not at a level that I understand it - if it is the case then congratulations. I was under the (mis?)apprehension that you were VERY close, but hadn't got there yet.

No, it's nowhere stated and it's not interesting at all. This board is for technical security info only. If you're interested in that, then this thread might be very interesting to you. If not, please post on a general board like XS. I know I also cluttered this thread with a lot of garbage, hehe, hoping that some mod will be friendly enough to clean it and delete non-technical posts. In the end, that's what this board is all about. So don't take my sarcasm personally, but please stick to technical info only. And mods, please moderate a bit harder. Or supply a way to let a user delete his own garbage.