XboxHacker BBS
Topic: Raw Dump Extractor released.
anita999 (Master Hacker, Posts: 123)
« Reply #20 on: December 11, 2005, 04:59:13 AM »

Based on what I found on the Xbox1, the kernel uses "mode sense" and "mode select" to perform a kind of "challenge and response" exchange with the DVD-ROM firmware. Once the challenge and response sequence has completed, you may access the disk content with regular ATAPI commands such as read sectors, etc.
I believe that in the Xbox 360 a similar scheme must exist, and this time the scheme includes the hardware signature, which is the reason why you can't read the original disk once you swap the DVD drive between two Xboxes.
But with a simple protocol analyzer, one can easily intercept the "challenge and response" sequence in the Xbox 360 system; then they can duplicate the sequence and get the access authority to read the raw disk content. And the raw disk content is the ISO file we see on the internet. So the so-called "dumper" is simply an Xbox-file-system dumper which extracts the files from the ISO file.
I have very high confidence in this dumper and the released ISO file because I have done it before with the Xbox1. But unfortunately I couldn't try it with the Xbox 360 since I don't have one on hand, and I am in the Far East, which means I will have to wait till Mar. 2006. Hope anyone there could use this idea to explore more inside the Xbox 360.
« Last Edit: December 11, 2005, 05:03:13 AM by anita999 »
TheSpecialist (Global Moderator, Xbox Hacker, Posts: 782)
« Reply #21 on: December 11, 2005, 01:42:09 PM »

Quote from: anita999
Based on what I found on the Xbox1, the kernel uses "mode sense" and "mode select" to perform a kind of "challenge and response" exchange with the DVD-ROM firmware. Once the challenge and response sequence has completed, you may access the disk content with regular ATAPI commands such as read sectors, etc.

Very interesting! Do you have logs of the specific commands/data these commands send/receive (for a particular game disk, original Xbox I mean of course)? Do they use the 10-byte or 6-byte version of mode sense/select?
anita999 (Master Hacker, Posts: 123)
« Reply #22 on: December 11, 2005, 03:27:46 PM »

Quote from: TheSpecialist
Very interesting! Do you have logs of the specific commands/data these commands send/receive (for a particular game disk, original Xbox I mean of course)? Do they use the 10-byte or 6-byte version of mode sense/select?

Well, my skill at using the LA is not good, and the Xbox uses DMA for the ATAPI commands, so the data might not be 100% correct. Mode sense and mode select are implemented in the 12-byte command format, and right after a mode select command the kernel sends out a data string to the DVD drive, and the DVD drive responds with a data string right after a mode sense command.
Here is the general scheme:
1. READ SMART
2. Mode Sense, returns 0x51 error.
3. Request Sense
4. Mode Sense
5. Read DVD Structure
6. Mode Select and Mode Sense sequences
7. Read Capacity
8. Read block #20h, length 02h (this should be the root directory of the Xbox disk file system).
9. Read TOC/PMA/ATIP
10. Read blocks based on the info in block #20h.

If you put a burned disk in the Xbox, then steps 5, 6 and 9 are skipped.
This will be interesting if a similar scheme is implemented in the Xbox 360. If someone can figure out the hardware signature scheme, then one might be able to fool the Xbox 360 with a virtual DVD drive by emulating the challenge and response sequence and then sending out the backed-up or modified data.
Well, that's what I know so far. Hope it helps.
anita999 (Master Hacker, Posts: 123)
« Reply #23 on: December 11, 2005, 03:33:32 PM »

Here is a sample log which I captured by monitoring the Xbox while inserting the original Panzer Dragoon Orta.
Sorry, the log file is in Excel format; here I can only put it in a table-like text format.
As I mentioned, my skill at using the LA is not good, so there might be some duplicated logged
data. Anyway, this is for your reference only. Note that the mode select and mode sense
sequence loops differ per game disk. Splinter Cell has one loop less than Panzer Dragoon
Orta.

ATA CMD   Description
B0   Read HDD SMART
A0   PKT CMD 5A Mode Sense
     5A 00 3E 00 00 00 00 00 1C 00 00 00
     page code 3E, subpage code 00, page_0 format required
     Ret Status 51 Error
A0   PKT CMD 03 Request Sense
     03 00 00 00 12 00 00 00 00 00 00 00
     DESC=0 for fixed format, alloc length = 12h
     Return 06 00 06 00 00 0A 00 0A 00 00 00 00
            00 00 00 00 00 00 00 00 00 00 00 00
A0   PKT CMD 5A Mode Sense
     5A 00 3E 00 00 00 00 00 1C 00 00 00
     page code 3E, subpage code 00, page_0 format required
     RET 00 00 00 00 00 00 00 00 00 01 00 01
         01 00 01 00 00 00 00 00 00 00 00 00
         00 00 00 00
     Ret Status 50
A0   PKT CMD AD Read DVD Structure
     AD 00 FF 02 FD FF FE 00 06 64 00 0C
     664h bytes allocated
A0   PKT CMD 55 Mode Select
     55 00 00 00 00 00 00 00 1C 00 00 00
     Data out
     00 1A 00 00 00 00 00 00 3E 12 00 01 00 D1 01 00
     51 A4 29 F4 00 00 00 00 00 00 00 00
A0   PKT CMD 5A Mode Sense
     5A 00 3E 00 00 00 00 00 1C 00 00 00
     page code 3E, subpage code 00, page_0 format required
     RET 00 00 00 00 00 00 00 00 00 03 00 01
         01 00 01 00 29 F4 29 F4 A6 00 A6 00
         00 00 00 00
A0   PKT CMD 55 Mode Select
     55 00 00 00 00 00 00 00 1C 00 00 00
     Data out
     00 1A 00 00 00 00 00 00 3E 12 00 01 01 D1 01 27
     51 A4 29 F4 00 00 00 00 00 00 00 00
A0   PKT CMD 5A Mode Sense
     5A 00 3E 00 00 00 00 00 1C 00 00 00
     page code 3E, subpage code 00, page_0 format required
     RET 00 00 00 00 00 00 00 00 00 01 00 01
         01 27 01 27 29 F4 29 F4 7A 00 7A 00
         00 00 00 00
A0   PKT CMD 55 Mode Select
     55 00 00 00 00 00 00 00 1C 00 00 00
     Data out
     00 1A 00 00 00 00 00 00 3E 12 00 01 01 D1 01 1E
     51 A4 29 F4 00 00 00 00 00 00 00 00
A0   PKT CMD 5A Mode Sense
     5A 00 3E 00 00 00 00 00 1C 00 00 00
     page code 3E, subpage code 00, page_0 format required
     RET 00 00 00 00 00 00 00 00 00 00 00 00
         00 01 00 01 01 1E 01 1E 29 F4 29 F4 3B 00 3B 00 00 00 00 00
A0   PKT CMD 55 Mode Select
     55 00 00 00 00 00 00 00 1C 00 00 00
     Data out
     00 1A 00 00 00 00 00 00 3E 12 00 01 01 D1 01 CC
     51 A4 29 F4 00 00 00 00 00 00 00 00
A0   PKT CMD 5A Mode Sense
     5A 00 3E 00 00 00 00 00 1C 00 00 00
     page code 3E, subpage code 00, page_0 format required
     RET 00 00 00 00 00 01 00 01 01 CC 01 CC
         00 01 00 01 01 1E 01 1E 29 F4 29 F4
A0   PKT CMD 55 Mode Select
     55 00 00 00 00 00 00 00 1C 00 00 00
     Data out
     00 1A 00 00 00 00 00 00 3E 12 00 01 01 D1 01 46
     51 A4 29 F4 00 00 00 00 00 00 00 00
A0   PKT CMD 5A Mode Sense
     5A 00 3E 00 00 00 00 00 1C 00 00 00
     page code 3E, subpage code 00, page_0 format required
     RET 00 00 00 00 00 01 00 01 01 46 01 46
         29 F4 29 F4
A0   PKT CMD 55 Mode Select
     55 00 00 00 00 00 00 00 1C 00 00 00
     Data out
     00 1A 00 00 00 00 00 00 3E 12 01 01 01 D1 01 46
     51 A4 29 F4 00 00 00 00 00 00 00 00
A0   PKT CMD 5A Mode Sense
     5A 00 3E 00 00 00 00 00 1C 00 00 00
     page code 3E, subpage code 00, page_0 format required
     RET 00 00 00 00 00 00 00 00 01 01 01 01 01 46 01 46
         29 F4 29 F4 F5 00 F5 00 00 00 00 00
A0   PKT CMD 25 Read Capacity
     25 00 00 00 00 00 00 00 00 00 00 00
     RET 5B 5F 5B 5F 08 00 08 00
A0   PKT CMD 28 READ(10)
     28 00 00 00 00 20 00 00 02 00 00 00
     Read block #20h, total 2 blocks
A0   PKT CMD 43 READ TOC/PMA/ATIP
     43 02 00 00 00 00 00 03 24 00 00 00
     RET 01 03 01 01 01 00 01 00 02 00
         02 00 AA 00 AA 00 3B 4E 3B 4A
A0   PKT CMD 28 READ(10)
     28 00 00 13 D6 82 00 00 02 00 00 00
     Read block #13D682h, total 2 blocks
A0   PKT CMD 28 READ(10)
     28 00 00 13 D6 84 00 00 02 00 00 00
     Read block #13D684h, total 2 blocks
A0   PKT CMD 28 READ(10)
     28 00 00 16 01 60 00 00 02 00 00 00
     Read block #160160h, total 2 blocks
A0   PKT CMD 28 READ(10)
     28 00 00 16 01 60 00 00 02 00 00 00
     Read block #160160h, total 2 blocks
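A decoder for the packets in the log above, added here as an example; it is not code from anita999's post or from any Xbox tool. It uses the standard SCSI/MMC field layout for each opcode (page code and allocation length for MODE SENSE(10), LBA and transfer length for READ(10), and so on) and splits a MODE SELECT(10) data-out phase into its 8-byte mode parameter header and the page_0-format pages behind it. It assumes the CDB and data-out bytes in the log were captured correctly, and it assigns no meaning to the page 3E payload (the 01 D1 01 xx / 51 A4 29 F4 values), because that is exactly what the thread is trying to work out. The CDB list and the 28-byte data-out string are copied from the log as constructed test input.

```python
"""Decode the ATAPI packet commands captured in the trace above.

Added example, not code from the forum post. Only standard MMC CDB
fields are decoded; the vendor page 0x3E payload is passed through.
"""
from typing import Dict, List

# Standard SCSI/MMC opcodes that occur in the trace.
OPCODES = {
    0x03: "REQUEST SENSE",
    0x25: "READ CAPACITY",
    0x28: "READ(10)",
    0x43: "READ TOC/PMA/ATIP",
    0x55: "MODE SELECT(10)",
    0x5A: "MODE SENSE(10)",
    0xAD: "READ DVD STRUCTURE",
}

# CDBs copied from the log above, in the order the kernel issued them
# (constructed input for this example, one per distinct step).
TRACE = [
    "5A 00 3E 00 00 00 00 00 1C 00 00 00",
    "03 00 00 00 12 00 00 00 00 00 00 00",
    "5A 00 3E 00 00 00 00 00 1C 00 00 00",
    "AD 00 FF 02 FD FF FE 00 06 64 00 0C",
    "55 00 00 00 00 00 00 00 1C 00 00 00",
    "5A 00 3E 00 00 00 00 00 1C 00 00 00",
    "25 00 00 00 00 00 00 00 00 00 00 00",
    "28 00 00 00 00 20 00 00 02 00 00 00",
    "43 02 00 00 00 00 00 03 24 00 00 00",
    "28 00 00 13 D6 82 00 00 02 00 00 00",
]

# First MODE SELECT data-out phase from the log (28 bytes, from the post).
MODE_SELECT_DATA = (
    "00 1A 00 00 00 00 00 00 3E 12 00 01 00 D1 01 00 "
    "51 A4 29 F4 00 00 00 00 00 00 00 00"
)


def _bytes(hex_str: str) -> bytes:
    return bytes.fromhex(hex_str.replace(" ", ""))


def decode_cdb(cdb_hex: str) -> Dict[str, object]:
    """Decode one 12-byte ATAPI packet. 10-byte CDBs such as MODE SENSE(10)
    are zero-padded to 12 bytes, which is why every packet in the log
    ends in at least two 00 bytes."""
    cdb = _bytes(cdb_hex)
    if len(cdb) != 12:
        raise ValueError("ATAPI packets are 12 bytes long")
    op = cdb[0]
    out: Dict[str, object] = {"opcode": op, "name": OPCODES.get(op, "UNKNOWN")}
    if op == 0x5A:    # MODE SENSE(10): PC/page code in byte 2, alloc len in 7..8
        out["page_code"] = cdb[2] & 0x3F
        out["page_control"] = cdb[2] >> 6
        out["subpage"] = cdb[3]
        out["alloc_len"] = int.from_bytes(cdb[7:9], "big")
    elif op == 0x55:  # MODE SELECT(10): PF bit in byte 1, list length in 7..8
        out["pf"] = (cdb[1] >> 4) & 1
        out["param_len"] = int.from_bytes(cdb[7:9], "big")
    elif op == 0x28:  # READ(10): 32-bit LBA in 2..5, transfer length in 7..8
        out["lba"] = int.from_bytes(cdb[2:6], "big")
        out["blocks"] = int.from_bytes(cdb[7:9], "big")
    elif op == 0x03:  # REQUEST SENSE: allocation length in byte 4
        out["alloc_len"] = cdb[4]
    elif op == 0xAD:  # READ DVD STRUCTURE: format in byte 7, alloc len in 8..9
        out["format"] = cdb[7]
        out["alloc_len"] = int.from_bytes(cdb[8:10], "big")
    elif op == 0x43:  # READ TOC/PMA/ATIP: MSF bit, format nibble, alloc len
        out["msf"] = (cdb[1] >> 1) & 1
        out["format"] = cdb[2] & 0x0F
        out["alloc_len"] = int.from_bytes(cdb[7:9], "big")
    return out


def decode_mode_params(data_hex: str) -> Dict[str, object]:
    """Split a MODE SELECT(10)/MODE SENSE(10) parameter list into its 8-byte
    header and the page_0-format pages that follow. mode_data_length counts
    everything after its own two bytes, so 0x1A = 26 for a 28-byte list."""
    data = _bytes(data_hex)
    header = {
        "mode_data_length": int.from_bytes(data[0:2], "big"),
        "block_desc_length": int.from_bytes(data[6:8], "big"),
    }
    pos = 8 + header["block_desc_length"]
    pages: List[Dict[str, object]] = []
    while pos + 2 <= len(data):
        code, length = data[pos] & 0x3F, data[pos + 1]
        pages.append({
            "page_code": code,
            "page_length": length,
            "payload": data[pos + 2:pos + 2 + length].hex(" ").upper(),
        })
        pos += 2 + length
    return {"header": header, "pages": pages}


def summarize(trace: List[str]) -> List[str]:
    """One human-readable line per packet, in issue order."""
    lines = []
    for cdb_hex in trace:
        d = decode_cdb(cdb_hex)
        detail = ", ".join(f"{k}={v:#x}" for k, v in d.items()
                           if k not in ("opcode", "name"))
        lines.append(f"{d['opcode']:02X} {d['name']}" + (f" [{detail}]" if detail else ""))
    return lines


if __name__ == "__main__":
    for line in summarize(TRACE):
        print(line)
    print(decode_mode_params(MODE_SELECT_DATA))
```

Two things fall out of running it: the MODE SENSE/MODE SELECT packets really are the 10-byte forms with two bytes of padding, as TheSpecialist notes in the next reply, and the READ(10) LBAs (20h, 13D682h, 13D684h, 160160h) decode directly from bytes 2..5 of the CDB, so the "read blocks based on block #20h" step can be followed in any later capture without guessing.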
TheSpecialist (Global Moderator, Xbox Hacker, Posts: 782)
« Reply #24 on: December 11, 2005, 03:50:29 PM »

Quote from: anita999
Here is a sample log which I captured by monitoring the Xbox while inserting the original Panzer Dragoon Orta.

Cool! Thanks! What kind of hardware do you use to log these messages?

Quote from: anita999
ATA CMD   Description
     5A 00 3E 00 00 00 00 00 1C 00 00 00

Opcode '$5A' is the 10-byte version of "mode sense". I think the last 2 bytes ($00, $00) can be left out.
« Last Edit: December 11, 2005, 04:30:41 PM by TheSpecialist »
lantus (Member, Posts: 26)
« Reply #25 on: December 11, 2005, 08:56:03 PM »

A bit of Xbox1 history:

One of the best-kept secrets was the ability of certain PC DVD-ROM drives, with a custom firmware and a small exe, to rip files directly from original Xbox discs without the need for FTP at all. The majority of the scene groups used these tools to race each other for releases.

I would say the 360 dumps you are seeing are from similar tools and *not* devkits.

xSnes9x - Snes Emulation for Xbox Consoles
SharkUW (Hacker, Posts: 93)
« Reply #26 on: December 12, 2005, 04:23:47 AM »

These dumps are no more than what it says they are. They are raw dumps. A drive does not need to read a file system or anything at all. With some modified firmware and software that can use it, it simply needs a start point and an end point. Everything in between is called 'raw data'. After the dump has been made, software can be used to read the raw image. This process allows for trying new/different ways to access the file system without worrying about what the drive is capable of seeking on command. The only complication would be if the file system were encrypted, which they have said it is not. That would have made it hard to find the names and separations of files.
oz_paulb (Member, Posts: 27)
« Reply #27 on: December 12, 2005, 08:59:43 AM »

Quote from: SharkUW
These dumps are no more than what it says they are. They are raw dumps. A drive does not need to read a file system or anything at all. With some modified firmware and software that can use it, it simply needs a start point and an end point. Everything in between is called 'raw data'. After the dump has been made, software can be used to read the raw image. This process allows for trying new/different ways to access the file system without worrying about what the drive is capable of seeking on command. The only complication would be if the file system were encrypted, which they have said it is not. That would have made it hard to find the names and separations of files.

Xbox1 DVDs are copy protected. Normal DVD drives are physically incapable of reading the entire disc (because they are fooled into thinking the disc has a lot less burned onto it than it really does). The Xbox1 DVD drive can 'see' all of the data, but only after being sent a special sequence of commands by the Xbox (so you can't just take the Xbox1 DVD drive and make it work inside a normal PC).

I assume Xbox 360 DVDs are also copy protected. I also assume normal PC DVD drives are not capable of reading the entire disc/extracting "raw dumps", and that an Xbox 360 drive won't work "as is" in a PC.

- Paulb
lantus (Member, Posts: 26)
« Reply #28 on: December 13, 2005, 03:19:02 AM »

I can confirm that the same tools will work on Xbox 360 discs. I got a source to rip Ridge Racer with his Hitachi drive and it appears to have worked ;)

xSnes9x - Snes Emulation for Xbox Consoles
xor37h (Newbie, Posts: 6)
« Reply #29 on: December 13, 2005, 04:05:18 AM »

I hope you guys remember to change the layer breakpoint in the original Xbox1 dumper tool as well, else all your layer-two files will be broken.
anita999 (Master Hacker, Posts: 123)
« Reply #30 on: December 14, 2005, 05:05:48 AM »

Okay, it seems this is well known in part of the scene. So is it possible to release it to the "normal place", since now everyone knows about this "tool" and "special firmware"?
BlueCop (Master Hacker, Posts: 316)
« Reply #31 on: December 14, 2005, 11:52:05 AM »

anita999: you would still need the specific drive that the firmware was for, which I don't think is in production anymore. I might be wrong though.
anita999 (Master Hacker, Posts: 123)
« Reply #32 on: December 15, 2005, 12:51:28 AM »

BlueCop:
   Thanks for the reminder. I simply want to reverse engineer the tool and firmware to understand it more clearly. Actually I was trying to develop such a tool by myself, but unfortunately there were not sufficient resources available, especially for those DVD drive controllers.
defnator (Newbie, Posts: 3)
« Reply #33 on: December 15, 2005, 07:50:44 AM »

anita999:

Did you begin developing a modded firmware for a PC DVD-ROM so it can read Xbox 360 discs?
Or what are you developing?

Thanks

defnator
klexen (Hacker, Posts: 77)
« Reply #34 on: May 16, 2006, 01:55:10 AM »

Can someone tell me what my key is?
« Last Edit: May 16, 2006, 02:17:53 AM by klexen »