TS-H943 firmware dump by software

[Feflicker]

Germia, do you have a CD drive? You could always burn a bootable CD instead if you don't have a floppy drive...

[patx]

Why people don't want to spend a little time reading the forum?

I did, but I guess I got to exited with the release and I started posting to get more infos before reading further and even before looking a what I was asking  I was pressing "Post" !! lolll !! anyway, have anyone try wih this before: http://www.cooldrives.com/moseata2poca.html

[loon]

yes you could make a bootable cd but i need help doing it because i have never done one, i used to have a different pc which had a floppy and was easy to mabe a bootable dos disc but now i have a phillips ls1400 which cost a grand and it aint much cop
.Can you tell me how to make a bootable cd

[Feflicker]

well, since you don't have a floppy drive, it gets harder lol. Honestly, just download a "super boot" type CD of the internet and try to edit it. You can probably add files to iso with an iso tool or something (worth looking into)... Maybe someone on here will feel your pain and just make the disc for people without floppy drives...

[patx]

Did anyone try with Dosbox ?!? If you succeeded dumping your FW with a DOS boot disk, would you please try with Dosbox and report results !!!

let's say you extracted commodore hack to C:/HACK360

1-Launch Dosbox

2-mount C C:\HACK360

now the virtual DOS set C: to C:/HACK360

3-dir C:\ (to see it went well)

4-mount your 360 drive (refer to readme file)

5-C:\MTKFLASH...




Thankx !!!

[syd41]

So close....

Can anyone tell me how to get the CDB window open in dvdinfopro?

If I select "Send Custom Command" from the drop down listbox it flashes up on the screen but then disappears and gives me a window full of 00 00 00

I've tried 3 versions now, so it's probably me but damn it's frustrating to be hung up on this of all things...

[tbirdguy]

blue cop... im trying your method using the 360 HD to swap with, using a PCI controller with via vt6421l chipset, and get no drive detected everytime,  i have disable the onboard controller, using bootfloppy. no matter what i try, every combination of hdd on either port, hot swapped with 360's DVD drive every way possible, just having no luck at all. i dont have any other sata devices to try to swap with, mtkflash doesent seem to detect the sata controller, i have no option to disable the boot rom on the card,


believe it or not, though i just registered, ive been reading these threads for long time, mad about having TS drive until i seen you had flashed it without too many problems. i used to hack sat cards few years back and this reminds me of that alot, with the whole "3m" deal pointing the channells auth code to a channel that is authorized to get all stations. "jump points" and the like. all makes sense to me through out the hack. been reading and reading and rereading, now that i am trying to do things, albiet the ready made easy way, i just cant even get started.

any help is greatly appreciated and much needed.

thanks for being here for people like me to learn from

[patx]

doyou think his pcmcia card will do ?!?

http://www.newegg.com/Product/Product.asp?Item=N82E16815124012

Model :

Brand SYBA
Model SD-PCB-SATA

Specifications :

Type Serial ATA PCMCIA Card
Data Rates up to 1.5Gb/s
Other Ports 2x SATA
Interface 32-bit CardBus Type II

Features:

Features compatibility - Based on SIL3112 chipset


Anyone had succes with SIL3112 chipset ?!?

[lithiumC]

I too am interested in any PCI SATA cards that work at reading and writing the firmware without hangups!

Or if anyone knows if the SATA controller found on the NF7-S ver2.0 works, which is a silicon image 3112 sata raid controller. The one thing I most worried about is hangups!

[Arakon]

the SIL3112 is incapable of flashing from the hardware side, you can not use it, period.

[syd41]

So close....

Can anyone tell me how to get the CDB window open in dvdinfopro?

If I select "Send Custom Command" from the drop down listbox it flashes up on the screen but then disappears and gives me a window full of 00 00 00

I've tried 3 versions now, so it's probably me but damn it's frustrating to be hung up on this of all things...

Fair dinkum I'm a dickhead. For anyone silly as me that gets caught by this, don't have your dvdinfopro window bordering on the right side of your desktop when trying the above, coz then you won't see the cdb window trying to open to the right of the main prog window and seemingly dissappearing... It ONLY opens to the right.

Live & learn... 

[robinsod]

I was sent a firmware dump by an ozzy a few days ago, he wanted to know if it was valid since the key appeared to be garbage. When I looked I found the following


Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00004000   01 11 11 11 11 FF FF FF  FF FF FF FF FF FF FF FF   
00004010   FF FF FF FF FF 02 EE EE  EE EE BB BB BB FF FF FF   
00004020   FF FF FF FF FF FF FF FF  FF FF 03 11 11 11 11 FF   
00004030   FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF 04   
00004040   EE EE EE EE BB BB BB FF  FF FF FF FF FF FF FF FF   
00004050   FF FF FF FF 05 11 11 11  11 FF FF FF FF FF FF FF   
00004060   FF FF FF FF FF FF FF FF  FF 06 EE EE EE EE BB BB   
00004070   BB FF FF FF FF FF FF FF  FF FF FF FF FF FF 07 11   
00004080   11 11 11 FF FF FF FF FF  FF FF FF FF FF FF FF FF   
00004090   FF FF FF 08 EE EE EE EE  BB BB BB FF FF FF FF FF   
000040A0   FF FF FF FF FF FF FF FF  09 11 11 11 11 FF FF FF   
000040B0   FF FF FF FF FF FF FF FF  FF FF FF FF FF 0A EE EE   
000040C0   EE EE BB BB BB FF FF FF  FF FF FF FF FF FF FF FF   
000040D0   FF FF 0B 11 11 11 11 FF  FF FF FF FF FF FF FF FF   
000040E0   FF FF FF FF FF FF FF 0C  EE EE EE EE XX XX XX XX   
000040F0   XX XX XX XX XX XX XX XX  XX XX XX XX FF FF FF FF   
00004100   FF

Where XX are bytes in the key and obscured for obvious reasons. In all the other TS FWs I have looked at the key is located at 0x401a but in his it has moved. This is the only difference between the 2 FWs

I haven't analysed the encryption routines in any great detail so I dont know for certain how they work and how they are implemented. However looking at the dump I see what looks like a table and the key is in the last entry in the table, hmmmmm, here is a snippet from mine:

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

00004000   01 11 11 11 11 FF FF FF  FF FF FF FF FF FF FF FF   .....ÿÿÿÿÿÿÿÿÿÿÿ
00004010   FF FF FF FF FF 02 EE EE  EE EE XX XX XX XX XX XX   ÿÿÿÿÿ.îîîî“Bâç¹u
00004020   XX XX XX XX XX XX XX XX  XX XX                     P.ÃÛþS7V¥

So, I think we can say that my key is in table entry 1 (and there is only 1) and the ozzy's is in entry 6. I have no idea why this is unless it's something to do with region locks....

Has anyone successfully tested this xtreme firmware? I am a little curios about how it can work. Nowhere in the instructions do I see any mention of the CPR_MAI bytes (are they somehow extracted with the SS?) and I cannot see how the C/R data is being spoofed, in particular the timings for types 5 & 7. Probably I am being stooopid, perhaps I should just disasm and find out but I am also lazy

[intox]

final got my firmware to dump
i used a dfi nf4 mb pluged pioneer 110 into ide channel
the i plugged x360 dvd into nf4 sata 4
then in bios i disabled raid on nf4 and also internal nf4 sata 1&2
then final boot from floppy and used patched nf4 mtkflash
then all i did was boot into dos and type mtkflash r /m orig .bin (but i had to make sure i put a space after the letter r for it to dump)
and that was it

[MacDennis]

Has anyone successfully tested this xtreme firmware? I am a little curios about how it can work. Nowhere in the instructions do I see any mention of the CPR_MAI bytes (are they somehow extracted with the SS?)

Good to see you back!  I looked at the SS data, the CPR_MAI bytes are located at offset 0x2D0.

and I cannot see how the C/R data is being spoofed, in particular the timings for types 5 & 7. Probably I am being stooopid,

Yeah, I prefer a technical discussion instead of all the 'how do I burn my ISO' / 'my drive is not detected' crap. I though this was a technical hacking forum but I don't see any technical hacking information, only warez kiddies. This thread needs some cleaning. Oh well, back to topic. It seems that offset 0x200 holds a custom table. Also, the drive C/R table is completely different. Not sure what is going on there. It can't be descrambled with the CPR_MAI value and also 0x00000000 as default value does not work.

It would be nice if a LG compatible firmware hack could be made, knowing the details about this hack would help. At this moment a backup is only Samsung 'compatible'.

perhaps I should just disasm and find out but I am also lazy

Same problem here .. 

[boulie]

i was wondering if any of you succeded to recognize the TS drive with a Silicon Image SIL3122A Serial ATA (SATA) host controller chipset ??
Thanks in advance

[Arakon]

how often is that question gonna get asked, for f***s sake? the 3112 chipset WILL NOT WORK, period. the chipset itself does not support the flashing of drives.

@robinsod: the firmware is indeed confirmed to work fine. I think the challenge types are dumped into the SS somehow because you need to send four CDB commands to the drive and the final result is the working SS.

[boulie]

i was asking about the 3122A not the 3112

[Geremia]

robinsod:

when i dumped my fw, i found 2 keys and played a little:

http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=648.msg6293#msg6293

btw, my valid key was at position 04, now i'm using it at position 02 and FF all after and works no problem.

[BlueCop]

robinsod: thats similar to my firmware. several people have has varialbe position keys

00004000   01 11 11 11 11 FF FF FF  FF FF FF FF FF FF FF FF
00004010   FF FF FF FF FF 02 EE EE  EE EE BB BB BB FF FF FF
00004020   FF FF FF FF FF FF FF FF  FF FF 03 11 11 11 11 FF
00004030   FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF 04
00004040   EE EE EE EE BB BB BB FF  FF FF FF FF FF FF FF FF
00004050   FF FF FF FF 05 11 11 11  11 FF FF FF FF FF FF FF
00004060   FF FF FF FF FF FF FF FF  FF 06 EE EE EE EE BB BB
00004070   BB FF FF FF FF FF FF FF  FF FF FF FF FF FF 07 11
00004080   11 11 11 FF FF FF FF FF  FF FF FF FF FF FF FF FF
00004090   FF FF FF 08 EE EE EE EE  BB BB BB FF FF FF FF FF
000040A0   FF FF FF FF FF FF FF FF  09 11 11 11 11 FF FF FF
000040B0   FF FF FF FF FF FF FF FF  FF FF FF FF FF 0A EE EE
000040C0   EE EE BB BB BB FF FF FF  FF FF FF FF FF FF FF FF
000040D0   FF FF 0B 11 11 11 11 FF  FF FF FF FF FF FF FF FF
000040E0   FF FF FF FF FF FF FF 0C  EE EE EE EE BB BB BB FF
000040F0   FF FF FF FF FF FF FF FF  FF FF FF FF 0D 11 11 11
00004100   11 FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
00004110   FF 0E EE EE EE EE BB BB  BB FF FF FF FF FF FF FF
00004120   FF FF FF FF FF FF 0F 11  11 11 11 FF FF FF FF FF
00004130   FF FF FF FF FF FF FF FF  FF FF FF 10 EE EE EE EE
00004140   BB BB BB FF FF FF FF FF  FF FF FF FF FF FF FF FF
00004150   11 11 11 11 11 FF FF FF  FF FF FF FF FF FF FF FF
00004160   FF FF FF FF FF 12 EE EE  EE EE BB BB BB FF FF FF
00004170   FF FF FF FF FF FF FF FF  FF FF 13 11 11 11 11 FF
00004180   FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF 14
00004190   EE EE EE EE BB BB BB FF  FF FF FF FF FF FF FF FF
000041A0   FF FF FF FF 15 11 11 11  11 FF FF FF FF FF FF FF
000041B0   FF FF FF FF FF FF FF FF  FF 16 EE EE EE EE BB BB
000041C0   BB FF FF FF FF FF FF FF  FF FF FF FF FF FF 17 11
000041D0   11 11 11 FF FF FF FF FF  FF FF FF FF FF FF FF FF
000041E0   FF FF FF 18 EE EE EE EE  BB BB BB FF FF FF FF FF
000041F0   FF FF FF FF FF FF FF FF  19 11 11 11 11 FF FF FF
00004200   FF FF FF FF FF FF FF FF  FF FF FF FF FF 1A EE EE
00004210   EE EE BB BB BB FF FF FF  FF FF FF FF FF FF FF FF
00004220   FF FF 1B 11 11 11 11 FF  FF FF FF FF FF FF FF FF
00004230   FF FF FF FF FF FF FF 1C  EE EE EE EE BB BB BB FF
00004240   FF FF FF FF FF FF FF FF  FF FF FF FF 1D 11 11 11
00004250   11 FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF
00004260   FF 1E EE EE EE EE BB BB  BB FF FF FF FF FF FF FF
00004270   FF FF FF FF FF FF 1F 11  11 11 11 FF FF FF FF FF
00004280   FF FF FF FF FF FF FF FF  FF FF FF 20 EE EE EE EE
00004290   XX XX

[Seth]

Hey guys! 
Well after 2 days of reading most of the board about the dumping of the org firmware and all the problems some ppl had, and wich chipsets won´t work etc.. and almost 2 days of trying to dump my firmware..
i had to register and ask..

My problem is i got a MSI-945P Neo with intel ICH7 chipset, it detects the drive in bios as 4th master ide drive, but won´t be able to flash it as u know it mtkflash won´t detect it..
I really tried it myself to resolve the thing with all infos i got here, but i´m stuck hehe.. my question now:
Is there any1 that could help me to patch mtkflash for my chipset ? Or gimme a short "how to" in private, i would really apriciate it guys..

Thanks in advance,
Seth