TS-H943 firmware dump by software

[k0mpresd]

i have 2 sata ports on my mb and the ide > sata adapter i got @ a local computer store..not sure what brand

just tried a game..works fine..so it looks like it flashed back ok

[BlueCop]

Woo I got a method that works with reading and writing from a ms25 drive without any ide>sata adapter or swaping with sata dvd-roms i don't have.

what you need is a sata harddrive and your Toshiba-Samsung Drive

since the via chipset i have always chokes on ms25 you have to hook up a sata harddrive to the sata controller. i used my xbox 360 harddrive but i tested with another sata harddrive and the method worked with it as well.

you start the computer to dos using bootdisk or other method(i used a usb stick to boot into dos)

you will of course need mtkflash 1.83c on the booted media

start your 360 with just the power cable connected to the dvd drive.

disconnect the sata cable from your harddrive and plug it into your dvd drive

i then ran mtkflash r backup.bin to backup a copy of the firmware
or do mtkflash w firmware.bin to write a firmware

after you backup/write the firmware you can't backup/write a firmware again untill you redo the whole process.

so if you do a backup of your firmware and then want to write a new firmware to the drive you would have to shutdown the computer and the 360 and start the process over.

I tested this multiply times and it worked fine each time.

Peace
BlueCop

Edit: i forgot to mention. i didn't need a second dvd-rom connected for a selection menu. it simply detected the ms25 drive and would do whatever operation i selected on it.

[k0mpresd]

ha...awesome..that makes sense though i guess..youre still hotswapping in a way..

[Lash444]

Heh, I tore apart my 360 hard drive casing in order to hook this thing up figuring it wouldnt auto detect the dvd drive. 

I can report that the Promise Sata controller on the P4C800E-Deluxe, does not properly detect the hard drive with mktflash, but does indeed detect the TS-H943  H/W:004  F/W: ms25 properly.
I have not put the thing together yet and ran it, but it did dump the bin and the process to write it back appears to have updated it correctly.  Thanks for the help guys.

[ChaosBoy]

@BlueCop

i have tried your way and works fine...
i have here one asus mb with sata an ide port...
i connected one excelstor 80 gb hd on port 1 and hotswap with my sammy, started mktflash and i have succesfully dumped my fw...
i shutdown and restart my pc and my xbox360 and tried to write the firmware to the sammy... it workz...

good news...

so, now we can try to hack this firmware..

Greets
ChaosBoy

[nokaktsawa]

so, now we can try to hack this firmware..

Right. But first: one simple question. If we experiment modifying the firmware, and flash a badly modified one, can we ALWAYS reflash the original firmware, no matter what the bad firmware is?

[ChaosBoy]

i think so...
Bluecop / Geremia??? what do u mean??

Greets
ChaosBoy

[MacDennis]

Right. But first: one simple question. If we experiment modifying the firmware, and flash a badly modified one, can we ALWAYS reflash the original firmware, no matter what the bad firmware is?

This is definately NOT the case for the LG drives. I'm not sure but the TS could also have a recovery mode.

Great work guys!! 

[BlueCop]

since i have a socketed flash on my drive i can easily recover from bad flashes.

I will try to do some testing with bad flashes with mtkflash and report back with success failures.

[ChaosBoy]

thnxx BlueCop

Greets
ChaosBoy

[k0mpresd]

yes..thanx bluecop for doing some more testing ...soo..whats next? 

[ChaosBoy]

@k0mpresd

take a look at http://www.xboxhacker.net/forums/index.php?topic=359.60

Greets
ChaosBoy

[uberfry]

hi...i know this might have nothing to do with this thread, but i couldn't think of any better thread to post in...
is it possible to hack the fw without having to put it in the xbox360? maybe an rs232 port available?
i don't wanna give up the warranty...

[MacDennis]

is it possible to hack the fw without having to put it in the xbox360? maybe an rs232 port available?
i don't wanna give up the warranty...

Did you spot a rs232 port on your console? If you want to dump / flash the TS-H943 or LG firmware by software or hardware then you WILL have to open the console. Basically, if you want to do any x360 hacking at all then you WILL have to give up your warranty. That's the price you will have to pay for being a hacker. 

[patx]

On another note. i have been trying the tiros method of grounding the eject pin on startup to get the drive recognized by windows.

i have tried this several times and my via sata controller always chokes on ms25 firmware no matter what i try. i was abled to get the drive recognized by my my via software in windows using this method to startup the drive and then pluging the sata cable in while windows was running. i couldn't get the drive to populate though.

I tried mtkflash win with ms07 and ms25 running on my drive and it didn't find my drive as a compatible target.

Just an idea, but did you consider my method to get the drive detected and working in Windows? I did try this method succesfully with the original LG Windows software flasher for the 8163B drive. Perhaps the same method works with mtkflash. I don't have a Samsung drive so I can't try. The nice thing is, the inquiry command to detect the drive can be faked and you can specify whatever inquiry data you like. The inquiry command seems to be the root cause for a drive not being detected by Linux / Windows ..

http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=663.0

Has anyone tried this yet ?!? I have ordered the usb.brando adapter and a sammy drive... I will test it as soon as I receive those.

[uberfry]

is it possible to hack the fw without having to put it in the xbox360? maybe an rs232 port available?
i don't wanna give up the warranty...

Did you spot a rs232 port on your console? If you want to dump / flash the TS-H943 or LG firmware by software or hardware then you WILL have to open the console. Basically, if you want to do any x360 hacking at all then you WILL have to give up your warranty. That's the price you will have to pay for being a hacker. 

heard about replacement drives?
because normally u have 2 pads marking "TX" and "RX"
think about it before making fun of me

[MacDennis]

heard about replacement drives?

Yes.

because normally u have 2 pads marking "TX" and "RX"

Where are these pads located? Let's imagine you are able to flash the replacement drive with a hacked firmware. How are you going to connect it to your console?

think about it before making fun of me

Dude, I'm not making fun out of you. I'm only stating the obvious.

To be fair, yes it's possible to hack the firmware without a console or any other hardware. A disassembler or a tool like IDA is enough. Firmware is just software. But how are you going to test a patches without the drive being connected to an actual console? Yes you can send commands to the drive by using plscsi for example but commands related to the authentication of x360 discs need to be encrypted first by using AES. I assume that you would like to test your final patches on an actual console in the end right? If people are too scared to brick the drive/console or if they don't want to void their warrenty then they should find another hobby IMHO.

[BlueCop]

Where are these pads located? Let's imagine you are able to flash the replacement drive with a hacked firmware. How are you going to connect it to your console?

there are four header holes next to the ram on the TS mainboard. underneath the 2 center ones are labled RX, TX. one of the side ones is ground. the other side i tested with a multimeter and didn't get any voltage with it was on. i didn't look ot hard at it so i am not sure what that pin is.

I did wire up a max232 chip to the rx,tx and gnd lines. I tried some code to output the security sector to the SBUF(serial output). I had some luck with it outputing information on the serial port but the main problem i am having is geting an accurate baud rate. i discussed it more in another thread. i haven't found a solution yet. i was trying to get a 9600bps baud within a + or - 2-3%.

I soldered a 4 pin header to the spot and cut a small square hole in the bottom of my drive casing. i can plug in the serial port cable easily now.

I thought it might be usefull to embeded some serial output cues that might be able to help understand the flow of how things are working in the drive but i was using the Security Sector output as a test case that would be usefull to be able to dump several of them without having the dump the flash each time to extract it.

[BlueCop]

OK i used MTKFlash to Erase my flash chip to test if a currupted flash on a drive would still be able to be flashed again.

I could not get MTKFlash to work with the drive anymore using the method with the harddrive. I don't have the tools to try the other methods of swaping with another dvd drive. That might still work. the problem i was having was that mtkflash wouldn't detect my drive after i currupted the flash.

So be carefull and don't flash anything bad to your chip because you might not be able to recover by software. There is always the option of desoldering though.

[Zenofex]

I can also confirm that a bad flash WILL ruin your drive, I toasted my first TS today and am having a friend of mine remove the epoxy and chip from the board so that i can wire a socket to the back of my drive.  Luckily if this fails i have already aquired my key and dumped the firmware, Ill probably order a replacement just to have 2 drives. I knew my drive was toasted when i was using mktflash and it got to "UPDATING BANK 12" (I knew it was gone after it didn't stop at bank #4 but i was trying to be hopefull). lol, well as someone on this board has said "Dont try to hack the 360 if your afraid you might ruin it".  Now i just need to wait till i either get the socket set up or my replacement in.