XboxHacker BBS
 
Author Topic: Cracked Samsung SDG-605B/616T/616F Firmware for Xbox 1 - V2  (Read 161426 times)
Dzgx216
Master Hacker
****
Posts: 171


« Reply #40 on: April 23, 2006, 08:47:58 PM »

Quote
> Just a quick note to the specialist and others
>
> 1 - No cpr mai - not required in this firmware, backups boot fine on unmodified xbox

How does the drive generate a response table without the CPR_MAI bytes? How about a bit of explanation behind the science of it, eh? Forgive me for being skeptical but such is the way of the academic world from which I come.
« Last Edit: April 23, 2006, 09:42:34 PM by Dzgx216 »

- Danzig -
v3gaS
Member
**
Posts: 22


« Reply #41 on: April 23, 2006, 09:40:21 PM »

So can an X-Hacker with cred here verify this?

elitedev
Master Hacker
****
Posts: 160
« Reply #42 on: April 23, 2006, 09:56:57 PM »

I have misplaced my tools somewhere and it's getting late. I will do this tomorrow and let you all know!

TheSpecialist
Global Moderator
Xbox Hacker
*****
Posts: 782
« Reply #43 on: April 23, 2006, 10:19:19 PM »

Quote
> How does the drive generate a response table without the CPR_MAI bytes? How about a bit of explanation behind the science of it, eh? Forgive me for being skeptical but such is the way of the academic world from which I come.

Well, it IS possible to get it working without a CPR_MAI: you create your own response table and feed this to the drive. But why bother creating a new table when you can just use the one from the SS?

Anyway, I just saw that he changed some bytes in the included Halo SS, so, he might have done this. And like he says, there is indeed a jump to his code, program flow seems to be correct ... So if he's faking this, he did a much better job than last time :) But I'd have to take a closer look at what exactly is going on, but since it is 5:00 AM here, it's bed time first :)

Dzgx216
Master Hacker
****
Posts: 171
« Reply #44 on: April 23, 2006, 11:19:34 PM »


Quote
> Well, it IS possible to get it working without a CPR_MAI: you create your own response table and feed this to the drive. But why bother creating a new table when you can just use the one from the SS?
>
> Anyway, I just saw that he changed some bytes in the included Halo SS, so, he might have done this. And like he says, there is indeed a jump to his code, program flow seems to be correct ... So if he's faking this, he did a much better job than last time :) But I'd have to take a closer look at what exactly is going on, but since it is 5:00 AM here, it's bed time first :)

True, but I agree with you. Why go through the hassle of creating and hexing in the table *AND* the SS when you can hex in the SS and the CPR_MAI and have it make the table itself? (Of course, then you have to code the switch for the CPR_MAI location.) I've got a few hours of studying to do and I'm gonna take a closer look (it's 12am here). (After I saw that there was no inclusion for CPR_MAI I never looked at the disassembly further.)

twizter
Hacker
***
Posts: 59
« Reply #45 on: April 24, 2006, 12:14:40 AM »

Well disassemble this to prove definitively if this would work or not ;)
oh and document the methods he's using so we can all understand his attack on the protection

loon
Master Hacker
****
Posts: 200
« Reply #46 on: April 24, 2006, 12:51:56 AM »

If someone tells me what to do with all the other files (halo 2 etc) I will use it. I have all the necessary bits and pieces and also need to know if I rip the game from the xbox the normal way via ftp, can I just create an iso with craxtion and play away? I will post pics when I have finished as proof if someone helps me please. :)

twizter
Hacker
***
Posts: 59
« Reply #47 on: April 24, 2006, 01:08:36 AM »

Loon, as far as I know, this is what you need to do:
make a direct 1:1 copy of the disc which will end up being a DVD9 I think
then you need to insert the SS data at $f9fa00 (which is on the second layer) for the FW that commodore4eva released to read and respond to the console with.

so I'm pretty sure you can't do this with the traditional method you described using FTP to get the files.

twizter
Hacker
***
Posts: 59
« Reply #48 on: April 24, 2006, 01:42:53 AM »

Quote
> The 0x661 bytes from the SS, and the CR table for the given game.
> You don't really need the CPR_MAI bytes, the entire SS, or the SS placeholders.

Well, this is true, you don't REALLY need them, but having them makes life easier. The FW compares the CPR_MAI bytes with the challenge the 360 sends. So if you don't have the CPR_MAI, you'd have to do some extra patching. And about not having the complete SS => for 360 games you are right, but having the complete SS makes life much easier if you want to play xbox 1 games on your 360, since there are about 12 responses being used (don't have any data here at hand to check the actual amount, but I think it were 12) and these are all in the SS (for xbox 1), so this will save you quite some time logging all these 12 responses.
--
so commodore's firmware might be working fine.

burgemaster
Master Hacker
****
Posts: 100
« Reply #49 on: April 24, 2006, 04:49:24 AM »

If it wasn't a dual layer firmware, I'm sure everyone would be testing this..... I would for one :)

ReX
Member
**
Posts: 17
« Reply #50 on: April 24, 2006, 07:00:32 AM »

Quote
> Loon, as far as I know, this is what you need to do:
> make a direct 1:1 copy of the disc which will end up being a DVD9 I think
> then you need to insert the SS data at $f9fa00 (which is on the second layer) for the FW that commodore4eva released to read and respond to the console with.
>
> so I'm pretty sure you can't do this with the traditional method you described using FTP to get the files.

How to test this, step by step please? And in particular how to identify and insert the SS data to ISO backup?

Thanks

Arakon
Administrator
Xbox Hacker
*****
Posts: 6925
« Reply #51 on: April 24, 2006, 07:21:25 AM »

I'll probably get a DL blank later today and test this, if I can convince my second PC to read the halo 2 disk without turning off randomly.

I do NOT give support by email, PM, ICQ or whatever. Anyone annoying me that way will have his balls removed. With a rusty butterknife. Slowly. And I'll enjoy doing it.

uberfry
Xbox Hacker
*****
Posts: 862
« Reply #52 on: April 24, 2006, 07:44:06 AM »


Quote
> How to test this, step by step please? And in particular how to identify and insert the SS data to ISO backup?
>
> Thanks

you need an unlocked drive to read out the SS, but commodore4eva has included the SS for some popular games...
to insert the SS, you can find old tools that were meant for dreamcast isos which can be used

Arakon
Administrator
Xbox Hacker
*****
Posts: 6925
« Reply #53 on: April 24, 2006, 09:51:01 AM »

Well, looks like it's not gonna happen. My Samsung drive constantly resets after being unlocked (hooked up over an IDE->USB adapter), or just doesn't work at all (straight IDE, gets recognized as a cdrom in PC BIOS, not at all in Windows). My modified Hitachi (8163b) works at first, but after about 200 MB, it errors out with "unknown recorder error" in any ISO making app I tried. If anyone has any other ideas, let me know.

I'm using TS's unlocker, btw.

lynzoid
Hacker
***
Posts: 61
« Reply #54 on: April 24, 2006, 09:55:22 AM »

Trust me, it werks, telling you 3rd time.

616T drive I have, used Verbatim DL media (5$ a piece in Moscow's stores).

Injected provided SS to location specified using hex editor (messy but 'twas all I had).

Seamless boot.
Haven't tried to get other games working, firstly cos I hate Xb1 and don't have a lot of games, secondly - it's useless =) Will wait for 360..

elitedev
Master Hacker
****
Posts: 160
« Reply #55 on: April 24, 2006, 10:00:15 AM »

Also, I can confirm it works indeed! Great job mate! Any chance of a DVD5 version for all of us without DL burners?

burgemaster
Master Hacker
****
Posts: 100
« Reply #56 on: April 24, 2006, 10:05:47 AM »

Quote
> Also, I can confirm it works indeed! Great job mate! Any chance of a DVD5 version for all of us without DL burners?

How did you get it to work without owning a DL-DVD burner, mate?

lynzoid
Hacker
***
Posts: 61
« Reply #57 on: April 24, 2006, 10:50:32 AM »

Most peculiar indeed =)

Myself used trusty nec2510b with x.18 fware by TDB I think (got it from their site) but I don't think it matters.

TheSpecialist
Global Moderator
Xbox Hacker
*****
Posts: 782
« Reply #58 on: April 24, 2006, 10:54:17 AM »

Quote
> Most peculiar indeed =)
>
> Myself used trusty nec2510b with x.18 fware by TDB I think (got it from their site) but I don't think it matters.

If I find the time, I'll take a look at it this evening. Can you boot originals using this firmware?

nokaktsawa
Hacker
***
Posts: 60
« Reply #59 on: April 24, 2006, 11:00:48 AM »

@ TheSpecialist:

Security sector now read from PSN $fd021e (originals) AND PSN $f9fa00 (backups. This is the next sector after end of xbox game data.)