Cracked Samsung SDG-605B/616T/616F Firmware for Xbox 1 - V2

[Arakon]

should be ok then, can only imagine that something went wrong during flashing then. have you tried reflashing it with mtkflash (using a boot floppy/CD, not mtkwinflash)?

tried it...
bios hangs for some time, then continues
i then booted from diskette, and tried flashing...says it can't open the file

then i rebooted, tried booting windows, but it hangs...

then i removed the drive again...
any more idea? :X

if it said it can't find the file, you had an error in your syntax, not with the drive.
the correct syntax is mtkflash x W /b /m sdg605.bin
x being the location on the IDE port, i.e. 1 is primary master, 2 secondary master, etc.

[uberfry]

ahhhhhhh now it's working
thanks alot

[loon]

if it ripped in only 30 mins, there might be something wrong with the rip.. but it's also possible that clonecd skips the bad sectors better.
in winhex, select "goto" and enter your value (18054000) and check the "end (back from) checkbox, then click ok to make it jump to the right position. it should end up in blank or dummy data, somewhere in the last fourth of the file.

it plays fine in daemon tools, so does that mean it successfull?

[TheSpecialist]

http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=707.new#new

Please use this thread from now on for discussions related to the tutorial, so it doesn't clutter up the thread. This thread should mostly be used to discuss the technical aspects of the hack.

[TheSpecialist]

I was just looking at his hack again, and there is something 'odd' at least. If you look at his patch location (FDa0), then my IDA disassembles this as follows:

code:0000FDA0 code_FDA0:                              ; CODE XREF: code:00008FFDj
code:0000FDA0                 cjne    R7, #0xD1, code_FDAF ; '-'
code:0000FDA3                 mov     R7, #0xFF
code:0000FDA5                 mov     R6, #0x42 ; 'B'
code:0000FDA7                 mov     R5, #0x66 ; 'f'
code:0000FDA9                 lcall   code_A7BF
code:0000FDAC                 ljmp    code_9000
code:0000FDAF ; ---------------------------------------------------------------------------
code:0000FDAF
code:0000FDAF code_FDAF:                              ; CODE XREF: code:code_FDA0j
code:0000FDAF                 mov     R0, #0x94 ; 'ö'
code:0000FDB1                 lcall   code_1F55
code:0000FDB4                 nop
code:0000FDB5                 mov     R1, A
code:0000FDB6                 mov     R2, A
code:0000FDB7                 nop

However, at FDB4 starts the adress of the relocated SS (as confirmed by Geremia, this is indeed the SS pointer), but this seems part of the program code ! How is this possible ? Does my IDA make a mistake here ?

[darkfly]

Now I am by no means an assembly expert but I think this is similar to what happens in the 360 T/S Firmware as well, the PSN just happens to be 2 opcodes that gets translated by the assembler but the code is never run through, just used as values read from the flash.

He is jumping back to 1F55 @ FDB1, so those instructions FDB4 - FDB7 never get 'executed' and are just read off as values somewhere else?

[uberfry]

i know this might be off-topic, but i don't want to start a new thread either...
now that the modded sd616 works, it has a small problem...
i put in a disc, and it tries to spin, but no luck
then i opened it up and figured that the spindle is too low, so i push it up
then i put in a disc again, then it reads fine
but then i eject, and it goes back, but doesn't go to that height again and i have to push it by hand again...
anyone got a solution?

[TheSpecialist]

Now I am by no means an assembly expert but I think this is similar to what happens in the 360 T/S Firmware as well, the PSN just happens to be 2 opcodes that gets translated by the assembler but the code is never run through, just used as values read from the flash.

He is jumping back to 1F55 @ FDB1, so those instructions FDB4 - FDB7 never get 'executed' and are just read off as values somewhere else?

FDB1 is not a jump, but a call and a call should always be returned (in other words, execution should continue after the call). Something that I'm now thinking of is that he is obfuscating his own hack, but even then, there should be a pointer to FDB4 and I don't see one .. So, it seems that IDA is messing up somehow !?!?!

*EDIT* aah, wait, it of course is possible that a call DOESN'T return, all you have to do is pop the return adress from the stack
*EDIT 2* Lol, first instruction of 1F55 is a POP

Ok, so that is cleared up. Next thing: where is the pointer to FDB4 ? Going to look into that now ...
*EDIT 3* Duhhh In 1F55 he is moving the code memory after the original call (containing the pointer to the new SS)

[Arakon]

i know this might be off-topic, but i don't want to start a new thread either...
now that the modded sd616 works, it has a small problem...
i put in a disc, and it tries to spin, but no luck
then i opened it up and figured that the spindle is too low, so i push it up
then i put in a disc again, then it reads fine
but then i eject, and it goes back, but doesn't go to that height again and i have to push it by hand again...
anyone got a solution?

your drive needs some extra modification of the plastic part in front to make it detect properly when the laser unit is fully up.

http://pirate.sparkhost.com/~arakon/samsung/

[uberfry]

what do you mean?
the problem is that the laser unit doesn't come up entirely, i have to push it by hand
you think cutting + resoldering the trace will do the job?

[Arakon]

what do you mean?
the problem is that the laser unit doesn't come up entirely, i have to push it by hand
you think cutting + resoldering the trace will do the job?

I am talking about the white plastic part, see the link in my post above.

[TheSpecialist]

Ok, it indeed is pretty easy after all, hehe: 1F55 moves the location of the SS (to mem at R0). That SS location is in the 4 bytes after the original caller (so in the original Fimware, that is location 8F79 and indeed, if you look at that location with a hex editor, you'll see 00 FD 02 10 It's not even Commodore who is obfuscating the hack, but the samsung coder used the same routine I don't think it creates very 'clean' code, using a call as a jump, but of course it works

[Dzgx216]

Ok, it indeed is pretty easy after all, hehe: 1F55 moves the location of the SS (to mem at R0). That SS location is in the 4 bytes after the original caller (so in the original Fimware, that is location 8F79 and indeed, if you look at that location with a hex editor, you'll see 00 FD 02 10 It's not even Commodore who is obfuscating the hack, but the samsung coder used the same routine I don't think it creates very 'clean' code, using a call as a jump, but of course it works

  Thanks for clearing that up.  Every time I stared at that disassembly my jaw dropped and I began to drool.  Nice one TS!!!

[TheSpecialist]

  Thanks for clearing that up.  Every time I stared at that disassembly my jaw dropped and I began to drool.  Nice one TS!!!

Hehe, I had the same, even after Geremia confirmed the hack to be working, I still couldn't believe it But's all in that damn call that should be a jmp But we're not there, next thing is to find out what technique commodore used to kill the CPR_MAI. Most obvious seems that he rescrambled the SS, but why are there only 7F bytes different then ? That is the next thing to find out But I'm out for a beer first, will look at this tomorrow

[Interloper]

i can't get the samsung to boot as IDE master.. only slave
what would the syntax be for that?

@Uber, you did get it recognised on Master???

SCRATCH THAT

NERO makes a fine CD boot disk.. No problems this time around in DOS

[BlueCop]

The drives always want to be slave.
I think this is because they are slaves in the xbox itself. the harddrive being master.

my samsung has always set itself up as slave. it works on my ide-usb adapter though normally i have to set things to master for them to work on it.

[uberfry]

i can't get the samsung to boot as IDE master.. only slave
what would the syntax be for that?

@Uber, you did get it recognised on Master???

SCRATCH THAT

NERO makes a fine CD boot disk.. No problems this time around in DOS

can you read any disc after flashing?
because my sd 616 needs some cutting :X

[Interloper]

After reflashing with sdg605b, i put dvdrom back into my hardmodded xbox.. (waiting for friend to bring back my softmod so i may put orig HD and Bios back in) still says fw ver is x010
I put AUF in and it played. when i eject i get the "dirty disk error" instead of falling back to my dashboard.
Still don't have DL dvds yet, but have ripped a few titles. it'll be hours before i fully test on Live, maybe days

Edit: All originals still work
Edit: I tried the drive that the flashing failed on and get SuperFros error 7.. it claims that error 7 is a HDD problem.. Guess he was wrong

[carranzafp]

A little bit offtopic but I have posted a little app here:

http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=708.0

[Arakon]

actually the bad flash may be blocking communication to the HDD (timeout), causing error 7.

I'd appreciate if you'd move this discussion to the other thread to keep this one to tech talk.