XboxHacker BBS
 
Author Topic: Cracked Samsung SDG-605B/616T/616F Firmware for Xbox 1 - V2  (Read 161393 times)
carranzafp
Master Hacker
****
Posts: 337


« Reply #380 on: April 27, 2006, 07:59:49 PM »

If you want to spin down the drive, you can use plscsi.

First do plscsi -w; this will list all your drives.

Select your drive, in my case:
set PLSCSI=\\.\F:  // @ SAMSUNG  DVD-ROM SD-616Q  F404

Now make a bat file, stop.bat or something, and put in

set PLSCSI=\\.\F:
plscsi -x "1B 0 0 0 00 0"

This will spin down the drive.

A quicker way (assuming you have installed DVDInfo Pro, which is the tool of choice here):

Open DVDInfo Pro and send the custom command 1B 00 00 00 (fill all other bytes with 00 also). The drive will stop. To start it again, just browse it with Windows Explorer.
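What the "1B" command actually is, as an added example that is not part of the post above: 0x1B is the SCSI START STOP UNIT opcode, and the fifth CDB byte carries the LOEJ (bit 1) and START (bit 0) flags, so a CDB of all zeros after the opcode means "stop" (spin down with the disc still loaded), 01 means "start", 02 means "eject". The Python below builds and decodes the six-byte CDB in the same hex form that plscsi -x and the DVDInfo Pro custom-command box take. It only constructs bytes and sends nothing to a drive; the flag layout is from the SPC/MMC standards, the function and constant names are this example's own.

```python
"""Build and decode the SCSI START STOP UNIT CDB (opcode 0x1B) that the post
sends with  plscsi -x "1B 0 0 0 00 0"  or as a DVDInfo Pro custom command.
Added example for this thread; it builds bytes only and talks to no drive."""

OPCODE_START_STOP_UNIT = 0x1B

# Meaning of the (LOEJ, START) flag pair in CDB byte 4, per SPC/MMC.
ACTIONS = {
    (False, False): "stop",    # spin down, keep the disc loaded  <- the post's command
    (False, True):  "start",   # spin up
    (True,  False): "eject",   # unload the tray
    (True,  True):  "load",    # load the tray and spin up
}


def build_start_stop_cdb(start: bool, load_eject: bool = False,
                         immed: bool = False) -> bytes:
    """Return the 6-byte CDB.  Byte 1 bit 0 is IMMED (return before the
    mechanical action finishes); byte 4 holds LOEJ/START; byte 5 is CONTROL."""
    byte4 = (int(load_eject) << 1) | int(start)
    return bytes([OPCODE_START_STOP_UNIT, int(immed), 0x00, 0x00, byte4, 0x00])


def parse_plscsi_hex(text: str) -> bytes:
    """Parse the space-separated hex string plscsi -x accepts, e.g. '1B 0 0 0 00 0'."""
    return bytes(int(tok, 16) for tok in text.split())


def to_plscsi_hex(cdb: bytes) -> str:
    """Format a CDB the way you would type it into plscsi -x or DVDInfo Pro."""
    return " ".join(f"{b:02X}" for b in cdb)


def decode_start_stop_cdb(cdb: bytes) -> dict:
    """Explain a START STOP UNIT CDB; refuses anything that is not one."""
    if len(cdb) != 6:
        raise ValueError("START STOP UNIT CDB must be 6 bytes")
    if cdb[0] != OPCODE_START_STOP_UNIT:
        raise ValueError(f"opcode {cdb[0]:#04x} is not START STOP UNIT (0x1B)")
    start = bool(cdb[4] & 0x01)
    load_eject = bool(cdb[4] & 0x02)
    power_condition = cdb[4] >> 4      # non-zero overrides START/LOEJ in newer SPC
    return {
        "immed": bool(cdb[1] & 0x01),
        "start": start,
        "load_eject": load_eject,
        "power_condition": power_condition,
        "action": ACTIONS[(load_eject, start)] if power_condition == 0 else "power-condition",
    }


if __name__ == "__main__":
    stop = parse_plscsi_hex("1B 0 0 0 00 0")
    print(to_plscsi_hex(stop), "->", decode_start_stop_cdb(stop)["action"])
    print(to_plscsi_hex(build_start_stop_cdb(start=True)), "-> spin up")
    print(to_plscsi_hex(build_start_stop_cdb(start=False, load_eject=True)), "-> eject")
```

Typing "1B 00 00 00 01 00" instead of the all-zero form spins the drive back up without going through Explorer; "1B 00 00 00 02 00" ejects the tray, which is the quickest way to tell you are talking to the right device before you start flashing anything.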
john
Hacker
***
Posts: 56


« Reply #381 on: April 27, 2006, 08:12:21 PM »

I've ripped the game and inserted the security sector, but can I edit the files on the image and repack it, per se? If so, what tools should I use? I would just use Qwix, but this is a RAW image and I don't know if that makes a difference.
carranzafp
Master Hacker
****
Posts: 337


« Reply #382 on: April 27, 2006, 08:33:42 PM »

Quote
I've ripped the game and inserted the security sector, but can I edit the files on the image and repack it, per se? If so, what tools should I use? I would just use Qwix, but this is a RAW image and I don't know if that makes a difference.

I think you must open a new thread for this, honestly... I don't want this to be possible, because there will be a lot of cheaters on Live; hopefully Live detects differences in files other than the .xbe to catch cheaters.
SniperKil
Hacker
***
Posts: 71


« Reply #383 on: April 27, 2006, 09:50:03 PM »

Quote
If you want to spin down the drive, you can use plscsi.

First do plscsi -w; this will list all your drives.

Select your drive, in my case:
set PLSCSI=\\.\F:  // @ SAMSUNG  DVD-ROM SD-616Q  F404

Now make a bat file, stop.bat or something, and put in

set PLSCSI=\\.\F:
plscsi -x "1B 0 0 0 00 0"

This will spin down the drive.

A quicker way (assuming you have installed DVDInfo Pro, which is the tool of choice here):

Open DVDInfo Pro and send the custom command 1B 00 00 00 (fill all other bytes with 00 also). The drive will stop. To start it again, just browse it with Windows Explorer.

Why does everyone try to reinvent the wheel, lol? Just hit the big stop and start button in wxripper.
carranzafp
Master Hacker
****
Posts: 337


« Reply #384 on: April 27, 2006, 09:55:31 PM »


Quote
Why does everyone try to reinvent the wheel, lol? Just hit the big stop and start button in wxripper.

You are right :D, but the problem is that it requires the ".net" $#!t, and it is very easy just to type "1B" in DVDInfo Pro.
Interloper
Master Hacker
****
Posts: 186


« Reply #385 on: April 27, 2006, 10:48:54 PM »

Flashing a Samsung drive in ATAPI mode with MTKwinflash, I got something I haven't seen in a while: a "blue screen of death" during flashing.
I was suspicious of having contracted a virus earlier today. Not sure whether accessing the drive for flashing, along with this "virus", triggered the blue screen, but I am assuming the drive is shot? The computer is trashed though; it dies at the bootloader (don't care to look into it now, it was probably the virus).
Now I'm on a new computer with a fresh/new 605B. It shows up as a Samsung in Device Manager, but querying from MTK doesn't find anything. IDE mode doesn't work either; I've tried all jumper and IDE combos.

Anyhow, not much testimony, although ripping Hitman 2 took about 15 minutes on my (external) drive. I got the green fog 'XboX' video when mounting it with Alcohol to verify (assuming that means success).

Cheers/thanks for the 1B stop drive command ;)
Interloper
Master Hacker
****
Posts: 186


« Reply #386 on: April 28, 2006, 12:25:07 AM »

If anyone else gets a blue screen of death during FW flash, please report.
Also, for what reason don't non-dual-layer drives work for ripping?
Report in, duder, report.
loon
Master Hacker
****
Posts: 200


« Reply #387 on: April 28, 2006, 12:28:40 AM »

Just followed Arakon's guide and found my 3 bytes. Does this sound right: FCFAA8 - F9FA00 = 300A8; 300A8 x 800 = 18054000?
Can anyone please help with this?
Arakon
Administrator
Xbox Hacker
*****
Posts: 6925


« Reply #388 on: April 28, 2006, 12:52:21 AM »

Quote
If anyone else gets a blue screen of death during FW flash, please report.
Also, for what reason don't non-dual-layer drives work for ripping?
Report in, duder, report.

There's no such thing as a non-DL reader.
You can try reflashing the drives in DOS using mtkflash instead of mtkwinflash.

Quote
Just followed Arakon's guide and found my 3 bytes. Does this sound right: FCFAA8 - F9FA00 = 300A8; 300A8 x 800 = 18054000?
Can anyone please help with this?

Sounds about right.
loon
Master Hacker
****
Posts: 200


« Reply #389 on: April 28, 2006, 01:19:33 AM »

Thanks for the reply Arakon, but I don't understand this part:

Quote
result (in this case 1567D000) is how far you have to go from the END of the raw dump to find the location of where to put the security sector. I use WinHex for that, in direct edit mode..

Where he has 1567D000 I have 18054000. What should I do with this? I am nearly there now; I have flashed the Xbox and just need the last few steps. Thanks again. Also, I used CloneCD to rip my Halo 2 and did it in about half an hour, and I also got the SS from my original Halo 2 and it is exactly the same as the one provided by commodore4eva.
« Last Edit: April 28, 2006, 01:26:45 AM by loon »
Arakon
Administrator
Xbox Hacker
*****
Posts: 6925


« Reply #390 on: April 28, 2006, 01:59:31 AM »

If it ripped in only 30 mins, there might be something wrong with the rip, but it's also possible that CloneCD skips the bad sectors better.
In WinHex, select "Goto" and enter your value (18054000), check the "end (back from)" checkbox, then click OK to make it jump to the right position. It should end up in blank or dummy data, somewhere in the last fourth of the file.
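The arithmetic from loon's post and Arakon's two checks above, as an added example in Python that is not part of the guide or the thread: the difference between the sector you found and the reference sector from the guide, times 0x800 bytes per sector, is the distance back from the END of the raw dump; the code does the same jump WinHex does with "Goto" plus "end (back from)", refuses to write unless the target block is uniform blank/dummy data, and reports whether the position lies in the last fourth of the file. It assumes the security sector is exactly one 2048-byte sector; the 16-sector "dump" in the demo is constructed for illustration.

```python
"""Locate and fill the security-sector slot in a raw Xbox dump by Arakon's
method: (sector found - reference sector) * 0x800 bytes, counted back from
the END of the dump.  Added example for this thread, not from the guide.
Assumes the SS is exactly one 2048-byte sector."""

SECTOR = 0x800


def ss_offset_from_end(reference_sector: int, found_sector: int) -> int:
    """loon's arithmetic: (0xFCFAA8 - 0xF9FA00) * 0x800 == 0x18054000."""
    if found_sector < reference_sector:
        raise ValueError("found sector lies before the reference sector; re-check the search")
    return (found_sector - reference_sector) * SECTOR


def ss_position(image_size: int, offset_from_end: int) -> int:
    """Absolute file offset, the same jump as WinHex Goto + 'end (back from)'."""
    if offset_from_end % SECTOR:
        raise ValueError("offset is not a whole number of 0x800-byte sectors")
    if offset_from_end > image_size:
        raise ValueError("offset is larger than the dump itself")
    return image_size - offset_from_end


def inspect_target(image, pos: int) -> dict:
    """Arakon's sanity checks on the block you are about to overwrite.
    Works on bytes or bytearray without copying the whole dump."""
    block = image[pos:pos + SECTOR]
    return {
        "full_sector": len(block) == SECTOR,
        "uniform_filler": len(block) == SECTOR and len(set(block)) == 1,  # blank / dummy data
        "in_last_fourth": pos >= (len(image) * 3) // 4,
    }


def insert_security_sector(image: bytearray, ss: bytes, offset_from_end: int,
                           force: bool = False) -> int:
    """Write the SS into the dump in place and return the offset it went to.
    Refuses unless the target is blank/dummy data, because landing on real
    game data means the sector numbers are wrong."""
    if len(ss) != SECTOR:
        raise ValueError("security sector must be exactly 0x800 bytes")
    pos = ss_position(len(image), offset_from_end)
    checks = inspect_target(image, pos)
    if not force and not (checks["full_sector"] and checks["uniform_filler"]):
        raise ValueError(f"target at {pos:#x} is not blank/dummy data; re-check your sectors")
    image[pos:pos + SECTOR] = ss
    return pos


if __name__ == "__main__":
    print(hex(ss_offset_from_end(0xF9FA00, 0xFCFAA8)))          # loon's 0x18054000
    # Constructed stand-in for a raw dump: 12 sectors of data, then 4 of zero filler.
    dump = bytearray(b"\xAA" * (12 * SECTOR) + b"\x00" * (4 * SECTOR))
    where = insert_security_sector(dump, b"S" * SECTOR, 2 * SECTOR)
    print(hex(where), inspect_target(dump, where))
```

On a real dump open the file with a memory map or read only the target block rather than loading several gigabytes into a bytearray; the checks themselves are unchanged.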
Interloper
Master Hacker
****
Posts: 186


« Reply #391 on: April 28, 2006, 02:13:56 AM »

Quote
If it ripped in only 30 mins, there might be something wrong with the rip, but it's also possible that CloneCD skips the bad sectors better.

I've been trying different DVD-ROMs, all of which produce different results.
One worked fine (15 mins for Hitman 2), one didn't work at all (laptop :rolleyes:), one has been stuck at 0% for about 20 mins now.
When you've completed the image copy, does mounting it and letting Windows autoplay the XBOX video with green fog verify that the image is complete? What other method is there, since there aren't checksums to compare to? I ask because I'm in a bind and can't flash a drive with the appropriate FW and rip DVDs just to compare with other people's rips.
Arakon
Administrator
Xbox Hacker
*****
Posts: 6925


« Reply #392 on: April 28, 2006, 02:41:43 AM »

http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=707.new#new

Please use this thread from now on for discussions related to the tutorial, so it doesn't clutter up the thread. This thread should mostly be used to discuss the technical aspects of the hack.

@Interloper: it's a good indicator at least that the first part of the data is good, of course there could still be issues later in the rip (i.e. read errors etc).
Geremia
Xbox Hacker
*****
Posts: 600


« Reply #393 on: April 28, 2006, 06:55:09 AM »

Just for notice, the first FW by commodore4eva doesn't seem fully fake: it really reads the SS from flash, it unlocks the drive using tsunlocker, and xiso 1.1.5 can browse the game partition on my backup disc, using the embedded SS and also after changing it to my SS.
Anyway, it doesn't unlock in the Xbox console. I don't know exactly what challenge type tsunlocker uses; anyway, I tried powering the console on/off many times to let all the challenge types come out, but every time it failed.
TheSpecialist
Global Moderator
Xbox Hacker
*****
Posts: 782


« Reply #394 on: April 28, 2006, 07:26:59 AM »

Quote
Just for notice, the first FW by commodore4eva doesn't seem fully fake: it really reads the SS from flash, it unlocks the drive using tsunlocker, and xiso 1.1.5 can browse the game partition on my backup disc, using the embedded SS and also after changing it to my SS.
Anyway, it doesn't unlock in the Xbox console. I don't know exactly what challenge type tsunlocker uses; anyway, I tried powering the console on/off many times to let all the challenge types come out, but every time it failed.

I'm guessing he didn't INTEND to release a non-working firmware (as I first thought :) ). I think the FW actually did work for him, for a specific game he tested it on. You see, for XBOX 1, sometimes the SS is linked to the XBE (at least known to be true for ALL 'second generation' Xbox 1 games). So, I'm guessing that this FW actually DOES work (since you're saying that the unlocker works correctly with it), but only for 1 game, due to the SS/XBE linking..
Geremia
Xbox Hacker
*****
Posts: 600


« Reply #395 on: April 28, 2006, 07:55:44 AM »

Quote
So, I'm guessing that this FW actually DOES work (since you're saying that the unlocker works correctly with it), but only for 1 game, due to the SS/XBE linking..

On the EvolutionX dashboard it says the disc is a Video and not a Game, but the EvolutionX dashboard doesn't start up the XBE on the disc, so where is the difference between your unlocker procedure and the console procedure, XBE excluded?
When I insert the disc, the drive spends some time reading somewhere and retries a few times before giving up, so it is not retrying the read of a possibly corrupted SS (because it's in flash); it tries to read somewhere else on the disc, maybe the SP?
I have no knowledge of the code flow in the FW, so I can only guess:
Are we sure the security placeholders on Xbox 1 are ignored at all? Don't challenge types 1 and 3 of Xbox 1 look for data inside the SP like the 360 does?
What kind of challenge type does your unlocker use?

I know I should study some asm to answer myself, but it's too far out of my work :)
TheSpecialist
Global Moderator
Xbox Hacker
*****
Posts: 782


« Reply #396 on: April 28, 2006, 08:19:06 AM »

Quote
I have no knowledge of the code flow in the FW, so I can only guess:
Are we sure the security placeholders on Xbox 1 are ignored at all? Don't challenge types 1 and 3 of Xbox 1 look for data inside the SP like the 360 does?
What kind of challenge type does your unlocker use?

The Xbox kernel I studied only uses 1 type of challenge, the type that requests responses from the table. The unlocker does the same. The only part where my unlocker differs from that Xbox 1 kernel is that the Xbox 1 kernel verifies the signature of the SS.

BTW, you can verify the 'non usage' of the SPs by zeroing them out before burning them to disc.

What I did: rip all game files via FTP, create an SL ISO with them, burn the ISO to an SL disc and play. Everything worked like a charm, meaning there were only files on the disc and no security data at all (only the SS that I saved to FW).

But of course, I learned that I must be a bit prudent about what I say, hehe, so I can't rule out the possibility that you have a newer kernel that actually DOES check the SPs.. :)
« Last Edit: April 28, 2006, 08:31:17 AM by TheSpecialist »
Dzgx216
Master Hacker
****
Posts: 171


« Reply #397 on: April 28, 2006, 10:42:45 AM »

Which kernel version were you studying? Maybe we can get a range of different kernel versions from different users of the board, and see what we come up with after zeroing out the SPs. This would give us an idea of when/how they started using the SPs in the first place (if they ever did on Xb1).

All this Xb1 hacking is tickling me. I keep looking at my old Thomson drive and it appears to have a large, bright red bullseye on it. Must focus on 3120 though; TGM can come later. :)
TheSpecialist
Global Moderator
Xbox Hacker
*****
Posts: 782


« Reply #398 on: April 28, 2006, 11:44:21 AM »

Quote
Which kernel version were you studying? Maybe we can get a range of different kernel versions from different users of the board, and see what we come up with after zeroing out the SPs. This would give us an idea of when/how they started using the SPs in the first place (if they ever did on Xb1).

All this Xb1 hacking is tickling me. I keep looking at my old Thomson drive and it appears to have a large, bright red bullseye on it. Must focus on 3120 though; TGM can come later. :)

Don't have it at hand currently, will check later for you. Anyway, about zeroing out the placeholders, I think the easiest way to do this is: don't rip the placeholders at all. How? Well, you must keep in mind that the XBOX is going to use the DVD layer descriptor from the SS once the drive is unlocked. So, what you do:
1. FTP to your Xbox, rip all files (this way you won't rip any security data and/or the video partition, only game files)
2. Create an ISO with these files (make sure your ISO creation software doesn't autopatch the XBE)
3. Insert $30600 'filler' bytes at byte 0 of the ISO => this is the difference between the 'locked' and 'unlocked' first byte of the disc
4. Insert a block of 'filler' bytes after the last byte of the ISO. This block should be AT LEAST as big as the ISO including these $30600 bytes. This will make sure that the game data will be burned to layer 0 and the 'filler' data to layer 1. Keep in mind that the ISO should not become bigger than your DVD DL capacity ;)
5. Insert the SS

Your burner software will divide the ISO into 2 equally big parts and burn each part to a layer. If you didn't insert the big block of filler bytes after the last byte of the ISO, you have a problem, because the Xbox uses the breakpoint from the DVD layer descriptor in the SS. That's why you have to insert that block: to make sure that all game data is on layer 0, which avoids all problems with the breakpoint.

Of course, this method will only work if the game data fits on a single layer (but this is usually the case).
« Last Edit: April 28, 2006, 12:32:26 PM by TheSpecialist »
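Steps 3 and 4 of the procedure above as arithmetic you can check before burning, written as an added example for this thread (not TheSpecialist's tool or any project's code): leading filler, the ISO, then trailing filler at least as large as everything before it, so that a burner splitting the image into two equal halves puts the layer break at or after the last game byte; the plan also refuses images that exceed the disc. Two assumptions are this example's own: the DVD+R DL capacity constant, and the unit of the $30600 delta. The post says bytes, but 0x30600 is not a whole number of 2048-byte sectors, while 0x30600 sectors (0x18300000 bytes) is where the game partition normally begins on an Xbox disc, so the code defaults to sectors and takes head_len as a parameter for anyone who wants to follow the post literally. Step 5, placing the SS, is left to the reader's guide.

```python
"""Plan the single-layer-game-on-DL-disc layout from steps 3 and 4 of the post:
head filler, the ISO, then tail filler big enough that an equal layer split
leaves all game data on layer 0.  Added example for this thread; the capacity
constant and the 'sectors' unit for the delta are this example's assumptions."""

SECTOR = 0x800
GAME_PARTITION_DELTA = 0x30600          # value from the post (locked vs unlocked first byte)
DVD_PLUS_R_DL_CAPACITY = 8_547_991_552  # assumed: nominal DVD+R DL size in bytes


def sector_align(n: int) -> int:
    """Round a byte length up to a whole number of 2048-byte sectors."""
    return (n + SECTOR - 1) // SECTOR * SECTOR


def plan_dl_layout(iso_len: int,
                   head_len: int = GAME_PARTITION_DELTA * SECTOR,
                   capacity: int = DVD_PLUS_R_DL_CAPACITY) -> dict:
    """Return byte offsets for the head filler, the ISO, the tail filler and the
    layer break.  head_len defaults to 0x30600 sectors; pass 0x30600 to read the
    post's delta as bytes instead."""
    body_len = sector_align(head_len + iso_len)
    tail_len = body_len                    # step 4: at least as large as what precedes it
    total = body_len + tail_len
    if total > capacity:
        raise ValueError(f"{total} bytes exceeds disc capacity of {capacity} bytes; "
                         "the game data does not fit on one layer")
    layer_break = total // 2               # equal split by the burner, as the post assumes
    return {
        "iso_start": head_len,
        "iso_end": head_len + iso_len,
        "body": body_len,
        "tail": tail_len,
        "total": total,
        "layer_break": layer_break,
        "game_on_layer0": head_len + iso_len <= layer_break,
    }


def build_dl_image_bytes(iso: bytes, plan: dict) -> bytes:
    """Materialise the image in memory (fine for tests, not for a 4 GB game)."""
    return (b"\x00" * plan["iso_start"] + iso
            + b"\x00" * (plan["total"] - plan["iso_end"]))


def write_dl_image(path: str, iso: bytes, plan: dict) -> None:
    """Write the image to disk, letting the filesystem store the zero filler sparsely."""
    with open(path, "wb") as fh:
        fh.seek(plan["iso_start"])
        fh.write(iso)
        fh.truncate(plan["total"])


if __name__ == "__main__":
    plan = plan_dl_layout(3_000_000_000)   # a 3 GB game ISO
    for key, value in plan.items():
        print(f"{key:>15}: {value if isinstance(value, bool) else hex(value)}")
```

With the default sector reading, a 3 GB ISO becomes a 6.8 GB image whose layer break sits exactly at the end of the sector-aligned body, so every game byte is on layer 0; a 4.5 GB ISO raises, which is the post's "only works if the game data fits on a single layer" caveat made explicit.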
uberfry
Xbox Hacker
*****
Posts: 862



« Reply #399 on: April 28, 2006, 11:51:21 AM »

Quote
should be ok then, can only imagine that something went wrong during flashing then. have you tried reflashing it with mtkflash (using a boot floppy/CD, not mtkwinflash)?

Tried it...
The BIOS hangs for some time, then continues.
I then booted from diskette and tried flashing; it says it can't open the file.

Then I rebooted and tried booting Windows, but it hangs...

Then I removed the drive again...
Any more ideas? :X