Project to dump the new BenQ drive - VAD6038

[rossmichael]

OK this is really wierd

 2 - Benq VAD6030-64930C

dumped and both dumps are quite different,
I thought maybe a bad eeprom read so I re-dumped.

Results are the same as the first dump, both drives same firmware is offset and quite different.
I have a feeling serial eeprom  read on same drive maybe offset at random.
same drives same firmare version and data,key,ID can be anywhere.

Someones playing "funny buggers"

Garryopa are you there would you like a look at these or maybe its old news

[lasonnette]

Can all those who managed to dump their firmware send me a pm with their firmware please? Trying to figure out where my own key is...

[rossmichael]

>FF00 to >FF30 on identical drives is different.
Seems the key may be anywhere in the dump 

[MODFREAKz]

ok people!!!

there is a way how to dump and flash the SPI rom on VAD6038 drive!!!

its very easy like in samsung drive (resistor trick), on benq drive you have to cut one wire (3,3V power supply only for SPI) and solder a switch. thats all!
The drive should go into recovery mode if none flash present.

we have no VAD6038 drive, all tests was done on our PC sata drive with original benq firmware (see other topic).
But we are very sure it will also work on retail drive yet.
to read and write the SPI you need the DosFlash tool. MTKflash doesn`t work!! Special thanks to Schtrom!!
note: you have to erase the chip befor flashing, otherwise you will get an error.
http://www.xboxhacker.net/index.php?topic=8334.0

also thanks to Tiros, TheSpecialist, uberfry and TheXone

original state
 


reading SPI flash (wire cut trick)
 


writing SPI flash after erasing (wire cut trick)
 


btw. if some one could scan both sides of the logicboard without SPI chip, than we could make a diagram.

[Ellex80]

The drive should go into recovery mode if none flash present.

do i understand right ?

if the flash is present ->no recovery mode -> no firmware reading ?

how do you receive the key if you have to erase the flash before reading ?

can you explain me please ?

[MODFREAKz]

The drive should go into recovery mode if none flash present.

do i understand right ?
if the flash is present ->no recovery mode -> no firmware reading ?
how do you receive the key if you have to erase the flash before reading ?
can you explain me please ?

you have to erase befor writing/flashing!!!!!! not reading

if the flash chip is present the drive reads the firmware and activate FirmGuard
so if the flash is emply or not installed the drive goes into recovery mode.

[safety]

hm..  maybe somekind of rolling code?

[Ellex80]

oh that`s nice .
i will try this method next weekend.

[Dater]

ok people!!!

there is a way how to dump and flash the SPI rom on VAD6038 drive!!!

its very easy like in samsung drive (resistor trick), on benq drive you have to cut one wire (3,3V power supply only for SPI) and solder a switch. thats all!
The drive should go into recovery mode if none flash present.

Until now I didn't dare to add any messages to this thread. I didn't want to disturb the masters at work

But I just have to tell THANK YOU for everyone who is working hard on flashing the BENQ drives!

T H A N K   Y O U ! ! 

I got my refurbished Xbox360 back this week. It has the new cooler (i guess you all saw the photos) but sadly with a BENQ drive... I just pray there will be a working firmware soon...

Have a nice day ^^

[MODFREAKz]

there are always three pins whitch are directly connected to 3,3V (VCC pin 8, /HOLD pin 7 and /WP pin 3)
you have to find it and cut this 3,3V wire(s) which only belongs to the SPI flash.
here is also the app with dosflash.typ modification: DosFlash v1.0



that is only an example!!! here we show you that you have to do if you can not wait for the final diagram.

[glaze83]

Could we not try using a via card and dos flash---turning it on as we hit enter on dos flash, turning off the 360, selecting the port, and then turning on the 360 when its waiting.

Isn't this the same concept as flashing the ms28?

I don't have a benq to test, but thought I'd just throw that out there

[Iriez]

Could we not try using a via card and dos flash---turning it on as we hit enter on dos flash, turning off the 360, selecting the port, and then turning on the 360 when its waiting.

Isn't this the same concept as flashing the ms28?

I don't have a benq to test, but thought I'd just throw that out there

Such methods were tried and tested long ago.

TM - Very very nice! commodore4eva has had ixtreme done on benq for a little while now, I think he was just waiting on obtaining a actual drive to test on. This is fantastic news.

[MODFREAKz]

thanks for the retail Benq drive pictures caster420 and radsy.
poor quality but I think thats enough!

howto:
1. cut that wire (3,3V power supply for SPI) and solder a simple switch (or use wires) to the blue and red locations. Set the switch to “Off.”
2. Power on your PC and boot from USB-Stick or floppy disc.
3. Connect the SATA cable to the drive.
4. Type "dosflash" to use the auto mode.
5. Now power on your Xbox360 (VCC switch is still in “Off” position).
6. Then one second later quickly flip the VCC switch to “On”, and hit the enter key on your keyboard.
7. Select the drive and type the file name.
8. It should dump your original firmware now!!

same way to write the firmware back!!


             

[caster420]

TMF,

I cut that trace and created two pads for soldering the leads to my switch.  I checked for continuity between the two pads, which there was none (trace properly cut).  I installed my switch and attempted to dump.  It didnt work.  I then check the voltage going through my switch when at either position.  One side had 3.3V (a good closed connection) and the other had 2.7V when open.  The flash is still geting 2.7V and is still functioning properly.  I completely removed my switch and wires, booted, checked legs 3,7, and 8, still 2.7V.  Bridged the pads and it went back to 3.3V.  So, it must have another source.

I have to go to work but will do more testing tonight.

Caster.

[Tiros]

The device is powering itself up thru input protection diodes. Not a good thing.
Try the same thing using pin #1 instead. The wiring is a little different:

Do not cut 3.3 volt trace. Only cut the pin #1 trace.
Wire pin #1 to switch it between 3.3 volts for recovery mode or its original source for normal operation.
It may be harder to do but its electrically safer.

[lasonnette]

has anyone considered pulling CS# high?

[caster420]

The device is powering itself up thru input protection diodes. Not a good thing.
Try the same thing using pin #1 instead. The wiring is a little different:

Do not cut 3.3 volt trace. Only cut the pin #1 trace.
Wire pin #1 to switch it between 3.3 volts for recovery mode or its original source for normal operation.
It may be harder to do but its electrically safer.

Pin 1 is already operating at 3.3v.

Caster.

[MODFREAKz]

got my one benq drive today!! 

now I can confirm that both Vcc cut trick and Tiros pin #1 trick are working fine!!


firmware 64930C (July 2007) is very new and not supported by maximus ToolBox
the key is stored @E030

now there are three dumps with different key offsets
@B040
@C020
@E030


thats all, go sleep now!

[NEO_X]

this is nice

[NeoBrain]

Is there any tutorial on how to dump the firmware and get the right key out of it, that i can spoof my hitachi or samsung to be a benq ?

@Team MODREAKZ
My drive is from June 2007 firmware 64930C
If you could tell me how to dump ... I could send you my dump then ...Would you be able to tell me the key then


I WANT TO START MY XBOX ELITE