Project to dump the new BenQ drive - VAD6038

[brikro]

can i flash my benq or not?

[sentinel0]

There is no firmware for it also the only method of flashing is to desolder the chip and flash externaly some one please correct me I havn't been on in 24hrs

[LordX]

Thanks to a customer in Vancouver, them mailed me their "Elite" BenQ VAD6038 drive
and I will be dumping this drive ASAP, and suppling the retail firmware needed to the
needed parties.

More news later this week...

So... you get the drive or what ? 
Any news ?

[carranzafp]

I just received a retail 360 with BENQ drive.

At this moment I have done the following tests:

a) Reading the flash
b) Cloned the FW over an "Engineer Sample" BENQ Drive that I got from good friends several months ago
c) The Cloned Drive works fine on the console (console starts, game starts).

Sorry for not more testing, this was a very busy day with the hitachi release

[Cadillacs57]

man, just take your time and thanks for the work you are doing.
same for garyopa

[carranzafp]

I got a few minutes to lookup the key on the fw, it appears to be on offset 0xC020
but not time to test them yet.

Offset      0  1  2  3  4  5  6  7   8  9  A  B  C  D  E  F

0000C000   FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF   ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0000C010   FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF   ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0000C020   77 B5 84 36 AB 74 7G AF  61 B7 A1 1B 75 58 86 FD   .µ„#ªt{¯Q·¡.e\.ý
0000C030   FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF   ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0000C040   FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF   ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ
0000C050   FF FF FF FF FF FF FF FF  FF FF FF FF FF FF FF FF   ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

by the way, the keys are changed on purpose on the above sample 

More info tomorrow when I do more test

[carranzafp]

I am glad to confirm that the Keys are at offset 0xC020, at least on my dump (I have not received another dumps to test and compare).

I tested the keys with the following method:

a) I take a xtreme 5.3 fw file (based on samsung MS28)
b) Spoofed the FW as a VAD6038
c) put the "suspected" keys into that fw
d) Flashed the resulting fw on a spare Samsung drive
e) Attached the samsung drive to the console that cames with benq drive
f) Tested 360 game, original and its backup, both of them booting fine.

[Schtrom]

Nice work!
How do you read the flash? Do you use a programmer or any customized tool?

[jas0nuk]

Nice progress

[carranzafp]

I used an external programmer, none of the software tools I have read worked

[WAB]

carranza,


Which brand programmer did you use or have? Can you use SOIC clips on the Benq drive to prevent unsoldering and resoldering?

[Darmur]

I just received a retail 360 with BENQ drive.

At this moment I have done the following tests:

a) Reading the flash
b) Cloned the FW over an "Engineer Sample" BENQ Drive that I got from good friends several months ago
c) The Cloned Drive works fine on the console (console starts, game starts).

Sorry for not more testing, this was a very busy day with the hitachi release

do you tried to put VAD6038 firmware onto a old Philips VAD6037 ?

[garyopa]

do you tried to put VAD6038 firmware onto a old Philips VAD6037 ?

It would kill the drive. The VAD6037 is a Philips design, using a completely different chipset and flashrom.

The VAD6038 is more like the Toshiba/Samsung drive, same chipset, just a SPI serial rom instead.

[commodore4eva]

BenQ Status

Firmware almost complete, waiting for drive to test. Benq code has been written to make less obvious the important bits. (Didnt matter!)

Read SS/Decrypt SS
Challenge Response
PFI/DMI Stealth Media
Speed Control
Inquiry routine for Windows

All patched. Ready for testing. Now just the software flash/dump left to work out. More soon!

[Flash o Light]

wow good job guys!
I dont have a BenQ, just a 79, software flashing that will be cool!

[Noyze]

BenQ Status

Firmware almost complete, waiting for drive to test. Benq code has been written to make less obvious the important bits. (Didnt matter!)

Read SS/Decrypt SS
Challenge Response
PFI/DMI Stealth Media
Speed Control
Inquiry routine for Windows

All patched. Ready for testing. Now just the software flash/dump left to work out. More soon!

Good job man! I have an Elite BenQ drive and also a VIA 6124a sata chipset. If you would like me to do any software testing of the dump/flash let me know, I'll be glad to help.

[jumba]

Here is a correction and additions to MTKFLASH.TYP change the two first entries to:
0xBF  0x44  WRT_SERIAL 0x80000    0x1000  "SST(SST25VF040)(Serial)"
0x20  0x13  WRT_SERIAL 0x80000   0x10000  "ST(M25P40V6)(Serial)"
0xEF  0x11  WRT_SERIAL 0x40000    0x1000  "Winbond(25B20A)"
0x20  0x12  WRT_SERIAL 0x40000   0x10000  "ST(M25P20)(Serial)"
0x20  0x11  WRT_SERIAL 0x20000    0x1000  "ST(M25P10)(Serial"
With no flash fitted on the 943 MTKFLASH c cmd now comes back with the correct message.
MTKFLASH by Joseph Lin, MTK 1998 (Ver 1.83c)
please wait...
Drive Scaned:
1: NV nForce3 Pri Master
2: NV nForce3 Pri Slave
choose one drive:1
Port: 9f0, Master/Slave: a0

ManuId : 0    ManuId1 : 3    bDevId : 1   

ManuId : 0    ManuId1 : 3    bDevId : 2   

ERR:fail to identify the flash type!
Fitted 943 with an SPI and MTKFLASH gave the same screen as above.  Can confirm MTKFLASH behaves similar way to VAD when accessing DROM 6316 There must be  some H/W difference in Philips/Benq roms!

[grendel master]

Any updates on this situation? Are people still working on this?

[zillionare]

Any updates on this situation? Are people still working on this?

Any updates on this situation?  None from me (many other projects here) some not envolving the 360.

Are people still working on this? Yes (but just no public posts yet) people are working on it. this is a new drive, so new techniques are needed.

Only a matter of time!

peace,
zil

[glaze83]

I really hope garyopa hasn't made any progress because I sent him a benq 2 months back with the promise of a samsung sent back with my key... and..... no benq...

Gary man... whats goin on?