XboxHacker BBS
 
Author Topic: Commodore4eva's Xbox1 DVDROM hack discussion  (Read 72054 times)
Master-Chief
Member
Posts: 33
« Reply #140 on: May 07, 2006, 07:44:49 PM »

Ok, I decided to give this hack a try. I tried all the way up to the hex calculation in Arakon's Tutorial (much props to you man!) and then let Carranza's SS Patcher do the rest. Arakon, that picture that you have of the WinHex... is that BEFORE or AFTER you hex-edited it? It looks just like the one I dumped from my Halo 2 disc. Is Carranza's program supposed to modify the .bin file we dump from our disc? Also, it took about 8 hours to get up to 71% and then 10 minutes later CloneCD said it was done. The disc doesn't play the video in my computer and it gets detected by the Xbox, but the Xbox tells me to insert a valid disc. I'll try another burn overnight because I really feel that I did everything right, but that the burner just crapped out on me. It could have been buffer issues considering the computer was being used heavily through the burn. If anyone has any suggestions, let me know on AIM at bombzhome. Thanks!
stonersmurf
Hackers
Master Hacker
Posts: 163
« Reply #141 on: May 07, 2006, 08:00:46 PM »

Try this method: http://www.xboxhacker.net/index.php?option=com_smf&Itemid=33&topic=707.msg7290#msg7290
It's way faster and easier.
Master-Chief
Member
Posts: 33
« Reply #142 on: May 07, 2006, 09:19:26 PM »

I understand it's faster and easier, but does anyone understand why my burner just crapped out? I'm burning another copy... overnight, so nobody uses the computer to mess with the buffer. Hopefully, it will work!
stonersmurf
Hackers
Master Hacker
Posts: 163
« Reply #143 on: May 07, 2006, 09:44:06 PM »

I understand it's faster and easier, but does anyone understand why my burner just crapped out? I'm burning another copy... overnight, so nobody uses the computer to mess with the buffer. Hopefully, it will work!
Mount the image with Daemon Tools or Alcohol 120%; if it plays the video then you know it was your burner...
xxnoobiexx
Newbie
Posts: 8
« Reply #144 on: May 07, 2006, 10:41:06 PM »

Quick question: so far I have been able to make some really nice coasters and wonder what I'm doing wrong. I have followed everyone's instructions so far. I'm using two different 605B drives, one with v2 Commodore's firmware, one with factory firmware. I have made several rips and my final rip goes like this. I rip the video file with the drive locked, then unlock the drive so that Windows sees all sectors, then rip game.iso. I then rip the ss.bin file using the 1.2 program, and I've ripped ss.bin with DVDInfoPro using Arakon's instructions and compared those ss.bin files in WinHex and they are the same. Now I've built my final ISO using prog 1.2 and BlueCop's method with the .bat file edited to make sure it was compiling the right files, and still no boot. I have checked the ISOs with a program and the folder structure is there, so I know my ISO is correct; I just think I'm having a problem with my ss.bin file. BTW, I'm backing up Halo 2 NTSC original. Now my question is: when ripping or creating the ss.bin file, does it matter if your Samsung drive is locked or unlocked, original or 1.2 firmware? Because when I do various rips with both drives locked and unlocked, the data changes some in the ss.bin files when I open them in the hex editor and compare.
Textbook
Member
Posts: 46
Future Hacker
« Reply #145 on: May 07, 2006, 11:02:17 PM »

Glad somebody started a non-technical discussion on the firmware hack.  Thanks to everybody for helping all of us out here.  Alright, here we go...

1.  Flashed the firmware to my 605B fine, it was really easy to find the firmware and flash it.
2.  Tried hotswapping with the eject hole and finally realized my drive detects the emergency eject and it won't happen.
3.  Found out bluecop got the unlock method to work for him, so I figured I would try that.
4.  I used my 605B (with original and hacked firmware), a 605A, and my friend's 605A.  All drives are unlocking fine, but I'm getting the sector read errors at 2% and the dumps are finishing under an hour.  This is all really weird, as I was told by somebody else (who got it to work) that his errors were at 7% and that the dump took 2-3 hrs.
5.  Nevertheless, I went forward with it anyways, hoping it would work.

Attempt 1
Flashed my 605B with the SS firmware and dumped the SS.  Sent that to my friend, he confirmed the SS was correct.  Used Arakon's ISObuilder batch file to make the ISO and burned using CloneCD.  Xbox said disc not recognized.  Switched to modded and it showed no files.

Attempt 2
Decided to try using the swap method.  This time, I took the drive apart and would take off the lid and swap the discs.  Did that, used Carranza's SS Patcher to patch the SS to the raw image, burned with CloneCD.  Again, same thing.  Xbox said disc not recognized.  Switched to modded and it showed no files.

I ask my friend to throw his backup in while his box is in modded mode and browse with a file manager.  He says he can see the game and video files fine.  So then I'm thinking it is the bitsetting.  I check on here and it tells me to throw my discs back into my computer and check using DVDInfoPro.  Sure enough, both are +R DL.

Attempt 3
Try changing my bitsetting to DVD-ROM in DVD Decrypter and burning the .dvd file in DVD Decrypter instead of CloneCD.  Burn fails halfway through and I get an I/O error.

Attempt 4
Burn the "concatenated" image using my friend's laptop.  Check it in DVDInfoPro and it shows up as DVD-ROM.  So I throw it in my Xbox and it's another coaster.  Disc not recognized, no files when browsed.  Must be my dump is bad.

Attempt 5
Burn the hotswapped image using my friend's laptop.  Throw it in my Xbox and it starts playing the Video which tells me to put the disc in the Xbox.  Check in modded and it shows the VIDEO_TS, but that's it, no game files.

Actually, there were a few more attempts in there, I just can't remember what I did differently.  So far I have made 8 coasters of these crazy expensive double layer discs.  I've only got 2 left, so I'm hoping you guys can guide me along so I can get one of these discs booting.  First, I have a couple of questions:

1.  Why are my dumps using the unlock method incorrect?  They are erroring out at 2% and completing within an hour, never seeming to freeze up or get another sector read error again.  It seems like it's just filling out the rest of the image with dummy data.  My friend said his was erroring out at 7% and took 2-3 hours to finish.  Can anybody tell me where they got an error while using the unlock method?  Whether I used a standard 605B, the hacked firmware 605B, or a 605A, all the dumps were the same.

2.  I have a Memorex DVD+/- DLRWL1F16 drive.  It is based on the Lite-On SOHW-1633S.  I have updated the firmware to the latest version, BWSE.  This is supposed to allow bitsetting so I'm not sure why CloneCD didn't set it to DVD-ROM automatically.  I really don't want to have to rely on my friend's laptop, so do you guys think using the Lite-On Bitsetter will work?

3.  Anybody know why my hotswapped image burned the VIDEO_TS folder just fine but left out the game data?  I used SniperKil's instructions and it worked for him.  What I did was place in my Sin City dvd, and then start playing it, then stopped it.  Open up WXRipper, hit Hotswap>Stop Drive.  Took off the lid, swapped my game with Halo 2, then hit Hotswap>Spin Drive.  Loaded up IsoBuster and extracted the image.  Anybody have any ideas why it only ripped the video part?

4.  Is there any way to check and make sure my ISO will work before I burn it?  Wasting these DL discs isn't too much fun.  I think I remember somebody telling me to open up the game.iso in xISO and it should play the video.  But even then, I still don't know if I'm ripping the game data right.

So yeah, 8 coasters sucks, so I'm hoping you guys can help me out with my last two tries.  I don't see what I'm doing wrong.  I think the bitsetting/booktype was a big problem, but I'm not sure why the discs didn't work when set to DVD-ROM.
xxnoobiexx
Newbie
Posts: 8
« Reply #146 on: May 08, 2006, 01:52:24 AM »

Easy mistake on my part. Wasn't using the correct firmware when ripping ss.bin.  Fixed that and it works perfectly now. Thanks to everyone who helped and thanks to the really smart people who figured all of this out. Wow.
Master-Chief
Member
Posts: 33
« Reply #147 on: May 08, 2006, 07:06:53 PM »

For some reason, after I patched the image.000 file, when I mount the image now it detects all 7.67 GB on the disc and doesn't play any Xbox video.
Textbook
Member
Posts: 46
Future Hacker
« Reply #148 on: May 09, 2006, 01:06:55 PM »

Anybody have any idea why I can't seem to make these ISOs?  I'm following all the instructions correctly.  In fact, if I open the ISO in wx360, I can see all the game files; I extracted a map from Halo 2, FTP'd it over to my modded Xbox, and the map played fine.  So, it's definitely backing up the game data.  This was for both the hotswapped ISO and the concatenated ISO.  Both images contained the game data.  So I patch them with the SS and burn it as DVD-ROM booktype, but only the VIDEO_TS is showing up on the disc, and therefore only the video is playing.  Just wondering if anybody else had a problem with burning the game data.  I have confirmed with somebody else, it sounds like I'm doing everything right, the SS is correct (confirmed), and the file sizes are correct.  I just don't understand why the game data can be seen by wx360 but isn't detected on any of the discs I'm wasting.
Arakon
Administrator
Xbox Hacker
Posts: 6925
« Reply #149 on: May 09, 2006, 02:58:14 PM »

Are you absolutely sure your SS is valid?
Your Halo 2 could have a different SS than the one included in the archive, and also, make sure you actually use the SS dumper FW to read it, and the hacked game firmware to play it.
BlueCop
Master Hacker
Posts: 316
"When the going gets weird, the weird turn pro."
« Reply #150 on: May 10, 2006, 02:31:09 AM »

I have been looking at the Xbox 1 Samsung firmware and I think I might know how it sets the layer to read from.

I think the value of external memory location 803D determines which layer it reads from. If we set this to 0 then it will read from layer 0, or 1 to read from layer 1.

I am not sure if this is correct but if someone wants to try it, you would need to insert code in fdaf to write 0 to 803d and patch the PSN at offset fdb4 from 00f9fa00 to a PSN in layer 0.

I would try this myself but I fried my Samsung drive when a power sparked when I was plugging it into a live power supply by accident.  I was just looking at his patches in hopes it would help me understand my TS-H943A.

write 0 to external memory 803d
Code:
mov dptr,#X803d
clr a
movx @dptr,a

write 1 to external memory 803d
Code:
mov dptr,#X803d
mov a,#1
movx @dptr,a

If this is wrong please enlighten me on how the layer to read from is set.

If someone wants to hook me up with any broken or working 605b then PM me. I would like to try to bring mine back to life. Maybe I will just get a new one but most places way overcharge for them.
Textbook
Member
Posts: 46
Future Hacker
« Reply #151 on: May 10, 2006, 02:59:46 AM »

Are you absolutely sure your SS is valid?
Your Halo 2 could have a different SS than the one included in the archive, and also, make sure you actually use the SS dumper FW to read it, and the hacked game firmware to play it.


Finally!  Now...to admit some faults, and point out some information. Hopefully it will help other people.

I burned 10 discs before I got the pleasure of seeing a backup of Halo 2 booting on a retail kernel.

The very first problem I had was I was burning my discs without bitsetting or changing the book type.  I had updated my DVD burner's firmware to the latest setting, which was supposed to auto-bitset DVD+R DLs to DVD-ROM.  Unfortunately, this wasn't happening.  I figured this out after putting my media back into the computer and using DVDInfoPro to check the book type.  Sure enough, half of my discs were burned as DVD+R.  This is unreadable by the Samsung Xbox drive and therefore, I wasted many hours and $10 worth of DVDs (I got them on sale!).  For anybody looking to do this hack, here is what I recommend.  First, upgrade your DVD burner's firmware to the latest version.  Then, check and see if your drive allows bitsetting or changing the book type.  Some drives will set the book type automatically, while others need a special bitsetting utility.  My drive was a LITE-ON, so I used the LITE-ON Bitsetting Utility.  Other tools include Nero CD-DVD Speed and DVD Decrypter or ImgBurn.  One way or another, you will need your discs to be burned in DVD-ROM book type or you will be making some expensive coasters.

So, at this point, half of my 10-pack of discs are trash.  Now that I realized that my drive's firmware isn't setting the book type automatically like it should, I downloaded the LITE-ON Bitsetting Utility and Nero CD-DVD Speed so that I could set it myself.  I had already wasted half of my stack and really didn't want to make any more coasters; I wanted these next ones to work just so I could have a couple discs left over.  By this time, I have created a hotswapped image as well as a concatenated image.  Dumped my own ss.bin using the SS dumping firmware (available at the usual place).  Sent the ss.bin to somebody who had already had success with the hack, and he confirmed it to be correct.  And...here's a good check for anybody who doesn't like to waste discs.  First, if it's a hotswapped image, rename your .tao to a .iso image and mount it with Daemon Tools.  Open up your favorite media player and it should play a 13 second video of the Xbox logo and at the end it tells you to put the disc in the Xbox.  The same check can only be performed on concatenated images if you used Bluecop's original method by dumping the video file and combining it with the game data.  The best check of all can be performed on both hotswapped images and concatenated images.  Rename your IMAGE.000 file to a .iso image and open it up with wx360.  What you should see is the game files from the original disc.  An even better check is to extract a file, FTP it over to a modded Xbox and play something that uses that file (a map in Halo for example).  So this is what I did.  Everything is looking good, I'm seeing the video with my hotswapped image and game data with both images, even extracted a map and played it fine.  So here I go, burning once again.  This time, I burn 3 discs.  One using the concatenated image on my friend's laptop, then one of each image on my computer.  Booktypes were all good, so I give it a shot.  None of them worked, and I posted back here.
I trashed the discs earlier today, before I came back to XBH to check this topic.  Arakon was right.  It wasn't the SS, I dumped that myself with the correct firmware.

I HAD FORGOTTEN TO FLASH MY DRIVE!

See, I had flashed my drive with the hacked firmware earlier, but then decided to flash it back to normal to create my concatenated image.  I just figured it would be best to use the original firmware to dump the game data with.  Only problem is I forgot to flash the drive back with the hacked firmware.  Doh!  Man, do I feel like an idiot.  Even worse, I just trashed a few discs that probably worked just fine.

So here we go again, last two discs, my computer, 1 hotswapped, 1 concatenated.  Flashed the firmware back to the hacked, rebooted, and flashed it again just to make sure (probably not recommended, firmware flashing can be dangerous).  So I burn these images and try to boot them.  The last of my DVDs, the final chance to have this hack running.  Both fail to boot, but in a very interesting manner.  Each disc is being detected as an Xbox disc, because it's going to the Xbox logo screen with the Microsoft splash logo at the bottom, but they seem frozen there for 5 minutes before telling me the disc is unrecognizable.  During this 5 minutes, the laser moves from the inner region of the disc to the outer region of the disc.  It's trying to boot from one of these regions, and keeps switching, but never boots.  So I switch to modded and load up a file manager.  Both discs nearly lock up my entire Xbox, background music for Avalaunch just stops, and my screen is stuck for a short while.  Finally, the file manager opens and the disc's contents reveal the game files.  Same story for both discs.  So I switch back to unmodded and figure I'll keep trying to boot these discs, because it looks like it's close.  Hotswap...no, Concatenated....no, Hotswap....no, Concatenated...no, Hotswap...no.  The laser is still acting funny, so I decide to record it with my digital camera to see what you guys think of it.  Throw in my disc, try to boot, laser is still acting weird, but whoa!  It booted!  The same exact disc I just tried 4 times in a row less than five minutes ago.  Didn't clean the disc or anything.  So, my concatenated disc booted up to Halo 2.  I log in to Halo, then run out of my room down the hallway telling everybody in my dorm I got the firmware hack working.  They all know I have been working on this for over a week and have wasted many discs on it.  When I come back, the Halo 2 video is playing and lagging really bad.  Like skipping and locking up.
So there you have it...the reason why my final set of discs were not working.  Bad media.  I tried playing, and everything was messed up, the game kept locking up in menus.  So...what about my hotswapped image?  I put that one in, and started messing with the disc as it's spinning.  I used a marker to touch the disc and move it down a little bit and the laser must have caught something, because it showed the Loading 0% screen of Halo 2.  It never got past this screen, but at least at that point I knew the image was correct, and that the disc was just not being read at all.

If anybody wants to know....

Computer's DVD Writer:

Memorex DVD+/- DLRWL1F16 based on the Lite-On SOHW-1633S
Firmware is latest revision (BWSE)
Bitsetting/Book type set to DVD-ROM using LITE-ON Bitsetting Utility, Nero CD-DVD Speed, and ImgBurn
Discs burned using CloneCD 5.2.8.1

Media:

Verbatim 2.4x 8.5GB DVD+R DL

Yeah, I know, it is a long post, but after everything that I have gone through, I needed to document it.  Maybe somebody gets something out of this, prevents a problem that I had, saves a disc or two.  I would just like to say thanks to everybody because right now the list of names who helped me get this working is too long.  I would ask that people share what media worked for them, as I now need some more discs!  I may write up a tutorial myself for this hack, and if I do, I will try to make it as clear as possible, with an FAQ and everything.  Right now, I have to get to bed, it's been a long journey getting this thing finally working.
« Last Edit: May 10, 2006, 03:05:40 AM by Textbook »

Textbook
Member
Posts: 46
Future Hacker
« Reply #152 on: May 10, 2006, 03:07:25 AM »

@Bluecop, keep going at it with that single-layer hack, because that would be amazing.   I can buy 4 DVDs for the price of 1 double layer.

Interloper
Master Hacker
Posts: 186
I'm with stupid ^
« Reply #153 on: May 10, 2006, 03:40:48 AM »

Uh, more like 12 DVDs for the price of one DL.

But who's counting?

BTW, Textbook is a good name for you.
« Last Edit: May 10, 2006, 03:58:33 AM by Interloper »
blakcat
Member
Posts: 10
« Reply #154 on: May 10, 2006, 07:22:51 AM »

Hi, this is my first post here.
I'm from Spain and I've read about the Xbox 1 hacked firmware and I decided to try it.
Like others I'm trying the concatenated method and fail to boot. I followed the instructions step by step:
-flashed my 605b with 605b0800.bin to read my own ss.bin
-reflashed my 605b with commodore4eva's firmware.
-using the Samsung and my PC I read the DVD ISO with IsoBuster. Renamed the dvd.tao to dvd.iso (deleted dvd.cue)
-unlocked my Samsung with tsunlocker and read the track01.tao with IsoBuster and renamed it to game.iso (deleted track01.cue), 7 GB approx.
-now I try the ISObuilder pack, SSPatcher soft, hex edit... to make image000.iso
-all seems to be OK. Game starts at 18300000h and SS is just after game.iso
-burned ISOs with CloneCD 5.2.8.1, using image.dvd included in ISObuilder or generated by SSPatcher.
-the burned DVDR DL is not recognized: PC DVDInfo gives a "no medium" message, and the Xbox a "not recognized disc" message
I don't understand what happens, no errors in the process, well, only one: in SSPatcher when I make the concatenated ISO it says something like "the game.iso seems to be smaller ...." I don't remember exactly, and I go on.

Any help? Perhaps my hardware?
I used an LG DVD burner and Ritek DVDR DL discs.

One more thing to say: I have 2 Samsung 605b and one 605f. With the 605f I use the SSPatcher soft with no problem, but when I use both 605b with any firmware the minidvdinfo option hangs my PC, but the original DVDInfo works well. Any idea?
« Last Edit: May 10, 2006, 07:24:51 AM by blakcat »
blakcat
Member
Posts: 10
« Reply #155 on: May 10, 2006, 07:27:35 AM »

Now I will try the hotswap method.
blakcat
Member
Posts: 10
« Reply #156 on: May 10, 2006, 09:52:19 AM »

I have been looking at the Xbox 1 Samsung firmware and I think I might know how it sets the layer to read from.

I think the value of external memory location 803D determines which layer it reads from. If we set this to 0 then it will read from layer 0, or 1 to read from layer 1.

I am not sure if this is correct but if someone wants to try it, you would need to insert code in fdaf to write 0 to 803d and patch the PSN at offset fdb4 from 00f9fa00 to a PSN in layer 0.

I would try this myself but I fried my Samsung drive when a power sparked when I was plugging it into a live power supply by accident.  I was just looking at his patches in hopes it would help me understand my TS-H943A.

write 0 to external memory 803d
Code:
mov dptr,#X803d
clr a
movx @dptr,a

write 1 to external memory 803d
Code:
mov dptr,#X803d
mov a,#1
movx @dptr,a

If this is wrong please enlighten me on how the layer to read from is set.

If someone wants to hook me up with any broken or working 605b then PM me. I would like to try to bring mine back to life. Maybe I will just get a new one but most places way overcharge for them.

BlueCop, I'd like to test not only this modification. My intention is to disassemble the firmware to know how commo makes the hack. Testing ss.bin in layer0 is a good first step. I have all necessary but I'm blocked with the ISO. First I need a correct raw ISO, then I'll try modifying the bin.
jeff_rae
Newbie
Posts: 1
« Reply #157 on: May 10, 2006, 06:29:26 PM »

I have read all the forums but have been unable to find a commented listing of the Samsung firmware used in this Hack. It would be a great head start for others if some one could post.
Original or patched would be great

This has been a very interesting journey with help of many but a listing or two may allow some shortcuts

Keep up the great work

Jeff
BlueCop
Master Hacker
Posts: 316
"When the going gets weird, the weird turn pro."
« Reply #158 on: May 10, 2006, 07:35:44 PM »

I don't think anyone has publicly posted a commented firmware. I was comparing the original vs the patched.

I used dis52 on the original and the patched firmware. You can easily use dis52 to get the complete disasm. I am just posting the differences.

O= Orginal Firmware
P = Patched Firmware
Code:
7C40: E54B > 7414
O
mov a,4bh ; 7c40   e5 4b
P
mov a,#14h ; 7c40   74 14

 7C43:  E54C > 747E
O
mov a,4ch ; 7c43   e5 4c
P
mov a,#7eh ; 7c43   74 7e
I think these patches are for the checksum of bank 0 commodore4eva mentioned
Code:
8F61: 029007 > 000000
O
ljmp X9007 ; 8f61   02 90 07
P
nop ; 8f61   00 00 00

 8F6B: 029007 > 000000
O
ljmp X9007 ; 8f6b   02 90 07
P
nop ; 8f6b   00 00 00

 8FFD: BFD107 > 02FDA0
O
cjne r7,#0d1h,X9007 ; 8ffd   bf d1 07
P
ljmp Xfda0 ; 8ffd   02 fd a0

 9018: 703D > 0000
O
jnz X9057 ; 9018   70 3d
P
nop ; 9018   00 00

 9024: 7031 > 0000
O
jnz X9057 ; 9024   70 31
P
nop ; 9024   00 00       

 9030: 7025 > 0000
O
jnz X9057 ; 9030   70 25
P
nop ; 9030   00 00       

 9039: BFAC1B > 000000
O
cjne r7,#0ach,X9057 ; 9039   bf ac 1b
P
nop ; 9039   00 00 00

 9043: BF5611 > 000000
O
cjne r7,#56h,X9057 ; 9043   bf 56 11
P
nop ; 9043   00 00 00

 904D: BFE207 > 000000
O
cjne r7,#0e2h,X9057 ; 904d   bf e2 07
P
nop ; 904d   00 00 00

 9067: F0 > 00
O
movx @dptr,a ; 9067   f0
P
nop ; 9067   00

 C24E: 904088740C > 12FE090000
O
mov dptr,#X4088 ; c24e   90 40 88
mov a,#0ch ; c251   74 0c
P
lcall Xfe09 ; c24e   12 fe 09
nop ; c251   00 00

 C26D: 904088740D > 12FE1D0000
O
mov dptr,#X4088 ; c26d   90 40 88
mov a,#0dh ; c270   74 0d
P
lcall Xfe1d ; c26d   12 fe 1d
nop ; c270   00 00 

 C7D0: 904088740D > 12FE1D0000
O
mov dptr,#X4088 ; c7d0   90 40 88
mov a,#0dh ; c7d3   74 0d
P
lcall Xfe1d ; c7d0   12 fe 1d
nop ; c7d3   00 00

 D26E: 904088740D > 12FE1D0000
O
mov dptr,#X4088 ; d26e   90 40 88
mov a,#0dh ; d271   74 0d
P
lcall Xfe1d ; d26e   12 fe 1d
nop ; d271   00 00
 
 D3E3: 904088740C > 12FE090000
O
mov dptr,#X4088 ; d3e3   90 40 88
mov a,#0ch ; d3e6   74 0c
P
lcall Xfe09 ; d3e3   12 fe 09
nop ; d3e6   00 00

 D41C: 904088740D > 12FE1D0000
O
mov dptr,#X4088 ; d41c   90 40 88
mov a,#0dh ; d41f   74 0d
P
lcall Xfe1d ; d41c   12 fe 1d
nop ; d41f   00 00
These are the rest of the overwritten patches. Lots of NOPing =)

Code:
FDA0: inserted code(overwrites 00s)

Xfda0: cjne r7,#0d1h,Xfdaf ; fda0   bf d1 0c   ?Q.
mov r7,#0ffh ; fda3   7f ff      ..
mov r6,#42h ; fda5   7e 42      ~B
mov r5,#66h ; fda7   7d 66      }f
lcall Xa7bf ; fda9   12 a7 bf   .'?
ljmp X9000 ; fdac   02 90 00   ...
;
Xfdaf: mov r0,#94h ; fdaf   78 94      x.
lcall X1f55 ; fdb1   12 1f 55   Reads 00f9fa00 into 94-97? then jumps to fdb8
; fdb4:   00f9fa00 <- PSN to read SS from
mov dptr,#X8080 ; fdb8   90 80 80   ...
movx a,@dptr ; fdbb   e0         `
orl a,#2 ; fdbc   44 02      D.
movx @dptr,a ; fdbe   f0         p
clr a ; fdbf   e4         d
mov dptr,#X801f ; fdc0   90 80 1f   ...
movx @dptr,a ; fdc3   f0         p
Xfdc4: setb 2ch.5 ; fdc4   d2 65      Re
lcall Xd3b4 ; fdc6   12 d3 b4   .S4
jc Xfdd7 ; fdc9   40 0c      @.
mov dptr,#X801f ; fdcb   90 80 1f   ...
movx a,@dptr ; fdce   e0         `
inc a ; fdcf   04         .
movx @dptr,a ; fdd0   f0         p
xrl a,#7fh ; fdd1   64 7f      d.
jz Xfdd7 ; fdd3   60 02      `.
sjmp Xfdc4 ; fdd5   80 ed      .m
;
Xfdd7: mov dptr,#X8080 ; fdd7   90 80 80   ...
movx a,@dptr ; fdda   e0         `
anl a,#0fdh ; fddb   54 fd      T}
movx @dptr,a ; fddd   f0         p
mov r7,#0 ; fdde   7f 00      ..
mov r6,#2ah ; fde0   7e 2a      ~*
mov r5,#0 ; fde2   7d 00      }.
lcall Xaacc ; fde4   12 aa cc   .*L
mov r7,#0 ; fde7   7f 00      ..
mov r6,#2ah ; fde9   7e 2a      ~*
lcall Xa801 ; fdeb   12 a8 01   .(.
cjne r7,#0d1h,Xfdfd ; fdee   bf d1 0c   ?Q.
mov r7,#0ffh ; fdf1   7f ff      ..
mov r6,#42h ; fdf3   7e 42      ~B
mov r5,#77h ; fdf5   7d 77      }w
lcall Xa7bf ; fdf7   12 a7 bf   .'?
ljmp X9000 ; fdfa   02 90 00   ...
;
Xfdfd: mov r7,#0ffh ; fdfd   7f ff      ..
mov r6,#42h ; fdff   7e 42      ~B
mov r5,#0 ; fe01   7d 00      }.
lcall Xa7bf ; fe03   12 a7 bf   .'?
ljmp X9007 ; fe06   02 90 07   ...

Xfe09: mov r7,#0ffh ; fe09   7f ff      ..
mov r6,#42h ; fe0b   7e 42      ~B
lcall Xa801 ; fe0d   12 a8 01   .(.
mov dptr,#X4088 ; fe10   90 40 88   .@.
mov a,r7 ; fe13   ef         o
xrl a,#77h ; fe14   64 77      dw
jz Xfe1b ; fe16   60 03      `.
mov a,#0ch ; fe18   74 0c      t.
ret ; fe1a   22         "
;
Xfe1b: clr a ; fe1b   e4         d
ret ; fe1c   22         "

Xfe1d: mov r7,#0ffh ; fe1d   7f ff      ..
mov r6,#42h ; fe1f   7e 42      ~B
lcall Xa801 ; fe21   12 a8 01   .(.
mov dptr,#X4088 ; fe24   90 40 88   .@.
mov a,r7 ; fe27   ef         o
xrl a,#77h ; fe28   64 77      dw
jz Xfe2f ; fe2a   60 03      `.
mov a,#0dh ; fe2c   74 0d      t.
ret ; fe2e   22         "
;
Xfe2f: mov a,#1 ; fe2f   74 01      t.
ret ; fe31   22         "
This is the bulk of the new code.

If someone wants to start a publicly commented disasm that would be great. I would try to contribute if I am capable.

I think the calls to Xa801 will read external memory location r6 + r7 and return that value in r7. Calls to Xa7bf will write r5 to memory location r6 + r7. When I say r6 + r7 I don't mean adding the values together; I mean the 2 bytes combined into a 2-byte address.

jeff_rae: I am not sure if this is what you were looking for but thought I would post it. If you start by comparing the disasm of the patched firmware with the original you can see the function of the patches.

Don't assume the accuracy of what I am posting. I could easily be wrong because I am just an amateur.
« Last Edit: May 10, 2006, 07:44:35 PM by BlueCop »
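The original-versus-patched comparison in the post above was done by hand from two dis52 listings. The script below is an added example, not code from the thread, from BlueCop or from dis52: it diffs two same-sized firmware images byte by byte, reports every run of changed bytes in the same "OFFSET: ORIGINAL > PATCHED" form as the listing, and tags each run by the 8051 opcode the patch left at its start (0x00 NOP, 0x02 LJMP, 0x12 LCALL). The two images it compares are constructed inside the script and reuse only a few byte sequences quoted in the post; they are not a real Samsung firmware dump. The same diff against a known-good image is also the quickest way to tell whether a drive's firmware has been modified at all.

```python
# Added example: byte-level diff of two firmware images with 8051-aware labels.
# Not from the thread, BlueCop or dis52; sample images are constructed below.

NOP, LJMP, LCALL = 0x00, 0x02, 0x12   # 8051 opcodes seen in the patch listing


def diff_runs(original, patched, merge_gap=0):
    """Return (offset, original_bytes, patched_bytes) for each contiguous run
    of differing bytes. Differences separated by at most `merge_gap`
    unchanged bytes are merged, so a patched multi-byte instruction that
    happens to keep one byte still reports as a single entry."""
    original, patched = bytes(original), bytes(patched)
    if len(original) != len(patched):
        raise ValueError("images differ in size; compare like-for-like dumps")
    runs = []
    start = last = None
    for i, (o, p) in enumerate(zip(original, patched)):
        if o == p:
            continue
        if start is not None and i - last - 1 > merge_gap:
            runs.append((start, original[start:last + 1], patched[start:last + 1]))
            start = None
        if start is None:
            start = i
        last = i
    if start is not None:
        runs.append((start, original[start:last + 1], patched[start:last + 1]))
    return runs


def classify(original_bytes, patched_bytes):
    """Rough label for a run, based on the opcode byte the patch left behind."""
    if all(b == NOP for b in patched_bytes):
        return "nop fill"                    # instruction(s) removed
    if all(b == NOP for b in original_bytes):
        return "code added in zero padding"  # new routine placed in unused space
    if patched_bytes[0] == LJMP:
        return "ljmp redirect"               # control flow sent to new code
    if patched_bytes[0] == LCALL:
        return "lcall hook"                  # call inserted into a routine
    return "other"


def format_run(offset, original_bytes, patched_bytes):
    """Render a run like the hand-made listing: '8FFD: BFD107 > 02FDA0'."""
    return f"{offset:04X}: {original_bytes.hex().upper()} > {patched_bytes.hex().upper()}"


def report(original, patched):
    """One line per changed run, with its classification appended."""
    return [f"{format_run(*run)}  ; {classify(run[1], run[2])}"
            for run in diff_runs(original, patched)]


def build_samples():
    """Constructed 64 KiB images (NOT real firmware): a deterministic filler
    pattern plus three regions set up to mirror differences quoted above."""
    base = bytearray(bytes(range(256)) * 256)
    base[0x8FFD:0x9000] = bytes.fromhex("bfd107")   # cjne r7,#0d1h,X9007
    base[0x9018:0x901A] = bytes.fromhex("703d")     # jnz X9057
    base[0xFDA0:0xFE40] = bytes(0xA0)               # zero padding at end of bank
    original = bytes(base)
    patched = bytearray(base)
    patched[0x8FFD:0x9000] = bytes.fromhex("02fda0")  # -> ljmp Xfda0
    patched[0x9018:0x901A] = bytes.fromhex("0000")    # -> nop nop
    patched[0xFDA0:0xFDA3] = bytes.fromhex("bfd10c")  # first inserted instruction
    return original, bytes(patched)


if __name__ == "__main__":
    orig_img, patched_img = build_samples()
    for line in report(orig_img, patched_img):
        print(line)
```

Run it against two real dumps by replacing `build_samples()` with `open(path, "rb").read()` for each image; set `merge_gap` to 1 or 2 when a patch keeps an operand byte and you want the whole instruction reported as one run.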
john
Hacker
Posts: 56
« Reply #159 on: May 10, 2006, 08:50:25 PM »

I have 3 coasters now. I'm trying to make the disc to work with the modified firmware.  My procedure is as follows.  FTP in and grab files off of the Halo 2 disc, insert 30600 filler bytes at byte 0 of the ISO that I made with Qwix (as instructed by the Specialist), insert filler bytes at the end of the ISO to equal the size of the big DVD I'm using and have the .dvd file for, insert SS using Security Sector Patcher v2, burn with CloneCD.  I can't figure out why this isn't working!!!  This seems the ideal way to create the disc and the Specialist told me that this would work earlier.  Please help me or tell me what I'm doing wrong.