uberfry
« Reply #200 on: May 14, 2006, 12:02:05 PM »

bluecop: do you know by any chance whether the eprom is read into memory on start up of the drive or not? if it isn't it'd be great because i'm building an eprom emulator...

BlueCop
« Reply #201 on: May 14, 2006, 12:03:55 PM »

no it isn't. the 8052 can't execute from ram. you might want to look at http://www.8052.com/tutmemor.phtml
I would love to attempt to build a romulator or eprom emulator. I am not skilled enough to design one so i searched for some schematics and found a few but nothing that did 39SF020. if you get it working please share your design.

« Last Edit: May 14, 2006, 12:12:19 PM by BlueCop »

probutus
« Reply #202 on: May 14, 2006, 12:16:29 PM »

bluecop: that's a great idea;
in the last few days I was searching the internet for a patched dvd-drive firmware which does not care about the real data zone size but has hardcoded values instead, but tough luck...
Just a summary of my most recent thoughts (about the hitachi drive):
- the hitachi drive stores the security sector in a specific ram address after a disc is inserted (so we could probably dump it with seventhson's tools)
- the last time I thought about bypassing the unlocking mechanism I was told to poke "1" into 0x070E (the partition selection byte). the problem was that if a disc was in the drive we could not execute code to patch that byte, but in the meantime it is possible.
so, if this method works we should have 1) the security sector and 2) access to the video and the game partition.
The very big advantage of your method with the samsung drive is that we can modify a stock samsung drive, connect it to the pc and read out the game data (so that we do not need to open the 360 for grabbing the game discs...)
Please correct me if I am wrong...

uberfry
« Reply #203 on: May 14, 2006, 12:18:02 PM »

there is nothing hard about it. all you have to do is read the 39SF010/20 datasheet and see where the data, address, xCE, xWE, xOE are, then using a few d-latches make a shift-register (the parallel port can only provide 8 bits; using a shift register you can use 2 of those outputs to control the sram). the only probably difficult part would be to make it fit on the pcb :/ i'm making the pcb design right now, i will post it later in the evening

Rooney
« Reply #204 on: May 14, 2006, 02:48:19 PM »

Does anyone know if you get banned from xbox live using this hack?

uberfry
« Reply #205 on: May 14, 2006, 03:08:10 PM »

rooney: not sure, but it shouldn't get you banned
bluecop: do you have any 128kB/1Mbit sram pieces lying around? so i can fit the design to your needs

xt5
« Reply #206 on: May 14, 2006, 03:36:40 PM »

probutus: i was thinking about that myself. i am going to attempt to patch the code that reads the Physical Format Information from PSN 02F200 to replace the data zone allocation information with hardcoded values large enough to encompass the entire real data zone. this way i think we could just use WxRipper with the disc inserted like it was a hotswapped disc but without hotswapping. WxRipper automatically detects and skips the bad sectors so this would make ripping really quick. I need to find out where it stores these values below when reading the sector and write the hardcoded values to those memory locations.

quote from http://www.ecma-international.org/publications/files/ECMA-ST/Ecma-267.pdf
Bytes 4 to 15 - Data Zone allocation
Byte 4 shall be set to (00).
Bytes 5 to 7 shall be set to (030000) to specify the Sector Number 196 608 of the first Physical Sector of the Data Zone.
Byte 8 shall be set to (00).
Bytes 9 to 11 shall specify the Sector Number of the last Physical Sector of the Data Zone.
Byte 12 shall be set to (00).
Bytes 13 to 15 shall be set to (00) on SL disks and DL disks in PTP mode, and to the Sector Number of the last Physical Sector of Layer 0 on DL disks in OTP mode.

Physical Format Information is in fact, as the ECMA doc says, duplicated in sectors:
02f200 02f210 02f220 ... 02f2d0 02f2e0 02f2f0 ... ... ... 02fDF0
Manufacturer Information is duplicated in sectors:
02f201 02f211 02f221 ... 02f2d1 02f2e1 02f2f1 ... ... ... 02fDF1
CSS disc keys seem to be in these, but I don't have any CSS scrambled disc here to confirm that:
02f202 02f212 02f222 ... 02f2d2 02f2e2 02f2f2 ... ... ... 02fDF2

a very easy idea to hack a drive would be to search for 02fXX0 in the firm (where XX is between 20h and DFh) and replace that with FD021E. some drives pad MSBs with 0xFF for layer 1 PSNs, and some need to specify the layer somehow to read it, but I think patching that would be the easiest way to mod any DVD reader to read XBOX(360) DVDs.

talking about Physical Format Information: anybody know how the hell it is possible to partially rewrite a sector, like when you change the BOOK TYPE? changing some bytes will also change the EDC, the PI/PO, and the EFM entirely. I can't imagine how that can be done. I'm waiting for a GSA-H20L (a writer with the MN103 chipset) to arrive in Chile to look at that.
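The ECMA-267 bytes 4 to 15 quoted in the post above, and the list of Control Data Zone sector numbers it gives, are small enough to work through in code. The following Python is an added example written for this edit, not code from xt5 or from any drive tool named in the thread. It builds a constructed PFI sector with only the Data Zone allocation fields populated, decodes them, rejects layouts the quoted rules forbid (non-zero reserved bytes, a first PSN other than 030000, a Layer 0 end outside the zone), and maps any PSN in the 02F200 to 02FDF0 range back to its copy index and sector type. The sample sector numbers 0x2605BF, 0x1F2FFF and 0xFCFFFF are constructed for illustration, and the 192-copy count is simply the length of the list the post gives (02F200 to 02FDF0 in steps of 10h).

```python
"""Decode the ECMA-267 Physical Format Information (PFI) fields quoted in the thread.

Added example, not code from the thread or from any drive tool it mentions.
Sample sector numbers used below are constructed for illustration.
"""
from dataclasses import dataclass

CONTROL_DATA_FIRST_PSN = 0x02F200   # first PSN of the Control Data Zone, per the post
SECTORS_PER_ECC_BLOCK = 16          # copies are spaced 10h sectors apart (02F200, 02F210, ...)
CONTROL_DATA_COPIES = 192           # 02F200 .. 02FDF0 in steps of 10h is 192 entries
DATA_ZONE_FIRST_PSN = 0x030000      # bytes 5-7 "shall be set to (030000)" = sector 196 608
SECTOR_KINDS = {0: "PFI", 1: "Manufacturer", 2: "CSS (per the post, unconfirmed)"}


@dataclass(frozen=True)
class DataZoneAllocation:
    first_psn: int         # bytes 5-7
    last_psn: int          # bytes 9-11
    layer0_last_psn: int   # bytes 13-15, 0 on SL discs and DL discs in PTP mode


def _be24(buf: bytes, off: int) -> int:
    return int.from_bytes(buf[off:off + 3], "big")


def parse_data_zone_allocation(pfi: bytes) -> DataZoneAllocation:
    """Decode bytes 4-15 of a PFI sector and reject layouts the quoted rules forbid."""
    if len(pfi) < 16:
        raise ValueError("PFI sector too short")
    for off in (4, 8, 12):                       # bytes 4, 8 and 12 "shall be set to (00)"
        if pfi[off] != 0x00:
            raise ValueError(f"byte {off} must be 00, got {pfi[off]:02X}")
    alloc = DataZoneAllocation(_be24(pfi, 5), _be24(pfi, 9), _be24(pfi, 13))
    if alloc.first_psn != DATA_ZONE_FIRST_PSN:
        raise ValueError(f"first Data Zone PSN must be 030000, got {alloc.first_psn:06X}")
    if alloc.last_psn < alloc.first_psn:
        raise ValueError("last Data Zone PSN precedes the first")
    if alloc.layer0_last_psn and not (alloc.first_psn <= alloc.layer0_last_psn <= alloc.last_psn):
        raise ValueError("Layer 0 end PSN lies outside the Data Zone")
    return alloc


def is_valid_pfi(pfi: bytes) -> bool:
    """True when the Data Zone allocation bytes obey the quoted ECMA-267 rules."""
    try:
        parse_data_zone_allocation(pfi)
        return True
    except ValueError:
        return False


def is_dual_layer_otp(alloc: DataZoneAllocation) -> bool:
    return alloc.layer0_last_psn != 0


def layer0_sector_count(alloc: DataZoneAllocation) -> int:
    """Sectors on Layer 0 (the whole Data Zone on an SL disc)."""
    last = alloc.layer0_last_psn if is_dual_layer_otp(alloc) else alloc.last_psn
    return last - alloc.first_psn + 1


def build_pfi_sector(first: int, last: int, layer0_last: int = 0) -> bytes:
    """Constructed 2048-byte PFI sector with only the Data Zone allocation bytes populated."""
    sector = bytearray(2048)
    sector[5:8] = first.to_bytes(3, "big")
    sector[9:12] = last.to_bytes(3, "big")
    sector[13:16] = layer0_last.to_bytes(3, "big")
    return bytes(sector)


def control_data_copy_psns(kind: int) -> list[int]:
    """All PSNs holding copy `kind` (0 = PFI, 1 = Manufacturer, 2 = third sector) of the Control Data."""
    return [CONTROL_DATA_FIRST_PSN + SECTORS_PER_ECC_BLOCK * k + kind
            for k in range(CONTROL_DATA_COPIES)]


def classify_control_data_psn(psn: int):
    """Map a PSN inside the Control Data Zone to (copy index, sector kind); None if outside."""
    offset = psn - CONTROL_DATA_FIRST_PSN
    if not 0 <= offset < CONTROL_DATA_COPIES * SECTORS_PER_ECC_BLOCK:
        return None
    copy_index, kind = divmod(offset, SECTORS_PER_ECC_BLOCK)
    return copy_index, SECTOR_KINDS.get(kind, "reserved")


# Constructed samples: a single-layer disc and a dual-layer OTP disc.
SL_SAMPLE = build_pfi_sector(0x030000, 0x2605BF)
DL_OTP_SAMPLE = build_pfi_sector(0x030000, 0xFCFFFF, layer0_last=0x1F2FFF)

if __name__ == "__main__":
    for name, sample in (("SL", SL_SAMPLE), ("DL OTP", DL_OTP_SAMPLE)):
        alloc = parse_data_zone_allocation(sample)
        print(name, alloc, "layer 0 sectors:", layer0_sector_count(alloc))
    print("02F2D1 is", classify_control_data_psn(0x02F2D1))
    print("all-FF sector is valid PFI:", is_valid_pfi(b"\xff" * 2048))
```

The validation mirrors the "shall" clauses the post quotes and nothing more: on a dual-layer OTP disc the Layer 1 sector numbering is not described in the quoted text, so the example reports only the Layer 0 count rather than guessing at Layer 1 arithmetic.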

BlueCop
« Reply #207 on: May 14, 2006, 03:46:48 PM »

Quote from Rooney: Does anyone know if you get banned from xbox live using this hack?
This would depend on if MS can detect the use of the hack. I would say you will be banned if it is detected.

uberfry: i don't think so. are they common to a certain type of hardware? i have lots of old and unused hardware laying around i could rip apart. i can order the parts needed. you don't have to design to fit my needs. thanks for putting that together. also i can get free sram samples from maxim. in fact i can get free samples of lots of chips from maxim so if you want to use maxim chips in your design that would be great. http://www.maxim-ic.com/

probutus: i will try some things with my 360 drive later tonight. i am about to take my mom to lunch and a movie. i think someone is going to be able to get me a xbox 1 samsung logic board where i can fix my xbox 1 drive. it is currently broken.

xt5: thanks that's a great idea. it would just be like the drive was unlocked.

probutus
« Reply #208 on: May 14, 2006, 04:52:52 PM »

@xt5:
The sector fd021e contains the security sector. If we replace the PFI address in a normal drive with the address of the security sector, which contains no format information but the c/r data, don't we mess the drive up then?
What about finding the range check inside the read(10) or read(12) command and nop'ping it out?
I am currently searching for a firmware file from a 8163b/8164b since those seem to be very common drives but the only thing i could find were exe files including the firmware, but even if we get it we have to "deobfuscate" the fw, find the location of the read commands and patch the range checks out. This has been done by some guys on this forum already but no one wanted to share their firmware images...

« Last Edit: May 14, 2006, 05:01:23 PM by probutus »

xt5
« Reply #209 on: May 14, 2006, 05:13:27 PM »

Quote from probutus: @xt5:
The sector fd021e contains the security sector. If we replace the PFI address in a normal drive with the address of the security sector, which contains no format information but the c/r data, don't we mess the drive up then?

In fact the SS is some kind of PFI, the 8050L uses the first 14h bytes of it as PFI.

Quote from probutus: What about finding the range check inside the read(10) or read(12) command and nop'ping it out?

that would work, but seems to be a complicated and not clean hack

Quote from probutus: I am currently searching for a firmware file from a 8163b/8164b since those seem to be very common drives but the only thing i could find were exe files including the firmware, but even if we get it we have to "deobfuscate" the fw, find the location of the read commands and patch the range checks out. This has been done by some guys on this forum already but no one wanted to share their firmware images...

the firm is inside the LG executable. If you have a 8163B check your PMs

uberfry
« Reply #210 on: May 15, 2006, 05:38:24 AM »

Quote from BlueCop: uberfry: i don't think so. are they common to a certain type of hardware? i have lots of old and unused hardware laying around i could rip apart. i can order the parts needed. you don't have to design to fit my needs. thanks for putting that together. also i can get free sram samples from maxim. in fact i can get free samples of lots of chips from maxim so if you want to use maxim chips in your design that would be great. http://www.maxim-ic.com/

you need at least 1mbit... maxim doesn't have those. samsung has them, but i can't get the prices... you can find them on a bunch of old hardware... hdd and similar... maybe also mp3 players... portable media players... basically anything that needs sram... they mostly end in "*1024", check the datasheets... btw, it won't take TOO much work to fit to your IC...

Textbook
« Reply #211 on: May 20, 2006, 03:51:26 PM »

Hey, just wanted to say I shipped out the logic board to BlueCop, so hopefully he gets that soon (he should get it Monday). So he should be able to start hacking the Xbox 1 Samsung Drive again. I'd love to see the firmware hack for single layer discs (saves a lot of money). The 360 ripping with the Xbox 1 drive is awesome too. Keep hacking the old stuff for people who don't have a 360 yet (me).

LD50 420
« Reply #212 on: May 23, 2006, 09:39:35 PM »

Arakon, your link no longer works man. I have already created a successful backup, but I am now wanting to make another and I do not remember the exact steps, because your webpage is down. Please post the instructions of your tutorial again. Thanks man.

LD50 420
« Reply #213 on: May 23, 2006, 10:45:37 PM »

Hello? Could anyone please tell me what to do again? Come on guys, being helpful is always nice.

stonersmurf
« Reply #214 on: May 23, 2006, 10:48:27 PM »


LD50 420
« Reply #215 on: May 23, 2006, 10:50:49 PM »

Great, man. I said his link doesn't work. It still does not work. I need the instructions from Arakon, not Bluecop.

JUGSY
« Reply #216 on: June 03, 2006, 02:21:35 AM »

Hey Specialist, a quick question about your method of doing it.
I FTP'ed into my box and took the entire contents off of my D: drive. I made it into an ISO with Qwix and started the hex editing process.
I added 405798912 bytes at the very beginning just like you said. And then at the very end i added the amount of bytes the entire thing was. It ended up being about 1 Gig too big after i did that so i just cut off bytes until it reached its max.
I'm just wondering if that is right so far...
And so now i have that ISO and the SS.bin file, and i'm unclear on exactly where to put the SS.bin inside of it. If you could help me out it'd be much appreciated.

sketchiesk8er
« Reply #217 on: July 06, 2006, 11:13:37 AM »

Well i got everything down but bluecop's tutorial said: "Then use theSpecialist unlocker to unlock the drive. rip the iso like arakon's instructions (don't swap, just the software part). name it game.iso" but when it says don't swap does it mean don't do the disk swapping? if so is it supposed to freeze the whole time cuz i had it going for almost 18 hours and it only went 70% and it kept freezing and it just wouldn't work.... so is there any other program that works like isobuster or does anyone know what my problem may be. Note: i did put the retries on 1.