Media checks

[Penta]

It's not my fault that i havnt yet..

I'll let you know if I do, but untill then i will be playing my backups online..

They could still be looking for that info even though Hitachi dont support stealth mode cant they?

--
Penta

[Avenger 2.0]

Maybe you're all looking to hard and microsoft has just made a bug in the checking process that randomly not bans all modded consoles 

[thesakotys]

I just want to say that my brother and i have a Hitachi-LG Xbox360 V47 & V46. We updated before the sping update to C4e 2.4 stealth, waited a few days after the spring update was out and then went online.  We play only Rainbow SIX Vegas with stealth patch and Verbatim cd. We are until now not banned. Our z=000000. 

So i personally think its more a Media check but its also confusing bec. people say that Hitachi isnt stealth !!!

We play together on the same router wireless.

I dont know and have not actual idea but 6 million users online to keep a trace backup and update of what they are playing and doing is a hell lot of info !!

[peterg60]

i ant played my 360 for what 4 months now online been away for a while seen whats been happaing just tryed my on live banned 078 drive

[xordef]

Some info about checking if your backup contains the DMI/PFI sectors:

Check if your backup contains the DMI/PFI sector by using DVDinfo.
Insert the disc in your PC drive, select "read blocks from media" and enter "1FB1D", click read.

you should see this: (the PFI)
01 02 31 10 00 03 00 00 00 FC F8 9E 00 03 0A 8F
the rest is filled with zero's.
Click read once more to go to the DMI sector.

This sector is filled with data, somewhere near the end it says "XBOX".

If you get a blank PFI/DMI sector, i would not use that game on Xbox live....

Most of my games have this on 1F1B1C or 1F1B1E instead - but all of them, including one that has zeroes there, passes the Stealth check in Xbox Backup Creator 2.5 when looking at the isos.

Only one of my games, Crackdown, hasn't got stealth info. I'm indeed banned - while I never downloaded the Halo 3 beta I've played it a lot.

(That's on a Hitachi DJ47. When we've resolved what actually has taken place I'm going to modify a 360 with Samsung MS25 to check the theories)

[HungLO]

Some info about checking if your backup contains the DMI/PFI sectors:

Check if your backup contains the DMI/PFI sector by using DVDinfo.
Insert the disc in your PC drive, select "read blocks from media" and enter "1FB1D", click read.

you should see this: (the PFI)
01 02 31 10 00 03 00 00 00 FC F8 9E 00 03 0A 8F
the rest is filled with zero's.
Click read once more to go to the DMI sector.

This sector is filled with data, somewhere near the end it says "XBOX".

If you get a blank PFI/DMI sector, i would not use that game on Xbox live....

I also use this method:

I use XDVD Mulleter.

1. Insert back-up
2. Start DVD Mulleter
3. Toggle view ISO details
4. Click Next
5. Select "Load from DVDR" tab
6. Select Drive from drop down menu
7. Click Load disk
8. ISO loaded successfully
9. Next
10. Look at "Extreme Compatability" box
     a. Video partition present - ticked
     b. Security sector present - ticked
     c. Stealth sector present - ticked
 
If all those are ticked, your backup should be ok.

[Penta]

I have checked with two more that are banned and two other that aint.. The banned ones all have i common that they have run backups on theyr machines that where missing the DMI/PFI and the last two that i checked with that aint banned had i common that they have only run backups on theyr machines with the DMI/PFI in place..

So my list is now

Banned 6 - Have all run one or more backups with missing DMI/PFI
Unbanned 4 - Have not run any backups with missing DMI/PFI

Im pretty sure this is the case.... Even though most of these user have Hitachi im pretty sure MS could be looking for this. Still think its bull$#!t XFear?

HungLo thanks for recomending XDVD Mulleter, have tested it and it shows up correctly on each and everyone backup that was allready tested with DVDInfo

--
Penta

[XFear]

Im pretty sure this is the case.... Even though most of these user have Hitachi im pretty sure MS could be looking for this. Still think its bull$#!t XFear? Wink

Yes, GaryOPA himself said: No media-stealth at this moment for hitachi drives. So it doesn't make sense there are PFI and DMI sectors on the disc.

I have played backups without DMI and PFI and i'm not banned... Explain that...

[growlley]

Maybe of no use whatsoever (ie they may have just not got around to me yet)  but a couple of odd cases if Im wasting your time my apologies.

bought my first 360 box (premium) last year used free 1 month trial on xbl - never played multiplayer.
Attempted to flash it  (MS 28) screwed up killed it by losing key.

Bought second hand core from game looks like it had been returned as the case had been opened even thu the sticker was intact. I think someone was looking for a MS25 instead of the MS28 it contained.

Extracted key From new drive flashed with 5.2  ( not sure if a,b,c etc as I didnt know the diff. at the time) .

Naively attempted to flash original drive  with duplicate copy of flashed firmware from the second box. Beyond that never flashed them since.

Both boxes where powered from the 360, no video cable connect  with sata to pc motherboard ). Allso both boxes Have been powered on without the dvd connected whilst attempting to connect to XBL.

Each box  have had the fall update  and now the spring update. I do regret that fact on the one I lost the key for !

That box has been connected to  XBL but obviously it cant play  games.

The still working box has been on xbl  but I have never played multiplayer games on-line. I have played crackdown ie rented from Blockbuster but not halo 3 beta and the odd errm '100 years before the mast and then its the locker for me !' game .

As of yet Im not banned on either box.   

[TheSpecialist]

I have played backups without DMI and PFI and i'm not banned... Explain that...

Again, not being banned doesn't mean they haven't detected you.

[FuzzyLogic]

Im pretty sure this is the case.... Even though most of these user have Hitachi im pretty sure MS could be looking for this. Still think its bull$#!t XFear? Wink

Yes, GaryOPA himself said: No media-stealth at this moment for hitachi drives. So it doesn't make sense there are PFI and DMI sectors on the disc.

I have played backups without DMI and PFI and i'm not banned... Explain that...

Although i would recommend to make the backup as identical as possible to the original, so that means adding the DMI/PFI data, it seems that GaryOpa is right.
I added a serial output on my Hitachi drive, and modified the Atapi handler to log the ATAPI CMD's, send to the drive by the Xbox.
In my log, there is currently no cmd that reads the PFI and/or DMI sector.

I logged on a 01-2006 Xbox, which still had the 4548 kernel, then upgraded to the latest kernel 5759.

The logs are identical.

I tried Xbox Live,  but no checks for PFI/DMI were send to the drive.

Code:

000000000000000000000000
030000001200000000000000
000000000000000000000000
030000001200000000000000
000000000000000000000000
030000001200000000000000
000000000000000000000000
030000001200000000000000
000000000000000000000000
030000001200000000000000
000000000000000000000000
030000001200000000000000
000000000000000000000000
000000000000000000000000
55000000000000003A000000
5A003B00000000003A000000
5A003E00000000002A000000
AD00FF02FDFFFE00066800C0
55000000000000002A000000
5A003E00000000002A000000
55000000000000002A000000
5A003E00000000002A000000
55000000000000002A000000
5A003E00000000002A000000
55000000000000002A000000
5A003E00000000002A000000
55000000000000002A000000
5A003E00000000002A000000
55000000000000002A000000
5A003E00000000002A000000
5A0020000000000014000000
550020000000000014000000
000000000000000000000000

So what's left??
- The C-R seek time check.

Challenge type 1,3,5 and 7 all read data from the disc, which takes some time.

MS might have added a trigger for these Challenges, any response below (for example) 50-100ms would raise a flag. As it is impossible to seek this fast for the DVD-ROM drive.
Originals will pass this test, but currently all Drive firmwares will send the response immediately (as it is stored in a table, already loaded from the SS) and fail this test.

Bad lasers will not make any difference, as the seek time only increases not decreases.



- The Drive Inquiry

Removing the Sata cable for flashing your drive, will be detectable by MS, as it is possible to detect if the drive is connected.
Ofcourse only if you are using the XBOX as the power supply for the drive.

Problem might be that they need to store this information somewhere. If you disconnect the HD/storage device and ethernet cable, they can still store it on the on-board Flash, and send this information later when you're back on line.

I will test this theory by write protecting the Flash, and test to see if the WRite line is activated.

[delain]

The PFI/DMI checks may be implemented in a recent game(s) rather than in the kernel, but it is good news to hear that the dash itself isnt checking this.

[Zak]

Sorry I can't add something more constructive to this discussion but great research FuzzyLogic!
I wonder why it took so long to detect some users though, maybe they wait until it failed X times...

[Dzgx216]

Im pretty sure this is the case.... Even though most of these user have Hitachi im pretty sure MS could be looking for this. Still think its bull$#!t XFear? Wink

So what's left??
- The C-R seek time check.

Challenge type 1,3,5 and 7 all read data from the disc, which takes some time.

MS might have added a trigger for these Challenges, any response below (for example) 50-100ms would raise a flag. As it is impossible to seek this fast for the DVD-ROM drive.
Originals will pass this test, but currently all Drive firmwares will send the response immediately (as it is stored in a table, already loaded from the SS) and fail this test.

Bad lasers will not make any difference, as the seek time only increases not decreases.

  Fuzzy, this is exactly what I had arrived at last night.  Posted here: http://www.xboxhacker.net/index.php?topic=7613.msg46983#msg46983
I'm assuming they built the check into the dash and store data about what you're doing even offline in the consoles flash to be retrieved whenver they want as well.  I'm also assuming that the reason people with legit boxes are getting hit is either scrathed/dirty discs.  As far as those souls using hacked FW and backups that aren't getting caught, it's been postulated that the check is run a number of times and an average value is calculated which is then compared to an "acceptable range".  Eventually, your media will fall outside of the the accepted range unless the image is a good original, or well engineered backup image.

  It is my belief that the check is not a new ATAPI command being sent to the drive.  It would be too easy to make a new firmware that modifies the response to the command.  I belive that the check is in the new kernel.

[FuzzyLogic]

I just logged the DMI/PFI requests.

When trying different original discs, i had DOA4 laying around.
Put it in the drive, booted ok,  and finally froze on me in the demo movie. I noticed later it had a big circular scratch on it.

I ejected, and reinserted the disc and logged the following data:

Code:

000000000000000000000000 Test unit ready
030000001200000000000000 Request sense
000000000000000000000000 Test unit ready
030000001200000000000000 Request sense
5A0020000000000014000000 MODE SENSE(10)
550020000000000014000000 MODE SELECT(10)
030000001200000000000000 Request sense
000000000000000000000000 Test unit ready
030000001200000000000000 Request sense
000000000000000000000000 Test unit ready
030000001200000000000000 Request sense
000000000000000000000000 Test unit ready
030000001200000000000000 Request sense
000000000000000000000000 Test unit ready
030000001200000000000000 Request sense
000000000000000000000000 Test unit ready
030000001200000000000000 Request sense
000000000000000000000000 Test unit ready
030000001200000000000000 Request sense
000000000000000000000000 Test unit ready
030000001200000000000000 Request sense
000000000000000000000000 Test unit ready
030000001200000000000000 Request sense
000000000000000000000000 Test unit ready
030000001200000000000000 Request sense
000000000000000000000000 Test unit ready
030000001200000000000000 Request sense
000000000000000000000000 Test unit ready
030000001200000000000000 Request sense
000000000000000000000000 Test unit ready
030000001200000000000000 Request sense
000000000000000000000000 Test unit ready
030000001200000000000000 Request sense
250000000000000000000000 READ CAPACITY
030000001200000000000000 Request sense
1200000024C0000000000000 DRIVE INQUIRY
AD0000000000000080000000 READ DVD STRUCTURE (PFI) length 0x8000
030000001200000000000000 Request sense
AD0000000000000480000000 READ DVD STRUCTURE (DMI) length 0x8000
030000001200000000000000 Request sense
000000000000000000000000 Test unit ready
030000001200000000000000 Request sense
000000000000000000000000 Test unit ready
030000001200000000000000 Request sense
000000000000000000000000 Test unit ready
030000001200000000000000 Request sense
000000000000000000000000 Test unit ready
030000001200000000000000 Request sense
000000000000000000000000 Test unit ready
030000001200000000000000 Request sense
000000000000000000000000 Test unit ready
030000001200000000000000 Request sense
000000000000000000000000 Test unit ready
000000000000000000000000 Test unit ready
55000000000000003A000000 MODE SELECT(10)
5A003B00000000003A000000 MODE SENSE(10)
5A003E00000000002A000000 MODE SENSE(10)
AD00FF02FDFFFE00066800C0 READ DVD STRUCTURE (SS) length 0x0668
55000000000000002A000000 MODE SELECT(10)
5A003E00000000002A000000 MODE SENSE(10)
55000000000000002A000000 MODE SELECT(10)
5A003E00000000002A000000 MODE SENSE(10)
55000000000000002A000000 MODE SELECT(10)
5A003E00000000002A000000 MODE SENSE(10)
55000000000000002A000000 MODE SELECT(10)
5A003E00000000002A000000 MODE SENSE(10)
55000000000000002A000000 MODE SELECT(10)
5A003E00000000002A000000 MODE SENSE(10)
55000000000000002A000000 MODE SELECT(10)
5A003E00000000002A000000 MODE SENSE(10)
5A0020000000000014000000 MODE SENSE(10)
550020000000000014000000 MODE SELECT(10)
000000000000000000000000 Test unit ready
250000000000000000000000 READ CAPACITY
550020000000000014000000 MODE SELECT(10)
000000000000000000000000 Test unit ready
AD0000000000000000180000 READ DVD STRUCTURE (PFI) length 0x0018
AD0000000000000000180000 READ DVD STRUCTURE (PFI) length 0x0018
AD0000000000000480000000 READ DVD STRUCTURE (DMI) length 0x8000
1200000024C0000000000000 DRIVE INQUIRY
250000000000000000000000 READ CAPACITY
AD0000000000000080000000 READ DVD STRUCTURE (PFI) length 0x8000

As you can see, the PFI/DMI , drive inquiry (Reads ascii string from drive), and capacity (reports capacity of disc) are requested.
Both before, and after the disc has passed the challenge response (Mode select/sense) sequence.

Weird is the lenght of 0x8000 for the DMI and PFI, normally just one sector, 0x0800 is requested.


Ok some extra info:

Just rebooted the Xbox. It displayed a normal log, no DMI/PFI requests whatsoever.
Once i logged in to Xbox live, it immediately requested the capacity, did a drive inquiry, and read the DMI/PFI !!

Code:

250000000000000000000000
1200000024C0000000000000
AD0000000000000480000000
AD0000000000000080000000

[TheSpecialist]

Good job, nice to have the suspicion now confirmed, FL The 0x8000 bytes is interesting, I think this might be an interesting test developed by MS, if the drive replies with DMI (which is 0x800) AND the remaining 0x7800 bytes, then they can spot right away it's a backup because that remaining 0x7800 contains the relocated SS and PFI


So to summarize:

* All images without DMI/PFI will fail the test and might result in a ban
* All Hitachi's will fail the read capacity and might result in a ban
* Maybe (more tests are needed) *ALL* backups are being detected because of the relocation of the DMI (detected by reading 0x8000 bytes)

[BurnOmatic]

has anyone given a thought about , MS checking the speed that the games are running at , by default it would be what MS had selected, which would be normal, but with the new firmwares , the owner is able to select what speed they are read at ! feel free to comment on this thanks

[leo5111]

well we will see if im still unbanned in like 2 more weeks cause all my backups are full stealth made with sh162 drive 

[Iriez]

Just wanted to say a big thanks to all contributors. We've been thinking over the past few days that it is definitly ss/dmi/pfi/timings related, but had no proof yet ....so big kudos to FuzzyLogic *beer*

[Man1fest]

Nobody has answered me on this.  Is it possible that MS can read the media ID off of the backup?  Ie.) The media reads "ritek" in dvdinfo, but on an original it reads "pressed".

I also had questions if ms could detect the speed of the drive and wondered if the variation between A, B, C, D firmware could be calculated and detected.