XboxHacker BBS
 
Author Topic: hacking DVD firmware ?  (Read 478915 times)
TheSpecialist
« Reply #160 on: December 22, 2005, 10:31:25 AM »

"loser" (I hate calling someone with these very good posts 'loser', hehe Wink ) -> so you mean you can just use the aspi layer and send commands from within ring3 to the drive ? So we don't even need a device driver ? Sorry for my lack of knowledge on this part, I never did this before, hehe. Did you try sending the exact data that Anita999 intercepted for example (for these specific games) ? If you did, the drive should 'unlock' itself in my opinion.

BTW I'd like to add that the data that was posted by Anita999 is not completely correct, like he says himself, the data was not completely correctly ripped (I know, because I know what the packets should look like, by studying the way the kernel creates these packets)
« Last Edit: December 22, 2005, 10:35:34 AM by TheSpecialist »
TheSpecialist
« Reply #161 on: December 22, 2005, 10:37:31 AM »

And something else: is there any standard software out there that can read specific sectors on a disc? Because I'd like to extract the control data in the lead-in and write a decryptor for it.
loser
« Reply #162 on: December 22, 2005, 11:01:13 AM »

DvdInfoPro can be used to send misc commands to a drive (check Google for it); however, I was rewriting the Xbox kernel routines in my own code on the PC in order to emulate the whole process. You could then send the required commands to read sectors from the disc. I'm not sure if you can read the lead-in, though.

ASPI uses wnaspi.dll to send ASPI commands (can be installed on Win NT versions - look for "ForceAspi");
however, SPTI is better for Win NT versions.

main parts of sending a scsi command with spti:
(read up on spti and the associated commands below on msdn and other similar sites.)

#include <windows.h>
#include <ntddscsi.h>   /* SCSI_PASS_THROUGH_DIRECT, IOCTL_SCSI_PASS_THROUGH_DIRECT, SCSI_IOCTL_DATA_IN */

char drive[16] = "\\\\.\\D:";   /* the drive letter needs its trailing colon: \\.\D: */
HANDLE fileHandle = CreateFile(drive, GENERIC_WRITE|GENERIC_READ, FILE_SHARE_READ, NULL, OPEN_EXISTING, 0, NULL);

SCSI_PASS_THROUGH_DIRECT sptdwb = {0};  /* the request block the snippet left undeclared; filled in for a harmless INQUIRY */
BYTE buf[96]; DWORD returned = 0;
sptdwb.Length = sizeof(sptdwb); sptdwb.CdbLength = 6; sptdwb.DataIn = SCSI_IOCTL_DATA_IN;
sptdwb.DataBuffer = buf; sptdwb.DataTransferLength = sizeof(buf); sptdwb.TimeOutValue = 10;
sptdwb.Cdb[0] = 0x12; sptdwb.Cdb[4] = sizeof(buf);   /* INQUIRY opcode, allocation length */

BOOL success = DeviceIoControl(fileHandle, IOCTL_SCSI_PASS_THROUGH_DIRECT, &sptdwb, sizeof(SCSI_PASS_THROUGH_DIRECT),
   &sptdwb, sizeof(SCSI_PASS_THROUGH_DIRECT),
   &returned, NULL);

CloseHandle(fileHandle);

see pretty easy!
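The part of the SPTI call above that actually tells the drive what to do is the CDB inside the pass-through structure. As an added example (not loser's code, and not tied to any driver API), the following Python builds the standard INQUIRY and READ(10)/READ(12) command blocks with their big-endian fields and range checks, and parses a standard INQUIRY reply; the reply bytes are constructed for the demo, not captured from a drive. INQUIRY is the harmless first command to send when checking that the pass-through path works, and READ(10)/READ(12) are the block reads behind "read a specific sector" in the question above.

```python
"""SCSI command descriptor blocks (CDBs) for a pass-through call, plus an INQUIRY
reply parser. Added example, not code from the thread: the layouts follow the
standard SCSI block / MMC command set; the sample INQUIRY reply is constructed."""
import struct

INQUIRY = 0x12
READ_10 = 0x28
READ_12 = 0xA8


def inquiry_cdb(alloc_len=96):
    """6-byte INQUIRY CDB: opcode, EVPD/page bits clear, allocation length, control."""
    if not 0 < alloc_len <= 0xFF:
        raise ValueError("INQUIRY allocation length is a single byte")
    return bytes([INQUIRY, 0, 0, 0, alloc_len, 0])


def read10_cdb(lba, blocks):
    """10-byte READ(10): 32-bit LBA (bytes 2-5) and 16-bit transfer length
    (bytes 7-8), both big-endian; byte 6 is group number, byte 9 control."""
    if not 0 <= lba <= 0xFFFFFFFF:
        raise ValueError("LBA does not fit in 32 bits")
    if not 0 < blocks <= 0xFFFF:
        raise ValueError("READ(10) transfer length is 16 bits")
    return struct.pack(">BBIBHB", READ_10, 0, lba, 0, blocks, 0)


def read12_cdb(lba, blocks):
    """12-byte READ(12): same LBA field, but a 32-bit transfer length (bytes 6-9)."""
    if not 0 <= lba <= 0xFFFFFFFF:
        raise ValueError("LBA does not fit in 32 bits")
    if not 0 < blocks <= 0xFFFFFFFF:
        raise ValueError("READ(12) transfer length is 32 bits")
    return struct.pack(">BBIIBB", READ_12, 0, lba, blocks, 0, 0)


def parse_inquiry(reply):
    """Standard INQUIRY data: peripheral device type in byte 0, RMB bit in byte 1,
    vendor / product / revision as space-padded ASCII at bytes 8-15, 16-31, 32-35."""
    if len(reply) < 36:
        raise ValueError("standard INQUIRY data is at least 36 bytes")
    text = lambda b: b.decode("ascii", "replace").strip()
    return {
        "device_type": reply[0] & 0x1F,      # 0x05 = CD/DVD (MMC) device
        "removable": bool(reply[1] & 0x80),
        "vendor": text(reply[8:16]),
        "product": text(reply[16:32]),
        "revision": text(reply[32:36]),
    }


# Constructed 36-byte INQUIRY reply for the demo (not captured from any real drive).
SAMPLE_INQUIRY = (bytes([0x05, 0x80, 0x00, 0x02, 0x1F]) + bytes(3)
                  + b"VENDOR  " + b"EXAMPLE DVD-ROM " + b"1.00")

if __name__ == "__main__":
    print("READ(10) of 16 blocks at LBA 0x10000:", read10_cdb(0x10000, 16).hex())
    print(parse_inquiry(SAMPLE_INQUIRY))
```

The bytes these functions return are what goes into the `Cdb` array of the pass-through structure (with `CdbLength` set to the CDB's size); the transfer length times the sector size is the `DataTransferLength`.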
Obiwantje
« Reply #163 on: December 22, 2005, 11:07:45 AM »

@TheSpecialist,

You may also want to look at this tool, it will give you direct access to the content.
Glad I finally may have been able to contribute something to this very useful thread !

CD/DVD DIAGNOSTIC, CD/DVD INSPECTOR, AND CD STRUCTURE SOFTWARE

These useful programs support quality evaluation of CD and DVD discs. Error Summary determines error rates. Sector level error correction and retries can be turned off for many drives. Conducts analysis for logical defects. Reads Table of Contents. Displays volume info, multisession directories, file structure, and sector contents. Fourteen-day free trial evaluation version of CD/DVD Diagnostic is available from InfinaDyne (formerly Arrowkey) at http://www.infinadyne.com/.

This software examines information transferred from the drive to the host, and cannot conduct parameter and error rate tests conducted by dedicated equipment. Supports Win95, Win98, WinNT, and WinXP. Contact InfinaDyne (formerly Arrowkey) at http://www.infinadyne.com/ to register a downloaded copy.

CD/DVD Inspector includes features of CD/DVD Diagnostic and adds a graphic error summary, multi-volume directory display, CD+G analysis, and search capability. Contact InfinaDyne (formerly Arrowkey) at http://www.infinadyne.com/ for more information or to purchase the software.

CD Structure intensively tests logical CD-ROM quality to the ISO 9660 standard, and its El Torito, Joliet, HFS, Rock Ridge Extensions, and XA. CD-DA discs are qualified to Red Book. The Table of Contents and gaps are also evaluated. Contact InfinaDyne (formerly Arrowkey) at http://www.infinadyne.com/ for more information or to purchase the software.
tser
« Reply #164 on: December 22, 2005, 11:16:20 AM »

In the past, people have used modified burning software / burner firmware to let the DVD burner write "DVD-ROM" instead of the DVD+/-R bitsetting on DVD media. It might be of interest, for those working on this project, to see if this bit change trick also works for the XBOX, to get the first response about the media type correct. For information:

See for example : http://www.k-probe.com/bitsetting-booktype-faq.php

Quote
Use the bitsetting (Set Booktype) feature in your bitsetting software to set your DVD+R/DVD+RW/DVD+R DL Media (Only DVD+R/+RW Media) backup to DVD-ROM for much higher compatibility with older DVD players and Game Consoles such as XBOX and PS2. Bitsetting is done during the burning process when bitsetting DVD+R Media
« Last Edit: December 22, 2005, 11:35:47 AM by tser »
Crosseye
« Reply #165 on: December 22, 2005, 11:22:31 AM »

Changing the bitsetting will not fool the 360. It can still read the disc for what it is. It needs to believe the discs have been pressed and are authentic 360 games. Bitsetting just writes a lead-in that says this disc is a DVD-ROM. When the system actually checks, it will find the real media.
InterestedHacker
« Reply #166 on: December 22, 2005, 11:33:43 AM »

Sorry to go off topic here, but can anyone recommend a hex editor that displays these character strings properly? I have used Hex Edit for eons now and never had a problem, but for the life of me it won't display any ASCII when I can clearly read the hex values correctly.
TheSpecialist
« Reply #167 on: December 22, 2005, 11:34:52 AM »

Quote
Sorry to go off topic here, but can anyone recommend a hex editor that displays these character strings properly? I have used Hex Edit for eons now and never had a problem, but for the life of me it won't display any ASCII when I can clearly read the hex values correctly.

I always use HIEW (Hacker's View); it's a bit of old software (runs in a DOS box), but it's a very neat piece of software, written for us 'hackers' ;) Start it up and press F4 to go to 'hex mode'.
« Last Edit: December 22, 2005, 11:36:55 AM by TheSpecialist »
MacDennis
« Reply #168 on: December 22, 2005, 11:40:53 AM »

Quote
Sorry to go off topic here, but can anyone recommend a hex editor that displays these character strings properly? I have used Hex Edit for eons now and never had a problem, but for the life of me it won't display any ASCII when I can clearly read the hex values correctly.

I haven't seen anything better than Hex Workshop .. it's great ..
http://www.hexworkshop.com/

Just look at those features, what else do you need? :)
http://www.hexworkshop.com/features.html
« Last Edit: December 22, 2005, 11:43:22 AM by MacDennis »
Phantasm
« Reply #169 on: December 22, 2005, 01:26:25 PM »


Quote
What I want to know is how did you work out the bit swap positions? I did a complete bit flip so 31 = 0, 30 = 1, 29 = 2 etc. Very nice work =D

I wrote a program that defined a matrix of the 32 possible bit positions and their corresponding bit positions (eg. 32x32) and then
narrowed down the possibilities based on the known data and the xor'd data.

What I ended up with was this

bit 01 00000000011000000000000001100100=5 possibilities
bit 09 00000000011000000000000001100100=5 possibilities
bit 15 00000000011000000000000001100100=5 possibilities
bit 17 00000000011000000000000001100100=5 possibilities
bit 25 00000000011000000000000001100100=5 possibilities

bit 11 00000100000100000000000010000000=3 possibilities
bit 16 00000100000100000000000010000000=3 possibilities
bit 23 00000100000100000000000010000000=3 possibilities

bit 02 00000000000000000000000100001000=2 possibilities
bit 26 00000000000000000000000100001000=2 possibilities

bit 03 00000000000010100000000000000000=2 possibilities
bit 27 00000000000010100000000000000000=2 possibilities

bit 04 00000001000000000000001000000000=2 possibilities
bit 28 00000001000000000000001000000000=2 possibilities

bit 06 00000000100000010000000000000000=2 possibilities
bit 20 00000000100000010000000000000000=2 possibilities

bit 07 00000000000000000001000000000001=2 possibilities
bit 12 00000000000000000001000000000001=2 possibilities

bit 10 10010000000000000000000000000000=2 possibilities
bit 22 10010000000000000000000000000000=2 possibilities

bit 14 00000000000000001000010000000000=2 possibilities
bit 30 00000000000000001000010000000000=2 possibilities

bit 19 00000000000000000100100000000000=2 possibilities
bit 21 00000000000000000100100000000000=2 possibilities

bit 29 00100000000000000000000000010000=2 possibilities
bit 32 00100000000000000000000000010000=2 possibilities

bit 05 01000000000000000000000000000000=1 possibilities
bit 08 00000000000000000010000000000000=1 possibilities
bit 13 00000000000001000000000000000000=1 possibilities
bit 18 00001000000000000000000000000000=1 possibilities
bit 24 00000000000000000000000000000010=1 possibilities
bit 31 00000010000000000000000000000000=1 possibilities

I then wrote some software to apply all the combinations of those possibilities to the data at $6000 and filtered out
those where the string wasn't exactly correct, and fortunately that left only the 24 possibilities that you would expect
with 7-bit ASCII codes.
oz_paulb
« Reply #170 on: December 22, 2005, 01:36:10 PM »

Phantasm -

Very nice work!  I was thinking along the same path (bit flipping), but since I'm on vacation, I haven't had time to write a tool to test the theory.

How did you figure out which of the 24 remaining bit combinations were correct?  Are you 100% sure of your final bit combinations?  I ask because in the decoded output (using "loser's" most recently posted version of the code), the start (offset 0) doesn't look like reasonable code to me (other example MN10300 code I saw started with real code at offset 0).  But, I see 'good' code at offset $1000, so maybe the stuff at 0 isn't really code in this particular hardware.

Something to consider (if we think offset 0 should be code): address-line flipping.

Again, great work (to everyone involved in this discovery)!

- Paulb
« Last Edit: December 22, 2005, 01:40:13 PM by oz_paulb »
Stealth
« Reply #171 on: December 22, 2005, 01:38:50 PM »

regarding the problems with objdump, it likely isn't compiled with mn10300 as a target.

Here is what I did just now to be able to disassemble the firmware (in windows):

1. Install cygwin (Make sure you include the binutils source as well)
2. Run cygwin bash shell
3. cd /usr/src/binutils-20050610-1 (modify based on your source version)
4. ./configure --target=mn10300
5. make
6. make install
7. /usr/local/bin/mn10300-objdump.exe -D -b binary -m mn10300 <your firmware bin file>

Phantasm
« Reply #172 on: December 22, 2005, 01:39:45 PM »

I haven't looked into the final 24 combinations yet, I have only just got in from work.

Others have looked at these and ruled out several variations. Not sure if anyone has 100%
for sure determined which bit combination is correct.

Something else to consider if we think that address 0 should be code.
I think it's possible that not all of the dump needs to be XOR'd.
Stealth
« Reply #173 on: December 22, 2005, 01:45:16 PM »

I just glanced at the disassembly (assuming that whatever code someone posted earlier in the thread does the appropriate bitswapping) and really I know nothing about the mn103 processor, but it looks like there might be some command handling starting around 0x11059.  It looks like a large switch statement follows.

Anyone have any handy mn103 datasheets that list all the registers and opcodes and such?
« Last Edit: December 22, 2005, 02:13:26 PM by Stealth »
oz_paulb
« Reply #174 on: December 22, 2005, 02:13:33 PM »

How many people have dumped their flash?  Do we only have the one image?

I see 'interesting' stuff at offsets like $4f00 and $4f80 that "stand out" as possibly being something like a serial number.  (maybe someone else already noticed this earlier in the thread - sorry if I missed it).

Since we know that you can't swap drives between Xboxes, maybe we could determine if these values are either the drive's serial #, or the Xbox's serial # that the drive came from.

Having more than one flash dump would help find 'unique' data in each drive.

- Paulb
cancerboy
« Reply #175 on: December 22, 2005, 02:18:12 PM »

Hi, I've been following this thread since the start but I've had nothing to contribute. Well, today I was curious so I took apart my 360 and recorded with my cell phone the laser activity that occurs when an original 360 game gets entered and when a backed-up Xbox game is entered. I don't have anywhere to host these files; if anyone knows of a site, let me know. So basically what happens is after the disk is entered the laser reads from the center of the disk for a second, then in the case of the original it continues to read but in the backup it just stops. I know all I have done is confirm what is already known about the disk checking, but it is a good thing to just double check and provide more evidence. I'm trying to get my hands on a better camera to take pictures of the PCB of the DVD drive because you can't make anything out with my crappy cell phone. Keep up the great work guys; if you want anything tested and don't wanna tear apart your 360 just let me know and I'll try to help.
marvin
« Reply #176 on: December 22, 2005, 02:23:08 PM »

Quote
I haven't looked into the final 24 combinations yet, I have only just got in from work.

Others have looked at these and ruled out several variations. Not sure if anyone has 100% for sure determined which bit combination is correct.

Something else to consider if we think that address 0 should be code.
I think it's possible that not all of the dump needs to be XOR'd.

First of all, congrats for your information.


I've looked at files from http://tdb.rpc1.org/#GDR8163B
which are interesting for a few reasons.

Once unscrambling is applied, I've run objdump on it and diffed the output:
objdump --adjust-vma 0x40000000 -m mn10300 -D -b binary

Unsure if this address is correct:
https://www.semicon.panasonic.co.jp/micom/manual/pdf/13250-040e.pdf
p11 - p12, internal program ROM 0x40000000

SS24
< SS24RPC1:     file format binary
---
> SS24AUTO:     file format binary
< 4002a739:   cd cd 01 a0    call   0x4002a906,[d2,a2],16
< 4002a73d:   10
< 4002a73e:   10             extb   d0
< 4002a73f:   a0 00          cmp   0,d0
< 4002a741:   c9 07          bne   0x4002a748
< 4002a743:   80 15          mov   21,d0
< 4002a745:   02 00 06       movbu   d0,(0x600)
< 4002a748:   dd af 06 ff    call   0x4001adf7,[d2,d3],12
< 4002a74c:   ff c0 0c
< 4002a74f:   14             extbu   d0
< 4002a750:   a0 00          cmp   0,d0
< 4002a752:   c9 12          bne   0x4002a764
< 4002a754:   00             clr   d0
< 4002a755:   02 3c 06       movbu   d0,(0x63c)
< 4002a758:   02 3d 06       movbu   d0,(0x63d)
< 4002a75b:   02 3e 06       movbu   d0,(0x63e)
< 4002a75e:   2c ff 00       mov   255,d0
< 4002a761:   02 3f 06       movbu   d0,(0x63f)
---
> 4002a739:   34 38 06       movbu   (0x638),d0
> 4002a73c:   02 3c 06       movbu   d0,(0x63c)
> 4002a73f:   34 39 06       movbu   (0x639),d0
> 4002a742:   02 3d 06       movbu   d0,(0x63d)
> 4002a745:   34 3a 06       movbu   (0x63a),d0
> 4002a748:   02 3e 06       movbu   d0,(0x63e)
> 4002a74b:   34 3b 06       movbu   (0x63b),d0
> 4002a74e:   02 3f 06       movbu   d0,(0x63f)
> 4002a751:   cb             nop   
> 4002a752:   cb             nop   
> 4002a753:   cb             nop   
> 4002a754:   cb             nop   
> 4002a755:   cb             nop   
> 4002a756:   cb             nop   
> 4002a757:   cb             nop   
> 4002a758:   cb             nop   
> 4002a759:   cb             nop   
> 4002a75a:   cb             nop   
> 4002a75b:   cb             nop   
> 4002a75c:   cb             nop   
> 4002a75d:   cb             nop   
> 4002a75e:   cb             nop   
> 4002a75f:   cb             nop   
> 4002a760:   cb             nop   
> 4002a761:   cb             nop   
> 4002a762:   cb             nop   
> 4002a763:   cb             nop   

Once unscrambling is applied we can see a bunch of nop : which makes sense.
thecheekymonkey
« Reply #177 on: December 22, 2005, 02:24:13 PM »

If there is a way to dump the firmware via a SATA cable in a PC (or is it removal of the chip only), then let me know; I've got 2 premiums here.
BlueCop
« Reply #178 on: December 22, 2005, 02:26:08 PM »

j005u: it is possible any "testing" could break your 360 permanently. so i wouldn't offer unless you're really willing

oz_paulb: 2 versions have been dumped: the 47DH by germania and the 46DH by teammodfreaks. Also, has anyone else independently confirmed the swapping DVD drive thing? I mean the guy who tried was using 2 different ROM versions on his drives. That might have had something to do with it.

Has anyone done the 8163B flashed to a 8050L firmware? I would be interested to know if that changes the drive serial number.

cancerboy: there have already been scans of the pcb by teammodfreaks

it seems some people like to skim =P

by the way the deobfuscator seems to work on the 8050L as well. didn't know if anyone has tested

thecheekymonkey: what are the rom versions on your drives? could you attempt to swap them just to confirm the information about the drives being locked to each 360?
« Last Edit: December 22, 2005, 02:30:23 PM by BlueCop »
Geremia
« Reply #179 on: December 22, 2005, 02:41:18 PM »

As I wrote, looking at 3 different MN103 firmwares with 3 different XOR masks, the first 0x1C bytes are (quite) the same.

Code:
Pioneer DVD121 dvdrom (xor mask 8E7A29FF)(not applied here)
00000000 D5 6E B9 12 15 D2 2C 62 1C 91 EE 78 F7 09 F9 00 .n....,b...x....
00000010 50 F8 A3 FE 94 6A AC 36 B4 9B 24 3E 12 05 B1 6D P....j.6..$>...m
00000020 8E 7A 29 7D BA 72 A9 BF 9C 7A 05 FE BE 3A 23 E7 .z)}.r...z...:#.
00000030 67 20 B8 D3 C7 18 68 DB 27 53 A0 FF 8E 32 29 9E g ....h.'S...2).
00000040 38 7E B1 DF 65 01 B2 93 55 C5 D6 D2 2A 22 3F 97 8~..e...U...*"?.
00000050 7F 24 BE 92 02 0F 35 8F 8F 10 08 11 01 00 10 D1 .$....5.........

LG GDR-8163B (xor mask 666460F7)(not applied here)
00000000 D5 6E B9 12 15 D2 28 22 1C 91 EE 78 F7 09 F9 00 .n....("...x....
00000010 50 F8 A3 FE 94 6A AC 36 B4 9B 24 3E 3F AE A1 41 P....j.6..$>?..A
00000020 9F 1B BF 48 A2 20 41 82 6A 0D 68 98 E9 1F 49 D9 ...H. A.j.h...I.
00000030 F4 BA 36 DD 77 67 61 C3 F2 62 38 D1 20 B4 64 CE ..6.wga..b8. .d.
00000040 27 E4 50 D6 C6 2E BB FD F6 70 1D D1 60 B4 64 CF '.P......p..`.d.
00000050 BE D1 14 D6 63 44 61 B3 C6 2E BB FD F6 50 55 D1 ....cDa......PU.

LG GCC-4241N combo dvd/cd-rw (xor mask 16FAACF7)(not applied here)
00000000 D5 6E B9 12 15 D6 2E 22 1C 91 EE 78 F7 09 F9 00 .n....."...x....
00000010 50 F8 A3 FE 94 6A AC 36 B4 9B 24 3E DF 82 10 61 P....j.6..$>...a
00000020 FF 05 53 4A 9A 9E EC 05 13 90 8D 1B 99 81 85 D9 ..SJ............
00000030 85 26 92 DE F8 9F 85 8A 1E D8 CC 44 B3 14 B4 D7 .&.........D....
00000040 5B 4D E9 F0 3E 93 A0 76 3A CF EA F5 24 DA 85 E0 [M..>..v:...$...
00000050 16 D3 AC FF 5B 2D AD EB 0E 5B E4 C7 52 7C 98 97 ....[-...[..R|..
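Two comparisons behind this post and marvin's diff above, as an added example that is not Geremia's or marvin's code: finding the unmasked start of a dump by comparing two dumps of the same firmware scrambled with different masks, recovering a repeating 32-bit XOR mask from the masked part by byte-column frequency, and listing the byte ranges that differ between two images (a stock firmware against its patched version, which is what marvin's objdump diff shows at instruction level). The images are constructed; the two mask values are reused from this post purely as demo constants; the model has no bit permutation; and the assumptions that erased flash reads 0xFF and that the first mask byte sits at the first masked offset are labelled in the code.

```python
"""Comparing firmware dumps: unmasked prefix, repeating XOR mask, differing ranges.

Added, constructed example (not the thread's code). Model: the first bytes of a
dump are stored as-is; everything from offset `start` on is XORed with a 4-byte
mask that repeats every dword. No bit permutation in this model."""
from collections import Counter
import random

PERIOD = 4
ERASED = 0xFF   # assumption: unused flash reads back 0xFF and is the most common byte


def diff_ranges(a, b):
    """Half-open [start, end) offsets at which a and b differ; a length
    difference counts as a differing tail (a byte-level view of marvin's diff)."""
    n = min(len(a), len(b))
    ranges, start = [], None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, n))
    if len(a) != len(b):
        ranges.append((n, max(len(a), len(b))))
    return ranges


def unmasked_prefix_len(dump_a, dump_b):
    """Same firmware under two different masks: everything before the first differing
    byte lies outside the masked region (the post's 'first 0x1C bytes are the same')."""
    diffs = diff_ranges(dump_a, dump_b)
    return diffs[0][0] if diffs else min(len(dump_a), len(dump_b))


def recover_mask(dump, start, period=PERIOD, filler=ERASED):
    """Per byte column (offset mod period) the most frequent byte is taken to be
    filler ^ mask[column]; the mask is returned as an int in dump byte order
    (assumption: first mask byte at the first masked offset)."""
    cols = [Counter(dump[i] for i in range(start + k, len(dump), period))
            for k in range(period)]
    mask = bytes(col.most_common(1)[0][0] ^ filler for col in cols)
    return int.from_bytes(mask, "big")


def apply_mask(dump, start, mask, period=PERIOD):
    """XOR the repeating mask over dump[start:]; applying it twice restores the input."""
    mb = mask.to_bytes(period, "big")
    return bytes(dump[:start]) + bytes(dump[i] ^ mb[(i - start) % period]
                                       for i in range(start, len(dump)))


# Constructed image: 0x1C header bytes left unmasked, then "code" (random bytes),
# one string, and a large erased area. MASK_A/MASK_B are two mask values quoted
# in the post, reused here only as demo constants.
_rng = random.Random(8163)
HEADER = bytes(range(0x1C))
STRING_OFFSET = len(HEADER) + 256
BODY = (bytes(_rng.randrange(256) for _ in range(256))
        + b"DRIVE FIRMWARE STRING TABLE\0" + bytes([ERASED]) * 2048)
PLAIN = HEADER + BODY
MASK_A, MASK_B = 0x8E7A29FF, 0x666460F7
DUMP_A = apply_mask(PLAIN, len(HEADER), MASK_A)
DUMP_B = apply_mask(PLAIN, len(HEADER), MASK_B)


def demo():
    start = unmasked_prefix_len(DUMP_A, DUMP_B)
    mask_a, mask_b = recover_mask(DUMP_A, start), recover_mask(DUMP_B, start)
    restored = apply_mask(DUMP_A, start, mask_a) == PLAIN
    # A constructed "patch": the string overwritten with mn10300 nop bytes (0xCB),
    # located afterwards by diffing the unscrambled images.
    patched = bytearray(PLAIN)
    patched[STRING_OFFSET:STRING_OFFSET + 28] = bytes([0xCB]) * 28
    return start, mask_a, mask_b, restored, diff_ranges(PLAIN, patched)


if __name__ == "__main__":
    start, mask_a, mask_b, restored, patch = demo()
    print("masked region starts at 0x%X" % start)
    print("masks: %08X %08X, round trip ok: %s" % (mask_a, mask_b, restored))
    print("patched ranges:", ["0x%X-0x%X" % r for r in patch])
```

The frequency step only works when one byte value dominates the masked area; on a real dump that is the erased padding, and a wrong filler guess (0x00 instead of 0xFF) shows up as a mask that is the bitwise complement of the right one, which an unscrambled image full of 0x00 where 0xFF was expected quickly reveals.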