anita999
« Reply #20 on: December 17, 2005, 11:44:21 PM »
In the newly released paper "17 mistakes made by MS in xbox security system", it is mentioned that the source code of the Xbox 1 kernel has been released for a period of time. I am very interested in this info. Studying this kernel source will certainly help us understand the Xbox1 security system in further detail; then we might have additional ideas about the Xbox 360 system. Is there any "way" direct to this released source code? If we can get this kernel source code then we can fully understand the challenge/response sequence, and then a program can be developed to access the Xbox1 DVD-ROM in a PC system. Hopefully this can bring us more ideas about the Xbox 360 DVD drive.

Geremia
« Reply #21 on: December 18, 2005, 03:33:45 PM »
Just dumped the SST39SF020A of my 360 DVD-ROM, very similar to LG GDR-8162B, 8163B and maybe others. No copyright notice inside, so I uploaded it here: http://www.dvb-upload.com/index.php?action=download&pid=35908 Maybe people from rpc1.com can help.
« Last Edit: December 18, 2005, 04:07:25 PM by Geremia »

cjack
« Reply #22 on: December 18, 2005, 05:27:52 PM »
|
Nice! Just downloaded the bin file. Disassembled using DIS8051, which created 226500 rows of assembly. Really hard to understand! I have mirrored the firmware here: http://www.darkmoon.org/GDR-3120L_0047DH.rar if the previous link doesn't work.
« Last Edit: December 18, 2005, 05:30:18 PM by cjack »

TheSpecialist
« Reply #23 on: December 18, 2005, 05:38:23 PM »
|
> Nice! Just downloaded the bin file. Disassembled using DIS8051, which created 226500 rows of assembly. Really hard to understand! I have mirrored the firmware here: http://www.darkmoon.org/GDR-3120L_0047DH.rar if the previous link doesn't work.

I also just disassembled it with 8051, but it's not correct code, the reset vector jump isn't even there. It's very well possible that it's not even 8051 (and/or encrypted/packed). Do we have any info on the MCU in the drive yet? Manufacturer etc.? Would be really great if someone could open his drive and make a photo of the chips inside.
« Last Edit: December 18, 2005, 05:58:40 PM by TheSpecialist »

Geremia
« Reply #24 on: December 18, 2005, 06:16:29 PM »

TheSpecialist
« Reply #25 on: December 18, 2005, 06:45:28 PM »
|
Great work, Geremia! So we're dealing with a 32 bit Panasonic (Matsushita) MN103 series (like used in the 8050L drive). *EDIT* It seems that under Linux, the GNUPro debugging tools can handle MN10300 ...
« Last Edit: December 19, 2005, 12:21:58 AM by TheSpecialist »

TheSpecialist
« Reply #26 on: December 18, 2005, 11:03:24 PM »
|
So, to summarize: the kernel clears the authentication bit at the beginning of the 'kernel init process' (and if the tray opens). After a DVD is inserted, it's going to start the authentication routine. If authentication is successful, the authentication bit is set to 1.
Authentication process:
1. The kernel sends a 'read dvd structure' command, which always returns 664h bytes (which are read from the Lead-in). These 664h bytes seem to consist of 2 parts: a (SHA-encrypted) table and a signature for it. The signature gets verified and if it's correct, the table gets decrypted.
2. The decrypted table is input data for the following looped mode sense/mode select routine. The table seems to hold challenge/response entries which are used in the mode sense/select communication with the drive.
If this routine is successful, the authentication bit is set to 1.
« Last Edit: December 20, 2005, 12:42:24 AM by TheSpecialist »

Nayr
« Reply #27 on: December 18, 2005, 11:58:14 PM »
|
Standard GNU binutils has MN103 support:
configure --target=MN10300
Something like objdump -D -b binary -m mn10300 flashdump.bin should work...
However a quick look at this file didn't look like good code. Also there are no readable ASCII strings in it. Usually you would see at least a device id string.
The next step is to see if there are any reset or interrupt vectors with understandable code.
Nayr

anita999
« Reply #28 on: December 19, 2005, 12:02:31 AM »
|
Here is a log of another original game disk insertion. I will put a log of a burned DVD in my next post.
Splinter Cell Original DVD detection (Sample# / command / description):
15    B0 Read HDD SMART
547   A0 PKT CMD 5A Mode Sense: 5A 00 3E 00 00 00 00 00 1C 00 00 00 (page code 3E, subpage code 00, page_0 format required). Ret Status 51 Error
573   A0 PKT CMD 03 Request Sense: 03 00 00 00 12 00 00 00 00 00 00 00 (DESC=0 for fixed format, alloc length = 12h). Return: 06 00 06 00 00 0A 00 0A 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
613   A0 PKT CMD 5A Mode Sense: 5A 00 3E 00 00 00 00 00 1C 00 00 00 (page code 3E, subpage code 00, page_0 format required). RET: 00 02 00 00 00 00 00 00 00 03 00 01 01 08 01 00 00 00 00 00 00 00 00 00 00 00 00 00. Ret Status 50
657   A0 PKT CMD AD Read DVD Structure: AD 00 FF 02 FD FF FE 00 06 64 00 0C (664h bytes allocated)
1505  A0 PKT CMD 55 Mode Select: 55 00 00 00 00 00 00 00 1C 00 00 00. Data out: 00 1A 00 00 00 00 00 00 3E 12 00 01 00 D1 01 A6 92 42 4D 8D 00 00 00 00 00 00 00 00
1549  A0 PKT CMD 5A Mode Sense: 5A 00 3E 00 00 00 00 00 1C 00 00 00 (page code 3E, subpage code 00, page_0 format required). RET: 00 00 00 00 00 00 00 00 00 01 00 01 01 A6 01 A6 4D 8D 4D 8D 66 74 66 74 00 00 00 00
1595  A0 PKT CMD 55 Mode Select: 55 00 00 00 00 00 00 00 1C 00 00 00. Data out: 00 1A 00 00 00 00 00 00 3E 12 00 01 01 D1 01 21 92 42 4D 8D 00 00 00 00 00 00 00 00
1644  A0 PKT CMD 5A Mode Sense: 5A 00 3E 00 00 00 00 00 1C 00 00 00 (page code 3E, subpage code 00, page_0 format required). RET: 00 00 00 00 00 01 00 01 01 21 01 21 4D 8D 4D 8D EE 1E EE 1E
1684  A0 PKT CMD 55 Mode Select: 55 00 00 00 00 00 00 00 1C 00 00 00. Data out: 00 1A 00 00 00 00 00 00 00 00 3E 12 00 01 00 01 00 01 01 D1 01 47 92 42 4D 8D 4D 8D 00 00 00 00 00 00 00 00
1741  A0 PKT CMD 5A Mode Sense: 5A 00 3E 00 00 00 00 00 1C 00 00 00 (page code 3E, subpage code 00, page_0 format required). RET: 00 00 00 00 01 00 01 00 01 47 01 47 4D 8D 4D 8D 53 DA 53 9A 00 00 00 00
1783  A0 PKT CMD 55 Mode Select: 55 00 00 00 00 00 00 00 1C 00 00 00. Data out: 00 1A 00 00 00 00 00 00 3E 12 00 01 01 D1 01 C9 92 42 4D 8D 00 00 00 00 00 00 00 00
1826  A0 PKT CMD 5A Mode Sense: 5A 00 3E 00 00 00 00 00 1C 00 00 00 (page code 3E, subpage code 00, page_0 format required). RET: 01 C9 01 C9
1858  A0 PKT CMD 55 Mode Select: 55 00 00 00 00 00 00 00 1C 00 00 00. Data out: 00 1A 00 00 00 00 00 00 3E 12 01 01 01 D1 01 C9 92 42 4D 8D 00 00 00 00 00 00 00 00
1901  A0 PKT CMD 5A Mode Sense: 5A 00 3E 00 00 00 00 00 1C 00 00 00 (page code 3E, subpage code 00, page_0 format required). RET: 00 00 00 00 01 01 01 01 01 C9 01 C9 4D 8D 4D 8D 7E 2C 7E 2C
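As an added example (not code from anyone in this thread), here is a small Python parser for the MODE SENSE(10)/MODE SELECT(10) traffic in the log above: it decodes the two CDBs, splits the 28-byte Mode Select parameter list into the 8-byte mode parameter header and the page 3E payload, and flags returns whose length fields do not add up. It assumes the standard MMC layout (mode data length in the first two bytes, block descriptor length in bytes 6-7, then page code, page length, page data), which the 1A/12 values in the log fit.

```python
from dataclasses import dataclass
# Constructed from the log above: CDBs (samples 1505/1549), Mode Select data out (1505), Mode Sense RET (1644).
MODE_SELECT_CDB = bytes.fromhex("55 00 00 00 00 00 00 00 1C 00 00 00")
MODE_SENSE_CDB = bytes.fromhex("5A 00 3E 00 00 00 00 00 1C 00 00 00")
MODE_SELECT_DATA = bytes.fromhex(
    "00 1A 00 00 00 00 00 00 3E 12 00 01 00 D1 01 A6 92 42 4D 8D 00 00 00 00 00 00 00 00")
MODE_SENSE_RETURN_1644 = bytes.fromhex(
    "00 00 00 00 00 01 00 01 01 21 01 21 4D 8D 4D 8D EE 1E EE 1E")

@dataclass
class ModePage:
    mode_data_length: int   # header bytes 0-1, excludes its own two bytes
    block_desc_length: int  # header bytes 6-7
    page_code: int          # low 6 bits of the first page byte
    page_length: int        # page data bytes after the 2-byte page header
    payload: bytes

def parse_cdb(cdb: bytes) -> dict:
    """Decode the fields the log annotates for the two 12-byte packet commands."""
    if cdb[0] == 0x5A:  # MODE SENSE(10): byte 2 = PC|page code, byte 3 = subpage, 7-8 = alloc len
        return {"op": "MODE SENSE(10)", "pc": cdb[2] >> 6, "page_code": cdb[2] & 0x3F,
                "subpage": cdb[3], "alloc_len": int.from_bytes(cdb[7:9], "big")}
    if cdb[0] == 0x55:  # MODE SELECT(10): bytes 7-8 = parameter list length
        return {"op": "MODE SELECT(10)", "param_len": int.from_bytes(cdb[7:9], "big")}
    raise ValueError(f"unhandled opcode {cdb[0]:#04x}")

def parse_mode_params(data: bytes) -> ModePage:
    """Split the 8-byte mode parameter header and one mode page out of a
    MODE SELECT/SENSE(10) parameter list, checking that the lengths agree."""
    mode_data_length = int.from_bytes(data[0:2], "big")
    if mode_data_length + 2 != len(data):
        raise ValueError(f"mode data length {mode_data_length:#x} != {len(data) - 2:#x}")
    block_desc_length = int.from_bytes(data[6:8], "big")
    start = 8 + block_desc_length
    if start + 2 > len(data):
        raise ValueError("no room for a page header after the block descriptors")
    page_code, page_length = data[start] & 0x3F, data[start + 1]
    payload = data[start + 2:start + 2 + page_length]
    if len(payload) != page_length:
        raise ValueError("page length runs past the end of the parameter list")
    return ModePage(mode_data_length, block_desc_length, page_code, page_length, payload)

def is_well_formed(data: bytes) -> bool:
    """False when the length fields disagree; on logged RET data that points at the capture, not the drive."""
    try:
        parse_mode_params(data)
        return True
    except ValueError:
        return False

def words(payload: bytes) -> list:
    """Page data as big-endian 16-bit words, the unit the RET lines seem to repeat."""
    return [int.from_bytes(payload[i:i + 2], "big") for i in range(0, len(payload) - 1, 2)]
```

The 1505 data out parses cleanly (page 3E, 18 bytes of page data), while the 1644 RET fails the header check, which is the kind of line to treat as a capture artefact rather than drive behaviour.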

anita999
« Reply #29 on: December 19, 2005, 12:04:59 AM »
|
Here is the log of a burned DVD. Please note that my LA is not stable while logging the DMA transferred data, so some data words are logged twice or even more. All DMA transmitted data in the 3 logs are for reference only, but the command strings shall be correct.
Doom backup DVD detection (Sample# / command / description):
14    B0 Read HDD SMART
546   A0 PKT CMD 5A Mode Sense: 5A 00 3E 00 00 00 00 00 1C 00 00 00 (page code 3E, subpage code 00, page_0 format required). Ret Status 51 Error
572   A0 PKT CMD 03 Request Sense: 03 00 00 00 12 00 00 00 00 00 00 00 (DESC=0 for fixed format, alloc length = 12h). Return: 06 00 06 00 06 00 06 00 00 0A 00 0A 00 00 00 00 00 00 00 00 00 00 00 00
614   A0 PKT CMD 5A Mode Sense: 5A 00 3E 00 00 00 00 00 1C 00 00 00 (page code 3E, subpage code 00, page_0 format required). RET: 00 00 00 00 00 00 00 00 00 00 00 00 01 00 01 00 00 00 00 00 00 00 00 00 00 00 00 00
660   A0 PKT CMD 25 Read Capacity: 25 00 00 00 00 00 00 00 00 00 00 00. RET: 91 8F 91 8F 08 00 08 00
2093  A0 PKT CMD 28 READ: 28 00 00 00 00 20 00 00 02 00 00 00 (read block #20h, total 2 blocks)
2818  A0 PKT CMD 28 READ: 28 00 00 00 00 22 00 00 02 00 00 00 (read block #22h, total 2 blocks)
4903  A0 PKT CMD 28 READ: 28 00 00 01 FD 90 00 00 02 00 00 00 (read block #1FD90h, total 2 blocks)
4903  A0 PKT CMD 28 READ: 28 00 00 01 FD 92 00 00 02 00 00 00 (read block #1FD92h, total 2 blocks)
      B0 Read HDD SMART

BlueCop
« Reply #30 on: December 19, 2005, 01:29:16 AM »
|
I was comparing the 8050L firmware with GDR-3120L_0047DH; it has a lot of similarities. They have 18,051 equal bytes at the same offsets. Some sections in the 8050L that are all FF FF FF FF are all 99 9B 9F 08 in GDR-3120L_0047DH and vice versa, I believe. I did some searching and saw an interesting post on xbox-scene forums http://forums.xbox-scene.com/index.php?showtopic=325005&st=704
> I'm pretty sure that it is scrambled... Look at the filler... in the DLD we have a sequence of 0x08 0x99 0x9B 0x9F in the plain rom image it's all filled with 0xFF
> The decrypted version has some plain text string embedded (Eg: HL-DT-STDVD-ROM at positions 0x20BA, 0x6000, 0x3c8ac)
At offsets 0x20BA, 0x6000 the hex values are identical between the 8050L and GDR-3120L_0047DH, so they are using the same or similar scramble. Also I noticed lots of 99 9B 9F 08 and 66 64 60 F7 repeating through the file and thought it might just be XORed. So I XORed the whole file with 66 64 60 F7 because that would convert the 99 9B 9F 08 to FF FF FF FF like I thought they should be and the 66 64 60 F7 to 00 00 00 00, which I thought it should be, but then the offsets listed didn't have clear text, so it wasn't just something simple like that. But still I thought I would let you guys know the information about the 8050L firmware and the offsets where clear text would be. I don't know $#!t about scrambling =/ Also I couldn't find info on the decrypted version the poster was speaking of. I read through the thread a while but 60 pages is a lot to sort through. Wish search was working on their forum.
« Last Edit: December 19, 2005, 01:47:12 AM by BlueCop »

anita999
« Reply #31 on: December 19, 2005, 02:17:12 AM »
|
> Also summarizing: it seems it's not going to be too hard to hack this old Samsung firmware to get that 'authentication bit' to 1. If we're not gonna hack the 360's firmware, this thread might at least lead to the development of a firmware to boot backups on the original Xbox without any chip/softmod, hehe. But at the moment I assume we're going to succeed in creating new firmware for both the original Xbox AND the 360: you gotta have ambition.

Totally agree. To reverse engineer/understand the authentication process of the Xbox1 is only half the way. But with this practice, we might get more idea about the Xbox 360 DVD drive and we could also get more ideas about the DVD drive firmware. Eventually we might be able to modify the firmware of the Xbox 360 drive or simply modify a PC DVD drive and put it in the Xbox 360. Good job, Specialist. Please check your message box, I might need your help.

wildje
« Reply #32 on: December 19, 2005, 03:21:17 AM »
|
> I was comparing the 8050L firmware with GDR-3120L_0047DH; it has a lot of similarities. They have 18,051 equal bytes at the same offsets. Some sections in the 8050L that are all FF FF FF FF are all 99 9B 9F 08 in GDR-3120L_0047DH and vice versa, I believe. I did some searching and saw an interesting post on xbox-scene forums http://forums.xbox-scene.com/index.php?showtopic=325005&st=704
> > I'm pretty sure that it is scrambled... Look at the filler... in the DLD we have a sequence of 0x08 0x99 0x9B 0x9F in the plain rom image it's all filled with 0xFF
> > The decrypted version has some plain text string embedded (Eg: HL-DT-STDVD-ROM at positions 0x20BA, 0x6000, 0x3c8ac)
> At offsets 0x20BA, 0x6000 the hex values are identical between the 8050L and GDR-3120L_0047DH, so they are using the same or similar scramble. Also I noticed lots of 99 9B 9F 08 and 66 64 60 F7 repeating through the file and thought it might just be XORed. So I XORed the whole file with 66 64 60 F7 because that would convert the 99 9B 9F 08 to FF FF FF FF like I thought they should be and the 66 64 60 F7 to 00 00 00 00, which I thought it should be, but then the offsets listed didn't have clear text, so it wasn't just something simple like that. But still I thought I would let you guys know the information about the 8050L firmware and the offsets where clear text would be. I don't know $#!t about scrambling =/ Also I couldn't find info on the decrypted version the poster was speaking of. I read through the thread a while but 60 pages is a lot to sort through. Wish search was working on their forum.

Offsets 0x20BA, 0x6000 should contain the same text strings but their data is different. If it was all encrypted with one XOR hash it should have contained the same bytes..

BlueCop
« Reply #34 on: December 19, 2005, 12:58:10 PM »
|
wildje: if the XOR is 32 bit, then the text would have been XORed beginning at different places in those 4 bytes, but that doesn't matter because it wasn't an XOR hash.
« Last Edit: December 19, 2005, 02:00:24 PM by BlueCop »

tser
« Reply #35 on: December 19, 2005, 02:16:21 PM »
|
Comparing the drive's firmware against an almost similar module of a manufacturer will also help searching the way out of the rabbit hole. This plot will work, but life would be easier if somebody with access to a SATA analyzer did some dumping. But it is possible that there has to be done a lot more modifications to the firmware. Maybe we even need to create something like:
[Personal Flash for /Header Storage "X360OVerDrive"] | [ Pc] -> EtherNet-> [Controler-A] || -[ Memory of Dvd drive] -[Controler-B] - DVD Drive|| ----- sata----xbox360 | | [ Flash for Firmware ] ---------------------------------------------/
By a) creating an alternative flash for the DVD control (with a toggler to boot with the original firmware or not), b) adding a second access interface into the DVD's internal memory. If there are external memory chips on it? They might as well have included that into 1 untouchable package. This way we could for example stream the correct "dvd header" response in, from a PC to the personal NIC of controller-A's X360OVerDrive location. The altered firmware will scan the DVD-R itself and locate matching "original" headers in the X360OVerDrive location; the altered firmware will respond with those headers. The rest of the flow will remain the same, unless special header requests are there, then the X360OVerDrive location is touched. This would be a relatively cheap mod (some chips) with only some surgery into the DVD drive and the case, for the ethernet output.
On the other side, some will always say just altering the firmware is enough (but you never know....)

amadeus
« Reply #36 on: December 19, 2005, 02:22:25 PM »
|
Covering the S/N has no effect when the bar codes are not covered. The square pattern is also a bar code, which I think IBM invented for their Aptiva desktop computer series.

BlueCop
« Reply #37 on: December 19, 2005, 03:10:45 PM »
|
The GDR-8163B (which can be reflashed to 8050L for use in the Xbox1) has some firmwares modded by The Dangerous Brothers over at rpc1: http://tdb.rpc1.org/#GDR8163B
I have been comparing original GDR-8163B, modded GDR-8163B, 8050L, and the new 360 dump. I dropped them an email asking for any assistance they are willing to offer (I attached the GDR-3120L_0047DH.BIN, 8050L.bin, and the high res scan of the board). Hopefully they will give me a response. Additionally I found a block diagram of a DVD-ROM using the MN103S89F and the AN22023 at Panasonic's website; I attached a jpeg extracted from the pdf http://www.semicon.panasonic.co.jp/cat/pdf/A000008E02.pdf
Additionally, does anyone know how the Xbox security sectors are used when reading the Xbox media? Quote from http://www.xbox-linux.org/docs/gdfs.html
> Xbox media also appear to have regular 8MB spaces reserved for “security placeholders”. It is hypothesised that these are where Microsoft will place digital signatures for each data area on the disk, thus guaranteeing security from corruption or tampering.
Edit: here is an article on xbox-scene which says:
> After looking around on my xbox dvds, I have discovered that the so called security sectors are a type of "burst-cutting"
http://www.xbox-scene.com/xbox1data/sep/EpEyuVZpFyqxFLLiEC.php and more info here http://www.dvdburning.biz/terms/bca-burst-cutting-area.htm or here http://www.geocities.com/columbiaisa/dvd_specs1.htm#bca
« Last Edit: December 19, 2005, 04:01:51 PM by BlueCop »

jefferystone
« Reply #38 on: December 19, 2005, 04:01:43 PM »
|
In the old forum posts, someone (can't remember for the life of me) posted information on this challenge/response that would "unlock" the DVD drive. AFAIR it seemed that this information was discussed a bit, but wasn't useful once modchips were a reality. I remember that a certain sequence of bytes could be sent to "unlock" the DVD drive, but each game had its own sequence that had to be sent. I also remember that the poster (I wish I could remember the name) voluntarily stopped pursuing this, stating it may lead to piracy efforts.
If the old forum posts could be "resurrected", this may help; although I feel that the information in the current posts is more detailed.
Sincerely,
Jeffery Stone

BlueCop
« Reply #39 on: December 19, 2005, 04:04:21 PM »
|
I have an old xbe that was used by some developers to read retail discs in XDKs. It essentially sent the commands to the drive for you. This was before the modified XDK BIOSes came out which used the routines from the retail BIOS to unlock the discs. It would be illegal to distribute it though.
It is called xboxloader.xbe, it is 126KB and would unlock a DVD drive in an XDK to read a retail disc by sending the correct commands.
« Last Edit: December 19, 2005, 04:10:30 PM by BlueCop »