XboxHacker BBS
 
Author Topic: hacking DVD firmware ?  (Read 481709 times)
MacDennis
« Reply #240 on: December 26, 2005, 08:08:04 AM »

I did some more digging.
ATA/ATAPI commands (for communicating with the DVD-drive) are derived from the SCSI Primary Commands (SPC-3):
http://www.t10.org/ftp/t10/drafts/spc3/spc3r23.pdf

SCSI Architecture Model (SAM-4) is explained in this document:
http://www.t10.org/ftp/t10/drafts/sam4/sam4r04.pdf
It explains the control byte on page 55. Some bits are vendor specific/reserved and some are standard.

Another standard is the SCSI Block Command (SBC-3) which is explained in this document:
http://www.t10.org/ftp/t10/drafts/sbc3/sbc3r03.pdf
Page 1 explains the relationship between these three standards.

And the SCSI Multimedia Command (SMC-3) standard sits on top of these standards.
http://www.t10.org/ftp/t10/drafts/mmc3/mmc3r10g.pdf
"This standard defines the SCSI command set extensions to access multimedia features for all
classes of SCSI devices. The applicable clauses of this standard when used in conjunction with the
SCSI Primary Commands specification, SCSI Block Commands, and other applicable command set
documents pertaining to the subject device class, define the full standard set of commands available
for that device in the SCSI environment."
« Last Edit: December 26, 2005, 08:36:00 AM by MacDennis »
anita999
« Reply #241 on: December 27, 2005, 12:49:32 AM »

Hi, Specialist:
I also noticed the double logged word in my LA log data and that's the reason why I suspected my LA didn't work correctly. The main reason is that the xbox1 uses PIO mode to send out ATA commands, but DMA mode to send out the ATAPI cmd block and the transmit/receive data section. The PIO and DMA use different clock references, four in total. It's a little bit difficult to set up the correct trigger. Also there are some data transmission errors during the log process, so the DRIVE tends to resend the data again, I think that's probably the root cause of the double log. Anyway, if anyone has access to an ATA/SATA protocol analyzer that would be great. I know there are solutions called BusDoctor. But it's not cheap.
TheSpecialist
« Reply #242 on: December 27, 2005, 02:48:41 AM »

Hehe, don't mind Anita999, your log was very useful. I've made some good progress tonight, I successfully dumped the control data block and wrote a decryptor for it and ... it works! YESSS!!! Hehe. Was a *hell* of a job to get everything working, it's 8:47 AM in the morning here Smiley I'm going to bed now, later Smiley
« Last Edit: December 27, 2005, 02:51:42 AM by TheSpecialist »
anita999
« Reply #243 on: December 27, 2005, 07:08:51 AM »

Well, that means we have done one of our actions, to fully reverse engineer the xbox1 kernel DVD drive access routine. And now we also have meaningful input regarding how this procedure works on the DVD drive side. Thanks to everyone who contributed their efforts. The next step shall be gathering the MN103S controller info and reverse engineering the firmware. And moreover, to log the SATA activities in the xbox 360 while it is accessing the DVD drive. Hopefully MS uses a similar scheme in this new system, then we could probably modify the DVD drive firmware to do more things.
Good job, Specialist.
tser
« Reply #244 on: December 27, 2005, 08:04:26 AM »

On to some bad news:

The emulator seems to be continuously checking whether or not an xbe is supported. For example, in Fuzion Frenzy, you cannot launch the "game demos" (that would have been a great entry point, to launch another non-game MS-signed .xbe)

After launching the demos it tells you that version 1.2 does not support that.

So the emulator really has a closed list of things it is allowed to do, even inside a game.
---
But then of course... who wants to be in the emulator anyway Smiley

TheSpecialist
« Reply #245 on: December 27, 2005, 10:41:47 AM »

I was too tired this morning to write a routine that tries to 'unlock' the drive by sending the mode sense/select sequences based on the decrypted challenge response table, hehe. However, I just tried it and everything works like a charm Smiley

Before unlocking, reading block 20 from disc would result:

00000000 01 00 02 00 5B 00 00 00 E4 63 F0 01 20 00 00 00 ....[....c.. ...
00000010 00 00 00 00 00 00 00 00 08 53 45 50 31 33 30 31 .........SEP1301
00000020 31 30 34 32 30 37 32 00 00 00 00 00 00 00 00 00 1042072.........

After unlocking, the exact same operation results:

00000000 4D 49 43 52 4F 53 4F 46 54 2A 58 42 4F 58 2A 4D MICROSOFT*XBOX*M
00000010 45 44 49 41 B4 1E 1A 00 CC 01 00 00 C0 D0 E8 7A EDIA...........z

And after unlocking you can read all sectors on the disk and dump them. However, Windows Explorer still shows the video partition, this is probably due to the fact that Explorer assumes the 'old' info is still correct (and it uses cached info). However, if you want to access files, just write your own 'disc explorer', by reading the TOC from disk, or use an explorer that does this.

I won't release the unlock tool today, some changes have to be made (there's no error handling at *all* for example, hehe), but I think I'll release it next week.

Anyway, we still have a long way to go, but we're a step further in the process now Smiley Where team PI 'unlocks' the drive by just patching the disc size in the drive's memory, this tool unlocks the drive in the exact same way as the xbox does and understanding that process was an important step in this hacking adventure Smiley

I would like to thank all the people contributing to the thread and especially Anita999, Bluecop, loser, MacDennis, swolsten and Takires, who all helped a lot: I would not have been able to write this unlock tool without their input.
« Last Edit: December 27, 2005, 12:57:05 PM by TheSpecialist »
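The two reads of block 20 quoted in the post above show the structure a home-made 'disc explorer' has to recognise before it can read the game partition. As an added example (not the author's unlocker and not code from this thread), the Python below parses the hex-dump lines exactly as posted and decodes the volume descriptor from the unlocked read; the descriptor layout it assumes (20-byte magic, then root-directory sector and size as little-endian 32-bit values, then a FILETIME) comes from public XDVDFS documentation and is not stated in the post.

```python
import struct

# Hex-dump lines copied from the post: block 0x20 read before and after the
# unlock. Only the hex columns are used; the ASCII column is ignored.
LOCKED_DUMP = """\
00000000 01 00 02 00 5B 00 00 00 E4 63 F0 01 20 00 00 00 ....[....c.. ...
00000010 00 00 00 00 00 00 00 00 08 53 45 50 31 33 30 31 .........SEP1301
00000020 31 30 34 32 30 37 32 00 00 00 00 00 00 00 00 00 1042072........."""

UNLOCKED_DUMP = """\
00000000 4D 49 43 52 4F 53 4F 46 54 2A 58 42 4F 58 2A 4D MICROSOFT*XBOX*M
00000010 45 44 49 41 B4 1E 1A 00 CC 01 00 00 C0 D0 E8 7A EDIA...........z"""

XDVDFS_MAGIC = b"MICROSOFT*XBOX*MEDIA"   # 20-byte magic at offset 0 (assumed layout)
SECTOR_SIZE = 2048                        # DVD logical sector size


def parse_hexdump(text):
    """Turn '<offset> xx xx ... <ascii>' lines back into bytes (16 bytes per line)."""
    out = bytearray()
    for line in text.splitlines():
        fields = line.split()
        # fields[0] is the offset column; fields[1:17] are the 16 hex bytes
        out += bytes(int(h, 16) for h in fields[1:17])
    return bytes(out)


def parse_volume_descriptor(sector):
    """Decode an XDVDFS volume descriptor.

    Assumed layout (public XDVDFS docs, not from the post): offset 0 = magic,
    offset 20 = root directory sector (u32 LE), offset 24 = root directory
    size in bytes (u32 LE), offset 28 = FILETIME. Returns None when the
    sector does not carry the magic, i.e. the drive is still presenting the
    video-partition view.
    """
    if len(sector) < 28 or sector[:20] != XDVDFS_MAGIC:
        return None
    root_sector, root_size = struct.unpack_from("<II", sector, 20)
    return {
        "root_dir_sector": root_sector,
        "root_dir_size": root_size,
        "root_dir_offset": root_sector * SECTOR_SIZE,  # byte offset on the disc
    }


def is_game_partition_view(sector):
    """True if the block looks like the XDVDFS descriptor, False for the locked view."""
    return parse_volume_descriptor(sector) is not None


if __name__ == "__main__":
    for name, dump in (("locked", LOCKED_DUMP), ("unlocked", UNLOCKED_DUMP)):
        print(name, parse_volume_descriptor(parse_hexdump(dump)))
```

With the bytes from the post, the locked read yields None and the unlocked read gives root directory sector 0x1A1EB4 with a 0x1CC-byte root directory.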
SiliconIce
« Reply #246 on: December 27, 2005, 12:17:55 PM »

I have pruned some off-topic posts from this thread - some were "chatter", and there are other threads on the other topics (or please feel free to start new threads).

Newbies are welcome to read and learn, but please refrain from posting chatter. We all appreciate the work being done, let's not interrupt the flow. Chat discussion is welcome in the "General" section of the forums.

Thanks!

-- SiliconIce
MacDennis
« Reply #247 on: December 27, 2005, 01:15:18 PM »

The BCA is located on the inner ring of the XBOX1 disc, picture:
http://www.elektronik-kompendium.de/sites/com/fotos/05071711.jpg

I assume it's the area with the visible barcode.

What happens when we put a sticker / black marker on the barcode to hide this area from the XBOX1 drive?
Answer: nothing, the disc boots normally
Crosseye
« Reply #248 on: December 27, 2005, 01:58:42 PM »

You guys might find the demo released by PI as useful in checking into the way the DVD drive responds. Seeing as how there's no media flag or signature, I'd think you would have more room to play around and see the responses from the drive. I don't feel the demo in itself will be anything super, but I feel it would work much better for your testing.

By the way, excellent work you guys have done. This is useful stuff and could actually go somewhere far and beyond the other stupid hype going round. Good job guys!  Grin

EDIT: It appears as though PI may have made a mistake. Logic should have caught this, but I cannot confirm just yet. Retail 360s cannot run unsigned code of any type. This would therefore have to be signed, unlike what PI has stated. There is no media flag, which allows it to be burned to any media and play.
« Last Edit: December 27, 2005, 02:56:27 PM by Crosseye »
Phantasm
« Reply #249 on: December 27, 2005, 03:41:22 PM »

I believe they said that the data files are unsigned, but the xex is signed.

It would be a huge flaw if there was a way to get the 360 to run unsigned xex's

Still it might be possible to make some kind of exploit by manipulating the data files (unfortunately though the hypervisor would probably rule out a buffer overrun attack).
Crosseye
« Reply #250 on: December 27, 2005, 04:14:26 PM »

You are correct, Phantasm, they did say the data files, so no mistake. That'll teach me not to go back and read lol. Back to the firmware though, this disc could still be useful to you guys as you may be able to mess with it a little to see how the drive reacts.
TheSpecialist
« Reply #251 on: December 27, 2005, 08:28:10 PM »

Here's the unlocker (for XBOX 1). It's currently a VERY user unfriendly and ugly program and to make things worse, it hasn't really been tested so it's probably very buggy too hehe, but a better version will follow Smiley

www.barendb.herejezus.nl/zooi/unlockerv01.exe

Attach your xbox DVD player to your PC (I use power from the XBOX, only connected the IDE cable to my PC), insert an original XBOX game disc and run this thing. It should unlock the drive and you can read/dump the complete game partition! Like said before, Windows Explorer will still show the video partition because it uses cached data, but you can read the complete disk now (use DVDinfopro for example to read a block at some address > 2000, before and after unlocking).

I will add an option to dump the decrypted table and both the encrypted and unencrypted complete command data block in the next version.

Since I have only 1 xbox game disk (hehe), I could not really test it, so I'd like to hear if it works for other games (it should of course).

Note: this works at least for the Samsung SDG605B drive. For this program to work, windows has to be able to see your drive (so you should be able to browse the video partition). I heard from some people that windows doesn't recognize the Philips for example, if this is true, then this program will not work.

I hope someone with a Samsung drive and some original games can test this thing Smiley
« Last Edit: December 27, 2005, 08:46:29 PM by TheSpecialist »
SiliconIce
« Reply #252 on: December 27, 2005, 09:39:00 PM »

Given the rather technical audience, it might benefit people more if you released the source code as well.

Indeed :-)

If anyone ever has code or data they would like posted/hosted/linked permanently, please let me know, I would be happy to oblige. I can add it to the "links" or "articles" sections. Eventually, we will have "downloads" as well.

-- SiliconIce
parasven
« Reply #253 on: December 27, 2005, 11:42:09 PM »

I just tested ur little unlocker there and it works. I made an ISO of Halo 1 PAL version with CloneCD. It took 1h O_O but you can load that ISO with UltraISO and see all the data it contains. I'll test another game later but for now I'll go to bed ...


Btw. I also have a Samsung DVD drive
TheSpecialist
« Reply #254 on: December 27, 2005, 11:44:01 PM »

Quote
I just tested ur little unlocker there and it works i made an iso of Halo1 pal version with clone cd
Hehe, good to hear Smiley

Quote
Given the rather technical audience, it might benefit people more if you released the source code as well.

I agree. Maybe the source code can function as input for others in this great hacking adventure Smiley I'll post the sourcecode soon, I have to clean it up first, it's currently one big mess Smiley
parasven
« Reply #255 on: December 28, 2005, 08:20:38 AM »

I just tested another game (Sega GT 2002/JSRF multi disk) and it works with no error or something. Now we should make this nice little program work with xbox360 games Tongue


Very nice work here keep it going TheSpecialist Smiley
ChaosBoy
« Reply #256 on: December 28, 2005, 10:35:38 AM »

@TheSpecialist

When you read the xbox1 DVD with your unlocker, is it possible to burn this ISO so u can play this game with the emulator on the xbox360?

Thnxx 4 @all the work.

Greets
ChaosBoy
MacDennis
« Reply #257 on: December 28, 2005, 10:41:30 AM »

Quote
when you read the xbox1 dvd with your unlocker, its possible to burn this iso so u can play this game with the emulator on the xbox360?

No. It's a 1:1 dump. The XBE still has the same signature. You can't change the XBE and this XBE probably tells the xbox / xbox360 that it's only allowed to run from a DVD-ROM. The xbox360 could also check that each xbox1 XBE is actually stored on a DVD-ROM.
« Last Edit: December 28, 2005, 10:46:30 AM by MacDennis »
TheSpecialist
« Reply #258 on: December 28, 2005, 12:03:56 PM »

Quote
can the unlocked xbox1 dvd drive be used to rip xbox360 disks?

No. Not yet at least Smiley I'm still waiting on my 360 Smiley This thing was done mainly to see if we completely understood the process. This is important, since the 360's authentication process will probably be based on this procedure.

We now completely understand the authentication process on the kernel side. I'm a bit busy with some other things the next few days, but I'll release the sourcecode with a very complete documentation, so it can function as a kind of 'summary' of the knowledge we acquired about the way the authentication process (and the unlocking, which is the same process) works on the XBOX 1.

Now, it's about time to move on to the 360, that's where the fun really starts Smiley I heard that the 360 drive doesn't get recognized by Windows?
Quote
i tried it with condemned but the unlocker gives me an error
Do you see the drive in windows ? Can you browse the video partition ? What error does the unlocker give ?

Like I said, the authentication process of the xbox 1 kernel is now fully documented. However, the drive firmware still has some secrets and the main secret is: how exactly does the drive calculate the responses ?

Furthermore, there's something that really might be an edge in all this. Think of it. After unlocking the drive, the 'structure' of the disk as seen by the xbox is completely different. Reading sector 20 for example yields different info, before and after the unlock, while it's of course still the same disc in the drive Wink This means the drive does some kind of 'remapping' of the data and presents some other 'disc structure' to the xbox than the 'real' disc structure and that is just EXACTLY what we need!! So, hopefully, we can use these routines to emulate any disk 'structure' to the xbox! Like for example, we could rip the command data block, save it to some sector and then use this process to 'remap' it to the sector the 360 thinks it should be on. This way we can make it look like the disc is exactly the same as the original, so that even XBE checks will pass successfully.

Has anybody with a LA already dumped some traffic on the 360 ?

One last thing: there are some really good posts in this thread about the drive's side of the process. For example the post on page 9 by Takires, explaining the unlocking process on the drive's side. I hope people like him (and all the others, almost every post in this thread was VERY useful), will keep contributing to this thread with their brilliant work. I hope this thread becomes a collection of all the information that's useful for this hacking process. And again, I want to thank everybody for contributing.

Like I said, i'm quite busy the next few days with some other things. Everybody keep up the good work ! Smiley
« Last Edit: December 28, 2005, 01:00:26 PM by TheSpecialist »
andele
« Reply #259 on: December 28, 2005, 01:06:51 PM »

@ Specialist...
Hey... I was just wondering.. (and I'm sure this question will be moved by SiliconIce to the "Idiot-section") Wink ...is it not possible to do an exact image of the 360 games once we've cracked the problem with the dumping of original games? I mean... 1's and 0's.. if a certain data is at an exact place on the original DVD, then why couldn't we place it at an exact place on a copy of the original disc? Huh Hmm.. let me rephrase that question... is it so hard to place all the ones and zeroes at the same place on a backup?

I.e.: If an exact replica of the original game is placed in the 360 drive, all the code is exactly as it was before? Therefore, how could the 360 know it's a copy?
This has probably already been asked earlier in this thread.. but.. alas.. I still need to practice my English... so.. Wink

You and your friends in here are doing a great job! I just wish I could contribute in any way... hmm.. hey... I could give you my 360 Premium!  Shocked But on the other hand... I had to haul my ass all over Sweden just to get THIS one.. Cool
Keep up the good work!