hacking DVD firmware ?

[reise]

At last my first post!

I can't to that because the drive reports the kind of media to the box and the xbe is signed only to a certain media. So if you do that you'll have a xbe signed for DVD-ROM in a DVD-R media.
I think I didn't say anything wrong.

Keep the good work, I love this things on hacking, even if I can't contribute to the thread.

[TheSpecialist]

@ Specialist...
Hey... I was just wondering..(and I'm sure this questiuon will be moved by SiliconIce to the "Idiot-section")  ...is it not possible to do an exact image of the 360 games once we've cracked the problem with the dumping of original games? I mean... 1's ans 0's.. if a a certain data is at an exact place on the original DVD, then why couldn't we place it at an exact place on a copy of the original disc?    Hmm.. let me rephrase that question... is it so hard to pace all the ones and zeroes at the same place on a backup?

This is in fact a good question. There seem to be some parts on a disc that are not writable with a standard dvd burner (BCA ? don't know about that section). Some parts can (I think) be written to (I mean, own data of course) with a burner with modded firmware (like lead in/lead out). But there'll be still physical differences between a DVD-ROM and a burned disc. I hope someone could elaborate on the exact differences, all I can say is that there are some When they developed the DVD +/- R standard they made sure that a 100% exact copy would not be possible.

Furthemore, it seems that there's 'data' on the disc that a normal writer can't burn, like the 'ring' on xbox 360 dvd's. Again, if someone know the reason why a burner can't do this -> would be interesting to hear

[parasven]

can the unlocked xbox1 dvd drive be used to rip xbox360 disks?

Now, it's about time to move on to the 360, tha'ts were the fun really starts I heard that the 360 drive doesn't get recognized by windows ?

i tried it with condemned but the unlocker gives me an error

Do you see the drive in windows ? Can you browse the video partition ? What error does the unlocker give ?

all the iso i have made were made with my xbox1 samsung drive. I insert the 360 game in that drive and i could browse the video partion but when u hit unlock in your little program an error appears(i didnt expect it to work but is was curious).

[QuiescentWonder]

I'm not sure about this, but somewhere I read (I think in this thread) that burning software can be modified (and has on occasion) to write a different media type to the disc so readers think it's a DVD-ROM or whatever other kind of media you want it to be. If we can make a 1:1 backup of a disc and write a fake DVD-ROM media type then couldn't we run software signed for DVD-ROM even with with all the media checks and possible XEX specific disc checks? I'm not really sure what I'm talking about so I'm trying to just observe the conversation but this seemed worth throwing in there.

If someone is actually going to modify the firmware maybe some sort of standard should be set before hand if it requires specific different things to happen. I can just see different versions of firmware out there being able to run certain ISOs from groups but then another firmware only running certain other ISOs.

Say we can place everything in exactly the same place on the disc except the Challenge/Response table. So throw the Challenge Response table and/or the other data we can't write to a normal disc way out there at some specific point on the disc towards the end which will always be the same. If the DVD-Drive doesn't find the table and/or data at the beginning of the disc where it's supposed to be, check at that specific point we put it at. If it's found in the second place do the procedure as it normally would be handled except spoof the DVD+/-R to DVD-ROM. This way a DVD+/-R standard for 360 can be set.

Yes, I realize I'm looking way ahead and do understand that it's propably going to be an excruciating task but I've been reading all the posts and ideas keep building up in my head. I'm sorry if any of this isn't possible and I'm just ignorant of certain aspects of this but I've been trying to keep up with it all along.

[TheSpecialist]

all the iso i have made were made with my xbox1 samsung drive. I insert the 360 game in that drive and i could browse the video partion but when u hit unlock in your little program an error appears(i didnt expect it to work but is was curious).

Ah, ok, you used the xbox 1 drive, i had hoped you used the 360's drive. It heard that it doesn't get detected by windows. But maybe we can dump the disc with the xbox 1 drive.

[TheSpecialist]

I'm not sure about this, but somewhere I read (I think in this thread) that burning software can be modified (and has on occasion) to write a different media type to the disc so readers think it's a DVD-ROM or whatever other kind of media you want it to be.

The media type can indeed be changed to DVD-ROM, for DVD+R media (not for DVD-R). The media type is called 'disc category' (= book type) and is specified in the 'DVD layer descriptor" section that is part of the lead-in. This gets checked by the xbox, but only is a small part of the authentication process.

If we can make a 1:1 backup of a disc and write a fake DVD-ROM media type then couldn't we run software signed for DVD-ROM even with with all the media checks and possible XEX specific disc checks? I'm not really sure what I'm talking about so I'm trying to just observe the conversation but this seemed worth throwing in there.

100% exact copies are not possible. Like i just posted, hope someone can elaborate on this.

Say we can place everything in exactly the same place on the disc except the Challenge/Response table.

Maybe there's more that we can't place on the exact same location.

[MacDennis]

Hey... I was just wondering..(and I'm sure this questiuon will be moved by SiliconIce to the "Idiot-section")  ...is it not possible to do an exact image of the 360 games once we've cracked the problem with the dumping of original games? I mean... 1's ans 0's.. if a a certain data is at an exact place on the original DVD, then why couldn't we place it at an exact place on a copy of the original disc?    Hmm.. let me rephrase that question... is it so hard to pace all the ones and zeroes at the same place on a backup?

I.e: If an exact replica of the original game is placed in the 360:drive, all the code is exactly as it was before? Therefore, how could the 360 know it's a copy?
This has problably already been asked earlier in this thread.. but.. alas.. I still need to practice my English...so.. 

Forget about the idea that you can make a 1:1 replica of a DVD-ROM disc tot DVD-R, even if you have access to the complete structure / data of a XBOX / XBOX360 disc, you simply can't! DVD-ROM discs can contain data written by special machinery at a replication plant which can't be written to a normal DVD-R. Fact. A really simple example, the BCA. You can see it, some DVD-ROM drives can read it but can you write a BCA yourself to a DVD-R? No, you can't. Read this thread for more info about the BCA.

Besides that, the DVD drive can report to the host that you inserted a DVD-ROM or a DVD-R and take action accordingly. As far as I know, a DVD-R already contains the media type / book type on the disc when you buy it which tells a DVD drive that it's a DVD-R. This is read-only. Should be the same story for a DVD-ROM. A program like DVDInfoPro can read this information.

People first need a good understanding about the XBOX1 authentication before it's even worthwile to start messing with the XBOX360.

[TheSpecialist]

Forget about the idea that you can make a 1:1 replica of a DVD-ROM disc tot DVD-R, even if you have access to the complete structure / data of a XBOX / XBOX360 disc, you simply can't! DVD-ROM discs can contain data written by special machinery at a replication plant which can't be written to a normal DVD-R. Fact. A really simple example, the BCA. You can see it, some DVD-ROM drives can read it but can you write a BCA yourself to a DVD-R? No, you can't. Read this thread for more info about the BCA.

BCA is one section that is not writable. Are there more differences between a DVDR and a DVD-ROM ?

Besides that, the DVD drive can report to the host that you inserted a DVD-ROM or a DVD-R and take action accordingly. As far as I know, a DVD-R already contains the media type / book type on the disc when you buy it which tells a DVD drive that it's a DVD-R. This is read-only. Should be the same story for a DVD-ROM. A program like DVDInfoPro can read this information.

It's in the leadin and can be changed with most burners.

[smo]

Good information about the writeability of different sections on the Google Answers thread linked earlier by tser:
http://answers.google.com/answers/threadview?id=348912

If I have any spare moments in the next few days and unless someone does it first, I'll port TheSpecialist's disc dumper application to Linux (either as an userland or maybe a kernel patch, so discs get automatically authenticated, that would be nice). It's probably much more easier to start trying to get the Xbox 360 DVD drive visible on Linux than trying to make Windows see it.

[TheSpecialist]

BTW, most of the answers about the physical differences between discs can be found in the FW. It's all in the section that calculates the responses, because that's the 'real' authentication part. The drive will probably read the 'security placeholders' that are probably placed in the BCA section.

The Philips FW is much easier to reverse engineer than the samsung (in my opinion), I think that the samsung's FW was coded in C and the Philips in ASM. I'll try to look into this and see if I can find the specific routine that calculates the responses.

[smo]

BTW, most of the answers about the physical differences between discs can be found in the FW. It's all in the section that calculates the responses, because that's the 'real' authentication part. The drive will probably read the 'security placeholders' that are probably placed in the BCA section.

Isn't BCA = Bar-Code Area? I think it was posted earlier that it doesn't prevent games from working if you place stickers over it. Somewhere it was mentioned that Gamecube used this area, but I don't think that's correct. Gamecube's "bar codes" are "burned" on the actual data area.

[MacDennis]

Besides that, the DVD drive can report to the host that you inserted a DVD-ROM or a DVD-R and take action accordingly. As far as I know, a DVD-R already contains the media type / book type on the disc when you buy it which tells a DVD drive that it's a DVD-R. This is read-only. Should be the same story for a DVD-ROM. A program like DVDInfoPro can read this information.

It's in the leadin and can be changed with most burners.

Start DVDInfoPro, and let it read the media info.

Info returned for an original XBOX1 disc:
Media code/Manufacturer ID                                N/A Pressed DVD
Book Type                                                         DVD-ROM
Media Type                                                        DVD-ROM

Info returned for a DVD-R
Drive doesn't support media code
Book Type                                                           DVD-R
Media Type                                                          DVD-R

More info: http://www.netfarer.com/forums/index.php?showtopic=8
Seems that you can change the book type but not the media type ..

[TheSpecialist]

Besides that, the DVD drive can report to the host that you inserted a DVD-ROM or a DVD-R and take action accordingly. As far as I know, a DVD-R already contains the media type / book type on the disc when you buy it which tells a DVD drive that it's a DVD-R. This is read-only. Should be the same story for a DVD-ROM. A program like DVDInfoPro can read this information.

It's in the leadin and can be changed with most burners.

Start DVDInfoPro, and let it read the media info.

Info returned for an original XBOX1 disc:
Media code/Manufacturer ID                                N/A Pressed DVD
Book Type                                                         DVD-ROM
Media Type                                                        DVD-ROM

Info returned for a DVD-R
Drive doesn't support media code
Book Type                                                           DVD-R
Media Type                                                          DVD-R

More info: http://www.netfarer.com/forums/index.php?showtopic=8
Seems that you can change the book type but not the media type ..

It can only be changed for DVD+R media. There are FW patches for specific burners out there that change the media type to 'DVD-ROM' automatically when you burn a DVD+R, but there is also software that can do this for specific burners

[MacDennis]

BTW, most of the answers about the physical differences between discs can be found in the FW. It's all in the section that calculates the responses, because that's the 'real' authentication part. The drive will probably read the 'security placeholders' that are probably placed in the BCA section.

Well, if the BCA (bar code area) is the same as the clearly visibile bar code area in the inner ring, then the drive doesn't use it for authentication. Use some black marker on a XBOX1 dvd-rom and you will see.

About the gamecube BCA, read more about it here, scroll down a bit: http://forums.afterdawn.com/thread_view.cfm/24/61273
It seems that is 'bar code' is not the same as the visible bar code, I don't have a gamecube to test.

There's another part of a DVD disc which you can't write to but could contain data. ECC bytes! Each sector contains an error correction block. This block could hold real data when burned with special burning machinery. These sectors become 'bad sectors' but a custom DVD firmware could in theory threat this ECC block as actual data. Well, even as 'security placeholders' maybe ..

Taken from: http://www.gearsoftware.com/support/documentation/glossary.cfm
ECC: "The system that is used to add data to a digital signal in order to allow playback errors that are detected by the Error Detection Code (EDC) to be corrected. DVDs use Reed-Solomon Product Code (RS-PC) for the ECC. For each data sector containing 2048 bytes, 302 bytes of ECC are added. On playback and decoding of the ECC, within the capability of the code, errors are repaired and the original data is recovered perfectly. If the rate or size of the errors is too great, the Error Correction Code will not have sufficient data to repair the error, resulting in an uncorrectable error. On DVDs corrected errors are known as PI errors and uncorrected errors are known as PO fails."

A standard burner will always write the correct ECC, so you can't write real data in the ECC.

[MacDennis]

It can only be changed for DVD+R media. There are FW patches for specific burners out there that change the media type to 'DVD-ROM' automatically when you burn a DVD+R, but there is also software that can do this for specific burners

Aren't we confusing 'book type' with 'media type'? I'm under the impression that you can change the book type (some burning software offer this option) and that you can't change the 'media type'. You can set a DVD+R to a 'DVD-ROM' book-type and leave the media-type to 'DVD+R' so they should be two different things right? All the information I have read and the software which supports it talks about the book-type.

[Nayr]

Anita9999:  or anyone

What signals on a parallel ide bus are best to trigger captures with?

I'm thinking that triggering on transitions of DIOR or DIOW should work.

[TheSpecialist]

Aren't we confusing 'book type' with 'media type'? I'm under the impression that you can change the book type (some burning software offer this option) and that you can't change the 'media type'. You can set a DVD+R to a 'DVD-ROM' book-type and leave the media-type to 'DVD+R' so they should be two different things right? All the information I have read and the software which supports it talks about the book-type.

You're right.

There's another part of a DVD disc which you can't write to but could contain data. ECC bytes! Each sector contains an error correction block. This block could hold real data when burned with special burning machinery. These sectors become 'bad sectors' but a custom DVD firmware could in theory threat this ECC block as actual data. Well, even as 'security placeholders' maybe ..

Interesting ! Well, there's only one way to find out for sure: reverse engineering the FW. In the Philips FW I already found all the routines that do the 'state changing' and the routines that handle the mode select/mode sense part, hopefully it shouldn't be too hard to find the response calculation part.

[cja100]

ok i can see the video partition and unlocking the drive works but when i try dvd decrypter this happens

I 20:17:07 DVD Decrypter Version 3.5.4.0 started!
I 20:17:07 Microsoft Windows XP Media Center Edition (5.1, Build 2600 : Service Pack 2)
I 20:17:07 Initialising SPTI...
I 20:17:07 Searching for SCSI / ATAPI devices...
I 20:17:07 Found 2 DVD-ROMs!
E 20:17:08 [0:3:0] SAMSUNG DVD-ROM SDG-605B x010 (D:) (ATA) - UDF File System Parsing Failed!
E 20:17:08 Reason: Function 'UDFFindPartition' returned 0

from unlocker.

Read capacity io succesful. Returned data ->
00 34 5B 5F 00 00 08 00 - 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
Mode sense io succesful. Returned data ->
00 1A 00 00 00 00 00 00 - 3E 12 01 01 01 D1 01 55
99 A5 72 DF 7F 28 B4 74 - 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
Read DVD structure IO succesful. Returned data (only first few bytes) ->
06 64 00 00 D1 0F 31 10 - 00 06 06 00 00 F9 F9 FF
00 20 33 AF 00 00 00 00 - 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
Decryption of challenge responsetable seems to be succesful !
Number of entries in challenge responste table = 23
Mode select IO succesful
Mode sense io succesful. Returned data ->
00 1A 00 00 00 00 00 00 - 3E 12 01 01 01 D1 01 C0
99 A5 72 DF 65 2D B6 F0 - 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
Mode select IO succesful
Mode sense io succesful. Returned data ->
00 1A 00 00 00 00 00 00 - 3E 12 01 01 01 D1 01 55
99 A5 72 DF 7F 28 B4 74 - 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
Mode select IO succesful
Mode sense io succesful. Returned data ->
00 1A 00 00 00 00 00 00 - 3E 12 01 01 01 D1 01 55
99 A5 72 DF 7F 28 B4 74 - 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
Read capacity io succesful. Returned data ->
00 34 5B 5F 00 00 08 00 - 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00

Reported capacity bigger than standard xbox video partition. Unlocking seems to be succesful !

[Pec]

Has anyone tried to hook the dvd drive to a sata -> ide converter, and then vice versa with an ide -> sata? I'd like to try that, sniffing the data over the parallel port will be much easier. Furthermore, i think it could be possible to emulate the whole dvd drive.... Hmm, whats the frequency on a pata port? I think 33mhz and 32 bits wide. If theres a handshaking, it wouldn't matter how fast the emulation is... You could possibly mount an iso on your win/linux box, and "feed" die virtual drive with the data the xbox requests.....

[TheSpecialist]

Read capacity io succesful. Returned data ->
00 34 5B 5F 00 00 08 00 - 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00

capacity $345B5F,  that's the xbox game partition length, (the video partition is only about $1300 long ) unlocking has surely been succesful. I don't know why your dvddecryptor screws up. Does it work correctly before unlocking ? I haven't tried dvddecryptor, but it seems that it's using cached data and that's why it won't work. Did you start it up before unlocking the disc ? You should first unlock the disc and then start the dumping software.

You can use dvdinfopro instead (or some other software or write some routines yourself to dump the disc: use deviceiocontrol and the ATAPI read command)