hacking DVD firmware ?

[svenhag]

Nice work everyone.

next step shall be gathering the MN103S controller info and reverse engineer the firmware.

I've actually been looking at this for a while now and I have to admit that I haven't really 'found the flow' yet. I've been able to reverse some routines but I can't say that it has made me understand much more.

I also don't know where the reset or interrupt vector is at. The stuff att 0x00000000 doesn't make sense.

Anyway, there are three code parts in the file as I see it. The first one starts at offset 0x20, the second one at 0x1000 and the third one at 0x6040. The first part seems to be setting up some tables and finally reach this

(The firmware is for the GDR-3120L_0047DH drive.)

Code:

//
// branch to 0x400000bc (jmp to 0x40006040) if (0x9003e7fc) == 0
//
40000090: fc dc fc e7 mov -1878792196,a0 // 0x9003e7fc
40000094: 03 90
40000096: 70          mov (a0),d0
40000097: a0 00        cmp 0,d0
40000099: c8 23        beq 0x400000bc


//
// compute the sum of all dwords from 0x90006000 to 0x9003e800
//
// if the sum of all dwords is 0 then jump to 0x40006040 and if
// it's not 0 jump to 0x40001000 (after enabling interupts)
//
4000009b: fc dc 00 60 mov -1879023616,a0 // 0x90006000
4000009f: 00 90
400000a1: fc dd 00 e8 mov -1878792192,a1 // 0x9003e800
400000a5: 03 90
400000a7: 85 00        mov 0,d1
400000a9: 70          mov (a0),d0
400000aa: e1          add d0,d1
400000ab: 50          inc4 a0
400000ac: b4          cmp a1,a0
400000ad: c4 fc        bcs 0x400000a9
400000af: a5 00        cmp 0,d1
400000b1: c8 0b        beq 0x400000bc
400000b3: fa fd 00 0f or 3840,psw // IE=1 IM=111
400000b7: cb          nop
400000b8: cb          nop
400000b9: cc 47 0f    jmp 0x40001000
400000bc: fa fd 00 0f or 3840,psw // IE=1 IM=111
400000c0: cb          nop
400000c1: cb          nop
400000c2: cc 7e 5f    jmp 0x40006040

When the second part (0x1000) is reached, I think that it finally comes to some kind of main loop at 0x108a to 0x10e1.

The really interesting stuff is probably in the third part since that part is 207384 bytes. There seems to be some interrupt routines in this part and there are also many parts that could be switch blocks, which are pretty interesting.

I've searched for different kinds of comparisons for 0x5a (mode sense) but I can't seem to find any so I'm doubting that it's the same scheme as for the xbox1.

One thing that would help alot would be a log of the stuff sent from dvd to 360 so if anyone can fix this I think that it would make this stuff much easier.

[QuiescentWonder]

For those with a Thomson drive at least, UltraISO can make images of discs... I couldn't get anything else to work.

Now I'll butt out of the conversation and let you guys get back to your ultra-hardcore stuff that I don't understand.

[svenhag]

Oh also, when using objdump. Use the -m am33-2 option and not the mn10300 or you will get alot of unknown instructions.

[anita999]

Anita9999:  or anyone

What signals on a parallel ide bus are best to trigger captures with?

I'm thinking that triggering on transitions of DIOR or DIOW should work.

DIOR/DIOW is the strobe for PIO mode. There are other data transmition using IORDY and other signals for DMA transfer. Please check the ATA/ATAPI spec. for detail protocol. I couldn't remember it now.

[Dark_Neo]

TheSpecialist: *bows* that's all I can say really!

Anyway as far as making 1:1 copies goes, on CD-Rs there's the ATIP information, contains details about the manufacturor, dye type, speeds, power, etc, I'm pretty sure DVD-Rs would have a similar data area (if not the same), so any basic copy protection just needs to check for the existence of this information. Not sure if this is already known but it hasn't been mentioned yet.

btw BCA = Burst Cutting Area (not BarCode Area) 

[loser]

can someone try logging the commands sent to the drive when windows is started?
maybe we can see if certain commands (such as eject) are sent and are causing problems.

ive noticed that with my phillips drive plugged in windows xp will take a really long time on the loading screen, and that once it gets past this screen the drive will no longer eject when i press the eject button (as if the drive has turned itself off, or maybe timed out due to an unsupported eject command?)

if this is the case, the eject command may be patchable in the firmware to return 'success' whether or not it actually ejects...

[joedodgy]

The Specialist, I had a play with your 'unlocker' app and a Samsung SDG-605.. must say, major props

just incase its still of interest.. here is the readout from jet set radio future pal, - extracted with clonecd to ~6gb-ish

Code:

Read capacity io succesful. Returned data ->
00 00 1B 4F 00 00 08 00 - 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
Mode sense io succesful. Returned data ->
00 1A 00 00 00 00 00 00 - 3E 12 00 01 00 D1 01 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
Read DVD structure IO succesful. Returned data (only first few bytes) ->
06 64 00 00 D1 0F 31 10 - 00 06 06 00 00 F9 F9 FF
00 20 33 AF 00 00 00 00 - 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
Decryption of challenge responsetable seems to be succesful !
Number of entries in challenge responste table = 23
Mode select IO succesful
Mode sense io succesful. Returned data ->
00 1A 00 00 00 00 00 00 - 3E 12 00 01 01 D1 01 E6
EF 8A 7A BC 8D C7 3A 00 - 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
Mode select IO succesful
Mode sense io succesful. Returned data ->
00 1A 00 00 00 00 00 00 - 3E 12 00 01 01 D1 01 89
EF 8A 7A BC C0 68 6B 00 - 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
Mode select IO succesful
Mode sense io succesful. Returned data ->
00 1A 00 00 00 00 00 00 - 3E 12 01 01 01 D1 01 89
EF 8A 7A BC C0 68 6B 00 - 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
Read capacity io succesful. Returned data ->
00 34 5B 5F 00 00 08 00 - 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00
00 00 00 00 00 00 00 00 - 00 00 00 00 00 00 00 00

- clonecd, had to ignore some error in order to dump the disc - slow coz of no fast error skipping, found heaps of unreadable sectors etc - 50 mins to dump ~6gb
- alcohol 120%, reported correct 'xbox' toc size after unlocking and happily started ripping the disc.. again, found heaps of unreadable sectors - slow for same reasons as above.
- xiso 1.1.5 - reads the xbox part of the disc fine - and will extract the files..(a lot faster, less to read - doesnt get tripped by bad sectors)
- isobuster 1.9 - shows full sized xbox toc, displays replace unreadable sector box
- dvddecrypter - set to iso mode, sees the full xbox sized toc and starts ripping..didnt wait around to see what happens when it hits a bad sector
- nero7 - showed correct toc, but kinda froze before it started, so i ended it
- discjuggler (old) - showed correct toc, but couldnt back it up coz it didnt support creating a dvd image bigger than 4.7g, new version might work better
- recordnowdx 4.61 - showed dvd video toc
- windows no longer shows the video_ts folder

i dont suppose any of the drives support fast error skipping either? heh.. but other that.. awesome work

[wildje]

can someone try logging the commands sent to the drive when windows is started?
maybe we can see if certain commands (such as eject) are sent and are causing problems.

ive noticed that with my phillips drive plugged in windows xp will take a really long time on the loading screen, and that once it gets past this screen the drive will no longer eject when i press the eject button (as if the drive has turned itself off, or maybe timed out due to an unsupported eject command?)

if this is the case, the eject command may be patchable in the firmware to return 'success' whether or not it actually ejects...

It surely seems like the xbox360's dvd drive needs an alternate initialization method to continue functioning. Probably to stop ppl from using the drive in non xbox360's systems. Windows tries the standard way(offcourse) which could be blocked/detected by the drive's firmware.. Not sure this is true actually but it really makes sense It would sure help if we could see a log of commands send/received from the drive at windows bootup

[MacDennis]

Has anyone tried to hook the dvd drive to a sata -> ide converter, and then vice versa with an ide -> sata? I'd like to try that, sniffing the data over the parallel port will be much easier. Furthermore, i think it could be possible to emulate the whole dvd drive.... Hmm, whats the frequency on a pata port? I think 33mhz and 32 bits wide. If theres a handshaking, it wouldn't matter how fast the emulation is... You could possibly mount an iso on your win/linux box, and "feed" die virtual drive with the data the xbox requests.....

Well, just try it! Do you have have a LA you can use?
Check this thread a few pages back for some links to ATA / ATAPI command specs.
If you need any help setting up your LA, PM me.

[MacDennis]

- clonecd, had to ignore some error in order to dump the disc - slow coz of no fast error skipping, found heaps of unreadable sectors etc - 50 mins to dump ~6gb
- alcohol 120%, reported correct 'xbox' toc size after unlocking and happily started ripping the disc.. again, found heaps of unreadable sectors - slow for same reasons as above.

i dont suppose any of the drives support fast error skipping either? heh.. but other that.. awesome work

Why are so many errors reported? To make it harder to dump a disc? Or .. do the ECC bytes actually contain data? Which would make a sector 'bad'. Hmmm
Food for thought .. http://en.wikipedia.org/wiki/CD/DVD_copy_protection

[Deviate]

Why not give the drive power, but not plug it in until Windows or Linux has fully initialised... Perhaps this would bypass the problems found in the BIOs.

[Pec]

Have to ask again... Has anyone tried to hook the x360 dvd to a sata->pata and with an other pata->sata back to the xbox360?

[tser]

I don't know if you guys have already this information :


But in case you need it, i have now access to the entire dvd standarization documents :-)
don't know if i can distribute the document though, it is stating some copyright info here and there
but i sure can quote from it.

also :
The Length of the BCA Information is in the range of 12 to 188 bytes for DVD.


"When a READ DISC Structure with a Format code field value of 03h is presented for a dvd Media without
BCA, the command shall be terminated with check condition status, 5/24/00 Invalied field in cdb

Ah! a document derived from This document is public also at ftp.seagate.com/sff/INF-8090.PDF

[MacDennis]

Have to ask again... Has anyone tried to hook the x360 dvd to a sata->pata and with an other pata->sata back to the xbox360?

No. No one in this thread has tried that yet. If you can try, please do! It would really help if we could verify if this is possible or not. It should work in theory if the adapters would pass each and every command, even the undocumented / reserved ones.

[cja100]

Why not give the drive power, but not plug it in until Windows or Linux has fully initialised... Perhaps this would bypass the problems found in the BIOs.

i didnt know you could do that, how would you go about this?!?

[MacDennis]

Why not give the drive power, but not plug it in until Windows or Linux has fully initialised... Perhaps this would bypass the problems found in the BIOs.

i didnt know you could do that, how would you go about this?!?

How could that possibly work? In that case the BIOS can't detect the drive so it isn't available to the operating system. I haven't tried it yet but I doubt it would work. It would mean that a DVD-ROM drive is hot swapable right? Or are you talking about the xbox360 drive? The unlocker is currently meant to be only used with a xbox1 drive.

[amadeus]

Ah! a document derived from This document is public also at ftp.seagate.com/sff/INF-8090.PDF

I have just tried searching Google for INF-8090.PDF, and there might be very interesting stuff here?

This one is about decrypting:
http://members.aol.com/plscsi/tutorial/

The Google search for INF-8090.PDF
http://www.google.com/search?q=INF-8090.PDF

[Deviate]

Why not give the drive power, but not plug it in until Windows or Linux has fully initialised... Perhaps this would bypass the problems found in the BIOs.

i didnt know you could do that, how would you go about this?!?

How could that possibly work? In that case the BIOS can't detect the drive so it isn't available to the operating system. I haven't tried it yet but I doubt it would work. It would mean that a DVD-ROM drive is hot swapable right? Or are you talking about the xbox360 drive? The unlocker is currently meant to be only used with a xbox1 drive.

I just tried it with an IDE LG DVD-RW drive... Left the PSU cable in, left the IDE cable unplugged from the DVD-RW... Plugged the IDE cable in when Windows was fully loaded. Device Manager did not notice it.. However, I clicked on the 'Scan for Hardware Changes' button in Device Manager and the DVD-RW drive initialised.

It was just a suggestion... I have not tested it with an Xbox or Xbox 360 drive at all.

It's probably just a n00b idea, but the problems regarding the drives getting noticed in Windows brought me to this thought...

[raglin]

How could that possibly work? In that case the BIOS can't detect the drive so it isn't available to the operating system. I haven't tried it yet but I doubt it would work. It would mean that a DVD-ROM drive is hot swapable right? Or are you talking about the xbox360 drive? The unlocker is currently meant to be only used with a xbox1 drive.

It's not 'hot swappable' in the technical sense, i.e. electronically safe to plug and unplug while running. Modern OS's however don't need the info in the BIOS to enumerate drives, it's only necessary for the bootdrive.
Other drives can be marked 'Not available' in the BIOS and the OS will still pick it up. The 'Rescan Disks' option in Disk Management (or the "Scan for hardware Changes" Deviate mentioned) usually suffice to let the OS recognize it.

[FuzzyLogic]

Has anyone tried to hook the dvd drive to a sata -> ide converter, and then vice versa with an ide -> sata? I'd like to try that, sniffing the data over the parallel port will be much easier. Furthermore, i think it could be possible to emulate the whole dvd drive.... Hmm, whats the frequency on a pata port? I think 33mhz and 32 bits wide. If theres a handshaking, it wouldn't matter how fast the emulation is... You could possibly mount an iso on your win/linux box, and "feed" die virtual drive with the data the xbox requests.....

Well, just try it! Do you have have a LA you can use?
Check this thread a few pages back for some links to ATA / ATAPI command specs.
If you need any help setting up your LA, PM me.

I just received a couple of PATA-SATA converters. i'm soldering them together right now. Will first test with converters in place, then i'll hookup my LA.