anita999
« Reply #440 on: January 03, 2006, 03:50:07 AM »

Nayr, could you please do one more thing: put the disk in the 360, shut it down, start the LA, then turn on the 360. That way we can log all communication between the 360 and the drive, and then we might understand whether it's possible to switch the DVD drive or not. If it's not, then we may also know how the 360 tells the difference between different drives, i.e. via a serial # (that's an easy case) or a more complicated approach. This will be critical to this project, because if we can't switch the drive, then we will not be able to develop a general altered firmware.
FuzzyLogic
« Reply #441 on: January 03, 2006, 05:47:21 AM »

Ah, that explains why I couldn't get it to work; I used 2 PATA->SATA converters.
Takires
« Reply #442 on: January 03, 2006, 06:33:53 AM »

> I believe the 'code' at $B185 to be part of this routine, BUT there's no code at that location -> this location is part of a block filled with string data "COPYRIGHT ACER PERIPHERALS, INC. 632ACOPYRIGHT ACER PERIPHERALSINC. 632A" etc... I don't have any idea what this could be; as far as I know there's not even any Acer hardware used in the Philips drive.... Why would Philips put this string into their FW anyway? Maybe this is part of some 'firmware protection scheme' that was developed by Acer? Anyone any ideas on this?

Keep in mind that the CPU in the Philips drive only has an address space of 64K, and that is not enough for the whole firmware, so bank switching will be used. Bank switching will only affect the upper 32K of the address space; the lower 32K are always the first 32K of the firmware image. IIRC memory location F8 or FA is responsible for the bank switching; look for a big region of jumps. These jumps go to code that loads a register with a 16-bit value and does another jump. This second jump will go to a routine that switches the bank and calls the routine. Oh, and if that wasn't confusing enough, there are at least two memory locations that are responsible for bank switching of RAM. Data access to $Exxx is subject to this bank switching. Your address of $B185 can be $B185, $13185, $1B185 or $23185. That's why I really start to hate 8051 code.
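The bank-window arithmetic and the "region of jumps" pattern described in the post above, as an added example that is not part of the thread and not code from any poster. It assumes the layout the post gives (lower 32K always image offset 0..$7FFF, upper 32K showing one 32K bank), and further assumes, as its own hypotheses, that the trampolines use MOV DPTR,#addr16 followed by LJMP to a helper (the post only says "loads a register with a 16-bit value and does another jump") and that the table and stubs sit in the common lower 32K. The firmware image it scans is constructed sample data, not a real dump.

```python
"""Added example (not from the thread): 8051 bank-window address resolution
and LJMP trampoline-table discovery.

Assumptions (hypotheses for this example, not facts from the thread):
  * CPU space $0000-$7FFF is always image offset 0..0x7FFF; $8000-$FFFF
    shows 32 KB bank `bank` of the image;
  * each trampoline is MOV DPTR,#addr16 ; LJMP helper;
  * the jump table and its stubs live in the common lower 32 KB.
The image built below is constructed sample data.
"""
import struct

BANK_SIZE = 0x8000      # size of the switched window
OP_LJMP = 0x02          # LJMP addr16: 3 bytes, target stored big-endian
OP_MOV_DPTR = 0x90      # MOV DPTR,#imm16: 3 bytes, operand stored big-endian


def logical_to_image_offset(addr, bank):
    """Image offset of 16-bit CPU address `addr` while `bank` is selected."""
    if not 0 <= addr <= 0xFFFF:
        raise ValueError("8051 code address must fit in 16 bits")
    if addr < BANK_SIZE:
        return addr                      # common half: bank does not matter
    return bank * BANK_SIZE + addr       # $B185 -> $B185, $13185, $1B185, $23185


def image_offset_to_logical(offset):
    """Inverse mapping: (cpu_addr, bank); bank is None for the common half."""
    if offset < BANK_SIZE:
        return offset, None
    q, rem = divmod(offset, BANK_SIZE)
    return rem + BANK_SIZE, q - 1


def find_jump_tables(image, min_run=3):
    """(offset, count) for every run of >= min_run back-to-back LJMPs.

    Byte-pattern heuristic: it assumes the run starts on an instruction
    boundary, and 0x02 bytes inside data can produce false hits, so each
    candidate still needs confirming in a disassembler."""
    tables = []
    i = 0
    while i + 3 <= len(image):
        if image[i] != OP_LJMP:
            i += 1
            continue
        start = i
        while i + 3 <= len(image) and image[i] == OP_LJMP:
            i += 3
        count = (i - start) // 3
        if count >= min_run:
            tables.append((start, count))
    return tables


def decode_trampoline(image, stub):
    """If `stub` holds MOV DPTR,#addr16 ; LJMP helper, return (addr16, helper)."""
    if stub + 6 > len(image):
        return None
    if image[stub] != OP_MOV_DPTR or image[stub + 3] != OP_LJMP:
        return None
    far_target = struct.unpack_from(">H", image, stub + 1)[0]
    helper = struct.unpack_from(">H", image, stub + 4)[0]
    return far_target, helper


def walk_jump_table(image, table_offset, count):
    """Per LJMP entry: (entry_offset, stub_addr, decoded trampoline or None)."""
    rows = []
    for n in range(count):
        entry = table_offset + 3 * n
        stub = struct.unpack_from(">H", image, entry + 1)[0]
        rows.append((entry, stub, decode_trampoline(image, stub)))
    return rows


def build_sample_image():
    """Constructed image: common 32 KB plus two banks, a 4-entry LJMP table at
    $0100, trampolines from $0200 and a stand-in bank-switch helper at $0300."""
    img = bytearray(3 * BANK_SIZE)
    far_targets = [0xB185, 0x9000, 0xC010, 0xFFF0]
    helper = 0x0300
    for n, far in enumerate(far_targets):
        stub = 0x0200 + 6 * n
        struct.pack_into(">BH", img, 0x0100 + 3 * n, OP_LJMP, stub)
        struct.pack_into(">BH", img, stub, OP_MOV_DPTR, far)
        struct.pack_into(">BH", img, stub + 3, OP_LJMP, helper)
    img[helper] = 0x22                   # RET, standing in for the real helper
    return bytes(img)


if __name__ == "__main__":
    image = build_sample_image()
    for bank in range(4):
        print(f"$B185 in bank {bank}: offset 0x{logical_to_image_offset(0xB185, bank):05X}")
    for table, count in find_jump_tables(image):
        print(f"LJMP table at 0x{table:04X}, {count} entries")
        for entry, stub, decoded in walk_jump_table(image, table, count):
            print(f"  0x{entry:04X} -> stub 0x{stub:04X} -> {decoded}")
```

Running the script against a real dump would mean replacing build_sample_image() with the file contents; the far target decoded from each trampoline is a CPU address, so it still has to be combined with the bank the helper selects (which this example does not model) before it can be turned into an image offset.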
Serie
« Reply #443 on: January 03, 2006, 09:12:40 AM »

Lo all guys. Really nice post; it reminds me that I'm too far from understanding almost anything about hacking. Well, on the other hand maybe I could help you... I have access to the ORIGINAL kiosk disc and 2 premium PAL consoles; if you need some tests just tell me. Keep up the good work. BTW, nice to see you're working on the X360, loser.
MacDennis
« Reply #444 on: January 03, 2006, 09:21:02 AM »

> Really nice post; it reminds me that I'm too far from understanding almost anything about hacking. Well, on the other hand maybe I could help you... I have access to the ORIGINAL kiosk disc and 2 premium PAL consoles; if you need some tests just tell me. Keep up the good work.

Note down the DVD-ROM details and swap the drives.
darkfly
« Reply #445 on: January 03, 2006, 10:07:06 AM »

I was under the assumption the Toshiba / Samsung FW had already been dumped? If not, I would be more than happy to try to do it later this evening.
anita999
« Reply #446 on: January 03, 2006, 10:15:40 AM »

darkfly, the Toshiba/Samsung FW is not dumped yet. Please provide a dump if you can; that shall help.
Tiros
« Reply #447 on: January 03, 2006, 10:50:20 AM »

What do you think is the entry point for the 360 decrypted ROM? I hooked up my LA yesterday to the 8163, and something is funny. Didn't get a lot of testing done yet; it was a HUGE wiring project. Also I will now be able to hook up a flash emulator too. That should be fun. If only I had a 360. Are we pretty sure the decryption method is 100%?

« Last Edit: January 03, 2006, 11:07:09 AM by Tiros »
Tiros
« Reply #448 on: January 03, 2006, 11:06:02 AM »

> I believe the 'code' at $B185 to be part of this routine, BUT there's no code at that location -> this location is part of a block filled with string data "COPYRIGHT ACER PERIPHERALS, INC. 632ACOPYRIGHT ACER PERIPHERALSINC. 632A" etc... Maybe this part of the code is stored somewhere else than on the flash chip, maybe in the chip's own memory (if it has some, comparable to Xbox1's "secret code in MCPX, rest in flash" way)? Maybe you could create your own ATAPI command to dump the code as it is in memory (not an easy feat though).

8051 can't execute from RAM. Probably bank switched as suggested. You could pretty easily write some code based on mode sense; just have that command dump the ROM. I was thinking of doing that for the MN103 to see what the CPU actually sees in its code space, to clarify this decryption issue.
darkfly
« Reply #449 on: January 03, 2006, 11:11:39 AM »

What type of hardware am I going to need to get ahold of? I have standard soldering equipment and a hot air station. If I need an EEPROM reader or LA I am going to have to borrow one, so let me know ASAP so I can try to get it tonight.
MacDennis
« Reply #450 on: January 03, 2006, 11:14:04 AM »

> What do you think is the entry point for the 360 decrypted ROM? I hooked up my LA yesterday to the 8163, and something is funny. Didn't get a lot of testing done yet; it was a HUGE wiring project. Also I will now be able to hook up a flash emulator. That should be fun. Are we pretty sure the decryption method is 100%?

Can you share some of your results? Did you use a standard PC DVD-ROM or did you flash it to make it XBOX1 compatible? Which decryption source are you using on an 8163 dump? The reset vector for the 360 ROM is unknown. Please note that different MN103-based dumps seem to use different XOR masks. I believe that the firmware contains several sections. For example: a header, an unencrypted reset vector including decrypter, a decrypted image, a flasher. The posted source code decrypts the whole image, right? I think it shouldn't do that. I plan to do some tests/logging myself on the 8163..

« Last Edit: January 03, 2006, 11:17:31 AM by MacDennis »
Tiros
« Reply #451 on: January 03, 2006, 11:15:51 AM »

> What type of hardware am I going to need to get ahold of? I have standard soldering equipment and a hot air station. If I need an EEPROM reader or LA I am going to have to borrow one, so let me know ASAP so I can try to get it tonight.

I was kind of hoping you could use the 605 firmware utility. It can read/write without solder, I hope. Worth a shot anyway. Sure would be nice to see an 8051 dump.
MacDennis
« Reply #452 on: January 03, 2006, 11:20:44 AM »

> What type of hardware am I going to need to get ahold of? I have standard soldering equipment and a hot air station. If I need an EEPROM reader or LA I am going to have to borrow one, so let me know ASAP so I can try to get it tonight.

> I was kind of hoping you could use the 605 firmware utility. It can read/write without solder, I hope. Worth a shot anyway. Sure would be nice to see an 8051 dump.

And risk destroying an XBOX360 drive by using a Samsung Xbox1 605 firmware utility? Darkfly, if you don't have any experience with desoldering TSOP chips then please don't try. Or at least practice first on some broken equipment. What do you mean with 8051 dump? Do you perhaps mean XBOX1 8050 DVD-ROM firmware dump?

« Last Edit: January 03, 2006, 11:26:20 AM by MacDennis »
Tiros
« Reply #453 on: January 03, 2006, 11:24:59 AM »

> Can you share some of your results? Did you use a standard PC DVD-ROM or did you flash it to make it XBOX1 compatible? Which decryption source are you using on an 8163 dump? The reset vector for the 360 ROM is unknown. Please note that different MN103-based dumps seem to use different XOR masks. I believe that the firmware contains several sections. For example: a header, an unencrypted reset vector including decrypter, a decrypted image, a flasher. The posted source code decrypts the whole image, right? I think it shouldn't do that.

It's an 8163 flashed with XB firmware. But I can soon load any with the flash emulator. Only limited info so far; I just got the "grunt" work part finished late last night. Lots of wires. Did fire it up with the LA though, and it looks like execution begins @20h (4000 0020), but something doesn't make sense. More testing later. Ya know, sometimes the manufacturer has a small amount of ROM built in that inits I/O and performs basic system housekeeping/flashing, and the external ROM contains customer "expansion" code. Also read that the "S" in 103S means custom peripheral devices on die. Yea, the source code does the whole image; that didn't seem right to me either. I wasn't aware of different XOR masks. If this is true, then the decrypt software is wrong. I agree with your "sectional" analysis; that's why I hooked up the LA. I suspect that decryption, if needed, is done by the MPU; therefore decrypting beforehand would not be the correct procedure, since it would then ENCRYPT the valid code.

« Last Edit: January 03, 2006, 11:36:14 AM by Tiros »
Tiros
« Reply #454 on: January 03, 2006, 11:28:29 AM »

> What do you mean with 8051 dump? Do you perhaps mean XBOX1 8050 DVD-ROM firmware dump?

No, now they are saying they got MTK chipsets on the new (Tosh/Sam) 360 drives. Since the 605 (SammyXB1) was also MTK, a very similar number, and the 605 was 8051, I figured maybe those MTK FW tools might work, and further hoped it is also an 8051 processor.
MacDennis
« Reply #455 on: January 03, 2006, 11:36:28 AM »

> Yea, the source code does the whole image; that didn't seem right to me either. I wasn't aware of different XOR masks. If this is true, then the decrypt software is wrong. I agree with your "sectional" analysis; that's why I hooked up the LA. I suspect that decryption, if needed, is done by the MPU; therefore decrypting beforehand would not be the correct procedure, since it would then ENCRYPT the valid code.

At least for the MN103-based chipsets they seem to use different XOR masks: http://www.xboxhacker.net/forums/index.php?topic=76.msg868#msg868

Sometimes I re-read this whole thread all over again and still discover something new.
darkfly
« Reply #456 on: January 03, 2006, 11:53:51 AM »

I have plenty of experience working with surface mount components. I have no qualms about removing and replacing hardware, but I appreciate the concern. I have access to lots of fun tools; I just didn't know what I would need to get ahold of, besides what I have on hand, to do the dump.
Tiros
« Reply #457 on: January 03, 2006, 12:02:33 PM »

> And risk destroying an XBOX360 drive by using a Samsung Xbox1 605 firmware utility?

I don't think there is much risk using the MTK utility to READ the FW. If I had one I would try it! Dark, if you do "sweat" it off, you'll need a TSOP to DIP adaptor to read it in most programmers.

« Last Edit: January 03, 2006, 12:04:17 PM by Tiros »
marvin
« Reply #458 on: January 03, 2006, 12:03:19 PM »

> What do you think is the entry point for the 360 decrypted ROM? I hooked up my LA yesterday to the 8163, and something is funny. Didn't get a lot of testing done yet; it was a HUGE wiring project. Also I will now be able to hook up a flash emulator. That should be fun. Are we pretty sure the decryption method is 100%?

> Can you share some of your results? Did you use a standard PC DVD-ROM or did you flash it to make it XBOX1 compatible? Which decryption source are you using on an 8163 dump? The reset vector for the 360 ROM is unknown. Please note that different MN103-based dumps seem to use different XOR masks. I believe that the firmware contains several sections. For example: a header, an unencrypted reset vector including decrypter, a decrypted image, a flasher. The posted source code decrypts the whole image, right? I think it shouldn't do that. I plan to do some tests/logging myself on the 8163..

On the Xbox1 DVD replacement firmware for the LG GDR-8163B (8050l.dld), at 0x00040040 there's machine code that isn't scrambled; no need to run bitswap/XOR to see it. It's quite long, 6KB; perhaps it's the flasher? An equivalent part can be seen in other firmware, i.e. LG GDR-8161B: http://forum.rpc1.org/dl_file.php?site=firmx&file=lg8161b0102.ZIP

This time it's smaller, about 4KB. The last 4 bytes before this section seem to be another checksum, at 0x004003C.
Tiros
« Reply #459 on: January 03, 2006, 12:06:33 PM »

Any pics of the Tosh/Sammy 360 drive?