XboxHacker BBS
 
Author Topic: hacking DVD firmware ?
jumba
Master Hacker
« Reply #620 on: January 09, 2006, 03:46:39 PM »

I think you're being confused by the loose reference to the core being 8051; in truth it's an 8032 with 224 internal RAM plus registers. No-one today develops any new microcontrollers using an 8031 core; everyone now has an 8032 with their own enhancements.
You're totally right Jumba, thanks for clearing that up Smiley So, since internal memory and SFRs are 'overlapping', the only way the MPU knows if it should access internal RAM or an SFR is by looking at the way it's being addressed (direct = SFR, indirect = internal memory), right? So:

mov $80,#1 = SFR

mov R0,#$80
mov @R0,#1 = internal memory

Right?
You bet that's it
jumba
Master Hacker
« Reply #621 on: January 09, 2006, 03:56:57 PM »

Something also slightly off-topic, but I feel it might help: someone mentioned getting up a site or FTP server with all our files. It might come in handy now, since we now have several FWs, 'encrypted' and 'decrypted', tools (smo's disassembler for example) and these are scattered all over this (large and fast growing) thread. I don't know if xboxhacker will/can host them, otherwise we'd need some external space. I was also thinking: is it even legal to post firmwares? Aren't they copyrighted? Smiley
rpc1.org hosts many rom firmwares; some are modified to make them region free. Very few f/w have CR notices on them; many manufacturers don't expect the f/w to be hacked. By playing with the rom the warranty is compromised, so it's no skin off their nose.
« Last Edit: January 09, 2006, 04:20:53 PM by jumba »
jumba
Master Hacker
« Reply #622 on: January 09, 2006, 04:04:33 PM »

I don't know where we stand on this (that's exactly why we need the wiki, hehe), but did someone already try modding some code in the FW and reflashing it to see if there's some kind of signature check? Also, can the sammy 360 FW be flashed with the standard MTK flasher?
I don't have a 360 sammy. Does the 360 rom fitted with a SATA to IDE converter make the rom appear as an IDE unit?
jumba
Master Hacker
« Reply #623 on: January 09, 2006, 04:21:52 PM »

Just a quick note on the DVD drives: after lifting the chip on my prem system I lifted some pads.

Anyway, went and got a core system today.

It was the same drive numbers etc., except maybe 2 numbers different on the serial.

I put it into the premium and put in a game and it said "please put this game in a 360 console".

So the drives are mapped to each system and in this case it did not work.


Sorry for off topic but thought it may be of interest.

Drive from prem was x800473-015

Drive from core was x800473-015

Same date, same ms25 firmware?

This is a very important finding given that the firmware versions are identical, i.e. it ends the (hopeful) speculation that the marriage is between a firmware version and the console. The premium <--> core swap should not matter, but that speculation can also be addressed by writing the image from one of the drives to the other. From there it would be ideal to find the mapping between 360 serial number and the non-constant bits in a given firmware version, but that algorithm might be well hidden or could in fact be random, assigned at the factory...
Methinks the rom is locked to the console!
darkfly
Hacker
« Reply #624 on: January 09, 2006, 04:27:06 PM »

Quote
Posted by: jumba
Does the 360 rom fitted with a SATA to IDE converter make the rom appear as an IDE unit?

Yes, it is detected by the BIOS on my board and under Linux. I posted the findings some pages back in this thread.
MacDennis
Xbox Hacker
« Reply #625 on: January 09, 2006, 04:38:06 PM »

Methinks the rom is locked to the console!

All clues seem to indicate that a shared 'secret' key between console and DVD-ROM is being used to exchange data, as smo pointed out earlier. If you swap the DVD-ROM then probably the authentication fails because the exchanged data can't be decrypted/encrypted correctly. Note that it seems that only the exchanged data is encrypted, not the actual (CDB) command.

If the authentication fails then the drive can't be unlocked; it then probably defaults to the standard 'partition', which is the video partition. This theory explains why XBOX1 discs also fail: encryption/decryption of data also fails in this case when trying to authenticate the disc. As mentioned earlier in this thread, this key is probably stored at location 0x4F00 in the Hitachi firmware, as reported earlier.

To everyone decoding the different firmwares: please note that a DVD-ROM drive is also a DVD player. The DVD-ROM drive can also be used to decrypt DVD video content, the CSS algorithm. So if you spot any routines which look like 'decryption' routines then this doesn't have to mean they are being used to authenticate XBOX discs; it could be part of the CSS algorithm. Each DVD player contains a 'Player Key'. There are 409 keys in total, one for each manufacturer if I am not mistaken. This key is used to decrypt DVD video, besides the 'disc key' and 'title key', but those last two keys are present on the disc itself. This system was hacked and open in the wild after the release of the DeCSS tool.

Another nice test for anyone being able to dump their firmware. Dump a fresh copy of your firmware. Play a DVD movie which has a region which does not match the region of the drive. Dump the firmware again and find the differences. This will show you where the region code is located. I assume also in the 0x4000 - 0x4F00 range ..
« Last Edit: January 09, 2006, 05:39:30 PM by MacDennis »
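As an added example that is not code from this thread: a small Python tool for the dump-twice-and-diff test suggested above. It merges changed bytes into ranges and flags the ones inside a window of interest, here the 0x4000-0x4F00 area the post points at; the two dumps are constructed for the demo.

```python
# Added example (not from the thread): diff two firmware dumps and report the
# changed byte ranges, flagging those inside a window of interest.

def diff_ranges(before: bytes, after: bytes):
    """Return (start, end_exclusive) ranges where the dumps differ.
    Adjacent differing bytes are merged into one range."""
    if len(before) != len(after):
        raise ValueError("dumps differ in size; compare like with like")
    ranges = []
    start = None
    for i, (a, b) in enumerate(zip(before, after)):
        if a != b:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i))
            start = None
    if start is not None:
        ranges.append((start, len(before)))
    return ranges

def report(before: bytes, after: bytes, window=(0x4000, 0x4F00)):
    """One line per changed range, marking whether it starts inside the window."""
    lo, hi = window
    lines = []
    for s, e in diff_ranges(before, after):
        flag = "IN-WINDOW" if lo <= s < hi else "outside"
        old, new = before[s:e].hex(), after[s:e].hex()
        lines.append(f"0x{s:05X}-0x{e-1:05X} ({e-s} bytes) {flag}: {old} -> {new}")
    return lines

def sample_dumps():
    """Constructed 32 KiB 'dumps': a counter byte ticking down inside the window
    and an unrelated change outside it."""
    before = bytearray(b"\xff" * 0x8000)
    before[0x4A10] = 0x05                    # pretend: 'region changes left'
    after = bytearray(before)
    after[0x4A10] = 0x04                     # one change consumed
    after[0x7FF0:0x7FF4] = b"\x01\x02\x03\x04"   # noise outside the window
    return bytes(before), bytes(after)

if __name__ == "__main__":
    for line in report(*sample_dumps()):
        print(line)
```

Run it against two real dumps by reading them with open(path, "rb").read(); anything reported as IN-WINDOW is a candidate for the counter, and ranges elsewhere are worth a second look too.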
jesperkn
Newbie
« Reply #626 on: January 09, 2006, 04:55:20 PM »

MacDennis, that seems reasonable. Is it plausible that the key exchange is done in the following manner?

1st time ever booted: the DVD-ROM has no encryption key, so the communication is done unencrypted (at the MS office) and an encryption key is exchanged. This would also ease repairs, since a brand new DVD-ROM drive can be swapped once without any problems.

2nd time ++ booted: the DVD-ROM uses the encryption key from the previous boot to communicate with the X360; a new key may or may not be exchanged.
darkfly
Hacker
« Reply #627 on: January 09, 2006, 06:08:53 PM »

Quote
Another nice test for anyone being able to dump their firmware. Dump a fresh copy of your firmware. Play a DVD movie which has a region which does not match the region of the drive. Dump the firmware again and find the differences. This will show you where the region code is located. I assume also in the 0x4000 - 0x4F00 range ..

Why would attempting to play a DVD Movie from a different region affect the Firmware at all? I am not sure I understand what you mean by that.

From the pinouts I traced on the controller board for the Sammy, Write Enable is connected to a resistor. I have not tested with the drive powered up but this would imply that WE is pulled high, therefore disabling write access to the device in the first place. (Although I assume the MCU has control to pull this pin low when it wants).
« Last Edit: January 09, 2006, 06:13:16 PM by darkfly »
MacDennis
Xbox Hacker
« Reply #628 on: January 09, 2006, 06:17:44 PM »

Quote
Another nice test for anyone being able to dump their firmware. Dump a fresh copy of your firmware. Play a DVD movie which has a region which does not match the region of the drive. Dump the firmware again and find the differences. This will show you where the region code is located. I assume also in the 0x4000 - 0x4F00 range ..

Why would attempting to play a DVD Movie from a different region affect the Firmware at all? I am not sure I understand what you mean by that.

I'm not sure if it also holds true for the X360 drive, but because it's almost the same as a PC DVD-ROM drive it might be. When using a normal PC DVD-ROM drive (RPC2) you are only allowed to change regions 5 times. This counter is stored in the firmware. It could be that the X360 drive doesn't operate this way, but it's worth a shot IMHO.
darkfly
Hacker
« Reply #629 on: January 09, 2006, 06:31:36 PM »

Quote
I'm not sure if it also holds true for the X360 drive, but because it's almost the same as a PC DVD-ROM drive it might be. When using a normal PC DVD-ROM drive (RPC2) you are only allowed to change regions 5 times. This counter is stored in the firmware. It could be that the X360 drive doesn't operate this way, but it's worth a shot IMHO.

Ok, I see where you are going with that now. But, do you not usually need an application to set the region code on the drive, I mean it isn't done automatically when another region's disc is inserted.

evestu
Hacker
« Reply #630 on: January 09, 2006, 06:45:57 PM »

Emm, I tested a region 1 DVD in the 360 and it works OK, np. The DVD I tested before was region 2, which also works, so yes, it plays region 1 and 2.
Geremia
Xbox Hacker
« Reply #631 on: January 09, 2006, 07:36:14 PM »

I don't think that the serial number and other variable stuff can be in flash memory; in some old DVD-ROMs I opened, it was in an external I2C EEPROM. In flash memory, if you want to modify 1 byte, you have to erase and rewrite an entire block area, and this is dangerous if you power down.
During a firmware upgrade, in PC drives the RPC setting doesn't change, so supposedly there must be some internal non-volatile area.
dmozk
Newbie
« Reply #632 on: January 09, 2006, 07:57:18 PM »

There are a couple of tools made for LiteOn ODDs that can access the EEPROM; since they use an MTK chipset it may be worth looking at them..

(or not)

http://club.cdfreaks.com/showthread.php?t=112103
http://www.liteon.neostrada.pl/ltnflash124.exe
« Last Edit: January 09, 2006, 08:03:32 PM by dmozk »
jumba
Master Hacker
« Reply #633 on: January 09, 2006, 08:00:29 PM »

I don't think that the serial number and other variable stuff can be in flash memory; in some old DVD-ROMs I opened, it was in an external I2C EEPROM. In flash memory, if you want to modify 1 byte, you have to erase and rewrite an entire block area, and this is dangerous if you power down.
During a firmware upgrade, in PC drives the RPC setting doesn't change, so supposedly there must be some internal non-volatile area.
Yes, that's true. I have looked at the code and there is a routine to flash bytes; my guess is that these lock code locations are blank, i.e. FFs in a virgin condition. With a brand spanking new rom from the rom manufacturer, on power up the console would ID that it is unattached and would then attach it to itself. Else one would need a program like the one that's used to unlock or lock the HD in the xbox1. The best way to find the lock locations would be for someone other than darkfly to unload a 360 rom f/w.
darkfly
Hacker
« Reply #634 on: January 09, 2006, 08:08:57 PM »

Wouldn't it make more sense for 360 to have the region check in the DVD player software, perhaps with the region changes stored somewhere not on the drive itself?
jumba
Master Hacker
« Reply #635 on: January 09, 2006, 08:49:24 PM »

Wouldn't it make more sense for 360 to have the region check in the DVD player software, perhaps with the region changes stored somewhere not on the drive itself?
My experience with both xbox1 sammies is they do not check regions; they play all region discs using Windows. It's only PC roms that do this region checking and setting. The 360 rom, 605b, and 605f still have the ability to write bytes to the 020. Thinking about it, the SATA drive only needs to be commanded to write bytes in blank areas. For example, a PC drive like the 616e needs to do a sector erase (16 bytes) to rewrite a region code. But in the case of the 360 sammy, if these locations are blank, all the console needs to do is write a lock code in the f/w and hey presto, the rom is locked to it!
TheSpecialist
Global Moderator
Xbox Hacker
« Reply #636 on: January 10, 2006, 12:33:02 AM »

My experience with both xbox1 sammies is they do not check regions; they play all region discs using Windows. It's only PC roms that do this region checking and setting. The 360 rom, 605b, and 605f still have the ability to write bytes to the 020. Thinking about it, the SATA drive only needs to be commanded to write bytes in blank areas. For example, a PC drive like the 616e needs to do a sector erase (16 bytes) to rewrite a region code. But in the case of the 360 sammy, if these locations are blank, all the console needs to do is write a lock code in the f/w and hey presto, the rom is locked to it!

Don't know about the sammy, but in the Philips xbox 1 drive there is actually a procedure to set the region key (well, I didn't really check it out, but I just saw there is a 'handler' for ATAPI A3 (send key) with key format 6 (= set region)). This is normally the routine (together with A4, key format 8, 'report region settings') that you want to patch if you want to make a player 'region free'. Smiley
« Last Edit: January 10, 2006, 12:50:12 AM by TheSpecialist »
MacDennis
Xbox Hacker
« Reply #637 on: January 10, 2006, 03:44:24 AM »

I don't think that the serial number and other variable stuff can be in flash memory; in some old DVD-ROMs I opened, it was in an external I2C EEPROM. In flash memory, if you want to modify 1 byte, you have to erase and rewrite an entire block area, and this is dangerous if you power down.
During a firmware upgrade, in PC drives the RPC setting doesn't change, so supposedly there must be some internal non-volatile area.

I'm pretty sure that most DVD-ROM drives store variables like region code, changes left, player key, etc. in the firmware. The latest DVD-ROM mainboards I have seen don't contain an EEPROM. Yes, sometimes it's stored in an EEPROM. I noticed years ago that Philips and Toshiba stand-alone DVD players used an EEPROM. Others simply used the flash. An EEPROM is too easy to patch ..

Food for thought, all about region code firmware patching ..
http://xvi.rpc1.org/files/Patching%20DVD%20firmware.pdf
"Some people may be tempted to patch a firmware by simply removing the change counter decrement of the A3/06
command (a.k.a. the infinite lives patch, in reference to games patched so that your lives aren’t decremented anymore).
I warn you against this, as most non volatile memory have a limited number of write cycle lifetime (sometimes
as low as 100). Such a patch will lead a drive to write and write again this memory, and this will sooner or
later cause a NVRAM or Flash Memory breakdown."

And Takires mentioned the following about the X360 LG DVD-ROM:
"It is possible to read 0x90004F80-0x90004FFF by sending a READ BUFFER command, Mode = data, Buffer ID = 0x80.
This area contains a 20-byte number which is probably locking a drive to a specific xbox. A WRITE BUFFER command can
be used to permanently change this number."

I'm surprised to see the console accepting region 1 and 2 movies? This would mean that it's region free? Will try some movies myself later tonight.
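An added example, not from the thread or the quoted PDF, modelling the flash behaviour discussed in this post and in jumba's post above it: a constructed NOR-style flash where programming can only clear bits, so a lock code fits into blank 0xFF bytes with no erase, while changing an already-programmed byte (such as a change counter) costs a sector erase each time and eventually exhausts the erase-cycle budget. The 16-byte sector and the 100-cycle limit are the thread's own figures; the class and function names are mine.

```python
# Added example (not from the thread): a toy NOR flash to show why blank
# bytes can be written in place, but rewriting a value needs an erase.

SECTOR = 16        # bytes per erase sector, the 16-byte figure the thread mentions
ENDURANCE = 100    # constructed: pessimistic erase-cycle limit, as the quoted PDF warns

class NorFlash:
    """Programming can only clear bits (1 -> 0); an erase sets a whole
    sector back to 0xFF and counts against that sector's endurance."""

    def __init__(self, size):
        self.mem = bytearray(b"\xff" * size)
        self.erase_count = [0] * (size // SECTOR)

    def program(self, addr, data):
        for i, b in enumerate(data):
            cur = self.mem[addr + i]
            if b & ~cur & 0xFF:              # a 0 -> 1 transition is impossible
                raise ValueError(f"0x{addr + i:04X}: erase the sector first")
            self.mem[addr + i] = cur & b

    def erase_sector(self, addr):
        s = addr // SECTOR
        self.erase_count[s] += 1
        if self.erase_count[s] > ENDURANCE:
            raise RuntimeError(f"sector {s} worn out after {ENDURANCE} cycles")
        self.mem[s * SECTOR:(s + 1) * SECTOR] = b"\xff" * SECTOR

    def rewrite(self, addr, data):
        """Change programmed bytes (within one sector): read, erase, program back."""
        base = (addr // SECTOR) * SECTOR
        image = bytearray(self.mem[base:base + SECTOR])
        image[addr - base:addr - base + len(data)] = data
        self.erase_sector(addr)
        self.program(base, bytes(image))

def lock_into_blank(flash, addr, code):
    """First pairing: blank 0xFF bytes take the lock code with no erase at all."""
    flash.program(addr, code)
    return flash.erase_count[addr // SECTOR]     # stays 0

def decrement_counter(flash, addr, times):
    """A change counter rewritten 'times' times costs one erase per change,
    which is what the 'infinite lives' patch keeps paying for."""
    for _ in range(times):
        flash.rewrite(addr, bytes([(flash.mem[addr] - 1) & 0xFF]))
    return flash.erase_count[addr // SECTOR]
```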
Takires
Hacker
« Reply #638 on: January 10, 2006, 04:06:40 AM »

Don't know about the sammy, but in the Philips xbox 1 drive there is actually a procedure to set the region key (well, I didn't really check it out, but I just saw there is a 'handler' for ATAPI A3 (send key) with key format 6 (= set region)). This is normally the routine (together with A4, key format 8, 'report region settings') that you want to patch if you want to make a player 'region free'. Smiley

The funny thing about these handlers in the philips FW is:
- REPORT KEY will always report 5 vendor resets and 3 user changes left
- SEND KEY will always fail
anita999
Master Hacker
« Reply #639 on: January 10, 2006, 05:26:41 AM »

A rookie question:
Is there any signature or standard command/pattern to locate the handler of each command? I tried to use
XRL A, #AD
to find the handler for READ DVD STRUCTURE in Samsung's firmware, but it didn't help. Maybe someone here can provide input.
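As an added example (not code from the thread) for the question above: scanning an 8051 image for the immediate-compare idioms a dispatcher typically uses on the CDB opcode, not just XRL A,#imm, so the candidate sites for 0xAD can be listed and then confirmed in the disassembler. The image below is constructed; real firmware will also produce false positives where these byte pairs occur in data, and a dispatcher driven by a jump table shows no compare at all.

```python
# Added example (not from the thread): list candidate compare sites for a
# CDB opcode in an 8051 firmware image. Encodings used (standard 8051):
#   XRL  A,#imm      = 0x64 imm        (decision is in the following JZ/JNZ)
#   SUBB A,#imm      = 0x94 imm        (decision is in the following JZ/JC)
#   CJNE A,#imm,rel  = 0xB4 imm rel    (branch taken when A != imm)

OPCODE_FORMS = {0x64: "XRL A,#imm", 0x94: "SUBB A,#imm", 0xB4: "CJNE A,#imm,rel"}

def find_compare_sites(fw: bytes, cdb_op: int):
    """Return (offset, form, not_equal_target) for each immediate compare
    against cdb_op. The branch target is resolved for CJNE only."""
    hits = []
    for i in range(len(fw) - 2):
        form = OPCODE_FORMS.get(fw[i])
        if form is None or fw[i + 1] != cdb_op:
            continue
        target = None
        if fw[i] == 0xB4:
            rel = fw[i + 2] - 0x100 if fw[i + 2] >= 0x80 else fw[i + 2]
            target = i + 3 + rel          # relative to the next instruction
        hits.append((i, form, target))
    return hits

def describe(fw: bytes, cdb_op: int):
    """Human-readable lines, one per candidate, for checking by hand."""
    lines = []
    for off, form, target in find_compare_sites(fw, cdb_op):
        line = f"0x{off:04X}: {form} 0x{cdb_op:02X}"
        if target is not None:
            line += f" -> not-equal branch to 0x{target:04X}"
        lines.append(line)
    return lines

# Constructed sample image: a CJNE against 0xAD at 0x0010, an XRL against
# 0xAD at 0x0033 followed by JZ +3, and stray 0xAD data bytes that must not
# be reported because nothing compares against them.
SAMPLE_FW = (b"\x00" * 0x10 + b"\xB4\xAD\x05" + b"\x00" * 0x20
             + b"\x64\xAD\x60\x03" + b"\xAD\x00" * 4)

if __name__ == "__main__":
    for line in describe(SAMPLE_FW, 0xAD):    # 0xAD = READ DVD STRUCTURE
        print(line)
```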