jumba
« Reply #661 on: January 12, 2006, 05:14:02 PM »
Anybody got the pinout for the sammy(s) RAM? 416256A. Some say DRAM but it has 40 pins. Is it 32kx8?
It's actually 256k x 16 EDO Page DRAM.
MacDennis
« Reply #662 on: January 12, 2006, 06:10:17 PM »
Spec, what Takires means is that the placeholder does exist on the disk physically. But in the code of authentication, it's not necessary to check it. Maybe MS uses this placeholder to prevent the disk from being dumped with the raw read method.
I already mentioned this some time ago. Did anyone actually read the message/patent? http://www.xboxhacker.net/index.php?option=com_smf&Itemid=32&topic=76.msg1351#msg1351
Security placeholders are used to *hinder* dumping, if we should believe the patent. I don't believe much has changed between the physical security of an XBOX1 disc and an X360 disc. Why? Money! XBOX1 games are still being pressed and are still quite popular. It's more cost effective to use the same machinery/procedures to fabricate XBOX1 and X360 discs. Remember that the XBOX1 hasn't made any profit yet. So, the X360 should be made as cost effective as possible. It seems that they only added another layer of protection between the communication of the console and the DVD-ROM drive.
Tiros
« Reply #663 on: January 12, 2006, 09:11:54 PM »
Thanks for the RAM info. Not sure quite how it works yet but I do know that the data bus is not shared with the PROM. Also for sammy, bank switching is handled by P1.0 for the 605 (2 banks of 64k), and P1.0 & P1.1 for the 360 sammy (4 banks). I recommend you split the file into 64k chunks before you try to disassemble. http://bit.kuas.edu.tw/~8051/
I am using Dis8051. DOS-based, you can create a "tag" file to somewhat control disassembly. Use a different label character for each bank.
« Last Edit: January 12, 2006, 09:16:56 PM by Tiros »
Takires
« Reply #664 on: January 13, 2006, 03:52:17 AM »
Spec, what Takires means is that the placeholder does exist on the disk physically. But in the code of authentication, it's not necessary to check it. Maybe MS uses this placeholder to prevent the disk from being dumped with the raw read method.
Takires, can you elaborate on this? What I meant is that if the placeholders only exist to prevent dumping (that is indeed what I currently believe), then the placeholders are not being used (by the xbox). However, this seems like a really lame protection, I almost can't believe that this could be true.
They are kind of used. From testing with my DVD burner I can read the xbox partition but there are large block ranges that are simply unreadable. According to the file system there should be data where these unreadable blocks are. So my current guess is that the FW in the drive remaps LBA ranges to get around these placeholders.
MacDennis
« Reply #665 on: January 13, 2006, 04:38:18 AM »
They are kind of used. From testing with my DVD burner I can read the xbox partition but there are large block ranges that are simply unreadable. According to the file system there should be data where these unreadable blocks are. So my current guess is that the FW in the drive remaps LBA ranges to get around these placeholders.
Well, if you look at the patent then you will notice that the security placeholders are placed *in between* files on the disc. So, if the host relies on the TOC for reading files then the security placeholders aren't accessed at all. Also, 'dumping' a disc with an xbox tool like DVD2XBOX works fine. Such a tool doesn't do a sector dump to create an ISO but simply copies single files off the disc, so placeholders are bypassed. If you do a real 1:1 sector dump then yes, you will encounter errors. Also, the position of the security placeholders is different from disc to disc. Kernel and DVD-ROM firmware don't know where to look for them. Well, it's actually possible in theory. Then the disc should contain a data table with pointers to the location of the placeholders. Correct me if I'm wrong.
Takires
« Reply #666 on: January 13, 2006, 05:11:24 AM »
Also, the position of the security placeholders is different from disc to disc. Kernel and DVD-ROM firmware don't know where to look for them. Well, it's actually possible in theory. Then the disc should contain a data table with pointers to the location of the placeholders. Correct me if I'm wrong.
The disc has such a data table, it is in the very same sector that has the data for the READ DVD STRUCTURE command. Basically the FW is doing three memcpys after reading the sector:
memcpy((void *)0x6E35C, &Sector[0x0C], 0x65F);
memcpy((void *)0xAE55F, &Sector[0x66B], 0xD1);
memcpy((void *)0xAE406, &Sector[0x73C], 0xD0);
The upper word of the destination addresses is the memory bank that is being mapped to E000-EFFF. Sector is the raw sector buffer (i.e. Data Unit 1). The first part of the sector is the data that is returned by READ DVD STRUCTURE, the second part is used at least for checking LBA ranges and the third part is used in MODE SELECT.
TheSpecialist
« Reply #667 on: January 13, 2006, 11:54:58 AM »
The disc has such a data table, it is in the very same sector that has the data for the READ DVD STRUCTURE command. Basically the FW is doing three memcpys after reading the sector:
memcpy((void *)0x6E35C, &Sector[0x0C], 0x65F);
memcpy((void *)0xAE55F, &Sector[0x66B], 0xD1);
memcpy((void *)0xAE406, &Sector[0x73C], 0xD0);
The upper word of the destination addresses is the memory bank that is being mapped to E000-EFFF. Sector is the raw sector buffer (i.e. Data Unit 1). The first part of the sector is the data that is returned by READ DVD STRUCTURE, the second part is used at least for checking LBA ranges and the third part is used in MODE SELECT.
Agreed, the first part is the data that 'read dvd structure' returns. The third part is used by the FW to create a table with responses and corresponding challenge IDs (using the challenge to decrypt that block with), so that's why 'mode select' needs it. I however have missed that second part, going to look into that this weekend, thanks for bringing this up, VERY interesting. BTW, about that third part (creation of the table with responses): I ripped that decryption routine out of the firmware and loaded it into an 8051 simulator to see if it works: it does. However, I don't have the correct data to feed it yet (since I haven't successfully extracted the complete sector yet). So, about that sector: you said it was sector 21E (lead-in), however I believe it to be sector FD021E (lead-out), can you confirm this? BTW, I'm sure you noticed, but to make your analysis complete: &Sector[0x07] to &Sector[0x0A] contain the unencrypted challenge.
« Last Edit: January 13, 2006, 12:28:35 PM by TheSpecialist »
TheSpecialist
« Reply #668 on: January 13, 2006, 12:33:18 PM »
So, to have the complete XBOX 1 authentication process summarized (this time both from the xbox and the drive's side of the process):
1a. Firmware reads sector (FD0)21E after a disc is inserted. Bytes $7 to $A contain the challenge. Starting at byte $C is the block that it sends to the XBOX in response to a 'read dvd structure' request. Firmware decrypts the block starting at byte $73C of this sector with the challenge. This results in a table with challenge IDs and corresponding responses that the drive uses in its 'mode select' routine.
1b. Firmware checks a few bytes from the 'layer descriptor' part of the control data block (from that sector (FD0)21E): disc category, disc size, number of layers/track path/layer type, linear/track density must be correct. If so, it sets the 'ControlblockValid' byte to 1. This byte is always returned in the 'mode sense' replies from drive to xbox. This is a basic check, done to see if the disc is a correct DVD-ROM disc.
2a. XBOX checks that this ControlblockValid byte is set to 1.
2b. Xbox sends a 'read dvd structure' request and decrypts the block it got back: this results in a table with the challenge, challenge IDs and responses.
2c. Xbox compares the 'disc category' that's in this block to the one that it received in reply to the first mode sense. These must be the same (both $D1).
3. In the mode sense/mode select session the challenge/challenge IDs/responses are exchanged. Drive verifies that the challenge it received from the XBOX is correct, looks up the challenge ID in the table and sends the corresponding response back.
So, that's now the 100% complete authentication process from both the drive and the xbox 1 side. Well, only that sector number is still in question from my point of view. But this post contains all the info needed to mod a xbox 1 FW to get a backup authenticated:
1. Set ControlblockValid in the drive to one.
2. Set disc category to $D1.
3. Save a control data block to the FW (that it can return to the xbox). Save a challenge and a table with challenge IDs and corresponding responses to the FW that it can use in the mode select handler.
4. Make sure that the drive doesn't enter state B (otherwise sector nr's will be added and we don't want that when a backup is in the drive, hehe). Also, we don't want state B, because we don't want it to use that table for rerouting the 'bad sectors', as there aren't any on our backup.
This hack is still pretty easy to beat by M$, so some improvement is needed, but that's of later concern. I'm still trying to get my hands on a VAD6011, I want to mod it as pointed out above, but I'm quite sure that it will work.
« Last Edit: January 18, 2006, 03:08:00 PM by TheSpecialist »
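The sector layout from replies #666 and #667 and the step-1b ControlblockValid check from the summary above, as an added example that is not code from the thread or from any drive firmware: it splits a raw sector into the challenge and the three blocks the firmware copies, decodes each destination address into (bank, address inside the E000 window), and applies the descriptor checks of steps 1b and 2c. It assumes a 2064-byte raw sector (12-byte header, 2048 data bytes, 4-byte EDC), that the layer descriptor starts at the beginning of the READ DVD STRUCTURE block, and constructed values for every descriptor byte except the $D1 category.

```python
# Added example, not code from the thread or from any drive firmware.
RAW_SECTOR_LEN = 2064  # assumption: 12-byte header + 2048 data + 4-byte EDC (Data Unit 1)

# (destination, source offset, length) exactly as the three firmware memcpys in reply #666
COPY_TABLE = (
    (0x6E35C, 0x00C, 0x65F),  # block returned for READ DVD STRUCTURE
    (0xAE55F, 0x66B, 0x0D1),  # table used at least for checking LBA ranges
    (0xAE406, 0x73C, 0x0D0),  # encrypted block used in MODE SELECT
)
CHALLENGE_OFF, CHALLENGE_LEN = 0x07, 4  # bytes $7..$A hold the unencrypted challenge
DISC_CATEGORY = 0xD1                    # category both mode sense and the block must report

def bank_and_offset(dest):
    """Decode a firmware destination: the bits above 16 select the 64K bank that is
    mapped into E000-EFFF, the low 16 bits are the address inside that window."""
    return dest >> 16, dest & 0xFFFF

def split_sector(sector):
    """Return (challenge, {(bank, addr): block}) for one raw sector."""
    if len(sector) != RAW_SECTOR_LEN:
        raise ValueError("expected %d raw bytes" % RAW_SECTOR_LEN)
    challenge = sector[CHALLENGE_OFF:CHALLENGE_OFF + CHALLENGE_LEN]
    blocks = {}
    for dest, src, length in COPY_TABLE:
        if src + length > len(sector):  # a copy past the buffer is a layout bug, not data
            raise ValueError("copy from 0x%X overruns the sector" % src)
        blocks[bank_and_offset(dest)] = sector[src:src + length]
    return challenge, blocks

def control_block_valid(dvd_structure, expected):
    """Step 1b: category, size, layers/track path/type and density bytes must match
    the expected tuple, and the category must be $D1; returns 1 or 0 like the firmware
    byte. Assumes the layer descriptor starts at the beginning of the block."""
    return int(dvd_structure[:4] == bytes(expected) and expected[0] == DISC_CATEGORY)

def xbox_category_check(dvd_structure, mode_sense_category):
    """Step 2c: category in the decrypted block must equal the one from mode sense."""
    return dvd_structure[0] == mode_sense_category == DISC_CATEGORY

def build_sample_sector(category=DISC_CATEGORY):
    """Constructed sector: fixed challenge, descriptor bytes and block start markers."""
    s = bytearray(RAW_SECTOR_LEN)
    s[CHALLENGE_OFF:CHALLENGE_OFF + CHALLENGE_LEN] = b"\xDE\xAD\xBE\xEF"
    s[0x00C:0x010] = bytes([category, 0x0F, 0x01, 0x00])  # constructed descriptor values
    s[0x66B], s[0x73C] = 0xAA, 0x55  # markers at the start of blocks two and three
    return bytes(s)
```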
robinsod
« Reply #669 on: January 13, 2006, 12:41:39 PM »
Anybody out there know where the reset pin on the MTK chip is? I want to hook a microcontroller, probably a PIC (16F877 probably), onto the flash (via connectors) and hold the MTK processor in reset so that I can read/erase/program the flash. That will tell us very quickly if the firmware's signed (unlikely IMHO).
Also, can anyone confirm the pinout of the power/eject connector on the DVD drive? An XBox1 cable has the same connector; are the pinouts the same?
Tiros
« Reply #670 on: January 13, 2006, 01:34:13 PM »
Anybody out there know where the reset pin on the MTK chip is?
I just use the IDE pin for reset; I think it's pin #1 or #2. One is ground, the other reset, so connecting the 2 will reset the MTK.
robinsod
« Reply #671 on: January 13, 2006, 02:36:39 PM »
Just to be clear, I mean the MTK chip reset in the '360 TS-H943 DVD drive.
Geremia
« Reply #672 on: January 13, 2006, 03:23:51 PM »
Also, can anyone confirm the pinout of the power/eject connector on the DVD drive? An XBox1 cable has the same connector; are the pinouts the same?
No, the connectors are the same but the pinout is different, and the 360 uses fewer pins than the xbox1. I already posted the pinout of the GDR-3120L, but the file is on a $#!tty upload center: http://www.dvb-upload.com/index.php?search=3120L&date=0
Not sure if the drive will be damaged by driving the eject pin to 5V, use at your own risk, and be quick.
anita999
« Reply #673 on: January 13, 2006, 09:21:58 PM »
Spec., the manual is in your mailbox, check it. BTW, why not start from the Samsung T943 firmware? It's also 8051 based.
TheSpecialist
« Reply #674 on: January 13, 2006, 09:29:02 PM »
Spec., the manual is in your mailbox, check it. BTW, why not start from the Samsung T943 firmware? It's also 8051 based.
Thanks! I was just re-reading the thread and found someone who posted a link to the instruction manual, just what I was looking for. Hope Siliconice can get that wiki up soon. I don't know yet on what firmware I'm going to focus, want to check them both out this weekend. I'm kind of fed up with 8051 and its memory bank swaps, hehe, so that's why I'm looking at the MN10300 now, but I'm not sure yet. If IDA could handle MN10300 I would pretty much choose that for sure. I love the hyperlinking in IDA ... I'm just looking at the instruction set, reminds me of good old 68k Commodore Amiga assembly.
« Last Edit: January 13, 2006, 09:41:57 PM by TheSpecialist »
smo
« Reply #675 on: January 14, 2006, 04:53:37 AM »
If IDA could handle MN10300 I would pretty much choose that for sure. I love the hyperlinking in IDA ...
I could add a HTML output mode with hyperlinking to my MN103 disassembler, if that would help.
Geremia
« Reply #676 on: January 14, 2006, 07:21:47 AM »
Just for your interest, the xbox1 Samsung SDG-605F (not the first 605B, totally different inside) differs from the xbox360 TS-H943 only in the MT single chip (MT1358E instead of MT1359SE) and 1Mbit flash instead of 2Mbit; I think it could be of interest for comparing. I searched the internet and found firmware and pics: http://venus.wsb-nlu.edu.pl/~bciazyns/Bios/
anita999
« Reply #677 on: January 14, 2006, 08:18:03 AM »
Spec, what if we modify the DVD burner firmware or the DVD burning software to burn the control blocks in the same location (lead-out or lead-in)? Will this fool the drive into recognizing it as an original disk? Or does the drive check the actual DVD format (D9) before it actually reads the control blocks?
anita999
« Reply #678 on: January 14, 2006, 08:22:40 AM »
In case any newcomers want to RE the Samsung drive's firmware, I made an IDC file to rename all cross-bank function calls and Keil C routines. All you have to do is to separate the bin file into 64K banks (4 banks in total), then load each bank one at a time into IDA, then execute this IDC file. It will shorten the time you need to spend tracing the cross-bank function calls and let you focus on the key portions. Unfortunately I haven't found any specific handlers for command 55h. If you need this IDC file, just drop me a message with your email, then I will send the file to you. Or if someone would like to host it, then please drop me a message. OK, here it is, please download the MT1359.idc on the web page below: http://360.j005u.net
Thanks to j005u for hosting this file.
« Last Edit: January 14, 2006, 08:57:05 AM by anita999 »
MacDennis
« Reply #679 on: January 14, 2006, 08:32:54 AM »
Spec., the manual is in your mailbox, check it. BTW, why not start from the Samsung T943 firmware? It's also 8051 based.
Thanks! I was just re-reading the thread and found someone who posted a link to the instruction manual, just what I was looking for. Hope Siliconice can get that wiki up soon. I don't know yet on what firmware I'm going to focus, want to check them both out this weekend. I'm kind of fed up with 8051 and its memory bank swaps, hehe, so that's why I'm looking at the MN10300 now, but I'm not sure yet. If IDA could handle MN10300 I would pretty much choose that for sure. I love the hyperlinking in IDA ... I'm just looking at the instruction set, reminds me of good old 68k Commodore Amiga assembly.
I think we should concentrate on a common platform. Our best bet is the Samsung drive. Why?
- Based on 8051 / 8052 / 8032 (?)
- Firmware / disassembly tools available
- PC flashing tool available, MTKflash: http://digi.rpc1.org/mwf.htm
- Datasheet / instruction manual available
- Stock PC drives can still be bought and converted to be an XBOX1 compatible drive, maybe X360 also soon
- You can use it in Windows XP, unlike the Philips drive. Besides that, the Philips isn't present in the X360
- Unlocking works in Windows XP
- Reading the DVD structure of an X360 disc partially works with a Samsung in Windows XP
- IDA IDC files available according to anita
We will make more progress if we all focus on the Samsung. There's no real need to work on the X360 yet, the XBOX1 firmware needs some work first. First we have to prove the concept. If anyone needs real-time firmware access logs of the Philips VAD6035 XBOX1 drive then PM me with your event/activity request.
« Last Edit: January 14, 2006, 09:43:32 AM by MacDennis »