XboxHacker BBS
 
Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 »
Topic: hacking DVD firmware? (Read 479047 times)
darkfly (Hacker, Posts: 97)
« Reply #460 on: January 03, 2006, 12:17:18 PM »

Will take some tonight, currently at work. Any specific areas you want photographed, or just the label and board?
Takires (Hacker, Posts: 69)
« Reply #461 on: January 03, 2006, 12:44:02 PM »

Some notes about the MN103:

1) There is (probably external) RAM at 0x80000000, size is at least 256K.
2) There is most likely an internal ROM at 0x40000000. Reason for this assumption is the missing reset vector.
3) The entire flash is mapped to 0x90000000.
4) During a reset the internal ROM will call 0x90000020. If the flash went bad, code at 0x90001000 will be executed, which contains emergency code for such situations.
5) It is possible to read 0x90004F80-0x90004FFF by sending a READ BUFFER command, Mode = data, Buffer ID = 0x80. This area contains a 20-byte number which is probably locking a drive to a specific Xbox. A WRITE BUFFER command can be used to permanently change this number.
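As an added example (not code from the thread or from any of the posters), the following C builds the SPC READ BUFFER / WRITE BUFFER CDB that note 5 refers to, maps dump offsets to the MN103 addresses from notes 3 and 4, and, on Linux, pushes the READ BUFFER through the SG_IO pass-through so it can be sent to a drive the OS otherwise ignores. Everything beyond the post is an assumption: buffer offset 0 for buffer ID 0x80, the region classification by top address nibble, and the SG_IO plumbing (Linux-specific, behind `#ifdef __linux__`). Only READ BUFFER is issued; WRITE BUFFER to this ID is, per the post, permanent.

```c
/* Added example, not from the thread: READ/WRITE BUFFER CDBs for the MN103 key
 * window, flash-offset <-> MN103 address mapping, and a Linux SG_IO pass-through. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define MN103_FLASH_BASE     0x90000000u  /* note 3: whole flash mapped here */
#define MN103_RESET_ENTRY    0x90000020u  /* note 4: internal ROM jumps here after reset */
#define MN103_RECOVERY_ENTRY 0x90001000u  /* note 4: fallback if the flash is bad */
#define KEY_FLASH_OFFSET     0x4F80u      /* note 5: window 0x90004F80-0x90004FFF */
#define KEY_WINDOW_LEN       0x80u
#define KEY_LEN              20u          /* note 5: 20-byte per-drive number */

enum { READ_BUFFER = 0x3C, WRITE_BUFFER = 0x3B, RB_MODE_DATA = 0x02, KEY_BUFFER_ID = 0x80 };

/* Region by the bases the post gives (internal ROM 0x4..., RAM 0x8..., flash 0x9...).
 * Treating each base as owning its whole 0xN0000000 range is an assumption: the post
 * gives no sizes beyond "at least 256K" for RAM. */
const char *mn103_region(uint32_t addr)
{
    switch (addr >> 28) {
    case 0x4: return "irom";
    case 0x8: return "ram";
    case 0x9: return "flash";
    default:  return "unknown";
    }
}

/* Offset inside a dumped flash image <-> address the MN103 executes from. */
uint32_t flash_to_mn103_addr(uint32_t flash_off) { return MN103_FLASH_BASE + flash_off; }
uint32_t mn103_addr_to_flash(uint32_t addr)      { return addr - MN103_FLASH_BASE; }

/* 10-byte READ BUFFER (3Ch) / WRITE BUFFER (3Bh) CDB per SPC: byte 1 mode, byte 2
 * buffer ID, bytes 3-5 buffer offset, bytes 6-8 allocation / parameter list length,
 * all big-endian. Returns 0, or -1 if a field does not fit its 24-bit slot. */
int build_buffer_cdb(uint8_t cdb[10], uint8_t opcode, uint8_t mode, uint8_t buffer_id,
                     uint32_t offset, uint32_t length)
{
    if ((opcode != READ_BUFFER && opcode != WRITE_BUFFER) || mode > 0x1F ||
        offset > 0xFFFFFFu || length > 0xFFFFFFu)
        return -1;
    memset(cdb, 0, 10);
    cdb[0] = opcode;
    cdb[1] = mode;
    cdb[2] = buffer_id;
    cdb[3] = (uint8_t)(offset >> 16); cdb[4] = (uint8_t)(offset >> 8); cdb[5] = (uint8_t)offset;
    cdb[6] = (uint8_t)(length >> 16); cdb[7] = (uint8_t)(length >> 8); cdb[8] = (uint8_t)length;
    return 0;
}

static uint8_t g_cdb[10];
/* The command from note 5: mode = data, buffer ID = 0x80, the whole 128-byte window.
 * Buffer offset 0 is an assumption; the post does not say which offset maps to 0x4F80. */
const uint8_t *key_window_read_cdb(void)
{
    build_buffer_cdb(g_cdb, READ_BUFFER, RB_MODE_DATA, KEY_BUFFER_ID, 0, KEY_WINDOW_LEN);
    return g_cdb;
}

#ifdef __linux__
#include <sys/ioctl.h>
#include <scsi/sg.h>
/* Send READ BUFFER through the Linux SG_IO pass-through (fd is an open /dev/sgN or
 * /dev/srN). Returns 0 and fills out[0..len) on success, -1 on ioctl or SCSI failure. */
int sg_read_buffer(int fd, uint8_t buffer_id, uint32_t offset, uint8_t *out, uint32_t len)
{
    uint8_t cdb[10], sense[32];
    sg_io_hdr_t io;
    if (build_buffer_cdb(cdb, READ_BUFFER, RB_MODE_DATA, buffer_id, offset, len) < 0)
        return -1;
    memset(&io, 0, sizeof io);
    io.interface_id = 'S';
    io.cmdp = cdb;            io.cmd_len = sizeof cdb;
    io.dxfer_direction = SG_DXFER_FROM_DEV;
    io.dxferp = out;          io.dxfer_len = len;
    io.sbp = sense;           io.mx_sb_len = sizeof sense;
    io.timeout = 5000;        /* milliseconds */
    if (ioctl(fd, SG_IO, &io) < 0) return -1;
    if ((io.info & SG_INFO_OK_MASK) != SG_INFO_OK) return -1;  /* CHECK CONDITION etc. */
    return 0;
}
#endif

int main(void)
{
    const uint8_t *c = key_window_read_cdb();
    printf("READ BUFFER CDB:");
    for (int i = 0; i < 10; i++) printf(" %02X", c[i]);
    printf("\nflash +0x%04X -> 0x%08X (%s); reset entry 0x%08X is flash +0x%04X\n",
           KEY_FLASH_OFFSET, flash_to_mn103_addr(KEY_FLASH_OFFSET),
           mn103_region(flash_to_mn103_addr(KEY_FLASH_OFFSET)),
           MN103_RESET_ENTRY, mn103_addr_to_flash(MN103_RESET_ENTRY));
    return 0;
}
```

Run stand-alone it prints the CDB (`3C 02 80 00 00 00 00 00 80 00`) and the address mapping; with a pass-through device, `sg_read_buffer(fd, 0x80, 0, buf, 0x80)` fetches the window so the 20-byte number can be compared across drives before anyone considers a WRITE BUFFER.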
MacDennis (Xbox Hacker, Posts: 614)
« Reply #462 on: January 03, 2006, 12:51:41 PM »

> And risk destroying an XBOX360 drive by using a Samsung Xbox 1 605 firmware utility?

> I don't think there is much risk using the MTK utility to READ the FW. If I had one I would try it!

I wasn't aware of the fact that the utility can also be used to dump a firmware. Well, it's probably worth a shot if it is. :)
About your 'flash emulator': are you talking about a software or hardware solution? A custom software solution can be made by analyzing the various 8163 / 8050 flashers out there. You could even log the ATA bus and decipher the flashing algorithm to make your own. I'm not sure if you have seen the following thread, but the last page has a download link to a flashup2 tool which can be used to flash a .dld (firmware) file to the 8163B and probably the 8050 too.
http://forum.rpc1.org/viewtopic.php?t=27703&postdays=0&postorder=asc&&start=0

See the following thread for another way to reflash your 8163B back to original status after flashing it with the 8050 XBOX flash:
http://forums.xbox-scene.com/index.php?showtopic=325005&st=600

Again, the 8163B is selling out fast so if anyone wants one, hurry!
Tiros (Master Hacker, Posts: 451)
« Reply #463 on: January 03, 2006, 01:01:23 PM »

> Some notes about the MN103:
>
> 1) There is (probably external) RAM at 0x80000000, size is at least 256K.
> 2) There is most likely an internal ROM at 0x40000000. Reason for this assumption is the missing reset vector.
> 3) The entire flash is mapped to 0x90000000.
> 4) During a reset the internal ROM will call 0x90000020. If the flash went bad, code at 0x90001000 will be executed, which contains emergency code for such situations.
> 5) It is possible to read 0x90004F80-0x90004FFF by sending a READ BUFFER command, Mode = data, Buffer ID = 0x80. This area contains a 20-byte number which is probably locking a drive to a specific Xbox. A WRITE BUFFER command can be used to permanently change this number.

Please detail the source of this information, as it conflicts with my LA testing.
1) I don't see any external RAM.
2) I see external execution starting @ 40000020, but am testing your IROM theory later, as I speculated a few posts back this may be the case.
5) Permanent? Private key? Could be bad news.
Excuse my speculation, but you have a real crumb here. Just wanted to know where you got it.
« Last Edit: January 03, 2006, 01:07:39 PM by Tiros »
Tiros (Master Hacker, Posts: 451)
« Reply #464 on: January 03, 2006, 01:03:12 PM »

> About your 'flash emulator'. Are you talking about a software or hardware solution?
Hardware, will work with no worries for 8051 or MN103.
MacDennis (Xbox Hacker, Posts: 614)
« Reply #465 on: January 03, 2006, 01:11:59 PM »

> I have plenty of experience working with surface mount components. I have no qualms about removing and replacing hardware, but I appreciate the concern. I have access to lots of fun tools, just didn't know what I would need to get ahold of besides what I have on hand to do the dump.

Cool! :D

Maybe Geremia can help you with the dump. He has dumped the firmware of his X360, see his posts at the start of this thread. He mentioned the following URL, very nice project:
http://webpages.charter.net/tvickers89/camcorder.htm :)

From that Url, this might help too ..
http://www.schmartboard.com/index.asp?page=products_sm&id=6
djhuevo (Member, Posts: 16)
« Reply #466 on: January 03, 2006, 01:30:42 PM »

> About your 'flash emulator'. Are you talking about a software or hardware solution?
> Hardware, will work with no worries for 8051 or MN103.

Please tell me more about that solution; are those emulators cheap?
Stealth (Newbie, Posts: 7)
« Reply #467 on: January 03, 2006, 02:51:52 PM »

Where can I find the appropriate MTK FW tools? I can try dumping mine tonight if I have a chance, though I doubt it would work from Windows, as Windows can't recognize the drive. Perhaps a DOS version would work.
Geremia (Xbox Hacker, Posts: 600)
« Reply #468 on: January 03, 2006, 03:16:49 PM »

> Where can I find the appropriate MTK FW tools? I can try dumping mine tonight if I have a chance. Though I doubt it would work from Windows, as Windows can't recognize the drive. Perhaps a DOS version would work.

http://digi.rpc1.org/mtkflash.htm

Only for MediaTek chipset drives, not Panasonic/Matsushita.

Supposing that mtkflash works only for IDE drives, you should probably have more success with a SATA-PATA converter, or with an Intel chipset motherboard that can remap SATA controllers to primary master or secondary master.
Tiros (Master Hacker, Posts: 451)
« Reply #469 on: January 03, 2006, 03:23:55 PM »

This is the DOS version, good for only a 1 Mbit ROM, I'm afraid.
There is a Windows version too, but I don't think it can dump, only flash; the DOS one can dump, and since it's so small, maybe a simple mod would make it work for larger memory.
BTW: you have to rename .png to .zip.

IIRC I got both from the "usual" places.
Also, I don't think the BIOS has to know about the drive; it uses direct port I/O.

Just noticed there is an address parameter to read more than one 64K chunk, looks more promising now:
http://forum.rpc1.org/viewtopic.php?t=3175

Prolly need the IDE to SATA converter to make it work.
« Last Edit: January 03, 2006, 08:40:38 PM by Tiros »
MacDennis (Xbox Hacker, Posts: 614)
« Reply #470 on: January 03, 2006, 03:36:01 PM »

> Supposing that mtkflash works only for IDE drives, you should probably have more success with a SATA-PATA converter, or with an Intel chipset motherboard that can remap SATA controllers to primary master or secondary master.

Geremia, could you share with us how you actually were able to dump the firmware from your X360 DVD-ROM drive? It might help others. I'd like to do the same one day, but I'm now too busy with the Philips Xbox 1 drive and the 8163B drive.
MacDennis (Xbox Hacker, Posts: 614)
« Reply #471 on: January 03, 2006, 04:10:18 PM »

> Some notes about the MN103:
>
> 1) There is (probably external) RAM at 0x80000000, size is at least 256K.
> 2) There is most likely an internal ROM at 0x40000000. Reason for this assumption is the missing reset vector.
> 3) The entire flash is mapped to 0x90000000.
> 4) During a reset the internal ROM will call 0x90000020. If the flash went bad, code at 0x90001000 will be executed, which contains emergency code for such situations.
> 5) It is possible to read 0x90004F80-0x90004FFF by sending a READ BUFFER command, Mode = data, Buffer ID = 0x80. This area contains a 20-byte number which is probably locking a drive to a specific Xbox. A WRITE BUFFER command can be used to permanently change this number.

Could you share with us how you were able to gather this information?
As it seems, all evidence points to offset 0x20 in the firmware as the 'reset vector'.

The part about the READ BUFFER is interesting. Two people in this thread have dumped a 0047 version ROM (Xbox 360): Geremia and zobyone.
Posting by zobyone:
http://www.xboxhacker.net/forums/index.php?topic=76.msg955#msg955

As you can see, there are only a few differences, and all differences are in the 0x4F80 to 0x4FFF region. At 0x4F82 there are only 6 differences. If you compare 0x4F82 between a 0046 dump and a 0049 dump, then there are only 4 differences.

My theory:
  • The DVD-ROM drive serial number is stored (encoded) at 0x4F80; the 4 / 6 byte difference could be because the serial number of a 0046 differs more than a 0047 version.
  • 0x4F00 might contain the serial number of the console or the console ID. Notice that the 0046 version starts with 0x2A and the 0049 versions with 0x3A and 0x3B. Newer version, newer console, higher (console) serial number?

We could verify this if we knew all serial numbers involved.
« Last Edit: January 03, 2006, 04:14:03 PM by MacDennis »
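The comparison MacDennis describes (and the "send the WRITE command, dump again, and see if any other bytes changed" experiment Tiros proposes further down) is a byte-level diff of two flash images with every difference classified by whether it falls inside the 0x4F80-0x4FFF window. The following C is an added example, not code from the thread or from any of the posters; the two images it diffs are constructed in the code (a deterministic fill with six bytes changed at 0x4F82, mimicking the 0047-vs-0047 result reported above), not real dumps, and a flash image length of 0x5000 bytes is assumed only to keep the sample small.

```c
/* Added example, not from the thread: diff two flash dumps and decide whether they
 * differ only in the per-drive window (same build, different binding) or elsewhere. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DUMP_LEN 0x5000u   /* constructed images cover only the first 20 KiB (assumption) */
#define KEY_LO   0x4F80u   /* per-drive window from the READ BUFFER note */
#define KEY_HI   0x4FFFu

struct diff_report {
    size_t total;          /* differing bytes overall */
    size_t in_key_window;  /* of those, how many fall in KEY_LO..KEY_HI */
    size_t first_off;      /* first and last differing offsets (SIZE_MAX if none) */
    size_t last_off;
    size_t first_outside;  /* first difference outside the window (SIZE_MAX if none) */
};

struct diff_report diff_dumps(const uint8_t *a, const uint8_t *b, size_t len)
{
    struct diff_report r = { 0, 0, SIZE_MAX, SIZE_MAX, SIZE_MAX };
    for (size_t i = 0; i < len; i++) {
        if (a[i] == b[i]) continue;
        if (r.total == 0) r.first_off = i;
        r.last_off = i;
        r.total++;
        if (i >= KEY_LO && i <= KEY_HI) r.in_key_window++;
        else if (r.first_outside == SIZE_MAX) r.first_outside = i;
    }
    return r;
}

/* 1 when the images differ only inside the per-drive window, i.e. they look like the
 * same firmware build bound to two different drives; 0 otherwise (identical included). */
int differs_only_in_binding(const struct diff_report *r)
{
    return r->total > 0 && r->in_key_window == r->total;
}

/* Constructed sample images (not real dumps): a deterministic fill that agrees everywhere,
 * then six bytes changed at 0x4F82 in b, the pattern the post reports for two 0047 dumps. */
static uint8_t dump_a[DUMP_LEN], dump_b[DUMP_LEN];
static void make_samples(void)
{
    for (size_t i = 0; i < DUMP_LEN; i++) dump_a[i] = (uint8_t)((i * 31u) ^ (i >> 8));
    memcpy(dump_b, dump_a, DUMP_LEN);
    static const uint8_t delta[6] = { 0x11, 0x22, 0x33, 0x44, 0x55, 0x66 };
    for (size_t i = 0; i < 6; i++) dump_b[0x4F82 + i] ^= delta[i];
}

struct diff_report sample_report(void)
{
    make_samples();
    return diff_dumps(dump_a, dump_b, DUMP_LEN);
}
int sample_is_binding_only(void)
{
    struct diff_report r = sample_report();
    return differs_only_in_binding(&r);
}

/* Same pair, but with one byte of the reset entry (flash +0x20) also changed: the
 * difference is then no longer explained by drive binding alone. */
struct diff_report sample_report_with_code_change(void)
{
    make_samples();
    dump_b[0x20] ^= 0xFF;
    return diff_dumps(dump_a, dump_b, DUMP_LEN);
}
int sample_with_code_change_is_binding_only(void)
{
    struct diff_report r = sample_report_with_code_change();
    return differs_only_in_binding(&r);
}

int main(void)
{
    struct diff_report r = sample_report();
    printf("%zu differing bytes, %zu inside 0x%04X-0x%04X, span 0x%04zX-0x%04zX: %s\n",
           r.total, r.in_key_window, KEY_LO, KEY_HI, r.first_off, r.last_off,
           differs_only_in_binding(&r) ? "binding only" : "code differs too");
    r = sample_report_with_code_change();
    printf("%zu differing bytes, first outside window at 0x%04zX: %s\n",
           r.total, r.first_outside,
           differs_only_in_binding(&r) ? "binding only" : "code differs too");
    return 0;
}
```

On real dumps, replace the constructed arrays with two files read into memory and run `diff_dumps` over the full length; a non-empty `first_outside` after a WRITE BUFFER round trip is exactly the "other bytes changed" signal worth looking for before trusting that the window is the only per-drive data.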
QuiescentWonder (Master Hacker, Posts: 239)
« Reply #472 on: January 03, 2006, 04:20:12 PM »

Next batch of 360s I come across, I'll get a few and swap the drives and see the results. No one has yet confirmed that it is a serial number. I'm guessing (hoping, really) that it's the firmware version or drive manufacturer that's tied to the console, and not a serial number.

Perhaps Geremia and zobyone would be kind enough to exchange drives so we can see the results.
Tiros (Master Hacker, Posts: 451)
« Reply #473 on: January 03, 2006, 04:24:58 PM »

> The part about the READ BUFFER is interesting. Two people in this thread have dumped a 0047 version ROM (Xbox 360): Geremia and zobyone.
> Posting by zobyone:
> http://www.xboxhacker.net/forums/index.php?topic=76.msg955#msg955
>
> As you can see, there are only a few differences, and all differences are in the 0x4F80 to 0x4FFF region. At 0x4F82 there are only 6 differences. If you compare 0x4F82 between a 0046 dump and a 0049 dump, then there are only 4 differences.
>
> My theory:
>   • The DVD-ROM drive serial number is stored (encoded) at 0x4F80; the 4 / 6 byte difference could be because the serial number of a 0046 differs more than a 0047 version.
>   • 0x4F00 might contain the serial number of the console or the console ID. Notice that the 0046 version starts with 0x2A and the 0049 versions with 0x3A and 0x3B. Newer version, newer console, higher (console) serial number?
> We could verify this if we knew all serial numbers involved.
A good theory. Should be trivial to mod the Unlocker code to try this out on a few drives. Would also be interesting to swap those bytes out and see if transplant to another motherboard becomes possible. If those bytes are the only difference, it really should work. Another idea is to send the WRITE command, dump again, and see if any other bytes changed. Could be very revealing.
« Last Edit: January 03, 2006, 04:27:23 PM by Tiros »
smo (Member, Posts: 24)
« Reply #474 on: January 03, 2006, 04:27:39 PM »

> A good theory. Should be trivial to mod the Unlocker code to try this out on a few drives.

Does Linux/Windows/any OS detect the Xbox 360 yet enough to send it ATAPI commands?
Tiros (Master Hacker, Posts: 451)
« Reply #475 on: January 03, 2006, 04:31:24 PM »

> Does Linux/Windows/any OS detect the Xbox 360 yet enough to send it ATAPI commands?
If the software does direct port I/O it does not need to be detected. Probably will need IDE to SATA to try it.
Not sure where we are on Windows/DOS detecting the 360 drive; think the guy who tried it fried his unit :(
Anybody got current info on this?
darkfly (Hacker, Posts: 97)
« Reply #476 on: January 03, 2006, 04:38:42 PM »

Thought I would mention that Buy.com has a bundle of the Addonics SATA -> PATA and PATA -> SATA converter boards for approximately $50 US if anyone was interested.
darkfly (Hacker, Posts: 97)
« Reply #477 on: January 03, 2006, 07:19:28 PM »

Just finished taking high-res pics and scans of the drive label and logic board, just waiting on somewhere to host them. Upon closer inspection this is definitely not hot-melt glue over the SST, but some hard, clear epoxy.

I don't have much hope for removing the part unless there are solvents that won't damage the rest of the board.

I have managed to use a drill press with a 1/32-inch bit to drill down next to the legs of the IC so that I can solder wires to the legs if need be.
Geremia (Xbox Hacker, Posts: 600)
« Reply #478 on: January 03, 2006, 07:54:20 PM »

> Supposing that mtkflash works only for IDE drives, you should probably have more success with a SATA-PATA converter, or with an Intel chipset motherboard that can remap SATA controllers to primary master or secondary master.
>
> Geremia, could you share with us how you actually were able to dump the firmware from your X360 DVD-ROM drive? It might help others. I'd like to do the same one day, but I'm now too busy with the Philips Xbox 1 drive and the 8163B drive.

As far as I know, there is no software to extract the flash content from an MN103 chipset drive. Me and (supposedly) other people desoldered the flash and dumped it with a flash burner.
The chip is a 14mm/0.5mm TSOP package; it's shorter than the usual 19mm TSOP flash, so I had to self-build an adapter. I used the PCB of an old 20GB Maxtor HD; it has free pads for a 14mm TSOP flash, and nearly all pins are traced to a soldering-comfortable row of pins.
Here is a $#!tty pic of it :) http://www.dvb-upload.com/index.php?action=download&pid=37190

I think this can be used as well: http://www.distrelec.com/ishop/ImagesProduct/distrelec/451415F.JPG

...and sorry, I have only 1 Xbox 360, and it is actually dead with an empty NAND flash.

I actually power my 3120 drive with a PC power supply, and it seems that an Intel chipset motherboard recognizes it better than VIA; I'll try the Linux unlocker on an Intel motherboard as soon as possible with an Xbox 1 game disc.
Here is the pinout I'm using for the external power supply. Eject works, but I don't know if it's safe to quickly drive 5V to the eject pin; it opens for now, maybe it will flame next time :) http://www.dvb-upload.com/index.php?action=download&pid=37202
darkfly (Hacker, Posts: 97)
« Reply #479 on: January 03, 2006, 08:03:00 PM »

The scan of the top of the board didn't come out; all you could see were the capacitors, so I took a shot with a camera.
Powered by SMF 1.1.11 | SMF © 2006-2009, Simple Machines LLC