hacking DVD firmware ?

[InterestedHacker]

oz_paulb: 2 versions have been dumped. the 47DH by germania and the 46DH by reamfmodfreaks. also has anyone else independently confirmed the swaping dvd drive thing? i mean the guy who tried was using 2 different rom versions on his drives. That might have had something to do with it.

Hit the nail on the head there, that's crossed my mind more than once.  I suspect that the drives will work once swapped.  Do we by chance have two copies of the same version of firmware to make sure they are identical?

[MacDennis]

Something to consider (if we think offset 0 should be code): address-line flipping.

IF adress-line flipping is being used, wouldn't all the bits be scattered all around in the firmware file? Strings of text can be identified after descrambling, that wouldn't be possible if address-line flipping is used. Or am I missing something?

[Phantasm]

if only a few of the higher end address lines were flipped then you would end up with blocks of code transposed.

[thecheekymonkey]

i`ll try swap the drives from each premium tomorrow if i get chance, bit busy here at the moment.

incidently, theres no way of popping an xbox drive in a pc and using that to get any info? (i`m clueless with regards to this, so if i`m being thick, tell me    )


but i will swap the drives over, just get people playing on the xbox360s at the  moment (namely the kids) and regardless of the importance i dont think they`ll appreciate it)

[MacDennis]

if there is a way to dump the firmware via a sata cable in a pc (or is it removal of the chip only), then let me know, ive got 2 premiums heres

I haven't heard about a way to dump the firmware by sata yet. But could you possibly try to swap the drives and check if it works then?

cjack tried to swap the drives between a core and a premium but that did't work, might be because of firmware differences.
http://www.xboxhacker.net/forums/index.php?topic=6.msg356#msg356

[marvin]

Anyone want to pm me the disassembly? as I dont have cygwin installed

get it here,
built w/o cygwin so no dependency.

http://rapidshare.de/files/9655049/objdump-mn10300-win32.zip.html

[BlueCop]

thecheekymonkey: apparently the dangerous brother have a utility to dump the firmware from a parrellel ata intereface  if you read back on that old xbox-scene thread about the conversion of a 8163B to an 8050L. Before anyone took the chip off and dumped it manually the brothers supplied a tool to dump the firmware to a guy. everyone who tried it said they couldn't get it to work though. I beleive this is because it was specificly looking for a 8163B drive and not the 8050L which they had connected. If we could get a hold of this thing it might be possible it could be of use or modified to be of use. Still waiting on a pm back from the guy who orginally got the thing for them.

marvin: thanks i having trouble geting it compiled

[Phantasm]

Anyone want to pm me the disassembly? as I dont have cygwin installed

get it here,
built w/o cygwin so no dependency.

http://rapidshare.de/files/9655049/objdump-mn10300-win32.zip.html

many thanks.

[MacDennis]

I just downloaded Dvdinfo pro and started it up. I sent a Read DVD structure 'physical format information' (code 00h) command to an original XBOX dvd in my pc drive. Layer 1 and block 0x00FD0200, agid 0, just like the XBOX does. It came up with a control block that only contained a few bytes. Then I changed the block number and it returned the same data.

I then thought about something i read in the MMC-4 specs, that the 'adress field' (sector number) is reserved in this specific command. I read that some time ago, and wondered why the xbox supplied a blocknumber, if it is reserved ! So, it means that a xbox DVD contains 2 control blocks -> the 'regular' one, as returned by software like DVD pro and the control block used for authentication ! That last block is at sector 0x00FD0200, Layer 1 and can't be accessed from a normal PC drive (under normal circumstances), since it's outside of the 'visible' partition.

When I looked at the 'regular' control block something strange hit me: the end sector is different from the end sector that the 'media info' option in dvdinfo supplies. DVDinfo says (in the 'info drive' section) that the end sector is 31AAF (which is 'correct' from the PC's point of view -> that's the end sector of the video partition) but in the control block it says its FCE5EF (which probably is the 'REAL' end sector)

I tried the exame same thing. I noticed that '31AAF' is actually present in the regular control block! It's on the second line. Maybe you overlooked it? Or does it mean something else? What's the structure of the regular control block anyway?

[thecheekymonkey]

thecheekymonkey: apparently the dangerous brother have a utility to dump the firmware from a parrellel ata intereface  if you read back on that old xbox-scene thread about the conversion of a 8163B to an 8050L. Before anyone took the chip off and dumped it manually the brothers supplied a tool to dump the firmware to a guy. everyone who tried it said they couldn't get it to work though. I beleive this is because it was specificly looking for a 8163B drive and not the 8050L which they had connected. If we could get a hold of this thing it might be possible it could be of use or modified to be of use. Still waiting on a pm back from the guy who orginally got the thing for them.

marvin: thanks i having trouble geting it compiled

ok well its now impossible for me to exchange the drives, ive been told in no uncertain terms not to open the childs 360.

however i can open mine and do a `dump` of whatever anyone wants.

i know this is unrelated but i`m gonna try also to clone the hdd to a 60 gig laptop sata drive whilst i`m bored, using acronis true image 

if ya get me the toolz i`ll give it a go.





edit 

or are we talkin about xbox`s here lol.

either way ive got pleanty xboxs at hand with H-L drives so whatever anyone wants 

  `ozpaulb` he`s the guy that brought LBA48 to the xbox  .

gday paul 

[Helltick]

To unlock the debug commands of the MN10200 the following commands need to be sent...

FF 01 4D 41 54 53 48 49 54 41 02
FF 00 44-56 44 2D 47 41 4D 45 03

Or

FF 01 'M 'A 'T 'S 'H 'I 'T 'A 02 00
FF 00 'D 'V 'D '- 'G 'A 'M 'E 03 00

[InterestedHacker]

i know this is unrelated but i`m gonna try also to clone the hdd to a 60 gig laptop sata drive whilst i`m bored, using acronis true image 

if ya get me the toolz i`ll give it a go.

I am sure you already know, but incase you don't you're gonna need a 12v supply from somewhere external to power the drive to test it.

[batmark]

I was also wondering how the correct option for the bit changing was chosen.

Any who..... i think i'm a bit out of my league now!!!

Keep doing good things guys!!!!

[Phantasm]

There are some areas of data that follow a pattern towards the end of the dump (at offsets $3c68a and $3c28e for example).

[loser]

yes i too am interested in whether each eeprom is unique, or if its the same for every drive.
and for the record, i use ultraedit as my text and hex editor.

as for the bit patterns, use the version of the source code i posted that generates all 24 possible permutations, then look at offset 0x3c68c in each resultant file. you will see a 'character table' (what im going to call it anyway), this character table counts up from 01 to E2.
the only files where this character table is 'correct are: 09.bin and 23.bin

there are a many little things that then make me choose 23 over 09.
at offset 0x3c890, just after the character table, you will see groupings of 32bit numbers that all have 00 as their high byte in 23, but mixed in 09.
at offset 0x3d110 there are patterns where entire vertical 'lines' have 0x90 in 23, but are mixed in 09.
at offset 0x3d260 there are groupings of 2 byte values in 23, but in 09 they are mixed.

try looking through these yourself if you need convincing to believe my result
i am quite sure the resultant bit pattern i settled on is the correct one.

[Phantasm]

also if you look at the disassembly starting at offset $20 it all seems to make sense

40000020:   fa fc ff fd    and   65023,psw
40000024:   cb             nop   
40000025:   cb             nop   
40000026:   00             clr   d0
40000027:   81             mov   d0,d1
40000028:   82             mov   d0,d2
40000029:   83             mov   d0,d3
4000002a:   f1 e0          mov   d0,a0
4000002c:   f1 e1          mov   d0,a1
4000002e:   f1 e2          mov   d0,a2
40000030:   24 fc 0d       mov   3580,a0
40000033:   f2 f0          mov   a0,sp
40000035:   80 14          mov   20,d0
40000037:   01 a0 d9       mov   d0,(0xd9a0)
4000003a:   2d 00 0e       mov   3584,d1
4000003d:   a5 00          cmp   0,d1
4000003f:   c3 1f          ble   0x4000005e

40000041:   90 00          mov   0,a0
40000043:   00             clr   d0
40000044:   60             mov   d0,(a0)
40000045:   50             inc4   a0
40000046:   29 fc          add   -4,d1
40000048:   c1 fc          bgt   0x40000044

4000004a:   2d 00 04       mov   1024,d1
4000004d:   a5 00          cmp   0,d1
4000004f:   c3 0f          ble   0x4000005e

40000051:   fc dc 00 d0    mov   -2147233792,a0 //8003D000
40000055:   03 80
40000057:   00             clr   d0
40000058:   60             mov   d0,(a0)
40000059:   50             inc4   a0
4000005a:   29 fc          add   -4,d1
4000005c:   c1 fc          bgt   0x40000058

4000005e:   85 7c          mov   124,d1
40000060:   a5 00          cmp   0,d1
40000062:   c3 16          ble   0x40000078
40000064:   fc dc 80 e7    mov   -1878792320,a0 //9003E780
40000068:   03 90
4000006a:   fc dd bc d3    mov   -2147232836,a1 //8003D3BC
4000006e:   03 80
40000070:   70             mov   (a0),d0
40000071:   50             inc4   a0
40000072:   61             mov   d0,(a1)
40000073:   51             inc4   a1
40000074:   29 fc          add   -4,d1
40000076:   c9 fa          bne   0x40000070

40000078:   f8 fe fc       add   -4,sp
4000007b:   fc ff 4a 00    calls   0x400000c5
4000007f:   00 00
40000081:   f8 fe 04       add   4,sp
40000084:   f8 fe fc       add   -4,sp
40000087:   fc ff 67 00    calls   0x400000ee
4000008b:   00 00
4000008d:   f8 fe 04       add   4,sp
40000090:   fc dc fc e7    mov   -1878792196,a0 //9003E7FC
40000094:   03 90
40000096:   70             mov   (a0),d0
40000097:   a0 00          cmp   0,d0
40000099:   c8 23          beq   0x400000bc

4000009b:   fc dc 00 60    mov   -1879023616,a0 //90006000
4000009f:   00 90
400000a1:   fc dd 00 e8    mov   -1878792192,a1 //9003E800
400000a5:   03 90
400000a7:   85 00          mov   0,d1
400000a9:   70             mov   (a0),d0
400000aa:   e1             add   d0,d1
400000ab:   50             inc4   a0
400000ac:   b4             cmp   a1,a0
400000ad:   c4 fc          bcs   0x400000a9

400000af:   a5 00          cmp   0,d1
400000b1:   c8 0b          beq   0x400000bc

400000b3:   fa fd 00 0f    or   3840,psw
400000b7:   cb             nop   
400000b8:   cb             nop   
400000b9:   cc 47 0f       jmp   0x40001000

400000bc:   fa fd 00 0f    or   3840,psw
400000c0:   cb             nop   
400000c1:   cb             nop   
400000c2:   cc 7e 5f       jmp   0x40006040

[batmark]

I wasn't dobuting you guys, I just want to learn how to do cool things like this for myself.

Now i'll see if i can find what you are talking about. 

[Tiros]

The start of the program (reset) must be on a page boundry in the ROM. ie:Reset vector is @00000000.
and it's gonna be a JMP since the NMI vector is @00000008.

[TheSpecialist]

Guys,

We might have a serious problem, I didn't think of before. While it certainly seems that it's possible to defeat the kernel and get a backup 'authenticated' from the kernel's point of view, there still can be checks done from within the XBE's. A game programmer could, for example, check for existance of the security placeholders on disk, from within the XBE ... I don't want to demotivate anyone, but I think we should really think about a way to defeat XBE checks, because I'm pretty sure they're going to do something like that, as soon as our 'mod' is ready (or even already now, while reading this thread, hehe)

[TheSpecialist]

One possible solution is to save the data, that's can't be copied onto the same sectornr on a DVD +/- R (because that area is not writeable for example) to some other location and reroute the FW to look for that data in another location. But something like this will be VERY hard to code I guess ...