XboxHacker BBS
 
Author Topic: Firmware question  (Read 4685 times)
xboxleech (Hacker, Posts: 93)
« on: May 17, 2006, 04:46:55 PM »

I think I'm right in saying that the commodore4eva firmwares look near the "end" of the disc (outer track of second layer) for the SS. Doing this means people have to burn DL discs and their ISOs need to be large = longer burn time.

Wouldn't it be possible to look for the SS at the "start" of the disc, thus allowing for smaller ISO sizes and possibly SL discs? I haven't looked at the firmware (my assembly is poor) but I would have thought this wouldn't require much change to the released firmware.

Has anyone else been thinking the same thing or am I missing something?

Thanx

Oh, one more thing. Would a hacked HL 0046DH firmware work fine if replacing a 0047DJ or vice versa i.e. are the drives the same and hacked HL firmware will work for all current HL drives?
Arakon (Administrator, Xbox Hacker, Posts: 6925)
« Reply #1 on: May 18, 2006, 01:02:53 AM »

The SS is in fact pretty close to the start of the disc, about 250 megs into the image. Single layer discs are NOT possible, simply because an image with security placeholders will ALWAYS be stretching to the second layer.
And without the placeholders, the burn can not function.

I do NOT give support by email, PM, ICQ or whatever. Anyone annoying me that way will have his balls removed. With a rusty butterknife. Slowly. And I'll enjoy doing it.
MacDennis (Xbox Hacker, Posts: 614)
« Reply #2 on: May 18, 2006, 03:51:30 AM »

Quote from: xboxleech
I think I'm right in saying that the commodore4eva firmwares look near the "end" of the disc (outer track of second layer) for the SS.

That's not correct in the first place. It's placed just before the start of the game partition on the first layer. This is true for the Xtreme firmware.
xboxleech (Hacker, Posts: 93)
« Reply #3 on: May 18, 2006, 08:27:16 AM »

Ah ok. Is this the same story for both the xbox1 and x360 hacks?

Thanx
xDREAM (Master Hacker, Posts: 124)
« Reply #4 on: May 18, 2006, 08:42:09 AM »

Maybe someone can answer my question. If my key is at 4444, should I paste the key in xtreme.bin at 4444 also? Is it the firmware that knows the location or the 360 itself?
Alec (Member, Posts: 31)
« Reply #5 on: May 18, 2006, 10:31:00 AM »

I personally copied every byte, starting from 4000 until the end of my original key.
bigmack (Member, Posts: 25)
« Reply #6 on: May 18, 2006, 11:36:19 AM »

Same, I copied everything from 4000 until the FFFFs.
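The key transplant the three replies above describe (copy from offset 4000 in the original dump until the run of FFs, into the same offset of the hacked image), written out as an added example. This is not code from the thread or from any firmware tool. The thread only gives the start offset and "until the FFFFs", so two things here are assumptions: the key block begins at 0x4000 in both images, and it ends at the first run of at least MIN_FF_RUN 0xFF bytes (erased flash) after that offset. The sample images are constructed, not real dumps.

```python
"""Transplant the drive key block from an original Hitachi-LG firmware dump
into a hacked firmware image (e.g. xtreme.bin) at the same offset.

Added example for this thread; not code from the thread or any tool.
Assumptions: key block starts at 0x4000 in both images and ends at the
first run of MIN_FF_RUN 0xFF bytes after it. Sample images are constructed.
"""

KEY_OFFSET = 0x4000   # from the thread: "starting from 4000"
MIN_FF_RUN = 16       # assumption: >= 16 consecutive 0xFF marks the end of the key block


def find_key_end(image: bytes, start: int = KEY_OFFSET, min_run: int = MIN_FF_RUN) -> int:
    """Offset of the first run of min_run 0xFF bytes at or after start."""
    idx = image.find(b"\xff" * min_run, start)
    if idx == -1:
        raise ValueError("no 0xFF run found after the key offset")
    return idx


def transplant_key(original: bytes, patched: bytes) -> bytes:
    """Return patched with original[KEY_OFFSET:end] copied over the same range.

    The end is taken from the *original* dump, because that is the image that
    actually carries the key; the hacked image may have anything there.
    """
    if len(original) != len(patched):
        raise ValueError("image sizes differ; wrong firmware for this drive?")
    end = find_key_end(original)
    out = bytearray(patched)
    out[KEY_OFFSET:end] = original[KEY_OFFSET:end]
    return bytes(out)


def differing_ranges(a: bytes, b: bytes):
    """(start, end) ranges where a and b differ; a quick check that the
    transplant touched nothing outside the key block."""
    ranges, run_start = [], None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y and run_start is None:
            run_start = i
        elif x == y and run_start is not None:
            ranges.append((run_start, i))
            run_start = None
    if run_start is not None:
        ranges.append((run_start, len(a)))
    return ranges


def build_sample_images(size: int = 0x8000, key_len: int = 0x100):
    """Constructed original dump and hacked image of equal size (not real firmware)."""
    code = bytes((i * 7 + 3) & 0xFF for i in range(size))
    original = bytearray(code)
    patched = bytearray(b ^ 0x5A for b in code)                 # hacked code differs everywhere
    fake_key = bytes((i * 31 + 1) & 0xFF for i in range(key_len))  # no 0xFF runs inside it
    original[KEY_OFFSET:KEY_OFFSET + key_len] = fake_key
    original[KEY_OFFSET + key_len:KEY_OFFSET + 2 * key_len] = b"\xff" * key_len  # erased flash after key
    patched[KEY_OFFSET:KEY_OFFSET + 2 * key_len] = b"\x00" * (2 * key_len)      # hacked image ships keyless
    return bytes(original), bytes(patched)


if __name__ == "__main__":
    orig, hacked = build_sample_images()
    merged = transplant_key(orig, hacked)
    end = find_key_end(orig)
    print(f"key block 0x{KEY_OFFSET:X}..0x{end:X} ({end - KEY_OFFSET} bytes) transplanted")
    print("ranges differing from hacked image:",
          [(hex(s), hex(e)) for s, e in differing_ranges(merged, hacked)])
```

The size check matters in practice: if the original dump and the hacked image are not the same size you are almost certainly holding firmware for a different drive revision, and copying the key block blindly would only produce a flash that fails later in a less obvious way.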
TheSpecialist (Global Moderator, Xbox Hacker, Posts: 782)
« Reply #7 on: May 18, 2006, 03:15:47 PM »

Quote from: Arakon
the SS is in fact pretty close to the start of the disc, about 250 megs into the image. single layer discs are NOT possible, simply because an image with security placeholders will ALWAYS be stretching to the second layer.
and without the placeholders, the burn can not function.

Why wouldn't it function without the placeholders? I know it works for xbox 1 (single layer) since I've tested it myself. I have never tested it for xbox 360 (I still don't own one, hehe), but I can't think of any reason why it wouldn't work (given that you have a table with responses of course, like commodore's FW makes, and patched the FW to accept SL).

BTW, for xbox 1 it is VERY easy to create a (DL) disc *without* placeholders. Just rip all game files via FTP, create an ISO with them (this method will only work if the size of this ISO < 3.5 GB by the way), add 405,798,912 bytes to byte 0 of the ISO and add about 4 GB of data to the end of the ISO (till the ISO is as big as a 'normal' ISO). Insert the SS and burn to disc in the same way as you'd 'normally' do. Has been tested and proven to work.
« Last Edit: May 18, 2006, 03:28:58 PM by TheSpecialist »
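The xbox 1 recipe in the reply above (prepend 405,798,912 bytes, then pad the tail until the image is a normal size), as an added example that is not code from the thread or from any release tool. The prefix size and the "< 3.5 GB" limit come from the post; the full-disc size and the fill byte are not stated there and are parameters (assumptions) here. Inserting the SS afterwards is left to the usual tools and is not modelled. The toy data in the main block is constructed.

```python
"""Build a placeholder-free Xbox 1 disc image from a filesystem-only ISO.

Added example for this thread; not code from the thread or any tool.
Recipe from the post: game filesystem goes 405,798,912 bytes into the
image, tail is padded to a normal full-disc size. Total size and fill
byte are assumptions (parameters). SS insertion is not modelled.
"""
import io

GAME_PARTITION_OFFSET = 405_798_912   # from the post: bytes added before byte 0 of the ISO
MAX_FS_ISO = 3_500_000_000            # from the post: method only works if the fs ISO < 3.5 GB
CHUNK = 1 << 20                       # 1 MiB streaming unit


def plan_layout(fs_size: int, total_size: int, prefix: int = GAME_PARTITION_OFFSET):
    """Return (prefix_pad, fs_size, tail_pad); raise if the layout is impossible."""
    if fs_size >= MAX_FS_ISO:
        raise ValueError("filesystem ISO too large for this method (>= 3.5 GB)")
    tail = total_size - prefix - fs_size
    if tail < 0:
        raise ValueError("filesystem does not fit between the prefix gap and the target size")
    return prefix, fs_size, tail


def _write_fill(dst, count: int, fill: bytes) -> None:
    """Write `count` fill bytes in chunks so a multi-GB pad never sits in memory."""
    block = fill * CHUNK
    while count > 0:
        n = min(count, CHUNK)
        dst.write(block[:n])
        count -= n


def write_padded_image(src, dst, fs_size: int, total_size: int,
                       prefix: int = GAME_PARTITION_OFFSET, fill: bytes = b"\x00") -> int:
    """Stream prefix pad, the filesystem ISO from src, then the tail pad into dst.

    src/dst are binary file objects. Returns bytes written (== total_size).
    """
    pre, body, tail = plan_layout(fs_size, total_size, prefix)
    _write_fill(dst, pre, fill)
    copied = 0
    while copied < body:
        chunk = src.read(min(CHUNK, body - copied))
        if not chunk:
            raise ValueError("filesystem ISO shorter than its declared size")
        dst.write(chunk)
        copied += len(chunk)
    _write_fill(dst, tail, fill)
    return pre + copied + tail


def build_padded_image(fs_iso: bytes, total_size: int,
                       prefix: int = GAME_PARTITION_OFFSET) -> bytes:
    """In-memory wrapper; use write_padded_image with real files for a full image."""
    dst = io.BytesIO()
    write_padded_image(io.BytesIO(fs_iso), dst, len(fs_iso), total_size, prefix)
    return dst.getvalue()


if __name__ == "__main__":
    # Constructed toy: a 2000-byte "filesystem", a 4096-byte gap, a 10000-byte "disc".
    fs = (bytes(range(256)) * 8)[:2000]
    img = build_padded_image(fs, total_size=10_000, prefix=4096)
    print(len(img), "bytes; filesystem starts at", img.find(fs))
```

For a real image, open the filesystem ISO and the output with `open(..., "rb")` / `open(..., "wb")` and call `write_padded_image` with the default prefix and the full-disc size you want; the streaming writer keeps memory use at one chunk regardless of how many gigabytes of padding it emits.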
Arakon (Administrator, Xbox Hacker, Posts: 6925)
« Reply #8 on: May 18, 2006, 07:16:11 PM »

Because the placeholder data is apparently required for the 360. Rips that have zeroed out placeholders immediately give a DRE.

TheSpecialist (Global Moderator, Xbox Hacker, Posts: 782)
« Reply #9 on: May 19, 2006, 08:48:35 AM »

Quote from: Arakon
cause the placeholder data is apparently required for the 360. rips that have zeroed out placeholders immediately give a DRE.

Arakon, I think you mean rips that don't contain the placeholders at all, right? Instead of having them 'zeroed out'. This won't work because of the PFI in the SS that's being used (read: 'wrong' layer breakpoint, since the placeholders are missing, so layer 1 will be wrong).

C4E's hack has the response types 1, 3, 5, 7 saved to the SS, so if you rip a disc and zero out the placeholders (replace them with zeroes, but keep them in the same location), then it should work.
« Last Edit: May 19, 2006, 08:54:07 AM by TheSpecialist »
Arakon (Administrator, Xbox Hacker, Posts: 6925)
« Reply #10 on: May 19, 2006, 04:32:44 PM »

The image has the correct size, but there are large areas of 00, while in a proper rip of the same game those areas will be filled with (I am guessing) the placeholder "garbage" data.
The reason to do that would be to achieve a higher compression when raring them up.

xboxleech (Hacker, Posts: 93)
« Reply #11 on: May 19, 2006, 05:08:24 PM »

The reason I raised this query originally was because of TheSpecialist's query about the need for DL discs in another thread. Since I thought he managed to get a 360 hack working I assumed that it was possible to do the hack with SL discs.

Now I'm really curious. Is it possible to get a 360 hack working on SL discs? Has anyone managed it?

Thanx
TheSpecialist (Global Moderator, Xbox Hacker, Posts: 782)
« Reply #12 on: May 20, 2006, 12:07:14 AM »

Quote from: xboxleech
The reason I raised this query originally was because of TheSpecialist's query about the need for DL discs in another thread. Since I thought he managed to get a 360 hack working I assumed that it was possible to do the hack with SL discs.

Now I'm really curious. Is it possible to get a 360 hack working on SL discs? Has anyone managed it?

Thanx

The very first xbox 1 hack (not 360 hack) that I made worked on SL. I created it that way because I didn't have any DL discs at home when I wanted to test it, hehe :) Haven't tested it for the 360 but I really can't think of a reason why it wouldn't be possible on the 360 to get it working on SL (as long as the game data fits on SL of course :) )

Quote from: Arakon
the image has the correct size, but there are large areas of 00, while in a proper rip of the same game those areas will be filled with (I am guessing) the placeholder "garbage" data.
the reason to do that would be to achieve a higher compression when raring them up.

My best guess would be that these large blocks of 00 are due to a bad rip. The release team couldn't test the ISO at the time they released it ;)

Now, about the placeholders: we are 100% sure that the only reason they CURRENTLY are being used is for retrieval of the responses. One hack we did skipped ALL disc reading (the laser showed no movement during disc authentication); we just fed the FW the responses and it worked perfectly.

If someone is interested in making the 360 compatible with SL discs, here's again *ALL* the relevant information. After disc insertion, the drive first checks if the disc is a DL DVD-ROM. If this is not the case, it will skip everything (it won't even bother reading the SS, which is logical, since it's on layer 1 normally ;) ). So, you'd have to kill that check (make it accept SL DVD-ROM too, or even better, make it accept DVD+R and DVD-R too).

There are 2 ways to find that check. The first one is to trace backwards from the SS reading routine. This is the actual way I did it for the xbox 1. You'll want to find that piece of code that ALWAYS gets executed after disc insertion, regardless of disc type. What I used was a simple 'jmp to itself' instruction, to see if a part of the 'upper routine' gets executed (with 'upper' routine I mean the routine that calls the code you are looking into). If the drive hangs, you know that it executed your instruction :) Yes, it's a pretty boring way to figure it out (flash, reboot, flash, reboot etc.), hehe, but it is also simple. So, tracing it backwards will lead you to that check (and finally the drive will 'hang' after insertion of both DL DVD-ROMs and other media, meaning you have found what you were looking for ;) )

The second method would be to trace it 'forward'. Find the routine that reads the "real" PFI, since this of course contains the disc type. Trace the mem location where the disc type is stored through the code and find the part where it checks that info.

After you have killed the check, you'll want to kill the 'unlock' routine. Why? Because if the drive is unlocked, it will use the PFI from the SS and you don't want that (because it is signed and you can't change that PFI).

It goes without saying that you'll need to have the SS on layer 0. The first time I patched the disc type check, I hadn't relocated the SS (I had saved it to FW and hadn't killed the SS disc read routine) and man... The sound that your drive will make when it tries to read the second layer on a disc that only contains 1 layer... That sound is REALLY scary :) It sounds like your drive is fighting against a slow and painful death and it sounds like it is losing that fight, hehe ;)

Anyway, that's about it! Happy hacking!
« Last Edit: May 20, 2006, 12:45:26 AM by TheSpecialist »
Alec (Member, Posts: 31)
« Reply #13 on: May 20, 2006, 11:30:05 AM »

Quote from: TheSpecialist
Quote from: xboxleech
The reason I raised this query originally was because of TheSpecialist's query about the need for DL discs in another thread. Since I thought he managed to get a 360 hack working I assumed that it was possible to do the hack with SL discs.

Now I'm really curious. Is it possible to get a 360 hack working on SL discs? Has anyone managed it?

Thanx

The very first xbox 1 hack (not 360 hack) that I made worked on SL. I created it that way because I didn't have any DL discs at home when I wanted to test it, hehe :) Haven't tested it for the 360 but I really can't think of a reason why it wouldn't be possible on the 360 to get it working on SL (as long as the game data fits on SL of course :)

What about your 360 hack? From the way you talk about it, it seems like yours worked off DL, as well.
TheSpecialist (Global Moderator, Xbox Hacker, Posts: 782)
« Reply #14 on: May 20, 2006, 12:53:42 PM »

Quote from: Alec
What about your 360 hack? From the way you talk about it, it seems like yours worked off DL, as well.

Exactly. Like I said, I only did it for the xbox 1; haven't tested a SL hack for the 360 and I don't know of anybody who did. But since the Hitachi xbox 1 FW is almost the same as the 360 (they took the existing xbox 1 HL firmware and only added some routines; the majority of the code is EXACTLY the same), I wouldn't know why it wouldn't work for the 360. And it's pretty easy to check for someone who knows assembler; like described, it isn't very hard to do :) So maybe someone who DOES own a 360 could verify it :)

And to make it even easier, for ppl who haven't really studied the FW, I'll explain briefly how to find that routine that gets executed after disc insertion. Only for HL though, but it won't be much different for the TS =>

Run the IDC file from DJ Huevo. It will ID all the ATAPI handlers. Then find the 'read dvd structure' handler. This handler returns the PFI (and of course the PFI from the SS). So, it will use a certain mem location where that is stored. Trace that mem location through the code and you'll find the routine that writes to that location. That routine will be part of that 'disc insertion' routine. Once you've found that one, you can proceed as described above.
« Last Edit: May 20, 2006, 01:52:20 PM by TheSpecialist »
evestu (Hacker, Posts: 54)
« Reply #15 on: May 20, 2006, 03:27:56 PM »

So has anybody started to test this?

Can you add your patch to the firm with WinHex once you have found the correct place that the mod is needed?

And the patch you add is to replace the DL DVD-ROM with SL DVD-ROM, or add that so you have both media detected?

But you have to hard code the SS responses in the firm so they are not read from the disc, or because you want to skip the reading of the SS, but would this need to be changed for every backup?

Sorry, still learning :)



thanks
« Last Edit: May 20, 2006, 03:56:51 PM by evestu »
Arakon (Administrator, Xbox Hacker, Posts: 6925)
« Reply #16 on: May 20, 2006, 04:02:20 PM »

Since the SS is unique to the game and game revision, yes, you'd always have to change it every time you want to play another game.
