ybarra
Newbie

Posts: 1
« Reply #120 on: July 23, 2008, 10:40:20 AM »
Noob question here, but why would they go through the trouble of covering the chip with epoxy (an obvious attempt at physical security) if the MISO and MOSI pins don't respond to anything? It would seem to me that the epoxy is an attempt to keep someone from using the SPI pins (much like JTAG is used in the Linksys routers) to dump the drive firmware as well as the NVRAM contents. And yes, I read the thread and saw that SPI attempts so far have failed, but I'm questioning the use of the epoxy if SPI was truly impossible.
centaur2
« Reply #121 on: July 23, 2008, 03:17:48 PM »
Furthermore, I doubt that these chips have specifically been developed for use in the 360. I expect them to appear in regular PC drives soon as well; maybe they are already used at the moment. It's simply a matter of cost reduction.
Having a PC drive with a MT1319 chip and an updater program would be nice to check how to communicate with the controller.
Geremia
« Reply #122 on: July 23, 2008, 05:53:36 PM »
I've got a Lite-On; there is some activity on what should be the SPI bus, but it seems not to be good stuff, for example sometimes activity on MOSI with CLK fixed low. I connected an external SPI flash to it; the drive does not care. I've pulled MOSI and MISO high or low; it seems not to care about it.
So, at first impression, I would think the internal flash probably is not SPI but standard ROM or flash ROM (why bother with the SPI protocol if it's embedded? You could have all the interconnection you want, right?).
Still wondering if this MTK chip has some kind of decision on boot source based on external switches.
« Last Edit: July 23, 2008, 05:55:17 PM by Geremia »

noob6969
« Reply #123 on: July 23, 2008, 11:58:19 PM »
So, at first impression, I would think the internal flash probably is not SPI but standard ROM or flash ROM (why bother with the SPI protocol if it's embedded? You could have all the interconnection you want, right?).
Still wondering if this MTK chip has some kind of decision on boot source based on external switches.
No way they would make this a 2-die controller. You can safely assume it is embedded flash. It might be configurable to determine boot source, but that won't do any good without being able to read the firmware out of its internal memory, which, according to the patent (assuming it applies to this chip), is impossible. Still not seen one of these drives myself, then I am a hardware guy anyway. Datasheet would be nice..
Geremia
« Reply #124 on: July 24, 2008, 06:53:48 AM »
It might be configurable to determine boot source, but that won't do any good without being able to read the firmware out of its internal memory, which, according to the patent (assuming it applies to this chip), is impossible.
If there is a way to boot from external SPI, you can boot your own code or a modified similar fw with some custom CDB to explore inside; this is just a low-level approach. I've not yet started to disassemble the BenQ fw (well, never reversed any 8051 code, but it's time to start), but presumably there could be some vendor-specific CDB for debug stuff. At first look, the Lite-On responds with sense 05 81 to unknown CDB opcodes (strange, 81 is vendor specific), but for example it responds with sense 05 24 to opcode FD (so good opcode but wrong parameters). Don't know for MTK, but for Hitachi and the HD-DVD there were vendor-specific CDBs to upload and execute code....and this would be a higher-level approach.
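An added example, not code from the thread or any of its posters, to make sense of the two replies Geremia reports: it decodes fixed-format SCSI sense data and tells an ILLEGAL REQUEST carrying a vendor-range ASC (the 05 81 answer to an unknown opcode) from one carrying INVALID FIELD IN CDB (the 05 24 answer to a known opcode with bad parameters). The sense buffers it runs on are constructed, not captured from a drive.

```python
# Added example (not from the thread): decoder for fixed-format SCSI sense
# data. Byte layout per the SPC fixed format: byte 0 = response code
# (0x70/0x71), byte 2 low nibble = sense key, byte 7 = additional length,
# bytes 12/13 = ASC/ASCQ. Sample buffers built by make_sense() are constructed.

SENSE_KEYS = {0x0: "NO SENSE", 0x2: "NOT READY", 0x5: "ILLEGAL REQUEST",
              0x6: "UNIT ATTENTION"}
# Standard ASC/ASCQ meanings; ASC values 0x80-0xFF are vendor-specific.
ASC_NAMES = {(0x20, 0x00): "INVALID COMMAND OPERATION CODE",
             (0x24, 0x00): "INVALID FIELD IN CDB",
             (0x26, 0x00): "INVALID FIELD IN PARAMETER LIST"}


def parse_fixed_sense(buf: bytes) -> dict:
    """Return {'key', 'asc', 'ascq'} from a fixed-format sense buffer."""
    if len(buf) < 8:
        raise ValueError("sense buffer shorter than the 8-byte fixed header")
    code = buf[0] & 0x7F  # bit 7 is the VALID flag, not part of the code
    if code not in (0x70, 0x71):
        raise ValueError(f"not fixed-format sense data (response code 0x{code:02x})")
    key = buf[2] & 0x0F
    # ASC/ASCQ are only present if the additional length covers bytes 12-13.
    if buf[7] < 6 or len(buf) < 14:
        return {"key": key, "asc": None, "ascq": None}
    return {"key": key, "asc": buf[12], "ascq": buf[13]}


def classify(buf: bytes) -> str:
    """Human-readable verdict for a sense buffer."""
    s = parse_fixed_sense(buf)
    key_name = SENSE_KEYS.get(s["key"], f"sense key 0x{s['key']:x}")
    if s["asc"] is None:
        return f"{key_name} (no ASC/ASCQ)"
    if s["asc"] >= 0x80:
        return f"{key_name}, vendor-specific ASC 0x{s['asc']:02x}/0x{s['ascq']:02x}"
    name = ASC_NAMES.get((s["asc"], s["ascq"]),
                         f"ASC 0x{s['asc']:02x}/0x{s['ascq']:02x}")
    return f"{key_name}, {name}"


def make_sense(key: int, asc: int, ascq: int) -> bytes:
    """Build an 18-byte fixed-format sense buffer (constructed test data)."""
    b = bytearray(18)
    b[0], b[2], b[7], b[12], b[13] = 0x70, key, 10, asc, ascq
    return bytes(b)


if __name__ == "__main__":
    print(classify(make_sense(0x5, 0x81, 0x00)))  # reply to an unknown opcode
    print(classify(make_sense(0x5, 0x24, 0x00)))  # known opcode, bad parameters
```
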
justmeee
« Reply #125 on: July 25, 2008, 04:47:18 AM »
How do you send CDBs to the drive and receive what it responds? Are there any standard tools to do this?
itsfakemon
« Reply #126 on: July 25, 2008, 06:36:03 AM »
plscsi
excuse me, I'm French...

justmeee
« Reply #127 on: July 25, 2008, 08:55:44 AM »
Why doesn't plscsi find any drive on my nForce board?
Tiros
« Reply #128 on: July 25, 2008, 09:59:43 AM »
Why doesn't plscsi find any drive on my nForce board?
Due to the non-standard INQ command you don't get a drive letter. Try plscsi for DOS.
bradsystem
Newbie

Posts: 7
« Reply #129 on: July 26, 2008, 01:44:10 PM »
Tried the serial interface with the MT1319L, and the MTK Tool 1.31 software makes some communication with the MCU; the result is: unknown flash, so this MTK Tool can't handle the MT1319L. I think this sw is made for MCUs with external flash. So probably there's a way.. need datasheet..
n00bpwner360
« Reply #130 on: July 27, 2008, 02:29:54 PM »
Alright, back to hacking. Why not try hooking up a serial cable from your computer to Rx and Tx. You will have to make a cable; IDK how you would, there are tuts on the web. Then try one of these programs.
http://personal.inet.fi/cool/mediatek/programs/mtktool.html
http://personal.inet.fi/cool/mediatek/programs/mtkflasher.html
http://personal.inet.fi/cool/mediatek/programs/mtkdump.html
I doubt it will be as easy as that. You might need to pull some pins high or low (like the MSI pins, IDK) or something that I wouldn't know what to do or how to do it. If MTK DID implement a backdoor or something, it wouldn't be easy to access. There might be a code you have to send to the Rx and Tx pins or something to "trigger" (or more pun intended, unlock and open) the back door, allowing the firmware to be read. Anyone tried this? Why is there a Rx and Tx when reading firmware is not enabled? Why are they covered in epoxy? Hmmm...I wonder. O wait, one pin is used for flashing the firmware and one will send you the checksum of the flash...maybe that is why. I still can't see the firmware not being able to be read out. Someone please try this.
yeah lowering the default reading speed from 12x to let's say 5x, would really let GTA4 (or any of your games) benefit from way less popups and loading times.

bradsystem
Newbie

Posts: 7
« Reply #131 on: July 27, 2008, 04:18:26 PM »
Already made a post about the serial interface but ppl here are bullsh1ting the forum with stupid posts like disc swapping.... here it is once again: tried the serial interface with the MT1319L, and the MTK Tool 1.31 software makes some communication with the MCU (have LEDs on the rx/tx lines); the result is: unknown flash, so this MTK Tool can't handle the MT1319L. I think this sw is made for MCUs with external flash. But probably there's a way.. need datasheet..
Geremia
« Reply #132 on: July 28, 2008, 06:39:54 AM »
Are you sure that "unknown flash" means that some communication occurs? You could start some "serial port monitor" and see if some communication is in place.
About bul$#!tting, I agree.
bradsystem
Newbie

Posts: 7
« Reply #133 on: July 28, 2008, 07:58:03 AM »
With the MCU disconnected the sw doesn't show "unknown flash", and w/o the MCU interface the LEDs blink just once (TX). Yes, I can also scan the communication.. I'll try to do it in 1 hour..
Geremia
« Reply #134 on: July 30, 2008, 11:50:14 AM »
Got enough of deleting bull$#!t and replying to bull$#!t.
Please stay on topic, this is a technical area.
Geremia
« Reply #135 on: July 31, 2008, 08:26:54 AM »
I've disassembled the BenQ fw to find debug CDBs; not so many and not so useful (not yet traced the ATA level to see if there is also some ATA debug command).
Anyway, the Lite-On is just a new BenQ; it responds to the FD xx 42 45 4E 51 (ASCII "BENQ") command, where xx is a "subcommand".
Some subcommands are not recognized, but at least this works:
FD 04 42 45 4E 51 xx xx 10 xx aa xx seems to dump from 0xFF00; aa can be 00, 01, 02 (seems to be the 10-byte chunk number starting at 0xFF00); if 02 it reports a kind of ASCII serial number.
Other FD xx related to the ASCII "Wisely loves lan" (0xFF30) seem not to work (sense 05 81); some others work but report no data.
If anyone knows the meaning of FF00-FF60, the FD cmd could be interesting, but at first look it seems not.
caster420
« Reply #136 on: July 31, 2008, 12:04:17 PM »
If anyone knows the meaning of FF00-FF60, the FD cmd could be interesting, but at first look it seems not.
C4eva states that 0xFF00-0xFFFF is the drive's serial number. This typically has the 'Wisely Loves Lan' string, and the rest of the data seems to be drive specific. I'll ask him if he has any more information. If you look at generic iXtreme firmware, he blanks out this section. During the patching of the hacked firmware from a retail source, firmtool copies this information. Caster.
« Last Edit: July 31, 2008, 12:06:27 PM by caster420 »

Greger08
Newbie

Posts: 1
« Reply #137 on: August 01, 2008, 08:17:29 AM »
No, the key isn't sent over SATA. It works like this, if I understand it right:
DVD drive encrypts data with the DVD key => sends encrypted data over SATA => console decrypts this data with the DVD key.
If you send encrypted data and know the DVD key and decrypt the data, and then send the same encrypted data with the unknown key and compare it with the decrypted data to generate the key?
towerblocks
« Reply #138 on: August 03, 2008, 08:30:19 AM »
Was just in the #fw channel on EFnet and a quote from c4eva: <c4eva> i have found some things that are not yet known about the lite-on, it will be done! Lite-On hack Possibility-O-Meter [50.1%]' So things are looking up hopefully.
nelex
Newbie

Posts: 4
« Reply #139 on: August 03, 2008, 12:15:48 PM »
Your opinion:
Is this one gonna be a modchip or a firmware flash?