Grim187
« Reply #40 on: June 11, 2008, 11:12:20 PM »

It's difficult for me to believe M$ has done away with the DVD key (if it's not being transferred to the motherboard then there's no use for it). They would have to do a considerable amount of work on the NAND if they did, and I just don't see M$ working that hard on something they have shown almost no regard for.
I think that patent is either BS (no offence Iriez), pertaining to something else, or just meant to scare us off.
Has anyone tried an SPI programmer?

itsfakemon
« Reply #41 on: June 12, 2008, 12:36:04 AM »

> Has anyone tried an SPI programmer?

Yes, it didn't work. Plus, there's a recovery disc they (can) use.

loser
« Reply #42 on: June 12, 2008, 01:03:03 AM »

MS has not done away with the DVD key. As my post a couple above yours says: the key is there, it is just never sent across the bus, as that would make the whole idea of having a key pointless. Instead both the Xbox 360 and the drive know the key and so can use it to encrypt information before sending and then decrypt the information when received.
All Xbox 360 DVD drives support the same special commands to write a key to the drive at any time. In the factory, when the keyvault is generated, the drive key is set to random data, then this same random data is programmed in as the drive key on the Xbox 360 DVD drive through the use of this special command.
I have not tested on the new drives to ensure that this command works, but I would assume that it does, as there is no reason for it not to. These commands are write-only, so you cannot read the key out this way, so there is no security breach in having such commands.

noob6969
« Reply #43 on: June 12, 2008, 07:01:06 AM »

> I think that patent is either BS (no offence Iriez), pertaining to something else, or just meant to scare us off.

The patent is not BS, and the key is still there. It is a bit like finding the CPU key now (but it should be easier, because the DVD drive CPU does not have the grunt to do any real encryption, so I doubt there is any complex math on the validation data). With the key we can use/spoof any DVD drive. This countermeasure is all about protecting the DVD drive key... not to mention it also stops us from pulling the CPU key, because we can't run altered KK shaders even if we do manage to implement a successful timing attack on the new mobos.

n00bpwner360
« Reply #44 on: June 12, 2008, 09:16:04 AM »

Wouldn't it be possible, like someone said earlier, to sniff the SATA data and somehow get the drive key out of that, and then just flash an already flashable drive (Sammy, Hitachi, BenQ) with that drive key and spoof the drive? That seems a lot easier than trying to hack this drive... but IDK hardly anything.

damn!
« Reply #45 on: June 12, 2008, 09:28:41 AM »

No, the key isn't sent over SATA. It works like this, if I understand it right:
DVD drive encrypts data with DVD key => sends encrypted data over SATA => console decrypts this data with DVD key.
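The shared-key scheme described in the two replies above (key programmed into the drive through a write-only command, never sent across the bus, data encrypted on one side and decrypted on the other), modelled as an added example that is not code from this thread or from the console. The HMAC challenge and the HMAC-based stream cipher are stand-ins chosen for the example; the real drive protocol is not on the page. What it shows is that a bus sniffer captures only challenges, responses and ciphertext, and that a drive programmed with a different key fails the check.

```python
import hashlib
import hmac
import os


class DvdDrive:
    """Drive-side model: the key lives in a write-only slot (assumption, not real firmware)."""

    def __init__(self):
        self._key = None  # deliberately no read accessor, mirroring a write-only key command

    def write_key(self, key: bytes) -> None:
        self._key = bytes(key)

    def respond(self, challenge: bytes) -> bytes:
        # Prove possession of the key without ever putting the key itself on the bus.
        return hmac.new(self._key, challenge, hashlib.sha256).digest()

    def encrypt(self, nonce: bytes, data: bytes) -> bytes:
        return keystream_xor(self._key, nonce, data)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in stream cipher: HMAC-SHA256 in counter mode (educational, not the console's cipher)."""
    stream, counter = b"", 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def run_session(drive_key: bytes, console_key: bytes, plaintext: bytes):
    """Console authenticates the drive, then reads one transfer; returns (auth_ok, recovered, bus)."""
    drive = DvdDrive()
    drive.write_key(drive_key)  # factory-style programming of the drive key
    bus = []                    # every transfer a SATA sniffer would observe
    challenge = os.urandom(16)
    bus.append(challenge)
    response = drive.respond(challenge)
    bus.append(response)
    expected = hmac.new(console_key, challenge, hashlib.sha256).digest()
    auth_ok = hmac.compare_digest(expected, response)
    nonce = os.urandom(8)
    ciphertext = drive.encrypt(nonce, plaintext)
    bus.append(nonce + ciphertext)
    recovered = keystream_xor(console_key, nonce, ciphertext)
    return auth_ok, recovered, bus


def key_visible_on_bus(bus, key: bytes) -> bool:
    """True if the raw key bytes appear in any captured bus transfer."""
    return any(key in transfer for transfer in bus)
```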

Geremia
« Reply #46 on: June 12, 2008, 01:27:16 PM »

Any activity on the SPI pins? It would be great to boot some code from there. What should be the purpose of the UPSEN# pin? Sorry, I've no 8051 knowledge; a fast googling shows "external ROM is only enabled when a pin on the 8051 named the PSEN (program store enable) is pulled low."

Tiros
« Reply #47 on: June 12, 2008, 02:08:48 PM »

PSEN is typically used for ROM output enable. EA is used for external address mode. This chip doesn't have enough pins for external operation.

LordX
« Reply #48 on: June 13, 2008, 05:36:29 AM »

If only we could trigger the hypervisor exploit from a hard drive, we could have Linux running, dump the CPU key and change out the keyvault for a DVD key we know, and all we would have to know is how to spoof a current drive to this new drive...
But alas, it is not possible. Well, ya, it most certainly is, just no one has found out how yet.
The only way to use the exploit from a hard drive is by using a demo game, same as King Kong but not patched... anyone?

Martin_sw
« Reply #49 on: June 13, 2008, 09:20:22 AM »

> If only we could trigger the hypervisor exploit from a hard drive, we could have Linux running, dump the CPU key and change out the keyvault for a DVD key we know, and all we would have to know is how to spoof a current drive to this new drive...
> But alas, it is not possible. Well, ya, it most certainly is, just no one has found out how yet.

Ehm, if you had your CPU key you would be able to extract your DVD key and (in type 2 keyvaults) extract/change the DVD spoof string. There is absolutely no need to replace your entire keyvault (if that was what you meant). But since all repaired Xenons come with 2BL version 1921 the downgrade won't work on them, and with the Falcons the downgrade does indeed work, just not the base kernel (1888), so you can't upgrade to 4532/48, which as far as I know would work on those boards. And the reason 1888 does not boot on Falcon boards is that, as I'm sure has been stated before, the GPU AsicID number does not match what the kernel expects it to be and it panics. Later kernel revisions instead just check that the vendor ID is 0x1414 (Microsoft). And about being able to exploit from the HDD, I'm looking into that; according to angerwound FFXI does indeed boot from CON packages (these I can build/recreate), but I have been unable to find the game in any of my local game shops... (ended up buying a bunch of other games instead).

LordX
« Reply #50 on: June 13, 2008, 11:34:54 AM »

> Ehm, if you had your CPU key you would be able to extract your DVD key and (in type 2 keyvaults) extract/change the DVD spoof string. There is absolutely no need to replace your entire keyvault (if that was what you meant). But since all repaired Xenons come with 2BL version 1921 the downgrade won't work on them, and with the Falcons the downgrade does indeed work, just not the base kernel (1888), so you can't upgrade to 4532/48, which as far as I know would work on those boards. And the reason 1888 does not boot on Falcon boards is that, as I'm sure has been stated before, the GPU AsicID number does not match what the kernel expects it to be and it panics. Later kernel revisions instead just check that the vendor ID is 0x1414 (Microsoft). And about being able to exploit from the HDD, I'm looking into that; according to angerwound FFXI does indeed boot from CON packages (these I can build/recreate), but I have been unable to find the game in any of my local game shops... (ended up buying a bunch of other games instead).

And these CON packages are not signed? If you edit them, is it possible to run unsigned code? How about the FFXI demo? Or better, a downloadable demo (if one exists), so we can execute it from the HDD?

Arakon
« Reply #51 on: June 13, 2008, 12:24:54 PM »

CON packages are signed. Downloadable demos also are, as far as I am aware.

Martin_sw
« Reply #52 on: June 13, 2008, 12:45:10 PM »

> CON packages are signed. Downloadable demos also are, as far as I am aware.

Yup, Arakon is right. The good thing (not for LIVE though) with the CON packages is you can extract the private key from your keyvault and sign your own CON packages. But most, if not all, demos are signed to only run from PIRS or LIVE signed packages, and this is where FFXI comes into the picture: according to angerwound it has the "run from CON package" flag set. And if it stores its shaders unsigned inside the CON package, it would be possible to use it to launch the shader exploit on 4532/48 without a DVD drive (unless of course the game XEX itself requires the DVD disc to be in the drive).

n00bpwner360
« Reply #53 on: June 15, 2008, 11:43:48 AM »

So wait, you can't upgrade to a vulnerable kernel on newer motherboards with base kernel 1921 or w/e?
I am thinking this:
Buy a NEW, never-been-on-LIVE Xbox 360.
It has the new drive.
It is at the base kernel out of the box.
Insert the 4532 update disc; it updates, all is good.
Launch the exploit from the hard drive. (Still have to figure out how to do this.)
Dump the CPU key.
Attach Infectus, dump NAND.
Extract the keyvault.
Get the DVD key and spoof string? (I have no clue what the spoof string is.)
Flash an old drive (Sammy, Hit, Ben) with the DVD key and spoof the firmware to Lite-On (has to be worked out as well).
You are playing game backups.
So you are saying this could NOT work? I am not saying downgrade, I am just saying upgrade from the base kernel when you get the Xbox new.

Arakon
« Reply #54 on: June 15, 2008, 11:58:45 AM »

Forget it. The consoles are sold with the (at the time of manufacturing) latest kernel already flashed.

Arakon
« Reply #55 on: June 15, 2008, 11:28:55 PM »

Repaired units also come at the very least with a 5xxx kernel.

damn!
« Reply #56 on: June 17, 2008, 04:03:46 PM »

Here in Germany with 6683 atm...

lexie
« Reply #57 on: June 18, 2008, 10:12:25 AM »

Is it possible to see if you have the Lite-On drive without opening up your Xbox 360?

Spider85
« Reply #58 on: June 18, 2008, 10:41:37 AM »

> Is it possible to see if you have the Lite-On drive without opening up your Xbox 360?

Almost all repaired units have one. Units with an MFD of late April have one, and you can see it at the LOT number on the box (not the Xbox 360 but the box it is in). If your lot number is higher than 813 (in Europe) you have one. Greetz

wisp
« Reply #59 on: June 18, 2008, 03:02:59 PM »

If you remove the front of your Xbox, you can see under the DVD drive (through a hole) 2 wires. If the wires are yellow you have a Lite-On; if the wires are white you have a BenQ.
Hope the Lite-On will be flashable soon :D
Greetz, ww