XboxHacker BBS
 
Author Topic: New BenQ drive found DG-16D2S FW 74850C  (Read 197782 times)
bonzo pl
Master Hacker
****
Posts: 115


« Reply #320 on: October 23, 2008, 06:22:51 AM »

DH-16D3S photo PCB?
processor?
 Download org firmware
« Last Edit: October 23, 2008, 06:26:23 AM by bonzo pl » Logged

Reballing 100%ok Sn63/Pb37    FF 62 6F 6E 7A 6F 2E 70 6C-FF  Poland konsole 2005-10-16 version SYLWIA 2 Cu cooler.   http://bonzo-pl.blogspot.com/
RoadRunner
Member
**
Posts: 15


« Reply #321 on: October 23, 2008, 06:40:42 AM »

<c4eva> if you would like to see some of the work we have been doing on the liteon have a look here: http://www.megaupload.com/it/?d=CMAWW567
Logged
noob6969
Hacker
***
Posts: 64


« Reply #322 on: October 23, 2008, 06:42:09 AM »

Moi thinks someone should go on a banning spree, too much nonsensical crap.

But on topic

I don't see two die there, plus I have never heard of any semiconductor company stacking one die on top of the other. The bond out machine would have a fit, it's bad enough manufacturing a hybrid where there are two die next to each other in the same package let alone stacking them. How would it be bonded? what about heat differential are just a few problems that come to mind...+ there is no fabrication reason to put a spi on a separate chip, the real estate occupied by a SPI would be barely visible. Manufacturers only put two die in a package as a very last resort, usually because different functions require fundamentally different silicon processes to make it practical to put on one die....or for floor plan reasons....but not to accommodate a SPI FFS

Also that does not look like a decapped package, it looks more like an xray image, usually nitric acid is used to eat away the package material. Awesum picture nevertheless, decapped under an electron microscope might be more interesting, though it's not like ur gonna be able to read the EEROM..lol

« Last Edit: October 23, 2008, 06:44:53 AM by noob6969 » Logged
asapreta
Hacker
***
Posts: 92


« Reply #323 on: October 23, 2008, 06:43:45 AM »

c4eva showed up some pictures of the chip today too at #fw.
Logged
brill
Newbie
*
Posts: 1


« Reply #324 on: October 23, 2008, 08:20:07 AM »

Yes Yes !!! I'm confirm the die on mt chip is 2 the top is the spi and I'm try try try try try try to read it with external programmer !!!!!!!
Geremia take my high res pic here not possible attach is big
go to in the link for take it:
 http://www.megaupload.com:80/it/?d=CMAWW567

... I don't see two die there, plus I have never heard of any semiconductor company stacking one die on top of the other ...

Somewhat aligned lower res image for anyone who can't be bothered using megaupload:

« Last Edit: October 23, 2008, 09:08:26 AM by brill » Logged
misterfly
Hacker
***
Posts: 73



« Reply #325 on: October 23, 2008, 08:37:42 AM »

lol !!!! the mine is a perfect decap not "xray" my pics show perfect the mtchip
now I'm decap a classic mx25l2005. and check the pin out for compare with die upper of mtchip...... ::)
Logged
theurn15
Member
**
Posts: 43


« Reply #326 on: October 23, 2008, 08:43:49 AM »

c4eva latest statements
[11:09] <DCP> c4eva now u have teh controller chip stripped down have u been able to read the fw off it
[11:11] <c4eva> soon, work is progressing
[11:11] <kolor> c4eva if u r able to read fw off it, does it means that fw is identical on all liteons, and we all can erase current/write hacked one to our liteons using software
[11:12] <c4eva> yes, but key must still be dumped, but once fw is read, will look for other holes, software erase/write already done
[11:17] <c4eva> once we have fw, and create ixtreme, you just put your key in and flash back!
[11:17] <DCP> throught the sata
[11:18] <c4eva> flash-yes
[11:18] <DCP> nice
[11:18] <kolor> nice idd
[11:18] <c4eva> once we have fw, will look for easy way to get key
Logged
Iriez
Hacker
***
Posts: 94


« Reply #327 on: October 23, 2008, 09:38:52 AM »

Yes Yes !!! I'm confirm the die on mt chip is 2 the top is the spi and I'm try try try try try try to read it with external programmer !!!!!!!
Geremia take my high res pic here not possible attach is big
go to in the link for take it:
 http://www.megaupload.com:80/it/?d=CMAWW567

Great the writing, erasing flash secret is revealed now, but how about reading
the flash ??? maybe using benq fw with other liteon pc drives fw like liteon DH-16D2S and
DH-16D3S is the solution.

but Wait a minute man, does this mean that we have to melt
Chipset in order to reach the spi flash in future flashing operations for liteon

If MS patches the cdb to readout key, and we cannot find another software solution to extract/read the key, then YES, you would have to physically dump it in order to get the key.

This is why we did NOT want to release the serial based key extractor method that Geremia made public. We prefer to keep such things a secret until EVERYTHING is ready, so that the penetration rate is much higher. When you are playing cat and mouse with MS, you have to time your findings correctly to achieve the best result. And releasing a way to extract the key, when spoofing will not even work correctly with samsung or hitachi drives, was absolutely pointless and even more so....very harmful. Do you know how many people are using samsungs or hitachi's in place of the liteon right now on xboxlive, not even knowing that their SS returns are not handled correctly?

Hopefully we will have this liteon dumped in the next week or two.
Logged
Geremia
Xbox Hacker
*****
Posts: 600


« Reply #328 on: October 23, 2008, 01:26:20 PM »

Yes Yes !!! I'm confirm the die on mt chip is 2 the top is the spi and I'm try try try try try try to read it with external programmer !!!!!!!
Geremia take my high res pic here not possible attach is big
go to in the link for take it:
 http://www.megaupload.com:80/it/?d=CMAWW567

ehhehehe, very interesting pic :)

I'm sure you disconnected all the connections before trying to read the flash, right?
VCC and GND can be easily spotted, the other wires...don't know, could be that CLK MOSI MISO are shared with external SPI pins of the MTK chip, have you checked with a multimeter if some internal SPI wires go to external pins?
Logged
n00bpwner360
Xbox Hacker
*****
Posts: 615


« Reply #329 on: October 23, 2008, 02:26:56 PM »

I was thinking it is going to just be an amount of time before someone takes this $#!t apart like Bunnie does on his website for all of the chips he does, but he does little microcontroller chips and stuff.

Take a look at this. There are 4 seeming connections, that go to the corners of the chips, but don't lead out of it into a little solder leg, what are those for?
Logged

yeah lowering the default reading speed from 12x to let's say 5x, would really let GTA4 (or any of your games) benefit from way less popups and loading times.
bonzo pl
Master Hacker
****
Posts: 115


« Reply #330 on: October 24, 2008, 01:37:27 PM »

Pin photo where pin processor?

« Last Edit: October 24, 2008, 01:39:41 PM by bonzo pl » Logged

Reballing 100%ok Sn63/Pb37    FF 62 6F 6E 7A 6F 2E 70 6C-FF  Poland konsole 2005-10-16 version SYLWIA 2 Cu cooler.   http://bonzo-pl.blogspot.com/
callousedlabia
Member
**
Posts: 10


« Reply #331 on: October 24, 2008, 05:39:16 PM »


 Do you know how many people are using samsungs or hitachi's in place of the liteon right now on xboxlive, not even knowing that their SS returns are not handled correctly?

Hopefully we will have this liteon dumped in the next week or two.
Just to confirm, does the BENQ respond with the correct SS returns when used in place of the Liteon? I have been reading up on this a bit and found recently some at other sites suggested that it is an assumption.

Thanks to everybody making the flashing and other hacks possible.
Logged
Iriez
Hacker
***
Posts: 94


« Reply #332 on: October 24, 2008, 05:57:46 PM »


 Do you know how many people are using samsungs or hitachi's in place of the liteon right now on xboxlive, not even knowing that their SS returns are not handled correctly?

Hopefully we will have this liteon dumped in the next week or two.
Just to confirm, does the BENQ respond with the correct SS returns when used in place of the Liteon? I have been reading up on this a bit and found recently some at other sites suggested that it is an assumption.

Thanks to everybody making the flashing and other hacks possible.


Benq is fine.
Logged
keglevich
Newbie
*
Posts: 8


« Reply #333 on: October 25, 2008, 04:54:37 PM »

I'm mostly doing a lot of reading here and keep myself quiet, but this time I have a question. It's been well known that inside 1319L there's an SPI flash which is MX25L2005 as I read on one of those first pages here. The chip was already decapped so the reading shouldn't be a big problem after reading tech specs (http://www.semiconductorstore.com/pdf/Macronix/Serial2.pdf) of that SPI flash.
Therefore I'm wondering, what's really the problem to read-out that SPI flash in that particular case? Is it definitely that SPI flash inside a MX25L2005 or we have maybe something else inside? I'm just asking, cause I have here plenty (maybe 30pcs) of those liteon drives and I can contribute a few of them to someone who's willing to decap some and try to read that damn thing. I would try doing this myself, but I don't have the right equipment and knowledge so all I can contribute are those pieces of hw if someone needs them...
However, I would still like some "technical" explanation why reading is such a big problem if we have a exposed SPI MX25L2005 here?

Thanks, keglevich.
Logged
noob6969
Hacker
***
Posts: 64


« Reply #334 on: October 25, 2008, 09:53:11 PM »

Ok there is two die in there, mega upload would not work for me the other night, all I saw was the xray.

Still, what a mess, the mind boggles over the manufacturability of such a device and I wonder if it is indeed a MX25L2005. That looks like a hacked up prototype not a mass produced production package. But I guess I will have to concede but I wonder how they are making it cost effectively.

if that extra die in there is a serial EE memory then it's possible it has its own security bit set, I am not sure if the MX25L2005 has a security option, but I know Catalyst used to make secure serial EEroms for nix and would supply die for hybrids. I wonder why they did not put the EEROM on the same die as the controller, one would just assume. There are zillions of MCU about with on board EEROM.

If it's not secured then...pfftttt





Logged
theurn15
Member
**
Posts: 43


« Reply #335 on: October 26, 2008, 01:54:09 AM »

For those who have questions about what c4eva said lately, this is the latest development in liteon hacking. This is an updated version of his chat with our friends. He says that:
o   A team of hackers are working now to dump the fw.
o   liteon flashing will be easier than benq flashing (through sata).
o   key must be dumped in all cases.
o   dumping using rs-232 could be replaced by dumping through sata.

Full irc chat:
1.<DCP> c4eva now u have teh controller chip stripped down have u been able to read the fw off it
2.<c4eva> soon, work is progressing
3.<DCP> nice work
4.<kolor> c4eva if u r able to read fw off it, does it means that fw is identical on all liteons, and we all can erase current/write hacked one to our liteons using software
5.* Ivory21 has joined #Stealth360
6.* Ivory21 has quit IRC (Connection closed )
7.<DCP> i think u will need to read the key and spoof off then write it back with a ix fw
8. GeorgeJ has joined #Stealth360
9.<kolor> yeah def need a spoof+key
10.<c4eva> yes, but key must still be dumped, but once fw is read, will look for other holes, software erase/write already done
11.<c4eva> a team of people being working on it
12.<c4eva> once we have fw, and create ixtreme, you just put your key in and flash back!
13.<c4eva> once we have fw, will look for easy way to get key
14.<c4eva> via sata if possible
15.<c4eva> yes, it will be easier than benq
16.<DCP> was it acid dipped c4eva
17.<DCP> or just heat
18.<c4eva> yes, very hard to get type 
19.<c4eva> they think either terrorist or hitman
20.<c4eva> important thing is flash is still intact, including wires
21.<DCP> can u read the flash direct now
22.<DCP> or are teh point not on the board to let u do that
23.<DCP> points*
24.<c4eva> thats the idea, move wires to external pins if necessary
25.<c4eva> attach direct to flash, no need for the controller
26.<c4eva> wires will be re-routed to external pins
27.<c4eva> bit of a cheap ass solution, just putting the flash on top like that!
28.<votality> c4eva do you think the next step will be embedded flash
29.<c4eva> upon researching, there are more secure designs, yes 
Logged
reaper527
Member
**
Posts: 28


« Reply #336 on: October 26, 2008, 09:04:36 AM »


o   liteon flashing will be easier than benq flashing (through sata) .

15.<c4eva> yes, it will be easier than benq


wow, I can't imagine a drive being easier to mod. through all the tools that have been released, modding a benq drive is a cakewalk for the end user.

it's great to see progress being made on this drive.
Logged
keglevich
Newbie
*
Posts: 8


« Reply #337 on: October 26, 2008, 11:41:04 AM »

Oh yeah, and another thing. Beside my first post (two posts above), I'm wondering how is it possible to erase/write to that liteon's 1319l as everybody is talking about. I've read through all posts and many other forums where people are claiming that erasing and writing liteon isn't a problem and that even dosflash 1.6 can do it. As I mentioned, I have here many LITEON drives so it would be nice if someone can write a tutorial or just tell the correct way to use dosflash or any other app so I can try to erase and write some of the chips. I would like to experiment, that's all. Maybe I'll even try to decap one chip and try to read it using willem 5.0 PCB (sivava), which is said to be compatible with MX25L2005 SPI flash...
However, after all the reading of claiming that erasing/writing is possible (and was already done), nobody mentioned a way or an application (or picture, movie, etc.) which can do this in practice. So, was writing/erasing really done or is this just speculation or maybe a thing which was done but nobody wants to publish it until it's finished? I'm just curious...
Logged
Arakon
Administrator
Xbox Hacker
*****
Posts: 6925


« Reply #338 on: October 26, 2008, 11:53:11 AM »

it's fact. If geremia and c4e say they did it, then they did it. I assume it's done by sending specific CDB commands to the drive.
Logged

I do NOT give support by email, PM, ICQ or whatever. Anyone annoying me that way will have his balls removed. With a rusty butterknife. Slowly. And I'll enjoy doing it.
Geremia
Xbox Hacker
*****
Posts: 600


« Reply #339 on: October 26, 2008, 12:22:26 PM »

The erase method is not secret, it's near 3 months old

http://www.xboxhacker.net/index.php?topic=9647.msg65348#msg65348

Logged