5th April 2007, 19:18   #17
awhitehead
Registered User
Join Date: Jan 2007
Location: Tel-Aviv, Israel
Posts: 185
Quote:
Originally Posted by Galileo2000
Yeah, and we wanna guide to the hack too
Essentially, here is what happened, the way I understand it. Geremia will correct me, I am sure.

Geremia is a highly respected firmware engineer on xboxhacker.net forums. He was one of the folks who collaborated on breaking the protection of the normal Xbox 360 DVD drive.

One day he bought an HD-DVD drive, and asked on xboxhacker.net forums if anyone else got one and is interested in reverse engineering its firmware. At the same time he "dumped" the drive - opened the HD-DVD case, removed the drive, then desoldered the flash chip (containing the drive's operating system) and read it using a standard "flasher" - a device designed to read and write to flash memory chips.

Then he had a copy of the firmware in the flash memory of his drive.

At that time no one knew what the core of the drive is based on - in plain words, what processor architecture is used by Toshiba in SD-S802A HD-DVD drives. Without knowing this, it was not possible to make sense of the actual data that Geremia recovered from the drive. Geremia took high resolution photos of the drive's logic board, and looked at similar Toshiba drives that might use a similar architecture and similar firmware.

Around the same time, Geremia discovered the post by arnezami on the doom9 forum on snooping the USB connection between the drive and the operating system. Since he already had the means of restoring his drive to its original condition (he had made a backup of the drive's flash beforehand), he could play around with the flash "dump". By watching the interactions between the flashing utilities and other Toshiba drives, he discovered some of the vendor specific CDBs - commands sent over the USB bus (or actually over any sort of encapsulated SCSI connection - ATAPI over USB, over IDE or over SCSI itself) needed to flash the drive with new firmware.

He attempted to duplicate the same commands but with his own drive and his own firmware, and after some attempts succeeded. So by this point he knew how to flash the firmware onto the drive, but not how to modify the firmware.

By this point someone else on xboxhacker.net forums got an HD-DVD drive, desoldered his flash chip (usually people desolder the flash and solder a socket in its place, allowing easy removal and reprogramming of the chip), and read the contents. That person sent Geremia his own copy of the flash dump, and Geremia was able to see what the differences are between the two copies of the same firmware. That's the data that is not checksummed by the firmware, btw.

Around the same time, after some misdirections by people without a clue (read: after awhitehead told Geremia a bunch of bullshit), Geremia figured out that the architecture used by Toshiba in SD-S802A drives is based on the Fujitsu FR 32 architecture. Moreover, disassemblers for this exist, both commercial and free, so it's possible to see which assembly instruction each opcode matches.

At this point Geremia spent a long time tracking down how the drive is supposed to react to certain CDB commands.

Your copy of PowerDVD sends a bunch of authentication data using CDBs (well, encapsulated in CDBs) to the drive, and then asks for specific data (Volume ID) from the drive, again using a CDB command (the command plscsi.exe -v -x "AD 00 00 00 00 00 00 80 00 24 00 00" -i x24 means "Send a CDB containing AD 00 00 00 00 00 00 80 00 24 00 00 to the drive, and expect back 24 bytes of reply"). Knowing this, he was able to modify the firmware so that the drive executes the actual disk read without the need for the cryptographic exchange between the drive and the player software beforehand.

Now there are two things that remain to be solved:
1) Geremia and others (I can't say 'we', since I am not qualified) are searching for a way to dump the firmware from the drive using CDBs. This way no complicated desoldering is required, and no flasher hardware is necessary. This is needed so that you could make a backup of your own firmware beforehand.

2) Testing needs to be done, to make sure that the firmware modification is not noticed by the software, etc.
All of the above is probably wrong. :-)
Hope this helps.