Post #314, 20th February 2007, 00:36
Geremia, Registered User (Join Date: Feb 2007; Posts: 71)
Hi all,

First, congrats to all; very interesting reading here.

Just got an Xbox 360 DVD drive and started playing a little.

Firmware: actually unable to know what CPU is inside the main big chip; it's unnamed, no brand, no model number... actually unable to disassemble. If there are any good firmware hackers out here, PM me to help find the main CPU.

Just sniffed the USB traffic between the drive and PowerDVD 7.2. Unfortunately the authentication cannot be reproduced, because every time I send the same host certificate challenge I receive a different drive certificate challenge and a different drive key, and then if I send the host key it returns an error, so I suppose AnyDVD has the host private key (I've not sniffed AnyDVD; are you sure it asks the drive for AACS authentication?).
The sniffed drive keys and drive certificate challenge data are not present in the firmware, at least not in the clear, so I guess the drive has something like a master private key (I'm not a crypto specialist, I'm not a specialist in anything, just a hobbyist).

I'm using plscsi to send CDB commands; it's nice.

Here are some examples of using plscsi:

plscsi.exe -v -x "A4 00 00 00 00 00 00 02 00 10 00 00" -i x8 // request Authentication Grant ID
plscsi.exe -v -x "A3 00 00 00 00 00 00 02 00 74 01 00" -o x74 -f hostchal1.bin // send host certificate challenge
plscsi.exe -v -x "A4 00 00 00 00 00 00 02 00 74 01 00" -i x74 // request drive certificate challenge
plscsi.exe -v -x "A4 00 00 00 00 00 00 02 00 54 02 00" -i x54 // request drive key
plscsi.exe -v -x "A3 00 00 00 00 00 00 02 00 54 02 00" -o x54 -f hostkey1.bin // send host key

plscsi.exe -v -x "AD 00 00 00 00 00 00 03 00 50 00 00" -i x50 // read BCA

About the control data zone: it's hidden from the simple "read" CDB command; the drive forbids you to read negative LBA sectors.

The read command accepts positive LBA sectors. LBA sector 0 is PSN (physical sector number) 30000, so you can't read the control data zone, which is PSN 2F200-2FDFF, unless you hack the firmware to skip the positive-LBA check.
I don't know what Kend00 has tried; anyway, read disc structure (15h), read copyright data section, works, but outputs all zeroes, at least for King Kong, Miami Vice and The Bourne Supremacy.

plscsi.exe -v -x "AD 00 00 00 00 00 00 15 F8 04 00 00" -i xF804 -t CDS.bin

P.S.
I've tried to send the read disc structure, read volume ID CDB command while PowerDVD plays, but I had no luck.
plscsi.exe -v -x "AD 00 00 00 00 00 00 80 00 24 00 00" -i x24
It seems that the drive does not accept repetition of the authentication procedure steps; in fact PowerDVD repeats the procedure 3-4 times.
By procedure I mean:
- clear AGID
- request an AGID
- send host certificate challenge
- request drive certificate challenge
- request drive key
- send host key
- read disc structure, volume ID (format code 80h) (btw, it seems not to read other stuff here, like the pre-recorded media serial number or the MKB in the lead-in)

Last edited by Geremia; 20th February 2007 at 02:16.
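As an added example (not code from Geremia's post), a small Python decoder and builder for the 12-byte SEND KEY / REPORT KEY / READ DISC STRUCTURE CDBs quoted in the plscsi lines above, so each sniffed hex string can be read field by field (key class, key format, AGID, transfer length). The key-format names are the post's own; the 3Fh "invalidate AGID" SEND KEY format is assumed from the MMC command set and is not mentioned in the post.

```python
# Added example (not from the post): decode and build the 12-byte MMC CDBs the
# plscsi commands above send. Field layout per MMC: byte 0 opcode; byte 7 key
# class (SEND/REPORT KEY) or format code (READ DISC STRUCTURE); bytes 8-9
# allocation/parameter length (big-endian); byte 10 = AGID (bits 7-6) | key format.
OPCODES = {0xA3: "SEND KEY", 0xA4: "REPORT KEY", 0xAD: "READ DISC STRUCTURE"}
AACS_KEY_CLASS = 0x02
# Key-format names as the post uses them; 0x3F (invalidate AGID) assumed from MMC.
REPORT_KEY_FMT = {0x00: "request AGID", 0x01: "drive certificate challenge",
                  0x02: "drive key"}
SEND_KEY_FMT = {0x01: "host certificate challenge", 0x02: "host key",
                0x3F: "invalidate AGID"}
RDS_FMT = {0x03: "BCA", 0x15: "copyright data section", 0x80: "volume ID"}


def parse_cdb(hexstr):
    """Describe one CDB given as the plscsi -x hex string (spaces allowed)."""
    cdb = bytes.fromhex(hexstr)
    if len(cdb) != 12:
        raise ValueError("expected a 12-byte CDB")
    op = cdb[0]
    info = {"opcode": OPCODES.get(op, "0x%02X" % op),
            "length": (cdb[8] << 8) | cdb[9],   # bytes transferred in/out
            "agid": cdb[10] >> 6}               # which granted AGID is used
    if op in (0xA3, 0xA4):
        key_class, key_format = cdb[7], cdb[10] & 0x3F
        names = SEND_KEY_FMT if op == 0xA3 else REPORT_KEY_FMT
        info["key_class"] = key_class
        info["key_format"] = key_format
        info["meaning"] = (names.get(key_format, "unknown format")
                           if key_class == AACS_KEY_CLASS else "non-AACS key class")
    elif op == 0xAD:
        info["format"] = cdb[7]
        info["meaning"] = RDS_FMT.get(cdb[7], "unknown format")
    return info


def build_key_cdb(opcode, key_format, length, agid=0):
    """Build a SEND KEY (0xA3) / REPORT KEY (0xA4) CDB for the AACS key class.
    The post's examples all carry AGID 0; `agid` is where the value returned by
    the AGID request goes in the later steps."""
    if opcode not in (0xA3, 0xA4) or not 0 <= agid <= 3:
        raise ValueError("bad opcode or AGID")
    cdb = bytearray(12)
    cdb[0] = opcode
    cdb[7] = AACS_KEY_CLASS
    cdb[8], cdb[9] = length >> 8, length & 0xFF
    cdb[10] = (agid << 6) | (key_format & 0x3F)
    return cdb.hex(" ").upper()   # same notation plscsi -x takes
```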