Go Back   Doom9's Forum > General > Decrypting

Old 8th April 2007, 19:30   #61  |  Link
Geremia
Registered User
 
Join Date: Feb 2007
Posts: 71
Thanks a lot

I'll compile on Cygwin and I'll test
Old 8th April 2007, 19:30   #62  |  Link
awhitehead
Registered User
 
Join Date: Jan 2007
Location: Tel-Aviv, Israel
Posts: 185
Ok, just a small modification
Try compiling and running this, giving it an argument of a filename:
Code:
#include <stdio.h>

/* Writes a plscsi script that first enables the drive's DF vendor commands
 * and then reads the firmware region 0x200000-0x2FFFFF in 2 KiB pieces,
 * one <start-offset>.bin file per piece.  The script goes to the file named
 * in argv[1], or to stdout when no filename is given. */
int main(int argc, char **argv)
{
    FILE *out = stdout;
    unsigned int foo;

    if (argc > 1) {
        if ((out = fopen(argv[1], "wb")) == NULL) {
            fprintf(stderr, "Error: cannot write to '%s'\n", argv[1]);
            return 1;
        }
    }

    /* point plscsi at the drive and send the DF enable sequence */
    fprintf(out, "set PLSCSI=\\\\.\\E:\n");
    fprintf(out, "plscsi.exe -v -p -x \"1D 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00\" -f DFenable.bin -o x8\n");

    /* one DF read per 2048-byte block: start address, end address, output file <start>.bin */
    for (foo = 2097152; foo < 3145728; foo = foo + 2048) {
        fprintf(out, "plscsi.exe -v -p -x \"DF00E20000 %x %x\" -i x800 -t %x.bin\n",
                foo, (foo + 2048 - 1), foo);
    }

    if (out != stdout) {
        fclose(out);
    }

    return 0;
}
Code:
hostname$ gcc -o plscsi_foo plscsi_foo.c
hostname$ ./plscsi_foo runme.bat
hostname$ head runme.bat 
set PLSCSI=\\.\E:
plscsi.exe -v -p -x "1D 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00" -f DFenable.bin -o x8
plscsi.exe -v -p -x "DF00E20000 200000 2007ff" -i x800 -t 200000.bin
plscsi.exe -v -p -x "DF00E20000 200800 200fff" -i x800 -t 200800.bin
plscsi.exe -v -p -x "DF00E20000 201000 2017ff" -i x800 -t 201000.bin
plscsi.exe -v -p -x "DF00E20000 201800 201fff" -i x800 -t 201800.bin
plscsi.exe -v -p -x "DF00E20000 202000 2027ff" -i x800 -t 202000.bin
plscsi.exe -v -p -x "DF00E20000 202800 202fff" -i x800 -t 202800.bin
plscsi.exe -v -p -x "DF00E20000 203000 2037ff" -i x800 -t 203000.bin
plscsi.exe -v -p -x "DF00E20000 203800 203fff" -i x800 -t 203800.bin
hostname$
Old 8th April 2007, 19:38   #63  |  Link
awhitehead
Registered User
 
Join Date: Jan 2007
Location: Tel-Aviv, Israel
Posts: 185
As for putting each 2K firmware chunk together, either cat *bin > fulldump (under a unixish environment) or copy /b under DOS should probably work.
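An added example (not code from the thread) of the reassembly step with the checks a plain cat does not do: every expected piece from 0x200000 to 0x2FF800 must exist, be exactly 0x800 bytes, and be joined in offset order rather than in whatever order the shell glob yields. Glob order happens to be correct for the script above because every filename is six hex digits, so lexical and numeric order coincide; this version does not rely on that and also refuses to build an image with a hole in it. The chunk files are constructed in a temporary directory, not real firmware.

```python
import os
import re
import tempfile

CHUNK = 0x800                    # each plscsi read in the generated script returns 2 KiB
START, END = 0x200000, 0x300000  # region the script above walks, 1 MiB in total
NAME_RE = re.compile(r"^([0-9a-fA-F]+)\.bin$")  # script names pieces by hex start offset

def assemble_chunks(directory, start=START, end=END, chunk=CHUNK):
    """Join per-chunk dumps in offset order; raise rather than emit a short or shuffled image."""
    found = {}
    for name in os.listdir(directory):
        m = NAME_RE.match(name)
        if m:
            found[int(m.group(1), 16)] = os.path.join(directory, name)
    image = bytearray()
    for offset in range(start, end, chunk):
        path = found.get(offset)
        if path is None:
            raise ValueError("missing chunk at 0x%x" % offset)
        with open(path, "rb") as fh:
            data = fh.read()
        if len(data) != chunk:
            raise ValueError("chunk 0x%x is %d bytes, expected %d" % (offset, len(data), chunk))
        image += data
    return bytes(image)

def make_fake_dump(directory, skip=None):
    """Constructed sample input (not real firmware): each 2 KiB file is filled with its own offset."""
    for offset in range(START, END, CHUNK):
        if offset != skip:
            with open(os.path.join(directory, "%x.bin" % offset), "wb") as fh:
                fh.write(offset.to_bytes(4, "little") * (CHUNK // 4))

def demo():
    """Returns (complete dump assembled in order, missing chunk detected)."""
    with tempfile.TemporaryDirectory() as d:
        make_fake_dump(d)
        img = assemble_chunks(d)
        # byte 0x800 of the image must come from the piece that started at 0x200800
        ok = len(img) == END - START and img[0x800:0x804] == (0x200800).to_bytes(4, "little")
    with tempfile.TemporaryDirectory() as d:
        make_fake_dump(d, skip=0x2A0000)
        try:
            assemble_chunks(d)
            detected = False
        except ValueError:
            detected = True
    return ok, detected
```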
Old 8th April 2007, 19:42   #64  |  Link
Geremia
Registered User
 
Join Date: Feb 2007
Posts: 71
Thanks, just tried the first source, now I'll reassemble under Cygwin, hoping that it will take them in filename order
Old 8th April 2007, 19:48   #65  |  Link
Geremia
Registered User
 
Join Date: Feb 2007
Posts: 71
WORKS!
thanks awhitehead

The software-dumped fw is exactly the same as my flash reading with an external programmer.
Old 8th April 2007, 19:52   #66  |  Link
awhitehead
Registered User
 
Join Date: Jan 2007
Location: Tel-Aviv, Israel
Posts: 185
So is byte swapping necessary afterwards?
Old 8th April 2007, 19:53   #67  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
Quote:
Originally Posted by Geremia
WORKS!
thanks awhitehead

The software-dumped fw is exactly the same as my flash reading with an external programmer.
WOW
Old 8th April 2007, 19:59   #68  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
@Geremia: I know you're busy doing something else. But maybe you can answer this when you have time for it:

This is regarding checksum bytes and where they are stored in the fw:

I can find the 16 checksum bytes for 0000-3FFF (starting at 00003FF0)
I can find the 16 checksum bytes for 10000-DFFFF (starting at 000DFFF0)
I can find the 16 checksum bytes for the bootloader (starting at 000FDBF0).

I guess these are the most important areas.

But when looking at the region 8000-BFFF there appear to be no valid 16 checksum bytes at the end. And when checking myself (with proggy) they don't validate (while the above three do). Also with E0000-EFFFF.

Any idea if these areas really are XOR checksummed (as well as SUM)? And if so, where these 16 bytes should be?

I guess this is low priority.

arnezami

Last edited by arnezami; 8th April 2007 at 20:22.
Old 8th April 2007, 20:35   #69  |  Link
Geremia
Registered User
 
Join Date: Feb 2007
Posts: 71
Thanks awhitehead for the bat creator

i've added the cat stuff

http://www.sendspace.com/file/cezdih

fwdump.bat driveletter

it dumps all the firmware, including the unique areas

P.S.: byteswapping is only needed if you read the flash by external programmer

@ arnezami
fwpart4 is unknown to me, but I'll take a look after dinner (10 minutes lol)
Old 8th April 2007, 21:48   #70  |  Link
Geremia
Registered User
 
Join Date: Feb 2007
Posts: 71
about fwpart4, it's weird.
during flashing, xor and sum are calculated, but it skips the AES part.

in the boot sequence, it's not checked

i think it's not so important at the moment
Old 8th April 2007, 21:58   #71  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
Quote:
Originally Posted by Geremia
about fwpart4, it's weird.
during flashing, xor and sum are calculated, but it skips the AES part.

in the boot sequence, it's not checked

i think it's not so important at the moment
Ok. It's not so important.

Here is fwchecksum.exe.

It will calculate the (new) 16 bytes checksum and the (new) sum correction value. It ignores the current 16 byte checksum and sum correction values (the old ones still present in the file). It does this for three different areas:



In other words: when you change something in any of these areas and run this proggy you can replace the 16 bytes + sum correction value and it should flash without error.

I'm a bit sleepy at the moment so I hope I didn't make any mistakes. Fingers crossed...

Regards,

arnezami

PS. Currently I'm not actually doing the scrambling stuff which limits this proggy to this revision atm.

[edit] Almost forgot: the flash dumper (+script) works!!!

Last edited by arnezami; 8th April 2007 at 22:30.
Old 8th April 2007, 22:45   #72  |  Link
Geremia
Registered User
 
Join Date: Feb 2007
Posts: 71


your fwchecksum works!!!!!

just flashed a patched and rechecksumed fw

great job man!

BTW, there is another DF command to dump the flash without the unique area, I'll check it; it can be useful to compare with a modified fw to see if it's safe to flash, or if it's another fw revision etc...
Old 8th April 2007, 22:56   #73  |  Link
arnezami
Registered User
 
Join Date: Sep 2006
Posts: 390
Quote:
Originally Posted by Geremia


your fwchecksum works!!!!!

just flashed a patched and rechecksumed fw

great job man!

BTW, there is another DF command to dump the flash without the unique area, I'll check it; it can be useful to compare with a modified fw to see if it's safe to flash, or if it's another fw revision etc...
This really is a good day.

Seems we have beaten the Xbox 360 HD DVD hands down.

We should be proud.

arnezami
Old 8th April 2007, 22:58   #74  |  Link
bcrabl
Registered User
 
Join Date: Feb 2007
Posts: 49
Quote:
But this does not allow you to do anything with the video/audio on the disc (like demux/recompress whatever). Its just for backup and playback.

Does that answer your question?
Thanks arnezami for the reply. What I imagined is a last resort if all the other parts become unhackable (don't think so). But maybe after this hack the AACS LA would give up upgrading the MKB every time a processing or, even worse for them, a device key (from a software player) is found. They could just admit they lost and game over.

Also when the HD-DVD recorders become accessible and the media price is lowered, it would be preferable to just record it than to reencode it to x264.

EDIT: Great news!!!

Last edited by bcrabl; 9th April 2007 at 09:14.
Old 8th April 2007, 23:01   #75  |  Link
lightshadow
Registered User
 
Join Date: Feb 2007
Posts: 123
Quote:
Originally Posted by arnezami
We should be proud.
It's well deserved =)

What would you say is left to be done?

Is the goal still a Private Host Key less firmware or perhaps a bootloader that accepts all firmwares?
Old 8th April 2007, 23:38   #76  |  Link
osix
Registered User
 
Join Date: Mar 2007
Posts: 1
I like you all !

AACS must be hacked !

It's an important demonstration who has got the MIGHT !

Can some intelligent guys win the fight against the consortium of five or six global companies with billions of money?

It's in a certain sense like a "war". Can the companies build the "walls" that high, that nobody can go over it ?

And it's the "second war", after the "first war" the industry lost because of DeCSS....But this time, with AACS, the "weapons" on both sides are even stronger than before...

I BELIEVE IN YOU ALL, nothing is more exciting to read the news on doom9...
Old 9th April 2007, 00:06   #77  |  Link
awhitehead
Registered User
 
Join Date: Jan 2007
Location: Tel-Aviv, Israel
Posts: 185
Geremia, arnezami - wow, you're the giants here, guys.

Quote:
Originally Posted by Geremia
Thanks awhitehead for the bat creator
Yay! Glad that it worked.
(In case someone asks, my source code above is public domain. Go right ahead and use it or modify it if you want to - I'll just be happy)
Old 9th April 2007, 00:38   #78  |  Link
Geremia
Registered User
 
Join Date: Feb 2007
Posts: 71
The volumeID patch is not something useful, it's just a proof of concept; anyway, if anyone is interested, here it is (rechecksumed with arnezami's great app)

*removed, not needed anymore*

Dump your own firmware, store a copy in safe place, apply the ppf on a copy of your firmware, flash it back with WinVUP.

If your drive fw is different from the fw the patch was built for (MC08), the patched firmware will have the sum and xors incorrect and will not be flashed, so it's quite safe.

to take a look at VolumeID:

plscsi.exe -v -x "AD 00 00 00 00 00 00 80 00 24 00 00" -i x24

Last edited by Geremia; 17th April 2007 at 14:58.
Old 9th April 2007, 00:54   #79  |  Link
Geremia
Registered User
 
Join Date: Feb 2007
Posts: 71
member xt5 from xboxhacker provided a tool to automatically enable DF and dump any area space, much appreciated

http://www.xboxhacker.net/index.php?...44556#msg44556

to dump fw:

dump.exe driveletter firmware.bin 0x200000 0x100000
Old 9th April 2007, 03:27   #80  |  Link
mb2696
Registered User
 
Join Date: Jan 2007
Posts: 39
how do you apply the ppf to the bin?

edit: nm used ppf-o-matic

Last edited by mb2696; 9th April 2007 at 03:51.