Doom9's Forum > General > Decrypting
7th April 2007, 17:52   #41
Geremia
I'm on the right track, I got a dump of the firmware but without the unique areas. I have to trace something more.
BTW, the CDB opcode is DF and it's disabled by default, or at least it works only if the drive is in a certain state, which I really don't know. I patched the firmware to enable this CDB.
7th April 2007, 22:48   #42
Geremia
Code:
E:\HD-DVD\PLSCSI>plscsi.exe -v -p -x "DF 00 E2 00 00 20 00 00 20 07 FF" -i x801
x 00000000 DF:00:E2:00 00:20:00:00 20:07:FF .. .. .. .. .. "_@b@@ @@ G?"
x 00000000 56:31:59:4C 28:22:2D:23 02:01:02:00 00:00:00:00 "V1YL("-#BAB@@@@@"
x 00000010 40:40:00:79 1E:02:4A:14 00:00:00:00 00:00:00:00 "@@@y^BJT@@@@@@@@"
x 00000020 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
x 00000030 4D:43:30:38 31:30:2F:30 33:2F:30:36 00:21:7C:E4 "MC0810/03/06@!|d"
x 00000040 00:20:00:60 00:21:3B:E2 00:21:58:06 00:20:07:A8 "@ @`@!;b@!XF@ G("
x 00000050 00:21:3C:28 00:21:16:52 00:21:26:48 00:20:00:70 "@!<(@!VR@!&H@ @p"
x 00000060 17:81:9F:8C 00:21:8C:9A 9F:1C:C0:04 07:81:97:20 "WA_L@!LZ_\@DGAW "
x 00000070 17:81:9F:80 00:40:00:00 9B:0D:03:0C 02:04:CC:E0 "WA_@@@@@[MCLBDL`"
x 00000080 82:40:E3:08 9F:80:00:40 00:00:C3:11 9B:0D:03:0C "B@cH_@@@@@CQ[MCL"
x 00000090 F0:45:12:01 C0:20:82:40 E2:02:D0:45 E0:3F:C0:40 "pERA@ B@bBPE`?@@"
x 000000A0 82:40:E2:02 D0:A4:E0:3A C0:80:82:40 E2:31:9F:8C "B@bBP$`:@@B@b1_L"
x 000000B0 00:04:01:24 06:C0:A8:00 E3:18:9F:8C 00:04:01:21 "@DA$F@(@cX_L@DA!"
x 000000C0 06:C0:A8:00 E3:12:9F:80 00:40:00:00 9B:0D:03:06 "F@(@cR_@@@@@[MCF"
x 000000D0 02:00:C1:01 82:10:AA:10 E3:08:9F:80 00:40:00:00 "B@AABP*PcH_@@@@@"
x 000000E0 C0:81:9B:0D 03:0C:F0:1A 12:01:9F:80 00:40:00:00 "@A[MCLpZRA_@@@@@"
x 000000F0 9B:0D:03:07 02:04:A8:84 E3:09:9F:80 00:40:00:00 "[MCGBD(DcI_@@@@@"
x 00000100 C0:81:9B:0D 03:0C:D8:73 12:01:E0:08 D0:FF:E0:06 "@A[MCLXsRA`HP?`F"
x 00000110 C4:00:82:04 E2:02:D1:53 E0:01:D2:62 CF:E1:C4:00 "D@BDbBQS`ARbOaD@"
x 00000120 16:01:07:81 97:20:17:08 17:81:9F:88 00:04:05:D6 "VAGAW WHWA_H@DEV"
....
.....
x 000007F0 A6:06:05:A4 9B:00:F0:00 82:40:E3:1C 9B:00:40:01 "&FE$[@p@B@c\[@@A"
x 00000800 AE .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. "."
// 1 = plscsi.main exit int
Here is the CDB to dump areas; it also dumps external RAM and internal RAM, hardware registers, and the flash area (unique data included). I haven't explored it much, but it looks very interesting.

DF 00 E2 00 00 ba ba ba ea ea ea, where bababa is the base address and eaeaea is the end address;
(endaddress - baseaddress) <= FFE.
After all the dumped data it adds 1 byte (a sort of checksum).

There seem to be other interesting CDBs.
During tests it seemed that DF 00 E2 05 searches for data from the inserted disc. I have to look deeper.

Can anyone code a little app to dump memory space easily?
For example, it would be helpful to have an app that takes as input a base address and a length (>FFF) and sends multiple CDBs to collect all the data required.

Something more about enabling this CDB:

Code:
ROM:0023AFD0 CDB_table_D0_DF:.long 0xD0000000        ; DATA XREF: Process_incoming_CDB:loc_2236FEo
ROM:0023AFD4                 .long ATAPI_D0_unknown
ROM:0023AFD8                 .long 0x80000000
ROM:0023AFDC                 .long 0xD1000000
ROM:0023AFE0                 .long ATAPI_D1_unknown
ROM:0023AFE4                 .long 0x80000000
ROM:0023AFE8                 .long 0xD2000000
ROM:0023AFEC                 .long ATAPI_D2_unknown
ROM:0023AFF0                 .long 0x80000000
ROM:0023AFF4                 .long 0xD3000000
ROM:0023AFF8                 .long ATAPI_D3_unknown
ROM:0023AFFC                 .long 0x80000000
ROM:0023B000                 .long 0xD4000000
ROM:0023B004                 .long ATAPI_D4_unknown
ROM:0023B008                 .long 0x80000000
ROM:0023B00C                 .long 0xD5000000
ROM:0023B010                 .long ATAPI_D5_unknown
ROM:0023B014                 .long 0x80000000
ROM:0023B018                 .long 0xDF000000
ROM:0023B01C                 .long ATAPI_DF_unknown
ROM:0023B020                 .long 0x88000000        ; patched to 80000000 to enable it
ROM:0023B024                 .long 0xF9000000
ROM:0023B028                 .long ATAPI_command_not_supported
Code:
ROM:00223726                 mov     r4, r0
ROM:00223728                 add     #8, r0
ROM:0022372A                 btstl   #8, @r0
ROM:0022372C                 beq     loc_223744      ; branch if bit4 is 0
ROM:0022372C                                         ; go on if is set
ROM:0022372C                                         ; disabled CDB has 88
ROM:0022372E                 ldi:32  #0x404B4, r12   ; don't know, maybe an hardware pin
ROM:0022372E                                         ; maybe can be changed with another CDB
ROM:00223734                 ld      @r12, r0
ROM:00223736                 cmp     #0, r0
ROM:00223738                 bne     loc_223744
ROM:0022373A                 ldi:32  #ATAPI_command_not_supported, r12
ROM:00223740                 call    @r12
Processing of the DF 00 CDB is divided into different functions.

Code:
ROM:0022588E                 ldub    @(r13, r8), r0  ; 3rd cdb byte
ROM:00225890                 ldi:8   #0xD7, r1
ROM:00225892                 sub     r1, r0
ROM:00225894                 ldi:8   #0x19, r12
ROM:00225896                 cmp     r12, r0
ROM:00225898                 bc      loc_2258A2      ; branch if CDB was from DF 00 D7 to DF 00 EF
ROM:0022589A                 ldi:32  #ATAPI_DF_00_error, r12 ; seems to go to cdb error
ROM:002258A0                 jmp:D   @r12
ROM:002258A2
ROM:002258A2 loc_2258A2:                             ; CODE XREF: ATAPI_DF_unknown+30j
ROM:002258A2                 mov     r0, r13         ; from 0 to 18
ROM:002258A4 ; ---------------------------------------------------------------------------
ROM:002258A4                 ldi:32  #DF_00_table, r12
ROM:002258AA                 lsl     #2, r13         ; multiply by 4
ROM:002258AC                 ld      @(r13, r12), r12
ROM:002258AE                 jmp     @r12            ; jumps to
ROM:002258AE                                         ; 002258B0 for DF 00 D7
ROM:002258AE                                         ; 00225D08 error
ROM:002258AE                                         ; 002258F6 for DF 00 D9
ROM:002258AE                                         ; 00225CD0 for DF 00 DA
ROM:002258AE                                         ; 00225D08 error
ROM:002258AE                                         ; 00225D08 error
ROM:002258AE                                         ; 00225D08 error
ROM:002258AE                                         ; 00225D08 error
ROM:002258AE                                         ; 00225D08 error
ROM:002258AE                                         ; 0022597C for DF 00 E0
ROM:002258AE                                         ; 00225D08 error
ROM:002258AE                                         ; 00225BBC for DF 00 E2  dumps area
ROM:002258AE                                         ; 00225B2C for DF 00 E3
ROM:002258AE                                         ; 00225D08 error
ROM:002258AE                                         ; 00225D08 error
ROM:002258AE                                         ; 00225D08 error
ROM:002258AE                                         ; 00225D08 error
ROM:002258AE                                         ; 00225D08 error
ROM:002258AE                                         ; 00225D08 error
ROM:002258AE                                         ; 00225D08 error
ROM:002258AE                                         ; 00225D08 error
ROM:002258AE                                         ; 00225D08 error
ROM:002258AE                                         ; 00225D08 error
ROM:002258AE                                         ; 00225D08 error
ROM:002258AE                                         ; 00225CD8 for DF 00 EF
ROM:002258B0 ; ---------------------------------------------------------------------------
To enable this CDB I've patched the fw and flashed it back, so this command works only with a patched fw.

As soon as I can verify my flash content, I can share a patched (and not dangerous) fw for VolumeID+DFenable.

Last edited by Geremia; 8th April 2007 at 09:49.
8th April 2007, 10:19   #43
arnezami
Quote: Originally Posted by awhitehead
I might be misinterpreting what you mean by "unencrypted", however this post on AVSforum by the President of R&B Films indicates that none of their HD-DVDs use AACS due to costs. In practical terms that means "Chronos".

In addition I can think of a couple other commercially pressed HD-DVD disks that were reported to not utilize AACS: "Running Scared" in Germany, and "Nature's Colors".

To the best of my knowledge, these titles are currently playable by Xbox 360 with an HD-DVD add-on.
I'm sorry. I meant unencrypted recorded discs (including all menu features etc). I haven't had time to follow the reauthoring/remuxing threads for a long time. Can this be done? (assuming anybody has an HD DVD recorder...)
8th April 2007, 12:26   #44
arnezami
Quote: Originally Posted by Geremia
With a cryptographic specialist like you, we are all in good hope.

BTW, I'm tracing a vendor specific CDB, it smells of "memory space dump"; hope to be on the right track.

keep up the good work!
Seems you're making progress with the reading of the flash stuff.

Btw. Just to keep everybody updated. I found something regarding the checksum function. This is the part of memory that is used in the one-way function:

Code:
7C637B776BF2C56F01302B67D7FE76AB
82CA7DC959FAF047D4ADAFA2A49CC072
FDB726933F36CCF7A534F1E5D8711531
C704C32396189A051207E28027EB75B2
83091A2C6E1BA05A3B52B3D6E329842F
D153ED00FC205BB1CB6A39BE4C4ACF58
EFD0FBAA4D438533F9457F023C50A89F
A3518F409D92F538B6BC21DAFF10D2F3
0CCDEC13975F1744A7C43D7E5D647319
8160DC4F2A228890EE4614B85EDEDB0B
32E00A3A06495C24D3C262AC959179E4
C8E76D37D58DA94E566CEAF47A6508AE
78BA2E25A61CC6B4DDE81F74BD4B8A8B
3E7066B503480EF63561B957C1869E1D
F8E11198D969948E1E9BE98755CEDF28
A18C0D89E6BF684299410F2D54B016BB
And guess what. This is the S-box used in AES (mind the byte swap):



So this is confirmation AES is indeed involved.

Although right now it doesn't seem to be AES-G. Possibly simpler.

For those who want to know a little bit more about AES here is a really nice visual presentation.

Regards,

arnezami

Last edited by arnezami; 8th April 2007 at 12:56.
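As an added example (not code from the thread), here is how to check that the 256 bytes arnezami posted above are the AES S-box once the 16-bit byte swap is undone. The S-box is generated from its definition rather than copied, so the check does not rely on a hand-typed table; FW_BLOB is the block from the post.

```python
# Added example, not code from the thread: check whether a 256-byte region of
# a drive memory dump is the AES S-box, allowing for the 16-bit byte swap that
# arnezami pointed out. The S-box is generated from its definition (GF(2^8)
# inverse followed by the affine map) rather than typed in by hand.

def gf_mul(a: int, b: int) -> int:
    """Multiply in GF(2^8) modulo the AES polynomial x^8 + x^4 + x^3 + x + 1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def gf_inv(a: int) -> int:
    """Multiplicative inverse in GF(2^8); AES maps 0 to 0."""
    if a == 0:
        return 0
    result, base, exp = 1, a, 254      # a^254 == a^-1 (group order 255)
    while exp:
        if exp & 1:
            result = gf_mul(result, base)
        base = gf_mul(base, base)
        exp >>= 1
    return result


def aes_sbox() -> bytes:
    """Forward AES S-box: s = inv ^ rotl(inv,1) ^ ... ^ rotl(inv,4) ^ 0x63."""
    out = bytearray(256)
    for x in range(256):
        inv = gf_inv(x)
        s = inv
        for shift in (1, 2, 3, 4):
            s ^= ((inv << shift) | (inv >> (8 - shift))) & 0xFF
        out[x] = s ^ 0x63
    return bytes(out)


def swap16(data: bytes) -> bytes:
    """Swap the two bytes of each 16-bit word, undoing a little-endian word dump."""
    if len(data) % 2:
        raise ValueError("need an even number of bytes")
    out = bytearray(len(data))
    out[0::2] = data[1::2]
    out[1::2] = data[0::2]
    return bytes(out)


def find_sbox(blob: bytes) -> dict:
    """Offset of the AES S-box in blob as dumped and after byte swapping (-1 = absent)."""
    sbox = aes_sbox()
    return {"raw": blob.find(sbox), "swapped": swap16(blob).find(sbox)}


# The 256 bytes arnezami posted from the drive memory, copied from the thread.
FW_BLOB = bytes.fromhex(
    "7C637B776BF2C56F01302B67D7FE76AB"
    "82CA7DC959FAF047D4ADAFA2A49CC072"
    "FDB726933F36CCF7A534F1E5D8711531"
    "C704C32396189A051207E28027EB75B2"
    "83091A2C6E1BA05A3B52B3D6E329842F"
    "D153ED00FC205BB1CB6A39BE4C4ACF58"
    "EFD0FBAA4D438533F9457F023C50A89F"
    "A3518F409D92F538B6BC21DAFF10D2F3"
    "0CCDEC13975F1744A7C43D7E5D647319"
    "8160DC4F2A228890EE4614B85EDEDB0B"
    "32E00A3A06495C24D3C262AC959179E4"
    "C8E76D37D58DA94E566CEAF47A6508AE"
    "78BA2E25A61CC6B4DDE81F74BD4B8A8B"
    "3E7066B503480EF63561B957C1869E1D"
    "F8E11198D969948E1E9BE98755CEDF28"
    "A18C0D89E6BF684299410F2D54B016BB"
)

if __name__ == "__main__":
    print(find_sbox(FW_BLOB))  # {'raw': -1, 'swapped': 0}
```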
8th April 2007, 13:20   #45
Geremia
Seems you are on the right track too.

The CDB to dump any memory space is DF 00 E2 00 00 ba ba ba ea ea ea, where bababa is the base address and eaeaea is the end address; max length is FFE, but it's disabled by default.
Instead of patching the fw to enable it, I'm actually looking for an already enabled CDB that can poke a byte into RAM; this way I could enable the DF command on an original firmware and dump it prior to any flashing.
8th April 2007, 13:45   #46
arnezami
Quote: Originally Posted by Geremia
Seems you are on the right track too.

The CDB to dump any memory space is DF 00 E2 00 00 ba ba ba ea ea ea, where bababa is the base address and eaeaea is the end address; max length is FFE, but it's disabled by default.
Instead of patching the fw to enable it, I'm actually looking for an already enabled CDB that can poke a byte into RAM; this way I could enable the DF command on an original firmware and dump it prior to any flashing.
That sounds like a good plan. Is it also possible there is a command to enable this dumping command somehow? You were talking about a possible hardware jumper or something?

Anyway. Great work!

I think I've figured out the "one-way" function. It's not AES-G (used by AACS):

But something very similar:

Which I will call AES-J from now on. Interestingly, in this configuration it's not one-way...

This is now the complete picture again:

If all this is correct and if I can replicate the "scrambling" stuff I should be able to re-create the 16 byte checksum values.

arnezami

[edit] Mind the E (as opposed to D) in the schematic of AES-J...

Last edited by arnezami; 8th April 2007 at 22:51.
8th April 2007, 15:57   #47
Geremia
When @(0x404B4) is not 00000000 the DF command will be accepted.

There is only one place where this is set to 1, but it's hard to trace back and see how to invoke it. ATM I'm suspecting something related to the 1D/1C commands; these commands are vendor specific and are used by the WinVUP flasher to retrieve some parts of the fw (btw FDC18, FDC04...) and to make the code jump to the bootloader.
8th April 2007, 17:43   #48
Geremia
GOT IT!!

Firmware dump by software, including the unique area, without patching anything.

Don't know if all the firmware is dumped correctly, because plscsi must be run 512 times to dump the whole fw area, but from random dumps it seems correct.
Is there anyone who can make something like a script to issue 512 plscsi commands to dump 512 0x800-byte chunks and reassemble them all into 1 file?
8th April 2007, 18:00   #49
awhitehead
Quote: Originally Posted by Geremia
GOT IT!!

Firmware dump by software, including the unique area, without patching anything.

Don't know if all the firmware is dumped correctly, because plscsi must be run 512 times to dump the whole fw area, but from random dumps it seems correct.
Is there anyone who can make something like a script to issue 512 plscsi commands to dump 512 0x800-byte chunks and reassemble them all into 1 file?
If you post the sequence information for the chunks, and the exact command you want repeated (basically what plscsi arguments you want), I can probably whip together a quick script (or heck, write a C wrapper to plscsi) in a few minutes.
8th April 2007, 18:02   #50
Geremia
Try to dump the first 0x100 bytes of firmware with the original firmware:
Code:
E:\HD-DVD\PLSCSI>plscsi.exe -v -p -x "DF 00 E2 00 00 20 00 00 20 00 FF" -i x101
x 00000000 DF:00:E2:00 00:20:00:00 20:00:FF .. .. .. .. .. "_@b@@ @@ @?"
x 00000000 AE:AE:AE:AE AE:AE:AE:AE AE:AE:AE:AE AE:AE:AE:AE "................"
...
x 000000F0 AE:AE:AE:AE AE:AE:AE:AE AE:AE:AE:AE AE:AE:AE:AE "................"
x 00000100 AE .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. "."
x 00000000 70:00:05:00 00:00:00:0A 00:00:00:00 20:00 .. .. "p@E@@@@J@@@@ @"
// x 5 20 sense // x101 (257) residue
// -x0102 = -258 = plscsi.main exit int
It does not work; the sense data says the CDB is not supported.

Then I send this specific command (hard work to trace it, but with some caffeine and nicotine I've found it):

Code:
E:\HD-DVD\PLSCSI>DFenable.bat

E:\HD-DVD\PLSCSI>plscsi.exe -v -p -x "1D 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00" -f DFenable.bin -o x8
x 00000000 1D:00:00:00 08:00:00:00 00:00:00:00 00:00:00:00 "]@@@H@@@@@@@@@@@"
x 00000000 88:00:00:04 02:6F:01:00 .. .. .. .. .. .. .. .. "H@@DBoA@"
// 0 = plscsi.main exit int
The 1D command sends additional data that contains a subcommand. Subcommand 02 6F with parameter 01 sets (0x404B4) to 1, while 02 6F with parameter 00 clears it.
With plscsi I send the 1D command and the additional data is taken from DFenable.bin, which contains the bytes 88 00 00 04 02 6F 01 00.

Now that (0x404B4) is set to 1, all disabled commands will be enabled. Let's take a look at the DF command to dump areas; let's try again:

Code:
E:\HD-DVD\PLSCSI>plscsi.exe -v -p -x "DF 00 E2 00 00 20 00 00 20 00 FF" -i x101
x 00000000 DF:00:E2:00 00:20:00:00 20:00:FF .. .. .. .. .. "_@b@@ @@ @?"
x 00000000 56:31:59:4C 28:22:2D:23 02:01:02:00 00:00:00:00 "V1YL("-#BAB@@@@@"
x 00000010 40:40:00:79 1E:02:4A:14 00:00:00:00 00:00:00:00 "@@@y^BJT@@@@@@@@"
x 00000020 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
x 00000030 4D:43:30:38 31:30:2F:30 33:2F:30:36 00:21:7C:E4 "MC0810/03/06@!|d"
x 00000040 00:20:00:60 00:21:3B:E2 00:21:58:06 00:20:07:A8 "@ @`@!;b@!XF@ G("
x 00000050 00:21:3C:28 00:21:16:52 00:21:26:48 00:20:00:70 "@!<(@!VR@!&H@ @p"
x 00000060 17:81:9F:8C 00:21:8C:9A 9F:1C:C0:04 07:81:97:20 "WA_L@!LZ_\@DGAW "
x 00000070 17:81:9F:80 00:40:00:00 9B:0D:03:0C 02:04:CC:E0 "WA_@@@@@[MCLBDL`"
x 00000080 82:40:E3:08 9F:80:00:40 00:00:C3:11 9B:0D:03:0C "B@cH_@@@@@CQ[MCL"
x 00000090 F0:45:12:01 C0:20:82:40 E2:02:D0:45 E0:3F:C0:40 "pERA@ B@bBPE`?@@"
x 000000A0 82:40:E2:02 D0:A4:E0:3A C0:80:82:40 E2:31:9F:8C "B@bBP$`:@@B@b1_L"
x 000000B0 00:04:01:24 06:C0:A8:00 E3:18:9F:8C 00:04:01:21 "@DA$F@(@cX_L@DA!"
x 000000C0 06:C0:A8:00 E3:12:9F:80 00:40:00:00 9B:0D:03:06 "F@(@cR_@@@@@[MCF"
x 000000D0 02:00:C1:01 82:10:AA:10 E3:08:9F:80 00:40:00:00 "B@AABP*PcH_@@@@@"
x 000000E0 C0:81:9B:0D 03:0C:F0:1A 12:01:9F:80 00:40:00:00 "@A[MCLpZRA_@@@@@"
x 000000F0 9B:0D:03:07 02:04:A8:84 E3:09:9F:80 00:40:00:00 "[MCGBD(DcI_@@@@@"
x 00000100 AE .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. "."
// 1 = plscsi.main exit int
IT WORKS

Now an automatic process for all this is needed; can anyone do it?
8th April 2007, 18:03   #51
lightshadow
Quote: Originally Posted by Geremia
Firmware dump by software, including the unique area, without patching anything.
Very impressive! =)

Quote: Originally Posted by Geremia
Is there anyone who can make something like a script to issue 512 plscsi commands to dump 512 0x800-byte chunks and reassemble them all into 1 file?
Would a Linux script be okay? If not, give me the exact command you want to be issued and how its output is produced, e.g. a default filename scheme or one decided by a plscsi parameter, and I'll make a Linux script that produces a DOS script.

In Linux a for-loop is done like this:
Code:
for i in $(seq -w 512); do
echo "plscsi $i"
done
This will print 512 lines of "plscsi 000" ... "plscsi 512". When you feel confident remove the "echo" and it will execute each line.

When you have the 512 files, you can join them by
Code:
cat * > ../complete_fw.bin
which will join all the files in the current directory and place the joined file in the parent directory.

This was just to get you started, if you have Linux, otherwise I would be happy to help out =)
8th April 2007, 18:20   #52
arnezami
Quote: Originally Posted by Geremia
Then I send this specific command (hard work to trace it, but with some caffeine and nicotine I've found it)
Haha! It helps huh.

Congratulations (again)!! This is really cool.
8th April 2007, 18:29   #53
Geremia
heeheh, thanks

set PLSCSI=\\.\E: where E: is my Toshiba drive letter

plscsi.exe -v -p -x "1D 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00" -f DFenable.bin -o x8

where DFenable.bin contains these hex bytes: 88 00 00 04 02 6F 01 00

plscsi.exe -v -p -x "DF 00 E2 00 00 20 00 00 20 07 FF" -i x800 -t 0.bin
plscsi.exe -v -p -x "DF 00 E2 00 00 20 08 00 20 0F FF" -i x800 -t 800.bin
plscsi.exe -v -p -x "DF 00 E2 00 00 20 10 00 20 17 FF" -i x800 -t 1000.bin
.....
....
512 times

Don't know if this is easy to script; anyway for the fw dump it will be OK, but for exploration of the whole memory space of the CPU a dedicated app would be appreciated.
This DF command is more interesting for exploration than for simply fw dumping.
8th April 2007, 18:32   #54
arnezami
YES! YES!

I figured it out too!

Coool. More info later. Still working out some details. But I've recreated one 16 byte value from another. This means I can create a 16 byte value from xor columns too.



This is a good day!

arnezami

Last edited by arnezami; 8th April 2007 at 18:36.
8th April 2007, 18:36   #55
awhitehead
Quote: Originally Posted by Geremia
Code:
E:\HD-DVD\PLSCSI>plscsi.exe -v -p -x "DF 00 E2 00 00 20 00 00 20 00 FF" -i x101

So in essence you want
Code:
plscsi.exe -v -p -x "DF 00 E2 00 00 20 00 00 20 00 FF" -i x101
plscsi.exe -v -p -x "DF 00 E2 00 00 20 01 00 20 01 FF" -i x101
plscsi.exe -v -p -x "DF 00 E2 00 00 20 02 00 20 02 FF" -i x101
[etc]
right?

How far ahead do you want it? Do you want an argument to plscsi to dump each chunk to file? Anything else?

Based on my cursory farting around with printf and seq, all you need are three commands:
Code:
hostname$ for ii in  `seq -f %1.f 0 15  | xargs printf %x'\n'`  ; do echo "plscsi.exe -v -p -x "DF 00 E2 00 00 20 0$ii 00 20 0$ii FF" -i x101" ; done 
plscsi.exe -v -p -x DF 00 E2 00 00 20 00 00 20 00 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 01 00 20 01 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 02 00 20 02 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 03 00 20 03 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 04 00 20 04 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 05 00 20 05 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 06 00 20 06 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 07 00 20 07 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 08 00 20 08 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 09 00 20 09 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 0a 00 20 0a FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 0b 00 20 0b FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 0c 00 20 0c FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 0d 00 20 0d FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 0e 00 20 0e FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 0f 00 20 0f FF -i x101
Code:
hostname$   for ii in  `seq -f %1.f 16 255  | xargs printf %x'\n'`  ; do echo "plscsi.exe -v -p -x "DF 00 E2 00 00 20 $ii 00 20 $ii FF" -i x101" ; done  
plscsi.exe -v -p -x DF 00 E2 00 00 20 10 00 20 10 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 11 00 20 11 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 12 00 20 12 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 13 00 20 13 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 14 00 20 14 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 15 00 20 15 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 16 00 20 16 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 17 00 20 17 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 18 00 20 18 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 19 00 20 19 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 1a 00 20 1a FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 1b 00 20 1b FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 1c 00 20 1c FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 1d 00 20 1d FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 1e 00 20 1e FF -i x101
[...]

Code:
hostname$  for ii in  `seq -f %1.f 256 512  | xargs printf %x'\n'`  ; do echo "plscsi.exe -v -p -x "DF 00 E2 00 00 2$ii 00 2$ii FF" -i x101" ; done  
plscsi.exe -v -p -x DF 00 E2 00 00 2100 00 2100 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2101 00 2101 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2102 00 2102 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2103 00 2103 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2104 00 2104 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2105 00 2105 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2106 00 2106 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2107 00 2107 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2108 00 2108 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2109 00 2109 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 210a 00 210a FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 210b 00 210b FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 210c 00 210c FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 210d 00 210d FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 210e 00 210e FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 210f 00 210f FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2110 00 2110 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2111 00 2111 FF -i x101
[...]
8th April 2007, 18:55   #56
Geremia
I was sure you had the capacity to figure out all that crypto stuff, good job.

0x100 chunks or 0x800 chunks makes no difference; maybe 100 is easier for scripting.
-i x100 (not 101, my mistake, the last byte seems to be a checksum)

and -t chunknumber.bin

plscsi.exe -v -p -x "DF 00 E2 00 00 20 00 00 20 00 FF" -i x100 -t 0.bin
plscsi.exe -v -p -x "DF 00 E2 00 00 20 01 00 20 01 FF" -i x100 -t 100.bin
plscsi.exe -v -p -x "DF 00 E2 00 00 20 02 00 20 02 FF" -i x100 -t 200.bin

then a total reassembly

well, it is needed up to 2F FF FF

damn, i'm so ignorant about this stuff

Last edited by Geremia; 8th April 2007 at 18:58.
8th April 2007, 18:58   #57
awhitehead
How picky is plscsi about the spaces between bytes in commands? Will something like this work?

(Sorry, I am in a middle of a studying session for quantum physics, so I am far away from an HD-DVD drive!)

Code:
plscsi.exe -v -p -x "DF00E20000 200000 2007ff" -i x800 -t 200000.bin
plscsi.exe -v -p -x "DF00E20000 200800 201fff" -i x800 -t 200800.bin
[etc]

Last edited by awhitehead; 8th April 2007 at 19:01. Reason: Edit : Erp, corrected a typo in my code
8th April 2007, 19:03   #58
Geremia
FFF is too high for the end address, it must be <=FFE; that's why I chose 800.

Anyway plscsi doesn't care about spaces in the CDB; it's OK with or without or with some spaces.

EDIT: ah that's ok

what about reassembling?
8th April 2007, 19:23   #59
lightshadow
Quote: Originally Posted by Geremia
plscsi.exe -v -p -x "DF 00 E2 00 00 20 00 00 20 07 FF" -i x800 -t 0.bin
plscsi.exe -v -p -x "DF 00 E2 00 00 20 08 00 20 0F FF" -i x800 -t 800.bin
plscsi.exe -v -p -x "DF 00 E2 00 00 20 10 00 20 17 FF" -i x800 -t 1000.bin
.....
....
512 times
One question=)

Do there have to be white spaces between the hex values? I.e. is "DF00E200002000002007FF" just as good as "DF 00 E2 00 00 20 00 00 20 07 FF"? That would simplify the problem a lot! =)
8th April 2007, 19:24   #60
awhitehead
Quote: Originally Posted by Geremia
FFF is too high for the end address, it must be <=FFE; that's why I chose 800.

Anyway plscsi doesn't care about spaces in the CDB; it's OK with or without or with some spaces.

EDIT: ah that's ok

what about reassembling?

Code:
#include <stdio.h>

int main(void)
{
    int foo = 0;

    fprintf(stdout, "set PLSCSI=\\\\.\\E:\n");
    fprintf(stdout, "plscsi.exe -v -p -x \"1D 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00\" -f DFenable.bin -o x8\n");

    /* 0x200000 .. 0x2FFFFF in 0x800-byte chunks: base address, end address, output file */
    for (foo = 2097152; foo < 3145728; foo = foo + 2048)
    {
        fprintf(stdout, "plscsi.exe -v -p -x \"DF00E20000 %x %x\" -i x800 -t %x.bin\n", foo, (foo + 2048 - 1), foo);
    }

    return 0;
}
Output (which should be redirected to a file) looks like this:
Code:
set PLSCSI=\\.\E:
plscsi.exe -v -p -x "1D 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00" -f DFenable.bin -o x8
plscsi.exe -v -p -x "DF00E20000 200000 2007ff" -i x800 -t 200000.bin
plscsi.exe -v -p -x "DF00E20000 200800 200fff" -i x800 -t 200800.bin
plscsi.exe -v -p -x "DF00E20000 201000 2017ff" -i x800 -t 201000.bin
plscsi.exe -v -p -x "DF00E20000 201800 201fff" -i x800 -t 201800.bin
plscsi.exe -v -p -x "DF00E20000 202000 2027ff" -i x800 -t 202000.bin
plscsi.exe -v -p -x "DF00E20000 202800 202fff" -i x800 -t 202800.bin
plscsi.exe -v -p -x "DF00E20000 203000 2037ff" -i x800 -t 203000.bin
plscsi.exe -v -p -x "DF00E20000 203800 203fff" -i x800 -t 203800.bin
plscsi.exe -v -p -x "DF00E20000 204000 2047ff" -i x800 -t 204000.bin
plscsi.exe -v -p -x "DF00E20000 204800 204fff" -i x800 -t 204800.bin
plscsi.exe -v -p -x "DF00E20000 205000 2057ff" -i x800 -t 205000.bin
plscsi.exe -v -p -x "DF00E20000 205800 205fff" -i x800 -t 205800.bin
plscsi.exe -v -p -x "DF00E20000 206000 2067ff" -i x800 -t 206000.bin
plscsi.exe -v -p -x "DF00E20000 206800 206fff" -i x800 -t 206800.bin
[...]
Just compile this, run once, redirect to file, and you are golden.
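The generator above covers one fixed range; as an added example (not code from the thread, and not awhitehead's program) here is the general form Geremia asked for: any 24-bit base address and length split into DF 00 E2 CDBs that respect the (end - base) <= FFE limit, printed as the plscsi.exe lines from the thread, plus the reassembly step that the thread never got to. It assumes plscsi writes exactly the -i byte count to the -t file, and it only strips the trailing extra byte the drive appends, since the thread never identifies that checksum.

```python
# Added example, not code from the thread and not awhitehead's generator: build
# the DF 00 E2 read-area CDBs for any 24-bit base address and length, honouring
# the (end - base) <= 0xFFE limit Geremia found, print them as the plscsi.exe
# invocations used in the thread, and reassemble the chunk files afterwards.
# Assumptions: plscsi writes exactly the -i byte count to the -t file, as the
# thread's commands rely on; the trailing extra byte the drive appends is only
# stripped, not verified, because the thread never identifies its algorithm.

MAX_SPAN = 0xFFE      # (end - base) must not exceed this, or the drive rejects the CDB
TRAILER_LEN = 1       # one extra byte follows the dumped data in the reply


def build_cdb(base: int, end: int) -> bytes:
    """Encode one DF 00 E2 00 00 ba ba ba ea ea ea CDB for the inclusive range base..end."""
    if not 0 <= base <= end <= 0xFFFFFF:
        raise ValueError("addresses must be 24-bit and base <= end")
    if end - base > MAX_SPAN:
        raise ValueError("span %#x exceeds the %#x limit" % (end - base, MAX_SPAN))
    return bytes([0xDF, 0x00, 0xE2, 0x00, 0x00]) + base.to_bytes(3, "big") + end.to_bytes(3, "big")


def cdb_accepted(base: int, end: int) -> bool:
    """True if base..end fits in a single CDB under the limits above."""
    try:
        build_cdb(base, end)
        return True
    except ValueError:
        return False


def split_range(base: int, length: int, chunk: int = 0x800) -> list:
    """Cover base..base+length-1 with chunk-sized CDBs; the last chunk may be shorter.

    Returns (cdb, data_len, chunk_base) tuples in address order."""
    if chunk - 1 > MAX_SPAN:
        raise ValueError("chunk too large for a single CDB")
    plan = []
    addr, stop = base, base + length
    while addr < stop:
        n = min(chunk, stop - addr)
        plan.append((build_cdb(addr, addr + n - 1), n, addr))
        addr += n
    return plan


def plscsi_line(cdb: bytes, data_len: int, chunk_base: int) -> str:
    """Format one CDB as the plscsi.exe command line used in the thread."""
    hex_cdb = " ".join("%02X" % b for b in cdb)
    return 'plscsi.exe -v -p -x "%s" -i x%X -t %X.bin' % (hex_cdb, data_len, chunk_base)


def reassemble(chunks: list) -> bytes:
    """Join chunk replies in address order into one image.

    chunks: (data_len, reply_bytes) pairs. A reply is data_len bytes when -i was
    set to the data size, or data_len + 1 when the trailer byte was read as well
    (the -i x101 / -i x801 form); either way only the data part is kept."""
    out = bytearray()
    for data_len, reply in chunks:
        if len(reply) not in (data_len, data_len + TRAILER_LEN):
            raise ValueError("reply of %d bytes, expected %d or %d"
                             % (len(reply), data_len, data_len + TRAILER_LEN))
        out += reply[:data_len]
    return bytes(out)


if __name__ == "__main__":
    # The thread's full firmware region: 0x200000..0x2FFFFF in 512 chunks of 0x800.
    for item in split_range(0x200000, 0x100000):
        print(plscsi_line(*item))
```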