7th April 2007, 17:52 | #41 | Link |
Registered User
Join Date: Feb 2007
Posts: 71
|
I'm on the right track; I got a dump of the firmware but without the unique areas. I have to trace something more.
BTW, the CDB opcode is DF and it's disabled by default, or at least it works only if the drive is in a certain state, which I really don't know. I patched the firmware to enable this CDB. |
7th April 2007, 22:48 | #42 | Link |
Registered User
Join Date: Feb 2007
Posts: 71
|
Code:
E:\HD-DVD\PLSCSI>plscsi.exe -v -p -x "DF 00 E2 00 00 20 00 00 20 07 FF" -i x801
x 00000000 DF:00:E2:00 00:20:00:00 20:07:FF .. .. .. .. .. "_@b@@ @@ G?"
x 00000000 56:31:59:4C 28:22:2D:23 02:01:02:00 00:00:00:00 "V1YL("-#BAB@@@@@"
x 00000010 40:40:00:79 1E:02:4A:14 00:00:00:00 00:00:00:00 "@@@y^BJT@@@@@@@@"
x 00000020 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
x 00000030 4D:43:30:38 31:30:2F:30 33:2F:30:36 00:21:7C:E4 "MC0810/03/06@!|d"
x 00000040 00:20:00:60 00:21:3B:E2 00:21:58:06 00:20:07:A8 "@ @`@!;b@!XF@ G("
x 00000050 00:21:3C:28 00:21:16:52 00:21:26:48 00:20:00:70 "@!<(@!VR@!&H@ @p"
x 00000060 17:81:9F:8C 00:21:8C:9A 9F:1C:C0:04 07:81:97:20 "WA_L@!LZ_\@DGAW "
x 00000070 17:81:9F:80 00:40:00:00 9B:0D:03:0C 02:04:CC:E0 "WA_@@@@@[MCLBDL`"
x 00000080 82:40:E3:08 9F:80:00:40 00:00:C3:11 9B:0D:03:0C "B@cH_@@@@@CQ[MCL"
x 00000090 F0:45:12:01 C0:20:82:40 E2:02:D0:45 E0:3F:C0:40 "pERA@ B@bBPE`?@@"
x 000000A0 82:40:E2:02 D0:A4:E0:3A C0:80:82:40 E2:31:9F:8C "B@bBP$`:@@B@b1_L"
x 000000B0 00:04:01:24 06:C0:A8:00 E3:18:9F:8C 00:04:01:21 "@DA$F@(@cX_L@DA!"
x 000000C0 06:C0:A8:00 E3:12:9F:80 00:40:00:00 9B:0D:03:06 "F@(@cR_@@@@@[MCF"
x 000000D0 02:00:C1:01 82:10:AA:10 E3:08:9F:80 00:40:00:00 "B@AABP*PcH_@@@@@"
x 000000E0 C0:81:9B:0D 03:0C:F0:1A 12:01:9F:80 00:40:00:00 "@A[MCLpZRA_@@@@@"
x 000000F0 9B:0D:03:07 02:04:A8:84 E3:09:9F:80 00:40:00:00 "[MCGBD(DcI_@@@@@"
x 00000100 C0:81:9B:0D 03:0C:D8:73 12:01:E0:08 D0:FF:E0:06 "@A[MCLXsRA`HP?`F"
x 00000110 C4:00:82:04 E2:02:D1:53 E0:01:D2:62 CF:E1:C4:00 "D@BDbBQS`ARbOaD@"
x 00000120 16:01:07:81 97:20:17:08 17:81:9F:88 00:04:05:D6 "VAGAW WHWA_H@DEV"
.... .....
x 000007F0 A6:06:05:A4 9B:00:F0:00 82:40:E3:1C 9B:00:40:01 "&FE$[@p@B@c\[@@A"
x 00000800 AE .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. "."
// 1 = plscsi.main exit int

DF 00 E2 00 00 ba ba ba ea ea ea
where bababa is the base address and eaeaea is the end address, (endaddress-baseaddress)<=FFE
After all the dumped data, it adds 1 byte (a sort of checksum).
There seem to be other interesting CDBs; during tests, it seemed that DF 00 E2 05 searches for data from the inserted disc... I have to look deeper.
Can anyone code a little app to dump memory space with ease? For example, it would be helpful to have an app that takes as input a base address and a length (>FFF) and sends multiple CDBs to collect all the data required.
Something more about enabling this CDB:
Code:
ROM:0023AFD0 CDB_table_D0_DF:.long 0xD0000000 ; DATA XREF: Process_incoming_CDB:loc_2236FEo
ROM:0023AFD4 .long ATAPI_D0_unknown
ROM:0023AFD8 .long 0x80000000
ROM:0023AFDC .long 0xD1000000
ROM:0023AFE0 .long ATAPI_D1_unknown
ROM:0023AFE4 .long 0x80000000
ROM:0023AFE8 .long 0xD2000000
ROM:0023AFEC .long ATAPI_D2_unknown
ROM:0023AFF0 .long 0x80000000
ROM:0023AFF4 .long 0xD3000000
ROM:0023AFF8 .long ATAPI_D3_unknown
ROM:0023AFFC .long 0x80000000
ROM:0023B000 .long 0xD4000000
ROM:0023B004 .long ATAPI_D4_unknown
ROM:0023B008 .long 0x80000000
ROM:0023B00C .long 0xD5000000
ROM:0023B010 .long ATAPI_D5_unknown
ROM:0023B014 .long 0x80000000
ROM:0023B018 .long 0xDF000000
ROM:0023B01C .long ATAPI_DF_unknown
ROM:0023B020 .long 0x88000000 ; patched to 80000000 to enable it
ROM:0023B024 .long 0xF9000000
ROM:0023B028 .long ATAPI_command_not_supported
Code:
ROM:00223726 mov r4, r0
ROM:00223728 add #8, r0
ROM:0022372A btstl #8, @r0
ROM:0022372C beq loc_223744 ; branch if bit4 is 0
ROM:0022372C ; go on if is set
ROM:0022372C ; disabled CDB has 88
ROM:0022372E ldi:32 #0x404B4, r12 ; don't know, maybe an hardware pin
ROM:0022372E ; maybe can be changed with another CDB
ROM:00223734 ld @r12, r0
ROM:00223736 cmp #0, r0
ROM:00223738 bne loc_223744
ROM:0022373A ldi:32 #ATAPI_command_not_supported, r12
ROM:00223740 call @r12
Code:
ROM:0022588E ldub @(r13, r8), r0 ; 3rd cdb byte
ROM:00225890 ldi:8 #0xD7, r1
ROM:00225892 sub r1, r0
ROM:00225894 ldi:8 #0x19, r12
ROM:00225896 cmp r12, r0
ROM:00225898 bc loc_2258A2 ; branch if CDB was from DF 00 D7 to DF 00 EF
ROM:0022589A ldi:32 #ATAPI_DF_00_error, r12 ; seems to go to cdb error
ROM:002258A0 jmp:D @r12
ROM:002258A2
ROM:002258A2 loc_2258A2: ; CODE XREF: ATAPI_DF_unknown+30j
ROM:002258A2 mov r0, r13 ; from 0 to 18
ROM:002258A4 ; ---------------------------------------------------------------------------
ROM:002258A4 ldi:32 #DF_00_table, r12
ROM:002258AA lsl #2, r13 ; multiply by 4
ROM:002258AC ld @(r13, r12), r12
ROM:002258AE jmp @r12 ; jumps to
ROM:002258AE ; 002258B0 for DF 00 D7
ROM:002258AE ; 00225D08 error
ROM:002258AE ; 002258F6 for DF 00 D9
ROM:002258AE ; 00225CD0 for DF 00 DA
ROM:002258AE ; 00225D08 error
ROM:002258AE ; 00225D08 error
ROM:002258AE ; 00225D08 error
ROM:002258AE ; 00225D08 error
ROM:002258AE ; 00225D08 error
ROM:002258AE ; 0022597C for DF 00 E0
ROM:002258AE ; 00225D08 error
ROM:002258AE ; 00225BBC for DF 00 E2 dumps area
ROM:002258AE ; 00225B2C for DF 00 E3
ROM:002258AE ; 00225D08 error
ROM:002258AE ; 00225D08 error
ROM:002258AE ; 00225D08 error
ROM:002258AE ; 00225D08 error
ROM:002258AE ; 00225D08 error
ROM:002258AE ; 00225D08 error
ROM:002258AE ; 00225D08 error
ROM:002258AE ; 00225D08 error
ROM:002258AE ; 00225D08 error
ROM:002258AE ; 00225D08 error
ROM:002258AE ; 00225D08 error
ROM:002258AE ; 00225CD8 for DF 00 EF
ROM:002258B0 ; ---------------------------------------------------------------------------
As soon as I can verify my flash content, I can share a patched (and not dangerous) fw for VolumeID+DFenable
Last edited by Geremia; 8th April 2007 at 09:49. |
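The gate and the DF 00 xx dispatch from the listings above, modelled in C as an added example (not code from the thread or from the drive firmware). The C names are hypothetical, the constants are copied from the disassembly, and the RAM word at 0x404B4 is passed in as a parameter; it shows that a single non-zero RAM word is all that separates a flagged vendor CDB from its handlers.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of the listings above; names are hypothetical, values are from the page. */
#define GATED_BIT        0x08u        /* mask used by "btstl #8" on the flag byte */
#define DF_ERR           0x00225D08u  /* "error" slot in DF_00_table */
#define DF_OUT_OF_RANGE  0u           /* stands in for ATAPI_DF_00_error */

struct cdb_entry { uint8_t opcode, flags; };

/* Opcode and top flag byte of each CDB_table_D0_DF entry. */
static const struct cdb_entry cdb_table[] = {
    {0xD0, 0x80}, {0xD1, 0x80}, {0xD2, 0x80}, {0xD3, 0x80},
    {0xD4, 0x80}, {0xD5, 0x80}, {0xDF, 0x88},
};

/* DF 00 xx targets, index = xx - 0xD7, taken from the jump comments. */
static const uint32_t df_00_table[0x19] = {
    0x002258B0u, DF_ERR, 0x002258F6u, 0x00225CD0u, DF_ERR,   /* D7..DB */
    DF_ERR, DF_ERR, DF_ERR, DF_ERR, 0x0022597Cu,             /* DC..E0 */
    DF_ERR, 0x00225BBCu, 0x00225B2Cu, DF_ERR, DF_ERR,        /* E1..E5 */
    DF_ERR, DF_ERR, DF_ERR, DF_ERR, DF_ERR,                  /* E6..EA */
    DF_ERR, DF_ERR, DF_ERR, DF_ERR, 0x00225CD8u,             /* EB..EF */
};

/* Gate from Process_incoming_CDB: an entry with the gated bit set runs only
 * when the RAM word at 0x404B4 (enable_word here) is non-zero. */
int gate_allows(uint8_t opcode, uint32_t enable_word)
{
    for (size_t i = 0; i < sizeof cdb_table / sizeof cdb_table[0]; i++) {
        if (cdb_table[i].opcode != opcode)
            continue;
        if ((cdb_table[i].flags & GATED_BIT) && enable_word == 0)
            return 0;               /* ATAPI_command_not_supported */
        return 1;
    }
    return 0;   /* not in this table; the other tables are not modelled */
}

/* Range check and table lookup from ATAPI_DF_unknown on the 3rd CDB byte. */
uint32_t df_target(const uint8_t *cdb)
{
    uint8_t idx = (uint8_t)(cdb[2] - 0xD7);   /* sub r1, r0: wraps below D7 */
    if (idx >= 0x19)                          /* cmp/bc: only 0..0x18 pass */
        return DF_OUT_OF_RANGE;
    return df_00_table[idx];
}

int main(void)
{
    const uint8_t dump[] = {0xDF, 0x00, 0xE2};   /* start of the dump CDB */
    printf("DF, word=0: %d  DF, word=1: %d  E2 target: %08X\n",
           gate_allows(0xDF, 0), gate_allows(0xDF, 1), (unsigned)df_target(dump));
    return 0;
}
```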
8th April 2007, 10:19 | #43 | Link | |
Registered User
Join Date: Sep 2006
Posts: 390
|
Quote:
|
|
8th April 2007, 12:26 | #44 | Link | |
Registered User
Join Date: Sep 2006
Posts: 390
|
Quote:
Btw. Just to keep everybody updated. I found something regarding the checksum function. This is the part of memory that is used in the one-way function: Code:
So this is confirmation AES is indeed involved. Although right now it doesn't seem to be AES-G. Possibly simpler. For those who want to know a little bit more about AES here is a really nice visual presentation. Regards, arnezami Last edited by arnezami; 8th April 2007 at 12:56. |
|
8th April 2007, 13:20 | #45 | Link |
Registered User
Join Date: Feb 2007
Posts: 71
|
seems you are on the right track too
The CDB to dump any memory space is DF 00 E2 00 00 ba ba ba ea ea ea, where bababa is the base address and eaeaea is the end address; max length is FFE, but it's disabled by default. Instead of patching the fw to enable it, I'm actually looking for an already enabled CDB that can poke a byte into RAM; this way I could enable the DF command on an original firmware and dump it prior to any flashing. |
8th April 2007, 13:45 | #46 | Link | |
Registered User
Join Date: Sep 2006
Posts: 390
|
Quote:
Anyway. Great work! I think I've figured out the "one-way" function. It's not AES-G (used by AACS): But something very similar: Which I will call AES-J from now on. Interestingly in this configuration it's not one-way... This is now the complete picture again: If all this is correct and if I can replicate the "scrambling" stuff I should be able to re-create the 16 byte checksum values. arnezami [edit] Mind the E (as opposed to D) in the schematic of AES-J... Last edited by arnezami; 8th April 2007 at 22:51. |
|
8th April 2007, 15:57 | #47 | Link |
Registered User
Join Date: Feb 2007
Posts: 71
|
When @(0x404B4) is not 00000000 the DF command will be accepted.
There is only one place where this is set to 1, but it's hard to trace back and see how to invoke it. ATM I'm suspecting something related to the 1D/1C commands; these commands are vendor specific and are used by the WinVUP flasher to retrieve some parts of the fw (btw FDC18, FDC04...) and to make the code jump to the bootloader. |
8th April 2007, 17:43 | #48 | Link |
Registered User
Join Date: Feb 2007
Posts: 71
|
GOT IT!!
Firmware dump by software, unique area included, without patching anything. I don't know if all the firmware is dumped correctly, because I must run plscsi 512 times to dump the whole fw area, but on random dumps it seems correct. Is there anyone who can make something like a script to issue 512 plscsi commands to dump 512 chunks of 0x800 bytes and reassemble them all into 1 file? |
8th April 2007, 18:00 | #49 | Link | |
Registered User
Join Date: Jan 2007
Location: Tel-Aviv, Israel
Posts: 185
|
Quote:
|
|
8th April 2007, 18:02 | #50 | Link |
Registered User
Join Date: Feb 2007
Posts: 71
|
Try to dump first 0x100 bytes of firmware with original firmware
Code:
E:\HD-DVD\PLSCSI>plscsi.exe -v -p -x "DF 00 E2 00 00 20 00 00 20 00 FF" -i x101
x 00000000 DF:00:E2:00 00:20:00:00 20:00:FF .. .. .. .. .. "_@b@@ @@ @?"
x 00000000 AE:AE:AE:AE AE:AE:AE:AE AE:AE:AE:AE AE:AE:AE:AE "................"
...
x 000000F0 AE:AE:AE:AE AE:AE:AE:AE AE:AE:AE:AE AE:AE:AE:AE "................"
x 00000100 AE .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. "."
x 00000000 70:00:05:00 00:00:00:0A 00:00:00:00 20:00 .. .. "p@E@@@@J@@@@ @"
// x 5 20 sense
// x101 (257) residue
// -x0102 = -258 = plscsi.main exit int
Then I send this specific command (hard work to trace it, but with some caffeine and nicotine I've found it):
Code:
E:\HD-DVD\PLSCSI>DFenable.bat
E:\HD-DVD\PLSCSI>plscsi.exe -v -p -x "1D 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00" -f DFenable.bin -o x8
x 00000000 1D:00:00:00 08:00:00:00 00:00:00:00 00:00:00:00 "]@@@H@@@@@@@@@@@"
x 00000000 88:00:00:04 02:6F:01:00 .. .. .. .. .. .. .. .. "H@@DBoA@"
// 0 = plscsi.main exit int
With plscsi I send the 1D command, and the additional data is taken from DFenable.bin, which contains the bytes 88 00 00 04 02 6F 01 00.
Now that (0x404B4) is set to 1, all disabled commands will be enabled. Let's take a look at the DF command to dump areas; let's try again:
Code:
E:\HD-DVD\PLSCSI>plscsi.exe -v -p -x "DF 00 E2 00 00 20 00 00 20 00 FF" -i x101
x 00000000 DF:00:E2:00 00:20:00:00 20:00:FF .. .. .. .. .. "_@b@@ @@ @?"
x 00000000 56:31:59:4C 28:22:2D:23 02:01:02:00 00:00:00:00 "V1YL("-#BAB@@@@@"
x 00000010 40:40:00:79 1E:02:4A:14 00:00:00:00 00:00:00:00 "@@@y^BJT@@@@@@@@"
x 00000020 00:00:00:00 00:00:00:00 00:00:00:00 00:00:00:00 "@@@@@@@@@@@@@@@@"
x 00000030 4D:43:30:38 31:30:2F:30 33:2F:30:36 00:21:7C:E4 "MC0810/03/06@!|d"
x 00000040 00:20:00:60 00:21:3B:E2 00:21:58:06 00:20:07:A8 "@ @`@!;b@!XF@ G("
x 00000050 00:21:3C:28 00:21:16:52 00:21:26:48 00:20:00:70 "@!<(@!VR@!&H@ @p"
x 00000060 17:81:9F:8C 00:21:8C:9A 9F:1C:C0:04 07:81:97:20 "WA_L@!LZ_\@DGAW "
x 00000070 17:81:9F:80 00:40:00:00 9B:0D:03:0C 02:04:CC:E0 "WA_@@@@@[MCLBDL`"
x 00000080 82:40:E3:08 9F:80:00:40 00:00:C3:11 9B:0D:03:0C "B@cH_@@@@@CQ[MCL"
x 00000090 F0:45:12:01 C0:20:82:40 E2:02:D0:45 E0:3F:C0:40 "pERA@ B@bBPE`?@@"
x 000000A0 82:40:E2:02 D0:A4:E0:3A C0:80:82:40 E2:31:9F:8C "B@bBP$`:@@B@b1_L"
x 000000B0 00:04:01:24 06:C0:A8:00 E3:18:9F:8C 00:04:01:21 "@DA$F@(@cX_L@DA!"
x 000000C0 06:C0:A8:00 E3:12:9F:80 00:40:00:00 9B:0D:03:06 "F@(@cR_@@@@@[MCF"
x 000000D0 02:00:C1:01 82:10:AA:10 E3:08:9F:80 00:40:00:00 "B@AABP*PcH_@@@@@"
x 000000E0 C0:81:9B:0D 03:0C:F0:1A 12:01:9F:80 00:40:00:00 "@A[MCLpZRA_@@@@@"
x 000000F0 9B:0D:03:07 02:04:A8:84 E3:09:9F:80 00:40:00:00 "[MCGBD(DcI_@@@@@"
x 00000100 AE .. .. .. .. .. .. .. .. .. .. .. .. .. .. .. "."
// 1 = plscsi.main exit int
Now an automatic process for all this is needed; can anyone do it? |
8th April 2007, 18:03 | #51 | Link | ||
Registered User
Join Date: Feb 2007
Posts: 123
|
Quote:
Quote:
In Linux a for-loop is done like this:
Code:
for i in $(seq -w 512); do
    echo "plscsi $i"
done
When you have the 512 files, you can join them by
Code:
cat * > ../complete_fw.bin
This was just to get you started, if you have Linux, otherwise I would be happy to help out =) |
||
8th April 2007, 18:29 | #53 | Link |
Registered User
Join Date: Feb 2007
Posts: 71
|
heeheh, thanks
set PLSCSI=\\.\E:
where E: is my Toshiba drive letter
plscsi.exe -v -p -x "1D 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00" -f DFenable.bin -o x8
where DFenable.bin contains these hex bytes: 88 00 00 04 02 6F 01 00
plscsi.exe -v -p -x "DF 00 E2 00 00 20 00 00 20 07 FF" -i x800 -t 0.bin
plscsi.exe -v -p -x "DF 00 E2 00 00 20 08 00 20 0F FF" -i x800 -t 800.bin
plscsi.exe -v -p -x "DF 00 E2 00 00 20 10 00 20 17 FF" -i x800 -t 1000.bin
..... .... 512 times
Don't know if this is easy to script. Anyway, for the fw dump it will be OK, but for exploration of all the memory space of the CPU a dedicated app will be appreciated. This DF command is more interesting for exploration than simply fw dumping. |
8th April 2007, 18:32 | #54 | Link |
Registered User
Join Date: Sep 2006
Posts: 390
|
YES! YES!
I figured it out too! Coool. More info later. Still working out some details. But I've recreated one 16 byte value from another. This means I can create a 16 byte value from xor columns too. This is a good day! arnezami Last edited by arnezami; 8th April 2007 at 18:36. |
8th April 2007, 18:36 | #55 | Link | |
Registered User
Join Date: Jan 2007
Location: Tel-Aviv, Israel
Posts: 185
|
Quote:
So in essence you want Code:
plscsi.exe -v -p -x "DF 00 E2 00 00 20 00 00 20 00 FF" -i x101
plscsi.exe -v -p -x "DF 00 E2 00 00 20 01 00 20 01 FF" -i x101
plscsi.exe -v -p -x "DF 00 E2 00 00 20 02 00 20 02 FF" -i x101
[etc]
How far ahead do you want it? Do you want an argument to plscsi to dump each chunk to file? Anything else?
Based on my cursory farting around with printf and seq, all you need are three commands:
Code:
hostname$ for ii in `seq -f %1.f 0 15 | xargs printf %x'\n'` ; do echo "plscsi.exe -v -p -x "DF 00 E2 00 00 20 0$ii 00 20 0$ii FF" -i x101" ; done
plscsi.exe -v -p -x DF 00 E2 00 00 20 00 00 20 00 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 01 00 20 01 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 02 00 20 02 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 03 00 20 03 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 04 00 20 04 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 05 00 20 05 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 06 00 20 06 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 07 00 20 07 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 08 00 20 08 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 09 00 20 09 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 0a 00 20 0a FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 0b 00 20 0b FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 0c 00 20 0c FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 0d 00 20 0d FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 0e 00 20 0e FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 0f 00 20 0f FF -i x101
Code:
hostname$ for ii in `seq -f %1.f 16 255 | xargs printf %x'\n'` ; do echo "plscsi.exe -v -p -x "DF 00 E2 00 00 20 $ii 00 20 $ii FF" -i x101" ; done
plscsi.exe -v -p -x DF 00 E2 00 00 20 10 00 20 10 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 11 00 20 11 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 12 00 20 12 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 13 00 20 13 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 14 00 20 14 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 15 00 20 15 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 16 00 20 16 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 17 00 20 17 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 18 00 20 18 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 19 00 20 19 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 1a 00 20 1a FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 1b 00 20 1b FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 1c 00 20 1c FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 1d 00 20 1d FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 20 1e 00 20 1e FF -i x101
[...]
Code:
hostname$ for ii in `seq -f %1.f 256 512 | xargs printf %x'\n'` ; do echo "plscsi.exe -v -p -x "DF 00 E2 00 00 2$ii 00 2$ii FF" -i x101" ; done
plscsi.exe -v -p -x DF 00 E2 00 00 2100 00 2100 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2101 00 2101 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2102 00 2102 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2103 00 2103 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2104 00 2104 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2105 00 2105 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2106 00 2106 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2107 00 2107 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2108 00 2108 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2109 00 2109 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 210a 00 210a FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 210b 00 210b FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 210c 00 210c FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 210d 00 210d FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 210e 00 210e FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 210f 00 210f FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2110 00 2110 FF -i x101
plscsi.exe -v -p -x DF 00 E2 00 00 2111 00 2111 FF -i x101
[...] |
|
8th April 2007, 18:55 | #56 | Link |
Registered User
Join Date: Feb 2007
Posts: 71
|
I was sure you had capacity to figure out all that crypto stuff, good job
0x100 chunks or 0x800 chunks makes no difference; maybe 100 is easy for scripting.
-i x100 (not 101, my mistake, the last byte seems to be a checksum) and -t chunknumber.bin
plscsi.exe -v -p -x "DF 00 E2 00 00 20 00 00 20 00 FF" -i x100 -t 0.bin
plscsi.exe -v -p -x "DF 00 E2 00 00 20 01 00 20 01 FF" -i x100 -t 100.bin
plscsi.exe -v -p -x "DF 00 E2 00 00 20 02 00 20 02 FF" -i x100 -t 200.bin
then a total reassembly
Well, it is needed till 2F FF FF.
Damn, I'm so ignorant about this stuff.
Last edited by Geremia; 8th April 2007 at 18:58. |
8th April 2007, 18:58 | #57 | Link |
Registered User
Join Date: Jan 2007
Location: Tel-Aviv, Israel
Posts: 185
|
How picky is plscsi about the spaces between bytes in commands? Will something like this work?
(Sorry, I am in the middle of a studying session for quantum physics, so I am far away from an HD-DVD drive!)
Code:
plscsi.exe -v -p -x "DF00E20000 200000 2007ff" -i x800 -t 200000.bin
plscsi.exe -v -p -x "DF00E20000 200800 200fff" -i x800 -t 200800.bin
[etc]
Last edited by awhitehead; 8th April 2007 at 19:01. Reason: Edit : Erp, corrected a typo in my code |
8th April 2007, 19:23 | #59 | Link | |
Registered User
Join Date: Feb 2007
Posts: 123
|
Quote:
Do there have to be white spaces between the hex values? I.e. "DF00E200002000002007FF" is just as good as "DF 00 E2 00 00 20 00 00 20 07 FF"? That would simplify the problem a lot! =) |
|
8th April 2007, 19:24 | #60 | Link | |
Registered User
Join Date: Jan 2007
Location: Tel-Aviv, Israel
Posts: 185
|
Quote:
Code:
#include <stdio.h>

int main(void)
{
    int foo = 0;

    /* Select the drive and send the 1D command that enables the DF CDB. */
    fprintf(stdout, "set PLSCSI=\\\\.\\E:\n");
    fprintf(stdout, "plscsi.exe -v -p -x \"1D 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00\" -f DFenable.bin -o x8\n");

    /* One DF 00 E2 dump command per 0x800-byte chunk, 0x200000 to 0x2fffff. */
    for (foo = 2097152; foo < 3145728; foo = foo + 2048) {
        fprintf(stdout, "plscsi.exe -v -p -x \"DF00E20000 %x %x\" -i x800 -t %x.bin\n",
                foo, (foo + 2048 - 1), foo);
    }
    return 0;
}
Code:
set PLSCSI=\\.\E:
plscsi.exe -v -p -x "1D 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00" -f DFenable.bin -o x8
plscsi.exe -v -p -x "DF00E20000 200000 2007ff" -i x800 -t 200000.bin
plscsi.exe -v -p -x "DF00E20000 200800 200fff" -i x800 -t 200800.bin
plscsi.exe -v -p -x "DF00E20000 201000 2017ff" -i x800 -t 201000.bin
plscsi.exe -v -p -x "DF00E20000 201800 201fff" -i x800 -t 201800.bin
plscsi.exe -v -p -x "DF00E20000 202000 2027ff" -i x800 -t 202000.bin
plscsi.exe -v -p -x "DF00E20000 202800 202fff" -i x800 -t 202800.bin
plscsi.exe -v -p -x "DF00E20000 203000 2037ff" -i x800 -t 203000.bin
plscsi.exe -v -p -x "DF00E20000 203800 203fff" -i x800 -t 203800.bin
plscsi.exe -v -p -x "DF00E20000 204000 2047ff" -i x800 -t 204000.bin
plscsi.exe -v -p -x "DF00E20000 204800 204fff" -i x800 -t 204800.bin
plscsi.exe -v -p -x "DF00E20000 205000 2057ff" -i x800 -t 205000.bin
plscsi.exe -v -p -x "DF00E20000 205800 205fff" -i x800 -t 205800.bin
plscsi.exe -v -p -x "DF00E20000 206000 2067ff" -i x800 -t 206000.bin
plscsi.exe -v -p -x "DF00E20000 206800 206fff" -i x800 -t 206800.bin
[...] |
|
|
|
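A consistency check for generated command lists like the ones in the posts above, as an added example (not code from the thread): it parses the DF 00 E2 00 00 ba ba ba ea ea ea layout, enforces the (endaddress-baseaddress)<=FFE limit, and confirms that the chunks tile the target range with no gap or overlap. The function names are hypothetical, and it assumes that spaces inside the -x string are ignored and that -i equals the byte count of the range, both taken from the posts rather than verified.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>

#define MAX_SPAN 0xFFEu   /* (endaddress - baseaddress) limit stated in the thread */

/* Parse a -x style hex string, ignoring spaces; returns byte count or -1. */
int parse_hex(const char *s, uint8_t *out, int max)
{
    int n = 0, hi = -1;
    for (; *s; s++) {
        unsigned char c = (unsigned char)*s;
        if (c == ' ') continue;
        if (!isxdigit(c)) return -1;
        int v = isdigit(c) ? c - '0' : tolower(c) - 'a' + 10;
        if (hi < 0) { hi = v; continue; }
        if (n == max) return -1;
        out[n++] = (uint8_t)(hi << 4 | v);
        hi = -1;
    }
    return hi < 0 ? n : -1;       /* an odd digit count is malformed */
}

/* Check one "DF 00 E2 00 00 ba ba ba ea ea ea" command against the expected
 * transfer length (-i). Returns 0 if consistent, else a negative reason. */
int check_dump_cdb(const char *hex, uint32_t xfer, uint32_t *base, uint32_t *end)
{
    uint8_t b[16];
    if (parse_hex(hex, b, (int)sizeof b) != 11) return -1;  /* wrong length */
    if (b[0] != 0xDF || b[1] || b[2] != 0xE2 || b[3] || b[4]) return -2;
    *base = (uint32_t)b[5] << 16 | (uint32_t)b[6] << 8 | b[7];
    *end  = (uint32_t)b[8] << 16 | (uint32_t)b[9] << 8 | b[10];
    if (*end < *base || *end - *base > MAX_SPAN) return -3; /* span too large */
    if (*end - *base + 1 != xfer) return -4;                /* -i disagrees */
    return 0;
}

/* Check that n commands tile [first, last] with no gap or overlap.
 * Returns the index of the first bad command, n if short, -1 if sound. */
int check_plan(const char *const *cmds, int n, uint32_t xfer,
               uint32_t first, uint32_t last)
{
    uint32_t next = first, base, end;
    for (int i = 0; i < n; i++) {
        if (check_dump_cdb(cmds[i], xfer, &base, &end) != 0 || base != next)
            return i;
        next = end + 1;
    }
    return next == last + 1 ? -1 : n;
}

int main(void)
{
    /* Constructed two-chunk plan in the style of the generated lists. */
    const char *plan[] = { "DF00E20000 200000 2007ff", "DF00E20000 200800 200fff" };
    printf("first bad command: %d\n", check_plan(plan, 2, 0x800, 0x200000, 0x200FFF));
    return 0;
}
```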