Welcome to Doom9's Forum, THE in-place to be for everyone interested in DVD conversion.

Old 17th May 2007, 18:58   #261  |  Link
Geremia
Registered User
 
Join Date: Feb 2007
Posts: 71
Seems a software update for the hd player that afaik is on the 256MB nand inside the external box, nothing about drive fw update, but i've not yet installed.

anyway i'm curious to check out, as soon as i've a working nand reader/writer
Old 21st May 2007, 23:08   #262  |  Link
oeschmar
Registered User
 
Join Date: May 2007
Posts: 3
Quote:
Originally Posted by Geremia View Post
Seems a software update for the hd player that afaik is on the 256MB nand inside the external box, nothing about drive fw update, but i've not yet installed.

anyway i'm curious to check out, as soon as i've a working nand reader/writer
yes, it's only a software update for the player to version 2.0.4629.0

the firmware on the hd-dvd-drive is exactly the same as before the update (i've made a flash dump before the update and after it and compared them)
Old 16th December 2007, 16:39   #263  |  Link
jetmuzer
Registered User
 
Join Date: Nov 2007
Location: London
Posts: 1
where can i get new version??
Old 14th February 2008, 00:35   #264  |  Link
Zotty
Registered User
 
Join Date: Sep 2006
Posts: 110
Quote:
Originally Posted by Geremia View Post
the firmware is contained in the first half of the flash memory, the second half is blank (all FF), i'll be not surprised if it will be used to store host revocation list.
Just made a dump of my xbox drive that has the PowerDVD certificate revoked and the 2nd half is still completely blank (0xFF). So the revocations must be stored somewhere else.

Comparing a non revoked firmware with the new one, would that yield some differences that we can use to our advantage? Don't have the original fw, so can't test this.
__________________
libaacs
Old 14th February 2008, 18:22   #265  |  Link
qubic
Registered User
 
Join Date: Sep 2006
Posts: 49
Quote:
Originally Posted by Zotty View Post
Comparing a non revoked firmware with the new one, would that yield some differences that we can use to our advantage? Don't have the original fw, so can't test this.
Is it possible to use a fw dump, from another drive (xbox drive)?

--qub
Old 15th February 2008, 23:44   #266  |  Link
Zotty
Registered User
 
Join Date: Sep 2006
Posts: 110
I may have got something. While browsing through the firmware I ran into this when looking for the revocation list:

Code:
000d:fff0 89 03 eb 4d 79 f7 f1 03 c2 04 0b 6a 8d 11 bf f4 ..ëMy÷ñ.Â..j..¿ô
000e:0000 10 00 00 0c 00 04 10 03 00 00 00 03 21 00 00 64 ............!..d
000e:0010 00 00 00 06 00 00 00 06 00 09 ff ff 00 00 00 0b ..........ÿÿ....
000e:0020 00 02 ff ff 00 00 00 21 00 03 ff ff 00 00 00 26 ..ÿÿ...!..ÿÿ...&
000e:0030 00 03 ff ff 00 00 00 35 00 02 ff ff 00 00 00 4e ..ÿÿ...5..ÿÿ...N
000e:0040 00 03 ff ff 00 00 00 54 34 37 5b 04 53 32 17 4e ..ÿÿ...T47[.S2.N
000e:0050 46 14 89 68 73 1f 49 92 93 29 b3 9f 55 fd 79 55 F..hs.I..)³.UýyU
000e:0060 a8 fe 65 3b 25 0c 1a b0 a2 cb 14 18 81 68 4b 5d ¨þe;%..°¢Ë...hK]
000e:0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
The block is followed by a block of zeros, which would allow room for more revocations as it won't be overwriting anything meaningful. Total size including zeros is 65 KB.

The MKB version record is in there:
Code:
000e:0000 10 00 00 0c 00 04 10 03 00 00 00 03
Then the HRL record:
Code:
at offset 000e:000c
type:            21 
length:          00 00 64
# of entries:    00 00 00 06 
# in this block: 00 00 00 06 
HRL:
00 09 ff ff 00 00 00 0b 
00 02 ff ff 00 00 00 21 
00 03 ff ff 00 00 00 26 
00 03 ff ff 00 00 00 35 
00 02 ff ff 00 00 00 4e 
00 03 ff ff 00 00 00 54
A v3 MKB. Spot the similarities
Code:
->	ffff0000000b:9
->	ffff00000021:2
->	ffff00000026:3
->	ffff00000035:3
->	ffff0000004e:2
->	ffff00000054:3
Now look at the MKB of a v4 disc:
Code:
Host ID ffff0000000b to ffff00000014 (ranges 9 devices)
Host ID ffff00000021 to ffff00000029 (ranges 8 devices)
Host ID ffff00000035 to ffff00000038 (ranges 3 devices)
Host ID ffff0000004e to ffff00000052 (ranges 4 devices)
Host ID ffff00000054 to ffff00000057 (ranges 3 devices)
Host ID ffff0000005e to ffff00000061 (ranges 3 devices)
ffff00000026 is missing as it's now covered by the adjusted range. ffff0000005e is not listed as it's completely new. Ranges are different compared to the v3 MKB.
Not a 100% match. Which is strange, since the drive has had MKB v4 discs in it. But since authentication fails these discs have never played.... coincidence?

But now I'd need someone to look at this as well and verify these findings. And the real question is what can we do with this new info? What would happen if you update the MKB version in the fw to a high number? Will the drive think the MKB on disk is older and thus never update its HRL anymore?

Quote:
Originally Posted by qubic View Post
Is it possible to use a fw dump, from another drive (xbox drive)?

--qub
Possibly yes. If it never had new discs in it, it would be interesting to compare.
__________________
libaacs

Last edited by Zotty; 16th February 2008 at 01:29.
Old 16th February 2008, 05:05   #267  |  Link
KenD00
Registered User
 
Join Date: Jan 2007
Location: Internet
Posts: 378
Quote:
Originally Posted by Zotty View Post
What would happen if you update the MKB version in the fw to a high number? Will the drive think the MKB on disk is older and thus never update its HRL anymore?
Maybe. But maybe the drive checks the signature of its stored HRL every time and won't accept a hacked one. Did you find a signature block too? This check could be disabled too, of course, but maybe this isn't the only place where the HRL is stored? Could it be stored in another, safe, crypto unit which can't be accessed by external means? The spec says this stuff should be safely stored, well, is a firmware that can be dumped by design a safe place? Hmm, but why should it be in the firmware too? Just some thoughts of a weird mind .

Old 16th February 2008, 09:40   #268  |  Link
qubic
Registered User
 
Join Date: Sep 2006
Posts: 49
Quote:
Originally Posted by Zotty View Post
Possibly yes. If it never had new discs in it, it would be interesting to compare.
My drive has only had MKBv1 discs in.

Tell me what to do, and I'll send you a dump.

regards qub
Old 16th February 2008, 11:24   #269  |  Link
Geremia
Registered User
 
Join Date: Feb 2007
Posts: 71
hum, interesting

I've a couple of drives, both played only a couple of old discs, both have the same
seems an empty hrl + 40byte (of signature?!?!?)


Code:
000E0000 10 00 00 0C 00 03 10 03 00 00 00 01 21 00 00 34 ............!..4
000E0010 00 00 00 00 00 00 00 00 1B 0B F2 6D 47 9E 77 62 ...........mG.wb
000E0020 3D 91 FC 78 B1 59 C9 52 CA A4 C7 41 85 24 96 64 =..x.Y.R...A.$.d
000E0030 8D 1D 95 8E 9B 84 C6 FA 4A DD 43 9B 42 98 FE FF ........J.C.B...
000E0040 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000E0050 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
000E0060 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
anyway, this location can't be flashed directly with the fwupgrader app, but i'm sure a workaround can be done, i've to remove some dust on my /hd-dvd/ folder
Geremia is offline  
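Added example (not part of the original posts): a parser for the record layout read off the dumps in posts #266 and #269, showing that the record length of the 0x21 record accounts for the entries plus exactly 40 trailing bytes in both dumps. The function and field names are my own; reading the first word of the 0x10 record as an MKB type follows the public AACS specification and is an assumption, not something stated in the thread.

```python
import struct

# Bytes copied from the flash dumps quoted in posts #266 and #269 (offset 0xE0000).
DUMP_266 = bytes.fromhex(
    "10 00 00 0c 00 04 10 03 00 00 00 03 21 00 00 64"
    "00 00 00 06 00 00 00 06 00 09 ff ff 00 00 00 0b"
    "00 02 ff ff 00 00 00 21 00 03 ff ff 00 00 00 26"
    "00 03 ff ff 00 00 00 35 00 02 ff ff 00 00 00 4e"
    "00 03 ff ff 00 00 00 54 34 37 5b 04 53 32 17 4e"
    "46 14 89 68 73 1f 49 92 93 29 b3 9f 55 fd 79 55"
    "a8 fe 65 3b 25 0c 1a b0 a2 cb 14 18 81 68 4b 5d" + "00" * 16)
DUMP_269 = bytes.fromhex(
    "10 00 00 0C 00 03 10 03 00 00 00 01 21 00 00 34"
    "00 00 00 00 00 00 00 00 1B 0B F2 6D 47 9E 77 62"
    "3D 91 FC 78 B1 59 C9 52 CA A4 C7 41 85 24 96 64"
    "8D 1D 95 8E 9B 84 C6 FA 4A DD 43 9B 42 98 FE FF" + "00" * 16)


def iter_records(blob):
    """Yield (type, body) per record: 1-byte type, then a 3-byte big-endian
    length that includes the 4 header bytes. Stops at 0x00/0xFF padding."""
    off = 0
    while off + 4 <= len(blob):
        rtype = blob[off]
        length = int.from_bytes(blob[off + 1:off + 4], "big")
        if rtype in (0x00, 0xFF) or length < 4:
            return
        if off + length > len(blob):
            raise ValueError(f"record 0x{rtype:02x} at {off:#x} overruns the buffer")
        yield rtype, blob[off + 4:off + length]
        off += length


def parse_hrl_area(blob):
    """Decode the 0x10 (type/version) and 0x21 (HRL) records of one dump."""
    info = {"mkb_type": None, "version": None, "total": None,
            "entries": [], "trailer": b""}
    for rtype, body in iter_records(blob):
        if len(body) < 8:
            raise ValueError(f"record 0x{rtype:02x} is too short")
        first, second = struct.unpack(">II", body[:8])
        if rtype == 0x10:
            # Assumption: first word is the MKB type, second the version.
            info["mkb_type"], info["version"] = first, second
        elif rtype == 0x21:
            # first = total entries, second = entries in this block.
            end = 8 + 8 * second
            if end > len(body):
                raise ValueError("entry count exceeds the record length")
            info["total"] = first
            # Each entry: 2-byte range followed by a 6-byte host ID.
            info["entries"] = [(body[i + 2:i + 8].hex(),
                                int.from_bytes(body[i:i + 2], "big"))
                               for i in range(8, end, 8)]
            info["trailer"] = body[end:]  # bytes left inside the record
    return info


if __name__ == "__main__":
    for name, dump in (("post #266", DUMP_266), ("post #269", DUMP_269)):
        r = parse_hrl_area(dump)
        print(f"{name}: version {r['version']}, {len(r['entries'])} of "
              f"{r['total']} entries, {len(r['trailer'])} trailing bytes")
        for host_id, rng in r["entries"]:
            print(f"  {host_id}:{rng}")
```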
Old 16th February 2008, 12:08   #270  |  Link
Zotty
Registered User
 
Join Date: Sep 2006
Posts: 110
The leading and trailing bytes are something I haven't been able to match with anything yet. But it's not the AACS_verify of the version and HRL record mentioned in the specs.

Also tried reading some other memory areas as well (with MKB v3 disc in the drive). Here are the results:

Block 0x000000-0x100000
Code:
000d:fff0 89 03 eb 4d 79 f7 f1 03 c2 04 0b 6a 8d 11 bf f4 ..ëMy÷ñ.Â..j..¿ô
000e:0000 10 00 00 0c 00 04 10 03 00 00 00 03 21 00 00 64 ............!..d
000e:0010 00 00 00 06 00 00 00 06 00 09 ff ff 00 00 00 0b ..........ÿÿ....
000e:0020 00 02 ff ff 00 00 00 21 00 03 ff ff 00 00 00 26 ..ÿÿ...!..ÿÿ...&
000e:0030 00 03 ff ff 00 00 00 35 00 02 ff ff 00 00 00 4e ..ÿÿ...5..ÿÿ...N
000e:0040 00 03 ff ff 00 00 00 54 34 37 5b 04 53 32 17 4e ..ÿÿ...T47[.S2.N
000e:0050 46 14 89 68 73 1f 49 92 93 29 b3 9f 55 fd 79 55 F..hs.I..)³.UýyU
000e:0060 a8 fe 65 3b 25 0c 1a b0 a2 cb 14 18 81 68 4b 5d ¨þe;%..°¢Ë...hK]
000e:0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Block 0x100000-0x200000
Completely blank (filled with 0xFF)

Block 0x200000-0x300000 (as in above post)
Code:
000d:fff0 89 03 eb 4d 79 f7 f1 03 c2 04 0b 6a 8d 11 bf f4 ..ëMy÷ñ.Â..j..¿ô
000e:0000 10 00 00 0c 00 04 10 03 00 00 00 03 21 00 00 64 ............!..d
000e:0010 00 00 00 06 00 00 00 06 00 09 ff ff 00 00 00 0b ..........ÿÿ....
000e:0020 00 02 ff ff 00 00 00 21 00 03 ff ff 00 00 00 26 ..ÿÿ...!..ÿÿ...&
000e:0030 00 03 ff ff 00 00 00 35 00 02 ff ff 00 00 00 4e ..ÿÿ...5..ÿÿ...N
000e:0040 00 03 ff ff 00 00 00 54 34 37 5b 04 53 32 17 4e ..ÿÿ...T47[.S2.N
000e:0050 46 14 89 68 73 1f 49 92 93 29 b3 9f 55 fd 79 55 F..hs.I..)³.UýyU
000e:0060 a8 fe 65 3b 25 0c 1a b0 a2 cb 14 18 81 68 4b 5d ¨þe;%..°¢Ë...hK]
000e:0070 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................
Block 0x300000-0x400000
Completely blank (filled with 0xFF)

Block 0x400000-0x500000
not found

Block 0x500000-0x600000
not found

Block 0x600000-0x700000 (same area where authentication hack is performed)
Code:
0000:a9f0 10 00 00 0c 00 04 10 03 00 00 00 03 21 00 00 64 ............!..d
0000:aa00 00 00 00 06 00 00 00 06 00 09 ff ff 00 00 00 0b ..........ÿÿ....
0000:aa10 00 02 ff ff 00 00 00 21 ff dc fb ff bb de ee 2f ..ÿÿ...!ÿÜûÿ»Þî/
0000:aa20 3f ff ee b7 fb ff fc bb 73 df cf ff fe ff 9f 7f ?ÿî·ûÿü»sßÏÿþÿ..
0000:aa30 12 21 2d c3 00 00 00 00 00 00 00 00 00 00 00 00 .!-Ã............
0000:aa40 00 00 00 00 b3 df df 73 ff fd fd 33 3f fe fd 7f ....³ßßsÿýý3?þý.

0004:a9f0 10 00 00 0c 00 04 10 03 00 00 00 03 21 00 00 64 ............!..d
0004:aa00 00 00 00 06 00 00 00 06 00 09 ff ff 00 00 00 0b ..........ÿÿ....
0004:aa10 00 02 ff ff 00 00 00 21 ff dc fb ff bb de ee 2f ..ÿÿ...!ÿÜûÿ»Þî/
0004:aa20 3f ff ee b7 fb ff fc bb 73 df cf ff fe ff 9f 7f ?ÿî·ûÿü»sßÏÿþÿ..
0004:aa30 12 21 2d c3 00 00 00 00 00 00 00 00 00 00 00 00 .!-Ã............
0004:aa40 00 00 00 00 b3 df df 73 ff fd fd 33 3f fe fd 7f ....³ßßsÿýý3?þý.

0008:a9f0 10 00 00 0c 00 04 10 03 00 00 00 03 21 00 00 64 ............!..d
0008:aa00 00 00 00 06 00 00 00 06 00 09 ff ff 00 00 00 0b ..........ÿÿ....
0008:aa10 00 02 ff ff 00 00 00 21 ff dc fb ff bb de ee 2f ..ÿÿ...!ÿÜûÿ»Þî/
0008:aa20 3f ff ee b7 fb ff fc bb 73 df cf ff fe ff 9f 7f ?ÿî·ûÿü»sßÏÿþÿ..
0008:aa30 12 21 2d c3 00 00 00 00 00 00 00 00 00 00 00 00 .!-Ã............
0008:aa40 00 00 00 00 b3 df df 73 ff fd fd 33 3f fe fd 7f ....³ßßsÿýý3?þý.

000c:a9f0 10 00 00 0c 00 04 10 03 00 00 00 03 21 00 00 64 ............!..d
000c:aa00 00 00 00 06 00 00 00 06 00 09 ff ff 00 00 00 0b ..........ÿÿ....
000c:aa10 00 02 ff ff 00 00 00 21 ff dc fb ff bb de ee 2f ..ÿÿ...!ÿÜûÿ»Þî/
000c:aa20 3f ff ee b7 fb ff fc bb 73 df cf ff fe ff 9f 7f ?ÿî·ûÿü»sßÏÿþÿ..
000c:aa30 12 21 2d c3 00 00 00 00 00 00 00 00 00 00 00 00 .!-Ã............
000c:aa40 00 00 00 00 b3 df df 73 ff fd fd 33 3f fe fd 7f ....³ßßsÿýý3?þý.
This last area is different. The HRL is there, but the trailing bytes differ. All 4 copies in there seem equal. Version record is also there. Also the HRL is not completely there it appears, only the first 2 host IDs. And I haven't been able to find the missing ones in the same area.
Since the last area is the same as where the authentication part is bypassed, would it be possible to write there instead of flash, after the disc is inserted but prior to performing authentication? Assuming the drive reads the HRL from discs immediately after a disc is inserted, but not afterwards (e.g. when the host initiates authentication).
__________________
libaacs

Last edited by Zotty; 16th February 2008 at 12:28.
Old 16th February 2008, 13:36   #271  |  Link
Geremia
Registered User
 
Join Date: Feb 2007
Posts: 71
It's been about 1 year since i opened the fw disassembly, let me get familiar with it again

Reflashing the E00000-EFFFFF area is possible, but it first needs a patched "boot" fw running on the drive.
The boot part of the fw can be flashed with a slightly different CDB than the one used by the windows flashing app.

Patching ram could be a solution too, let me check
Old 16th February 2008, 16:33   #272  |  Link
Geremia
Registered User
 
Join Date: Feb 2007
Posts: 71
I've reversed a little the A3 sendkey related function, seems it loads the hrl from 2E0000. If it finds word @2E0014 =00000000 it skips further checks (number of entries = 0).

2E0000 area is accessed also during disc insertion, especially during reads of P-MKB, so i suppose the HRL @2E0000 is updated during disc insertion, then the aacs auth CDBs refers just to the (just updated) hrl in the fw @ 2E0000

For now, a simple ram patch on the fly seems not possible, a patched fw seems not a problem.
Old 17th February 2008, 16:24   #273  |  Link
Zotty
Registered User
 
Join Date: Sep 2006
Posts: 110
Guess we'll need to do some testing, don't we

Btw, has anyone ever tried to send a fake host certificate to the drive? I mean make your own certificate with a different host ID and recalculate the signature. Possibly using own generated keys.

Also I've acquired a Toshiba HD-EP30 standalone and am currently looking through the latest firmware update. Anyone interested in this? Trying to find device keys and so on. Should have a separate topic though.

Quote:
Originally Posted by qubic View Post
My drive has only had MKBv1 discs in.

Tell me what to do, and I'll send you a dump.

regards qub
Might not be needed, but in case you want to play around with it: you're using linux right? I've added a firmware dumper to decrypthd's SVN repository (in tools/xbox360/). So if you can compile that (it uses libaacs and thus indirectly openssl which you already ran into before), run "firmwaredump /dev/sr0 firmware.bin 0x200000 0x100000".
__________________
libaacs

Last edited by Zotty; 17th February 2008 at 16:41.
Old 19th February 2008, 23:59   #274  |  Link
bcrabl
Registered User
 
Join Date: Feb 2007
Posts: 49
Hmmm. Better start looking for Blu-ray standalones since they could revoke all the device keys of HD DVDs in the future MKB versions.
Old 20th February 2008, 00:24   #275  |  Link
Zotty
Registered User
 
Join Date: Sep 2006
Posts: 110
Quote:
Originally Posted by bcrabl View Post
Hmmm. Better start looking for Blu-ray standalones since they could revoke all the device keys of HD DVDs in the future MKB versions.
Funny thing is (although funny is pretty relative considering recent events) I was thinking exactly the same today. However, I don't think that will be likely since that would piss off a lot of owners. If they do this, the xbox360 drive will probably be their primary target, looking at our efforts and the M$ shift to BR.

Since processing keys are derived from device keys, will this also mean our processing keys won't work anymore? Right now we use the 2 known processing keys, but these still use the UV mask/U number. And since these are used in combination with the subset difference will this affect it? Need to do some reading up on the subject.
__________________
libaacs
Old 20th February 2008, 00:57   #276  |  Link
bcrabl
Registered User
 
Join Date: Feb 2007
Posts: 49
Quote:
Originally Posted by Zotty View Post
Funny thing is (although funny is pretty relative considering recent events) I was thinking exactly the same today. However, I don't think that will be likely since that would piss off a lot of owners. If they do this, the xbox360 drive will probably be their primary target, looking at our efforts and the M$ shift to BR.
Well all the HD DVDs that will be out will most probably have MKBv4 or less so nobody would get hurt with the revocation.
Old 20th February 2008, 22:59   #277  |  Link
Geremia
Registered User
 
Join Date: Feb 2007
Posts: 71
btw, i found a tricky way to flash the entire flash, and i'm looking to block the hrl update on disc insertion......but, is there still interest in hd-dvd? cause i personally left this drive into dust just after a few months

I hope MS will really release a bluray addon for the 360 in May, not cause movies are better (same s**t as hddvd), just to have a new toy...
Old 21st February 2008, 00:05   #278  |  Link
Zotty
Registered User
 
Join Date: Sep 2006
Posts: 110
Quote:
Originally Posted by Geremia View Post
btw, i found a tricky way to flash the entire flash, and i'm looking to block the hrl update on disc insertion......but, is there still interest in hd-dvd? cause i personally left this drive into dust just after a few months
From a personal standpoint, it's just a fun hobby and a learning experience. If corporations back out, it doesn't take the fun of hacking these devices away. I've learned a lot from this and still am. And that's what makes me tick. Try out new things and find out how this stuff works. And with a bit of luck punch some holes in that DRM from hell system.
Even writing a drive flasher as we speak... never would have guessed that. So yes, bring on the goods

As for BR, from a movie watching point of view, it's our worst nightmare. Watching movies has little to do with BR, it's all about making more profit and shoving it down our throats. HD DVD was on the edge with AACS, but BR also has BD+ and region coding. And that's something I'll never accept when watching movies. Still can't watch MKB v4 discs and that annoys the hell out of me.
But from decrypting point of view, BR is just another nasty gadget begging to be sliced and diced. Maybe if a cheap addon comes along I'll get it, but I'll leave the discs alone. Long live the internet as it allows me to actually watch the movies.
__________________
libaacs

Last edited by Zotty; 21st February 2008 at 00:36. Reason: typo
Old 21st February 2008, 15:07   #279  |  Link
Geremia
Registered User
 
Join Date: Feb 2007
Posts: 71
Just some notes about flashing the firmware

firmware is divided in 7 parts
The internal flashing function will check each part against a sort of checksum (if present/needed for that fw part), and checks a value @0x4011C which will cause each part to be flashed or skipped.

1st pass: base 0 len 4000 (0-3FFF) main firmware (checksummed)

2nd pass: base 10000 len D0000 (10000-DFFFF) main firmware (checksummed)

3rd pass: base 6000 len 2000 (6000-7FFF) unique data, S/N, RPC2 region... (not checksummed)
0x6008 serial number
0x6060 RPC2 region

4th pass: base 8000 len 4000 (8000-BFFF) don't know what's inside, probably DSP firmware?!? (checksummed?!?!?!)

5th pass: base F0000 len 10000 (F0000-FFFFF) bootloader (checksummed)

6th pass: base E0000 len 10000 (E0000-EFFFF) AACS HRL (few bytes, then 00 and a sort of 0x10byte checksum at bottom), same data in 2 other MC08 dumps i've

7th pass: base 4000 len 2000 (4000-5FFF) unique data, probably AACS related (not checksummed)
0x4040-409F unique data, seems "usb-box" marriage
0x43A0-53A9 unique data, probably AACS stuff

----------the CDB sequence to flash the firmware-------

Code:
out
1B 00 00 00 02 00 00 stop unit, open tray

out
1D 00 00 00 06 00 00 00 00 00 00 00 00 00 00 00
out
88 00 00 02 03 41  // enters in "boot mode" (maybe a safemode), inquiry reports "BOOT" as fw revision number
		   // it sets 0xA02 to 0x4011C, so flashable parts will be 1,2,4 (main fw + DSP fw). Other parts will be skipped
		   // 0441 subcmd instead of 0341 will set 0xE02, resulting in part 5 flashable too (bootloader)
		   // 0541 subcmd sets 0x800 and all parts will be skipped


// ------add this to flash entire flash ----------
// this 1D subcmd is accepted only in bootmode
//
// out
// 1D 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00
// out
// 88 00 00 04 02 42 27 02  // writes 0x2702 to address 0x4011C, which is checked during internal writing functions.
			    // 0x2702 causes all checks to pass, so all firmware parts will be flashed, code + unique/personal data


out
3B 04 00 00 00 00 00 20 00 00 00 00 00 00 00 00  write buffer ID 00
out
first 0x2000 fw chunk

out
3B 04 01 00 00 00 00 20 00 00 00 00 00 00 00 00  write buffer ID 01
out
second 0x2000 fw chunk

out
3B 04 02 00 00 00 00 20 00 00 00 00 00 00 00 00  write buffer ID 02
out
3rd 0x2000 fw chunk
.....
.....
.....
ends with 3B 05 and last fw chunk

3B 05 7F 00 00 00 00 20 00 00 00 00 00 00 00 00  write buffer ID 7F 
out
last 0x2000 fw chunk
Old 22nd February 2008, 01:01   #280  |  Link
Zotty
Registered User
 
Join Date: Sep 2006
Posts: 110
Nice, thanks for sharing!

Btw, also found the AES-128 (inverse) S-box table in the firmware at offset 0x000F0F8C and 0x000F108C.

Inverse S-box table
Code:
000f:0f80 29 a1 0e c3 ad 63 d9 7a b1 77 2f a5 52 09 6a d5 )¡.Ã*cÙz±w/¥R.jÕ
000f:0f90 30 36 a5 38 bf 40 a3 9e 81 f3 d7 fb 7c e3 39 82 06¥8¿@£..ó×û|ã9.
000f:0fa0 9b 2f ff 87 34 8e 43 44 c4 de e9 cb 54 7b 94 32 ./ÿ.4.CDÄÞéËT{.2
000f:0fb0 a6 c2 23 3d ee 4c 95 0b 42 fa c3 4e 08 2e a1 66 ¦Â#=îL..BúÃN..¡f
000f:0fc0 28 d9 24 b2 76 5b a2 49 6d 8b d1 25 72 f8 f6 64 (Ù$²v[¢Im.Ñ%røöd
000f:0fd0 86 68 98 16 d4 a4 5c cc 5d 65 b6 92 6c 70 48 50 .h..Ô¤\Ì]e¶.lpHP
000f:0fe0 fd ed b9 da 5e 15 46 57 a7 8d 9d 84 90 d8 ab 00 ýí¹Ú^.FW§....Ø«.
000f:0ff0 8c bc d3 0a f7 e4 58 05 b8 b3 45 06 d0 2c 1e 8f .¼Ó.÷äX.¸³E.Ð,..
000f:1000 ca 3f 0f 02 c1 af bd 03 01 13 8a 6b 3a 91 11 41 Ê?..Á¯½....k:..A
000f:1010 4f 67 dc ea 97 f2 cf ce f0 b4 e6 73 96 ac 74 22 OgÜê.òÏÎð´æs.¬t"
000f:1020 e7 ad 35 85 e2 f9 37 e8 1c 75 df 6e 47 f1 1a 71 ç*5.âù7è.ußnGñ.q
000f:1030 1d 29 c5 89 6f b7 62 0e aa 18 be 1b fc 56 3e 4b .)Å.o·b.ª.¾.üV>K
000f:1040 c6 d2 79 20 9a db c0 fe 78 cd 5a f4 1f dd a8 33 ÆÒy .ÛÀþxÍZô.ݨ3
000f:1050 88 07 c7 31 b1 12 10 59 27 80 ec 5f 60 51 7f a9 ..Ç1±..Y'.ì_`Q.©
000f:1060 19 b5 4a 0d 2d e5 7a 9f 93 c9 9c ef a0 e0 3b 4d .µJ.-åz..É.ï*à;M
000f:1070 ae 2a f5 b0 c8 eb bb 3c 83 53 99 61 17 2b 04 7e ®*õ°Èë»<.S.a.+.~
000f:1080 ba 77 d6 26 e1 69 14 63 55 21 0c 7d 63 7c 77 7b ºwÖ&ái.cU!.}c|w{
S-box table
Code:
000f:1080 ba 77 d6 26 e1 69 14 63 55 21 0c 7d 63 7c 77 7b ºwÖ&ái.cU!.}c|w{
000f:1090 f2 6b 6f c5 30 01 67 2b fe d7 ab 76 ca 82 c9 7d òkoÅ0.g+þ׫vÊ.É}
000f:10a0 fa 59 47 f0 ad d4 a2 af 9c a4 72 c0 b7 fd 93 26 úYGð*Ô¢¯.¤rÀ·ý.&
000f:10b0 36 3f f7 cc 34 a5 e5 f1 71 d8 31 15 04 c7 23 c3 6?÷Ì4¥åñqØ1..Ç#Ã
000f:10c0 18 96 05 9a 07 12 80 e2 eb 27 b2 75 09 83 2c 1a .......âë'²u..,.
000f:10d0 1b 6e 5a a0 52 3b d6 b3 29 e3 2f 84 53 d1 00 ed .nZ*R;Ö³)ã/.SÑ.í
000f:10e0 20 fc b1 5b 6a cb be 39 4a 4c 58 cf d0 ef aa fb  ü±[j˾9JLXÏÐïªû
000f:10f0 43 4d 33 85 45 f9 02 7f 50 3c 9f a8 51 a3 40 8f CM3.Eù..P<.¨Q£@.
000f:1100 92 9d 38 f5 bc b6 da 21 10 ff f3 d2 cd 0c 13 ec ..8õ¼¶Ú!.ÿóÒÍ..ì
000f:1110 5f 97 44 17 c4 a7 7e 3d 64 5d 19 73 60 81 4f dc _.D.ħ~=d].s`.OÜ
000f:1120 22 2a 90 88 46 ee b8 14 de 5e 0b db e0 32 3a 0a "*..Fî¸.Þ^.Ûà2:.
000f:1130 49 06 24 5c c2 d3 ac 62 91 95 e4 79 e7 c8 37 6d I.$\ÂÓ¬b..äyçÈ7m
000f:1140 8d d5 4e a9 6c 56 f4 ea 65 7a ae 08 ba 78 25 2e .ÕN©lVôêez®.ºx%.
000f:1150 1c a6 b4 c6 e8 dd 74 1f 4b bd 8b 8a 70 3e b5 66 .¦´ÆèÝt.K½..p>µf
000f:1160 48 03 f6 0e 61 35 57 b9 86 c1 1d 9e e1 f8 98 11 H.ö.a5W¹.Á..áø..
000f:1170 69 d9 8e 94 9b 1e 87 e9 ce 55 28 df 8c a1 89 0d iÙ.....éÎU(ß.¡..
000f:1180 bf e6 42 68 41 99 2d 0f b0 54 bb 16 ff ff ff ff ¿æBhA.-.°T».ÿÿÿÿ
Don't know it'll be useful, but now we know.

Btw, does anyone know what kind of compression/encryption Toshiba uses on its standalone player firmware?
__________________
libaacs

Last edited by Zotty; 22nd February 2008 at 01:08.
Zotty is offline  
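Added example (not from the posts): recognising AES tables in a firmware image by their constant bytes, which is how tables like the two in post #280 can be identified without symbols. The S-box is computed from its definition rather than pasted in; the image is constructed, and all function names are my own.

```python
def _gf_mul(a, b):
    """Multiply in GF(2^8) modulo the AES polynomial x^8+x^4+x^3+x+1."""
    r = 0
    while b:
        if b & 1:
            r ^= a
        a <<= 1
        if a & 0x100:
            a ^= 0x11B
        b >>= 1
    return r


def aes_sbox():
    """Build the AES S-box: field inverse followed by the affine transform."""
    inv = [0] * 256
    for x in range(1, 256):
        inv[x] = next(y for y in range(1, 256) if _gf_mul(x, y) == 1)
    table = []
    for x in range(256):
        b = s = inv[x]
        for shift in range(1, 5):
            s ^= ((b << shift) | (b >> (8 - shift))) & 0xFF
        table.append(s ^ 0x63)
    return bytes(table)


def invert_table(table):
    """Return the inverse permutation of a 256-entry byte table."""
    out = bytearray(256)
    for i, v in enumerate(table):
        out[v] = i
    return bytes(out)


SBOX = aes_sbox()
INV_SBOX = invert_table(SBOX)


def find_aes_tables(image, prefix_len=16):
    """Return {name: [(offset, matched_bytes), ...]} for both AES tables.

    A hit is anchored on the first prefix_len bytes of a table and then
    extended, so a table cut short by the end of a dump is still reported
    with the number of bytes that actually matched."""
    hits = {}
    for name, table in (("sbox", SBOX), ("inv_sbox", INV_SBOX)):
        found = []
        pos = image.find(table[:prefix_len])
        while pos != -1:
            n = prefix_len
            while n < 256 and pos + n < len(image) and image[pos + n] == table[n]:
                n += 1
            found.append((pos, n))
            pos = image.find(table[:prefix_len], pos + 1)
        hits[name] = found
    return hits


# Constructed image: erased-flash filler, then the inverse table directly
# followed by the forward table, as in the layout shown in the post.
SAMPLE_IMAGE = b"\xff" * 0x8C + INV_SBOX + SBOX + b"\xff" * 4

if __name__ == "__main__":
    for name, found in find_aes_tables(SAMPLE_IMAGE).items():
        for offset, matched in found:
            print(f"{name}: offset {offset:#x}, {matched} bytes matched")
```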