Welcome to Doom9's Forum, THE in-place to be for everyone interested in DVD conversion.

Before you start posting please read the forum rules. By posting to this forum you agree to abide by the rules.

 

Go Back   Doom9's Forum > General > Decrypting

Reply
 
Thread Tools Search this Thread Display Modes
Old 15th July 2008, 10:27   #1  |  Link
Oopho2ei
Guest
 
Posts: n/a
Volume ID firmware patch for PX-B920SA/GGW-H20*/GGC-H20*

We made a firmware patch which allows you to read the Volume ID without aacs authentication. The following two commands are enough to get the volume id of the disc inserted:
Code:
sg_raw -r 8 /dev/sr0 A4 00 00 00 00 00 00 02 00 08 00 00
sg_raw -r 36 /dev/sr0 AD 01 00 00 00 00 00 80 00 24 00 00
Patched firmware for GGC-H20L:
GGC-H20L version 1.03
GGC-H20L version 1.02

Patched firmware for GGC-H20N:
GGC-H20N version 1.03
GGC-H20N version 1.02


Patched firmware for GGW-H20L:
GGW-H20L version YL04
GGW-H20L version YL03

Patched firmware for GGW-H20N:
GGW-H20N version XL04
GGW-H20N version XL03


Patched firmware for PX-B920SA:
PX-B920SA version 1.01

If you encounter any problems after programming the drive enter safe mode (keeping eject pressed while power on for 10s) and then program the drive with the original firmware again to restore it to it's previous state. For more details see posting #5 of this thread.

If you need any help let me know.

Last edited by Oopho2ei; 5th October 2008 at 20:33. Reason: new firmware versions available
  Reply With Quote
Old 15th July 2008, 11:51   #2  |  Link
KenD00
Registered User
 
Join Date: Jan 2007
Location: Internet
Posts: 378
Interesting that something is happening in this area again. Why are you sending a REPORT KEY command first and then the READ DISC STRUCTURE? The key isn't used later, and why do both commands use a different AGID (00b vs. 11b)?

Hmm, the GGW can do 6x BD-R writing while the PX only 4x, i would be careful to use the PX firmware on the GGW.

KenD00 is offline   Reply With Quote
Old 15th July 2008, 12:46   #3  |  Link
Oopho2ei
Guest
 
Posts: n/a
Quote:
Originally Posted by KenD00 View Post
Why are you sending a REPORT KEY command first and then the READ DISC STRUCTURE? The key isn't used later, and
Because of the calculation of the Volume ID MAC which would otherwise fail resulting in a delay of 2-3s. The volume id will be returned in any case so it's not necessary.

Quote:
Originally Posted by KenD00 View Post
why do both commands use a different AGID (00b vs. 11b)?
That's my mistake. Actually you would even need to invalidate the agid before using it but those two commands posted here are sufficient to demonstrate that the firmware patch was successful.

Quote:
Originally Posted by KenD00 View Post
Hmm, the GGW can do 6x BD-R writing while the PX only 4x, i would be careful to use the PX firmware on the GGW.
If you have any doubts about this just don't use the patched firmware and wait for other peoples reports of their experiences. If anyone has tested it on his LG GGW-H20L please leave a note here how it went.
  Reply With Quote
Old 15th July 2008, 21:05   #4  |  Link
NanoBot
Registered User
 
Join Date: Sep 2003
Posts: 164
Hi,

is there a chance to see a patched firmware for the GGC-H20L ( that's the combodrive which can only read BR and HD-DVD ) ?
I think that the firmware of this drive might be patched in a similar way. And because this drive is much cheaper, I can imagine that a lot of people might want to use it to backup their disks. So a patched firmware would be very helpful.

C.U. NanoBot
NanoBot is offline   Reply With Quote
Old 15th July 2008, 22:18   #5  |  Link
Oopho2ei
Guest
 
Posts: n/a
Quote:
Originally Posted by NanoBot View Post
is there a chance to see a patched firmware for the GGC-H20L ( that's the combodrive which can only read BR and HD-DVD ) ?
I think that the firmware of this drive might be patched in a similar way. And because this drive is much cheaper, I can imagine that a lot of people might want to use it to backup their disks. So a patched firmware would be very helpful
The code to be patched is identical so this is probably easy. In the meantime please verify that this drive (GGC-H20L) has a safe mode:
1. switch it off
2. press the eject button and keep it pressed
3. power the drive back on
4. wait ~10s
5. release the eject button

Your drive name/id should have changed to some weird looking string and you won't be able to use many basic drive functions. You should however more importantly be able to update the firmware in this mode to recover your drive it if anything should have gone wrong. The drive will leave this mode either automatically (after the firmware update finished successfully) or manually by restart/(power off/on).

Last edited by Oopho2ei; 15th July 2008 at 22:25.
  Reply With Quote
Old 16th July 2008, 12:07   #6  |  Link
NanoBot
Registered User
 
Join Date: Sep 2003
Posts: 164
Hi,

I will check the existence of a safe mode as soon as I get the drive. I just ordered it yesterday and I hopefully will get a hand on it todays afternoon CET or tomorrow.

C.U. NanoBot
NanoBot is offline   Reply With Quote
Old 16th July 2008, 17:24   #7  |  Link
KenD00
Registered User
 
Join Date: Jan 2007
Location: Internet
Posts: 378
@Oopho2ei:
You are confusing me, i don't see how you can perform VID MAC calculation with just the DRIVE KEY and why do you need to invalidate an AGID before using it, but well, i like more to know what your patch actually does:
  1. Does it enable you to execute any protected command without beeing authenticated?
  2. Do you have to request an AGID for the commands or
  3. Do the commands request an AGID themself silently and
  4. Do you have to invalidate an used AGID

KenD00 is offline   Reply With Quote
Old 16th July 2008, 18:15   #8  |  Link
Oopho2ei
Guest
 
Posts: n/a
Quote:
Originally Posted by KenD00 View Post
You are confusing me, i don't see how you can perform VID MAC calculation with just the DRIVE KEY and why do you need to invalidate an AGID
Like i told you before you only need the "read disc structure" command to request the volume id. All the agid stuff is optional but recommended.

Quote:
Originally Posted by KenD00 View Post
Does it enable you to execute any protected command without beeing authenticated?
the AD/80 subcommand handler is patched to output the volume id already stored in ram no matter if authentication succeeded or not. No other commands are affected.

Quote:
Originally Posted by KenD00 View Post
[/LIST 1][*] Do you have to request an AGID for the commands. [*] Do the commands request an AGID themself silently and[*] Do you have to invalidate an used AGID[/LIST]
This is all about the 16 bytes following the volume id (the mac). These are not directly copied from memory but calculated every time this subcommand handler is called. The function doing this calculation fails if you haven't requested the agid before resulting (for the original firmware) in a hardware error (vendor code A0) message after a delay of multiple seconds. I can't tell you what exactly is causing the delay so i suggest you follow the protocol and invalidate all agids before you request a new one. Only after that you should directly request the volume id effectively skipping the aacs authentication process.

(There could be some cryptographic coprocessor which gets initialized when you request the agid but this is pure speculation.)

Last edited by Oopho2ei; 16th July 2008 at 18:38.
  Reply With Quote
Old 18th July 2008, 11:07   #9  |  Link
Oopho2ei
Guest
 
Posts: n/a
I have added firmware patches for the drives GGW-H20* and GGC-H20* as requested. Please post your feedback.
  Reply With Quote
Old 18th July 2008, 17:30   #10  |  Link
NanoBot
Registered User
 
Join Date: Sep 2003
Posts: 164
Hi,

I just got my GGC-H20L and the safe mode seems to be there.

Without pressing the eject button it identifies itself in the "Geršteinstanzkennung" ( should be something like deviceinstance in english, I only have a german XP installed ) as
IDE\CDROMHL-DT-ST_BDDVDRW_GGC-H20L_______________1.02____\354B38374F313241333020332020202020202020
Windows sees the drive as a DVD drive and it is fully operational.

When the eject button was pressed during startup, it identifies itself as
IDE\CDROMHL-DT-ST_BDDVDRW_GGC-H20N_______________COR4____\6&24F7E3F0&0&0.0.0
Windows sees the drive as a CD drive and like Oopho2ei said, some drive functions are inoperationable, e.g. the "eject" function of the explorer context menu is not working when in safe mode.

I am now going to flash the drive with the new firmware and will report back later. But before that I have to seek a program which is able to make use of the patched firmware. As far as I remember I need a program which is able to send raw atapi commands to the drive to check if the patch is succesful.

C.U. NanoBot
NanoBot is offline   Reply With Quote
Old 18th July 2008, 17:41   #11  |  Link
Oopho2ei
Guest
 
Posts: n/a
You can use PLSCSI if you are running windows or sg_raw (from the sg3-utils package) in linux. Please have a look here for further information: http://forum.doom9.org/showthread.php?t=124294
  Reply With Quote
Old 18th July 2008, 18:04   #12  |  Link
NanoBot
Registered User
 
Join Date: Sep 2003
Posts: 164
Hi,

back again. Flashing works like a charm, and I tried to use "vid.exe" for Windows, which originally was designed to work with a patched XBOX HD DVD drive. If neccessary I will try PLSCSI also.
For now I tried to read the VID from a Blu-Ray disk, thats "I am legend" europe and it reports:

D:\AACS\VID>vid l
Volume ID retriever 0.3 by Geremia/xt5

using device \\.\l:
Volume ID: 002200008700CEED36BC9800DF1ECA208A01B14F

Ok, now I tested it with PLSCSI:

Reading the VID only takes about 3 seconds to answer and delivers:

Code:
D:\AACS\PLSCSI>plscsi.exe -v -x "AD 01 00 00 00 00 00 80 00 24 00 00" -i x24
x 00000000 AD 01 00:00:00:00 00 80:00:24:00 00 .. .. .. .. "-A@@@@@@@$@@"
x 00000000 00:22:00:00 87:00:CE:ED 36:BC:98:00 DF:1E:CA:20 "@"@@G@Nm6<X@_^J "
x 00000010 8A:01:B1:4F 00:00:00:00 00:00:00:00 00:00:00:00 "JA1O@@@@@@@@@@@@"
x 00000020 00:00:00:00 .. .. .. .. .. .. .. .. .. .. .. .. "@@@@"
// 0 = plscsi.main exit int
Using both commands together like suggested gives immediate answers:

Code:
D:\AACS\PLSCSI>plscsi.exe -v -x "A4 00 00 00 00 00 00 02 00 08 00 00" -i x24
x 00000000 A4 00 00:00:00:00 00 02:00:08:00 00 .. .. .. .. "$@@@@@@B@H@@"
x 00000000 00:06:00:00 00:00:00:00 AE:AE:AE:AE AE:AE:AE:AE "@F@@@@@@........"
x 00000010 AE:AE:AE:AE AE:AE:AE:AE AE:AE:AE:AE AE:AE:AE:AE "................"
x 00000020 AE:AE:AE:AE .. .. .. .. .. .. .. .. .. .. .. .. "...."
// 0 = plscsi.main exit int

D:\AACS\PLSCSI>plscsi.exe -v -x "AD 01 00 00 00 00 00 80 00 24 00 00" -i x24
x 00000000 AD 01 00:00:00:00 00 80:00:24:00 00 .. .. .. .. "-A@@@@@@@$@@"
x 00000000 00:22:00:00 87:00:CE:ED 36:BC:98:00 DF:1E:CA:20 "@"@@G@Nm6<X@_^J "
x 00000010 8A:01:B1:4F E8:D7:64:F2 E0:07:E1:14 63:E3:BE:79 "JA1OhWdr`GaTcc>y"
x 00000020 F7:A1:F1:46 .. .. .. .. .. .. .. .. .. .. .. .. "w!qF"
// 0 = plscsi.main exit int
So for me it looks like the patch is working like it should. But to be able to verify the vid I would need the suitable processing key ?

C.U. NanoBot

Last edited by NanoBot; 18th July 2008 at 18:47. Reason: More results with plscsi, added code tags
NanoBot is offline   Reply With Quote
Old 18th July 2008, 19:16   #13  |  Link
Oopho2ei
Guest
 
Posts: n/a
Quote:
Originally Posted by NanoBot View Post
Reading the VID only takes about 3 seconds to answer and delivers:
The volume id gets stored automatically in ram (of your drive) shortly after you insert the disc. What does take so long is the execution of a function which finally produces the volume id mac (last 16 bytes of the return) which is normally used for the verification of the volume id. Now this function has some requirements which have to be met before it runs successfully and one of those requirements is that you request a valid agid. I really don't know what the function does during these 3s so i suggest you better follow the normal authentication procedure at least to the point where you request the agid. I believe(!) the volume id mac will be wrong in any case unless you perform a successful authentication first so you can simply ignore it.

Quote:
Originally Posted by NanoBot View Post
So for me it looks like the patch is working like it should. But to be able to verify the vid I would need the suitable processing key ?
You could also just try this with a disc you know the volume id of. Actually you only need the media key now. Together with the volume id you will get your volume unique key needed for decryption. Maybe we will see a updated version of aacskeys soon which exploits this patch so you can simply verify the decryption result (using dumphd or whatever tool you use).

Did you check that powerdvd and windvd are working with the patched firmware?

Last edited by Oopho2ei; 18th July 2008 at 19:28.
  Reply With Quote
Old 19th July 2008, 03:43   #14  |  Link
KenD00
Registered User
 
Join Date: Jan 2007
Location: Internet
Posts: 378
I have tested the patched GGW-H20L firmware and it works without any problem. I can retrieve the VolumeID unauthenticated from BluRays and HD-DVDs and they are correct. I have that lag too when i directly read the VID, but its gone when i request an AGID before doing so.

Latest PowerDVD 7 doesn't complain about the patch and plays fine.

I was curious why vid works with my drive too although it shouldn't and investigated. Now I know why it does and why aacskeys doesn't detect all errors when reading the VID: it doesn't check the MMC command response, only the IO response (which says good although the MMC command failed). So the aacskeys update will take a little longer, i also need to install linux again . For now vid serves the purpose.

Another note, i just discovered that the xbox-hack works also with the Toshiba SD-H802A without any modification .

KenD00 is offline   Reply With Quote
Old 19th July 2008, 04:02   #15  |  Link
NanoBot
Registered User
 
Join Date: Sep 2003
Posts: 164
Hi,

latest PowerDVD8 works without problems with the patched firmware installed.

If anybody with a C compiler for Windows installed would be so kind: Could you please modify "vid.exe" to use both commands to get the vid ? The sources for vid.exe are availabe here
http://www.ingenieria-inversa.cl/files/vid.rar

C.U. NanoBot
NanoBot is offline   Reply With Quote
Old 25th July 2008, 13:49   #16  |  Link
Oopho2ei
Guest
 
Posts: n/a
The patched firmware is now supported by the latest version of aacskeys: http://forum.doom9.org/showthread.ph...10#post1162510
  Reply With Quote
Old 10th August 2008, 05:37   #17  |  Link
chavonbravo
Registered User
 
Join Date: Aug 2007
Posts: 17
1.03 firmware released for lg drives. Is it hard to patch this as well?
chavonbravo is offline   Reply With Quote
Old 10th August 2008, 11:25   #18  |  Link
Oopho2ei
Guest
 
Posts: n/a
Quote:
Originally Posted by chavonbravo View Post
1.03 firmware released for lg drives. Is it hard to patch this as well?
It depends on how much has changed in the new Version. We will look at this soon. I generally recommend not to update the firmware with every new release. Are you having problems with Version 1.02?

Last edited by Oopho2ei; 10th August 2008 at 11:29.
  Reply With Quote
Old 10th August 2008, 22:04   #19  |  Link
NanoBot
Registered User
 
Join Date: Sep 2003
Posts: 164
Hi,

the only change in the new firmware is an improved write strategy on some media. Therefore the new firmware is not a "must have", but if you are able to provide a patched version of the new firmware, I would appreciate that.

C.U. NanoBot
NanoBot is offline   Reply With Quote
Old 11th August 2008, 08:01   #20  |  Link
Oopho2ei
Guest
 
Posts: n/a
Ok i have uploaded the patched firmware of GGC-H20L v1.03 and GGC-H20N v1.03.
  Reply With Quote
Reply

Thread Tools Search this Thread
Search this Thread:

Advanced Search
Display Modes

Posting Rules
You may not post new threads
You may not post replies
You may not post attachments
You may not edit your posts

BB code is On
Smilies are On
[IMG] code is On
HTML code is Off

Forum Jump


All times are GMT +1. The time now is 16:46.


Powered by vBulletin® Version 3.8.11
Copyright ©2000 - 2017, vBulletin Solutions Inc.