Got VolumeID without AACS authentication :)
Geremia
9th April 2007, 22:48
hahhahaah, xt5 from xboxhacker found a CDB that solves all your worries.
This does not need a patched firmware at all :) :)
http://www.ingenieria-inversa.cl/files/vid.rar
tonyp12
9th April 2007, 23:12
xt5 from xboxhacker found a CDB
Got any link to that post?
arnezami
9th April 2007, 23:13
hahhahaah, xt5 from xboxhacker found a CDB that solves all your worries.
This does not need a patched firmware at all :) :)
http://www.ingenieria-inversa.cl/files/vid.rar
You gotta be kidding! :D
Link doesn't work atm.
generalnewbie
9th April 2007, 23:16
I just wanted to thank you for clarifying this thread. I just posted an article on my blog; I hope I got everything correct. Care to read it? Find it here (http://dltv.wordpress.com/2007/04/09/xbox-360-hd-dvd-drive-exposes-volume-id/)
Sure.
Yes.
We are patching the drive so when a disc is inserted it will give the Volume ID of that disc. Without the need of a special key (called a Host Private Key).
If in several weeks new discs are released this may be one of the few ways to get the Volume ID which is needed (among another Key called the Processing Key) to decrypt/backup your discs. But you don't need it now.
Have I succeeded?
Regards,
arnezami
Geremia
9th April 2007, 23:17
http://www.sendspace.com/file/g25nhb
FoxDisc
9th April 2007, 23:21
I think people would prefer to have their back ups decrypted and free from DRM, so there are no strings attached.
I won't dispute that most people would prefer to eliminate the DRM entirely. The problem is that the AACS LA is very likely to begin using the SKB system. Without delving too deeply, the SKB system is going to require more keys than current decryptions require. Disclosing those additional keys means disclosing something about who provided those keys and where they came from. That's their purpose. If you disclose the source of the keys, you make it easier to cut off that source.
In contrast, spoofing the Volume ID on the BCA by modifying the firmware would make fair use backups possible without requiring any keys. If you have the keys and can remove the DRM, then great, but this would provide an alternative when you don't have the keys.
Sometimes half a loaf is better than nothing.
arnezami
9th April 2007, 23:26
hahhahaah, xt5 from xboxhacker found a CDB that solves all your worries.
This does not need a patched firmware at all :) :)
http://www.ingenieria-inversa.cl/files/vid.rar
OMG. It's working !!! On my unpatched drive!!!
This is FUN!! :D
How on earth is this done? Some kind of exploit? Or some left over debug CDB command? That would be fun!
I've said it before but this time it's really true: the Volume ID is a joke :).
arnezami
lightshadow
9th April 2007, 23:32
OMG. It's working !!! On my unpatched drive!!!
This is FUN!! :D
How on earth is this done? Some kind of exploit? Or some left over debug CDB command? That would be fun!
I've said it before but this time it's really true: the Volume ID is a joke :).
What? What? What??? What does it do??? =) Please tell us =)
generalnewbie
9th April 2007, 23:35
I think the VID.rar file contains the program and source code to get the Volume ID without needing to patch the firmware of the HD DVD drive. It is able to retrieve the Volume ID of the Xbox 360 HD DVD drive by another method.
Geremia
9th April 2007, 23:35
well, near the DF 00 E2 00 00 ba ba ba ea ea ea command to dump mem, xt5 found a nice
DF 00 E3 00 sa sa sa ea ea ea bb bb to poke ram :), where sasasa is start address, eaeaea is end address, and bbbb is the 16bit value to write
Now it's possible to write to ram to let the (not patched) volumeID function pass without being authenticated, just 2 bytes have to be written, because just 2 bytes are checked
ROM:002218DE loc_2218DE: ; CODE XREF: ATAPI_AD_AACS_READ_VOLUMEID+20j
ROM:002218DE ldi:20 #0x164, r0
ROM:002218E2 mul r0, r9 ; r9 = AGID, from 0 to 3
ROM:002218E4 mov mdl, r0
ROM:002218E6 ldi:32 #0x60C1C8, r8 ; probably AGID related ram address
ROM:002218EC add r0, r8
ROM:002218EE ldi:8 #4, r13
ROM:002218F0 ld @(r13, r8), r0
ROM:002218F2 cmp #0, r0
ROM:002218F4 bne loc_221902 ; branch if 60C1CC is not 00000000
ROM:002218F6 ldi:32 #CDB_field_error, r12
ROM:002218FC call:D @r12
ROM:002218FE ldi:8 #0xA, r4
ROM:00221900 bra loc_2219A8
ROM:00221902 ; ---------------------------------------------------------------------------
ROM:00221902
ROM:00221902 loc_221902: ; CODE XREF: ATAPI_AD_AACS_READ_VOLUMEID+42j
ROM:00221902 ld @r8, r0
ROM:00221904 cmp #5, r0
ROM:00221906 beq:D loc_22191C ; branch if 60C1C8 is 00000005
ROM:00221908 mov r9, r4
this app coded by xt5 does:
enable the DF command
writes 0001 to 60C1CE and 0005 to 60C1CA
reads the volumeId
disable the DF command
arnezami
9th April 2007, 23:36
What? What? What??? What does it do??? =) Please tell us =)
It gives the volume ID without patching the drive and without doing AACS auth. Meaning this drive has a HUGE security hole in it :).
lightshadow
9th April 2007, 23:40
this app coded by xt5 does:
enable the DF command
writes 0001 to 60C1CE and 0005 to 60C1CA
reads the volumeId
disable the DF command
What a beautiful hack! No traces afterwards.
Keep up the good work =)
arnezami
9th April 2007, 23:40
well, near the DF 00 E2 00 00 ba ba ba ea ea ea command to dump mem, xt5 found a nice
DF 00 E3 00 sa sa sa ea ea ea bb bb to poke ram :), where sasasa is start address, eaeaea is end address, and bbbb is the 16bit value to write
Now it's possible to write to ram to let the (not patched) volumeID function pass without being authenticated, just 2 bytes have to be written, because just 2 bytes are checked
ROM:002218DE loc_2218DE: ; CODE XREF: ATAPI_AD_AACS_READ_VOLUMEID+20j
ROM:002218DE ldi:20 #0x164, r0
ROM:002218E2 mul r0, r9 ; r9 = AGID, from 0 to 3
ROM:002218E4 mov mdl, r0
ROM:002218E6 ldi:32 #0x60C1C8, r8 ; probably AGID related ram address
ROM:002218EC add r0, r8
ROM:002218EE ldi:8 #4, r13
ROM:002218F0 ld @(r13, r8), r0
ROM:002218F2 cmp #0, r0
ROM:002218F4 bne loc_221902 ; branch if 60C1CC is not 00000000
ROM:002218F6 ldi:32 #CDB_field_error, r12
ROM:002218FC call:D @r12
ROM:002218FE ldi:8 #0xA, r4
ROM:00221900 bra loc_2219A8
ROM:00221902 ; ---------------------------------------------------------------------------
ROM:00221902
ROM:00221902 loc_221902: ; CODE XREF: ATAPI_AD_AACS_READ_VOLUMEID+42j
ROM:00221902 ld @r8, r0
ROM:00221904 cmp #5, r0
ROM:00221906 beq:D loc_22191C ; branch if 60C1C8 is 00000005
ROM:00221908 mov r9, r4
this app coded by xt5 does:
enable the DF command
writes 0001 to 60C1CE and 0005 to 60C1CA
reads the volumeId
disable the DF command
Deep respect for xt5 and Geremia here. Fabulous work :)
woah!
10th April 2007, 02:09
works here as well :) amazing work to all of you. I checked the key it gave me against the one aacskeys gives me and it's the same.
but the drive gives me 8 bits more info at the beginning of the key:
from the drive: 00220000400026061109202157474844564D0000
from aacskeys: 400026061109202157474844564D0000
so what dumper can use a VID not VUK as its key ??
DumpHD looks for a VUK i believe.
arnezami
10th April 2007, 08:20
Btw: are there any Toshiba/Samsung BD drives? ;)
Mug Funky
10th April 2007, 08:27
good point on BD drives.
the availability and interoperability of HD-DVD hardware might just be giving Sony a competitive advantage it most certainly should not have... already there have been delays in HD-DVD titles but no corresponding delays in BD titles.
if i had the moolah i'd be buying up hardware and donating it to deserving hacksters :) sadly it seems the cleverest people have sided with HD-DVD, possibly to its detriment.
here we see DRM turning usual market principles upside down... make a product more competitive and useful and suddenly it's at a disadvantage.
lightshadow
10th April 2007, 10:50
I won't dispute that most people would prefer to eliminate the DRM entirely. The problem is that the AACS LA is very likely to begin using the SKB system. Without delving too deeply, the SKB system is going to require more keys than current decryptions require. Disclosing those additional keys means disclosing something about who provided those keys and where they came from. That's their purpose. If you disclose the source of the keys, you make it easier to cut off that source.
Will SKB be a compatible "extension" to the AACS that we know today, or will it break the current hacks and how AACS works?
LoloMc
10th April 2007, 11:26
I need to buy one of those readers :D
Thanks for sharing, guys
FoxDisc
10th April 2007, 12:43
Will SKB be a compatible "extension" to the AACS that we know today, or will it break the current hacks and how AACS works?
A bit of both. Try reading this:
http://forum.doom9.org/showthread.php?p=986881#post986881
TiCaL
10th April 2007, 13:23
Btw: are there any Toshiba/Samsung BD drives? ;)
Toshiba is one of the main supporters of HD DVD so it is very unlikely they will come out with a Blu-ray player let alone a drive.
Samsung on the other hand do have a BD Writer, although I cannot seem to find it on their website anymore (it may be outdated). It is listed here though:
SAMSUNG SH-B022
http://www.blu-ray.com/drives/
Maybe someone has this model or can get their hands on one of them.
Geremia
10th April 2007, 14:12
About bluray, it will be interesting to see the fw of this drive
Plextor BD-R PX-B900A
The Panasonic MN103 is well known
http://www.cdrinfo.com/Sections/Reviews/Print.aspx?ArticleId=19104
SuperGoof
10th April 2007, 14:43
Samsung BD writers for PC do not seem to be popular even if they exist:
http://www.videohelp.com/dvdwriters.php?bdrom=1
But what about Samsung standalone players: BD-P1000 and BD-P1200? They are probably second best selling BD players after PS3. It would be interesting to know what drive they use.
I found pictures of the insides of BD-P1000 here:
http://www.engadgethd.com/2006/06/13/samsung-bd-p1000-hands-on-cracked-open-pored-over/
and that page has a link to a more detailed article here:
http://www.avsforum.com/avs-vb/showthread.php?t=683987&page=2&pp=30
mrazzido
10th April 2007, 15:09
i have LiteOn LH-2B1S Bluray writer
from cdrinfo this chip is inside
http://www.cdrinfo.com/Sections/Articles/Sources/L/LiteOn%20LH-2B1S/images/Chipset1.jpg
Momotte
10th April 2007, 17:02
works here as well :) amazing work to all of you. I checked the key it gave me against the one aacskeys gives me and it's the same.
but the drive gives me 8 bits more info at the beginning of the key:
from the drive: 00220000400026061109202157474844564D0000
from aacskeys: 400026061109202157474844564D0000
so what dumper can use a VID not VUK as its key ??
DumpHD looks for a VUK i believe.
Yes, I have the same problem, how do we get from the VID to the VUK to get the tools working (since they require VUK)? I know it's been discussed, but my math is not that great...
arnezami
10th April 2007, 17:05
Yes, I have the same problem, how do we get from the VID to the VUK to get the tools working (since they require VUK)? I know it's been discussed, but my math is not that great...
Just use mkb.exe (http://forum.doom9.org/showthread.php?p=953496#post953496) for the moment.
Momotte
10th April 2007, 19:08
Just use mkb.exe (http://forum.doom9.org/showthread.php?p=953496#post953496) for the moment.
OK, thanks...
arnezami
10th April 2007, 19:20
Yes, I have the same problem, how do we get from the VID to the VUK to get the tools working (since they require VUK)? I know it's been discussed, but my math is not that great...
But what I'm wondering is why you are not using aacskeys because that will give you the VUK...
Clearly you have an Xbox 360 HD DVD drive and an original disc. So aacskeys should work fine.
Or did you just want to know how to use a Volume ID instead of a VUK?
lightshadow
10th April 2007, 21:00
Or did you just want to know how to use a Volume ID instead of a VUK?
Just curious... How can mkb.exe get the VUK just by having the VID?
arnezami
10th April 2007, 21:17
Just curious... How can mkb.exe get the VUK just by having the VID?
The Processing Key is in it ;). So it takes the MKBROM.AACS and the Volume ID and voila it gives a VUK.
evdberg wrote this proggy just after the Processing Key was found...
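Two things in the posts above are worth seeing in code: the eight extra hex digits (four bytes) the drive puts in front of the Volume ID, and the step mkb.exe performs once it has the Media Key, namely Kvu = AES-G(Km, IDv) with the AACS one-way function AES-G(x, y) = AES-128D(x, y) XOR y. The Go program below is an added example written for this page; it is not xt5's tool, not mkb.exe, and not code from anyone in the thread. It treats the posted 20-byte dump as a two-byte big-endian data-length field (0x0022 = 34 = 2 reserved + 16 Volume ID + 16 MAC) plus two reserved bytes followed by the Volume ID; that header layout is an assumption of the example, chosen because it is consistent with the posted value. The Media Key is a constructed placeholder, so the printed VUK is meaningless; the point is the derivation and a check that verifies an AES-G output by re-encrypting it, which is how a tool can catch a mis-ordered key and input without knowing the right answer.

```go
package main

import (
	"crypto/aes"
	"encoding/hex"
	"errors"
	"fmt"
)

// DrivePayloadHex is the 20-byte value posted in the thread: a 4-byte
// header followed by the 16-byte Volume ID.
const DrivePayloadHex = "00220000400026061109202157474844564D0000"

// SampleKmHex is a CONSTRUCTED, meaningless Media Key used only so the
// derivation can run offline. It is not a real AACS key.
const SampleKmHex = "000102030405060708090a0b0c0d0e0f"

// ExtractVolumeID strips the response header and returns the 16-byte
// Volume ID. Assumption of this example: bytes 0-1 are a big-endian data
// length (0x0022 = 34 = 2 reserved + 16 VID + 16 MAC) and bytes 2-3 are
// reserved. The posted dump stops after the VID, so the MAC may be absent.
func ExtractVolumeID(resp []byte) ([]byte, error) {
	if len(resp) < 20 {
		return nil, errors.New("response too short for header + Volume ID")
	}
	dataLen := int(resp[0])<<8 | int(resp[1])
	if dataLen != 34 {
		return nil, fmt.Errorf("unexpected data length field %#04x", dataLen)
	}
	vid := make([]byte, 16)
	copy(vid, resp[4:20])
	return vid, nil
}

// AESG is the AACS one-way function AES-G(x, y) = AES-128D(x, y) XOR y,
// with x the 128-bit key and y the 128-bit input.
func AESG(x, y []byte) ([]byte, error) {
	if len(x) != 16 || len(y) != 16 {
		return nil, errors.New("AES-G needs a 16-byte key and a 16-byte input")
	}
	block, err := aes.NewCipher(x)
	if err != nil {
		return nil, err
	}
	out := make([]byte, 16)
	block.Decrypt(out, y) // AES-128D: a single block decryption
	for i := range out {
		out[i] ^= y[i]
	}
	return out, nil
}

// VolumeUniqueKey derives Kvu = AES-G(Km, IDv), the step mkb.exe performs
// after recovering Km from the MKB with the Processing Key.
func VolumeUniqueKey(km, vid []byte) ([]byte, error) {
	return AESG(km, vid)
}

// VerifyAESG checks a claimed AES-G output g without knowing the expected
// value: AES-128E(x, g XOR y) must give back y. Returns false on any
// mismatch or malformed input.
func VerifyAESG(x, y, g []byte) bool {
	if len(x) != 16 || len(y) != 16 || len(g) != 16 {
		return false
	}
	block, err := aes.NewCipher(x)
	if err != nil {
		return false
	}
	in := make([]byte, 16)
	for i := range in {
		in[i] = g[i] ^ y[i]
	}
	out := make([]byte, 16)
	block.Encrypt(out, in)
	for i := range out {
		if out[i] != y[i] {
			return false
		}
	}
	return true
}

func main() {
	resp, _ := hex.DecodeString(DrivePayloadHex)
	vid, err := ExtractVolumeID(resp)
	if err != nil {
		fmt.Println("error:", err)
		return
	}
	km, _ := hex.DecodeString(SampleKmHex) // constructed placeholder Km
	vuk, _ := VolumeUniqueKey(km, vid)
	fmt.Printf("Volume ID:                 %X\n", vid)
	fmt.Printf("VUK (from constructed Km): %X\n", vuk)
	fmt.Println("AES-G consistency check:  ", VerifyAESG(km, vid, vuk))
}
```

The length check is what turns the "8 bits more" puzzle into a defined parse: a tool that blindly used the first 16 bytes would feed 00220000 plus three quarters of the real Volume ID into AES-G and derive a VUK that silently decrypts nothing.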
jsl
10th April 2007, 21:46
Samsung BD writers for PC do not seem to be popular even if they exist
AFAIK Samsung never released its SH-B022A/SE-B026A BD writers for whatever reason. So far there are the following "original designed" half height BD writers released (all others are rebadged drives based on these):
LG GBW-H10N
Lite-On LH-2B1S (rebadged drives include BenQ BW1000 and Philips SPD7000)
Panasonic SW-5582 (rebadged drives include Plextor PX-B900A and Sony BWU-100A)
Pioneer BDR-101A
About bluray, it will be interesting to see the fw of this drive
Plextor BD-R PX-B900A
The Panasonic MN103 is well known
Sony BWU-100A is the same drive as the Plextor (both are OEM Panasonic drives) and Sony has released a firmware update for this model here (http://sony.storagesupport.com/blu-ray/downloads/bwu100a/10c2Firmware/BWU100A_10c2.zip).
FoxDisc
10th April 2007, 21:51
The HD DVD and DVD Pre-recorded Book says that the KCD is stored in the Copyright Data Section of the lead in area.
It's right after the lsb_64 of the Volume ID. Since you are reading the Volume ID, I wonder if you have found anything in the fw that reads the KCD? It would be interesting to know if the current AACS discs have a KCD on them.
Along the same lines, I notice that there's room in the flash for storing the host revocation list. Have any CDBs for storing the HDL actually been identified?
dito
10th April 2007, 23:45
I think it would be highly useful if the BluRay in the PS3 could be patched so it works under Linux... Will be good for people just wanting to use the PS3 as a HTPC...
BTW does the Xbox360 HD-DVD work under linux (are there any drivers?)?
Great work guys!
Geremia
10th April 2007, 23:50
The HD DVD and DVD Pre-recorded Book says that the KCD is stored in the Copyright Data Section of the lead in area.
It's right after the lsb_64 of the Volume ID. Since you are reading the Volume ID, I wonder if you have found anything in the fw that reads the KCD? It would be interesting to know if the current AACS discs have a KCD on them.
hum, interesting, i missed this part of aacs stuff :)
haibane
11th April 2007, 02:04
The HD DVD and DVD Pre-recorded Book says that the KCD is stored in the Copyright Data Section of the lead in area.
It's right after the lsb_64 of the Volume ID. Since you are reading the Volume ID, I wonder if you have found anything in the fw that reads the KCD? It would be interesting to know if the current AACS discs have a KCD on them.
So suppose the KCD is on disk and the current XBOX360 drive can read it. And the KCD is not encrypted or scrambled in some secret way (the AACS spec seems to say it's stored in a way defined in the confidential part of the spec). Then does this mean the KCD mechanism is broken, at least for people who own the current version of XBOX360 HD-DVD players?
Galileo2000
11th April 2007, 02:54
So my guess is we need to find PC Blu Ray drive with the same free memory options like Xbox HD DVD drive.
And then we are done.
And AACS is done.
markrb
11th April 2007, 03:01
This is great for me. I watch my HD-DVD's strictly from the HD on my HTPC since the 360 drive is too loud for my taste.
Thanks to all of you for your hard work.
I wish these people would wake up and understand that if I couldn't watch my own store bought movies this way I wouldn't be buying them in the first place.
Mark
FoxDisc
11th April 2007, 03:14
So suppose the KCD is on disk and the current XBOX360 drive can read it. And the KCD is not encrypted or scrambled in some secret way (the AACS spec seems to say it's stored in a way defined in the confidential part of the spec). Then does this mean the KCD mechanism is broken, at least for people who own the current version of XBOX360 HD-DVD players?
From my reading, it appears that the KCD will only be used by integrated standalone devices, not PC host software using drives like the XBOX360 HD-DVD drive. Standalone devices will calculate a media key precursor Kmp with their device keys, not the media key Km that is used by all the software here. The Kmp can be used with the KCD to calculate the Km via AES-G. The purpose of the KCD is to prevent device keys stolen from one type of device (standalone) from being used with another type (PC and software like WinDVD). That's why it's interesting to see if the XBOX 360 drive can read the KCD. If it can read the KCD, then that part of the system has a crack in it.
FoxDisc
11th April 2007, 03:23
So my guess is we need to find PC Blu Ray drive with the same free memory options like Xbox HD DVD drive.
And then we are done.
And AACS is done.
AACS has lots of fight left in it. The new software versions of WinDVD and PowerDVD will be hardened making it harder to pull keys out and breaking older methods. The old processing key and the one known device key (I think one is all that's been found) will be revoked in the next MKB. They'll probably revoke the old software in a new Host Revocation List. They'll bring out the SKB system for traitor tracing. No, I don't think anyone is quite ready to declare victory yet.
Galileo2000
11th April 2007, 03:36
AACS has lots of fight left in it. The new software versions of WinDVD and PowerDVD will be hardened making it harder to pull keys out and breaking older methods. The old processing key and the one known device key (I think one is all that's been found) will be revoked in the next MKB. They'll probably revoke the old software in a new Host Revocation List. They'll bring out the SKB system for traitor tracing. No, I don't think anyone is quite ready to declare victory yet.
Oh well. My bad.
But frankly, I am not sure I understand.
If we can get VUK from HD DVD Xbox without any software player involved, why do we care about the software players at all?
You know a hell more about the whole thing than I do.
Please explain, thank you.
Sulimo
11th April 2007, 08:42
AACS has lots of fight left in it. The new software versions of WinDVD and PowerDVD will be hardened making it harder to pull keys out and breaking older methods. The old processing key and the one known device key (I think one is all that's been found) will be revoked in the next MKB. They'll probably revoke the old software in a new Host Revocation List. They'll bring out the SKB system for traitor tracing. No, I don't think anyone is quite ready to declare victory yet.
And can't they just revoke the HD-DVD addon hardware?
gulikoza
11th April 2007, 09:44
If we can get VUK from HD DVD Xbox without any software player involved
You can't get it directly, you still need the processing key (which is the same for all discs...AT THE MOMENT, but it will be changed sooner rather than later).
lightshadow
11th April 2007, 09:55
The Processing Key is in it ;). So it takes the MKBROM.AACS and the Volume ID and voila it gives a VUK.
evdberg wrote this proggy just after the Processing Key was found...
I see =) Thanks.
It is not quite related, but what is KCD that people are talking about?
lightshadow
11th April 2007, 11:20
Just thinking. Would it be a good idea if the leading hackers exchanged contact information in case Doom9 and/or xboxhacker should be taken down, so you are separated if the forums should be taken down?
If you don't want to give out your real email, then use Sneakemail (http://www.sneakemail.com), which makes an email alias to your real email. I have used it for years, and it just works!
FoxDisc
11th April 2007, 12:42
And can't they just revoke the HD-DVD addon hardware?
Yes, using the Drive Revocation List they can revoke drives. I don't know whether individual drives can be revoked (your XBOX 360 HD-DVD drive, but not mine) or if it's just whole classes of drives (all XBOX 360 HD-DVD drives).
MrDVD
11th April 2007, 12:46
I think it would be highly useful if the BluRay in the PS3 could be patched so it works under Linux... Will be good for people just wanting to use the PS3 as a HTPC...
BTW does the Xbox360 HD-DVD work under linux (are there any drivers?)?
Great work guys!
I don't have a PS3 but I think it already works under Linux. There is a UDF patch for the kernel to support UDF 2.5. Check ps3news.com
Galileo2000
11th April 2007, 13:17
Yes, using the Drive Revocation List they can revoke drives. I don't know whether individual drives can be revoked (your XBOX 360 HD-DVD drive, but not mine) or if it's just whole classes of drives (all XBOX 360 HD-DVD drives).
But why is it important? I will not be able to play HD DVD movie from the drive, but I still will be able to use it for decryption, no?
bourke
11th April 2007, 13:30
It gives the volume ID without patching the drive and without doing AACS auth. Meaning this drive has a HUGE security hole in it :).
Heads off to buy a stockpile of these drives - they're only about US$110 here at the moment (Australia).
They could be worth a mint when they eventually patch the drive firmware LOL!
bourke
11th April 2007, 13:52
But why is it important? I will not be able to play HD DVD movie from the drive, but I still will be able to use it for decryption, no?
Sure you can read the Volume IDs (and the encrypted disc contents) using this drive - however you still need keys (e.g. a processing key) in order to decrypt those files.
They will be revoking all such publicly known decryption keys as sure as day follows night.
What we need to do is find another processing key... and not release it until about one month from now ;-)
I wonder if this time they will use completely different keys for Blu-Ray and HD-DVD?!
FoxDisc
11th April 2007, 13:58
I don't know whether individual drives can be revoked (your XBOX 360 HD-DVD drive, but not mine) or if it's just whole classes of drives (all XBOX 360 HD-DVD drives).
But why is it important? I will not be able to play HD DVD movie from the drive, but I still will be able to use it for decryption, no?
That's two questions. Why is it important? Mainly we want to understand what can and can't be done. I suspect that they would not turn off all legitimate XBOX 360 drives with a DRL revocation just to get at some hackers who could probably get around the revocation. I also have my doubts that there is enough space on an AACS disc to individually revoke specific drives, which leads me to guess that DRL is not a big issue. I suppose they might have some way of forcing people to flash upgrade the drives, then they could revoke the old unflashed versions, but even that seems unlikely. Finally, I'm not sure we know where the DRL revocation would be stored (If I saw this in the specs, I've forgotten - arnezami, do you recall?). Is it in the drive, the software? Right now it looks like there would be ways to get around a stored DRL list, but only time will tell for certain.
As to whether you could still use a DRL revoked drive to decrypt - that mostly would depend on what they've changed in the encryption. I agree, the drive could probably still be used to read everything on the encrypted AACS disc with the control that's been gained over the firmware, but will you have all the required decryption DK and SK keys to work through the MKB and the SKB? Again, only time will tell for certain.
Galileo2000
11th April 2007, 14:05
Sure you can read the Volume IDs (and the encrypted disc contents) using this drive - however you still need keys (e.g. a processing key) in order to decrypt those files.
They will be revoking all such publicly known decryption keys as sure as day follows night.
What we need to do is find another processing key... and not release it until about one month from now ;-)
I wonder if this time they will use completely different keys for Blu-Ray and HD-DVD?!
This is understandable.
Processing keys will change, like you said.
New keys will have to be found.
But hardware revocation is irrelevant.