5th April 2007, 01:56   #12
Geremia
I already checked: the difference between my dump and the other dump is only in unique data not checksummed at 4000-7FFF.

The code analyzes the uploaded firmware in 7 passes, which denotes 7 firmware zones:

1st pass: base 0 len 4000 (0-3FFF) main firmware (checksummed)
2nd pass: base 10000 len D0000 (10000-DFFFF) main firmware (checksummed)
3rd pass: base 6000 len 2000 (6000-7FFF) unique data, S/N and a few other bytes, maybe region (not checksummed)
4th pass: base 8000 len 4000 (8000-BFFF) don't know what's inside, does not seem to be code (checksummed)
5th pass: base F0000 len 10000 (F0000-FFFFF) bootloader (checksummed)
6th pass: base E0000 len 10000 (E0000-EFFFF) just a few bytes then 00, same data in the other MC08 dump, empty in the TS06 fw upgrade (checksummed, but 00 on 8th byte)
7th pass: base 4000 len 2000 (4000-5FFF) unique data, probably AACS related (not checksummed)

The difference is only in parts 3 and 7 (not checksummed), which are filled with FF in the Buffalo TS06 fw upgrade. Filling FF on my dump and flashing it back to the drive, the drive still works, so, as the code analysis seems to confirm, those zones are skipped, and it sounds logical; even in many other drives you can't reflash the area that stores the region code and serial number.

What I'm not sure about is part 6: it's the same in both flash dumps, but it's filled with FF in the Buffalo TS06 upgrade, so it seems to be not firmware code but data common to all SD-S802A. Filled with FF on my dump and flashed back, the drive works again.
Anyway the code explains itself: it skips checking parts 3, 6 and 7, but what I'm not sure about is whether a skipped area will be flashed or not. I suppose not, but I must be sure of this.

Code:
ROM:002FE364                 ldi:8   #6, r0
ROM:002FE366                 mul     r0, r9          ; r9 = pass number, from 0 to 6
ROM:002FE368                 ldi:32  #0x2FDC18, r13
ROM:002FE36E                 mov     mdl, r10
ROM:002FE370                 lduh    @(r13, r10), r6 ;can be F010, F011, 0080, A090, 70A0, 00D0, 00D1

.........
.........
ROM:002FE3A2 loc_2FE3A2:                             ; CODE XREF: bootmode_unknown_3B_not04_writebuffer+DCj
ROM:002FE3A2                 ldi:20  #0x2000, r0
ROM:002FE3A6                 and     r0, r6          ; r6 was F010, F011, 0080, A090, 70A0, 00D0, 00D1
ROM:002FE3A6                                         ; so     2000, 2000, 0000, 2000, 2000, 0000, 0000
ROM:002FE3A8                 beq     loc_2FE46E      ; branch for part 3, 6, 7 (not firmware code)
.........
.........
ROM:002FE46E loc_2FE46E:                             ; CODE XREF: bootmode_unknown_3B_not04_writebuffer+ECj
ROM:002FE46E                                         ; bootmode_unknown_3B_not04_writebuffer+194j
ROM:002FE46E                                         ; bootmode_unknown_3B_not04_writebuffer+1A4j
ROM:002FE46E                 ldi:32  #0x2FDC18, r13
ROM:002FE474                 lduh    @(r13, r10), r4 ; F010, F011, 0080, A090, 70A0, 00D0, 00D1
ROM:002FE476                 ldi:20  #0x4000, r0
ROM:002FE47A                 and     r4, r0          ; 4000, 4000, 0000, 0000, 4000, 0000, 0000
ROM:002FE47C                 beq     next_pass_or_goon_if_was_last ; don't branch for pass 1, 2, 5 mainfw and bootloader
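The zone table and the two flag bits the listing tests, turned into a zone-by-zone comparison of two dumps that reports which zones differ and whether each differing zone is one the updater's checksum pass skips. This is an added example, not code from the post; the flag halfwords are mapped to passes in the order the listing comments give them, and the sample dumps are constructed.

```python
# Added analysis helper (not from the post). Zone bases, lengths, flag halfwords
# and the meaning of bits 0x2000 / 0x4000 are taken from the post's listing;
# the dump contents produced by make_sample_dumps() are constructed test data.

# (pass, base, length, flag halfword read at ROM:002FE370, description)
ZONES = [
    (1, 0x00000, 0x04000, 0xF010, "main firmware"),
    (2, 0x10000, 0xD0000, 0xF011, "main firmware"),
    (3, 0x06000, 0x02000, 0x0080, "unique data: S/N, maybe region"),
    (4, 0x08000, 0x04000, 0xA090, "unknown, does not look like code"),
    (5, 0xF0000, 0x10000, 0x70A0, "bootloader"),
    (6, 0xE0000, 0x10000, 0x00D0, "common data, FF in TS06 upgrade"),
    (7, 0x04000, 0x02000, 0x00D1, "unique data, probably AACS related"),
]
DUMP_SIZE = 0x100000
BIT_CHECKSUMMED = 0x2000   # tested at ROM:002FE3A6; clear -> checksum skipped
BIT_MAINFW_BOOT = 0x4000   # tested at ROM:002FE47A; set only for passes 1, 2, 5


def zone_is_checksummed(flag):
    return bool(flag & BIT_CHECKSUMMED)


def diff_zones(dump_a, dump_b):
    """Return [(pass, checksummed, offset_of_first_difference)] for zones that differ."""
    assert len(dump_a) == len(dump_b) == DUMP_SIZE
    result = []
    for p, base, length, flag, _desc in ZONES:
        a, b = dump_a[base:base + length], dump_b[base:base + length]
        if a != b:
            first = next(i for i in range(length) if a[i] != b[i])
            result.append((p, zone_is_checksummed(flag), base + first))
    return result


def only_skipped_zones_differ(dump_a, dump_b):
    """True when the dumps differ and every differing zone is one the updater skips."""
    diffs = diff_zones(dump_a, dump_b)
    return bool(diffs) and all(not checksummed for _, checksummed, _ in diffs)


def make_sample_dumps():
    """Constructed: a baseline image and a copy with zones 3 and 7 filled with FF."""
    base = bytes(i & 0xFF for i in range(DUMP_SIZE))
    other = bytearray(base)
    other[0x4000:0x6000] = b"\xff" * 0x2000   # zone 7 (4000-5FFF)
    other[0x6000:0x8000] = b"\xff" * 0x2000   # zone 3 (6000-7FFF)
    return base, bytes(other)
```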