Hi all and Happy new year ...

Well, if you happen to have a "crashed" original HD in your XBOX and don't have a mod-chip? ... well the good new is you can buy the SAME disk (locked or not) ... you can fine some locked one for real cheap here ... but make sure it's the same drive that you have, ie: WD vs WD and Seagate vs Seagate ...

Now, the work need to be done:

- open you xbox
- remove you "broken drive"
- remove the CONTROLER of the broken drive
- remove the CONTROLER of the NEW drive
- replace the CONTROLER from the broken one on the NEW drive
- put the NEW (modified) drive back in the xbox
- voila!

You see ... the password is written on the Controler drive in an "EEPROM/RAM" chip, so by replacing the controler of your broken drive on the new working drive you transfer the same password to it ... So you orginal XBOX will work ...

This will get the LOCKED orginal drive sell a little more ... why i cam up with this, it is because some folks is joking on peoples who buy LOCKED drive ... so now you see that the looked drive can be use for ....

Cheer!

This post has been edited by Neo2003: Jan 2 2004, 04:42 PM

the only problem with that is the hdd key is generated by YOUR eeprom which is generated on the fly. without the drive installed and locked in YOUR system it will have a wrong key. a simple way to test this is there is a program that will generate a hdd key based on your eeprom. open up one eeprom and generate a key based on a hdd on your computer. then open up a differant eeprom and generate a key for the same hdd on your computer and the 2 keys will be differant.

How do you replace the controller? I'm guessing this would be filed under "easier said than done".

Interesting nonetheless. Makes perfect sense in theory, but would nice to see it independently verified. If it works, then that could indeed allow people to grab nice, locked (and thus seemingly worthless) drives for pennies on the dollar. Assuming no compatibility issues, and assuming you keep your original MS hdd, you could xfer the "hdd controller" from the original drive to the locked drive and boot it up.

I'm still skeptical, though. Take a pic of the "hdd eeprom" and show us how to remove/replace please.

easier said than done, specially considering i think you have to do some desoldering.

This post has been edited by pontfirebird73: Jan 9 2004, 04:39 PM

Well. you all think in the wrong direction:

I'm talking about the Controler BOARD one the HD (or the Circiut board if you like more the term). I'm not talking about the controler CHIPS.

All you have to do is unscreew it from a working drive ... replace it with the controler board from your dead drive

Of cause this only repare the drive that have bad HEAD or bad Sector, or dead Motor

This method can not replace the drive that have the controler board burned

Sorry for the confusion, but we are talking here is the HD controler board, the circuit boad that on bottom of the HD ... not the CHIPS

Have you actually done this or is this just a theory? I'm not trying to call you out. If you say you've done it I guess I'll give you the benefit of the doubt.

But this seems an easy loophole around the reason drives are locked in the first place - data security. If simply xferring the circuit board from an unlocked drive to one that is locked allowed access to the data, that wouldn't seem very secure. I always assumed that password data existed in some form on the hard disk itself.

If I'm not mistaken, the "ribbon cables" that run between the drive itself the it's controller board is "permanently" attached, unlike the "ribbon cables" used in the PS2.

Yes i have been done this with the WD and Seagate. WD drive is easy, since only 4 screews to take the controler board out ... BTW the "lock mecanism" is on the EEROM/FLASH chips of the controler board from the HD it self ... try it you will see it's simply easy, i have buying locked drive to fix a few, DEAD motor original drive they are cheaps ...

OK... to make it more clear, the contronler board i'm talking is the one on the drive where the jumpers, IDE cable and power cable connectors are there ...

I haven't tried this on an xbox OEM drive, but on the IBM, Hitachi, and Maxtor drives I've worked on the actual key is stored on the drive's platters in a special sector that the controller board reads on spin-up. Thus on these drives that trick won't work.
-nB

Tried it with two xbox seagate drives and it didn't work. The xbox boots up and hangs before the MS logo comes up. (the hdd of the xbox was unlocked and the spare was locked if that makes a difference). It does seem though that ColKurtz has a point. It doesn't make any sence data-security wise to have the key on the controller board. If it works though it is going to save my life.

Strange, but it's working for me 2 WD and on seagate ...

All the driver is LOCKED, i keep the LOCKED xbox original drive controler board, and swaped the drive it self and it's working, no mod-chips it is boot up fine ... maybe something to do with the dashboard?

I will try to get more info on the LOCK mechanism of th ATA-IDE spec

Sorry to all that is not working

OK, here's the ATA-3 spec of the IDE drive:
"
According to the ATA-3 specification there are two passwords: a master and
a user password.
The passwords are stored in the EPROM of the hd and are certainly very veryhard to remove.

A locked drive rejects all media access commands.

When a new master password is set, the drive won't be locked.

Setting a new user password locks the drive the next time it is powered-on.

A drive can be unlocked by one of the two passwords.

IBM sets the master password to all ASCII blanks (0x20) during
manufacturing.


To unlock a drive one has to send the command SECURITY UNLOCK (0xBB)
and transfer a single sector to the drive:

Word 0 Bit 0 Identifier:
0=compare user password,
0=compare master password
1-16 Password (32 Bytes)
17-255 reserved


Word 128 of the Identify Drive command contains the Security status:
Bit 8 : Security level
0=High (can be unlocked),
1=Maximum (disk must be erased)
4 : 1=Security count expired (more than five failed unlock tries, hard-reset necessary)
3 : 1=Security frozen (all security commands aborted)
2 : 1=Security locked (media access not allowed)
1 : 1=Security enabled
0 : 1=Security supported
"

Here's more info

"
Comment from scrawner
Date: 03/06/2003 08:36AM PST
Comment

Ok, the best thread i've found on this topic is at:
http://www.geek.com/news/geeknews/q22000/g...00918002375.htm

It has about 2 years worth of discussion, including some comments from a guy who actually knows how to fix it:

As you will probably understand it is not possible for me to give the 'official' method of cracking the HDD password and this in any case requires a small amount of hardware.

However I can tell you that the drive controller checks for the password protection only once at startup. Also that the data on a 'locked' drive is not encrypted.

Therefore after successful calibration on an unlocked drive, the drive controller is in a condition where it can read data from the disk platters and no subsequent check for password is made until the drive is powered down or is put into sleep mode (using the appropriate ATA command).

So you will probably have guessed what you could try should you have a second unlocked 'donor' drive of the same model & firmware revision.

This method if done properly will allow one to bypass the password lock to gain access to data but will not reveal what the original password was. To do that you must use the 'official' method, which on a drive from a DELL or IBM Thinkpad machine reveals what the original password was, in plain text (or in encrypted form if from another type of laptop).

Please note that the two controllers must have an IDENTICAL firmware level otherwise corruption of the data (due to sector mapping errors) may occur. The firmware level is available as an ASCII field in the IDENTIFY information returned by issuing the IDENTIFY DEVICE ATA command (0xEC). This will work on a locked or unlocked drive. Also please note that the above 'bypass' procedure could damage one or both controllers if not performed properly - you have been warned!
-------------

Another suggestion was from a guy who indicated hooking it up to his Macintosh G4 using firewire enabled him to format the drive, though I'm skeptical about it..depends on what part of the drive controller is enforcing the block...

"

To ne02003. Ok so you know your shit. No the two drives were not identical they didn't have the same firmware. Everything you say make perfect sence so I'll wait around until an identical drive comes around. Is there an easier way to find the firmware revision? Preferably by looking at the drive? More crudelly any specific number printed on the label that if you get to match will do the trick?
Fuck I hope the data weren't ruined.

This post has been edited by auberon: Jan 12 2004, 08:44 PM