> Samsung DVD Firmware Hack for Original Xbox Out in the Wild, Xbox360 W
Xbox-Scene
post Apr 26 2006, 04:52 AM
Post #1





Samsung DVD Firmware Hack for Original Xbox Out in the Wild, Xbox360 WIP -- Posted by XanTium on April 25 23:52 EST
In fact, Commodore4Eva released it a few days ago already, but I was waiting for the smart guys on the xboxhacker.net forums to confirm the hack as real. The hack seems to be done a bit differently than the original (unreleased) Xbox1 hack by TheSpecialist (which was for the Hitachi-LG GDR-8050L drive) and as this modified Samsung SDG-605B firmware requires raw dumps, some patching and expensive DVD-DL recordable discs it took some time to be confirmed working. Commodore4Eva already released a firmware for this drive before, but it wasn't working correctly... this 2nd version however has now been tested and it looks like it's working.
From Commodore4Eva on xboxhacker.net [keep thread clean - technical posts only plz]:
[QUOTE]
Cracked Samsung SDG-605B/616T/616F Firmware for Xbox 1 v2
What's New:
* Totally re-done to read security sector from image, will now work with all games and xbox live.
* Security sector moved to image
* Security sector now read from PSN $fd021e (originals) AND PSN $f9fa00 (backups. This is the next sector after end of xbox game data.)
* Patched read sector routine to work with originals and backups
* Patched debug cdb command (FF 66 05 or FF 06 05) for bank 0 rom checksum check to return original bank 0 rom checksum. Possible xbox live checker
* Extra debug cdb command found to unlock drive without any challenge response (FF 08 01)

Tested with unmodified xbox with copy of Halo 2 made using hot swap technique, clonecd, original dvd size was psn 30000-FCxxxxx. Added security sector to image with hex editor at psn f9fa00
Don't forget to include per game security sector into image. If need be, will post firmware to easily return security sector data
This will be similar to our soon to be released xbox 360 firmware.

*Update* I released a firmware for reading the security sector data. Use only to obtain SS data from games which is $0800 in length. Send custom cdb command (from dvdinfo pro: AD 00 FF 02 FD FF FE 00 08 00 00 C0). Save data as bin file.

*Update* Status Update for the 360
Things are moving quickly, patched security sector routine. Security sector now also read from $FB04E0, this is the next sector after xbox 360 game data.
Many debug cdb commands found including the firmware checksum routine which will be patched for xbox live checker, other debug commands will be patched as they return values from disk.
Interesting that the firmware checks for version of security sector data at $065f in SS data, being 01 (xbox) or 02 (360)
Read sector routine patched to read from originals and copies. I am working on it and should be complete soon.
[/QUOTE]


DVD Firmware Hack?
The hack is a modified firmware of the (original) Xbox Samsung SDG-605B/616T/616F DVD-ROM drive.
As you (should) know, all Xbox executables (XBE files) are signed by Microsoft (with a private key only MS has). This means that if you try to change anything in the XBE file, the signature will be wrong and the file will not boot.
To protect from booting raw copies of a game from a DVD-R or other recordable media, Microsoft gave each XBE file a 'mediaflag'. This mediaflag tells the Xbox from which media (cd-r, dvd-r, dvd+r, dvd-rw, hdd, dvdxbox, dvdxbox360, ...) the XBE is allowed to boot. Changing this mediaflag in the XBE header is not an option as it'll break the signature of the file (see above), so ... what's done in this firmware hack is 'break' the detection of the disc.
Retail games usually get a mediaflag where they only allow 'dvdxbox' (Xbox discs - different than a normal DVD because it has some specific bad sectors etc). The modified firmware will trick the DVD drive into reporting a DVD-R (or other) as a DVDXBOX to the Xbox.

So... how does this work?
First of all you need a Samsung SDG-605B/616T/616F drive, this firmware release will only work with these drives.
Flashing the firmware on the drive is easy: you'd have to open your Xbox (void warranty), connect the DVD drive to your PC (via IDE) and use the Windows flasher software (MTK Win flash) to flash your drive with this modified firmware.
You also need a 'RAW' dump of an original game of your game region... images with ripped/moved stuff or XBE files with modified media, debug or region flags etc. will NOT work. You can do a real raw dump by hotswapping a full DVD (a burned DL with 8,5GB of data for example) with an Xbox game after your PC drive loaded the first disc, then use clonecd and/or isobuster (for example) to dump the full data of the Xbox disc.
Then you'll have to add the SS (security sector) to the image (with a hex tool like hexworkshop for example). The SS is different for each game ... a few examples were included with the firmware release (Commodore4Eva now also released a special 2nd firmware to get this SS data yourself from an original Xbox disc by sending a special command with the drive connected to your PC). The exact position inside the image where you have to add this SS can be calculated. This SS is required and is on the 2nd layer, that's why you need to burn it on a DVD-DL. The unreleased Hitachi-LG GDR-8050L firmware by TheSpecialist works with DVD5 discs, but this modified Samsung firmware will not work with DVD5, even if the game is small enough to fit on it, it needs this SS data on the 2nd layer to work.
How to calculate the exact position of the SS is best explained by Geremia on the XBH forums:
"My big dvd (disc you used to swap with the original Xbox disc) has last sector = FCFFEF
FCFFEF-F9FA00=305EF, each sector is 2048 bytes (0x800 hex), so 305EF*800=182F7800; this is, in hex, the distance backward of the PSN F9FA00 from the end of the image file, use hexworkshop to find the right place.
BTW, it seems that this is the distance of the end of the F9FA00 sector, so the sector begins 0x800 bytes back, anyway in doubt I pasted the SS in both places."

As said above the hack will allow you to run raw dumps with MS-signed and unmodified XBE files only, so that also means the game must be of right region (as changing the regionflag in the XBE header would break the signature). Unsigned, homebrew executables would of course not work, again because signature check would fail. This hack could however help you boot a disc with the gamesave exploit which would then allow you to install an XBE exploit or flash your TSOP (Xbox v1.0-v1.5).

Microsoft and Xbox LIVE?
Can Microsoft check for this firmware? Probably (even if firmware could probably be changed to make it invisible again ... starting a cat&mouse game with MS)
Does MS check it already? Unlikely, but just like when they detect a modified bios, they will probably ban your Xbox from LIVE once the check is in place.

(Note that all info above is based on all stuff I read ... if I made any mistakes, let me know)

Download: n/a, firmware contains copyrighted code (don't ask for it here or on XBH, we can't help you)
News-Source: xboxhacker.net [keep thread clean - technical posts only plz]

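The sector arithmetic quoted from Geremia in the post above, worked through as an added example (not code from the original post, the XBH forums or the firmware release). It assumes the image is contiguous and that its final 2048-byte block is the sector with the last PSN; the function names are hypothetical, and it also checks the two security-sector properties the post states (length $0800, version byte at $065f).

```python
SECTOR_SIZE = 0x800         # 2048 bytes per sector, as stated in the post
SS_LENGTH = 0x800           # length of a security sector dump per the post
SS_VERSION_OFFSET = 0x065F  # position of the version byte per the post
SS_VERSIONS = {0x01: "xbox", 0x02: "360"}


def sector_span_from_end(last_psn, target_psn):
    """Distances (start, end) of a sector, measured back from end of image.

    Assumption: the image is contiguous and its final 2048-byte block is
    the sector numbered last_psn.
    """
    if target_psn > last_psn:
        raise ValueError("target PSN lies beyond the last sector of the image")
    end = (last_psn - target_psn) * SECTOR_SIZE  # whole sectors after target
    return end + SECTOR_SIZE, end


def sector_file_offset(image_size, last_psn, target_psn):
    """Absolute byte offset of the first byte of target_psn in the image."""
    if image_size % SECTOR_SIZE:
        raise ValueError("image size is not a multiple of the sector size")
    start, _ = sector_span_from_end(last_psn, target_psn)
    if start > image_size:
        raise ValueError("target PSN lies before the start of the image")
    return image_size - start


def classify_ss(blob):
    """Check a security sector dump's length and report its version byte."""
    if len(blob) != SS_LENGTH:
        raise ValueError(f"expected {SS_LENGTH:#x} bytes, got {len(blob):#x}")
    return SS_VERSIONS.get(blob[SS_VERSION_OFFSET], "unknown")


if __name__ == "__main__":
    start, end = sector_span_from_end(0xFCFFEF, 0xF9FA00)
    print(f"end of sector: {end:#x} bytes from end of image")
    print(f"start of sector: {start:#x} bytes from end of image")
    sample = bytearray(SS_LENGTH)       # constructed blob, not real SS data
    sample[SS_VERSION_OFFSET] = 0x01
    print("version:", classify_ss(bytes(sample)))
```

The quoted figure 182F7800 is the distance to the end of sector F9FA00; the sector's first byte lies 0x800 further back, at 182F8000 from the end of the image.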
Mr_Milenko
post Apr 26 2006, 05:09 AM
Post #2







Bout damn time.. now for a 360 hack... (yeah the 360 bit was sarcasm) Good work guys seriously..
brywalker
post Apr 26 2006, 05:12 AM
Post #3





That's neat and all. Really, I appreciate the effort and it's great that we can still find an exploit or 2 on the original XBOX. Potentially for the 360.

But hotswapping games? No thanks. We did that with the PS2 back in the day (and some people still do it) and it's a freaking mess. It is a step, and that's great, but I don't think that there will ever be a way to do this in a way that makes sense.

We will see.
NitroShot
post Apr 26 2006, 05:22 AM
Post #4





QUOTE(brywalker @ Apr 25 2006, 11:19 PM) *

That's neat and all. Really, I appreciate the effort and it's great that we can still find an exploit or 2 on the original XBOX. Potentially for the 360.

But hotswapping games? No thanks. We did that with the PS2 back in the day (and some people still do it) and it's a freaking mess. It is a step, and that's great, but I don't think that there will ever be a way to do this in a way that makes sense.

We will see.


The swapping is only required to make a RAW dump of the disc in an image which is then burned onto a DVD-DL disc patched with the correct SS (security sector). Swapping isn't needed to boot the disc.
trigga71
post Apr 26 2006, 05:25 AM
Post #5





can we get this from the usual places?
Ming3r
post Apr 26 2006, 05:29 AM
Post #6





Interesting.

Wonder if MS will jump on this...probably not, the lifespan is probably considered dead by them...
Base8
post Apr 26 2006, 05:32 AM
Post #7





Damn, until I read the posts I missed the point and thought it was for the 360, soon I hope. Good news though! Hope this helps with the 360.
Lamer123
post Apr 26 2006, 05:37 AM
Post #8







Cool nice work
Probizzle
post Apr 26 2006, 05:39 AM
Post #9







good work guys
trigga71
post Apr 26 2006, 05:42 AM
Post #10





I don't think they will bother with it, as Wal-Mart and Best Buy aren't selling them any more, so they will probably stop production on them in the next few months.
italianiceag
post Apr 26 2006, 05:42 AM
Post #11





I'm a bit surprised this was released on xboxhacker.net

it's funny, I was messin around with unleashx and the tap noted xbox 1 security broken, and I was like, "wtf???"

anyway, I don't get the point of saying nice job to someone who isn't going to read this...but nice job.

This post has been edited by italianiceag: Apr 26 2006, 05:54 AM
JustinT9669
post Apr 26 2006, 05:45 AM
Post #12





I'd rather just softmod (more features), but Good Job Hackers
running_wild
post Apr 26 2006, 05:47 AM
Post #13







QUOTE(italianiceag @ Apr 26 2006, 05:49 AM) *

I'm a bit surprised this was released on xboxhacker.net


Why? It would seem like the most obvious place to me.
xboxexpert
post Apr 26 2006, 05:48 AM
Post #14





This is interesting. I have a few Samsungs at home...I wonder if I should flash them all

Also a question....Would there be any advantage in flashing the samsung in my modded (X3) xbox?

-xboxexpert
italianiceag
post Apr 26 2006, 05:49 AM
Post #15





I actually stumbled across this on usenet a few days ago and thought it was just a replacement that's been posted forever now.

anyway, it came with .bin dumps of games like halo 2, gta, lotr, and mech assault.

And those asking, as of this writing, no, it's not on the "usual places"

the file name I have is: sdg605bv2.rar

This post has been edited by italianiceag: Apr 26 2006, 06:09 AM




