> Commodore4eva Explains Stealth Media
Xbox-Scene
post Aug 15 2006, 05:57 AM
Post #1


Commodore4eva Explains Stealth Media
Posted by XanTium | August 15 00:57 EST

 
Commodore4eva implemented "Stealth Media" into the latest version of his TS-H943 DVD firmware (Xtreme firmware 3.0 for TS-H943 Xbox 360). Today he posted more details about what this exactly means:
[QUOTE]
* Stealth Media
This is to clear up a few misconceptions about what Stealth Media is and how it works. This is not firmware stealth. Reading the firmware itself for changes is not controlled by the firmware itself, it is a low level hardware function which cannot be stopped by firmware code.
A firmware check routine which calculated a checksum and returned that to the host was already found in V1 and was modified to always return the correct unmodified firmware value. I think this was a last minute check incorporated by MS as they knew the firmware code was not signed.
Stealth Media is all about making a backup disc appear to the Xbox360 host exactly the same as an original. Although this was already done by the Security Sector and the challenge/response, there remained a number of differences on the disc that are currently not checked for. It would be very easy for the dash or the particular game to perform these extra disc checks. There are four main aspects to Stealth Media:

* PSN Lockdown:
This is a two part process:
-Before disc authentication (security sector, challenge response) is performed the drive will only allow valid PSN reads as defined in the PFI sector. This is currently the standard video partition. Any request to read outside this range is not allowed - as per originals. (No more reading of the backup PFI, DMI, SS sectors.)
-After disc authentication is performed and the drive is unlocked only valid PSN reads are allowed from the range defined by the Security Sector, this is the standard game partition. Any request to read outside this range is not allowed - as per originals.

* PFI Sector (Physical Format Information):
This sector is contained within the lead-in and contains information about its physical format. Disc booktype, start PSN and end PSN and Layerbreak are contained here. Currently all Xbox360 and Xbox1 games have the same PFI information, but that may change.
On Writable media (our backups), this also contains media specific information such as Media Code/Manufacturer ID and Media Product Revision number.
Any requests for this information are now redirected to the PFI sector now at $04FB1D (for Xbox 360 backups) or $0605FD (Xbox 1 backups), if it exists. If it does not exist (pre V3 backup) a separate embedded PFI is used for Xbox 360 and Xbox 1.

* DMI Sector (Disk Manufacturing Information):
This sector is also contained within the lead-in and contains information about the Disc manufacturer, such as Company name, batch id etc. This is currently different for each Xbox360 and Xbox1 game in each region.
Any requests for this information are now redirected to the DMI sector now at $04FB1E (for Xbox 360 backups) or $0605FE (Xbox 1 backups).
A pre V3 backup will always return blank information for this. (A possible detection method.)

* Video Partition:
When Extreme V1 was released, the disc build included a blank video partition as it wasn't required for games to boot. As this can be checked by the XBox360 host, the standard video partition from any game was included with the stealth firmware. This is nothing new, just put back in for correctness!

* Conclusion:
As of today, none of these extra disc checks are being performed, but it is only a matter of time before a game will. The same sort of checks were introduced to XBox1 games a while ago. I performed an exhaustive check of every command that the Samsung firmware can respond to and these differences were discovered.
The Samsung firmware only supports a limited subset of commands from the MMC-3/4 standards so not all commands exist compared to a standard PC drive, so anyone testing for media specific information should bear this in mind.
Non-Stealth backups will still boot with stealth firmware and will be enhanced with the PSN Lockdown and PFI Sector embedded in the firmware. These backups will have no DMI and possibly have a blank video partition, both of which can be checked for.
Stealth backups will still boot with non-stealth firmware but will be exposed to the above top three differences (PSN Lockdown, PFI, DMI) making the backup detectable. Correct Video partition is present.
[/QUOTE]

News-Source: xboxhacker.net (this is posted in the XBH tech section - please keep discussion there serious/tech only - thx)


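An added example, not part of the original post and not Commodore4eva's firmware: a C model of the two-part PSN lockdown quoted above, with a host-side audit that flags the differences the quote lists (reads accepted outside the active PSN range, blank DMI). The struct, the function names, the PSN ranges and the DMI bytes are hypothetical and constructed for the demonstration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct psn_range { uint32_t start, end; };   /* inclusive bounds */

struct drive_model {                 /* hypothetical model, not real firmware */
    bool lockdown;                   /* enforces PSN ranges "as per originals" */
    bool authenticated;              /* set once disc authentication succeeds */
    struct psn_range video;          /* range defined by the PFI sector */
    struct psn_range game;           /* range defined by the Security Sector */
    uint8_t dmi[16];                 /* leading DMI bytes returned to the host */
};

/* Two-part lockdown: PFI range before authentication, SS range after it. */
bool read_allowed(const struct drive_model *d, uint32_t psn) {
    if (!d->lockdown) return true;
    struct psn_range r = d->authenticated ? d->game : d->video;
    return psn >= r.start && psn <= r.end;
}

enum { DIFF_PSN_PRE = 1, DIFF_PSN_POST = 2, DIFF_DMI_BLANK = 4 };

/* Host-side audit: one out-of-range probe per phase, then a blank-DMI test. */
unsigned audit_drive(struct drive_model *d) {
    unsigned diffs = DIFF_DMI_BLANK;
    d->authenticated = false;
    if (read_allowed(d, d->video.end + 1)) diffs |= DIFF_PSN_PRE;
    d->authenticated = true;
    if (read_allowed(d, d->game.end + 1)) diffs |= DIFF_PSN_POST;
    for (size_t i = 0; i < sizeof d->dmi; i++)
        if (d->dmi[i] != 0) diffs &= ~(unsigned)DIFF_DMI_BLANK;
    return diffs;
}

/* Constructed sample: the PSN ranges and DMI bytes are made up for the demo. */
unsigned audit_sample(bool lockdown, bool has_dmi) {
    struct drive_model d = { .lockdown = lockdown,
                             .video = { 0x030000, 0x03FFFF },
                             .game  = { 0x040000, 0x0FFFFF } };
    if (has_dmi) d.dmi[0] = 0x01;
    return audit_drive(&d);
}

int main(void) {
    printf("lockdown + DMI present: %u\n", audit_sample(true, true));
    printf("no lockdown, blank DMI: %u\n", audit_sample(false, false));
    return 0;
}
```
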
SAPHiREX
post Aug 15 2006, 05:56 AM
Post #2


thanks for the headsup.
now it makes sense happy.gif
Nailed
post Aug 15 2006, 06:07 AM
Post #3


Good write-up. Any word on when the Hitachi drives will be updated with Stealth?
J0RD4N 007
post Aug 15 2006, 06:22 AM
Post #4


QUOTE

A firmware check routine which calculated a checksum and returned that to the host was already found in V1 and was modified to always return the correct unmodified firmware value.


does this mean that a modified firmware cannot be detected? sorry if this is a retarded question, but that's the impression it gave me
ILLusions0fGrander
post Aug 15 2006, 06:24 AM
Post #5


QUOTE(J0RD4N 007 @ Aug 15 2006, 12:29 AM) *


does this mean that a modified firmware cannot be detected? sorry if this is a retarded question, but that's the impression it gave me

QUOTE

Reading the firmware itself for changes is not controlled by the firmware itself, it is a low level hardware function which cannot be stopped by firmware code.


anyways.. nice info... a real scene hero for this aspect of modding.
halikus
post Aug 15 2006, 06:41 AM
Post #6


You must be tired by now Commodore4eva, for the love of god, go get shitfaced drunk the rest of the week...
Thanks for your commitment to the scene. Get some rest before you tackle the new XDK shiz. wink.gif
Base8
post Aug 15 2006, 08:24 AM
Post #7


Thanks again comadore4eva, I have yet to mod my drive. I will soon but I am too lazy. I am waiting to get an adapter so I dont have to run a linux boot cd and read up on things so I understand it a bit better. Im going to read ths again while I'm sober to see if I want to use a curent firmware or wait for this for the LG. After more reaserch I am sure I will be doing this soon though I am sure.

Thanks
BaseEight biggrin.gif

Edit:

Seems really cool I hope this mod lasts forever, I hope we win the cat and mouse game permanately. Sorry for my spelling, I have a GED. wink.gif

Edit 2:

Oh god, you gotta love the last sentence of the first paragraph, I'll leave it there for all to enjoy.

This post has been edited by Base8: Aug 15 2006, 08:33 AM
tom_mandory
post Aug 15 2006, 09:19 AM
Post #8


i see
pickie
post Aug 15 2006, 10:08 AM
Post #9


?? so the backups of my games which i have as image files on my pc, can these be patched with stealth or do i need to re-rip them again in a different way to make them stealth ?

cheers
pickie
mist4fun
post Aug 15 2006, 11:06 AM
Post #10


QUOTE(Base8 @ Aug 15 2006, 12:31 AM) *

Thanks again comadore4eva, I have yet to mod my drive. I will soon but I am too lazy. I am waiting to get an adapter so I dont have to run a linux boot cd and read up on things so I understand it a bit better. Im going to read ths again while I'm sober to see if I want to use a curent firmware or wait for this for the LG. After more reaserch I am sure I will be doing this soon though I am sure.

Thanks
BaseEight biggrin.gif

Edit:

Seems really cool I hope this mod lasts forever, I hope we win the cat and mouse game permanately. Sorry for my spelling, I have a GED. wink.gif

Edit 2:

Oh god, you gotta love the last sentence of the first paragraph, I'll leave it there for all to enjoy.


lmfao.. thanks I needed a good laugh
bucko
post Aug 15 2006, 11:11 AM
Post #11


Very nice work biggrin.gif
infamous_Q
post Aug 15 2006, 11:42 AM
Post #12


i wonder if it's possible to merge this new stealth stuff onto one of the on-the-fly chips....theoretically wouldn't that make detection next to impossible?
jo7a
post Aug 15 2006, 12:20 PM
Post #13


thks Commodore4eva smile.gif
KUNFUCHOPSTICKS
post Aug 15 2006, 12:47 PM
Post #14


* DMI Sector (Disk Manufacturing Information):
This sector is also contained within the lead-in and contains information about the Disc manufacturer, such as Company name, batch id etc. This is currently different for each Xbox360 and Xbox1 game in each region.
Any requests for this information are now redirected to the DMI sector now at $04FB1E (for Xbox 360 backups) or $0605FE (Xbox 1 backups).
A pre V3 backup will always return blank information for this. (A possible detection method.)



I think this is where the threat will be if MS wanted to disable all backups up to this date. All I have to say is, don't plug your box in (ethernet).
peace
Textbook
post Aug 15 2006, 12:48 PM
Post #15


QUOTE(J0RD4N 007 @ Aug 15 2006, 01:29 AM) *

does this mean that a modified firmware cannot be detected? sorry if this is a retarded question, but that's the impression it gave me


I'd like to know the answer as well. Everybody has been wary of flashing their drive because "it's just stealth backups, not stealth firmware." Well, does this prove that incorrect? Is this why MS hasn't been able to block the firmware hacks? Maybe we've had stealth firmware all along and nobody realized it? That's what I interpreted, or was I wrong?