***IMPORTANT***
Read Before Replying

from this point on, anyone who says

1. when will the firmware be ready
2. how can i get a new system without a liteon drive
3. what drive is in my system
4. does anyone have the ability to contact c4e directly
5. can we just flash the lite-on with the benq firmware
6. something stupid/useless/not constructive

you WILL have your post invised and your account put on a 7 day mute. if you are unsure about if your post is going to get you in trouble, post it Here.

this being said, i just want to explicitly say, those of you posting the c4e irc logs, great work. those are actually useful and give everyone a straight from the horses mouth update.

*MODERATOR UPDATE*

Please review This Post for the latest news regarding the status of this drive.

Hi today i recieved a console back from microsoft repair center in Australia, it had a BENQ drive which didnt seem to flash via dosflash. Apon inspection i believe i have found a new drive revision!

Model no. DG-16D2S
HW Version. A0A1
FW Version. 74850C



I would be willing to loan/donate the drive to C4E, if he would like to contact me about it via PM
Cheers

Sl4y3r

Have you tried to dump the firmware with dosflash ???

Have you opened it.... A picture/scan of the pcb might indicate if it completely new or just a revision...

Dosflash doesnt read, it gets to the usual y/n to resend commands. Hit Y it will do the normal 51/D1 when I cut power and turn it back on, then the code changes to 52/D2 and will not read. I have flashed manier Benq before with no problems, Here is a photo of the PCB, which confirms a new model

What's more I don't see a flash device....

I doubt it, but is the board double-sided... any parts on the bottom side

No parts on the other side.... as you can see theres clear epoxy around the MT1319L chip which would indicate where the FW is stored:) although im no hardware expert
Also noticed the manufacturers are Phillips and Lite-on, not Phillips and BenQ like on the VAD6038

MT1319L is the drive controller, similar to the MT1359SL that is on the BenQ drive.

Can you take a clearer pic of the top and bottom of the board please.

Thanks,

Caster.

Can you also take a picture of the tray.

Also, the drive functions perfectly fine in the console, correct? Plays originals fine, etc...?

Thanks,

Caster.

Here are some more pics, Yes i know they suck..
New BenQ

Edit: BTW The tray is the same as a Benq

It's quite possible this has an MCU (Multi-Chip Unit) with the flash embedded; it's also quite possible it has an OTP (One Time Programmable) area for the serial with the firmware integrated instead of on embedded flash, especially if it's designed specifically for the 360 (this is something I've always laughed about, using a generic PC drive arch. in a "next gen" machine instead of designing the drive more tightly into the security chain.) Though, to a degree, I can't see them bothering to add epoxy unless it was still vulnerable in some way.

What if the chip manufacturers and Microsoft just made a BGA chip. Then you couldn't get at the pins w/o a shit load of work and effort.

Compare the DG-16D2S model number with this Lite-On drive. I bet that this drive might just be the next kreon drive.

http://us.liteonit.com/us/index.php?option...5&Itemid=99

Can't see them using a BGA package in an effort to stop modders... Those BGA packages way are more expensive than the TQFP, you would only use them where space is an issue ( like 3g ), space just isn't an issue on this PCB and the 144 pin pincount is too low...

Yes. This drive has a MT1309E controller and has an SPI flash.

So, different controller than the drive above and Samsung/BenQ drives.

Caster.

Ok guys some more small findings. I tried mtkflash (+ 10 sec trick) no read, not recognised in windows, its recognised by slax as 16D2S during bootup, thats about as far as i can get.....

Looks like an SPI similar to the BenQs we've come to know and love hold the fw. Deduce which leg of the SPI carries the power to the chip, and try lifting that leg and soldering a switch. From there, try dosflash/mtkflash.



If they did that, they'd only make it harder to fix any systems they recieve. If a chip would indeed be write-once, they wouldn't be able to re-marry a drive (in the event the mobo died, but the drive was still good). I'm pretty convinced that the 360 having a more computer-like essence is saving MS a good chunk of change (compared to if the console was designed more like a PS2).

My theory!

the controller chip looks like on Samsung SH-D162D drives (MT1308E IDE) or Asus DVD-E616A3 (MT1309E SATA) drives, the SPI ROM is now inside the MT1319L.
I think this is the major difference, so where is no problem at all!! the drives are still flashable.


btw. The same move you will see at Hitachi/LG GDR-H20N (MN103SD6FDA SATA) PC drives. the 256kb flash is now embedded.
who knows, maybe we will see soon new HL v90 drives


Samsung SH-D162D




Asus DVD-E616A3



Hitachi/LG GDR-H20N

Yes but it doesn't say Benq anywhere on the drive whereas the old ones do.

I know they are all pretty much the same but I thought it would save confusion by naming this drive a lite-on.

Old Drive
http://pictures.xbox-scene.com/xbox360/benq/Picture013.jpg

New drive
http://i286.photobucket.com/albums/ll88/sl...21042008079.jpg


Basically you could call it either. I'll be calling it a lite-on so I don't get confused.

There are photos showing both sides of the board. Two hints as to why the firmware is in the M1319L package:

1. Apart from the Drive IC, there isn't anything else to house the data.
2. Obvious one here - it's surrounded in epoxy! Why else would you do this if the data wasn't inside? It's a little like having armed guards outside of a vault- they're there for a reason!!

Ok so, here is some information I grabbed about MTK chip

It seems to be an hiden serial interface and a tool that works with

This tool can extract and flash MT13x9 device, hope it can be useful with our dreaded new MTK1319L chip...

test and use at your own risk

http://hb.septem.cz/Doc/Mediatek/mediatek/

-> MTK Serial Tool

http://personal.inet.fi/cool/mediatek/documents/index.html

The link to the documents page from the link posted by Kaiser is dead. So here's the alternate link I found. It has some very useful looking info - like pinouts for 13x9 chips.

Hope that helps.

http://youtube.com/watch?v=5XTbStoR9bY&feature=related

This is kinda a easy way to remove epoxy with paint thinner just in case anyone doesn't know about it

Firstly I know that the firmware can't be read....

BUT!

When M$ install a new DVD do they Key change on the system board or do they flash the DVD to match what's already on the motherboard????

Coz if they flash the DVD with the key from the system board, than any of you guys who had previously flashed your drives should have you DVD key... All you need to do then is get a spare drive, flash you key and SPOOF.... Question is what is the ID string, but maybe you could get this from the SATA bios on your PC.

If this works you could "Donate" your drives to the members who can get to work hacking this baby..

I highly doubt they have the same motherboard returned to them. If they do, the OSIG string will be changed (which we dont know), and most likely the key.

Caster.

mhh i found some information about tese controler , is a mediatek , i foun the firmwares and the datasheets , i post the links ,in one forum in yahoo groups , named mediatek
http://groups.yahoo.com/group/mt13x9

cheers

I dont think those are the same, for certain the frimware isn't, and likely the datasheet as well. I say that because the little bit i've read about the MT1369/79/89 is that they use an external flash, similar to the current BenQ or samsung drives.

Caster.

Okay, got some pictures here.

This is possible the only way of determing if the drive an DG-16D2S without opening the (entire) console.

The Lite-on drive I saw did not have those silver stickers... pictures below are from a BenQ VAD6038

Has anyone tried loading this drive up in windows and using this utility: http://club.cdfreaks.com/f44/flash-utility...2-2-4-a-190420/

If not can someone give it a shot and report back the exact steps you took and your results including detailed messages,errors,ect..... Thanks

I would get cracking on this drive myself but am currently in the market for one.

what happens when you get into windows with the drive plugged in? what does it say in device manager?

If someone wants to send me their drive I will play with it and see what I can do

Another possible program to try in Dos: http://club.cdfreaks.com/f44/liteon-flash-...-models-160914/

Anyone that wants to send their drive to me to figure this out PM me.

I think I may have spotted another way to identify these new drives without (fully) dismantling the console. It's clearly visible when the side and bottom panels are unclipped and the eject button is taken off.

If you have bright lighting and hold it at the correct angle with the faceplate off, you can see the 'R' without dismantling the console

There is a text imprint under the eject button on the Lite-On I have here that isn't present on any of the BenQs.

I have no other Lite-On drives to verify this theory though.

My Lite-On is also missing the silver stickers as mentioned on the previous page of this thread.



Click the thumbnail for a high resolution image.

Cheers

Tried the program but liteon drive isnt recognized in windows, so therefor cannot select the drive from the drop down box.

greetings from Portugal... new drive spotted here also .... returned from germany.

tested with liteon tools posted before here in this thread, no go both in windows or in dos, tried to boot it with slax it boots ok, tried to boot with minipe so i could force a windows recognition of the drive also a no go ... it stucks at some time while loading

if anyone have more ideas i will gladly try

alright. Tried flashing my drive (hitachi), it bricked, sent it in for repairs since the warranty seal was still intact, and though I forgot to put the screws back in, they fixed it.
So 3 days after they picked it up, I got it back, only to find out my backups are worthless now.

It came back from Germany, btw.

Oh, and you can find out it it's the new LiteOn by only removing the faceplate and the top cover (where you put your harddrive on, so you can see the little metal things (see below).

http://img65.imageshack.us/img65/9461/benq...sundesb5.th.jpg

Image wasnt 'enlargeable'

I hear they had white cables like the BenQ mmmmmmm

@bAN01TgAZ

Are you sure it was a UK repair centre (located in HavanT)

UK models have been going to Germany for the past few weeks, check the return label on the box.

I also have got a Lite-On DG-16D2S with firmware 74850C. Manufactured: April 2008.
Same problem with status 52-D2.
http://www.xbox360ombouwamersfoort.nl/benq1.jpg
http://www.xbox360ombouwamersfoort.nl/benq2.jpg
http://www.xbox360ombouwamersfoort.nl/benq3.jpg

The drive is not from me so I can't open the drive.
There will be al lot more lite-on coming I think....

Hi,

I'm located in Norway and a customer of mine came with one of these boxes today. The Xbox 360 just came back from service in Germany. Encloses is a picture i took.



Hope this nut gets cracked soon so we can keep on flashing all 360 drives

/sys

Dudes,

what about this Programm? http://club.cdfreaks.com/f44/flash-utility...2-2-4-a-190420/

Did any of you have tried ?

Tell me if it works!

if you see 2 white wires you are lucky its an original benq


the yellow wire ones are the liteon

Mine actually doesnt have these stickers that yours had on the sides, got mine back today from Frankfurt/Germany...
I guess the best way to determine if it is a Lite-On or a BenQ is by the yellow wire that you can see through the little hole.
If it is white it is a BenQ if it is yellow a Lite-On

Te be clear.

The BenQ have those silver stickers and are flashable

The new Lite-On have NO stickers !

So if there are no Silver Stickers on your drive, it proberbly is a new Lite-On.

Crap,

I was going to mod an xbox of a friend of mine who bought it last weak here in the Netherlands, but it has this new drive too.

Well, then I have to dissapoint him and wait till it gets modded (or not)

Dosflash sees something, but hangs on 0x52 0xD2 as described earlier

grtz

Hi, I just got my 360 beck from Germany cause of RROD and I got this LiteOn drive, I live in Sweden. I have a fine Hitachi 47 drive and I'm wondering if it is possible to extract the drive-key from the LiteOn and insert it ito the Hitachi firmware? I have done the keyswap between a couple of Hitachi drives but no other brands.
So would it be possible to extract the drive-ket just so I can get the Hitachi drive to work with the new motherboard?

Edit. I got the same drive as above:

Model No.: DG-16D2S
HW Ver.: A0A1
FW Ver.: 74850C

There is no way to extract the key right now.

Oh crapple! A guy came straight from Game here in Sweden and what do you know, a Lite-On drive.

LOT: 0819
Team: FDOU

I'd say anything under 0811 is safe today. I got a 0810 Arcade today and it's a BenQ. Getting awfully close though. :S

I attempted to dump the firmware with my VIA chipset as well yesterday.
When the drive wasn't turned on completely yet I got status 0x80. When I turned it on a millisecond later the status switched to 0x52/0xD2. The light starts flashing then and the drive doesnt react anymore at all as if it just turned itself off. I once opened the tray before turning the 360 on and as soon as the light started flashing it wouldnt even close the drive when I turned the 360 off however the status of the drive(opening and closing) still seemed to work in the dashboard...
So I unplugged the sata cable turned the 360 on and then quickly connected the SATA cable again and got 0x51 which changes to 0xD1 when you turn it off(like when you attempt reading the firmware when the drive was turned on minutes ago...).

So I got a BenQ drive and checked what it does at the certain moments to compare.
When you leave it turned on and try to read the firmware it returns 0x51/0xD1 as the firmware guard is still active. When I turned it off and back on then the status changed to 0x73 and it started reading the firmware, at this point the Lite On returns 0x52. So my guess is that we need a new version of dosflash which starts reading when the drive returns 0x52.
I tried the same with mtkflash as well and it returned the same status codes but it wouldnt start reading when the status was 0x73 so I suppose this might be the solution. The drive acts exactly like a BenQ does the same noises at the same moments and the PCB board looks very similar so I guess the BenQ iXtreme firmware should work after injecting the drive key.
The key system is still active as the other guy stated before, the BenQ drive wouldnt play any games...

I apologize in advance if this is just bullshit so please correct me if I'm wrong...

Nice one 19 pages of "oh shit i got a lite on" and finally someone who will have a go at the problem has got one of these instead of just moanin and waitin for the expert's to solve all their problems. Good work

It appears that mediatek has filed patents regarding new securities for console drives.

Please review mediatekpatent.pdf for more information.

c4e: someone will need to dump the memory bus on the drive, maybe a d0-d7 on the mediatek chip to get the fw
c4e: then u should be able to trigger an erase to write the fw
c4e: but they have implemented a hardware checksum back to host when host requests
c4e: so should be doable if we first get a dump

So, looks like MS has done a little backend work on getting mediatek to make some security advancements on this one!

here is a pinout of MT1309E & MT1319L chipset.

Hey that´s nice.
So there´s a UART and SPI interface? Did you have any success with it?

Casio

I been reading the patent and it seems to me that it would be impossible to hack the new drive if mediatek implemented their invention correctly (and they most likely did!!).

I recall that in fact the new controller has an "update routine" integrated to it, so it must be possible to erase the flash rom and write a hacked firmware. BUT the patent says that, in the upload routine, the host uploads the new firmware to an internal buffer and if some "pattern" checks against the internal memory then the update continues. Just what if the "pattern" is the drive key??!!!

The patent says that at least some fragment of the memory CANT be read. Just imagine what part it is. Obviously it would be the key for starters. So even if we are able to dump the "body" of the firmware we would never be able to dump the key.

This would render the drive "almost" unhackeable as there is no bus to trace because the bus between the pattern comparison, the update buffer and the flash memory, everything is inside the same physical chip!!! Thus you would never be able to know the drive key. You may attempt random keys and if, by luck, you inject the right one on the update firmware then you may hack it. But it is highly unlikely.

Obviously this would impose no problem for MShit as they should have a relation of each S/N and its corresponding drive key. In the case the need for update should arise they could easily inject the correct key and update it.

As soon as I saw the patent I went to get me a LOT 811 Arcade (It appears to be the good old Benq, white wires in the hole . I really think that MS got us now, that is if they did what I think :b LOL

My recommendation: Get a LOT<813 and if you send your box to repair for gods sake dump your key!!!

Here's what the patent says:

1. You cannot write to the flash while the FW is not empty (erased).
2. You can erase the FW at any time (no check needed).
3. You cannot read the FW. After uploading the FW, the chip will provide you with a verification result (CRC/MD5 etc). That way you can verify if the upload was sucessfull.

So, to update the FW, you need to:
1. Erase the FW.
2. Upload the new FW.

However, if you erase the FW, you lose the drive key. MS doesnt have that problem, since they know the drive key, which is matched up to the 360 serial (do they change the keys on refurb units with old serials but new drives?). This scheme sounds theoretically safe, and with the flash embedded inside the chip (external programmers will not be able to read it), will be a real bitch to bypass.