Published byrobinsod on 2006-02-15 Category: CD/DVD Creation | Page Views: 13274
As noted by others, the Security Sector is located at PSN 0xFD021E which it is not possible to read with a normal DVD drive. One approach is to hack the 360’s DVD firmware such that it will copy Security Sector from DRAM to Flash as soon as possible after it has been read. The following snippet of 8051 assembler will do just that, but please note
1) It’s not for Noobs. You must be able to program and then read back the Flash device from your TS H-943 DVD drive to be able to use this hack.
2) It may not be complete. There appears to be no data from 0x0007 to 0x000A and TheSpecialist (hallowed be his name) observed: “BTW, I'm sure you noticed, but to make your analysis complete: &Sector[0x07] -&Sector[0x0A] contain the unencrypted challenge.” Possibly I am too late dumping DRAM to Flash and it has been overwritten.
3) The interrupts are disabled when the dump begins, I don’t know what state the hardware is in when this happens, possibly the laser is on and the mechanics are active. Maybe damage can result if interrupts are disabled for a long time. Who knows? Use this at your own risk!!! I monitor the WE line with a ‘scope and turn off the ‘360 ASAP after the data has been written.
4) It’s intrusive. The ‘360 will no longer boot games. You must reflash the drive with your original firmware afterwards.
To use: overwrite the existing code at 0xc3f6, this will invoke the copy to flash function
mov r6,#0eah ; c3f6 7e ea
mov r7,#0 ; c3f8 7f 00
lcall 0xe479 ; c3fa 12 e4 79
Copy to code to RAM?
clr c ; c3fd c3
mov ea,c ; c3fe 92 af Disable interrupts
lcall Xea00 ; c400 12 ea 00
Copy to Flash
nop ; c403 00
nop ; c403 00
nop ; c403 00
ljmp Xc403 ; c406 02 c4 03 Loop forever
The actual payload is then inserted at 0xEA00 (not inserted, sorry, overwrite)
I typically start the system by ejecting the DVD (to check firmware is good) then insert the DVD. Once this code has been run the Security Sector from the inserted Xbox1/360 disk will be written to 0x5000 – 0x57ff. Extract this 2K byte chunk from the flash image.
In order to validate this hack it was necessary to decrypt the challenge/response table that would be copied into the ReadDVDStructure command response. In order to do this I have hacked together a VC++ project that will do just that. It is a horrible hack, built from TheSpecialist’s (amen) unlock code, smo’s Linux code with a twist of Robinsod. I make no apologies for the state of the code, it is purely for validating the data I extracted. Run it from the command line and pass 1 parameter, the name of a 2K byte file that was extracted from the Flash.
I have extracted the sector from 1 Xbox1 game and 1 ‘360 game, as observed by others, the version number has been up revved to 2. The decrypt code doesn’t seem to work for ‘360 security sector data. Smart ‘crypto people step up here
The data following the ReadDVDStructure should be useful too but I have not had time to look at it in detail. I believe it is the remainder of the security sector which is not available via the ReadDVDStructure.
Since I have no usable Xbox1 drive and only 1 original Xbox1 and ‘360 game disk I would be grateful if someone with both drives and more games could verify my findings.