Dumping Security Sector with H-943A
Published by robinsod on 2006-02-15


As noted by others, the Security Sector is located at PSN 0xFD021E, which a normal DVD drive cannot read. One approach is to hack the 360’s DVD firmware so that it copies the Security Sector from DRAM to Flash as soon as possible after the drive has read it. The following snippet of 8051 assembler does just that, but please note:

1) It’s not for noobs. You must be able to program the Flash device in your TS H-943 DVD drive, and read it back afterwards, to use this hack.

2) It may not be complete. There appears to be no data from 0x0007 to 0x000A and TheSpecialist (hallowed be his name) observed:
“BTW, I'm sure you noticed, but to make your analysis complete: &Sector[0x07] -&Sector[0x0A] contain the unencrypted challenge.” Possibly I am too late dumping DRAM to Flash and it has been overwritten.

3) The interrupts are disabled when the dump begins; I don’t know what state the hardware is in when this happens, possibly the laser is on and the mechanics are active. Maybe damage can result if interrupts are disabled for a long time. Who knows? Use this at your own risk!!! I monitor the WE line with a ’scope and turn off the ’360 ASAP after the data has been written.

4) It’s intrusive. The ‘360 will no longer boot games. You must reflash the drive with your original firmware afterwards.

To use it, overwrite the existing code at 0xc3f6 with the block below. It disables interrupts, calls the copy-to-flash routine at 0xea00 and then parks the CPU in an endless loop:

0xc3f6:
        mov   r6,#0eah      ; c3f6 7e ea
        mov   r7,#0         ; c3f8 7f 00
        lcall 0xe479        ; c3fa 12 e4 79   copy the code to RAM?
        clr   c             ; c3fd c3
        mov   ea,c          ; c3fe 92 af      disable interrupts (EA = 0)
        lcall Xea00         ; c400 12 ea 00   copy the Security Sector to Flash
Xc403:  nop                 ; c403 00
        nop                 ; c404 00
        nop                 ; c405 00
        ljmp  Xc403         ; c406 02 c4 03   loop forever

The payload itself overwrites the existing code at 0xEA00 (it is an overwrite, not an insertion). It sets up a source address, then for each byte issues the JEDEC byte-program command to the Flash, waits for the program cycle to finish and advances the destination pointer until it reaches 0x5800:

Xea00:  mov   dptr,#X4039   ; ea00 90 40 39
        mov   a,#1          ; ea03 74 01
        movx  @dptr,a       ; ea05 f0          write 1 to 4039h
        mov   a,#50h        ; ea06 74 50
        mov   38h,a         ; ea08 f5 38       38h:39h = Flash destination pointer, starts at 5000h
        clr   a             ; ea0a e4
        mov   39h,a         ; ea0b f5 39
        setb  p1.5          ; ea0d d2 95
Xea0f:  mov   dptr,#X4000   ; ea0f 90 40 00
        movx  a,@dptr       ; ea12 e0
        jb    acc.7,Xea0f   ; ea13 20 e7 f9    spin while bit 7 of 4000h is set
        mov   dptr,#X4c0e   ; ea16 90 4c 0e
        movx  a,@dptr       ; ea19 e0
        addc  a,#7ch        ; ea1a 34 7c       add a constant to 4c0c..4c0e with carry propagation (carry was cleared by the caller)
        mov   dptr,#X404b   ; ea1c 90 40 4b
        movx  @dptr,a       ; ea1f f0          ... storing the result in 4049..404b, apparently the DRAM source address
        mov   dptr,#X4c0d   ; ea20 90 4c 0d
        movx  a,@dptr       ; ea23 e0
        addc  a,#9ah        ; ea24 34 9a
        mov   dptr,#X404a   ; ea26 90 40 4a
        movx  @dptr,a       ; ea29 f0
        mov   dptr,#X4c0c   ; ea2a 90 4c 0c
        movx  a,@dptr       ; ea2d e0
        mov   dptr,#X4049   ; ea2e 90 40 49
        movx  @dptr,a       ; ea31 f0
Xea32:  setb  p1.5          ; ea32 d2 95       top of the per-byte loop
        mov   dptr,#X4060   ; ea34 90 40 60
        movx  a,@dptr       ; ea37 e0
        mov   r7,a          ; ea38 ff          r7 = next data byte, read from 4060h
Xea39:  mov   dptr,#X4000   ; ea39 90 40 00
        movx  a,@dptr       ; ea3c e0
        jb    acc.7,Xea39   ; ea3d 20 e7 f9    spin while bit 7 of 4000h is set
        clr   p1.5          ; ea40 c2 95
        mov   dptr,#X5555   ; ea42 90 55 55
        mov   a,#0aah       ; ea45 74 aa
        movx  @dptr,a       ; ea47 f0          JEDEC byte-program command: AA -> 5555h,
        mov   dptr,#X2aaa   ; ea48 90 2a aa
        mov   a,#55h        ; ea4b 74 55
        movx  @dptr,a       ; ea4d f0          55 -> 2AAAh,
        mov   dptr,#X5555   ; ea4e 90 55 55
        mov   a,#0a0h       ; ea51 74 a0
        movx  @dptr,a       ; ea53 f0          A0 -> 5555h
        nop                 ; ea54 00
        nop                 ; ea55 00
        mov   a,38h         ; ea56 e5 38
        mov   dph,a         ; ea58 f5 83
        mov   a,39h         ; ea5a e5 39
        mov   dpl,a         ; ea5c f5 82       dptr = destination pointer
        nop                 ; ea5e 00
        nop                 ; ea5f 00
        mov   a,r7          ; ea60 ef
        movx  @dptr,a       ; ea61 f0          program the data byte
        mov   dptr,#X0000   ; ea62 90 00 00
        movx  a,@dptr       ; ea65 e0
Xea66:  mov   dptr,#X0000   ; ea66 90 00 00
        movx  a,@dptr       ; ea69 e0
        mov   r7,a          ; ea6a ff
        movx  a,@dptr       ; ea6b e0
        xrl   a,r7          ; ea6c 6f          toggle-bit poll: DQ6 flips between two reads
        jb    acc.6,Xea66   ; ea6d 20 e6 f6    while the program cycle is still running
        nop                 ; ea70 00
        nop                 ; ea71 00
        inc   39h           ; ea72 05 39       destination pointer++
        mov   a,39h         ; ea74 e5 39
        jnz   Xea7a         ; ea76 70 02
        inc   38h           ; ea78 05 38
Xea7a:  clr   c             ; ea7a c3
        subb  a,#0          ; ea7b 94 00
        mov   a,38h         ; ea7d e5 38
        subb  a,#58h        ; ea7f 94 58
        jc    Xea32         ; ea81 40 af       loop until the pointer reaches 5800h
        ret                 ; ea83 22

I typically start the system by ejecting the DVD (to check the firmware is good) and then inserting the DVD. Once this code has run, the Security Sector from the inserted Xbox1/360 disc will have been written to Flash at 0x5000 – 0x57ff. Extract this 2K byte chunk from the flash image.
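A small helper for the two file-level steps above: writing the hook and payload into the firmware image before it is programmed into the drive, and carving the 2K chunk out of the flash image read back afterwards. This is an added example, not robinsod’s code and not from the original post. It encodes the hex bytes from the two listings and assumes (neither is stated above) that the flash dump is a flat image whose file offset equals the 8051 code address, and that 0x5000 – 0x57ff reads 0xFF in the stock image, because the payload issues the JEDEC byte-program command without an erase and programming can only clear bits. The script name h943dump.py and the file names are illustrative.

```python
"""Added example for the H-943A security-sector dump (not robinsod's code).

patch_firmware          writes the 0xC3F6 hook and the 0xEA00 payload into a raw flash image
extract_security_sector carves the 2 KB the payload programmed at 0x5000-0x57FF out of the read-back

Assumptions (not stated in the post): file offset == 8051 code address, and
0x5000-0x57FF is erased (0xFF) in the stock image, since the payload uses the
JEDEC byte-program command with no erase and programming can only clear bits.
"""
import sys

HOOK_ADDR = 0xC3F6
HOOK = bytes.fromhex(
    "7eea"     # mov   r6,#0eah
    "7f00"     # mov   r7,#0
    "12e479"   # lcall 0xe479
    "c3"       # clr   c
    "92af"     # mov   ea,c      disable interrupts
    "12ea00"   # lcall 0xea00    copy to Flash
    "000000"   # nop; nop; nop
    "02c403"   # ljmp  0xc403    loop forever
)

PAYLOAD_ADDR = 0xEA00
PAYLOAD = bytes.fromhex(                              # the ea00..ea83 listing, byte for byte
    "904039 7401 f0 7450 f538 e4 f539 d295"           # set up; destination pointer = 0x5000
    "904000 e0 20e7f9"                                # spin while 4000h bit 7 set
    "904c0e e0 347c 90404b f0"
    "904c0d e0 349a 90404a f0"
    "904c0c e0 904049 f0"                             # source address -> 4049..404b
    "d295 904060 e0 ff"                               # Xea32: next data byte into r7
    "904000 e0 20e7f9 c295"
    "905555 74aa f0 902aaa 7455 f0 905555 74a0 f0"    # JEDEC byte-program command
    "0000 e538 f583 e539 f582 0000 ef f0"             # program byte at 38h:39h
    "900000 e0 900000 e0 ff e0 6f 20e6f6"             # toggle-bit (DQ6) poll
    "0000 0539 e539 7002 0538 c3 9400 e538 9458 40af 22"  # pointer++, loop until 0x5800
)

SECTOR_ADDR = 0x5000
SECTOR_LEN = 0x800
ERASED = b"\xff" * SECTOR_LEN


def patch_firmware(image: bytes) -> bytes:
    """Return a copy of the stock image with the hook and payload written over the old code."""
    need = PAYLOAD_ADDR + len(PAYLOAD)
    if len(image) < need:
        raise ValueError(f"image is {len(image):#x} bytes, need at least {need:#x}")
    if image[SECTOR_ADDR:SECTOR_ADDR + SECTOR_LEN] != ERASED:
        # Assumption from the lead-in: byte-program without erase can only clear
        # bits, so a non-blank destination would give a corrupted dump. Refuse.
        raise ValueError("0x5000-0x57FF is not erased (0xFF) in this image")
    out = bytearray(image)
    out[HOOK_ADDR:HOOK_ADDR + len(HOOK)] = HOOK
    out[PAYLOAD_ADDR:PAYLOAD_ADDR + len(PAYLOAD)] = PAYLOAD
    return bytes(out)


def sector_is_blank(flash: bytes) -> bool:
    """True if the dump area still reads erased, i.e. the payload never programmed a byte."""
    return flash[SECTOR_ADDR:SECTOR_ADDR + SECTOR_LEN] == ERASED


def extract_security_sector(flash: bytes) -> bytes:
    """Carve the 2 KB security sector out of the flash read back after the dump."""
    if len(flash) < SECTOR_ADDR + SECTOR_LEN:
        raise ValueError("flash read-back is too short")
    if sector_is_blank(flash):
        raise ValueError("dump area still erased: the payload did not run, or power was cut first")
    return flash[SECTOR_ADDR:SECTOR_ADDR + SECTOR_LEN]


def hexdump(data: bytes, base: int = 0, width: int = 16) -> str:
    """Offset / hex / ASCII dump, handy for eyeballing the gap at 0x07-0x0A noted above."""
    lines = []
    for off in range(0, len(data), width):
        chunk = data[off:off + width]
        hexpart = " ".join(f"{b:02x}" for b in chunk)
        asc = "".join(chr(b) if 0x20 <= b < 0x7F else "." for b in chunk)
        lines.append(f"{base + off:08x}  {hexpart:<{width * 3 - 1}}  {asc}")
    return "\n".join(lines)


if __name__ == "__main__":
    usage = "usage: h943dump.py patch <stock.bin> <patched.bin> | extract <readback.bin> <sector.bin>"
    if len(sys.argv) != 4 or sys.argv[1] not in ("patch", "extract"):
        sys.exit(usage)
    with open(sys.argv[2], "rb") as f:
        data = f.read()
    if sys.argv[1] == "patch":
        result = patch_firmware(data)
    else:
        result = extract_security_sector(data)
        print(hexdump(result[:0x40]))   # first 64 bytes, offsets relative to the sector start
    with open(sys.argv[3], "wb") as f:
        f.write(result)
```

Run "patch" on the dump you took from the drive before flashing it, and "extract" on the dump you take after the hook has run; the blank-area check in "extract" tells you apart a dump that never started from one that did, which is useful given that the drive is powered off by hand as soon as WE goes quiet.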

In order to validate this hack it was necessary to decrypt the challenge/response table that would be copied into the ReadDVDStructure command response. In order to do this I have hacked together a VC++ project that will do just that. It is a horrible hack, built from TheSpecialist’s (amen) unlock code, smo’s Linux code with a twist of Robinsod. I make no apologies for the state of the code; it is purely for validating the data I extracted. Run it from the command line and pass one parameter, the name of a 2K byte file that was extracted from the Flash.

I have extracted the sector from one Xbox1 game and one ’360 game; as observed by others, the version number has been up-revved to 2. The decrypt code doesn’t seem to work for ’360 security sector data. Smart crypto people, step up here.

The data following the ReadDVDStructure should be useful too but I have not had time to look at it in detail. I believe it is the remainder of the security sector which is not available via the ReadDVDStructure.

Since I have no usable Xbox1 drive and only one original Xbox1 and one ’360 game disc, I would be grateful if someone with both drives and more games could verify my findings.

Big up to Tiros for all his help



Related Link: XboxHacket.Net Thread


Permalink:
https://www.360-hq.com/xbox-tutorials-14.html