DISCLAIMER: THESE PROGRAMS ARE RELEASED AS IS. USING THESE TOOLS MAY DAMAGE
YOUR COMPUTER AND/OR XBOX 360 DRIVE. I TAKE NO RESPONSIBILITY WHATSOEVER.
My work is based on the following programs and their authors deserve a lot of
respect.
DVDKey32 v0.8.1: Geremia, C4eva, Podger, Seventhson
Firmtool v1.3.1: Caster420
DosFlash v1.7: Geremia, Modfreakz, Kai Schtrom
JungleFlasher v0.0.43b: Team Jungle
Drive Serial Dummy.Bin Fixer: GiampyXBS, Oggy
... and anyone I might have forgotten.
PREREQUISITES
-------------------------------------------------------------------------------
1) Connect the drive to your computer and power it up using your 360 or
a connectivity kit.
2) Find your ATA cmd base.
You can skip this step if you already know the command base for the port you
are using on your SATA controller.
If you boot Linux with your LiteOn drive connected and powered up, you should
be able to find the ATA cmd base by looking at the 'dmesg' output.
Try executing the following two lines. They _might_ give you a printout of
your ATA cmd base (depending on the SATA driver).
host:~>ATA_ID=$(dmesg | grep ATAPI | grep DG-16D2S | grep -o 'ata[0-9]*' | head -n 1)
host:~>dmesg | grep "$ATA_ID: SATA" | sed -r 's/.*cmd (.*) ctl.*/\1/'
0x170
host:~>
This will only work if the boot messages are still present in the kernel
ring buffer. Booting with an erased drive without firmware won't work either.
Running lspci -vv as root and looking at your SATA controller might also give
you a hint of which I/O ranges are allocated by that specific hardware.
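The lookup from step 2, as an added example that is not part of the original
tools: a shell function that reads dmesg text, copes with kernel timestamps, and
tells a missing drive apart from a port that has no legacy cmd base (for example
a controller running in AHCI mode). The sample log lines are constructed, and
the function name and return codes are assumptions of this example.

```sh
#!/bin/sh
# Added example: find the legacy ATA command base for a drive model.
# Reads kernel log text on stdin; $1 is the model string (default DG-16D2S).
# Prints the cmd base (e.g. 0x170) and returns 0.
# Returns 1 if the drive is not in the log, 2 if its port reports no
# "cmd <base>" field (the driver does not expose legacy port I/O).
# Live use: dmesg | find_ata_cmd_base
find_ata_cmd_base() {
    model=${1:-DG-16D2S}
    awk -v model="$model" '
        { sub(/^\[[ 0-9.]*\] */, "") }      # drop a "[    1.234567] " timestamp
        /^ata[0-9]+: SATA / {               # per-port line, printed at probe time
            port = $1; sub(/:$/, "", port)
            base = "none"
            for (i = 2; i < NF; i++) if ($i == "cmd") base = $(i + 1)
            cmd[port] = base
        }
        /^ata[0-9]+\.[0-9]+: ATAPI: / && index($0, model) {
            port = $1; sub(/\..*/, "", port) # "ata2.00:" -> "ata2"
            found = port
        }
        END {
            if (found == "") exit 1
            if (!(found in cmd) || cmd[found] == "none") exit 2
            print cmd[found]
        }'
}

# Constructed sample logs (firmware revision shown as XXXX).
SAMPLE_LEGACY='[    1.204113] ata1: SATA max UDMA/133 cmd 0x1f0 ctl 0x3f6 bmdma 0xf000 irq 14
[    1.204120] ata2: SATA max UDMA/133 cmd 0x170 ctl 0x376 bmdma 0xf008 irq 15
[    1.520331] ata2.00: ATAPI: PLDS DG-16D2S, XXXX, max UDMA/66'

SAMPLE_AHCI='[    1.310002] ata3: SATA max UDMA/133 abar m2048@0xfe9ff800 port 0xfe9ff900 irq 29
[    1.640871] ata3.00: ATAPI: PLDS DG-16D2S, XXXX, max UDMA/66'
```

A return code of 2 means the boot log has the drive but no I/O port base for it;
the lspci hint above is then the place to look.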
FLASHING A LITEON DRIVE
-------------------------------------------------------------------------------
1) Extract the drive key.
You might have to eject your drive tray and leave it halfway out for this to
work on drives with original firmware.
host:~>./liteon_keyext -h
liteon_keyext v1.1b by ddl.
Key extractor for the Xbox 360 LiteOn drive (PLDS DG-16D2S).
Usage: ./liteon_keyext [options] <ATA command base> <serial device> [output dir]
Options:
-h Displays this text.
-n <times> Times to extract the key. (default: 6)
-d Only save dummy file.
This program needs to be run as root since we are going to do port I/O with
outb(), outw(), inb() and inw().
BE SURE TO ENTER THE CORRECT ATA COMMAND BASE FOR YOUR DRIVE!
host:~>sudo ./liteon_keyext 170 /dev/ttyUSB0 drive1
liteon_keyext v1.1b by ddl.
Key extractor for the Xbox 360 LiteOn drive (PLDS DG-16D2S).
Using ATA command base: 0x0170
Using serial device: /dev/ttyUSB0
Attempting to extract the key 6 times...
Attempt 1: EE B6 XX XX XX XX XX XX XX XX XX XX XX XX C6 C6
Attempt 2: EE B6 XX XX XX XX XX XX XX XX XX XX XX XX C6 C6
Attempt 3: EE B6 XX XX XX XX XX XX XX XX XX XX XX XX C6 C6
Attempt 4: EE B6 XX XX XX XX XX XX XX XX XX XX XX XX C6 C6
Attempt 5: EE B6 XX XX XX XX XX XX XX XX XX XX XX XX C6 C6
Attempt 6: EE B6 XX XX XX XX XX XX XX XX XX XX XX XX C6 C6
Sending identify request to drive...
Sending inquiry request to drive...
Extracting serial information from drive...
DVD Label: D60XXXXXXXXXXXXA1
OPT Label: 8F2XXXXXXXXXX4XX
PCB Label: S4P8XXXXXXXXXXXX82
HW Ver : A0A1
Wrote file: drive1/key.bin
Wrote file: drive1/identify.bin
Wrote file: drive1/inquiry.bin
Wrote file: drive1/dummy.bin
host:~>
2) Patch iXtreme firmware.
host:~>./ixfw_patch -h
ixfw_patch v0.5b by ddl.
iXtreme firmware patcher.
Usage: ./ixfw_patch [options] <ofw/dummy file> <ixtreme file> <output file>
Options:
-h Displays this text.
-t <l|s> Force drive type:
l, LiteOn drive.
s, Samsung drive.
host:~>./ixfw_patch drive1/dummy.bin fw/ix16-liteon-repack.bin drive1/patched_ix16.bin
ixfw_patch v0.5b by ddl.
iXtreme firmware patcher.
Identified firmware: iXtreme v1.6 12x (Lite-On)
Writing patched firmware: drive1/patched_ix16.bin
Success!
host:~>
3) Erase drive firmware.
BEFORE YOU DO THIS YOU HAVE TO BE SURE YOU HAVE YOUR DRIVE KEY SAVED SOMEWHERE.
host:~>./liteon_erase -h
Usage: ./liteon_erase [options] <ATA command base>
Options:
-h Displays this text.
host:~>
host:~>sudo ./liteon_erase 170
liteon_erase v1.0 by ddl.
Firmware eraser for the Xbox 360 LiteOn drive (PLDS DG-16D2S).
Status: 0xD0
host:~>
You should be okay if you get status 0xD0, 0x72, 0x80, 0xD1 or 0xF2.
No matter what status you get, you should power cycle your drive and try to
flash it. If mtflash fails to enter vendor mode, you should repeat the
erase procedure.
4) Flash the patched firmware.
host:~>./mtflash -h
mtflash v0.8b by ddl.
Firmware flasher for drives with a MT13x9 chip.
Usage: ./mtflash [options] <r|R> <ATA command base> <output file>
./mtflash [options] <w|W> <ATA command base> <input file>
./mtflash [options] <e|E> <ATA command base>
Options:
-h Displays this text.
-p <0|1> Drive position. 0 for master, 1 for slave.
(default: 0)
-b Brute force MTK vendor intro.
-l List supported flash chip types.
host:~>
host:~>./mtflash -l
Name Vendor ID Device ID Size Type
--------------------------------------------------------------------------------
MXIC/Macronix(MX25L2005) 0xC2 0x11 262144 Serial
Winbond/NEX(W25P20/W25X20/NX25P20) 0xEF 0x11 262144 Serial
SST(39SF020) 0xBF 0xB6 262144 Parallel
host:~>
host:~>sudo ./mtflash w 170 drive1/patched_ix16.bin
mtflash v0.8b by ddl.
Firmware flasher for drives with a MT13x9 chip.
Sending MTK vendor intro... OK!
Reading flash vendor and device ID... OK!
Name: MXIC/Macronix(MX25L2005)
Vendor ID: 0xC2
Device ID: 0x11
Size: 4 banks (262144 bytes)
Type: Serial
Writing bank 0 ................ OK!
Writing bank 1 ................ OK!
Writing bank 2 ................ OK!
Writing bank 3 ................ OK!
Flash read-back checksum (datasum): 0x0B59
Flash write successful!
Sending MTK vendor outro... OK!
host:~>
mtflash will verify that all bytes have been written correctly. This is done
as part of the writing procedure.
If mtflash fails to enter vendor mode, you should try to erase the drive again
and power cycle it.
FLASHING A SAMSUNG DRIVE
-------------------------------------------------------------------------------
1) Reading the original (or previously patched) firmware.
Depending on your firmware version you might have to unlock the drive before
proceeding.
Stock ms25: no unlock needed
Stock ms28: vcc trick (use -b option)
<= iXtreme 1.4: use 0800 DVD (activate.iso)
>= iXtreme 1.5: power up drive with tray half open
host:~>./mtflash -h
mtflash v0.8b by ddl.
Firmware flasher for drives with a MT13x9 chip.
Usage: ./mtflash [options] <r|R> <ATA command base> <output file>
./mtflash [options] <w|W> <ATA command base> <input file>
./mtflash [options] <e|E> <ATA command base>
Options:
-h Displays this text.
-p <0|1> Drive position. 0 for master, 1 for slave.
(default: 0)
-b Brute force MTK vendor intro.
-l List supported flash chip types.
host:~>
host:~>sudo ./mtflash -b r ec00 drive2/ofw.bin
mtflash v0.8b by ddl.
Firmware flasher for drives with a MT13x9 chip.
Power off the drive and turn it back on within 1 second.
Press CTRL-C to abort.
Brute forcing MTK vendor intro... OK!
Reading flash vendor and device ID... OK!
Name: SST(39SF020)
Vendor ID: 0xBF
Device ID: 0xB6
Size: 4 banks (262144 bytes)
Type: Parallel
Reading bank 0 ................ OK!
Reading bank 1 ................ OK!
Reading bank 2 ................ OK!
Reading bank 3 ................ OK!
Wrote flash content to: drive2/ofw.bin
Flash read checksum (datasum): 0xE067
Flash read successful!
Sending MTK vendor outro... OK!
host:~>
2) Patch iXtreme firmware.
host:~>./ixfw_patch -h
ixfw_patch v0.5b by ddl.
iXtreme firmware patcher.
Usage: ./ixfw_patch [options] <ofw/dummy file> <ixtreme file> <output file>
Options:
-h Displays this text.
-t <l|s> Force drive type:
l, LiteOn drive.
s, Samsung drive.
host:~>
host:~>./ixfw_patch drive2/ofw.bin fw/ix16-samsung.bin drive2/patched_ix16.bin
ixfw_patch v0.5b by ddl.
iXtreme firmware patcher.
Identified firmware: iXtreme v1.6 12x (Samsung)
Writing patched firmware: drive2/patched_ix16.bin
Success!
host:~>
3) Flash the patched firmware.
host:~>./mtflash -h
mtflash v0.8b by ddl.
Firmware flasher for drives with a MT13x9 chip.
Usage: ./mtflash [options] <r|R> <ATA command base> <output file>
./mtflash [options] <w|W> <ATA command base> <input file>
./mtflash [options] <e|E> <ATA command base>
Options:
-h Displays this text.
-p <0|1> Drive position. 0 for master, 1 for slave.
(default: 0)
-b Brute force MTK vendor intro.
-l List supported flash chip types.
host:~>
host:~>./mtflash -l
Name Vendor ID Device ID Size Type
--------------------------------------------------------------------------------
MXIC/Macronix(MX25L2005) 0xC2 0x11 262144 Serial
Winbond/NEX(W25P20/W25X20/NX25P20) 0xEF 0x11 262144 Serial
SST(39SF020) 0xBF 0xB6 262144 Parallel
host:~>
You do not have to explicitly erase the flash before the write, since it's done
automatically when you choose write.
host:~>sudo ./mtflash -b w ec00 drive2/patched_ix16.bin
mtflash v0.8b by ddl.
Firmware flasher for drives with a MT13x9 chip.
Power off the drive and turn it back on within 1 second.
Press CTRL-C to abort.
Brute forcing MTK vendor intro... OK!
Reading flash vendor and device ID... OK!
Name: SST(39SF020)
Vendor ID: 0xBF
Device ID: 0xB6
Size: 4 banks (262144 bytes)
Type: Parallel
Sending chip erase... OK!
Writing bank 0 ................ OK!
Writing bank 1 ................ OK!
Writing bank 2 ................ OK!
Writing bank 3 ................ OK!
Flash read-back checksum (datasum): 0x763D
Flash write successful!
Sending MTK vendor outro... OK!
host:~>
WHAT ABOUT OTHER DRIVES?
-------------------------------------------------------------------------------
BenQ
----
mtflash could probably be adapted to support the Xbox 360 BenQ drive quite
easily since it also has an embedded SPI flash chip. Though, I would need a
BenQ drive to do that...
Hitachi
-------
The Hitachi drives would require completely different methods. I think
SeventhSon has done some work in this area...
CONTACT
-------------------------------------------------------------------------------
mail: ddl4321@gmail.com