Protecting and Hacking the Xbox 360 (Part 2)



Last time we left the Xbox 360 scene at the point where it had become clear to Microsoft's developers that the DVD-ROM protection was easy to bypass and that something had to be done about it. Attempts to fix the situation by updating the console's own software were unsuccessful, so Philips & Lite-On entered the battlefield with DVD drives that became more and more locked down with each new model. But the hacking methods became more sophisticated each time as well. In this part I will tell how Microsoft tried to deal with unlicensed discs, and what lengths DVD-drive flashing methods can go to when literally everything is closed off.

Meet the PLDS DG-16D2S 74850c


The Philips & LiteOn DG-16D2S drive began to be installed in consoles in 2008 and was fitted right up to 2011, when the new “slim” version of the console came out. Here is our hero:


Of course, the researchers immediately took it apart and found out:

  • the drive is very similar to the previous model, the Philips & BenQ VAD6038
  • the firmware is stored inside the controller, so a programmer is of no use
  • it does not enter service mode, even on VIA chipsets

Even the MT1319 controller on the board is potted in compound:


It looked like Microsoft had finally made an “unbreakable” drive and everyone was in for a hard time.
However, after some time c4eva, the developer of modified firmware for the Xbox 360, reported that the drive was susceptible and that development of custom firmware was already underway:
c4eva: i have found some things that are not yet known about the lite-on, it will be done!

I don't want to wait, flash it!


While the custom firmware was being developed (and that took almost six months), people wanted to flash "here and now". At the end of August 2008, researchers found an interesting trick:

  • Turn on the console
  • Open the DVD drive tray
  • Unplug the power from the DVD drive
  • Push the tray halfway in
  • Plug the drive's power back in

After these magical actions the drive spits out its secret key over UART! All that remained was to assemble the simplest COM-to-UART adapter on a single transistor and touch it to a point on the board at the moment of power-up:

(a historically faithful reconstruction using an adapter from those times)

My assumption is that this “feature” was left in for service centres, so that a drive could easily be replaced with a new one in the event of a failure. It is hard to come up with any other explanation for the presence of such functionality.

As soon as the key is obtained, you can write it into the firmware of a used drive, change its name to “PLDS DG-16D2S” and play as if nothing had happened! (The first revisions of the Xbox 360 were not famous for reliability, so there were many used TS-H943 drives on the market, pulled from half-dead consoles.) This step came back to bite people later, but at the time gamers were happy.


There was one problem in all this idyll, and it came from where nobody expected. The thing is, the Xbox 360 drive has a non-standard and short power cable:


There are small tabs on the plug for correct orientation in the connector:


The key-reading operation is conveniently done “on the back”, with the drive upside down. But people forgot to turn the not-too-flexible power cable, the tabs on the plug were not long enough to stop it, and as a result 12 volts went to entirely the wrong contacts and the magic smoke escaped from the board...


Those who were “lucky” enough to burn their drive were advised to carefully reassemble the console and hand it in to the store under warranty as if nothing had happened. Often the store did not bother at all and accepted such consoles without even checking the warranty seal.

Hooray, firmware!


So, after almost six months of waiting, c4eva released iXtreme 1.5 for the Christmas holidays, and from it we learned:

  • c4eva and his team had obtained the firmware by dissolving the chip's package
  • The key is still read by the half-retracted-tray method
  • To enter service mode and write the firmware, you need to erase the drive!

I was sure that I had a photo of a half-dissolved MT1319 connected to a programmer, but I could not find it. As soon as I find it, I'll add it right here (if anyone has it, please send it).

The “erase before writing” requirement caused problems for people: the computer could freeze or go to a BSOD. Even if everything “went as it should”, after erasing, the drive was of course no longer detected by the system and service mode had to be entered “blind”. In general, it frayed people's nerves quite badly.

There were experimenters who pressed the “erase” button simply out of curiosity, without having read the key first, despite the warnings:


But the main goal was achieved: the “unflashable” LiteOn was finally flashed, and craftsmen with steady hands could flash the drive themselves.

DG-16D2S 83850c


Of course, Microsoft came to their senses and began installing drives with a new firmware version, 83850c, in which the UART key-reading functionality no longer worked.

Surprisingly, it turned out that the LiteOn 83850c gave out the key over SATA, with the same witchcraft with a half-open tray! Foundmy.com released the LO83info utility, which read the key but output it in encrypted form. You were supposed to email the key to the authors and receive the decrypted version for $42.


That scheme lasted four days, after which Maximus and Geremia released a free key decryptor :) How much the authors managed to earn in those days is unknown.



DG-16D2S 93450c


The freebie of easy key reading could not last long: soon the LiteOn 83850c v2, which did not yield to LO83Info's tricks, began to turn up, and then the LiteOn 93450c was put into consoles altogether. All methods of reading the key were closed; no key could be read, and without the key the console could not be flashed ... People were not sad for long, though: enthusiasts found this hardware bug:

  • cut one of the supply traces
  • solder in a 22 ohm resistor through a switch
  • short the supply through the 22 ohms to GND!

As a result, the voltage on the flash memory inside the processor sagged so much that only 0xFF was read instead of data; the drive was convinced that the firmware had already been erased and entered service mode! Once in service mode, all that remained was to open the resistor switch and read out the entire flash:
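The boot decision described above is a classic fail-open check: "everything reads as 0xFF" is taken as proof of an erase, yet a starved flash chip returns exactly that. The following toy model is an added example and not the drive's real firmware; the image layout, `MAGIC` and `ERASE_TOKEN` are constructed to contrast the fail-open check with a fail-closed one that only unlocks on an explicit marker a read failure cannot produce.

```python
# Added example, not the drive's actual firmware: a toy model of the boot-time
# decision. The naive check treats an all-0xFF read as "firmware erased"; a
# sagging supply makes the flash read all 0xFF, so that check fails open.
from hashlib import sha256

FLASH_SIZE = 128                    # toy flash size, constructed
BLANK = b"\xff" * FLASH_SIZE        # what erased flash (and browned-out flash) reads as
MAGIC = b"IXFW"                     # hypothetical firmware header marker
ERASE_TOKEN = b"ERASED!!"           # hypothetical marker written only by a real erase command


def build_image(payload: bytes) -> bytes:
    """Constructed firmware image: MAGIC + SHA-256(body) + body, body padded with 0xFF."""
    body = payload + b"\xff" * (FLASH_SIZE - 36 - len(payload))
    return MAGIC + sha256(body).digest() + body


def read_flash(image: bytes, brownout: bool) -> bytes:
    """Model the flash read: with the supply sagging, every byte reads 0xFF."""
    return BLANK if brownout else image


def naive_boot(image: bytes, brownout: bool = False) -> str:
    """Fail-open logic: 'all bytes are 0xFF' is taken as proof the firmware was erased."""
    data = read_flash(image, brownout)
    return "service" if data == BLANK else "normal"


def hardened_boot(image: bytes, brownout: bool = False) -> str:
    """Fail-closed logic: service mode needs an explicit erase token that a read
    failure cannot produce; an unreadable or unverifiable image halts instead."""
    data = read_flash(image, brownout)
    if data.startswith(ERASE_TOKEN):
        return "service"
    if data.startswith(MAGIC) and sha256(data[36:]).digest() == data[4:36]:
        return "normal"
    return "halt"                   # all-0xFF, corrupt or forged: refuse to unlock


def erase(image: bytes) -> bytes:
    """Model a legitimate erase command for the hardened design: it writes the token."""
    return ERASE_TOKEN + b"\xff" * (FLASH_SIZE - len(ERASE_TOKEN))


FW = build_image(b"toy drive firmware")   # constructed sample image
```

Under a simulated brownout `naive_boot(FW, brownout=True)` unlocks service mode while `hardened_boot` halts, which is the difference between the check the page describes and one that fails closed.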


This “flashing” method killed even more drives than the UART one. Imagine what a schoolboy can do with a Soviet soldering iron while trying to solder two wires according to the diagram. This is how it should look:


But this is what could be seen on the forums:




And since the vulnerability was in hardware, Microsoft could no longer fix it with a firmware update; the LiteOn DG-16D2S moved for good into the category of flashable drives.

People stopped being sad altogether when an even more interesting hack was discovered:

  • turn on the drive
  • switch off the 3.3 V power line (the 1.8 V line stays active)
  • ground the MPX01 point
  • switch 3.3 V back on
  • enter service mode and read the key from RAM! ??


The MPX01 point in the drive decides whether the firmware will be decrypted at startup. By pulling it to GND, we force the drive to skip the decryption stage, so it tries to run garbage and goes into an error state. From that state it allows entering a limited service mode and reading RAM! And because we did not cut the 1.8 V line, the RAM was not cleared and our key is still lying there. That's it.

New - PLDS DG-16D4S 9504


Along with the Slim version of the Xbox 360, the DVD drive was updated too. Even the drive's design changed: its feet disappeared and it became even more like a brick:


The drive controller also changed; now everything was driven by the MT1335 chip:


Surprisingly, the new model, unlike its predecessor, could be read and written without any problems. The Maximus team quickly dealt with it. Ahead of everyone else, they released a utility for reading and writing the key and firmware called “Tarablinda”:


By the way, the LiteOn D4S firmware for research was also obtained by dissolving the chip:

And while c4eva was developing... people again shoved in used drives the old-fashioned way, having cut off the feet and bent the case:

Then we'll just lock it!


This time Microsoft decided to approach from the other side: since people keep finding ways to read the key, let's forbid overwriting it! In new consoles, DG-16D4S drives of versions 0225, 0401 and 1071 began to appear, in which the internal SPI flash memory was locked!

The lock was implemented using the flash memory's status register and its WP pin:


But here a method very similar to the one that defeated the LiteOn 93450c was devised:

  • cut the power trace
  • turn on the drive, enter service mode
  • touch an 18 ohm resistor to the cut trace
  • issue the unlock command!


In exactly the same way, the supply voltage of the SPI flash sagged, something clicked in its electronic brain and the unlock completed successfully. This only worked on flash chips from MXIC:


For Winbond, an even crazier unlock method was devised.

The thing is that the DVD drive's processor was not monolithic. On top of it, a die of that same flash memory was glued in a sandwich, connected to the main die by thin bond wires. And the Write Protect (WP) wire we needed, although firmly tied to ground, happened to run above all the others:


The idea was to somehow cut it and then issue the unlock command. And yes, this is where people went and drilled into the chip, carefully and precisely, with a millimetre drill!



In fact, with accurate marking and careful work you can achieve a high chance of success. Naturally, inexperienced hands produced this:


or this:


But it wasn't so bad: MT1335WE chips, after (or instead of) an unsuccessful unlock, could be replaced with the compatible MT1339E with external flash memory, removed from Chinese drives:


The result: once again, victory was not on Microsoft's side; discs get burned, drives get flashed.

AP 2.5, XGD3, ...


Microsoft not only improved the drive firmware, but also reworked the protection of the game discs themselves. And here they went all out:

First, the disc format itself was changed. The old XGD2 format held about 7.5 GB of data, like a regular dual-layer DVD. The new XGD3 used a slightly larger disc area, almost to the very edge, thanks to which 8.5 GB of data now fit. Such a disc cannot be written by ordinary means.


Secondly, a dae.bin file was added to the system itself, containing additional checks for specific games. The console asked the drive which physical sector of the disc particular data was located in and compared the answer with reference samples. Unlike licensed discs, stamped from one template, the data placement on burned discs could differ.


Interestingly, only a few popular games were protected in this way.

Thirdly, to support all the innovations, all DVD drives on all consoles were updated with the next system update!

  • LiteOn D2S: updated, and the simple key-reading methods closed
  • Previously flashable LiteOn D4S 9504: updated and write-locked
  • Those whose consoles had been “flashed” normally had to “flash” them again
  • Those who had swapped the drive for a different model got an error and a non-working console


In the very old Samsung TS-H943 drives it was not possible to implement the AP 2.5 checks, so their update only added XGD3 format support. The unluckiest were the players whose LiteOn had been replaced with a Samsung running LiteOn firmware: they had to look for a new drive and swap it back. The owners of the LiteOn D4S 9504 were very disappointed too: they had to unlock the chip again to re-flash it.

But here everything turned around again. It turned out that 7.5 GB is not the limit, and ordinary dual-layer discs can quite well hold 8 GB or more, which is what XGD3 games required. On ordinary writers the burn did not go all the way (it stopped at about 97%), as far as there was space; such discs also worked, although with the threat of detection and a subsequent ban. Later c4eva released a program supporting some PC DVD burners that tricked the drive, removed the restrictions and forced it to write the entire surface of the disc:


c4eva also made firmware for Xbox 360 drives, iXtreme LT+, to bypass the new protections: ready-made answers taken straight from dae.bin were written onto the game disc, the firmware answered “by template”, and everyone was happy. But Microsoft also acted in a fairly obvious way: in the next system update they changed dae.bin, the pirated copies stopped working, and the discs had to be patched and burned again:
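The sector-position check described above and the reason a changed dae.bin broke the “by template” answers can be shown with a small model. This is an added example, not Microsoft's dae.bin format or the real AP 2.5 protocol: the disc layouts, block names, sector numbers and both challenge lists are constructed, and a "drive" here is just an object that answers where a block sits.

```python
# Added example, not the real AP 2.5 protocol: a toy model of the console-side
# check. A dae.bin entry says "data block X must sit at physical sector Y on a
# pressed disc"; the console asks the drive where X is and compares the answer.
from typing import Dict, List, Tuple

# Physical layout of a pressed disc: block id -> physical sector (constructed)
PRESSED_DISC = {"title": 2048, "level01": 131072, "level02": 262144, "video": 393216}
# The same data burned with a different layout tool: positions are shifted
BURNED_DISC = {"title": 2048, "level01": 131080, "level02": 262160, "video": 393240}

Entry = Tuple[str, int]                          # (block id, expected physical sector)
DAE_V1: List[Entry] = [("level01", 131072), ("video", 393216)]
DAE_V2: List[Entry] = [("level02", 262144), ("title", 2048), ("video", 393216)]


class Drive:
    """An honest drive: answers with the real position of a block on the loaded disc."""

    def __init__(self, layout: Dict[str, int]) -> None:
        self.layout = layout

    def locate(self, block: str) -> int:
        return self.layout.get(block, -1)


class ReplayDrive(Drive):
    """Models the 'template' answer: memorised answers for blocks seen in an older
    dae.bin, real (burned) positions for anything it has never been asked about."""

    def __init__(self, layout: Dict[str, int], memorised: Dict[str, int]) -> None:
        super().__init__(layout)
        self.memorised = memorised

    def locate(self, block: str) -> int:
        return self.memorised.get(block, super().locate(block))


def memorise(dae: List[Entry]) -> Dict[str, int]:
    """Turn a challenge list into a block -> answer table."""
    return {block: sector for block, sector in dae}


def ap25_check(drive: Drive, dae: List[Entry]) -> bool:
    """Console side: every queried block must be exactly where dae.bin says."""
    return all(drive.locate(block) == sector for block, sector in dae)
```

A replay table built from `DAE_V1` passes `ap25_check` against `DAE_V1` but fails against `DAE_V2`, because the new list asks about a block whose burned position was never memorised; rotating the challenge set is what invalidated the stored answers.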


After some time c4eva grew thoughtful and said that he had figured out how to defeat AP 2.5 once and for all: wait for iXtreme LT+ 3.0. By the way, by that time the number of “well, when is the new firmware??” questions in the IRC channels where c4eva sat had grown so much that someone made a whole site, c4evaspeaks.com, where all his quotes (literally everything!) and news on the firmware topic were saved:



In iXtreme LT+ 3.0, instead of the “pattern matching” answer, special data on the disc geometry was used. Essentially, the licensed disc was scanned, a special “map” was generated and recorded onto the game disc, and from it the firmware calculated correct answers to any AP 2.5 request.

With this the AP 2.5 saga ended in victory for c4eva and his firmware. There were attempts to ban players whose AP 2.5 checks had tripped, but either the bans caught honest players too, or Microsoft could not prove the fact of piracy and the 100% reliability of the checks; either way, the bans stopped as well.

Legend - PLDS DG-16D5S 1175


The final point in the struggle over drives was put by the LiteOn DG-16D5S:


It contained the MT1332E controller, which did not enter service mode by any known method, and, according to rumours, the key was not stored in ROM:


There were attempts to read the ROM by dissolving the package and soldering on wires:


Yes, inside it was also a sandwich of processor and flash memory:


There is information that there were also software methods for reading the firmware from it; I personally downloaded dumps that were posted on one of the forums. In any case, this time there are no publicly available tools for reading the key from the drive itself.

Instead, c4eva developed the iXtreme LTU (Lite Touch Ultimate) firmware, which used data extracted from the console itself (by hacking the system) and required replacing the drive's circuit board. The custom printed circuit board was exactly the same as the one from the 16D5S, but the processor on it could be reflashed:


More adventurous “firmware wizards” went on their own to suppliers of unlocked MT1332 chips and simply soldered the chip onto the board. These chips were pulled from Chinese DVD players built on the same chip:


Soon the MT1332 chips simply ran out! Then the Maximus team developed an unusual thing, Cryptocop:


This chip, attached to the side of the board, did a magic thing: at startup it loaded a new boot ROM into the MT1335 / MT1339, after which the LTU firmware designed for the MT1332 started and worked perfectly. And there were enough of those chips: the MT1335 was pulled from used drives of the previous model, the 16D4S, and the MT1339 from Chinese drives or from suppliers. c4eva refused to compile a normal version of LTU for the MT1339 (otherwise people would just install old drives and not buy their boards).

But when the stock of LTU boards ran out, c4eva pulled an amazing trick: he compiled the iXtreme LTU2 firmware for the MT1319 chip! This was the processor in the very first LiteOn of the “fat” consoles. And yes, they started churning out and selling new LTU2 boards:


Well, finally the Chinese joined the party, producing boards based on the MT1309, the more common brother of the MT1319 with external flash memory:


The era of Xbox 360 firmware ended when a new revision of the console came out, on which the key can't be obtained from either the system or the DVD drive. But more about that in the next part!

Protection and hacking Xbox 360, Part 1
Protection and hacking Xbox 360, Part 2
Protection and hacking Xbox 360, Part 3
Any details, nuances: ask in the comments!
