xboxscene.org forums


Author Topic: Unique 16 bytes in Xbox 360 DVD Firmware  (Read 1040 times)

InterestedHacker (Archived User, Jr. Member, Posts: 88)
« Reply #15 on: January 18, 2006, 07:36:00 AM »

QUOTE(MacDennis @ Jan 18 2006, 04:14 PM)

Did you actually read my replies? A swap has already been tested and does NOT work.
And what I was trying to say, it seems that each drive IS actually locked to an individual console. That's why a swap does not work.


So you are saying that 2 identical drives had the firmware swapped, and the machines then had the drives swapped (each 360 has the other's DVD drive, but a copy of its own original firmware), thus proving that the 16 byte code in the firmware isn't the only thing the 360 looks at to check if it's the 'locked' drive?  Could it be that the 16 byte code is a duplicate of the public key used in other secure comms by the 360? (food for thought), and if this proves there is some other ID key, I wonder where it is...

I suppose differences could be found by logging initial comms between the 360 and drive on both machines, then comparing.  Then there may be clues as to where to look.  EDIT: But the AES encryption is going to make this a wee bit trickier...

posiedon (Archived User, Jr. Member, Posts: 83)
« Reply #16 on: January 18, 2006, 07:39:00 AM »

i own a licenced repair shop and i looked into this a few weeks ago
not only did i find out about the drive i also found what the bios was for and it is relevant to the drive
the bios chip contains a random number
on the very first start up the system uses this number to generate an encryption code which it writes to every component of the unit
it then erases the chip
from then on startup is not assisted by the bios and the data is encrypted from the moment the unit is turned on
so this encryption is used in every exposed data passage in the console to prevent us cracking the x360 like we did the original one
(by eavesdropping on the startup commands)
ms originally was leaving the chips in place and having the locking sequence run when you first start it up at home
but someone could modify the system before the first startup
so ms now starts up the system at the factory then removes the chip
this is why some units have the chip while others do not
to replace the drive an override code must be inserted in the bios chip slot
and a boot up disc must be used
the 2 of these in unison are used to start up the console without encryption in "safe mode"
this mode is useful for changing the codes to do things like replace a dvd drive and lock it to the console
i requested the programmer and startup disc and they sent me a waiver for non-disclosure of the codes on the disc and programmer
and the penalties outlined in it make me want to uphold that document
so i am NOT going to dump the contents on the internet so do not ask for them
but it only states not to release the code not the method in which it works
so telling you all this is my way of sticking it to ms for holding a stun gun to my balls with that document

PedrosPad (Archived User, Hero Member, Posts: 1277)
« Reply #17 on: January 18, 2006, 10:41:00 AM »

QUOTE(posiedon @ Jan 18 2006, 04:46 PM)

the bios chip contains a random number
on the very first start up the system uses this number to generate an encryption code which it writes to every component of the unit
it then erases the chip
from then on startup is not assisted by the bios and the data is encrypted from the moment the unit is turned on
so this encryption is used in every exposed data passage in the console to prevent us cracking the x360 like we did the original one
(by eavesdropping on the startup commands)
ms originally was leaving the chips in place and having the locking sequence run when you first start it up at home
but someone could modify the system before the first startup
so ms now starts up the system at the factory then removes the chip

Wow.  That sure reads as legitimate and doesn't appear to conflict with the findings.  Nice new information.  Kind'a like Windows Setup's Plug 'n' Pray hardware interrogation phase, but burns the results into Flash memory, rather than the registry.

m.e (Archived User, Jr. Member, Posts: 95)
« Reply #18 on: January 18, 2006, 10:59:00 AM »

Awesome new information posiedon!!! I think it will be very useable for the scene.

PS2MXBOX (Archived User, Newbie, Posts: 19)
« Reply #19 on: January 18, 2006, 11:31:00 AM »

hey posiedon, is that boot disc the green disc that got left in a console a few months back?

carranzafp (Archived User, Full Member, Posts: 110)
« Reply #20 on: January 18, 2006, 11:57:00 AM »

QUOTE(greatdevourer @ Jan 18 2006, 07:55 PM)

What if you misplace the disk, and maybe someone else might pick it up, upload it, and then be kind enough to give it back to you. Not suggesting anything, of course.


I think MS cover "Unintentional Loss" in their documents but I am not sure.

It would be better to dig into the legal boundaries to get the most info about that disk and programmer that posiedon mentions.

He mentions a programmer; my first question is, what kind of component does it program?
Is it a serial EEPROM (ATMEL 25020) like the one mentioned near the CPU? (see pic)
(some 360s have it, others do not)

http://pictures.xbox...oard/eeprom.jpg

Fattysc (Archived User, Newbie, Posts: 11)
« Reply #21 on: January 18, 2006, 11:59:00 AM »

Pretty interesting info posiedon, someone go break into a repair shop and steal the disc!

j/k


21cwSpanky (Archived User, Newbie, Posts: 49)
« Reply #22 on: January 18, 2006, 12:00:00 PM »

So this 16 byte key could be the encryption code we need? What would we do then? Download the encrypted data, decrypt it and pray there's something we can use? Or attempt to create a type of disc similar to the official disk that posiedon received to blank out the encryption and then attempt to do something?

MacDennis (Archived User, Newbie, Posts: 49)
« Reply #23 on: January 18, 2006, 12:04:00 PM »

QUOTE(posiedon @ Jan 18 2006, 03:46 PM)

i own a licenced repair shop and i looked into this a few weeks ago
not only did i find out about the drive i also found what the bios was for and it is relevant to the drive
the bios chip contains a random number


Very nice information posiedon!
Can you confirm that the bios / bios chip you are talking about is the small EEPROM chip as seen in this picture? Atmel 25020 EEPROM
If this is the case then your story makes a lot of sense.

Also, can you describe in general which steps you have to take if you would have to replace a broken dvd-rom drive in a x360 console?

posiedon (Archived User, Jr. Member, Posts: 83)
« Reply #24 on: January 18, 2006, 12:12:00 PM »

the disc is blue and black and no it is not the disc left in the x360 last year
and yes that is the position of the access point next to the heatsink
i have agreements with ms but my loyalty lies with xs
and i will give as much as those documents allow
but i regret to inform you that in the waiver it says "photographs of the contents is prohibited" which is sad because i just got a new camera
what i can tell you is this
in the box was
-a usb keyboard
-a red device (the programmer)
- and 2 discs
-manual
outlined in the manual were 2 ways to use it but so far i have only used 1 of the 2 ways
the programmer is the size of a usb flashdrive and it has 8 contacts which go on the 8 pins for the bios chip slot on the mb the other end has a male usb connector and a switch in the middle of the unit
the unit does not need bios when it starts up but that does not mean it does not look for it
the switch has 2 positions 1 and 2
position 1 is an override
position 2 is a flashable chip
when the 360 reads this chip in position 1 restarts with a black screen and a dos like kernel it asks for the "backup disc"
and then boots with a series of number selected options
which you interface with via the usb keyboard
and when you are done you remove the unit and restart
i do not know the full extent of this tool i have only used it once to swap a dvd drive
position 2 is for a laptop to write code to the programmer
you can use the software to tell the programmer what to do then startup the x360 and the programmer does the rest
instead of it asking for the backup disc it automatically completes all the changes you asked for with the computer interface then restarts the x360 as normal
(but it erases the flash memory in the programmer just like if a soldered chip was there)
but i have not used the second method yet i have only used the backup disc interface not the laptop interface
i have been busy with friends, the store, my slim 360 project but i will find some time by the weekend to play with my new toy
and when it is in safe mode it does not matter if the dvd drive is locked or not it reads from it just fine
you lock it to the mb using the utilities
i took the unit apart and it has 2 chips inside one is flashable the other is read only

AND I ALREADY DID AN EXPERIMENT THE 360 DOES NOT READ THE BACKUP DISC WITHOUT THE UNIT IN SAFE MODE SO THE DISC IS USELESS WITHOUT THE PROGRAMMER

that document covers everything so all you will get from me is talk
and i think i am already on thin ice for telling everyone that these tools exist

there is even a line to not share the non-disclosure document itself
because according to ms these tools do not exist

and they will trace it back to me even if i have someone else upload pics or dump the contents

and the little fact of i do not have 3 million to pay in penalties and i do not want to spend in-excess of 20 years in jail over 2 discs and some code

posiedon (Archived User, Jr. Member, Posts: 83)
« Reply #25 on: January 18, 2006, 12:55:00 PM »

if the serial Eeprom is still there you have to remove it
(ms started doing this on their own after the first 2000 units)
and it is held in place with 2 clips that go into the holes for the "x" brace on the bottom of the heatsink
it would be a pain in the ass to have to solder it to place and remove it
and maybe some will post a dump of the read-only chip and the backup disc
because if you use a programmer you can write the code to a standard 2 mb flashrom chip then solder it to the mb

carranzafp (Archived User, Full Member, Posts: 110)
« Reply #26 on: January 18, 2006, 01:02:00 PM »

It sounds like you can put the switch on position "1" and then dump the contents of the programmer to file with a common 25020 reader.... (to see the override code) ... and probably share...

then with the override code someone can program a blank 25020 serial eeprom and ta da.... a brand new programmer... but we still need the disk... (is the disk signed? if not call to PI or CLEAR group and...) wow my mind explodes....

posiedon (Archived User, Jr. Member, Posts: 83)
« Reply #27 on: January 18, 2006, 01:05:00 PM »

and the disc is not signed because the unit does not read it when it is not in safe mode
and the executables are not .xex or .xbe they're something called .xbu
which does not make sense to me
i suppose the bu stands for "backup"

and i hate to say this but ms has this equipment so protected that i think my words are as close as you will ever get to those discs or that programmer code


also i do not know if this means anything but while in safe mode only the yellow video cable works
no sound, no component video, and no s-video

posiedon (Archived User, Jr. Member, Posts: 83)
« Reply #28 on: January 18, 2006, 01:22:00 PM »

i am only doing this because i want to see if someone can replicate what this equipment does without the actual code being released

and people call me "the god" of soldering because of my past work
and asking me to replicate the chip inside that thing is like replicating an x3 chip IT'S DIFFICULT!
i could do it but i do not know if anyone else can only someone with my skills or better

and i know for a fact the disc is copyable but as i said it is useless without that override code

and let's not forget the line "the contents of the parcel including this document should and will not be copied by any means including photographic, hand drawn, or physical duplication by the applicant as signed below in order to protect the security of the ......... (skip a few paragraphs) and if violated the applicant will be prosecuted to the fullest of the copyright act of ....... blah blah blah

you get the picture by now i hope

and you have to request the programmer they do not just send it to you because you have a license with them to repair consoles
i found out about it from the x360 repair manual which also must be requested
so not a lot of repair shops know about this
i called the private repair line and asked how to rewrite the code to lock a dvd drive to a unit they sent me the waiver
i sent it back
they sent me the box with a copy of the waiver
and i heckled with 2 ups guys for 15 min before they were convinced i was who the package was for
(not even my driver license was enough) because ms labeled the contents as "top secret"

Psyon360 (Archived User, Newbie, Posts: 1)
« Reply #29 on: January 18, 2006, 01:37:00 PM »

QUOTE(posiedon @ Jan 18 2006, 09:29 PM)

and let's not forget the line "the contents of the parcel including this document should and will not be copied by any means including photographic, hand drawn, or physical duplication by the applicant as signed below in order to protect the security of the ......... (skip a few paragraphs) and if violated the applicant will be prosecuted to the fullest of the copyright act of ....... blah blah blah

you get the picture by now i hope


Uhm....didn't you just do exactly that by posting that sentence here?

If what you're saying is true you better be careful... e.g. it's probably not the smartest thing to have your location and your birthday in your profile (if that information is actually true)
