xboxscene.org forums

Pages: [1] 2

Author Topic: Leave v79 drive flashable after passkey removal  (Read 60 times)

podger

  • Archived User
  • Hero Member
  • *
  • Posts: 501
Leave v79 drive flashable after passkey removal
« on: May 26, 2008, 05:32:00 PM »

I mentioned this to Antman1 in passing, I thought everyone knew... But basically there is a way to leave a 79 in a readable and flashable state without a passkey and without removing the TSOP and flashing as a spoofed 78...

Firstly, this is nothing new, I just stumbled over it a while back in xboxhacker.net but it was never confirmed and I only recently had a spare 79 to test it .. You would still need to install a passkey initially to be able to change the code.... It could be very useful if you had a stack of 79's for sale or something...

This is the code in a 79 ROM with key at 4E10, the code blocks reading/writing from the flash if bit 5 of location 5BD is set, the code looks like this disassembled...
CODE

ROM0:90029FF9               btst    0x10, (0x5BD)     ! If bit 0x10 (bit 5) of 5BD is off then exit (no load code)
ROM0:90029FFE               beq     exit
ROM0:9002A000               mov     0x5D8, A2
ROM0:9002A003               mov     A2, A0

You need to ignore the addresses somewhat as this code is at different locations depending on which key rev of 79 you have...
i.e.
Key   Code address
4B00  90029FE0
4E10  90029FF9
4D20  90027260
4C30  90027262

Here's what to do (I am assuming you have flashed a 78/79 before and that you know what you are doing, too many steps make it hard to read)

1.   Install passkey
2.   Dump firmware
3.   Make several backups - I didn't do this, I already have 1000's of copies of my key
4.   Smart hack patch and open the file
5.   Flash this file
nothing new here...

I reboot the dvd drive at this stage and check it was still working dumping etc..

Now the good bit
1.   I dumped again
2.   Closed toolbox
3.   Opened the dump in hexeditor  
4.   Search for FE 82 BD 05 10 C8 26 - this is the machine code for the assembly above
5.   Replace this with CB CB CB CB CB CB CB - machine code for NOP, i.e. just do nothing
6.   Save the file, no need to mess with checksums as the master checksum is set to 00 00 00 00
7.   Open file in toolbox - read detect differences - there should only be 1 sector i.e. 90027000 or 90029000 depending on the version you have
8.   Flash this file..
9.   Remove passkey, should still dump flash etc

You may want to update the orig.bin also for the sake of restore and future updates.. If you were to restore the orig.bin as it is it would restore the code above and be unreadable again, and need a passkey..

1.   Open the orig.bin in  hexeditor.
2.   Search for FE 82 BD 05 10 C8 26
3.   Replace this with CB CB CB CB CB CB CB
4.   Save the file.
5.   VERY IMPORTANT BIT - Open it in toolbox and verify the checksum and accept the change..

I have done this more than once and it works for me... I have also restored back to the edited orig.bin and then hacked it all over again without issue.....
Other members have also tested.

But as usual there are no guarantees, use at your own risk... You could brick your drive...


http://www.xboxhacker.net/index.php?topic=6963.0

This post has been edited by podger: May 27 2008, 12:36 AM
Logged
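Step 7 of the procedure above ("read detect differences - there should only be 1 sector") is the check that tells you the hex edit touched nothing it should not have. The script below is an added example written for this thread, not a tool from the thread or from Firmware Toolbox: it compares an unpatched dump with a candidate patched dump and passes only if exactly one sector differs and the differing bytes are precisely the 7-byte check sequence replaced by 7 NOPs. The 4 KiB sector size and the mapping from ROM address to file offset (subtract 0x90000000, which is consistent with Toolbox naming the changed sector 90027000/90029000) are assumptions; the byte sequences and the key-to-address table are taken from the post. The sample image is constructed filler, not a real dump.

```python
"""Verify that a v79 firmware dump differs from its unpatched counterpart only
at the 7-byte flash-access check. Added example; sector size and address-to-
offset mapping are assumptions, byte sequences come from the post."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple

CHECK_SEQ = bytes.fromhex("FE82BD0510C826")  # btst 0x10,(0x5BD); beq exit (from the post)
NOP_SEQ = bytes([0xCB]) * len(CHECK_SEQ)     # 0xCB = NOP on this core (from the post)
SECTOR_SIZE = 0x1000                         # assumption: 4 KiB sectors
ROM_BASE = 0x90000000                        # assumption: file offset = ROM addr - base

# Key address -> ROM address of the check, as listed in the post.
KNOWN_SITES: Dict[int, int] = {
    0x4B00: 0x90029FE0, 0x4E10: 0x90029FF9, 0x4D20: 0x90027260, 0x4C30: 0x90027262,
}


@dataclass
class VerifyResult:
    ok: bool
    reason: str
    changed_sectors: List[int] = field(default_factory=list)  # sector start offsets
    patch_offset: Optional[int] = None
    key_addr: Optional[int] = None


def find_unique(haystack: bytes, needle: bytes) -> Optional[int]:
    """Offset of needle if it occurs exactly once, else None (ambiguous or absent)."""
    first = haystack.find(needle)
    if first < 0 or haystack.find(needle, first + 1) >= 0:
        return None
    return first


def changed_sectors(orig: bytes, patched: bytes) -> List[int]:
    """Start offsets of every sector whose contents differ (Toolbox's 'detect differences')."""
    return [s for s in range(0, len(orig), SECTOR_SIZE)
            if orig[s:s + SECTOR_SIZE] != patched[s:s + SECTOR_SIZE]]


def verify_patch(orig: bytes, patched: bytes) -> VerifyResult:
    """Accept only a change that is exactly CHECK_SEQ -> NOP_SEQ inside one sector."""
    if len(orig) != len(patched):
        return VerifyResult(False, "length mismatch")
    off = find_unique(orig, CHECK_SEQ)
    if off is None:
        return VerifyResult(False, "check sequence absent or not unique in original")
    sectors = changed_sectors(orig, patched)
    if len(sectors) != 1:
        return VerifyResult(False, f"expected 1 changed sector, found {len(sectors)}", sectors)
    diffs = [i for i in range(len(orig)) if orig[i] != patched[i]]
    # Every byte of CHECK_SEQ differs from 0xCB, so a clean patch changes exactly these 7.
    if diffs != list(range(off, off + len(CHECK_SEQ))) or patched[off:off + 7] != NOP_SEQ:
        return VerifyResult(False, "bytes changed outside the 7-byte check, or not NOPs", sectors, off)
    key = next((k for k, a in KNOWN_SITES.items() if a - ROM_BASE == off), None)
    return VerifyResult(True, "ok", sectors, off, key)


def build_sample(key_addr: int = 0x4E10) -> Tuple[bytes, bytes]:
    """Constructed 256 KiB filler image with the check at the offset for key_addr,
    plus a copy with the 7 bytes replaced by NOPs. Not a real dump."""
    img = bytearray(b"\xff" * 0x40000)
    off = KNOWN_SITES[key_addr] - ROM_BASE
    img[off:off + 7] = CHECK_SEQ
    patched = bytearray(img)
    patched[off:off + 7] = NOP_SEQ
    return bytes(img), bytes(patched)


if __name__ == "__main__":
    original, candidate = build_sample(0x4E10)
    r = verify_patch(original, candidate)
    print(r.ok, r.reason, [hex(s) for s in r.changed_sectors],
          hex(r.patch_offset or 0), hex(r.key_addr or 0))
```

Run it against two real dumps by replacing `build_sample()` with two `open(path, "rb").read()` calls; a result of `ok=False` with more than one changed sector is the same warning Toolbox gives in step 7, and `key_addr=None` with `ok=True` means the check sat at an offset not in the post's table, which is worth a second look before flashing.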

Antman1

  • Archived User
  • Hero Member
  • *
  • Posts: 887
Leave v79 drive flashable after passkey removal
« Reply #1 on: May 26, 2008, 05:44:00 PM »

This is a patch I made for patching the 7 bytes of code Podger has posted.  This will patch the 7 bytes but make sure you follow the directions in the readme file!  I tested on all firmware using toolbox and checking it with Winhex and all checked out fine.  As Always Use at your own risk!  Enjoy!

Mod Edit: link removed per users request, see post #7.

This post has been edited by Grim187: May 29 2008, 02:00 AM
Logged

jimbobjim

  • Archived User
  • Sr. Member
  • *
  • Posts: 477
Leave v79 drive flashable after passkey removal
« Reply #2 on: May 27, 2008, 06:14:00 AM »

How has this slipped under the radar? I'm gonna use it with any 79 that comes my way.

Nice work
Logged

Antman1

  • Archived User
  • Hero Member
  • *
  • Posts: 887
Leave v79 drive flashable after passkey removal
« Reply #3 on: May 27, 2008, 06:58:00 AM »

I did notice there is an error in my readme file.  On step 6 it says Flash the file.  There should be 1 different sector.  Just ignore the "There should be 1 different sector" part of step 6.

This is incorrect because the file has been smart hack patched so it will have many different sectors but should be fine.  Just reduces the amount of steps to take.  you can patch the original backup you made first if you wish then flash it with smart hack patcher and it will be only 1 different sector it will see but it should work fine for it to do it all at once.
Logged

podger

  • Archived User
  • Hero Member
  • *
  • Posts: 501
Leave v79 drive flashable after passkey removal
« Reply #4 on: May 27, 2008, 08:37:00 AM »

@Antman, I wouldn't really play with the order too much, it could be dangerous....

Most users will be able to get through the first stages using Textbooks guide etc..... And this is a proven entity...

I hexedit the second dump from drive after it is hacked, coz by this stage the checksum has been set to the master checksum (all 00's) so there is far less chance of bricking your drive... Also a lot of members will already be at this stage....

I reopen this file with Firmware Toolbox and "Read detect differences" against what's already on the drive, the only difference should be the sector you hexedited....

The order of the steps is important...

Under no circumstances should you try to dump the orig.bin, hexedit it, fix the checksum and attempt to flash, this will brick your drive..... This will happen because no matter which sector you flash first will render the checksum incorrect.... If you change the checksum first then it will not match the data and if you flash the data first the checksum will be wrong... This is why the very first sector always flashed is the one with the master checksum, this is the last sector flashed in a restore.......

This post has been edited by podger: May 27 2008, 03:42 PM
Logged

Antman1

  • Archived User
  • Hero Member
  • *
  • Posts: 887
Leave v79 drive flashable after passkey removal
« Reply #5 on: May 27, 2008, 09:01:00 AM »

OK, I see.  So basically if you want to use the patch files I made you need to follow Podger's directions exactly except you can use the patch instead of opening up a hex editor.  When I get home I will try to update my readme with your steps so that it is done exactly right.  Sorry for the confusion; if a moderator wants to remove my link to the patch I made until I redo it they can, just so no one bricks their drives, and I will repost when I get home.
Logged

Antman1

  • Archived User
  • Hero Member
  • *
  • Posts: 887
Leave v79 drive flashable after passkey removal
« Reply #6 on: May 27, 2008, 10:34:00 AM »

OK.  Here is a link to the patch with a good readme that is basically the same directions as Podger in the readme just with the patch instead of hex editing.  Enjoy again.  lol.  Moderators if you could remove the last link I posted would be much appreciated.

79 AntiPasskey Patch!
Logged

cory1492

  • Archived User
  • Full Member
  • *
  • Posts: 216
Leave v79 drive flashable after passkey removal
« Reply #7 on: May 27, 2008, 08:54:00 PM »

QUOTE(podger @ May 27 2008, 08:37 AM) *
Under no circumstances should you try to dump the orig.bin, hexedit it, fix the checksum and attempt to flash, this will brick your drive..... This will happen because no matter which sector you flash first will render the checksum incorrect.... If you change the checksum first the it will not match the data and if you flash the data first the checksum will be wrong... This is why the very first sector always flashed is the one with the master checksum, this is the last sector flashed in a restore.......

For whatever reason, this doesn't make sense to me at all... if this was the case we couldn't do sector flashing at all, no? (Unless you mean flashing a full orig.bin instead of a differential flash?) And your third step of patching/correcting the orig.bin would then be pointless too...

-dump orig.bin
-hexedit orig.bin
-fix checksum (to keep orig for going back later)
-smarthack/patch to ixtreme
-differential flash ixtreme

...simply because I'd bet it would work if I had a backup plan...  Still kind of boggles me that this isn't in the smart hack patcher already, though.

This post has been edited by cory1492: May 28 2008, 03:56 AM
Logged

podger

  • Archived User
  • Hero Member
  • *
  • Posts: 501
Leave v79 drive flashable after passkey removal
« Reply #8 on: May 28, 2008, 04:59:00 AM »

@cory1492

You will find that one of the first sectors flashed is always 3e000, this is not included in the checksum calculation and contains the checksum. With this set to the Master Checksum you can then flash whatever you like without fear of the drive going into recovery mode due to a bad checksum calculation..

The opposite is also true, on a restore the last sector flashed back would be the calculated checksum.....

So basically, if you wanted to change a sector, you should first change the checksum to master checksum, flash your sector, then flash the checksum with the new calculated checksum....

The patched orig.bin (as long as you calculated correctly in toolbox) would be valid as you would generally be restoring from a hacked state with the Master Checksum in place.... There are 2 menu options in Toolbox (patch) and (restore), when you select (restore) it does the checksum last, (patch) does it first....

I'm not saying what you suggest is wrong... But a lot of people's drives would already be modded, so that's why I stepped in 2 parts.... Also, while I was testing I had issues with my passkey and bricked my drive several times.. I do however have a backup plan, so it wasn't a problem..... This method was the only one that didn't cause ANY issues for me.

And, as for smart hack patcher, that's a no-brainer business decision....

This post has been edited by podger: May 28 2008, 12:00 PM
Logged
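The ordering argument in reply #8 (master checksum first, then the data sector, then the recalculated checksum last, and the reverse on a restore) can be made concrete with a small simulation. This is an added model written for the thread, not code from Firmware Toolbox or a description of the real drive's bootloader: the thread states only that the checksum lives in sector 3E000, that this sector is excluded from the calculation, and that a master checksum of 00 00 00 00 is always accepted. The checksum algorithm used here (a 32-bit additive sum over all other sectors), the 4 KiB sector size and the filler image are assumptions chosen to make the intermediate states visible. Each write order is applied one sector at a time and the model records whether the drive would still pass its checksum check after every single write; a `False` in the history is the window in which an interrupted flash, or the drive's own check, lands you in recovery mode.

```python
"""Toy model of per-sector flash ordering against a checksum sector.
Added example; checksum algorithm and sector size are assumptions, the
location of the checksum sector and the master-checksum rule are from the thread."""
from typing import Dict, List, Tuple

SECTOR_SIZE = 0x1000          # assumption
CHECKSUM_SECTOR = 0x3E000     # from the thread: holds the checksum, excluded from the calc
MASTER_CHECKSUM = bytes(4)    # 00 00 00 00, accepted unconditionally (from the thread)

Flash = Dict[int, bytes]      # sector start address -> sector contents
Write = Tuple[int, bytes]     # one sector write: (address, new contents)


def compute_checksum(flash: Flash) -> bytes:
    """Assumed algorithm: 32-bit additive sum of every byte outside the checksum sector."""
    total = sum(sum(data) for addr, data in flash.items() if addr != CHECKSUM_SECTOR)
    return (total & 0xFFFFFFFF).to_bytes(4, "little")


def drive_boots(flash: Flash) -> bool:
    """Model of the bootloader's decision: master value passes, otherwise must match."""
    stored = flash[CHECKSUM_SECTOR][:4]
    return stored == MASTER_CHECKSUM or stored == compute_checksum(flash)


def with_checksum(flash: Flash, value: bytes) -> Flash:
    """Copy of flash with the first 4 bytes of the checksum sector replaced."""
    new = dict(flash)
    new[CHECKSUM_SECTOR] = value + flash[CHECKSUM_SECTOR][4:]
    return new


def flash_sequence(current: Flash, writes: List[Write]) -> List[bool]:
    """Apply writes in order; return whether the drive boots after each one."""
    state = dict(current)
    history = []
    for addr, data in writes:
        state[addr] = data
        history.append(drive_boots(state))
    return history


def _target(flash: Flash, addr: int, new_data: bytes) -> Flash:
    """Final image: new data in place and a freshly computed checksum."""
    target = dict(flash)
    target[addr] = new_data
    return with_checksum(target, compute_checksum(target))


def patch_order(flash: Flash, addr: int, new_data: bytes) -> List[Write]:
    """Toolbox 'patch' order as reply #8 describes it: master checksum first,
    data sector, then the recalculated checksum last."""
    final = _target(flash, addr, new_data)
    return [(CHECKSUM_SECTOR, with_checksum(flash, MASTER_CHECKSUM)[CHECKSUM_SECTOR]),
            (addr, new_data),
            (CHECKSUM_SECTOR, final[CHECKSUM_SECTOR])]


def data_first_order(flash: Flash, addr: int, new_data: bytes) -> List[Write]:
    """Data first, corrected checksum second: checksum is wrong in between."""
    final = _target(flash, addr, new_data)
    return [(addr, new_data), (CHECKSUM_SECTOR, final[CHECKSUM_SECTOR])]


def checksum_first_order(flash: Flash, addr: int, new_data: bytes) -> List[Write]:
    """Corrected checksum first, data second: checksum does not match old data in between."""
    final = _target(flash, addr, new_data)
    return [(CHECKSUM_SECTOR, final[CHECKSUM_SECTOR]), (addr, new_data)]


def sample_flash() -> Flash:
    """Constructed 64-sector image (filler byte = sector index) with a valid checksum."""
    flash = {a: bytes([a >> 12]) * SECTOR_SIZE for a in range(0, 0x40000, SECTOR_SIZE)}
    return with_checksum(flash, compute_checksum(flash))


if __name__ == "__main__":
    img = sample_flash()
    new_sector = bytes([0xCB]) * SECTOR_SIZE   # constructed replacement for sector 29000
    for name, order in (("patch", patch_order), ("data first", data_first_order),
                        ("checksum first", checksum_first_order)):
        print(f"{name:15s} boots after each write: {flash_sequence(img, order(img, 0x29000, new_sector))}")
```

Only the `patch` order stays bootable after every write; the other two each pass through a state where the stored value is neither the master value nor the correct sum, which is exactly the "no matter which sector you flash first" point in reply #4. A restore is the same list read backwards, which is why the computed checksum is the last sector written there.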

Antman1

  • Archived User
  • Hero Member
  • *
  • Posts: 887
Leave v79 drive flashable after passkey removal
« Reply #9 on: May 28, 2008, 06:34:00 AM »

I can also confirm that Podger's method he has mentioned here works 100 percent.  I did not brick my v79 drive and I do not have my passkey installed any more!  I was able to read my flash and write back switching keys and such without the passkey just by using the open tray tweak.  It is very odd that Firmware toolbox does not patch this automatically!

Also I believe the passkey draws a lot of power from the drive too because without the passkey the v79 drive responds a lot quicker in toolbox and now reads all media with the passkey removed.
Logged

podger

  • Archived User
  • Hero Member
  • *
  • Posts: 501
Leave v79 drive flashable after passkey removal
« Reply #10 on: May 28, 2008, 07:40:00 AM »

Oh yeah, and the spoofing is OK with this done too... The passkey had an issue with spoofing, if you spoofed your 79 with a passkey installed it would dump garbage for ever more, the drive would still work OK.... I actually verified this by removing the flash and dumping it and the bin file was exactly as expected, i.e. a 79 spoofed as a 47....

This post has been edited by podger: May 28 2008, 02:42 PM
Logged

XmodsUK

  • Archived User
  • Sr. Member
  • *
  • Posts: 376
Leave v79 drive flashable after passkey removal
« Reply #11 on: May 28, 2008, 09:11:00 AM »

QUOTE(Antman1 @ May 28 2008, 01:34 PM)
It is very odd that Firmware toolbox does not patch this automatically!

Maybe it will be included as an option in 4.7?

Not had a chance to try this yet, but sounds like an amazingly overlooked piece of coding...
Logged

podger

  • Archived User
  • Hero Member
  • *
  • Posts: 501
Leave v79 drive flashable after passkey removal
« Reply #12 on: May 28, 2008, 11:13:00 AM »

@XmodsUK....

This really is nothing new, these 2 lines of code were uncovered within days of the 79 coming out... The passkey is designed to work around this particular code... It's not in Toolbox for a very good reason..... Money!

This post has been edited by podger: May 28 2008, 06:14 PM
Logged

XmodsUK

  • Archived User
  • Sr. Member
  • *
  • Posts: 376
Leave v79 drive flashable after passkey removal
« Reply #13 on: May 28, 2008, 11:41:00 AM »

QUOTE(podger @ May 28 2008, 06:13 PM)

@XmodsUK....

This really is nothing new, these 2 lines of code were uncovered within days of the 79 coming out... The passkey is designed to work around this particular code... It's not in Toolbox for a very good reason..... Money!


I suppose so. I just can't believe it's taken this long to become common knowledge here. I wish I'd known about it ages ago.

Anyway, now it's out, it can only be a good thing.

Does that .exe file work OK? I've not got a 79 drive hanging about to test it on.

This post has been edited by XmodsUK: May 28 2008, 06:53 PM
Logged

Antman1

  • Archived User
  • Hero Member
  • *
  • Posts: 887
Leave v79 drive flashable after passkey removal
« Reply #14 on: May 28, 2008, 11:28:00 AM »

QUOTE(XmodsUK @ May 28 2008, 12:41 PM)
I suppose so. I just can't believe it's taken this long to become common knowledge here. I wish I'd known about it ages ago.

Anyway, now it's out, it can only be a good thing.

Does that .exe file work OK? I've not got a 79 drive hanging about to test it on.


The last link I gave (79 patch) will have the updated readme.  If you use it make sure to follow Podger's directions and use the one that corresponds to your key's address.
Logged