First of all, hi to all. My first post.
Second, sorry for my bad English; I hope this post is readable enough.
This can be (potentially) a method to recreate (partially or fully) the "Drive Serial" data for those who are missing it. Whether it can be fully or partially recreated depends on help from the users here, so please read on.
As you all know, correct extraction of the data from a Lite-On drive requires updated tools (such as DosFlash 1.7+, DVDKey 1.2+, DVDKey32 0.7+, Firmtool 1.3.1+ and so on). If the data was extracted with earlier tools, the "Drive Serial" isn't complete for this DVD reader; e.g. Firmtool 1.3.1+ reports it with a warning: lite-on serial appears to be partially incomplete.
I flashed my drive before the updated tool set was available, so I was caught in the net of those who have a good local iXtreme, but a (future) problematic one on LIVE!
I decided to try to solve this, and Googling for it I was surprised that no info about the "Drive Serial" could be found... so I started doing it myself (or at least trying to).
So here is the part.
The "Drive Serial" can be read from 0x1ff00 in the dummy.bin file created by the tool or directly from the target spoofed firmware, with a hex editor or using jungleflasher (load from dumped data).
A typical incomplete "Drive Serial" looks like this:
CODE
0000: 44 36 30 38 43 47 38 33 - SS SS SS SS SS SS SS SS D608CG83SSSSSSSS
0010: 31 20 20 20 FF FF FF FF - FF FF FF FF FF FF FF FF 1   ............
0020: FF FF FF FF FF FF FF FF - 41 30 FF FF FF FF FF FF ........A0......
0030: FF FF FF FF FF FF FF FF - FF FF FF FF FF FF FF FF ................
0040: FF FF FF FF FF FF FF FF - FF FF FF FF 41 31 FF FF ............A1..
SS SS SS = My hidden data.
"FF FF FF ..." may be "58 58 58 ..." if the serial data is read from the target firmware prepared with firmtool 1.3.1+.
Searching for such dumps on the internet, I found some interesting patterns and a source of intuition. I found that a typical complete "Drive Serial" can be this (call this the A0 version):
CODE
0000: 44 36 30 38 43 47 38 33 - SS SS SS SS SS SS SS SS D608CG83SSSSSSSS
0010: 31 20 20 20 FF FF FF FF - YY YY YY YY YY YY YY YY 1   ....YYYYYYYY
0020: YY YY YY YY YY YY 58 58 - 41 30 FF FF ZZ ZZ ZZ ZZ YYYYYYXXA0..ZZZZ
0030: ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ - ZZ ZZ ZZ ZZ ZZ ZZ 00 00 ZZZZZZZZZZZZZZ..
0040: FF FF FF FF FF FF FF FF - FF FF FF FF 41 31 FF FF ............A1..
or this (call this the non-A0 version):
CODE
0000: 44 36 30 38 43 47 38 33 - SS SS SS SS SS SS SS SS D608CG83SSSSSSSS
0010: 31 20 20 20 FF FF FF FF - YY YY YY YY YY YY YY YY 1   ....YYYYYYYY
0020: YY YY YY YY YY YY 58 58 - KK KK FF FF ZZ ZZ ZZ ZZ YYYYYYXX....ZZZZ
0030: ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ - ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZ ZZZZZZZZZZZZZZZZ
0040: FF FF FF FF FF FF FF FF - FF FF FF FF 41 31 FF FF ............A1..
So I was thinking that a "Serial Number" is an identifier and must be visible in some manner, otherwise it would be a key!!! Not such a bad thought...
Let's go in order.
The ...SSSSSSSS... data is surely present in the dump; it's our DVD serial number, printed here (except for the last digit, which seems to be always 0 or 1):
(IMG: http://www.freeimagehosting.net/uploads/cfc467676a.jpg)
The YYYYYYYYYYYYYYXX is the optical serial number; it is always 16 chars long and (from my dumps) it always ends with "XX". Most of the time it starts with "8" (e.g. 8C, 8G, 8F).
It can be found here:
(IMG: http://www.freeimagehosting.net/uploads/04be7367a5.jpg)
The ZZZZZZZZZZZZZZZZZZ[ZZ] is the dvd-mobo serial number and is slightly different; it depends on whether 0x0028 is "A0" or something else.
If it's "A0" then the length is always (from my dumps) 18 chars.
If it's not "A0" then the length is always (from my dumps) 20 chars.
But it always starts with "S4P8".
It can be read by removing both covers of the DVD unit and placing it face up (with the optical LED up). Pay attention to the LED/photo-LED and be careful: do not touch, do not expose to strong direct light, do not incinerate (for those who smoke)... and bla bla bla.
The photo is a bit dark but you can find it easily:
(IMG: http://www.freeimagehosting.net/uploads/cf69428a67.jpg)
Now, there are 2 questions directed to all contributors:
1) A0 or non A0?
I found this value in my incomplete dump (dummy.bin)
CODE
...
0020: FF FF FF FF FF FF FF FF - 41 30 FF FF FF FF FF FF ........A0......
...
Is this value dumped or autogenerated by the old tools? Because if it is dumped, we have one more piece of info directly from the "problematic" dummy.bin/spoofed firmware... if it is autogenerated, we need to know how to retrieve it! (Remember that this can help us find out the length of the dvd-mobo sn; see the doubt in point 2.)
Can someone bring this question to the attention of the programmers? (e.g. Geremia, C4Eva...)
2) The perfidious number
Looking at the dvd-mobo label, I have a second number (2 digits) in the bottom-right corner
(IMG: http://www.freeimagehosting.net/uploads/ca19952c1a.jpg)
I called it perfidious because my label sn length is 18... so I'm not sure if I need to add those 2 digits (it depends on whether the previously mentioned "A0" is dumped or generated) and create a 20-char sn, or if the sn is complete.
Can any of you post your experience related to those questions?
For any of you who have a correct dump (18/20 chars, A0/not A0 in the dummy.bin): can you check whether the "perfidious" number is the last part of the dvd-mobo sn, or whether the entire sn is simply written in the 2 rows of the label and the perfidious number is not related to the sn? (With the box already opened for the hack, removing both covers and writing down a number takes approximately 15 seconds for you, but it is very helpful for us.)
The more of us there are, the better for the complete "Drive Serial" recreation!
Thank you for your contribution.
Have a good hack.
This post has been edited by GiampyXBS: Jan 26 2009, 08:59 AM
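The block layout described in the post above, as a read-only parser that reports which fields were never dumped. This is an added example, not part of the original post or of any tool it names; the function names and the sample serials are constructed placeholders, and the 18/20-char lengths are the poster's observations, not a confirmed format.

```python
import sys

SERIAL_OFFSET = 0x1FF00  # where the post locates the block in dummy.bin
BLOCK_LEN = 0x50         # five 16-byte rows, as in the dumps shown
FILLER = {0xFF, 0x58}    # FF in dummy.bin, 0x58 ('X') in firmtool-prepared firmware

def is_blank(field):
    """True when a field holds only filler bytes, i.e. it was never dumped."""
    return all(b in FILLER for b in field)

def text(field):
    return field.rstrip(b"\x00 ").decode("ascii", errors="replace")

def parse_drive_serial(block):
    """Split the 0x50-byte block into the fields described in the post."""
    if len(block) < BLOCK_LEN:
        raise ValueError("need at least 0x50 bytes")
    marker = block[0x28:0x2A]
    mobo_len = 18 if marker == b"A0" else 20   # lengths observed by the poster
    fields = {"optical_sn": block[0x18:0x28],
              "mobo_sn": block[0x2C:0x2C + mobo_len]}
    out = {"drive_sn": text(block[0x00:0x14]),
           "marker": None if is_blank(marker) else text(marker)}
    for name, raw in fields.items():
        out[name] = None if is_blank(raw) else text(raw)
    out["missing"] = [n for n in fields if out[n] is None]
    return out

def sample_block(optical=b"", marker=b"A0", mobo=b""):
    """Constructed test data: placeholder serials, not values from a real drive."""
    blk = bytearray(b"\xFF" * BLOCK_LEN)
    blk[0x00:0x14] = b"D608CG83" + b"00000000" + b"1   "
    blk[0x18:0x18 + len(optical)] = optical
    blk[0x28:0x2A] = marker
    blk[0x2C:0x2C + len(mobo)] = mobo
    blk[0x4C:0x4E] = b"A1"
    return bytes(blk)

if __name__ == "__main__":
    if len(sys.argv) > 1:                      # parse a real dump, read-only
        with open(sys.argv[1], "rb") as fh:
            fh.seek(SERIAL_OFFSET)
            block = fh.read(BLOCK_LEN)
    else:
        block = sample_block()                 # incomplete "A0" layout
    print(parse_drive_serial(block))
```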