Print

[ichigoxxx]

1. Connect theDVD to a SATA port on the PC X360USB does not work
2. Turn on the DVD (I did with CK3Pro ) this must already have the cut trace
3. Open JungleFlasher v0.1.85Beta (257)
4. MTK Tab Flash32
5. Press Enter / Device ID, you get a message stating that you disconnect the DVD for 1 second, press YES
6. Power Off the DVD
7. Place PROBE III (can be a homemade) at the point that even MPX01
8. Turn on the DVD (should recognize the way "vendor"), but if it doesnt gives you "vendor" power cycle again     the DVD. Do not forget to have  PROBE III  on MPX01.
9. You can take the Probe 3 out of the MPX01 point
10. Ready! follow the instructions of the Russian program


1) Cut the track and prepare for the resistor to ground (without connecting it to the point)this is the first thing u should do)
2.Put the DVD in intro mode using the device vendor id JF (works with the cut trace).
3) Open the program by the Russians and put the port number where you connected the DVD in the box.
4) Connect the resistor
5) Click on "unlock" by giving read status should change to 0x0
6) Go to JF and click "erase"
7) ready to write the firmware

[eric4179]

QUOTE(ichigoxxx @ Jul 20 2011, 11:41 PM)

1. Connect theDVD to a SATA port on the PC X360USB does not work
2. Turn on the DVD (I did with CK3Pro ) this must already have the cut trace
3. Open JungleFlasher v0.1.85Beta (257)
4. MTK Tab Flash32
5. Press Enter / Device ID, you get a message stating that you disconnect the DVD for 1 second, press YES
6. Power Off the DVD
7. Place PROBE III (can be a homemade) at the point that even MPX01
8. Turn on the DVD (should recognize the way "vendor"), but if it doesnt gives you "vendor" power cycle again     the DVD. Do not forget to have  PROBE III  on MPX01.
9. You can take the Probe 3 out of the MPX01 point
10. Ready! follow the instructions of the Russian program
1) Cut the track and prepare for the resistor to ground (without connecting it to the point)this is the first thing u should do)
2.Put the DVD in intro mode using the device vendor id JF (works with the cut trace).
3) Open the program by the Russians and put the port number where you connected the DVD in the box.
4) Connect the resistor
5) Click on "unlock" by giving read status should change to 0x0
6) Go to JF and click "erase"
7) ready to write the firmware

 Is this what i must do for my locked drive?  But it wasn't locked  by the new update im still on 13146! i just flashed with wrong Lt plus firmware..

[ruciz]

Just spent 5 hours screwing with this

9504 slim OFW updated and locked to 0272 (13599 dash)
I had a previous dump already, and replacement PCB on the way. I kept getting a 'dump failed' when verifying the write. This is bad as it has to continue to do more sector modification after the write to lock the drive down as it was supposed to be.

Method for me is a bit different than posted, for me to make a good write or read, I have to disable the switch.

1. Cut trace, connect 12ohm resistor and switch between via and GND.
2. Turn on DVD drive and open JF 0.1.85 MTK32 tab
3. hit CTRL + F7 to refresh device, once info found power off drive.
4. hit device ID/intro, select YES and while the .... are going across probe MPX01 point with GND. power cycle drive until 0x72 status (my PMT cap was socketed between 3.3v and GND. I pinned the GND wire from this socket) once 0x72 found remove probe.
5. run the unlock program, enter port in window, hit unlock. should come up with 2 russian words. the 2nd should start with a p. if so your unlocked! (CTRL + C the popup and translate it if you need to)

AT THIS POINT I REMOVE RESISTOR! I don't know why I had to do this, but I had to!
6. flip switch to off (remove resistor)
7. in JF hit Slim UnLock - should do some unlocking and end result is read FW and dump. This may require the LTPlus-0272 file in the firmware folder if you are on 0272 firmware and need a key. (I already had dump, but after LT was wrote this is how I could obtain the key)

8. gen new LT firmware
- maybe not needed, but I did an outro, and an intro and it found 0x72 flash without MPX01 probe - this could be important for successful write)
9. erase and flash as you normally would. It should write, verify, erase a few sectors, authorised! and continue until it says successful!

Again, this took trial and error to figure out the finer points. It does work however!
If you get dump failed errors, or can't dump the key - try screwing with the switch. This may also be true for those with Winbond chipsets. Since I have no 0225 or winbond devices here I'll let someone else figure that out. Guess TX really did their research on how to bypass the SPi lock.

This post has been edited by ruciz: Jul 21 2011, 06:35 AM

[wes302]

i cant get voltage to drop below 2.4.  could some one give me a specs on resistors.

[ichigoxxx]

(IMG:https://lh3.googleusercontent.com/-poMUuttz4Ho/Tic7LCTzLuI/AAAAAAAAA78/4emIud5nX0g/s1024/DSC00476.JPG)

[dougiegillam]

QUOTE(ichigoxxx @ Jul 21 2011, 05:41 AM)

1. Connect theDVD to a SATA port on the PC X360USB does not work
2. Turn on the DVD (I did with CK3Pro ) this must already have the cut trace
3. Open JungleFlasher v0.1.85Beta (257)
4. MTK Tab Flash32
5. Press Enter / Device ID, you get a message stating that you disconnect the DVD for 1 second, press YES
6. Power Off the DVD
7. Place PROBE III (can be a homemade) at the point that even MPX01
8. Turn on the DVD (should recognize the way "vendor"), but if it doesnt gives you "vendor" power cycle again     the DVD. Do not forget to have  PROBE III  on MPX01.
9. You can take the Probe 3 out of the MPX01 point
10. Ready! follow the instructions of the Russian program
1) Cut the track and prepare for the resistor to ground (without connecting it to the point)this is the first thing u should do)
2.Put the DVD in intro mode using the device vendor id JF (works with the cut trace).
3) Open the program by the Russians and put the port number where you connected the DVD in the box.
4) Connect the resistor
5) Click on "unlock" by giving read status should change to 0x0
6) Go to JF and click "erase"
7) ready to write the firmware

Great work guys, but i will be waiting for someone like OggyUK or a Head Moderator confirms this works properly. Plus a definative guide on how to do this surfaces.

[xD34DL1N3Rx]

So is this detectable when a new dash version is released and you update? I haven't seen that mentioned at all.

[zyo]

QUOTE(xD34DL1N3Rx @ Jul 21 2011, 10:17 AM)

So is this detectable when a new dash version is released and you update? I haven't seen that mentioned at all.

No one will be able to predict that. plus it has nothing to do with flashing the firmware

[steina]

QUOTE(ichigoxxx @ Jul 21 2011, 06:41 AM)

1. Connect theDVD to a SATA port on the PC X360USB does not work
2. Turn on the DVD (I did with CK3Pro ) this must already have the cut trace
3. Open JungleFlasher v0.1.85Beta (257)
4. MTK Tab Flash32
5. Press Enter / Device ID, you get a message stating that you disconnect the DVD for 1 second, press YES
6. Power Off the DVD
7. Place PROBE III (can be a homemade) at the point that even MPX01
8. Turn on the DVD (should recognize the way "vendor"), but if it doesnt gives you "vendor" power cycle again     the DVD. Do not forget to have  PROBE III  on MPX01.
9. You can take the Probe 3 out of the MPX01 point
10. Ready! follow the instructions of the Russian program
1) Cut the track and prepare for the resistor to ground (without connecting it to the point)this is the first thing u should do)
2.Put the DVD in intro mode using the device vendor id JF (works with the cut trace).
3) Open the program by the Russians and put the port number where you connected the DVD in the box.
4) Connect the resistor
5) Click on "unlock" by giving read status should change to 0x0
6) Go to JF and click "erase"
7) ready to write the firmware

I have a 0401 with winbond that I'm going to try flashing later.
I have allready dumped the key with my x360usb.
Are steps 1-10 necessary for flashing, or can I go straight to cutting the track?
Can I do a full firmware dump with this method?

Thanks

[BoNg420]

QUOTE(steina @ Jul 21 2011, 07:41 AM)

I have a 0401 with winbond that I'm going to try flashing later.
I have allready dumped the key with my x360usb.
Are steps 1-10 necessary for flashing, or can I go straight to cutting the track?
Can I do a full firmware dump with this method?

Thanks

From what I read I don't think this will work with winbond chip yet or they haven't got it to work yet.

[steina]

QUOTE(BoNg420 @ Jul 21 2011, 03:18 PM)

From what I read I don't think this will work with winbond chip yet or they haven't got it to work yet.

Some claims that winbond is possible if you get voltage down to 1v.
Think I'll try later today.

But my question still is: Is step 1-10 necessary? Are those steps for key-dumping or do I need to use my pmt for flashing?

[ichigoxxx]

this steps are for flashing only and yes first thing u need to do is cut the trace.
and its been confirm on winbond , voltage needs to be 4.7 from what i have read, i don't have one yet will confirm this afternoon when i get one

[dradra]

Only missing is relock the drive...

[piggymouth]

Thinking of the future firmware updates. Were not done playing cat & mouse games with M$. Another version of the firmware will be released, so with cutting that trace and resurfacing it with solider, how hard is it to break it again?  It would be really nice to have some kind of switching for this situation.

Eventually you could wear out the PCB board and have to replace it.

[GHR]

QUOTE(piggymouth @ Jul 21 2011, 06:20 PM)

Thinking of the future firmware updates. Were not done playing cat & mouse games with M$. Another version of the firmware will be released, so with cutting that trace and resurfacing it with solider, how hard is it to break it again?  It would be really nice to have some kind of switching for this situation.

Eventually you could wear out the PCB board and have to replace it.

Well, first off - Relax. TX are probably gonna release LT+ Switch or something for that very purpose.
Secondly, If m$ wants to flash any of the current slim drives again, they would have to unlock the SPI - Once they do it, someone of great knowledge from the scene (G\C4\TMF\MAX) will have the cmd sniffed and then funny times will come.