xboxscene.org forums


Author Topic: Build A Working Xbox Hd From Scratch  (Read 1745 times)

ldots

« Reply #75 on: April 22, 2004, 01:08:00 PM »

QUOTE (Chicken Scratch Boy @ Apr 22 2004, 12:57 AM)
any news on either xbedump or the factoring of the password?

Found some "different" keys with the help of Catfish. Don't know if they are though, audio of font. Testing should reveal this. Had no time to include them though.

Spent more time on the HD key and locking thing. Found some code which was more or less ripped from the xbox-linux project that contained the HD key generation algorithm. Made a few changes to fit the use on a PC and voila! It loads the eeprom and generates the correct key. Look at my other thread for news on xboxhdm.
This is more or less the code from Speedbump, Franz, Ed,... Thanks guys!

Incredibly enough, Catfish pointed me to a mailing list where some guy was trying to get some code from CVS at xbox-linux to generate HD keys (thanks Catfish). Said he found and solved some bugs. I was not able to get this to run though...

However the locking/unlocking is another story. From the above mentioned code and reading the ATA specs you pointed me to it seems very simple to issue the SECURITY UNLOCK command. I did this but no success. The program hangs for 5 secs or so, then fails. I think it's the built-in counter of the ATA specs that kicks in. No further attempts can be made and I have to reboot. Debugging gets rather tiresome this way.
I could really use someone with knowledge on this. From the ATA_IDENTIFY command I get that the security level of the drive is set to maximum. From the ATA specs I understand that even issuing an UNLOCK command with the MASTER passwd will fail at this level - or maybe I'm getting something wrong here!

I'm also not quite sure how many bytes I should pass to the controller. The ATA specs say that the UNLOCK command will transfer 256 words (512 bytes) to the controller. First word contains a control word and some passwd identifiers (user/master), next 16 the passwd (32 bytes). Question is what this 1st word should be? Is the UNLOCK command (0xF2) the control word itself or is this not included in the 512 bytes, and from my findings on the security levels, should I use user or master passwd. I thought user initially...

Must be able to find the answers somewhere though. Another possibility was to embed the asm-code of hdunlock now that we have the hd key. Would be cleaner to send the commands though.

Chicken Scratch Boy

« Reply #76 on: April 26, 2004, 06:59:00 AM »

well, i haven't checked the specs specifically for this recently, but i think the maximum level means that it auto relocks unless you do a hdd unlock disable command on it after you unlock it...

in terms of pws i think user may work, not sure....

and i think that the 1 word command counts in the 512 bytes...

don't quote me on any of that, i'll re-check it with the spec and post back with confirmation

edit:

ok the commands pass 255 words, word 0 is the command.... so yeah basically word 1 is the command, and use another 255

once more:

you need the user password for unlocking from maximum state, MASTER does not work

and again:

the command is "as described in table 40"

http://www.t13.org/d...02/d1410r3b.pdf pdf page 232 bottom of the page...

ldots

« Reply #77 on: April 26, 2004, 10:11:00 AM »

Thanks for your effort CS Boy. The ATA document you link to was a more recent revision than I had, but they are identical, I think, on the SECURITY UNLOCK section.

Looked at it a bit more. I think now that the Security Unlock command (0xF2) is not included in the 512 bytes. The 1 word of this (word 0) is the control word but it does not include the command itself, only the master/user passwd bits, and some reserved bits. This also fits together with the Pascal/asm code of hdunlock that I looked at again. Here the 0xF2 command is written to the registers directly in the asm block and later in this block the 'SecRecord' is dumped. This includes '0000' to begin with, which would be true if user passwd was used and then the 32-bit passwd. So I feel quite sure now that the 512 byte record should be set up as (00 00 XX XX XX ... and so on.).
Problem now is the UNLOCK command. The linux code of Ed's uses the 'ioctl' command from the linux kernel to dump the 512 bytes to the HD. He sets up a 516 byte record where the first two words are then (F2 00 00 00). When I do this I get the same 3-4 sec. hanging and then the HD doesn't accept any input until I reboot. I also tried putting (F2 00) in front of the 512 byte record -> no go! Also tried just (F2) -> no go!

This is all the experimenting I have time for today. Again maybe I should try to embed the asm code of hddunlock.
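The data block layout discussed in replies #75 to #77, written out as an added example (not code from the thread, hdunlock or xbox-linux): in the ATA SECURITY UNLOCK data block, word 0 is the control word with the user/master identifier in bit 0, words 1-16 hold the password, and the 0xF2 opcode belongs in the command register rather than the buffer. The function and macro names and the sample key are assumptions made for this sketch; it only builds and checks the buffer and sends nothing to a drive.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>

#define ATA_CMD_SECURITY_UNLOCK 0xF2   /* command register value, never part of the data */
#define ATA_SECTOR_BYTES        512    /* 256 words moved in the data-out phase */
#define ATA_PASSWORD_BYTES      32     /* words 1-16 */
#define ATA_ID_USER             0x0000 /* word 0 bit 0 = 0: compare user password */
#define ATA_ID_MASTER           0x0001 /* word 0 bit 0 = 1: compare master password */

/* Fill `block` with the SECURITY UNLOCK data block. Returns 0 on success,
 * -1 if the key does not fit the password field or the identifier is invalid. */
int build_unlock_block(uint8_t block[ATA_SECTOR_BYTES], uint16_t identifier,
                       const uint8_t *key, size_t key_len)
{
    if (key == NULL || key_len > ATA_PASSWORD_BYTES || (identifier & ~1u))
        return -1;
    memset(block, 0, ATA_SECTOR_BYTES);       /* reserved words 17-255 stay zero */
    block[0] = (uint8_t)(identifier & 0xFF);  /* word 0, low byte first */
    block[1] = (uint8_t)(identifier >> 8);
    memcpy(block + 2, key, key_len);          /* shorter keys are zero padded */
    return 0;
}

/* Sanity check before sending: catches the layouts tried in the thread. */
int check_unlock_block(const uint8_t block[ATA_SECTOR_BYTES])
{
    if (block[0] == ATA_CMD_SECURITY_UNLOCK)
        return -1;                            /* opcode put in front of the record */
    if ((block[0] & 0xFE) || block[1])
        return -2;                            /* reserved control-word bits set */
    for (size_t i = 2 + ATA_PASSWORD_BYTES; i < ATA_SECTOR_BYTES; i++)
        if (block[i])
            return -3;                        /* reserved words 17-255 not zero */
    return 0;
}

int main(void)
{
    uint8_t key[20], block[ATA_SECTOR_BYTES]; /* constructed 20-byte sample key */
    for (size_t i = 0; i < sizeof key; i++)
        key[i] = (uint8_t)(0xA0 + i);
    if (build_unlock_block(block, ATA_ID_USER, key, sizeof key) != 0)
        return 1;
    return check_unlock_block(block) == 0 ? 0 : 1;
}
```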

Chicken Scratch Boy

« Reply #78 on: April 26, 2004, 01:04:00 PM »

hmm weird.... you pad out the key, right?

ldots

« Reply #79 on: April 27, 2004, 09:01:00 AM »

, but that it is simply not possible to issue these commands on a fully booted system. After the kernel has done its hardware detection maybe it has grabbed the device so that it will not accept the ATA commands (the IDENTIFY command is accepted though). Must be the same thing with Win XP. Why else do no locking/unlocking tools exist for windows? Looked at the source for liveinfo. It has everything needed to issue locking/unlocking commands (the offsets are even defined in the code), but still this option does not exist in Liveinfo. All our locking/unlocking tools must be run from DOS which could be an "unprotected" OS, in terms of IDE devices.

I think for this to be done for linux it has to be implemented in the linux kernel (like it is in Cromwell) or in the bootloader. Could be done, but it's a more involved project - at least for me. I think I also read somewhere that these ATA commands should be issued on BIOS level or on a low level of the boot process.

Wish someone could confirm or deny this. Apart from the educational aspect of this, it would be a waste of time to keep pursuing this if the linux kernel doesn't permit such operations.

Chicken Scratch Boy

« Reply #80 on: April 27, 2004, 01:24:00 PM »

i believe you are right... alternatively, why not write a text file that a dos program will read as dos boots, launching the locking/unlocking program, giving it the key, and deleting the textfile... or at least the boot flag part...

ldots

« Reply #81 on: April 27, 2004, 01:42:00 PM »

QUOTE (Chicken Scratch Boy @ Apr 27 2004, 10:24 PM)
i believe you are right... alternatively, why not write a text file that a dos program will read as dos boots, launching the locking/unlocking program, giving it the key, and deleting the textfile... or at least the boot flag part...

Could look into that. Would require me to dig out an old Turbo Pascal compiler for DOS and add this reading of passwd file to the hdlock/hdunlock code. But it's an alternative automated approach...

Chicken Scratch Boy

« Reply #82 on: April 29, 2004, 04:07:00 PM »

have you started out on this, cause if you haven't i could start cracking down on it tomorrow, aim to get it done by monday, can't be too hard to get the syntax down and insert a few lines of code, eh?

ldots

« Reply #83 on: April 29, 2004, 10:22:00 PM »

I guess it would be easiest to just have the program load the 20-bit hdd key (omitting the zeros). The code pads up remaining zeros anyway.
Maybe one could also omit the code for unlocking drives on the slave ide channel since xboxhdm assumes the drive to be master anyway. Not a big deal though.

Chicken Scratch Boy

« Reply #84 on: April 30, 2004, 05:57:00 AM »

heh, that's what i was thinking...

what exactly is the format of the data in the file with the password in it, i don't really have a copy of the distro on hand now...

it'd be great if it was the same as one put out by evox and config magic

ldots

« Reply #85 on: April 30, 2004, 06:31:00 AM »

Why not just let it be a simple txt file with just the password and nothing else. Like the log-file it produces. If people wanted to use this outside xboxhdm, they could just paste the password from evox or configmagic in a textfile themselves. I'm not sure the format of the hdkey output from xboxhdm will be static anyway - I have changed some things for next release.

I was thinking that this would be used when people ask xboxhd to generate the hdd password. Then prompt the user for the possibility to insert floppy and make DOS floppy with hdlock/hdunlock and the password supplied.

Chicken Scratch Boy

« Reply #86 on: April 30, 2004, 06:38:00 AM »

why not compile the eeprom reader for dos, what is it written in, by the way...

ldots

« Reply #87 on: April 30, 2004, 06:54:00 AM »

It's written in C. But it would take a lot of rewriting, since some linux kernel headers and functions are used.
If you are up for such a task I would have a look at the source code of liveinfo and TAunlock instead. This is in cpp, but I don't know if you could compile this for DOS and not windows?

ldots

« Reply #88 on: April 30, 2004, 07:05:00 AM »

QUOTE (Biniecki @ Apr 30 2004, 03:53 PM)
So is there a distro hosted anywhere for this cuz that would be awesome and a lot easier also how do u go about hot swapping cuz if i can clone the xbox HD to a bigger 1 and put it in by hot swapping then i would do that too

Check the pinned topics.
Don't know what you mean by "put it in by hot swapping"? Your new drive must be locked with a unique password (different from the one used on the retail HDD) to be able to boot. All needed information is in the pinned topics (link in my sig.)

Chicken Scratch Boy

« Reply #89 on: April 30, 2004, 06:20:00 PM »

well, i've written some code, but can't seem to find a compiler... maybe you can give me a link i found one but it's a little nutty, plus made in what.... 1994?