Post by: podger on May 26, 2008, 05:32:00 PM
Firstly, this is nothing new, I just stumbled over it a while back in xboxhacker.net but it was never confirmed and I only recently had a spare 79 to test it .. You would still need to install a passkey initially to be able to change the code.... It could be very useful if you had a stack of 79's for sale or something...
This is the code in a 79 Rom with key at 4E10, the code blocks reading/writing from the flash if bit 5 of location 5BD is set, the code looks like this dissassembled...
CODE
ROM0:90029FF9 btst 0x10, (0x5BD) ! If bit 0x10 (bit 5) of 5BD is off then exit (no load code)
ROM0:90029FFE beq exit
ROM0:9002A000 mov 0x5D8, A2
ROM0:9002A003 mov A2, A0
You need to ignore the addresses somewhat as this code is at different locations depending on which key rev of 79 you have...
i.e.
Key @ Code Address
4B00 90029FE0
4E10 90029FF9
4D20 90027260
4C30 90027262
Here's what to do ( I am assuming you have flashed a 78/79 before and that you know what you are doing, too many step make it hard to read)
1. Install passkey
2. Dump firmware
3. Make several backups - I didn't do this, I already have 1000's of copies of my key
4. Smart hack patch and open the file
5. Flash this file
nothing new here...
I reboot the dvd drive at this stage and check it was still working dumping etc..
Now the good bit
1. I dumped again
2. Closed toolbox
3. Opened the dump in hexeditor
4. Search for FE 82 BD 05 10 C8 26 - this is the machine code for the assembly above
5. Replace this with CB CB CB CB CB CB CB - machine code for NOP, i.e. just do nothing
6. Save the file no need to mess with checksums as the master checksum is set to 00 00 00 00
7. Open file in toolbox - read detect differences - there should onlly be 1 sector i.e. 90027000 or 90029000 depending on the version you have
8. Flash this file..
9. Remove passkey, should still dump flash etc
You may want to update the orig.bin also for the sake of restore and future updates.. If you were to restore the orig.bin as it is it would restore the code above and be unreadable again, and need a passkey..
1. Open the orig.bin in hexeditor.
2. Search for FE 82 BD 05 10 C8 26
3. Replace this with CB CB CB CB CB CB CB
4. Save the file.
5. VERY IMPORTANT BIT - Open it in toolbox and verify the check sum.and accept the change..
I have done this more than once and it works for me... I have also restored back to the edited orig.bin and then hacked it all over again without issue.....
Other member have also tested.
But as usual there are no guarntees, use at your own risk... You could brick your drive...
http://www.xboxhacker.net/index.php?topic=6963.0
This post has been edited by podger: May 27 2008, 12:36 AM
Post by: Antman1 on May 26, 2008, 05:44:00 PM
Mod Edit: link removed per users request, see post #7.
This post has been edited by Grim187: May 29 2008, 02:00 AM
Post by: jimbobjim on May 27, 2008, 06:14:00 AM
Nice work
Post by: Antman1 on May 27, 2008, 06:58:00 AM
This is incorrect because the file has been smart hack patched so it will have many different sectors but should be fine. Just reduces the amount of steps to take. you can patch the original backup you made first if you wish then flash it with smart hack patcher and it will be only 1 different sector it will see but it should work fine for it to do it all at once.
Post by: podger on May 27, 2008, 08:37:00 AM
Most users will be able to get through the first stages using Textbooks guide etc..... And this is a proven entity...
I hexedit the second dump from drive after it is hacked, coz by this stage the checksum has been set to the master checksum ( all 00's) so there is far less chance of bricking your drive... Also a lot of member will already be at this stage....
I reopen this file with Firmware Toolbox and "Read detect differences" against what's already on the drive, the only difference should be the sector you hexedited....
The order of the steps is important...
Under no circumstances should you try to dump the orig.bin, hexedit it, fix the checksum and attempt to flash, this will brick your drive..... This will happen because no matter which sector you flash first will render the checksum incorrect.... If you change the checksum first the it will not match the data and if you flash the data first the checksum will be wrong... This is why the very first sector always flashed is the one with the master checksum, this is the last sector flashed in a restore.......
This post has been edited by podger: May 27 2008, 03:42 PM
Post by: Antman1 on May 27, 2008, 09:01:00 AM
Post by: Antman1 on May 27, 2008, 10:34:00 AM
79 AntiPasskey Patch!
Post by: cory1492 on May 27, 2008, 08:54:00 PM
QUOTE(podger @ May 27 2008, 08:37 AM) 
Under no circumstances should you try to dump the orig.bin, hexedit it, fix the checksum and attempt to flash, this will brick your drive..... This will happen because no matter which sector you flash first will render the checksum incorrect.... If you change the checksum first the it will not match the data and if you flash the data first the checksum will be wrong... This is why the very first sector always flashed is the one with the master checksum, this is the last sector flashed in a restore.......
For whatever reason, this doesn't make sense to me at all... if this was the case we couldn't do sector flashing at all, no? (Unless you mean flashing a full orig.bin instead of a differential flash?) And your third step of patching/correcting the orig.bin would then be pointless too...
-dump orig.bin
-hexedit orig.bin
-fix checksum (to keep orig for going back later)
-smarthack/patch to ixtreme
-differential flash ixtreme
...simply because I'd bet it would work if I had a backup plan... (IMG:style_emoticons/default/laugh.gif) Still kind of boggles me that this isn't in the smart hack patcher already, though.
This post has been edited by cory1492: May 28 2008, 03:56 AM
Post by: podger on May 28, 2008, 04:59:00 AM
You will find that one of the first sectors flashed is always 3e000, this is not included in the checksum calculation and contains the Check sum. With this set to the Master Checksum you can then flash whatever you like without fear of the drive going into recovery mode due to a bad checksum calculation..
The opposite is also true, on a restore the last sector flashed back would be the calculated checksum.....
So basically, if you wanted to change a sector, you should first change the checksum to master checksum, flash your sector, then flash the checksum with the new calculated checksum....
The patched orig.bin (as long as you calculated correctly in toolbox) would be valid as you would generally be restoring from a hacked state with the Master Checksum in place.... There are 2 menu option in Toolbox (patch) and (restore) when you select (restore) it does the chcksum last, (patch) does it first....
I'm not saying what you suggest is wrong... But a lot of people's drives would already be modded, so that's why I stepped in 2 parts.... Also, while I was testing I had issues with my passkey and bricked my drive several times.. I do however have a backup plan, so it wasn't a problem..... This method was the only one that didn't cause ANY issues for me.
And, as for smart hack patcher, that's a no-brainer business decision....
This post has been edited by podger: May 28 2008, 12:00 PM
Post by: Antman1 on May 28, 2008, 06:34:00 AM
Also I believe the passkey draws a lot of power from the drive too because without the passkey the v79 drive responds a lot quicker in toolbox and now reads all media with the passkey removed.
Post by: podger on May 28, 2008, 07:40:00 AM
This post has been edited by podger: May 28 2008, 02:42 PM
Post by: XmodsUK on May 28, 2008, 09:11:00 AM
QUOTE(Antman1 @ May 28 2008, 01:34 PM) 
It is very odd that Firmware toolbox does not patch this automatically!
Maybe it wil be included as an option in 4.7?
Not had a chance to try this yet, but sounds like an amazingly overlooked piece of coding...
Post by: podger on May 28, 2008, 11:13:00 AM
This really is nothing new, these 2 lines of code were uncovered within days of the 79 coming out... The passkey is designed to work around this particular code... It's not in Toolbox for a very good reason..... Money!
This post has been edited by podger: May 28 2008, 06:14 PM
Post by: XmodsUK on May 28, 2008, 11:41:00 AM
QUOTE(podger @ May 28 2008, 06:13 PM)
@XmodsUK....
This really is nothing new, these 2 lines of code were uncovered within days of the 79 coming out... The passkey is designed to work around this particular code... It's not in Toolbox for a very good reason..... Money!
I suppose so. I just can't beleive it's taken this long to become common knoweldge here. I wish I'd known about it ages ago.
Anyway, now it's out, it can only be a good thing.
Does that .exe file work OK? I've not got a 79 drive hanging about to test it on.
This post has been edited by XmodsUK: May 28 2008, 06:53 PM
Post by: Antman1 on May 28, 2008, 11:28:00 AM
QUOTE(XmodsUK @ May 28 2008, 12:41 PM)
I suppose so. I just can't beleive it's taken this long to become common knoweldge here. I wish I'd known about it ages ago.
Anyway, now it's out, it can only be a good thing.
Does that .exe file work OK? I've not got a 79 drive hanging about to test it on.
the last link I gave 79 patch will have updated readme. if you use it make sure to follow podgers directions and use the one that corresponds to your keys address.
Post by: XmodsUK on May 28, 2008, 12:01:00 PM
QUOTE(Antman1 @ May 28 2008, 07:04 PM)
the last link I gave 79 patch will have updated readme. if you use it make sure to follow podgers directions and use the one that corresponds to your keys address.
Cheers, I have got that. Can't wait to get a 79 in to see it working (not that I'm doubting you!).
Post by: OggyUK on May 28, 2008, 05:47:00 PM
Now, will this shame Maximus/Carranzafp into releasing a 4.7 to incorporate this?
Or has this named and shamed him as a hacker turned money grabber?
I know you honestly believe there isnt a software only solution and doubt it will ever happen, but how many people have left this 79 business up to Maximus/Carranzafp as he has always done us good
IIRC it was only rolling code stopping 78's for so long, but from what I gathered of your email this one bit really is undefeatable software wise.
Keep up the good work though mate
Post by: cory1492 on May 29, 2008, 03:22:00 AM
QUOTE(podger @ May 28 2008, 04:59 AM)
So basically, if you wanted to change a sector, you should first change the checksum to master checksum, flash your sector, then flash the checksum with the new calculated checksum....
The patched orig.bin (as long as you calculated correctly in toolbox) would be valid as you would generally be restoring from a hacked state with the Master Checksum in place.... There are 2 menu option in Toolbox (patch) and (restore) when you select (restore) it does the chcksum last, (patch) does it first....
I'm not saying what you suggest is wrong...
The patched orig.bin (as long as you calculated correctly in toolbox) would be valid as you would generally be restoring from a hacked state with the Master Checksum in place.... There are 2 menu option in Toolbox (patch) and (restore) when you select (restore) it does the chcksum last, (patch) does it first....
I'm not saying what you suggest is wrong...
Basically what I get out of it too, is if you wanted to go from orig.bin directly to orig_hexd.bin one could "restore" it to that? Just wanted to know which quirks of the whole thing was buggering the sense it should have made to me - thanks for the explanation. Thanks for "guinea-pigging" it and showing the rest of us too (IMG:style_emoticons/default/smile.gif) I've got good programmers, but that definitely doesn't add up to a good epoxy remover.
This post has been edited by cory1492: May 29 2008, 10:23 AM
Post by: podger on May 29, 2008, 04:50:00 AM
QUOTE(cory1492 @ May 29 2008, 09:22 AM)
Basically what I get out of it too, is if you wanted to go from orig.bin directly to orig_hexd.bin one could "restore" it to that? Just wanted to know which quirks of the whole thing was buggering the sense it should have made to me - thanks for the explanation. Thanks for "guinea-pigging" it and showing the rest of us too
I've got good programmers, but that definitely doesn't add up to a good epoxy remover.No, I wouldn't risk it, using restore would have the same/opposite problem. Flashing the hex'd sector first would mean the checksum would be wrong..... You just need to accept that changing any sectors with out the Master Checksum set will very likely lead to a bricked drive stuck in recovery mode.... Some sectors are not included in the checksum calculation, I don't have a list, but for instance the sector the Key is in doesn't appear to be included, as flashing the key does flash the checksum
If you just want a "stock" 79 that you can flash... just follow my steps from start to finish...
a. Dump the orig.bin
b. Smart hack (patch) it with the Passkey in place
c. Dump the modded
d. Hexedit it and flash (patch) it.
e. Remove passkey and test, should dump like a 78
f. Hexedit the Orig.bin
g. Open the orig.bin AND VALIDATE the checksum AND accept the changes
h. to be double sure close toolbox and open the hexd_orig again and VALIDATE checksum, it should return OK!
i. Flash this file (restore)
I have done this and I confirm it does work for me, at least!
Post by: Antman1 on May 31, 2008, 09:42:00 AM
QUOTE(cory1492 @ May 29 2008, 04:22 AM)
Antman1: open tray tweak...? I was under the impression slax was the way with this patch (also essentially meaning spoofed drives wouldn't unlock without a key again.)
Basically what I get out of it too, is if you wanted to go from orig.bin directly to orig_hexd.bin one could "restore" it to that? Just wanted to know which quirks of the whole thing was buggering the sense it should have made to me - thanks for the explanation. Thanks for "guinea-pigging" it and showing the rest of us too
I've got good programmers, but that definitely doesn't add up to a good epoxy remover.Sorry for the long delay in responding. when the 79 drive is patched to iXtreme1.4 it still puts the modeB Tray tweak in it. so if you patch to iXtreme1.4 the modeB Tray tweak will still work and if you did the Patch like Podger has setup it works just like the 78 drive. with original patched like Podger said you have to use Slax
Post by: podger on May 31, 2008, 01:11:00 PM
You should give this method a try, just another discovery I made. You can initiate Mode-b from windows with a Via card, other might work also..... if you have other maybe you could port your results...
http://forums.xbox-s...howtopic=651006
Post by: Dre@m on June 02, 2008, 12:20:00 AM
I used 79Patch and 79-4E10.ppf. (My key address @4E10)
Open tray ModeB method works fine for me, after patch.
Nice tut guys...
Post by: Perplexer on July 05, 2008, 11:19:00 PM
I know there are a TON of flashed v79 drives out there with no passkey installed. This simple patch means you won't ever have to bring a soldering iron near your v79 again... and as mentioned, it would be great to see this fix incorporated into Firmware Toolbox 4.7...
Post by: podger on July 06, 2008, 06:40:00 AM
Especially as the Passkey website (useless as it is ) reccommends that you disable it and leave it in place for future upgrades in an effort to force there to be one passkey for every 79... Besides that a lot of people report that the drive just doesn't work in the console with the passkey installed coz it keeps putting the drive in Mode-B...
Another problem with the passkey is. it stops working when you spoof the drive. So if you install the passkey then spoof it as a Benq, then that it, no more dumping or flashing, the passkey won't work....
Post by: Antman1 on August 03, 2008, 07:06:00 AM