Post by: calloused labia on September 06, 2008, 10:00:00 PM
The member who posted it was asked to elaborate but never did.
After spoofing BenQs as Samsungs and Samsungs as BenQs using Firmtool 1.2 , I ran across something that indicated a Samsung spoofed to a BenQ is detectable. At least by Firmware Toolbox.
After spoofing a Benq to appear as a Samsung using Firmtool 1.2 I opened the spoofed firmware in Firmware Toolbox. Firmware Toolbox lists the "ROM version" of a "Samsung Spoofed" BenQ exactly how the original Samsung Firmware is seen. This is good.
=====================================================================
This is the original TS 25 firmware as seen by Firmware Toolbox
(IMG:http://i443.photobucket.com/albums/qq159/callousedlabia/360/orig25.jpg)
=========================================================================
This Benq iXtreme firmware spoofed as a Samsung TS 25 using Firmtool 1.2 . Firmware Toolbox sees the Rom Version as the same.
(IMG:http://i443.photobucket.com/albums/qq159/callousedlabia/360/ftoolbox.jpg)
The Rom version is identical!
============================================================================
============================================================================
But when I use Firmtool 1.2 to make a Samsung appear like a BenQ, Firmware Tool Toolbox lists the ROM version with strange characters in it. ( I have been able to duplicate it several times ).
=============================================================================
=============================================================================
Original BenQ Firmware
(IMG:http://i443.photobucket.com/albums/qq159/callousedlabia/360/stock.jpg)
===========================================================================
Samsung xtreme Firmware spoofed as BenQ using Firmtool 1.2. Firmware Toolbox has an issue with the ROM Version
(IMG:http://i443.photobucket.com/albums/qq159/callousedlabia/360/wierd.jpg)
Wierd characters
==========================================================================
If Firmware Toolbox can see this difference then could MS?
( Scuba where is Firmtool version 1.3? You told me last month on a separate but another spoofing related scenario that I should use that)
This post has been edited by calloused labia: Sep 7 2008, 05:01 AM
Post by: darkshadow2k8 on September 06, 2008, 10:58:00 PM
Post by: CasioNo15 on September 07, 2008, 04:52:00 AM
If you open up an iXtreme firmware with toolbox, for example a benq firmware, it will detect it as iXtreme and go to an specific offset to look which iXtreme version this firmware is.
For Benq this could be 0x5FE0. I don´t know if it´s the same offset for all Benq´s.
Now when you take a MS25 firmware and spoof it as Benq, the toolbox thinks it is a Benq firmware and goes to offset 0x5FE0 and reads out the iXtreme version, but it´s written at a different offset on a MS25 firmware.
As written on xboxhacker, the detection has to do with the SS generation.
Casio
This post has been edited by CasioNo15: Sep 7 2008, 11:53 AM
Post by: calloused labia on September 07, 2008, 05:09:00 AM
QUOTE(CasioNo15 @ Sep 7 2008, 06:52 AM) 
No it has nothing to do with this wrong displayed characters.
If you open up an iXtreme firmware with toolbox, for example a benq firmware, it will detect it as iXtreme and go to an specific offset to look which iXtreme version this firmware is.
For Benq this could be 0x5FE0. I don´t know if it´s the same offset for all Benq´s.
Now when you take a MS25 firmware and spoof it as Benq, the toolbox thinks it is a Benq firmware and goes to offset 0x5FE0 and reads out the iXtreme version, but it´s written at a different offset on a MS25 firmware.
As written on xboxhacker, the detection has to do with the SS generation.
Casio
If you open up an iXtreme firmware with toolbox, for example a benq firmware, it will detect it as iXtreme and go to an specific offset to look which iXtreme version this firmware is.
For Benq this could be 0x5FE0. I don´t know if it´s the same offset for all Benq´s.
Now when you take a MS25 firmware and spoof it as Benq, the toolbox thinks it is a Benq firmware and goes to offset 0x5FE0 and reads out the iXtreme version, but it´s written at a different offset on a MS25 firmware.
As written on xboxhacker, the detection has to do with the SS generation.
Casio
Thanks. I knew about the SS but I did not know where Firmware Toolbox got the Rom Version from. That makes sense.
Post by: calloused labia on September 07, 2008, 07:03:00 AM
QUOTE(CasioNo15 @ Sep 7 2008, 06:52 AM)
As written on xboxhacker, the detection has to do with the SS generation.
Casio
Wait! I just re-read your post. At first I though you were saying the only way of any type of detection was bad SS on games. But after re-reading it, I realize you mean something completely different.
So spoofing a Samsung as a BenQ is detectable? Is there anybody working on this? Is there any way to work on it?
Post by: podger on September 07, 2008, 10:20:00 AM
Post by: calloused labia on September 07, 2008, 12:03:00 PM
QUOTE(podger @ Sep 7 2008, 12:20 PM)
5 bytes of the ss are drive specific. So a Sammy spoofed as benq will return a different ss to a benq... I believe this is the case even with originals.... Cross-spoofing has never been considered safe...
ouch. I am just going to put the drives back in their original 360s then. I guess since the hard drive install update will be released soon, any problems with the Benq load times will be irrelevant.
Post by: podger on September 07, 2008, 02:11:00 PM
But it gets very complicated when it comes to Hitachi, coz there is so many of them... 64 or so variants..... only 4 for samsung
This post has been edited by podger: Sep 7 2008, 09:13 PM
Post by: calloused labia on September 07, 2008, 07:29:00 PM
QUOTE(podger @ Sep 7 2008, 04:11 PM)
Of course you could produce f/w for say a Sammy that is optimal for spoofing as Benq/Lite-On.... but you would need to know what you are doing.... As far as I know C4 is working on this....
But it gets very complicated when it comes to Hitachi, coz there is so many of them... 64 or so variants..... only 4 for samsung
But it gets very complicated when it comes to Hitachi, coz there is so many of them... 64 or so variants..... only 4 for samsung
Cool .. then maybe I will wait. What about the other way around. What about a BenQ drive spoofed as a Samsung? Is also detectable? Does it also send back a different response?
Post by: calloused labia on September 09, 2008, 11:50:00 PM
Post by: Ranger72 on September 10, 2008, 10:43:00 AM
So if Microsoft is spoofing drives themselves when they replace them then how could they use that as a determination of a Live banning without also banning their legit customers?
Post by: Traviss63 on September 10, 2008, 11:33:00 AM
QUOTE(Ranger72 @ Sep 10 2008, 05:43 PM) 
How is Microsoft going to determine what is a spoofed drive from their repair centers and what is a spoofed drive from a hacker? I have received more than a few refurbished 360's that has a different drive in the console than the one that was originally there.
So if Microsoft is spoofing drives themselves when they replace them then how could they use that as a determination of a Live banning without also banning their legit customers?
Yes, I had two..."friends" who both claim to have just got back their console (when they brought them to me) from a M$ repair center. When I read/dumped the firmware with iprep it said it was spoofed, I think it was a Samsung spoofed as a Hitachi for one and I can't recall the other, anyhow this was a first for me. I had never even heard of spoofing until then.
I always assumed M$ didn't need to spoof the drive. I thought they could just reset that shit how they saw fit, but unless my custome... I mean "friends", were BOTH lying about their consoles coming from M$( Why lie?) then this suggest exactly what Ranger says...
How would they tell the difference between drives spoofed at a M$ RC or Hacker spoofed drives?
(IMG:style_emoticons/default/uhh.gif)
Post by: calloused labia on September 11, 2008, 02:05:00 AM
QUOTE(Traviss63 @ Sep 10 2008, 01:33 PM)
Yes, I had two..."friends" who both claim to have just got back their console (when they brought them to me) from a M$ repair center. When I read/dumped the firmware with iprep it said it was spoofed, I think it was a Samsung spoofed as a Hitachi for one and I can't recall the other, anyhow this was a first for me. I had never even heard of spoofing until then.
I always assumed M$ didn't need to spoof the drive. I thought they could just reset that shit how they saw fit, but unless my custome... I mean "friends", were BOTH lying about their consoles coming from M$( Why lie?) then this suggest exactly what Ranger says...
How would they tell the difference between drives spoofed at a M$ RC or Hacker spoofed drives?
I also thought MS could "reset" anything how they wanted. Has anybody dumped the firmware they got back from MS service to see if there are differences? Perhaps their method of spoofing the drives is a little different and when they spoof, the drive returns the right SS responses?
Post by: calloused labia on September 11, 2008, 10:11:00 AM
QUOTE(calloused labia @ Sep 11 2008, 04:41 AM)
I also thought MS could "reset" anything how they wanted. Has anybody dumped the firmware from an MS spoofed drive? Perhaps their method of spoofing the drives is a little different and when they spoof, the drive returns the right SS responses?
Post by: ghaladream on October 09, 2008, 04:31:00 PM
http://forums.xbox-scene.com/lofiversion/i...hp/t658021.html
http://forums.maxconsole.net/showthread.php?p=1029558
Also.. about that 5 bytes of the SS being different when cross-spoofing.. Have there been any reports of bannings due to people who have done this?
This post has been edited by ghaladream: Oct 9 2008, 11:36 PM
Post by: caster420 on October 09, 2008, 04:51:00 PM
QUOTE(calloused labia @ Sep 7 2008, 12:00 AM)
If Firmware Toolbox can see this difference then could MS?
This isnt firmware toolbox seeing the difference, it is a bug in firmware toolbox. Firmtool changes both the inquiry and identify string and 360 firmware toolbox does not. Compare the two files you created in hex and you'll see exactly what i'm talking about...
Caster.
Post by: caster420 on October 09, 2008, 04:41:00 PM
(1) Firmware created with firmtool
2) Firmtool created firmware opened with 360 Firmware Toolbox (same error you noted above, plus key is incorrect, as i would assume yours was as well!!!)
3) 360 Firmware Toolbox v4.7 spoofing the same type of firmware...
4) Hex comparison of two generated firmware...
Notice that 360 Firmware Toolbox does not spoof the identify string (one on top). This is how it 'detects' spoofed firmware. Since firmtool changes both strings, 360 Firmware Toolbox does not detect it properly and does not find the key properly. There is nothing wrong with the firmware firmtool created but rather with 360 Firmware Toolbox.
Regards,
Caster.
Post by: ghaladream on October 09, 2008, 05:28:00 PM
Post by: calloused labia on October 09, 2008, 05:45:00 PM
I didn't notice any discrepancy with the key when I was testing so I decided to go back and open the Samusng spoofed BenQ firmware with FWTB and Firmtool.
Sure enough.. the key in FWTB is wrong!!
(IMG:http://i443.photobucket.com/albums/qq159/callousedlabia/360/WTF.jpg)
Post by: caster420 on October 09, 2008, 08:06:00 PM
Regards,
Caster.
Post by: ghaladream on October 09, 2008, 08:21:00 PM
QUOTE(podger @ Sep 7 2008, 01:20 PM)
5 bytes of the ss are drive specific. So a Sammy spoofed as benq will return a different ss to a benq... I believe this is the case even with originals.... Cross-spoofing has never been considered safe...
So, should I be worried about this?
Post by: test123123 on October 10, 2008, 04:24:00 AM
Post by: calloused labia on October 10, 2008, 10:16:00 AM
QUOTE(test123123 @ Oct 10 2008, 06:24 AM)
If I purely used Firmware Toolbox 4.8 to flash Hitachi drive and NOT using the spoof function. Is it OK?
Yes, it should be fine.
QUOTE(ghaladream @ Oct 9 2008, 10:57 PM)
So, should I be worried about this?
I was, I removed the spoofed Samsung from my 360 and but back the BenQ.