Print

[Icekiller2k6]

I was getting sick of changing the KingKong dvd with the SDA loader DISC..
So I went hunting for the possibility to have 1 single dual layer DVD to do all my bidding...
After annoying Ssmurf on IRC he said it is very well possible but the only problem was that the dvd was in 'game' mode and needed to change to regular mode.

Then I searched around and got the basic readcd codehttp://free60.cvs.sourceforge.net/free60/xell/readcd(thx Tbminc for the good notes @ code Wink).

I also got a hold of the "close tray" PPC code...

After experimenting with a few possibilities, increasing the time etc... We (ssmurf & I) found out that the disc doesn't exactly 'needs' to eject.
The Dvdrom drive just needs to get the instruction to eject. So basically the Tray stays closed (cool!).

We compiled the code at an Xbox360 itself (tutorial is on free60 http://www.free60.org/wiki/Readcd).

After this we hexed in the SDA loader @ 0x00 because the Xbox360 ignores it anyway... (Hacked drive of course..)



What you need:
Vulnerable Kernel: versions 4532 and 4548
Xbox360 Dvd drive with patched firmware.
The new shader: released in the shaderform(loadfromdvd.bin)
Xorloser tools: kkpatcher.
Kingkong Game (first 1)
winhex
XELL-Bootloader-sda2-v2.6.21.1.iso (maybe there will be another one by the time this guide is posted...)


First backup your KingKong game with XBC, we'll name it KingKong.iso

 
After that we use the kkpatcher to patch our newly formed shader into the KingKing.iso(in dos):
kkpatcher kingkong.iso loadfromdvd.bin

You will see successful or something..

Hex Editing the xell boot loader sda2:
now start winhex, make sure you have more than 7,5 gb free on your C drive (winhex makes a tempfile..)
open KingKong.iso then open XELL-bootloader-sda2-v2.6.21.1.iso.

go to XELL-bootloader-sda2-v2.6.21.1.iso, control+a (select all), then Control+c (right click:edit->copy block->Normally).
Now go to KingKong.iso !!VERY IMPORTANT DON'T CONTROL+V!! First go to address 0 (alt+G).
Now go to Edit->Clipboard Data->WRITE.
Now go to file save just to be sure..
Burn with XBC and your done..



Just to be clear I maybe went through the motions but Ssmurf did all the hard work.. for which I’m grateful no more getting up to change the disc! Wink

has been tested on a xbox360 with a Samsung & Hitachi 47DJ with older xtreme versions. But seeing as you won't go on live anymore..




download link:
http://rapidshare.com/files/83248474/DL-DV...rf_Kit.rar.html
http://www.megaupload.com/?d=94S7ARWD

extra:
BUT you need to have Linux installed on your xbox 360..

so first use KingKong with the normal shader & the gentoo live cd install debian or ubuntu like explained here:
Install it to harddisk (optional)

Guide: http://forums.xbox-scene.com/index.php?showtopic=595543

Debian etch install Script: http://www.free60.org/wiki/Debian-etch (Recommended)

Ubuntu 7.04 install Script: http://www.free60.org/wiki/Ubuntu7.04

after you have done that,

Use kingkong with 'my' shader...
put dvd in and play start and it boots linux from your xbox360 hd...without changing discs or the tray opening at all..

[JCDenton@AS]

oh brilliant! Just what us lazy people need lol. Im in the process of modding for linux on a alternative 360. Using ubuntu!

This post has been edited by JCDenton@AS: Jan 13 2008, 07:02 PM

[Dark Seraph]

omfg....amazing.

i cant wait to do this later today...i hate getting up to change the disk.

so this basically means i can sit on my bed..use my controller to turn my 360 on..and boot into linux without ever getting up =D awesome.

[Magixx]

Of course I just had to delete my King Kong backup a week ago.

[Itcouldbeyou]

Great work! Anyone knows, how long does it take to boot up Linux from powerup to the desktop this way?

[Icekiller2k6]

QUOTE(Itcouldbeyou @ Jan 13 2008, 09:06 PM)

Great work! Anyone knows, how long does it take to boot up Linux from powerup to the desktop this way?

um for the moment it actually takes a little longer then needs be..

the Xell (at sda booter) should be rewritten.. because it still has & timer and extra code like boot from TFTP etc.. and fuses etc which isn't necessary.. i'll time it next chance i get (IMG:style_emoticons/default/wink.gif)

[mrbelvedere]

Great job! Works perfectly on my box with a Hitachi drive. My tray does open about half way before closing though. But that's no problem at all.

[Icekiller2k6]

QUOTE(mrbelvedere @ Jan 14 2008, 12:20 AM)

Great job! Works perfectly on my box with a Hitachi drive. My tray does open about half way before closing though. But that's no problem at all.

really? can you tell me which version of Xtreme you have on it & which hitachi?

[mrbelvedere]

Sure, Xtreme 2.4 on a Hitachi GDR-3120L 47DJ. Although, the second time I used the disc it did not eject the tray at all. Also, I made a similar post over at xboxhacker under the name kwkard.

[Muzzakus]

WHat are you guys running on you're linux boxes ?

mame?  some sort of media center ?

what makes it worth while for your average man at this point in time ?

[Icekiller2k6]

mame should run.. i'm going to try LinuxMCE when i have spare time..

I setuped my box with auto boot game if it is in the dvd drive
 
0secs   poweron
29secs to boot to 'start' game
34secs to be able to press start (before the USB control is detected, should be faster with an xbox 360 remote control)

51secs for Xell to start the count down.

Truth be told that the xell timer & fuses stuff 'could' be removed to speed it up.

edit:
owyeah, the xbox360  controllers work in linux.. including the wireless ones.. so you could just use them for mame..


This post has been edited by Icekiller2k6: Jan 14 2008, 11:55 AM

[mrbelvedere]

QUOTE(Icekiller2k6 @ Jan 14 2008, 04:36 AM)

mame should run.. i'm going to try LinuxMCE when i have spare time..

I setuped my box with auto boot game if it is in the dvd drive
 
0secs   poweron
29secs to boot to 'start' game
34secs to be able to press start (before the USB control is detected, should be faster with an xbox 360 remote control)

51secs for Xell to start the count down.

Truth be told that the xell timer & fuses stuff 'could' be removed to speed it up.

edit:
owyeah, the xbox360  controllers work in linux.. including the wireless ones.. so you could just use them for mame..

What do you have to do to get the wireless controllers working. After the linux kernel loads my controller will no longer connect to the xbox.  Also, when the kernel is loaded the leds on the front change to red. What is controlling those? In other words, I would like to write some code to manipulate the leds.

[Icekiller2k6]

QUOTE(mrbelvedere @ Jan 14 2008, 07:09 PM)

What do you have to do to get the wireless controllers working. After the linux kernel loads my controller will no longer connect to the xbox.  Also, when the kernel is loaded the leds on the front change to red. What is controlling those? In other words, I would like to write some code to manipulate the leds.

everything you need is here:
http://gentoo-wiki.com/HOWTO_Xbox_360_controller_on_Linux

[mrbelvedere]

Looks good, I'll play with it when I get home. Any idea about controlling the led's on the front of the console?

This post has been edited by mrbelvedere: Jan 14 2008, 10:28 PM

[Icekiller2k6]

QUOTE(mrbelvedere @ Jan 14 2008, 10:26 PM)

Looks good, I'll play with it when I get home. Any idea about controlling the led's on the front of the console?

CODE

#include
#include
#include
#include
#include

#define SMC_FILENAME "/dev/smc"

int smc_fd;

void query_poweron_type(unsigned char *msg)
{
  msg[0] = 0x01;
}

void query_rtc(unsigned char *msg)
{
  msg[0] = 0x04;
}

void query_sensor(unsigned char *msg)
{
  msg[0] = 0x07;
}

void query_tray(unsigned char *msg)
{
  msg[0] = 0x0A;
}

void query_avpack(unsigned char *msg)
{
  msg[0] = 0x0F;
}

void query_version(unsigned char *msg)
{
  msg[0] = 0x12;
}

void query_ir_address(unsigned char *msg)
{
  msg[0] = 0x16;
}

void query_tilt_sensor(unsigned char *msg)
{
  msg[0] = 0x17;
}

void set_standby(unsigned char *msg)
{
  msg[0] = 0x82;
  // TODO: other parameters
}

void set_time(unsigned char *msg, int time)
{
  msg[0] = 0x85;
// msg[1] = ...
}

void set_fan_algorithm(unsigned char *msg, int algorithm)
{
  msg[0] = 0x88;
  msg[1] = algorithm;
}

void set_fan_speed(unsigned char *msg, int cpugpu, int speed)
{
  msg[0] = cpugpu ? 0x94 : 0x89;
  msg[1] = speed | 0x80;
}

void set_dvd_tray(unsigned char *msg, int state)
{
  msg[0] = 0x8B;
  msg[1] = state ? 0x60 : 0x62;
}

void set_power_led(unsigned char *msg, int override, int state, int startanim)
{
  msg[0] = 0x8C;
  msg[1] = (override ? 1 : 0) | (state ? 0 : 2);
  msg[2] = startanim;
}

void set_audio_mute(unsigned char *msg, int mute)
{
  msg[0] = 0x8D;
  msg[1] = mute;
}

void set_ir_address(unsigned char *msg, int ir_address)
{
  msg[0] = 0x95;
  msg[1] = ir_address;
}

void set_dvd_tray_secure(unsigned char *msg)
{
  msg[0] = 0x98;
}

void set_leds(unsigned char *msg, int enable, int red, int green)
{
  msg[0] = 0x99;
  msg[1] = enable;
  msg[2] = red | (green << 4);
}

void set_rtc_wake(unsigned char *msg, int time)
{
  msg[0] = 0x9a;
  // todo
}

void hexdump(unsigned char *msg)
{
  int i;
  for (i=0; i<0x10; ++i)
    printf("%02x ", msg);
  printf("\n");
}

void show_tilt(unsigned char *msg)
{
  if (*msg == 0x83)
    msg++;
  printf("tilt: %s\n", (msg[1]&1) ? "vertical" : "horizontal");
}

void show_tray(unsigned char *msg)
{
  char *states[] = {"open", "opening", "closed", "closing", "pushed"};
  printf("tray: %s\n", states[(msg[1] & 0xF) % 5]);
}

void show_ir(unsigned char *msg)
{
  printf("IR code: %02x\n", msg[3]);
}

void show_avpack(unsigned char *msg)
{
  if (*msg == 0x83)
    ++msg;
  printf("AV pack type: %02x\n", msg[1]);
}

void show_poweron_type(unsigned char *msg)
{
  printf("poweron type: %02x\n", msg[1]);
}

void show_rtc(unsigned char *msg)
{
  int rtc = msg[1] | (msg[2] << | (msg[3] << 16) | (msg[4] << 24);
  printf("rtc: %d.%03d\n", rtc / 1000, rtc % 1000);
}

void show_sensor(unsigned char *msg)
{
  printf("sensor data: ");
  int i;
  for (i=0; i<4; ++i)
  {
    float s = (msg[i * 2 + 1] | (msg[i * 2 + 2] << ) / 256.0;
    printf("%3.1f C, ", s);
  }
  printf("\n");
}

void show_version(unsigned char *msg)
{
  printf("version: %d.%d\n", msg[2], msg[3]);
}

void show_ir_address(unsigned char *msg)
{
  printf("ir address: %d\n", msg[1]);
}

void show_response(unsigned char *msg)
{
  switch (msg[0])
  {
  case 0x83:
    switch (msg[1])
    {
    case 0x11:
      printf("poweroff occuring\n");
      break;
    case 0x14:
      show_tilt(msg);
      break;
    case 0x60 ... 0x65:
      show_tray(msg);
      break;
    case 0x23:
      show_ir(msg);
      break;
    case 0x40:
      show_avpack(msg);
      break;
    default:
      hexdump(msg);
      break;
    }
    break;
  case 0x01:
    show_poweron_type(msg);
    break;
  case 0x04:
    show_rtc(msg);
    break;
  case 0x07:
    show_sensor(msg);
    break;
  case 0x0a:
    show_tray(msg);
    break;
  case 0x0F:
    show_avpack(msg);
    break;
  case 0x12:
    show_version(msg);
    break;
  case 0x16:
    show_ir_address(msg);
    break;
  case 0x17:
    show_tilt(msg);
    break;
  default:
    hexdump(msg);  
    break;
  }
}

int main(int argc, char **argv)
{
  int first = 1;
    /* try open SMC. if this doesn't work, bail out. */
  smc_fd = open(SMC_FILENAME, O_RDWR);
  if (smc_fd < 0)
  {
    perror(SMC_FILENAME);
    return 1;
  }
  
  while (1)
  {
    unsigned char msg[16];

    static struct option long_options[] =
      {
        {"query-poweron-type", no_argument, 0, 'p'},
        {"query-rtc", no_argument, 0, 'r'},
        {"query-sensors", no_argument, 0, 's'},
        {"query-tray", no_argument, 0, 't'},
        {"query-avpack", no_argument, 0, 'a'},
        {"query-version", no_argument, 0, 'v'},
        {"query-ir-address", no_argument, 0, 'i'},
        {"query-tilt-sensor", no_argument, 0, 'n'},
        {"set-standby", required_argument, 0, 'S'},
        {"set-time", required_argument, 0, 'R'},
        {"set-fan-algorithm", required_argument, 0, 'f'},
        {"set-cpu-fan-speed", required_argument, 0, 'C'},
        {"set-gpu-fan-speed", required_argument, 0, 'G'},
        {"set-dvd-tray", required_argument, 0, 'T'},
        {"set-powerled", required_argument, 0, 'P'},
        {"set-audio-mute", required_argument, 0, 'M'},
        {"set-ir-address", required_argument, 0, 'I'},
        {"set-dvd-tray-secure", no_argument, 0, 'O'},
        {"set-leds", required_argument, 0, 'L'},
        {"set-rtc-wakeup", required_argument, 0, 'W'},
        {"poll", no_argument, 0, 'w'},
        {}
      };

    char *help[] = {0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0,
      "speed from 0 to 127", "speed from 0 to 127", "0: open, 1: close",
      "0: default, 1: on, 2: off, 3: animated", 0, 0, 0, "GR with 1+2+4+8 for the red&green segments", 0, 0};

    int option_index = 0, c;
    c = getopt_long (argc, argv, "prstavinS:R:f:C:G:T:P:M:I:OL:W:w",
        long_options, &option_index);
    
    if ((c == -1) && !first)
      break;

    first = 0;
      
    
    if ((c == '?') || (c == -1))
    {
      struct option *o = long_options;
      char **h = help;
      fprintf(stderr, "usage:\n");
      printf("\t%s [...]\n", argv[0]);
      while (o->name)
      {
        printf("\t\t--%s, -%c \t%s\n", o->name, o->val, o->has_arg ? "" : "");
        if (*h)
          printf("\t\t\t%s\n", *h);
        ++h;
        ++o;
      }
      
      break;
    }
    
      /* prepare message */
    memset(msg, 0, 16);
    
    switch (c)
    {
    case 'p':
      query_poweron_type(msg);
      break;
    case 'r':
      query_rtc(msg);
      break;
    case 's':
      query_sensor(msg);
      break;
    case 't':
      query_tray(msg);
      break;
    case 'a':
      query_avpack(msg);
      break;
    case 'v':
      query_version(msg);
      break;
    case 'i':
      query_ir_address(msg);
      break;
    case 'n':
      query_tilt_sensor(msg);
      break;
    case 'S':
      set_standby(msg);
      break;
    case 'R':
      set_time(msg, atoi(optarg));
      break;
    case 'f':
      set_fan_algorithm(msg, atoi(optarg));
      break;
    case 'C':
      set_fan_speed(msg, 0, atoi(optarg));
      break;
    case 'G':
      set_fan_speed(msg, 1, atoi(optarg));
      break;
    case 'T':
      set_dvd_tray(msg, atoi(optarg));
      break;
    case 'P':
      switch (atoi(optarg))
      {
      case 0: // default
        set_power_led(msg, 0, 0, 0);
        break;
      case 1: // always on
        set_power_led(msg, 1, 1, 0);
        break;
      case 2: // always off
        set_power_led(msg, 1, 0, 0);
        break;
      case 3: // animation
        set_power_led(msg, 1, 0, 1);
        break;
      default:
        break;
      }
      break;
    case 'M':
      set_audio_mute(msg, atoi(optarg));
      break;
    case 'I':
      set_ir_address(msg, atoi(optarg));
      break;
    case 'O':
      set_dvd_tray_secure(msg);
      break;
    case 'L':
    {
      int state = strtoul(optarg, 0, 0x10);
      set_leds(msg, !!state, state & 0xF, (state >> 4) & 0xF);
      break;
    }
    case 'W':
      set_rtc_wake(msg, atoi(optarg));
      break;
    case 'w':
      break;
    default:
    {
      abort();
    }
    }
    
    if (c != 'w')
    {
      printf("sending ");
      int i;
      for (i=0; i<0x10; ++i)
         printf("%02x ", msg);
      printf("\n");
      if (write(smc_fd, msg, 16) != 16)
      {
        perror("write");
        break;
      }
    }
    
    if ((c == 'w') || (msg[0] < 0x80))
    {
      int wait_for = msg[0];
      while (1)
      {
        if (read(smc_fd, msg, 16) != 16)
          perror("read");
        show_response(msg);
        if (msg[0] == wait_for)
          break;
      }
    }
  }

}

compile it gcc smc.c
and then do
./a.out  --set-leds <xxx>


This post has been edited by Icekiller2k6: Jan 15 2008, 12:12 AM