X360 Xbox 360 HD-DVD player

Americandad

that's weird, tried playing with MPC-HC and VLC but both refused to play anything
You need AnyDVD to decrypt the discs, it won't play without it.
1 Install AnyDVD with working trial period (or buy license, cracks/keygens don't work anymore)
2 Manually open video files on the disc with said players (won't open if you use the "open disc" dialogue).
 

stuntpenguin

This post contains a lot of edits corresponding to minor revelations. I swear I'm not schizo haha

PXL_20210105_051424798.jpg


Drive turned up a week or two ago. Been too busy enjoying time off to look at this. T6? is buried away somewhere. Thinking about drilling through these screws... that or ripping through the two I can't get at. Ok. Just ripped this thing open. Let's have a looksie

Toshiba SD-S802A

So I guess we ask, is this a USB -> proprietary sata connector? I've never touched one of these things. Why are there 3 USB ports? My over-the-top keyboard uses two. Presumably for extra power. One is a mini. Why?

Ripping this drive out of the case has served little purpose. I'm not planning on de-soldering components just yet. Determining pinout is kinda useless if I just pull the flash.

From wiki:
Code:
The HD DVD player connects to the Xbox 360 using a mini USB connection.[8] All of the audio and video processing and output come from Xbox 360 itself. The unit can also function as a USB hub, with 2 ports on the rear.

So I guess only the mini matters.

Before and after plugging this in to a PC:
Code:
[email protected]:~/Documents/xkAFL-vm$ lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 138a:0090 Validity Sensors, Inc. VFS7500 Touch Fingerprint Sensor
Bus 001 Device 002: ID 04f2:b596 Chicony Electronics Co., Ltd Integrated Camera
Bus 001 Device 004: ID 8087:0a2b Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
[email protected]:~/Documents/xkAFL-vm$ lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 138a:0090 Validity Sensors, Inc. VFS7500 Touch Fingerprint Sensor
Bus 001 Device 002: ID 04f2:b596 Chicony Electronics Co., Ltd Integrated Camera
Bus 001 Device 007: ID 045e:029c Microsoft Corp. Xbox360 HD-DVD Drive
Bus 001 Device 006: ID 045e:029e Microsoft Corp. Xbox360 HD-DVD Memory Unit
Bus 001 Device 005: ID 0409:005a NEC Corp. HighSpeed Hub
Bus 001 Device 004: ID 8087:0a2b Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub

So the cool stuff:
Code:
Bus 001 Device 007: ID 045e:029c Microsoft Corp. Xbox360 HD-DVD Drive
Bus 001 Device 006: ID 045e:029e Microsoft Corp. Xbox360 HD-DVD Memory Unit
Bus 001 Device 005: ID 0409:005a NEC Corp. HighSpeed Hub

I'm geeking out over the attack surface, but it looks like we've got one worthwhile thing for this purpose: Bus 001 Device 007: ID 045e:029c Microsoft Corp. Xbox360 HD-DVD Drive

What purpose does a "Xbox360 HD-DVD Memory Unit" serve? Data from this memory unit is processed differently from a standard memory unit?

I want to MITM the USB traffic on this. IIRC, I used a beaglebone black to capture USB traffic off the xbone wifi card in the past. Pretty sure I only have 360 XDK's right now... never got too into the 360 scene.

For posterity:
Code:
Based on my understanding, current batch of Xbox 360 HD-DVD drives (Toshiba SD-S802A) are shipped with firmware version MC08.  Amir Majidimehr (amirm) indicated on AVSforum that HD-DVD Xbox update is decoupled from the Spring dashboard update (Rumored to be out on May 7th), and will be available within a few days of the Dashboard update.
 
Last edited:

Dans34

what if the memory unit contains the dvd player program?
 

Americandad

what if the memory unit contains the dvd player program?
Hd-dvd player is included in x360 dash ever since hd-dvd drive was released. If using old dash then you need to manually install hd-dvd player to hdd from included disc.
So, no, it's not stored in the drive's memory unit.
 

Americandad

Nice to get proven wrong with facts. Do you know if it's possible to copy it to hdd on an unhacked console?

This begs the question, what is the point of the hd-dvd installer disc if the player is actually contained in the drive's memory?

And why doesn't the player show up on the old dash unless you use the install disc?
 

sonik

It's possible to write back to this memory? Update the player?
Long time ago I was trying to use a retail hd-dvd drive on a devkit. Does not work as the player is signed for retail.
 

JustAnyone

Nice to get proven wrong with facts. Do you know if it's possible to copy it to hdd on an unhacked console?

This begs the question, what is the point of the hd-dvd installer disc if the player is actually contained in the drive's memory?

And why doesn't the player show up on the old dash unless you use the install disc?
Pretty sure it is possible to copy on hdd, but then console won't find the player as it is looking for specific partition.
I think that from factory hd dvd flash was empty, and with that installer disc you would install player etc
It's possible to write back to this memory? Update the player?
Long time ago I was trying to use a retail hd-dvd drive on a devkit. Does not work as the player is signed for retail.
Yeah this memory is r/w. I used this player with my devkit on rgloader shadowboot and worked just fine actually
 

stuntpenguin

Came across some old Xbox-Hacker threads / other stuff still available on archive.org. The drive can accept CDB commands. Flash can be read in increments of ~0x800 bytes with one command. This command is, however, disabled by default. To remedy this, a command can be issued to poke memory and enable debug commands. In the old forum posts they had been using a program called plscsi under Windows. I compiled what source I could find for Linux, but ran into a crash even trying to detect my drive. Under Linux, you can use a utility called sg_raw found in the sg3-utils package (depending on distro). I have to write a script to do all 512 dumps and concat the files, but the process looks something like this:

Code:
#! /bin/bash

# Install sg3-utils -- May vary based on distro
# sudo apt install sg3-utils

# Create file with subcommand
echo -n -e '\x88\x00\x00\x04\x02\x6F\x01\x00' > DFenable.bin

# Poke patch to enable commands (non-persistent)
sg_raw -s 8 -i ./DFenable.bin /dev/sg2 1D 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00

# Dump 0x800 bytes at a time... 512 times
# Notice that 3 bytes indicate start address and 3 bytes indicate end address
mkdir fw_dump
sg_raw -r 0x800 -o fw_dump/fw.part1 /dev/sg2 DF 00 E2 00 00 20 00 00 20 07 FF
sg_raw -r 0x800 -o fw_dump/fw.part2 /dev/sg2 DF 00 E2 00 00 20 08 00 20 0F FF
sg_raw -r 0x800 -o fw_dump/fw.part3 /dev/sg2 DF 00 E2 00 00 20 10 00 20 17 FF

# TODO!
# Probably use something like this:
# seq 0 512 | while read n; do printf "%06X\n" $( expr 2048 '*' "$n" ) | sed 's/.\{2\}/& /g'; done

Credits to Geremia
Mirror(s) in case of link rot: Mirror 1 Mirror 2

I believe I read somewhere that it's easy to flash too. I'd like to get some safeties in place making it difficult to brick before going too crazy. Will report back if I get a full script prepared.

Also when looking at the example script, note that your device might not be /dev/sg2

Don't 360 discs spin backwards or something? I recall making a Kreon drive and having to reverse polarity on the motor. Actually, this is probably irrelevant or imagined. Retail drives can read regular DVDs.

Firmware is checksummed, but the xbox-hacker crowd cracked this / figured out how to generate a checksum. I'm thinking the first move is to make a patch with debug commands enabled and flash that back. Negates the need for the poke command and acts as an indicator of a properly re-checksummed firmware.

Somewhere out there is a partial pinout of the connector. Should have taken better notes.

Update:
Okay, my bash is trash. I need to learn more about the tools at my disposal and how to best utilize them. Here's my process to dump the firmware. It's a few steps so read through if you're following along at home.

First, we're going to generate a script which we will run to dump the firmware. Assume a debian based linux distro. Create a file with the following named fw_dump_gen.sh. Again, you should check that your drive appears as /dev/sg2. If it does not, update the script accordingly.

Code:
#! /bin/bash

printf "#! /bin/bash\n"

# Create file with subcommand
echo -n -e '\x88\x00\x00\x04\x02\x6F\x01\x00' > DFenable.bin

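# Create the output folder (no error if it already exists)
mkdir -p fw_dump

# Create an empty file to house the final dump; truncate any earlier dump so
# re-running fw_dumper.sh does not append to stale data
: > fw_dump/fw_full.bin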

printf "# Poke patch to enable commands (non-persistent)\n"
printf "sg_raw -s 8 -i ./DFenable.bin /dev/sg2 1D 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00\n"

seq 1 512 | while read n
do
    # Generate CDB command to dump firmware part
    printf "sg_raw -r 0x800 -o fw_dump/fw.part%d /dev/sg2 DF 00 E2 00 00 " $( expr "$n" )
    printf "%06X" $( expr 2048 '*' $(($n - 1)) '+' $((0x200000))) | sed 's/.\{2\}/& /g';
    printf "%06X\n" $( expr 2048 '*' "$n" '-' 1 '+' $((0x200000))) | sed 's/.\{2\}/& /g';

    # Concatenate fw part to full dump
    printf "cat fw_dump/fw.part%d >> fw_dump/fw_full.bin\n" $( expr "$n" )

    # Delete part
    printf "rm fw_dump/fw.part%d\n" $( expr "$n" )
done

Make the file executable.
chmod +x ./fw_dump_gen.sh

Run it and save the output to another file.
./fw_dump_gen.sh > fw_dumper.sh

Make the newly generated file executable.
chmod +x ./fw_dumper.sh

Run the dumper.
./fw_dumper.sh

This convoluted approach will dump out your firmware in 512 parts to a folder named fw_dump. These parts get concatenated and deleted. The end result is a file named fw_full.bin in folder fw_dump. The script or rather scripts are too complex but they get the job done. I have yet to verify that this dumps the firmware properly. I believe there are a few unique sections in the firmware. I am unsure. The non-unique sections should probably be hashed to verify a proper dump.

Quick case insensitive search for "x" finds a few things.

XBOX Media w/o BCA
XBOX Media w/ BCA
No XBOX Media
SYS: XBOX 1/2 Bit AD Chal
SYS: XBOX 1/2 Bit Chal
SYS: XBOX Mirror AD Chal
SYS: XBOX Mirror Chal
SYS_IGN: XBOX CDF Read
SYS: XBOX Idle
SYS: XBOX Reset
XBOX XGD2
XBOX X2
 
Last edited:
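
A way to check the dump, following the post's remark that it has not yet been verified (an added example, not part of the original posts; the function names are hypothetical, while the chunk size, count and 0x200000 base are the ones used in the scripts above). Dumping twice and comparing chunk by chunk shows which 0x800-byte reads are unstable before anything is hashed or patched.

```shell
#!/bin/bash
# Added example (not from the thread): sanity checks for fw_full.bin dumps.
# Constants are the ones used in the post: 512 reads of 0x800 bytes from 0x200000.
CHUNK=$((0x800)); COUNT=512; BASE=$((0x200000))

# Print the six address bytes (3 start, 3 end) of the DF read for chunk $1 (1-based).
chunk_range() {
    cr_start=$((BASE + CHUNK * ($1 - 1)))
    printf '%06X%06X\n' "$cr_start" "$((cr_start + CHUNK - 1))" | sed 's/../& /g; s/ $//'
}

# Succeed only if the file is exactly COUNT * CHUNK bytes (0x100000).
check_size() {
    [ "$(wc -c < "$1")" -eq "$((CHUNK * COUNT))" ]
}

# Print the flash address of every 0x800-byte chunk that differs between two dumps.
# cmp -l lists differing byte offsets (1-based); awk folds them into chunk addresses.
diff_chunks() {
    cmp -l "$1" "$2" | awk -v c="$CHUNK" -v b="$BASE" '
        { i = int(($1 - 1) / c)
          if (!(i in seen)) { seen[i] = 1; printf "0x%06X\n", b + i * c } }'
}

# Compare two independent dumps: 0 = identical (prints SHA-256), 1 = chunks differ,
# 2 = a file has the wrong size.
verify_pair() {
    if ! check_size "$1" || ! check_size "$2"; then
        echo "unexpected dump size (want $((CHUNK * COUNT)) bytes)" >&2
        return 2
    fi
    vp_changed=$(diff_chunks "$1" "$2")
    if [ -n "$vp_changed" ]; then
        echo "chunks that differ between reads:"
        echo "$vp_changed"
        return 1
    fi
    sha256sum "$1"
}

# Usage: ./fw_verify.sh first/fw_full.bin second/fw_full.bin
if [ "$#" -eq 2 ]; then verify_pair "$1" "$2"; fi
```

Chunks reported as differing on every pair of reads are candidates for the unique sections mentioned in the post; chunks that differ only occasionally point to a bad read.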

JustAnyone

Don't 360 discs spin backwards or something? I recall making a Kreon drive and having to reverse polarity on the motor. Actually, this is probably irrelevant or imagined. Retail drives can read regular DVDs.
Nah, to make kreon drive you just need to flash custom firmware on it. However you did have to reverse polarity if you wanted to make a samsung (or LG?) IDE DVD drive fully compatible with original xbox :)

Also nice job on dumping its firmware, will try doing that myself as well
 

stuntpenguin

However you did have to reverse polarity if you wanted to make a samsung (or LG?) IDE DVD drive fully compatible with original xbox :)

Ohhhh that's what it was!

This Ghidra processor module seems to work with the firmware. Auto analysis misses some functions I've seen mentioned elsewhere. Flipping the aggressive analyzer options helps quite a bit.

A few thoughts regarding the initial goal of adding HD-DVD support to the 360 with an internal drive:

Judging by strings in the firmware, XGD2 support may be hidden, possibly disabled, somewhere. I don't know much of anything about XGD2 but I've heard of XGD3. A patch enabling XGD2 support won't be capable of reading every 360 game disc.

As discussed earlier, the media player executable is stored on the daughterboard of the HD-DVD player. If stock software is to be used then a USB device would likely need to be present to provide the media player. Perhaps the executable can be moved to the hard drive. Maybe a patch will be required.

Some kind of converter board will be needed.

If we start making patches to the firmware, we'll end up with bricks before long -- or so I assume.

With that in mind, I don't think the 360 HD-DVD player really suits the initial goal. Perhaps an HD-DVD drive similar in model to an existing 360 drive would be a better starting point. Maybe something with SPI flash that can easily be emulated with a Dediprog EM100. This would make bricking far more difficult and allow easier development. Maybe something that can be debugged with JTAG. It's a HUGE undertaking. I feel that it may be the only way.

Even so, I'm going to keep poking at my drive until it bricks.
 
Last edited:

Dans34

they seem to be super cheap on ebay, might pickup a couple myself
 

stuntpenguin

Perhaps an HD-DVD drive similar in model to an existing 360 drive would be a better starting point.
I guess there weren't a ton of retail internal HD-DVD drives that hit the market (From what I can tell). Several years ago, a friend suggested that it would be possible to write a custom firmware to a DVD burner and actually burn discs that pass media checks on the original Xbox. That piqued my interest and had me looking for some drive with open source firmware. Was never able to find such a project. I'm somewhat interested in starting such a project. Realistically, it would never see any results. In the same vein that's almost what needs to happen here. Ideally it'd start with an easily sourceable drive or chipset. It'd be funny to make it some overkill Linux device... Network connected OFC 🤣
 

stuntpenguin

So I'm pretty trash at surface mount soldering / soldering small things. Been playing with some SOIC 8/16 clips and realized I could read / write quite a bit in-circuit. Obviously the fw chip on this can be desoldered and socketed but it's not really practical for this package. I won't link it here BC I don't want to break rules, but if you search 360 TSOP clip on aliexpress, there's an interesting clip that might be applicable here. I've got some variant of this clip in the mail to experiment in TSOP flashing original xboxen. There's a bit of clearance needed for the plastic on the clips. Could be used to flash fw on the HDDVD board?
 