You need AnyDVD to decrypt the discs, it won't play without it.
1 Install AnyDVD with working trial period (or buy license, cracks/keygens don't work anymore)
2 Manually open video files on the disc with said players (won't open if you use the "open disc" dialogue).
This post contains a lot of edits corresponding to minor revelations. I swear I'm not schizo haha
Drive turned up a week or two ago. Been too busy enjoying time off to look at this. T6? is buried away somewhere. Thinking about drilling through these screws... that or ripping through the two I can't get at. Ok. Just ripped this thing open. Lets have a looksie
Toshiba SD-S802A
So I guess we ask, is this a USB -> proprietary sata connector? I've never touched one of these things. Why are there 3 USB ports? My over-the-top keyboard uses two. Presumably for extra power. One is a mini. Why?
Ripping this drive out of the case has served little purpose. I'm not planning on de-soldering components just yet. Determining pinout is kinda useless if I just pull the flash.
From wiki:
Code:
The HD DVD player connects to the Xbox 360 using a mini USB connection.[8] All of the audio and video processing and output come from Xbox 360 itself. The unit can also function as a USB hub, with 2 ports on the rear.
So I guess only the mini matters.
Before and after plugging this in to a PC:
Code:
[email protected]:~/Documents/xkAFL-vm$ lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 138a:0090 Validity Sensors, Inc. VFS7500 Touch Fingerprint Sensor
Bus 001 Device 002: ID 04f2:b596 Chicony Electronics Co., Ltd Integrated Camera
Bus 001 Device 004: ID 8087:0a2b Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
[email protected]:~/Documents/xkAFL-vm$ lsusb
Bus 002 Device 001: ID 1d6b:0003 Linux Foundation 3.0 root hub
Bus 001 Device 003: ID 138a:0090 Validity Sensors, Inc. VFS7500 Touch Fingerprint Sensor
Bus 001 Device 002: ID 04f2:b596 Chicony Electronics Co., Ltd Integrated Camera
Bus 001 Device 007: ID 045e:029c Microsoft Corp. Xbox360 HD-DVD Drive
Bus 001 Device 006: ID 045e:029e Microsoft Corp. Xbox360 HD-DVD Memory Unit
Bus 001 Device 005: ID 0409:005a NEC Corp. HighSpeed Hub
Bus 001 Device 004: ID 8087:0a2b Intel Corp.
Bus 001 Device 001: ID 1d6b:0002 Linux Foundation 2.0 root hub
So the cool stuff:
Code:
Bus 001 Device 007: ID 045e:029c Microsoft Corp. Xbox360 HD-DVD Drive
Bus 001 Device 006: ID 045e:029e Microsoft Corp. Xbox360 HD-DVD Memory Unit
Bus 001 Device 005: ID 0409:005a NEC Corp. HighSpeed Hub
I'm geeking out over the attack surface, but it looks like we've got one worthwhile thing for this purpose: Bus 001 Device 007: ID 045e:029c Microsoft Corp. Xbox360 HD-DVD Drive
What purpose does a "Xbox360 HD-DVD Memory Unit" serve? Data from this memory unit is processes differently from a standard memory unit?
I want to MITM the USB traffic on this. IIRC, I used a beaglebone black to capture USB traffic off the xbone wifi card in the past. Pretty sure I only have 360 XDK's right now... never got too into the 360 scene.
For posterity:
Code:
Based on my understanding, current batch of Xbox 360 HD-DVD drives (Toshiba SD-S802A) are shipped with firmware version MC08. Amir Majidimehr (amirm) indicated on AVSforum that HD-DVD Xbox update is decoupled from the Spring dashboard update (Rumored to be out on May 7th), and will be available within a few days of the Dashboard update.
Hd-dvd player is included in x360 dash ever since hd-dvd drive was released. If using old dash then you need to manually install hd-dvd player to hdd from included disc.
So, no, it's not stored in the drive's memory unit.
It's possible to write back to this memory? Update the player?
Long time ago I was trying to use a retail hd-dvd drive on a devkit. Does not work as the player is signed for retail.
Pretty sure it is possible to copy on hdd, but then console won't find the player as it is looking for specific partition.
I think that from factory hd dvd flash was empty, and with that installer disc you would install player etc
It's possible to write back to this memory? Update the player?
Long time ago I was trying to use a retail hd-dvd drive on a devkit. Does not work as the player is signed for retail.
Came across some old Xbox-Hacker threads / other stuff still available on archive.org. The drive can accept CDB commands. Flash can be read in increments of ~0x800 bytes with one command. This command is however, disabled by default. To remedy this, a command can be issued to poke memory and enable debug commands. In the old forum posts they had been using a program called plscsi under Windows. I compiled what source I could find for Linux, but ran into a crash even trying to detect my drive. Under Linux, you can use a utility called sg_raw found in the sg3-utils package (depending on distro). I have to write a script do all 512 dumps and concat the files, but the process looks something like this:
I believe I read somewhere that it's easy to flash too. I'd like to get some safeties in place making it difficult to brick before going too crazy. Will report back if I get a full script prepared.
Also when looking at the example script, note that your device might not be /dev/sg2
Don't 360 discs spin backwards or something? I recall making a Kreon drive and having to reverse polarity on the motor. Actually, this is probably irrelevant or imagined. Retail drives can read regular DVDs.
Firmware is checksummed, but the xbox-hacker crowd cracked this / figured out how to generate a checksum. I'm thinking the first move is to make a patch with debug commands enabled and flash that back. Negates the need for the poke command and acts as an indicator of a properly re-checksummed firmware.
Somewhere out there is a partial pinout of the connector. Should have taken better notes.
Update:
Okay, my bash is trash. I need to learn more about the tools at my disposal and how to best utilize them. Here's my process to dump the firmware. It's a few steps so read through if you're following along at home.
First, we're going to generate a script which we will run to dump the firmware. Assume a debian based linux distro. Create a file with the following named fw_dump_gen.sh. Again, you should check that your drive appears as /dev/sg2. If it does not, update the script accordingly.
Code:
#! /bin/bash
printf "#! /bin/bash\n"
# Create file with subcommand
echo -n -e '\x88\x00\x00\x04\x02\x6F\x01\x00' > DFenable.bin
# Create the output folder
mkdir fw_dump
# Create file to house final dump
touch fw_dump/fw_full.bin
printf "# Poke patch to enable commands (non-persistent)\n"
printf "sg_raw -s 8 -i ./DFenable.bin /dev/sg2 1D 00 00 00 08 00 00 00 00 00 00 00 00 00 00 00\n"
seq 1 512 | while read n
do
# Generate CDB command to dump firmware part
printf "sg_raw -r 0x800 -o fw_dump/fw.part%d /dev/sg2 DF 00 E2 00 00 " $( expr "$n" )
printf "%06X" $( expr 2048 '*' $(($n - 1)) '+' $((0x200000))) | sed 's/.\{2\}/& /g';
printf "%06X\n" $( expr 2048 '*' "$n" '-' 1 '+' $((0x200000))) | sed 's/.\{2\}/& /g';
# Concatenate fw part to full dump
printf "cat fw_dump/fw.part%d >> fw_dump/fw_full.bin\n" $( expr "$n" )
# Delete part
printf "rm fw_dump/fw.part%d\n" $( expr "$n" )
done
Make the file executable. chmod +x ./fw_dump_gen.sh
Run it and save the output to another file. ./fw_dump_gen.sh > fw_dumper.sh
Make the newly generated file executable. chmod +x ./fw_dumper.sh
Run the dumper. ./fw_dumper.sh
This convoluted approach will dump out your firmware in 512 parts to a folder named fw_dump. These parts get concatenated and deleted. The end result is a file named fw_full.bin in folder fw_dump. The script or rather scripts are too complex but they get the job done. I have yet to verify that this dumps the firmware properly. I believe there are a few unique sections in the firmware. I am unsure. The non-unique sections should probably be hashed to verify a proper dump.
Quick case insensitive search for "x" finds a few things.
XBOX Media w/o BCA
XBOX Media w/ BCA
No XBOX Media
SYS: XBOX 1/2 Bit AD Chal
SYS: XBOX 1/2 Bit Chal
SYS: XBOX Mirror AD Chal
SYS: XBOX Mirror Chal
SYS_IGN: XBOX CDF Read
SYS: XBOX Idle
SYS: XBOX Reset
XBOX XGD2
XBOX X2
Don't 360 discs spin backwards or something? I recall making a Kreon drive and having to reverse polarity on the motor. Actually, this is probably irrelevant or imagined. Retail drives can read regular DVDs.
Nah, to make kreon drive you just need to flash custom firmware on it. However you did have to reverse polarity if you wanted to make a samsung (or LG?) IDE DVD drive fully compatible with original xbox
Also nice job on dumping its firmware, will try doing that myself as well
This Ghidra processor module seems to work with the firmware. Auto analysis misses some functions I've seen mentioned elsewhere. Flipping the aggressive analyzer options helps quite a bit.
A few thoughts regarding the initial goal of adding HD-DVD support to the 360 with an internal drive:
Judging by strings in the firmware, XGD2 support may be hidden, possibly disabled, somewhere. I don't know much of anything about XGD2 but I've heard of XGD3. A patch enabling XGD2 support won't be capable of reading every 360 game disc.
As discussed earlier, the media player executable is stored on the daughterboard of the HD-DVD player. If stock software is to be used then a USB device would likely need to be present to provide the media player. Perhaps the executable can be moved to the hard drive. Maybe a patch will be required.
Some kind of converter board will be needed.
If we start making patches to the firmware, we'll end up with bricks before long -- or so I assume.
With that in mind, I don't think the 360 HD-DVD player really suits the initial goal. Perhaps an HD-DVD drive similar in model to an existing 360 drive would be a better starting point. Maybe something with SPI flash that can easily be emulated with a Dediprog EM100. This would make bricking far more difficult and allow easier development. Maybe something that can be debugged with JTAG. Its a HUGE undertaking. I feel that it may be the only way.
Even so, I'm going to keep poking at my drive until it bricks.
I guess there weren't a ton of retail internal HD-DVD drives that hit the market (From what I can tell). Several years ago, a friend suggested that it would be possible to write a custom firmware to a DVD burner and actually burn discs that pass media checks on the original Xbox. That piqued my interest and had me looking for some drive with open source firmware. Was never able to find such a project. I'm somewhat interested in starting such a project. Realistically, it would never see any results. In the same vein that's almost what needs to happen here. Ideally it'd start with an easily sourcable drive or chipset. It'd be funny to make it some overkill Linux device... Network connected OFC
So I'm pretty trash at surface mount soldering / soldering small things. Been playing with some SOIC 8/16 clips and realized I could read / write quite a bit in-circuit. Obviously the fw chip on this can be desoldered and socketed but it's not really practical for this package. I won't link it here BC I don't want to break rules, but if you search 360 TSOP clip on aliexpress, there's an interesting clip that might be applicable here. I've got some variant of this clip in the mail to experiment in TSOP flashing original xboxen. There's a bit of clearance needed for the plastic on the clips. Could be used to flash fw on the HDDVD board?
The things i hate about HD DVD are the disc's die from the layer separating ,the disc looks fine but will not play or locks up on parts of the film.
If you keep trying to eject a disc without it connected to your xbox 360 or pc, smoke comes out of the HD DVD drive. This was a brand new one i got as a spare.
90% of the time these are Warner Bros Home Video discs or discs made by labels owned by Warner Bros. WB discs are a lottery with, in my experience, a ~70-80% chance of being a dud. Which is too bad cause WB made a lot of good movies and nice (content wise) HD DVD releases.
On a sidenote, the first five Harry Potter Blu-Rays are lossy re-encodes of the HD DVD releases. Which says a lot about WB Home Video production "standards" since all Blu-Ray players support the VC-1/MPEG2 codecs used in HD DVD, meaning they could've literally just drag & dropped the HD DVD files to a Blu-Ray (editing the menu files and simply renaming the video files) resulting in a lossless conversion. Yet they had some intern make a lossy re-encode from an already supported codec.
Never heard of this. In fact I regularly eject my 360 HD DVD disconnected from PC & 360 and nothing like this ever happened.
90% of the time these are Warner Bros Home Video discs or discs made by labels owned by Warner Bros. WB discs are a lottery with, in my experience, a ~70-80% chance of being a dud. Which is too bad cause WB made a lot of good movies and nice (content wise) HD DVD releases.
On a sidenote, the first five Harry Potter Blu-Rays are lossy re-encodes of the HD DVD releases. Which says a lot about WB Home Video production "standards" since all Blu-Ray players support the VC-1/MPEG2 codecs used in HD DVD, meaning they could've literally just drag & dropped the HD DVD files to a Blu-Ray (editing the menu files and simply renaming the video files) resulting in a lossless conversion. Yet they had some intern make a lossy re-encode from an already supported codec.
Sometimes the WB discs do work though it's just that they have a very high failure rate. Pretty sure LDDB has some basic info for HD-DVD rot (likelihood of a particular release being bad, they have the same info there for LD obviously). If you have a login there you can add your collection. I only have like 10 HD-DVD titles listed there atm (none of my discs have rot).
Surely, no one really wants the disc approach. This is interesting though. The specification is out there. The development hardware isn't.
X360 media checks were bypassed. That seems like a fun exercise.
I've been told by multiple people that a modified burner can bypass checks on original xbox.
This is one of those bizarre things.
The spec is available to anyone, but no open source firmware or gerbers.
Hardware will be one of the most difficult hurdles for anyone in the scene.
We can flash firmware, but one mistake and we're left with a brick.
Boards can be drawn up in a couple hundred hours but then you run in to mistakes and end up spending thousands on development.\
I just wish there was a board you could flash in-circuit.
The 360 guys must have had a good system down, or destroyed a lot of boards testing their patches.
This site uses cookies to help personalise content, tailor your experience and to keep you logged in if you register.
By continuing to use this site, you are consenting to our use of cookies.