Skip to content

Instantly share code, notes, and snippets.

@JayFoxRox
Created January 21, 2020 21:46
  • Star 1 You must be signed in to star a gist
  • Fork 0 You must be signed in to fork a gist
Star You must be signed in to star a gist
Save JayFoxRox/2d51a8fabe0531897a4bf2903ee14335 to your computer and use it in GitHub Desktop.
IDC Script and information about Hitachi-LG GDR-8050L (Original Xbox Drive)

(This information stems from a french forum post which I'll not link here to avoid legal issues)

I believe this information is about the 360 variant of the drive.

According to TheSpecialist the firmware has a checksum which is verified at the start of the firmware at offset 0x000099. By patching the bytes C8 23 FC in CC 23 00 the checksum is bypassed and the console starts without problem!

Addresses in firmware (47DH):

AESParameterSetup:  90031083
AESEngine:90031150
AES_key_source                        00000014
ATAPI_CMD                           0000059E
CDB1_0                              000005B8
CDB1_1                              000005B9
CDB1_2                              000005BA
CDB1_3                              000005BB
CDB1_4                              000005BC
CDB1_5                              000005BD
CDB1_6                              000005BE
CDB1_7                              000005BF
CDB1_8                              000005C0
CDB1_9                              000005C1
CDB1_A                              000005C2
CDB1_B                              000005C3
ATAPI_outBUF_addr                   00000630
ATAPI_return_length                 00000634
ATAPI_Buf_0                         0000063C
ATAPI_BUF_1                         0000063D
ATAPI_Buf_2_3                       0000063E
ATAPI_Buf_4                         00000640
ATAPI_Buf_5                         00000641
ATAPI_Buf_6                         00000642
ATAPI_Buf_7                         00000643
ATAPI_BUF_8                         00000644
ATAPI_BUF_9                         00000645
ATAPI_Buffer_AES_0                  00000646
ATAPI_Buffer_AES_1                  00000647
ATAPI_Buffer_AES_2                  00000648
ATAPI_Buffer_AES_3                  00000649
ATAPI_Buffer_AES_4                  0000064A
ATAPI_Buffer_AES_5                  0000064B
ATAPI_Buffer_AES_6                  0000064C
ATAPI_Buffer_AES_7                  0000064D
ATAPI_Buffer_AES_8                  0000064E
ATAPI_Buffer_AES_9                  0000064F
ATAPI_Buffer_AES_A                  00000650
ATAPI_Buffer_AES_B                  00000651
ATAPI_Buffer_AES_C                  00000652
ATAPI_Buffer_AES_D                  00000653
ATAPI_Buffer_AES_E                  00000654
ATAPI_Buffer_AES_F                  00000655
ATAPI_Buffer_AES_10                 00000656
ATAPI_Buffer_AES_11                 00000657
ATAPI_Buffer_AES_12                 00000658
ATAPI_Buffer_AES_13                 00000659
ATAPI_Buffer_AES_14                 0000065A
ATAPI_Buffer_AES_15                 0000065B
ATAPI_Buffer_AES_16                 0000065C
AES_Status                          00000974
AESDataBlockCount1                  00000977
AESStartingBlock                    00000978
AESKeyLength                        00000979
AESDataBlockCount                   0000097A
AESTotalProcessBytes                0000097B
AESKeySizeIndex                     0000097C
AES_init_key_idx                    0000097D
ATAPI_CDB1_0_CMD                    0000DFA0
ATAPI_CDB1_2                        0000DFA2
ATAPI_CDB1_4                        0000DFA4
ATAPI_CDB1_6                        0000DFA6
ATAPI_CDB1_8                        0000DFA8
ATAPI_CDB1_A                        0000DFAA
CDB2_0                              80010010
CDB2_1                              80010011
CDB2_2                              80010012
CDB2_3                              80010013
CDB2_4                              80010014
CDB2_5                              80010015
CDB2_6                              80010016
CDB2_7                              80010017
CDB2_8                              80010018
CDB2_9                              80010019
CDB2_a                              8001001A
CDB2_b                              8001001B
DVD_Structure_AES_Start             80035CFD
AES_section_key                     80039340
DecBlock1fromCMD55003A              80039360
AESXORBlock                           80039380
AESRoundKey0_0                      800393A0
AESbufBlock0                        80039580
AESbufBlock1                        80039590
AESbufBlock2                        800395A0
CMD_12                              90001668
ClearRam                            90001909
CopyFlashToRam                      90001922
AES_FWkey                          90004F00
CheckSumStart                       90006000
GoodStart                           90006040
ATAPI_sendoutstring                 9001B5FE
Setup_ATAPI_output_with_next_call   9001B621
ATAPI_READ_HEADER                   90023D42
ATAPI_SCAN                          900246B3
ATAPI_PLAY_AUDIO_MSF                900248EE
ATAPI_PLAY_AUDIO(12)                90024BDB
ATAPI_PLAY_TRACK_RELATIVE           90024D0F
ATAPI_PAUSE_RESUME                  90024E2B
ATAPI_INQUIRY                       90024F48
ATAPI_TEST_UNIT_READY               90025049
ATAPI_REQUEST_SENSE                 90025957
ATAPI_HITACHI_DEBUG                 90025BC8
ATAPI_MODE_SELECT(10)               9002643F
CMD_55_2A_AESdec_updatekey          9002709B
CMD_55_3A_AESdec_updatekey          90028239
NullStringCheck                     900284CC
ATAPI_MODE_SENSE(10)                90028508
CMD_5A003B                          900287D2
CMD_5A003C                          900288AD
CMD_5A003D                          90028B69
CMD_5A003E                          90028BD5
CMD_5A003F                          90028CF1
CheckAESKey16FWStatus               90028E7E
ATAPI_GET_CONFIGURATION             900290E1
ATAPI_READ_SUB_CHANNEL              90029291
ATAPI_SEEK(10)                      90029ADD
ATAPI_READ_TOC_PMA_ATIP             90029CB9
ATAPI_GET_EVENT_STATUS_NOTIFICATION 9002A996
ATAPI_MECHANISM_STATUS              9002AFB3
ATAPI_PREVENT_ALLOW_MEDIUM_REMOVAL  9002B4E3
ATAPI_READ_CAPACITY                 9002B59A
ATAPI_UNKNOWN_(01)                  9002B685
ATAPI_START_STOP_UNIT               9002B78D
ATAPI_SET_STREAMING                 9002BCFE
ATAPI_READ_DISC_INFORMATION         9002BE6B
ATAPI_SET_READ_AHEAD                9002C249
ATAPI_GET_PERFORMANCE               9002C2D2
ATAPI_READ_TRACK_INFORMATION        9002C569
ATAPI_READ_FORMAT_CAPACITIES        9002D22F
ATAPI_SEND_EVENT                    9002D30D
ATAPI_SEND_KEY                      9002D3CD
ATAPI_REPORT_KEY                    9002D9AB
ATAPI_READ_DVD_STRUCTURE            9002E08A
CMD_AD_physical_format              9002E137
ATAPI_RPC2_X                        9002EF64
ATAPI_RPC2_Y                        9002F017
ATAPI_STOP_PLAY_SCAN                9003030E
ATAPI_SET_CD_SPEED                  900303A2
ATAPI_READ(10)                      90030416
ATAPI_READ(12)                      90030423
ATAPI_READ_CD                       90030430
ATAPI_READ_CD_MSF                   9003043D
ATAPI_WRITE_BUFFER                  90030AB4
ATAPI_READ_BUFFER                   90030CD4
GetAESKeySizeIndex                  90030FFE
GetAESKeySize                       90031003
CopyBlockToAESXORkey                9003102A
GetAESXORblock                      9003105E
clear974_976                        9003107A
AESparametersetup                   90031083
CopyString_GetDataBlockCount        900310FF
StringXOR                           9003113A
AES_Engine                          90031150
AES_Encrypt_Multiple_Block          9003116F
AES_Decrypt_Multiple_Block          90031218
AES_Encrypt_Block                   900312BD
AES_Decrypt_Block                   9003132C
sbox_fwd_keyschedule                9003138F
AES_Add_Roundkey                    900313B0
AES_SBOXfwd_ShiftRow                9003142B
AES_SBOX_Shiftrows_rev              90031BE8
AES_MixCol_Addroundkey_FWD              900323A8
AES_Mixcol_Addroundkey_rev              9003253A
AESKeySchedule                      9003274A
StoreAESInitKeyIndex                900329CE
AESDec20h                           900329EF
CMD_5A003B_AES                      90032A63
AESDec10h                           90032AC8
CMD_5A003E_AES                      90032AF8
GetReverDword                       90033A84
GetReverseWord                      90033AD8
CopyToRam                           90033C12
dvd_cmd_table0                      9003CF08
dvd_cmd_table1                      9003D008
dvd_cmd_handlers                    9003D108
SBOX_FWD                            9003D7EC
SBOX_REV                            9003D8EC
Rcon                                9003D9EC
checksum                            9003E7FC
// The original IDC script was released on xboxhacker.net by djhuevo.
//
// It can be used to recover the ATAPI command addresses.
// I don't think an archive of those threads exists.
//
// This copy of the code stems from a french forum post.
// I'll not link it here to avoid legal issues.
// The include line is broken due to forum markup.
#include
static atapi_cmd_str(cmd) {
if (cmd==0x00) return "TEST UNIT READY";
else if (cmd==0x03) return "REQUEST SENSE";
else if (cmd==0x04) return "FORMAT UNIT";
else if (cmd==0x12) return "INQUIRY";
else if (cmd==0x1B) return "START STOP UNIT";
else if (cmd==0x1E) return "PREVENT ALLOW MEDIUM REMOVAL";
else if (cmd==0x23) return "READ FORMAT CAPACITIES";
else if (cmd==0x25) return "READ CAPACITY";
else if (cmd==0x28) return "READ(10)";
else if (cmd==0x2A) return "WRITE(10)";
else if (cmd==0x2B) return "SEEK(10)";
else if (cmd==0x2E) return "WRITE AND VERIFY(10)";
else if (cmd==0x2F) return "VERIFY(10)";
else if (cmd==0x35) return "SYNCHRONIZE CACHE";
else if (cmd==0x3B) return "WRITE BUFFER";
else if (cmd==0x3C) return "READ BUFFER";
else if (cmd==0x42) return "READ SUB-CHANNEL";
else if (cmd==0x43) return "READ TOC/PMA/ATIP";
else if (cmd==0x44) return "READ HEADER";
else if (cmd==0x45) return "PLAY AUDIO(10)";
else if (cmd==0x46) return "GET CONFIGURATION";
else if (cmd==0x47) return "PLAY AUDIO MSF";
else if (cmd==0x4A) return "GET EVENT/STATUS NOTIFICATION";
else if (cmd==0x4B) return "PAUSE/RESUME";
else if (cmd==0x4E) return "STOP PLAY/SCAN";
else if (cmd==0x51) return "READ DISC INFORMATION";
else if (cmd==0x52) return "READ TRACK INFORMATION";
else if (cmd==0x53) return "RESERVE TRACK";
else if (cmd==0x54) return "SEND OPC INFORMATION";
else if (cmd==0x55) return "MODE SELECT(10)";
else if (cmd==0x58) return "REPAIR TRACK";
else if (cmd==0x5A) return "MODE SENSE(10)";
else if (cmd==0x5B) return "CLOSE TRACK/SESSION";
else if (cmd==0x5c) return "READ BUFFER CAPACITY";
else if (cmd==0x5d) return "SEND CUE SHEET";
else if (cmd==0xA1) return "BLANK";
else if (cmd==0xA2) return "SEND EVENT";
else if (cmd==0xA3) return "SEND KEY";
else if (cmd==0xA4) return "REPORT KEY";
else if (cmd==0xA5) return "PLAY AUDIO(12)";
else if (cmd==0xA6) return "LOAD/UNLOAD CD/DVD";
else if (cmd==0xA7) return "SET READ AHEAD";
else if (cmd==0xA8) return "READ(12)";
else if (cmd==0xA9) return "PLAY TRACK RELATIVE";
else if (cmd==0xAA) return "WRITE(12)";
else if (cmd==0xAC) return "GET PERFORMANCE";
else if (cmd==0xAD) return "READ DVD STRUCTURE";
else if (cmd==0xB6) return "SET STREAMING";
else if (cmd==0xB9) return "READ CD MSF";
else if (cmd==0xBA) return "SCAN";
else if (cmd==0xBB) return "SET CD SPEED";
else if (cmd==0xBD) return "MECHANISM STATUS";
else if (cmd==0xBE) return "READ CD";
else if (cmd==0xBF) return "SEND DVD STRUCTURE";
else if (cmd==0xE7) return "HITACHI DEBUG";
else if (cmd==0xFE) return "RPC2 X";
else if (cmd==0xFF) return "RPC2 Y";
return form("UNKNOWN (%02x)", cmd);
}
static comment_atapi_cmd_table(table_start, handlers) {
auto i,b0,dw0;
for(i=0; i<0x100; i++) {
MakeByte(table_start+i);
b0=Byte(table_start+i);
dw0=Dword(handlers+b0*4);
MakeComm(table_start+i, form("ATAPI COMMAND %s (handler at 0x%08x)", atapi_cmd_str(i), dw0));
MakeCode(dw0);
MakeFunction(dw0, BADADDR);
MakeNameEx(dw0, form("ATAPI %s", atapi_cmd_str(i)), SN_NOCHECK|SN_NOWARN);
Message("f0=%x\n",dw0);
}
}
static main(void) {
auto i;
auto array0;
auto tabla_start;
auto c0,f0;
auto comentario;
auto dvd_model;
auto dvd_cmd_table0, dvd_cmd_table1;
auto dvd_cmd_handlers;
dvd_model=AskStr("GDR-8163B0L23","enter the current DVD model");
if(dvd_model=="GDR-8163B0L23") {
dvd_cmd_table0=0x9003C4B4;
dvd_cmd_table1=BADADDR;
dvd_cmd_handlers=0x9003c5B4;
} else if(dvd_model=="GDR-8050L") {
dvd_cmd_table0=0x9003BCB4;
dvd_cmd_table1=0x9003BDB4;
dvd_cmd_handlers=0x9003BEB4;
} else if(dvd_model=="GDR-3120L46"||dvd_model=="GDR-3120L47") {
dvd_cmd_table0=0x9003CF08;
dvd_cmd_table1=0x9003D008;
dvd_cmd_handlers=0x9003D108;
} else {
Message(form("cannot handle the string model \"%s\".\n", dvd_model));
return;
}
MakeDword(dvd_cmd_handlers);
MakeArray(dvd_cmd_handlers, 0x4C);
MakeName(dvd_cmd_handlers, "dvd_cmd_handlers");
MakeName(dvd_cmd_table0, "dvd_cmd_table0");
comment_atapi_cmd_table(dvd_cmd_table0, dvd_cmd_handlers);
if(dvd_cmd_table1!=BADADDR) {
MakeName(dvd_cmd_table1, "dvd_cmd_table1");
comment_atapi_cmd_table(dvd_cmd_table1, dvd_cmd_handlers);
}
Message("done!");
}
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment