Xbox 360 BenQ VAD6038 64930C Spoof

From ivc wiki

The latest BenQ drive is not supported by the 360 Firmware Tool and can only be spoofed by manually editing the final firmware.

Update 8th Oct: A new version of 360 Firmware Toolbox has been released that adds support for the latest BenQ drives.

BenQ VAD6038 64930C

I got the 64930C firmware on a repaired/RMA machine in September 2007.

Find Key

Open the dumped BenQ firmware in a hex editor, like Tiny Hexer. The BenQ stores the key at one of several locations, i.e. 0xB030, 0xC020 or 0xE030. I found my key at the latter, 0xE030. If you copy the wrong data you will see a 'Put this disc in a Xbox 360' message when you insert an original or stealth backup, but you're still able to play DVD movies just fine.

Right before the key string, the last byte or two should be 'FA'. Copy the next 16 bytes and save them as the drive key. There should be a long run of 'FF's after the key.

[Image: Benq spoof key.png]

Find Drive Info

To make sure the Xbox 360 starts up properly with another drive (other than the original BenQ) the new drive will have to be spoofed as the original drive. If the incorrect drive info is used the Xbox 360 will fail to start and prompt an E66 error code.

Open the firmware and go to location 0x2D64. The drive string should be 'PBDS VAD6038-64930C'. Copy the data from 0x2D64 to 0x2D83 inclusive; the length should be 20 bytes.

[Image: Benq spoof drive info.png]

Spoofing Hitachi 0047DJ Drive

I wanted to spoof a Hitachi-LG 0047DJ drive, but I think the procedure is mostly the same for other Hitachi-LG drives.

Before I replaced the key and drive info, I patched the original firmware with iXtreme v1.2 in 360 Firmware Tool using the 'Smart Hack Patcher'.

[Image: Benq spoof 360 firmware tool.png]

Replace Key

Open the firmware in a hex editor and go to location 0x4F00. Select 0x4F00 to 0x4F0F (16 bytes) and paste the BenQ key over the selection.

[Image: Benq spoof hitachi key.png]

Replace Drive Info

Go to location 0x3D484 in the Hitachi-LG firmware. You should see the current drive info. Select 0x3D484 to 0x3D4A3 (20 bytes) and paste the BenQ drive info over the selection.

[Image: Benq spoof hitachi drive info.png]
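As an added check that is not part of the wiki page: a small Python script that reads the key and drive-info fields from a BenQ dump at the offsets given above and confirms that a patched Hitachi-LG image carries the same bytes at 0x4F00 and 0x3D484 before anything is flashed (a wrong drive-info field is what produces the E66 described earlier). The 'FA before, 16 x FF after' key test and the sample images are constructed assumptions for illustration, not real firmware.

```python
# Added example (not the wiki's code): verify a spoofed Hitachi-LG image
# against the BenQ dump using the offsets given on the page.
KEY_OFFSETS = (0xB030, 0xC020, 0xE030)      # candidate BenQ key locations
KEY_LEN, INFO_LEN = 16, 20
BENQ_INFO_OFF = 0x2D64                      # 'PBDS VAD6038-64930C' in the BenQ dump
HITACHI_KEY_OFF, HITACHI_INFO_OFF = 0x4F00, 0x3D484
BENQ_STRING = b"PBDS VAD6038-64930C"

def find_benq_key(fw):
    """Return (offset, key) for the first candidate offset where the byte before
    the key is 0xFA and the 16 bytes after it are 0xFF (the page's heuristic,
    tightened here to a fixed 16-byte run: an assumption). None if no match."""
    for off in KEY_OFFSETS:
        if off + 2 * KEY_LEN > len(fw) or fw[off - 1] != 0xFA:
            continue
        if fw[off + KEY_LEN:off + 2 * KEY_LEN] == b"\xff" * KEY_LEN:
            return off, bytes(fw[off:off + KEY_LEN])
    return None

def check_spoof(benq, hitachi):
    """List mismatches between the BenQ source fields and the patched image.
    An empty list means key and drive info were copied to the right places."""
    found = find_benq_key(benq)
    if found is None:
        return ["no key matching the FA/FF pattern at 0xB030, 0xC020 or 0xE030"]
    _, key = found
    info = bytes(benq[BENQ_INFO_OFF:BENQ_INFO_OFF + INFO_LEN])
    problems = []
    if not info.startswith(BENQ_STRING):
        problems.append("BenQ drive info at 0x2D64 is not PBDS VAD6038-64930C")
    if hitachi[HITACHI_KEY_OFF:HITACHI_KEY_OFF + KEY_LEN] != key:
        problems.append("key at 0x4F00 differs from the BenQ key")
    if hitachi[HITACHI_INFO_OFF:HITACHI_INFO_OFF + INFO_LEN] != info:
        problems.append("drive info at 0x3D484 differs from the BenQ drive info")
    return problems

def make_sample_images():
    """Constructed 256 KiB stand-ins for real dumps (placeholder bytes only)."""
    benq, key = bytearray(0x40000), bytes(range(0x10, 0x20))
    benq[0xE030 - 1] = 0xFA
    benq[0xE030:0xE030 + KEY_LEN] = key
    benq[0xE030 + KEY_LEN:0xE030 + 2 * KEY_LEN] = b"\xff" * KEY_LEN
    benq[BENQ_INFO_OFF:BENQ_INFO_OFF + INFO_LEN] = BENQ_STRING.ljust(INFO_LEN, b"\x00")
    unpatched = bytearray(0x40000)
    unpatched[HITACHI_INFO_OFF:HITACHI_INFO_OFF + INFO_LEN] = b"ORIGINAL DRIVE INFO."
    patched = bytearray(unpatched)                      # after the two paste steps
    patched[HITACHI_KEY_OFF:HITACHI_KEY_OFF + KEY_LEN] = key
    patched[HITACHI_INFO_OFF:HITACHI_INFO_OFF + INFO_LEN] = benq[BENQ_INFO_OFF:BENQ_INFO_OFF + INFO_LEN]
    return bytes(benq), bytes(unpatched), bytes(patched)

if __name__ == "__main__":
    b, u, p = make_sample_images()
    print("unpatched:", check_spoof(b, u))   # two mismatches
    print("patched:", check_spoof(b, p))     # []
```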

Flash Firmware

For Hitachi-LG 0047DJ I used 360 Firmware Tool to flash the new spoofed firmware to the drive.

  1. Open the firmware in 360 Firmware Tool v4.0.
  2. Select Tools -> Direct Drive Flash (GDR Only) -> Differential Flash (Patch).
  3. Press 'Read and Detect Differences' and then 'Start Flashing'. I'm using the internal flasher.

Note that 360 Firmware Tool can't see the drive after you've flashed it with the new BenQ spoof drive data. I'm unsure about the command-line 47flash.exe, but you could possibly restore only the drive info from an original firmware by running these commands against an encrypted firmware [1]:

47flash d original-e.bin 9003d000 1000
47flash d original-e.bin 9003e000 1000

And it should be visible from 360 Firmware Tool again. Untested.

47flash d original-e.bin 90004000 1000 // KEY SECTOR