Xbox 360 Lite-On DG16D2S Extract Key

From ivc wiki
Revision as of 00:48, 1 September 2008 by Ivc (talk | contribs) (→‎Half Open Tray)
Jump to navigationJump to search

In later August 2008 a method to dump the new Lite-On DG16D2S drive was released. It requires a serial controller and SATA controller to dump the key.

Thanks goes to Geremia, C4eva, Tiros, Schtrom, TMF, Redline99, and the Xbox-hacker community.

Lite-On DG16D2S

This drive started to appear in machines manufactured after 20th April 2008 (2008-04-20). Currently it's not possible to dump or flash the drive, only extracting the key.

Xbox 360 lite-on label.jpg Xbox 360 lite-on drive board.jpg

Serial Controller

The serial controller will be connected to the Lite-On drive and used to interface and send commands to the MT1319L controller on the drive board.

Build

Either buy a pre-built RS-232 adapter or build one yourself. The parts are cheap and it isn't hard to build.

Some RS-232 transecivers:

  • MAX3232
  • ST3232

Xbox 360 lite-on rs232 build.png

Here is my adapter based on a MAX3232 chip:

Xbox 360 lite-on max3232 front.jpg Xbox 360 lite-on max3232 back.jpg

To verify that the serial adapter works, make sure the serial-port is enabled in the BIOS, and join (loop) the Tx and Rx pins together (pin 2 and 3). Open HyperTerm (or any other terminal applications) and try the default settings (9600, 8, None, 1). Type something in the terminal, it should echo back what you typed if it's working.

Alternatively, try this very simple RS-232 level converter. Composed of only resistors, diodes, transistors, and a capacitor.

Xbox 360 lite-on rs232 simple.jpg

Links:

Connect

Once the serial adapter is ready, connect the 3.3v, Ground, TxD and RxD points to the Lite-On drive board. There is also two jumpers/solder pads for TxD and RxD that needs to be joined. The points are shown below:

Xbox 360 lite-on serial adapter points.jpg

The adapter installed:

Xbox 360 lite-on serial adapter installed closeup.jpg Xbox 360 lite-on serial adapter installed overview.jpg

Dump Key

Utility

Download the DVDKey utility. The utility will interface with the drive over the serial connection and dump the key via SATA.

Create a DOS boot disk and put DVDKey on the drive.

Find SATA Port

DVDKey requires the address of the SATA port where the Lite-On drive will be connected. The address location is in HEX format (e.g. 0xA000 or A000).

Currently there are 3 different methods to find the address, some easier than others.

iPrep

This is a Windows tool to create a boot disk for iXtreme flashing.

Install the application and open it, in the middle of the window, look for the name of your SATA controller, click the question mark on the right-side, the SATA port is the first 4 (four) characters in the DeviceIO string. Here it's A000.

Xbox 360 lite-on iprep.png

Make sure you have the .Net Framework v2.0 installed if the application throws an error on launch.

DosFlash

DosFlash is used to flash BenQ drives (and Toshiba-Samsung drives). It will report the address of the detected drive before it continues.

Connect the Lite-On drive to the SATA port, create a DOS boot disk and put DosFlash in it, boot to DOS, and execute dosflash.exe in the Dosflash16 directory (DOSFLA~1). Press n on any prompts. The port will be reported in the text string starting with MTK Vendor Intro failed on port.... Press ctrl+c to exit.

The output should look like this: 

c:\DOSFLASH\DOSFLA~1>dosflash
DOSFLASH V1.4 Beta Build 20071115 by Team Modfreakz and Kai Schtrom
 0) 0x01F0 IDE    Pri Master   None
 1) 0x01F0 IDE    Pri Slave    None
 2) 0x0170 IDE    Sec Master  None
 3) 0x0170 IDE    Sec Slave   None
MTK Vendor Intro failed on port 0xA000. If you choose to resend the command
you should turn the drive off and on after you pressed "Yes".
Do you want to resend the command until the drive responds (Y/N)? n
4) 0xA000 SATA   Pri Master   ATAPI PLDS   DG16D2S 74850C
     Flash ManufacturerID: 0x00, DeviceID: 0x00
     Flash Type: MTK Vendor Intro failed!
     Flash Size: 0 bytes (0 KB)
5) 0xA400 SATA   Pri Master   None
6) 0xA800 IDE     Pri Master  None
7) 0xA800 IDE     Pri Slave   None

Enter the number of an ATAPI drive to read, write, erase flash:
c:\DOSFLASH\DOSFLA~1>

Picture:

Xbox 360 lite-on dosflash.jpg

Slax Linux

Slax is a Linux distribution tweaked for Xbox 360 use. It will put the Hitachi-LG drive in mode-b for flashing.

Connect the Lite-On drive to the SATA port, burn the image to a CD-R/DVD-R, boot the disc, eject the tray if the boot halts, and login using username root and password toor.

Type dmesg|grep SATA' (case important, SATA)' to filter out the SATA messages from the kernel boot log. The SATA port address can be found after SATA max UDMA/133 cmd, before ctl. In this example 0xA000, or A000 is the part that will be used here.

The output should look similar to the below: 

root@slax:~# dmesg|grep SATA
ata1: SATA max UDMA/133 cmd 0xA000 ctl 0xA00A bmdma 0xB000 irq 11
ata2: SATA max UDMA/133 cmd 0xA400 ctl 0xA40A bmdma 0xB008 irq 8

Picture:

Xbox 360 lite-on slax.jpg

Dump

Required:

  • Native SATA controller or VIA VT6421A or VT6421L PCI card
  • Power to the Lite-On drive:
    • Either via Team Xecuter Connectivity kit v1/v2 or place the Xbox 360 near the computer

Half Open Tray

The tray has to stay half open during the process. Once the drive tray is half-open it will stay open, not close on the next power up as a normal drive would do.

Note: On some setups it's not needed to have the tray half-open, it works fine with the tray closed.

Eject button method:

  1. Power on the drive
  2. Press the eject button - On the Connectivity Kit or front of the Xbox 360
  3. Remove the power again
  4. Manually press the drive half-way in

Xbox 360 lite-on open tray.jpg

Paper clip method:

  1. Locate the black slider on the right-side on the bottom of the drive (see picture)
  2. Use a paper clip or screwdriver to press the slider all the way in
  3. The tray should slide or pop out, pull it half-way open

Xbox 360 lite-on open tray paperclip.jpg

Dumping Procedure

Follow this procedure to dump the key:

  1. Power off the computer
  2. Disconnect power and SATA cable on the Lite-On drive
  3. Connect the serial controller cable to COM1 (bios setting 3F8/IRQ4)
  4. Connect power to the Lite-On drive
  5. Power on the computer
  6. Boot DOS, either from hard drive or a flash drive, DVDKey already installed
  7. Plug in the SATA cable to the Lite-On drive
    • Note: On some computers (VT6421), the cable can be plugged in before the computer is powered on
  8. Execute DVDKey with the SATA port found above:
    • dvdkey a000
  9. After 20-30 seconds the key will be dumped

The output should be something like this: 

c:\DVDKEY>dvdkey a000
Port A000
Drive Present
Wait about 20 seconds

GOT SOMETHING !!!    sona: 03   sega: 54
DVD key:
9174C2D5905AE8B9ACB23CD116XXXXXX
Seems a GOOD Key!!!!
KEY.BIN saved

PLDS   DG-16D2S      74850C
INQUIRY.BIN saved

PLDS   DG-16D2S
IDENTIFY.BIN saved

c:\DVDKEY>

Picture:

Xbox 360 lite-on dvdkey success.jpg

Errors

If you got something like this, you need to:

  • Power down the drive between each tries
  • Check the serial adapter communication
  • Wrong COM port for the serial adapter
c:\DVDKEY>dvdkey a000
Port A000
Drive Present
Wait about 20 seconds

It didn't work, sorry   reg1: 54
DVD key:
00000000000000000000000000000000
Seems NOT a good DVD Key!!! 00 00
KEY.BIN saved


c:\DVDKEY>

In this case the wrong SATA port address is used. Try iPrep, DOSFlash, or Slax to find the correct port. 

c:\DVDKEY>dvdkey a400
Port A000
Problems with sata status, try to reboot PC 

c:\DVDKEY>

Spoof

References

Retrieved from "https://beta.ivc.no/wiki/index.php?title=Xbox_360_Lite-On_DG16D2S_Extract_Key&oldid=4311"