Xbox 360 Hacks
Note: Most of this information is out-dated and better techniques exits now to patch the DVD drives!
It's now possible to hack the Xbox 360 to make it read regular writable DVD discs. The hack is primary used to allow playback of leagal copies of the games you own. There is currently no way to run unsigned code, only signed code by Microsoft.
- Plastic stick - removing outher shell
- S-ATA cable - connect Xbox and computer
- Compatible S-ATA controller card or on-board chipset - Silicon Image Sil3112 does not work
- Windows XP - Extract and patch key, dump and burn game backup
- Xbox 360 console near a computer
- ..or Xecuter Connectivity Kit - power adapter
Drives and firmwares
There are currently two different DVD drives for the Xbox 360. Toshiba-Samsung and Hitachi-LG, both require their own hacked firmware.
The first proof of a hacked firmware was actually for the Hitachi-LG and creditted for the_specialist at xboxhacker.net. But the first publicly available hacked firmware was for the Toshiba-Samsung, the Hitachi-LG firmware was released under a month afterwards. These firmwares was hacked and released by commodore4eva.
You can find the DVD drive model you have by looking at the tray, if there are many holes and cracks it's a Hitachi-LG, else it's a Toshiba-Samsung.
It's quite hard to disassemble the 360, as Microsoft officialy said, there are no screws and it was supposedly no way to open it. But you first have to remove the faceplate, untuck a few tabs, use a plastic stick to untuck the tabs on the back and lift the top case off the console. No need to remove the black screws on the bottom of the machine if you only want to remove the DVD drive.
A firmware upgrade will update the code that controls the DVD drive. The firmware is responsible for open/close the tray, move the laser, focus and track the disc surface, send requested data from the disc to the operating system and a lot more. The code is stored on a small memory chip inside the DVD drive.
By default all Xbox 360 DVD drives will not be detected or work with Windows. This is because the ATAPI command talk is non-standard and specific only for the Xbox 360 system. The Hitachi-LG drive ha a debug mode that can be triggered and allow Windows to talk to it as a normal DVD drive. Toshiba-Samsung on the other hand has no unified firmware with a debug mode and requires a seperate firmware to be flashed to make it appear in Windows.
If the drive does not appear in Windows after following the guides below, try Start, Run and enter diskmgmt.msc. If you see the DVD drive in the list but there is no drive letter assigned, right-click on the drive and select "Change Drive Letter and Paths", add a letter and click Ok.
Toshiba-Samsung DVD Drive
- Xtreme Hacked Firmware, the proper release
- DOS boot disk or hard drive - mktflash requires DOS
- mtkflash 1.83c or modified version
- KeyDrive Xtractor (KDX)
For the TS drive there are two different firmwares available. One is used to play backup copies of Xbox 360 games and the other is to gain access to the drive in Windows to dump the security-sector and game data.
xtreme.bin - the normal hacked firmware xtreme0800.bin - to gain access to the drive in Windows
There is also a proper release of the xtreme.bin key above called xtreme_proper.bin. The only change is the default key, 00's instead of FF's. The change was needed for KeyDrive Xtractor (KDX) to function properly.
xtreme_proper.bin - key is 00's instead of FF's for KDX compatibility
In order to flash the hacked firmware, you first have to dump the current firmware. Every single DVD drive has a unique key that is chained together with the rest of the console. You cannot exchange the drive from another console, it will only give you error messages if you try.
To dump the firmware, you have to boot into DOS and use a utility called mtkflash.exe to read the flash chip to a file. You can use a floppy, pendrive or harddrive to do this. That's no covered here.
- Disconnect any other SATA devices connected to the SATA ports, also consider disabling all IDE ports
- Make sure the SATA settings in the BIOS is set to NATIVE/ID and not SATA-RAID
- DVD power cable still connected to Xbox 360 motherboard, or via Xecuter adapter
- Connect the SATA cable from the DVD drive to the computer
- Boot computer into DOS using a floppy, hard drive or pendrive
- Start Xbox 360 with video cable plugged in, not neccessary to the tv
- Wait 20 seconds for the Xbox 360 to initilize
- Execute this command: mtkflash.exe r /m orig.bin
- Wait a few moments while it's dumping the firmware
If you have problems, try to add /SATA to the arguments. If your SATA controller/chipset is not recognized, read about hexediting here.
Once you have dumped the firmware, turn off the Xbox 360, boot into Windows XP and start KeyDrive Xtractor (KDX) by foros. This application will load your dumped firmware and read the key. Copy this key, open the hacked firmware, and paste the key into the DVD Key field to replace the 00's or FF'. Save the firmware as patched.bin (8+3 characters for DOS).
For advanced users: You can also open the original firmware in a hex editor, go to position $4000, copy everything between $4000-$4200, open the hacked firmware, go to $4000 and paste the copied content into the $4000-4200 range. Save the changes to patched.bin.
When you've patched your DVD drive key onto the hacked firmware, boot into DOS again and use mtkflash.exe to write the new firmware to the DVD drive firmware chip.
Follow the same procedure as when you dumped the firmware, mentioned above.
- Execute mtkflash.exe w /m patched.bin
If you have problems, try to add /SATA to the arguments and try again.
- Hacked Xtreme v46 or v47 Firmware
- memdump_win - dump firmware and key
- flashsec47 - flash utility for rom v47
- firmcrypt - encrypt original firmware before flash
- Slax Linux Live CD - trigger debug mode via software
- ..or Xecuter Connectivity Kit - trigger debug mode via hardware, external power
The Hitachi-LG drive is a lot easier to upgrade and it's not required to dump the the key or the entire firmware, but it's still recommended. The flash utility can do incremential updates of only the memory banks that has to be upgraded. Every operation can be executed in Windows and as long as the drive is recognized it doesn't matter what kind of adapter you use to connect the drive (SATA-to-IDE, IDE-to-SATA, even Sil3112 controller card confirmed).
This drive does not require a seperate firmware to dump game data, but the drive will need to be in a debug mode.
Note: there are different version of the hacked firmware, make sure you get the firmware that works with your firmware / ROM version. You can find the ROM version ontop of the drive, it's printed on a white label.
The Hitachi-LG firmware on the other hand has a debug routine (aka modeb), besides the playback mode, that can be trigged either by software or hardware.
The easiest way is of course by software and the Slax Live CD happen to trigger the debug routine while it's loading. We can take advantace of this by doing a soft-reboot with the reset-button on the computer and boot back into Windows while the DVD drive is still in debug mode and will then be accessible from Windows. This only works of you have a compatible SATA controller/chipset, you quickly find out the first time try this method if it works or not.
- Download and burn out the Slax Live CD iso-file
- DVD Power cable still connected to the Xbox 360 motherboard, or via Xecuter adapter
- Connect the SATA cable from the DVD drive to the computer
- Make sure the computer bios is set to boot from CD or DVD
- Start the Xbox 360 with the video cable plugged in and wait 20 seconds for it to initialize
- Boot the Live CD and wait for the Linux login prompt
- Press the RESET-button on the computer and remove the CD
- Boot into Windows and check that the drive is detected as aregular DVD drive
To trigger the debug mode you actually don't have to open the drive or modify anything. The entire prodecure can be done using the Xbox 360 DVD drive power connector. By connecting two points together, the drive will go into debug mode when it's powered on.
Important: disconnect the two wires quickly after the drive is powered on, right when you hear the drive is making loud sounds, else the drive could be damaged. The drive will still be in debug mode when you disconnect the points.
Power conenctor seen from behind the drive: X 8 6 4 2 0 X 9 7 5 3 1
- Find a single tiny wire with both ends stripped
- Connect the power cable to the Xbox 360 and SATA cable to the computer
- Cross wire point 9 to point 0 (ground) by squeezing the wire into the socket of the points behind the power cable connector
- Power on the Xbox 360
- Quckly disconnect wire between point 9 and point 0
- Boot Windows as normal, or it might work to refresh Device Manager
9a (modea) = input : tray_status (pin9) (0V = opening/closing, +3.3V open/closed) 9b (modeb) = input : tray_status (pin9) (+3.3V = open, 0V = closed)
Hot swap cable
There is also another method to get the drive accessible in Windows. If you have another generic DVD drive with SATA interface, you can how swap the SATA cable from the generic DVD drive over to the Hitachi-LG drive.
- Connecto the regular DVD drive
- Boot Windows and check if it's detected
- Quickly disconnect the cable from the generic DVD drive and plug it into the Hitachi-LG drive
- Use the drive letter of the old drive to dump and flash the firmware
Dump firmware (optional)
It's recommended that you dump the entrie firmware incase you should need to go back to the original firmware later on. There is nothing that needs to be done to this dump, it's for backup purposes only.
- Start a new command prompted by selecting Start and Run, type cmd.
- Execute this command: memdump_win e 12200 8 8000 orig.bin (where e is the drive letter of the drive)
Dump key (optional)
It's recommended that you extract the DVD drive key incase anything should happen while you flash the drive with the hacked firmware or troubleshoot. The key is used to encrypt and decrypt the commands between the drive and the Xbox 360 system, without it the drive is useless.
It's also possible to extract the key from the complete firmware dump using KeyDrive Xtractor (KDX).
- Follow the procedure above up to the last step
- Execute this command: memdump_win e 91004F0 1 10 key.bin (where e is the drive letter of the drive)
With the Hihtachi-LG drive it's possible to flash only specific memory banks on the chip. This lowers the chance that something can go wrong as it's less data that needs to be changed or written.
To write the hacked firmware to the DVD drive, you can execute a series of commands using the provided batch script. This makes it very easy to upgrade the firmware. The batch script will first dump the original firmware, then write to five different locations on the chip.
- Extract the files in the xtreme_47d or xtreme_46d package
- Open a command prompt, Start click Run and enter run
- Execute the xtreme.bat file using this command string: xtreme.bat e (where e is the drive letter)
Important: Before trying to flash the drive for a second time, make sure you copy the dumped firmware to a save location. It will be overwriten if you run the xtreme.bat file again. If you get sense-errors, you need to try again untill all the sequences are successfully flashes. Ejecting the tray might help.
You can also use the method below to compare the data on the chip and the hacked firmware file. Only 1 byte should be different , when comparing the original firmware a few more bytes are expected to different (this is normal).
memdump_win e 12200 8 8000 my_fw.bin (dump current firmware on the chip) decrypt d xtrm-e.bin xtrm.bin (decrypt hacked xtrm-e.bin firmware) fc /B my_fw.bin xtrm.bin (binary compare files, only a single byte should be different )
There is a restore batch script included that lets you restore to the original firmware.
- Open a command prompt, Start click Run and enter run
- Execute the restore.bat file using this command string: restore.bat e (where e is the drive letter)
Open a command prompt and execute these commands. Note: the xtreme-e.bin has already encrypted using firmcrypt.exe. Change the drive letter (e) to the one on your system.
flashsec47_win e xtrm-e.bin 9003e000 1000 (Master Checksum) flashsec47_win e xtrm-e.bin 90035000 1000 (Security Sector Read) flashsec47_win e xtrm-e.bin 9001c000 1000 (Drive Response Table Decrypt) flashsec47_win e xtrm-e.bin 90003000 1000 (Custom Code) flashsec47_win e xtrm-e.bin 90027000 1000 (Challenge Response)
To write the entire dumped original firmware, you have to encrypt it before writing it back to the drive. The master checksum is not changed back. Change the drive letter (e) to the one on your system.
firmcrypt e orig.bin orig-e.bin - Encrypt original firmware flashsec47_win e orig-e.bin 90035000 1000 (Security Sector Read) flashsec47_win e orig-e.bin 9001c000 1000 (Drive Response Table Decrypt) flashsec47_win e orig-e.bin 90003000 1000 (Custom Code) flashsec47_win e orig-e.bin 90027000 1000 (Challenge Response)
If you experience errors, try opening the tray. Don't reboot the computer of you got a bad flash, it's still possible to recover if the drive still has the firmware in memory and is accessible. Use the method above to make sure the data on the chip is the same (1 byte difference ) as the hacked xtrm-e.bin file.
First of all, you have to realise that you need DVD+R Dual Layer (not DVD-R DL) media and a burner that is able to set the so called booktype to DVD-ROM. This is also known as bitsetting. Most NEC and BenQ drives allows you to set the bitsetting for dual layer burns.
There are two ways to create a backup:
- Use a generic PC DVD drive
- Use the Xbox 360 DVD drive
Generic PC DVD drive method
Pros: easier, no need to have the Xbox 360 near the computer Cons: security-sector not extracted, need to find 8 GB movie dvd
- DVD drive - one you can disassemble
- DVD disc around 8 GB - larger than Xbox 360 games
- wxRipper - dump game data
- Enough hard drive space - to store 8 GB of data
You are going to swap the large dvd with a Xbox 360 game disc without ejecting the tray, by either force the tray open using a paperclip and the eject-hole, or if that doesn't work, you have to open/disassemble the DVD drive to gain access to the disc. Also, you can not get the required security-sector file using this method, a matching SS file could be found online though, more below.
You need a disc that is filled with around or over 8 GB of data, it can be a data or movie disc. You can even burn this yourself if you don't have anything laying around. Movie dvds know to work: Hitch, Shrek, Saving Private Ryan, Underworld Evolution.
The reason for all this is that the TOC, or table of content size, of the movie dvd will exceed size of any Xbox 360 game and we can therefore do a normal straightforward dump of the disc because this bypasses the disc security added by Microsoft. Ejecting the disc would reset the TOC and after an eject the normal accessible TOC (Video DVD part) of any Xbox 360 game is only a few megabytes.
You need to have external access to the DVD drive. Make enough room around the computer and make sure nothing can damage the computer or the DVD drive while you're dumping the game. The drive can be USB connected as long as it works with Windows.
Remove the top case shield of the DVD drive by removing the screws that hold it together. When you have the top loose, take a look at it and notice the round plastic piece with a metalic ring in it that normally is holding the DVD disc down when it's spinning. You need to somehow, without damaging it, remove it from the top shield. You need this piece before you can proceed. Another way is to just put the top shield back on when nessecary if that's possible.
With the piece in hand, connect the DVD drive externally to the computer and boot Windows.
Warning: Do not look at the laser when the the computer is powered on.
Start wxRipper, now eject the drive as normal, place the movie dvd in the tray, press the eject button and immediately when the tray has stopped retracting, put the plastic metalic ring on top of the disc where the spin-motor is popping up from beneath. The disc is now secure and ready to be spun up by the syste.
When the disc has spun up and is recognized, press the "Stop"-button or select "Stop" from the Hotswap-menu. For USB drives, you have to wait 2 minutes for it to shut down normally as the stop command does not work over USB.
Dumping game data
When the movie dvd has spun down, without touching the eject button, remove the disc and swap it with the Xbox 360 Game DVD you want to dump. Press the "Play"-button or select "Play" from the menu. Wait a few moments for it to be recognized. Then press the "Find"-button or select "Find magic number" from the menu. A list of seven "Copy", "Dummy" and "Jump" actions will appear.
The disc is now ready to be dumped. Press green-button or select the "Start dump" option fron the menu. Save the iso-file as gamename_videomode.iso, i.e halo2_pal.iso.
If you get CRC errors or bad sectors, you can try to save the layout file using the File menu, open the layout file in notepad, change the 1st and 3rd line that start with "C" (c is copy) and change the letter to "D" (d is dummy), save the file and open it again in wxRipper. This should take care of the reading errors.
C19408 - Unchanged or try D instead of C D1072 - Unchanged D109344 - D instead of C
This iso-file is now ready but you still need the security-sector file that is needed in the combining step below. Without the ss-file the iso-file is worthless. You can either extract this using the Xbox 360 DVD drive method below or try to find the online.
You can find the number (md5sum) of the ss-file you need by opening the iso-file in Xbox360 SS Merger and select "Yes" when you're asked to calculate the md5sum. When it's finished, hopefully someone else have already submitted the game that you ripped to the online database and you're shown the md5sum of the ss-file that they successfully used. Use the recommended md5sum number to find the ss-file online.
Xbox 360 DVD drive method
Pros: able to extract security-sector Cons: toshiba-samsung drive requires reflash between playing back and dump data
- TS drive only: flash drive with xtreme0800.bin firmware - to make it show in Windows
- DVDProInfo - send commands to drive and create security-sector file
- ISOBuster - dump game data
You going to send custom commands to the drive using DVDProInfo. The first 4 consquative commands are used to extract the security-sector and then the last command is to tell the drive to get ready to dump the game data. ISOBuster is used to dump the content of the disc.
The extracted security-sectors file will be combined with the game data and burned to the second layer of the dual layer disc. Without the correct security-sector the disc is rejected by the Xbox 360.
Toshiba-Samsung DVD drive
The drive needs to be flashed with the game-dump-ready firmware (xtrem0800.bin) for it to appear as a normal DVD drive in Windows.
To start of, open DVDProInfo and select the Xbox 360 DVD drive on the lower-left dropdown-menu. In the lower-right dropdown-menu select "Send Custom Command" under the "MMC Commands" header. Read the warning message that appears and click "I Agree". A window will slide out on the right side and show you 12 fields starting with the name CDB. In those fields fill inn two character in each field from the list below. One line at a time. Press "Send" between each line.
AD 00 FF 02 FD FF FE 00 08 00 01 C0 AD 00 FF 02 FD FF FE 00 08 00 03 C0 AD 00 FF 02 FD FF FE 00 08 00 05 C0 AD 00 FF 02 FD FF FE 00 08 00 07 C0
You will notice that only the second to last field is different (CBD 10).
When you have executed all four lines, switch to the main window with the DVDInfoPro logo and buttons with CD icons on the top. Press the right-most button marked with a document and a pencil, it's named "Saves Hexadecimal display as a binary file". Save the file as gamename_videomode_ss.bin, i.e halo2_pal_ss.bin.
Dump game data
When you've saved the security-sector, switch over to the small slide-out window again and enter this unlock command to allow dumping of the game data.
FF 08 01 01 00 00 00 00 00 00
Now open IsoBuster and select the Xbox 360 DVD drive on the top-left dropdown-menu. Right-click on the top drive-icon named something like DVD-R DL and select "Extract From-To". In the window that opens enter 0 in the "Start Adress"-field and 3567872 in the "Length"-field. Select the first "User Data - 2048 bytes/block" option in the "Extraction Type"-setting below. Click "Start Extraction" and save the game data as gamename_videomode.iso, i.e halo2_pal.iso.
If you receive any errors during the extraction select "Fill with blank zeros" and check the "Use this for all errors".
Hitachi-LG DVD drive
There is currently no way to extract the security-sector or dump the game data with the Hitachi-LG DVD drive.
Combining ss and game data
Before you can burn the iso-file, you need to combine the security-sectors file and the game data iso. You need Xbox360 SS Merger for this.
Start the program and under the "ISO File"-header, press the browse button on the right. Select the game data iso file you created with IsoBuster. The program should automatically detect which method you used to create the iso-file and fill in the correct security-sector offset further down. Next, under the "SS File"-header, click browse and select the correct security-sector file for the game iso you selected above.
When everything is set, click the big "Merge and create layer break file"-button and Xbox360 SS Merger will patch the iso-file you selected and create a small new text file that has an .dvd extenstion that is used to guide the dvd writer program you're going to use to make the appropriate break between the layers.
The layout of the complete iso-file : (Disc start inner ring) Video partition | Security-sector | Game data (disc end outer ring)
Burning game backup
- DVD burner with Dual Layer bitsetting - force DVD-ROM book type
- DVD+R Dual Layer 8.5 GB media - premium or recommended grade
- CloneCD (recommended) - dvd writing
- ..or DVD Decrypter - dvd writing
- Nero CD-DVD Speed - set and check bitsetting
If you've finally combined the security-sector file and game data iso-file, you need a rather new DVD burner and good DVD Dual Layer media before you can burn the game backup.
The reason you need a rather new (post-2004) DVD burner is that the way the firmware works is by masqurading the mediaflag to the Xbox 360 system. The burner has to support DVD-ROM bitsetting/mediaflag on DVD+R DL. Normally Xbox 360 games has a mediaflag like Xbox360Game and normal DVD+R discs has DVD+R. After changing the bitsetting it's detected as DVD-ROM instead. When the Xbox 360 system asks what kind of a disc is in the tray, the hacked firmware will tell the system that the normal DVD+R disc with the bittsetting set to DVD-ROM is indeed a Xbox360Game disc and will appear to the Xbox 360 system as a geniune game disc.
To check if your DVD burner has bitsetting support, open the latest CD-DVD Speed and the "Extra"-menu and then "Bitsetting". The first two options (DVD+R, DVD+RW) might be greyed out and disabled, but the third and important (DVD+R DL) setting should be enabled. It should be set to DVD-ROM book type, set the others to DVD-ROM if possible. Click "Refresh" to verify.
To burn the final iso-file use either CloneCD or DVD Decrypter. Many people have had success by setting the burning speed to 2.4x. Only use quality media if you want to avoid hadaches and problems later on. When finished make sure the Xbox 360 DVD drive is flashed with the normal hacked firmware and reassemble the console. Now it's finally time to check if the new backup disc is working.
Happy gaming. :)
- Howto update mtkflash with new sata chipset
- Kev - Hacking the Xbox 360 DVD drive
- Xbox 360 DVD Hack Guides
- Clevermod - Hack the 360 tutorials
- wxRipper tricks
- Which DVD-ROM for wxRipper?
- Xecuter Connectivity Kit tutorial
- Xbox1 DVD-ROM
- Free60 DVD Information
- Quick way to get Hitachi recognized in Windows
- Hex edited mtkflash files
- Xbox-Scene - Releases, tutorial and Guides
- Xboxhacker - Xbox 1 dump
- Arakon's DVD backup
- TS-943 firmware dump by software
- Open Xbox 360 Properly
- Alternate Samsung TS-943 MS28 method