Difference between revisions of "Xbox 360 BenQ VAD6038 64930C Spoof"
Revision as of 18:16, 30 September 2007
The latest BenQ drive is not supported by the 360 Firmware Tool and can only be spoofed by manually editing the final firmware.
BenQ VAD6038 64930C
I got the 64930C firmware on a repaired machine in September 2007.
Find Key
Open the dumped BenQ firmware in a hex editor, such as mirkes.de Tiny Hexer. The BenQ stores the key at different locations, e.g. 0xB030, 0xC020 or 0xE030. I found my key at the latter location, 0xE030.
Right before the key string, the last couple of bytes should be 'FA'. Copy the next 16 bytes and save them as the drive key. There should be a lot of 'FF's after the key.
Find Drive Info
To make sure the Xbox 360 starts up properly with a drive other than the original BenQ, the new drive has to be spoofed as the original drive. If the wrong drive info is used, the Xbox 360 will fail to start and show an E66 error code.
Open the firmware and go to location 0x2D64. The drive string should be 'PBDS VAD6038-64930C'. Copy the data from 0x2D64 to 0x2D83; the length should be 20 bytes.
Spoofing Hitachi 0047DJ Drive
I wanted to spoof a Hitachi-LG 0047DJ drive, but I think the procedure is mostly the same for other Hitachi-LG drives.
Before I replaced the key and drive info, I patched the original firmware with iXtreme v1.2 in 360 Firmware Tool using the 'Smart Hack Patcher'.
Replace Key
Open the firmware in a hex editor and go to location 0x4F00. Select location 0x4F00 to 0x4F0F and paste the BenQ key over that location.
Replace Drive Info
Go to location 0x3D484 in the Hitachi-LG firmware. You should see the current drive info. Select location 0x3D484 to 0x3D4A3, 20 bytes long. Paste the BenQ drive info into this space.
Flash Firmware
For Hitachi-LG 0047DJ I used 360 Firmware Tool to flash the new spoofed firmware to the drive. Open the firmware and select Tools -> Direct Drive Flash (GDR Only) -> Differential Flash (Patch).
Note that the 360 Firmware Tool can't see the drive after you've flashed the drive with the new BenQ spoof data. I'm unsure about the command-line 47flash.exe, but you could possibly restore only the drive info from an original firmware using these commands on an encrypted firmware [1]:
47flash d original-e.bin 9003d000 1000
47flash d original-e.bin 9003e000 1000
And it should be visible from 360 Firmware Tool again. Untested.
47flash d original-e.bin 90004000 1000 // KEY SECTOR