Difference between revisions of "Xbox 360 Lite-On DG16D2S Extract Key"

From ivc wiki
 
(165 intermediate revisions by the same user not shown)
Line 1: Line 1:
In later August 2008 a method to dump the new Lite-On DG16D2S drive was released. It requires a serial controller and SATA controller to dump the key.
In late August 2008 a method to dump the key for the new Lite-On DG-16D2S drive was released. It requires a serial adapter and SATA controller. Once the key and identification string is dumped, a new drive can be flashed with a spoofed iXtreme firmware.


== Lite-On DG16D2S ==
Thanks goes to Geremia, C4eva, Tiros, Schtrom, TMF, Redline99, and the Xbox-hacker community.


This drive started to appear in machines manufactured after 20th April 2008 (2008-04-20). Currently it's not possible to dump or flash the drive, only extracting the key.
'''Replacing drive note:''' When replacing the DVD Drive: It's only recommended to use the BenQ drive at this stage, using other drives gives a very high possibility of getting banned if you go on Xbox Live, obviously any drive can get you banned but the Toshiba-Samsung and Hitachi-LG drives will have a far higher possibility to be banned. A special firmware for TS and HL has to be released to deal with some security sector (SS) issue when spoofing.


[[Image:Xbox 360 liteon label.jpg|300px]]
'''Update 27th December 2008:''' The release of iXtreme v1.5 now enables flashing of the Lite-On drive. It still requires extracting of the key.


== Serial Controller ==
== Lite-On DG-16D2S ==


The serial controller will be connected to the Lite-On drive and used to interface and send commands to the MT1319L controller on the drive board.  
This drive started to appear in machines manufactured after 20th April 2008 (2008-04-20). Currently it's not possible to dump or flash the drive, only to extract the key.
 
[[Image:Xbox 360 lite-on label.jpg|300px]] [[Image:Xbox 360 lite-on drive board.jpg|300px]]
 
== Serial Adapter ==
 
The serial adapter will be connected to the Lite-On drive board and used to interface with the MT1319L controller using the special DVDKey utility (more below).


=== Build ===
=== Build ===


Either buy a pre-built RS-232 adapter or build one yourself. The parts are cheap and it isn't hard to build.
Either buy a pre-built RS-232 level shifter adapter or build one yourself. The parts are cheap and it isn't hard to build.
 
Any USB-based RS-232 adapters (like [http://www.pololu.com/catalog/product/391 this]) will work fine with DVDKey32 (Windows application). The regular 16-bit DVDKey application for DOS will not work with USB-adapters, only COM-port based adapters.


Some RS-232 transecivers:
To build an adapter, these two RS-232 transceivers will work fine:
* MAX3232
* MAX3232
* ST3232
* ST3232


[[Image:Xbox 360 liteon rs232 build.jpg|300px]]
Other required parts are 5x 0.1 uF (1000nF) ceramic or electrolytic capacitors, 1x D-Sub 9-pin female connector, and maybe a 2.54 mm spaced breadboard to mount everything.
 
* [http://beta.ivancover.com/xbox360/lite-on/MAX3222-MAX3241.pdf Download MAX3232 datasheet]
 
[[Image:Xbox 360 lite-on rs232 build.png|400px]]


Here is my adapter based on a MAX3232 chip:
Here is my adapter based on a MAX3232 chip:
[[Image:Xbox 360 liteon max3232 front.jpg|300px]] [[Image:Xbox 360 liteon max3232 back.jpg|300px]]


[[Image:Xbox 360 lite-on max3232 front.jpg|300px]] [[Image:Xbox 360 lite-on max3232 back.jpg|300px]]
To verify that the serial adapter works, make sure the serial-port is enabled in the BIOS, and join (loop) the Tx and Rx pins together (pin 2 and 3). Open HyperTerm (or any other terminal applications) and try the default settings (9600, 8, None, 1). Type something in the terminal, if it's working it should echo back what you type. HyperTerm will not show what you type/input by default, only what's replied back/output from the RS232 transceiver. For more loopback test info, [http://zone.ni.com/devzone/cda/tut/p/id/3450 look here].
Alternatively, try this very simple RS-232 level converter. Composed of only resistors, diodes, transistors, and a capacitor.
* [http://www.xboxhacker.net/index.php?topic=10204.msg66359#msg66359 Xbox-hacker suggestion]
* [http://picprojects.org.uk/projects/simpleSIO/ssio.htm Simple RS232 to logic level converter]
Alternative:
[[Image:Xbox 360 lite-on rs232 simple.jpg|400px]]


=== Connect ===
=== Connect ===


Once the serial adapter is ready, connect the 3.3v, Ground, TxD and RxD points to the Lite-On drive board. The points are shown below:
Once the serial adapter is ready, connect the 3.3v, Ground, TxD and RxD points to the Lite-On drive board. There is also two jumpers/solder pads for TxD and RxD that needs to be joined. The points are shown below:
[[Image:Xbox 360 liteon serial adapter points.jpg|300px]]
 
* [http://beta.ivancover.com/xbox360/lite-on/xbox360_liteon_dvdkey_serial_diagrams.zip Download the original diagrams]
 
[[Image:Xbox 360 lite-on serial adapter points.jpg|300px]]
 
If you buy or use a pre-built adapter, remember tht '''V+''' or '''Vcc''' is the same as '''3.3v''', '''V-''' or '''Vss''' is the same as '''Ground''', '''Tx''' or '''T1 In''' is the same as '''TxD''', and '''Rx''' or '''R1 Out''' is the same as '''RxD'''. The MAX3232 level shifter can operate on voltages ranging from 3.0v to 6.0v.
 
* R707 going to TxD on the MAX3232
* R708 going to RxD on the MAX3232


The adapter installed:
The adapter installed:
[[Image:Xbox 360 liteon serial adapter installed closeup.jpg|300px]] [[Image:Xbox 360 liteon serial adapter installed overview.jpg|300px]]


== Dump Key ==
[[Image:Xbox 360 lite-on serial adapter installed closeup.jpg|300px]] [[Image:Xbox 360 lite-on serial adapter installed overview.jpg|300px]]
 
This is the DVD drive power cable signal layout:
 
[[Image:Xbox 360 lite-on dvd power cable.png|300px]]
 
* [http://beta.ivancover.com/xbox360/lite-on/Xbox_360-HandC-V1_4.pdf Download the Xbox 360 Motherboard Headers and Connectors v1.4 guide]
 
An alternate way to connect the 3.3v, Gnd, TxD, and RxD points is to just join the two points and connect the other points via the DVD power connector/cable. Power and ground goes through to an external adapter, e.g. the Connectivity Kit v1/v2 or 360toPC Kit. While the basic cable doesn't include wires for TxD and RxD, two extra wires has to be inserted into the white connector and then connected to the serial adapter. Although you need wires with pre-cramped hooks at the ends, e.g. from a Xbox 1, DVD-ROM audio cable, or a replacement power cable.
 
== Dump Preparation ==
 
=== Requirements ===
 
These are the basic requirements to connect the drive to a computer and powering it.
 
* Native SATA controller or VIA VT6421A or VT6421L PCI card
* Power to the Lite-On drive, either:
** Team Xecuter Connectivity kit v1 or v2 (on v1, keep the eject button open/high)
** The Xbox 360 located close the computer to provide power to the drive
 
In addition you of course need a new DVD drive to put the key on once it's dumped. Any old BenQ, Toshiba-Samsung, or Hitachi-LG drive will work.


=== Utility ===
=== Utility ===
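Review bot: The new parts list in the Build section gives the capacitors as "0.1 uF (1000nF)", but 0.1 uF is 100 nF, so the two values disagree; state a single value and check it against the linked MAX3232 datasheet. In the same hunk, the pre-built adapter paragraph has "tht" for "that", the power-cable paragraph has "pre-cramped" for "pre-crimped", and the Lite-On DG-16D2S paragraph still says the drive cannot be flashed although the 27th December update added above it says iXtreme v1.5 enables flashing.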
Line 39: Line 90:
Download the DVDKey utility. The utility will interface with the drive over the serial connection and dump the key via SATA.  
Download the DVDKey utility. The utility will interface with the drive over the serial connection and dump the key via SATA.  


* [http://beta.ivancover.com/xbox360/liteon/dvdkey_v1.1.rar Download DVDKey v1.1]
* [http://beta.ivancover.com/xbox360/lite-on/DVDkey_V1.1.rar Download DVDKey v1.1]


Create a DOS boot disk and put DVDKey on the drive.
Create a DOS boot disk and put DVDKey on the drive.
Line 53: Line 104:
This is a Windows tool to create a boot disk for iXtreme flashing.
This is a Windows tool to create a boot disk for iXtreme flashing.


* [http://beta.ivancover.com/xbox360/liteon/iprep_v05100.rar Download iPrep 02001]
* [http://beta.ivancover.com/xbox360/lite-on/iPrep_101_v0.0.6.2_Beta.rar Download iPrep 101 v0.0.6.2 beta]


Install the application and open it, in the middle of the window, look for the name of your SATA controller, click on 'More', the SATA port is the first 4 (four) characters in the DeviceIO string.
Install the application and open it, in the middle of the window, look for the name of your SATA controller, click the question mark on the right-side, the SATA port is the first 4 (four) characters in the DeviceIO string. Here it's ''A000''.


[[Image:Xbox 360 liteon iprep.png|300px]]
[[Image:Xbox 360 lite-on iprep.png|300px]]


Make sure you have the [http://www.microsoft.com/downloads/details.aspx?familyid=0856eacb-4362-4b0d-8edd-aab15c5e04f5 .Net Framework v2.0] installed if the application throws an error on launch.
Make sure you have the [http://www.microsoft.com/downloads/details.aspx?familyid=0856eacb-4362-4b0d-8edd-aab15c5e04f5 .Net Framework v2.0] installed if the application throws an error on launch.


==== DOSFlash ====
==== DosFlash ====


DOSFlash is used to flash BenQ drives (and Toshiba-Samsung drives). It will report the address of the detected drive before it continues.  
DosFlash is used to flash BenQ drives (and Toshiba-Samsung drives). It will report the address of the detected drive before it continues.  


* [http://beta.ivancover.com/xbox360/liteon/dosflash_v14beta.rar Download DOSFlash v1.4 beta]
* [http://beta.ivancover.com/xbox360/lite-on/DosFlash_V1.4Beta.rar Download DosFlash v1.4 beta]


Connect the Lite-On drive to the SATA port, create a DOS boot disk and put DOSFlash in it, boot to DOS, and execute dosflash.exe in the Dosflash16 directory (DOSFLA~1). The port will be reported in the text string starting with ''MTK Vendor Intro failed on port 0xA000. ...''. Press ctrl+c to exit.
Connect the Lite-On drive to the SATA port, create a DOS boot disk and put DosFlash in it, boot to DOS, and execute dosflash.exe in the Dosflash16 directory (DOSFLA~1). '''Press 'n' on any prompts.''' The port will be reported in the text string starting with ''MTK Vendor Intro failed on port...''. Press ctrl+c to exit.


The output should look like this:
The output should look like this:
Line 73: Line 124:
  DOSFLASH V1.4 Beta Build 20071115 by Team Modfreakz and Kai Schtrom
  DOSFLASH V1.4 Beta Build 20071115 by Team Modfreakz and Kai Schtrom
   0) 0x01F0 IDE    Pri Master  None
   0) 0x01F0 IDE    Pri Master  None
   1) 0x01F0 IDE    Pri Slave     None
   1) 0x01F0 IDE    Pri Slave   None
   2) 0x0170 IDE    Sec Master None
   2) 0x0170 IDE    Sec Master None
   3) 0x0170 IDE    Sec Slave   None
   3) 0x0170 IDE    Sec Slave   None
  MTK Vendor Intro failed on port 0x'''A000'''. If you choose to resend the command
  MTK Vendor Intro failed on port 0xA000. If you choose to resend the command
  you should turn the drive off and on after you pressed "Yes".
  you should turn the drive off and on after you pressed "Yes".
  Do you want to resend the command until the drive responds (Y/N)? n
  Do you want to resend the command until the drive responds (Y/N)? n
  4) 0x'''A000''' SATA Pri Master ATAPI PLDS  DG16D2S 748XXX
  4) 0xA000 SATA   Pri Master   ATAPI PLDS  DG16D2S 74850C
       Flash ManufacturerID: 0x00, DeviceID: 0x00
       Flash ManufacturerID: 0x00, DeviceID: 0x00
       Flash Type: MTK Vendor Intro failed!
       Flash Type: MTK Vendor Intro failed!
       Flash Size: 0 bytes (0 KB)
       Flash Size: 0 bytes (0 KB)
  5) 0xA400 SATA Pri Master None
  5) 0xA400 SATA   Pri Master   None
  6) 0xA800 IDE    Pri Master  None
  6) 0xA800 IDE    Pri Master  None
  7) 0xA800 IDE    Pri Slave     None
  7) 0xA800 IDE    Pri Slave   None
 
  Enter the number of an ATAPI drive to read, write, erase flash:
  Enter the number of an ATAPI drive to read, write, erase flash:
  c:\DOSFLASH\DOSFLA~1>
  c:\DOSFLASH\DOSFLA~1>


Picture:
Picture:
[[Image:Xbox 360 liteon dosflash.jpg|300px]]
 
[[Image:Xbox 360 lite-on dosflash.jpg|300px]]


==== Slax Linux ====
==== Slax Linux ====
Line 97: Line 149:
Slax is a Linux distribution tweaked for Xbox 360 use. It will put the Hitachi-LG drive in mode-b for flashing.  
Slax is a Linux distribution tweaked for Xbox 360 use. It will put the Hitachi-LG drive in mode-b for flashing.  


* [http://beta.ivancover.com/xbox360/liteon/slax_v2.1.rar Download Slax Linux 2.1]
* [http://beta.ivancover.com/xbox360/lite-on/pSlax21.rar Download Slax Linux 2.1]


Connect the Lite-On drive to the SATA port, burn the image to a CD-R/DVD-R, boot the disc, eject the tray if the boot halts, and login using username ''root'' and password ''toor''.
Connect the Lite-On drive to the SATA port, burn the image to a CD-R/DVD-R, boot the disc, eject the tray if the boot halts, and login using username ''root'' and password ''toor''.


Type '''dmesg|grep SATA''' (case important, ''SATA''')' to filter out the SATA messages from the kernel boot log. The SATA port address can be found after ''SATA max UDMA/133 cmd'', before ''ctl''. In this example 0xA000, or A000 is the part that will be used here.
Type '''dmesg|grep SATA''' ''(case is important, remember upper-case '''SATA''')'' to filter out the SATA messages from the kernel boot log. The SATA port address can be found after ''SATA max UDMA/133 cmd'', before ''ctl''. In this example 0xA000, or A000, is the part that will be used here.


The output should look similar to the below:
The output should look similar to the below:
Line 109: Line 161:


Picture:
Picture:
[[Image:Xbox 360 liteon slax.jpg|300px]]


=== Dump ===
[[Image:Xbox 360 lite-on slax.jpg|300px]]


Required:
== Dump Key ==
* Native SATA controller or VIA VT6421A or VT6421L PCI card
 
* Power to the Lite-On drive:
Once the steps above is complete, the dump process can begin.
** Either via Team Xecuter Connectivity kit v1/v2 or place the Xbox 360 near the computer


==== Half Open Tray ====
=== Half Open Tray ===


The tray has to stay half open during the process. Once the drive tray is half-open it will stay open, not close on the next power up as a normal drive would do.
The tray has to stay half open during the process. Once the drive tray is half-open it will stay open, not close on the next power up as a normal drive would do.
Line 124: Line 174:
''Note:'' On some setups it's not needed to have the tray half-open, it works fine with the tray closed.
''Note:'' On some setups it's not needed to have the tray half-open, it works fine with the tray closed.


Eject button method:
==== Eject button method ====
 
# Power on the drive
# Power on the drive
# Press the eject button - On the Connectivity Kit or front of the Xbox 360
# Press the eject button - On the Connectivity Kit or front of the Xbox 360
# Remove the power again
# Remove the power again
# Manually press the drive in half-way
# Manually press the drive half-way in
 
[[Image:Xbox 360 lite-on open tray.jpg|300px]]


Paper clip method:
==== Paper clip method ====
# Locate the black slider on the right-side of the drive (see picture)
 
# Locate the black slider on the right-side on the bottom of the drive (see picture)
# Use a paper clip or screwdriver to press the slider all the way in
# Use a paper clip or screwdriver to press the slider all the way in
# The tray should slide or pop out, pull it half-way open
# The tray should slide or pop out, pull it half-way open


==== Dumping Procedure ====  
[[Image:Xbox 360 lite-on open tray paperclip.jpg|300px]]
 
=== Dumping Procedure ===  


Follow this procedure to dump the key:
Follow this procedure to dump the key:
Line 141: Line 197:
# Power off the computer
# Power off the computer
# Disconnect power and SATA cable on the Lite-On drive
# Disconnect power and SATA cable on the Lite-On drive
# Connect the serial controller cable to COM1 (first/top port on the back of the machine) - Can be connected all the time if retries
# Connect the serial controller cable to COM1 (bios setting 3F8/IRQ4) on the computer
# Connect power to the Lite-On drive
# Connect power to the Lite-On drive
# Power on the computer
# Power on the computer
# Boot DOS, either from hard drive or a flash drive, DVDKey already installed
# Boot to DOS, either from hard drive or a flash drive, DVDKey already installed
# Plug in the SATA cable to the Lite-On drive
# Plug in the SATA cable to the Lite-On drive
#* ''Note:'' On some computers, the cable can be plugged in before the computer is powered on
#* ''Note:'' On some computers (VT6421), the cable can be plugged in before the computer is powered on
# Execute DVDKey with the SATA port found above:
# Execute DVDKey with the SATA port address (found above) as an argument:
#*'''dvdkey a000'''
#*'''dvdkey a000'''
# After 20-30 seconds the key will be dumped
# After 20-30 seconds the key will be dumped
# If it fails, try again from step 1


The output should be something like this:
The output should be something like this:
Line 163: Line 220:
  KEY.BIN saved
  KEY.BIN saved
   
   
  PLDS  DG-16D2S      74850XXX
  PLDS  DG-16D2S      74850C
  INQUIRY.BIN saved
  INQUIRY.BIN saved
   
   
Line 171: Line 228:
  c:\DVDKEY>
  c:\DVDKEY>


If you got something like this, you need to power down the drive between each try:
* ''key.bin'' is dumped through the COM-port
* ''inquiry.bin'' and ''identify.bin'' is dumped through the SATA-port
 
As a side note, all this also work exactly the same on a BenQ drive. Leave the tray half-open and cylce the drive power between each try.
 
Picture of the dump and setup with Connectivity Kit v1 and Serial Adapter connected:
 
[[Image:Xbox 360 lite-on dvdkey success.jpg|300px]] [[Image:Xbox 360 lite-on dump setup.jpg|300px]]
 
=== Errors ===
 
If you got something like this, you need to:
 
* Power down the drive between each tries
* Check the serial adapter communication
* Wrong COM port selected for the serial adapter (DVDKey hardcoded to COM1)
* Tx and Rx pin is reversed or misplaced on the transceiver
 
  c:\DVDKEY>dvdkey a000
  c:\DVDKEY>dvdkey a000
  Port A000
  Port A000
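Review bot: The new bullets after the DVDKey output say ''key.bin'' is dumped through the COM port and only ''inquiry.bin'' and ''identify.bin'' through SATA, which contradicts the unchanged Utility sentence "dump the key via SATA"; update that sentence so the page gives one account of which channel carries the key. In the new Errors list, "you need to:" is followed by two actions and then two causes (wrong COM port, Tx/Rx reversed); split it into causes and fixes, and correct "cylce" and "between each tries".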
Line 186: Line 260:
  c:\DVDKEY>
  c:\DVDKEY>


== Spoof ==
In this case the wrong SATA port address is used. Try iPrep, DOSFlash, or Slax to find the correct port.
 
c:\DVDKEY>dvdkey a400
Port A000
Problems with sata status, try to reboot PC
c:\DVDKEY>
 
== Spoof Drive ==
 
The Xbox 360 system is married to the specific DVD drive when it ships from the factory. Two parts in the DVD firmware is linking it to the 360, the first is the DVD encryption key, e.g. ''9174C2D5905AE8B9ACB23CD116XXXXXX'', and the second is the drive identity, e.g. ''PLDS DG-16D2S 74850CA0A1D608CG81881200VM1''.
 
For any games to start at all the key stored in the NAND flash has to match the key in the firmware on DVD drive, else only DVD movies will play.
 
Earlier drives (Toshiba-Samsung, Hitachi-LG, and BenQ) had the same drive identification string, but the new Lite-On has an unique identifier per drive. This unique identifier is found in the ''INQUIRY.BIN'' file.
 
=== DVD Key ===
 
Have your hacked firmware for the drive you want to use as a replacement for the Lite-On ready. The hacked firmware is found in '''Benq iXtreme v1.41''' package for BenQ, '''Samsung.iXtreme.1.4''' package for Thoshiba-Samsung, and '''360FW-Toolbox-v4.8''' or '''iXtreme1.4_Hitachi''' package for Hitachi-LG.
 
The best way to get hold of the correct hacked firmware is to first flash the new drive with iXtreme and verify that it works. Then use the backup of the previously flashed iXtreme file, as the bases for the new spoofed firmware.
 
''Note'': On Hitachi-LG drives, first restore the original firmware before flashing the new spoofed firmware.
 
If you haven't written down the key for the Lite-On during the dump process, download '''Tiny Hexer''' and open the '''KEY.BIN''' file. The key is in HEX form, here it's starting '''9174 C2D5 ...'''.
 
[[Image:Xbox 360 lite-on tinyhexer key.png]]
 
Write down this key and save it to a text file for later reference and backup.
 
==== 360 Firmware Toolbox (recommended method) ====
 
Download and extract 360 Firmware Toolbox v4.8 or newer.
 
* [http://beta.ivancover.com/xbox360/lite-on/360FW-Toolbox-v4.8.rar Download 360 Firmware Toolbox v4.8]
 
Open 360 Firmware Toolbox, select File and Open, and find the hacked firmware for the new drive. Copy the Lite-On DVD key found above and paste it into the '''Key''' field under the '''Key Information''' section. Click '''Save Key''' to apply the change.
 
[[Image:Xbox 360 lite-on 360firmware key.png|500px]]
 
The key is now patched. Next, spoof the drive identification.
 
==== Manual method ====
 
The key location is different for each drive and firmware version. Use the table below to find the correct location.
 
===== BenQ =====
 
BenQ key string is located at '''0xE030 to 0xE040''', length 0x10 bytes.
 
[[Image:Xbox 360 lite-on tinyhexer key benq.png]]
 
===== Toshiba-Samsung =====
 
Toshiba-Samsung key string is located at '''0x401A to 0x402A''', length 0x10 bytes.
 
[[Image:Xbox 360 lite-on tinyhexer key sam 401a.png]]
 
And alternatively ''0x40EC to 0x40FC'', length 0x10 bytes.
 
[[Image:Xbox 360 lite-on tinyhexer key sam 40ec.png]]
 
And alternatively ''0x4116 to 0x4126'', length 0x10 bytes.
 
[[Image:Xbox 360 lite-on tinyhexer key sam 4116.png]]
 
Essentially the key can be found by following this sequence [http://www.xboxhacker.net/index.php?topic=6196.msg39889#msg39889]:
01 EE EE EE EE - 16 byte key location - 02 11 11 11 11 - 16 byte key location - 03 EE EE EE EE - 16 byte key location - etc
 
==== Hitachi-LG ====
 
'''Version 32 / 36 / 46 / 47 / 59'''
 
Hitachi-LG key string is located at '''0x4F00 to 0x4F10''', length 0x10 bytes.
 
[[Image:Xbox 360 lite-on tinyhexer key hit 32.png]]
 
'''Version 78 v1'''
 
Hitachi-LG key string is located at '''0x4B00 to 0x4B10''', length 0x10 bytes.
 
[[Image:Xbox 360 lite-on tinyhexer key hit 78v1.png]]
 
'''Version 78 v2'''
 
Hitachi-LG key string is located at '''0x4C30 to 0x4C40''', length 0x10 bytes.
 
[[Image:Xbox 360 lite-on tinyhexer key hit 78v2.png]]
 
'''Version 78 v3'''
 
Hitachi-LG key string is located at '''0x4D20 to 0x4D30''', length 0x10 bytes.
 
[[Image:Xbox 360 lite-on tinyhexer key hit 78v3.png]]
 
'''Version 78 v4'''
 
Hitachi-LG key string is located at '''0x4E10 to 0x4E20''', length 0x10 bytes.
 
[[Image:Xbox 360 lite-on tinyhexer key hit 78v4.png]]
 
'''Version 79 v1'''
 
Hitachi-LG key string is located at '''0x4B00 to 0x4B10''', length 0x10 bytes.
 
[[Image:Xbox 360 lite-on tinyhexer key hit 78v1.png]]
 
'''Version 79 v2'''
 
Hitachi-LG key string is located at '''0x4E10 to 0x4E20''', length 0x10 bytes.
 
[[Image:Xbox 360 lite-on tinyhexer key hit 78v4.png]]
 
----
 
=== Identification String ===
 
The identification string for the Lite-On drive is saved to the ''INQUIRY.BIN'' file. This file was created during the dumping process. Not spoofing the drive will result in an E66 error message during the Xbox 360 booting process.
 
==== 350 Firmware Toolbox (recommended method) ====
 
Download 360 Firmware Toolbox v4.8 or newer and exact it to a folder.
 
* [http://beta.ivancover.com/xbox360/lite-on/360FW-Toolbox-v4.8.rar Download 360 Firmware Toolbox v4.8]
 
Launch 360 Firmware Toolbox and open the hacked firmware for the new drive. Select '''Tools''' and '''Spoof Firmware'''. In the selection box pick '''Custom (Requires inquiry.bin)''' and click ''Apply Spoof''.
 
[[Image:Xbox 360 lite-on 360firmware spoof firmware.png|330px]]
 
In the next file dialog that's popping up, find and select the '''INQUIRY.BIN''' file from the Lite-On dump. This file includes the unique identifier for the drive. Click ''Ok'' and a message will report the change was made.
 
[[Image:Xbox 360 lite-on 360firmware spoof firmware success.png|280px]]
 
To verify and view the unique identifier, select '''Tools''' and '''Spoof Firmware''' again, and look at the top of window under '''Current Detection String'''. This is the real spoof string.
 
[[Image:Xbox 360 lite-on 360firmware spoof firmware string.png|280px]]
 
The firmware should now be ready and can be flashed back to the drive.
 
''Note'': On Hitachi-LG drives, first restore the original firmware before flashing the new spoofed firmware. 360 Firmware Toolbox includes all the original Hitachi-LG firmwares.
 
Utility to use:
 
* ''BenQ'': Use '''DosFlash'''
* ''Toshiba-Samsung'': Use '''DosFlash''' or '''MTKFlash'''
* ''Hitachi-LG'': Use '''360 Firmware Toolbox'''
 
There are many good tutorials available that shows how to flash the different drives.
 
==== Manual method ====
 
Open the ''INQUIRY.BIN'' file in Tiny Hexer, select all the 6 lines (ctrl+a), and copy it (ctrl+c).
 
[[Image:Xbox 360 lite-on tinyhexer inquiry.png]]
 
Next, open the hacked firmware and find the correct range to replace in the table below. The block starts with '''0580 0032 ...'''.  The identification string is 0x60 bytes long. Mark this range and paste the Lite-On inquiry block into this selection.
 
===== BenQ =====
 
BenQ identification string is located at '''0x2D5C to 0x2DBC''', length 0x60 bytes.
 
[[Image:Xbox 360 lite-on tinyhexer spoof benq.png]]
 
===== Toshiba-Samsung =====
 
Toshiba-Samsung identification string is located at '''0x20B0 to 0x2114''', length 0x60 bytes.
 
[[Image:Xbox 360 lite-on tinyhexer spoof sam.png]]
 
===== Hitachi-LG =====
 
'''Version 32'''
 
Hitachi-LG identification string is located at '''0x3D460 to 0x3D4C0''', length 0x60 bytes.
 
[[Image:Xbox 360 lite-on tinyhexer spoof hit32.png]]
 
No checksum reset.
 
'''Version 36'''
 
Hitachi-LG identification string is located at '''0x3D444 to 0x3D4A4''', length 0x60 bytes.
 
[[Image:Xbox 360 lite-on tinyhexer spoof hit36.png]]
 
No checksum reset.
 
'''Version 46 and 47'''
 
Hitachi-LG identification string is located at '''0x3D47C to 0x3D4DC''', length 0x60 bytes.
 
[[Image:Xbox 360 lite-on tinyhexer spoof hit46.png]]
 
Reset the checksum to '''0000 0000''' at location '''0x3E7FC to 0x3E800'''.
 
[[Image:Xbox 360 lite-on tinyhexer spoof hit46 checksum.png]]
 
'''Version 59'''
 
Hitachi-LG identification string is located at '''0x3D498 to 0x3D4F8''', length 0x60 bytes.
 
[[Image:Xbox 360 lite-on tinyhexer spoof hit59.png]]
 
Reset the checksum to '''0000 0000''' at location '''0x3E7FC to 0x3E800'''.
 
[[Image:Xbox 360 lite-on tinyhexer spoof hit46 checksum.png]]
 
'''Version 78 - Key location 4B00, 4C30, and 4D20'''
 
Hitachi-LG identification string is located at '''0x3CAB0 to 0x3CB10''', length 0x60 bytes.
 
[[Image:Xbox 360 lite-on tinyhexer spoof hit78.png]]
 
Reset the checksum to '''0000 0000''' at location '''0x3E7FC to 0x3E800'''.
 
[[Image:Xbox 360 lite-on tinyhexer spoof hit46 checksum.png]]
 
'''Version 78 - Key location 4E10'''
 
Hitachi-LG identification string is located at '''0x3CB3C to 0x3CB9C''', length 0x60 bytes.
 
[[Image:Xbox 360 lite-on tinyhexer spoof hit78 4e10.png]]
 
Reset the checksum to '''0000 0000''' at location '''0x3E7FC to 0x3E800'''.
 
[[Image:Xbox 360 lite-on tinyhexer spoof hit46 checksum.png]]
 
'''Version 79 - Key location 4B00'''
 
Hitachi-LG identification string is located at '''0x3CAB0 to 0x3CB10''', length 0x60 bytes.
 
[[Image:Xbox 360 lite-on tinyhexer spoof hit78.png]]
 
Reset the checksum to '''0000 0000''' at location '''0x3E7FC to 0x3E800'''.
 
[[Image:Xbox 360 lite-on tinyhexer spoof hit46 checksum.png]]
 
'''Version 79 - Key location 4E10'''
 
Hitachi-LG identification string is located at '''0x3CB3C to 0x3CB9C''', length 0x60 bytes.
 
[[Image:Xbox 360 lite-on tinyhexer spoof hit78 4e10.png]]
 
Reset the checksum to '''0000 0000''' at location '''0x3E7FC to 0x3E800'''.
 
[[Image:Xbox 360 lite-on tinyhexer spoof hit46 checksum.png]]
 
The firmware should now be ready and can be flashed back to the drive.
 
''Note'': On Hitachi-LG drives, first restore the original firmware before flashing the new spoofed firmware. 360 Firmware Toolbox includes all the original Hitachi-LG firmwares.
 
Utility to use:
 
* ''BenQ'': Use '''DosFlash'''
* ''Toshiba-Samsung'': Use '''DosFlash''' or '''MTKFlash'''
* ''Hitachi-LG'': Use '''360 Firmware Toolbox'''
 
There are many good tutorials available that shows how to flash the different drives.
 
== Summary ==
 
To summarize the entire process to a simple step-by-step guide[http://www.xboxhacker.net/index.php?topic=10204.msg67165#msg67165]:
 
# Open up Lite-On
# Bridge resistor points
# Solder on Tx, Rx, Gnd, and 3.3v
# Boot up DOS
# Connect power to 360 and DVD drive
# Eject drive
# Pull power plug of 360 and DVD drive
# Close DVD drive with your hand half way
# Plug in 360 and power it on
# Plug in DVD power, and SATA cable from your computer
# Connect adapter to COM1-port
# Run dvdkey xxxx (xxxx = your sata port)
# Dump key and identity
# Spoof new Hitachi-LG/Toshiba-Samsung/BenQ DVD drive
 
== References ==
 
* [http://www.xboxhacker.net/index.php?topic=10204.0 Xbox-hacker DVDkey Benq/Liteon key extractor]
* [http://gueux-forum.net/index.php?showtopic=195833&hl= Gueux-forum Lite-On tutorial (Frence)]
* [http://www.eurasia.nu/wiki/index.php?pagename=LiteOnDvdKeySpoof Eurasia Lite-On DVD Key Spoof]
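Review bot: In the manual identification-string section, the Toshiba-Samsung range "0x20B0 to 0x2114" spans 0x64 bytes while the text gives the length as 0x60 (every other range in the section is exactly 0x60), so either the end address or the length needs correcting before anyone pastes a block over it. Elsewhere in this hunk: the wrong-port sample runs "dvdkey a400" but prints "Port A000" and lacks the leading-space preformatting used by the other console samples; the heading "350 Firmware Toolbox" should read 360; "==== Hitachi-LG ====" under the DVD key manual method is one level above its BenQ and Toshiba-Samsung siblings; and "Use the table below" refers to a table that is not there.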

Latest revision as of 17:30, 30 December 2008

In late August 2008 a method to dump the key for the new Lite-On DG-16D2S drive was released. It requires a serial adapter and SATA controller. Once the key and identification string are dumped, a new drive can be flashed with a spoofed iXtreme firmware.

Thanks go to Geremia, C4eva, Tiros, Schtrom, TMF, Redline99, and the Xbox-hacker community.

Replacing drive note: When replacing the DVD drive, only the BenQ drive is recommended at this stage. Using other drives gives a very high possibility of getting banned if you go on Xbox Live; obviously any drive can get you banned, but the Toshiba-Samsung and Hitachi-LG drives have a far higher possibility of being banned. A special firmware for TS and HL has to be released to deal with a security sector (SS) issue when spoofing.

Update 27th December 2008: The release of iXtreme v1.5 now enables flashing of the Lite-On drive. It still requires extracting the key.

Lite-On DG-16D2S

This drive started to appear in machines manufactured after 20th April 2008 (2008-04-20). Currently it's not possible to dump or flash the drive, only to extract the key.

Xbox 360 lite-on label.jpg Xbox 360 lite-on drive board.jpg

Serial Adapter

The serial adapter will be connected to the Lite-On drive board and used to interface with the MT1319L controller using the special DVDKey utility (more below).

Build

Either buy a pre-built RS-232 level shifter adapter or build one yourself. The parts are cheap and it isn't hard to build.

Any USB-based RS-232 adapter (like this) will work fine with DVDKey32 (Windows application). The regular 16-bit DVDKey application for DOS will not work with USB adapters, only with COM-port based adapters.

To build an adapter, these two RS-232 transceivers will work fine:

  • MAX3232
  • ST3232

Other required parts are 5x 0.1 uF (1000nF) ceramic or electrolytic capacitors, 1x D-Sub 9-pin female connector, and maybe a 2.54 mm spaced breadboard to mount everything.

Xbox 360 lite-on rs232 build.png

Here is my adapter based on a MAX3232 chip:

Xbox 360 lite-on max3232 front.jpg Xbox 360 lite-on max3232 back.jpg

To verify that the serial adapter works, make sure the serial port is enabled in the BIOS, and join (loop) the Tx and Rx pins together (pin 2 and 3). Open HyperTerm (or any other terminal application) and try the default settings (9600, 8, None, 1). Type something in the terminal; if it's working, it should echo back what you type. By default HyperTerm does not show what you type (input), only what comes back (output) from the RS-232 transceiver. For more loopback test info, look here.

Alternatively, try this very simple RS-232 level converter, composed of only resistors, diodes, transistors, and a capacitor.

Alternative:

Xbox 360 lite-on rs232 simple.jpg
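
The loopback check from the Build section, as an added example (not part of the original wiki page or of DVDKey): it writes byte patterns and classifies the echo, which also catches faults that typing printable text into a terminal can miss. `FakePort` and its fault modes are constructed stand-ins for running offline; the optional hardware path assumes the pyserial package and a port name given on the command line.

```python
"""Loopback self-test for an RS-232 level-shifter adapter with Tx and Rx joined."""
import time

# Patterns exercise the line harder than typed text: all-zero, all-one,
# alternating bits, then a printable string like one typed by hand.
PATTERNS = [b"\x00", b"\xff", b"\x55\xaa" * 8, b"loopback 9600 8N1\r\n"]


def read_exact(port, count, deadline):
    """Collect up to `count` bytes, tolerating short reads, until `deadline`."""
    data = b""
    while len(data) < count and time.monotonic() < deadline:
        data += port.read(count - len(data))
    return data


def loopback_check(port, patterns=PATTERNS, timeout=1.0):
    """Write each pattern and compare what comes back.

    `port` is any object with write(bytes) and read(n) -> bytes; a pyserial
    Serial object qualifies. Returns a list of (pattern, verdict) pairs.
    """
    results = []
    for pattern in patterns:
        flush = getattr(port, "reset_input_buffer", None)
        if flush:
            flush()                    # drop stale bytes from the previous pattern
        port.write(pattern)
        echo = read_exact(port, len(pattern), time.monotonic() + timeout)
        if echo == pattern:
            verdict = "ok"
        elif not echo:
            verdict = "no echo"        # loop open, wrong pins, or port disabled
        elif len(echo) < len(pattern):
            verdict = "short echo"     # bytes lost on the way round
        else:
            verdict = "corrupt echo"   # levels or line settings are wrong
        results.append((pattern, verdict))
    return results


class FakePort:
    """Constructed stand-in for a serial port so the check runs without hardware."""

    def __init__(self, mode="loop"):
        self.mode = mode               # "loop", "open" or "strip_high_bit"
        self.buf = b""

    def write(self, data):
        if self.mode == "loop":
            self.buf += data
        elif self.mode == "strip_high_bit":
            # Constructed fault: bit 7 never makes it round the loop.
            self.buf += bytes(b & 0x7F for b in data)
        # mode "open": Tx and Rx are not joined, nothing comes back
        return len(data)

    def read(self, n):
        out, self.buf = self.buf[:n], self.buf[n:]
        return out

    def reset_input_buffer(self):
        self.buf = b""


if __name__ == "__main__":
    import sys

    if len(sys.argv) > 1:              # e.g. COM1 or /dev/ttyS0
        import serial                  # pyserial, only needed for real hardware
        port = serial.Serial(sys.argv[1], 9600, bytesize=8, parity="N",
                             stopbits=1, timeout=0.2)
    else:
        port = FakePort("loop")
    for pattern, verdict in loopback_check(port):
        print(f"{pattern!r:40} {verdict}")
```

In the `strip_high_bit` mode the printable string still echoes correctly while the 0xFF and 0x55/0xAA patterns fail, which is why the script does not rely on typed text alone.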

Connect

Once the serial adapter is ready, connect the 3.3v, Ground, TxD and RxD points to the Lite-On drive board. There are also two jumpers/solder pads for TxD and RxD that need to be joined. The points are shown below:

Xbox 360 lite-on serial adapter points.jpg

If you buy or use a pre-built adapter, remember that V+ or Vcc is the same as 3.3v, V- or Vss is the same as Ground, Tx or T1 In is the same as TxD, and Rx or R1 Out is the same as RxD. The MAX3232 level shifter can operate on voltages ranging from 3.0v to 6.0v.

  • R707 going to TxD on the MAX3232
  • R708 going to RxD on the MAX3232

The adapter installed:

Xbox 360 lite-on serial adapter installed closeup.jpg Xbox 360 lite-on serial adapter installed overview.jpg

This is the DVD drive power cable signal layout:

Xbox 360 lite-on dvd power cable.png

An alternate way to connect the 3.3v, Gnd, TxD, and RxD points is to just join the two points and connect the other points via the DVD power connector/cable. Power and ground go through to an external adapter, e.g. the Connectivity Kit v1/v2 or 360toPC Kit. Since the basic cable doesn't include wires for TxD and RxD, two extra wires have to be inserted into the white connector and then connected to the serial adapter. You need wires with pre-crimped hooks at the ends for this, e.g. from an Xbox 1, a DVD-ROM audio cable, or a replacement power cable.

Dump Preparation

Requirements

These are the basic requirements to connect the drive to a computer and power it.

  • Native SATA controller or VIA VT6421A or VT6421L PCI card
  • Power to the Lite-On drive, either:
    • Team Xecuter Connectivity kit v1 or v2 (on v1, keep the eject button open/high)
    • The Xbox 360 located close to the computer to provide power to the drive

In addition you of course need a new DVD drive to put the key on once it's dumped. Any old BenQ, Toshiba-Samsung, or Hitachi-LG drive will work.

Utility

Download the DVDKey utility. The utility will interface with the drive over the serial connection and dump the key via SATA.

Create a DOS boot disk and put DVDKey on the drive.

Find SATA Port

DVDKey requires the address of the SATA port where the Lite-On drive will be connected. The address location is in HEX format (e.g. 0xA000 or A000).

Currently there are 3 different methods to find the address, some easier than others.

iPrep

This is a Windows tool to create a boot disk for iXtreme flashing.

Install the application and open it. In the middle of the window, look for the name of your SATA controller and click the question mark on the right side. The SATA port is the first 4 (four) characters in the DeviceIO string. Here it's A000.

Xbox 360 lite-on iprep.png

Make sure you have the .Net Framework v2.0 installed if the application throws an error on launch.

DosFlash

DosFlash is used to flash BenQ drives (and Toshiba-Samsung drives). It will report the address of the detected drive before it continues.

Connect the Lite-On drive to the SATA port, create a DOS boot disk and put DosFlash in it, boot to DOS, and execute dosflash.exe in the Dosflash16 directory (DOSFLA~1). Press 'n' on any prompts. The port will be reported in the text string starting with MTK Vendor Intro failed on port.... Press ctrl+c to exit.

The output should look like this:

c:\DOSFLASH\DOSFLA~1>dosflash
DOSFLASH V1.4 Beta Build 20071115 by Team Modfreakz and Kai Schtrom
 0) 0x01F0 IDE    Pri Master   None
 1) 0x01F0 IDE    Pri Slave    None
 2) 0x0170 IDE    Sec Master  None
 3) 0x0170 IDE    Sec Slave   None
MTK Vendor Intro failed on port 0xA000. If you choose to resend the command
you should turn the drive off and on after you pressed "Yes".
Do you want to resend the command until the drive responds (Y/N)? n
4) 0xA000 SATA   Pri Master   ATAPI PLDS   DG16D2S 74850C
     Flash ManufacturerID: 0x00, DeviceID: 0x00
     Flash Type: MTK Vendor Intro failed!
     Flash Size: 0 bytes (0 KB)
5) 0xA400 SATA   Pri Master   None
6) 0xA800 IDE     Pri Master  None
7) 0xA800 IDE     Pri Slave   None

Enter the number of an ATAPI drive to read, write, erase flash:
c:\DOSFLASH\DOSFLA~1>

Picture:

Xbox 360 lite-on dosflash.jpg

Slax Linux

Slax is a Linux distribution tweaked for Xbox 360 use. It will put the Hitachi-LG drive in mode-b for flashing.

Connect the Lite-On drive to the SATA port, burn the image to a CD-R/DVD-R, boot the disc, eject the tray if the boot halts, and log in using username root and password toor.

Type dmesg|grep SATA (case is important, remember upper-case SATA) to filter out the SATA messages from the kernel boot log. The SATA port address can be found after SATA max UDMA/133 cmd, before ctl. In this example 0xA000, or A000, is the part that will be used here.

The output should look similar to the below:

root@slax:~# dmesg|grep SATA
ata1: SATA max UDMA/133 cmd 0xA000 ctl 0xA00A bmdma 0xB000 irq 11
ata2: SATA max UDMA/133 cmd 0xA400 ctl 0xA40A bmdma 0xB008 irq 8

Picture:

Xbox 360 lite-on slax.jpg
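The DosFlash and Slax outputs above can also be read by a small script. The following is an added example, not part of the original guide or of any of the tools it names: it pulls the port address out of both output formats. The function names are hypothetical, and the third dmesg sample line is constructed to show that AHCI-mode controllers, which print no legacy cmd port, are skipped.

```python
import re

# Legacy/IDE-mode libata line: "ata1: SATA max UDMA/133 cmd 0xA000 ctl 0xA00A ..."
DMESG_RE = re.compile(r"\b(ata\d+): SATA .*?\bcmd (0x[0-9A-Fa-f]+)\b")
# DosFlash row: "4) 0xA000 SATA   Pri Master   ATAPI PLDS   DG16D2S 74850C"
DOSFLASH_RE = re.compile(
    r"^\s*\d+\)\s+(0x[0-9A-Fa-f]+)\s+(IDE|SATA)\s+(?:Pri|Sec)\s+(?:Master|Slave)\s+(.*\S)")

# First two lines are the page's Slax output; the third is a constructed
# AHCI-mode line, which has no legacy "cmd" I/O port and must be skipped.
DMESG_SAMPLE = """\
ata1: SATA max UDMA/133 cmd 0xA000 ctl 0xA00A bmdma 0xB000 irq 11
ata2: SATA max UDMA/133 cmd 0xA400 ctl 0xA40A bmdma 0xB008 irq 8
[    1.902] ata3: SATA max UDMA/133 abar m2048@0xfe525000 port 0xfe525100 irq 28
"""

# Rows taken from the page's DosFlash output.
DOSFLASH_SAMPLE = """\
 3) 0x0170 IDE    Sec Slave   None
MTK Vendor Intro failed on port 0xA000. If you choose to resend the command
4) 0xA000 SATA   Pri Master   ATAPI PLDS   DG16D2S 74850C
5) 0xA400 SATA   Pri Master   None
6) 0xA800 IDE     Pri Master  None
"""

def sata_ports_from_dmesg(text):
    """Return [(ata_name, 'A000'), ...] for every SATA line that has a cmd port."""
    ports = []
    for line in text.splitlines():
        m = DMESG_RE.search(line)
        if m:
            ports.append((m.group(1), m.group(2)[2:].upper()))
    return ports

def drive_port_from_dosflash(text, model="DG16D2S"):
    """Return the port of the SATA row that lists the drive model, or None."""
    for line in text.splitlines():
        m = DOSFLASH_RE.match(line)
        if m and m.group(2) == "SATA" and model in m.group(3):
            return m.group(1)[2:].upper()
    return None

if __name__ == "__main__":
    print("dmesg:", sata_ports_from_dmesg(DMESG_SAMPLE))
    print("dosflash:", drive_port_from_dosflash(DOSFLASH_SAMPLE))
```
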

Dump Key

Once the steps above are complete, the dump process can begin.

Half Open Tray

The tray has to stay half open during the process. Once the drive tray is half-open it will stay open, rather than close on the next power-up as a normal drive would.

Note: On some setups the tray does not need to be half-open; it works fine with the tray closed.

Eject button method

  1. Power on the drive
  2. Press the eject button - On the Connectivity Kit or front of the Xbox 360
  3. Remove the power again
  4. Manually press the drive half-way in

Xbox 360 lite-on open tray.jpg

Paper clip method

  1. Locate the black slider on the right-side on the bottom of the drive (see picture)
  2. Use a paper clip or screwdriver to press the slider all the way in
  3. The tray should slide or pop out, pull it half-way open

Xbox 360 lite-on open tray paperclip.jpg

Dumping Procedure

Follow this procedure to dump the key:

  1. Power off the computer
  2. Disconnect power and SATA cable on the Lite-On drive
  3. Connect the serial controller cable to COM1 (BIOS setting 3F8/IRQ4) on the computer
  4. Connect power to the Lite-On drive
  5. Power on the computer
  6. Boot to DOS, either from hard drive or a flash drive, DVDKey already installed
  7. Plug in the SATA cable to the Lite-On drive
    • Note: On some computers (VT6421), the cable can be plugged in before the computer is powered on
  8. Execute DVDKey with the SATA port address (found above) as an argument:
    • dvdkey a000
  9. After 20-30 seconds the key will be dumped
  10. If it fails, try again from step 1

The output should be something like this:

c:\DVDKEY>dvdkey a000
Port A000
Drive Present
Wait about 20 seconds

GOT SOMETHING !!!    sona: 03   sega: 54
DVD key:
9174C2D5905AE8B9ACB23CD116XXXXXX
Seems a GOOD Key!!!!
KEY.BIN saved

PLDS   DG-16D2S      74850C
INQUIRY.BIN saved

PLDS   DG-16D2S
IDENTIFY.BIN saved

c:\DVDKEY>

  • key.bin is dumped through the COM-port
  • inquiry.bin and identify.bin are dumped through the SATA-port

As a side note, all this also works exactly the same on a BenQ drive. Leave the tray half-open and cycle the drive power between each try.

Picture of the dump and setup with Connectivity Kit v1 and Serial Adapter connected:

Xbox 360 lite-on dvdkey success.jpg Xbox 360 lite-on dump setup.jpg
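A failed run still saves KEY.BIN, filled with zeros, so it is worth checking the saved files before going further. The following is an added example, not part of the original guide or of DVDKey: it checks a key image for the 0x10 length and the all-zero case, and checks that an INQUIRY.BIN image is 0x60 bytes and starts with 05 80 00 32. The field offsets are an assumption (the standard SCSI INQUIRY layout), the function names are hypothetical, and both sample images are constructed.

```python
KEY_LEN = 0x10                             # DVD key length given on the page
INQUIRY_LEN = 0x60                         # identification block length given on the page
INQUIRY_HEAD = bytes.fromhex("05800032")   # block start given on the page

# Constructed samples (not a real key or drive identity).
SAMPLE_KEY = bytes(range(1, 17))
SAMPLE_INQUIRY = (INQUIRY_HEAD + bytes([0x5B, 0, 0, 0])
                  + b"PLDS    " + b"DG-16D2S        " + b"7485"
                  + b"X" * (INQUIRY_LEN - 36))

def check_key(data):
    """Return a list of problems with a KEY.BIN image (empty list = plausible)."""
    problems = []
    if len(data) != KEY_LEN:
        problems.append(f"key is {len(data)} bytes, expected {KEY_LEN}")
    if data and not any(data):
        problems.append("key is all zeros (failed dump)")
    return problems

def parse_inquiry(data):
    """Validate an INQUIRY.BIN image and return its identity fields.

    Offsets assume the standard SCSI INQUIRY layout:
    vendor at 8..15, product at 16..31, revision at 32..35.
    """
    if len(data) != INQUIRY_LEN:
        raise ValueError(f"inquiry is {len(data)} bytes, expected {INQUIRY_LEN}")
    if data[:4] != INQUIRY_HEAD:
        raise ValueError("inquiry does not start with 05 80 00 32")

    def text(start, end):
        return data[start:end].decode("ascii", "replace").strip()

    return {"vendor": text(8, 16), "product": text(16, 32), "revision": text(32, 36)}

if __name__ == "__main__":
    print("good key:", check_key(SAMPLE_KEY))
    print("zero key:", check_key(bytes(KEY_LEN)))
    print("inquiry :", parse_inquiry(SAMPLE_INQUIRY))
```
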

Errors

If you get something like this, you need to:

  • Power down the drive between each try
  • Check the serial adapter communication
  • Check whether the wrong COM port is selected for the serial adapter (DVDKey is hardcoded to COM1)
  • Check whether the Tx and Rx pins are reversed or misplaced on the transceiver

c:\DVDKEY>dvdkey a000
Port A000
Drive Present
Wait about 20 seconds

It didn't work, sorry   reg1: 54
DVD key:
00000000000000000000000000000000
Seems NOT a good DVD Key!!! 00 00
KEY.BIN saved


c:\DVDKEY>

In this case the wrong SATA port address is used. Try iPrep, DOSFlash, or Slax to find the correct port.

c:\DVDKEY>dvdkey a400
Port A000
Problems with sata status, try to reboot PC 

c:\DVDKEY>

Spoof Drive

The Xbox 360 system is married to the specific DVD drive when it ships from the factory. Two parts of the DVD firmware link it to the 360: the first is the DVD encryption key, e.g. 9174C2D5905AE8B9ACB23CD116XXXXXX, and the second is the drive identity, e.g. PLDS DG-16D2S 74850CA0A1D608CG81881200VM1.

For any games to start at all, the key stored in the NAND flash has to match the key in the firmware on the DVD drive; otherwise only DVD movies will play.

Earlier drives (Toshiba-Samsung, Hitachi-LG, and BenQ) had the same drive identification string, but the new Lite-On has a unique identifier per drive. This unique identifier is found in the INQUIRY.BIN file.

DVD Key

Have your hacked firmware for the drive you want to use as a replacement for the Lite-On ready. The hacked firmware is found in the Benq iXtreme v1.41 package for BenQ, the Samsung.iXtreme.1.4 package for Toshiba-Samsung, and the 360FW-Toolbox-v4.8 or iXtreme1.4_Hitachi package for Hitachi-LG.

The best way to get hold of the correct hacked firmware is to first flash the new drive with iXtreme and verify that it works. Then use the backup of the previously flashed iXtreme file as the basis for the new spoofed firmware.

Note: On Hitachi-LG drives, first restore the original firmware before flashing the new spoofed firmware.

If you haven't written down the key for the Lite-On during the dump process, download Tiny Hexer and open the KEY.BIN file. The key is in HEX form; here it starts with 9174 C2D5 ....

Xbox 360 lite-on tinyhexer key.png

Write down this key and save it to a text file for later reference and backup.

360 Firmware Toolbox (recommended method)

Download and extract 360 Firmware Toolbox v4.8 or newer.

Open 360 Firmware Toolbox, select File and Open, and find the hacked firmware for the new drive. Copy the Lite-On DVD key found above and paste it into the Key field under the Key Information section. Click Save Key to apply the change.

Xbox 360 lite-on 360firmware key.png

The key is now patched. Next, spoof the drive identification.

Manual method

The key location is different for each drive and firmware version. Use the table below to find the correct location.

BenQ

BenQ key string is located at 0xE030 to 0xE040, length 0x10 bytes.

Xbox 360 lite-on tinyhexer key benq.png

Toshiba-Samsung

Toshiba-Samsung key string is located at 0x401A to 0x402A, length 0x10 bytes.

Xbox 360 lite-on tinyhexer key sam 401a.png

And alternatively 0x40EC to 0x40FC, length 0x10 bytes.

Xbox 360 lite-on tinyhexer key sam 40ec.png

And alternatively 0x4116 to 0x4126, length 0x10 bytes.

Xbox 360 lite-on tinyhexer key sam 4116.png

Essentially the key can be found by following this sequence [1]:

01 EE EE EE EE - 16 byte key location - 02 11 11 11 11 - 16 byte key location - 03 EE EE EE EE - 16 byte key location - etc

Hitachi-LG

Version 32 / 36 / 46 / 47 / 59

Hitachi-LG key string is located at 0x4F00 to 0x4F10, length 0x10 bytes.

Xbox 360 lite-on tinyhexer key hit 32.png

Version 78 v1

Hitachi-LG key string is located at 0x4B00 to 0x4B10, length 0x10 bytes.

Xbox 360 lite-on tinyhexer key hit 78v1.png

Version 78 v2

Hitachi-LG key string is located at 0x4C30 to 0x4C40, length 0x10 bytes.

Xbox 360 lite-on tinyhexer key hit 78v2.png

Version 78 v3

Hitachi-LG key string is located at 0x4D20 to 0x4D30, length 0x10 bytes.

Xbox 360 lite-on tinyhexer key hit 78v3.png

Version 78 v4

Hitachi-LG key string is located at 0x4E10 to 0x4E20, length 0x10 bytes.

Xbox 360 lite-on tinyhexer key hit 78v4.png

Version 79 v1

Hitachi-LG key string is located at 0x4B00 to 0x4B10, length 0x10 bytes.

Xbox 360 lite-on tinyhexer key hit 78v1.png

Version 79 v2

Hitachi-LG key string is located at 0x4E10 to 0x4E20, length 0x10 bytes.

Xbox 360 lite-on tinyhexer key hit 78v4.png


Identification String

The identification string for the Lite-On drive is saved to the INQUIRY.BIN file. This file was created during the dumping process. Not spoofing the drive will result in an E66 error message during the Xbox 360 booting process.

360 Firmware Toolbox (recommended method)

Download 360 Firmware Toolbox v4.8 or newer and extract it to a folder.

Launch 360 Firmware Toolbox and open the hacked firmware for the new drive. Select Tools and Spoof Firmware. In the selection box pick Custom (Requires inquiry.bin) and click Apply Spoof.

Xbox 360 lite-on 360firmware spoof firmware.png

In the file dialog that pops up next, find and select the INQUIRY.BIN file from the Lite-On dump. This file includes the unique identifier for the drive. Click Ok and a message will report that the change was made.

Xbox 360 lite-on 360firmware spoof firmware success.png

To verify and view the unique identifier, select Tools and Spoof Firmware again, and look at the top of the window under Current Detection String. This is the real spoof string.

Xbox 360 lite-on 360firmware spoof firmware string.png

The firmware should now be ready and can be flashed back to the drive.

Note: On Hitachi-LG drives, first restore the original firmware before flashing the new spoofed firmware. 360 Firmware Toolbox includes all the original Hitachi-LG firmwares.

Utility to use:

  • BenQ: Use DosFlash
  • Toshiba-Samsung: Use DosFlash or MTKFlash
  • Hitachi-LG: Use 360 Firmware Toolbox

There are many good tutorials available that show how to flash the different drives.

Manual method

Open the INQUIRY.BIN file in Tiny Hexer, select all 6 lines (ctrl+a), and copy them (ctrl+c).

Xbox 360 lite-on tinyhexer inquiry.png

Next, open the hacked firmware and find the correct range to replace in the table below. The block starts with 0580 0032 .... The identification string is 0x60 bytes long. Mark this range and paste the Lite-On inquiry block into this selection.

BenQ

BenQ identification string is located at 0x2D5C to 0x2DBC, length 0x60 bytes.

Xbox 360 lite-on tinyhexer spoof benq.png

Toshiba-Samsung

Toshiba-Samsung identification string is located at 0x20B0 to 0x2114, length 0x60 bytes.

Xbox 360 lite-on tinyhexer spoof sam.png

Hitachi-LG

Version 32

Hitachi-LG identification string is located at 0x3D460 to 0x3D4C0, length 0x60 bytes.

Xbox 360 lite-on tinyhexer spoof hit32.png

No checksum reset.

Version 36

Hitachi-LG identification string is located at 0x3D444 to 0x3D4A4, length 0x60 bytes.

Xbox 360 lite-on tinyhexer spoof hit36.png

No checksum reset.

Version 46 and 47

Hitachi-LG identification string is located at 0x3D47C to 0x3D4DC, length 0x60 bytes.

Xbox 360 lite-on tinyhexer spoof hit46.png

Reset the checksum to 0000 0000 at location 0x3E7FC to 0x3E800.

Xbox 360 lite-on tinyhexer spoof hit46 checksum.png

Version 59

Hitachi-LG identification string is located at 0x3D498 to 0x3D4F8, length 0x60 bytes.

Xbox 360 lite-on tinyhexer spoof hit59.png

Reset the checksum to 0000 0000 at location 0x3E7FC to 0x3E800.

Xbox 360 lite-on tinyhexer spoof hit46 checksum.png

Version 78 - Key location 4B00, 4C30, and 4D20

Hitachi-LG identification string is located at 0x3CAB0 to 0x3CB10, length 0x60 bytes.

Xbox 360 lite-on tinyhexer spoof hit78.png

Reset the checksum to 0000 0000 at location 0x3E7FC to 0x3E800.

Xbox 360 lite-on tinyhexer spoof hit46 checksum.png

Version 78 - Key location 4E10

Hitachi-LG identification string is located at 0x3CB3C to 0x3CB9C, length 0x60 bytes.

Xbox 360 lite-on tinyhexer spoof hit78 4e10.png

Reset the checksum to 0000 0000 at location 0x3E7FC to 0x3E800.

Xbox 360 lite-on tinyhexer spoof hit46 checksum.png

Version 79 - Key location 4B00

Hitachi-LG identification string is located at 0x3CAB0 to 0x3CB10, length 0x60 bytes.

Xbox 360 lite-on tinyhexer spoof hit78.png

Reset the checksum to 0000 0000 at location 0x3E7FC to 0x3E800.

Xbox 360 lite-on tinyhexer spoof hit46 checksum.png

Version 79 - Key location 4E10

Hitachi-LG identification string is located at 0x3CB3C to 0x3CB9C, length 0x60 bytes.

Xbox 360 lite-on tinyhexer spoof hit78 4e10.png

Reset the checksum to 0000 0000 at location 0x3E7FC to 0x3E800.

Xbox 360 lite-on tinyhexer spoof hit46 checksum.png

The firmware should now be ready and can be flashed back to the drive.

Note: On Hitachi-LG drives, first restore the original firmware before flashing the new spoofed firmware. 360 Firmware Toolbox includes all the original Hitachi-LG firmwares.

Utility to use:

  • BenQ: Use DosFlash
  • Toshiba-Samsung: Use DosFlash or MTKFlash
  • Hitachi-LG: Use 360 Firmware Toolbox

There are many good tutorials available that show how to flash the different drives.

Summary

To summarize the entire process to a simple step-by-step guide[2]:

  1. Open up Lite-On
  2. Bridge resistor points
  3. Solder on Tx, Rx, Gnd, and 3.3v
  4. Boot up DOS
  5. Connect power to 360 and DVD drive
  6. Eject drive
  7. Pull power plug of 360 and DVD drive
  8. Close DVD drive with your hand half way
  9. Plug in 360 and power it on
  10. Plug in DVD power, and SATA cable from your computer
  11. Connect adapter to COM1-port
  12. Run dvdkey xxxx (xxxx = your sata port)
  13. Dump key and identity
  14. Spoof new Hitachi-LG/Toshiba-Samsung/BenQ DVD drive

References