Xbox 360 Hacks

From ivc wiki
Revision as of 14:19, 14 June 2006 by Ivc (talk | contribs)

It's now possible to hack the Xbox 360 to make it read regular DVD writable discs.

Requirements

  • Screwdrivers
  • Plastic stick
  • S-ATA cable
  • Compatible S-ATA controller card or on-board chipset
  • DOS boot disk or hard drive
  • Windows XP
  • Mtkflash, KDX and hacked firmwares
  • Xbox 360 console near a computer
  • ..or Xecuter power adapter


Drives and firmwares

There are currently two different DVD drives for the Xbox 360: Toshiba-Samsung and Hitachi-LG. Each requires its own hacked firmware.

The first proof of a hacked firmware was actually for the Hitachi-LG and is credited to the_specialist at xboxhacker.net. But the first publicly available hacked firmware was for the Toshiba-Samsung; the Hitachi-LG firmware was released under a month afterwards. These firmwares were hacked and released by commodore4eva.

You can find out which DVD drive model you have by looking at the tray: if there are many holes and cracks it's a Hitachi-LG, otherwise it's a Toshiba-Samsung.


Disassemble

It's quite hard to disassemble the 360. As Microsoft officially said, there are no screws and there was supposedly no way to open it. You first have to remove the faceplate, untuck a few tabs, use a plastic stick to untuck the tabs on the back and lift the top case off the console. There is no need to remove the black screws on the bottom of the machine if you only want to remove the DVD drive.


Dump firmware

In order to flash the hacked firmware, you first have to dump the current firmware. Every single DVD drive has a unique key that is chained together with the rest of the console. You cannot exchange the drive with one from another console; it will only give you error messages if you try.

To dump the firmware, you have to boot into DOS and use a utility called mtkflash.exe to read the flash chip to a file. You can use a floppy, pendrive or hard drive to do this. That's not covered here.

  1. Make sure the SATA setting in the BIOS is set to NATIVE/ID and not SATA-Raid
  2. Plug the SATA cable into the back of the DVD drive and connect it to the computer's SATA connector
  3. Boot the computer into DOS using a floppy, hard drive or pendrive
  4. Start the Xbox 360 with the DVD power cable still connected and the video cable plugged in (it does not need to be connected to the TV)
  5. Wait 20 seconds for the Xbox 360 to initialize
  6. Execute this command: mtkflash.exe r /SATA /m orig.bin
  7. Wait a few moments while it's dumping the firmware

If your SATA controller/chipset is not recognized, read about hexediting here.

Patch firmware

Once you have dumped the firmware, turn off the Xbox 360, boot into Windows XP and start KDX (KeydriveX) by foros. This application will load your dumped firmware and read the key. Copy this key, open the hacked firmware, and paste the key into the DVD Key field to replace the 00's or FF's. Save the firmware as patchorg.bin (8+3 characters for DOS).


Write firmware

When you've patched your DVD drive key onto the hacked firmware, boot into DOS again and use mtkflash.exe to write the new firmware to the DVD drive firmware chip.

Follow the same procedure as when you dumped the firmware, mentioned above.

  • Execute mtkflash.exe w /SATA /m patchorg.bin


Backup games

First of all, you have to realise that you need DVD+-R Dual Layer media and a burner that is able to set the so-called booktype to DVD-ROM. This is also known as bitsetting. Most NEC and BenQ drives allow you to set the bitsetting for dual layer burns.

There are two ways to create a backup:

  • Use a generic PC DVD drive
  • Use the Xbox 360 DVD drive

Generic PC DVD drive (easiest)

Requirements:

  • DVD drive - one you can disassemble
    • Known to work: Shrek, Saving Private Ryan, 24 S2D3
  • Movie DVD disc around 8 GB - larger than Xbox 360 games
  • wxRipper - dump game data
  • Enough hard drive space - to save 15 GB of data

You have to open/disassemble the DVD drive because you are going to swap the movie DVD with an Xbox 360 game disc without ejecting the disc. Also, you cannot get the required security-sector file using this method. A matching SS file could be found online though, more below.

The reason for this is that the TOC (table of contents) size of the movie DVD exceeds the size of any Xbox 360 game, so we can do a normal, straightforward dump of the disc; this bypasses the disc security added by Microsoft. Ejecting the disc would reset the TOC, and after an eject the normally accessible TOC (the Video DVD part) of any Xbox 360 game is only a few megabytes.

Preparing

You need to have external access to the DVD drive. Make enough room around the computer and make sure nothing can damage the computer or the DVD drive while you're dumping the game. The drive can be USB connected as long as it works with Windows.

Remove the top case shield of the DVD drive by removing the screws that hold it together. When you have the top loose, take a look at it and notice the round plastic piece with a metallic ring in it that normally holds the DVD disc down when it's spinning. You need to somehow, without damaging it, remove it from the top shield. You need this piece before you can proceed. Another way is to just put the top shield back on when necessary, if that's possible.

Swapping disc

With the piece in hand, connect the DVD drive externally to the computer and boot Windows.

Warning: Do not look at the laser when the computer is powered on.

Start wxRipper. Now eject the drive as normal, place the movie DVD in the tray, press the eject button and, immediately when the tray has stopped retracting, put the plastic piece with the metallic ring on top of the disc where the spin-motor is popping up from beneath. The disc is now secure and ready to be spun up by the system.

When the disc has spun up and is recognized, press the "Stop"-button or select "Stop" from the Hotswap-menu. For USB drives, you have to wait 2 minutes for it to shut down normally as the stop command does not work over USB.

When the movie dvd has spun down, without touching the eject button, remove the disc and swap it with the Xbox 360 Game DVD you want to dump. Press the "Play"-button or select "Play" from the menu. Wait a few moments for it to be recognized. Then press the "Find"-button or select "Find magic number" from the menu. A list of seven "Copy", "Dummy" and "Jump" actions will appear.

The disc is now ready to be dumped. Press the green button or select the "Start dump" option from the menu. Save the iso-file as gamename_videomode.iso, e.g. halo2_pal.iso.

This iso-file is now ready, but you still need the security-sector file that is needed in the combining step below. You can either extract this using the Xbox 360 DVD drive or find it online.


Xbox 360 DVD drive

Requirements:

  • TS drive only: flash drive with xtrm0800.bin firmware - to make it show in Windows
  • DVDInfoPro - send commands to drive and create security-sector file
  • ISOBuster - dump game data

After you've flashed the drive with the game-dump-firmware (xtrm0800.bin), the drive should appear as a normal DVD drive in Windows and you can send custom commands to it using DVDInfoPro. You first send 4 consecutive commands to extract the security-sectors and then send one last command to tell the drive to get ready to dump the game data. ISOBuster is used to dump the content of the disc.

The extracted security-sectors file will be combined with the game data and burned to the second layer of the dual layer disc later on. That's where the Xbox 360 system expects them to exist.


Save security-sector

To start off, open DVDInfoPro and select the Xbox 360 DVD drive in the lower-left dropdown-menu. In the lower-right dropdown-menu select "Send Custom Command" under the "MMC Commands" header. Read the warning message that appears and click "I Agree". A window will slide out on the right side and show you 12 fields starting with the name CDB. Fill in two characters in each of those fields from the list below, one line at a time. Press "Send" between each line.

AD 00 FF 02 FD FF FE 00 08 00 01 C0
AD 00 FF 02 FD FF FE 00 08 00 03 C0
AD 00 FF 02 FD FF FE 00 08 00 05 C0
AD 00 FF 02 FD FF FE 00 08 00 07 C0

You will notice that only the second to last field is different (CDB 10).
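
The four lines above start with opcode AD, which in the standard MMC command set is the 12-byte READ DISC STRUCTURE command. As an added example (not part of the original page), this Python code splits each line into the fields of that standard layout and confirms which byte changes between commands; the field names come from the MMC layout, and how the drive firmware interprets these particular values is not stated on the page.

```python
from dataclasses import dataclass

# The four command lines exactly as listed on the page.
PAGE_CDBS = [
    "AD 00 FF 02 FD FF FE 00 08 00 01 C0",
    "AD 00 FF 02 FD FF FE 00 08 00 03 C0",
    "AD 00 FF 02 FD FF FE 00 08 00 05 C0",
    "AD 00 FF 02 FD FF FE 00 08 00 07 C0",
]

@dataclass(frozen=True)
class ReadDiscStructure:
    opcode: int      # CDB 0
    address: int     # CDB 2-5, big-endian
    layer: int       # CDB 6
    fmt: int         # CDB 7, format code
    alloc_len: int   # CDB 8-9, big-endian, bytes the host will accept
    byte10: int      # CDB 10 (AGID in the top two bits, rest reserved)
    control: int     # CDB 11

def parse_cdb(text):
    """Parse a space-separated hex line into READ DISC STRUCTURE fields."""
    raw = bytes.fromhex(text)
    if len(raw) != 12:
        raise ValueError(f"expected 12 CDB bytes, got {len(raw)}")
    if raw[0] != 0xAD:
        raise ValueError(f"opcode {raw[0]:#04x} is not READ DISC STRUCTURE")
    # CDB 1 is not decoded here; it is 00 in every line on the page.
    return ReadDiscStructure(
        opcode=raw[0],
        address=int.from_bytes(raw[2:6], "big"),
        layer=raw[6],
        fmt=raw[7],
        alloc_len=int.from_bytes(raw[8:10], "big"),
        byte10=raw[10],
        control=raw[11],
    )

def differing_offsets(cdb_texts):
    """Return the CDB byte offsets that are not identical in every command."""
    rows = [bytes.fromhex(t) for t in cdb_texts]
    return [i for i in range(12) if len({r[i] for r in rows}) > 1]

if __name__ == "__main__":
    for line in PAGE_CDBS:
        print(parse_cdb(line))
    print("offsets that vary:", differing_offsets(PAGE_CDBS))
```

Each command asks for 2048 bytes (allocation length 08 00), and the only offset that varies is CDB 10.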

When you have executed all four lines, switch to the main window with the DVDInfoPro logo and buttons with CD icons on the top. Press the right-most button, marked with a document and a pencil; it's named "Saves Hexadecimal display as a binary file". Save the file as gamename_videomode_ss.bin, e.g. halo2_pal_ss.bin.

Dump game data

When you've saved the security-sector, switch over to the small slide-out window again and enter this command to allow dumping of the game data.

FF 08 01 01 00 00 00 00 00 00

Now open IsoBuster and select the Xbox 360 DVD drive in the top-left dropdown-menu. Right-click on the top drive-icon named something like DVD-R DL and select "Extract From-To". In the window that opens enter 0 in the "Start Address"-field and 3567872 in the "Length"-field. Select the first "User Data - 2048 bytes/block" option in the "Extraction Type"-setting below. Click "Start Extraction" and save the game data as gamename_videomode.iso, e.g. halo2_pal.iso.

If you receive any errors during the extraction select "Fill with blank zeros" and check the "Use this for all errors".

Combining ss and game data

Before you can burn the iso-file, you need to combine the security-sectors file and the game data iso. You need Xbox360 SS Merger for this.

Start the program and under the "ISO File"-header, press the browse button on the right. Select the game data iso file you created with IsoBuster. The program should automatically detect which method you used to create the iso-file and fill in the correct security-sector offset further down. Next, under the "SS File"-header, click browse and select the correct security-sector file for the game iso you selected above.

When everything is set, click the big "Merge and create layer break file"-button. Xbox360 SS Merger will patch the iso-file you selected and create a small new text file with a .dvd extension, which guides the DVD writer program you're going to use in making the appropriate break between the layers.


Burning game backup

Requirements:

  • DVD burner with DL bitsetting
  • DVD+-R Dual Layer media (8.5 GB)
  • CloneCD (recommended) - dvd writing
  • ..or DVD Decryptor - dvd writing
  • Nero CD-DVD Speed - to change bitsetting

If you've finally combined the security-sector file and game data iso-file, you need a rather new DVD burner and good DVD Dual Layer media before you can burn the game backup.

The reason you need a rather new DVD burner is that the hacked firmware works by masquerading the mediaflag to the Xbox 360 system, so the burner has to support DVD-ROM bitsetting/mediaflag. Normally Xbox 360 games have a mediaflag of Xbox360Game, and normal DVD+-R discs have a mediaflag of DVD-R or DVD+R (after bitsetting it's DVD-ROM instead). When the Xbox 360 system asks what kind of disc is in the tray, the hacked firmware tells the system that normal DVD+-R discs are Xbox360Game discs, when in reality they are just DVD+-R backup discs of Xbox 360 games with the bitsetting set to DVD-ROM.

To check if your DVD burner has bitsetting support, open the latest CD-DVD Speed and the "Extra"-menu and then "Bitsetting". The first two options (DVD+R, DVD+RW) might be greyed out and disabled, but the third and important (DVD+R DL) setting should be enabled. It should be set to DVD-ROM book type, set the others to DVD-ROM if possible. Click "Refresh" to verify.

To burn the final iso-file use either CloneCD or DVD Decryptor. Many people have had success by setting the burning speed to 2.4x. When finished make sure the Xbox 360 DVD drive is flashed with the normal hacked firmware and reassemble the console to check if the new backup disc is working.

Happy gaming. :)

