XboxHacker BBS
 
May 25, 2013, 11:39:59 PM


Topic: Hitachi SS extraction - some ideas, CDB commands, SS Keys
Danny
Member
« on: June 21, 2006, 05:29:52 AM »

Hi guys.

I've been reading these forums for a while now, but never really needed to post before until now.

Just some thoughts on extracting SS keys from the Hitachi drive

I've looked at some 'certain sources' SS keys from different games. I have a Hitachi drive so that means backing up my own games is unavailable. Even if I was to get SS from certain sources they are not, in most cases, the correct SS. Different regions of PAL etc

There are 7 differences between both of the SS files. It doesn't make the job easier, but some of the hex is the same. The first part of the .BIN is the same and seems to be for all SS Xtreme keys.

I had a play last night with my Pioneer burner (yes I know that extracting SS with this would be like extracting a conversion from a fish) but I was curious to see what the CDB commands do. Would it be possible to enter certain commands in the Hitachi to get the needed SS keys? I thought that the only thing the 0800 firmware for the Samsung did was make the drive compatible/detectable within Windows. How did Commodore4ever know what commands to enter for the Samsung to extract the SS key in the first place? The commands seem so basic - all the same except for the 01, 03, 05 and 07.
 
I'm so sad now I might try talking to that fish!!

So I guess the Xtreme0800 firmware for the Samsung is custom made to work with the firmware hack, as Kev's memdump program is able to extract what appears to be the true SS but not the one compatible with the firmware.

Would it be possible to use Kev's memdump of the security sectors and make them a compatible Xtreme SS? I'm going to have a look tonight at home, though my skills at hex cracking are those of a potato chip. Does anyone else have any ideas or any success?

I'm really bummed that the Hitachi firmware does not allow us to backup our games, only play them. It seems to me that it somewhat encourages downloading of games (even if you do own them) whereas with the backing-up method, at least Hitachi owners will be able to backup their owned games.

Thanks for reading and I hope us Hitachi owners can work out some answers (or Aussie SS keys)
MacDennis
Xbox Hacker
« Reply #1 on: June 21, 2006, 11:06:45 AM »

Quote from Danny:
Would it be possible to enter certain commands in the Hitachi to get the needed SS keys.

No

Quote from Danny:
I thought that the only thing the 0800 firmware for the Samsung did was make the drive compatible/detectable within Windows. How did Commodore4ever know what commands to enter for the Samsung to extract the SS key in the first place? The commands seems so basic - all the same except for the 01, 03, 05 and 07.

I'm not sure, but he might have changed the firmware in such a fashion that it logs the challenges and responses to RAM. The commands might have been modified to dump these RAM ranges. Just a wild guess.

Quote from Danny:
So i guess the Xtreme0800 firmware for the Samsung is custom made to work with the firmware hack as Kev's memdump programs is able to extract what appears to be the true SS but not the compatible with the firmware.

Yes

Quote from Danny:
Would it be possible to use Kev's memdump of the security sectors and make them a compatible Xtreme SS. I'm going to have a look tonight at home, though my skills of hex cracking is that of a potato chip. Does anyone else have any ideas or any success?

No. The data you require isn't stored in the Hitachi RAM memory.

Quote from Danny:
I'm really bummed that the Hitachi firmware does not allow us to backup our games, only play them. It seems to me that it somewhat encourges downloading of games (even if you do own them) whereas with the backing method, at least Hitachi owners will be able to backup their owned games.

Yes, the Hitachi release only encourages piracy, correct.
Danny
Member
« Reply #2 on: June 22, 2006, 03:38:18 AM »

First I must say sorry for my lack of hex editing or hacking skill, but here goes.

Differences between NET SS and Kev Memdump SS on Hitachi

Firstly I wanted to see what the SS.BIN looked like after I extracted it using Kev’s Memdump (Seventh Son’s cool app – Hey Kev is that a reference to Maiden?). So last night I opened it up within Hex Workshop and tried a simple search. This was after I hooked up my Hitachi drive using the Connectivity Kit and Windows XP.

I entered the command C:\> memdump_win f 10200 8 8000 ram.bin - my Hitachi was the F drive.
This dumped the forbidden ranges - I had heard they are the SS but not Xtreme compatible. And of course there was a game in the drive which was Blazing Angels (PAL AUS Version). Once I had done that I opened the file in Hex Workshop and did what I only knew best - the find command.

I couldn't believe how easy it was to find the hex. They do seem to be hidden around the whole Memdump SS.BIN file that was extracted. Some things did not match up but may be due to different SS timing or different SS regions. I used a Blazing Angels PAL SS found on the net and still don't know what region it belonged to. I extracted my own SS.BIN file from my Hitachi using Kev's cool program Memdump to get the SS key. This is what I've found so far.

Xtreme Samsung NET SS
Offset 0 to 16 is E10F 3110 .... .... .... .... etc 339F which seems to be always used at the start of all Xtreme SS.BIN

Memdump Hitachi SS
The same 16 bytes hex (is that how you say it?) can be found at offset 220396 (0x00035CEC) of the Memdump SS from the Hitachi drive
 
Xtreme Samsung NET SS
Offset 258 (0x000000102) is 0030 to 696F. The last 10 double figures are always different from SS to SS. The 0030 0000 06E0 is always the same.

Memdump Hitachi SS
The same pattern can be found at offset 220654 (0x00035DEE)

Xtreme Samsung Net SS
At offset 768 (0x000000300) is 0215 0000 followed by 144 little groups of quad figures e.g. 4234 3A45 etc, Sorry I’m really up to date with hex talk. The first 0215 0000 seems to always be the same from SS to SS.

Memdump Hitachi SS
This same group is at offset 221164 (0x00035FEC)

Xtreme Samsung Net SS
At offset 1120 are 8 groups of 4 which are always different from SS to SS

Memdump Hitachi SS
Same offset is at 221516 (0x0003614C) which is 8 groups of 4 e.g. A8B3 6074 etc

Xtreme Samsung Net SS
At offset 1182 (0x00000049E) is 0400 (which is always the same) followed by 3 groups of 4 (always different) then 0100. Following that are 9 groups of 0000, then 8 groups of quad figures which always seem to be the same. To see what the differences are I used Blazing Angels and Fight Night SS and compared them to one another. Hex Workshop marks the differences in red so it’s easy to see.

Memdump Hitachi SS
The same is at offset 221578 (0x0003618A) and continues to 221622 (0x000361B6)

Now things start to heat up

Xtreme Samsung Net SS
At offset 1226 (0x0000004CA) is where the fun starts. It starts with a 01 and then after about 396 groups of quad hex the Net SS ends. Note I didn’t count all of the quad figures as who wants to do that and it was late. It seems that with the Samsung SS there are 3 sections. Each section is roughly 144 hex groups. Again I’m sorry I don’t know much about hex talk. After the first section there are 9 groups of 0000, then follows another group of hex. Then another 9 groups of 0000 leading to some more hex. The end of the Samsung SS is 9 groups of 0000. I recognize that it stops at 0800, well I can see 0000007E0 on the side of Hex Workshop and that was the same when I was using DVDInfoPro to send the custom commands to my Pioneer (yes I know, read my first post and no I still haven’t tried talking to that fish).

Memdump Hitachi SS
So up to now things had been easy. Just search for the hex string. But now things were more complex. As I am a newbie, all I knew how to do was a hex search. So I searched and found the first part at offset 221622 (0x000361B6)

Another portion was at offset 221926 (0x000362E6) which contained the whole last group of hex for the Samsung SS. The part was easy to see as it had FF FF FF FF before and after it. Some of the hex is different but that could be because of the SS timing issue or different region. I live in Australia and it can be hard to get the right region, mostly they are UK PAL and so far have wasted a few DVD+R DL. Only ones I’ve been able to backup have been Fight Night and Perfect Dark. (and now as of today Blazing Angels and Full Auto)

I haven’t been able to find the middle section as of yet. It was late that I started writing this and had to go to sleep. But the other thing that I was going to do was use my backup copy (dvd+r dl) of Perfect Dark and extract the SS from the Hitachi using ‘Memdump’ and check with the SS that I used to back it up. It should be easier to find the entire hex that way. I hope so.

There is also a couple more things I need to find. Again tomorrow I’ll try with Perfect Dark and hopefully everything will be there. I’ll also extract the SS a few times to see if the Hitachi and Memdump extracts different SS of the same game like the Samsung Xtreme firmware does.

If anybody has had success or failure already let us know. I’ve seen on another forum that someone was trying something like this, some kind of extractor Hitachi program, but it was in another language. All I could see was the sad smiley logo, though I don’t think they were checking it with hex.

So what does this mean in the end? Well I guess maybe someone could write a cool little program to grab the hex out of a Memdump Hitachi SS dump and create an Xtreme working SS. If not I’d rather cut and paste hex into a new SS that I know will work instead of wasting disc after disc with trial and error NET SS. I really can’t import a Samsung drive into the country as it was going to cost me around $400AUS.

Another thing I noticed this morning was an old topic where Seventh Son had posted some memdumps. During 8002EC00_8003A300_360_game_B.dump BIN file there seemed to be the main part of the needed SS. I guess when I extracted the ranges Memdump extracted everything that was in the drive’s RAM including those parts. Maybe we don’t need to extract the whole range. I guess once we know what ranges to use, Memdump could extract those hex needed for the compatible Xtreme SS.

Also my backup of Blazing Angels with the Net SS worked no worries. Doesn’t mean much except that it worked – the SS was PAL, so I guess AUS Blazing Angels doesn’t have its own AUS PAL SS. Note if the Hitachi is able to extract the SS using Memdump it will be good for everyone not just us Aussies. I’ve seen different SS for different parts of the PAL world like Spain, Italy, and Germany. At least if the burn doesn’t work it’s your burning media or burner not the SS that was found on the Net.

I should add how I got the SS from the Hitachi. It would not be possible without Kev’s program Memdump. All of the details can be found from Kev site which is http://www.kev.nu/360/dvd.html or here for the short version http://www.kev.nu/360/dvdshort.html

Quote from Kev.nu site

Dumping the 'forbidden RAM ranges' 0x8002EC00-0x80037300 and 0x8003A000-0x8003A300
It turns out that these ranges contain very interesting information. Again, the security measures to prevent software dumping of these ranges were a total failure. Use the following commands to dump the entire contents of RAM, the 'forbidden' regions are at offsets 0x2EC00-0x37300 and 0x3A000-0x3A300 in the final dump.

Linux example:
$ ./memdump /dev/hdc 10200 8 8000 ./ram.bin

Windows example:
C:\> memdump_win e 10200 8 8000 ram.bin


I’ve read that these ‘forbidden RAM ranges’ are the SS key, but at present are not compatible with the Xtreme firmware. I'll have a look tonight and see if anything can be found. Again I'm a newbie to this hacking scene.
Tiros
Master Hacker
« Reply #3 on: June 22, 2006, 09:41:06 AM »

Danny,
You could have saved yourself a lot of typing if you had just read Mcd's reply to your post!
You ain't fixin' this problem with a hex editor

Quote from MacDennis:
No. The data you required isn't stored in the Hitachi RAM memory.
SeventhSon
Global Moderator
Master Hacker
« Reply #4 on: June 22, 2006, 10:02:54 AM »

Quote from Danny:
(Seventh Son’s cool app – Hey Kev is that a reference to Maiden? Cool).

It is :)

Because you appear to be a Maiden fan I like you, so let me try to explain.

The Xtreme FW SSs contain a small table of response values. This small table contains hard coded response values for the console's challenges that require data from the disc or to do with the disc (some of this data is disc seek/read timing data). These values can only be obtained by observing the C/R exchange in real time between the console and DVD drive containing the original disc.

Search for a thread by Robinsod called "The Challenge/Response protocol" for more info.

You'd need a patched Hitachi FW that would capture these values in realtime (or possibly calculate them using the code already in the drive) and write them into the correct location within the SS in RAM. Then you could dump the SS with memdump.

I'm assuming there's nothing else to an Xtreme SS. There may well be because I've never looked into it.
« Last Edit: June 22, 2006, 10:27:50 AM by SeventhSon »
Danny
Member
« Reply #5 on: June 23, 2006, 05:01:03 AM »

Thanks guys for the response. Even though I might not be fixing everything with hex editing, I was able to find most of what an Xtreme SS has by dumping the 'forbidden ranges' using Seventh Son's Memdump. Most of the information is there, though one section wasn't found, or it might be but differences in response time of the Samsung may be the cause of not finding it. Or, as Seventh Son posts above, the Challenge Response protocol. I'm going to search for the thread after I post this.

I can understand that the firmware would not allow a ready made compatible SS, but maybe by looking for it from a memdump of an original disc I could cut and paste in a hex editor the right commands (or response) needed for an Xtreme SS and its firmware. I'd rather extract a memdump .bin from an original game and cut strings out and paste into a small 2KB file, so it would be correct for Commodore4ever firmware. Very hard to get Aussie SS keys at present.

I spent most of last night looking through the Hitachi extracted SS. I compared a Samsung SS to the Memdump SS and found most of it except for a small amount of bytes at offset 246 to 512. Everything else I've been able to find. The memdump program does a great job of extracting everything. I even found that at offset 244413 (0x0003BABD) it shows the media that was used to backup the game (yes I did original 360 games and backup copy game memdumps 3 times each to see any differences in the response timing issue) if you extract the forbidden ranges on a DVD+R DL copy. Mine showed 0052 4954 454B (RITEK) he he he cool. Also saw the difference that a DVD movie and xbox360 game has at offset 8002EC00 to 8003A300 (yeah I checked out your zip file Seventh Son 'Hitachi L47 memory dumps' - if you like Joe Satriani I guess you might be a fan of Dream Theater, I wish they would tour Australia). I noticed that the Xtreme backups have a totally different tag as well than 360 games and DVD movies. Pretty interesting.

It was interesting to see how the hex worked and the differences between the backup Xtreme SS (both extracting with the Hitachi and Samsung SS) and the original copies. It was fun. Also some of the difference between NTSC and PAL wasn't much, a few bytes here and there, and some times it was huge amounts of differences.

Also saw that the last section of the Xtreme Samsung SS key is repeated twice at offset 1633 to 1822 and at offset 1840 to 2048. Most of it can be found on an original copy extracted using Memdump, though only 2 cases were not able to be found. One case I used what I believe to be correct, and one I have no idea about. It was hard as I had no real Aussie PAL SS to check.

Though now I've just heard that Commodore4ever will be releasing Hitachi Xtreme0800 firmware so that we can extract the SS, so really I can stop and relax until he's done it. Now I'm happy as now I can back up my games. Thanks again guys and thanks for the response Seventh Son - I enjoyed your website very much and your programs as well. My only hope is that 1. The SS extraction firmware is released soon and 2. Iron Maiden tour Australia LOL. Thanks again guys. Up the Irons!!!

This is what I found. I wasn't going to post this (due to Xtreme0800 Hitachi firmware coming soon) but what the hey. Maybe someone might find a use of it, some people may not want to flash and reflash their drives.

Samsung Xtreme SS
0 to 16 bytes are always the same from Xtreme SS to Xtreme SS
Hitachi Memdump
0x00035CEC to 0x00035CFC

Samsung Xtreme SS
258 to 264 always the same from SS to SS (Xtreme)
Hitachi Memdump
0x00035DEE to 0x00035DF4

Samsung Xtreme SS
264 to 284 always different. But sometimes no difference between PAL and NTSC regions of same game
Hitachi Memdump
0x00035DF4 to 0x00035E08

Samsung Xtreme SS
246 to 512 - This was the main thing I couldn't work out. Seems to be made up of 3 little sections though. Different regions of some game are sometimes different. My guess is maybe region based or Samsung Xtreme timing. I burnt a DVD+R DL of Ghost Recon with this section all FFFF just to see how the 360 would react. Booted up to 'this belongs in a 360 console' Bummer.
Hitachi Memdump
This is the only thing I couldn't find. It seems to be either timing response or region. I'd checked PAL to NTSC and with this section the differences can be of a few bytes

Samsung Xtreme SS
720 to 724
Hitachi Memdump
0x00035CE7 to 0x00035CEB

Samsung Xtreme SS
768 to 1024
Hitachi Memdump
0x00035FEC to 0x000360EC

Samsung Xtreme SS
1120 to 1136
Hitachi Memdump
0x0003614C to 0x0003615C

Samsung Xtreme SS
1182 to 1192
Hitachi Memdump
0x0003618A to 0x00036194

Samsung Xtreme SS
1210 to 1226 always the same from SS to SS (Xtreme)
Hitachi Memdump
0x000361A6 to 0x000361B6

This next section was a little pain. But this is what I found.
Samsung Xtreme SS (XSS)
1226 to 2048 - End of Xtreme SS
Hitachi Memdump
1st part starts at 0x000361B6 to 0x000362E6 (XSS 1226 to 1530)
2nd part starts at 0x000362E6 to 0x0003634D (XSS 1530 to 1633)
3rd part starts at 0x00036E00 to 0x00036ECE (XSS 1633 to 1822)
4th part starts at 0x00036E00 to 0x00036ECE (XSS 1840 to 2048) Yes it's used twice. You will also need to add 0000 to the end to make it Xtreme-like. The only part that was different is the 2nd part. But even when I checked with different region SS of the same PAL game this was the only difference. All of the other parts were the same. Maybe it's the timing response from the Samsung. Once you look at the Xtreme SS it would be fairly easy to make your own from the extracted forbidden ranges using Memdump and the Hitachi drive. I just needed that section from 246 to 512. There are other little things that I noticed but I guess you may already be bored with what I have written, especially all you master hackers out there, but I'm learning and thought I'd have a crack.

Have fun guys
MacDennis
Xbox Hacker
« Reply #6 on: June 23, 2006, 06:50:44 AM »

I think some clarifications are needed.

The FULL raw original SS (security sector) can be found in the Hitachi RAM memory at 0x00035CE0. The header is 12 bytes long, that's why the normal sector data starts at 0x00035CEC. When I'm talking about offsets, offset 0x0000 = 0x00035CEC

The first 16 bytes are nothing special, they are a copy of the physical format data sector with some minor changes. These bytes also contain the game partition PSN start / end range and layerbreak. They are the same on each disc and are required for the drive to function properly.

The Xtreme SS is a replica of the original SS but with some custom changes made by C4E, I will mention the changes briefly.

The data at 0x200 contains a simple table with all challenges and responses for each CID (challenge ID / entry).
First 4 bytes for the challenge, then 4 bytes for the response and 1 byte is zero, probably the response modifier. This data repeats a couple of times.
This is the data which can NOT be extracted from the Hitachi drive without a custom made firmware.

The CPR_MAI challenge key has been relocated to offset 0x2D0.

At offset 0x661 and 0x730 you will find another table. This table contains the plaintext (descrambled) *drive* challenge/response table.
In the original firmware these offsets contain a scrambled table which is normally descrambled by the drive using the CPR_MAI challenge key.

This is all we currently know about the security sector. The first 0x600 or so bytes are returned to the console and also contain the *host* version of the challenge/response table. But this data is encrypted/signed just like on the xbox1. It's not known how to descramble this table; this was actually possible on the xbox1.

The function of any other data / offsets is simply unknown.
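As an added example (not code from this thread, Kev.nu or the firmware authors), the following Python checks the two descriptions against each other: MacDennis's base (SS header at 0x35CE0, 12-byte header, so SS offset 0x0000 is RAM offset 0x35CEC) and Danny's memdump-to-Xtreme-SS offset list from reply #5, and it walks the 4+4+1 byte challenge/response table MacDennis places at 0x200 over a constructed ram.bin. The entry count, the table terminator, the header bytes and every C/R value are assumptions made up for the demo; only the offsets come from the posts.

```python
# Added example, not from the thread. Applies MacDennis's SS layout and
# Danny's offset list to a constructed ram.bin image.
SS_HEADER_RAM = 0x35CE0                      # MacDennis: raw SS header in the dump
SS_HEADER_LEN = 12
SS_DATA_RAM = SS_HEADER_RAM + SS_HEADER_LEN  # 0x35CEC == SS offset 0x0000
SS_SIZE = 2048                               # length of the Xtreme SS files Danny compares
CR_TABLE_OFF = 0x200                         # MacDennis: challenge/response table
CR_ENTRY_LEN = 4 + 4 + 1                     # challenge, response, zero byte
# Kev.nu: the 'forbidden' RAM ranges as offsets into ram.bin
FORBIDDEN_RANGES = ((0x2EC00, 0x37300), (0x3A000, 0x3A300))

# Danny's reply #5, memdump offset -> Samsung Xtreme SS offset (start of each
# region). His 720-724 entry (0x35CE7) falls inside the 12-byte header and is
# left out. Note 1633 == 0x661, the table offset MacDennis names.
DANNY_MAP = {0x35CEC: 0, 0x35DEE: 258, 0x35FEC: 768, 0x3614C: 1120,
             0x3618A: 1182, 0x361B6: 1226, 0x362E6: 1530, 0x3634D: 1633}


def ram_to_ss_offset(ram_off):
    """Translate an offset in ram.bin to an offset inside the raw SS."""
    return ram_off - SS_DATA_RAM


def in_forbidden_range(ram_off):
    """True if the ram.bin offset lies inside one of Kev's forbidden ranges."""
    return any(lo <= ram_off < hi for lo, hi in FORBIDDEN_RANGES)


def check_danny_offsets():
    """Every offset Danny lists should be exactly base + Xtreme SS offset."""
    return all(ram_to_ss_offset(r) == s for r, s in DANNY_MAP.items())


def extract_raw_ss(ram):
    """Cut the 2048-byte raw SS (header stripped) out of a ram.bin image."""
    if len(ram) < SS_DATA_RAM + SS_SIZE:
        raise ValueError("dump too short to contain the SS")
    return bytes(ram[SS_DATA_RAM:SS_DATA_RAM + SS_SIZE])


def parse_cr_table(ss):
    """Walk 9-byte entries from 0x200; stop at an all-zero challenge or a
    non-zero pad byte (both assumptions about how the table ends)."""
    entries = []
    off = CR_TABLE_OFF
    while off + CR_ENTRY_LEN <= len(ss):
        chal, resp, pad = ss[off:off + 4], ss[off + 4:off + 8], ss[off + 8]
        if pad != 0 or chal == b"\x00" * 4:
            break
        entries.append((chal.hex(), resp.hex()))
        off += CR_ENTRY_LEN
    return entries


def build_sample_ram():
    """Constructed ram.bin: zeros, a fake 12-byte header and an SS carrying
    two made-up C/R entries. Not a real dump."""
    ram = bytearray(0x3A300)
    ram[SS_HEADER_RAM:SS_DATA_RAM] = b"SS-HDR-DEMO!"        # exactly 12 bytes
    ss = bytearray(SS_SIZE)
    ss[0:4] = bytes.fromhex("e10f3110")                     # Danny's leading bytes
    ss[CR_TABLE_OFF:CR_TABLE_OFF + 18] = bytes.fromhex(
        "01020304" "0a0b0c0d" "00" "11121314" "1a1b1c1d" "00")
    ram[SS_DATA_RAM:SS_DATA_RAM + SS_SIZE] = ss
    return bytes(ram)


if __name__ == "__main__":
    ss = extract_raw_ss(build_sample_ram())
    print(check_danny_offsets(), in_forbidden_range(SS_DATA_RAM), parse_cr_table(ss))
```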
Danny
Member
« Reply #7 on: June 25, 2006, 01:10:01 AM »

Quote from MacDennis:
The Xtreme SS is a replica of the original SS but with some custom changes made by C4E, I will mention the changes briefly.

The data at 0x200 contains a simple table with all challenges and responses for each CID (challenge ID / entry).
First 4 bytes for the challenge, then 4 bytes for the response and 1 byte is zero, probably the response modifier. This data repeats a couple of times.
This is the data which can NOT be extracted from the Hitachi drive without a custom made firmware.

Thanks MacDennis all that makes a lot of sense. That's why I couldn't find the data at 0x200 as it was the Challenge/ Response of the Xtreme firmware. I did notice the 4 bytes for the challenge, then another 4 bytes for the response and the 1 byte which was always the same on all Xtreme SS Bin. Thanks guys that does make a lot of sense.

Thanks Seventh Son, I had a look at the Challenge Response thread. Man that was some interesting stuff. The amount of detail that goes into a machine such as the 360 and the complex coding. I guess Microsoft and other gaming companies are learning from their past mistakes. If the PS3 is non-region I wonder if that means mod chips will be illegal, since one reason why mod chips exist is so we can play imported games. But if a console is non-region then there will be no need for mod chips. Unless you live in countries that allow you to make backups of your purchased games. In Australia we are not allowed, but mod chips are fine due to people wanting to import games from overseas as it can be cheaper.

I wonder if gaming companies will make it so you have to be connected to their servers to be able to play their games in the future.