spectrum4eva
« on: June 26, 2006, 01:54:37 AM »
f900 firmware for 3120L
This firmware lets you extract Xbox360 Security Sectors from the 3120L version 47.
link:
The usage is very simple:
getss.exe drive ss.bin
drive -> is the letter of your 3120L DVD drive
ss.bin -> is the generated SS file
The generated SS are compatible with my friend commodore4eva's xtreme firmware.
I only release this tool because you CAN'T SHARE THE SS, THEY ARE COPYRIGHTED.
To apply this patch use ppf-o-matic over your file.
To flash your drive you need to flash the following areas:
9003e000 -> master checksum
90024000 -> enable modeA
90027000 -> main patch
NOTE: this tool only runs on XP/W2K
spectrum4eva
Thanks to all hackers here, and especially to the guy that tested this firmware for a lot of hours.
« Last Edit: June 26, 2006, 02:12:53 AM by stonersmurf »

geebee
« Reply #1 on: June 26, 2006, 03:03:28 AM »
Great work "spectrum4eva" (who IS that masked man?)
to apply this patch use ppf-o-matic over your file.
To confirm, that means patching a copy of your original fw, then flashing it. Then, like the Samsung, reflashing with the v47 fw to play?
Remember you're a Womble

undertoe
« Reply #2 on: June 26, 2006, 03:21:15 AM »
Great work, I'm new to this. What's the procedure to dump the game files to an ISO for use with the extracted SS?

SeventhSon
« Reply #3 on: June 26, 2006, 03:30:39 AM »
Great work, I'm new to this. What's the procedure to dump the game files to an ISO for use with the extracted SS?
Read the forums.

geebee
« Reply #4 on: June 26, 2006, 03:33:20 AM »
well to me it looks like:
reflash your orig.bin to the hitachi
apply ppf to orig.bin
firmcrypt the patched fw
flash it with flashsec (those mentioned sectors only)
extract the ss
reflash c4e's v47 fw
« Last Edit: June 26, 2006, 04:02:33 AM by geebee »

TSS
« Reply #5 on: June 26, 2006, 04:52:49 AM »
That's great news, congratulations for that mate, excellent ...
Will you port it to the other Hitachi firmware versions, too?

fugsi
« Reply #6 on: June 26, 2006, 04:57:29 AM »
Is there going to be a guide for this?
So I need to use restore.bin from commodore4eva.
How do I upload orig.bin to the Hitachi?
Apply the ppf file and flash the drive again!!!

talaash
« Reply #7 on: June 26, 2006, 05:00:08 AM »
well to me it looks like:
reflash your orig.bin to the hitachi
apply ppf to orig.bin
firmcrypt the patched fw
flash it with flashsec (those mentioned sectors only)
extract the ss
reflash c4e's v47 fw
Does this mean each time you want an ss you have to do this? Sorry I am a noob, just that since you say extract ss before applying c4e's firmware, my small brain has led me to believe that it needs to be done for each game.

geebee
« Reply #8 on: June 26, 2006, 05:02:12 AM »
Ok the f900 release LOOKS simple to do, but a bit of thought shows it has some tricky points: (thanks stonersmurf)
The checksums are good so it was made by someone who knows their stuff :-)
Here's what I have put together so far: needs testing!

The reason we go BACK to orig.bin twice is to make sure the new code at 90024000 is overwritten. If someone (S4E? garyopa?) can show that code is harmless, then we can simplify this.

Extracting the SS with a v47 Hitachi:

Tools needed:
hitachi_47_f900 package
ppf-o-matic
firmcrypt
flashsec_47
edited restore.bat (see below) or: http://www.bestsharing.com/files/ms00171641/restf900.bat.html

Make the f900 firmware (you only need to do this ONCE):
1. Using ppf-o-matic, patch a copy of your orig.bin.
2. Using firmcrypt, encrypt the patched firmware
C:/>firmcrypt e orig.bin f900.bin

Flash the f900 firmware:
This presumes you have v47 c4e's fw on your drive to start. If your drive is still running original firmware, skip to step 2.
1. Run restore.bat (original or restf900) to flash your original firmware back to the 360
2. Flash the patched firmware to the Hitachi
C:/>flashsec47_win driveletter f900.bin 9003e000 1000
C:/>flashsec47_win driveletter f900.bin 90024000 1000
C:/>flashsec47_win driveletter f900.bin 90027000 1000

Extract the SS:
1. Extract the SS
C:/>getss.exe driveletter ss.bin

Reflash the v47 fw:
1. Run restf900.bat to flash your original firmware back to the 360
2. Run xtreme.bat to flash your hacked v47 fw firmware back to the 360

Editing restore.bat:
1. Open restore.bat in notepad.
2. After:
@echo Flashing sector 90003000 (Custom Code)...
@echo.
flashsec47_win %1 orig-e.bin 90003000 1000
pause
Insert:
@echo Flashing sector 90024000 (Extra Custom Code)...
@echo.
flashsec47_win %1 orig-e.bin 90024000 1000
pause
« Last Edit: June 26, 2006, 05:15:10 AM by geebee »

talaash
« Reply #9 on: June 26, 2006, 05:13:06 AM »
Ok the f900 release LOOKS simple to do, but a bit of thought shows it has some tricky points: (thanks stonersmurf)
The checksums are good so it was made by someone who knows their stuff :-)
Here's what I have put together so far: needs testing!
geebee, as you have mentioned that it needs testing, will you let us know when you are satisfied with it? Or is it safe enough to try out? Thanks for your assistance.

skEwb
« Reply #10 on: June 26, 2006, 05:46:52 AM »
It would be cool to have rev 1.1 of this, that boots backups and reads ss at the same time so you don't need to reflash all the time. s4e and c4e should get together...

geebee
« Reply #11 on: June 26, 2006, 05:56:35 AM »
Ok the f900 release LOOKS simple to do, but a bit of thought shows it has some tricky points: (thanks stonersmurf)
The checksums are good so it was made by someone who knows their stuff :-)
Here's what I have put together so far: needs testing!
geebee, as you have mentioned that it needs testing, will you let us know when you are satisfied with it? Or is it safe enough to try out? Thanks for your assistance.
It looks ok to me... but what do I know? Give it a try! Just don't turn the 360 off if it doesn't work and reflash your orig.bin

SharkUW
« Reply #12 on: June 26, 2006, 06:40:53 AM »
Has anybody tested that this is safe to do yet? Actually, my question is, why can't the 'main patch' sector 90027000 coexist with the regular xtreme firmware's?
« Last Edit: June 26, 2006, 06:46:45 AM by SharkUW »

Flash78
« Reply #13 on: June 26, 2006, 06:53:29 AM »
This is a firmware verifier. It's good for identifying an original firmware and mods. I need to update the program to detect new firmwares.
Link
Syntax: Keygen [-d]
Options: -d (Show CRC DATA)
« Last Edit: June 26, 2006, 06:57:30 AM by Flash78 »

Geremia
« Reply #14 on: June 26, 2006, 07:39:54 AM »
Geebee, have you tested? I suppose not, and you don't even think about testing.
Well, I've tested.
It seems the ppf patch has to be applied to an encrypted fw (the orig.bin is unencrypted), at least it seems so looking at address 3E7FC, the checksum area. If you patch an encrypted fw, the checksum area will be 00 00 00 00, and this is ok.
I've not tested the functionality of this fw, because now I have to desolder the TSOP flash and burn it externally, no problem in this.

geebee
« Reply #15 on: June 26, 2006, 07:53:57 AM »
Geebee, have you tested? I suppose not, and you don't even think about testing.
Well, I've tested.
It seems the ppf patch has to be applied to an encrypted fw (the orig.bin is unencrypted), at least it seems so looking at address 3E7FC, the checksum area. If you patch an encrypted fw, the checksum area will be 00 00 00 00, and this is ok.
I've not tested the functionality of this fw, because now I have to desolder the TSOP flash and burn it externally, no problem in this.
I can't test, I don't have my Hitachi here. So are you saying we need to firmcrypt the orig.bin then apply the ppf?

Geremia
« Reply #16 on: June 26, 2006, 08:02:33 AM »
Geebee, have you tested? I suppose not, and you don't even think about testing.
Well, I've tested.
It seems the ppf patch has to be applied to an encrypted fw (the orig.bin is unencrypted), at least it seems so looking at address 3E7FC, the checksum area. If you patch an encrypted fw, the checksum area will be 00 00 00 00, and this is ok.
I've not tested the functionality of this fw, because now I have to desolder the TSOP flash and burn it externally, no problem in this.
I can't test, I don't have my Hitachi here. So are you saying we need to firmcrypt the orig.bin then apply the ppf?
I'm saying, just test yourself, then write technical info, not copy and paste what you heard somewhere by someone. I've patched the encrypted and the unencrypted original, then compared with the xtreme fw at address 3E7FC. Just take a look yourself.

geebee
« Reply #17 on: June 26, 2006, 08:16:07 AM »
I HAVE NOT copied and pasted anything.
I am trying to figure out how to use the f900 correctly so I can document it clearly to avoid n00bs bricking boxes.
I am not technical and make no pretenses to be so. I just document.
So what is wrong with the details I posted? Help me get it right lol.
At address 3E7FC in both encrypted and unencrypted patched orig.bin : 66 64 60 F7

SeventhSon
« Reply #18 on: June 26, 2006, 08:33:04 AM »
Yep. Geremia is right.
Looks like the patch needs to be applied to an obfuscated FW. The code changes are gibberish when the patch is applied to a cleartext FW image.
« Last Edit: June 26, 2006, 08:35:30 AM by SeventhSon »

Geremia
« Reply #19 on: June 26, 2006, 08:54:57 AM »
I HAVE NOT copied and pasted anything.
I am trying to figure out how to use the f900 correctly so I can document it clearly to avoid n00bs bricking boxes.
I am not technical and make no pretenses to be so. I just document.
So what is wrong with the details I posted? Help me get it right lol.
At address 3E7FC in both encrypted and unencrypted patched orig.bin : 66 64 60 F7
How can you write technical stuff if you are not at least minimally technically skilled? How can you help noobs with stuff you even know? Do you want advice? First read the original xbox hacking thread, then make yourself an idea.
A specific piece of advice about this fw patch:
At unencrypted 3E7FC you must see 00 00 00 00, this is the workaround to disable checksum.
If you patch orig.bin you have 666460F7
If you patch orig-e.bin and then decrypt it with firmwarecrypt (just to see if code is ok), you have 00 00 00 00
So, it seems that you need to patch the encrypted fw.
Just a precision: as SeventhSon says, the Hitachi firmware is not encrypted, it's only scrambled, but folks like to call a bitswapping + xoring an encryption.
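
The point Geremia and SeventhSon make above, reproduced on constructed data as an added example (not from the thread, and not the f900 patch or any poster's tool): a byte-replacement patch built against a scrambled image gives the intended bytes only when it is applied to the scrambled image. The nibble-swap-plus-XOR `scramble` is a toy stand-in rather than the Hitachi scheme, and the image contents and the mapping of file offset 3E7FC to flash sector 9003e000 are assumptions.

```python
SECTOR = 0x1000
FLASH_BASE = 0x90000000  # assumption: file offset 0x3E7FC lies in flash sector 9003e000
CHECKSUM_OFF = 0x3E7FC   # checksum area named in the thread

def _swap_xor(b: int) -> int:
    # Toy scramble of one byte: swap nibbles, then XOR 0x5A (NOT the Hitachi scheme).
    return (((b << 4) | (b >> 4)) & 0xFF) ^ 0x5A

def scramble(data: bytes) -> bytes:
    return bytes(_swap_xor(b) for b in data)

def descramble(data: bytes) -> bytes:
    # Inverse: undo the XOR first, then swap the nibbles back.
    return bytes((((b ^ 0x5A) << 4) | ((b ^ 0x5A) >> 4)) & 0xFF for b in data)

def make_patch(old: bytes, new: bytes) -> list:
    # PPF-style patch reduced to its essence: (offset, replacement byte) pairs.
    return [(i, n) for i, (o, n) in enumerate(zip(old, new)) if o != n]

def apply_patch(image: bytes, patch: list) -> bytes:
    buf = bytearray(image)
    for off, val in patch:
        buf[off] = val
    return bytes(buf)

def changed_sectors(a: bytes, b: bytes) -> list:
    # Flash addresses of the 0x1000-byte sectors in which two images differ.
    return sorted({FLASH_BASE + (i // SECTOR) * SECTOR
                   for i, (x, y) in enumerate(zip(a, b)) if x != y})

def demo():
    clear_orig = bytearray(b"\xA5" * 0x40000)            # constructed cleartext image
    clear_orig[CHECKSUM_OFF:CHECKSUM_OFF + 4] = bytes.fromhex("12345678")
    clear_orig = bytes(clear_orig)
    clear_want = bytearray(clear_orig)                   # what the patch author intends
    clear_want[CHECKSUM_OFF:CHECKSUM_OFF + 4] = bytes(4)
    # The patch is generated against the SCRAMBLED images.
    patch = make_patch(scramble(clear_orig), scramble(bytes(clear_want)))
    right = descramble(apply_patch(scramble(clear_orig), patch))
    wrong = apply_patch(clear_orig, patch)               # applied to cleartext by mistake
    word = lambda img: img[CHECKSUM_OFF:CHECKSUM_OFF + 4].hex()
    return word(right), word(wrong), changed_sectors(clear_orig, wrong)

if __name__ == "__main__":
    ok, bad, sectors = demo()
    print("patched scrambled image, descrambled:", ok)
    print("patched cleartext image:             ", bad)
    print("sectors touched:", [hex(s) for s in sectors])
```

Diffing the patched image against a known-good copy sector by sector, as `changed_sectors` does, also shows which flash sectors a patch touches before anything is written to the drive.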