Again i've heard around big words about secret preservation in the name of the scene life, requesting a little sacrifice in $.
There is a guy that owns a topsecret way to dump drive fw, and i'm not going to reveal, cause it's something he should do, not me.
I'm sure i would have been able to discover myself, and i'm sure he would have been able to discover himself without my hints, why not, but i'm sure too that someone else can do it the same way.

I've spent a lot of time reversing the 7xxx fw to find an alternative solution, but now some flashed 93450 appeared on the mod market (lame 7xxx spoofed as 93450, probably you great modder don't have the mkt scrambling/descrambling app to change the original inquiry) with epoxy removed and reapplied (great security, i'm sure MS can't see it).

So, i'm sure the scene prefers to pay a MSproof modding to help the scene(rs), but if anyone wants to do some experiment and find the secret by himself, i'm happy to share something from my pocket, i'm sure someone with no $ in mind can report back some interesting result.

As you know, liteons have embedded spi flash, it's an MX25L2005 and a winbond in some cases.
during powerup, the spi is read by the mmtk internal flash controller, descrambled and copied to an internal sram. This sram is then connected to address and data pins of the 8051 core, which will start executing the code.
The mtk checkmodule checks for the first 0x200 bytes of spi flash, if are blank (all FF), the vendormode is full enabled with an ata status 72 and you can access the spi flash (and dosflash can read/write).
If the first 0x200 bytes are not blank, you can enter vendormode but you can't access the spi flash (status 52).
What i tried times ago, was to mess with the pins of the mtk chip to find a way to disable the spi flash during powerup, cause in many cases of spi imlementation, if the spi flash does not pull down MISO pin, the spi master reads all FF (lifting one pin makes an old psp battery pandorized, same principle).
The problem is that the embedded spi flash pins are not present outside of the mtk chip, except vcc and ground which are shared with other internal stuff).

Use some imagination, and feel free to do what you want with your discovery.

very plausible

1.8 volt is no involved from what i see on mx25l2005 datasheet ... My bad !

I'm pretty sure the external flash was tested in the early days and nothing came of it.

Could we not wire up a blank spi to the pins the internal spi are going and lift the chips vcc pin? That would make the mtk chip boot up using the blank flash chip and go into complete vendor, then we could flip a switch and go back to the internal and read that?

i lifted  the 3.3v pin but it is still linked to 3,3v (i check with a multimeter)
if i power on the drive with lifted pin  ...it works normally

Im very very pissed off about few people (no names).

so I decided to release all personally discovered information and a way how to read the whole LiteOn firmware.

I wish I'd seen that post before I spent the last few minutes searching ways of pulling CE high to disable the chip

I thought maybe bridging the 1.8 and 3.3 volt pins would drive it close to 5v and disable it -- but I'm sure that's wrong.

Great work, I'll shut up and drool in anticipation now.

 

Please, keep this thread along the lines of 'Research & Technical'.

Everyone's thanks etc is noted.

I'm sure others, like me, don't want to wake in the morning and see 1000's of posts saying thanks/conspiracy theories and have to sift through it.

I cant stress enough, if your post doesn't add relevant content to the thread, perhaps consider not posting it.

Actually, seeing this post and your PM.. I'm going to f***ing kill you right away.