XboxHacker BBS
 
*
Welcome, %1$s. Please login or register.
Did you miss your activation email?
May 04, 2016, 06:38:15 AM




Pages: « 1 2 3 4 »

Author Topic: HD-DVD addon Toshiba SD-S802A  (Read 72627 times)

amadeus

  • Hacker
  • ***
  • Posts: 59
    • View Profile
Re: HD-DVD addon Toshiba SD-S802A
« Reply #40 on: April 05, 2007, 06:13:12 AM »

Would it be out of the scope to figure out where the VolumeID is physically stored on the disc?

I am thinking knowing that would lead to another backdoor? Why else would AACS LA keep that information out of the specs?
Logged

Geremia

  • Xbox Hacker
  • *****
  • Posts: 600
    • View Profile
Re: HD-DVD addon Toshiba SD-S802A
« Reply #41 on: April 05, 2007, 06:40:22 AM »

VolumeID is half stored in BCA and half in CopyrightDataSegment into the leadin (atm seems not in the 2048byte data area of CDS sectors, i personally think it could be into headers of that sectors), both not burnable.
Full raw CDS reading could be maybe done with a proper fw patch.
Hiding is a quick way to protect.
Logged

amadeus

  • Hacker
  • ***
  • Posts: 59
    • View Profile
Re: HD-DVD addon Toshiba SD-S802A
« Reply #42 on: April 05, 2007, 07:19:53 AM »

VolumeID is half stored in BCA and half in CopyrightDataSegment into the leadin (atm seems not in the 2048byte data area of CDS sectors, i personally think it could be into headers of that sectors), both not burnable.
Full raw CDS reading could be maybe done with a proper fw patch.
Hiding is a quick way to protect.
Making a full raw dump, will that require a Device Key or is it AACS independent?
Logged

awhitehead

  • Member
  • **
  • Posts: 15
    • View Profile
Re: HD-DVD addon Toshiba SD-S802A
« Reply #43 on: April 05, 2007, 01:25:43 PM »


Making a full raw dump, will that require a Device Key or is it AACS independent?


With properly patched firmware, drive should be physically capable of accessing the normally unreadable sectors.  Since once the firmware is modified, it is possible to make it ignore AACS (and heck, possible to define your own custom CDBs, if you want to go the hard route), I believe that making a full raw dump, including reading the lead-in and bca is AACS independent.

I could be wrong.
Logged

Geremia

  • Xbox Hacker
  • *****
  • Posts: 600
    • View Profile
Re: HD-DVD addon Toshiba SD-S802A
« Reply #44 on: April 07, 2007, 05:00:14 PM »

further discussion about the firmware is here http://forum.doom9.org/showthread.php?t=124294
here i'll post any xbox360 related info, if any
Logged

xt5

  • Hacker
  • ***
  • Posts: 61
    • View Profile
Re: HD-DVD addon Toshiba SD-S802A
« Reply #45 on: April 08, 2007, 03:09:58 PM »

hello,

very nice work Geremia and arnezami :)

here is yet another proggie to dump the firm (I still don't get one HDDVD for myself so it is untested), it used SPTI layer thats mean it doesn't rely on PLSCSI.
http://rapidshare.com/files/24985414/dump.rar.html

sorry for continue the thread here, but doom9 forums says you can't post until you got 5 days from registration  ::)

here I've found a complete manual about the FR30 MCU: http://www.ffarc.com/pdf/91101a.pdf

I've lot of questions about the H802A firm:

-where is the function 002F0BB8 called?? I've traced lot of code and references and still can found where it is called.
that function is the one that memcpy the checksum function to 0x18000 and execute it through the "sections" of the firm (dunno if is the same for the XBOX360 HDDVD drive??)


Code: [Select]
ROM:002F0BE8
ROM:002F0BE8 loc_2F0BE8:
ROM:002F0BE8                 st      r10, @(r14, 0xFC)
....................................
....................................
ROM:002F0C80                 ldi:8   #0xEC, r6
ROM:002F0C82                 asr     #2, r5
ROM:002F0C84                 ld      @(r14, 0xFC), r0 ; rescata r0 del stack
ROM:002F0C86                 extsb   r6              ; r6 dentro del stack
ROM:002F0C88                 call:D  @r0             ; llama a fnc_checksum
ROM:002F0C8A                 add     r14, r6
ROM:002F0C8C                 cmp     #0, r4         ; compara la suma con zero
ROM:002F0C8E                 beq     loc_2F0C94
ROM:002F0C90                 bra:D   loc_2F0C9E      ; return 0
ROM:002F0C92                 ldi:8   #0, r4

-in that code sniped r6 is passed to fnc_checkum to store the "columns xors" values, but seems to not been used at least for this function, also the r14 pointer is used as local storage for the fnc_checksum ptr, at first I though that r14 was a "frame pointer", but that make no sense because the value of r6 is discarded.

-do you know what are those vectors at start of the firm?
Code: [Select]
ROM:00200040 off_200040:     .long sub_200060        ; DATA XREF: sub_2FF67C:loc_2FF6A2o
ROM:00200044 off_200044:     .long sub_2137F8        ; DATA XREF: sub_2FF73A+6o
ROM:00200048 off_200048:     .long sub_215456        ; DATA XREF: sub_2FF75A+6o
ROM:0020004C off_20004C:     .long sub_2007BE        ; DATA XREF: sub_2FF77A+6o
ROM:00200050 off_200050:     .long nullsub_4         ; DATA XREF: sub_2FF71A+6o
ROM:00200054 off_200054:     .long sub_21161C        ; DATA XREF: sub_2FF6FA+6o
ROM:00200058 off_200058:     .long sub_2125BA        ; DATA XREF: sub_2FF6DA+6o
ROM:0020005C off_20005C:     .long sub_200070        ; DATA XREF: sub_2FF6BA+6o


sorry my crappy english
Logged

Geremia

  • Xbox Hacker
  • *****
  • Posts: 600
    • View Profile
Re: HD-DVD addon Toshiba SD-S802A
« Reply #46 on: April 08, 2007, 06:58:48 PM »

thanks very much for the app, it's very usefull :)

i already have that pdf, it contains all asm opcodes, i forgot to mention here

wait, i'll take a look at my ida
Logged

Geremia

  • Xbox Hacker
  • *****
  • Posts: 600
    • View Profile
Re: HD-DVD addon Toshiba SD-S802A
« Reply #47 on: April 08, 2007, 07:14:48 PM »

The bootloader is the same for SD-H802A and SD-S802A

Code: [Select]
ROM:002F0C80                 ldi:8   #0xEC, r6
ROM:002F0C82                 asr     #2, r5          ; divide by 4, but in the calculation routine is multiplied by 4
ROM:002F0C84                 ld      @(r14, 0xFC), r0 ; 18000 that stores routine XOR_and_sum_FWpart
ROM:002F0C86                 extsb   r6
ROM:002F0C88                 call:D  @r0
ROM:002F0C8A                 add     r14, r6         ; r6 = r14-14 = (r14, EC), will hold xored values
ROM:002F0C8C                 cmp     #0, r4
ROM:002F0C8E                 beq     loc_2F0C94      ; branch if the sum of words of fw is 00000000
ROM:002F0C90                 bra:D   loc_2F0C9E
ROM:002F0C92                 ldi:8   #0, r4

don't know if i understood you well, but maybe you are mistaking the delayed branch.
in the V6AssmManualCM71-00203-2E.pdf chapter 5.1.7, it describe the :D
if you see a bra:D or a call:D it means that the next instruction is executed prior to branch/call, this is because of code optimization
Logged

xt5

  • Hacker
  • ***
  • Posts: 61
    • View Profile
Re: HD-DVD addon Toshiba SD-S802A
« Reply #48 on: April 08, 2007, 07:20:12 PM »

yup, I've noticed the delay slot, but the value stored is never been used in that function, thats why I want to see where the function is called.

another question: do you know what are the JEDEC codes of that drive EEPROM, or the EEPROM model?
Logged

Geremia

  • Xbox Hacker
  • *****
  • Posts: 600
    • View Profile
Re: HD-DVD addon Toshiba SD-S802A
« Reply #49 on: April 08, 2007, 07:26:51 PM »

002F0BB8 is called here

ROM:002FE998                 ldi:32  #checksum_firmware, r12

which is part of the function that is called from this function

ROM:002FDC48
ROM:002FDC48                 .type sub_2FDC48, @function
ROM:002FDC48 sub_2FDC48:
ROM:002FDC48                 ldi:32  #0x41FFC, r15   ; DATA XREF: ROM:off_2FFFFC
ROM:002FDC4E                 ldi:20  #0x486, r1


which is pointed by the end of firmware

ROM:002FFFFC off_2FFFFC:     .long sub_2FDC48

the end of firmware is the much interesting if you want to exactly find the bootloader entry point, I suppose the internal rom code will load @ one of these address to start executing code of flashrom

Code: [Select]
ROM:002FFF90                 .long sub_2FF79A
ROM:002FFF94                 .long sub_2FF77A        ; calls 2007A8 pointed by 20004C
ROM:002FFF98                 .long sub_2FF75A        ; calls 215806 pointed by 200048
ROM:002FFF9C                 .long sub_2FF73A        ; calls 213BE2 pointed by 200044
ROM:002FFFA0                 .long sub_2FF79A
ROM:002FFFA4                 .long sub_2FF79A
ROM:002FFFA8                 .long sub_2FF79A
ROM:002FFFAC                 .long sub_2FF71A        ; calls 213C28 pointed by 200050
ROM:002FFFB0                 .long sub_2FF79A
ROM:002FFFB4                 .long sub_2FF6DA        ; calls 212648 pointed by 200058
ROM:002FFFB8                 .long sub_2FF6FA        ; calls 211652 pointed by 200054
ROM:002FFFBC                 .long sub_2FF6BA        ; calls 200070 pointed by 20005C
ROM:002FFFC0                 .long sub_2FF67C        ; calls 200060 pointed by 200040 or
ROM:002FFFC0                                         ; 2FDC48 pointed by 2FFFFC
ROM:002FFFC4                 .long sub_2FF79A
ROM:002FFFC8                 .long 0x2FDD10
ROM:002FFFCC                 .long sub_2FF79A
ROM:002FFFD0                 .long sub_2FF79A
ROM:002FFFD4                 .long sub_2FF79A
ROM:002FFFD8                 .long sub_2FF79A
ROM:002FFFDC                 .long sub_2FF79A
ROM:002FFFE0                 .long sub_2FF79A
ROM:002FFFE4                 .long sub_2FF79A
ROM:002FFFE8                 .long sub_2FF79A
ROM:002FFFEC                 .long sub_2FF79A
ROM:002FFFF0                 .long sub_2FF79A
ROM:002FFFF4                 .long sub_2FF79A
ROM:002FFFF8                 .byte 9
ROM:002FFFF9 byte_2FFFF9:    .byte 0x2F
ROM:002FFFFA                 .byte 0xF7 ;
ROM:002FFFFB                 .byte 0x9A ;
ROM:002FFFFC off_2FFFFC:     .long sub_2FDC48        ; DATA XREF: ROM:00218CF6o
ROM:002FFFFC                                         ; sub_2FF67C+18o
ROM:002FFFFC ; end of 'ROM'


take alook, there are also pointer to 200040 etc..

Logged

Geremia

  • Xbox Hacker
  • *****
  • Posts: 600
    • View Profile
Re: HD-DVD addon Toshiba SD-S802A
« Reply #50 on: April 08, 2007, 07:38:30 PM »

 excuse but i'm not english too :)
well, after exiting the xor and sum function, the xors at (r14, 0xEC) are partially cleared, this is weird, but arnezami told that only the sum is considered at this time, after that, the xors will be calculated again and without the first and last 0x10 bytes of fwpart, at least for checks about fw flashing...here you are looking at the check on boot.

What do you mean with jedec codes? do you mean manufacturer and device ID?  that flash support CFI, that should be a lot of information about the flash you can retrieve, not only manufact and dev id.

Anyway it's a EN29LV160AB and manufactID and devID should be 1C 49 or 7f 49

Going to sleep now :)
« Last Edit: April 08, 2007, 07:48:10 PM by Geremia »
Logged

garyopa

  • Xbox Hacker
  • *****
  • Posts: 588
  • Oasis Pensive Abacutors
    • View Profile
    • Oasis Pensive Abacutors
Re: HD-DVD addon Toshiba SD-S802A
« Reply #51 on: April 10, 2007, 08:51:13 PM »

Looks like some of your early efforts have paid off, and now it is in the major news.

My hat off to everyone here at "xboxhacker" and "doom9".

I still want to see some process on seeing if the X360 can read gamedata from the drive,
as it seems to have some functions to do with that, maybe at least to tell the console,
NOT to play games. (I wonder if that can be reserved and a AES drive key added?)

Quote
AACS hacked to expose Volume ID: WinDVD patch irrelevant
Posted Apr 10th 2007 6:04AM by Thomas Ricker on ENGADGET.COM

The DRM "protecting" HD DVD and Blu-ray Disc films -- AACS -- continues to unravel at the seams.
In parallel efforts, hackers in both the Xboxhacker and Doom9 forums have exposed the "Volume ID" for discs played on XBOX 360 HD DVD drives.
Any inserted disc will play without first authenticating with AACS, even those with Volume IDs which have already been revoked by the AACS LA due to previous hacking efforts.
Add the exposed processing keys and you can decrypt and backup your discs for playback on any device of your choosing.
So yeah, it looks like last week's WinDVD update has been quickly and definitively made useless just as we expected it would be.
Well, for XBOX 360 HD DVD drive owners anyway, but you can see where this is heading, right?
Now go ahead AACS LA, revoke the Toshiba-built XBOX 360 HD DVD player...

we double-dog dare ya.
Logged

Geremia

  • Xbox Hacker
  • *****
  • Posts: 600
    • View Profile
Re: HD-DVD addon Toshiba SD-S802A
« Reply #52 on: April 11, 2007, 01:40:59 PM »

I'm happy that other people joined the game.

I've traced the modeselect and modesense functions, it seems that no pagecode 3B or 3E is present (the one used in C/R protocol, as far as i've understood). There is a 3D pagecode, but does not allow more than a few bytes to be transmitted.

I've inserted an original xbox360 game and dumped all address space, at first look i didn't find the SS.

I'm sure something xbox related will pop up while tracing other stuff.

Anyway the "xbox media with BCA" ascii text is something interesting,  just waiting to see if any of these disc will appear....do'nt forget that AACS can be applied also to DVD media.
Logged

TheSpecialist

  • Global Moderator
  • Xbox Hacker
  • *****
  • Posts: 782
    • View Profile
Re: HD-DVD addon Toshiba SD-S802A
« Reply #53 on: April 12, 2007, 05:25:49 AM »

Came back from holiday, I was just reading the biggest dutch IT related news site, found out that 2 hackers called 'Geremia' and 'xt5' cracked an important part of HD-DVD :)

http://tweakers.net/nieuws/47089/Nieuwe-aacs-hack-maakt-WinDVD-patch-overbodig.html

Congratulations guys, nice work ! :) It are open, information sharing threads like these that make me proud to be a member of this community !
« Last Edit: April 12, 2007, 06:28:34 AM by TheSpecialist »
Logged

CoolkcaH

  • Newbie
  • *
  • Posts: 3
    • View Profile
Re: HD-DVD addon Toshiba SD-S802A
« Reply #54 on: April 22, 2007, 08:22:10 PM »

Hi. How hard is it to make the firmware rpc1? If that helps..
I bought one in the US and a few region 1 dvds and when I tried them in my PAL 360, they didn't work.

Weird thing is, even if the Toshiba HD-DVD is set to region 1, the 360 will play region 2 dvds...that means the software dvd-player checks the region of the dvd without caring for the region setting of the player.
Can we make the player always report region 2?

Can you tell me a good website to study this with commented firmwares or something?
Logged

awhitehead

  • Member
  • **
  • Posts: 15
    • View Profile
Re: HD-DVD addon Toshiba SD-S802A
« Reply #55 on: April 28, 2007, 08:26:09 PM »

*sigh* 

I'll give it a go answering your question about region locking.

Basically, you want to start with a copy of MMC 6 specifications from
http://www.t10.org/ftp/t10/drafts/mmc6/mmc6r00.pdf

In the specification you want to look at REPORT KEY (opcode A4) and SEND KEY (opcode A3) commands, since they are the ones that are used in region locking.

Specifically:
SEND KEY with parameter 06 (A3/06) is used to change drive's region.
REPORT KEY with parameter 08 (A4/08) is used to query drive's region and region change counters
REPORT KEY with parameter 04 (A4/04) is used to obtain the CSS Title Key (which is needed to decrypt a CSS encrypted movie)

Another somewhat important CDB is the READ DVD STRUCTURE (AD), specifically, with the DISC KEY (02) format selector.


A region-free drive will report the Title Key to the host in response to A4/04, and, as it has no region, it doesn't know about the A3/06 or A4/08 commands and will report an INVALID FIELD IN CDB error back to host OS if queried.

A region-locked drive will be set to one and only one region, and will remember this region.  It will give a valid reply to A4/08 command by returning its current region and counters.  It will let you change the regions if the region change counter was not decrememnted down to 0, and you send it A3/06 command. A4/04 command will not return the Title Key if the movie isn't authorized for playback in the drive's region, and will return Title Key if the move is authorized for playback in the drive's region.

Your host OS figures out if the drive is RPC1 or RPC2 by sending the drive it the A4/08 command. If the drive replies with the region settings, the drive is region-locked.   That's basically what the region checking utilities do (plus they of course decode the response correctly and present you with a nice results).

Coincidentially, when you look at the DVD video structure, at offset 23h of the VIDEO_TS.IFO you can find a copy of the region mask for the movie, against which the drive is matched. 

So basically, what you need to do is trace the A4/08 handler and figure out where in the firmware the drive stores it's region settings.  Ideally (at least from PC perespective), what you want to do is change the pointer to the region mask from non-volatile to volatile memory.  This way your drive will reset to "no region set" default, and allow you to change the region 5 times.  Then you power cycle the drive, and it's back to "no region set", while the host OS and any checking utilities still think that they are dealing with RPC2 drive.  I have no idea if Xbox lets you change the regions 5 times, of if it defaults to whatever, and sticks to it (or if the region is set and enforced by the OS in the Xbox proper, as opposed to the drive firmware), so this might have to be adjusted for your situation.
 
These kinds of questions are probably best asked on rpc1.org forums, since that's where people with alot more clue in region lock removal hang out.  I am just an amature.

To get you started, take a look at this PDF and you can have my script on quering drive's RPC status, since the comments on decoding the response in this script are alot more useful then just a plscsi command, and will help you out in understanding the language of MMC6 specification.


Code: [Select]
#!/bin/sh
# $Id: get_RPC.sh,v 1.1                               $
######################################################################################################################################
# A4 is REPORT KEY used in region locking mechanism
# The A4/08 command is used to query the drive's region and counters
#
# Report key command packet looks thusly:
#     Bit  7 6 5 4 3 2 1 0
# Byte
#  0       Operation mode (A4)
#  1       Reserved
#  2       Reserved or LBA
#  3       Reserved or LBA
#  4       Reserved or LBA
#  5       Reserved or LBA
#  6       Reserved
#  7       Key Class
#  8       Allocation Length
#  9       Allocation Length
# 10       7,6 = AGID, rest = Key format
# 11       Control

# from mmc6r00.pdf:
# Table 512  Key Format Code definitions for REPORT KEY Command (Key Class 0)
# Key Format    Returned Data           Description                                                             AGID Use
# 000000b       AGID for CSS/CPPM       Returns an AUTHENTICATION GRANT ID for Authentication for CSS/CPPM      Reserved & N/A
# 000001b       Challenge Key           Returns a Challenge KEY                                                 Valid AGID Required
# 000010b       KEY1                    Returns a KEY1                                                          Valid AGID Required
# 000100b       TITLE KEY               Returns a TITLE KEY obfuscated by a Bus Key                             Valid AGID Required
# 000101b       ASF                     Returns the current state of the Auth. Success Flag for CSS/CPPM        Reserved & Ignored
# 001000b       RPC State               Report Drive region settings                                            Reserved & Ignored
# 010001b       AGID for CPRM           Returns an AUTHENTICATION GRANT ID for Authentication for CPRM          Reserved & N/A
# 111111b       None                    Invalidate Specified AGID. Invalidating an invalid AGID
#                                       shall not be considered an error.  An AGID that has not been
#                                       granted shall be considered invalid.
#                                       Valid AGID preferred but not required
# All other values Reserved

plscsi -v -x "A4 00 00 00 00 00 00 00 00 08 08 00" -i x8

# A4/08 reply packet format:
#     Bit  7 6 5 4 3 2 1 0
# Byte
#  0       00
#  1       06
#  2       00
#  3       00
#  4       7,6 - State, 5,4,3 - Resets left, 2,1,0 - Changes left
#  5       Region Mask
#  6       01
#  7       00

# Byte 4 decoding:
# The 'Changes left' field contains the number (from 0 to 5) of region
# changes that still can be done.

# The 'Resets left' field contains the number (from 0 to 4) of vendor
# resets that still can be done.

# The 'State' field that will depend on the 'Changes left' field. If
# the 'Changes left' is 0, the 'State' will be binary 11. If the 'Changes
# left' is 1, the 'State' will be 10, if the 'Changes left' is 2, 3 or 4,
# 'State' will be 01, and when 'Changes left' is 5, 'State' is 00. The
# official name of these 4 states are 'None', 'Set', 'Last Chance', 'Permanent'.

# Byte 5 of response packet is the Region mask:
# FF    - No Region
# FE    - Region 1
# FD    - Region 2
# FB    - Region 3
# F7    - Region 4
# EF    - Region 5
# DF    - Region 6
# BF    - Region 7
# 7F    - Region 8

# Example:
# x 00000000 A4 00 00:00:00:00 00 00:00:08:08 00 .. .. .. .. "$@@@@@@@@HH@"
# x 00000000 00:06:00:00 63:FE:01:00 .. .. .. .. .. .. .. .. "@F@@c~A@"

# Byte 4
# x63 = 0110 0011 binary
# 01 = state - set, 01 since Changes left is 3
# 100 - Resets left  == 4
# 011 - Changes left == 3

# Byte 5
# xFE == Region 1

« Last Edit: April 28, 2007, 08:30:43 PM by awhitehead »
Logged

awhitehead

  • Member
  • **
  • Posts: 15
    • View Profile
Re: HD-DVD addon Toshiba SD-S802A
« Reply #56 on: April 28, 2007, 08:47:20 PM »

Oh, and silly me.

First thing you want to do is dump the firmware of your SD-S802A, using xt5's dump.exe, and a PC (or using Geremia's plscsi route if you so prefer), and disassemble it.  IDA Pro is nice, I am told (Trying to see if I can convince my Ucraininan buddies to buy me a copy if IDA Pro from Ucraine - supposedly it's only 150 USD there for a legal license), although I use the disassembler link to which I posted earlier.

It helps having a chip flasher and means of desoldering your drive's on board flash, and mounting a socket in it's place (or having no qualms to re-solder the chip back on every time you have to re-flash  a bad firmware flash).

Then you disassemble the firmware, make the changes you want, and re-flash it back into the drive using WinVUP (I wrote a plscsi script to flash SD-S802A, based on CDBs that Geremia posted earlier in this thread, but I don't recommend anyone use it if they have access to a Windows system :-). 

Oh, and there is an XOR like scheme that is used to protect the integrity of firmware, that you need to fix up before flashing the firmware back in.

If your firmware change works on the first try, you are good.  If it kills your drive, you need to desolder the flash, and flash in the original backup of the firmware, solder the flash back on, and try again.

That's basically it.  Simple, right?

*runs*

(It might be faster to figure out what memory bits need to be flipped on the drive to make it return the INVALID FIELD IN CDB for A4/08 and always return the Title Key in response to A4/04, and write a small plscsi script to enable vendor specific commands, and then write the correct bits to drive's RAM, then actually patch the firmware.   It's a valid soluton for PC users, at least.)
« Last Edit: April 28, 2007, 08:53:51 PM by awhitehead »
Logged

Geremia

  • Xbox Hacker
  • *****
  • Posts: 600
    • View Profile
Re: HD-DVD addon Toshiba SD-S802A
« Reply #57 on: April 30, 2007, 12:17:58 PM »

I was asked a couple of days ago if there is a way to have the drive directly connected to ATA cable.
Yes it's possible, and it works, but you have to use a modified JAE50 to IDE adapter.

Here is the pinout of a laptop drive (btw, it's a toshiba and you can also read about 1C/1D CDB vendor specific commands for send and receive diagnostics, one of these is what i've found to enable disabled commands)
http://udf-cat.tstu.edu.ua/fileserver/Engeneering/Electronics/TechDoc/Toshiba/psr2002.pdf

The pinout is at page 19.

The SD-S02A (and probably the SD-E802A found in toshiba standalone players) uses 12v too, which is not present in a standard JAE50 connector (maybe the right name is KX14-50 for drive side and KX15-50 for external adapter side)

this is the SD-S802A not standard pins

pin 47-48-49-50 = +12v
pin 1 = eject line. Drives output 3,3v, just a quick short to gnd will open/clode (i prefer to not directly short to gnd, i used a 1K resistor->GND)
pin 2 = tray status. goes to the lexar chip near the nand on the external board. 0v on idle, 3,3v during opening/closing.
pin 3 = (seems) activity. seems unconnected on the external board but it's connected on the internal drive board. 1,10v on idle, blinks to 3,3v during opening/closing
pin 37 = fan enable. This pin on ata cable is activity led, but on the 360 hd-dvd addon goes to the psu unit where the fan is. If i left unconnect, the drive seems to not work correctly, i've to investigate about this.
The main problem is to mod the JAE50 to IDE adapter (the one used to connect notebook drives to desktop ata 40pin)
My adapter is not very suitable, i've ordered a different one to see if it can be easily modified.
First i had to dremel 3  pins of the ata40 connector, because they makes contact on the drive metallic case.
Pins 1-2-3 are not a problem because they go to the audio connector of the adapter
Pin 47 (cable select) originally goes to the ata40 connector, had to cut the trace
Pins 49 and 50 were unconnected on my adapter, so no problem here
Pin 48 was more probelmatic, it was connected to ground under the connector, so i had to desolder the kx15-50 connector, cut and resolder back.
Then externally wired 12v to 47-48-49-50.

I've tested the drive with an IDE to USB adapter and it seems to work well.
 
« Last Edit: May 03, 2007, 05:16:40 PM by Geremia »
Logged

Geremia

  • Xbox Hacker
  • *****
  • Posts: 600
    • View Profile
Re: HD-DVD addon Toshiba SD-S802A
« Reply #58 on: May 01, 2007, 02:05:10 PM »

I'm trying to find any active UART port, i know that similar chip does have 2-3 uarts with tx, rx and clock.
There is comething like a debug connector on the pcb, and i measured a clock of 1Mhz on one pin.
Does anyone know if 1Mhz is a common clock for some debug port, like serial ,jtag, bdm....?
1Mhz in a serial port 8N1 should be something near 2400 boud, right? seems not so much...
Logged

bourke

  • Hacker
  • ***
  • Posts: 60
    • View Profile
    • Actualisation Technologies
Re: HD-DVD addon Toshiba SD-S802A
« Reply #59 on: May 02, 2007, 08:02:06 AM »

Coincidentially, when you look at the DVD video structure, at offset 23h of the VIDEO_TS.IFO you can find a copy of the region mask for the movie, against which the drive is matched. 

I thought that 23h@VIDEO_TS.IFO was only checked in RPC1?  RPC2 uses octet 5 of the CSS CPR_MAI field (a 6 octet field)?

So if the player (Xbox) is the device with the region code (not the drive itself) - then you need to modify the drive firmware to mask all CSS CPR_MAI fields with the correct (hard-coded) region - i.e the region of the Xbox :-)
« Last Edit: May 02, 2007, 08:27:50 AM by bourke »
Logged
Forum member since April 2002.
Pages: « 1 2 3 4 »
 
 

Powered by MySQL Powered by PHP SMF 2.0.11 | SMF © 2015, Simple Machines

Valid XHTML 1.0! Valid CSS! Dilber MC Theme by HarzeM