Thanks to Geremia we have a somewhat rough but 100% working way to extract the key from the 83850c v2 and 93850c drives, which until now were unhackable.
Here is a direct quote from him:
Again I've heard around big words about secret preservation in the name of the scene life, requesting a little sacrifice in $.
There is a guy that owns a topsecret way to dump drive fw, and I'm not going to reveal, cause it's something he should do, not me.
I'm sure I would have been able to discover myself, and I'm sure he would have been able to discover himself without my hints, why not, but I'm sure too that someone else can do it the same way.
I've spent a lot of time reversing the 7xxx fw to find an alternative solution, but now some flashed 93450 appeared on the mod market (lame 7xxx spoofed as 93450, probably you great modder don't have the mkt scrambling/descrambling app to change the original inquiry) with epoxy removed and reapplied (great security, I'm sure MS can't see it).
So, I'm sure the scene prefers to pay a MSproof modding to help the scene(rs), but if anyone wants to do some experiment and find the secret by himself, I'm happy to share something from my pocket, I'm sure someone with no $ in mind can report back some interesting result.
As you know, liteons have embedded spi flash, it's an MX25L2005 and a winbond in some cases.
During powerup, the spi is read by the mtk internal flash controller, descrambled and copied to an internal sram. This sram is then connected to address and data pins of the 8051 core, which will start executing the code.
The mtk checkmodule checks the first 0x200 bytes of spi flash; if they are blank (all FF), the vendormode is fully enabled with an ata status 72 and you can access the spi flash (and dosflash can read/write).
If the first 0x200 bytes are not blank, you can enter vendormode but you can't access the spi flash (status 52).
What I tried times ago was to mess with the pins of the mtk chip to find a way to disable the spi flash during powerup, cause in many cases of spi implementation, if the spi flash does not pull down the MISO pin, the spi master reads all FF (lifting one pin makes an old psp battery pandorized, same principle).
The problem is that the embedded spi flash pins are not present outside of the mtk chip, except vcc and ground (which are shared with other internal stuff).
Use some imagination, and feel free to do what you want with your discovery.
And naturally the method itself:
-Lift pin 101 and 122 (The MT Chip)
-solder a cable to pin 100, pin 101 and one to 3,3V
-use a 2-way switch which either connects 101 to 3,3V or to 100
-put the switch into the position so that it connects 100 to 101
-power drive
-start Dosflash, it will recognise the SPI with Status x72
-if you read it out now, it will just give you a .bin full of FFFFFFFF, but that's OK, this is how we tricked the Flash Controller to think the SPI is empty
-put the switch in the other position (so that 101 is connected to 3,3V)
-now read the flash
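The two things the quote explains (the checkmodule's "first 0x200 bytes blank" rule and the all-FF image you get while the switch is in the first position) are easy to verify offline on the resulting .bin. The script below is an added example, not part of the original post or of DosFlash: it classifies a dump the way the post describes the controller doing it and flags an image that is nothing but FF so it is not mistaken for the real firmware. The 256 KiB size is the MX25L2005 (2 Mbit) part named in the quote; the sample images at the bottom are constructed, not real dumps.

```python
"""Sanity-check a LiteOn SPI flash dump (.bin) against the rule quoted above.

Added example; not code from the original post, DosFlash or JungleFlasher.
"""
import sys

MX25L2005_SIZE = 256 * 1024   # 2 Mbit part mentioned in the post = 256 KiB
CHECK_REGION = 0x200          # bytes the MTK checkmodule inspects at power-up


def is_blank(data: bytes) -> bool:
    """True when every byte is 0xFF (erased flash, or a MISO line nobody drives)."""
    return len(data) > 0 and all(b == 0xFF for b in data)


def classify_dump(image: bytes) -> dict:
    """Apply the post's checkmodule rule to an image and collect what it implies.

    header_blank    first 0x200 bytes all FF -> vendor mode fully enabled
    expected_status 0x72 when the header is blank, 0x52 otherwise (per the post)
    all_ff          the whole image is FF: the 'tricked' read, not firmware
    size_ok         length matches the MX25L2005 part
    programmed_pct  share of bytes that are not FF, a quick plausibility figure
    """
    header = image[:CHECK_REGION]
    header_blank = is_blank(header)
    non_ff = sum(1 for b in image if b != 0xFF)
    return {
        "header_blank": header_blank,
        "expected_status": 0x72 if header_blank else 0x52,
        "all_ff": is_blank(image),
        "size_ok": len(image) == MX25L2005_SIZE,
        "programmed_pct": (100.0 * non_ff / len(image)) if image else 0.0,
    }


def verdict(image: bytes) -> str:
    """One-line human verdict on a dump, derived from classify_dump()."""
    info = classify_dump(image)
    if not info["size_ok"]:
        return "unexpected size: %d bytes, MX25L2005 is %d" % (len(image), MX25L2005_SIZE)
    if info["all_ff"]:
        return "all FF: the controller saw an empty SPI, this is not the firmware"
    if info["header_blank"]:
        return "header blank, body populated: status 72 expected, contents look real"
    return "first 0x200 bytes programmed: real contents, status 52 on a normal boot"


def load_dump(path: str) -> bytes:
    """Read a .bin produced by the dump procedure."""
    with open(path, "rb") as fh:
        return fh.read()


# Constructed sample images (not real drive dumps) used by the self-test below.
TRICKED_IMAGE = b"\xFF" * MX25L2005_SIZE                       # switch in position 1
REAL_LIKE_IMAGE = bytes(range(256)) * (MX25L2005_SIZE // 256)   # header not blank
BLANK_HEADER_IMAGE = b"\xFF" * CHECK_REGION + b"\x00" * (MX25L2005_SIZE - CHECK_REGION)
SHORT_IMAGE = b"\x00" * 1024                                    # truncated read

if __name__ == "__main__":
    images = [load_dump(p) for p in sys.argv[1:]] or [
        TRICKED_IMAGE, REAL_LIKE_IMAGE, BLANK_HEADER_IMAGE, SHORT_IMAGE]
    for img in images:
        info = classify_dump(img)
        print("status %02X expected, %.1f%% programmed -> %s"
              % (info["expected_status"], info["programmed_pct"], verdict(img)))
```

Run it with the path of a dump as the argument; with no argument it walks the constructed samples. The all-FF check is the one that matters in practice: a dump taken before the switch is moved passes a size check and would otherwise look like a valid file.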
Filed under: Xbox360 News, Xbox360 Guides, News, Hacking

Oh, its time has come.
Is there any risk of bricking it?
And most importantly, when will you start doing it and for how much cash?
There is a chance, yes. Otherwise the method gives a good dump for now. But installing iXtreme is the problem, since there is none for these drives. There are a few tricks to install one of the current iXtremes, but that will flag the console quite seriously for a ban. Considering that the LT firmware is finished (according to JungleFlasher), a firmware should come out soon. Maybe by then there will be a nicer way to dump too, although this one is not that bad. I will definitely be flashing the new drives, but first it has to be worked out how, so that there is the smallest possible chance of failure.