Le développeur Kai Schtrom nous livre aujourd'hui via le Xbins une nouvelle version de son application baptisée DosFlash et qui vous permettra de flasher vos lecteurs Xbox360 sous DOS. On remarquera principalement dans cette nouvelle version l'intégration des dernières méthodes d'unlock des lecteurs Slim avec chip Winbond/MXIC. L'auteur en profite d'ailleurs pour saluer le travail de Geremia et de la Team Maximus sur ces méthodes de déverrouillage.
Voici la liste des nombreuses modifications de cette version 2.0 :
DosFlash V2.0 Release Date 03.09.2011
---------------------------------------
- Key extraction task "LiteOn Key V3 (Tarablinda)" now supports the Slim firmware versions 9504, 0272, 0225, 0401, 1071 and also tries to discover the key on unknown firmware versions
- 2 new tasks added named "Lock SPI Flash" and "Unlock SPI Flash"
The new unlock SPI flash task is used in combination with Geremia's MXIC and Winbond Unlock method.It is very much influenced by Geremia's unlockSPI program, which was the first bruter to unlock Winbond SPI flashes.
To relock the flash after you have finished writing a patched firmware to it, use the lock SPI flash task.
This will instantly make the SPI flash write protected for all blocks. BP0, BP1 and SRP status bits are activated afterward, so handle this function with care!
- Read Flash task now can create a full firmware dump of the Slim firmware versions 9504, 0272, 0225, 0401 and 1071To create full firmware dumps of 0225 drives and above you should get a compatible SATA2 controller and set it to IDE mode. In addition you should be able to do Geremia's MXIC or Winbond unlock method.
The compatible SATA2 controller is needed to unlock the MTK. Any installed drivers should be uninstalled, because they will switch the controller back to AHCI mode. In combination with the SPI flash status register unlock you are able to write to the firmware and inject Geremia's 8051 trojan, which can then dump the complete firmware. A risk level is added to show you how risky it is for your individual flash chip and firmware combination to write the patched firmware to obtain a full dump.
- Possibility during "Read Flash" task to write firmware sector 3E of Slim drives with unknown firmware version This feature should be useful if new, unknown Slim firmware versions get out. If you write the patched 3E sector to a new and unknown firmware version this could potentially kill your drive. So handle it with care!
- Portio.sys reimplemented as separate driver for DosFlash32 and DosFlash64
The driver files portio32.sys and portio64.sys are again separated from the executable file. This way the
user has the possibility to sign the drivers on his x64 system with the Driver Signature Enforcement Overrider.
- SATA and IDE adapter list updated
Geremia's Tarablinda method on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash32/64
-----------------------------------------------------------------------------------------------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- make sure the drivers for the SATA2 controller are uninstalled
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into Windows
- turn on the LiteOn psu
- run DosFlash32/64
- the drive and flash chip should identify properly
- choose the task "LiteOn Key V3 (Tarablinda)"
- press "LiteOn Key V3" button
- choose a destination directory for the extracted files
- after this DosFlash32/64 displays your DVD-Key and saves your key and identify data
- then DosFlash32/64 displays the following message:
There seems to be a LiteOn Slim drive connected as Master
to port 0xA000.
You should try SATA2 MTK unlock method.
- Use a compatible SATA2 controller set to IDE mode
- Repower the drive which is connected to the SATA 2 controller
- Press "Yes" if you are ready
Are you ready?
- do the above and press "Yes"
- this repower is used to get DosFlash32/64 back to a known MTK state
Geremia's Tarablinda method on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash16
--------------------------------------------------------------------------------------------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into Ms-DOS 6.22
- turn on the LiteOn psu
- run DosFlash16 in auto mode
- the drive and flash chip should identify properly
- choose your drive number
- as task choose "LITEON K"
- as extraction method choose "V3"
- choose a destination directory for the extracted files
- after this DosFlash16 displays your DVD-Key and saves your key and identify data
Unlock flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash32/64
--------------------------------------------------------------------------------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- make sure the drivers for the SATA2 controller are uninstalled
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into Windows
- turn on the LiteOn psu
- run DosFlash32/64
- the drive and flash chip should identify properly
- choose the task "Unlock SPI Flash"
- press "Unlock SPI Flash" button
- you will hear a test sound from the PC speaker and the following message is displayed:
The sound that just played was a test. You will hear the
same sound if unlocking is successful later on. If you
have not heard a sound, you should skip the unlock and
check your PC speaker.
Unlocking the SPI flash requires you to use Geremia's MXIC
or Winbond Unlock method. Proceed like follows:
- Press "Yes" if you are ready
- Start Geremia's MXIC / Winbond Unlock
- Stop if you hear the sound
Are you ready?
(Press ESC key to abort!)
- press "Yes"
- start MXIC or Winbond dremel unlock
- stop if you hear the test sound again
- the SPI flash should now be successfully unlocked
Unlock flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash16
-----------------------------------------------------------------------------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into MS-DOS 6.22
- turn on the LiteOn psu
- run DosFlash16 in auto mode
- the drive and flash chip should identify properly
- choose your drive number
- as task choose "U" for "Unlock SPI Flash"
- you will hear a test sound from the PC speaker and the following message is displayed:
The sound that just played was a test. You will hear the
same sound if unlocking is successful later on. If you
have not heard a sound, you should skip the unlock and
check your PC speaker.
Unlocking the SPI flash requires you to use Geremia's MXIC or Winbond Unlock
method. Proceed like follows:
- Press "Yes" if you are ready
- Start Geremia's MXIC / Winbond Unlock
- Stop if you hear the sound
Are you ready?
(Press ESC key to abort!)
- confirm with 'Y' for "Yes"
- start MXIC or Winbond dremel unlock
- stop if you hear the test sound again
- the SPI flash should now be successfully unlocked
Read flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash32/64
------------------------------------------------------------------------------------
- you should have unlocked the SPI flash prior to reading the flash, otherwise the following steps will not work
- connect your Slim drive to a SATA2 controller set to IDE mode
- make sure the drivers for the SATA2 controller are uninstalled
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into Windows
- turn on the LiteOn psu
- run DosFlash32/64
- the drive and flash chip should identify properly
- choose the task "Read Flash"
- press "Read Flash" button
- enter the name of your flash firmware output file e.g. fulldump.bin
- you read the following (the displayed checksum and risk level can vary):
Risk Level: Minimal! Winbond SPI flash with empty 3D3E sectors.
Firmware sectors 0x3D000 and 0x3E000 match known checksum
0xFFFFF800.
Do you want to write firmware with patched code to be able to read
the firmware?
- press "Yes"
- then DosFlash32/64 displays the following message:
There seems to be a LiteOn Slim drive connected as Master
to port 0xA000.
You should try SATA2 MTK unlock method.
- Use a compatible SATA2 controller set to IDE mode
- Repower the drive which is connected to the SATA 2 controller
- Press "Yes" if you are ready
Are you ready?
- do the above and press "Yes"
- after this DosFlash32/64 saves your firmware dump and displays the above message again, repower
the drive again and press "OK"
- the last repower is used to get DosFlash32/64 back to a known MTK state
Read flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash16
---------------------------------------------------------------------------------
- you should have unlocked the SPI flash prior to reading the flash, otherwise the following steps will not work
- connect your Slim drive to a SATA2 controller set to IDE mode
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into MS-DOS 6.22
- turn on the LiteOn psu
- run DosFlash16 in auto mode
- the drive and flash chip should identify properly
- choose your drive number
- as task choose "R" for "Read Flash"
- enter the name of your flash firmware output file e.g. fulldump.bin
- you read the following (the displayed checksum and risk level can vary):
Risk Level: Minimal! Winbond SPI flash with empty 3D3E sectors.
Firmware sectors 0x3D000 and 0x3E000 match known checksum 0xFFFFF800.
Do you want to write firmware with patched code to be able to read
the firmware (Y/N)?
- confirm with 'Y' for "Yes" and press Enter
- then DosFlash16 displays the following message:
There seems to be a LiteOn Slim drive connected as Master to port 0xA000.
You should try SATA2 MTK unlock method.
- Use a compatible SATA2 controller set to IDE mode
- Repower the drive which is connected to the SATA 2 controller
- Press "Yes" if you are ready
Are you ready (Y/N)?
- do the above and press 'Y' for "Yes"
- after this DosFlash16 saves your firmware dump
Lock flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash32/64
------------------------------------------------------------------------------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- make sure the drivers for the SATA2 controller are uninstalled
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into Windows
- turn on the LiteOn psu
- run DosFlash32/64
- the drive and flash chip should identify properly
- choose the task "Lock SPI Flash"
- press "Lock SPI Flash" button
- read the displayed warning carefully, because locking the flash is very risky
- press "Yes"
- the SPI flash should now be successfully locked
Lock flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash16
---------------------------------------------------------------------------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into MS-DOS 6.22
- turn on the LiteOn psu
- run DosFlash16 in auto mode
- the drive and flash chip should identify properly
- choose your drive number
- as task choose "L" for "Lock SPI Flash"
- read the displayed warning carefully, because locking the flash is very risky
- confirm with 'Y' for "Yes"
- the SPI flash should now be successfully locked
DosFlash16 Manual Mode Examples for LiteOn Slim 0225
------------------------------------------------------
- Extract drive key on a "PLDS DG-16D4S 0225"
DOSFLASH LITEON K V3 1010 A0
- Unlock SPI Flash on a "PLDS DG-16D4S 0225"
DOSFLASH U 1010 1 A0 3 0
- Read firmware on a "PLDS DG-16D4S 0225"
DOSFLASH R 1010 1 A0 3 0 4 FWOUT.BIN 0
- Write firmware on a "PLDS DG-16D4S 0225"
DOSFLASH W 1010 1 A0 3 0 4 FWIN.BIN 0
- Erase firmware on a "PLDS DG-16D4S 0225"
DOSFLASH E 1010 1 A0 3 0 4 C7 0
- Lock SPI Flash on a "PLDS DG-16D4S 0225"
DOSFLASH L 1010 1 A0 3 0
Excellent work on the MXIC / Winbond unlock by Geremia and Maximus.
As the Duke would say: Hail to the kings baby!
Kai Schtrom