Difference between revisions of "XDVDFS"

Revision as of 20:52, 19 November 2017

XDVDFS (Also known as XISO) is the image format used for Xbox Game Discs. It is stored in the data area.

Format

Each sector is 2048 bytes.

Filesystem

^[FIXME]

Volume descriptor

32 sectors which are zero-filled. The Volume descriptor is 4096 bytes, but split into 2x 2048 sections.

• Section 1: The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". ^[FIXME]
• Section 2: The first data is the magic at sector 32. It is always "MICROSOFT*XBOX*MEDIA". ^[FIXME]

Examples

• Azurik - Rise of Perathia (NTSC)
  • xblayout version: 1.0.3926.1
  • xbpremaster version: 1.0.3926.1
  • Starting bruteforce
  • Found seed 0x7EA870D7
  • Completed bruteforce (Success)
• Genma Onimusha (PAL)
  • xblayout version: 1.0.4039.1
  • xbpremaster version: 1.0.4039.2
  • Starting bruteforce
  • Found seed 0x25BAB84C
  • Completed bruteforce (Success)
• Max Payne (PAL)
  • xblayout version: 1.0.4134.1
  • xbpremaster version: 1.0.4242.1
  • Starting bruteforce
  • Found seed 0x62BBC340
  • Completed bruteforce (Success)
• Petit Copter (Japanese)
  • xblayout version: 1.0.4361.1
  • xbpremaster version: 1.0.4361.2
  • Starting bruteforce
  • Found seed 0xF401863E
  • Completed bruteforce (Success)
• 007 - Agent Under Fire (PAL)
  • xblayout version: 1.0.4432.1
  • xbpremaster version: 1.0.4432.1
  • Starting bruteforce
  • Found seed 0x1796C12A
  • Completed bruteforce (Success)
• Metal Gear Solid 2 - Substance (NTSC)
  • xblayout version: 1.0.4721.1
  • Starting bruteforce
  • Found seed 0xFACBB379
  • Completed bruteforce (Success)
• Battle Engine Aquila (PAL)
  • xblayout version: 1.0.4831.1
  • Starting bruteforce
  • Completed bruteforce (Failure)
• Metal Gear Solid 2 - Substance (PAL)
  • xblayout version: 1.0.5120.1
  • Starting bruteforce
  • Completed bruteforce (Failure)
• Shenmue II (PAL)
  • xblayout version: 1.0.5120.1
  • Starting bruteforce
  • Completed bruteforce (Failure)
• Star Wars - Knights of the Old Republic (PAL)
  • xbgamedisc version: 2.1.0.5233.1
  • mastering tool version: 2.1.0.5233.1
  • Starting bruteforce
  • Completed bruteforce (Failure)
• Indiana Jones and the Emperor's Tomb (PAL)
  • xbgamedisc version: 2.1.0.5233.1
  • mastering tool version: 2.1.0.5233.1
  • Starting bruteforce
  • Completed bruteforce (Failure)
• Dynasty Warriors 4 (PAL)
  • xbgamedisc version: 2.1.0.5344.1
  • mastering tool version: 2.1.0.5344.1
  • Starting bruteforce
  • Completed bruteforce (Failure)
• The Matrix - Path of Neo (PAL)
  • xbgamedisc version: 2.1.0.5849.1
  • mastering tool version: 2.1.0.5849.1
  • Starting bruteforce
  • Completed bruteforce (Failure)
• The Suffering - Ties That Bind
  • xbgamedisc version: 2.1.0.5849.1
  • mastering tool version: 2.1.0.5849.1
  • Starting bruteforce
  • Completed bruteforce (Failure)
• Reservoir Dogs (PAL)
  • xbgamedisc version: 2.1.0.5849.1
  • mastering tool version: 2.1.0.5849.1
  • Starting bruteforce
  • Completed bruteforce (Failure)

Directory Entry

Version 4361

File entry flags:

• READONLY = 0x01
• HIDDEN = 0x02
• SYSTEM = 0x04
• DIRECTORY = 0x10
• ARCHIVE = 0x20
• NORMAL = 0x80

File data blocks

Version 4361

Incomplete sectors are padded with 0x00 bytes.

Random blocks

Version 3926 - 4721

Seeded and then starting to emit bytes in data area. Filled with the following algorithm:

// State
uint32_t a;
uint32_t b;
uint32_t c;

// Helper
static uint32_t Value(void) {
  uint64_t result;
  result = c;
  result += 1;
  result *= b;
  result %= 0xFFFFFFFB;
  c = result & 0xFFFFFFFF;
  return c ^ a;
}

// buffer must be at even address, length must be multiple of 2
void Fill(uint16_t* buffer, size_t length) {
  while(length >= 2) {
    *buffer++ = Value() >> 8;
    length -= 2;
  }
}

void Seed() {
  const uint32_t b_seeds[8] = {
    0x52F690D5,
    0x534D7DDE,
    0x5B71A70F,
    0x66793320,
    0x9B7E5ED5,
    0xA465265E,
    0xA53F1D11,
    0xB154430F
  };

  FILETIME ft;
  GetSystemTimeAsFileTime(&ft);
  uint32_t seed = ft.dwLowDateTime ^ ft.dwHighDateTime;
  a = 0;
  b = b_seeds[seed & 7];
  c = seed;
  a = Value();
}

The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1.

Version 4831 - 5849

The algorithm was switched to RC4-256-drop-2048.

#include <openssl/rc4.h>

RC4_KEY rc4key;

void Fill(uint8_t* buffer, size_t length) {
  // We need a zero buffer as OpenSSL will want to XOR the keystream with data.
  // The XDVDFS random data is the keystream without changes, so we let XOR OpenSSL XOR with 0x00 bytes.
  uint8_t zero_buffer[length];
  memset(zero_buffer, 0x00, length);
  RC4(&rc4key, length, zero_buffer, buffer);
}

void Seed() {
  union {
    uint8_t raw[16];
    struct {
      struct _FILETIME SystemTimeAsFileTime; // first 8 bytes, little-endian
      uint64_t tsc; // later 8 bytes, little-endian
    };
  } key;

  // Initialize seed
  key.tsc = rdtsc();
  GetSystemTimeAsFileTime(&key.SystemTimeAsFileTime);
  RC4_set_key(&rc4key, 16, &key);

  // Drop the first 2048 bytes of the RC4 keystream
  uint8_t discard_buffer[2048];
  Fill(discard_buffer, 2048);
}

The RNG is seeded when the mastering tool / wizard is started. The first portion of the code to use this random number generator is the code which generates layer 0 and layer 1.

Security blocks

Version 4361

Treated like random block.

Tools

• XBISO
• extract-xiso