Difference between revisions of "Xbox Game Disc"
(Created page with "Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). == References and links == * [https://web.archive.org/web/20150616131202/http://dark....") |
(→Security Sectors (SS.bin)) |
||
(56 intermediate revisions by 7 users not shown) | |||
Line 1: | Line 1: | ||
Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). | Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD). | ||
+ | |||
+ | == Visible information on ring == | ||
+ | |||
+ | '''The DVD inner ring usually contains:''' | ||
+ | |||
+ | (The examples are from a German [[FIFA Soccer 2003]] disc) | ||
+ | |||
+ | An outer portion with labels: | ||
+ | * Outer ring Layer 1 | ||
+ | ** Code 39 Barcode of the the Mastering Code (*EA02302E L1*) | ||
+ | ** Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline) | ||
+ | ** Mastering SID Code ("IFPI L126") | ||
+ | * Inner ring for Layer 0 | ||
+ | ** Code 39 Barcode of the the Mastering Code (*EA02302E L0*) | ||
+ | ** Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline) | ||
+ | ** Mastering SID Code ("IFPI L126") | ||
+ | |||
+ | An inner porition with Xbox logo: | ||
+ | * 3 times "XBOX" text with "X Logo" in the background on each side | ||
+ | * 1 time "XBOX" text with blank background | ||
+ | * 3 times "XBOX" text with "X Logo" in the background on each side | ||
+ | * Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo) | ||
+ | ** 4 times a Xbox logo | ||
+ | ** 2 times the word "genuine" | ||
+ | ** and in the middle the word ASPnnnn where n is a number{{citation needed}} | ||
+ | |||
+ | ''' ASP code ''' | ||
+ | [[File:Asp demodisk.jpg|thumb|right|Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)]] | ||
+ | The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. | ||
+ | The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. | ||
+ | It is rumoured it might be a version string of some sorts slowly raising in xbox years old. {{citation needed}} | ||
+ | {| class="wikitable" | ||
+ | |- | ||
+ | ! ASP number | ||
+ | ! found on | ||
+ | ! game serial | ||
+ | |- | ||
+ | | ASP0180 | ||
+ | | Xbox Hardware Refresh Disc | ||
+ | | XB01101W | ||
+ | |- | ||
+ | | ASP0380 | ||
+ | | Tom Clancy's Splinter Cell Exclusive Playable Demo | ||
+ | | US01251E | ||
+ | |- | ||
+ | | ASP0980 | ||
+ | | Tom Clancy's Rainbow Six 3 DEMO DISC | ||
+ | | US03152E-US | ||
+ | |- | ||
+ | | ASP5080 | ||
+ | | The official xbox 50 best games (Demo disk) | ||
+ | | IM00113E-IM | ||
+ | |- | ||
+ | | ASP5180 | ||
+ | | Rayman 3 hoodlum havoc | ||
+ | | | ||
+ | |- | ||
+ | | ASP5280 | ||
+ | | Xbox Music Mixer | ||
+ | | MS09005A-MS | ||
+ | |} | ||
+ | |||
+ | == Dumps == | ||
+ | |||
+ | === Files === | ||
+ | |||
+ | ===== Example timestamps ===== | ||
+ | |||
+ | Timestamps for [[Petit Copter]]: | ||
+ | <pre> | ||
+ | 126779196239020000ULL, // XDVDFS timestamp | ||
+ | 126956823480700000ULL, // SS timestamp | ||
+ | 126957328439576418ULL, // SS unk3 timestamp | ||
+ | 126957649743869476ULL, // DMI Timestamp | ||
+ | 126961143392830592ULL, // SS unk4 timestamp | ||
+ | </pre> | ||
+ | |||
+ | ==== Disc Manufacturing Information (DMI.bin) ==== | ||
+ | |||
+ | READ DVD STRUCTURE with format 0x04 | ||
+ | |||
+ | DMI (2048 Bytes): | ||
+ | |||
+ | {| class="wikitable" | ||
+ | ! Offset !! Type !! Field !! Notes | ||
+ | |- | ||
+ | |0 || u32? || Unknown || Always 1? | ||
+ | |- | ||
+ | |4 || u32? || Unknown || Always zero? | ||
+ | |- | ||
+ | |8 || ascii_char[8] || Mastering Code || Example: EA02302E <br> Also see [[Xbe#Title_ID]] | ||
+ | |- | ||
+ | |16 || u64 || || Some timestamp? | ||
+ | |- | ||
+ | |24 || u32? || Unknown || Always 2? | ||
+ | |} | ||
+ | |||
+ | ==== Physical Format Information (PFI.bin) ==== | ||
+ | |||
+ | READ DVD STRUCTURE with format 0x00 | ||
+ | |||
+ | Read from the Lead-In. | ||
+ | |||
+ | PFI (2048 Bytes): | ||
+ | |||
+ | {| class="wikitable" | ||
+ | ! Offset !! Type !! Field !! Notes | ||
+ | |- | ||
+ | |0 || u8 || <code>booktype << 4 <nowiki>|</nowiki> part_version</code> || 4 bit each | ||
+ | |- | ||
+ | |1 || u8 || <code>disc_size << 4 <nowiki>|</nowiki> maximum_rate</code> || 4 bit each | ||
+ | |- | ||
+ | |2 || u8 || <code>number_of_layers << 5 <nowiki>|</nowiki> track_path << 4 <nowiki>|</nowiki> layer_type</code> || 1 bit padding, 2 bit, 1 bit, 4 bit | ||
+ | |- | ||
+ | |3 || u8 || <code>linear_density << 4 <nowiki>|</nowiki> track_density</code> || 4 bit each | ||
+ | |- | ||
+ | |4 || u8 || || Always zero | ||
+ | |- | ||
+ | |5 || u24 || Starting Physical Sector Number of Data Area || | ||
+ | |- | ||
+ | |8 || u8 || || Always zero | ||
+ | |- | ||
+ | |9 || u24 || End Physical Sector Number of Data Area || | ||
+ | |- | ||
+ | |12 || u8 || || Always zero | ||
+ | |- | ||
+ | |13 || u24 || End Sector Number in Layer 0 || Always 0x2033AF for original Xbox discs | ||
+ | |} | ||
+ | |||
+ | From [ftp://ftp.avc-pioneer.com/Mtfuji_5/Proposal/Jan01/RDVDSTRC.pdf] (page 4) | ||
+ | |||
+ | ==== Security Sectors (SS.bin) ==== | ||
+ | |||
+ | Challenge entry (11 Bytes): | ||
+ | |||
+ | {| class="wikitable" | ||
+ | ! Offset !! Type !! Field !! Notes | ||
+ | |- | ||
+ | |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored | ||
+ | |- | ||
+ | |1 || u8 || Challenge id || | ||
+ | |- | ||
+ | |2 || u32 || Challenge value || | ||
+ | |- | ||
+ | |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! | ||
+ | |- | ||
+ | |7 || u32 || Response value || | ||
+ | |} | ||
+ | |||
+ | Security sector range (9 Bytes) | ||
+ | |||
+ | {| class="wikitable" | ||
+ | ! Offset !! Type !! Field !! Notes | ||
+ | |- | ||
+ | |3 || u24 || Start PSN || | ||
+ | |- | ||
+ | |6 || u24 || End PSN || | ||
+ | |} | ||
+ | |||
+ | Unknown1 (44 Bytes) | ||
+ | |||
+ | {| class="wikitable" | ||
+ | ! Offset !! Type !! Field !! Notes | ||
+ | |- | ||
+ | |0 || u64 || || Yet another timestamp?! (Similar to 1183 in complete format) | ||
+ | |- | ||
+ | |8 || u32 || || Unknown (XBE Certificate timestamp for 1183, empty for 1503) | ||
+ | |- | ||
+ | |27 || u8 || || Unknown | ||
+ | |- | ||
+ | |28 || u8[16] || || Unknown | ||
+ | |} | ||
+ | |||
+ | Complete format (2048 Bytes): | ||
+ | |||
+ | {| class="wikitable" | ||
+ | ! Offset !! Type !! Field !! Notes | ||
+ | |- | ||
+ | |0 || PFI || Physical Format Information || PFI for the actual data, unknown size | ||
+ | |- | ||
+ | |720 || u32 || Unknown || | ||
+ | |- | ||
+ | |768 || u8 || Version of challenge table || Always 1 | ||
+ | |- | ||
+ | |769 || u8 || Number of challenge entries || Always 23 | ||
+ | |- | ||
+ | |770 || Challenge entry[] || Encrypted challenge entries || | ||
+ | |- | ||
+ | |1055 || u64 || || Some large number timestamp? | ||
+ | |- | ||
+ | |1083 || u8[16] || || Unknown | ||
+ | |- | ||
+ | |1183 || Unknown1 || || Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries | ||
+ | |- | ||
+ | |1227 || u8[20] || SHA-1 hash A || Hash until here (of the complete format) | ||
+ | |- | ||
+ | |1247 || u8[256] || Signature A || For hash in previous field | ||
+ | |- | ||
+ | |1503 || Unknown1 || || Unknown | ||
+ | |- | ||
+ | |1547 || u8[20] || SHA-1 hash B || Hash until here (of the complete format) | ||
+ | |- | ||
+ | |1567 || u8[64] || Signature B || For hash in previous field (note that this is somewhat shorter than the other signature?!) | ||
+ | |- | ||
+ | ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) | ||
+ | |- | ||
+ | |1632 || u8 || Number of security sector ranges || Always 23 | ||
+ | |- | ||
+ | |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. | ||
+ | |- | ||
+ | |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' | ||
+ | |} | ||
+ | |||
+ | All other fields are assumed to be zero! | ||
+ | |||
+ | ===== Decryption of challenge entries ===== | ||
+ | |||
+ | Starting at offset 1183, a 44 byte SHA-1 hash is generated. | ||
+ | The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted. | ||
+ | |||
+ | There'll only be a handful of valid entries in the challenge entries. | ||
+ | However there'll be at least 2. | ||
+ | |||
+ | === Dumping === | ||
+ | |||
+ | To dump Xbox Game Discs you need one of the following drives / firmwares: | ||
+ | |||
+ | {| class="wikitable" | ||
+ | !Drive | ||
+ | !Standard | ||
+ | !Original Firmware download | ||
+ | !Name of modified Firmware for dumping | ||
+ | |- | ||
+ | |{{FIXME|reason=Which drives?}} | ||
+ | | | ||
+ | | | ||
+ | | | ||
+ | * 0800{{citation needed}} | ||
+ | |- | ||
+ | |Toshiba SD-M2012C | ||
+ | |IDE | ||
+ | | | ||
+ | | | ||
+ | * Kreon{{citation needed}} | ||
+ | |- | ||
+ | |Samsung SH-D162C | ||
+ | |IDE | ||
+ | |[https://web.archive.org/web/20091206023615/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200506021808200872_SH-D162C_TS02.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS02] <br> [https://web.archive.org/web/20090604123608/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200509161625477201_SH-D162C_TS03.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ TS03<sup>Korean</sup>] <br> [https://web.archive.org/web/20091105003814/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200509261128121531_SH-D162C_TS03.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS03] <br> [https://web.archive.org/web/20100217012245/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200512221448334972_SH-D162C_TS04.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ TS04<sup>Korean</sup>] <br> [https://web.archive.org/web/20110920084807/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701091709466301_SH-D162C_TS05.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ TS05] | ||
+ | |||
+ | |rowspan=2 | | ||
+ | * TS04 Kreon 0.5 (June 23rd 2006) | ||
+ | * TS04 Kreon 0.60 (July 30th 2006) | ||
+ | * TS04 Kreon 0.80 (September 9th 2006) | ||
+ | * TS04{{FIXME|reason=README claims SB00}} Kreon 0.81 (October 4th 2006) | ||
+ | * TS05{{FIXME|reason=README claims SB01}} Kreon 1.00 (October 9th 2007) | ||
+ | |- | ||
+ | |Toshiba TS-H352C | ||
+ | |IDE | ||
+ | |[https://web.archive.org/web/20110921065924/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200505121909111802_TS-H352C_SC00.bin&path=/UploadFiles/FW/FWDOWNLOAD/KOR/ SC00<sup>Korean</sup>] | ||
+ | |- | ||
+ | |Samsung SH-D162D | ||
+ | |IDE | ||
+ | |[https://web.archive.org/web/20090601193905/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200706281644411972_SH-D162D_SB00.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB00] <br> [https://web.archive.org/web/20090916202345/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200811051941150901_SH-D162D_SB01.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] <br> SB02{{citation needed}}[http://www.firmwarehq.com/download_995-file_SH-D162D_SB02.exe.html unknown if safe or legit] <br> [https://web.archive.org/web/20090402052613/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191825218171_SH-D162D_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20120123040117/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200909281412336931_SH-D162D_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] | ||
+ | |rowspan=2 | | ||
+ | * SB00 Kreon 1.00 (November 18th 2007) | ||
+ | |- | ||
+ | |Toshiba TS-H352D | ||
+ | |IDE | ||
+ | |CH01{{FIXME|reason=http://samsungodd.com/korLib/download.asp?no=200904281542399901_TS-H352D_CH01.exe&fname=200904281542399901_TS-H352D_CH01.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ dead}} <br> CM01{{FIXME|reason=https://web.archive.org/web/20100105225621/http://samsungodd.com/korLib/download.asp?no=200904281539184301_TS-H352D_CM01.exe&fname=200904281539184301_TS-H352D_CM01.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ dead}} <br> [https://web.archive.org/web/20100105234118/http://samsungodd.com/korLib/download.asp?no=200910081442017201_TS-H352D_CM02.exe&fname=200910081442017201_TS-H352D_CM02.exe&path=/chn/UploadFiles/FW/FWDOWNLOAD/ CM02] | ||
+ | |||
+ | |- | ||
+ | |Samsung SH-D163A | ||
+ | |SATA | ||
+ | |[http://web.archive.org/web/20090601191704/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200701031704489471_SH-D163A_SB01.bin&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB01] | ||
+ | |||
+ | |rowspan=2 | | ||
+ | * Kreon 0.80 (October 17th 2006) | ||
+ | * SB01 Kreon 1.00 (October 9th 2007) | ||
+ | |- | ||
+ | |Toshiba TS-H353A | ||
+ | |SATA | ||
+ | | | ||
+ | |- | ||
+ | |Samsung SH-D163B | ||
+ | |SATA | ||
+ | |[https://web.archive.org/web/20090402052540/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200903191824214901_SH-D163B_SB03.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB03] <br> [https://web.archive.org/web/20091204131429/http://www.samsungodd.com:80/korlib/download.asp?no=&fname=200910081448023301_SH-D163B_SB04.exe&path=/UploadFiles/FW/FWDOWNLOAD/ENG/ SB04] | ||
+ | |rowspan=2 | | ||
+ | * Kreon 1.00 (November 18th 2007) | ||
+ | |- | ||
+ | |Toshiba TS-H353B | ||
+ | |SATA | ||
+ | |CH01{{FIXME|reason=https://web.archive.org/web/*/http://samsungodd.com/chn/globalLib/Download.asp?path=Info_FWDownload&fname=200904281544595271_TS-H353B_CH01.exe dead}} | ||
+ | |} | ||
+ | |||
+ | Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. | ||
+ | Patch files to patch original firmwares into dumping-firmwares would be appreciated. | ||
+ | |||
+ | Flashing software: | ||
+ | |||
+ | * [https://web.archive.org/web/20160904080433/http://www.tsstodd.com:80/TotalLib/popup/Download.asp?path=program&lang=eng&fname=TSDNMAC.ZIP TSDNMAC] for MacOS | ||
+ | * [http://web.archive.org/web/20070301000000/http://www.samsungodd.com/KorLib/File/sfdnwin.exe SFDNWIN] for Microsoft Windows 2000 and XP | ||
+ | * [https://web.archive.org/web/20100105230358/http://samsungodd.com/KorLib/File/Tsdnwin.exe TSDNWIN] for Microsoft Windows Vista and 7 | ||
+ | * [https://web.archive.org/web/20060328075340/http://www.samsungodd.com/eng/information/Application/Files/sfdndos.exe SFDNDOS] [https://web.archive.org/web/20060328072528/http://www.samsungodd.com/eng/information/Application/Files/Sfdndosm.exe SFDNDOSM] and the newer TSDNDOS ([https://www.dell.com/support/home/de/de/debsdt1/drivers/driversdetails?driverid=r205571 included here]) for Microsoft DOS | ||
+ | |||
+ | For current dumping instructions see [http://forum.redump.org/topic/6073/xbox-1-360-dumping-instructions/ the Dumping Guide by the Redump Project]. | ||
+ | |||
+ | ==== USB Adapters ==== | ||
+ | |||
+ | There are many USB-IDE/SATA adapters on the market. The following have been known to work well with the Kreon-compatible drives. | ||
+ | |||
+ | {|class="wikitable" | ||
+ | ! Adapter Model / USB VID:DID | ||
+ | ! Drive Model | ||
+ | ! Notes | ||
+ | |- | ||
+ | | [https://www.amazon.com/Vantec-CB-ST00U3-NexStar-Optical-Storage/dp/B07452Z3KH Vantec CB-ST00U3 NexStar USB 3.0 to SATA 6Gbps Optical/Storage Adapter] | ||
+ | <code>152d:0578 JMicron Technology Corp. / JMicron USA Technology Corp</code> | ||
+ | | TS-H353B/DEWH | ||
+ | <code>H/W:A Ver.B APRIL 2007</code> | ||
+ | | Windows 11. No extra drivers required. Drive flashed. Works with MFP 2.3. | ||
+ | |- | ||
+ | | [https://www.amazon.de/gp/product/B016UBXH3O UGREEN USB 3.0 to SATA Adapter] | ||
+ | <code>174c:55aa ASMedia Technology Inc.</code> | ||
+ | | SH-D163B/BEBE | ||
+ | <code>H/W:A Ver.B SEPTEMBER 2008</code> | ||
+ | | Windows 10. No extra drivers required. Drive flashed. Works with DiscImageCreator. '''These adapters did NOT work with two separate TS-H353B drives on Windows (No media detected, extremely slow to respond).''' | ||
+ | |- | ||
+ | | [https://www.amazon.com/Sabrent-5-25-INCH-Converter-Activity-USB-DSC9/dp/B00DQJME7Y Sabrent USB-DSC9] | ||
+ | <code>1f75:0611 Innostor Technology Corporation</code> | ||
+ | | SH-D162D/BEWE | ||
+ | <code>H/W:A Ver.D JULY 2007</code> | ||
+ | | Ubuntu 18.04 host with VirtualBox WinXP VM. USB pass-thru of adapter. No extra drivers required. Drive flashed. Works with Xbox Backup Creator. | ||
+ | |} | ||
+ | |||
+ | === Xbox related commands === | ||
+ | |||
+ | ==== Enable Unlock 1 (xtreme) state ==== | ||
+ | |||
+ | Supported by: Kreon 1.00 | ||
+ | <pre>FF 08 01 01</pre> | ||
+ | |||
+ | Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. | ||
+ | This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead. | ||
+ | |||
+ | ==== Set Lock State ==== | ||
+ | |||
+ | Supported by: Kreon 1.00 | ||
+ | <pre>FF 08 01 11 xx</pre> | ||
+ | |||
+ | * <code>xx=00</code> - Drive locked (no unlock state) | ||
+ | * <code>xx=01</code> - Unlock State 1 (xtreme) enabled | ||
+ | * <code>xx=02</code> - Unlock state 2 (wxripper) enabled | ||
+ | |||
+ | ==== SS extract command ==== | ||
+ | |||
+ | Supported by: Kreon 1.00 | ||
+ | <pre>AD 00 FF 02 FD FF FE 00 08 00 xx C0</pre> | ||
+ | |||
+ | This is the well known from the xtreme firmware. | ||
+ | |||
+ | ==== Get Feature List ==== | ||
+ | |||
+ | Supported by: Kreon 1.00 | ||
+ | <pre>FF 08 01 10</pre> | ||
+ | |||
+ | This command will return a list of the additional features supported by the drive. | ||
+ | All values returned are 16 bit values, and the list is terminated with null (<code>0x0000</code>). | ||
+ | The two first words of the returned list always reads as <code>0xA55A 0X5AA5</code> in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list. | ||
+ | |||
+ | An example feature list could be: <code>0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000</code> | ||
+ | |||
+ | This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below: | ||
+ | |||
+ | XBOX 360 related features: | ||
+ | |||
+ | * <code>0x0100</code> : The drive supports the unlock 1 state (xtreme) | ||
+ | * <code>0x0101</code> : The drive supports the unlock 2 state (wxripper) | ||
+ | * <code>0x0120</code> : The drive can read and decrypt the SS | ||
+ | * <code>0x0121</code> : The drive has full challenge response functionality | ||
+ | |||
+ | XBOX related features: | ||
+ | |||
+ | * <code>0x0200</code> : The drive supports the unlock 1 state (xtreme) | ||
+ | * <code>0x0201</code> : The drive supports the unlock 2 state (wxripper) | ||
+ | * <code>0x0220</code> : The drive can read and decrypt the SS | ||
+ | * <code>0x0221</code> : The drive has full challenge response functionality | ||
+ | |||
+ | General drive features: | ||
+ | |||
+ | * <code>0xF000</code> : The drive supports the lock (cancel any unlock state) command | ||
+ | * <code>0xF001</code> : The drive supports error skipping | ||
+ | |||
+ | This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list. | ||
== References and links == | == References and links == | ||
* [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] | * [https://web.archive.org/web/20150616131202/http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf http://dark.ellende.eu/public/360DVDfirmwareRelatedInfo.pdf] | ||
+ | * [https://multimedia.cx/eggs/xbox-sphinx-protocol/ Overview of the challenge/response security protocol] | ||
+ | * [http://redump.org/discs/system/xbox/ Xbox Game Discs preserved by the Redump Project] | ||
+ | * [http://wiki.redump.org/index.php?title=Discs_not_yet_dumped#Microsoft_Xbox Missing Xbox Game Disc dumps at Redump Project] |
Latest revision as of 13:26, 4 July 2023
Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD).
Contents
Visible information on ring
The DVD inner ring usually contains:
(The examples are from a German FIFA Soccer 2003 disc)
An outer portion with labels:
- Outer ring Layer 1
- Code 39 Barcode of the the Mastering Code (*EA02302E L1*)
- Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline)
- Mastering SID Code ("IFPI L126")
- Inner ring for Layer 0
- Code 39 Barcode of the the Mastering Code (*EA02302E L0*)
- Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline)
- Mastering SID Code ("IFPI L126")
An inner porition with Xbox logo:
- 3 times "XBOX" text with "X Logo" in the background on each side
- 1 time "XBOX" text with blank background
- 3 times "XBOX" text with "X Logo" in the background on each side
- Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo)
- 4 times a Xbox logo
- 2 times the word "genuine"
- and in the middle the word ASPnnnn where n is a number[citation needed]
ASP code
The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. [citation needed]
ASP number | found on | game serial |
---|---|---|
ASP0180 | Xbox Hardware Refresh Disc | XB01101W |
ASP0380 | Tom Clancy's Splinter Cell Exclusive Playable Demo | US01251E |
ASP0980 | Tom Clancy's Rainbow Six 3 DEMO DISC | US03152E-US |
ASP5080 | The official xbox 50 best games (Demo disk) | IM00113E-IM |
ASP5180 | Rayman 3 hoodlum havoc | |
ASP5280 | Xbox Music Mixer | MS09005A-MS |
Dumps
Files
Example timestamps
Timestamps for Petit Copter:
126779196239020000ULL, // XDVDFS timestamp 126956823480700000ULL, // SS timestamp 126957328439576418ULL, // SS unk3 timestamp 126957649743869476ULL, // DMI Timestamp 126961143392830592ULL, // SS unk4 timestamp
Disc Manufacturing Information (DMI.bin)
READ DVD STRUCTURE with format 0x04
DMI (2048 Bytes):
Offset | Type | Field | Notes |
---|---|---|---|
0 | u32? | Unknown | Always 1? |
4 | u32? | Unknown | Always zero? |
8 | ascii_char[8] | Mastering Code | Example: EA02302E Also see Xbe#Title_ID |
16 | u64 | Some timestamp? | |
24 | u32? | Unknown | Always 2? |
Physical Format Information (PFI.bin)
READ DVD STRUCTURE with format 0x00
Read from the Lead-In.
PFI (2048 Bytes):
Offset | Type | Field | Notes |
---|---|---|---|
0 | u8 | booktype << 4 | part_version |
4 bit each |
1 | u8 | disc_size << 4 | maximum_rate |
4 bit each |
2 | u8 | number_of_layers << 5 | track_path << 4 | layer_type |
1 bit padding, 2 bit, 1 bit, 4 bit |
3 | u8 | linear_density << 4 | track_density |
4 bit each |
4 | u8 | Always zero | |
5 | u24 | Starting Physical Sector Number of Data Area | |
8 | u8 | Always zero | |
9 | u24 | End Physical Sector Number of Data Area | |
12 | u8 | Always zero | |
13 | u24 | End Sector Number in Layer 0 | Always 0x2033AF for original Xbox discs |
From [1] (page 4)
Security Sectors (SS.bin)
Challenge entry (11 Bytes):
Offset | Type | Field | Notes |
---|---|---|---|
0 | u8 | Valid | Always 1 if the challenge is valid, else the challenge is ignored |
1 | u8 | Challenge id | |
2 | u32 | Challenge value | |
6 | u8 | Response modifier | multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |
7 | u32 | Response value |
Security sector range (9 Bytes)
Offset | Type | Field | Notes |
---|---|---|---|
3 | u24 | Start PSN | |
6 | u24 | End PSN |
Unknown1 (44 Bytes)
Offset | Type | Field | Notes |
---|---|---|---|
0 | u64 | Yet another timestamp?! (Similar to 1183 in complete format) | |
8 | u32 | Unknown (XBE Certificate timestamp for 1183, empty for 1503) | |
27 | u8 | Unknown | |
28 | u8[16] | Unknown |
Complete format (2048 Bytes):
Offset | Type | Field | Notes |
---|---|---|---|
0 | PFI | Physical Format Information | PFI for the actual data, unknown size |
720 | u32 | Unknown | |
768 | u8 | Version of challenge table | Always 1 |
769 | u8 | Number of challenge entries | Always 23 |
770 | Challenge entry[] | Encrypted challenge entries | |
1055 | u64 | Some large number timestamp? | |
1083 | u8[16] | Unknown | |
1183 | Unknown1 | Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries | |
1227 | u8[20] | SHA-1 hash A | Hash until here (of the complete format) |
1247 | u8[256] | Signature A | For hash in previous field |
1503 | Unknown1 | Unknown | |
1547 | u8[20] | SHA-1 hash B | Hash until here (of the complete format) |
1567 | u8[64] | Signature B | For hash in previous field (note that this is somewhat shorter than the other signature?!) |
End of data readable by a stock Xbox drive (1632 Bytes) | |||
1632 | u8 | Number of security sector ranges | Always 23 |
1633 | Security sector range[] | Security sector ranges | Only 16 of which are used. |
1840 | Security sector range[] | Security sector ranges | Only 16 of which are used. (Copy from Offset 1633) |
All other fields are assumed to be zero!
Decryption of challenge entries
Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted.
There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2.
Dumping
To dump Xbox Game Discs you need one of the following drives / firmwares:
Drive | Standard | Original Firmware download | Name of modified Firmware for dumping |
---|---|---|---|
[FIXME] |
| ||
Toshiba SD-M2012C | IDE |
| |
Samsung SH-D162C | IDE | TS02 TS03Korean TS03 TS04Korean TS05 |
|
Toshiba TS-H352C | IDE | SC00Korean | |
Samsung SH-D162D | IDE | SB00 SB01 SB02[citation needed]unknown if safe or legit SB03 SB04 |
|
Toshiba TS-H352D | IDE | CH01[FIXME] CM01[FIXME] CM02 | |
Samsung SH-D163A | SATA | SB01 |
|
Toshiba TS-H353A | SATA | ||
Samsung SH-D163B | SATA | SB03 SB04 |
|
Toshiba TS-H353B | SATA | CH01[FIXME] |
Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated.
Flashing software:
- TSDNMAC for MacOS
- SFDNWIN for Microsoft Windows 2000 and XP
- TSDNWIN for Microsoft Windows Vista and 7
- SFDNDOS SFDNDOSM and the newer TSDNDOS (included here) for Microsoft DOS
For current dumping instructions see the Dumping Guide by the Redump Project.
USB Adapters
There are many USB-IDE/SATA adapters on the market. The following have been known to work well with the Kreon-compatible drives.
Adapter Model / USB VID:DID | Drive Model | Notes |
---|---|---|
Vantec CB-ST00U3 NexStar USB 3.0 to SATA 6Gbps Optical/Storage Adapter
|
TS-H353B/DEWH
|
Windows 11. No extra drivers required. Drive flashed. Works with MFP 2.3. |
UGREEN USB 3.0 to SATA Adapter
|
SH-D163B/BEBE
|
Windows 10. No extra drivers required. Drive flashed. Works with DiscImageCreator. These adapters did NOT work with two separate TS-H353B drives on Windows (No media detected, extremely slow to respond). |
Sabrent USB-DSC9
|
SH-D162D/BEWE
|
Ubuntu 18.04 host with VirtualBox WinXP VM. USB pass-thru of adapter. No extra drivers required. Drive flashed. Works with Xbox Backup Creator. |
Enable Unlock 1 (xtreme) state
Supported by: Kreon 1.00
FF 08 01 01
Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead.
Set Lock State
Supported by: Kreon 1.00
FF 08 01 11 xx
-
xx=00
- Drive locked (no unlock state) -
xx=01
- Unlock State 1 (xtreme) enabled -
xx=02
- Unlock state 2 (wxripper) enabled
SS extract command
Supported by: Kreon 1.00
AD 00 FF 02 FD FF FE 00 08 00 xx C0
This is the well known from the xtreme firmware.
Get Feature List
Supported by: Kreon 1.00
FF 08 01 10
This command will return a list of the additional features supported by the drive.
All values returned are 16 bit values, and the list is terminated with null (0x0000
).
The two first words of the returned list always reads as 0xA55A 0X5AA5
in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list.
An example feature list could be: 0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000
This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below:
XBOX 360 related features:
-
0x0100
: The drive supports the unlock 1 state (xtreme) -
0x0101
: The drive supports the unlock 2 state (wxripper) -
0x0120
: The drive can read and decrypt the SS -
0x0121
: The drive has full challenge response functionality
XBOX related features:
-
0x0200
: The drive supports the unlock 1 state (xtreme) -
0x0201
: The drive supports the unlock 2 state (wxripper) -
0x0220
: The drive can read and decrypt the SS -
0x0221
: The drive has full challenge response functionality
General drive features:
-
0xF000
: The drive supports the lock (cancel any unlock state) command -
0xF001
: The drive supports error skipping
This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list.