Difference between revisions of "Xbox Game Disc"

From xboxdevwiki
Jump to: navigation, search
(Security Sectors (SS.bin))
(Security Sectors (SS.bin))
Line 25: Line 25:
 
! Offset !! Type !! Field !! Notes
 
! Offset !! Type !! Field !! Notes
 
|-
 
|-
|0 || u8 || Level ||
+
|0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored
 
|-
 
|-
 
|1 || u8 || Challenge id ||
 
|1 || u8 || Challenge id ||
Line 31: Line 31:
 
|2 || u32 || Challenge value ||
 
|2 || u32 || Challenge value ||
 
|-
 
|-
|6 || u8 || Response modifier ||
+
|6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?!
 
|-
 
|-
 
|7 || u32 || Response value ||
 
|7 || u32 || Response value ||
Line 73: Line 73:
 
|720 || u32 || Unknown ||
 
|720 || u32 || Unknown ||
 
|-
 
|-
|768 || u8 || Version of challenge table ||
+
|768 || u8 || Version of challenge table || Always 1
 
|-
 
|-
|769 || u8 || Number of challenge entries ||
+
|769 || u8 || Number of challenge entries || Always 23
 
|-
 
|-
|770 || Challenge entry[] || Challenge entries ||
+
|770 || Challenge entry[] || Encrypted challenge entries ||
 
|-
 
|-
 
|1055 || u64 || || Some large number timestamp?
 
|1055 || u64 || || Some large number timestamp?
Line 83: Line 83:
 
|1083 || u8[16] || || Unknown
 
|1083 || u8[16] || || Unknown
 
|-
 
|-
|1183 || Unknown1 || || Unknown
+
|1183 || Unknown1 || || Unknown, 44 bytes SHA-1 hash are generated here to be used as RC4 key to decrypt challenge entries
 
|-
 
|-
 
|1503 || Unknown1 || || Unknown
 
|1503 || Unknown1 || || Unknown
Line 89: Line 89:
 
! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes)
 
! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes)
 
|-
 
|-
|1632 || u8 || Number of security sector ranges ||
+
|1632 || u8 || Number of security sector ranges || Always 23
 
|-
 
|-
|1633 || Security sector range[23] || Security sector ranges || Only 16 of which are used.
+
|1633 || Security sector range[] || Security sector ranges || Only 16 of which are used.
 
|-
 
|-
|1840 || Security sector range[23] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)''
+
|1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)''
 
|}
 
|}
  
 
All other fields are assumed to be zero!
 
All other fields are assumed to be zero!
 +
 +
===== Decryption of challenge entries =====
 +
 +
Starting at offset 1183, a 44 byte SHA-1 hash is generated.
 +
The resulting hash - the first part of it, to be exact - is fed as the key into RC4 decryption. The output of SHA-1 contains 160 bits of information. 160 / 8 = 20 bytes of information. To express this as a printable hex digest requires 40 characters. The SHA-1 hash is converted to a hex digest and then the first 7 of the characters are fed into the RC4 initialization function as the key. Then, the RC4 decrypter does its work on the 253 Bytes of the challenge entries (Offset 770).
 +
 +
There'll only be a handful of valid entries in the challenge entries.
 +
However there'll be at least 2.
  
 
=== Dumping ===
 
=== Dumping ===

Revision as of 13:01, 24 May 2017

Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD).

Dumps

Files

Disc Manufacturing Information (DMI.bin)

2048 Bytes

READ DVD STRUCTURE with format 0x04

Physical Format Information (PFI.bin)

2048 Bytes Read from the Lead-In.

READ DVD STRUCTURE with format 0x00

Security Sectors (SS.bin)

Challenge entry (11 Bytes):

Offset Type Field Notes
0 u8 Valid Always 1 if the challenge is valid, else the challenge is ignored
1 u8 Challenge id
2 u32 Challenge value
6 u8 Response modifier multimedia.cx says this might be a Response id. However, it's always 0 anyway?!
7 u32 Response value

Security sector range (9 Bytes)

Offset Type Field Notes
3 u24 Start PSN
6 u24 End PSN

Unknown1 (320 Bytes)

Offset Type Field Notes
0 u64 Yet another timestamp?! (Similar to 1183 in complete format)
8 u32 Unknown
27 u8 Unknown
28 u8[16] Unknown
44 u8[20] Unknown
64 u8[256] Unknown

Complete format (2048 Bytes):

Offset Type Field Notes
0 PFI Physical Format Information PFI for the actual data, unknown size
720 u32 Unknown
768 u8 Version of challenge table Always 1
769 u8 Number of challenge entries Always 23
770 Challenge entry[] Encrypted challenge entries
1055 u64 Some large number timestamp?
1083 u8[16] Unknown
1183 Unknown1 Unknown, 44 bytes SHA-1 hash are generated here to be used as RC4 key to decrypt challenge entries
1503 Unknown1 Unknown
End of data readable by a stock Xbox drive (1632 Bytes)
1632 u8 Number of security sector ranges Always 23
1633 Security sector range[] Security sector ranges Only 16 of which are used.
1840 Security sector range[] Security sector ranges Only 16 of which are used.
(Copy from Offset 1633)

All other fields are assumed to be zero!

Decryption of challenge entries

Starting at offset 1183, a 44 byte SHA-1 hash is generated. The resulting hash - the first part of it, to be exact - is fed as the key into RC4 decryption. The output of SHA-1 contains 160 bits of information. 160 / 8 = 20 bytes of information. To express this as a printable hex digest requires 40 characters. The SHA-1 hash is converted to a hex digest and then the first 7 of the characters are fed into the RC4 initialization function as the key. Then, the RC4 decrypter does its work on the 253 Bytes of the challenge entries (Offset 770).

There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2.

Dumping

To dump Xbox Game Discs you need one of the following drives / firmwares:

Drive Standard Original Firmware download Name of modified Firmware for dumping
[citation needed] 0800
Toshiba SD-M2012C IDE Kreon[citation needed]
Samsung SH-D162C IDE SB00 Kreon 0.60 (July 30th 2006)
SB00 Kreon 0.80 (September 9th 2006)
SB01 Kreon 1.00 (October 9th 2007)
Samsung SH-D162D IDE SB00
SB01
SB02[citation needed]
SB03
SB04
SB00 Kreon 1.00 (November 18th 2007)
Toshiba TS-H352C IDE Kreon[citation needed]
Toshiba TS-H352D IDE Kreon[citation needed]
Samsung SH-D163A SATA SB01 Kreon 1.00 (October 9th 2007)
Samsung SH-D163B SATA Kreon 1.00 (November 18th 2007)
Toshiba TS-H353A SATA [citation needed]
Toshiba TS-H353B SATA [citation needed]

Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated.

Flashing software:

  • TSDNMAC for MacOS
  • SFDNWIN for Microsoft Windows 2000 and XP
  • TSDNWIN for Microsoft Windows Vista and 7
  • Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS

For current dumping instructions see the Dumping Guide by the Redump Project.

Xbox related commands

Enable Unlock 1 (xtreme) state

Supported by: Kreon 1.00

FF 08 01 01

Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead.

Set Lock State

Supported by: Kreon 1.00

FF 08 01 11 xx
  • xx=00 - Drive locked (no unlock state)
  • xx=01 - Unlock State 1 (xtreme) enabled
  • xx=02 - Unlock state 2 (wxripper) enabled

SS extract command

Supported by: Kreon 1.00

AD 00 FF 02 FD FF FE 00 08 00 xx C0

This is the well known from the xtreme firmware.

Get Feature List

Supported by: Kreon 1.00

FF 08 01 10

This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (0x0000). The two first words of the returned list always reads as 0xA55A 0X5AA5 in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list.

An example feature list could be: 0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000

This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below:

XBOX 360 related features:

  • 0x0100 : The drive supports the unlock 1 state (xtreme)
  • 0x0101 : The drive supports the unlock 2 state (wxripper)
  • 0x0120 : The drive can read and decrypt the SS
  • 0x0121 : The drive has full challenge response functionality

XBOX related features:

  • 0x0200 : The drive supports the unlock 1 state (xtreme)
  • 0x0201 : The drive supports the unlock 2 state (wxripper)
  • 0x0220 : The drive can read and decrypt the SS
  • 0x0221 : The drive has full challenge response functionality

General drive features:

  • 0xF000 : The drive supports the lock (cancel any unlock state) command
  • 0xF001 : The drive supports error skipping

This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list.

References and links