Difference between revisions of "Xbox Game Disc"
(→Security Sectors (SS.bin)) |
(→Security Sectors (SS.bin)) |
||
Line 25: | Line 25: | ||
! Offset !! Type !! Field !! Notes | ! Offset !! Type !! Field !! Notes | ||
|- | |- | ||
− | |0 || u8 || | + | |0 || u8 || Valid || Always 1 if the challenge is valid, else the challenge is ignored |
|- | |- | ||
|1 || u8 || Challenge id || | |1 || u8 || Challenge id || | ||
Line 31: | Line 31: | ||
|2 || u32 || Challenge value || | |2 || u32 || Challenge value || | ||
|- | |- | ||
− | |6 || u8 || Response modifier || | + | |6 || u8 || Response modifier || multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |
|- | |- | ||
|7 || u32 || Response value || | |7 || u32 || Response value || | ||
Line 73: | Line 73: | ||
|720 || u32 || Unknown || | |720 || u32 || Unknown || | ||
|- | |- | ||
− | |768 || u8 || Version of challenge table || | + | |768 || u8 || Version of challenge table || Always 1 |
|- | |- | ||
− | |769 || u8 || Number of challenge entries || | + | |769 || u8 || Number of challenge entries || Always 23 |
|- | |- | ||
− | |770 || Challenge entry[] || | + | |770 || Challenge entry[] || Encrypted challenge entries || |
|- | |- | ||
|1055 || u64 || || Some large number timestamp? | |1055 || u64 || || Some large number timestamp? | ||
Line 83: | Line 83: | ||
|1083 || u8[16] || || Unknown | |1083 || u8[16] || || Unknown | ||
|- | |- | ||
− | |1183 || Unknown1 || || Unknown | + | |1183 || Unknown1 || || Unknown, 44 bytes SHA-1 hash are generated here to be used as RC4 key to decrypt challenge entries |
|- | |- | ||
|1503 || Unknown1 || || Unknown | |1503 || Unknown1 || || Unknown | ||
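Review bot: the new note on the 1183 row ("44 bytes SHA-1 hash are generated here") is ambiguous, because a SHA-1 digest is 20 bytes, not 44. If the intent is that SHA-1 is computed over the 44 bytes starting at this offset, the note should say that, and the row should no longer lead with "Unknown" for a region whose role as the RC4 key source is being documented.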
Line 89: | Line 89: | ||
! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) | ! colspan="4" | End of data readable by a stock Xbox drive (1632 Bytes) | ||
|- | |- | ||
− | |1632 || u8 || Number of security sector ranges || | + | |1632 || u8 || Number of security sector ranges || Always 23 |
|- | |- | ||
− | |1633 || Security sector range[ | + | |1633 || Security sector range[] || Security sector ranges || Only 16 of which are used. |
|- | |- | ||
− | |1840 || Security sector range[ | + | |1840 || Security sector range[] || Security sector ranges || Only 16 of which are used. <br> ''(Copy from Offset 1633)'' |
|} | |} | ||
All other fields are assumed to be zero! | All other fields are assumed to be zero! | ||
+ | |||
+ | ===== Decryption of challenge entries ===== | ||
+ | |||
+ | Starting at offset 1183, a 44 byte SHA-1 hash is generated. | ||
+ | The resulting hash - the first part of it, to be exact - is fed as the key into RC4 decryption. The output of SHA-1 contains 160 bits of information. 160 / 8 = 20 bytes of information. To express this as a printable hex digest requires 40 characters. The SHA-1 hash is converted to a hex digest and then the first 7 of the characters are fed into the RC4 initialization function as the key. Then, the RC4 decrypter does its work on the 253 Bytes of the challenge entries (Offset 770). | ||
+ | |||
+ | There'll only be a handful of valid entries in the challenge entries. | ||
+ | However there'll be at least 2. | ||
=== Dumping === | === Dumping === |
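Review bot: the key derivation in the added "Decryption of challenge entries" paragraph is underspecified. "The first 7 of the characters" of the hex digest should state whether the RC4 key is those 7 ASCII characters or the raw digest bytes they encode, and the opening sentence should name the input the SHA-1 is computed over. A short example of the intended key for a known input would settle both points.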
Revision as of 13:01, 24 May 2017
Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD).
Dumps
Files
Disc Manufacturing Information (DMI.bin)
2048 Bytes
READ DVD STRUCTURE with format 0x04
Physical Format Information (PFI.bin)
2048 Bytes. Read from the Lead-In.
READ DVD STRUCTURE with format 0x00
Security Sectors (SS.bin)
Challenge entry (11 Bytes):
Offset | Type | Field | Notes |
---|---|---|---|
0 | u8 | Valid | Always 1 if the challenge is valid, else the challenge is ignored |
1 | u8 | Challenge id | |
2 | u32 | Challenge value | |
6 | u8 | Response modifier | multimedia.cx says this might be a Response id. However, it's always 0 anyway?! |
7 | u32 | Response value |
Security sector range (9 Bytes)
Offset | Type | Field | Notes |
---|---|---|---|
3 | u24 | Start PSN | |
6 | u24 | End PSN |
Unknown1 (320 Bytes)
Offset | Type | Field | Notes |
---|---|---|---|
0 | u64 | Yet another timestamp?! (Similar to 1183 in complete format) | |
8 | u32 | Unknown | |
27 | u8 | Unknown | |
28 | u8[16] | Unknown | |
44 | u8[20] | Unknown | |
64 | u8[256] | Unknown |
Complete format (2048 Bytes):
Offset | Type | Field | Notes |
---|---|---|---|
0 | PFI | Physical Format Information | PFI for the actual data, unknown size |
720 | u32 | Unknown | |
768 | u8 | Version of challenge table | Always 1 |
769 | u8 | Number of challenge entries | Always 23 |
770 | Challenge entry[] | Encrypted challenge entries | |
1055 | u64 | | Some large number timestamp? |
1083 | u8[16] | | Unknown |
1183 | Unknown1 | | Unknown, 44 bytes SHA-1 hash are generated here to be used as RC4 key to decrypt challenge entries |
1503 | Unknown1 | | Unknown |
End of data readable by a stock Xbox drive (1632 Bytes) | | | |
1632 | u8 | Number of security sector ranges | Always 23 |
1633 | Security sector range[] | Security sector ranges | Only 16 of which are used. |
1840 | Security sector range[] | Security sector ranges | Only 16 of which are used. (Copy from Offset 1633) |
All other fields are assumed to be zero!
Decryption of challenge entries
Starting at offset 1183, a 44 byte SHA-1 hash is generated. The resulting hash (the first part of it, to be exact) is fed as the key into RC4 decryption. The output of SHA-1 contains 160 bits of information, that is 160 / 8 = 20 bytes. Expressing this as a printable hex digest requires 40 characters. The SHA-1 hash is converted to a hex digest and the first 7 of its characters are fed into the RC4 initialization function as the key. The RC4 decrypter then works on the 253 bytes of the challenge entries (offset 770).
Only a handful of the challenge entries will be valid. However, there will be at least 2.
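The table layout and decryption steps described above, as an added Python example that is not code from the original page or its authors. It assumes the wording means SHA-1 over the 44 bytes at offset 1183 with the first 7 hex-digest characters used as an ASCII RC4 key, and that u32 fields are little-endian; `build_sample` produces a constructed image, not a real dump.

```python
import hashlib
import struct

ENTRY = struct.Struct("<BBIBI")   # 11-byte challenge entry; little-endian is an assumption
TABLE_OFF, KEY_OFF, KEY_SRC_LEN = 770, 1183, 44

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key schedule + keystream XOR); the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def derive_key(ss: bytes) -> bytes:
    # Assumed reading of the page: SHA-1 over the 44 bytes at offset 1183,
    # then the first 7 characters of the hex digest, taken as ASCII.
    digest = hashlib.sha1(ss[KEY_OFF:KEY_OFF + KEY_SRC_LEN]).hexdigest()
    return digest[:7].encode("ascii")

def parse_challenges(ss: bytes) -> list[dict]:
    if len(ss) != 2048:
        raise ValueError("SS.bin must be 2048 bytes")
    version, count = ss[768], ss[769]
    if version != 1 or count != 23:          # the page lists both as constant
        raise ValueError(f"unexpected table header: version={version} count={count}")
    plain = rc4(derive_key(ss), ss[TABLE_OFF:TABLE_OFF + count * ENTRY.size])
    fields = ("valid", "challenge_id", "challenge", "modifier", "response")
    entries = [dict(zip(fields, e)) for e in ENTRY.iter_unpack(plain)]
    return [e for e in entries if e["valid"] == 1]   # other entries are ignored

def build_sample() -> bytes:
    """Constructed 2048-byte image with two valid entries (not a real dump)."""
    ss = bytearray(2048)
    ss[768], ss[769] = 1, 23
    ss[KEY_OFF:KEY_OFF + KEY_SRC_LEN] = bytes(range(KEY_SRC_LEN))
    table = bytearray(23 * ENTRY.size)       # 23 * 11 = 253 bytes
    ENTRY.pack_into(table, 0, 1, 0x10, 0x11223344, 0, 0xAABBCCDD)
    ENTRY.pack_into(table, 5 * ENTRY.size, 1, 0x20, 0x01020304, 0, 0x05060708)
    ss[TABLE_OFF:TABLE_OFF + len(table)] = rc4(derive_key(ss), bytes(table))
    return bytes(ss)
```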
Dumping
To dump Xbox Game Discs you need one of the following drives / firmwares:
Drive | Standard | Original Firmware download | Name of modified Firmware for dumping |
---|---|---|---|
[citation needed] | 0800 | ||
Toshiba SD-M2012C | IDE | Kreon[citation needed] | |
Samsung SH-D162C | IDE | SB00 Kreon 0.60 (July 30th 2006) SB00 Kreon 0.80 (September 9th 2006) SB01 Kreon 1.00 (October 9th 2007) | |
Samsung SH-D162D | IDE | SB00 SB01 SB02[citation needed] SB03 SB04 | SB00 Kreon 1.00 (November 18th 2007) |
Toshiba TS-H352C | IDE | Kreon[citation needed] | |
Toshiba TS-H352D | IDE | Kreon[citation needed] | |
Samsung SH-D163A | SATA | SB01 Kreon 1.00 (October 9th 2007) | |
Samsung SH-D163B | SATA | Kreon 1.00 (November 18th 2007) | |
Toshiba TS-H353A | SATA | [citation needed] | |
Toshiba TS-H353B | SATA | [citation needed] |
Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated.
Flashing software:
- TSDNMAC for MacOS
- SFDNWIN for Microsoft Windows 2000 and XP
- TSDNWIN for Microsoft Windows Vista and 7
- Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS
For current dumping instructions see the Dumping Guide by the Redump Project.
Enable Unlock 1 (xtreme) state
Supported by: Kreon 1.00
FF 08 01 01
'Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead.
Set Lock State
Supported by: Kreon 1.00
FF 08 01 11 xx
- xx=00: Drive locked (no unlock state)
- xx=01: Unlock State 1 (xtreme) enabled
- xx=02: Unlock state 2 (wxripper) enabled
SS extract command
Supported by: Kreon 1.00
AD 00 FF 02 FD FF FE 00 08 00 xx C0
This is the well-known command from the xtreme firmware.
Get Feature List
Supported by: Kreon 1.00
FF 08 01 10
This command will return a list of the additional features supported by the drive.
All values returned are 16 bit values, and the list is terminated with null (0x0000).
The first two words of the returned list always read as 0xA55A 0x5AA5 in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list.
An example feature list could be: 0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000
This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below:
XBOX 360 related features:
- 0x0100: The drive supports the unlock 1 state (xtreme)
- 0x0101: The drive supports the unlock 2 state (wxripper)
- 0x0120: The drive can read and decrypt the SS
- 0x0121: The drive has full challenge response functionality
XBOX related features:
- 0x0200: The drive supports the unlock 1 state (xtreme)
- 0x0201: The drive supports the unlock 2 state (wxripper)
- 0x0220: The drive can read and decrypt the SS
- 0x0221: The drive has full challenge response functionality
General drive features:
- 0xF000: The drive supports the lock (cancel any unlock state) command
- 0xF001: The drive supports error skipping
This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list.
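A parser for the Get Feature List reply described above, as an added Python example that is not part of the original page or the firmware author's code. It checks the two guard words and the null terminator before trusting the list; big-endian word order is an assumption, since the page does not state it, and `SAMPLE` is the page's example list packed under that assumption.

```python
import struct

MAGIC = (0xA55A, 0x5AA5)
FEATURES = {
    0x0100: "XBOX 360: unlock 1 state (xtreme)",
    0x0101: "XBOX 360: unlock 2 state (wxripper)",
    0x0120: "XBOX 360: can read and decrypt the SS",
    0x0121: "XBOX 360: full challenge response functionality",
    0x0200: "XBOX: unlock 1 state (xtreme)",
    0x0201: "XBOX: unlock 2 state (wxripper)",
    0x0220: "XBOX: can read and decrypt the SS",
    0x0221: "XBOX: full challenge response functionality",
    0xF000: "lock (cancel any unlock state) command",
    0xF001: "error skipping",
}

def parse_feature_list(reply: bytes, byteorder: str = ">") -> list[int]:
    """Return the feature codes in a Get Feature List reply.

    byteorder '>' (big-endian) is an assumption; pass '<' if the drive differs.
    """
    if len(reply) < 6 or len(reply) % 2:
        raise ValueError("reply too short or not a whole number of 16-bit words")
    words = struct.unpack(f"{byteorder}{len(reply) // 2}H", reply)
    if words[:2] != MAGIC:
        # A drive without this command may return unrelated data here.
        raise ValueError("guard words missing: not a feature list")
    codes = []
    for word in words[2:]:
        if word == 0x0000:          # null terminator ends the list
            return codes
        codes.append(word)
    raise ValueError("feature list is not null-terminated")

def describe(codes: list[int]) -> list[str]:
    """Map codes to the names defined on the page; keep undefined ones visible."""
    return [FEATURES.get(c, f"undefined feature 0x{c:04X}") for c in codes]

# The example list from the text, packed under the assumed byte order.
SAMPLE = struct.pack(">6H", 0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000)
```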