Difference between revisions of "Xbox Game Disc"

From xboxdevwiki
Jump to: navigation, search
(Add a table containing info on which adapters are known to work well with Kreon drives.)
Line 312: Line 312:
 
| [https://www.amazon.com/Sabrent-5-25-INCH-Converter-Activity-USB-DSC9/dp/B00DQJME7Y Sabrent USB-DSC9]
 
| [https://www.amazon.com/Sabrent-5-25-INCH-Converter-Activity-USB-DSC9/dp/B00DQJME7Y Sabrent USB-DSC9]
 
<code>1f75:0611 Innostor Technology Corporation</code>
 
<code>1f75:0611 Innostor Technology Corporation</code>
| SH-D162D (<code>H/W:A Ver.D JULY 2007</code>)
+
| SH-D162D/BEWE
| Ubuntu 18.04 host with VirtualBox WinXP VM. USB pass-thru of adapter. Drive flashed. Works with Xbox Backup Creator.
+
<code>H/W:A Ver.D JULY 2007</code>
 +
| Ubuntu 18.04 host with VirtualBox WinXP VM. USB pass-thru of adapter. No extra drivers required. Drive flashed. Works with Xbox Backup Creator.
 
|}
 
|}
  

Revision as of 03:23, 11 January 2019

Xbox games are shipped on DVDs. They are commonly referred to as Xbox Game Discs (XGD).

Visible information on ring

The DVD inner ring usually contains:

(The examples are from a German FIFA Soccer 2003 disc)

An outer portion with labels:

  • Outer ring Layer 1
    • Code 39 Barcode of the the Mastering Code (*EA02302E L1*)
    • Text for Mastering code ("EA02302E L1 02 0MM", where "02" is a smaller font and slightly higher than the previous baseline, followed by "0MM" on the original baseline)
    • Mastering SID Code ("IFPI L126")
  • Inner ring for Layer 0
    • Code 39 Barcode of the the Mastering Code (*EA02302E L0*)
    • Text for Mastering code ("EA02302E L0 06", where "06" is a smaller font and slightly higher than the previous baseline)
    • Mastering SID Code ("IFPI L126")

An inner porition with Xbox logo:

  • 3 times "XBOX" text with "X Logo" in the background on each side
  • 1 time "XBOX" text with blank background
  • 3 times "XBOX" text with "X Logo" in the background on each side
  • Another tiny pattern segmented into 7 portions in alternating position,(opposite of the "XBOX" text without logo)
    • 4 times a Xbox logo
    • 2 times the word "genuine"
    • and in the middle the word ASPnnnn where n is a number[citation needed]

ASP code

Detail of the DVD hologram, reflecting the ASP5080 by the flash of the camera. found on a demodisk (IM00113E-IM)

The following table lists known ASPnnnn numbers found on Xbox dvd disks, they are also on 360 disks but we dont list those in this wiki. The games listed are examples, its known for sure more disks can have these numbers and further research can be done, to determine the meaning. It is rumoured it might be a version string of some sorts slowly raising in xbox years old. [citation needed]

ASP number found on game serial
ASP0180 Xbox Hardware Refresh Disc XB01101W
ASP0380 Tom Clancy's Splinter Cell Exclusive Playable Demo US01251E
ASP0980 Tom Clancy's Rainbow Six 3 DEMO DISC US03152E-US
ASP5080 The official xbox 50 best games (Demo disk) IM00113E-IM
ASP5180 Rayman 3 hoodlum havoc
ASP5280 Xbox Music Mixer MS09005A-MS

Dumps

Files

Example timestamps

Timestamps for Petit Copter:

126779196239020000ULL, // XDVDFS timestamp
126956823480700000ULL, // SS timestamp
126957328439576418ULL, // SS unk3 timestamp
126957649743869476ULL, // DMI Timestamp
126961143392830592ULL, // SS unk4 timestamp

Disc Manufacturing Information (DMI.bin)

READ DVD STRUCTURE with format 0x04

DMI (2048 Bytes):

Offset Type Field Notes
0 u32? Unknown Always 1?
4 u32? Unknown Always zero?
8 ascii_char[8] Mastering Code Example: EA02302E
Also see Xbe#Title_ID
16 u64 Some timestamp?
24 u32? Unknown Always 2?

Physical Format Information (PFI.bin)

READ DVD STRUCTURE with format 0x00

Read from the Lead-In.

PFI (2048 Bytes):

Offset Type Field Notes
0 u8 booktype << 4 | part_version 4 bit each
1 u8 disc_size << 4 | maximum_rate 4 bit each
2 u8 number_of_layers << 5 | track_path << 4 | layer_type 1 bit padding, 2 bit, 1 bit, 4 bit
3 u8 linear_density << 4 | track_density 4 bit each
4 u8 Always zero
5 u24 Starting Physical Sector Number of Data Area
8 u8 Always zero
9 u24 End Physical Sector Number of Data Area
12 u8 Always zero
13 u24 End Sector Number in Layer 0 Always 0x2033AF for original Xbox discs

From [1] (page 4)

Security Sectors (SS.bin)

Challenge entry (11 Bytes):

Offset Type Field Notes
0 u8 Valid Always 1 if the challenge is valid, else the challenge is ignored
1 u8 Challenge id
2 u32 Challenge value
6 u8 Response modifier multimedia.cx says this might be a Response id. However, it's always 0 anyway?!
7 u32 Response value

Security sector range (9 Bytes)

Offset Type Field Notes
3 u24 Start PSN
6 u24 End PSN

Unknown1 (44 Bytes)

Offset Type Field Notes
0 u64 Yet another timestamp?! (Similar to 1183 in complete format)
8 u32 Unknown
27 u8 Unknown
28 u8[16] Unknown

Complete format (2048 Bytes):

Offset Type Field Notes
0 PFI Physical Format Information PFI for the actual data, unknown size
720 u32 Unknown
768 u8 Version of challenge table Always 1
769 u8 Number of challenge entries Always 23
770 Challenge entry[] Encrypted challenge entries
1055 u64 Some large number timestamp?
1083 u8[16] Unknown
1183 Unknown1 Unknown, this structure is SHA-1 hashed, to generate a RC4 key to decrypt challenge entries
1227 u8[20] SHA-1 hash A Hash until here (of the complete format)
1247 u8[256] Signature A For hash in previous field
1503 Unknown1 Unknown
1547 u8[20] SHA-1 hash B Hash until here (of the complete format)
1567 u8[64] Signature B For hash in previous field (note that this is somewhat shorter than the other signature?!)
End of data readable by a stock Xbox drive (1632 Bytes)
1632 u8 Number of security sector ranges Always 23
1633 Security sector range[] Security sector ranges Only 16 of which are used.
1840 Security sector range[] Security sector ranges Only 16 of which are used.
(Copy from Offset 1633)

All other fields are assumed to be zero!

Decryption of challenge entries

Starting at offset 1183, a 44 byte SHA-1 hash is generated. The first 7 byte of the resulting hash are used as the key in RC4 decryption. The 253 Bytes of the challenge entries (Offset 770) will be decrypted.

There'll only be a handful of valid entries in the challenge entries. However there'll be at least 2.

Dumping

To dump Xbox Game Discs you need one of the following drives / firmwares:

Drive Standard Original Firmware download Name of modified Firmware for dumping
[FIXME]
Toshiba SD-M2012C IDE
Samsung SH-D162C IDE
  • SB00 Kreon 0.60 (July 30th 2006)
  • SB00 Kreon 0.80 (September 9th 2006)
  • SB01 Kreon 1.00 (October 9th 2007)
Toshiba TS-H352C IDE
Samsung SH-D162D IDE SB00
SB01
SB02[citation needed]unknown if safe or legit
SB03
SB04
  • SB00 Kreon 1.00 (November 18th 2007)
Toshiba TS-H352D IDE
Samsung SH-D163A SATA SB01
  • Kreon 0.80 (October 17th 2006)
  • SB01 Kreon 1.00 (October 9th 2007)
Toshiba TS-H353A SATA
Samsung SH-D163B SATA
  • Kreon 1.00 (November 18th 2007)
Toshiba TS-H353B SATA

Please note that the modified firmwares are based on copyrighted material and can therefore not be legally shared here. Patch files to patch original firmwares into dumping-firmwares would be appreciated.

Flashing software:

  • TSDNMAC for MacOS
  • SFDNWIN for Microsoft Windows 2000 and XP
  • TSDNWIN for Microsoft Windows Vista and 7
  • Dell SFDNDOS and the newer TSDNDOS for Microsoft DOS

For current dumping instructions see the Dumping Guide by the Redump Project.

USB Adapters

There are many USB-IDE/SATA adapters on the market. The following have been known to work well with the Kreon-compatible drives.

Adapter Model / USB VID:DID Drive Model Notes
Sabrent USB-DSC9

1f75:0611 Innostor Technology Corporation

SH-D162D/BEWE

H/W:A Ver.D JULY 2007

Ubuntu 18.04 host with VirtualBox WinXP VM. USB pass-thru of adapter. No extra drivers required. Drive flashed. Works with Xbox Backup Creator.

Xbox related commands

Enable Unlock 1 (xtreme) state

Supported by: Kreon 1.00

FF 08 01 01

Enable Unlock 1 (xtreme) state' as we already know it from the 360 xtreme modded drives. This command is supported for legacy reasons only. Custom applications should use the new 'Set Lock State' instead.

Set Lock State

Supported by: Kreon 1.00

FF 08 01 11 xx
  • xx=00 - Drive locked (no unlock state)
  • xx=01 - Unlock State 1 (xtreme) enabled
  • xx=02 - Unlock state 2 (wxripper) enabled

SS extract command

Supported by: Kreon 1.00

AD 00 FF 02 FD FF FE 00 08 00 xx C0

This is the well known from the xtreme firmware.

Get Feature List

Supported by: Kreon 1.00

FF 08 01 10

This command will return a list of the additional features supported by the drive. All values returned are 16 bit values, and the list is terminated with null (0x0000). The two first words of the returned list always reads as 0xA55A 0X5AA5 in order to guarantee that a reply from a drive not supporting this command correctly isn't mistaken for a feature list.

An example feature list could be: 0xA55A, 0x5AA5, 0x0100, 0xF000, 0xF001, 0x0000

This list would indicate that the drive supports XBOX360 Unlock 1, Lock and Error Skip, as it can be seen from the values defined below:

XBOX 360 related features:

  • 0x0100 : The drive supports the unlock 1 state (xtreme)
  • 0x0101 : The drive supports the unlock 2 state (wxripper)
  • 0x0120 : The drive can read and decrypt the SS
  • 0x0121 : The drive has full challenge response functionality

XBOX related features:

  • 0x0200 : The drive supports the unlock 1 state (xtreme)
  • 0x0201 : The drive supports the unlock 2 state (wxripper)
  • 0x0220 : The drive can read and decrypt the SS
  • 0x0221 : The drive has full challenge response functionality

General drive features:

  • 0xF000 : The drive supports the lock (cancel any unlock state) command
  • 0xF001 : The drive supports error skipping

This is the complete list of defined features at the moment. If you're working on a custom application you might want to contact me in order to get the latest list.

References and links