Reflashing a semi-bricked Hitachi/LG XBox 360 dvd drive

This app will flash single sectors in the Hitachi/LG firmware using debug flash erase/program routines that exist in the 3120L firmware. Unlike SeventhSon’s flasher or the usual flashers, it utilizes code that isn’t located in one of the sectors that are changed when applying a hacked firmware. So if something went wrong during flashing, there might be a wee chance that the debug code still works and can be used to fix your drive.

All of this is based on Kev’s/SeventhSon’s work. I simply put together two of his programs to create a flasher that uses the Hitachi debug commands to flash sectors in the drive’s flash. All credit goes to SeventhSon. I even copied this text from his site. :) Unfortunately, his site vanished, so there are none of his notes left.

Use at your own risk, this may break your 360, 360 DVD drive and/or PC if done improperly (or if I happen to have made any mistakes).

Note: This does not work in recovery mode. This tool only helps if your checksum was patched (reports ok), but flashing does not work due to overwritten upload/execute handlers. If you don’t know what I’m talking about, leave it be.

Warning: This app is an interim solution intended only for hackers who know what they are doing. It is very easy to kill your drive with this program. If you fail to update the firmware checksum before you power down the drive, you will break your drive. If you overwrite any of the upload and execution command handlers with broken code, you will break your drive. If you overwrite your flash entry point code, you will break your drive. If you overwrite the sector containing your AES key without backing up your key first, you will break your drive and will not be able to repair it. If you do not understand everything that I just said, then this app isn’t for you.

Download

Flashing sectors in the Hitachi/LG drive’s firmware from a PC

In the following examples encrypted_fw.bin is a full firmware dump. It must be encrypted. Encrypt it after you make your changes and before you run the flasher. There are tools somewhere on the internet that allow you to de/encrypt firmware images. So, encrypted_fw.bin would be created like so (in Windows):

C:\> memdump_win e 12200 8 8000 firmware.bin

(then modify your target sector within firmware.bin)

C:\> FirmCrypt e firmware.bin encrypted_fw.bin

(then flash the modified sector as per the examples below)

You will almost certainly break your drive if you do not encrypt the firmware image before flashing.

The next argument is the address of the target sector in the MN103’s address space in hexadecimal. Just add 0x90000000 to the sector’s offset into the firmware dump to get this value. The final argument is the sector size. The 3120L erase/program routines support a few devices; some appear to have 8KB sectors (0x2000 bytes), others 4KB sectors (0x1000 bytes). My drive has a SST39SF020A flash device (with 4KB sectors). I’m not sure if any Hitachi-LG drives exist with a different chip, but my app supports them just in case. Make sure you specify the sector size in hexadecimal.

Please. Don’t use this app if you don’t understand all of the above.

Linux example:

$ ./debug_flashsec /dev/sdb ./encrypted_fw.bin 9003F000 1000

Windows example:

C:\> debug_flashsec_win e encrypted_fw.bin 9003F000 1000

Note that the drive does not restart after each sector flash, nor does it need to be restarted. So you can change multiple sectors in one sitting. For example, a typical session might look like this (in Windows):

C:\> debug_flashsec_win e encrypted_fw.bin 90006000 1000
C:\> debug_flashsec_win e encrypted_fw.bin 90010000 1000
C:\> debug_flashsec_win e encrypted_fw.bin 90027000 1000
C:\> debug_flashsec_win e encrypted_fw.bin 9003E000 1000

This example shows 3 sector changes followed by a final sector change to update the firmware with a new correct checksum value. This final checksum update flash must always be performed unless you actually want the checksum to fail the next time your drive powers up (which will leave you stranded in recovery mode, not a great place to be).
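
As a pre-flight check for the two hexadecimal arguments described above, the following added example (not part of the original flasher or of SeventhSon's code) compares two equally sized images in the same form, for instance the encrypted original and the encrypted modified image, and lists the address and sector size pairs for every sector that differs. The function names and the 0x40000-byte sample images are constructed for illustration.

```python
# Added example: helper names and sample images are constructed, not from the flasher.
BASE = 0x90000000                 # flash base in the MN103 address space (per the text)
SECTOR_SIZES = (0x1000, 0x2000)   # 4KB and 8KB sectors (per the text)


def check_args(addr_hex, size_hex, image_len):
    """Validate the flasher's two hex arguments; return the offset into the image."""
    addr, size = int(addr_hex, 16), int(size_hex, 16)
    if size not in SECTOR_SIZES:
        raise ValueError("sector size must be 1000 or 2000 (hex)")
    offset = addr - BASE
    if offset < 0 or offset + size > image_len:
        raise ValueError("address %s is outside the image" % addr_hex)
    if offset % size:
        raise ValueError("address %s is not sector-aligned" % addr_hex)
    return offset


def changed_sectors(original, modified, sector_size):
    """List (address, size) hex argument pairs for each sector that differs."""
    if sector_size not in SECTOR_SIZES:
        raise ValueError("sector size must be 0x1000 or 0x2000")
    if len(original) != len(modified) or len(original) % sector_size:
        raise ValueError("images must be equal in size and a whole number of sectors")
    args = []
    for off in range(0, len(original), sector_size):
        if original[off:off + sector_size] != modified[off:off + sector_size]:
            pair = ("%08X" % (BASE + off), "%X" % sector_size)
            check_args(pair[0], pair[1], len(modified))  # sanity-check our own output
            args.append(pair)
    return args


def demo():
    """Constructed sample: a blank 0x40000-byte image with four sectors touched."""
    original = bytes(0x40000)
    modified = bytearray(original)
    for off in (0x6000, 0x10005, 0x27FFF, 0x3E000):
        modified[off] ^= 0xFF
    return changed_sectors(original, bytes(modified), 0x1000)


if __name__ == "__main__":
    for addr, size in demo():
        print(addr, size)
```

The pairs come out in ascending address order; the helper does not know which sector holds the checksum, so making the checksum update the final flash remains a manual step.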
