SATA cable hack for the XBox 360

This guide describes an easy way to make your XBox360 DVD drive accessible from the outside, so that you can reflash it whenever you want without going through the pain of disassembling your XBox each time. Ah, and you’ll lose your warranty.

I guess others did this before, but I haven’t found anything on the web, so I figured I’d describe how to do it.

You need:

  • tools/knowledge to open your XBox360 – I assume that you can do that, if not, search on the web
  • 1x SATA cable 90° angle, ~20cm
  • 1x SATA extension cable, ~20cm
  • tools to cut metal (e.g., a Dremel)
  • 1 zip-tie

Step

Disconnect the existing SATA cable from the DVD and the mainboard. Remove the DVD drive. It might be hard to find a longer cable with the proper angled connector, so here’s a closeup of it. It took me 3 tries to get the right one, so here are the DeLOCK model numbers:

Step

Search for a good position to cut a hole into the casing and mark it. Protect the rest of your XBox with paper that you tape into position. In the end, only the soon-to-be-hole should be visible; all the rest should be under a thick layer of paper.

Step

Take your Dremel and cut a hole into the XBox as marked, taking care not to damage any of the components. Make the hole big enough that the two SATA cables can fit through.

Or, in my case: take your el-cheapo Dremel, start it up, notice the smell, realize the thing is going into meltdown, curse, burn yourself, unplug the thing, wait for the smoke to clear, open it up, yep, it actually melted, order a new one, be too impatient to wait, take out the drill and pipe wrench, and go ahead and mistreat your XBox.

Step

Carefully remove all the metal dust with a vacuum cleaner; remove the paper. End up with a nice and clean hole. Or, in my case, the worst executed casemod ever.

Step

Connect the angled SATA connector to the mainboard (just under the DVD drive, see first picture). Then, fiddle the cable through the hole. Fiddle the SATA extension cable through the hole as well, with the extension connector on the outside (d’oh). Plug the SATA connector into the DVD drive and put the drive back into your XBox. Connect the two SATA cables on the outside. It should now look like the image above.

Step

Attach the SATA cables to the case using a zip-tie. This prevents you from pulling the cable off the DVD drive when messing with the connectors on the outside. Use a strong wirecutter to cut a hole in the outer plastic casing. Reassemble your XBox.

You’re done! If you want to flash your drive, just connect a normal SATA cable from the extension plug to your PC (remember to have your XBox switched on and the video connector plugged in!)

Reflashing a semi-bricked Hitachi/LG XBox 360 dvd drive

This app will flash single sectors in the Hitachi/LG firmware using debug flash erase/program routines that exist in the 3120L firmware. The difference from SeventhSon’s or the usual flashers is that it uses code that isn’t located in one of the sectors that are changed when applying a hacked firmware. So if something went wrong during flashing, there might be a wee chance that the debug code works and can still be used to fix your drive.

All of this is based on Kev’s/SeventhSon’s work. I simply put together two of his programs to create a flasher that uses the Hitachi debug commands to flash sectors in the drive’s flash. All credit goes to SeventhSon. I even copied this text from his site. :) Unfortunately, his site vanished, so there are none of his notes left.

Use at your own risk, this may break your 360, 360 DVD drive and/or PC if done improperly (or if I happen to have made any mistakes).

Note: This does not work in recovery mode. This tool only helps if your checksum was patched (reports ok), but flashing does not work due to overwritten upload/execute handlers. If you don’t know what I’m talking about, leave it be.

Warning: This app is an interim solution intended only for hackers who know what they are doing. It is very easy to kill your drive with this program. If you fail to update the firmware checksum before you power down the drive, you will break your drive. If you overwrite any of the upload and execution command handlers with broken code, you will break your drive. If you overwrite your flash entry point code, you will break your drive. If you overwrite the sector containing your AES key without backing up your key first, you will break your drive and will not be able to repair it. If you do not understand everything that I just said, then this app isn’t for you.

Download

Flashing sectors in the Hitachi/LG drive’s firmware from a PC

In the following examples, encrypted_fw.bin is a full firmware dump. It must be encrypted. Encrypt it after you make your changes and before you run the flasher. There are tools somewhere on the internet that allow you to de/encrypt firmware images. So, encrypted_fw.bin would be created like so (in Windows):

C:\> memdump_win e 12200 8 8000 firmware.bin

(then modify your target sector within firmware.bin)

C:\> FirmCrypt e firmware.bin encrypted_fw.bin

(then flash the modified sector as per the examples below)

You will almost certainly break your drive if you do not encrypt the firmware image before flashing.

The next argument is the address of the target sector in the MN103’s address space, in hexadecimal. Just add 0x90000000 to the sector’s offset into the firmware dump to get this value. The final argument is the sector size. The 3120L erase/program routines support a few devices; some appear to have 8KB sectors (0x2000 bytes), others 4KB sectors (0x1000 bytes). My drive has an SST39SF020A flash device (with 4KB sectors). I’m not sure if any Hitachi-LG drives exist with a different chip, but my app supports them just in case. Make sure you specify the sector size in hexadecimal.

Please. Don’t use this app if you don’t understand all of the above.

Linux example:

$ ./debug_flashsec /dev/sdb ./encrypted_fw.bin 9003F000 1000

Windows example:

C:\> debug_flashsec_win e encrypted_fw.bin 9003F000 1000

Note that the drive does not restart after each sector flash, nor does it need to be restarted. So you can change multiple sectors in one sitting. For example, a typical session might look like this (in Windows):

C:\> debug_flashsec_win e encrypted_fw.bin 90006000 1000
C:\> debug_flashsec_win e encrypted_fw.bin 90010000 1000
C:\> debug_flashsec_win e encrypted_fw.bin 90027000 1000
C:\> debug_flashsec_win e encrypted_fw.bin 9003E000 1000

This example shows 3 sector changes followed by a final sector change to update the firmware with a new correct checksum value. This final checksum update flash must always be performed unless you actually want the checksum to fail the next time your drive powers up (which will leave you stranded in recovery mode, not a great place to be).
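
The address arithmetic and the checksum-last rule described above can be checked before anything is written to the drive. The following is an added example, not part of the original tool or of SeventhSon's code: it compares the unmodified and modified firmware.bin dumps, lists the changed sectors as MN103 addresses, and refuses to produce a session that leaves the checksum sector untouched. The function names, the Windows drive letter "e", and the use of 9003E000 as the checksum sector (taken from the example session above) are assumptions.

```python
FLASH_BASE = 0x90000000          # MN103 address of firmware offset 0 (from the page)
SECTOR_SIZES = (0x1000, 0x2000)  # 4KB and 8KB sectors, the two sizes the page names


def changed_sectors(original, modified, sector_size):
    """Return the MN103 address of every sector that differs between two dumps."""
    if sector_size not in SECTOR_SIZES:
        raise ValueError("sector size must be 0x1000 or 0x2000")
    if len(original) != len(modified) or len(original) % sector_size:
        raise ValueError("dumps must be equal length and sector aligned")
    return [FLASH_BASE + off
            for off in range(0, len(original), sector_size)
            if original[off:off + sector_size] != modified[off:off + sector_size]]


def flash_plan(original, modified, sector_size, checksum_addr,
               tool="debug_flashsec_win e", image="encrypted_fw.bin"):
    """Build the command list, refusing plans that leave the checksum stale."""
    if (checksum_addr - FLASH_BASE) % sector_size:
        raise ValueError("checksum address is not sector aligned")
    sectors = changed_sectors(original, modified, sector_size)
    if sectors and checksum_addr not in sectors:
        raise ValueError("sectors changed but checksum sector was not updated")
    # The checksum sector goes last, as in the page's example session.
    ordered = [a for a in sectors if a != checksum_addr]
    if sectors:
        ordered.append(checksum_addr)
    return ["%s %s %08X %X" % (tool, image, a, sector_size) for a in ordered]


def _demo():
    # Constructed 256KB images (not real firmware): three patched sectors plus
    # the sector the page's example flashes last for the checksum (assumption).
    size = 0x40000
    old = bytes(size)
    new = bytearray(old)
    for off in (0x6000, 0x10000, 0x27000, 0x3E000):
        new[off + 4] = 0xFF
    return flash_plan(old, bytes(new), 0x1000, 0x9003E000)


if __name__ == "__main__":
    print("\n".join(_demo()))
```

The dumps compared here are the plaintext ones; the image named in the generated commands is still the encrypted file, as the page requires.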