Monday, October 11, 2010

Replacing the DVD drive in an XBox360

Microsoft realised after the original XBox that folks would find ways around the games' DRM, so for the 360 they made it as hard as possible to use anything other than the stock optical drive that came with the machine. The motherboard and DVD drive in every machine each hold half of an AES key pair, so if you install another drive it'll play video DVDs but not games. They hoped this would stop people fitting non-stock drives that could (for example) read home-burned disks. However, the hacking scene around XBox is extensive, and in pretty short order there were hacker tools to read the drive's key and then flash it into a replacement drive.
Microsoft got wise to this pretty quickly and the summer 2008 update to XBox requires not only the key halves to work together but the drive ID strings to match. So - if you had a machine with an Hitachi drive and replaced it with a BenQ drive (for example), even if you extracted the key from the Hitachi and re-flashed the BenQ the XBox's OS would now query the drive ID and stop it working if that came back wrong.
Hackers are clever people and since v4.5 of Firmware Toolbox it's been possible to include the old drive's ID in the firmware for the new drive. This is what they refer to as 'spoofing'. It turns out that the drive ID is just that - a string that has no bearing on the drive's operation. So - your BenQ drive can now report it's an Hitachi 79 with this key and the XBox is happy.
Well, it's spy vs spy and the rumor is that the next update to XBox will include routines to test the ballistics and responses of the DVD drive to ensure it's the model it claims it is...!
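A toy model of the two checks described above, added here as an illustration and not taken from the console, the drives or Firmware Toolbox. The HMAC challenge-response, the class names and the model strings are all assumptions; the point is that a key check and a self-reported ID check both read values held in firmware.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass


@dataclass
class Drive:
    key: bytes         # pairing secret held in the drive's firmware
    reported_id: str   # string the firmware returns when the host asks
    actual_model: str  # the real hardware; the host cannot observe this

    def respond(self, nonce: bytes) -> bytes:
        # Proves possession of the key without sending the key itself.
        return hmac.new(self.key, nonce, hashlib.sha256).digest()


@dataclass
class Host:
    key: bytes
    expected_id: str

    def key_check(self, drive: Drive) -> bool:
        nonce = os.urandom(16)  # fresh challenge, so a recorded reply is useless
        expected = hmac.new(self.key, nonce, hashlib.sha256).digest()
        return hmac.compare_digest(expected, drive.respond(nonce))

    def id_check(self, drive: Drive) -> bool:
        # Compares against whatever the firmware chooses to report.
        return drive.reported_id == self.expected_id

    def accepts(self, drive: Drive) -> bool:
        return self.key_check(drive) and self.id_check(drive)


def demo() -> dict:
    key = os.urandom(16)  # constructed sample key
    host = Host(key, "MODEL-A")  # constructed model strings
    drives = {
        "stock": Drive(key, "MODEL-A", "MODEL-A"),
        "no_key": Drive(os.urandom(16), "MODEL-A", "MODEL-B"),
        "key_only": Drive(key, "MODEL-B", "MODEL-B"),
        "key_and_id": Drive(key, "MODEL-A", "MODEL-B"),
    }
    return {name: host.accepts(d) for name, d in drives.items()}
```

The last case is accepted although the hardware differs from what the host expects: neither check is bound to the physical device, which is why a vendor would turn to measuring how the drive actually behaves.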

So - if you have an XBox with a DVD drive that is on the way out (and it's almost always the laser) then you have three options, which may or may not work:
  1. Open the machine, remove the DVD drive, open it and clean the lens with some IPA or some such. Seems to work for lots of people.
  2. Buy an identical model DVD drive on eBay (there are plenty of all four kinds for sale sub £20 from broken machines or around £30 for brand new ones). Then swap the controller cards between the drives. This means you have the old electronics but new mechanics/optics.
  3. Extract your old drive and using the right tools read-out the key and drive IDs, save them and then write them into a replacement drive (which can be another brand and model). This is potentially the most risky as anyone who has flashed firmware into any device will tell you. Browsing the forums reveals many folks complaining about having bricked their newly acquired drives. Also - if the XBox detects what you've done you'll be kicked off XBox-Live (both your machine and your account).
Anyway, if you're any kind of engineer and have any experience opening up equipment the first two are trivial. If you choose the third way (Mr Blair!) then it's worth giving some guidelines.
Whichever way you proceed you'll need to open the thing up. It's mostly held together with fragile plastic clips, so here are the best tear-down instructions I have found.
Also remember - the XBox DVD drives have a standard SATA connector but a proprietary power connector. For all these tests I left the drive in the XBox (which powered the drive) and I used a long SATA cable to go to the eSATA port on the back of the PC. Now then - the XBox has a class-two (double-insulated) design and so the internal metalwork is floating at some undefined DC voltage. I suggest an earthing lead from the XBox's internal chassis to the PC's metalwork.


Extracting that precious key from the broken DVD drive
  1. Connect the "Original/Broken DVD drive" to your PC via SATA or USB-SATA adaptor.
  2. Place the DVD drive into MODE B with SLAX - SLAX is a live Linux CD that allows you to issue SATA commands directly. A good tutorial is here
  3. Please Note: Once you have the drive in MODE B you will notice it will take 3 presses on the eject button to close the drive.
  4. With the Original/Broken drive now in MODE B, restart your PC and make sure that the new drive has been identified by Windows. Once the new hardware has been found and installed it will be shown in the My Computer/Explorer area on your PC as an additional DVD drive.
  5. Insert a DVD Movie or an XBOX 360 game into the "Original/Broken DVD drive". Even if the laser is nearly dead it may read a DVD movie just fine so try it.
  6. Open Firmware Toolbox (at least v. 4.5.1.6) and choose 'Tools -> Direct Drive Dump (GDR ONLY)'.
  7. On the next screen choose 'RAW DUMP' and save the file as "original.bin", e.g. c:/xbox360/hitachi0047/606HG324277-may2006/original.bin. If you have problems with 'RAW DUMP' try 'CLASSIC DUMP'.
  8. Place the backup firmware in a directory named after the serial number on the DVD drive's sticker, so that you can identify it easily in future.

Replacement Xbox 360 DVD Drive
  1. Connect the replacement DVD drive to your PC via SATA connection.
  2. Place the DVD drive into MODE B with SLAX
  3. Please Note: Once you have the drive in MODE B you will notice it will take 3 presses on the eject button to close the drive.
  4. With the replacement drive now in MODE B, restart your PC and make sure that the new drive has been identified by Windows. Once the new hardware has been found and installed it will be shown in the My Computer/Explorer area on your PC as an additional DVD drive.
  5. Insert a DVD Movie or an XBOX 360 game into the Replacement DVD drive.
  6. Open Firmware Toolbox and choose 'Tools -> Direct Drive Dump (GDR ONLY)'.
  7. On the next screen choose 'RAW DUMP' and save the file as "original.bin", e.g. c:/xbox360/hitachi0046/606HG324240-may2006/original.bin. If you have problems with 'RAW DUMP' try 'CLASSIC DUMP'.
  8. Place the backup firmware in a directory named after the serial number on the DVD drive's sticker, so that you can identify it easily in future.
  9. When the firmware is backed up it will ask you if you want to open it. Choose "Yes". Now select "Tools->Spoof Firmware" from the Firmware Toolbox 4.5 menus.
  10. Choose the version that you would like the firmware to report back as. Leave all other options as they are.
  11. Please note: spoofing a drive as itself has the effect of UNSPOOFING it.
  12. Now Click "APPLY SPOOF"
  13. Choose "Tools->Smart Hack Patcher", a window warning will appear, choose OK.
  14. Choose the output file name. I suggest calling it "final.bin" and saving it in the same location as the original, e.g. c:/xbox360/hitachi0046/606HG324240-may2006/final.bin. The ruleset option should be automatically selected for you, so leave it alone.
  15. Push the "Generate File" button. If everything goes fine the file will be generated almost instantly.
  16. Once the file has been generated it will ask you if you want to open it. Choose "Yes". The Main Window will show the generated file (final.bin). You will notice that the spoofed information is shown in bold.

Original/Broken Firmware Key
  1. Open the old original/broken DVD drive firmware which you backed up in step 1. Choose the Browse for file button "..." to load the original/broken DVD firmware.
  2. With the old broken DVD firmware now loaded you will notice the "Key Information @" area in the center of the 360 Firmware Toolbox application.
  3. Highlight the entire key and copy it by right clicking your mouse and selecting copy or press Ctrl + C so you can paste it into our new replacement drive.
  4. Open the replacement DVD drive firmware named "final.bin" which you created in step 2. Choose the Browse for file button "..." to load the firmware.
  5. Paste the Key into the "Key Information
  6. Click on "Replace Key" and it will update the firmware with the new key you have just pasted.

Check Firmware Differences

Before flashing the drive I suggest re-opening the old firmware from step 1. Then open the final.bin firmware you just created in step 3 and make sure keys and other information match just to be safe. If you're happy that your keys etc match then move onto flashing the drive.
  1. Choose "Tools->Direct Drive Flash->Differential Flash Patch". Make sure the DVD drive you want to flash is selected
  2. Click the "Read Drive and Detect Differences" button, after a few seconds the sectors list below the button should be populated.
  3. It will now ask you if you would like to keep the keys from the drive. Choose 'No'.
  4. Click the "Start Flashing" button and choose the flash mode. I suggest using the 0047 flasher for 47 drives, etc.
  5. After a few seconds the flashing is complete.
Put the DVD drive back into the XBox and test - you don't need to re-build the case and re-attach the hard drive.


Resources:
SLAX Linux live CD
Firmware Toolbox

3 comments:

matsaddress said...

Ahhhhh!! Never IPA on any laser diode or laser assembly unless you can be absolutely certain they are made of glass. You'll deform the plastic in far more cases than you'll ever "clean".

Use a very, very dilute soap solution (fairy liquid etc...) and remember not to use cotton buds with glue in them or you'll just end up adding a fine layer of glue to the top of the laser!!!!!

MW

Phil Crawley said...

Wise words from the Ward - I'd forgotten 'bout the damage isopropanol can do to cheap laser diode lenses.

hks1966 said...

I've repaired a few XBOXs. I did this exact repair last year when a tired spindle motor needed replaced. I replaced the whole assembly bar the pcbs. I've also repaired two RROD XBOXs using the crude but highly effective nuts and nylon washer mod available on eBay. Then re-ball the CPUs by overheating them! It works, never seen any back. I also recommend attaching an external fan assembly (eBay) to keep the whole lot cool as they tend to be kept in warm sitting rooms and in cabinets.