Flashing a hitachi 79 from TEXTBOOK

[sadalius]

[NeoRio]

Wow...truly great. Thanks!

[lilrevuk]

What is that .wav file??

[sadalius]

I'm not exactly sure what its a wav of, or what exactly it does, but it works. When I first downloaded it, I tried to extract the bin file, but I couldn't find anything that would extract it. I couldn't even mount it to a virtual drive. I had to burn it to a disk. Then I could get the wave file from it.

[MsK]

What is that .wav file??

This has been discussed on multiple forums & I believe that podger is mostly active on xbox-scene.com

but as per the thread on xboxhacker >> http://www.xboxhacker.net/index.php?PHP ... ic=10102.0" onclick="window.open(this.href);return false;

http://www.xboxhacker.net/index.php?PHP ... 1#msg65251" onclick="window.open(this.href);return false;

Have not a v79 with original fw to test, but this sounds to work and it's very tricky:)
Just a question:
the "jump to ram" CDB jumps to 8000000, so, does the hitachi uses that ram location also for CDTEXT audio cds?
Cause you expect to have the firt sectors of the disc just there.

BTW, great job!

http://www.xboxhacker.net/index.php?PHP ... 2#msg65252" onclick="window.open(this.href);return false;

@Geremia not difficult at all... Flooded the entire track with 0xCB or NOP's.... then dotted the code

BSET 0x10, (0x5BD) // FE 80 BD 05 10
MOV 4, D0 // 80 04
MOV D0, (0x6F1) // 02 F1 06
RETS // F0 FC

around the place a good bit...

Doesn't matter where it lands the execute runs thought the NOP's til it hits the code....
BTW the
MOV 4, D0 // 80 04
MOV D0, (0x6F1) // 02 F1 06
BTW this makes the 79 release the SATA bus and return properly, before I had this I needed to force a timeout in the C code as PLSCSI would never come back..... It's at the end of the E7 handler for all the subcommands that were takenout...

I'm no expert but what I can make from this is he used an audio sample & injected some relative code...
it makes no difference what sound it gives - only thing that matters is the code it is able to parse

[NeoRio]

I had to burn it to a disk. Then I could get the wave file from it.

Right...there is no WAV file in the RAR archive...I guess you can't see the WAV file till you burn it to CD.

[MsK]

It's actually quite interesting how this hack seems to of come about - via the sharing of knowledge & a proposel for possibilities ~ at the time of publishing were speculated on but not completly known/proved.

http://www.xboxhacker.net/index.php?PHP ... 4#msg65244" onclick="window.open(this.href);return false;

Following Schtrom's idea, i patched an aspi.sys for dos (found somewhere i don't remember) and a dos plscsi to handle with 360 drives, basically they sends the custom INQUIRY 12 00 00 00 24 C0 instead of standard 12 00 00 00 24 00.
Don't know if it's usefull, maybe for exploring CDBs or just to switch Hitachis into modeb (i've not an hitachi to test, but should work).
As usual, use at your own risk
http://rapidshare.de/files/40045622/360 ... s.rar.html" onclick="window.open(this.href);return false;

[MsK]

I had to burn it to a disk. Then I could get the wave file from it.

Right...there is no WAV file in the RAR archive...I guess you can't see the WAV file till you burn it to CD.

It's there.. it's contained in the "image" .. use the .cue file to burn it to cd
You could open it with an image reader like MagicISO or Daemon Tools or something simular but there's no point...

just burn it // it needs to be run from the cdr .. no need to mess with it

[sadalius]

I was trying to extract from the image file. Not the rar file. I tried magic iso, daemon tools, isobuster and a few other image tools that I have and not one of them would mount it. I had to burn it before I could access it.

[MsK]

I was trying to extract from the image file. Not the rar file. I tried magic iso, daemon tools, isobuster and a few other image tools that I have and not one of them would mount it. I had to burn it before I could access it.

I don't want to harp on about this because it really does not matter at all..
But let me try to explain why it did not appear to open in daemon tools...

The image consists of 3 files...

• Image.cue // <<-- the index file : that points to all the components & sets the burning criteria
  Image.cdt // <<-- the cdtext file which contains cdtext info
  Image.bin // <<-- the binary file that contains the actual wav data

To burn the data correctly you must run the cue (index) file...
it has the criteria to burn the image under the correct conditions (very simular to a .dvd file)

Now.. lets examine the contents of the cue file by simply opening in notepad...

• CDTEXTFILE "Image.cdt"
  CATALOG 22481000000;0
  FILE "Image.bin" BINARY
  TRACK 01 AUDIO
  TITLE "Success"
  PERFORMER "Success"
  FLAGS DCP
  INDEX 01 00:00:00

The reason I suspect the image would not work under daemon tools is because it holds criteria that daemon tools does not digest/understand // "CDTEXT"

I'm 100% certain if you opened the cue file & removed the CDTEXT info & re-saved it > it should then be capable of mounting the image & then allow you to play the audio...

Change the cue file to :

• FILE "Image.bin" BINARY
  TRACK 01 AUDIO
  TITLE "Success"
  PERFORMER "Success"
  FLAGS DCP
  INDEX 01 00:00:00

& it will work

but as I have tried to explain already.. the exploit is not completly about the audio // it's about the whole image which also contains CDTEXT // this is a key component of the exploit.

Please don't get me wrong - I'm not trying to teach anybody to suck eggs here...
I'm just trying to explain what i'm tryiing to explain .. it needs to burnt to CD from the CUE file to work - If you strip to just the wav it will not work.

If you want to satisfy curiosity & check out the wav without burning to cdr then you can by following my instructions above

[sadalius]

I know what your saying MsK. The whole reason behind me wanting the wav file was so I could have the wav and the cd-text file to play with for another experiment. I already have the wav file as I explained, after I burnt the CD so it was of no consequence to try and extract it from the bin file any longer. I was merely clarifying that I did not try to extract the wave file from the rar file as was suggested, but rather from the actual image.bin file instead.