remy

Dosflash V2: Winbond/MXIC Unlock Function


Kai Schtrom has released a new version of DosFlash that can flash XBOX360 drives under DOS16, 32 or 64 and includes the unlock function (Geremia and Maximus's method) for XBOX Slim drives with a Winbond or MXIC chipset.

 

Changelog:

Quote:

DosFlash V2.0 Release Date 03.09.2011
---------------------------------------

- Key extraction task "LiteOn Key V3 (Tarablinda)" now supports the Slim firmware versions 9504, 0272, 0225, 0401, 1071 and also tries to discover the key on unknown firmware versions

- 2 new tasks added named "Lock SPI Flash" and "Unlock SPI Flash"

  The new unlock SPI flash task is used in combination with Geremia's MXIC and Winbond Unlock method. It is very much influenced by Geremia's unlockSPI program, which was the first bruter to unlock Winbond SPI flashes. To relock the flash after you have finished writing a patched firmware to it, use the lock SPI flash task. This will instantly make the SPI flash write protected for all blocks. BP0, BP1 and SRP status bits are activated afterward, so handle this function with care!

- Read Flash task now can create a full firmware dump of the Slim firmware versions 9504, 0272, 0225, 0401 and 1071

  To create full firmware dumps of 0225 drives and above you should get a compatible SATA2 controller and set it to IDE mode. In addition you should be able to do Geremia's MXIC or Winbond unlock method. The compatible SATA2 controller is needed to unlock the MTK. Any installed drivers should be uninstalled, because they will switch the controller back to AHCI mode. In combination with the SPI flash status register unlock you are able to write to the firmware and inject Geremia's 8051 trojan, which can then dump the complete firmware. A risk level is added to show you how risky it is for your individual flash chip and firmware combination to write the patched firmware to obtain a full dump.

- Possibility during "Read Flash" task to write firmware sector 3E of Slim drives with unknown firmware version

  This feature should be useful if new, unknown Slim firmware versions get out. If you write the patched 3E sector to a new and unknown firmware version this could potentially kill your drive. So handle it with care!

- Portio.sys reimplemented as separate driver for DosFlash32 and DosFlash64

  The driver files portio32.sys and portio64.sys are again separated from the executable file. This way the user has the possibility to sign the drivers on his x64 system with the Driver Signature Enforcement Overrider.

- SATA and IDE adapter list updated

 

 

Geremia's Tarablinda method on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash32/64

-----------------------------------------------------------------------------------------------------

- connect your Slim drive to a SATA2 controller set to IDE mode

- make sure the drivers for the SATA2 controller are uninstalled

- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet

- power up PC and boot into Windows

- turn on the LiteOn psu

- run DosFlash32/64

- the drive and flash chip should identify properly

- choose the task "LiteOn Key V3 (Tarablinda)"

- press "LiteOn Key V3" button

- choose a destination directory for the extracted files

- after this DosFlash32/64 displays your DVD-Key and saves your key and identify data

- then DosFlash32/64 displays the following message:

    There seems to be a LiteOn Slim drive connected as Master to port 0xA000.
    You should try SATA2 MTK unlock method.
    - Use a compatible SATA2 controller set to IDE mode
    - Repower the drive which is connected to the SATA 2 controller
    - Press "Yes" if you are ready
    Are you ready?

- do the above and press "Yes"

- this repower is used to get DosFlash32/64 back to a known MTK state

 

 

Geremia's Tarablinda method on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash16

--------------------------------------------------------------------------------------------------

- connect your Slim drive to a SATA2 controller set to IDE mode

- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet

- power up PC and boot into MS-DOS 6.22

- turn on the LiteOn psu

- run DosFlash16 in auto mode

- the drive and flash chip should identify properly

- choose your drive number

- as task choose "LITEON K"

- as extraction method choose "V3"

- choose a destination directory for the extracted files

- after this DosFlash16 displays your DVD-Key and saves your key and identify data

 

 

Unlock flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash32/64

--------------------------------------------------------------------------------------

- connect your Slim drive to a SATA2 controller set to IDE mode

- make sure the drivers for the SATA2 controller are uninstalled

- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet

- power up PC and boot into Windows

- turn on the LiteOn psu

- run DosFlash32/64

- the drive and flash chip should identify properly

- choose the task "Unlock SPI Flash"

- press "Unlock SPI Flash" button

- you will hear a test sound from the PC speaker and the following message is displayed:

    The sound that just played was a test. You will hear the same sound if unlocking is successful later on. If you have not heard a sound, you should skip the unlock and check your PC speaker.
    Unlocking the SPI flash requires you to use Geremia's MXIC or Winbond Unlock method. Proceed like follows:
    - Press "Yes" if you are ready
    - Start Geremia's MXIC / Winbond Unlock
    - Stop if you hear the sound
    Are you ready?
    (Press ESC key to abort!)

- press "Yes"

- start MXIC or Winbond dremel unlock

- stop if you hear the test sound again

- the SPI flash should now be successfully unlocked

 

 

Unlock flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash16

-----------------------------------------------------------------------------------

- connect your Slim drive to a SATA2 controller set to IDE mode

- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet

- power up PC and boot into MS-DOS 6.22

- turn on the LiteOn psu

- run DosFlash16 in auto mode

- the drive and flash chip should identify properly

- choose your drive number

- as task choose "U" for "Unlock SPI Flash"

- you will hear a test sound from the PC speaker and the following message is displayed:

    The sound that just played was a test. You will hear the same sound if unlocking is successful later on. If you have not heard a sound, you should skip the unlock and check your PC speaker.
    Unlocking the SPI flash requires you to use Geremia's MXIC or Winbond Unlock method. Proceed like follows:
    - Press "Yes" if you are ready
    - Start Geremia's MXIC / Winbond Unlock
    - Stop if you hear the sound
    Are you ready?
    (Press ESC key to abort!)

- confirm with 'Y' for "Yes"

- start MXIC or Winbond dremel unlock

- stop if you hear the test sound again

- the SPI flash should now be successfully unlocked

 

 

Read flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash32/64

------------------------------------------------------------------------------------

- you should have unlocked the SPI flash prior to reading the flash, otherwise the following steps will not work

- connect your Slim drive to a SATA2 controller set to IDE mode

- make sure the drivers for the SATA2 controller are uninstalled

- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet

- power up PC and boot into Windows

- turn on the LiteOn psu

- run DosFlash32/64

- the drive and flash chip should identify properly

- choose the task "Read Flash"

- press "Read Flash" button

- enter the name of your flash firmware output file e.g. fulldump.bin

- you read the following (the displayed checksum and risk level can vary):

    Risk Level: Minimal! Winbond SPI flash with empty 3D3E sectors.
    Firmware sectors 0x3D000 and 0x3E000 match known checksum 0xFFFFF800.
    Do you want to write firmware with patched code to be able to read the firmware?

- press "Yes"

- then DosFlash32/64 displays the following message:

    There seems to be a LiteOn Slim drive connected as Master to port 0xA000.
    You should try SATA2 MTK unlock method.
    - Use a compatible SATA2 controller set to IDE mode
    - Repower the drive which is connected to the SATA 2 controller
    - Press "Yes" if you are ready
    Are you ready?

- do the above and press "Yes"

- after this DosFlash32/64 saves your firmware dump and displays the above message again, repower the drive again and press "OK"

- the last repower is used to get DosFlash32/64 back to a known MTK state

 

 

Read flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash16

---------------------------------------------------------------------------------

- you should have unlocked the SPI flash prior to reading the flash, otherwise the following steps will not work

- connect your Slim drive to a SATA2 controller set to IDE mode

- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet

- power up PC and boot into MS-DOS 6.22

- turn on the LiteOn psu

- run DosFlash16 in auto mode

- the drive and flash chip should identify properly

- choose your drive number

- as task choose "R" for "Read Flash"

- enter the name of your flash firmware output file e.g. fulldump.bin

- you read the following (the displayed checksum and risk level can vary):

    Risk Level: Minimal! Winbond SPI flash with empty 3D3E sectors.
    Firmware sectors 0x3D000 and 0x3E000 match known checksum 0xFFFFF800.
    Do you want to write firmware with patched code to be able to read the firmware (Y/N)?

- confirm with 'Y' for "Yes" and press Enter

- then DosFlash16 displays the following message:

    There seems to be a LiteOn Slim drive connected as Master to port 0xA000.
    You should try SATA2 MTK unlock method.
    - Use a compatible SATA2 controller set to IDE mode
    - Repower the drive which is connected to the SATA 2 controller
    - Press "Yes" if you are ready
    Are you ready (Y/N)?

- do the above and press 'Y' for "Yes"

- after this DosFlash16 saves your firmware dump

 

 

Lock flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash32/64

------------------------------------------------------------------------------------

- connect your Slim drive to a SATA2 controller set to IDE mode

- make sure the drivers for the SATA2 controller are uninstalled

- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet

- power up PC and boot into Windows

- turn on the LiteOn psu

- run DosFlash32/64

- the drive and flash chip should identify properly

- choose the task "Lock SPI Flash"

- press "Lock SPI Flash" button

- read the displayed warning carefully, because locking the flash is very risky

- press "Yes"

- the SPI flash should now be successfully locked

 

 

Lock flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash16

---------------------------------------------------------------------------------

- connect your Slim drive to a SATA2 controller set to IDE mode

- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet

- power up PC and boot into MS-DOS 6.22

- turn on the LiteOn psu

- run DosFlash16 in auto mode

- the drive and flash chip should identify properly

- choose your drive number

- as task choose "L" for "Lock SPI Flash"

- read the displayed warning carefully, because locking the flash is very risky

- confirm with 'Y' for "Yes"

- the SPI flash should now be successfully locked

 

 

DosFlash16 Manual Mode Examples for LiteOn Slim 0225

------------------------------------------------------

- Extract drive key on a "PLDS DG-16D4S 0225"

DOSFLASH LITEON K V3 1010 A0

 

- Unlock SPI Flash on a "PLDS DG-16D4S 0225"

DOSFLASH U 1010 1 A0 3 0

 

- Read firmware on a "PLDS DG-16D4S 0225"

DOSFLASH R 1010 1 A0 3 0 4 FWOUT.BIN 0

 

- Write firmware on a "PLDS DG-16D4S 0225"

DOSFLASH W 1010 1 A0 3 0 4 FWIN.BIN 0

 

- Erase firmware on a "PLDS DG-16D4S 0225"

DOSFLASH E 1010 1 A0 3 0 4 C7 0

 

- Lock SPI Flash on a "PLDS DG-16D4S 0225"

DOSFLASH L 1010 1 A0 3 0

 

Excellent work on the MXIC / Winbond unlock by Geremia and Maximus.

As the Duke would say: Hail to the kings baby!

Kai Schtrom

 

Thanks to Razkar for the information.

 


 

Official site: http://www.xbins.org/nfo.php?file=xboxnfo2125.nfo
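
As an added example (not part of the original post or of DosFlash): a Python sketch that decodes an SPI flash status-register byte into the BP0, BP1 and SRP bits the changelog mentions, and recomputes a checksum over sectors 0x3D000 and 0x3E000 of a firmware dump. The bit positions follow the common Winbond/MXIC layout and the checksum algorithm (32-bit wrapping sum of dwords) is an assumption, chosen because it yields 0xFFFFF800 for two erased sectors; all sample inputs are constructed.

```python
import struct

# Bit positions ASSUMED from the common Winbond W25X / MXIC MX25L status-register
# layout; confirm against the datasheet of the actual chip.
BUSY, WEL, BP0, BP1, SRP = 0x01, 0x02, 0x04, 0x08, 0x80
LOCK_MASK = BP0 | BP1 | SRP

SECTOR_SIZE = 0x1000      # 4 KiB, the spacing between 0x3D000 and 0x3E000
CHECK_START = 0x3D000     # first of the two sectors named in the Read Flash prompt
CHECK_LEN = 2 * SECTOR_SIZE
EMPTY_CHECKSUM = 0xFFFFF800  # value shown on the page for empty 3D/3E sectors


def decode_status(sr: int) -> dict:
    """Split one status-register byte into the fields the changelog names."""
    if not 0 <= sr <= 0xFF:
        raise ValueError("status register is a single byte")
    return {
        "busy": bool(sr & BUSY),
        "write_enable_latch": bool(sr & WEL),
        "bp0": bool(sr & BP0),
        "bp1": bool(sr & BP1),
        "srp": bool(sr & SRP),
        # State the changelog describes after "Lock SPI Flash": all three set.
        "fully_locked": (sr & LOCK_MASK) == LOCK_MASK,
    }


def sector_checksum(image: bytes, start: int = CHECK_START,
                    length: int = CHECK_LEN) -> int:
    """32-bit wrapping sum of little-endian dwords (ASSUMED algorithm)."""
    chunk = image[start:start + length]
    if len(chunk) != length:
        raise ValueError("image too short for the requested range")
    return sum(struct.unpack("<%dI" % (length // 4), chunk)) & 0xFFFFFFFF


if __name__ == "__main__":
    # Constructed inputs: an all-0xFF 256 KiB image and two sample status bytes.
    erased = bytes([0xFF]) * 0x40000
    print(hex(sector_checksum(erased)))
    for sr in (0x00, 0x8C):
        print(hex(sr), decode_status(sr))
```

A dump whose 3D/3E sectors do not sum to the expected value contains data in those sectors, which is the situation the risk level in the Read Flash prompt is warning about.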
