Author Archives: darthcircuit

Move to Dropbox

I was informed yesterday that my files were not working on Minus. I think they have disabled the download of anything that is not Text, Picture, or Audio. Since this is the case, I have moved all of my files, and a few extras, to Dropbox.

This is the new link: https://www.dropbox.com/sh/3ttzt76u70t578c/23V8V2s7is

Hopefully they will be of benefit to someone.

PuTTY, ST_MEM, and Arduino

While I still have not made as much headway as I would have liked to, I am slowly inching towards my original goal.

I have made a decent discovery. As I posted earlier, when I try to flash the new firmware onto my hard drive with ST_MEM_SDLD, the flashing usually succeeds, but the drive refuses to see that APP code, and I am stuck in Level F. I recently discovered, however, that if I switch back and forth between PuTTY and ST_MEM, it works about 90% of the time. At first, I set the speed, and send the initial preparatory flashing command via PuTTY, then disconnect that terminal and switch to ST_MEM for the actual flashing procedure. (PuTTY doesn’t have the necessary code for the SDLD protocol. If I could find some documentation on this protocol, I would try to put it in myself.)

As it stands, the APP Code flashes successfully most of the time, and I am able to get to Level T, but as yet I still have not been able to get the CERT Code to flash correctly. I’m not sure what I am doing wrong. I keep working, though, in hopes that someday soon, its secrets will be made known to me. We are making progress!

I have also discovered that by using an Arduino in place of my TTY/R233 adapter, I have gotten a more reliable connection. This has resulted in fewer failed flash attempts. (Prior to using this, sending the APP code would freeze halfway through, and I would have to start over about 65% of the time.)

To set up an Arduino to do this, just put a jumper wire from the Reset Pin to GND. Then your computer will detect the Arduino as a COM port. You can then hook up your hard drive to the Tx and Rx pins on the Arduino.


Mild Success

I think a lot of you have been thinking that I have forgotten this project, or have given up. This is definitely not the case. I have not really had much to report lately, but I have had a few mild, yet incomplete successes in restoring my hard drive to working condition.

With the help of Vorian, who commented on my very first post, I have been able to get a firmware that was made for my drive. I also was able to flash the first parts of the app code to the drive, and was also once able to again access the T> prompt of the drive. Unfortunately for me, it would seem that st_mem_sdld is quite buggy, and very unpredictable in its results. Since this is the case, I am still stuck with a bricked drive. I am in the process of trying to find another/better way of sending the app code, cert code, and cert tables to the drive.

Image

As you can see, the process, when it decides to work, can work. I am still very hopeful for what the future might bring, and look forward to finishing this hack.

When I do finally figure out the best solution, I will create another post with full details of the process. If any of you have any suggestions, I am as always open, and will try my best to respond to every comment I get.

Thanks again to Vorian for all the help he has given me over the past few weeks.

Quick Update

I just wanted to thank you guys for all your help with my little project so far. I also wanted to inform you that all of the utilities I have been using have been uploaded to my personal cloud space. I was put onto st_mem_sdld and other things with your help, so to make it easier for others to find in the future, they will be available from me. I’ve also included hddhackr 1.3, Xplorer 360 250 gig, and the free version of SeDiv.

Thanks again for your support!

Check them all out here.

Hacking a Seagate Hard Drive to work in the Xbox 360

Over the past couple of months, I have been on a quest. This quest has led me to many different locales, and it is still ongoing. Unfortunately, my quest has hit a roadblock of sorts for the moment, but it has not ended. I will explain more on that in a minute, but for now, I wanted to document the things I have found out thus far.

After hours of searching the net for a way to use a Seagate hard drive in my Xbox, there was not a whole lot of happy news. However, I have pieced together many sources, and have been able to change many of the drive’s parameters manually, effectively mirroring the functions of HDDHACKR. This is the main holdup that Seagate drives face. There is no automated way of doing this like there is with a Western Digital Drive. Just for your information, the information in my post is not for the faint of heart, and you probably will kill your hard drive if you are not very careful. I take no responsibility for what you do to your hard drive. This is in no way a complete tutorial, nor can I guarantee that this will work for you. My hope is that someone will benefit from the information that I have pieced together. Even though I have not completed this project, I believe I have found enough information that someone somewhere will have better luck than I have.


It is about 2:00 in the morning as I finish typing this, and I am on my way to bed. This is a work in progress, so pictures will come at a later date. For now, I am happy with what has been written, and it will suffice for now.

Required Materials

-Hex Editor (I use HxD. It’s free, and it works quite nicely. wxHexEditor works nicely for our *Nix friends as well. You need one that is able to open a physical disc.)

-RS232 to TTL Adapter (Max32 or similar. You can even use an Arduino if you don’t have anything else)

-Jumper wires for adapter

-Official Xbox 360 HDDSS.bin FROM a Seagate drive (more on this in a minute, but luckily I have found this for you, and will upload it for you.) http://minus.com/lw50E2TwPtkJz

-External SATA enclosure (Makes it easier to control the power to your hard drive, without having to take apart your computer.)

-A SATA Controller that is compatible with HDDHACKR (We will not be flashing the firmware with this, but we will still be creating the partitions. You can do this manually also, but I will not detail that here)

-Plenty of time to experiment, and learn how to navigate the Seagate TMOS. I will tell you the commands I used to get as far as I did, but some of these commands vary from drive to drive. Even the same model numbers with different firmware revisions will have different command sets. BE VERY CAREFUL PLAYING WITH THESE SETTINGS. Take the time to learn what the commands do for yourself. The biggest mistake I made was trying a command that wasn’t made for my drive, and I have effectively bricked it for the moment.

-An Understanding of Hex. We will be dealing with hex addresses, and hex offsets. It will be much easier to follow if you understand Hex.

-Patience. You will mess something up somewhere along the way. I can almost guarantee it. If you are not a patient person, you will just get frustrated and then definitely screw something up. If you are feeling a bit frustrated, do yourself and your hard drive a favor, and take a break. It won’t do you any good to work on it while you are upset, and you’ll likely mess something else up in the process.

-SeDiv (Not a requirement, but highly recommended. You can use Putty or Hyper-Terminal if you wish, but SeDiv is designed for the work that we are doing. If you do decide to download SeDiv, you will need Windows XP SP2. It does not work on Windows Vista or 7. You will also need to set your system clock back to 2007 or 2008.)

A Little Background Information

My first spark of inspiration was this site: http://tinyurl.com/6y75pxj. In this thread is a detailed list of how to manually place the security sectors of an official Xbox drive onto a different hard drive. The poster states that he has used this method to use a Seagate drive in his Xbox; however the tutorial itself was performed on a Western Digital drive. After numerous failed attempts at contacting the author of this thread and a few others, I did a bit more digging.

In short, what I learned was that when HDDHACKR modifies a hard drive’s firmware, it changes 4 main things. These changes are taken from a valid hddss.bin that has been dumped from an official Xbox Hard Drive.

  1. It changes the Model Number
  2. It changes the Serial Number
  3. It changes the LBA
  4. It changes the Firmware Revision

After changing these things, it will then copy the information in the hddss.bin file to sectors 16-22 of the hard drive itself.

http://www.users.on.net/~fzabkar/HDD/HddHackr_analysis.html

The previous link details the security sector of an official drive, and how it is structured. Basically the Xbox compares the information in these sectors (or the hddss.bin) to the physical drive’s information. If even one of the things in this list is not correct, the Xbox will refuse to see the hard drive as available local storage.

So, our goal is to change all of this information on the drive ourselves. This proves somewhat difficult however because there is not very much documentation on how this is done. There is a lot of guess work, and crying. In the end, our goal will be to change the previous 4 items to the following.

  1. Model number will be ST9250315AS (Will be entered in Hex)
  2. Serial Number will be 5VCF5J11
  3. LBA will be 70 59 1C 1D (Hex value)
  4. Firmware Revision will be 0002CE02 (Will be entered in Hex)

Another problem that exists is that a Seagate hard drive only allows 8 character serial numbers, and most of the available hddss.bin files freely available on the net are dumped from Hitachi drives. These drives have serial numbers that are up to 15 characters. Since this is the case, there is no way to successfully spoof the drive into looking like a Hitachi. The only real solution is to use an hddss.bin file that has been dumped from an official Seagate drive.

Oh yeah, for your information, all of my findings were done on a Seagate ST9250827AS Rev. 3.AAA

Connecting with SeDiv or Putty

To test your connection, open Putty or SeDiv, and open the connection with 9600 for your baud rate, 8 data bits, no parity, 1 stop bit, and no flow control. Plug the power into the hard drive, but not the data cable. If it works you will see some text come up in the terminal. If not you may have your Tx and Rx wires reversed.

If you look to the left of the Power/SATA connector on the drive you are working on you will notice a few small pins. These pins are for the diagnostics port of the drive. From right to left, the pins are Rx, Tx, Gnd. There is a fourth pin, but you need not concern yourself with it. When connecting your TTL adapter, Rx on the Drive goes with Tx on the adapter, and Tx on the drive goes with Rx on the adapter. If you use an external enclosure to supply power to the drive, you shouldn’t have to worry about the ground connection because the USB connector should take care of that. Otherwise, you will have to find a way to ground them together.

For me, it says something like:

Buzz HM SFI

!

(P)S

If you get to this point, great! If not, you will need to do some more research on your own. There are quite a few tutorials about this lying around. You may have a look at https://sites.google.com/site/seagatefix/ – This will show you all the steps involved in creating a TTL adapter. The Baud rate is different from my drive, but you may need to try some different speeds to get yours working.

Basic Terminal Structure and Changing the Serial Number

So, once you have gotten the output in Putty or SeDiv, press Ctrl-Z. This should bring you to a prompt that says something like:

T>

So you know, every command that you enter in this prompt is case sensitive, so you will need to watch what you are entering. Some commands have completely different effects whether you use the upper case or lower case command. Know that if you are not paying attention you can easily brick your drive with a one letter command. Please be careful. The prompt does not recognize backspace, so if you make an error, you are kind of stuck with it. If you have a doubt about what you entered, your best option is to press Ctrl-C BEFORE hitting enter. This will restart the terminal. Sometimes this means you will probably have to re-enter everything you just did, but it’s better than overwriting something that could brick your drive. Please also know that copy and paste doesn’t work very well with the prompt. It will usually end poorly, so even though it’s a pain, I highly recommend typing every command manually.

The command prompt is separated into different levels. Each level has a different function, and different commands to go along with it. Some of the commands you can enter at one level work completely differently than they would at a different level, so keep an eye on which level you are on. There is a level for each of the numbers 1-9, and a few different letters. The letter levels I know about are C, F, and T. We will be mainly dealing with Level T. The level is shown before the > at the prompt. So the above example would be at Level T. If you want to change to Level 2 for instance, you can do so with the following command:

T>/2

(note: you only type the “/2”)

This would change the prompt to:

2>

Some Seagate hard drives can tell you a list of the commands available to you, but mine did not, at least not with the examples I found. You can try this on your drive however, by changing to Level C and using the “Q” command.

As I stated however, basically everything we need to do can be accessed from Level T. If you are not there currently, then type /T to get there and we should be back to:

T>

The first thing we are going to change is the Serial Number of the drive. This is the easiest thing to do in the console, so we are going to do this first.

At the prompt type “#”.

The prompt will then ask you to enter the drive’s serial number. If you open the hddss.bin file I have supplied with a hex editor, and compare it to the site I linked to before, you can see that the serial number is “5VCF5J11”. Enter this Serial Number into the prompt and hit enter. It will then ask you for the Pack-Writer Serial Number. I just left this blank, so hit enter and go on.

It will look something like this:

T>#

Enter Drive S/N 5VCF5J11

Enter Packwriter S/N

T>

Congrats! You are a fourth of the way there. You have successfully changed the Serial Number (hopefully :D)

AT Stuff, SetStuff, and Changing the Model Number

Back at Level T, the next thing you will want to do will help you find the offset of your model number. This is called “AT Stuff”. This is accomplished by pressing Ctrl-U at the prompt. (If you read the data sheets I’ve linked documenting how to use the console, this will be shown as ^U. Any command in this manual with ^ in it means Ctrl + whatever the key was, i.e. ^Z is Ctrl-Z, etc.)

So pressing Ctrl-U at the T> prompt brings something like:

T>^U

AT Stuff

0000: 0c5a  3fff  c837  0010   0000  0000  003f  0000 

0008: 0000  0000  2020  2020   2020  2020  2020  2020 

0010: 3556  4346  354a  3131   0000  4000  0004  332e 

0018: 4141  4120  2020  5354   3932  3530  3832  3741 

0020: 20ff  2020  2020  2020   2020  2020  2020  2020 

0028: 2020  2020  2020  2020   2020  2020  2020  8010 

0030: 3331  2f00  4000  0200   0200  4153  3fff  0010 

0038: 003f  3235  0000  0010   ffff  0fff  0000  0007 

0040: 0003  5320  0078  0078   0078  0000  0000  0000 

0048: 0000  0000  0000  001f   0506  0000  0048  0040 

0050: 01f0  0029  346b  2020   6103  0461  1000  4103 

0058: 007f  0000  0000  8080   fffe  0000  fe00  0000 

0060: 0000  0000  0000  0000   5970  1d1c  0000  0000 

0068: 0000  0000  4000  0606   0000  0000  0000  0000 

0070: 0004  0000  0000  0000   0000  0040  0f41  0000 

0078: 0000  0000  0040  0000   0440  0400  0800  0180 

0080: 0001  5970  1d1c  5970   1d1c  2020  0002  0ab6 

0088: 8002  0000  3c06  3c06   ffff  07c6  0100  0000 

0090: 100f  1800  0002  0080   0000  0000  6080  0000 

0098: 0000  0000  0000  0000   0000  0000  1e00  000b 

00a0: 000f  0006  0003  0000   0032  0014  0033  0024 

00a8: 000f  001e  0032  0000   0013  0022  0032  0014 

00b0: 0032  0000  003a  0000   0022  002d  0032  0000 

00b8: 0032  0000  0022  0000   001a  0000  0012  0000 

00c0: 0010  0000  003e  0000   0000  0000  0032  0000 

00c8: 0000  0000  0000  0000   0000  0000  0000  0000 

00d0: 0000  0000  0000  0000   0000  0000  0000  0000 

00d8: 0000  0000  0000  0000   0001  0002  ffff  ffff 

00e0: 0000  0000  0003  0066   1770  0015  0025  1200 

00e8: 0000  0000  0000  0000   0000  0000  0000  0096 

00f0: 0001  0000  0000  0200   0001  0000  0000  0000 

00f8: 0000  0000  0000  1556   0000  0000  0000  0000 

 

DRIVE HAS BEEN SET-STUFFED –

This is a lot of information for us, but fortunately it is also quite useful. Make sure when you run this command, you copy what you see in the window to a text file. We will refer to it a couple more times.

On the left before the colon is the starting offset of that line. So,

0000: 0c5a  3fff  c837  0010   0000  0000  003f  0000 

        (0000)(0001)(0002)(0003)(0004)(0005)(0006)(0007)

starts at the beginning. This offset begins with 0000. So in this line offset “0000” is “0c5a”. Offset “0003” is “0010”. These lines are only 8 offsets long, running from 0000 to 0007. The next line runs from 0008 to 000f, and so on. What we are looking for here at the moment is our drive’s Model number. An easy way of accomplishing this is copying and pasting each line, minus the offset number, into our hex editor. This will display the Plain Text of what our hex codes mean. So,

0c5a  3fff  c837  0010   0000  0000  003f  0000 

Translates into:

.Z?ÿÈ7…….?..

Not exactly the most helpful information in the world, but if we keep going, we find some interesting things. In particular, look for a line that has a value with “5354”. This value translates to “ST”, and that is the beginning of our model number. I found mine at offset 1b. This is the line:

4141  4120  2020  5354   3932  3530  3832  3741 

Which translates into:

AAA   ST9250827A

Even though the rest of the model number spills onto the next line, we can clearly see that this is valuable information. We obviously need to change this, so we do that with the SetStuff command, which is F. This is also accessed through Level T. Our Target Model number is ST9250315AS, which in hex is 5354 3932 3530 3331 4153. We need to change the offsets one at a time, so the commands would be as follows.

T>F

SetStuff->ASCI1B5354

Stuff key 1b -> 53 54

So, we type F, which prompts us with SetStuff->, to which we enter ASCI1B5354. Every command we will enter with SetStuff will always begin with ASCI (Not to be confused with ASCII) immediately followed by the offset (1B), which is also immediately followed by what hex value we want to change it to (5354). If our command was correct, it will give us Stuff key 1b -> 53 54, showing that the operation was successful. If it doesn’t show Stuff Key ->, the operation was not successful, and you will have to try again. Make sure you typed it correctly.

So, we need to do this to all the offsets of our model number. According to some websites that I checked it is good to enter spaces (hex 20) after the model number for a few offsets to make sure that the model number doesn’t have any garbage characters after it. So,

SetStuff->ASCI1C3932

Stuff key 1c -> 39 32

T>F

SetStuff->ASCI1D3530

Stuff key 1d -> 35 30

T>F

SetStuff->ASCI1E3331

Stuff key 1e -> 33 31

T>F

SetStuff->ASCI1F4153

Stuff key 1f -> 41 53

T>F

SetStuff->ASCI202020

Stuff key 20 -> 20 20

T>F

SetStuff->ASCI212020

Stuff key 21 -> 20 20

T>F

SetStuff->ASCI222020

Stuff key 22 -> 20 20

T>F

SetStuff->ASCI232020

Stuff key 23 -> 20 20

T>W

When we finish overwriting the model number, we send the W command. This writes the changes to disc.

At this point, I would suggest restarting the terminal, and running ^U again. You can look at the AT Stuff log again, and check the offsets to see if your changes are intact. If they are ok here, power off the drive and disconnect the serial cable. Connect the data and power cables to the drive, and turn it back on. When Windows detects it, keep an eye on what model number shows up in the Device Manager. If it is our new model number, then you have been successful. If junk characters or anything extra appear next to the drive name, you may need to go back and use the SetStuff command to add spaces to a few more offsets.
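The check described above can be run on the saved ^U log instead of by eye. The following Python is an added example, not part of the original post or of any Seagate tool: it assumes the AT Stuff dump follows the standard ATA IDENTIFY DEVICE word layout (serial at words 0A-13, firmware at 17-1A, model at 1B-2E, sector counts at 3C-3D and 64-67), which agrees with the offsets found in the post. The function names are invented for the example, and the sample lines are copied from the dump above.

```python
import re

# Assumption: the ^U dump uses the ATA IDENTIFY DEVICE word layout.
# field -> (first word offset, number of 16-bit words)
STRING_FIELDS = {
    "serial": (0x0A, 10),
    "firmware": (0x17, 4),
    "model": (0x1B, 20),
}
LBA28_WORD = 0x3C  # 2 words, low word first
LBA48_WORD = 0x64  # 4 words, low word first

LINE_RE = re.compile(r"^\s*([0-9A-Fa-f]{4}):((?:\s+[0-9A-Fa-f]{4}){1,8})\s*$")

# Lines copied from the AT Stuff dump in the post (remaining lines omitted).
SAMPLE_DUMP = """\
AT Stuff
0008: 0000  0000  2020  2020   2020  2020  2020  2020
0010: 3556  4346  354a  3131   0000  4000  0004  332e
0018: 4141  4120  2020  5354   3932  3530  3832  3741
0020: 20ff  2020  2020  2020   2020  2020  2020  2020
0028: 2020  2020  2020  2020   2020  2020  2020  8010
0038: 003f  3235  0000  0010   ffff  0fff  0000  0007
0060: 0000  0000  0000  0000   5970  1d1c  0000  0000
"""

# Target values as listed in the post (LBA as little-endian bytes).
EXPECTED = {"model": "ST9250315AS", "serial": "5VCF5J11",
            "firmware": "0002CE02", "lba_le": "70 59 1c 1d"}

def parse_dump(text):
    """Return {word_offset: value} for every 'oooo: wwww wwww ...' line."""
    words = {}
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m is None:
            continue  # prompts, banners and blank lines
        base = int(m.group(1), 16)
        for i, token in enumerate(m.group(2).split()):
            words[base + i] = int(token, 16)
    return words

def take(words, start, count):
    """Fetch a run of words, refusing to decode a partially captured field."""
    missing = [f"{w:04x}" for w in range(start, start + count) if w not in words]
    if missing:
        raise ValueError("dump is missing words: " + ", ".join(missing))
    return [words[w] for w in range(start, start + count)]

def decode_string(words, start, count):
    """Two characters per word, high byte first. Non-printable bytes become
    '?' and are reported as (word_offset, byte) so stray junk is visible."""
    chars, junk = [], []
    for offset, word in enumerate(take(words, start, count), start):
        for byte in (word >> 8, word & 0xFF):
            printable = 0x20 <= byte <= 0x7E
            chars.append(chr(byte) if printable else "?")
            if not printable:
                junk.append((offset, byte))
    return "".join(chars).strip(), junk

def decode_lba(words, start, count):
    return sum(w << (16 * i) for i, w in enumerate(take(words, start, count)))

def decode_identity(text):
    words = parse_dump(text)
    ident = {"junk": {}}
    for name, (start, count) in STRING_FIELDS.items():
        ident[name], junk = decode_string(words, start, count)
        if junk:
            ident["junk"][name] = junk
    ident["lba28"] = decode_lba(words, LBA28_WORD, 2)
    ident["lba48"] = decode_lba(words, LBA48_WORD, 4)
    low32 = ident["lba48"] & 0xFFFFFFFF
    ident["lba_le"] = low32.to_bytes(4, "little").hex(" ")
    return ident

def mismatches(ident, expected):
    return sorted(k for k, v in expected.items() if ident.get(k) != v)

if __name__ == "__main__":
    ident = decode_identity(SAMPLE_DUMP)
    for key, value in ident.items():
        print(f"{key:9} {value!r}")
    print("differs from expected:", mismatches(ident, EXPECTED))
```

On these sample lines the model field reports a 0xff byte at word 0020, the kind of stray character the post suggests padding over with spaces.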

Writing the LBA and the Firmware Revision

These last two are basically the same as writing the model number. I wasn’t really sure what I was looking for when I was trying to find the LBA offset, but I found this site: http://tinyurl.com/cxgvqva – This is also where I found out how to use SetStuff in the first place. If you know what your drive’s LBA is in hex before you start, you will have a huge advantage over me, but I did not. Since their Model Number Offset started at 1B, the same as mine, I figured the LBA offsets could quite possibly be the same, so I used SetStuff to modify offset 83 and 84. (NOTE: On this site, they put the whole string of numbers they wanted to change into one offset instead of doing them one by one like we did with the model number. I tried this, and it did not work for me. Instead, it started changing offsets that were incorrect, or it would just not do anything. I still think the best/safest way is to do them one at a time, even if it takes longer.) They also recommend changing offsets 3C and 3D to the same values; however, I did not see that the first time I read it. After this, send ^T.

So it will look something like this:

T>F

SetStuff->ASCI837059

Stuff key 83 -> 70 59

T>F

SetStuff->ASCI841C1D

Stuff key 84 -> 1c 1d

T>F

SetStuff->ASCI3C7059

Stuff key 3C -> 70 59

T>F

SetStuff->ASCI3D1C1D

Stuff key 3D -> 1c 1d

T>W

T>^T

I was never 100% sure I did the LBA correctly, but this was the best information that I found about that portion of the change.

Same goes for the Firmware Revision, and this is one part I got stuck on.

If you look in the AT Stuff dump you took earlier, you will notice that 3.AAA, or the Firmware Revision number for me anyways, was directly in front of the drive’s model number. It populated offsets 17-1A on my drive. I did the same SetStuff we have been doing to change it, but the drive reverts to its old offset when it is restarted. I will post what I did anyways so you can look, and hopefully have better luck than I did. We want to change the revision to the hex value of 3030 3032 9495 4345 3032

T>F

SetStuff->ASCI173030

Stuff key 17 -> 30 30

T>F

SetStuff->ASCI183032

Stuff key 18 -> 30 32

T>F

SetStuff->ASCI194345

Stuff key 19 -> 43 45

T>F

SetStuff->ASCI1A3032

Stuff key 1a -> 30 32

T>W

Like I said, running ^U before resetting the drive shows the changes I made in the correct place. After restarting the drive, it resets the offsets to what they were previously. I don’t know if this will happen to you as well, so try it out and see what happens. I have no way of testing anything else at the moment, so if it doesn’t work, I won’t be of much help.

Using HxD to Copy the Security Sectors

Power down the drive, and disconnect it from the serial cable and power. In HxD you will want to open two things. First, you will want to open the HDDSS.bin file you got from me. Second you will want to put the hard drive in your external enclosure and connect it to your computer. Inside of HxD, you will want to go to extras, then select open disk. In the physical disks section, select the last one (usually). It’s best to only have 2 disks total to make it easier. (Your main OS disk, and the Seagate we are working on.) Make sure read only is unchecked. Go back to the HDDSS.bin tab, and select everything. Edit copy. Go back to the disk tab. Scroll down to Sector 16. Select all of Sector 16 down to Sector 22. Edit paste insert. When you are feeling brave, File Save.

Using HDDHACKR to Create the Partitions

You will need to make a bootable USB stick or CD with a copy of MS-DOS on it. There are quite a few tutorials on how to do this, so I won’t cover it here. You will need to copy HDDHACKR onto whatever bootable medium you choose.

Power down the computer you are going to connect the drive to, and hook your Seagate drive up. It is also a good idea to disconnect the other drives in the computer to prevent overwriting the wrong one. Power up the machine with the bootable medium connected. Boot into MS-DOS, and then run HDDHACKR. It will scan your system for discs. Select your Seagate drive from the list. We don’t need to worry about flashing the bin file, since it won’t work anyways. Select Create Partitions instead. It will probably say it was successful, but it won’t go back to the command prompt. Power down the computer when the partitions are created successfully.

What Happens When You Make a Mistake

This is where I got before I bricked my drive. I was trying a new command that I wasn’t too sure about, and it ended up disallowing me to enter the T> prompt. Instead, I am stuck in Level F, and I am unable to change levels. Currently, I am getting the following error when the device is powered on:

Buzz HM SFI

!

    Code – 43  Track 0F82F.0.01E  Sns 01E

F>

So, that is as far as I got. I had just about everything (I think, minus the Firmware Revision), and then made a mistake.

Will this guide let you use your Seagate drive in your Xbox? I can’t say for sure. I am fairly confident that if someone were able to find a way to change the firmware revision successfully, the Xbox would recognize the drive.

I do hope that the information is somewhat helpful to someone. I would love to hear back from you, and know if this has helped someone. I have no intention of quitting on this project. I hope someday soon to figure out my way past the error I am plagued with at the moment, and continue figuring out how to make this work. If anyone has any tips on what things to try, I’m all ears.

Other Sites I Found Useful

http://forum.hddguru.com/seagate-terminal-commands-t6411.html – List of Terminal Commands for Seagate Drives. It’s kind of a mess, but there a quite a few better forma

http://beta.ivc.no/wiki/index.php/Xbox_360_Hard_Drive_Upgrade – Explains the Structure of the Xbox 360s Hard Drive.

http://forums.xbox-scene.com/index.php?showtopic=690435 – Very Basic overview of the same steps I just explained.

http://files.hddguru.com/download/Datasheets/Seagate/Seagate%20Diagnostic%20RS-232%20Port/ – Datasheets for the Seagate Terminal Console. Also includes pictures of how to setup correctly the TTL Adapter

http://sediv2008.narod.ru/Easy1014.rar – Download the SeDiv Program. This serves basically the same purpose as putty or hyperterminal, but it is much more powerful when dealing with Seagate drives, as this is what it was made for.

http://www.xboxhacker.org/index.php?topic=11813.0 – hddhackr was made for western digital drives, but we can still use it to make partitions for us.
