Details of why the Lite-On Drive Can't be hacked.
source http://www.xboxhacker.net/index.php?PHPSESSID=2466b34d20289113442fb5364ae1fe56&topic=9647.0
trios--
Now onto the patent:
The way I read it, the FW can go in but does not ever come out. The host needs to verify the programming, so instead of reading it out, and exposing it, a hw "chksum" is calced as the device is being programmed inside the device. This value, NOT the code, is returned to the host, and the host also calcs it to determine if the verify was successful. Using this method there is no reason for the drive to EVER dump its code back to the host.
So at power up the device checks its rom, if it's "blank" or marked as so, the programming "gate" becomes enabled. This allows an entire FW to be injected into the device by the host. The programming verification is performed internally, as the device calcs the xsum of the code, and reports the result to host. The host compares the xsum to expected, and if correct, it knows the device was programmed correctly. This is an effective verify operation, without reading back the code, as is usually done in most mem devices.
So what about reprogramming?
There is also a method for the host to erase or mark the device as erased. When this operation is completed, the device detects the condition and enables the programming "gate", see above. At this point the ENTIRE fw may be once again re written.
So if you had a complete dump, and knew how to mark the device as "erased" you could possibly rewrite the entire FW.
However, how will you get the dump? Say you got one with a physical attack on the chip, well you'd only have the aes keys for that particular unit. IE you still don't have a key to use on another target, so the painful PHY attack would need to be repeated for each unit. Of course the console can set this key during manufacturing mode, but you have no way of finding out what it set it to as you can't read it back.
Bottom line is what goes in does not come out. No reason for it to ever. The "old" reason was to verify programming of memory, but now a different method is being used to verify, that does not require the host to read back the programming to determine success.
trios--
The patent isn't bullshit, misimplemented, a distraction, or any thing else.
The drive was designed ON PURPOSE not to be read out. Get over it!
No amount of random $#!t is gonna dump that drive. Random $#!t never hacked any part of this system.
A physical attack (aka flylogic) to get the key or the flash contents would need to be repeated for each drive.
This is destructive, and not cost effective. Additionally flash contents are invisible to scanning electron microscope.
The drive key is set by a special command, common to all models. After that it never appears on the bus again.
There is NO WAY EVER to brute force, sniff, or guess the key. This situation has been discussed MANY times prior to this drive's appearance. Think about it, if there were such a thing, there wouldn't be all the "lost my drive key, oh what will I do?" posts.
As Arakon has stated, "there is NO other way to launch the sploit other than kk"
I would add that KK is the ONLY sploit that works. The KK sploit demands that the drive be equipped with a dvd key. The title involved is signed to ONLY run from xdvd. The title will not run from anywhere else. THERE IS NO WAY TO RUN THE KK SPLOIT FROM HDD OR ANYWHERE ELSE! There is no *secret* sploit, gamesave sploit or any other kind of sploit. This has been true since the sploit was discovered and remains true today.
The *only* way any of you are ever gonna play "backups" again is if a new system exploit is found or if MTK leaks details of a backdoor. Both scenarios are highly unlikely.
There has been little to no progress on that front in quite some time now, and not being able to launch a modified xdvd, due to the new drive's inability to play "backups", makes it more unlikely than ever before.
"The experts" are not even working on this, there is essentially no place to star
patent information - http://www.xbins.org/iriez/mediatekpatent.pdf
section of patent about dumping fw
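A small Python model of the program / verify / erase flow the quoted post describes, added here as an example; it is not code from the post, from Lite-On or from MTK. SHA-256 standing in for the hardware "chksum", the class and function names, the `on_bus` transfer hook, and the erase marker are all assumptions.

```python
import hashlib
from typing import Callable, Optional

# Constructed model: firmware goes in, only a digest comes out, readback is refused,
# and the programming "gate" is open only while the ROM is blank / marked erased.

class ReadbackRefused(Exception):
    """Host tried to read firmware or the key back out of the device."""

class GateClosed(Exception):
    """Programming or key-set attempted while the gate is closed."""

class Device:
    def __init__(self) -> None:
        self._flash: Optional[bytes] = None  # never returned to the host
        self._key: Optional[bytes] = None    # set once, never read back

    @property
    def gate_open(self) -> bool:
        return self._flash is None           # blank / marked erased

    def program(self, fw: bytes) -> bytes:
        if not self.gate_open:
            raise GateClosed("device is not blank")
        self._flash = fw
        # Digest computed inside the device over what was actually written;
        # this value, not the code, is what the host gets back.
        return hashlib.sha256(fw).digest()

    def set_key(self, key: bytes) -> None:
        if self._key is not None:
            raise GateClosed("key already set")
        self._key = key

    def read(self) -> bytes:
        raise ReadbackRefused("firmware is never read out")

    def erase(self) -> None:
        self._flash = None                   # gate reopens; whole image must be rewritten

def host_program_and_verify(dev: Device, fw: bytes,
                            on_bus: Callable[[bytes], bytes] = lambda b: b) -> bool:
    """Host side: send the image, compare the device's digest with its own."""
    expected = hashlib.sha256(fw).digest()
    reported = dev.program(on_bus(fw))       # on_bus simulates the transfer
    return reported == expected
```

A transfer that corrupts the image makes the reported digest differ from the host's expected value, so the verify fails without the host ever seeing the stored bytes.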