- 精华
- 0
- 帖子
- 2
- 威望
- 0 点
- 积分
- 4 点
- 种子
- 0 点
- 注册时间
- 2009-7-25
- 最后登录
- 2020-1-4
|
此次破解对应建兴光驱固件 83450c-v2 , 93450c, 也就是2009年9月以后的新固件。
需要拆机,DumpKey的方法见下面,有了Key以后就之前的7XXX破解一样了。
附件为修改后的IX固件,请将dump出来的key合并后写入即可。
破解有风险,请勿轻易尝试
原文转载:Again i've heard around big words about secret preservation in the name of the scene life, requesting a little sacrifice in $. There is a guy that owns a topsecret way to dump drive fw, and i'm not going to reveal, cause it's something he should do, not me. I'm sure i would have been able to discover myself, and i'm sure he would have been able to discover himself without my hints, why not, but i'm sure too that someone else can do it the same way. I've spent a lot of time reversing the 7xxx fw to find an alternative solution, but now some flashed 93450 appeared on the mod market (lame 7xxx spoofed as 93450, probably you great modder don't have the mkt scrambling/descrambling app to change the original inquiry) with epoxy removed and reapplied (great security, i'm sure MS can't see it). So, i'm sure the scene prefers to pay a MSproof modding to help the scene(rs), but if anyone wants to do some experiment and find the secret by himself, i'm happy to share something from my pocket, i'm sure someone with no $ in mind can report back some interesting result. As you know, liteons have embedded spi flash, it's an MX25L2005 and a winbond in some cases. during powerup, the spi is read by the mmtk internal flash controller, descrambled and copied to an internal sram. This sram is then connected to address and data pins of the 8051 core, which will start executing the code. The mtk checkmodule checks for the first 0x200 bytes of spi flash, if are blank (all FF), the vendormode is full enabled with an ata status 72 and you can access the spi flash (and dosflash can read/write). If the first 0x200 bytes are not blank, you can enter vendormode but you can't access the spi flash (status 52). What i tried times ago, was to mess with the pins of the mtk chip to find a way to disable the spi flash during powerup, cause in many cases of spi imlementation, if the spi flash does not pull down MISO pin, the spi master reads all FF (lifting one pin makes an old psp battery pandorized, same principle). The problem is that the embedded spi flash pins are not present outside of the mtk chip, except vcc and ground which are shared with other internal stuff). Use some imagination, and feel free to do what you want with your discovery.
上文大致内容如下:重申当我得知了重大的破解消息,以后将不成为美元的***。我并不是在卖弄,我是从一个知道方法的小子那里得到的破解信息。但是我确信我可以找到这个方法,并且我也确信他不需要我的提示也能找到它,为什么不?我相信其他人也可以。正当我花了一点时间研究建兴光驱7xxx的固件的时候,新的固件93450出现在市场上,而且它没有办法被破解。因此,我确定大多数人还是很期待破解的,也有很多人关注破解进展。 建兴集成了SPI FLASH, 型号为 MX25L2005。当打开电源时, MMTK Internal FLASH Controller读取SPI后再执行启动代码。解密并拷贝到内部存储器中。 MTK检查从SPI读取出来的前0x200个字节, 如果都是FF, vendormode全部开放,可以得到 ATA status 72,此时可以用工具(dosflash)读取key。 如果前0x200字节不是FF, vendormode同样开启,此时的ATA status 52,你不能通过工具读取key。我试验了很多次后,找到了方法。
Dumped Steps:
-Lift pin 101 and 122
-solder a cable to pin 100, pin 101 and one to 3,3V
-use a 2-way switch which either connects 101 to 3,3V or to 100
-put the switch into the position so that it connects 100 to 101
-power drive
-start Dosflash, it will recognise the SPI with Status x72
-if you read it out now, it will just give you a .bin full of FFFFFFFF, but thats OK, this is how we tricked the Flash Controller to think the SPI is empty
-put the switch in the other position (so that 101 is connected to 3,3V)
-now read the flash
[quote][/quote]
Ixtreme 1.6 for Liteon 83V2 and 93450
[quote]临时文件下载:
ix16_templates.rar (提取码:c5ddddb9735738e243be64587c1ec7d8). |
|
川公网安备 51019002005286号
楼主
发表于 2009-12-1 20:01 · 日本
