Copy Link
Add to Bookmark
Report

HddHackr how it works

Dreamcast's profile picture
Published in 
xbox360
 · 3 years ago

Introduction:


This article is my attempt to understand the method by which HddHackr modifies a WD drive in order to make it compatible with an Xbox 360. As I don't have an Xbox, or a supported WD drive, I'm relying purely on research. Therefore there may be errors.


How HddHackr works:


HddHackr reads the HDD firmware version, serial number, model number, and capacity in LBAs from sector 16 of the original Xbox HDD, and then writes this information to a supported WD drive of equal or larger capacity. It does this by using WD's vendor specific commands (VSC) to modify the HDD's firmware. AIUI, in the case of a ROYL drive, the relevant firmware modules are 0D and 02. The result of this hack is that the WD drive then identifies itself in the same way as the original drive, eg Fujitsu MHV2020BH. The WD drive's original modules are backed up in an UNDO.BIN file.

LBAs 16 - 22 are referred to as the Hard Drive Security Sectors and are also copied from the source drive to the target drive. HddHackr backs up these sectors in a HDDSS.BIN file.

The structure of the security sectors is described here:
http://beta.ivc.no/wiki/index.php/Xbox_360_Hard_Drive_Upgrade

Here is an example for a 20GB Fujitsu HDD:
http://beta.ivc.no/xbox360/hddhackr/20GB_HDDSS.rar

Here is a hex dump of sector 16:

HDDSS-20.BIN --- this file is a backup of LBAs 16 -> 22

 ======================================================================== 
0000 20 20 20 20 20 20 20 20-4E 57 35 38 54 35 41 32 NW58T5A2
0010 35 4E 48 50 30 30 39 33-30 30 32 43 46 55 4A 49 5NHP0093002CFUJI
0020 54 53 55 20 4D 48 56 32-30 32 30 42 48 20 20 20 TSU MHV2020BH
0030 20 20 20 20 20 20 20 20-20 20 20 20 20 20 20 20
0040 20 20 20 20 3B 0F D7 3F-82 77 FE 41 C6 F6 A2 5D ;..?.w.A...]
0050 FC 17 2C 17 7A D4 F8 D6-80 29 54 02 D3 79 C9 61 ..,.z....)T..y.a
...
========================================================================


 Offset         Description                  Data 
--------------------------------------------------------------------------------------------
00 -> 13 --- serial number (20 bytes) - <8 spaces>NW58T5A25NHP
14 -> 0B --- firmware version (8 bytes) - 0093002C
0C -> 43 --- model number (40 bytes) - FUJITSU MHV2020BH<spaces>
58 -> 5B --- total LBAs (little endian) - 0x02542980 LBAs x 512 bytes/LBA = 20 003 880 960 bytes
5C -> --- encrypted stuff (256 bytes)


Here are hex dumps of modules 0D and 02 from a WD2500BEKT drive:

MOD 0D --- contains firmware version

 ========================================================================= 
0000 52 4F 59 4C 04 00 1E 00-0D 00 01 00 1F FF 0C 3F ROYL...........?
0010 30 30 30 31 30 30 30 30-00 00 00 00 00 00 00 01 00010000........
0020 31 31 2E 30 31 41 31 31-00 01 03 01 00 00 50 01 11.01A11......P.
0030 4E E2 01 AD 6F FB 00 01-FE FF 00 00 00 00 00 00 N...o...........
0040 01 00 00 00 00 00 00 00-00 00 64 00 00 00 00 00 ..........d.....
=========================================================================

MOD 02 --- contains serial number, model number, capacity in LBAs (and passwords?)

 ========================================================================= 
0000 52 4F 59 4C 01 00 30 00-02 00 03 00 30 75 7B EC ROYL..0.....0u{.
0010 30 30 30 38 30 30 30 30-09 1D 09 00 00 00 00 00 00080000........
...
02A0 33 00 4E 04 02 00 00 01-57 44 2D 57 58 45 36 30 3.N.....WD-WXE60
02B0 38 50 4C 37 31 30 39 00-00 00 00 00 00 01 10 3F 8PL7109........?
02C0 00 00 00 00 6F 59 1C 1D-6F 59 1C 1D 6F 59 1C 1D ....oY..oY..oY..
02D0 6F 59 1C 1D 00 01 A4 03-00 00 00 00 07 7F 00 00 oY..............
...
04D0 00 00 00 00 01 57 44 43-20 57 44 32 35 30 30 42 .....WDC WD2500B
04E0 45 4B 54 2D 30 30 46 33-54 30 20 20 20 20 20 20 EKT-00F3T0
=========================================================================

Total LBAs = 0x1D1C596F + 1

Capacity = 0x1D1C5970 LBAs x 512 bytes/sector = 250 059 350 016 bytes

(Note to self: Would it be possible to use HddHackr to view the passwords on a WD drive?)

Here are the HddHackr files, as I understand them:

 ========================================================================== 
EC.bin --- original WD 512-byte Identify Device data (ATA command ECh)
SD.bin --- hacked WD module 0D ("sector D")
S2.bin --- hacked WD module 02 ("sector 2")
UNDO.BIN --- original WD module 0D plus module 02
HDDSS.BIN --- backup of LBAs 16 -> 22 on original Xbox drive
==========================================================================

Here are examples of WD modules after they have been hacked:

MOD 02 after hack (S2.BIN)

 ======================================================================== 
0100 52 4F 59 4C 01 00 30 00-02 00 02 00 49 FB A3 F2 ROYL..0.....I...
0110 30 30 30 38 30 30 30 30-08 1B 09 00 00 00 00 00 00080000........
...
01A0 02 00 00 01 4E 5A 32 58-54 37 32 32 45 4A 39 32 ....NZ2XT722EJ92
01B0 00 00 00 00 00 00 00 00-00 01 10 3F 00 00 00 00 ...........?....
01C0 AF 4B F9 0D AF 4B F9 0D-AF 4B F9 0D AF 4B F9 0D .K...K...K...K..
...
0380 03 01 00 01 00 00 00 00-00 00 00 01 46 55 4A 49 ............FUJI
0390 54 53 55 20 4D 48 57 32-31 32 30 42 48 00 00 00 TSU MHW2120BH...
========================================================================

MOD 0D after hack (SD.BIN)

 ======================================================================== 
0100 52 4F 59 4C 04 00 1E 00-0D 00 01 00 43 16 C7 B6 ROYL........C...
0110 30 30 30 37 30 30 33 38-00 00 00 00 00 00 00 01 00070038........
0120 30 30 39 33 30 30 31 33-00 01 01 01 00 00 50 01 00930013......P.
========================================================================

Here are the text strings which I extracted from hddhackr.com (v0.91):

 Error ! Drive not found! 
$Error ! Drive has no ID data packet for us !
$Error ! BUSY timeout expired !
$Error ! DRDY timeout expired !
$Controller has 5 ports !! !
$Device Is a Mass Storage controller !! !
$Error while looking up PCI device reg !
$Addr port found !
$s2.bin
sd.bin
ec.bin
hddss.bin
undo.bin
File acces error, could not save data !
$Serial IDENTIFY DEV:
$Model IDENTIFY DEV:
$Bios version IDENTIFY DEV:
$Serial in hddss.bin file:
$Model string in hddss.bin file:
$Bios version in hddss.bin file:
$Serial on sector 2:
$Model on sector 2:
$Bios version on sector 2:
$****************************************
* HddHacker v0.91 *
* For the WD BEVS Scorpio series *
* *
* (c) 2007 The Specialist *
****************************************

$Detecting drives, please wait...
$
Usage:
HddHackr -d To dump sector 16-22 to file hddss.bin
HddHackr -f Flash FW with hddss.bin file
HddHackr -u Restore original FW from undo.bin
$Drive should work in your 360 !!
$(1) $Fatal error, the EC serial string was not found in the FW
$Fatal error, the EC model string was not found in the FW
$Fatal error, the EC bios string was not found in the FW
$Fatal error, the EC sector count was not found in the FW
$Fatal error occured
$Some SATA device responded ...
$Information on sector 16 does NOT match the firmware info.
Want to flash this firmware to make it compatible with sector 16 ? (y/n
$Trying to flash your firmware, DO NOT turn off your computer
$User Aborted
$Error ! drive not supported, make sure it a SATA WD Scorpio BEVS !
$Drive supports flash commands
$Fatal error, Not enough room in FW for your serial
$Fatal error, Not enough room in FW for your model string
$Fatal error, Not enough room in FW for your Bios string
$Error, could not open file
$Error reading file
$Could not detect drive. Make sure you are running this from pure MS-DOS
$Do you want to create an undo file ? (y/n)
$Are you sure you want to flash undo.bin to this drive ? (y/n)
$Error, please select y/n
$Error, undo.bin is invalid
$Uploaded flash to drive. NOW TURN OFF YOUR COMPUTER !!!
Then wait 10 seconds, turn on your computer and restart this
tool to see if it worked with the same option again: hddhackr -f
$Saved sectors to file hddss.bin. Now shut down your computer and replace
the HDD with the western digital. Then run:
HddHackr -f
$Error, data on sec 16 till 22 incorrect
$Error, data in hddss.bin seems incorrect
$Data on sectors 17 to 22 seems correct
$Data on sectors 17 to 22 seemed correct, so didnt touch that
$Copied data from hddss.bin to sector 16-22
$No drive found in Enhanced mode, now scanning in Legacy mode
$Type the nr of the drive you want to use (1 to 4, x=exit) $
Invalid Input
$Undo.bin file already exists, exiting program, see readme file !!!
$Fatal error, the length of FW mod2 is not as expected !!!
$Port number was edited, using edited port values, please wait ...
$port=MPRT


References


Xbox 360 Hard Drive Upgrade - Drive Structure:
http://beta.ivc.no/wiki/index.php/Xbox_360_Hard_Drive_Upgrade

HDDHackr home page (downloads and command syntax):
http://www.xboxhacker.org/index.php?topic=11813.0

How to hack a 250gb or 320gb sata drive to work in the Xbox 360 and Xbox 360 Slim:
http://digiex.net/guides-reviews/console-guides/xbox-360-guides/3152-how-hack-250gb-320gb-sata-drive-work-xbox-360-xbox-360-slim.html

Collection of WD UNDO.BIN files:
http://digiex.net/attachments/guides-reviews/console-guides/xbox-360-guides/7416d1317194998-how-hack-250gb-320gb-sata-drive-work-xbox-360-xbox-360-slim-undo.bins-wd.zip

Fujitsu Hard Drive Security Sectors:
http://beta.ivc.no/xbox360/hddhackr/120GB_HDDSS.rar
http://beta.ivc.no/xbox360/hddhackr/60GB_HDDSS.rar
http://beta.ivc.no/xbox360/hddhackr/20GB_HDDSS.rar

Xbox 360 250GB Hard Drive Security Sector:
http://digiex.net/attachments/downloads/download-center-2-0/consoles-homebrew/3814d1265962341-xbox-360-250gb-hard-drive-security-sector-download-hddss-bin-hddss_250gb-bin-hddss_250gb.zip

Xbox 360 320GB Hard Drive Security Sector
http://digiex.net/attachments/downloads/download-center-2-0/consoles-homebrew/7395d1316560295-xbox-360-320gb-hard-drive-security-sector-download-hddss-bin-hddss320-bin-hddss320.zip

HddHackr v1.30 Build 20110303 and earlier:
http://www.one-winged-angelz.eu/XBOX360/Apps/HddHackr/HddHackr_v1.30_Build_20110303.rar
http://www.one-winged-angelz.eu/XBOX360/Apps/HddHackr/HddHackr_v1.25_Build_20101114.rar
http://www.one-winged-angelz.eu/XBOX360/Apps/HddHackr/HddHackr_v1.24_Build_20100904.rar

Xplorer 360 250gb Edition:
http://digiex.net/attachments/downloads/download-center-2-0/consoles-homebrew/3816d1265962341-xbox-360-250gb-hard-drive-security-sector-download-hddss-bin-hddss_250gb-bin-xplorer360-250gb-edition.zip

Salvation Data article showing structure of WD modules:
http://www.salvationdata.com/blog/wp-content/uploads/2009/08/081909_0942_FixIdentifi5.png
http://www.salvationdata.com/blog/fix-identification-problem-caused-by-corruption-of-ata-overlay-module-or-rom-content/

← previous
next →
loading
sending ...
New to Neperos ? Sign Up for free
download Neperos App from Google Play
install Neperos as PWA

Let's discover also

Recent Articles

Recent Comments

Neperos cookies
This website uses cookies to store your preferences and improve the service. Cookies authorization will allow me and / or my partners to process personal data such as browsing behaviour.

By pressing OK you agree to the Terms of Service and acknowledge the Privacy Policy

By pressing REJECT you will be able to continue to use Neperos (like read articles or write comments) but some important cookies will not be set. This may affect certain features and functions of the platform.
OK
REJECT