CaptainInsaneO Posted June 1, 2008 Report Share Posted June 1, 2008 I'm still researching a way to get into the actual OS part of the Z, and have come across something from the XBox community that may be of use to us here at avic411. http://forums.afterdawn.com/thread_view.cfm/357863 Seems they've jury-rigged an EEPROM reader, and used a program called LiveInfo to reveal the HDD key. This could potentially be used to unlock our Z drives without having to use a pay service. I'm making this new thread to be a dumping ground for ideas/links/resources for anyone who wants to participate in this little project I've embarked on. Quote Link to post Share on other sites
GnatGoSplat Posted June 5, 2008 Report Share Posted June 5, 2008 I don't think the password is stored in the OS. The Xbox EEPROM doesn't contain the OS, I think it only contains the password and possibly other configuration data. The Z probably does have an EEPROM though. If you just want to get to the OS part, you can already get to the OS files, just download the Z1 or Z2 program updates. The file you're looking for is EU060PLT.PRG. It contains the OS and the OS files can be dumped using PPC2003 extract tools. Quote Link to post Share on other sites
CaptainInsaneO Posted June 6, 2008 Author Report Share Posted June 6, 2008 Thanks for your input, I'll look into that. Quote Link to post Share on other sites
CaptainInsaneO Posted June 13, 2008 Author Report Share Posted June 13, 2008 Just as a note, I'm throwing this in here. Playing around with my drive today (not with the chip, I haven't had a whole lot of free time lately) and I've imaged it to a clean Z3. Burnt two albums and here's some things I've found: THIRD PARTITION Genres are stored under /HOLD/MUSIC/GPL01. Album titles are stored under /HOLD/MUSIC/OPL**. Your playlists are stored under /HOLD/MUSIC/PLDAT**. Your favorites and mixes are stored under /HOLD/MUSIC/UPL01. The album playlists are stored under /HOLD/MUSIC/APL**. I noticed something interesting in the MUSIC folder on this partition as well... all the song files on the AVIC-Zx are .at3 files. This is the same file format for music on the Sony PSP. Of course, as I'm sure others have, I immediately tried to convert the at3 to mp3 using GoldWave, to see if it would be feasible to do it the other way as well (mp3->at3), but I just got a lot of static. I also tried HIMdRenderer. I don't actually own a PSP, so can someone possibly pull a few of these ATRAC files from their AVIC and attempt to play them on their PSP using something like iR Shell? I'd like to see if maybe these files are encrypted/encoded a little differently than your normal ATRAC, and if so we may be shit out of luck for getting mp3s to our AVICs. I'm out of time for right now but I'll post more thoughts/findings for anyone who is interested when I work on this again. Quote Link to post Share on other sites
matt23 Posted June 30, 2008 Report Share Posted June 30, 2008 I noticed something interesting in the MUSIC folder on this partition as well... all the song files on the AVIC-Zx are .at3 files. This is the same file format for music on the Sony PSP. Of course, as I'm sure others have, I immediately tried to convert the at3 to mp3 using GoldWave, to see if it would be feasible to do it the other way as well (mp3->at3), but I just got a lot of static. interesting, i wonder if the Z* units do some sort of low-grade DRM. Like, just a simple hash against the unit's serial number or some other value. Then all the files will only play on that unit. (?) I think I'll poke around too for fun Quote Link to post Share on other sites
garrettoomey Posted June 30, 2008 Report Share Posted June 30, 2008 Music installed on a hard drive can be played in another Z if the HD is moved to another vehicle. Quote Link to post Share on other sites
Kronyk420 Posted July 8, 2008 Report Share Posted July 8, 2008 Hi, I'm only a hobby-hacker but I'd be glad to contribute what I can. I've hacked about 30 or so Xboxes, and at least 10 of them with an eeprom reader. It was actually the easiest way to mod them in the end, I just clipped on the reader to the chip, read it with an on board power supply for safety, then pre-fabbed the new HDD with the password I swiped. There were two programs involved - Ponyprog which I believe is shareware - and LiveInfo which I think may have been Xbox specific. You could also flash your eeprom chip this way but I never made it that far in my explorations. The whole process was almost identical to the Z3 upgrade except that Xbox drives are full size. You unlock the drive, transfer a proprietary drive image, relock the drive, install and voila! I'm pretty sure you could not access the OS this way but you could definitely crack the EEPROM this way. You would need someone who could translate the data you receive into a workable HDD password though. That's what LiveInfo did. It compared the data received through PonyProg with your Xbox version and used an algorithm to determine your HDD pass. That's all way above my head though. Check out Xboxscene.com for the 411. Good luck!! Quote Link to post Share on other sites
GnatGoSplat Posted July 9, 2008 Report Share Posted July 9, 2008 How does the drive relock anyway? Is it on the OS level, or hardware level? The fact there's an EEPROM makes me wonder if the relocking is a function of the ATA controller. However, if it were in the OS, someone could hack it and modify it to skip the relocking function. Quote Link to post Share on other sites
CaptainInsaneO Posted July 26, 2008 Author Report Share Posted July 26, 2008 Music installed on a hard drive can be played in another Z if the HD is moved to another vehicle. You're absolutely right, and that's got me thinking that Pioneer is using a proprietary encryption algorithm on these music files. That's why I was interested to see if anyone could get them to play on a PSP. To kronyk, thanks for the great input. Did you make your own reader, or did you buy it? If you bought it, which one is it? I've searched for clip-on ones but all I can find are the writers/programmers that you have to insert the chip into. I've got a theory that if you could access the data on that chip, you could of course copy all of it over to a storage medium and begin working with it that way. Then comes the question of whether Pioneer encrypted the OS for this unit or not. I'm really hoping they took the "security through obscurity" route and just figured no one would go through the trouble of hacking the OS and didn't bother protecting it. My main mission in doing this right now is to see if those damn warning screens/prompts are indeed stored in the registry, and if so, to TURN THEM OFF!! A lot of people have been asking for this and I really want to see if I can get it done. Oh, and sorry for lack of updates, I've been out of the U.S. for the last month or so. Quote Link to post Share on other sites
Hyperite Posted July 26, 2008 Report Share Posted July 26, 2008 Hey, do we know how to read the guidance audio files? Quote Link to post Share on other sites
GnatGoSplat Posted July 27, 2008 Report Share Posted July 27, 2008 My main mission in doing this right now is to see if those damn warning screens/prompts are indeed stored in the registry, and if so, to TURN THEM OFF!! A lot of people have been asking for this and I really want to see if I can get it done. They're not. I posted the registry awhile back, there's no reference to the warning screens. I think it's hard-coded into the application files. The OS is NOT encrypted, it can be dumped in the same way as Windows Mobile 2003 (with dumprom.exe). Quote Link to post Share on other sites
dawgbone Posted July 27, 2008 Report Share Posted July 27, 2008 That's funny... That's how I unlocked my first Z2 drive... I have an original Xbox modded with the Xecuter X3 chip.... Well...it could unlock the drive, but for some reason the disable lock didn't work... Quote Link to post Share on other sites
GnatGoSplat Posted July 28, 2008 Report Share Posted July 28, 2008 Anyone know assembly language? I found some possibly interesting code in Navi.exe that might be related to that annoying warning message. I don't know assembly at all so none of this makes any sense to me... --------------------------------------------------------------------------- .text:00108EA2 .align 4 .text:00108EA4 off_108EA4: .data.l ?NP_Printf@@YAHPBDZZ ; DATA XREF: .text:00108E90r .text:00108EA4 ; NP_Printf(char const *,...) .text:00108EA8 off_108EA8: .data.l aUin_win_safe_1 ; DATA XREF: .text:00108E92r .text:00108EA8 ; "UIN_WIN_SafetyCaution::GetPlCaution() r"... .text:00108EAC ; --------------------------------------------------------------------------- .data:00615244 off_615244: .data.l aUin_win_safety ; DATA XREF: .text:off_9DD08o .data:00615244 ; "UIN_WIN_SafetyCaution" .data:00615248 aUin_win_safe_0:.sdata "UIN_WIN_SafetyCaution" ; DATA XREF: .text:off_9DE88o .data:00615248 .data.b 0 .data:0061525E .align h'10 .rdata:0048396C aUin_win_safety:.sdata "UIN_WIN_SafetyCaution" ; DATA XREF: .data:0061520Co .rdata:0048396C ; .data:off_615244o ... .rdata:0048396C .data.b 0 .rdata:00483982 .align 4 UIN_WIN_SafetyCaution is the function that caught my interest. Just a guess... UIN = User Input WIN = Window SafetyCaution = The annoying message. So it seems like this might be the function that pops up the annoying caution message, in a window, requiring user input. Quote Link to post Share on other sites
CaptainInsaneO Posted July 28, 2008 Author Report Share Posted July 28, 2008 I think you're on to something there. I've attached my 2 cents for that file. I'm going to work more on this, give me a few days and I'll check back. navi.txt Quote Link to post Share on other sites
GnatGoSplat Posted July 28, 2008 Report Share Posted July 28, 2008 Ok, totally guessing here, but here's where I think it's doing the check. --------------------------------------------------------------------------- .text:00108E84 .text:00108E84 loc_108E84: ; DATA XREF: .rdata:004F850Co .text:00108E84 sts.l pr, @-r15 .text:00108E86 add #-h'10, r15 .text:00108E88 bsr sub_108DFC .text:00108E8A nop .text:00108E8C tst r0, r0 .text:00108E8E bf loc_108E9A .text:00108E90 mov.l @(h'10,pc), r3 ; [00108EA4] = ?NP_Printf@@YAHPBDZZ .text:00108E92 mov.l @(h'14,pc), r4 ; [00108EA8] = aUin_win_safe_1 .text:00108E94 mov.l @r3, r3 .text:00108E96 jsr @r3 .text:00108E98 nop .text:00108E9A .text:00108E9A loc_108E9A: ; CODE XREF: .text:00108E8Ej .text:00108E9A add #h'10, r15 .text:00108E9C lds.l @r15+, pr .text:00108E9E rts .text:00108EA0 mov #1, r0 .text:00108EA0 ; --------------------------------------------------------------------------- .text:00108EA2 .align 4 .text:00108EA4 off_108EA4: .data.l ?NP_Printf@@YAHPBDZZ ; DATA XREF: .text:00108E90r .text:00108EA4 ; NP_Printf(char const *,...) .text:00108EA8 off_108EA8: .data.l aUin_win_safe_1 ; DATA XREF: .text:00108E92r .text:00108EA8 ; "UIN_WIN_SafetyCaution::GetPlCaution() r"... .text:00108EAC ; --------------------------------------------------------------------------- I think the BSR on 00108E88 is running a subroutine that plugs a memory location into r0, whatever that is... a register? TST on 00108E8C is comparing r0's current value to r0's past value. BF loc_108E9A says branch if false, so if the TST above it returns false, it skips a bunch of crap, which I think is calling functions to display the safety message. I thought maybe replacing BF with a BRA to branch always might do the trick, but BRA is a delayed branch which means it will execute the command after it, so rather than replacing the BF with something, I replaced 00108E8C thru 00108E96 with NOP (No Operation) to skip right down near the end of the subroutine. I'll try copying my modified NAVI.EXE to my spare hard drive and see what happens. It'll either work, make no difference, crash, or not even try to run it if it does a checksum test! I wouldn't know what a checksum test looks like so I have no idea if it does that or not. Quote Link to post Share on other sites
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.