• Registered: 2015-02-24
  • Posts: 101

I've on-and-off thought for some time about the possibility of modifying firmwares to enable scrambled reads on other models of drives.

It seems like it should be possible in theory, as a number of drives don't have any kind of firmware signature and can seemingly be freely modified (e.g., all the RPC-1 hacks, riplock removal hacks, etc. for a bunch of TSST and other MediaTek drives). Hell, there might be some firmware out there in some drive that has the scramble table easily accessible in the firmware, in which case it might be possible to just zero out the table and have a drive that can only do scrambled reads.

I'm curious if anyone is looking into this / has looked into this in the past? I've been going through a lot of Plextor drives, so I'm mostly wondering aloud if anyone feels like an alternative might one day exist. It's neat that some newer drives (like the BW-16D1HT) can do scrambled reads, but it seems as though they still pale in comparison compared to the Plextor drives (issues finding offset, etc.).

  • Registered: 2021-03-09
  • Posts: 249

I am returning to this topic because I am also interested in it. I myself have a drive without scrambled mode, but I couldn't find a way to modify the firmware

  • Registered: 2015-05-23
  • Posts: 390

olofolleola4 on VGPC might have been looking at this.

  • Registered: 2021-03-09
  • Posts: 249

I asked him about it and he couldn't help it. Nevertheless, maybe this project would somehow help decode the names of functions in the software for the drive? - https://github.com/quarkslab/binbloom

  • Registered: 2021-03-09
  • Posts: 249

I did some research on this topic and in general a few projects can help me in dismantling the firmware:
ala42's program MCSE - http://ala42.cdfreaks.com/MCSE/
scanlime's project CoasterMeIt - https://github.com/scanlime/coastermelt
Repository for firmware's, patcher's etc for CD/DVD drives - http://forum.rpc1.org/
Devilsclaw's project Flasher - https://github.com/devilsclaw/flasher
The first program is only for removing the region lock, but maybe if you disassemble this program, its source code would help you understand how it works (after all, this program accesses the CD / DVD drive firmware directly), the second project is an attempt to reverse engineer the firmware for CD drives Samsung / DVD (the project is undeveloped, but its resources have been left, so maybe there would be some use for it? The third project is a page with various firmware, patchers, etc., etc. for CD / DVD drives, so disassembly at least these patchers may in this topic And the fourth project is also an attempt to dismantle the firmware for the CD / DVD drive, but this time for LG drives. This project (like the rest of the others) is not being developed either, but its resources and source code are still on GitHub so maybe it could also help in something?

  • Registered: 2015-02-24
  • Posts: 101

MrPepka wrote:

I did some research on this topic and in general a few projects can help me in dismantling the firmware:
ala42's program MCSE - http://ala42.cdfreaks.com/MCSE/
scanlime's project CoasterMeIt - https://github.com/scanlime/coastermelt
Repository for firmware's, patcher's etc for CD/DVD drives - http://forum.rpc1.org/
Devilsclaw's project Flasher - https://github.com/devilsclaw/flasher
The first program is only for removing the region lock, but maybe if you disassemble this program, its source code would help you understand how it works (after all, this program accesses the CD / DVD drive firmware directly), the second project is an attempt to reverse engineer the firmware for CD drives Samsung / DVD (the project is undeveloped, but its resources have been left, so maybe there would be some use for it? The third project is a page with various firmware, patchers, etc., etc. for CD / DVD drives, so disassembly at least these patchers may in this topic And the fourth project is also an attempt to dismantle the firmware for the CD / DVD drive, but this time for LG drives. This project (like the rest of the others) is not being developed either, but its resources and source code are still on GitHub so maybe it could also help in something?

I haven't thought about this for a while, but I'm looking for an excuse to get going on a nice RE project, so maybe I'll look into it again as I have time. Full disclosure, though: I'm not remotely good at RE. At all. I haven't even done any serious assembly language work in years.

In any case, my suspicion is that there are definitely people around who have done enough reversing on CD/DVD drive firmwares to be able to do something like this in a jiffy, but a lot of those people are probably long gone to working on newer projects.

But, at least for older drives that don't bother with any kind of encryption / signature for the firmware, it should be possible to pretty easily modify any behavior that's present in the firmware. One issue is going to be that some behavior is surely happening at a lower level. For example, I suspect the actual descrambling on most drives would be done in hardware just using a scrambling table and an XOR. However, something like blocking 0xBE from working on data discs is probably (?) handled at the firmware level. Thus, while maybe it wouldn't be possible to directly play with the descrambling code, it might be possible just to bypass the check that disallows 0xBE on data discs.

It may even be the case that someone out there has a debug firmware that allows manipulating memory values in the drive. If that were the case, it maybe would be as simple as just using such a firmware and then sending a debug command to alter the memory region holding the TOC after a disc was inserted. I.e., change it so that the drive thinks the data track is an audio track.

I would imagine at least some parts of this are doable without huge effort for someone who knows what they're doing. Unfortunately, that someone is not me. But, I'm willing to take another look at it, especially if someone gets some leads.

  • Registered: 2019-06-28
  • Posts: 178

In case it's helpful, I wrote a Ghidra SLEIGH processor spec for the MN102 processor (matsushita/panasonic) a while ago.  I'm not sure if anything recent/readily available still uses the MN102 though.

  • Registered: 2015-02-24
  • Posts: 101

Pokechu22 wrote:

In case it's helpful, I wrote a Ghidra SLEIGH processor spec for the MN102 processor (matsushita/panasonic) a while ago.  I'm not sure if anything recent/readily available still uses the MN102 though.

Thanks for the info! Last time I just picked a random old drive I had lying around to play with, and I'll probably do the same this time when I take a look at it. This gives me one more option if it turns out to be running an odd chipset. IIRC, the last one I looked at was an Intel 8501 ISA firmware, but that was, again, just because that's what I happened to have lying around.

As a general note for this thread, a potentially useful document on firmware reversing is available on Archive (https://web.archive.org/web/20101225174 … rmware.pdf). It's specifically about reversing a DVD firmware to make it region free, but a lot of what it describes would need to be done for a project like this as well. It has specific notes about locating the code within the firmware that handles A3 and A4 operations. While those aren't operations we'd likely be concerned about, locating them would likely provide insight to the general structure of the code and provide a starting point for locating and modifying code that handles other operations (like 0xBE potentially).

  • Registered: 2021-03-09
  • Posts: 249

I think at this stage it will be more of a problem to find someone who has a very good knowledge of firmware for CD / DVD drives. Maybe RibShark would help us?