File information

  • Added: Aug 28 2007 10:18
  • Updated: Sep 05 2011 09:27
  • Size: 183.9K
  • Views: 66943
  • Downloads: 16433

DosFlash V2.0 Release Date 03.09.2011
---------------------------------------
- Key extraction task "LiteOn Key V3 (Tarablinda)" now supports the Slim firmware versions 9504, 0272, 0225,
  0401, 1071 and also tries to discover the key on unknown firmware versions
- 2 new tasks added named "Lock SPI Flash" and "Unlock SPI Flash"
  The new unlock SPI flash task is used in combination with Geremia's MXIC and Winbond Unlock method.
  It is very much influenced by Geremia's unlockSPI program, which was the first bruter to unlock Winbond SPI
  flashes. To relock the flash after you have finished writing a patched firmware to it, use the lock SPI flash
  task. This will instantly make the SPI flash write protected for all blocks. BP0, BP1 and SRP status bits are
  activated afterward, so handle this function with care!
- The Read Flash task can now create a full firmware dump of the Slim firmware versions 9504, 0272, 0225, 0401 and 1071
  To create full firmware dumps of 0225 drives and above you should get a compatible SATA2 controller and set
  it to IDE mode. In addition you should be able to do Geremia's MXIC or Winbond unlock method. The compatible
  SATA2 controller is needed to unlock the MTK. Any installed drivers should be uninstalled, because they will
  switch the controller back to AHCI mode. In combination with the SPI flash status register unlock you are able
  to write to the firmware and inject Geremia's 8051 trojan, which can then dump the complete firmware. A risk
  level is added to show you how risky it is for your individual flash chip and firmware combination to write
  the patched firmware to obtain a full dump.
- Possibility during "Read Flash" task to write firmware sector 3E of Slim drives with unknown firmware version
  This feature should be useful if new, unknown Slim firmware versions get out. If you write the patched 3E sector
  to a new and unknown firmware version this could potentially kill your drive. So handle it with care!
- Portio.sys reimplemented as separate driver for DosFlash32 and DosFlash64
  The driver files portio32.sys and portio64.sys are again separated from the executable file. This way the
  user has the possibility to sign the drivers on his x64 system with the Driver Signature Enforcement Overrider.
- SATA and IDE adapter list updated


Geremia's Tarablinda method on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash32/64
-----------------------------------------------------------------------------------------------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- make sure the drivers for the SATA2 controller are uninstalled
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into Windows
- turn on the LiteOn psu
- run DosFlash32/64
- the drive and flash chip should identify properly
- choose the task "LiteOn Key V3 (Tarablinda)"
- press "LiteOn Key V3" button
- choose a destination directory for the extracted files
- after this DosFlash32/64 displays your DVD-Key and saves your key and identify data
- then DosFlash32/64 displays the following message:
  There seems to be a LiteOn Slim drive connected as Master
  to port 0xA000.
  You should try SATA2 MTK unlock method.
  - Use a compatible SATA2 controller set to IDE mode
  - Repower the drive which is connected to the SATA 2 controller
  - Press "Yes" if you are ready
  Are you ready?
- do the above and press "Yes"
- this repower is used to get DosFlash32/64 back to a known MTK state


Geremia's Tarablinda method on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash16
--------------------------------------------------------------------------------------------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into MS-DOS 6.22
- turn on the LiteOn psu
- run DosFlash16 in auto mode
- the drive and flash chip should identify properly
- choose your drive number
- as task choose "LITEON K"
- as extraction method choose "V3"
- choose a destination directory for the extracted files
- after this DosFlash16 displays your DVD-Key and saves your key and identify data


Unlock flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash32/64
--------------------------------------------------------------------------------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- make sure the drivers for the SATA2 controller are uninstalled
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into Windows
- turn on the LiteOn psu
- run DosFlash32/64
- the drive and flash chip should identify properly
- choose the task "Unlock SPI Flash"
- press "Unlock SPI Flash" button
- you will hear a test sound from the PC speaker and the following message is displayed:
  The sound that just played was a test. You will hear the
  same sound if unlocking is successful later on. If you
  have not heard a sound, you should skip the unlock and
  check your PC speaker.
  Unlocking the SPI flash requires you to use Geremia's MXIC
  or Winbond Unlock method. Proceed like follows:
  - Press "Yes" if you are ready
  - Start Geremia's MXIC / Winbond Unlock
  - Stop if you hear the sound
  Are you ready?
  (Press ESC key to abort!)
- press "Yes"
- start MXIC or Winbond dremel unlock
- stop if you hear the test sound again
- the SPI flash should now be successfully unlocked


Unlock flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash16
-----------------------------------------------------------------------------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into MS-DOS 6.22
- turn on the LiteOn psu
- run DosFlash16 in auto mode
- the drive and flash chip should identify properly
- choose your drive number
- as task choose "U" for "Unlock SPI Flash"
- you will hear a test sound from the PC speaker and the following message is displayed:
  The sound that just played was a test. You will hear the
  same sound if unlocking is successful later on. If you
  have not heard a sound, you should skip the unlock and
  check your PC speaker.
  Unlocking the SPI flash requires you to use Geremia's MXIC or Winbond Unlock
  method. Proceed like follows:
  - Press "Yes" if you are ready
  - Start Geremia's MXIC / Winbond Unlock
  - Stop if you hear the sound
  Are you ready?
  (Press ESC key to abort!)
- confirm with 'Y' for "Yes"
- start MXIC or Winbond dremel unlock
- stop if you hear the test sound again
- the SPI flash should now be successfully unlocked


Read flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash32/64
------------------------------------------------------------------------------------
- you should have unlocked the SPI flash prior to reading the flash, otherwise the following steps will not work
- connect your Slim drive to a SATA2 controller set to IDE mode
- make sure the drivers for the SATA2 controller are uninstalled
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into Windows
- turn on the LiteOn psu
- run DosFlash32/64
- the drive and flash chip should identify properly
- choose the task "Read Flash"
- press "Read Flash" button
- enter the name of your flash firmware output file e.g. fulldump.bin
- you read the following (the displayed checksum and risk level can vary):
  Risk Level: Minimal! Winbond SPI flash with empty 3D3E sectors.
  Firmware sectors 0x3D000 and 0x3E000 match known checksum
  0xFFFFF800.
  Do you want to write firmware with patched code to be able to read
  the firmware?
- press "Yes"
- then DosFlash32/64 displays the following message:
  There seems to be a LiteOn Slim drive connected as Master
  to port 0xA000.
  You should try SATA2 MTK unlock method.
  - Use a compatible SATA2 controller set to IDE mode
  - Repower the drive which is connected to the SATA 2 controller
  - Press "Yes" if you are ready
  Are you ready?
- do the above and press "Yes"
- after this DosFlash32/64 saves your firmware dump and displays the above message again, repower
  the drive again and press "OK"
- the last repower is used to get DosFlash32/64 back to a known MTK state


Read flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash16
---------------------------------------------------------------------------------
- you should have unlocked the SPI flash prior to reading the flash, otherwise the following steps will not work
- connect your Slim drive to a SATA2 controller set to IDE mode
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into MS-DOS 6.22
- turn on the LiteOn psu
- run DosFlash16 in auto mode
- the drive and flash chip should identify properly
- choose your drive number
- as task choose "R" for "Read Flash"
- enter the name of your flash firmware output file e.g. fulldump.bin
- you read the following (the displayed checksum and risk level can vary):
  Risk Level: Minimal! Winbond SPI flash with empty 3D3E sectors.
  Firmware sectors 0x3D000 and 0x3E000 match known checksum 0xFFFFF800.
  Do you want to write firmware with patched code to be able to read
  the firmware (Y/N)?
- confirm with 'Y' for "Yes" and press Enter
- then DosFlash16 displays the following message:
  There seems to be a LiteOn Slim drive connected as Master to port 0xA000.
  You should try SATA2 MTK unlock method.
  - Use a compatible SATA2 controller set to IDE mode
  - Repower the drive which is connected to the SATA 2 controller
  - Press "Yes" if you are ready
  Are you ready (Y/N)?
- do the above and press 'Y' for "Yes"
- after this DosFlash16 saves your firmware dump


Lock flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash32/64
------------------------------------------------------------------------------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- make sure the drivers for the SATA2 controller are uninstalled
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into Windows
- turn on the LiteOn psu
- run DosFlash32/64
- the drive and flash chip should identify properly
- choose the task "Lock SPI Flash"
- press "Lock SPI Flash" button
- read the displayed warning carefully, because locking the flash is very risky
- press "Yes"
- the SPI flash should now be successfully locked


Lock flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash16
---------------------------------------------------------------------------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into MS-DOS 6.22
- turn on the LiteOn psu
- run DosFlash16 in auto mode
- the drive and flash chip should identify properly
- choose your drive number
- as task choose "L" for "Lock SPI Flash"
- read the displayed warning carefully, because locking the flash is very risky
- confirm with 'Y' for "Yes"
- the SPI flash should now be successfully locked


DosFlash16 Manual Mode Examples for LiteOn Slim 0225
------------------------------------------------------
- Extract drive key on a "PLDS DG-16D4S 0225"
  DOSFLASH LITEON K V3 1010 A0

- Unlock SPI Flash on a "PLDS DG-16D4S 0225"
  DOSFLASH U 1010 1 A0 3 0

- Read firmware on a "PLDS DG-16D4S 0225"
  DOSFLASH R 1010 1 A0 3 0 4 FWOUT.BIN 0

- Write firmware on a "PLDS DG-16D4S 0225"
  DOSFLASH W 1010 1 A0 3 0 4 FWIN.BIN 0

- Erase firmware on a "PLDS DG-16D4S 0225"
  DOSFLASH E 1010 1 A0 3 0 4 C7 0

- Lock SPI Flash on a "PLDS DG-16D4S 0225"
  DOSFLASH L 1010 1 A0 3 0


Excellent work on the MXIC / Winbond unlock by Geremia and Maximus.
As the Duke would say: Hail to the kings baby!
Kai Schtrom

DosFlash
----------
DosFlash supports two flashing modes, Auto and Manual. If you type DOSFLASH at a DOS prompt it
will start in Auto mode. All drives and the corresponding flash chips are detected automatically.
If you can't get a flash chip recognized due to a bad flash or other problems you should use the
Manual mode. In Manual mode you can enter all the parameters used for flashing by hand. The
following help screen is displayed if you start DosFlash with a wrong number of parameters:


DOSFLASH by Kai Schtrom, 08/05/2007 (Ver 1.0 Beta)
DOSFLASH [R|W|E] [PORT] [PORT TYPE] [DRIVE POS] [FLASH TYPE]
         [FLASH SIZE] [FLASH SECTOR ERASE OPCODE] [FILE NAME]
                        R: Read FLASH
                        W: Write FLASH
                        E: Erase FLASH
                     PORT: Port to send command to
                PORT TYPE: 0 for IDE, 1 for SATA
                DRIVE POS: A0 for Master, B0 for Slave
               FLASH TYPE: 0 for parallel flash, 1 for serial flash
               FLASH SIZE: size of flash chip in number of banks
FLASH SECTOR ERASE OPCODE: individual sector erase opcode command byte
                           this is only needed for erasing a serial flash
                FILE NAME: name of the file to read/write from/to flash
All numbers are interpreted as hex values!

Example Usage:
"DOSFLASH R 01F0 0 A0 1 4 C:\flash.bin"
=> Read serial flash with a size of 4 banks (262144 bytes) from Master Device
   on IDE port 0x01F0
"DOSFLASH E C000 1 A0 1 4 D8"
=> Erase serial flash with opcode 0xD8 and a size of 4 banks (262144 bytes)
   from Master Device on SATA port 0xC000
  
  
Explanation of the Parameters:
--------------------------------

[R|W|E]
---------
- this sets the flashing mode; it is recommended to first try a read on any
  drive: if the read fails, it is highly unlikely that a write or erase will
  succeed

[PORT]
--------
- the port to which the drive is connected, a port number should always be entered
  in hexadecimal and have 4 hex digits, valid ports are: 01F0, 0170, C000, C800
- this option can be used if your PCI adapter card or on board IDE/SATA ports are
  not identified by the auto mode

[PORT TYPE]
-------------
- the port type tells DosFlash what type of port is installed at the port address
  entered before
- valid values are 0 for IDE and 1 for SATA
- make sure you never pair a port with the wrong port type, this could give
  strange results or in the worst case a bricked drive
  
[DRIVE POS]
-------------
- old style IDE channels have the possibility to connect two drives to one IDE
  channel; the first drive is called the master, the second drive is called the
  slave
- you can select which drive should be flashed on the channel, A0 selects Master,
  B0 selects Slave
- on SATA ports this value is always A0, because you can only connect one drive to
  a SATA port, so for SATA you will always type A0 here
- it is not recommended to flash IDE drives with another drive connected to the
  same IDE channel, this could be risky if something in the Master/Slave selection
  fails
  
[FLASH TYPE]
--------------
- there are two types of flash chips out for CD/DVD-ROM drives at the moment
- the older type is parallel flash, which is also supported by mtkflash for example
- the newer type is serial flash, which is supported by flashers like XSF
- the problem here is that no tool is out that can flash serial flash chips on
  SATA ports
  
[FLASH SIZE]
--------------
- this specifies the flash chip size in banks
- one bank is always 65536 bytes in size
- if you know your drive has a flash chip of 262144 bytes in size you need to enter 4

[FLASH SECTOR ERASE OPCODE]
-----------------------------
- the opcode used in the flash chips datasheet for erasing
- for serial chips this command can be different from the standard and needs to be
  entered for flash erase
- for parallel flash chips you can enter a dummy cmd byte, the integrated command
  should work on all parallel flash chips without a problem
  
[FILE NAME]
-------------
- name of the file that should be used for flashing
- for reading operations this should be the output file
- for writing operations this should be the input file
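As an added illustration (not part of DosFlash or this readme), the following Python parser applies the parameter rules above to a DOSFLASH manual-mode command line in the form the 1.0 Beta help screen and its two example usages show: seven parameters, the last one being the erase opcode for E and the file name for R/W. The longer DosFlash 2.0 manual-mode lines listed earlier are not covered; unlisted ports are accepted but flagged, since the text allows them for adapters the auto mode misses.

```python
import re
from dataclasses import dataclass, field
from typing import List, Optional

LISTED_PORTS = {"01F0", "0170", "C000", "C800"}   # ports named in the readme
PORT_TYPES = {"0": "IDE", "1": "SATA"}
DRIVE_POS = {"A0": "Master", "B0": "Slave"}
FLASH_TYPES = {"0": "parallel", "1": "serial"}
BANK_SIZE = 65536                        # one bank is always 65536 bytes

@dataclass
class DosFlashCommand:
    mode: str                            # R, W or E
    port: int                            # I/O port base address
    port_type: str                       # IDE or SATA
    drive_pos: str                       # Master or Slave
    flash_type: str                      # parallel or serial
    banks: int                           # FLASH SIZE in 64 KiB banks
    erase_opcode: Optional[int] = None   # only meaningful for E
    file_name: Optional[str] = None      # only meaningful for R/W
    warnings: List[str] = field(default_factory=list)

    @property
    def flash_bytes(self) -> int:
        return self.banks * BANK_SIZE

def parse_dosflash(cmdline: str) -> DosFlashCommand:
    """Parse a DOSFLASH manual-mode command line (1.0 Beta help-screen form)
    and reject inconsistent parameters before anything is sent to a drive."""
    args = cmdline.split()
    if len(args) != 8 or args[0].upper() != "DOSFLASH":
        raise ValueError("expected: DOSFLASH [R|W|E] PORT PORT_TYPE DRIVE_POS "
                         "FLASH_TYPE FLASH_SIZE (ERASE_OPCODE | FILE_NAME)")
    mode, port, ptype, dpos, ftype, size = (a.upper() for a in args[1:7])
    last = args[7]
    if mode not in ("R", "W", "E"):
        raise ValueError("mode must be R, W or E")
    if not re.fullmatch(r"[0-9A-F]{4}", port):
        raise ValueError("PORT must be exactly 4 hex digits, e.g. 01F0")
    if ptype not in PORT_TYPES:
        raise ValueError("PORT TYPE must be 0 (IDE) or 1 (SATA)")
    if dpos not in DRIVE_POS:
        raise ValueError("DRIVE POS must be A0 (Master) or B0 (Slave)")
    if ftype not in FLASH_TYPES:
        raise ValueError("FLASH TYPE must be 0 (parallel) or 1 (serial)")
    if not re.fullmatch(r"[0-9A-F]{1,2}", size) or int(size, 16) == 0:
        raise ValueError("FLASH SIZE must be a non-zero hex bank count")
    if PORT_TYPES[ptype] == "SATA" and dpos != "A0":   # one drive per SATA port
        raise ValueError("SATA ports only take DRIVE POS A0")
    cmd = DosFlashCommand(mode, int(port, 16), PORT_TYPES[ptype], DRIVE_POS[dpos],
                          FLASH_TYPES[ftype], int(size, 16))
    if mode == "E":                      # erase: last parameter is the opcode byte
        if not re.fullmatch(r"[0-9A-F]{2}", last.upper()):
            raise ValueError("E needs a one-byte hex sector erase opcode, e.g. D8")
        cmd.erase_opcode = int(last, 16)
    else:                                # read/write: last parameter is the file name
        cmd.file_name = last
    if port not in LISTED_PORTS:         # allowed for unrecognised adapters, but flag it
        cmd.warnings.append("port %s is not one of the listed ports" % port)
    return cmd
```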


Hints and Warnings
--------------------
- read, write, erase TS-H943A MS28 after the firmware stealth has been disabled with the Enable0800 disc
  - this only works one time, after the first mtk vendor specific intro cmd is sent
  - if the mtk vendor specific outro cmd is sent the chip goes back to stealth mode and you need
    the Enable0800.iso again to disable it
  - therefore the mtk vendor specific intro is sent at program start to all present devices and the
    mtk outro is sent at program end
  - if you have a chip manufacturer id of 0x02 and a chip device id of 0x02 for the TS-H943A
    the flash chip is in stealth mode and won't give access to any reading, writing, erasing
- always have a look at the DataSum generated, this is exactly the DataSum of mtkflash
  - the DataSum is calculated as the sum of all bytes of the firmware in a short integer
  - to make 100% sure that the flash is written right compare that DataSum to a known one
- this tool has not been tested on all drives out there, the typ list is simply copied from well
  known programs like mtkflash and XSF
  - always try a flash read on a not yet tested drive before doing anything else
  - if the read doesn't succeed it is highly unlikely that a write or erase will
- some LiteOn drives seem to have problems writing the firmware correctly; this problem seems to be
  related to Windows register flashing, because even an assembler application can't do this error-free
  - if you get errors on LiteOn drives, write the flash two times in a row
- for direct port I/O in Windows the giveio.sys driver is used; this driver is loaded at DosFlash32
  start and unloaded at program end. Be warned, this driver can possibly make your system unstable:
  its intention is to let privileged assembler instructions like IN and OUT pass, even in Windows;
  if this driver is not used you will not be able to get direct access to port registers
- DosFlash was tested on MS-DOS 6.22 and later, you can easily copy it on a MS-DOS boot disk created
  in Windows XP and start DosFlash directly from the disk
- don't forget to also copy the DosFlash.typ file, it has all the information about flash chips
  for auto mode flashing
- DosFlash32 was tested without a prob on Windows XP SP2, you'll need also the typ file for the
  win version
- DosFlash32 will deactivate all CD-ROMs in Device Manager at startup; this is better for flashing,
  because Windows seems to poll the drives all the time and this could result in a bad firmware file or
  a program hang; the drives are activated again at program end
- you should make sure that the flash is not in an erased state at program end, because Device Manager
  doesn't like drives that do not respond to the inquiry command
- deactivating all CD-ROMs could take a few seconds, so please be patient at program start
- DosFlash and DosFlash32 will try to scan for the VIA 6421L Raid Controller card, based on vendor
  id 1106 and device id 3249, it doesn't matter if the card driver is installed or not
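As an added example (not from DosFlash or its author), this Python helper turns the hints above into checks you can run on a dump file: it computes the DataSum as the sum of all firmware bytes in a 16-bit short integer, derives the FLASH SIZE bank count, flags an all-0xFF image as erased or mis-read, and locates the first difference between an image written and the dump read back. The sample images are constructed, not real firmware.

```python
BANK_SIZE = 65536   # one bank is always 65536 bytes (FLASH SIZE parameter)


def datasum(image: bytes) -> int:
    """DataSum as described above: the sum of all firmware bytes accumulated
    in a 16-bit short integer, i.e. the byte sum modulo 0x10000."""
    return sum(image) & 0xFFFF


def banks_for(image: bytes) -> int:
    """FLASH SIZE bank count for an image; raise if it is not whole banks."""
    if not image or len(image) % BANK_SIZE:
        raise ValueError("length %d is not a whole number of %d-byte banks"
                         % (len(image), BANK_SIZE))
    return len(image) // BANK_SIZE


def first_mismatch(written: bytes, readback: bytes):
    """Offset of the first differing byte between the image written and the
    dump read back afterwards, or None if they are identical."""
    if len(written) != len(readback):
        return min(len(written), len(readback))
    for offset, (a, b) in enumerate(zip(written, readback)):
        if a != b:
            return offset
    return None


def check_dump(image: bytes, expected_datasum=None) -> dict:
    """Sanity-check a firmware dump before trusting it or writing it back."""
    problems = []
    try:
        banks = banks_for(image)
    except ValueError as err:
        banks = None
        problems.append(str(err))
    # An all-0xFF image is the erased state (or a failed read), not firmware;
    # the hints above warn against leaving a drive like that.
    if image and image == b"\xFF" * len(image):
        problems.append("image is all 0xFF: flash erased or read failed")
    ds = datasum(image)
    if expected_datasum is not None and ds != expected_datasum:
        problems.append("DataSum 0x%04X != expected 0x%04X" % (ds, expected_datasum))
    return {"banks": banks, "datasum": ds, "problems": problems, "ok": not problems}


# Constructed sample images (not real firmware): 4 banks with a byte-ramp
# pattern, perturbed so the DataSum is non-zero, and a fully erased image.
_img = bytearray(bytes(range(256)) * (4 * BANK_SIZE // 256))
_img[0:4] = b"\xDE\xAD\xBE\xEF"
SAMPLE_IMAGE = bytes(_img)
ERASED_IMAGE = b"\xFF" * (4 * BANK_SIZE)

if __name__ == "__main__":
    print(check_dump(SAMPLE_IMAGE, expected_datasum=0x0332))   # ok, DataSum 0x0332
    print(check_dump(ERASED_IMAGE))                            # flags the erased image
```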


Many thanks to Dale Roberts and his Direct Port I/O driver giveio.sys!

Avoid a bad flash!
Kai Schtrom




