Jump to content


DosFlash 2.0


¿Quieres enterarte al momento de las nuevas descargas? Síguenos en Twitter o Mastodon!

DosFlash V2.0 Release Date 03.09.2011
---------------------------------------
- Key extraction task "LiteOn Key V3 (Tarablinda)" now supports the Slim firmware versions 9504, 0272, 0225,
  0401, 1071 and also tries to discover the key on unknown firmware versions
- 2 new tasks added named "Lock SPI Flash" and "Unlock SPI Flash"
  The new unlock SPI flash task is used in combination with Geremia's MXIC and  Winbond Unlock method.
  It is very much influenced by Geremia's unlockSPI program, which was the first bruter to unlock Winbond SPI
  flashes. To relock the flash after you have finished writing a patched firmware to it, use the lock SPI flash
  task. This will instantly make the SPI flash write protected for all blocks. BP0, BP1 and SRP status bits are
  activated afterward, so handle this function with care!
- Read Flash task now can create a full firmware dump of the Slim firmware versions 9504, 0272, 0225, 0401 and 1071
  To create full firmware dumps of 0225 drives and above you should get a compatible SATA2 controller and set
  it to IDE mode. In addition you should be able to do Geremia's MXIC or Winbond unlock method. The compatible
  SATA2 controller is needed to unlock the MTK. Any installed drivers should be uninstalled, because they will
  switch the controller back to AHCI mode. In combination with the SPI flash status register unlock you are able
  to write to the firmware and inject Geremia's 8051 trojan, which can then dump the complete firmware. A risk
  level is added to show you how risky it is for your individual flash chip and firmware combination to write
  the patched firmware to obtain a full dump.
- Possibility during "Read Flash" task to write firmware sector 3E of Slim drives with unknown firmware version
  This feature should be useful if new, unknown Slim firmware versions get out. If you write the patched 3E sector
  to a new and unknown firmware version this could potentially kill your drive. So handle it with care!
- Portio.sys reimplemented as separate driver for DosFlash32 and DosFlash64
  The driver files portio32.sys and portio64.sys are again separated from the executable file. This way the
  user has the possibility to sign the drivers on his x64 system with the Driver Signature Enforcement Overrider.
- SATA and IDE adapter list updated


Geremia's Tarablinda method on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash32/64
-----------------------------------------------------------------------------------------------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- make sure the drivers for the SATA2 controller are uninstalled
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into Windows
- turn on the LiteOn psu
- run DosFlash32/64
- the drive and flash chip should identify properly
- choose the task "LiteOn Key V3 (Tarablinda)"
- press "LiteOn Key V3" button
- choose a destination directory for the extracted files
- after this DosFlash32/64 displays your DVD-Key and saves your key and identify data
- then DosFlash32/64 displays the following message:
  There seems to be a LiteOn Slim drive connected as Master
  to port 0xA000.
  You should try SATA2 MTK unlock method.
  - Use a compatible SATA2 controller set to IDE mode
  - Repower the drive which is connected to the SATA 2 controller
  - Press "Yes" if you are ready
  Are you ready?
- do the above and press "Yes"
- this repower is used to get DosFlash32/64 back to a known MTK state


Geremia's Tarablinda method on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash16
--------------------------------------------------------------------------------------------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into Ms-DOS 6.22
- turn on the LiteOn psu
- run DosFlash16 in auto mode
- the drive and flash chip should identify properly
- choose your drive number
- as task choose "LITEON K"
- as extraction method choose "V3"
- choose a destination directory for the extracted files
- after this DosFlash16 displays your DVD-Key and saves your key and identify data


Unlock flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash32/64
--------------------------------------------------------------------------------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- make sure the drivers for the SATA2 controller are uninstalled
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into Windows
- turn on the LiteOn psu
- run DosFlash32/64
- the drive and flash chip should identify properly
- choose the task "Unlock SPI Flash"
- press "Unlock SPI Flash" button
- you will hear a test sound from the PC speaker and the following message is displayed:
  The sound that just played was a test. You will hear the
  same sound if unlocking is successful later on. If you
  have not heard a sound, you should skip the unlock and
  check your PC speaker.
  Unlocking the SPI flash requires you to use Geremia's MXIC
  or Winbond Unlock method. Proceed like follows:
  - Press "Yes" if you are ready
  - Start Geremia's MXIC / Winbond Unlock
  - Stop if you hear the sound
  Are you ready?
  (Press ESC key to abort!)
- press "Yes"
- start MXIC or Winbond dremel unlock
- stop if you hear the test sound again
- the SPI flash should now be successfully unlocked


Unlock flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash16
-----------------------------------------------------------------------------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into MS-DOS 6.22
- turn on the LiteOn psu
- run DosFlash16 in auto mode
- the drive and flash chip should identify properly
- choose your drive number
- as task choose "U" for "Unlock SPI Flash"
- you will hear a test sound from the PC speaker and the following message is displayed:
  The sound that just played was a test. You will hear the
  same sound if unlocking is successful later on. If you
  have not heard a sound, you should skip the unlock and
  check your PC speaker.
  Unlocking the SPI flash requires you to use Geremia's MXIC or Winbond Unlock
  method. Proceed like follows:
  - Press "Yes" if you are ready
  - Start Geremia's MXIC / Winbond Unlock
  - Stop if you hear the sound
  Are you ready?
  (Press ESC key to abort!)
- confirm with 'Y' for "Yes"
- start MXIC or Winbond dremel unlock
- stop if you hear the test sound again
- the SPI flash should now be successfully unlocked


Read flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash32/64
------------------------------------------------------------------------------------
- you should have unlocked the SPI flash prior to reading the flash, otherwise the following steps will not work
- connect your Slim drive to a SATA2 controller set to IDE mode
- make sure the drivers for the SATA2 controller are uninstalled
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into Windows
- turn on the LiteOn psu
- run DosFlash32/64
- the drive and flash chip should identify properly
- choose the task "Read Flash"
- press "Read Flash" button
- enter the name of your flash firmware output file e.g. fulldump.bin
- you read the following (the displayed checksum and risk level can vary):
  Risk Level: Minimal! Winbond SPI flash with empty 3D3E sectors.
  Firmware sectors 0x3D000 and 0x3E000 match known checksum
  0xFFFFF800.
  Do you want to write firmware with patched code to be able to read
  the firmware?
- press "Yes"
- then DosFlash32/64 displays the following message:
  There seems to be a LiteOn Slim drive connected as Master
  to port 0xA000.
  You should try SATA2 MTK unlock method.
  - Use a compatible SATA2 controller set to IDE mode
  - Repower the drive which is connected to the SATA 2 controller
  - Press "Yes" if you are ready
  Are you ready?
- do the above and press "Yes"
- after this DosFlash32/64 saves your firmware dump and displays the above message again, repower
  the drive again and press "OK"
- the last repower is used to get DosFlash32/64 back to a known MTK state


Read flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash16
---------------------------------------------------------------------------------
- you should have unlocked the SPI flash prior to reading the flash, otherwise the following steps will not work
- connect your Slim drive to a SATA2 controller set to IDE mode
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into MS-DOS 6.22
- turn on the LiteOn psu
- run DosFlash16 in auto mode
- the drive and flash chip should identify properly
- choose your drive number
- as task choose "R" for "Read Flash"
- enter the name of your flash firmware output file e.g. fulldump.bin
- you read the following (the displayed checksum and risk level can vary):
  Risk Level: Minimal! Winbond SPI flash with empty 3D3E sectors.
  Firmware sectors 0x3D000 and 0x3E000 match known checksum 0xFFFFF800.
  Do you want to write firmware with patched code to be able to read
  the firmware (Y/N)?
- confirm with 'Y' for "Yes" and press Enter
- then DosFlash16 displays the following message:
  There seems to be a LiteOn Slim drive connected as Master to port 0xA000.
  You should try SATA2 MTK unlock method.
  - Use a compatible SATA2 controller set to IDE mode
  - Repower the drive which is connected to the SATA 2 controller
  - Press "Yes" if you are ready
  Are you ready (Y/N)?
- do the above and press 'Y' for "Yes"
- after this DosFlash16 saves your firmware dump


Lock flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash32/64
------------------------------------------------------------------------------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- make sure the drivers for the SATA2 controller are uninstalled
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into Windows
- turn on the LiteOn psu
- run DosFlash32/64
- the drive and flash chip should identify properly
- choose the task "Lock SPI Flash"
- press "Lock SPI Flash" button
- read the displayed warning carefully, because locking the flash is very risky
- press "Yes"
- the SPI flash should now be successfully locked


Lock flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash16
---------------------------------------------------------------------------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it on yet
- power up PC and boot into MS-DOS 6.22
- turn on the LiteOn psu
- run DosFlash16 in auto mode
- the drive and flash chip should identify properly
- choose your drive number
- as task choose "L" for "Lock SPI Flash"
- read the displayed warning carefully, because locking the flash is very risky
- confirm with 'Y' for "Yes"
- the SPI flash should now be successfully locked


DosFlash16 Manual Mode Examples for LiteOn Slim 0225
------------------------------------------------------
- Extract drive key on a "PLDS DG-16D4S 0225"
  DOSFLASH LITEON K V3 1010 A0

- Unlock SPI Flash on a "PLDS DG-16D4S 0225"
  DOSFLASH U 1010 1 A0 3 0

- Read firmware on a "PLDS DG-16D4S 0225"
  DOSFLASH R 1010 1 A0 3 0 4 FWOUT.BIN 0

- Write firmware on a "PLDS DG-16D4S 0225"
  DOSFLASH W 1010 1 A0 3 0 4 FWIN.BIN 0

- Erase firmware on a "PLDS DG-16D4S 0225"
  DOSFLASH E 1010 1 A0 3 0 4 C7 0

- Lock SPI Flash on a "PLDS DG-16D4S 0225"
  DOSFLASH L 1010 1 A0 3 0


Excellent work on the MXIC / Winbond unlock by Geremia and Maximus.
As the Duke would say: Hail to the kings baby!
Kai Schtrom

************************************************************************************************


DosFlash V1.9 Release Date 01.01.2011
---------------------------------------
- SATA and IDE port scan improved in DOS and Windows
  The ports are now enumerated with the CONFIG_ADDRESS and CONFIG_DATA register instead of using interrupts
  in DOS and SetupDixx functions in Windows. This change will detect more ports in Windows than the old 
  SetupDixx method.
- Settings saved to ini file for DosFlash32 and DosFlash64
  Settings like Port, Position, Task, COM Port, Enable Drives and DvdKey state are now saved to an ini file
  inside the program folder. If the ini file is not present it is created after the first run. On the first
  startup DosFlash will choose the most common and stable settings.
- EnableDrives option included in dialog as a check box
  Due to high demand we removed the "Enabling CD-/DVD-ROMs" MessageBox on program termination and included
  a check box "Enable Drives" inside the dialog. For security and more stability this is deactivated on the
  first run. If you enable it the checked state is saved to the ini file.
- enabling drives in Windows caused some hangs from time to time, this is now fixed by a recoded enable
  drives function
- port drivers portio32.sys and portio64.sys are now added to the executable and unpacked during runtime
- PATA and SATA controllers list updated
- Fix for NForce motherboards in combination with drives like the "Samsung SH-D163C", "LG DH18NS40" or
  "LiteOn iHDS118"
  Some drives have problems with flash identify, read, write and erase. This is clearly related to the
  NVidia NForce chipset. For manual mode in DosFlash16 an additional command line parameter is added called
  "NFORCE FIX". This parameter should be set to 1 for NForce chipsets if you experience strange problems.
  In DosFlash32 and DosFlash64 we added a static control which shows if the NForce Fix is applied or not.
  Remember there is no need to activate this with every drive. It seems to be a combination between drive
  and NForce chipset that causes the problem. The fix is automatically applied for DosFlash16 in auto mode,
  DosFlash32 and DosFlash64.
- DosFlash32 and DosFlash64 are now DPI Aware for Windows7
- New task Verfiy Key/Inject Key added for verification/injection of drive keys
  All DosFlash versions now have the possibility to validate drive keys against an XBOX360 drive and set
  the key for an XBOX360 drive. We use the same authentication method like the console to verify a key.
  In the Windows versions you have the choice to paste the drive key from the clipboard to our custom hex
  edit control or load a key file. To add a key simply click right inside the hex edit control and select
  your choice from the shortcut menu. In DosFlash16 you can enter the key in the format "1A-2B-3C" without
  quotes. Remember that a key has 16 bytes of data. The key file to import should also have 16 bytes of data
  like the key files exported by LiteOn Key functions.
- Removed multiple key extractions for LiteOn Key functions, added Verify Key after extraction
  For LiteOn Key functions we removed the multiple extractions, because the key is now verified immediately
  against the XBOX360 drive.
- LiteOn Key V1 and V2 now also extract the file Serial.bin and the 2nd inquiry file Inquiry2.bin
  We added the file Serial.bin and Inquiry2.bin to LiteOn Key functions. Inquiry2.bin is only generated for
  LiteOn drives V1 and V2.
- The drive key of Maximus patched UART drives can be extracted by using the task "LiteOn Key V1 (DvdKey)"
  The drive check has been removed from LiteOn Key functions. This way we can extract a key from an UART 
  patched drive firmware by Maximus.
- LiteOn files are now extracted to a destination folder instead of prompting the user for every file name.
- LiteOn key extraction tasks separated per drive version in "LiteOn Key V1 (DvdKey)", "LiteOn Key V2 (FreeKey)"
  and "LiteOn Key V3 (Tarablinda)"
- In DosFlash32 and DosFlash64 the number of installed COM ports in the system are now enumerated instead of
  adding port 1 to 4
- For failing cdb commands the sense code is returned
- Geremia's Tarablinda functionality added
  We added all Tarablinda tasks to every DosFlash version. You can extract the key by choosing the task
  "LiteOn Key V3 (Tarablinda)". For read, write and erase of the flash simply use the standard functions.
  Pay attention that the "LiteOn Erase V1/V2" task is only available for older LiteOns and not for the Slim.
  You should use "Read Flash", "Write Flash" and "Erase Flash" for the Slim. "LiteOn Key V3 (Tarablinda)"
  extracts 1 additional file in comparison to Tarablinda v04b, this file is called Xtram.bin and contains
  a dump of the XTRAM8000 area. This can differ in a few bytes from one dump to the next.
- Device Reset in DosFlash16 manual mode is now done automatically, there is no option to turn it off anymore
- Code optimization to work with modern SATA2 controllers added, remember to set SATA controllers to IDE and
  not AHCI mode otherwise Port I/O will not work
- Warning: The read, write and erase of the Slim drive is considered risky in general! So pay attention and
  always remember you use DosFlash on your own risk every time! Even during flash read the Slim gets flashed
  with a patched firmware sector to retrieve the complete dump!
- We had to change many command line arguments for DosFlash16 Manual Mode, because of the NForce Fix, added
  Tarablinda support and splitting of LiteOn Key functions. To get a better understanding we added the example
  section below.


DosFlash16 Manual Mode Examples
---------------------------------
- Extract drive key on a "PLDS DG-16D2S 74850C" over UART -> "LiteOn Key V1 (DvdKey)"
  DOSFLASH LITEON K V1 0970 A0 1

- Extract drive key on a "PLDS DG-16D2S 83850C" over SATA -> "LiteOn Key V2 (FreeKey)"
  DOSFLASH LITEON K V2 0970 A0

- Extract drive key on a "PLDS DG-16D4S 9504" over SATA -> "LiteOn Key V3 (Tarablinda)"
  DOSFLASH LITEON K V3 0970 A0

- Read firmware on a "PLDS DG-16D4S 9504" -> "Read Flash" this is considered risky!
  DOSFLASH R 0970 1 A0 3 0 4 FWOUT.BIN 0

- Write firmware on a "PLDS DG-16D4S 9504" -> "Write Flash" this is considered risky!
  DOSFLASH W 0970 1 A0 3 0 4 FWIN.BIN 0

- Erase firmware on a "PLDS DG-16D4S 9504" -> "Erase Flash" this is considered risky!
  DOSFLASH E 0970 1 A0 3 0 4 C7 0

- Erase firmware on a "PLDS DG-16D2S 74850C" or a "PLDS DG-16D2S 83850C" -> "LiteOn Erase V1/V2"
  DOSFLASH LITEON E 0970 A0

- Read firmware on a "Samsung SH-D163C", "LG DH18NS40" or "LiteOn iHDS118" and a NForce motherboard -> "Read Flash"
  DOSFLASH R 0970 1 A0 2 0 4 FWOUT.BIN 1

- Write firmware on a "Samsung SH-D163C", "LG DH18NS40" or "LiteOn iHDS118" and a NForce motherboard -> "Write Flash"
  DOSFLASH W 0970 1 A0 2 0 4 FWIN.BIN 1

- Erase firmware on a "Samsung SH-D163C", "LG DH18NS40" or "LiteOn iHDS118" and a NForce motherboard -> "Erase Flash"
  DOSFLASH E 0970 1 A0 2 0 4 C7 1

- Verify drive key on a XBOX360 drive, enter the drive key manual
  DOSFLASH V 0970 A0 12-34-56-78-90-AB-CD-EF-12-34-56-78-90-AB-CD-EF

- Verify drive key on a XBOX360 drive, load a drive key file
  DOSFLASH V 0970 A0 KEY.BIN

- Inject drive key on a XBOX360 drive, enter the drive key manual
  DOSFLASH I 0970 A0 12-34-56-78-90-AB-CD-EF-12-34-56-78-90-AB-CD-EF

- Inject drive key on a XBOX360 drive, load a drive key file
  DOSFLASH I 0970 A0 KEY.BIN

For DosFlash drives on which we can extract the key via UART are considered V1. Drives we get the key over
SATA are considered V2. The new Slim is considered V3 but only firmware version 9504 is supported atm.


Many thanks to Geremia, Modfreakz, Redline99 and Tiros for their support. Special thanks to Geremia and
Modfreakz for drive sponsoring, testing, coding and much more. It is always a pleasure to work with you
professional guys! Respect to Maximus for his UART enable patch. I'm looking forward to your magic Lizard
hardware flasher!

Happy new year 2011!
Kai Schtrom

************************************************************************************************


DosFlash V1.8 Release Date 08.08.2009
---------------------------------------
- now supports LiteOn PLDS DG-16D2S 83850C V2 Geremia/Maximus LiteOn FreeKey method
- huge firmware read/write speed increase, especially if run from a floppy disk
- updated IDE/SATA motherboard chipset list
- new IDE/SATA detection for Windows and DOS
- DosFlash.typ embedded in executable file
- LiteOn V1 drive key is now extracted 10 times and compared against each other,
  after the extraction a summary is displayed sorted by the most common matches
- LiteOn V2 drive key is extracted 2 times and compared
- new BenQ unlock keys added to unlock all known BenQ drive firmwares
- command line parameter "EnableDrives" removed, DosFlash asks the user on
  application close if he wants to enable the drives or not, during the tests it
  seems that IDE drives have problems with the enable, SATA drives seem to 
  work fine
- new 64-bit DosFlash edition added called DosFlash64, because some driver
  functions don't work as expected in the 32 bit compatibility mode on Windows x64
- Beta state removed
- ready and tested on Windows7 X86 and x64


Geremia/Maximus FreeKey method with DosFlash16
------------------------------------------------
We have added one cmd line parameter for DosFlash16 in manual mode. The COM port
is simply ignored and can have any value for the V2 drives.
Use the following command line to extract your free key from 83850C:
- DosFlash LITEON K 0970 1 inquiry.bin identify.bin key.bin dummy.bin enckey.bin


Tips for running DosFlash on Windows 7
----------------------------------------

Since Windows Vista 64 Bit and upwards it is necessary that every driver is signed. Because
the DosFlash driver will not be signed by MS due to some unknown reason we need to circumvent
this check. You have the following 2 possibilities to do this.

Safe Way of Disabling Driver Signature Enforcement
1) On Windows 7 bootup press F8 to get to the extended boot options screen
2) Choose "Disable Driver Signature Enforcement"
3) To start DosFlash right click on it in Windows Explorer and choose
   "Run as administrator" > answer the message box with "Yes"
4) Short after the program started a "Program Compatibility Assistant" warning message
   is displayed, you can simply ignore this by pressing the "Close" button

Recommended Way of Disabling Driver Signature Enforcement
1) Disable User Account Control (UAC)
   - go to "Start Menu" > "Control Panel" > "User Accounts and Family Safety" > "User Accounts"
   - click on "Change User Account Control settings"
   - set the slider bar to the lowest value (Never notify) > click "OK"
2) Sign the DosFlash driver
   - download the "Driver Signature Enforcement Overrider" (DSEO) from
    http://www.ngohq.com/home.php?page=dseo
   - start DSEO > click "Next" > "Yes" > choose "Sign a System File" > "Next" > enter the path to
     the used driver (portio32.sys or portio64.sys) > "OK" > "OK"
3) Disable Driver Signature Enforcement
   - start DSEO > click "Next" > "Yes" > choose "Enable Test Mode" > "Next" > "OK"
4) Restart the computer

Keep in mind that with the recommended way the changes will have effect on every reboot without
doing anything manual. The first way needs to be done over and over again. In addition the second
way can be used to sign every driver that doesn't run natively on Windows 7.

For use of the VIA Cards in Windows 7 it is recommended to uninstall the VIA driver. This can be
done like follows:
- start "Device Manager" > expand "Storage controllers" > right click on "VIA RAID Controller" > 
  choose "Uninstall" > "OK"
- rename C:\Windows\inf\vsmraid.inf to vsmraid.inf_
- rename C:\Windows\inf\vsmraid.PNF to vsmraid.PNF_
- rename C:\Windows\System32\drivers\vsmraid.sys to vsmraid.sys_
- reboot computer


Much respect and credits go to Geremia and Maximus for their money saving FreeKey app
and their lightning like decryption speed!

In Dedication To The Birth Of FreeKey On August Fifth 2009
Kai Schtrom


************************************************************************************************


DosFlash and DosFlash32 V1.7 Beta Release Date 23.12.2008
-----------------------------------------------------------
- now supports LiteOn PLDS DG-16D2S 74850C and Geremia's LiteOn Erase and DvdKey method


The following only applies to the new XBox360 LiteOn drive PLDS DG-16D2S 74850C.


Geremia's DvdKey method with DosFlash16 with the PC's psu
-----------------------------------------------------------
- disable CD-ROM boot option in BIOS
- connect LiteOn to your PC's power supply unit and SATA port
- power up PC, wait until bootup is finished
- eject tray of the LiteOn and shutdown PC completely
- push the LiteOn tray half in
- power up PC and boot into DOS
- run DosFlash16 in auto mode
- if you read the following:
  MTK Vendor Intro failed on port 0x????.
  If you choose to resend the command you should turn the drive off and on
  after you pressed "Yes".
  Do you want to resend the command until the drive responds (Y/N)?
- press 'N' for "No"
- choose the number of your LiteOn ATAPI drive
- enter "LITEON K" to read the drive key
- type the names of inquiry.bin, identify.bin, key.bin and dummy.bin output files
- enter the number of the COM port
- if you read the following:
  To receive the drive key use Geremia's DvdKey method like follows:
  - Connect your drive with a serial cable to the COM port
  - Eject drive tray
  - Power off drive
  - Push drive tray in until it is half open
  - Power on drive
  - Press "Yes" if you are ready
    Are you ready (Y/N)?
- simply press 'Yes' without doing anything of the above, because we
  already did that before
- after this DosFlash16 displays your DVD-Key and saves your key and identify data
- to do the above steps in manual mode use the following command line if your drive
  is connected to port 0x0970 and serial cable is on COM port 1
  DosFlash LITEON K 0970 1 inquiry.bin identify.bin key.bin dummy.bin


Geremia's DvdKey method with DosFlash16 and 2nd psu
-----------------------------------------------------
- connect a separate power supply unit to the LiteOn, don't turn it on yet
- power up PC and boot into DOS
- turn on the LiteOn psu
- run DosFlash16 in auto mode
- if you read the following:
  MTK Vendor Intro failed on port 0x????.
  If you choose to resend the command you should turn the drive off and on
  after you pressed "Yes".
  Do you want to resend the command until the drive responds (Y/N)?
- press 'N' for "No"
- choose the number of your LiteOn ATAPI drive
- enter "LITEON K" to read the drive key
- type the names of inquiry.bin, identify.bin, key.bin and dummy.bin output files
- enter the number of the COM port
- if you read the following:
  To receive the drive key use Geremia's DvdKey method like follows:
  - Connect your drive with a serial cable to the COM port
  - Eject drive tray
  - Power off drive
  - Push drive tray in until it is half open
  - Power on drive
  - Press "Yes" if you are ready
    Are you ready (Y/N)?
- do the above and press 'Yes'
- after this DosFlash16 displays your DVD-Key and saves your key and identify data


Geremia's LiteOn Erase method with DosFlash16 and 2nd psu
-----------------------------------------------------------
- connect a separate power supply unit to the LiteOn, don't turn it on yet
- power up PC and boot into DOS
- turn on the LiteOn psu
- run DosFlash16 in auto mode
- if you read the following:
  MTK Vendor Intro failed on port 0x????.
  If you choose to resend the command you should turn the drive off and on
  after you pressed "Yes".
  Do you want to resend the command until the drive responds (Y/N)?
- press 'N' for "No"
- choose the number of your LiteOn ATAPI drive
- Warning!!! Keep in mind that you will need the drive key before you erase the flash,
  without the drive key your XBox360 will not work anymore
- enter "LITEON E" to erase the flash
- the first time after the LiteOn Erase the drive needs to be repowered to give
  flash chip access, this can be achieved by repowering the drive before another
  DosFlash16 start in auto mode or by doing a MTK Vendor Intro Power Brute
- in my tests it did not work to power the drive with the PC's psu, because it will
  always respond with busy status
- DosFlash16 can now read, write and erase the flash chip like usual
- to do the above steps in manual mode use the following command line if your drive
  is connected to port 0x0970
  DosFlash LITEON E 0970


Geremia's DvdKey method with DosFlash32 with the PC's psu
-----------------------------------------------------------
- disable CD-ROM boot option in BIOS
- connect LiteOn to your PC's power supply unit and SATA port
- power up PC, wait until bootup is finished
- eject tray of the LiteOn and shutdown PC completely
- push the LiteOn tray half in
- power up PC and boot into Windows
- run DosFlash32
- if you read the following:
  MTK Vendor Intro failed on port 0x????.
  If you choose to resend the command you should turn the drive off and on
  after you pressed "Yes".
  Do you want to resend the command until the drive responds?
- press 'No'
- choose "LiteOn DvdKey" as flashing task
- choose the COM port number
- press on "LiteOn DvdKey" button
- enter the names of inquiry.bin, identify.bin, key.bin and dummy.bin output files
- if you read the following:
  To receive the drive key use Geremia's DvdKey method like follows:
  - Connect your drive with a serial cable to the COM port
  - Eject drive tray
  - Power off drive
  - Push drive tray in until it is half open
  - Power on drive
  - Press "Yes" if you are ready
    Are you ready?
- simply press 'Yes' without doing anything of the above, because we
  already did that before
- after this DosFlash32 displays your DVD-Key and saves your key and identify data


Geremia's DvdKey method with DosFlash32 and 2nd psu
-----------------------------------------------------
- connect a separate power supply unit to the LiteOn, don't turn it on yet
- power up PC and boot into Windows
- turn on the LiteOn psu
- run DosFlash32
- if you read the following:
  MTK Vendor Intro failed on port 0x????.
  If you choose to resend the command you should turn the drive off and on
  after you pressed "Yes".
  Do you want to resend the command until the drive responds?
- press 'No'
- choose "LiteOn DvdKey" as flashing task
- choose the COM port number
- press on "LiteOn DvdKey" button
- enter the names of inquiry.bin, identify.bin, key.bin and dummy.bin output files
- if you read the following:
  To receive the drive key use Geremia's DvdKey method like follows:
  - Connect your drive with a serial cable to the COM port
  - Eject drive tray
  - Power off drive
  - Push drive tray in until it is half open
  - Power on drive
  - Press "Yes" if you are ready
    Are you ready?
- do the above and press 'Yes'
- after this DosFlash32 displays your DVD-Key and saves your key and identify data


Geremia's LiteOn Erase method with DosFlash32 and 2nd psu
-----------------------------------------------------------
- connect a separate power supply unit to the LiteOn, don't turn it on yet
- power up PC and boot into Windows
- turn on the LiteOn psu
- run DosFlash32
- if you read the following:
  MTK Vendor Intro failed on port 0x????.
  If you choose to resend the command you should turn the drive off and on
  after you pressed "Yes".
  Do you want to resend the command until the drive responds?
- press 'No'
- the LiteOn flash is not identified
- choose "LiteOn Erase" as flashing task
- Warning!!! Keep in mind that you will need the drive key before you erase the flash,
  without the drive key your XBox360 will not work anymore
- press on "LiteOn Erase" button
- the first time after the LiteOn Erase the drive needs to be repowered to give
  flash chip access, this can be achieved by repowering the drive before another
  DosFlash32 start or by doing a MTK Vendor Intro Power Brute
- in my tests it did not work to power the drive with the PC's psu, because it will
  always respond with busy status
- DosFlash32 can now read, write and erase the flash chip like usual


Respect to Geremia, Modfreakz, Podger, Redline99 and Tiros.

Like a wise man said: "0x2E is the MTK Intro of Death"
Kai Schtrom


************************************************************************************************


DosFlash and DosFlash32 V1.6 Beta
-----------------------------------
- fixed power brute unlock bug for VIA cards, this can stop your VIA from working
  with the power brute unlocking in Version 1.5
- for DosFlash16 in auto mode on DOS my VIA card works best if I do a cold boot
  and power up the drive short before or with the PC
- for DosFlash32 on Windows my VIA card works best if I power up the drive short
  before starting DosFlash32
- for me the VIA works with internal and external connectors on DOS and Windows

Sorry for the trouble!
Kai Schtrom


************************************************************************************************


DosFlash and DosFlash32 V1.5 Beta
-----------------------------------
- now supports serial flash chip MT1309E with mediatek status 0x72 like the SH-D163B, SH-D162D,
  Asus DVD-E616A3, Asus DVD-E818A3, Sony Optiarc DDU1671S
- SST25LF020A and SST25LF040A chip support added
- DosFlash32.exe ported from MFC to plain Windows API, exe size is now 22 KB
- new port i/o driver, because giveio.sys can't be compiled for 64 Bit Windows
- DosFlash16 changed slighly in manual mode, one parameter is added to support SST25LF020A and
  SST25LF040A
- two new methods of BenQ soft unlock are now possible on all motherboards with only one power
  supply unit
- 1st method is powered by Geremia's unlock core, thanks for the complete idea, concept and
  source to Geremia
- 2nd method is the Magic28 key send, this only works on BenQ VAD6038 firmware, thanks to
  c4eva and podger for the initial idea
- the two unlock methods are send one after the other if the drive is a possible unlock
  candidate, first the Magic28 command, then Geremia's unlock commands and after that the
  already known power brute unlock is send to the drive, you can cancel any of these methods
  before they are send to the target, this only applies to BenQ drives with a locked flash
- DosFlash.typ updated
- other minor improvements
- DosFlash32 is now ready for
  - Windows 2000
  - Windows XP 32 Bit
  - Windows XP 64 Bit
  - Windows Server 2003 32 Bit
  - Windows Server 2003 64 Bit
  - Windows Vista 32 Bit
  - Windows Vista 64 Bit
- Warning: Drivers for Windows Vista 64 Bit need to be signed, because we can't afford the
  money to let portio64.sys sign you need to do the following:
  1) Log on as Administrator
  2) Enter the following command in a Dos-Box:
     "bcdedit -set loadoptions DDISABLE_INTEGRITY_CHECKS"
     (we made sure there are no typos in the line above) :)
  3) Press enter and reboot your PC
  4) Press F8 key upon initial system boot up
  5) Choose to disable forced driver signing enforcement for that boot session


The following only applies to drives with a locked BenQ flash.


Geremia's BenQ unlock with DosFlash16 / DosFlash32 on any motherboard with the PC's psu
-----------------------------------------------------------------------------------------
- disable CD-ROM boot option in BIOS
- connect BenQ to your PC's power supply unit and SATA port
- power up PC, wait until bootup is finished
- eject tray of the BenQ and shutdown PC completely
- push the BenQ tray half in
- power up PC and boot into DOS for DosFlash16 or Windows for DosFlash32
- run DosFlash16 in auto mode for DOS or DosFlash32 for Windows
- if you read the following:
  MTK Vendor Intro failed on port 0x????. Because there seems
  to be a BenQ drive connected you should try Geremia's
  unlock method.
  - Eject drive tray
  - Power off drive
  - Push drive tray in until it is half open
  - Power on drive
  - Press "Yes" if you are ready
    Are you ready (Y/N)?
- simply press 'Yes' without doing anything of the above, because we
  already did that before starting DosFlash16 / DosFlash32
- the BenQ flash should now be identified
- go on like usual


Geremia's BenQ unlock with DosFlash16 / DosFlash32 on any motherboard with 2nd psu
------------------------------------------------------------------------------------
- connect a separate power supply unit to the BenQ, don't turn it on yet
- power up PC and boot into DOS
- run DosFlash16 in auto mode for DOS or DosFlash32 for Windows
- if you read the following:
  MTK Vendor Intro failed on port 0x????. Because there seems
  to be a BenQ drive connected you should try Geremia's
  unlock method.
  - Eject drive tray
  - Power off drive
  - Push drive tray in until it is half open
  - Power on drive
  - Press "Yes" if you are ready
    Are you ready (Y/N)?
- do the above and press 'Yes'
- the BenQ flash should now be identified
- go on like usual


Magic28 BenQ unlock with DosFlash16 / DosFlash32 on any motherboard
---------------------------------------------------------------------
- connect BenQ to your PC's power supply unit and SATA port
- power up PC and boot into DOS for DosFlash16 or Windows for DosFlash32
- run DosFlash16 in auto mode for DOS or DosFlash32 for Windows
- if you read the following:
  MTK Vendor Intro failed on port 0x????. Because there seems
  to be a BenQ VAD6038 drive connected you should try the
  Magic28 unlock method.
  Do you want to send the Magic28 command?
- press 'Yes'
- the BenQ flash should now be identified
- go on like usual


Thanks to Redline99 and Tiros for help and support.

It's all about DOS!
Thanks guys for the excellent team work!
Geremia, Modfreakz and Kai Schtrom


************************************************************************************************


DosFlash and DosFlash32 V1.4 Beta
-----------------------------------
- DROM6316 flashing support
- a flash erase is now always done with a chip erase and not a sector erase command, because
  the sector erase gives problems for some Winbond flash chips including the DROM6316
- DosFlash.typ corrected and updated
- for a detailed explanation on the soft unlock look at the included file SoftUnlockByIriez.txt,
  it contains a very good explanation by Iriez from XBS, thanks for that one!

Thanks to Iriez, Jumba, Redline99 and Tiros for help and support.

Happy DROM bricking!
Team Modfreakz and Kai Schtrom


************************************************************************************************


DosFlash and DosFlash32 V1.3 Beta
-----------------------------------
- BenQ optimization in unlocking the flash chip, it should now be possible to read/write/erase
  the flash without any soldering or wire tricks, the drive is polled for the correct mtk
  unlocking status after power on, this only works for VIA cards and NForce boards atm
- DosFlash32 has one additional parameter, if you start it with the parameter "EnableDrives"
  all the DVD-ROMs are enabled in device manager after flashing, this could give BSOD on some
  systems, therefor you need to create a DosFlash32 link and add that parameter manual to use it
- DosFlash16 has one additional parameter "Send ATAPI Device Reset" in manual mode, this could
  give better chances for soft flashing on some VIA - motherboard combinations
- better support of Intel chipsets, drives can now be flashed if the controller is not set to
  native mode in the BIOS
- the following controller list includes vendor and device IDs that are hardcoded to identify
  the controller type (IDE or SATA), this is needed if the BIOS uses IDE ports like 0x01F0 or
  0x0170 as SATA and not as IDE channels, this list is NOT related to soft flashing
- the following chipset support is added
  - VIA cards
    - all VIA cards with a 6420 chipset
  - IDE Controllers
    - NVIDIA nForce 2 IDE Controller
    - NVIDIA nForce 4 IDE Controller
    - Intel ICH9
    - Intel ICH (i810,i815,i840)
    - Intel ICH0
    - Intel ICH2M
    - Intel ICH2 (i810E2,i845,850,860)
    - Intel C-ICH (i810E2)
    - Intel ICH3M
    - Intel ICH3 (E7500/1)
    - Intel ICH4 (i845GV,i845E,i852,i855)
    - Intel ICH5
    - Intel ESB (855GME/875P + 6300ESB)
    - Intel ICH6 (and 6) (i915)
    - Intel ICH7/7-R (i945, i975)
    - Intel PIIX3 for the 430HX etc
    - Intel PIIX4
    - Intel PIIX4 for the 430TX/440BX/MX chipset
    - Intel PIIX
  - SATA Controllers
    - NVIDIA nForce 4 SATA Controller
    - NVIDIA nForce 2 SATA Controller
    - NVIDIA nForce 3 SATA Controller
    - NVIDIA nForce MCP04 SATA Controller
    - NVIDIA nForce MCP51 SATA Controller
    - NVIDIA nForce MCP55 SATA Controller
    - NVIDIA nForce MCP61 SATA Controller
    - Intel 82801EB (ICH5)
    - Intel 6300ESB (ICH5)
    - Intel 82801FB/FW (ICH6/ICH6W)
    - Intel 82801FR/FRW (ICH6R/ICH6RW)
    - Intel 82801FBM ICH6M
    - Intel Enterprise Southbridge 2 (631xESB/632xESB)
    - Intel 82801GB/GR/GH (ICH7, identical to ICH6)
    - Intel 2801GBM/GHM (ICH7M, identical to ICH6M)
    - Intel SATA Controller IDE (ICH8)
    - Intel Mobile SATA Controller IDE (ICH8M)
    - Intel SATA Controller IDE (ICH9)
    - Intel SATA Controller IDE (ICH9M)


The following only applies to a software flash on a locked flash. The methods have been tested
with the BenQ and the Sammy. The VCC trick will work on any motherboard, but you need to do 
some soldering and cut traces.


Soft Flashing the BenQ in DOS with a VIA card and DosFlash16 in manual mode
-----------------------------------------------------------------------------
- first you need to know the port addresses of your VIA card, you can get these by starting
  msinfo32 on Windows XP and looking at the port listing for SCSI devices
- for the 6421 the 1st port is internal SATA, 2nd is external SATA and 3rd is internal IDE
- for the 6420 the 1st and 3rd port are internal SATA
- you need the starting address e.g. 0xD000 or 0x7000
- be warned that these addresses can change from computer to computer, they are assigned
  at bootup, but Windows XP should display the ones you need for flashing in DOS
- connect a separate power supply unit to the BenQ, don't turn it on yet (can be XBOX360 or 
  Xecuter Connectivity Kit)
- don't use the Xecuter Kit to power the drive with the same psu as your computer, cause we
  need to power the drive off and on during soft flashing
- cold reboot or reset the computer
- boot from a DOS disk, I used a Windows XP MS-DOS startup disk
- at the prompt type: 
  DosFlash r 7000 1 a0 1 4 a:\orig.bin 0 
  - instead of port 7000 use the starting address your VIA card uses
- press return
- DosFlash16 will ask you if you wanna resend the mtk vendor intro cmd, press Yes
- after you pressed Yes the drive status is shown on the screen, it's something like 0x7F,
  this will change during the next few steps
- turn on the BenQ psu and wait 2 or more seconds, status changes between 0x51 and 0xD1
- turn off the BenQ psu and wait 2 or more seconds, status will stay at 0xD1
- turn on the BenQ psu, you should get a good drive status 0x73 and flashing should start
- this worked only one time after the computer is powered on or resetted for me
- writing and erasing works the same way
- for writing type:
  DosFlash w 7000 1 a0 1 4 a:\ixtreme.bin 0
- for erasing type:
  DosFlash e 7000 1 a0 1 4 D8 0 (D8 is the sector erase opcode for the BenQ flash, if you need
  to erase another drive, lookup the value in the datasheet or DosFlash.typ)
- if you experience any problems try to use 1 as the parameter to the ATAPI Device Reset, cause
  the same VIA card will react differently on another motherboard sometimes


Soft Flashing the BenQ in DOS with a NForce motherboard and DosFlash16 in manuel mode
---------------------------------------------------------------------------------------
- first you need to know the port addresses of your NForce motherboard, you can get these by 
  starting msinfo32 on Windows XP and looking at the port listing for IDE devices
- on most motherboards the 1st and 3rd ports are used for SATA
- you need the starting address e.g. 0x0970 or 0xE900
- connect a separate power supply unit to the BenQ, don't turn it on yet (can be XBOX360 or 
  Xecuter Connectivity Kit)
- don't use the Xecuter Kit to power the drive with the same psu as your computer, cause we
  need to power the drive off and on during soft flashing
- cold reboot or reset the computer
- boot from a DOS disk, I used a Windows XP MS-DOS startup disk
- at the prompt type: 
  DosFlash r 0970 1 a0 1 4 a:\orig.bin 1 
  - instead of port 0970 use the starting address your NForce motherboard uses
- press return
- DosFlash16 will ask you if you wanna resend the mtk vendor intro cmd, press Yes
- after you pressed Yes the drive status is shown on the screen, it's something like 0xD1,
  this will change during the next few steps
- turn on the BenQ psu, you should get a good drive status 0x73 and flashing should start
- writing and erasing works the same way
- for writing type:
  DosFlash w 0970 1 a0 1 4 a:\ixtreme.bin 1
- for erasing type:
  DosFlash e 0970 1 a0 1 4 D8 1 (D8 is the sector erase opcode for the BenQ flash, if you need
  to erase another drive, lookup the value in the datasheet or DosFlash.typ)


Soft Flashing the BenQ in DOS with a NForce motherboard and DosFlash16 in auto mode
-------------------------------------------------------------------------------------
- connect a separate power supply unit to the BenQ, don't turn it on yet (can be XBOX360 or 
  Xecuter Connectivity Kit)
- don't use the Xecuter Kit to power the drive with the same psu as your computer, cause we
  need to power the drive off and on during soft flashing
- cold reboot or reset the computer
- boot from a DOS disk, I used a Windows XP MS-DOS startup disk
- wait until you are at the cmd prompt
- turn on the BenQ psu
- at the prompt type: 
  DosFlash
- press return
- during scann of the BenQ's port DosFlash16 will ask you if you wanna resend the mtk vendor
  intro cmd, press Yes
- after you pressed Yes the drive status is shown on the screen, it's something like 0xD1,
  this will change during the next few steps
- turn off the BenQ psu and wait 2 or more seconds, status will stay at 0xD1
- turn on the BenQ psu, you should get a good drive status 0x73 and flash access is granted
- you can now continue as usual using DosFlash
- writing and erasing works the same way
- if the ports are scanned there is the possibility that you'll get the resend question for
  other drives like a NEC, this is because the NEC has no MTK chip and returns a bad status,
  if you know the NEC is at that port you should press No and press Yes only if the port of
  the BenQ is shown or simply disconnect the NEC


Soft Flashing the BenQ in Windows XP with a VIA card or NForce motherboard and DosFlash32
-------------------------------------------------------------------------------------------
- connect a separate power supply unit to the BenQ, don't turn it on yet (can be XBOX360 or 
  Xecuter Connectivity Kit)
- don't use the Xecuter Kit to power the drive with the same psu as your computer, cause we
  need to power the drive off and on during soft flashing
- cold reboot or reset the computer
- turn on the BenQ psu when you are in Windows XP
- start DosFlash32
- DosFlash32 will ask you if you wanna resend the mtk vendor intro cmd, press Yes
- turn off the BenQ psu and wait 2 or more seconds
- turn on the BenQ psu, the DosFlash32 dialog should show up
- the flash should be recognized by DosFlash32
- you can now read, write or erase the flash
- you should be able to do the flashing more than one time in Windows, only do the power 
  off/on trick again
- if the ports are scanned there is the possibility that you'll get the resend question for
  other drives like a NEC, this is because the NEC has no MTK chip and returns a bad status,
  if you know the NEC is at that port you should press No and press Yes only if the port of
  the BenQ is shown or simply disconnect the NEC


Many thanks to jumba for the great idea of BenQ polling!
Thanks to Iriez, Jumba, Redline99, TeamModfreakz, Tiros and all the IRC people for testing
and support.

Join us on IRC efnet at the channel #dosflash for support.

Don't brick your BenQ!
Kai Schtrom


************************************************************************************************


DosFlash and DosFlash32 V1.2 Beta
-----------------------------------
- bug fix for BenQ recognition
  - manufacturer and device id are sometimes 0x00 for a correct installed switch
  - this issue is fixed with an additional ATAPI device reset before the mtk vendor intro is sent

Thanks to Redline99 who fixed my buggy code by adding one line! :)


************************************************************************************************


DosFlash and DosFlash32 V1.1 Beta
-----------------------------------
- DosFlash.typ modified for better BenQ support 
- DosFlash16 Flash Manufacturer and Device ID screen output restructured
- flash chips are first erased before writing starts
- DosFlash32 no reenable of DVD-ROMs in device manager after flashing, this means you can't see the drive
  and maybe have to activate it manually again in device manager, this could give better compatibility and
  hopefully no more blue screens

Many thanks to Jumba, Redline99, TeamModfreakz and Tiros for inspiration and help!


************************************************************************************************


DosFlash and DosFlash32 V1.0 Beta
-----------------------------------
DosFlash can be used to read/write/erase the flash chips of most CD/DVD-ROM drives
that have a mediatek chipset installed. DosFlash is for DOS flashing, DosFlash32
for Windows flashing.


Features:
-----------
- flashes IDE and SATA drives
- supports parallel and serial flash chips
- flash drives in Windows with direct port access
- no vendor cdb flashing commands are used
- tested with the following drives:
  - TS-H943A MS25, MS28
  - SH-D162C
  - SH-D163A
  - and some other drives like Liteon, Hitachi, ...
- NEC drives are not supported, cause they have no mediatek chipset installed
 

DosFlash
----------
DosFlash supports two flashing modes, Auto and Manual. If you type DOSFLASH at a DOS prompt it
will start in Auto mode. All drives and the corresponding flash chips are detected automatically.
If you can't get a flash chip recognized due to a bad flash or other problems you should use the
Manual mode. In Manual mode you can enter all the parameters used for flashing by hand. The
following help screen is displayed if you start DosFlash with a wrong number of parameters:


DOSFLASH by Kai Schtrom, 08/05/2007 (Ver 1.0 Beta)
DOSFLASH [R|W|E] [PORT] [PORT TYPE] [DRIVE POS] [FLASH TYPE]
         [FLASH SIZE] [FLASH SECTOR ERASE OPCODE] [FILE NAME]
                        R: Read FLASH
                        W: Write FLASH
                        E: Erase FLASH
                     PORT: Port to send command to
                PORT TYPE: 0 for IDE, 1 for SATA
                DRIVE POS: A0 for Master, B0 for Slave
               FLASH TYPE: 0 for parallel flash, 1 for serial flash
               FLASH SIZE: size of flash chip in number of banks
FLASH SECTOR ERASE OPCODE: individual sector erase opcode command byte
                           this is only needed for erasing a serial flash
                FILE NAME: name of the file to read/write from/to flash
All numbers are intepreted as hex values!

Example Usage:
"DOSFLASH R 01F0 0 A0 1 4 C:\flash.bin"
=> Read serial flash with a size of 4 bank (262144 bytes) from Master Device
   on IDE port 0x01F0
"DOSFLASH E C000 1 A0 1 4 D8"
=> Erase serial flash with opcode 0xD8 and a size of 4 banks (262144 bytes)
   from Master Device on SATA port 0xC000
   
   
Explanation of the Parameters:
--------------------------------

[R|W|E]
---------
- this will set the mode of flashing, it is recommended to first try read on any
  drive, if the read will fail, it is highly unlikely that a write or erase will
  succeed

[PORT]
--------
- the port to which the drive is connected, a port number should always be entered
  in hexadecimal and have 4 hex digits, valid ports are: 01F0, 0170, C000, C800
- this option can be used if your PCI adapter card or on board IDE/SATA ports are
  not identified by the auto mode

[PORT TYPE]
-------------
- the port type tells DosFlash what type of port is installed on the before entered
  port address
- valid values are 0 for IDE and 1 for SATA
- make sure you never mix the wrong port with the wrong port type, this could give
  strange results or in the worst case a bricked drive
  
[DRIVE POS]
-------------
- old style IDE channels have the possibility to connect two drives at one IDE
  channel, the first drive is called the master, the second drives is called the
  slave
- you can select which drive should be flashed on the channel, A0 selects Master,
  B0 selects Slave
- on SATA ports this value is always A0, cause you can only connect one drive to
  a SATA port, so for SATA you will always type A0 here
- it is not recommended to flash IDE drives with another drive connected to the
  same IDE channel, this could be risky if something in the Master/Slave selection
  fails
  
[FLASH TYPE]
--------------
- there are two types of flash chips out for CD/DVD-ROM drives atm
- the older type is parallel flash, which is also supported by mtkflash for example
- the newer type is serial flash, which is supported by flashers like XSF
- the problem here is that no tool is out that can flash serial flash chips on 
  SATA ports
  
[FLASH SIZE]
--------------
- this is specifies the flash chip size in banks
- one bank is always 65.536 bytes in size
- if you know your drive has a flash chip of 262.144 bytes in size you need to enter 4

[FLASH SECTOR ERASE OPCODE]
-----------------------------
- the opcode used in the flash chips datasheet for erasing
- for serial chips this command can be different from the standard and needs to be
  entered for flash erase
- for parallel flash chips you can enter a dummy cmd byte, the integrated command
  should work on all parallel flash chips without a prob
  
[FILE NAME]
-------------
- name of the file that should be used for flashing
- for reading operations this should be the output file
- for writing operations this should be the input file


Hints and Warnings
--------------------
- read, write erase TS-H943A MS28 after the firmware stealth has been disabled with Enable0800 disc
  - this only works one time, after the first mtk vendor specific intro cmd is send
  - if the mtk vendor specific outro cmd is send the chip goes back to stealth mode and you need
    again the Enable0800.iso to disable it
  - therefor the mtk vendor specific intro is send at program start to all present devices and the
    mtk outro is sent at program end
  - if you have a chip manufacturer id of 0x02 and a chip device id of 0x02 for the TS-H943A
    the flash chip is in stealth mode and won't give access to any reading, writing, erasing
- always have a look at the DataSum generated, this is exactly the DataSum of mtkflash
  - the DataSum is calculated as the sum of all bytes of the firmware in a short integer
  - to make 100% sure that the flash is written right compare that DataSum to a known one
- this tool has not been tested on all drives out there, the typ list is simply copied from well
  known programs like mtkflash and XSF
  - always try a flash read on a not yet tested drive before doing anything else
  - if the read doesn't succeed it is highly unlikely that a write or erase will
- some LiteOn drives seem to have probs to write the firmware correct, this prob seems to be
  related to windows register flashing, cause even an assembler app can't do this error free
  - if you get errors on LiteOn drives, write the flash two times in a row
- for direct port I/O in windows the givoio.sys driver is used, this driver is loaded at DosFlash32
  start and unloaded at program end, be warned, this driver can possibly make your system unstable,
  it's intention is to let privileged assembler instruction like in and out pass, even in windows,
  if this driver is not used you will not be able to get direct access to port registers
- DosFlash was tested on MS-DOS 6.22 and later, you can easily copy it on a MS-DOS boot disk created
  in Windows XP and start DosFlash directly from the disk
- don't forget to also copy the DosFlash.typ file, it has all the informations about flash chips
  for auto mode flashing
- DosFlash32 was tested without a prob on Windows XP SP2, you'll need also the typ file for the 
  win version
- DosFlash32 will deactivate all CD-ROMs in device manager at startup, this is better for flashing,
  cause Windows seems to poll the drives all the time and this could result in a bad fw file or
  a program hang, the drives are activated again at program end
- you should make sure that the flash is not in an erased state at program end, cause device manager
  don't like drives that do not respond to the inquiry command
- deactivating all CD-ROMs could take a few seconds, so please be patient at program start
- DosFlash and DosFlash32 will try to scan for the VIA 6421L Raid Controller card, based on vendor
  id 1106 and device id 3249, it doesn't matter if the card driver is installed or not


Many thanks to Dale Roberts and his Direct Port I/O driver giveio.sys!

Avoid a bad flash!
Kai Schtrom


No te pierdas nada, síguenos en Twitter o Mastodon!
¿Tienes alguna duda, petición o aporte? Utiliza el foro!

×
×
  • Crear nuevo...