An effort to make open source firmware for burning anything other than Blu-Ray data onto plastic discs with a BD-R drive.
__ __ __ .----.-----.---.-.-----| |_.-----.----.--------.-----| | |_ | __| _ | _ |__ --| _| -__| _| | -__| | _| |____|_____|___._|_____|____|_____|__| |__|__|__|_____|__|____| --A fun way to break your Blu-Ray burner-----------------------
The coastermelt project is an effort to make open source firmware for creatively repurposing BD-R drives.
Follow the video channel: https://vimeo.com/channels/coastermelt
The new firmware is still not real yet, this project is still in the early stages of reverse engineering.
For the Samsung SE-506CB external Blu-Ray burner, it provides a way to install 'backdoored' firmware to support a set of programmatic and interactive reverse engineering tools.
Mac OS X only for now. Requires an ARM cross compiler (arm-none-eabi-gcc and friends) as well as a local compiler (XCode).
NOTE that there are NO copyrighted firmware images included here in this open source project! To be on the safe side, we don't include large disassemblies or reverse engineering databases either. The installation process requires patching a specific version of firmware, which we download from the official firmware update site during the build process.
The documentation here is an original effort created without access to any data sheets or official documentation for the MT1939 chip. I started with a marketing blurb about the chip, the "ARM" logo lasered on top, and some firmware updates. Everything else here is based on extensive guesswork and experimentation. If anything sounds authoritative, that is completely by accident. I have no idea what I'm doing here.
brew install sdcc
backdoordirectory to build the patched firmware and the Python extensions
If the update worked, you'll see my backdoor signature show up when you run mtflash. This is how you can tell your drive has the patch! Otherwise it should mostly work, though of course it's totally untrustworthy at this point. I mean, we just turned off all the bootloader integrity checks.
cylindroid:flasher micah$ ./mtflash Inquiry: 0: 05 80 00 32 1f 00 00 00 54 53 53 54 63 6f 72 70 ...2....TSSTcorp 10: 42 44 44 56 44 57 20 53 45 2d 35 30 36 43 42 20 BDDVDW SE-506CB 20: 54 53 30 31 20 20 30 35 32 38 20 20 20 20 20 20 TS01 0528 30: 20 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ............... 40: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 50: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ Firmware version: 0: 00 06 01 01 54 53 20 00 ....TS . Backdoor signature: 0: 7e 4d 65 53 60 31 34 20 76 2e 30 33 ~MeS`14 v.03
But hooray! Now if you have IPython, you can start the interactive shell. For more about what you can do with it, take a look at the shell recipe book.
cylindroid:backdoor micah$ ./cmshell.py__ __ __
.----.-----.---.-.-----| |.-----.----.--------.-----| | | | | _ | _ | --| | -__| | | -| | | |||.|___|____|_|| ||||_____||__| --IPython Shell for Interactive Exploration--------------------
Read, write, or fill ARM memory. Numbers are hex. Trailing _ is short for 0000, leading _ adds 'pad' scratchpad RAM offset. Internal _ are ignored so you can use them as separators.
rd 1ff_ 100 wr _ 1febb ALSO: rdw, orr, bic, fill, watch, find peek, poke, read_block
Disassemble, assemble, and invoke ARM assembly:
dis 3100 asm _4 mov r3, #0x14 dis _4 10 ea mrs r0, cpsr; ldr r1, =0xaa000000; orr r0, r1 ALSO: tea, blx, assemble, disassemble, evalasm
Or compile and invoke C++ code with console output:
ec 0x42 ec ((uint16_t*)pad)[40]++ ecc println("Hello World!") ALSO: console, compile, evalc
Live code patching and tracing:
hook -Rrcm "Eject button" 18eb4 ALSO: ovl, wrf, asmf
You can use integer globals in C++ and ASM snippets, or define/replace a named C++ function:
fc uint32_t* words = (uint32_t*) buffer buffer = pad + 0x100 ec words[0] += 0x50 asm _ ldr r0, =buffer; bx lr
You can script the device's SCSI interface too:
sc c ac # Backdoor signature sc 8 ff 00 ff # Undocumented firmware version ALSO: reset, eject, sc_sense, sc_read, scsi_in, scsi_out
Happy hacking! -- Type 'thing?' for help on 'thing' or ~MeS`14 '?' for IPython, '%h' for this again.
In [1]: