Dumping & Downgrading firmware on UHD Friendly Devices.

Discussion in 'CD/DVD/BD Drives' started by TeddyRaspin, Feb 4, 2018.

  1. TeddyRaspin

    TeddyRaspin Well-Known Member

    Hi guys,

    here is my own guide to successfully dump and downgrade firmware on any "UHD Friendly" devices, such as Asus BC-12D2HT / BW-16D1HT or LG BH16NS40/NS55 (WH16NS40/NS55) (SVC Code NS50) and similar drives having MediaTek chipset inside them.


    Requirements
    :

    • Asus or LG UHD Friendly drive
    • An USB stick DOS bootable (which can be made by Rufus tool)
    • A motherboard having SATA controller set as IDE (not AHCI !!!)
    • DOSFLASH modified version (attached below)
    • WinHEX (Hed Editor for advanced users)
    • Patience. :)

    Steps for dumping firmware : (Windows Method)

    • Download the Windows 7 Live (Portable Edition) ISO from here.
    • Use Rufus and select the ISO image previously downloaded and prepare the USB stick.
    • Unzip on USB stick root the DOSFLASH_Windows7.zip attached file below.
    • Enable CMS in BIOS option in order to boot from the USB stick (NOT UEFI !!!!) and configure SATA controller as IDE !!
    • Wait few seconds to allow Windows 7 properly loaded and as soon as the Windows 7 desktop appears, go to "My Computer", open the USB device letter, and run DOSFLASH32_BH16NS40.exe.
    • Now, you should see the BH16NSxx (or ASUS) device listed. If not you have not properly set the SATA controller or it is not compatible with DOSFLASH.
    • If everything looks fine, select first "Read Flash", in order to dump the current firmware.
    • After the reading/dumping process, you will need to take the clean 1.02 (or any other UHD Friendly firmware) and prepare it with data imported from the original dump. To do this, you can send me your dump, or doing yourself via HEX Editing process (see below).
    • Once you have prepared the UHD friendly firmware, reboot Windows 7 Live PE from USB and run DOSFLASH_BH16NS40.exe again. This time, select first "Erase Flash", and then "Write Flash".
    • Select the firmware you prepared before, and wait for the task to be completed.
    • Now, you can restore SATA Configuration settings, disabling CSM (needed for a full UEFI boot), and enjoy your UHD friendly device.

    Steps for dumping firmware
    : (DOS Method)

    1. Prepare an USB FreeDOS bootable stick, using Rufus (which can be downloaded here).
    2. Unzip on USB root the DOSFLASH.zip attached file.
    3. Enter into motherboard BIOS settings and set SATA Controller as IDE (or Legacy). If you can handle only AHCI, DOSFLASH will not properly work, or it could not work at all.
    4. Be sure to connect your ASUS/LG drive alone, as SATA Primary Master (USE SATA1 or SATA2 controller ports).
    5. Enable CSM (Compatibility Support Mode) and boot from the USB stick in Legacy Mode.
    6. At the command Prompt, type "DOSFLASH" and press Enter. If it does not detect anything, retype again. It could be needed to type DOSFLASH 3-4 times before ASUS/LG device be properly detected.
    7. It should show the Manufacter ID of your device, namely "MediaTek MT1959".
    8. Press the relative number of the detected device (1 in my case) and press "R" (without quotes) to dump eeprom firmware.
    9. Save firmware with the name you like and keep it safe.
    10. At this point you can follow the below guide for modding firmware by yourself, or zip it and send this file to me and I will create a 100% working firmware in order to turn back the UHD capabilities as well as to fix the "Drive Signature DV value" or "Bus Encryption" error shown in AnyDVD HD !!!!

    Steps for dumping firmware
    : (Devilsclaw's Method only for old firmwares)

    1. Download the Devilsclaw's flasher from here
    2. Unzip the relative version (32 or 64 bit) into C:\TEMP (for example) and open an Elevated Command Prompt (that is with admin privileges).
    3. Go to C:\TEMP directory (or any other dir in which you've previously unzipped flasher) and type : "flasher -D" (without quotes) to display the Device ID of your drive(s).
    4. Now type "flasher -d [driveid] -l firmware.bin 6 00000000 00200000" (without quotes) and press enter. A file called firmware.bin will be created.
    5. Keep it safe and send it to me if you want to upgrade to a newer version.
    I've written "for old firmwares" because, it seems that the latest ASUS/LG firmwares, which fixes the AACS 1.0 loophole (for UHD reading), inhibit the devilsclaw's flasher and you could not be able to have a valid dump.


    Steps for importing data from backup firmwares
    : (Hex Editing)

    1. Install WinHEX (or any other similar Hex Editor).
    2. Open the dumped DOSFLASH firmware and the new one you want to flash on your device. (*)
    3. On the backup firmware (the dumped one) select hex range starting from 0x1E8000 offset to 0x1E84FF and copy it in the same range of the new firmware. (**)
    4. Do the same as point 3. but starting now from 0x1E9000 to 0x1EBFFF. (***)
    5. At last, copy range from 0x1F0000 to the end. (***)
    6. Save the new firmware (for example as TEST.BIN).
    7. You are now ready for flashing (or crossflashing) the new firmware (or a downgrade version).
    * - It is important that the dumped firmware must be the DOSFLASH dump and not the Devilsclaw's one !!

    ** - This point is the most important of all, as it contains the Drive Signature (DV Value) needed for the bus encryption and it is specific for each drive !!!!

    *** - This point is useful for importing the correct laser calibration data but I've found that ASUS/LG devices have almost the same behaviour even with different calibration data.


    Steps for importing data from backup firmwares : (Automatic Method)

    1. Unzip the EEPROM Data Mover attached below.
    2. Open it, select first the dumped original firmware.
    3. Select now a clean firmware to insert data (clean firmwares can be found here).
    4. Type now a firmware name (i.e. TEST.BIN) which will be the one you will eventually need to flash on your drive.

    Steps for flashing firmware : (DOSFLASH modified method)

    1. Follow the same steps written for the dumping method, until you arrive at the DOSFLASH command prompt.
    2. Be sure to have copied the new prepared (TEST.BIN) firmware onto root of your USB stick.
    3. Press the relative number of your detected device under DOSFLASH (1 in my case).
    4. Type "E" (without quotes) to fully erase your drive eeprom and wait for the end of the task.
    5. Now type again DOSFLASH, press the relative number and the "W" letter (without quotes) for writing firmware.
    6. Type the firmware name (TEST.BIN in this example) and wait 1 min or less to the end of the process. (It has to write 32 rom banks starting from 0 to 31).
    7. Eventually you will see the blue light of your device blinking. This is the proof your drive has been initialized again and ready to work.
    8. Reconnect your devices as before, do the same with bios settings for UEFI support and boot your Windows OS.
    9. Now you're ready to see if your work has been properly done and your device working again with UHD discs !!! :)

    Important note :

    If you forget to make a valid dump of your drive before flashing or try to flash a dump taken on the net, there is a high risk (> 90%) your device will be useless
    and you will have to throw it in the WC
    . :D

    To be updated if needed. ;)

    P.S.
    Please avoid to ask on main thread for specific modded fw. Anyone can do this job for himself. Just read and apply what has been carefully written. Thanks for your cooperation.
     

    Attached Files:

    Last edited: Jul 2, 2018
  2. coopervid

    coopervid Well-Known Member

    Teddy,

    you provide the 2008 version of DOSFLASH. On myce they use a newer version DOSFLASH V2.0 dated 2011.
    In addition they also describe how to transfer laser calibration data from your dumped firmware to the "to be flashed version". This tool is also provided as well as "clean firmwares (w/o calibration data)". You transfer the laser calibration data from your dumped firmware to those before flashing your drive.

    Question: Do you know the differences between the two Dosflash versions?
     
  3. TeddyRaspin

    TeddyRaspin Well-Known Member

    I've attached a specific DOSFLASH version, modified by myself, for this purpose. It was not a mistake using an older version instead of the 2.0 (which does not support the ASUS/LG MediaTek eeprom).

    The calibration data tool is a good thing, but it's not mine. I've used the "old school method" via hex editing, but I will modify guide in order to accomodate this tool.
     
  4. coopervid

    coopervid Well-Known Member

    Thanks for the info. I saw your other tutorial using WinHex in the other forum.
    I didn't know that you have your own patched version of Dosflash. Actually at myce they claim that that's the reason why they came up with Dosflash V2.0 for the same purpose to handle newer LG drives and downgrades.
     
  5. TeddyRaspin

    TeddyRaspin Well-Known Member

    Yes but that dosflash version requires Windows 32 bit and the portio32.sys which requires to disable the signature driver. It requires a huge amount of luck and, as described in their guide itself,
    it can generate read/write errors during the flashing process.
     
    Tha Watcher likes this.
  6. Hackerjac

    Hackerjac Well-Known Member

    Read out the 3.0.1 firmware from Asus BC-12D2HT, using the modded dos flasher from pure dos, the devilclaws flasher woulden read the firmware

    I then send it to TeddyRaspin, he made a new one for me using the Asus BW-16d1HT firmware as donor, since noone have made a backup of the 3.0.0 BC-12D2HT
    I flashed it and the drive reads UHD again, even though the drive being reportet as Asus BW-16D1HT by Windows, its probbely just some inf in the firmware as has nothing to say

    i now have a friend thats gonna be real happy

    This read and writing flash reminds me about the good old days when flashing/spoofing Xbox360 drives
     
    TeddyRaspin likes this.
  7. coopervid

    coopervid Well-Known Member

    Teddy,

    OK, great! Now it's clear to me. Nice to see that you added the EEPROM_Data_Mover.
     
    Last edited: Feb 4, 2018
  8. coopervid

    coopervid Well-Known Member

    I just ordered another LG BH16NS55 as back-up if my other one with 1.02 will fail some day. I'm quite curious with what version of firmware it will arrive. If 1.03 my plan is to make it an ASUS with 3.02.
     
  9. Hackerjac

    Hackerjac Well-Known Member

    I made my NS55 to Asus 3.00, and later 3.0.2, but went back to 3.0.0 again since 3.0.2 started giving alot of read errors
     
  10. coopervid

    coopervid Well-Known Member

    Interesting! I read only about the faster read speed of ASUS 3.02 but never of any disadvantages.
     
  11. Hackerjac

    Hackerjac Well-Known Member

    The read problem came arround 47-52%, seems like it could be a problem with the layer shift, only tried on DL 50 and 66 disk, so far i haven't found any tripple layer disk in my country
     
  12. coopervid

    coopervid Well-Known Member

    You mean with burned discs and not with original UHD discs?
     
  13. Hackerjac

    Hackerjac Well-Known Member

    no i mean original UHD disks
     
  14. Chuck_IV

    Chuck_IV New Member

    I can attest to Teddy's method, at least for MakeMKV. It worked perfectly for my LG WH16NS40. Mine came with the evil 1.03 firmware, so I pulled the firmware and sent it to Teddy. He sent me a working copy of 1.02 based on the 1.03 and after flashing, I was able to rip the UHD version of Blade Runner 2049 without issue with MakeMKV.

    It also worked with AnyDVD...
    Summary for drive G: (AnyDVD HD 8.2.1.9, BDPHash.bin 18-01-30)
    HL-DT-ST BD-REWH16NS40 1.02
    Drive (Hardware) Region: 0 (not set!)
    Current profile: BD-ROM
    Media is a Blu-ray disc.

    Total size: 43815744 sectors (85577 MBytes)
    Video Blu-ray label: Blade_Runner_2049
    Media is AACS protected!
    Drive supports bus encryption!
    Disc wants bus encryption!
    AACS MKB version 61
    UHD Blu-ray disc.
    Removed AACS copy protection!
    Bad sector protection not found.
     
    Last edited: Feb 5, 2018
  15. Interesting observation. I have a WH16NS40. The file flash_HL-DT-ST_BD-RE_WH16NS40_1.02_NS50.bin in the archive here appears to actually be a 1.03 file. When I grab my calibration data from my drive's 1.03 image and insert it into this file, my reflashed drive keeps showing 1.03 for the firmware. However, if I use the file flash_HL-DT-ST_BD-RE_BH16NS40_1.02_NS50.bin instead, grab my calibration data from my drive and insert that into that file, my reflashed drive shows 1.02 for the firmware.
     
  16. Pelvis Popcan

    Pelvis Popcan Well-Known Member

    Just curious why you can't post instructions for users to do this themselves?
     
  17. Tourist

    Tourist Well-Known Member

    Aren't it the instructions (manual & automatic) that he posted in his guide ?
     
  18. Pelvis Popcan

    Pelvis Popcan Well-Known Member

    Oh, is the stuff on the bottom what he does if you send the firmware to him?

    Just to be clear, I mean absolutely no disrespect here, I'm at this point still learning about the whole UHD thing and am trying to understand and absorb information. I'm kinda dumb. :)

    TeddyRaspin is the kind of user I like to see on the Internet, I fear as time goes on there will be less and less of those like him.
     
    spicy likes this.
  19. Tourist

    Tourist Well-Known Member

    Neither do I (y)
    I am just guessing there's no other 100% working method aside from "importing data from backup firmwares".
     
  20. coopervid

    coopervid Well-Known Member

    @teddy,

    I received my second (backup) LG 16BHNS55 today. Manufactured December 2017 with firmware 1.03.
    Immediately flashed it to ASUS BW16D1HT 3.02 transferring the laser calibration data from my original firmware. All is working perfectly! Thank you!
    Rips are faster compared to the LG firmware with peak at about 33 Mb/s and the drive is quieter with this firmware. Right now I'm burning a BD-R 50 GB w/o issues. It finished without issues.

    However, DOSFLASH did not report any ATAPI drive initially after booting up. I suggest you edit your cook book and highlight this part with bold letters:

    At the command Prompt, type "DOSFLASH" and press Enter. If it does not detect anything, retype again. It could be needed to type DOSFLASH 3-4 times before ASUS/LG device be properly detected.

    This happened reading the EEPROM and also when I tried to write it. I had to enter DOSFLASH several times on command type level.

    Anyway... It worked perfectly!
     
    Last edited: Feb 6, 2018