rdubbs007 kamikaze unlock tutorial


Upload: ryanschwartz

Post on 01-Jan-2016


DESCRIPTION

Tutorial on unlocking your xbox 360 with the kamikaze hack.


Credits and thanks for this method being possible go to turny for enlightening me on the photo method for finding the location of the trace on the flash chip. Thanks also to Geremia for the kamikaze method of unlock.

RDUBBS007’S WINBOND KAMIKAZE METHOD

This method of unlocking a Winbond SPI for the LiteOn DG-16D4S DVD drive in an Xbox 360 SLIM console was developed through methods I picked up with experience and ideas from other people, who will be credited in this tutorial. We will start with the basics, and that is the SPI-locked LiteOn DG-16D4S PCB. When identifying your PCB, you can either connect the drive to Jungleflasher and intro it into vendor mode, or you can take the bottom cover off of the drive and look directly at the flash chip.

*Disclaimer: I will not be held responsible for any damage done to your property as the result of following this tutorial; it is merely a guide and should be treated as such. Proceed at your own risk.

This is what Jungleflasher will look like if the chip is a Winbond:

This is the difference between the 2 different LiteOn DG-16D4S flash chip types:


This method involves using a digital microscope that is capable of taking close-up photos of the flash chip. These can be found for around $40 on eBay. A digital camera may also be used (with macro on, which I have not attempted), but ensure that the chip is very well lit so that you can see the legs. Once it is all set up, take a picture of your DVD drive’s PCB, zoomed in on the flash chip.

We will be using this photo to determine the location of the trace that needs to be cut. Once you have taken the photo, load it into Paint. We will be using the guide photo in circulation that shows the pin count on the flash chip to make your lines. It is this photo here:

There is no need to remove the epoxy from the pins to do this method, or to mark up the chip with an X-Acto knife or anything else. Simply open the photo you took with the microscope or camera in Paint, and start counting the pins and connecting them with the line tool in a visible color (I used red because it is easily visible).


Doing this step will help you to find your chip’s specific flash chip trace location, as every chip differs and the white chip stamp is IN NO WAY EFFECTIVE for determining the location. It is very important that the lines be drawn so that you do not go into the wrong spot on the chip, likely destroying the chip completely. Below you can see some examples I have done, and how different the location can be from chip to chip. Thank you, turny, for this idea; it has not failed me yet.

As you can see in the pictures, the location can differ by as much as 2 leg widths from chip to chip.


Now that you know where on the chip to go in (I always use a Dremel with the 0.8mm bit rigged up in a Dremel drill press), you can connect the PCB to Jungleflasher, select the MTK Flash 32 tab, and select the Slim circle under the Flashing Tasks section. Hit the Intro / Device ID button and turn the PCB off and then back on again immediately.

The drive will intro into vendor mode and you will be able to send the SPI unlock command. Click the 0x8C button (in the Flashing Tasks section in the MTK Flash 32 tab of Jungleflasher).

The drive will then receive the command, but will remain locked. Jungleflasher will ask if you would like to continue to send the command until unlock is achieved; click yes.

Turn the volume up on your computer as loud as it will go before starting to Dremel. It will beep when the unlock status has been achieved. Turn your Dremel on and start going into the chip on the spot located previously, where all 3 lines intersect. It is important not to rush this process, and to go slowly and steadily. Do not go into the chip more than 0.5mm at any time either. If you have gone about 0.5mm in and the unlock is not achieved, start working your way around the hole (start shallow) a tiny bit at a time. You should not have to do this, because Jungleflasher 1.88 is very quick at detecting an unlock of the SPI and will alert you immediately.

[Photos: post-Dremel IC; inside of the Dremel cut]


Once your chip is unlocked, test it by resending the SPI lock command (click the 0x00 button in the Flashing Tasks section in the MTK Flash 32 tab of Jungleflasher) and then click it once more to re-unlock (this time it will be 0x8C, as the SPI is locked again). Resend the command, and then to re-unlock it, dip a Q-tip into some rubbing alcohol and touch the hole that you have made with the Dremel with that alcohol-soaked Q-tip.

You may have to rub it around the area a bit to get it unlocked. A tip on this part: if it is not unlocking easily at all with this, and it takes quite a bit of effort or time to get it to go, relock it and then send the unlock command once more, and this time go at it with the Dremel again VERY VERY CAREFULLY AND SLOWLY, barely touching the Dremel bit down into the hole. I have found that this will make a better trace cut, and re-unlocking becomes very easy. But you must be very careful not to go in any deeper at all, or you will risk ruining another trace in the flash chip.

Congratulations!

You are done. Enjoy your unlocked Winbond LiteOn DG-16D4S DVD drive.