JungleFlasher

(v0.1.59 beta)

Basic User Guide v1.0b

 Introduction
JungleFlasher is developed by Team Jungle in an effort to bring all 360 DVD-Drive flashing
functions together in one easy to use Win32 Application.

JungleFlasher provides several functions that up until now where carried by several different
apps in both Dos and Win32.

The first tab you will see is the FirmwareTool 32 tab. In this window you can load f/w files,
Jungle Flasher will parse the files and identify the f/w type and display relevant information, like
the all important DVD key and OSIG strings etc. On the Target sub-tab, it will also conduct MD5
hash checking of iXtreme files to confirm authenticity etc. With both source and target files
loaded the relevant source data can be transferred to the Target ( a.k.a. Spoofed ), which can
then be flashed to the target drive.

The next tab is DVDKey 32, this tab is used to extract info from Lite-On the undumpable drive.
All, unique information is extracted: Drive Key, Unique Inquiry and Identify strings and Drive
serial information. This info is all stored in 1 easy to use file, ”Dummy.bin”, this is a 256kb file
that mimics the approximate structure of a Benq f/w file and is automatically loaded to the
source sub-tab in the FirmwareTool 32 Tab. Jungle Flasher v0.1.55b also brings the unique
feature of dumping “Dummy.bin” from iXtreme flashed Lite-On Drives over S-ATA alone.
There is also a facility to create a “dummy.bin” from previously extracted files, although, fresh
extractions should be completed where possible. Every effort has been made to make the key
extraction as reliable as possible, multiple dumps with comparison to account for the slightest
chance that the serial data could become corrupt.

The Third tab is MTKFlash 32. You can use this tab to Unlock Benq and Samsung drives and
then dump the current flash for use in the source sub-tab in Firmware Tool 32 tab. You can also
erase a Lite-on in preparation for flashing. All 3 drives can be flashed in this tab.

The last tab is Hitachi. This is on its own as it is flashed in the different way to the MTK based
drives above. Hitachi is flashed as a “Live” drive, on a sector by sector basis. This revision of
JungleFlasher now incorporates full read / write access of Hitachi DVD Drives.

JungleFlasher is intended to be rich in information giving as much relevant and useful

information as possible. On the DVDKey 32 and MTKFlash 32 tabs, all IO and COM port
information is detected and displayed as well as drive and device properties for the currently
selected drive.

Page 2 of 89
 Pre requisites
• If using a VIA 6421x PCI Sata card, it is advisable to remove the drivers from the
\Windows\System 32\Drivers\ directory as they do not handle erased Lite-On’s very
well at all, causing the infamous ‘Lite-On + VIA Freeze’

• You must install PortIO32

• net framework 2.0 Or later for Windows XP machines – I believe you need .net
framework 3.5 SP1 on Windows Vista Machines

• JungleFlasher Firmware Pack (vital for Hitachi Drives)

Page 3 of 89
 Lite-On PLDS DG-16D2S 74850c.

There is no soft method for stock Lite-On PLDS DSG-16D2S Drives.

However, Lite-On drives currently modded with iXtreme 1.5+ can be dumped using S-ATA only.

Overview
Things become a little different with the Lite-On drives as there is no software only way of
unlocking the drive and reading the firmware, it requires the utilization of a RS232 to TTL serial
hardware, or a popular variant such as Connectivity Kit v3 (optional probe) or Maximus
Xtractor (with optional spear). This is necessary to extract the key/inquiry/identify/dummy .bin
files. These files are necessary for spoofing & gathering your key, even if you are just flashing
the 1.51 IXtreme to a Lite-On drive (unless already flashed with iXtreme). They contain serial
information that is required for proper identification and security related issues.

You only really need the probe / spear if you fear soldering as these eliminate the need to do
this although if doing a few drives they can be more convenient.

If you choose to solder the R707 serial point back together, please ignore
reference to probe / spear instructions – Serial should be intact before
proceeding in your case (R707 bridged)

Page 4 of 89
 Obtaining Key/Inquiry/Identify and Dummy.bin from iXtreme flashed Lite-On
Drives
For this method, we still need to power on the drive with the “half open tray”.

If using a 360 to power the drive this method can be tricky to accomplish.

You need to power on the drive with Eject status closed but Tray Half Open – To do this using
an Xbox 360 as Power source, eject the DVD drive, then, press eject to ‘close’ the tray. Now this
is the important part – you MUST remove the DVD power plug from the DVD Drive BEFORE it
closes fully.

Wait for a few seconds and replace the power plug into the DVD drive taking extreme caution
to plug the plug the right way around – once done, the drive is now powered, console thinks its
closed but it is in fact half open.

Using a Connectivity Kit / Xtractor to power the drive

The easiest way to do this is to use manual eject before powering the drive, to manual eject
simply push this slider along until the tray is released.

Then, pull the tray out fully and push half way back in. Now, hook it up to the PC using
Connectivity Kit and Sata then power on.
Page 5 of 89
Now, with the eject status set, Open JungleFlasher, you will be presented with the Welcome
Screen.

After a few seconds the main window will load.

Now, click the DVDKey32 Tab

Page 6 of 89
Select Correct I/O port (check for drive properties in the Drive Properties section) it should
report as PLDS DG-16D2S (unless spoofed), you can choose to dump dummy.bin only as
opposed to all 4 files (Key, Inquiry, Identify and dummy.bin)

Then, simply click Dummy from iXtreme.

Save as prompted, and proceed from Page 13.

Page 7 of 89
 Using DVDKey32 to obtain Key/Inquiry/Identify/Dummy.bin.
If using a 360 to power the drive this method can be tricky to accomplish.

You need to power on the drive with Eject status closed but Tray Half Open – To do this using
an Xbox 360 as Power source, eject the DVD drive, then, press eject to ‘close’ the tray. Now
this is the important part – you MUST remove the DVD power plug from the DVD Drive
BEFORE it closes fully.

Wait for a few seconds and replace the power plug into the DVD drive taking extreme caution
to plug the plug the right way around – once done, the drive is now powered, console thinks its
closed but it is in fact half open.

Check Drive Properties for PLDS DG-16D2S.

Using a Connectivity Kit / Xtractor to power the drive.

The easiest way to do this is to use manual eject before powering the drive, to manually eject
simply push this slider along until the tray is released.

Page 8 of 89
 Then, pull the tray out fully and push half way back in. Now, hook it up to the PC using
Connectivity Kit and Sata and power on.

With the correct eject/tray status we can run DVDKey 32 either from Command Line, or as
depicted below in JungleFlasher.

Open JungleFlasher, you will be presented with the Welcome Screen.

After a few seconds the main window will load.

As you are using DVDKey 32 to obtain data, select DVDKey32 Tab.

Page 9 of 89
Select Correct I/O port (check for drive properties in the Drive Properties section) and COM
port, then insert probe / spear into R707 via, optionally, choose to dump dummy.bin only as
opposed to all 4 files (Key, Inquiry, Identify and dummy.bin). Xtractor USB user should enable
USB Xtractor Switch check box (shown in blue)

Good status on Probe / Spear has LED showing.

Page 10 of 89
 Now, click Get Key, Create Dummy.bin, Open as Source.

Providing serial connection was good, DVDKey 32 will dump the key 6 times and compare each
dump – then prompt you to save key.bin, inquiry.bin, identify.bin and dummy.bin.

Of course, should you have enabled the ‘Dummy.bin Only’ option you will only be prompted
to save Dummy.bin.

Page 11 of 89
Although extracting the key 6 times increases the chances of correct
key being obtained and checks are carried out on validity – There is
only one way to know for sure the key is GOOD.

You should, where possible, spoof the data into a different drive and
test to see it works BEFORE erasing the Lite-On Drive.

There is no harm in running DVDKey 32 multiple times, increasing the

number of key extractions.

Page 12 of 89
 JungleFlasher will then prompt you asking if you would like to auto-load iXtreme for Lite-On
Drives. You must have installed the JungleFlasher Firmware Pack into the same directory as
JungleFlasher.exe if you wish to benefit from this feature.

Click Yes to auto load iXtreme 1.51 for Lite-On into the Target Buffer, JungleFlasher will also
load your previously dumped Dummy.bin as Source Firmware. Then, copy data from source to
target automatically.

Just verify Source data reports as it should, DVDKey 32 Extract with OSIG of PLDS DG-16D2S
with the same key you dumped (check log for reference).

Now, verify unique Source Data matches that in Target Buffer and click save to file if you wish
to backup your Hacked firmware.

Page 13 of 89
Page 14 of 89
 The Next step is to ERASE the drive, its vitally important you
only do this once you KNOW you are ready and have read the
tutorial, in full, to understand the risks.

IMPORTANT!!!!!
Sending the erase command to the Lite-On using VIA chipsets with drivers
installed poses the potential risk of the system locking up due to the VIA chipset
polling the erased Lite-On and not liking the response!!!!!!!

Please see Appendix (Page 70) and follow instructions to remove Drivers.

You should, where possible spoof the data into a different drive and
test to see it works BEFORE erasing the Lite-On Drive.

There is no harm in running DVDKey 32 multiple times, increasing the

number of key extractions.

Page 15 of 89
 Erasing a Lite-On PLDS DG-16D2S.

PLEASE READ THE WARNINGS ABOVE.

Once you erase the drive, there is NO GOING BACK.

Click the MTKFlash 32 Tab.

Verify I/O Port is correct and click Lite-On Erase.

JungleFlasher will warn of the importance of having a verified Good Drive Key.

Please Note, the only way to know 100% that a key is good, is to flash a different drive and
test BEFORE sending erase command.

Click Yes if you wish to Proceed.

JungleFlasher will present you with another warning.

Page 16 of 89
 Read this carefully, in most cases JungleFlasher wil return a Running Log similar to this: We
have had 0xD0 / 0x80 / 0xF2 / 0xD1 and all worked fine.

After pressing yes and during the sequence of dots shown below, Power Off / On drive ONCE.

Hopefully you will see good Flash Chip Properties and Status 0x72 (2 known SPi Chips for Lite-
On’s, Winbond and MXIC) Winbond Shown, drive will appear in Vendor Mode under Drive
Properties.

Page 17 of 89
 Drive is now in Vendor Mode (0x72).

Click the Write button to write Target Buffer to the drive.

Write Verified OK! in Running Log signals good write.

Now send an Outro to the drive.

This will release a drive from Vendor Mode and send ATA Reset to the Drive. It then sends an
inquiry command to the drive.

This will save you power cycling the drive and then changing port away and change it back
again, with the click of a button, the drive will ‘reset’ itself and JungleFlasher will send an
inquiry command to the drive. If successfully flashed the drive should Inquire correctly and
display drive properties.

Page 18 of 89
 Samsung (TS-H943) MS25 /MS28.
Overview.
The steps to modifying / restoring a Samsung Drive follow the basic outline of:

• Unlocking the Drive (MS28 or Xtreme 4.0+ Firmwares)

• Reading the Original firmware

• Patching Key into hacked Firmware

• Writing Drive

The tutorial will state multiple unlock methods, once drive is Unlocked / In Vendor Mode
(0x70) you should proceed to the next step of reading the firmware from the drive.

Now, we can proceed to modifying the drive.

Power drive with it connected to PC via SATA then open JungleFlasher.exe. You will be
presented with the Welcome Screen.

After a few seconds the main window will load.

Page 19 of 89
 Unlocking the drive.
Before we can do anything to the drive, it must be in Vendor Mode (status 0x70).

All Unlocking is taken place under the MTKFlash 32 tab.

Please note, unmodified Samsung MS25’s have no FirmGuard therefore do not need an unlock
method to be applied, simply click Intro / DeviceID and check flash chip properties for status
0x70.

Stock MS28’s (Unmodified).

There are 2 methods of unlock for Stock Drives, the first, is Sammy UnLock.

Select correct I/O Port (check for TS-H943 in the Drive Properties) and click Sammy UnLock.

Page 20 of 89
You will be presented with the following warning notifying you that Sammy UnLock only works
on stock drives and how to unlock if using (i)Xtreme.

Select yes and watch the Running Log in JungleFlasher; this is a ‘good’ return message,
JungleFlasher will also automatically send the intro command and put the drive in Vendor
Mode.

The drive should be in Vendor Mode (0x70) now and return good flash chip properties; you can
check under Flash Chip Properties, Drive Properties should show “Drive in Vendor Mode!”.

Page 21 of 89
 Xtreme 4.0 -> iXtreme 1.4 Unlock using Activate.iso.
For this you need the Activate.iso found in the upper right hand corner of the MTKFlash 32 tab,
burnt to Dual Layer + R Media (this is vital for later firmwares). Simply burn it with no
layerbreak settings, with all data present on first Layer, IMGBurn 2.4.2.0 will do this fine just
select the ISO and confirm you want to burn to a large capacity disc with all data present on L0
(Layer 0).

Once burned, simply place it in your Samsung drive while connected to the PC, wait 30 seconds
and run JungleFlasher.

Click MTKFlash 32 tab.

Page 22 of 89
You will presented with a screen resembling this, select correct I/O Port (check for TS-H943 in
the Drive Properties) and click Intro / Device ID and then check the Running Log.

If Activate.iso worked correctly, you will get good flash chip properties (0x70) and drive will
appear in Vendor Mode in Drive Properties.

Page 23 of 89
 DeviceID Unlock / Vcc Trick (VIA/Nforce only) Stock + Modified Drives.

This method has only really been tested on VIA (no drivers, or 530c drivers) and Nforce Chipsets,
although there is no harm in trying on others, this method works on Hacked and Stock Drives.

Load JungleFlasher, and select MTKFlash 32 tab.

Select correct I/O Port (check for TS-H943 in Drive Properties) and click Intro / Device ID.

JungleFlasher will prompt you with instructions.

Page 24 of 89
 Click Yes the Running Log will display something similar to this.

When ……. Are appearing, do as previously instructed by JungleFlasher. Power off the drive
then, within 1 second power it back on.

The drive should be in Vendor Mode (0x70) now and return good flash chip properties, you can
check in the Running Log or Flash Chip Properties, The drive should also show as “Drive In
Vendor Mode!” in the Drive Properties.

Once we have the drive in Vendor Mode (status 0x70 with good flash chip properties) we can
read / write / erase the firmware.

Page 25 of 89
 Reading the Firmware from the drive.
Now, we would like to read the firmware from the drive first, so select read.

Again, watch the Running Log for constant status updates.

Firmware reading:

Once the firmware has been successfully read, JungleFlasher will prompt you to save it.

Page 26 of 89
 Once saved, JungleFlasher will then prompt you asking if you would like to auto-load iXtreme
for Samsung Drives. You must have installed the JungleFlasher Firmware Pack into the same
directory as JungleFlasher.exe if you wish to benefit from this feature.

Click Yes to auto load iXtreme 1.51 for Samsung into the Target Buffer, JungleFlasher will also
load your previously dumped Sam-OFW.bin as Source Firmware. Then, copy data from Source
to Target automatically.

Just verify Source data reports as it should, OSIG of TSSTcorpDVD-Rom TS-H943 with a key with
no multiple FF / 00 / 77 bytes

Page 27 of 89
 To save a firmware file based on what’s currently in Target Buffer click, Save to File.

JungleFlasher will ask you where to save the hacked firmware and what you want to name it,
and then you can proceed to write the firmware to the drive.

Page 28 of 89
 Writing Firmware to the drive
To write the firmware, as long as drive is still unlocked (Vendor Mode) we just click MTKFlash
32 tab.

Verfify you have good flash chip properties still.

Then, click Write.

Write Command, will erase and flash all 4 banks in turn, then read back the flash and verify.
Page 29 of 89
 A series of 16 …..’s is JungleFlasher writing the 16 sectors of each bank (4 banks, 0/1/2/3)

After writing all 64 sectors, signaled by 64 dots (16 dots across 4 banks) JungleFlasher will verify
what it wrote by reading back and comparing against the Target Buffer. So, what we really
want to see is Write Verified OK!

Ok, now you have flashed your Samsung Drive successfully, should you not get Write Verified
OK! Please ask for support in the JungleFlasher support channel, found at irc.efnet.net -
channel #JungleFlasher.

Page 30 of 89
 BenQ VAD6038 (62430c and 64930c)

Overview
The BenQ Drive revision is tackled in a very similar way to the Samsung Drives.

The steps to modifying / restoring a BenQ Drive follow the basic outline of:

• Unlocking the Drive

• Reading the Original firmware

• Patching Key into hacked Firmware

• Erasing Drive

• Writing Drive

The tutorial will state multiple unlock methods, once drive is Unlocked / In Vendor Mode
(0x73) you should proceed to the next step of reading the firmware from the drive.

Now, we can proceed to modifying the drive.

Power drive with it connected to PC via SATA then open JungleFlasher.exe. You will be
presented with the Welcome screen.

After a few seconds the main window will load.

Page 31 of 89
 Unlocking the drive.
Before we can do anything to the drive, it must be in Vendor Mode (status 0x73), the majority
of the unlock methods are found under MTKFlash32 tab, with the exception of Half Open Tray
unlock, please read on for more details on the unlock methods.

Half Open Tray Unlock for iXtreme 1.5+.

If using a 360 to power the drive this method can be tricky to accomplish as the 360 likes to
close the DVD Drive after powering it on.

You need to power on the drive with the Tray Half Open – To do this using an Xbox 360 as
Power source, eject the DVD drive and then remove the power lead from the Drive.

Close the tray half way and plug the DVD Drive power cable back into the drive, being VERY
cautious to ensure the plug is the right way around.

Using a Connectivity Kit / Xtractor to power the drive.

The easiest way to do this is to simply use the eject button on your connectivity kit to eject the
drive tray, power off the connectivity kit, push the tray half in and power back on the
connectivity kit.

Ok, now we half the half open tray, we navigate to MTKFlash32 tab if you haven’t already.

Click Intro / DeviceID.

If tray status is correct, drive should return good Flash Chip Properties showing status 0x73,
Drive Properties should show “Drive In Vendor Mode!”.

Page 32 of 89
Once drive is in Vendor Mode, you can proceed with Reading the Drives Firmware.

Page 33 of 89
 BenQ UnLock Stock/ iXtreme 1.1 -> 1.41 / Xtreme Firmware’s Only.
Please note, BenQ-Un-Lock WILL NOT work on drives that have iXtreme 1.5 firmware on them
(please use VCC Trick or Half Open Tray)

Connect your BenQ drive up via sata to your PC, power on, and run JungleFlasher.

You will be presented with the Welcome Screen shown below.

After a few seconds you will be taken to the main application.

Click the MTKFlash32 tab.

Then, select correct I/O Port by verifying PBDS VAD6038 shows in the Drive Properties and
click BenQ UnLock.

Page 34 of 89
 JungleFlasher will send the Magic Keys to unlock the drive and should return this message in
the Running Log. JungleFlasher has also sent the Intro command to the drive.

The drive should be in Vendor Mode (0x73) now and return good flash chip properties, you can
check in the Running Log, Drive Properties or Flash Chip Properties.

Once the drive is in Vendor Mode, you can proceed with Reading the Drives Firmware.

Page 35 of 89
 DeviceID Unlock / Vcc Trick (VIA/Nforce only) Stock + Modified Drives (inc iXtreme 1.5+).

This method has only really been tested on VIA (no drivers, or 530c drivers) and Nforce Chipsets,
although there is no harm in trying on others, this method works on Hacked and Stock Drives.

Load JungleFlasher, and select MTKFlash32 tab.

Then, select correct I/O Port by verifying PBDS VAD6038 shows in the Drive Properties and
click Intro / Device ID.

JungleFlasher will prompt you with instructions.

Page 36 of 89
 Click Yes the Running Log will display something similar to this.

When ……. are appearing, do as previously instructed by JungleFlasher. Power off the drive,
then, within 1 second power it back on.

The drive should be in Vendor Mode (0x73) now and return good flash chip properties, you can
check in the Running Log or Flash Chip Properties, Drive properties should display “Drive in
Vendor Mode!”.

Once drive is in Vendor Mode, you can proceed with Reading the Drives Firmware.

Page 37 of 89
 Reading the Firmware from the drive.
Now, we would like to read the firmware from the drive first, so select read.

Check the Running Log and you will see it reading the firmware from the drive.

Once the firmware has been read JungleFlasher will prompt you to save the firmware. Name it
what you wish and select directory path of your choice and click Save.

Page 38 of 89
 Once saved, JungleFlasher will then prompt you asking if you would like to auto-load iXtreme
for BenQ Drives. You must have installed the JungleFlasher Firmware Pack into the same
directory as JungleFlasher.exe if you wish to benefit from this feature.

Click Yes to auto load iXtreme 1.51 for BenQ into the Target Buffer, JungleFlasher will also load
your previously dumped BenQ-OFW.bin as Source Firmware. Then, copy data from Source to
Target automatically.

Just verify Source data reports as it should, OSIG of VAD 6038 with a key with no multiple
FF/00/77 bytes.

Now, verify unique Source Data matches that in Target Buffer and click save to file if you wish
to backup your Hacked firmware.

Page 39 of 89
 .

You can now save the Target Buffer to file by clicking Save to File.

Page 40 of 89
 Writing Firmware to the drive.
To write the firmware, as long as drive is still unlocked (Vendor Mode) we just click MTKFlash
32 tab.

Verfify you have good flash chip properties still.

Then, click Write.

Write Command, will send Chip Erase prior to writing and then proceed to write the 4 banks of
the firmware (banks 0/1/2/3).

A series of 16 …..’s is JungleFlasher writing the 16 sectors of each bank (4 banks, 0/1/2/3).

Page 41 of 89
After writing all 64 sectors, signaled by 64 dots (16 dots across 4 banks) JungleFlasher will verify
what it wrote by reading back and comparing against the Target Buffer what we really want to
see is Write Verified OK!

Now send an Outro to the drive.

This will release a drive from Vendor Mode and send ATA Reset to the Drive. It then sends an
inquiry command to the drive.

This will save you power cycling the drive and then changing port away and change it back
again, with the click of a button, drive will ‘reset’ itself and JungleFlasher will send an inquiry
command to the drive. If successfully flashed the drive should Inquire correctly and display
drive properties.

Page 42 of 89
 Hitachi GDR-3120L.
Rom Versions 32/36/40/46/47/58/59/78/79.

Overview.
Hitachi drives are completely different in the way and which they are modded. We modify
Hitachis on a sector by sector basis.

JungleFlasher can be used over Windows API or PortIO.

PortIO functionality was added for VIA 6421 Sata users who removed drivers to hack the Lite-
On drives without freezing issues.

To enable PortIO usage, check VIA Ports Only under DVDKey 32 tab.

WinAPI should used where possible, although WinAPI requires the drive to be assigned a drive
letter, this isnt possible with a VIA 6421 with Drivers Removed.

Regardless of option chosen, the Hitachi Drive must still be in ModeB, this is essential to be
assigned a drive letter in Windows, for using WinAPI, but, also vital for PortIO users as most
dump and flash commands require it.

VIA users with no drivers, must either install drivers or utilise PortIO – you will not be
assigned a drive letter in windows with no drivers!!!
To enable PortIO usage, check VIA Ports Only under DVDKey32 tab

• Windows API Users, after setting ModeB, you must wait for hardware changes to be
detected (15 secs) If nothing is detected, click “Refresh”

JungleFlasher uses a unique way of calculating the checksum of the firmware and
JungleFlasher will also take over from the user as soon as possible to prevent user error, its
not necessary to dump the drive to patch the firmware, JungleFlasher will dump before you
try to do anything to the drive.

JungleFlasher also incorporates a “Stability Test” prior to modifying the drive, as safety is
paramount.

Page 43 of 89
 Setting ModeB
Hook up your Hitachi Drive via sata, power it on, then open JungleFlasher and you will be
presented with the welcome screen

Then, click the Hitachi GDR-3120 tab

You will be presented with the dedicated Hitachi tab shown below (or similar to)

Page 44 of 89
Note the Hitachi Drive inquires on my I/O Port and that PortIO is disabled (using non-VIA
chipset)

The drive needs to inquire on I/O port for Raw ModeB Commands to work (this applies to
spoofed drives also)

Once it inquires, Click send ModeB, you will be presented with the following message, its
advised you do as it states as the ModeB button on Connectivity Kit, can cause issues

Page 45 of 89
 Once done, click Ok

The drive should now report as in ModeB

Once ModeB is set, if using WinAPI, JungleFlasher will scan for hardware changes automatically
after 15 seconds

WinAPI users should seen similar to this under the ‘Drive’ section

If not, click Refresh List

JungleFlasher WILL NOT scan for Hardware Changes after setting ModeB for PortIO users.

Instead, the tasks are carried out, as long as the drive Inquires on the I / O Port

Page 46 of 89
 JungleUSB Drivers and USmodeB

JungleUSB is a hacked USB Storage driver that enables windows to see a Mode A drive over
USB, this enables USmodeB command to be sent and the drive.

Installing JungleUSB Driver

First you need to connect the drive to your PC with a Sata-USB Bridge Adapter

Windows will automatically install the device as

USB Mass Storage Device

You will need to update driver and install JungleUSB

Open Device manager and Find USB Mass Storage Device under Universal Serial Bus
Controllers. Right click on it and Update Driver.

Page 47 of 89
 .

Select No, not this time. Then click Next

Select Install from specific location and click Next

Page 48 of 89
Select Don`t search I will choose the driver to install and click Next.

Click Have Disk

Page 49 of 89
Now click Browse and Navigate to JungleUSB.inf which is located in the Manual install
folder Bundled with JungleFlasher. Select it and click Open. Then click OK

Now click next and the Driver should install.

Page 50 of 89
 Click finish and Return to Device manager.

If all went well you should now have JungleUSB 360 Mass Storage Driver listed under
Universal Serial Bus Controllers and HL-DT-ST DVD-ROM GDR3120 USB Device listed under
DVD/CD ROM drives.

Page 51 of 89
Now Start JungleFlasher and select the Hitachi GDR3120 tab, Click The USmodeB button

JungleFlasher will scan for any 360 Hitachi Drives connected via USB and send Mode-b
Command to that drive. The Drive should now be selectable in the drop down box.

Page 52 of 89
 Dumping the Firmware from the drive (Pre v78)
Older ROM Versions of the drive, v32, v36, v40, v46, v47, v58 and v59 are dumped using Classic
Mode, Mode Select, or RAM upload. For the purpose of the tutorial, I’ll use Mode Select

** Dumping the firmware from a Drive Using ‘Classic Mode’ will be fooled by firmware
stealth, this means, it WILL report as stock even though it isnt. **

As the drive is in ModeB already, we simply ensure drive revision matches that of the drive

Select Dump Drive and Mode Select

Page 53 of 89
 Then, click Read to Source

You should see something similar to below

Once firmware is read, JungleFlasher will prompt you to save it.

Page 54 of 89
Upon saving the Firmware from the Drive, you can verify the key appears good and it reports as
GDR 3120 (ROM Ver)

The Running Log should also show this data.

Page 55 of 89
 Dumping the Firmware from the drive (v78 /79)
The newer revisions of the GDR-3120L are a little different.

The v78 or v79 cannot be dumped using Classic Mode or Mode Select, so, instead, we use the
RAM Upload method.

Ensure ModeB is set

V79 ONLY
The Hitachi v79 requires ‘unlocking’ via Audio CD which can be downloaded here

Burn the .bin, using the cue sheet in IMGBurn and write to CD-R

Insert the disc into the Hitachi v79, and click 79 unlock

Page 56 of 89
 JungleFlasher should display a log similar to the one below.

The Drive is now unlocked!

V78 / V79
Now, onto dumping the drive. With the V79 unlocked, or the v78 in ModeB We can now dump
the drive using RAM Upload method

So, click Read to Source

Page 57 of 89
 JungleFlasher will now dump the drive using RAM Upload Method

Once it has read the Firmware it will prompt you to save the Firmware.

Once saved, it will open it as Source in FirmwareTool32.

Page 58 of 89
 Flashing iXtreme to a stock Hitachi Drive
Flashing iXtreme to a Hitachi has taken a huge step in development with JungleFlasher’s
methods.

JungleFlasher WILL NOT allow you to flash iXtreme over iXtreme, it will detect the checksum
and detect its hacked by checksum and force restore first.

Typical error if user tries:

So, onto flashing iXtreme

You will need the JungleFlasher Firmware Pack for this to work.

With the drive in ModeB and Unlocked (v79) simply select Flash iXtreme from the Flashing
Options list

Page 59 of 89
 Then, click Flash Hacked f/w

JungleFlasher will then dump the drive so it can compare sectors that will need to be written.

It will prompt you to save it. It’s heavily advised you do just in case.

Page 60 of 89
 JungleFlasher will seemingly take control, don’t worry, this is normal.

If you view the log, you see that JungleFlasher has automatically loaded iXtreme 1.51, copied all
your data (key sector 90004000 isn’t touched unless using flash keys).into iXtreme, and flashed
a test sector for stability.

The stability test should return as stable, if so, you will see this message.

If you wish to proceed, click Yes

Again, JungleFlasher will take over and you will see it flashing the sectors like below:

Once finished, JungleFlasher will verify the firmware written to the drive and report back

Page 61 of 89
 Restoring from Hacked Firmware
As the title suggests, it is simply a reversal of flashing the Drive with Hacked Firmware. This also
applies to Hitachi Drives Spoofed as other Drive types / Revisions.

Again, JungleFlasher will depend on the JungleFlasher Firmware Pack being in the same
directory as JungleFlasher.exe

With the Drive in ModeB and unlocked (v79) simply select Restore Firmware from the Flashing
Options list

Then, click Restore to Stock

Page 62 of 89
JungleFlasher will dump the Hacked Firmware from the drive, check key location and compare
to the corresponding Original Firmware in the Firmware Pack

JungleFlasher will take control throughout this.

After it has dumped and compared the firmware, It will flash a test sector. If this flashes ok, It
will report it has passed the Stability Test

It should show as below

Page 63 of 89
 Click Yes to proceed

Again, JungleFlasher will take control and flash the sectors required

It will then check the checksum and prompt you to fix the Checksum.

Clicking Ok will fix Checksum for you

Check Log for confirmation

Page 64 of 89
 Spoofing a Hitachi Drive to report as a Different Drive Revision / Version

If you wish to flash a Hitachi Drive using JungleFlasher and change the Drive String ID, you
should follow the procedure of:

• Restore to Stock if necessary (Pg 56)

• Flash iXtreme to the Drive (Pg 53)

• Flash Key Sector (Pg 60)

• Flash Spoof Data (Pg 63)

Flash iXtreme to the drive first before flashing key / spoof data!!

Page 65 of 89
 Flashing Key Sector (90004000)
As usual you will need to first get the Drive into ModeB (v79 unlocked) and assigned a drive
letter (VIA / No Drivers, utilize PortI0)

The drive should, as above, be flashed with iXtreme to start (Page 53)

Open JungleFlasher and proceed to the Hitachi GDR3120L tab

Ensure correct Drive Revision is selected; choose chosen transfer method (Pre78 use Mode
Select or RAM Upload, v78/79 users can only use RAM Upload)

Then, select Flash Key Sector

Page 66 of 89
 Then, click Flash Keys

JungleFlasher will then automatically read the drive and prompt you to save it, its advised
that you do!

Upon saving, JungleFlasher will present you with a Spoof section; note that only the key area is
accessible, this is to prevent you spoofing before flashing Keys.

Here, you can manually load a Key.bin from a previous dump, (Key.bin can be saved by loading donor drives
firmware in FirmwareTool32 as Source and Clicking Save Drive Key.)

You can also manually type it in, but it is advisable that you allow the software do it as typing
errors could result in a bad key.

Page 67 of 89
Simply click Load key.bin and navigate to your desired Key.bin and click Open

Verify key is the one you required and looks unique, then, click OK

Page 68 of 89
Just like Restore/Flash iXtreme, JungleFlasher will flash a test sector and ask if you want to
proceed.

Click Yes to Proceed

JungleFlasher will then Flash Key Sector (Sector 90004000)

Once written it will re-dump Key Sector and verify it has new key set.

Page 69 of 89
 Flashing Spoof Data / Drive String ID (OSIG)

As with all Hitachi Tasks, you must set ModeB first, have a drive letter assigned if using Win API,
or, PortIO for VIA / No Drivers.

Ensure Drive is flashed with iXtreme and correct Key prior to spoofing!
(See Page 53 for Details)

Open JungleFlasher and proceed to the Hitachi GDR3120L tab

Ensure correct Drive Revision is selected; choose chosen transfer method (Pre78 use Mode
Select or RAM Upload, v78/79 users can only use RAM Upload)

Page 70 of 89
Then, select Flash Spoof Data

Then, click Flash ID’s

Page 71 of 89
 JungleFlasher will then automatically read the drive and prompt you to save it, it’s advised
that you do!

Upon saving, JungleFlasher will present you with a Spoof section; note that only the OSIG (Drive
String ID) area is accessible.

Select the Drive Type / OSIG that you want the Hitachi to report as to the console from the drop
down box.

Page 72 of 89
 If choosing to spoof to any other drive apart from Lite-On PLDS DG-16D2S, upon selecting
Spoofed OSIG, simply click ok to Proceed.

If spoofing as a Lite-On PLDS DG-16D2S, upon selecting Spoofed OSIG JungleFlasher will enable
the Lite-On Barcode Section

If you have the Identify.bin from the Donor Lite-On, you can load it through Load Inquiry.bin
button and navigating to the file and opening it.

If you have the Donor Lite-On Drive to hand, you can manually type the Alphanumeric code on
the top of the Drive like shown below

Page 73 of 89
You can manually type this in the box and click Check

This will enable the Ok Button, Click it to Proceed

Page 74 of 89
Upon clicking OK JungleFlasher will Flash a test sector and ask if you wish to Proceed

Click Yes to Proceed

JungleFlasher will then Flash Drive String ID Sector (Sector 9003D000)

Once written it will re-dump Drive String ID Sector and verify it has been changed.

Page 75 of 89
 Appendix
This section is for more advanced users, and the lesser used funtions of
JungleFlasher

Removing VIA drivers (Windows XP)

NOT TO BE DONE IF YOUR MAIN HARD DRIVE IS ON VIA SATA CARD
This is how I done it, it worked fine, may not be 100%

Right Click My Computer, select properties

Click the “Hardware” tab

Page 76 of 89
 Then, click “Device Manager”

Navigate to “SCSI and RAID Controllers” and click the + sign to expand the list

Page 77 of 89
Right Click the VIA 6421 RAID Controller (may report as 3249 if using 550b drivers or above) and
select Disable

Acknowledge the warning by clicking Yes

It should now show as disabled in Device Manager like so:

Now, to remove drivers we must navigate to where viamraid.sys is

Mine were located, and most will be: C :\WINDOWS\system32\drivers\viamraid.sys – once

found, delete this file.

Once deleted, go back to device manager using the same steps outlined above.

Find your disabled VIA 6421 Card, right click and select enable

Page 78 of 89
 It should now show as the image below

If so, reboot your PC

Upon reboot, verify VIA 6421 still has a Yellow Exclamation Mark in Device Manager

You have successfully removed VIA drivers from your machine

Page 79 of 89
 Installing PortIO32
PortIO32 is a driver and library which allows you to do low-level port IO from any programming
language which can use a DLL in Windows

Simply double click PortIO32.exe found in the JungleFlasher package and wait

Look for the confirmation message (image taken from Windows Vista)

If you require .net framework, follow link / instructions here:

http://www.microsoft.com/downloads/details.aspx?familyid=0856eacb-4362-4b0d-8edd-
aab15c5e04f5&displaylang=en

Page 80 of 89
 Save key to file
With the element of risk involved with manually input keys JungleFlasher supports outputting
to key.bin for all drives.

DVDKey32 will create it for BenQ / Lite-On but JungleFlasher also supports dumping key.bin
from source firmware.

To do this, Open Source Firmware in FirmwareTool32 and click Save Drive Key select where
you want to store it and click Save

Load from previous dump files

Found under DVDKey32,

The only real reason you should be using this feature is if you DO NOT have your Original Lite-
On PLDS DG-16D2S but have Key/Inquiry.Identify .bin files

Simply click this, read the warning, if you want to proceed, click Yes, then proceed to load each
file in turn and click OK

This will create Dummy.bin and load it into FirmwareTool32

IF YOU CAN OBTAIN YOUR DATA FROM THE DRIVE ITSELF ITS HIGHLY RECOMMENDED THAT
YOU DO – THIS SHOULD BE USED AS A LAST RESORT ONLY.

Page 81 of 89
 Manual Spoofing
Hopefully the excellent key, OSIG and serial spoofing of FirmwareTool32 should satisfy your
needs, but sometimes you need the manual method for whatever reason.

Located in FirmwareTool32

You need the firmware you wish to Spoof loaded into the target buffer

Once loaded, Click Manual Spoofing

Changing Drive Keys

Here you can manually type a Drive Key – It must be in Hex-Decimal format. It should ONLY
EVER really be used if you have your Drive Key in a text file or email.

If you have a key.bin or ‘Original Firmware’ you can save to key.bin as shown above in the Save
key to file section and use the Load key.bin option

Just click load key.bin and navigate to your key.bin file, select it then it will automatically load it
into the Manual Spoof Window.

Changing Drives OSIG (String ID)

Simply select the drive you want your new drive to report to the console as, from the drop
down list and click OK.

If Changing OSIG to a Lite-On PLDS DG-16D2S this will activate the Lite-On Barcode section of
Manual Spoofing, please see below for instructions.
Page 82 of 89
 Spoofing Lite-On Barcode into Inquiry String
This is for Spoofing a drive in place of a Lite-On manually, once Drive Key is inserted, you will
want to spoof as PLDS DG-16D2S, next you want to load your identify.bin by clicking Load
Inquiry.bin and navigating to Inquiry.bin, upon selecting it, JungleFlasher will load it into the
window, now you can click OK to finish spoofing the firmware.

If you don’t have the Inquiry.bin file, JungleFlasher will let you manually type the barcode
(located on the top of the Lite-On) into the cox, in the format of 17 Alpha-Numberic Characters
followed by 3 spaces. You MUST include the spaces manually.

e.g.

D608CG82690600G2W___

Then, click Ok to finish Spoofing the Firmware

Page 83 of 89
 VIA Ports only & Include Non IDE ports
Found under DVDKey32 tab,

VIA Ports Only

This feature suits those who have quirky onboard Sata Cntrollers ( SIL, JMicron) and a VIA6421
PCI Sata Card.

Checking the box removes all non-via sata ports, this will stop you trying to Inquire / DVDKey a
drive on your non-via SATA/IDE ports. Some chipsets don’t like the Inquiry and will hang the
system.

**NOTE** If you do not actually have any VIA ports, JungleFlasher will itself uncheck the box
and re-enable the non VIA ports

Include non-IDE Ports

This option allows you to scan port for contollers Classed as SCSIAdapter. Some newer chipset
use the Class rather than hdc (aka IDE). However this will also show actual SCSI contoller which
are obviously of no use for flashing. Please avoid this function unless you know what you are
doing.

Page 84 of 89
 LiteOn ‘Serial Fixer’
If you are prompted that serial data is missing in an error similar to this:

To fix proceed, click Yes.

JungleFlasher will then, ask if you wish to repair this data (only possible if you have original
source liteon available).

Click yes to rebuild data.

JungleFlasher will then pop up the Serial Rebuilder Applet

Page 85 of 89
To rebuild the Serial Data you must copy the information from the physical drive itself, into the
boxes in the applet shown.

The data required is located in 4 places:

1. The Drive Chassis / Shell

2. The Hardware Revision of the drive

3. The Laser

4. The PCB of the drive itself

1. The Drive chassis / Shell

Located on the top of the drive, and 17 Characters long

Insert into the cover area on the Serial Rebuilder

2. Hardware Revision
Possibly the easiest of the four, located on the top sticker of the drive and usually
A0A1 or A0A2

Insert this data into the HW Ver section of the Serial Rebuilder
Page 86 of 89
 3. The Laser
Self explanitory, located on the base of the laser.

Insert this into the Laser area of the Serial Rebuilder

4. The PCB of the Drive

You will need to remove the top of the Drive Case to see this data and it is sometimes obscured
by pen.

The Data will start S4P…… It’s the 2nd and 3rd Line you require

Insert this data to the PCB section of the Serial Rebuilder

Once done, click Ok, and save Dummy_fixed.bin when prompted

Page 87 of 89
 Registry Settings
Only really for troubleshooting and debugging and should only be attempted by those
confident enough to play about in the systems registry settings

Click Start, click run, type regedit and press enter

Navigate to HKEY_CURRENT_USER
Click on JungleFlasher

You will see something similar to this:

• Adview - Remembers • DoIO - Enumerates I / O • ScsiPorts - enumerate

whether Advanced View was ports, for debug use only SCSIAdapter IO ports also
selected or not (NON-IDE)
• IOPort - Remembers last IO
• COMPort - Remembers last Port selected, number • Top - Remembers postion of
COM Port selected, number represents position in drop JungleFlasher window (Top
represents position in drop down menu
down menu • ViaPortsOnly - enumerate
• Left - Remembers postion of only Via IO ports, for safety
• DoCom - Enumerates JungleFlasher window (left (Value 1) Lists all if removed
comports, for debug use only hand side) or Value 0

• DoDevID – Will send Intro if • Position –No longer in use,

drive reports as in Vendor was used in .026b release of
Mode JungleFlasher

• DoDrives - Enumerates drive

letters, for debug use only

Page 88 of 89
 JungleFlasher v0.1.55 beta

Thanks to:

Team Jungle

&

The testers for all the hard work!

Page 89 of 89