DosFlash V2.0 Release Date 03.09.

2011
---------------------------------------
- Key extraction task "LiteOn Key V3 (Tarablinda)" now supports the Slim firmware
versions 9504, 0272, 0225,
0401, 1071 and also tries to discover the key on unknown firmware versions
- 2 new tasks added named "Lock SPI Flash" and "Unlock SPI Flash"
The new unlock SPI flash task is used in combination with Geremia's MXIC and
Winbond Unlock method.
It is very much influenced by Geremia's unlockSPI program, which was the first
bruter to unlock Winbond SPI
flashes. To relock the flash after you have finished writing a patched firmware
to it, use the lock SPI flash
task. This will instantly make the SPI flash write protected for all blocks. BP0,
BP1 and SRP status bits are
activated afterward, so handle this function with care!
- Read Flash task now can create a full firmware dump of the Slim firmware versions
9504, 0272, 0225, 0401 and 1071
To create full firmware dumps of 0225 drives and above you should get a
compatible SATA2 controller and set
it to IDE mode. In addition you should be able to do Geremia's MXIC or Winbond
unlock method. The compatible
SATA2 controller is needed to unlock the MTK. Any installed drivers should be
uninstalled, because they will
switch the controller back to AHCI mode. In combination with the SPI flash status
register unlock you are able
to write to the firmware and inject Geremia's 8051 trojan, which can then dump
the complete firmware. A risk
level is added to show you how risky it is for your individual flash chip and
firmware combination to write
the patched firmware to obtain a full dump.
- Possibility during "Read Flash" task to write firmware sector 3E of Slim drives
with unknown firmware version
This feature should be useful if new, unknown Slim firmware versions get out. If
you write the patched 3E sector
to a new and unknown firmware version this could potentially kill your drive. So
handle it with care!
- Portio.sys reimplemented as separate driver for DosFlash32 and DosFlash64
The driver files portio32.sys and portio64.sys are again separated from the
executable file. This way the
user has the possibility to sign the drivers on his x64 system with the Driver
Signature Enforcement Overrider.
- SATA and IDE adapter list updated

Geremia's Tarablinda method on LiteOn PLDS DG-16D4S with other firmware than 9504
and DosFlash32/64
-----------------------------------------------------------------------------------
------------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- make sure the drivers for the SATA2 controller are uninstalled
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it
on yet
- power up PC and boot into Windows
- turn on the LiteOn psu
- run DosFlash32/64
- the drive and flash chip should identify properly
- choose the task "LiteOn Key V3 (Tarablinda)"
- press "LiteOn Key V3" button
- choose a destination directory for the extracted files
- after this DosFlash32/64 displays your DVD-Key and saves your key and identify
data
- then DosFlash32/64 displays the following message:
There seems to be a LiteOn Slim drive connected as Master
to port 0xA000.
You should try SATA2 MTK unlock method.
- Use a compatible SATA2 controller set to IDE mode
- Repower the drive which is connected to the SATA 2 controller
- Press "Yes" if you are ready
Are you ready?
- do the above and press "Yes"
- this repower is used to get DosFlash32/64 back to a known MTK state

Geremia's Tarablinda method on LiteOn PLDS DG-16D4S with other firmware than 9504
and DosFlash16
-----------------------------------------------------------------------------------
---------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it
on yet
- power up PC and boot into Ms-DOS 6.22
- turn on the LiteOn psu
- run DosFlash16 in auto mode
- the drive and flash chip should identify properly
- choose your drive number
- as task choose "LITEON K"
- as extraction method choose "V3"
- choose a destination directory for the extracted files
- after this DosFlash16 displays your DVD-Key and saves your key and identify data

Unlock flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and
DosFlash32/64
-----------------------------------------------------------------------------------
---
- connect your Slim drive to a SATA2 controller set to IDE mode
- make sure the drivers for the SATA2 controller are uninstalled
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it
on yet
- power up PC and boot into Windows
- turn on the LiteOn psu
- run DosFlash32/64
- the drive and flash chip should identify properly
- choose the task "Unlock SPI Flash"
- press "Unlock SPI Flash" button
- you will hear a test sound from the PC speaker and the following message is
displayed:
The sound that just played was a test. You will hear the
same sound if unlocking is successful later on. If you
have not heard a sound, you should skip the unlock and
check your PC speaker.
Unlocking the SPI flash requires you to use Geremia's MXIC
or Winbond Unlock method. Proceed like follows:
- Press "Yes" if you are ready
- Start Geremia's MXIC / Winbond Unlock
- Stop if you hear the sound
 Are you ready?
(Press ESC key to abort!)
- press "Yes"
- start MXIC or Winbond dremel unlock
- stop if you hear the test sound again
- the SPI flash should now be successfully unlocked

Unlock flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash16
-----------------------------------------------------------------------------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it
on yet
- power up PC and boot into MS-DOS 6.22
- turn on the LiteOn psu
- run DosFlash16 in auto mode
- the drive and flash chip should identify properly
- choose your drive number
- as task choose "U" for "Unlock SPI Flash"
- you will hear a test sound from the PC speaker and the following message is
displayed:
The sound that just played was a test. You will hear the
same sound if unlocking is successful later on. If you
have not heard a sound, you should skip the unlock and
check your PC speaker.
Unlocking the SPI flash requires you to use Geremia's MXIC or Winbond Unlock
method. Proceed like follows:
- Press "Yes" if you are ready
- Start Geremia's MXIC / Winbond Unlock
- Stop if you hear the sound
Are you ready?
(Press ESC key to abort!)
- confirm with 'Y' for "Yes"
- start MXIC or Winbond dremel unlock
- stop if you hear the test sound again
- the SPI flash should now be successfully unlocked

Read flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash32/64
-----------------------------------------------------------------------------------
-
- you should have unlocked the SPI flash prior to reading the flash, otherwise the
following steps will not work
- connect your Slim drive to a SATA2 controller set to IDE mode
- make sure the drivers for the SATA2 controller are uninstalled
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it
on yet
- power up PC and boot into Windows
- turn on the LiteOn psu
- run DosFlash32/64
- the drive and flash chip should identify properly
- choose the task "Read Flash"
- press "Read Flash" button
- enter the name of your flash firmware output file e.g. fulldump.bin
- you read the following (the displayed checksum and risk level can vary):
Risk Level: Minimal! Winbond SPI flash with empty 3D3E sectors.
Firmware sectors 0x3D000 and 0x3E000 match known checksum
0xFFFFF800.
Do you want to write firmware with patched code to be able to read
 the firmware?
- press "Yes"
- then DosFlash32/64 displays the following message:
There seems to be a LiteOn Slim drive connected as Master
to port 0xA000.
You should try SATA2 MTK unlock method.
- Use a compatible SATA2 controller set to IDE mode
- Repower the drive which is connected to the SATA 2 controller
- Press "Yes" if you are ready
Are you ready?
- do the above and press "Yes"
- after this DosFlash32/64 saves your firmware dump and displays the above message
again, repower
the drive again and press "OK"
- the last repower is used to get DosFlash32/64 back to a known MTK state

Read flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash16
---------------------------------------------------------------------------------
- you should have unlocked the SPI flash prior to reading the flash, otherwise the
following steps will not work
- connect your Slim drive to a SATA2 controller set to IDE mode
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it
on yet
- power up PC and boot into MS-DOS 6.22
- turn on the LiteOn psu
- run DosFlash16 in auto mode
- the drive and flash chip should identify properly
- choose your drive number
- as task choose "R" for "Read Flash"
- enter the name of your flash firmware output file e.g. fulldump.bin
- you read the following (the displayed checksum and risk level can vary):
Risk Level: Minimal! Winbond SPI flash with empty 3D3E sectors.
Firmware sectors 0x3D000 and 0x3E000 match known checksum 0xFFFFF800.
Do you want to write firmware with patched code to be able to read
the firmware (Y/N)?
- confirm with 'Y' for "Yes" and press Enter
- then DosFlash16 displays the following message:
There seems to be a LiteOn Slim drive connected as Master to port 0xA000.
You should try SATA2 MTK unlock method.
- Use a compatible SATA2 controller set to IDE mode
- Repower the drive which is connected to the SATA 2 controller
- Press "Yes" if you are ready
Are you ready (Y/N)?
- do the above and press 'Y' for "Yes"
- after this DosFlash16 saves your firmware dump

Lock flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash32/64
-----------------------------------------------------------------------------------
-
- connect your Slim drive to a SATA2 controller set to IDE mode
- make sure the drivers for the SATA2 controller are uninstalled
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it
on yet
- power up PC and boot into Windows
- turn on the LiteOn psu
- run DosFlash32/64
- the drive and flash chip should identify properly
- choose the task "Lock SPI Flash"
- press "Lock SPI Flash" button
- read the displayed warning carefully, because locking the flash is very risky
- press "Yes"
- the SPI flash should now be successfully locked

Lock flash on LiteOn PLDS DG-16D4S with other firmware than 9504 and DosFlash16
---------------------------------------------------------------------------------
- connect your Slim drive to a SATA2 controller set to IDE mode
- connect a separate power supply unit to the LiteOn PLDS DG-16D4S, don't turn it
on yet
- power up PC and boot into MS-DOS 6.22
- turn on the LiteOn psu
- run DosFlash16 in auto mode
- the drive and flash chip should identify properly
- choose your drive number
- as task choose "L" for "Lock SPI Flash"
- read the displayed warning carefully, because locking the flash is very risky
- confirm with 'Y' for "Yes"
- the SPI flash should now be successfully locked

DosFlash16 Manual Mode Examples for LiteOn Slim 0225

------------------------------------------------------
- Extract drive key on a "PLDS DG-16D4S 0225"
DOSFLASH LITEON K V3 1010 A0

- Unlock SPI Flash on a "PLDS DG-16D4S 0225"

DOSFLASH U 1010 1 A0 3 0

- Read firmware on a "PLDS DG-16D4S 0225"

DOSFLASH R 1010 1 A0 3 0 4 FWOUT.BIN 0

- Write firmware on a "PLDS DG-16D4S 0225"

DOSFLASH W 1010 1 A0 3 0 4 FWIN.BIN 0

- Erase firmware on a "PLDS DG-16D4S 0225"

DOSFLASH E 1010 1 A0 3 0 4 C7 0

- Lock SPI Flash on a "PLDS DG-16D4S 0225"

DOSFLASH L 1010 1 A0 3 0

Excellent work on the MXIC / Winbond unlock by Geremia and Maximus.

As the Duke would say: Hail to the kings baby!
Kai Schtrom

***********************************************************************************
*************

DosFlash V1.9 Release Date 01.01.2011

---------------------------------------
- SATA and IDE port scan improved in DOS and Windows
The ports are now enumerated with the CONFIG_ADDRESS and CONFIG_DATA register
instead of using interrupts
in DOS and SetupDixx functions in Windows. This change will detect more ports in
Windows than the old
 SetupDixx method.
- Settings saved to ini file for DosFlash32 and DosFlash64
Settings like Port, Position, Task, COM Port, Enable Drives and DvdKey state are
now saved to an ini file
inside the program folder. If the ini file is not present it is created after the
first run. On the first
startup DosFlash will choose the most common and stable settings.
- EnableDrives option included in dialog as a check box
Due to high demand we removed the "Enabling CD-/DVD-ROMs" MessageBox on program
termination and included
a check box "Enable Drives" inside the dialog. For security and more stability
this is deactivated on the
first run. If you enable it the checked state is saved to the ini file.
- enabling drives in Windows caused some hangs from time to time, this is now fixed
by a recoded enable
drives function
- port drivers portio32.sys and portio64.sys are now added to the executable and
unpacked during runtime
- PATA and SATA controllers list updated
- Fix for NForce motherboards in combination with drives like the "Samsung SH-
D163C", "LG DH18NS40" or
"LiteOn iHDS118"
Some drives have problems with flash identify, read, write and erase. This is
clearly related to the
NVidia NForce chipset. For manual mode in DosFlash16 an additional command line
parameter is added called
"NFORCE FIX". This parameter should be set to 1 for NForce chipsets if you
experience strange problems.
In DosFlash32 and DosFlash64 we added a static control which shows if the NForce
Fix is applied or not.
Remember there is no need to activate this with every drive. It seems to be a
combination between drive
and NForce chipset that causes the problem. The fix is automatically applied for
DosFlash16 in auto mode,
DosFlash32 and DosFlash64.
- DosFlash32 and DosFlash64 are now DPI Aware for Windows7
- New task Verfiy Key/Inject Key added for verification/injection of drive keys
All DosFlash versions now have the possibility to validate drive keys against an
XBOX360 drive and set
the key for an XBOX360 drive. We use the same authentication method like the
console to verify a key.
In the Windows versions you have the choice to paste the drive key from the
clipboard to our custom hex
edit control or load a key file. To add a key simply click right inside the hex
edit control and select
your choice from the shortcut menu. In DosFlash16 you can enter the key in the
format "1A-2B-3C" without
quotes. Remember that a key has 16 bytes of data. The key file to import should
also have 16 bytes of data
like the key files exported by LiteOn Key functions.
- Removed multiple key extractions for LiteOn Key functions, added Verify Key after
extraction
For LiteOn Key functions we removed the multiple extractions, because the key is
now verified immediately
against the XBOX360 drive.
- LiteOn Key V1 and V2 now also extract the file Serial.bin and the 2nd inquiry
file Inquiry2.bin
We added the file Serial.bin and Inquiry2.bin to LiteOn Key functions.
Inquiry2.bin is only generated for
 LiteOn drives V1 and V2.
- The drive key of Maximus patched UART drives can be extracted by using the task
"LiteOn Key V1 (DvdKey)"
The drive check has been removed from LiteOn Key functions. This way we can
extract a key from an UART
patched drive firmware by Maximus.
- LiteOn files are now extracted to a destination folder instead of prompting the
user for every file name.
- LiteOn key extraction tasks separated per drive version in "LiteOn Key V1
(DvdKey)", "LiteOn Key V2 (FreeKey)"
and "LiteOn Key V3 (Tarablinda)"
- In DosFlash32 and DosFlash64 the number of installed COM ports in the system are
now enumerated instead of
adding port 1 to 4
- For failing cdb commands the sense code is returned
- Geremia's Tarablinda functionality added
We added all Tarablinda tasks to every DosFlash version. You can extract the key
by choosing the task
"LiteOn Key V3 (Tarablinda)". For read, write and erase of the flash simply use
the standard functions.
Pay attention that the "LiteOn Erase V1/V2" task is only available for older
LiteOns and not for the Slim.
You should use "Read Flash", "Write Flash" and "Erase Flash" for the Slim.
"LiteOn Key V3 (Tarablinda)"
extracts 1 additional file in comparison to Tarablinda v04b, this file is called
Xtram.bin and contains
a dump of the XTRAM8000 area. This can differ in a few bytes from one dump to the
next.
- Device Reset in DosFlash16 manual mode is now done automatically, there is no
option to turn it off anymore
- Code optimization to work with modern SATA2 controllers added, remember to set
SATA controllers to IDE and
not AHCI mode otherwise Port I/O will not work
- Warning: The read, write and erase of the Slim drive is considered risky in
general! So pay attention and
always remember you use DosFlash on your own risk every time! Even during flash
read the Slim gets flashed
with a patched firmware sector to retrieve the complete dump!
- We had to change many command line arguments for DosFlash16 Manual Mode, because
of the NForce Fix, added
Tarablinda support and splitting of LiteOn Key functions. To get a better
understanding we added the example
section below.

DosFlash16 Manual Mode Examples

---------------------------------
- Extract drive key on a "PLDS DG-16D2S 74850C" over UART -> "LiteOn Key V1
(DvdKey)"
DOSFLASH LITEON K V1 0970 A0 1

- Extract drive key on a "PLDS DG-16D2S 83850C" over SATA -> "LiteOn Key V2
(FreeKey)"
DOSFLASH LITEON K V2 0970 A0

- Extract drive key on a "PLDS DG-16D4S 9504" over SATA -> "LiteOn Key V3
(Tarablinda)"
DOSFLASH LITEON K V3 0970 A0
- Read firmware on a "PLDS DG-16D4S 9504" -> "Read Flash" this is considered risky!
DOSFLASH R 0970 1 A0 3 0 4 FWOUT.BIN 0

- Write firmware on a "PLDS DG-16D4S 9504" -> "Write Flash" this is considered
risky!
DOSFLASH W 0970 1 A0 3 0 4 FWIN.BIN 0

- Erase firmware on a "PLDS DG-16D4S 9504" -> "Erase Flash" this is considered
risky!
DOSFLASH E 0970 1 A0 3 0 4 C7 0

- Erase firmware on a "PLDS DG-16D2S 74850C" or a "PLDS DG-16D2S 83850C" -> "LiteOn
Erase V1/V2"
DOSFLASH LITEON E 0970 A0

- Read firmware on a "Samsung SH-D163C", "LG DH18NS40" or "LiteOn iHDS118" and a

NForce motherboard -> "Read Flash"
DOSFLASH R 0970 1 A0 2 0 4 FWOUT.BIN 1

- Write firmware on a "Samsung SH-D163C", "LG DH18NS40" or "LiteOn iHDS118" and a

NForce motherboard -> "Write Flash"
DOSFLASH W 0970 1 A0 2 0 4 FWIN.BIN 1

- Erase firmware on a "Samsung SH-D163C", "LG DH18NS40" or "LiteOn iHDS118" and a

NForce motherboard -> "Erase Flash"
DOSFLASH E 0970 1 A0 2 0 4 C7 1

- Verify drive key on a XBOX360 drive, enter the drive key manual
DOSFLASH V 0970 A0 12-34-56-78-90-AB-CD-EF-12-34-56-78-90-AB-CD-EF

- Verify drive key on a XBOX360 drive, load a drive key file

DOSFLASH V 0970 A0 KEY.BIN

- Inject drive key on a XBOX360 drive, enter the drive key manual
DOSFLASH I 0970 A0 12-34-56-78-90-AB-CD-EF-12-34-56-78-90-AB-CD-EF

- Inject drive key on a XBOX360 drive, load a drive key file

DOSFLASH I 0970 A0 KEY.BIN

For DosFlash drives on which we can extract the key via UART are considered V1.
Drives we get the key over
SATA are considered V2. The new Slim is considered V3 but only firmware version
9504 is supported atm.

Many thanks to Geremia, Modfreakz, Redline99 and Tiros for their support. Special
thanks to Geremia and
Modfreakz for drive sponsoring, testing, coding and much more. It is always a
pleasure to work with you
professional guys! Respect to Maximus for his UART enable patch. I'm looking
forward to your magic Lizard
hardware flasher!

Happy new year 2011!

Kai Schtrom

***********************************************************************************
*************
DosFlash V1.8 Release Date 08.08.2009
---------------------------------------
- now supports LiteOn PLDS DG-16D2S 83850C V2 Geremia/Maximus LiteOn FreeKey method
- huge firmware read/write speed increase, especially if run from a floppy disk
- updated IDE/SATA motherboard chipset list
- new IDE/SATA detection for Windows and DOS
- DosFlash.typ embedded in executable file
- LiteOn V1 drive key is now extracted 10 times and compared against each other,
after the extraction a summary is displayed sorted by the most common matches
- LiteOn V2 drive key is extracted 2 times and compared
- new BenQ unlock keys added to unlock all known BenQ drive firmwares
- command line parameter "EnableDrives" removed, DosFlash asks the user on
application close if he wants to enable the drives or not, during the tests it
seems that IDE drives have problems with the enable, SATA drives seem to
work fine
- new 64-bit DosFlash edition added called DosFlash64, because some driver
functions don't work as expected in the 32 bit compatibility mode on Windows x64
- Beta state removed
- ready and tested on Windows7 X86 and x64

Geremia/Maximus FreeKey method with DosFlash16

------------------------------------------------
We have added one cmd line parameter for DosFlash16 in manual mode. The COM port
is simply ignored and can have any value for the V2 drives.
Use the following command line to extract your free key from 83850C:
- DosFlash LITEON K 0970 1 inquiry.bin identify.bin key.bin dummy.bin enckey.bin

Tips for running DosFlash on Windows 7

----------------------------------------

Since Windows Vista 64 Bit and upwards it is necessary that every driver is signed.
Because
the DosFlash driver will not be signed by MS due to some unknown reason we need to
circumvent
this check. You have the following 2 possibilities to do this.

Safe Way of Disabling Driver Signature Enforcement

1) On Windows 7 bootup press F8 to get to the extended boot options screen
2) Choose "Disable Driver Signature Enforcement"
3) To start DosFlash right click on it in Windows Explorer and choose
"Run as administrator" > answer the message box with "Yes"
4) Short after the program started a "Program Compatibility Assistant" warning
message
is displayed, you can simply ignore this by pressing the "Close" button

Recommended Way of Disabling Driver Signature Enforcement

1) Disable User Account Control (UAC)
- go to "Start Menu" > "Control Panel" > "User Accounts and Family Safety" >
"User Accounts"
- click on "Change User Account Control settings"
- set the slider bar to the lowest value (Never notify) > click "OK"
2) Sign the DosFlash driver
- download the "Driver Signature Enforcement Overrider" (DSEO) from
http://www.ngohq.com/home.php?page=dseo
- start DSEO > click "Next" > "Yes" > choose "Sign a System File" > "Next" >
enter the path to
 the used driver (portio32.sys or portio64.sys) > "OK" > "OK"
3) Disable Driver Signature Enforcement
- start DSEO > click "Next" > "Yes" > choose "Enable Test Mode" > "Next" > "OK"
4) Restart the computer

Keep in mind that with the recommended way the changes will have effect on every
reboot without
doing anything manual. The first way needs to be done over and over again. In
addition the second
way can be used to sign every driver that doesn't run natively on Windows 7.

For use of the VIA Cards in Windows 7 it is recommended to uninstall the VIA
driver. This can be
done like follows:
- start "Device Manager" > expand "Storage controllers" > right click on "VIA RAID
Controller" >
choose "Uninstall" > "OK"
- rename C:\Windows\inf\vsmraid.inf to vsmraid.inf_
- rename C:\Windows\inf\vsmraid.PNF to vsmraid.PNF_
- rename C:\Windows\System32\drivers\vsmraid.sys to vsmraid.sys_
- reboot computer

Much respect and credits go to Geremia and Maximus for their money saving FreeKey
app
and their lightning like decryption speed!

In Dedication To The Birth Of FreeKey On August Fifth 2009

Kai Schtrom

***********************************************************************************
*************

DosFlash and DosFlash32 V1.7 Beta Release Date 23.12.2008

-----------------------------------------------------------
- now supports LiteOn PLDS DG-16D2S 74850C and Geremia's LiteOn Erase and DvdKey
method

The following only applies to the new XBox360 LiteOn drive PLDS DG-16D2S 74850C.

Geremia's DvdKey method with DosFlash16 with the PC's psu

-----------------------------------------------------------
- disable CD-ROM boot option in BIOS
- connect LiteOn to your PC's power supply unit and SATA port
- power up PC, wait until bootup is finished
- eject tray of the LiteOn and shutdown PC completely
- push the LiteOn tray half in
- power up PC and boot into DOS
- run DosFlash16 in auto mode
- if you read the following:
MTK Vendor Intro failed on port 0x????.
If you choose to resend the command you should turn the drive off and on
after you pressed "Yes".
Do you want to resend the command until the drive responds (Y/N)?
- press 'N' for "No"
- choose the number of your LiteOn ATAPI drive
- enter "LITEON K" to read the drive key
- type the names of inquiry.bin, identify.bin, key.bin and dummy.bin output files
- enter the number of the COM port
- if you read the following:
To receive the drive key use Geremia's DvdKey method like follows:
- Connect your drive with a serial cable to the COM port
- Eject drive tray
- Power off drive
- Push drive tray in until it is half open
- Power on drive
- Press "Yes" if you are ready
Are you ready (Y/N)?
- simply press 'Yes' without doing anything of the above, because we
already did that before
- after this DosFlash16 displays your DVD-Key and saves your key and identify data
- to do the above steps in manual mode use the following command line if your drive
is connected to port 0x0970 and serial cable is on COM port 1
DosFlash LITEON K 0970 1 inquiry.bin identify.bin key.bin dummy.bin

Geremia's DvdKey method with DosFlash16 and 2nd psu

-----------------------------------------------------
- connect a separate power supply unit to the LiteOn, don't turn it on yet
- power up PC and boot into DOS
- turn on the LiteOn psu
- run DosFlash16 in auto mode
- if you read the following:
MTK Vendor Intro failed on port 0x????.
If you choose to resend the command you should turn the drive off and on
after you pressed "Yes".
Do you want to resend the command until the drive responds (Y/N)?
- press 'N' for "No"
- choose the number of your LiteOn ATAPI drive
- enter "LITEON K" to read the drive key
- type the names of inquiry.bin, identify.bin, key.bin and dummy.bin output files
- enter the number of the COM port
- if you read the following:
To receive the drive key use Geremia's DvdKey method like follows:
- Connect your drive with a serial cable to the COM port
- Eject drive tray
- Power off drive
- Push drive tray in until it is half open
- Power on drive
- Press "Yes" if you are ready
Are you ready (Y/N)?
- do the above and press 'Yes'
- after this DosFlash16 displays your DVD-Key and saves your key and identify data

Geremia's LiteOn Erase method with DosFlash16 and 2nd psu

-----------------------------------------------------------
- connect a separate power supply unit to the LiteOn, don't turn it on yet
- power up PC and boot into DOS
- turn on the LiteOn psu
- run DosFlash16 in auto mode
- if you read the following:
MTK Vendor Intro failed on port 0x????.
If you choose to resend the command you should turn the drive off and on
 after you pressed "Yes".
Do you want to resend the command until the drive responds (Y/N)?
- press 'N' for "No"
- choose the number of your LiteOn ATAPI drive
- Warning!!! Keep in mind that you will need the drive key before you erase the
flash,
without the drive key your XBox360 will not work anymore
- enter "LITEON E" to erase the flash
- the first time after the LiteOn Erase the drive needs to be repowered to give
flash chip access, this can be achieved by repowering the drive before another
DosFlash16 start in auto mode or by doing a MTK Vendor Intro Power Brute
- in my tests it did not work to power the drive with the PC's psu, because it will
always respond with busy status
- DosFlash16 can now read, write and erase the flash chip like usual
- to do the above steps in manual mode use the following command line if your drive
is connected to port 0x0970
DosFlash LITEON E 0970

Geremia's DvdKey method with DosFlash32 with the PC's psu

-----------------------------------------------------------
- disable CD-ROM boot option in BIOS
- connect LiteOn to your PC's power supply unit and SATA port
- power up PC, wait until bootup is finished
- eject tray of the LiteOn and shutdown PC completely
- push the LiteOn tray half in
- power up PC and boot into Windows
- run DosFlash32
- if you read the following:
MTK Vendor Intro failed on port 0x????.
If you choose to resend the command you should turn the drive off and on
after you pressed "Yes".
Do you want to resend the command until the drive responds?
- press 'No'
- choose "LiteOn DvdKey" as flashing task
- choose the COM port number
- press on "LiteOn DvdKey" button
- enter the names of inquiry.bin, identify.bin, key.bin and dummy.bin output files
- if you read the following:
To receive the drive key use Geremia's DvdKey method like follows:
- Connect your drive with a serial cable to the COM port
- Eject drive tray
- Power off drive
- Push drive tray in until it is half open
- Power on drive
- Press "Yes" if you are ready
Are you ready?
- simply press 'Yes' without doing anything of the above, because we
already did that before
- after this DosFlash32 displays your DVD-Key and saves your key and identify data

Geremia's DvdKey method with DosFlash32 and 2nd psu

-----------------------------------------------------
- connect a separate power supply unit to the LiteOn, don't turn it on yet
- power up PC and boot into Windows
- turn on the LiteOn psu
- run DosFlash32
- if you read the following:
 MTK Vendor Intro failed on port 0x????.
If you choose to resend the command you should turn the drive off and on
after you pressed "Yes".
Do you want to resend the command until the drive responds?
- press 'No'
- choose "LiteOn DvdKey" as flashing task
- choose the COM port number
- press on "LiteOn DvdKey" button
- enter the names of inquiry.bin, identify.bin, key.bin and dummy.bin output files
- if you read the following:
To receive the drive key use Geremia's DvdKey method like follows:
- Connect your drive with a serial cable to the COM port
- Eject drive tray
- Power off drive
- Push drive tray in until it is half open
- Power on drive
- Press "Yes" if you are ready
Are you ready?
- do the above and press 'Yes'
- after this DosFlash32 displays your DVD-Key and saves your key and identify data

Geremia's LiteOn Erase method with DosFlash32 and 2nd psu

-----------------------------------------------------------
- connect a separate power supply unit to the LiteOn, don't turn it on yet
- power up PC and boot into Windows
- turn on the LiteOn psu
- run DosFlash32
- if you read the following:
MTK Vendor Intro failed on port 0x????.
If you choose to resend the command you should turn the drive off and on
after you pressed "Yes".
Do you want to resend the command until the drive responds?
- press 'No'
- the LiteOn flash is not identified
- choose "LiteOn Erase" as flashing task
- Warning!!! Keep in mind that you will need the drive key before you erase the
flash,
without the drive key your XBox360 will not work anymore
- press on "LiteOn Erase" button
- the first time after the LiteOn Erase the drive needs to be repowered to give
flash chip access, this can be achieved by repowering the drive before another
DosFlash32 start or by doing a MTK Vendor Intro Power Brute
- in my tests it did not work to power the drive with the PC's psu, because it will
always respond with busy status
- DosFlash32 can now read, write and erase the flash chip like usual

Respect to Geremia, Modfreakz, Podger, Redline99 and Tiros.

Like a wise man said: "0x2E is the MTK Intro of Death"

Kai Schtrom

***********************************************************************************
*************

DosFlash and DosFlash32 V1.6 Beta

-----------------------------------
- fixed power brute unlock bug for VIA cards, this can stop your VIA from working
with the power brute unlocking in Version 1.5
- for DosFlash16 in auto mode on DOS my VIA card works best if I do a cold boot
and power up the drive short before or with the PC
- for DosFlash32 on Windows my VIA card works best if I power up the drive short
before starting DosFlash32
- for me the VIA works with internal and external connectors on DOS and Windows

Sorry for the trouble!

Kai Schtrom

***********************************************************************************
*************

DosFlash and DosFlash32 V1.5 Beta

-----------------------------------
- now supports serial flash chip MT1309E with mediatek status 0x72 like the SH-
D163B, SH-D162D,
Asus DVD-E616A3, Asus DVD-E818A3, Sony Optiarc DDU1671S
- SST25LF020A and SST25LF040A chip support added
- DosFlash32.exe ported from MFC to plain Windows API, exe size is now 22 KB
- new port i/o driver, because giveio.sys can't be compiled for 64 Bit Windows
- DosFlash16 changed slighly in manual mode, one parameter is added to support
SST25LF020A and
SST25LF040A
- two new methods of BenQ soft unlock are now possible on all motherboards with
only one power
supply unit
- 1st method is powered by Geremia's unlock core, thanks for the complete idea,
concept and
source to Geremia
- 2nd method is the Magic28 key send, this only works on BenQ VAD6038 firmware,
thanks to
c4eva and podger for the initial idea
- the two unlock methods are send one after the other if the drive is a possible
unlock
candidate, first the Magic28 command, then Geremia's unlock commands and after
that the
already known power brute unlock is send to the drive, you can cancel any of
these methods
before they are send to the target, this only applies to BenQ drives with a
locked flash
- DosFlash.typ updated
- other minor improvements
- DosFlash32 is now ready for
- Windows 2000
- Windows XP 32 Bit
- Windows XP 64 Bit
- Windows Server 2003 32 Bit
- Windows Server 2003 64 Bit
- Windows Vista 32 Bit
- Windows Vista 64 Bit
- Warning: Drivers for Windows Vista 64 Bit need to be signed, because we can't
afford the
money to let portio64.sys sign you need to do the following:
1) Log on as Administrator
 2) Enter the following command in a Dos-Box:
"bcdedit -set loadoptions DDISABLE_INTEGRITY_CHECKS"
(we made sure there are no typos in the line above) :)
3) Press enter and reboot your PC
4) Press F8 key upon initial system boot up
5) Choose to disable forced driver signing enforcement for that boot session

The following only applies to drives with a locked BenQ flash.

Geremia's BenQ unlock with DosFlash16 / DosFlash32 on any motherboard with the PC's
psu
-----------------------------------------------------------------------------------
------
- disable CD-ROM boot option in BIOS
- connect BenQ to your PC's power supply unit and SATA port
- power up PC, wait until bootup is finished
- eject tray of the BenQ and shutdown PC completely
- push the BenQ tray half in
- power up PC and boot into DOS for DosFlash16 or Windows for DosFlash32
- run DosFlash16 in auto mode for DOS or DosFlash32 for Windows
- if you read the following:
MTK Vendor Intro failed on port 0x????. Because there seems
to be a BenQ drive connected you should try Geremia's
unlock method.
- Eject drive tray
- Power off drive
- Push drive tray in until it is half open
- Power on drive
- Press "Yes" if you are ready
Are you ready (Y/N)?
- simply press 'Yes' without doing anything of the above, because we
already did that before starting DosFlash16 / DosFlash32
- the BenQ flash should now be identified
- go on like usual

Geremia's BenQ unlock with DosFlash16 / DosFlash32 on any motherboard with 2nd psu
-----------------------------------------------------------------------------------
-
- connect a separate power supply unit to the BenQ, don't turn it on yet
- power up PC and boot into DOS
- run DosFlash16 in auto mode for DOS or DosFlash32 for Windows
- if you read the following:
MTK Vendor Intro failed on port 0x????. Because there seems
to be a BenQ drive connected you should try Geremia's
unlock method.
- Eject drive tray
- Power off drive
- Push drive tray in until it is half open
- Power on drive
- Press "Yes" if you are ready
Are you ready (Y/N)?
- do the above and press 'Yes'
- the BenQ flash should now be identified
- go on like usual
Magic28 BenQ unlock with DosFlash16 / DosFlash32 on any motherboard
---------------------------------------------------------------------
- connect BenQ to your PC's power supply unit and SATA port
- power up PC and boot into DOS for DosFlash16 or Windows for DosFlash32
- run DosFlash16 in auto mode for DOS or DosFlash32 for Windows
- if you read the following:
MTK Vendor Intro failed on port 0x????. Because there seems
to be a BenQ VAD6038 drive connected you should try the
Magic28 unlock method.
Do you want to send the Magic28 command?
- press 'Yes'
- the BenQ flash should now be identified
- go on like usual

Thanks to Redline99 and Tiros for help and support.

It's all about DOS!

Thanks guys for the excellent team work!
Geremia, Modfreakz and Kai Schtrom

***********************************************************************************
*************

DosFlash and DosFlash32 V1.4 Beta

-----------------------------------
- DROM6316 flashing support
- a flash erase is now always done with a chip erase and not a sector erase
command, because
the sector erase gives problems for some Winbond flash chips including the
DROM6316
- DosFlash.typ corrected and updated
- for a detailed explanation on the soft unlock look at the included file
SoftUnlockByIriez.txt,
it contains a very good explanation by Iriez from XBS, thanks for that one!

Thanks to Iriez, Jumba, Redline99 and Tiros for help and support.

Happy DROM bricking!

Team Modfreakz and Kai Schtrom

***********************************************************************************
*************

DosFlash and DosFlash32 V1.3 Beta

-----------------------------------
- BenQ optimization in unlocking the flash chip, it should now be possible to
read/write/erase
the flash without any soldering or wire tricks, the drive is polled for the
correct mtk
unlocking status after power on, this only works for VIA cards and NForce boards
atm
- DosFlash32 has one additional parameter, if you start it with the parameter
"EnableDrives"
all the DVD-ROMs are enabled in device manager after flashing, this could give
BSOD on some
systems, therefor you need to create a DosFlash32 link and add that parameter
manual to use it
- DosFlash16 has one additional parameter "Send ATAPI Device Reset" in manual mode,
this could
give better chances for soft flashing on some VIA - motherboard combinations
- better support of Intel chipsets, drives can now be flashed if the controller is
not set to
native mode in the BIOS
- the following controller list includes vendor and device IDs that are hardcoded
to identify
the controller type (IDE or SATA), this is needed if the BIOS uses IDE ports like
0x01F0 or
0x0170 as SATA and not as IDE channels, this list is NOT related to soft flashing
- the following chipset support is added
- VIA cards
- all VIA cards with a 6420 chipset
- IDE Controllers
- NVIDIA nForce 2 IDE Controller
- NVIDIA nForce 4 IDE Controller
- Intel ICH9
- Intel ICH (i810,i815,i840)
- Intel ICH0
- Intel ICH2M
- Intel ICH2 (i810E2,i845,850,860)
- Intel C-ICH (i810E2)
- Intel ICH3M
- Intel ICH3 (E7500/1)
- Intel ICH4 (i845GV,i845E,i852,i855)
- Intel ICH5
- Intel ESB (855GME/875P + 6300ESB)
- Intel ICH6 (and 6) (i915)
- Intel ICH7/7-R (i945, i975)
- Intel PIIX3 for the 430HX etc
- Intel PIIX4
- Intel PIIX4 for the 430TX/440BX/MX chipset
- Intel PIIX
- SATA Controllers
- NVIDIA nForce 4 SATA Controller
- NVIDIA nForce 2 SATA Controller
- NVIDIA nForce 3 SATA Controller
- NVIDIA nForce MCP04 SATA Controller
- NVIDIA nForce MCP51 SATA Controller
- NVIDIA nForce MCP55 SATA Controller
- NVIDIA nForce MCP61 SATA Controller
- Intel 82801EB (ICH5)
- Intel 6300ESB (ICH5)
- Intel 82801FB/FW (ICH6/ICH6W)
- Intel 82801FR/FRW (ICH6R/ICH6RW)
- Intel 82801FBM ICH6M
- Intel Enterprise Southbridge 2 (631xESB/632xESB)
- Intel 82801GB/GR/GH (ICH7, identical to ICH6)
- Intel 2801GBM/GHM (ICH7M, identical to ICH6M)
- Intel SATA Controller IDE (ICH8)
- Intel Mobile SATA Controller IDE (ICH8M)
- Intel SATA Controller IDE (ICH9)
- Intel SATA Controller IDE (ICH9M)
The following only applies to a software flash on a locked flash. The methods have
been tested
with the BenQ and the Sammy. The VCC trick will work on any motherboard, but you
need to do
some soldering and cut traces.

Soft Flashing the BenQ in DOS with a VIA card and DosFlash16 in manual mode
-----------------------------------------------------------------------------
- first you need to know the port addresses of your VIA card, you can get these by
starting
msinfo32 on Windows XP and looking at the port listing for SCSI devices
- for the 6421 the 1st port is internal SATA, 2nd is external SATA and 3rd is
internal IDE
- for the 6420 the 1st and 3rd port are internal SATA
- you need the starting address e.g. 0xD000 or 0x7000
- be warned that these addresses can change from computer to computer, they are
assigned
at bootup, but Windows XP should display the ones you need for flashing in DOS
- connect a separate power supply unit to the BenQ, don't turn it on yet (can be
XBOX360 or
Xecuter Connectivity Kit)
- don't use the Xecuter Kit to power the drive with the same psu as your computer,
cause we
need to power the drive off and on during soft flashing
- cold reboot or reset the computer
- boot from a DOS disk, I used a Windows XP MS-DOS startup disk
- at the prompt type:
DosFlash r 7000 1 a0 1 4 a:\orig.bin 0
- instead of port 7000 use the starting address your VIA card uses
- press return
- DosFlash16 will ask you if you wanna resend the mtk vendor intro cmd, press Yes
- after you pressed Yes the drive status is shown on the screen, it's something
like 0x7F,
this will change during the next few steps
- turn on the BenQ psu and wait 2 or more seconds, status changes between 0x51 and
0xD1
- turn off the BenQ psu and wait 2 or more seconds, status will stay at 0xD1
- turn on the BenQ psu, you should get a good drive status 0x73 and flashing should
start
- this worked only one time after the computer is powered on or resetted for me
- writing and erasing works the same way
- for writing type:
DosFlash w 7000 1 a0 1 4 a:\ixtreme.bin 0
- for erasing type:
DosFlash e 7000 1 a0 1 4 D8 0 (D8 is the sector erase opcode for the BenQ flash,
if you need
to erase another drive, lookup the value in the datasheet or DosFlash.typ)
- if you experience any problems try to use 1 as the parameter to the ATAPI Device
Reset, cause
the same VIA card will react differently on another motherboard sometimes

Soft Flashing the BenQ in DOS with a NForce motherboard and DosFlash16 in manuel
mode
-----------------------------------------------------------------------------------
----
- first you need to know the port addresses of your NForce motherboard, you can get
these by
 starting msinfo32 on Windows XP and looking at the port listing for IDE devices
- on most motherboards the 1st and 3rd ports are used for SATA
- you need the starting address e.g. 0x0970 or 0xE900
- connect a separate power supply unit to the BenQ, don't turn it on yet (can be
XBOX360 or
Xecuter Connectivity Kit)
- don't use the Xecuter Kit to power the drive with the same psu as your computer,
cause we
need to power the drive off and on during soft flashing
- cold reboot or reset the computer
- boot from a DOS disk, I used a Windows XP MS-DOS startup disk
- at the prompt type:
DosFlash r 0970 1 a0 1 4 a:\orig.bin 1
- instead of port 0970 use the starting address your NForce motherboard uses
- press return
- DosFlash16 will ask you if you wanna resend the mtk vendor intro cmd, press Yes
- after you pressed Yes the drive status is shown on the screen, it's something
like 0xD1,
this will change during the next few steps
- turn on the BenQ psu, you should get a good drive status 0x73 and flashing should
start
- writing and erasing works the same way
- for writing type:
DosFlash w 0970 1 a0 1 4 a:\ixtreme.bin 1
- for erasing type:
DosFlash e 0970 1 a0 1 4 D8 1 (D8 is the sector erase opcode for the BenQ flash,
if you need
to erase another drive, lookup the value in the datasheet or DosFlash.typ)

Soft Flashing the BenQ in DOS with a NForce motherboard and DosFlash16 in auto mode
-----------------------------------------------------------------------------------
--
- connect a separate power supply unit to the BenQ, don't turn it on yet (can be
XBOX360 or
Xecuter Connectivity Kit)
- don't use the Xecuter Kit to power the drive with the same psu as your computer,
cause we
need to power the drive off and on during soft flashing
- cold reboot or reset the computer
- boot from a DOS disk, I used a Windows XP MS-DOS startup disk
- wait until you are at the cmd prompt
- turn on the BenQ psu
- at the prompt type:
DosFlash
- press return
- during scann of the BenQ's port DosFlash16 will ask you if you wanna resend the
mtk vendor
intro cmd, press Yes
- after you pressed Yes the drive status is shown on the screen, it's something
like 0xD1,
this will change during the next few steps
- turn off the BenQ psu and wait 2 or more seconds, status will stay at 0xD1
- turn on the BenQ psu, you should get a good drive status 0x73 and flash access is
granted
- you can now continue as usual using DosFlash
- writing and erasing works the same way
- if the ports are scanned there is the possibility that you'll get the resend
question for
 other drives like a NEC, this is because the NEC has no MTK chip and returns a
bad status,
if you know the NEC is at that port you should press No and press Yes only if the
port of
the BenQ is shown or simply disconnect the NEC

Soft Flashing the BenQ in Windows XP with a VIA card or NForce motherboard and
DosFlash32
-----------------------------------------------------------------------------------
--------
- connect a separate power supply unit to the BenQ, don't turn it on yet (can be
XBOX360 or
Xecuter Connectivity Kit)
- don't use the Xecuter Kit to power the drive with the same psu as your computer,
cause we
need to power the drive off and on during soft flashing
- cold reboot or reset the computer
- turn on the BenQ psu when you are in Windows XP
- start DosFlash32
- DosFlash32 will ask you if you wanna resend the mtk vendor intro cmd, press Yes
- turn off the BenQ psu and wait 2 or more seconds
- turn on the BenQ psu, the DosFlash32 dialog should show up
- the flash should be recognized by DosFlash32
- you can now read, write or erase the flash
- you should be able to do the flashing more than one time in Windows, only do the
power
off/on trick again
- if the ports are scanned there is the possibility that you'll get the resend
question for
other drives like a NEC, this is because the NEC has no MTK chip and returns a
bad status,
if you know the NEC is at that port you should press No and press Yes only if the
port of
the BenQ is shown or simply disconnect the NEC

Many thanks to jumba for the great idea of BenQ polling!

Thanks to Iriez, Jumba, Redline99, TeamModfreakz, Tiros and all the IRC people for
testing
and support.

Join us on IRC efnet at the channel #dosflash for support.

Don't brick your BenQ!

Kai Schtrom

***********************************************************************************
*************

DosFlash and DosFlash32 V1.2 Beta

-----------------------------------
- bug fix for BenQ recognition
- manufacturer and device id are sometimes 0x00 for a correct installed switch
- this issue is fixed with an additional ATAPI device reset before the mtk vendor
intro is sent
Thanks to Redline99 who fixed my buggy code by adding one line! :)

***********************************************************************************
*************

DosFlash and DosFlash32 V1.1 Beta

-----------------------------------
- DosFlash.typ modified for better BenQ support
- DosFlash16 Flash Manufacturer and Device ID screen output restructured
- flash chips are first erased before writing starts
- DosFlash32 no reenable of DVD-ROMs in device manager after flashing, this means
you can't see the drive
and maybe have to activate it manually again in device manager, this could give
better compatibility and
hopefully no more blue screens

Many thanks to Jumba, Redline99, TeamModfreakz and Tiros for inspiration and help!

***********************************************************************************
*************

DosFlash and DosFlash32 V1.0 Beta

-----------------------------------
DosFlash can be used to read/write/erase the flash chips of most CD/DVD-ROM drives
that have a mediatek chipset installed. DosFlash is for DOS flashing, DosFlash32
for Windows flashing.

Features:
-----------
- flashes IDE and SATA drives
- supports parallel and serial flash chips
- flash drives in Windows with direct port access
- no vendor cdb flashing commands are used
- tested with the following drives:
- TS-H943A MS25, MS28
- SH-D162C
- SH-D163A
- and some other drives like Liteon, Hitachi, ...
- NEC drives are not supported, cause they have no mediatek chipset installed

DosFlash
----------
DosFlash supports two flashing modes, Auto and Manual. If you type DOSFLASH at a
DOS prompt it
will start in Auto mode. All drives and the corresponding flash chips are detected
automatically.
If you can't get a flash chip recognized due to a bad flash or other problems you
should use the
Manual mode. In Manual mode you can enter all the parameters used for flashing by
hand. The
following help screen is displayed if you start DosFlash with a wrong number of
parameters:
DOSFLASH by Kai Schtrom, 08/05/2007 (Ver 1.0 Beta)
DOSFLASH [R|W|E] [PORT] [PORT TYPE] [DRIVE POS] [FLASH TYPE]
[FLASH SIZE] [FLASH SECTOR ERASE OPCODE] [FILE NAME]
R: Read FLASH
W: Write FLASH
E: Erase FLASH
PORT: Port to send command to
PORT TYPE: 0 for IDE, 1 for SATA
DRIVE POS: A0 for Master, B0 for Slave
FLASH TYPE: 0 for parallel flash, 1 for serial flash
FLASH SIZE: size of flash chip in number of banks
FLASH SECTOR ERASE OPCODE: individual sector erase opcode command byte
this is only needed for erasing a serial flash
FILE NAME: name of the file to read/write from/to flash
All numbers are intepreted as hex values!

Example Usage:
"DOSFLASH R 01F0 0 A0 1 4 C:\flash.bin"
=> Read serial flash with a size of 4 bank (262144 bytes) from Master Device
on IDE port 0x01F0
"DOSFLASH E C000 1 A0 1 4 D8"
=> Erase serial flash with opcode 0xD8 and a size of 4 banks (262144 bytes)
from Master Device on SATA port 0xC000

Explanation of the Parameters:

--------------------------------

[R|W|E]
---------
- this will set the mode of flashing, it is recommended to first try read on any
drive, if the read will fail, it is highly unlikely that a write or erase will
succeed

[PORT]
--------
- the port to which the drive is connected, a port number should always be entered
in hexadecimal and have 4 hex digits, valid ports are: 01F0, 0170, C000, C800
- this option can be used if your PCI adapter card or on board IDE/SATA ports are
not identified by the auto mode

[PORT TYPE]
-------------
- the port type tells DosFlash what type of port is installed on the before entered
port address
- valid values are 0 for IDE and 1 for SATA
- make sure you never mix the wrong port with the wrong port type, this could give
strange results or in the worst case a bricked drive

[DRIVE POS]
-------------
- old style IDE channels have the possibility to connect two drives at one IDE
channel, the first drive is called the master, the second drives is called the
slave
- you can select which drive should be flashed on the channel, A0 selects Master,
B0 selects Slave
- on SATA ports this value is always A0, cause you can only connect one drive to
a SATA port, so for SATA you will always type A0 here
- it is not recommended to flash IDE drives with another drive connected to the
same IDE channel, this could be risky if something in the Master/Slave selection
fails

[FLASH TYPE]
--------------
- there are two types of flash chips out for CD/DVD-ROM drives atm
- the older type is parallel flash, which is also supported by mtkflash for example
- the newer type is serial flash, which is supported by flashers like XSF
- the problem here is that no tool is out that can flash serial flash chips on
SATA ports

[FLASH SIZE]
--------------
- this is specifies the flash chip size in banks
- one bank is always 65.536 bytes in size
- if you know your drive has a flash chip of 262.144 bytes in size you need to
enter 4

[FLASH SECTOR ERASE OPCODE]

-----------------------------
- the opcode used in the flash chips datasheet for erasing
- for serial chips this command can be different from the standard and needs to be
entered for flash erase
- for parallel flash chips you can enter a dummy cmd byte, the integrated command
should work on all parallel flash chips without a prob

[FILE NAME]
-------------
- name of the file that should be used for flashing
- for reading operations this should be the output file
- for writing operations this should be the input file

Hints and Warnings

--------------------
- read, write erase TS-H943A MS28 after the firmware stealth has been disabled with
Enable0800 disc
- this only works one time, after the first mtk vendor specific intro cmd is send
- if the mtk vendor specific outro cmd is send the chip goes back to stealth mode
and you need
again the Enable0800.iso to disable it
- therefor the mtk vendor specific intro is send at program start to all present
devices and the
mtk outro is sent at program end
- if you have a chip manufacturer id of 0x02 and a chip device id of 0x02 for the
TS-H943A
the flash chip is in stealth mode and won't give access to any reading,
writing, erasing
- always have a look at the DataSum generated, this is exactly the DataSum of
mtkflash
- the DataSum is calculated as the sum of all bytes of the firmware in a short
integer
- to make 100% sure that the flash is written right compare that DataSum to a
known one
- this tool has not been tested on all drives out there, the typ list is simply
copied from well
known programs like mtkflash and XSF
- always try a flash read on a not yet tested drive before doing anything else
 - if the read doesn't succeed it is highly unlikely that a write or erase will
- some LiteOn drives seem to have probs to write the firmware correct, this prob
seems to be
related to windows register flashing, cause even an assembler app can't do this
error free
- if you get errors on LiteOn drives, write the flash two times in a row
- for direct port I/O in windows the givoio.sys driver is used, this driver is
loaded at DosFlash32
start and unloaded at program end, be warned, this driver can possibly make your
system unstable,
it's intention is to let privileged assembler instruction like in and out pass,
even in windows,
if this driver is not used you will not be able to get direct access to port
registers
- DosFlash was tested on MS-DOS 6.22 and later, you can easily copy it on a MS-DOS
boot disk created
in Windows XP and start DosFlash directly from the disk
- don't forget to also copy the DosFlash.typ file, it has all the informations
about flash chips
for auto mode flashing
- DosFlash32 was tested without a prob on Windows XP SP2, you'll need also the typ
file for the
win version
- DosFlash32 will deactivate all CD-ROMs in device manager at startup, this is
better for flashing,
cause Windows seems to poll the drives all the time and this could result in a
bad fw file or
a program hang, the drives are activated again at program end
- you should make sure that the flash is not in an erased state at program end,
cause device manager
don't like drives that do not respond to the inquiry command
- deactivating all CD-ROMs could take a few seconds, so please be patient at
program start
- DosFlash and DosFlash32 will try to scan for the VIA 6421L Raid Controller card,
based on vendor
id 1106 and device id 3249, it doesn't matter if the card driver is installed or
not

Many thanks to Dale Roberts and his Direct Port I/O driver giveio.sys!

Avoid a bad flash!

Kai Schtrom