DosFlash and DosFlash32 V1.3 Beta
-----------------------------------
- BenQ optimization in unlocking the flash chip, it should now be possible to read/write/erase
  the flash without any soldering or wire tricks, the drive is polled for the correct mtk
  unlocking status after power on, this only works for VIA cards and NForce boards atm
- DosFlash32 has one additional parameter, if you start it with the parameter "EnableDrives"
  all the DVD-ROMs are enabled in device manager after flashing, this could give BSOD on some
  systems, therefor you need to create a DosFlash32 link and add that parameter manual to use it
- DosFlash16 has one additional parameter "Send ATAPI Device Reset" in manual mode, this could
  give better chances for soft flashing on some VIA - motherboard combinations
- better support of Intel chipsets, drives can now be flashed if the controller is not set to
  native mode in the BIOS
- the following controller list includes vendor and device IDs that are hardcoded to identify
  the controller type (IDE or SATA), this is needed if the BIOS uses IDE ports like 0x01F0 or
  0x0170 as SATA and not as IDE channels, this list is NOT related to soft flashing
- the following chipset support is added
  - VIA cards
    - all VIA cards with a 6420 chipset
  - IDE Controllers
    - NVIDIA nForce 2 IDE Controller
    - NVIDIA nForce 4 IDE Controller
    - Intel ICH9
    - Intel ICH (i810,i815,i840)
    - Intel ICH0
    - Intel ICH2M
    - Intel ICH2 (i810E2,i845,850,860)
    - Intel C-ICH (i810E2)
    - Intel ICH3M
    - Intel ICH3 (E7500/1)
    - Intel ICH4 (i845GV,i845E,i852,i855)
    - Intel ICH5
    - Intel ESB (855GME/875P + 6300ESB)
    - Intel ICH6 (and 6) (i915)
    - Intel ICH7/7-R (i945, i975)
    - Intel PIIX3 for the 430HX etc
    - Intel PIIX4
    - Intel PIIX4 for the 430TX/440BX/MX chipset
    - Intel PIIX
  - SATA Controllers
    - NVIDIA nForce 4 SATA Controller
    - NVIDIA nForce 2 SATA Controller
    - NVIDIA nForce 3 SATA Controller
    - NVIDIA nForce MCP04 SATA Controller
    - NVIDIA nForce MCP51 SATA Controller
    - NVIDIA nForce MCP55 SATA Controller
    - NVIDIA nForce MCP61 SATA Controller
    - Intel 82801EB (ICH5)
    - Intel 6300ESB (ICH5)
    - Intel 82801FB/FW (ICH6/ICH6W)
    - Intel 82801FR/FRW (ICH6R/ICH6RW)
    - Intel 82801FBM ICH6M
    - Intel Enterprise Southbridge 2 (631xESB/632xESB)
    - Intel 82801GB/GR/GH (ICH7, identical to ICH6)
    - Intel 2801GBM/GHM (ICH7M, identical to ICH6M)
    - Intel SATA Controller IDE (ICH8)
    - Intel Mobile SATA Controller IDE (ICH8M)
    - Intel SATA Controller IDE (ICH9)
    - Intel SATA Controller IDE (ICH9M)


The following only applies to a software flash on a locked flash. The methods have been tested
with the BenQ and the Sammy. The VCC trick will work on any motherboard, but you need to do 
some soldering and cut traces.


Soft Flashing the BenQ in DOS with a VIA card and DosFlash16 in manual mode
-----------------------------------------------------------------------------
- first you need to know the port addresses of your VIA card, you can get these by starting
  msinfo32 on Windows XP and looking at the port listing for SCSI devices
- for the 6421 the 1st port is internal SATA, 2nd is external SATA and 3rd is internal IDE
- for the 6420 the 1st and 3rd port are internal SATA
- you need the starting address e.g. 0xD000 or 0x7000
- be warned that these addresses can change from computer to computer, they are assigned
  at bootup, but Windows XP should display the ones you need for flashing in DOS
- connect a separate power supply unit to the BenQ, don't turn it on yet (can be XBOX360 or 
  Xecuter Connectivity Kit)
- don't use the Xecuter Kit to power the drive with the same psu as your computer, cause we
  need to power the drive off and on during soft flashing
- cold reboot or reset the computer
- boot from a DOS disk, I used a Windows XP MS-DOS startup disk
- at the prompt type: 
  DosFlash r 7000 1 a0 1 4 a:\orig.bin 0 
  - instead of port 7000 use the starting address your VIA card uses
- press return
- DosFlash16 will ask you if you wanna resend the mtk vendor intro cmd, press Yes
- after you pressed Yes the drive status is shown on the screen, it's something like 0x7F,
  this will change during the next few steps
- turn on the BenQ psu and wait 2 or more seconds, status changes between 0x51 and 0xD1
- turn off the BenQ psu and wait 2 or more seconds, status will stay at 0xD1
- turn on the BenQ psu, you should get a good drive status 0x73 and flashing should start
- this worked only one time after the computer is powered on or resetted for me
- writing and erasing works the same way
- for writing type:
  DosFlash w 7000 1 a0 1 4 a:\ixtreme.bin 0
- for erasing type:
  DosFlash e 7000 1 a0 1 4 D8 0 (D8 is the sector erase opcode for the BenQ flash, if you need
  to erase another drive, lookup the value in the datasheet or DosFlash.typ)
- if you experience any problems try to use 1 as the parameter to the ATAPI Device Reset, cause
  the same VIA card will react differently on another motherboard sometimes


Soft Flashing the BenQ in DOS with a NForce motherboard and DosFlash16 in manuel mode
---------------------------------------------------------------------------------------
- first you need to know the port addresses of your NForce motherboard, you can get these by 
  starting msinfo32 on Windows XP and looking at the port listing for IDE devices
- on most motherboards the 1st and 3rd ports are used for SATA
- you need the starting address e.g. 0x0970 or 0xE900
- connect a separate power supply unit to the BenQ, don't turn it on yet (can be XBOX360 or 
  Xecuter Connectivity Kit)
- don't use the Xecuter Kit to power the drive with the same psu as your computer, cause we
  need to power the drive off and on during soft flashing
- cold reboot or reset the computer
- boot from a DOS disk, I used a Windows XP MS-DOS startup disk
- at the prompt type: 
  DosFlash r 0970 1 a0 1 4 a:\orig.bin 1 
  - instead of port 0970 use the starting address your NForce motherboard uses
- press return
- DosFlash16 will ask you if you wanna resend the mtk vendor intro cmd, press Yes
- after you pressed Yes the drive status is shown on the screen, it's something like 0xD1,
  this will change during the next few steps
- turn on the BenQ psu, you should get a good drive status 0x73 and flashing should start
- writing and erasing works the same way
- for writing type:
  DosFlash w 0970 1 a0 1 4 a:\ixtreme.bin 1
- for erasing type:
  DosFlash e 0970 1 a0 1 4 D8 1 (D8 is the sector erase opcode for the BenQ flash, if you need
  to erase another drive, lookup the value in the datasheet or DosFlash.typ)


Soft Flashing the BenQ in DOS with a NForce motherboard and DosFlash16 in auto mode
-------------------------------------------------------------------------------------
- connect a separate power supply unit to the BenQ, don't turn it on yet (can be XBOX360 or 
  Xecuter Connectivity Kit)
- don't use the Xecuter Kit to power the drive with the same psu as your computer, cause we
  need to power the drive off and on during soft flashing
- cold reboot or reset the computer
- boot from a DOS disk, I used a Windows XP MS-DOS startup disk
- wait until you are at the cmd prompt
- turn on the BenQ psu
- at the prompt type: 
  DosFlash
- press return
- during scann of the BenQ's port DosFlash16 will ask you if you wanna resend the mtk vendor
  intro cmd, press Yes
- after you pressed Yes the drive status is shown on the screen, it's something like 0xD1,
  this will change during the next few steps
- turn off the BenQ psu and wait 2 or more seconds, status will stay at 0xD1
- turn on the BenQ psu, you should get a good drive status 0x73 and flash access is granted
- you can now continue as usual using DosFlash
- writing and erasing works the same way
- if the ports are scanned there is the possibility that you'll get the resend question for
  other drives like a NEC, this is because the NEC has no MTK chip and returns a bad status,
  if you know the NEC is at that port you should press No and press Yes only if the port of
  the BenQ is shown or simply disconnect the NEC


Soft Flashing the BenQ in Windows XP with a VIA card or NForce motherboard and DosFlash32
-------------------------------------------------------------------------------------------
- connect a separate power supply unit to the BenQ, don't turn it on yet (can be XBOX360 or 
  Xecuter Connectivity Kit)
- don't use the Xecuter Kit to power the drive with the same psu as your computer, cause we
  need to power the drive off and on during soft flashing
- cold reboot or reset the computer
- turn on the BenQ psu when you are in Windows XP
- start DosFlash32
- DosFlash32 will ask you if you wanna resend the mtk vendor intro cmd, press Yes
- turn off the BenQ psu and wait 2 or more seconds
- turn on the BenQ psu, the DosFlash32 dialog should show up
- the flash should be recognized by DosFlash32
- you can now read, write or erase the flash
- you should be able to do the flashing more than one time in Windows, only do the power 
  off/on trick again
- if the ports are scanned there is the possibility that you'll get the resend question for
  other drives like a NEC, this is because the NEC has no MTK chip and returns a bad status,
  if you know the NEC is at that port you should press No and press Yes only if the port of
  the BenQ is shown or simply disconnect the NEC


Many thanks to jumba for the great idea of BenQ polling!
Thanks to Iriez, Jumba, Redline99, TeamModfreakz, Tiros and all the IRC people for testing
and support.

Join us on IRC efnet at the channel #dosflash for support.

Don't brick your BenQ!
Kai Schtrom


************************************************************************************************


DosFlash and DosFlash32 V1.2 Beta
-----------------------------------
- bug fix for BenQ recognition
  - manufacturer and device id are sometimes 0x00 for a correct installed switch
  - this issue is fixed with an additional ATAPI device reset before the mtk vendor intro is sent

Thanks to Redline99 who fixed my buggy code by adding one line! :)


************************************************************************************************


DosFlash and DosFlash32 V1.1 Beta
-----------------------------------
- DosFlash.typ modified for better BenQ support 
- DosFlash16 Flash Manufacturer and Device ID screen output restructured
- flash chips are first erased before writing starts
- DosFlash32 no reenable of DVD-ROMs in device manager after flashing, this means you can't see the drive
  and maybe have to activate it manually again in device manager, this could give better compatibility and
  hopefully no more blue screens

Many thanks to Jumba, Redline99, TeamModfreakz and Tiros for inspiration and help!


************************************************************************************************


DosFlash and DosFlash32 V1.0 Beta
-----------------------------------
DosFlash can be used to read/write/erase the flash chips of most CD/DVD-ROM drives
that have a mediatek chipset installed. DosFlash is for DOS flashing, DosFlash32
for Windows flashing.


Features:
-----------
- flashes IDE and SATA drives
- supports parallel and serial flash chips
- flash drives in Windows with direct port access
- no vendor cdb flashing commands are used
- tested with the following drives:
  - TS-H943A MS25, MS28
  - SH-D162C
  - SH-D163A
  - and some other drives like Liteon, Hitachi, ...
- NEC drives are not supported, cause they have no mediatek chipset installed
 

DosFlash
----------
DosFlash supports two flashing modes, Auto and Manual. If you type DOSFLASH at a DOS prompt it
will start in Auto mode. All drives and the corresponding flash chips are detected automatically.
If you can't get a flash chip recognized due to a bad flash or other problems you should use the
Manual mode. In Manual mode you can enter all the parameters used for flashing by hand. The
following help screen is displayed if you start DosFlash with a wrong number of parameters:


DOSFLASH by Kai Schtrom, 08/05/2007 (Ver 1.0 Beta)
DOSFLASH [R|W|E] [PORT] [PORT TYPE] [DRIVE POS] [FLASH TYPE]
         [FLASH SIZE] [FLASH SECTOR ERASE OPCODE] [FILE NAME]
                        R: Read FLASH
                        W: Write FLASH
                        E: Erase FLASH
                     PORT: Port to send command to
                PORT TYPE: 0 for IDE, 1 for SATA
                DRIVE POS: A0 for Master, B0 for Slave
               FLASH TYPE: 0 for parallel flash, 1 for serial flash
               FLASH SIZE: size of flash chip in number of banks
FLASH SECTOR ERASE OPCODE: individual sector erase opcode command byte
                           this is only needed for erasing a serial flash
                FILE NAME: name of the file to read/write from/to flash
All numbers are intepreted as hex values!

Example Usage:
"DOSFLASH R 01F0 0 A0 1 4 C:\flash.bin"
=> Read serial flash with a size of 4 bank (262144 bytes) from Master Device
   on IDE port 0x01F0
"DOSFLASH E C000 1 A0 1 4 D8"
=> Erase serial flash with opcode 0xD8 and a size of 4 banks (262144 bytes)
   from Master Device on SATA port 0xC000
   
   
Explanation of the Parameters:
--------------------------------

[R|W|E]
---------
- this will set the mode of flashing, it is recommended to first try read on any
  drive, if the read will fail, it is highly unlikely that a write or erase will
  succeed

[PORT]
--------
- the port to which the drive is connected, a port number should always be entered
  in hexadecimal and have 4 hex digits, valid ports are: 01F0, 0170, C000, C800
- this option can be used if your PCI adapter card or on board IDE/SATA ports are
  not identified by the auto mode

[PORT TYPE]
-------------
- the port type tells DosFlash what type of port is installed on the before entered
  port address
- valid values are 0 for IDE and 1 for SATA
- make sure you never mix the wrong port with the wrong port type, this could give
  strange results or in the worst case a bricked drive
  
[DRIVE POS]
-------------
- old style IDE channels have the possibility to connect two drives at one IDE
  channel, the first drive is called the master, the second drives is called the
  slave
- you can select which drive should be flashed on the channel, A0 selects Master,
  B0 selects Slave
- on SATA ports this value is always A0, cause you can only connect one drive to
  a SATA port, so for SATA you will always type A0 here
- it is not recommended to flash IDE drives with another drive connected to the
  same IDE channel, this could be risky if something in the Master/Slave selection
  fails
  
[FLASH TYPE]
--------------
- there are two types of flash chips out for CD/DVD-ROM drives atm
- the older type is parallel flash, which is also supported by mtkflash for example
- the newer type is serial flash, which is supported by flashers like XSF
- the problem here is that no tool is out that can flash serial flash chips on 
  SATA ports
  
[FLASH SIZE]
--------------
- this is specifies the flash chip size in banks
- one bank is always 65.536 bytes in size
- if you know your drive has a flash chip of 262.144 bytes in size you need to enter 4

[FLASH SECTOR ERASE OPCODE]
-----------------------------
- the opcode used in the flash chips datasheet for erasing
- for serial chips this command can be different from the standard and needs to be
  entered for flash erase
- for parallel flash chips you can enter a dummy cmd byte, the integrated command
  should work on all parallel flash chips without a prob
  
[FILE NAME]
-------------
- name of the file that should be used for flashing
- for reading operations this should be the output file
- for writing operations this should be the input file


Hints and Warnings
--------------------
- read, write erase TS-H943A MS28 after the firmware stealth has been disabled with Enable0800 disc
  - this only works one time, after the first mtk vendor specific intro cmd is send
  - if the mtk vendor specific outro cmd is send the chip goes back to stealth mode and you need
    again the Enable0800.iso to disable it
  - therefor the mtk vendor specific intro is send at program start to all present devices and the
    mtk outro is sent at program end
  - if you have a chip manufacturer id of 0x02 and a chip device id of 0x02 for the TS-H943A
    the flash chip is in stealth mode and won't give access to any reading, writing, erasing
- always have a look at the DataSum generated, this is exactly the DataSum of mtkflash
  - the DataSum is calculated as the sum of all bytes of the firmware in a short integer
  - to make 100% sure that the flash is written right compare that DataSum to a known one
- this tool has not been tested on all drives out there, the typ list is simply copied from well
  known programs like mtkflash and XSF
  - always try a flash read on a not yet tested drive before doing anything else
  - if the read doesn't succeed it is highly unlikely that a write or erase will
- some LiteOn drives seem to have probs to write the firmware correct, this prob seems to be
  related to windows register flashing, cause even an assembler app can't do this error free
  - if you get errors on LiteOn drives, write the flash two times in a row
- for direct port I/O in windows the givoio.sys driver is used, this driver is loaded at DosFlash32
  start and unloaded at program end, be warned, this driver can possibly make your system unstable,
  it's intention is to let privileged assembler instruction like in and out pass, even in windows,
  if this driver is not used you will not be able to get direct access to port registers
- DosFlash was tested on MS-DOS 6.22 and later, you can easily copy it on a MS-DOS boot disk created
  in Windows XP and start DosFlash directly from the disk
- don't forget to also copy the DosFlash.typ file, it has all the informations about flash chips
  for auto mode flashing
- DosFlash32 was tested without a prob on Windows XP SP2, you'll need also the typ file for the 
  win version
- DosFlash32 will deactivate all CD-ROMs in device manager at startup, this is better for flashing,
  cause Windows seems to poll the drives all the time and this could result in a bad fw file or
  a program hang, the drives are activated again at program end
- you should make sure that the flash is not in an erased state at program end, cause device manager
  don't like drives that do not respond to the inquiry command
- deactivating all CD-ROMs could take a few seconds, so please be patient at program start
- DosFlash and DosFlash32 will try to scan for the VIA 6421L Raid Controller card, based on vendor
  id 1106 and device id 3249, it doesn't matter if the card driver is installed or not


Many thanks to Dale Roberts and his Direct Port I/O driver giveio.sys!

Avoid a bad flash!
Kai Schtrom