So I think we have two topics:
you are absolutely correct - they earned well from XGD3 protection
1: Figure out how to gain debug access to the "MSODDDSP" chip to figure out how it boots securely, for example how it encrypts, integrity-protects and restricts access to its firmware flash chip. Find a way to dump the drive key and compile new firmware to flash it like on the 360. This should at least help with drive repairs even if loading backup discs isn't possible yet.
According to you at least getting into the chip is possible now?
2: Figure out the disc logical structure and topology layout to understand the possibility of C/R spoofing. From what I understand, XGD3 used a variety of "bad" sectors that are crafted in such a way that a normal drive won't be able to read them and write them back identically. The drive reads the raw channel bitstream and also measures angular distances between some of them, then compares the results to the prerecorded C/R table to verify whether the disc is genuine.
Is the dual overlapping track technology already present on XGD3? Or is it XGD4 exclusive? If a similar technology is already present on XGD3, we can probably move the similar "topology data" countermeasure used in LTU firmware to here.