XboxHacker BBS
Author Topic: imgbuild  (Read 7512 times)
tmbinc (Global Moderator, Master Hacker, Posts: 285)
« on: August 15, 2009, 03:29:19 AM »

As a first step toward a "release", I've committed the tool to build an image suitable for the hack, as well as some additional information and a description of "how it works". You can find that work in the free60.org repository:

http://free60.cvs.sourceforge.net/viewvc/free60/imgbuild/

I understand that not all of the required binaries are available right now, but we'll work on providing ways to derive them from NAND dumps. But those of you who are able to recover the required binaries should be able to build an image which boots right into xell.

There are three things that we have to take care of:
 - The 1920+ CB/CD. If somebody has a 1920 box, just do the timing attack, extract your CPU key, add that CPU key into "decrypt_CD", and use that image. You'll get the decrypted CB/CD in your "output" directory. I'll then describe how to build the 1921 and the other CDs from that.
 - The hacked SMC for kicking off the read. You basically need to add writing to the NAND command register in command 04. The command you need to write is 07. I can explain this more, but there are people who understand the SMC code much better than I do, so maybe they can drop in here.
 - The SMC JTAG stuff, which Tiros wrote, so you only need to add resistors instead of a uC.

PLEASE KEEP NON-TECHNICAL POSTS, SIMPLE "THANKS", RANTS, AND ALL KINDS OF TALK REGARDING A REBOOTER AWAY FROM THIS THREAD. Thanks.

Please don't copy/quote full text outside this board. Instead, summarize and link to this post. Thanks! This lets me keep information updated and doesn't pull things out of context.
le_uberfry (Master Hacker, Posts: 156)
« Reply #1 on: August 15, 2009, 05:01:25 AM »

Since you don't want a "thanks", I won't give you one.

Do you still need to catch all cores? Or can you just wake them up afterwards?

nvm... I think not all CPUs are init'ed when in mfgbootlauncher...
« Last Edit: August 15, 2009, 05:25:15 AM by le_uberfry »

Don't be fooled by my status, I'm not really a master hacker, so don't ask me to hack your Rockband or whatever.
jz_5_3 (Master Hacker, Posts: 107)
« Reply #2 on: August 15, 2009, 06:43:41 AM »

Thanks, tmbinc! Great work, always.

I have a Xenon which has kernel 4552, but the CPU key is unknown. As you mentioned the CPU key in your post, is it still required for this hack? If so, I am just wondering if I can use the NAND image from another Xenon (which cannot power on) whose CPU key is known. I just do not want to do TA.
le_uberfry (Master Hacker, Posts: 156)
« Reply #3 on: August 15, 2009, 06:49:02 AM »

shhhhhhhh don't thank him, he'll kill you

If I read correctly (you could do just the same), you only need to do TA for boxes with an encrypted CD.
Besides, shouldn't there be a newb discussion thread for this? I don't think the big guns appreciate us flooding their threads with newb questions.

Don't be fooled by my status, I'm not really a master hacker, so don't ask me to hack your Rockband or whatever.
tmbinc (Global Moderator, Master Hacker, Posts: 285)
« Reply #4 on: August 15, 2009, 07:08:46 AM »

Hey, I just want to avoid useless empty "thank you" posts, that's all.

Anyway: the generated image will run on all boxes of that type. So we need 4 images in total, nothing more.

But for each box type, we need to extract a decrypted CD *once*. Due to copyright reasons I cannot just put them up here, so I will give an explanation of *how you can extract those* instead.

The CD.1920 is the simplest, so let's start with that one: just TA, and use that to decrypt.

1921 is more complicated, since we cannot TA those boxes, but you can patch CD.1920 until it matches the hash of CD.1921 (i.e. until you have the CD.1921 binary - this is not a hash collision, it's a "plaintext recovery"). If you have 1921, the other ones will be easy again. I can help here, but the first step is 1920.

Please don't copy/quote full text outside this board. Instead, summarize and link to this post. Thanks! This lets me keep information updated and doesn't pull things out of context.
Tiros (Master Hacker, Posts: 346)
« Reply #5 on: August 15, 2009, 01:02:22 PM »

Quote from: le_uberfry
Do you still need to catch all cores? Or can you just wake them up afterwards?

nvm... I think not all CPUs are init'ed when in mfgbootlauncher...

What? Of course they are!
The kernel has to start to run any sort of xex.
Early in kernel init all the CPUs are brought online.

The guy who claims to know how to restart/reboot a kernel doesn't know something as basic as this.
le_uberfry (Master Hacker, Posts: 156)
« Reply #6 on: August 15, 2009, 01:44:02 PM »

iirc, 0x6C is the first syscall to alter CPU state, and because tmbinc stated that not all CPU cores are running at full speed, I assumed mfgbootlauncher was < 0x6C.
Get off my nuts now, Tiros.

Don't be fooled by my status, I'm not really a master hacker, so don't ask me to hack your Rockband or whatever.
utar (Master Hacker, Posts: 106)
« Reply #7 on: August 15, 2009, 02:36:57 PM »

Well, I have CD.1920:

MD5:  1c0baff0799d522d89370c0b54d73129
SHA1: f4a7979763a5a60ef86e2152036289a7a83a8c4d

But I haven't a clue about patching this to CD.1921.

Utar
Tiros (Master Hacker, Posts: 346)
« Reply #8 on: August 15, 2009, 02:43:43 PM »

Quote from: le_uberfry
iirc, 0x6C is the first syscall to alter CPU state, and because tmbinc stated that not all CPU cores are running at full speed, I assumed mfgbootlauncher was < 0x6C.
Get off my nuts now, Tiros.

Wrong again, guido.

0x6c InitSecurity
0x68 starts the cores

mfgbootlauncher is an app, an xex; it can't run before the kernel is fully started. Duh.

Better get back to the noob castle, they miss their king.
tmbinc (Global Moderator, Master Hacker, Posts: 285)
« Reply #9 on: August 15, 2009, 02:53:50 PM »

utar: sure it decrypted successfully?

Please don't copy/quote full text outside this board. Instead, summarize and link to this post. Thanks! This lets me keep information updated and doesn't pull things out of context.
utar (Master Hacker, Posts: 106)
« Reply #10 on: August 15, 2009, 03:05:00 PM »

tmbinc: I was happy it had decrypted successfully, but I'm guessing from your reply that the hashes are wrong! I ran the dump through robinsod's flash dump tool.

Utar
ddxcb (Master Hacker, Posts: 209)
« Reply #11 on: August 15, 2009, 05:54:17 PM »

Hi, I was wondering about making a diagram for the JTAG cable for the Xbox 360. Thanks.
Lethal435 (Newbie, Posts: 5)
« Reply #12 on: August 15, 2009, 06:12:53 PM »

I have an Xbox 360 that is working perfectly but has no DVD drive (lost the drive key), so any idea when we will see what's needed to dump the NAND? In previous posts tmbinc was saying no DVD drive needed and no hardware needed, but from what I can tell an Infectus is needed.
woop (Member, Posts: 33)
« Reply #13 on: August 15, 2009, 07:04:16 PM »

No, you can back up your NAND without a modchip. They haven't released any info yet, though. You could back up your flash and flash the hack to the onboard NAND to retrieve your key, then re-flash your backup and install a drive.
Arakon (Administrator, Xbox Hacker, Posts: 5940)
« Reply #14 on: August 15, 2009, 07:07:04 PM »

Guys.. any more "when" questions will be deleted, repeaters will be banned.

I do NOT give support by email, PM, ICQ or whatever. Anyone annoying me that way will have his balls removed. With a rusty butterknife. Slowly. And I'll enjoy doing it.
benjmole1 (Member, Posts: 10)
« Reply #15 on: August 15, 2009, 07:15:18 PM »

I too would be interested in the diagram for the JTAG cable, or whatever it's called. (:
It's nice to be ready.
Redline99 (Global Moderator, Xbox Hacker, Posts: 767)
« Reply #16 on: August 15, 2009, 07:56:38 PM »

Here, it's not pretty, but it is functional.
Zoom it and you can tell the wire paths. I'm too lazy to mark it up.

(It is the red wires you are looking at; green are for something else.)

Where's Waldo
B1N4RY (Xbox Hacker, Posts: 674)
« Reply #17 on: August 15, 2009, 08:28:40 PM »

Those are 330 ohm resistors with a tolerance value of 5%, correct?
Redline99 (Global Moderator, Xbox Hacker, Posts: 767)
« Reply #18 on: August 15, 2009, 08:38:50 PM »

Yeah, just what I had around. Oh, and some smaller 1/8 watt ones would look nicer.

Edit:
My console hasn't had any evil smoke released yet. So I guess it's good.
« Last Edit: August 15, 2009, 08:41:08 PM by Redline99 »

Where's Waldo
B1N4RY (Xbox Hacker, Posts: 674)
« Reply #19 on: August 15, 2009, 08:42:37 PM »

-snip-

Also, is the 1BL key still DD88AD0C9ED669E7B56794FB68563EFA ??
« Last Edit: August 15, 2009, 09:04:06 PM by B1N4RY »