XboxHacker BBS
Author Topic: Downgrading..  (Read 9078 times)
Arakon
« on: April 16, 2007, 12:56:20 PM »

I got an Infectus sample today. The chip is able to read and write the 360 NAND. Since the flash content is encrypted on a per-Xbox basis, are there any means yet to use another/generic flash (i.e. the older kernel) and encrypt it for my 360? Or is there just no way for me at this point?

I do NOT give support by email, PM, ICQ or whatever. Anyone annoying me that way will have his balls removed. With a rusty butterknife. Slowly. And I'll enjoy doing it.
garyopa
« Reply #1 on: April 16, 2007, 01:29:42 PM »

What you need to do is dump your "eFuses" and then you can decrypt the flash.

There is not much in the way of a "per-box" key; some of the flash parts have
a random seed in front, like the Southbridge section.

I'm hoping to get my sample soon, so I can work on some programs to help on this matter.

I am also looking into the port that M$ uses to read the "eFuses" and change them,
a small row of three pins marked DB6E1 / DB6E2 / DB6E3 plus an enable/ground hole just to the right.
These pins are just below the CPU heatsink plate, and just above the sometimes missing EEPROM.

-=( Gary from http://www.O-P-A.co.cc )=-
uberfry
« Reply #2 on: April 16, 2007, 01:43:26 PM »

Let me guess:
sponsored by uncle Oscar :D
Arakon
« Reply #3 on: April 16, 2007, 03:34:08 PM »

I can confirm now that the Infectus can make a proper dump of the NAND. However, I figure I can't downgrade anyway: the efuse for the latest update is already blown.
One issue I had was that the 360 would give me a ROD for as long as the chip was installed; as soon as I removed it, the box worked fine again.
The install is quite easy, btw. The spots are no smaller than D0 on the old box, and already pre-tinned. Some AWG30 wire and I was done with the solder work in 10 minutes.
DrMatrix
« Reply #4 on: April 16, 2007, 05:46:03 PM »

Again, everything except the keyvault (which contains the DVD key) is *not* encrypted with a per-box key. You need to read the (serial-number/key) efuses only if you want to decrypt your keyvault.

However, if you have the efuses, you could re-encrypt an update to 4532 even when the update-lock efuse is burned (as far as I understand). But that of course helps nothing.

garyopa, is there any proof that these pads are used for reading/writing efuses? Where is this information from?
sectroyer
« Reply #5 on: April 16, 2007, 06:52:44 PM »

Quote
Also to be looked at are the three pins just to the north of this connector,
the ones labelled "DB6E1" / "DB6E2" / "DB6E3" plus the big round spot to the right of them.

This is the bus used by M$ to reprogram "the key" during the repair process when changing the drive parts.

This was taken from here: http://www.xboxhacker.net/index.php?topic=7207.msg43953#msg43953
Maybe garyopa has some friends at MS ;)
Cpasjuste
« Reply #6 on: April 16, 2007, 11:38:29 PM »

Quote from: Arakon
I can confirm now that the Infectus can make a proper dump of the NAND. However, I figure I can't downgrade anyway: the efuse for the latest update is already blown.
One issue I had was that the 360 would give me a ROD for as long as the chip was installed; as soon as I removed it, the box worked fine again.
The install is quite easy, btw. The spots are no smaller than D0 on the old box, and already pre-tinned. Some AWG30 wire and I was done with the solder work in 10 minutes.

Hum, it's strange, because I have no problem with the chip installed. (Also I can upgrade/downgrade since I have removed the efuse :P)
Arakon
« Reply #7 on: April 17, 2007, 12:41:09 AM »

Wait, so a downgrade is possible even with the efuse blown?
How can the efuses be read?
zillionare
« Reply #8 on: April 17, 2007, 01:43:39 AM »

Quote from: Arakon
I can confirm now that the Infectus can make a proper dump of the NAND. However, I figure I can't downgrade anyway: the efuse for the latest update is already blown.
One issue I had was that the 360 would give me a ROD for as long as the chip was installed; as soon as I removed it, the box worked fine again.
The install is quite easy, btw. The spots are no smaller than D0 on the old box, and already pre-tinned. Some AWG30 wire and I was done with the solder work in 10 minutes.

Quote from: Cpasjuste
Hum, it's strange, because I have no problem with the chip installed. (Also I can upgrade/downgrade since I have removed the efuse :P)

Cpasjuste: was your kernel at 4552 or <4548 before you disabled your efuse (removed your resistor)? Or... did you actually "remove your efuse"? And how?

peace,
zil

Why buy one, when you can buy two for twice the price.
Cpasjuste
« Reply #9 on: April 17, 2007, 06:27:25 AM »

Sorry, I said some stupid things yesterday, I was tired.

I removed the R6T3 resistor of course, not the efuse, before upgrading from 4532 to 4552 and then downgrading back to 4532.

http://mydedibox.fr/modules/smartsection/item.php?itemid=7
« Last Edit: April 17, 2007, 06:32:54 AM by Cpasjuste »
caster420
« Reply #10 on: April 17, 2007, 07:15:37 AM »

Quote from: Arakon
Wait, so a downgrade is possible even with the efuse blown?
How can the efuses be read?

I think what Dr. Matrix means is that if you had upgraded to 4552, and were able to retrieve the fuse set values, you could re-encrypt the keyvault of a pre-4552 kernel and have it boot again. From what I understand of posts relating to the subject, this is the only section of the kernel that is encrypted with a per-box key. (Sorry Dr. M if that is wrong...)

Also, based on what I have read, was the efuse actually "blown", or did they change the values of them, resulting in different encryption of the keyvault, thus making an older kernel backup useless?

Caster.
DrMatrix
« Reply #11 on: April 17, 2007, 07:48:12 AM »

The keyvault isn't used for the revocation, but instead the "pairing area" (0x20..0x3f) of the upgrade patches.

It's a bit complicated to explain, and to be honest, I haven't reversed it completely. Reverse the CB and CE sections for more on this.

It, however, boils down (if you believe me ;)) to "if you know the fuse_serial, you have won."
Surrido
« Reply #12 on: April 23, 2007, 10:47:42 AM »

Just for confirmation: the part circled in red is to be removed?

I don't want to risk my fuses ;-)
zillionare
« Reply #13 on: April 23, 2007, 03:10:58 PM »

Yup.... Once removed, tape that little bugger to the board above FT6U4 so you don't lose it. You might need it later. ;)
Cpasjuste
« Reply #14 on: April 23, 2007, 09:32:32 PM »

Hehe, too late for me, it was lost at the exact same time it was removed :D
Surrido
« Reply #15 on: April 24, 2007, 02:44:58 AM »

I think I will make a switch for it: solder it pointing downwards and wire a small switch to it...

I was also thinking that the console might check whether it is there or not during boot in a newer kernel version...
Arakon
« Reply #16 on: April 27, 2007, 07:20:45 PM »

OK, this is odd. I got a US 360 with a 2xxx kernel, dumped it with Infectus, and the dump looks fine to me, i.e. filenames readable, copyright message, etc. Upgraded via disc to 4532, worked fine, dumped again, looks fine too. Reflashed with the old 2xxx kernel, and the 360 is dead; it won't even power up. The real issue, however, is that the Infectus now detects a different device ID: instead of AD73, it's now A822. Makes no sense. Triple-checked and redid all wiring, all good; it checks out good directly on the NAND too. Can anyone think of a reason why the NAND would report the wrong ID? Also, does anyone have a known valid dump of 4532 and could send it to me to compare to mine, so I can be sure mine is valid?
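A constructed Python example, added here and not posted by anyone in the thread, of the kind of comparison Arakon asks for: it splits two NAND dumps into blocks, reports which blocks differ between them, and uses Shannon entropy to separate blocks that look keyed or encrypted (what DrMatrix says only the keyvault should be) from low-entropy differences that more likely point at a bad read. The sample dumps, block size and layout are synthetic placeholders, not the real console layout.

```python
import math
from collections import Counter

BLOCK = 256  # block size for the comparison (constructed choice, not a real layout)


def entropy(chunk: bytes) -> float:
    """Shannon entropy in bits per byte: ~0 for padding, close to 8 for ciphertext."""
    if not chunk:
        return 0.0
    n = len(chunk)
    return -sum(c / n * math.log2(c / n) for c in Counter(chunk).values())


def compare_dumps(a: bytes, b: bytes, block: int = BLOCK, high: float = 6.0):
    """Block-by-block comparison of two dumps of the same firmware version.

    Each entry records the block offset, whether both dumps agree there, the
    entropy of dump A and a coarse label. Blocks that differ AND are high
    entropy are candidates for per-box keyed material; blocks that differ but
    are low entropy deserve a look at the wiring or the read itself.
    """
    if len(a) != len(b):
        raise ValueError(f"dump sizes differ: {len(a)} vs {len(b)}")
    report = []
    for off in range(0, len(a), block):
        ca, cb = a[off:off + block], b[off:off + block]
        same, ent = ca == cb, entropy(ca)
        if same:
            label = "identical"
        elif ent >= high:
            label = "differs, high entropy (keyed/encrypted?)"
        else:
            label = "differs, low entropy (check wiring/read)"
        report.append({"offset": off, "identical": same,
                       "entropy": round(ent, 2), "label": label})
    return report


def make_sample_dump(seed: int) -> bytes:
    """Constructed stand-in for a dump: one shared plaintext block followed by
    one per-'console' pseudo-random block. Not real console data."""
    plain = b"kernel 4532 (c) sample text".ljust(BLOCK, b"\x00")
    state, rnd = seed, bytearray()
    for _ in range(BLOCK):  # small LCG, used only to produce high-entropy bytes
        state = (state * 1103515245 + 12345) & 0xFFFFFFFF
        rnd.append(state >> 24)
    return plain + bytes(rnd)


if __name__ == "__main__":
    for row in compare_dumps(make_sample_dump(1), make_sample_dump(2)):
        print(f"0x{row['offset']:06x}: {row['label']} (H={row['entropy']})")
```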
zouzzz
« Reply #17 on: April 28, 2007, 03:52:25 AM »

Quote from: Arakon
OK, this is odd. I got a US 360 with a 2xxx kernel, dumped it with Infectus, and the dump looks fine to me, i.e. filenames readable, copyright message, etc.

Hi,
Can we have a little screenshot of your dump.bin created with the Infectus chip?
Thanks.

hello
Arakon
« Reply #18 on: April 28, 2007, 05:50:48 AM »

http://arakon.dyndns.org/4532dump.jpg
Cpasjuste
« Reply #19 on: April 28, 2007, 06:04:43 AM »

Arakon, I think that there is no problem at all; you may have just done a bad flash. Did you solder the GND? If not, you MUST solder it so you will have 100% success.