XboxHacker BBS

Author Topic: 360 Flash Dump Tool V0.1

atiman

  • Hacker
  • Posts: 86
Re: 360 Flash Dump Tool V0.1
« Reply #120 on: September 01, 2007, 12:29:48 PM »

Flash dump tool is not open source, thus only Robinsod can help you but he already said that usually, if it crashes it's because keys are wrong.

What is sure is that the software dump (command 3) is great, because I don't think it can be wrong. And if you can dump by hardware too, you can compare both. But since you removed the NAND, it may be too late to get that software dump. That might have been interesting, to be sure that the dump is 100% correct.

About bad sectors, I don't know. I'm really just at the beginning of the understanding path (1bl)...

The more logical thing is to consider that your 1bl key is wrong.

What robinsod can do is add verifications to warn that a key is wrong and avoid nasty crashes... but not more I guess.
« Last Edit: September 01, 2007, 12:31:35 PM by atiman »
Logged

TSX1

  • Hacker
  • Posts: 94
Re: 360 Flash Dump Tool V0.1
« Reply #121 on: September 01, 2007, 12:47:00 PM »

Thanks a lot 'atiman'  :)
Hopefully, I didn't erase my NAND! It's unsoldered now. If you think it will help, I can resolder it to the mainboard and then run the program you've mentioned, but I need some help on running that program on Linux because I don't have much experience in Linux. If you can point me in the right direction then maybe I can dump the firmware by software and then compare it to my NAND dump and see what the differences are.
Again, thank you and all the people on XBOXHACKER.NET  ;)
Logged

atiman

  • Hacker
  • Posts: 86
Re: 360 Flash Dump Tool V0.1
« Reply #122 on: September 01, 2007, 12:59:23 PM »

Logged

TSX1

  • Hacker
  • Posts: 94
Re: 360 Flash Dump Tool V0.1
« Reply #123 on: September 01, 2007, 02:51:33 PM »

To 'atiman':
I read the topic you linked before, and I used DUMP32 to get my FUSES.txt and 1BL.BIN and other files.
But I want to know how I can use the software you mentioned?

To 'robinsod':
Is it possible that the 1BL.bin obtained from DUMP32 is incorrect?
Because I extracted the 1BL key from 1BL.bin.
And another problem is this:
When I'm using Flash Dump Tool with NAND.bin (obtained from DUMP32) and my CPU key, and then extract KV.bin (without entering the 1BL key), the result seems to be correct (I check KV.bin and the offsets for region and DVD key are correct)
BUT
when I'm using Flash Dump Tool with the NAND dump (obtained from the programmer) with the same CPU key, and extract KV.bin, the result seems incorrect! Because the resulting KV.bin is completely different from the previous one.
What can be the problem here?

Thanks
Logged

atiman

  • Hacker
  • Posts: 86
Re: 360 Flash Dump Tool V0.1
« Reply #124 on: September 01, 2007, 05:09:09 PM »

Dump32 creates a shorter dump that can't be compared with a dump made by hardware (512 bytes per sector, 32768 sectors).

Go back to the guide, there is a reference to tmbinc's software dumper. Follow the link, get the source, replace 2 with 3 in the source, then get the dump you can compare with the one you obtained the hardware way (512+16 bytes per sector). If you get statuses with command 3, they are bad sector reports. Write them down, that can help to understand malfunctions of tools. Command 2 won't dump bad sectors if they exist, so that's why its dump is not good for reflashing or comparing. Command 2 can issue statuses that are reports of unused/blank sectors (often located at the end of the NAND).

I don't think you can obtain a bad 1bl.bin file...

If the dump made with command 3 matches the hardware dump and the CPU key is good, then recheck if you understood what the 1bl.key is.

Logged

robinsod

  • Global Moderator
  • Xbox Hacker
  • Posts: 648
  • Perl packed my shorts during global destruction
Re: 360 Flash Dump Tool V0.1
« Reply #125 on: September 02, 2007, 01:04:15 AM »

Quote
to 'robinsod' :
Is this possible that 1BL.bin obtained from DUMP32 to be incorrect ?
Because I extracted 1BL key from 1BL.bin.

If you have the correct 1BL key then the flash should decrypt; if you have got it wrong, odds are the tool will crash ;) I haven't looked at DUMP32 but given who the author is I can't imagine the output is wrong :) Have you verified the key you are using (i.e. PM it to me and I will check)?

Quote
And another problem is this:
when I'm using Flash Dump Tool with NAND.bin (obtained from DUMP32) and my cpu key, and then extract KV.bin (without entering 1BL key), the result seems to be correct (I check KV.bin and offsets for region and dvd key are correct)
BUT
when I'm using Flash Dump Tool with NAND dump (obtained from programmer) with the same cpu key, and extract KV.bin, the result seems incorrect! because the resulting KV.bin is completely different from the previous one.
what can be the problem here ?

I suggest that you do a "binary diff" of the two dumps and verify that they are the same. If KV decrypts correctly then you have the correct CPU key, and that means only the dump can be bad.

It looks like there are "several" boxes out there with bad blocks in the flash. I think it's time to add bad block support, I have one dump with a bad block, anyone got another?

BTW: I had a French guy asking a number of questions last week; it turns out he has been writing some tutorials (in French), maybe they will help some people:

http://gueux-forum.net/index.php?showtopic=167103

http://gueux-forum.net/index.php?showtopic=166901

http://gueux-forum.net/index.php?showtopic=166806
Logged

zouzzz

  • Master Hacker
  • Posts: 326
Re: 360 Flash Dump Tool V0.1
« Reply #126 on: September 02, 2007, 01:23:00 AM »

Quote
BTW: I had a French guy asking a number of questions last week, turns out he has been writing some tutorials (in French) maybe they will help some people:

http://gueux-forum.net/index.php?showtopic=167103

http://gueux-forum.net/index.php?showtopic=166901

http://gueux-forum.net/index.php?showtopic=166806
I'm the French guy. If you have some questions, ask me by PM, email, or in the gueux-forum... But I'm not a big pro :-)
Sorry for my English.
Have a nice day.
Logged

atiman

  • Hacker
  • Posts: 86
Re: 360 Flash Dump Tool V0.1
« Reply #127 on: September 02, 2007, 02:40:27 AM »

zouzzz, your tutorial says that the "short" dump made by dump32.c (32768*512 bytes) can be edited and re-used to flash with Infectus...
But Infectus itself creates "large" dumps (32768*(512+16) bytes).
Can you confirm Infectus programmer is "intelligent" enough to just use a "short" dump, or is it a mistake in your tutorial? Thanks.
Logged

zouzzz

  • Master Hacker
  • Posts: 326
Re: 360 Flash Dump Tool V0.1
« Reply #128 on: September 02, 2007, 03:20:19 AM »

Yes, I have used the NAND taken with my Infectus and not with the dump32.c

The nand.bin with Infectus: 16.5 MB (17,301,504 bytes)
And
The nand.bin with the dump32.c: 16.0 MB (16,777,216 bytes)

I will edit my tutorial.
Logged
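The posts above (Replies #124, #125 and #128) give enough of the dump layout to write the comparison robinsod suggests: 32768 sectors, 512 data bytes each, plus 16 spare bytes per sector in a programmer (Infectus) dump, which is why the two files come out at 17,301,504 and 16,777,216 bytes. The script below is an added example, not a tool from this thread or from robinsod, tmbinc or ivc. It classifies a dump by size, strips the 16 spare bytes from each sector of a large dump so it can be compared byte-for-byte with a short one, lists sectors that are entirely 0xFF (erased/unused flash, the "blank sectors" command 2 reports), and reports which sectors differ. The sample sectors at the bottom are constructed; the 512/16/32768 numbers come from the posts.

```python
"""Compare a 'large' NAND dump (512+16 bytes per sector) with a 'short' one
(512 bytes per sector).  Added example; the layout constants are the ones
quoted in the thread, everything else is an assumption for illustration."""

SECTOR_DATA = 512        # user data bytes per sector (thread: 512)
SECTOR_SPARE = 16        # spare/ECC bytes per sector in a programmer dump (thread: +16)
SECTOR_COUNT = 32768     # sectors in the 16 MiB flash (thread: 32768)

SHORT_SIZE = SECTOR_DATA * SECTOR_COUNT                    # 16,777,216 bytes
LARGE_SIZE = (SECTOR_DATA + SECTOR_SPARE) * SECTOR_COUNT   # 17,301,504 bytes


def classify_dump(size: int) -> str:
    """Tell the two dump flavours apart purely by file size."""
    if size == SHORT_SIZE:
        return "short"   # dump32.c style: data only
    if size == LARGE_SIZE:
        return "large"   # programmer style: data + spare per sector
    return "unknown"


def build_large_dump(sectors: list, spare: bytes = b"\x00" * SECTOR_SPARE) -> bytes:
    """Construct a large-format dump from 512-byte sectors (for test data only)."""
    for s in sectors:
        if len(s) != SECTOR_DATA:
            raise ValueError("every sector must be exactly 512 bytes")
    if len(spare) != SECTOR_SPARE:
        raise ValueError("spare area must be exactly 16 bytes")
    return b"".join(s + spare for s in sectors)


def strip_spare(large: bytes) -> bytes:
    """Drop the 16 spare bytes that follow each 512-byte data block."""
    stride = SECTOR_DATA + SECTOR_SPARE
    if len(large) % stride:
        raise ValueError("length is not a whole number of 528-byte sectors")
    return b"".join(large[i:i + SECTOR_DATA] for i in range(0, len(large), stride))


def blank_sectors(short: bytes) -> list:
    """Indices of sectors whose data is entirely 0xFF (erased / unused flash)."""
    if len(short) % SECTOR_DATA:
        raise ValueError("length is not a whole number of 512-byte sectors")
    erased = b"\xff" * SECTOR_DATA
    return [i for i in range(len(short) // SECTOR_DATA)
            if short[i * SECTOR_DATA:(i + 1) * SECTOR_DATA] == erased]


def diff_sectors(a: bytes, b: bytes) -> list:
    """Indices of 512-byte sectors that differ between two short-format dumps."""
    if len(a) != len(b):
        raise ValueError("dumps differ in length; strip spare bytes first")
    return [i for i in range(len(a) // SECTOR_DATA)
            if a[i * SECTOR_DATA:(i + 1) * SECTOR_DATA]
            != b[i * SECTOR_DATA:(i + 1) * SECTOR_DATA]]


def compare_dumps(large: bytes, short: bytes) -> dict:
    """Normalise a large dump to short format and summarise how it compares."""
    normalised = strip_spare(large)
    return {
        "large_kind": classify_dump(len(large)),
        "short_kind": classify_dump(len(short)),
        "differing_sectors": diff_sectors(normalised, short),
        "blank_sectors": blank_sectors(normalised),
    }


if __name__ == "__main__":
    # Constructed sample: four distinct data sectors plus one erased sector.
    sample = [bytes([i]) * SECTOR_DATA for i in range(4)] + [b"\xff" * SECTOR_DATA]
    programmer_dump = build_large_dump(sample)          # what Infectus would give
    software_dump = b"".join(sample)                    # what dump32.c would give
    # Corrupt one sector of the software dump to show the diff being reported.
    damaged = software_dump[:4 * SECTOR_DATA] + b"\x00" * SECTOR_DATA
    print("real files would be", SHORT_SIZE, "and", LARGE_SIZE, "bytes")
    print(compare_dumps(programmer_dump, software_dump))
    print(compare_dumps(programmer_dump, damaged))
```

Run it against real files by reading both dumps with `open(path, "rb").read()` and passing them to `compare_dumps`; a list of differing sectors that is not empty points at the dump (or a bad block) rather than at the keys, which is the conclusion robinsod draws above.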

atiman

  • Hacker
  • Posts: 86
Re: 360 Flash Dump Tool V0.1
« Reply #129 on: September 02, 2007, 03:31:29 AM »

Zouzzz, you should try the tmbinc software dumper with command 3, it will give a dump re-usable by Infectus (I really think the "short" nand.bin dumped by dump32.c is a bit obsolete now) and you can check it's the same as the dump created by Infectus.

About Flash Dump Tool 0.81, I got a crash the first time I launched it with the 1bl key written in it. Maybe it was because an old CxKey.txt file was there with zeroes for the 1bl key. Normally CxKey.txt is not needed. I think there is really a glitch in the v0.81 code that creates a crash the first time. The second time you launch it, the crash never happens again. So a first crash doesn't reveal anything (whether keys or dumps are good or bad). You have to launch it several times (put the 1Bl key in CxKey.txt, then relaunch, then delete CxKey.txt, then relaunch, etc...).
After some time it shouldn't crash anymore.

Logged

zouzzz

  • Master Hacker
  • Posts: 326
Re: 360 Flash Dump Tool V0.1
« Reply #130 on: September 02, 2007, 03:36:29 AM »

Quote
Zouzzz, you should try the tmbinc software dumper with command 3, it will give a dump re-usable by infectus (I really think the "short" nand.bin dumped by dump32.c is a bit obsolete now) and you can check it's the same as the dump created by Infectus.
Ok, but where is the tmbinc software dumper? Please.
Logged

atiman

  • Hacker
  • Posts: 86
Re: 360 Flash Dump Tool V0.1
« Reply #131 on: September 02, 2007, 03:56:39 AM »

/finger
http://www.xboxhacker.net/index.php?topic=7290.20

For the record (since I can now finally play with flash dump tool + 1bl key...):

4532:
Patch 0 4532 LDV 1
Patch 1 2858 LDV 0

5759:
Patch 0 4532 LDV 1
Patch 1 5759 LDV 2

(LDV is important to me, because I've decided to keep resistor R6T3 in place)
Logged

atiman

  • Hacker
  • Posts: 86
Re: 360 Flash Dump Tool V0.1
« Reply #132 on: September 02, 2007, 04:52:04 AM »

Great news!

I could downgrade from 5759 (spring update) to 4532 with R6T3 in place!
Robinsod, you are a god!

Edited 4532 image with LDV=2 and reflashed. Worked like a charm!

I could launch the Gentoo live CD again.

fuseset 07: f000000000000000
became
fuseset 07: ff00000000000000

I noticed something:
The X: nnnn-nnnn-nnnn-nnnn
at the end of system information has changed...
Dunno what this implies...
Logged

TSX1

  • Hacker
  • Posts: 94
Re: 360 Flash Dump Tool V0.1
« Reply #133 on: September 02, 2007, 07:56:23 AM »

I opened the NAND file dumped by the programmer and then went to offset FFFFF0 (where the NAND.bin dumped by DUMP32 ends). I checked all the offsets after FFFFF0 and all were FF. I removed all the offsets after FFFFF0 and then saved the file and opened it with Flash Dump Tool, and it opened without problem! (With CPU key and 1BL key set in the program.) But because I didn't have ECC data I couldn't use the Patch button.
Now I want to know, what can I do? What's the problem with those FF offsets causing Flash Dump Tool to crash?
Is there any way to use the Patch button without ECC data?
Thanks
Logged

atiman

  • Hacker
  • Posts: 86
Re: 360 Flash Dump Tool V0.1
« Reply #134 on: September 02, 2007, 12:20:45 PM »

You really should get that software dump with tmbinc's program (command 3).
It will reveal so many things.

About the X: change noticed when you reflash 4532 with LDV 2, it seems that X: is the hardware signature, calculated from different signatures, and I guess that "theoretical efuse values minus current efuse values" are part of it.

I say that because I reflashed 5759 (LDV 2) and X: is now equal again to the value I could read when my kernel was 4532 with LDV 1.

If X: is written down by a Live server and any change is considered cheating, I bet it will bring an immediate ban. However I'm not a Live subscriber and I don't plan to be, so this problem doesn't concern me. But for people wanting to play with fire and swap firmwares while playing on Live, survey X:!


Logged

arnezami

  • Master Hacker
  • Posts: 214
Re: 360 Flash Dump Tool V0.1
« Reply #135 on: September 02, 2007, 04:01:12 PM »

Quote
Great news!

I could downgrade from 5759 (spring update) to 4532 with R6T3 in place!
Robinsod, you are a god!

Edited 4532 image with LDV=2 and reflashed. Worked like a charm!

I guess the real question on many people's minds is whether you can do the same for the latest "guitar" update... ;)

arnezami
« Last Edit: September 02, 2007, 04:02:48 PM by arnezami »
Logged

ivc

  • Member
  • Posts: 38
Re: 360 Flash Dump Tool V0.1
« Reply #136 on: September 02, 2007, 08:24:47 PM »

Quote
I guess the real question on many people's minds is whether you can do the same for the latest "guitar" update... ;)

Yes, I did a test yesterday on a machine with the R6T3 resistor in place. I updated from 4543 (LVD 1) -> 4548 (LVD increased to 2) -> 4552 (LVD increased to 3) -> 5759 (LVD increased to 4) -> 5766 (LVD increased to 5), and dumped the nand flash for each update using the Infectus flasher.

I then used the 360 Flash Dump Tool 0.6 with 1BL Key set to change the 4543 dump to have LVD 5 and it booted fine! I did the same for all of the other dumps, 4548, 4552, and 5759, and they all booted when the LVD was changed to match the LVD of 5766 / fuseline 4.

Btw, I made a package of the tmbincdump source code (with atiman's updates) and a Linux binary for both the read2 (read NAND as is, ignore sector status) and read3 (read NAND, but skip bad sectors) commands. Download it here.  View tmbinc's original post and atiman's updated tmbincdump code here.

ivc
« Last Edit: September 02, 2007, 08:30:58 PM by ivc »
Logged

arnezami

  • Master Hacker
  • Posts: 214
Re: 360 Flash Dump Tool V0.1
« Reply #137 on: September 03, 2007, 12:09:21 AM »

Great testing ivc :).
Logged

BurnOmatic

  • Master Hacker
  • Posts: 197
  • Administrator
Re: 360 Flash Dump Tool V0.1
« Reply #138 on: September 03, 2007, 01:09:08 AM »

So my question is, will there ever be a one-button solution to be able to downgrade the kernels, or is it a pure step-by-step solution?
Logged

uberfry

  • Xbox Hacker
  • Posts: 862
Re: 360 Flash Dump Tool V0.1
« Reply #139 on: September 03, 2007, 01:41:30 AM »

BurnOmatic: soon enough there will be the Deeznutz solution to downgrade all kernels by measuring the time that the value 0x21 is shown on the post bus
Logged