tmbinc
« Reply #40 on: July 10, 2007, 08:26:37 AM »

The keyvault isn't signed per se. However, there is an *optional* signing of kv[4..0xd7]+kv[0x1fc7..0x1ddf]+kv[0x2108..0x3fe7] (all counted from offset 0x18). The hash, signed with the mighty master 'PIRS' key, is stored at 0x1DF8 (in kv).
However, keyvaults I've seen don't have this signature. I believe it's something added later.
Please don't copy/quote full text outside this board. Instead, summarize and link to this post. Thanks! This lets me keep information updated and doesn't pull things out of context.

SeventhSon
« Reply #41 on: July 15, 2007, 02:35:21 PM »

All this can be confirmed if we are able to change one bit (e.g. in an unused part filled with 00's), re-encrypt it and flash it.
I successfully changed the DVD key and region code of a 360. So it's all confirmed.
P.S. Code to re-encrypt a modified KV will be around soon. It involves nothing that hasn't already been posted in this thread, but will be a convenient way for hackers to play around with the KV contents.
« Last Edit: July 15, 2007, 02:46:46 PM by SeventhSon »

arnezami
« Reply #42 on: July 15, 2007, 03:09:25 PM »

> All this can be confirmed if we are able to change one bit (e.g. in an unused part filled with 00's), re-encrypt it and flash it.
> I successfully changed the DVD key and region code of a 360. So it's all confirmed. P.S. Code to re-encrypt a modified KV will be around soon. It involves nothing that hasn't already been posted in this thread, but will be a convenient way for hackers to play around with the KV contents.

Cool.

oranginasprite
« Reply #43 on: July 15, 2007, 03:21:11 PM »

> All this can be confirmed if we are able to change one bit (e.g. in an unused part filled with 00's), re-encrypt it and flash it.
> I successfully changed the DVD key and region code of a 360. So it's all confirmed. P.S. Code to re-encrypt a modified KV will be around soon. It involves nothing that hasn't already been posted in this thread, but will be a convenient way for hackers to play around with the KV contents.

By saying this, do you mean that you can change, say, an EU 360 to look like a JP one and play JP Blue Dragon, for instance? If that is the case (and I think it is), then congratulations for reaching one of the long awaited symbolic landmarks (and one that will owe you and all the ones that deserve it a good chunk of fame on the Interwebs).

SeventhSon
« Reply #44 on: July 15, 2007, 03:36:22 PM »

> By saying this, do you mean that you can change, say, an EU 360 to look like a JP one and play JP Blue Dragon, for instance? If that is the case (and I think it is), then congratulations for reaching one of the long awaited symbolic landmarks (and one that will owe you and all the ones that deserve it a good chunk of fame on the Interwebs).

Yes, I think so, but I don't own any foreign games to test it. All I have done is change the code on my 360 from EU to US and seen that I get the "the region of this game does not match the region of the console" message when booting an EU game. Others should be testing properly soon though. So stay tuned.
As for landmarks and interweb fame: all I did towards this was to reverse the plaintext KV signature to figure out how to modify and resign the KV contents. And even this work was built on the efforts of other hackers. For example, I didn't locate the region code in the KV, and a lot of the SHA1 and RC4 encryption code was reversed and documented by others way before I started looking at it. *If* the region code tests are successful, then the following people contributed *much more* to this achievement than me: Takires, TheSpecialist, Robinsod, tmbinc. Direct praise thusly.
« Last Edit: July 15, 2007, 03:43:31 PM by SeventhSon »

oranginasprite
« Reply #45 on: July 15, 2007, 03:51:53 PM »

> By saying this, do you mean that you can change, say, an EU 360 to look like a JP one and play JP Blue Dragon, for instance? If that is the case (and I think it is), then congratulations for reaching one of the long awaited symbolic landmarks (and one that will owe you and all the ones that deserve it a good chunk of fame on the Interwebs).
> Yes, I think so, but I don't own any foreign games to test it. All I have done is change the code on my 360 from EU to US and seen that I get the "the region of this game does not match the region of the console" message when booting an EU game. Others should be testing properly soon though. So stay tuned. As for landmarks and interweb fame: all I did towards this was to reverse the KV signature and encryption to figure out how to modify the KV contents. And even this work was built on the efforts of other hackers. For example, I didn't locate the region code in the KV, and a lot of the SHA1 and RC4 encryption code was reversed and documented by others way before I started looking at it. If the region code tests are successful, then the following people contributed *more* to this achievement than me: Takires, TheSpecialist, Robinsod, tmbinc.

Well, do not be too modest. As you said, you are responsible for a fair amount of hacking, albeit, as you also said, this is the work of many that drove the 360 scene to where it is now. Long gone are the days where a lone hacker could defeat the security chip of the NINTENDO by lifting a pin. I am very thankful to every single hacker, no matter the extent of their achievement, as are all the self-respecting guys like me who roughly understand the complexity of what you are doing but are unable to replicate it.
[MY_LIFE] I am very thankful toward you in particular because you may have discovered what will allow me to bring my unpatched 360 with me when I move to Japan in September. [/MY_LIFE]
Well, sorry for the digression, just wanted to say thanks. No more ranting and post whoring.

TheSpecialist
« Reply #46 on: July 15, 2007, 04:08:14 PM »

> By saying this, do you mean that you can change, say, an EU 360 to look like a JP one and play JP Blue Dragon, for instance? If that is the case (and I think it is), then congratulations for reaching one of the long awaited symbolic landmarks (and one that will owe you and all the ones that deserve it a good chunk of fame on the Interwebs).
> Yes, I think so, but I don't own any foreign games to test it. All I have done is change the code on my 360 from EU to US and seen that I get the "the region of this game does not match the region of the console" message when booting an EU game. Others should be testing properly soon though. So stay tuned. As for landmarks and interweb fame: all I did towards this was to reverse the plaintext KV signature to figure out how to modify and resign the KV contents. And even this work was built on the efforts of other hackers. For example, I didn't locate the region code in the KV, and a lot of the SHA1 and RC4 encryption code was reversed and documented by others way before I started looking at it. *If* the region code tests are successful, then the following people contributed *much more* to this achievement than me: Takires, TheSpecialist, Robinsod, tmbinc. Direct praise thusly.

Well, this is exactly what I like about this forum. Everybody works together, sharing info and tools, just to help others. I'm glad you got back in the game, buddy, and my congratulations on your success!

robinsod
Global Moderator
Xbox Hacker
Posts: 646
Perl packed my shorts during global destruction
« Reply #47 on: July 15, 2007, 04:12:36 PM »

> Well, this is exactly what I like about this forum. Everybody works together, sharing info and tools, just to help others. I'm glad you got back in the game, buddy, and my congratulations on your success!

Seconded. What's next?

Anaki
« Reply #48 on: July 16, 2007, 09:52:13 AM »

Would be nice to work out what the "Unknown" keys are in the keyvault. Some data is repeated, such as kv 0xB6a - 0xC6a, which also appears in the kv @ 0x460 - 0x560. Also more data in the kv @ 0x9d8 - 0xa58, repeated at kv 0x290 - 0x310.

> 0x09B0 Manufacturing date etc 1A8 No

The above reference contains more than the manufacturing date: it contains the console's local public signing key, which I'm led to believe is signed somehow with the console ID by Microsoft's private key, so you cannot change it. No idea where the paired key is though, lol. The data in this block is also found in profile container files, byte for byte.
As someone already pointed out in this thread, some of the data in the keyvault is reversed hex of the 1st certificate from the kv (in 8 byte chunks). There are still many keys here which are not known (at least by me), and there seem to be quite a lot of 0x10 length entries; the only thing I can think of is that they are perhaps MD5 hashes? *shrugs*

Arakon
« Reply #49 on: July 17, 2007, 01:02:10 PM »

Tell me what is needed to change the region code and I will verify it. I have a US 360 with an Infectus installed here, and plenty of EU games.
I do NOT give support by email, PM, ICQ or whatever. Anyone annoying me that way will have his balls removed. With a rusty butterknife. Slowly. And I'll enjoy doing it.

SeventhSon
« Reply #50 on: July 17, 2007, 02:50:54 PM »

> Tell me what is needed to change the region code and I will verify it. I have a US 360 with an Infectus installed here, and plenty of EU games.

Edit: the following assumes you have the correct 1BL key and CPU key set in the flashtool.
1. Dump the NAND from the US 360 (528-bytes-per-page)
2. Open in the latest flashtool (v0.8) and click [extract]
3. Edit the extracted KV.bin and change the 16 bits at offset 0xB8 from 0x00FF to 0x02FE
4. Open in flashtool and click [patch], check the "patch keyvault" box and select the KV.bin modified in step 3
5. Click [OK] and choose the output file
6. Flash the output image back to the NAND of the US 360
7. Try an EU game or two.
Thanks man. PM or ask here if you need anything.
« Last Edit: July 17, 2007, 02:56:35 PM by SeventhSon »

Arakon
« Reply #51 on: July 17, 2007, 04:58:00 PM »

My USA 360 just booted a PAL (non-region-free) game. The region patching WORKS.

SeventhSon
« Reply #52 on: July 17, 2007, 05:36:05 PM »

I've split the discussion off into Xboxhacking - general. Please keep this thread for just technical details.
Game region hack discussion
« Last Edit: July 17, 2007, 05:41:14 PM by SeventhSon »

Arakon
« Reply #53 on: July 17, 2007, 07:10:30 PM »

Uh oh.. problem:
To test the "properness" of the region change, I updated using the Forza 2 PAL disk (worked fine) and then Flatout UC to 5xxx (the latest).. still working fine as a PAL system.
Then I flashed the US 4532 back, and got error 79 (according to llama.com that's the HD, but: no HDD attached!). I am flashing it again as we speak, and will also try a newer or older US kernel.
Edit: strange, this time it works fine. The only thing that may have an influence is that I forgot to erase the NAND first, but since the Infectus writes the entire NAND anyway, that shouldn't make a difference really. One thing I noticed is that the TV setting is changed to 480p each flash, but that's probably a setting that is stored in the NAND anyway and that's why it's back to that each time I flash.
« Last Edit: July 17, 2007, 07:14:47 PM by Arakon »

SeventhSon
« Reply #54 on: July 17, 2007, 07:31:38 PM »

I've had E79s with all sorts of flash corruption problems/experiments. The forgetting to erase will be why, I should think. Nice work. Nice results too.

Arakon
« Reply #55 on: July 17, 2007, 07:37:18 PM »

Odd how that would produce E79.. I thought a corrupted flash would always result in a dead box, but I guess the system doesn't check the entire NAND.

Geremia
« Reply #56 on: July 17, 2007, 07:57:54 PM »

> My USA 360 just booted a PAL (non-region-free) game. The region patching WORKS.

Does it also play region 2 DVDs? You can use DVD Shrink to produce a region 2 disk, which just sets region 2 in video_ts.ifo at offset 0x23; the console checks this for sure, even if the movie is not CSS protected.

Arakon
« Reply #57 on: July 17, 2007, 09:12:51 PM »

Just checked.. no, the DVD movie region is still 1, not 2.

tmbinc
« Reply #58 on: July 17, 2007, 09:33:32 PM »

E79 should be the error code if xam.xex could not be started, i.e. probably a file system corruption.
Don't trust published error code lists! Most of them are *totally* broken, incorrect and based on FUD (especially the ones trying to explain the RLOD errors.. but that's another topic). When in doubt, only trust your disassembler.

luxskywalker
Newbie
Posts: 1
« Reply #59 on: July 18, 2007, 04:06:37 PM »

Hello everybody,
Thanks for your great work. I don't speak English very well but I understand what you have realised here and it's very good. I hope you will win the war versus Microsoft.
Be sure all French are with you, especially gx-mod and all "gueux".
Good luck,
Lux.
Edit: Lucky Luke got himself banned, no more spam in the technical threads please. Robinsod
« Last Edit: July 18, 2007, 04:17:32 PM by robinsod »