How To: Dumping 1BL & Fuse Data from Linux

[Kiss]

So someone have an working 32Bit code for the Xenon May 8 release ?

[do0my]

I have dumped the 1BL (initial boot loader, 32k) and disassemble the rom data using ida pro. however, I am a newbie of powerpc assemble code, so I will really appreciate it if anyone here can tell me the 1BL key offset in the rom data.

Hmmm. Not sure if that's allowed. And it's definitely cheating But a hint should be okay.

start at sub_4240 and remember that encrypted data is at 0x8000_0200_C800_0000 and destination of unencrypted data is 0x8000_0200_0001_0000 and key is 0x10 bytes long. %rtoc is 0. Don't get sidetracked digging too deeply into each and every bl off sub_4240.

Thanks a lot for your hints. just figured out the key. now I have 1BL key, fuse data and flash dump. However, I got the dump using linux, so flash dump tool will crask because of the lack of ECC data in the flash dump file. Is there a tool to add ECC data to this file?

Yes, there is a tool to add ECC data to this file, although the algorithm used to add the ECC bytes used by this tool isn't the exact one used by the Xbox 360.  I wouldn't advise you to flash a dump with ECC bits added from this tool, unless you have a surefire way of recovering.

In other words, as of now, until the ECC algorithm is completely figured out, Infectus or bust.

[do0my]

Yes, the tool I am referring to is Probutus' NAND tools (specifically crc32.exe)

It says in the Readme that it indeed does use Dr. Matrix's altorithm for adding ECC bytes.

By the way, I solved my compiler errors by adding ULL to the end of the ioremap address.

Code:

int main(int argc, char **argv)
{
volatile unsigned long long *r = ioremap(0x20000020000ULL, 0x10000);
int i;
for (i=0; i<0x10; ++i)
printf("%08x: %016llx\n", i, r[i*0x200/8]);
}

[jacksback]

Not too sure if this will work as I'm currently away on business and don't have time to test it on my Xbox 360. I have compiled readfuses on a 32 and 64 bit Linux system and uploaded the binaries to rapidshare.

Anyone care to try it out and let me know if it works?

http://rapidshare.com/files/38433540/readfuses.rar.html

Thanks

[do0my]

I can't get either one of those binaries to execute.

Sorry.

And can someone verify the code for fuse dumping in my previous post?  I'd really appreciate it if I knew that the fuse values I have are valid.

Thanks.

[Kiss]

Not too sure if this will work as I'm currently away on business and don't have time to test it on my Xbox 360. I have compiled readfuses on a 32 and 64 bit Linux system and uploaded the binaries to rapidshare.

Anyone care to try it out and let me know if it works?

http://rapidshare.com/files/38433540/readfuses.rar.html

Thanks

I think you compiled it for x86 but for the xbox we need it for ppc

[TheSpecialist]

Not too sure if this will work as I'm currently away on business and don't have time to test it on my Xbox 360. I have compiled readfuses on a 32 and 64 bit Linux system and uploaded the binaries to rapidshare.

Anyone care to try it out and let me know if it works?

http://rapidshare.com/files/38433540/readfuses.rar.html

Thanks

I think you compiled it for x86 but for the xbox we need it for ppc

LOL, it's compiled for x86 indeed. What's all this fuzz about dumping the fuses anyway, the XELL loader does this for you, why would you want to do it from linux ?

[sentinel0]

I don't have a serial cable yet.  So is there away with xell to still get the fuse set?  MY understanding was that xell outputed the fuse set through the terminal.  Does it display that info on the screen instead?

[jacksback]

Not too sure if this will work as I'm currently away on business and don't have time to test it on my Xbox 360. I have compiled readfuses on a 32 and 64 bit Linux system and uploaded the binaries to rapidshare.

Anyone care to try it out and let me know if it works?

http://rapidshare.com/files/38433540/readfuses.rar.html

Thanks

I think you compiled it for x86 but for the xbox we need it for ppc

My Bad 

I had a friend compile it for me and didn't realise he did it on an x86

I'll find out if he can do it on ppc

Thanks for trying anyway

[jacksback]

LOL, it's compiled for x86 indeed. What's all this fuzz about dumping the fuses anyway, the XELL loader does this for you, why would you want to do it from linux ?

I had problems compiling it on my Xbox 360 running Unbuntu Linux. I was told it was because I was running 32bit Linux so I asked a friend of mine to compile it on both 32 and 64 bit platforms. I don't have the serial adaptor in my 360 so there is no otherway for me to get my fuse data

[TheSpecialist]

LOL, it's compiled for x86 indeed. What's all this fuzz about dumping the fuses anyway, the XELL loader does this for you, why would you want to do it from linux ?

I had problems compiling it on my Xbox 360 running Unbuntu Linux. I was told it was because I was running 32bit Linux so I asked a friend of mine to compile it on both 32 and 64 bit platforms. I don't have the serial adaptor in my 360 so there is no otherway for me to get my fuse data

It doesn't matter on which platform you compile, but it matters FOR which platforn you compile. Here's a x86 compiler, that compiles for powerpc-elf, 64 bit, try that: http://www.macraigor.com/cgi_bin/counters/unicounter.pl?name=counters/gnu_win_ppc&deliver=http://www.ocdemon.com/gnutools-powerpc-elf-2.05.exe (it will need the cygwin1.dll, so you either need to install cygwin or just d/l the dll)

[Kiss]

LOL, it's compiled for x86 indeed. What's all this fuzz about dumping the fuses anyway, the XELL loader does this for you, why would you want to do it from linux ?

First prob is me dont have an MAX2323 at home so it would be great to have an way to read it from linux and the 2nd smaller prob ist that my mainpc dont have an serial port at all

[sentinel0]

The max3232 you can get free as samples from a couple different places but the missing serial port kinda sol.  I heard some people had success with a cell phone data cable in the usb serial cable thread.

[jacksback]

It doesn't matter on which platform you compile, but it matters FOR which platforn you compile. Here's a x86 compiler, that compiles for powerpc-elf, 64 bit, try that: http://www.macraigor.com/cgi_bin/counters/unicounter.pl?name=counters/gnu_win_ppc&deliver=http://www.ocdemon.com/gnutools-powerpc-elf-2.05.exe (it will need the cygwin1.dll, so you either need to install cygwin or just d/l the dll)

Thanks Specialist

I'll give it a try when I get back from my business trip

[Anaki]

Hmm, could some linux guru please clear something up for me plz?

linux is new to me,

This code (above) is for 64bit linux, this is different i assume than a live cd with a 64 bit toolchain? - being the one i downloaded, the very same one that this code doesn't work on.

so i thought to myself, ok, i'll try and build my own live cd 64 bit version

I have looked around for versions of ubuntu, but it only seems to come in 3 flavours, x86, 64 bit( amd ) and powerpc mac, - which has left me utterly confused, i assume the version on this live cd is the powerpc version to run on the 360, why isn't it 64 bit?

Could this also be why linux crashes when i try to dump my NAND? ( only lets me dump 13mb of the 16mb flash, if i try to dump the full 16mb everything locks up after it reaches 0xc8dxxxxx )

I am trying to learn,but something keeps throwing a curve ball at me

Regards

Anaki

[sentinel0]

The code above is for 64bit PPC -powerpc linux.  The ppc is the type of cpu in the 360.  Man I'm tired.

[Anaki]

The code above is for 64bit PPC -powerpc linux.  The ppc is the type of cpu in the 360.  Man I'm tired.

Thanks sentinel, i assumed the live cd was the ppc version? since it has to be to run with the xbox cpu? i don't really understand why i cant use things like mmap64?

unless the compiler on the livecd is 32bit? in which case,

http://linux.softpedia.com/get/System/Operating-Systems/Linux-Distributions/Free60-Gentoo-LiveCD-Xenon-27739.shtml

i dont understand where it says "It also offers an entire 64-bit PowerPC compiler toolchain for developers"

This is what is confusing me tbh

[stonersmurf]

Anaki the livecd is 32bit, I am not sure why they mentioned it offers 64-bit PPC compiler.

[Anaki]

Hi stonesmurf thanks for your reply it maks sense now

im currently installing to the hdd, hopefully for an easier life! 

[arnezami]

Hello guys .

I've bought an xbox 360 this week and am quite busy with it...

For those that use the live cd and want a dumper I modified the (64-bit) dumper posted here and made it into a 32-bit dumper. With the help of xt5 it also dumps the NAND and 1BL. It reads the fuses using the inline assembly given by tmbinc.

Here is the source: http://rs24.rapidshare.com/files/39038437/dump32.c.html
And here is the binary: http://rs24.rapidshare.com/files/39038675/dump32.html

This should work when booted with the live cd. Easiest (and still safe) way is probably to connect your xbox to the internet after the king kong exploit has opened your drive and before you put in the linux bootdisc. That way you will have internet access and can simply download the files from here. Putting them in for example the /home/gentoo dir and using Ctrl-Alt-f1 and executing it should do the trick. Ctrl-Alt-f7 to go back and upload the files to wherever you want. But you could use an usb-stick or something aswell of course.

I have these fuse settings:

Code:

00: c0ffffffffffffff
01: 0f0f0f0f0f0f0ff0
02: 0f00000000000000
03: xxxxxxxxxxxxxxxx
04: xxxxxxxxxxxxxxxx
05: yyyyyyyyyyyyyyyy
06: yyyyyyyyyyyyyyyy
07: 0000000000000000
08: 0000000000000000
09: 0000000000000000
0a: 0000000000000000
0b: 0000000000000000

The fuses 3/5 combined and 4/6 combined seem to contain the same 16 byte (unique) key. Values I get from positions 0c and higher only have ff's in them so they don't appear to be fuses (I believe this was also said somewhere).

Can somebody verify it is working correctly? That would be great .

Regards,

arnezami