You are viewing our Forum Archives. To view or take place in current topics click here.
The new 14717 update Y RGH still works for Slim but no phat
Posted:
Status: Offline
Joined: Dec 27, 2010 (13 Year Member)
Posts: 85
Reputation Power: 3
This is what I have read from all over the place, and I thought I would sum it all up here, so here goes.
The new update 2.0.14717.0 updates the CB of the Phats and the dual CB of the Slim, also blowing an efuse which updates the CB LDV. These new CBs have the POST disabled; for the RGH to work, the CPLD has to know the Xbox's current POST. This is because the CPLD uses the POST so it can time the glitch correctly and reset the CPU at the correct time, plus know when the console has restarted. This is so that if the glitch fails, the CPLD will know when to try and glitch again.
So why do slims still work
This is because the slim has a dual CB, CB_A and CB_B; this is different to the Phat consoles, which only have CB. (But some Phats have dual CBs as well, so I will come back to that in a bit; this is for the slim.)
Now what is the CB anyway, and why are we glitching it for the RGH? The CB is a boot loader that is encrypted with the 1BL key, so we don't need the CPU key to decrypt it, but it is still signed by the private key so we can't just go and edit it to do what we want. There is not much information on this boot loader apart from that it is stored in the NAND and it checks, decrypts, then loads the next boot loader, which for Phats is CD and for slims is CB_B.
Now because the slims changed the boot chain and added an extra boot loader by splitting the CB into two parts, they gave us a place in the boot chain to glitch that has a boot loader that is writable: because it's stored in the NAND it can be decrypted with the 1BL key, which they didn't change even though they know that we still have it from the last exploit. Also, it now doesn't have a Lock Down Value because it has been moved to CB_B, so it doesn't matter what the efuse values are; this boot loader will always load. This is why the RGH is not patchable, on Trinity boards at least.
Now for the slim RGH we glitch the CB_A check of the CB_B SHA hash to return true when the hash is wrong, because we have a patched CB_B. This CB_B has been patched so we can run our own CD, which loads the CE, which is the base kernel and hypervisor, so we can do anything from there. So to sum up, you can just go and update the slims to the newest dash; it doesn't matter. All you will have to do is change the CF Lock Down Value, because even in the hacked kernel it still has to match fuse line 7.
So why do Phats get patched
Because the Phats only have the CB boot loader, which does have a Lock Down Value, they can't still run the old 6750 CB. Now we can still edit the CB because it is stored in the NAND; we do it for the RGH anyway by making the CB zero-paired, so we can use a modified SMC image. But doing this doesn't break the signature; if we edited the LDV to match the new CB LDV, it would break the signature. So the old 6750 CB won't run anymore because the Lock Down Value isn't going to match fuse line 2 anymore, because it was updated when the efuse was blown. And if we run the new CB that matches the efuses, POST is disabled.
Now for Phat dual CBs, there is the 6751 and the 6752 CB. There isn't much information on these CBs and I have never had a console with one, so I haven't seen or looked at them, but there are some reports of some Xboxes with the 6751 CB being downgraded to the 6750 CB and glitching. So that means the LDV wasn't updated for the 6751 CB and it is the same as the 6750 CB, but there aren't any reports of the 6752 being downgraded to the 6750 CB. But anyway, the dual CB for Phats would have been updated as well. Hell, the new CB on all the Phats could be dual now; I haven't seen one, only read that the POST has been disabled. (Will update when I get more information on this.)
But it isn't over for Phats
Gligli said himself that apparently CB 9188 can run on fats, so we could still glitch the Phats using the slim's dual CB. Plus the glitch would work better on the Phats because we wouldn't have to use the HANA to slow down the CPU; we can use CPU_PLL_BYPASS, which slows the CPU more than the HANA PLLs can. And the slower the CPU, the better the CPLD can time the glitch and reset the CPU. So we will just have to wait and see what happens for Phats.
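As an added illustration (not code from the post, and not real Xbox 360 firmware), here is a small Python model of the two checks the post leans on: the Lock Down Value compared against a fuse line, and the SHA hash each stage checks on its successor. The loader names and fuse line numbers are the post's; the loader bodies, fuse counts and all function names are constructed assumptions.

```python
import hashlib
# Added toy model (not real Xbox 360 code) of the two checks the post relies on:
# a loader's Lock Down Value (LDV) must equal the blown-bit count on its fuse
# line, and each stage checks the SHA-1 of the next loader before handing over.
# Loader names and fuse lines follow the post; bodies and fuse counts are constructed.

def make_loader(name, body, fuse_line=None, ldv=None):
    """fuse_line/ldv stay None for a stage with no LDV (the slim's CB_A);
    'sha' stands in for the loader's signed hash, 'next_sha' for the one it carries."""
    return {"name": name, "fuse_line": fuse_line, "ldv": ldv,
            "sha": hashlib.sha1(body).hexdigest(), "next_sha": None}

def link(chain):
    """Embed in each stage the hash it expects of its successor; returns the chain."""
    for prev, nxt in zip(chain, chain[1:]):
        prev["next_sha"] = nxt["sha"]
    return chain

def ldv_ok(loader, fuses):
    """Anti-rollback: refuse a loader whose fuse line has more bits blown than its LDV records."""
    return loader["fuse_line"] is None or loader["ldv"] == fuses[loader["fuse_line"]]

def run_chain(chain, fuses):
    """Walk the chain in order; return (names loaded, why it stopped)."""
    loaded = []
    for i, loader in enumerate(chain):
        if i and chain[i - 1]["next_sha"] != loader["sha"]:
            return loaded, f"{chain[i - 1]['name']} rejected {loader['name']}: hash mismatch"
        if not ldv_ok(loader, fuses):
            return loaded, f"{loader['name']} rejected: LDV {loader['ldv']} != fuse line {loader['fuse_line']}"
        loaded.append(loader["name"])
    return loaded, "chain complete"

FUSES_BEFORE = {2: 2, 7: 3}   # constructed: line 2 binds the CB LDV, line 7 the CF LDV
FUSES_AFTER = {2: 3, 7: 3}    # the update blew one more bit on line 2; fuses only grow
PHAT = link([make_loader("CB_6750", b"phat cb", 2, 2), make_loader("CD", b"phat cd")])
SLIM = link([make_loader("CB_A", b"slim cb_a"),            # no LDV on CB_A at all
             make_loader("CB_B", b"slim cb_b", 2, 3),      # LDV moved down to CB_B
             make_loader("CD", b"slim cd"), make_loader("CE", b"slim ce")])

def phat_after_update():
    """The old 6750 CB no longer matches fuse line 2, so nothing loads."""
    return run_chain(PHAT, FUSES_AFTER)

def slim_after_update():
    """CB_A has no LDV to compare, so it loads whatever the fuses say."""
    return run_chain(SLIM, FUSES_AFTER)

def slim_with_altered_cb_b():
    """CB_A keeps its signed expected hash, so a modified CB_B is refused at the compare."""
    altered = [SLIM[0], make_loader("CB_B", b"altered cb_b", 2, 3)] + SLIM[2:]
    return run_chain(altered, FUSES_AFTER)
```

The last scenario is the check the post says the slim RGH glitches; in this model it is enforced, so the chain stops right after CB_A.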
#2. Posted:
Status: Offline
Joined: Dec 27, 2010 (13 Year Member)
Posts: 85
Reputation Power: 3
No one even going to post? Come on, this took me a while to write. Word Count 853
- 0 useful
- 0 not useful
#3. Posted:
Status: Offline
Joined: Feb 06, 2011 (13 Year Member)
Posts: 383
Reputation Power: 18
Wait, you're saying if I just update my RGH slim, I will still have RGH functionality?
- 0 useful
- 0 not useful