how a xbox 360 booting security works
#1. Posted:
Status: Offline
Joined: Oct 24, 2010 (14-Year Member)
Posts: 46
Reputation Power: 1
Original Source: (external link)
System startup
TheSpecialist, Xboxhacker.net (post msg47935):
Starting from the beginning:
1. 1BL (the first bootloader, stored in ROM inside the CPU) is responsible for loading, decrypting and starting CB.
2. CB (2BL, the second bootloader, stored in NAND) is responsible for loading, decrypting and starting CD.
3. CD is responsible for loading, decrypting and decompressing CE; CE contains the base kernel + base HV. CE is also responsible for loading, decrypting and starting CF.
4. CF is responsible for loading, decrypting and decompressing CG, which contains the patches for the kernel and the HV. It then applies the patches to the kernel and HV, starts the patched HV, and then starts the patched kernel. Finally, it starts the dashboard.
So basically it is: 1BL -> 2BL -> patch the kernel and HV, start them -> start the dashboard.
Each step, of course, checks the signature of the next step.
Encryption Structure
The following is Arnezami's summary of the different hashes and signatures (post msg55035):
The boot process uses 3 kinds of signature:
- RSA signature: CB and CF are RSA-signed. Because this uses asymmetric encryption there is no way to break it (only MS has the private key). These signatures prevent us from changing the boot code.
- SHA1 hash: the signatures of CD, CE and CG. The hash is contained in the RSA-signed part, so we cannot break it either (it cannot be attacked with a timing attack). These should be regarded as an extension of the RSA signatures of CB and CF, and once again prevent us from changing the boot code.
- SHA1-HMAC authentication: this is done by CB and CF (but with your own CPU's key). Its effect is that you cannot freely choose the boot section of any region, or the dashboard, and so on. Fortunately, a timing attack can be applied to it. (Editor's note: this means you can interrupt the normal loading process here and replace the kernel with a cracked version, which gives you a lot of freedom. The current XBReboot and FreeBoot are made by inserting code here, and then adding back the necessary things such as a newer dashboard, etc.)
Dump data
There are 3 basic pieces of data you will want to dump from the Xbox 360: the NAND flash, the fusesets and the 1BL (first bootloader). The first is located in a Hynix HY27US08281A flash memory chip; the latter two are located inside IBM's PowerPC-based Xenon CPU.
NAND flash memory
NAND flash memory can be obtained in two ways:
* Use the Infectus flash programmer to read the NAND flash chip directly.
* Use the King Kong exploit and Linux to dump it from memory.
Fusesets and 1BL
Both can only be dumped using Linux. Please refer to the Linux section later for instructions on how to extract them.
Viewing the contents
To view the contents of a NAND flash dump, download the latest version of 360 Flash Dump Tool and open the BIN file with it.
To decode all of the encrypted content you need the CPU key, located in the fusesets in the CPU ROM, and the 1BL key. The keys can be found using the King Kong shader exploit and XeLL (Xenon Linux Loader) on specific earlier firmware versions, such as 4532 and 4548.
1BL Key
1BL is short for the first bootloader; it is stored in ROM inside the CPU. The program is 32KB in size, and the 1BL key is the same on every Xbox 360. To dump 1BL, you need to compile dump32.c and run it to extract fuses.txt, nand.bin and 1bl.bin.
(xboxhacker.net post msg50090)
Because of the legal situation behind the static key, you have to find it yourself (think of the situation with AACS). To find the key inside 1bl.bin, you need to install IDA and disassemble it with the PPC processor setting.
Finding the 1BL key:
(xboxhacker.net post msg49740)
Start in sub_4240. Remember that the encrypted data is at 08000_0200_C800_0000, the destination of the decrypted data is 08000_0200_0001_0000, the key is 010 bytes long, and %rtoc is 0. To find out whether you found the right key, open 360 Flash Dump Tool, type the key in, and check whether matching data shows up.
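The three layers the post describes (an RSA root that only the vendor can sign, SHA-1 hashes of later stages carried inside the RSA-signed region, and a per-console SHA-1 HMAC) are easier to reason about as a small verifier that walks the chain. The following is an added toy model written for this archive; it is not the console's code, key material or image format. Keys, stage bytes, the placement of the hashes at the end of CB and CF, and the idea that CB and CF HMAC the stage they load with the CPU key are all constructed assumptions used only to show how each check fails independently. The textbook RSA here is unpadded and tiny, which is fine for illustrating a chain of trust and nothing else.

```python
"""Toy model of the boot signature chain the post describes:
1BL -> CB -> CD -> CE -> CF -> CG, with an RSA root of trust, SHA-1 hashes
of later stages carried inside the RSA-signed region, and a per-console HMAC.
Added example with constructed keys, stage bytes and layout; nothing here is
the console's real code, key or image format."""
import hashlib
import hmac
import math
import random


def sha1(data):
    return hashlib.sha1(data).digest()


# Toy textbook RSA (unpadded) with deterministic keys so runs are reproducible.
def _is_probable_prime(n, rng, rounds=16):
    """Miller-Rabin probable-prime test."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(rng.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _gen_prime(bits, rng):
    while True:
        cand = rng.getrandbits(bits) | (1 << (bits - 1)) | 1  # force size and oddness
        if _is_probable_prime(cand, rng):
            return cand


def make_keypair(bits=512, seed=1):
    """Returns ((n, e), (n, d)). Toy size; a real signing key is far larger."""
    rng, e = random.Random(seed), 65537
    while True:
        p, q = _gen_prime(bits // 2, rng), _gen_prime(bits // 2, rng)
        phi = (p - 1) * (q - 1)
        if p != q and math.gcd(e, phi) == 1:
            return (p * q, e), (p * q, pow(e, -1, phi))


def rsa_sign(priv, data):
    n, d = priv
    return pow(int.from_bytes(sha1(data), "big"), d, n)


def rsa_verify(pub, data, sig):
    n, e = pub
    return pow(sig, e, n) == int.from_bytes(sha1(data), "big")


def build_image(priv, cpu_key, stages):
    """CB's signed body ends with SHA-1(CD) || SHA-1(CE); CF's signed body ends
    with SHA-1(CG). CD and CG also carry an HMAC under the per-console CPU key,
    which is what ties one image to one console (constructed layout)."""
    cb_body = stages["CB"] + sha1(stages["CD"]) + sha1(stages["CE"])
    cf_body = stages["CF"] + sha1(stages["CG"])
    mac = lambda s: hmac.new(cpu_key, s, "sha1").digest()
    return {
        "CB": cb_body, "CB_sig": rsa_sign(priv, cb_body),
        "CD": stages["CD"], "CD_hmac": mac(stages["CD"]),
        "CE": stages["CE"],
        "CF": cf_body, "CF_sig": rsa_sign(priv, cf_body),
        "CG": stages["CG"], "CG_hmac": mac(stages["CG"]),
    }


def verify_chain(pub, cpu_key, img):
    """Each stage checks the next before handing over. Returns the first failing
    check, or None when the whole chain is trusted. Digest comparisons use
    compare_digest: an early-exit byte compare is the timing leak the post's
    'time difference attack' refers to."""
    same = hmac.compare_digest
    mac = lambda s: hmac.new(cpu_key, s, "sha1").digest()
    if not rsa_verify(pub, img["CB"], img["CB_sig"]):
        return "CB RSA signature"
    cd_hash, ce_hash = img["CB"][-40:-20], img["CB"][-20:]
    if not same(sha1(img["CD"]), cd_hash):
        return "CD hash (inside signed CB)"
    if not same(mac(img["CD"]), img["CD_hmac"]):
        return "CD per-console HMAC"
    if not same(sha1(img["CE"]), ce_hash):
        return "CE hash (inside signed CB)"
    if not rsa_verify(pub, img["CF"], img["CF_sig"]):
        return "CF RSA signature"
    if not same(sha1(img["CG"]), img["CF"][-20:]):
        return "CG hash (inside signed CF)"
    if not same(mac(img["CG"]), img["CG_hmac"]):
        return "CG per-console HMAC"
    return None


def demo():
    """Verify a good image and three tampered variants; returns {case: result}."""
    pub, priv = make_keypair()  # stands in for the vendor's signing key
    cpu_key = sha1(b"constructed per-console key")[:16]
    stages = {s: f"{s} stage code".encode() for s in ("CB", "CD", "CE", "CF", "CG")}
    good = build_image(priv, cpu_key, stages)
    out = {"good": verify_chain(pub, cpu_key, good)}
    # Modified CE (kernel + HV base): the SHA-1 inside the signed CB no longer matches.
    out["patched_CE"] = verify_chain(pub, cpu_key, dict(good, CE=b"modified CE"))
    # Same image on another console: RSA and hashes pass, per-console HMAC fails.
    out["other_console"] = verify_chain(pub, b"some other cpu key", good)
    # CB re-signed with a key that is not the vendor's: rejected at the root.
    _, other_priv = make_keypair(seed=2)
    forged = dict(good, CB=b"modified CB" + good["CB"][-40:])
    forged["CB_sig"] = rsa_sign(other_priv, forged["CB"])
    out["forged_CB"] = verify_chain(pub, cpu_key, forged)
    return out


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name:14s} -> {'trusted' if result is None else 'REJECTED: ' + result}")
```

The point the four cases make is the one Arnezami's summary makes: the RSA check and the embedded hashes fail closed no matter what key the console holds, while only the HMAC depends on the per-console key, so that is the only layer whose outcome differs from one machine to the next.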
#2. Posted:
Status: Offline
Joined: Mar 02, 2010 (14-Year Member)
Posts: 485
Reputation Power: 30
so old lol, CF and CG are not RSA'd, they are signed via the CPU, it's the CB and CD which are signed with the private RSA key,
proving after 8955 MS can still read our keys we can't
and why you can't
change a 2nd BL RSA!
#3. Posted:
Status: Offline
Joined: Dec 09, 2010 (13-Year Member)
Posts: 63
Reputation Power: 2
great post man thanks
#4. Posted:
Status: Offline
Joined: Jan 31, 2011 (13-Year Member)
Posts: 410
Reputation Power: 17
imjtagerjeff wrote: so old lol, CF and CG are not RSA'd, they are signed via the CPU, it's the CB and CD which are signed with the private RSA key,
proving after 8955 MS can still read our keys we can't
and why you can't
change a 2nd BL RSA!
Wow, I've been reading a lot of your comments and you are an encyclopedia of knowledge. Thanks for putting this right. Too many people are getting their hopes up all the time, when basically, even if we knew how, we do not have the knowledge to implement it.
#5. Posted:
Status: Offline
Joined: Jul 01, 2010 (14-Year Member)
Posts: 587
Reputation Power: 25
None of this matters when trying to get jtags online, (if this is why you posted it). All we have to do is patch the challenges and you can get online. Everything you posted has already been dealt with by the makers of freeboot and fbbuild. They did the hard work. So all we need to do is learn to add patches to the patches bin files that will patch out the hv/kernel security checks and we will get online. I am working on this all this week and I'll see what I can get done.
#6. Posted:
Status: Offline
Joined: Oct 24, 2010 (14-Year Member)
Posts: 46
Reputation Power: 1
we all can't be as smart as you, jtagerjeff. Since you know so much, why don't you produce the info needed to go online? Let me guess, you don't want JTAGs online? Why do I see you all over anything that looks like info on the subject then? People like you hinder a job being completed as a group, because peeps don't post, or do post and then cats like you talk shit. You know what they say about people who talk down on others to make themselves feel OK. But that's cool, you feel smart now, jtagerjeff, huh?