You are viewing our Forum Archives. To view or take place in current topics click here.
Work?
Yes
28.57% (4 votes)
28.57% (4 votes)
No?
71.43% (10 votes)
71.43% (10 votes)
Total Votes: 14
Jtag Online Method. Maybe.
Posted:
Jtag Online Method. Maybe.Posted:
Status: Offline
Joined: Nov 26, 201112Year Member
Posts: 144
Reputation Power: 6
Status: Offline
Joined: Nov 26, 201112Year Member
Posts: 144
Reputation Power: 6
Why was this deleted last time?
You compress it into a xex file
Then run it
It gives you another file with the challenges
You put those challenges in the kxam patch builder
Reflash your xbox
Bam
Jtag can go online
Some of the code turned into Smileys. If you going to try it ur gonna have to replace the smileys with the corresponding symbols
[b]
You compress it into a xex file
Then run it
It gives you another file with the challenges
You put those challenges in the kxam patch builder
Reflash your xbox
Bam
Jtag can go online
Some of the code turned into Smileys. If you going to try it ur gonna have to replace the smileys with the corresponding symbols
typedef DWORD (*XEKEYSEXECUTE)(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8);
// Catching call to XeKeysExecute in XAM
// Directing it to this function instead of actual Kernel function
DWORD XeKeysExecuteHook(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8)
{
XEKEYSEXECUTE XeKeysExecute = (XEKEYSEXECUTE)resolveFunct(XBOX_KRNL, 607);
SYSTEMTIME LocalSysTime;
GetLocalTime( &LocalSysTime );
DbgPrint("Entering Xbox Live Challenge hook\n");
DbgPrint("SystemTime: %d-%d-%d\t%d:%d:%d\n", LocalSysTime.wMonth, LocalSysTime.wDay,LocalSysTime.wYear, LocalSysTime.wHour, LocalSysTime.wMinute, LocalSysTime.wSecond);
DbgPrint("r3 = 0x%08X, r4 = 0x%08X, r5 = 0x%08X\n",
chalData, size, HVSalt);
DbgPrint("r6 = 0x%016I64X, r7 = 0x%016I64X, r8 = 0x%016I64X\n",
krnlBuild, r7, r8);
// Decrypt the challenge data
// Seems to share the same header as a bootloader
// char[2] Magic
// short Version
// int Flags
// int EntryPoint
// int Size
// byte[0x10] HMAC Hash -> RC4 Key
DWORD dataSize = *(DWORD*)(chalData + 0xC);
if(!DecryptChallenge(chalData, dataSize))
{
DbgPrint("Error decrypting challenge \n");
HalReturnToFirmware(6);
}
// Create HV Salt file
HANDLE hvSalt = CreateFile("hdd:\\XeKeysExecute_HVSalt.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if( hvSalt == INVALID_HANDLE_VALUE)
{
DbgPrint("Error Creating HV Salt File\n");
HalReturnToFirmware(6);
}
DbgPrint("File Created\n");
// Get the HV salt
DWORD saltOut = 0;
if (WriteFile( hvSalt, HVSalt, 0x10, &saltOut, NULL))
DbgPrint("Saved HV Salt\n");
else DbgPrint("Could not save HV Salt \n");
// Close our HV Salt handle
CloseHandle( hvSalt );
DbgPrint("Dumping resp\n");
// Execute the challenge
BYTE* physSalt = (BYTE*)MmGetPhysicalAddress(HVSalt); // Do what we patched
XeKeysExecute(chalData, size, physSalt, krnlBuild, r7, r8); // go to actual kernel function
HANDLE chalResp = CreateFile("hdd:\\XeKeysExecute_resp.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if( chalResp == INVALID_HANDLE_VALUE)
{
DbgPrint("Error Creating Response File\n");
HalReturnToFirmware(6);
}
DbgPrint("Response File Created\n");
// Save the challenge response
DWORD respOut = 0;
if (WriteFile( chalResp, chalData, size, &respOut, NULL))
DbgPrint("Saved response data\n");
else DbgPrint("Could not save response data \n");
// Close our challange response dump
CloseHandle( chalResp );
// We dumped the challange data -> reboot
DbgPrint("Dumped Challenge - Rebooting System\n");
HalReturnToFirmware(6);
return (0);
}
void patchPhysicalAddr()
{
DbgPrint("Patching MmGetPhysicalAddress in challenge function so we can grab the HV Salt\n");
UINT32* addr = (UINT32*)(0x81677EE4); // 14719
addr[0] = 0x60000000;
}
BOOL DecryptChallenge(BYTE* data, DWORD fileSize)
{
DbgPrint("Decrypting XeKeysExecute Challenge Data\n");
XECRYPT_RC4_STATE rc4;
BYTE* decChalData = (BYTE*)XPhysicalAlloc(fileSize, MAXULONG_PTR, 0, PAGE_READWRITE);
memcpy(decChalData, data, fileSize);
BYTE* rc4Key = (BYTE*)XPhysicalAlloc(0x10, MAXULONG_PTR, 0, PAGE_READWRITE);
BYTE key[0x10] = {0xDD, 0x88, 0xAD, 0x0C, 0x9E, 0xD6, 0x69, 0xE7, 0xB5, 0x67, 0x94, 0xFB, 0x68, 0x56, 0x3E, 0xFA}; // found in HV
XeCryptHmacSha((BYTE*)key, 0x10, decChalData + 0x10, 0x10, 0, 0, 0, 0, rc4Key, 0x10);
XeCryptRc4Key(&rc4, rc4Key, 0x10);
XeCryptRc4Ecb(&rc4, decChalData + 0x20, fileSize - 0x20);
HANDLE hFile;
DWORD size;
hFile = CreateFile("hdd:\\XeKeysExecute_chalData_dec.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if( hFile != INVALID_HANDLE_VALUE)
{
DbgPrint("Created Challenge File\n");
if(WriteFile(hFile, decChalData, fileSize, &size, NULL) ;)
{
CloseHandle(hFile);
XPhysicalFree(decChalData);
XPhysicalFree(rc4Key);
DbgPrint("Decrypted challenge data saved\n");
return true;
}
else
return false;
}
}
//////////////////////////////////////////////////////////////////////////////////////////
patchPhysicalAddr();
patchInJump((PDWORD)(0x81A30364), (DWORD)XeKeysExecuteHook, false);
// Catching call to XeKeysExecute in XAM
// Directing it to this function instead of actual Kernel function
DWORD XeKeysExecuteHook(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8)
{
XEKEYSEXECUTE XeKeysExecute = (XEKEYSEXECUTE)resolveFunct(XBOX_KRNL, 607);
SYSTEMTIME LocalSysTime;
GetLocalTime( &LocalSysTime );
DbgPrint("Entering Xbox Live Challenge hook\n");
DbgPrint("SystemTime: %d-%d-%d\t%d:%d:%d\n", LocalSysTime.wMonth, LocalSysTime.wDay,LocalSysTime.wYear, LocalSysTime.wHour, LocalSysTime.wMinute, LocalSysTime.wSecond);
DbgPrint("r3 = 0x%08X, r4 = 0x%08X, r5 = 0x%08X\n",
chalData, size, HVSalt);
DbgPrint("r6 = 0x%016I64X, r7 = 0x%016I64X, r8 = 0x%016I64X\n",
krnlBuild, r7, r8);
// Decrypt the challenge data
// Seems to share the same header as a bootloader
// char[2] Magic
// short Version
// int Flags
// int EntryPoint
// int Size
// byte[0x10] HMAC Hash -> RC4 Key
DWORD dataSize = *(DWORD*)(chalData + 0xC);
if(!DecryptChallenge(chalData, dataSize))
{
DbgPrint("Error decrypting challenge \n");
HalReturnToFirmware(6);
}
// Create HV Salt file
HANDLE hvSalt = CreateFile("hdd:\\XeKeysExecute_HVSalt.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if( hvSalt == INVALID_HANDLE_VALUE)
{
DbgPrint("Error Creating HV Salt File\n");
HalReturnToFirmware(6);
}
DbgPrint("File Created\n");
// Get the HV salt
DWORD saltOut = 0;
if (WriteFile( hvSalt, HVSalt, 0x10, &saltOut, NULL))
DbgPrint("Saved HV Salt\n");
else DbgPrint("Could not save HV Salt \n");
// Close our HV Salt handle
CloseHandle( hvSalt );
DbgPrint("Dumping resp\n");
// Execute the challenge
BYTE* physSalt = (BYTE*)MmGetPhysicalAddress(HVSalt); // Do what we patched
XeKeysExecute(chalData, size, physSalt, krnlBuild, r7, r8); // go to actual kernel function
HANDLE chalResp = CreateFile("hdd:\\XeKeysExecute_resp.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if( chalResp == INVALID_HANDLE_VALUE)
{
DbgPrint("Error Creating Response File\n");
HalReturnToFirmware(6);
}
DbgPrint("Response File Created\n");
// Save the challenge response
DWORD respOut = 0;
if (WriteFile( chalResp, chalData, size, &respOut, NULL))
DbgPrint("Saved response data\n");
else DbgPrint("Could not save response data \n");
// Close our challange response dump
CloseHandle( chalResp );
// We dumped the challange data -> reboot
DbgPrint("Dumped Challenge - Rebooting System\n");
HalReturnToFirmware(6);
return (0);
}
void patchPhysicalAddr()
{
DbgPrint("Patching MmGetPhysicalAddress in challenge function so we can grab the HV Salt\n");
UINT32* addr = (UINT32*)(0x81677EE4); // 14719
addr[0] = 0x60000000;
}
BOOL DecryptChallenge(BYTE* data, DWORD fileSize)
{
DbgPrint("Decrypting XeKeysExecute Challenge Data\n");
XECRYPT_RC4_STATE rc4;
BYTE* decChalData = (BYTE*)XPhysicalAlloc(fileSize, MAXULONG_PTR, 0, PAGE_READWRITE);
memcpy(decChalData, data, fileSize);
BYTE* rc4Key = (BYTE*)XPhysicalAlloc(0x10, MAXULONG_PTR, 0, PAGE_READWRITE);
BYTE key[0x10] = {0xDD, 0x88, 0xAD, 0x0C, 0x9E, 0xD6, 0x69, 0xE7, 0xB5, 0x67, 0x94, 0xFB, 0x68, 0x56, 0x3E, 0xFA}; // found in HV
XeCryptHmacSha((BYTE*)key, 0x10, decChalData + 0x10, 0x10, 0, 0, 0, 0, rc4Key, 0x10);
XeCryptRc4Key(&rc4, rc4Key, 0x10);
XeCryptRc4Ecb(&rc4, decChalData + 0x20, fileSize - 0x20);
HANDLE hFile;
DWORD size;
hFile = CreateFile("hdd:\\XeKeysExecute_chalData_dec.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if( hFile != INVALID_HANDLE_VALUE)
{
DbgPrint("Created Challenge File\n");
if(WriteFile(hFile, decChalData, fileSize, &size, NULL) ;)
{
CloseHandle(hFile);
XPhysicalFree(decChalData);
XPhysicalFree(rc4Key);
DbgPrint("Decrypted challenge data saved\n");
return true;
}
else
return false;
}
}
//////////////////////////////////////////////////////////////////////////////////////////
patchPhysicalAddr();
patchInJump((PDWORD)(0x81A30364), (DWORD)XeKeysExecuteHook, false);
#2. Posted:
Status: Offline
Joined: May 01, 201113Year Member
Posts: 670
Reputation Power: 26
because this probly wont work
- 0useful
- 0not useful
#3. Posted:
Status: Offline
Joined: Nov 26, 201112Year Member
Posts: 144
Reputation Power: 6
Status: Offline
Joined: Nov 26, 201112Year Member
Posts: 144
Reputation Power: 6
Did you try it bro? Didnt think so
- 0useful
- 1not useful
#4. Posted:
Status: Offline
Joined: Sep 25, 200915Year Member
Posts: 1,272
Reputation Power: 65
Status: Offline
Joined: Sep 25, 200915Year Member
Posts: 1,272
Reputation Power: 65
it worked but when you connected to XBL there was a update.
And the update didn't work.
It was closed until it works , so like run xex and unsigned code on XBL.
- Panic
And the update didn't work.
It was closed until it works , so like run xex and unsigned code on XBL.
- Panic
- 1useful
- 0not useful
#5. Posted:
Status: Offline
Joined: Feb 21, 201113Year Member
Posts: 1,636
Reputation Power: 67
deserteagle9021 wrote because this probly wont workif you havent tried it, do say it doesnt work. Prove that it doesnt work,.
- 0useful
- 0not useful
#6. Posted:
Status: Offline
Joined: Dec 23, 201112Year Member
Posts: 379
Reputation Power: 20
Status: Offline
Joined: Dec 23, 201112Year Member
Posts: 379
Reputation Power: 20
How do you compress it? And I was the original poster in the gold section; its not deleted...
- 0useful
- 0not useful
#7. Posted:
Status: Offline
Joined: Sep 25, 200915Year Member
Posts: 1,272
Reputation Power: 65
Status: Offline
Joined: Sep 25, 200915Year Member
Posts: 1,272
Reputation Power: 65
danieldaniel wrote How do you compress it? And I was the original poster in the gold section; its not deleted...
You wans't the original poster lol.
This was found out by good coders.
all you did was copy and paste and you don't even know what your doing
GTFO Kid
- Panic
- 2useful
- 4not useful
#8. Posted:
Status: Offline
Joined: Nov 26, 201112Year Member
Posts: 144
Reputation Power: 6
Status: Offline
Joined: Nov 26, 201112Year Member
Posts: 144
Reputation Power: 6
If you were the orginal poster why are u asking how to compress it, lol
- 3useful
- 0not useful
#9. Posted:
Status: Offline
Joined: Jul 27, 201113Year Member
Posts: 66
Reputation Power: 2
Status: Offline
Joined: Jul 27, 201113Year Member
Posts: 66
Reputation Power: 2
i have a working tu7 bypass and know how to get jtags online pm me for proof
- 0useful
- 9not useful
#10. Posted:
Status: Offline
Joined: Nov 26, 201112Year Member
Posts: 144
Reputation Power: 6
Status: Offline
Joined: Nov 26, 201112Year Member
Posts: 144
Reputation Power: 6
This method Works For me and my clan...
- 0useful
- 1not useful
You are viewing our Forum Archives. To view or take place in current topics click here.