Just An Interesting Idea...


34 replies to this topic

#16 Gadorach

    X-S Enthusiast

  • Members
  • 25 posts
  • Location: Canada
  • Xbox Version: v1.1
  • 360 version: v5.0 (360S - trinity)

Posted 23 September 2011 - 09:05 AM

Well, seeing as I can't sleep anyway, I'll post my new thoughts on this.

First, to clarify, have there been any appearances of a modified version of the SD NAND mod that would allow an SD card to act as the second NAND of the Trinity [Slim] motherboard?
If so, that would make testing easier, as I could just write a program that treats the SD card as a NAND and writes to it as such from my computer.
Next, though I do plan to dissect the modified CB (to understand the modifications) and CD (to understand the boot structure for loading Xell and anything else), I think I'll work on my multi-homebrew launcher for Xell instead, as it'll be less difficult to debug without having the RGH installed yet.

[EDIT]
After some more research, I discovered, first of all, that it's XD cards that are used for the dual NAND mod. After that, it seems that even though people are testing it out and trying to figure out all the right points on the Trinity, it hasn't been confirmed as working yet. There's also no word on whether the Cygnos can be adapted or not, though that's also being tested currently. When it's been confirmed as working, I'll update this with links, and either point to a good tutorial or condense the information and make one myself.
For those interested, here are the current threads:

http://forums.xbox-s...howtopic=735452 - Cygnos Adaption + Some details of XD & PDF
http://www.xboxhacke...p?topic=16997.0 - Some XD Information
[EDIT]

Though I'm more wondering about the programming side here: will LibXenon let me run hooks on other programs and launch other LibXenon-based applications through my application?
As far as hooks are concerned, I mean memory hooks, like those seen with the Action Replay for the Nintendo GameCube that make certain combinations of button presses activate additional commands in a given program or game that weren't there originally.
The thought behind this is that I can just add a hook into the launching process of the homebrew in order to enable a certain set of button presses to kill the current homebrew and load my launcher back up, in order to switch between homebrew without resetting the Xbox 360.

Thanks for your responses!

- Gadorach

Edited by Gadorach, 23 September 2011 - 09:24 AM.


#17 Gadorach


Posted 23 September 2011 - 10:25 AM

Can't edit last anymore so again, next post.

To get a clear idea of what was originally done to accomplish a boot into a patched dashboard, I dug up the original project data from Xboxhacker. From this, I determined that all that is required to boot the dashboard is the dashboard patches themselves and perhaps a CD patch to ignore the loss of permissions.
As the RGH method already loads a hacked CB for us, and that CB will load "ANY" CD regardless of contents, all that needs to be done is to replace the CD that comes with the RGH with a patched CD/dash combo. From there, it should boot right up without any fuss at all.

Seeing as I assume we already have the patches for the dash, as they're being used by JTAGers currently, all that has to be done is to write a program that applies the patches to the virgin dash [and CD if necessary] and flash it back to the exploitable 360.
If anyone can test that theory, that would be great, as even if it doesn't boot you haven't lost anything if you have a NAND backup, and we would then know whether it worked. The point is that this is looking like there's no need at all for any additional software besides a patcher. All we need is the patches, which should already exist.

If someone can find the patches, and perhaps the Falcon's timing, I have 6 Falcons, 1 Trinity, and 2 Jaspers on the way. I'll be willing to test it on all of the models I own when I receive my glitch board. Until then, I'll go looking for the patch data myself for the 13599 dash.

I encourage anyone interested to help, as confirming this would make the RGH much more viable and remove the need to worry about JTAGing altogether.

- Gadorach

#18 Gadorach


Posted 23 September 2011 - 11:47 AM

Though I'd normally edit new things in, I feel that this should be a separate post for a few reasons, none of which matter.

Anyways, Here's my theory for getting the RGH booting a hacked dash.
I'll list the complete process, just because.

1) Extract NAND of the target Xbox 360.
2) Make a Backup of this NAND and don't touch it yet.
3) Patch NAND using the files and method in the RGH guide, by GliGli.
4) Build and program your Coolrunner using GliGli's guide.
5) Flash your RGH-patched NAND to the target Xbox 360.
6) Install your Coolrunner to the Target Xbox 360.
7) Startup the Xbox 360 and grab your keys with Xell.
8) Make another copy of your Backup NAND.
[Unsure if JTAG Tool will accept the 13599 native NAND image]
9) Throw the NAND image into JTAG Tool [or perhaps Exploit 360; I haven't checked the features yet so...]
10) Install the 13599 Freeboot Dash to your NAND.
11) After patching is complete, Click "Convert XBR to Original", wait for it to finish.
12) Flash Image to Xbox 360.
[Speculation From Here On]
13) Obtain your real CD from the NAND image you backed up (your original NAND)
[^^Haven't found method yet, Please inform me if there is an easy way to do this.^^]
14) Using the Build.py in GliGli's guide, use this to make it work:
python common\imgbuild\build.py original_nand.ecc [NAND CD Folder]\[YOUR CD]
[Don't know how original CD will react to a Patched Dash, also, Xell is eliminated so I'm unsure if it will even compile. I don't have a NAND to test it with yet, but you can bet I'll even build a *gulp* LPT Cable *shiver* just to try it before my NANDX arrives!]
15) Flash output ECC file to the NAND the same way as before.
16) Boot your Xbox 360.
17) Jump for joy or commence the flaming.

I'm sure there are some flaws with my reasoning here, but all we need to do is modify the CD and, assuming the JTAG Tool did in fact patch the dash, make sure there are no traces of anything left.

In contrast, I have a funny feeling that the current versions of Freeboot and XBR use a boot-time RAM-poke method to apply the patches to memory. If this is the case, removing Freeboot from the image is the same as restoring it to its original state.

Basically, we need both those dash patches and a patched CD for a much closer to 100% "it's gonna work" idea, and a way to patch the files without relying on Build.py.
Also, doing a hex compare on the CDs should tell anyone skilled enough what was changed.
And though I haven't checked it yet, apparently the CD provided with GliGli's guide is in an unencrypted, "plaintext" format. If we have an original plaintext CD, one for each 360 revision, we may be able to build a custom CD with it and modify the permissions to resemble the patched, plaintext CD from a JTAG.

Most of this is still speculation so please Help out if you have any ideas that are relevant!

*Update*
To add to a problem with step 14: the new, hacked CB will NOT decrypt an encrypted CD, as it's been modified to expect a plaintext CD in NAND.

Basically, someone needs to hack those CDs!
Once we have working CDs that are in plaintext and set to accept all dashboards, regardless of patches, we'll be ready to move on.

Edit - If you do have the ability and resources to create a hacked CD, DON'T POST IT HERE OR LINK TO IT.
The CD most definitely contains M$ copyrighted code.

Better yet, it would be better if we could decrypt our own CDs and apply a patch to them, as the patch wouldn't contain M$ code itself.
I "think" the CPU key can be used to decrypt the CD, but it may be the private key, so no guarantees.
Anyways, as this is grey-area talk, I'll just move right along...

Another thing I'd like to know is whether the custom plaintext CDs included in the RGH are re-codeable to act similarly enough to the real ones to continue the boot process as normal into a hacked dash.

Any ideas?

Edited by Gadorach, 23 September 2011 - 12:44 PM.
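The "hex compare on the CDs" suggested in the post above is easiest to act on with a small script that understands the bootloader header and reports only the changed byte runs. What follows is an added example written for this page; it is not code from the thread, from GliGli's release, or from any 360 tool. The header layout it assumes (2-byte magic, 2-byte build, 4-byte flags, 4-byte entry point, 4-byte size, 16-byte nonce, all big-endian) follows the free60 wiki's description of 360 bootloaders and is an assumption here; the two images it compares are constructed test data, not real CD images. It only makes sense on plaintext images, such as the unencrypted CD the post says ships with the RGH files.

```python
"""Byte-level compare of two Xbox 360 bootloader images (added example).

Header layout is assumed from the free60 wiki, not taken from the thread:
  magic(2) build(2) flags(4) entry(4) size(4) nonce(16), big-endian, 0x20 bytes.
Sample images below are constructed; they contain no real 360 code.
"""
import struct
from dataclasses import dataclass

HEADER_FMT = ">2sHIII16s"
HEADER_LEN = struct.calcsize(HEADER_FMT)  # 0x20
FIELDS = ("magic", "build", "flags", "entry", "size", "nonce")


@dataclass
class BlHeader:
    magic: bytes
    build: int
    flags: int
    entry: int
    size: int
    nonce: bytes


def parse_header(image: bytes) -> BlHeader:
    """Parse the common bootloader header and sanity-check it against the image."""
    if len(image) < HEADER_LEN:
        raise ValueError("image shorter than bootloader header")
    magic, build, flags, entry, size, nonce = struct.unpack_from(HEADER_FMT, image, 0)
    if not magic.isalpha():
        raise ValueError(f"bad magic {magic!r}")
    if size > len(image):
        raise ValueError(f"header size 0x{size:x} exceeds image length 0x{len(image):x}")
    return BlHeader(magic, build, flags, entry, size, nonce)


def diff_ranges(a: bytes, b: bytes):
    """Return [(offset, length)] for each maximal run of differing bytes.

    A length mismatch is reported as one final run covering the extra tail.
    """
    runs = []
    n = min(len(a), len(b))
    start = None
    for i in range(n):
        if a[i] != b[i]:
            if start is None:
                start = i
        elif start is not None:
            runs.append((start, i - start))
            start = None
    if start is not None:
        runs.append((start, n - start))
    if len(a) != len(b):
        runs.append((n, abs(len(a) - len(b))))
    return runs


def compare_images(a: bytes, b: bytes):
    """Split the diff into changed header fields and changed body runs (with hex previews)."""
    ha, hb = parse_header(a), parse_header(b)
    header = {f: (getattr(ha, f), getattr(hb, f))
              for f in FIELDS if getattr(ha, f) != getattr(hb, f)}
    body = [(off, ln, a[off:off + ln].hex(), b[off:off + ln].hex())
            for off, ln in diff_ranges(a, b) if off >= HEADER_LEN]
    return {"header": header, "body": body}


def build_sample_image(body: bytes, build: int = 9452, entry: int = 0x3A0) -> bytes:
    """Constructed sample: a CD-style header over an arbitrary body. Not a real image."""
    size = HEADER_LEN + len(body)
    return struct.pack(HEADER_FMT, b"CD", build, 0, entry, size, bytes(16)) + body


# Constructed test data: an "original" and a copy with two small patches applied.
ORIGINAL = build_sample_image(bytes(range(256)) * 2)
_patched = bytearray(ORIGINAL)
_patched[0x40:0x44] = b"\x60\x00\x00\x00"   # a PowerPC nop written over 4 bytes
_patched[0x128] ^= 0xFF                      # a single flipped byte
PATCHED = bytes(_patched)

if __name__ == "__main__":
    report = compare_images(ORIGINAL, PATCHED)
    for field, (old, new) in report["header"].items():
        print(f"header {field}: {old!r} -> {new!r}")
    for off, ln, old, new in report["body"]:
        print(f"0x{off:05x} +{ln:<4d} {old} -> {new}")
```

Run it against two real plaintext CD files by replacing `ORIGINAL` and `PATCHED` with `open(path, "rb").read()`. Because the compare is byte-exact, a changed `size` or `nonce` field in the header shows up separately from code changes in the body, which is the first thing to check before reading any differing run as a patch.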


#19 Gadorach


Posted 23 September 2011 - 09:30 PM

After thinking things through and reading up on the CD a bit more, it seems that the plaintext, original CD isn't required at all.
What we need is GliGli's modded CD and a way to make our own payload.
If we simply create a payload designed to boot a patched dashboard, it should patch with the build.py and do whatever we want. Perhaps it could just run XBR as a start, until someone patches a dashboard.
XBR should, theoretically, be compatible with every 360, seeing as all it does is reboot the kernel to a specified version with hooks.
Can someone figure out how the Xell-gggggg.bin works and make an XBR.bin instead?
Just a thought, though it should work....

#20 Gadorach


Posted 24 September 2011 - 08:32 PM

Here's the updated steps list:

1) Extract NAND of the target Xbox 360.
2) Make a Backup of this NAND and don't touch it yet.
3) Patch NAND using the files and method in the RGH guide, by GliGli.
4) Build and program your Coolrunner using GliGli's guide.
5) Flash your RGH-patched NAND to the target Xbox 360.
6) Install your Coolrunner to the Target Xbox 360.
7) Startup the Xbox 360 and grab your keys with Xell.
8) Make another copy of your Backup NAND.
9) Throw the NAND image into JTAG Tool
10) Install the 13599 Freeboot Dash to your NAND.
11) After patching is complete, Click "Convert XBR to Original", wait for it to finish.
12) Flash Image to Xbox 360.
13) Using the Build.py in GliGli's guide, patch the custom CD with XBR.bin

python common\imgbuild\build.py original_nand.ecc common\cdxell\CD[version] common\XBR\XBR.bin

[Need to make either XBR.bin payload or another payload solution]

14) Flash output ECC file to the NAND the same way as before.
15) Boot your Xbox 360.

---------------------------------------------------------------------

Just an update:

I'm working on decompiling the CD and gggggg-Xell.bin to figure out how they're connected and what calls are made.
If anyone's interested in helping, I'm using IDA, so any information should be related to the use of IDA.
Else, if you've got a better way, go for it!

I'll be sure to post when I figure it out.

Please PM me if you're interested in helping (and know enough to help)!

- Gadorach

Edited by Gadorach, 24 September 2011 - 08:42 PM.


#21 Gadorach


Posted 25 September 2011 - 04:58 AM

Not a confirmed theory or anything, and probably not yet compatible with the slim, but I think that now that the CB and CD can be zero-paired, the LDV could simply be adjusted in the older, exploitable kernel using the console's CPU key and then booted into, thus achieving a JTAG environment.
Just saying...

All we need, in reality, is a DEVKIT CD and NAND to boot into an unlocked dash.
Just find a DEVKIT kernel that has the same fuseline value as 13599 expects and we won't even have to patch it.
It's really that easy.
The only problem that's ever prevented other kernels from running is CB's hash check.

SO.

Install a DEVKIT Nand with correct Fuseset, patch it with Retail CB.
DONE.

List of things to grab:

DevKit NAND Donor with correct LDV
???????
Profit?


EDIT:

Forgot to add that the NAND can't just be FLASHED; it'll have to have everything that the 360 natively encrypts with the CPU key re-encrypted with the CPU key. As all you need is the NAND of the DEVKIT, your NAND, the CPU key of the DEVKIT donor, and your CPU key, it's not a big deal, and rather obvious to anyone with NAND donor experience.

Edited by Gadorach, 25 September 2011 - 05:27 AM.
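The edit above describes taking a donor's CPU-key-bound data, decrypting it with the donor's CPU key and re-encrypting it with your own. The block below is an added example written for this page to show what that re-keying step is in code; it is not from the thread or from any NAND tool. It models the pattern the free60 wiki documents for the 360's CPU-key-bound blobs: a per-blob nonce, a wrapping key of HMAC-SHA1(cpu_key, nonce) truncated to 16 bytes, and RC4 over the body. The blob layout used here (a 16-byte nonce followed by the RC4 body), the `KVDEMO01` marker used as a sanity check, and all keys and data are assumptions constructed for the demo.

```python
"""Re-key a CPU-key-bound blob from a donor console to your own (added example).

Scheme modelled on the free60 description of the 360's CPU-key-bound data:
    wrap_key = HMAC-SHA1(cpu_key, nonce)[:16];  body = RC4(wrap_key, plaintext)
Blob layout (assumed for the demo): nonce(16) || body. Keys and data are constructed.
"""
import hashlib
import hmac
import os

# Constructed marker standing in for a field whose expected value is known.
# RC4 has no integrity check, so a wrong key yields silent garbage; this catches it.
MARKER = b"KVDEMO01"


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(cpu_key: bytes, nonce: bytes) -> bytes:
    """Per-blob wrapping key: HMAC-SHA1 keyed with the CPU key, truncated to 16 bytes."""
    if len(cpu_key) != 16:
        raise ValueError("CPU key must be 16 bytes")
    return hmac.new(cpu_key, nonce, hashlib.sha1).digest()[:16]


def unwrap(cpu_key: bytes, blob: bytes) -> bytes:
    """Decrypt a blob bound to cpu_key; the nonce is the first 16 bytes (assumed layout)."""
    nonce, body = blob[:16], blob[16:]
    return rc4(derive_key(cpu_key, nonce), body)


def wrap(cpu_key: bytes, plaintext: bytes, nonce: bytes = None) -> bytes:
    """Encrypt plaintext under cpu_key. A fresh nonce avoids RC4 keystream reuse."""
    nonce = os.urandom(16) if nonce is None else nonce
    return nonce + rc4(derive_key(cpu_key, nonce), plaintext)


def looks_sane(plaintext: bytes) -> bool:
    return plaintext.startswith(MARKER)


def rekey(blob: bytes, donor_cpu_key: bytes, own_cpu_key: bytes, nonce: bytes = None) -> bytes:
    """Unwrap with the donor's CPU key, verify, and wrap again under your own key."""
    plain = unwrap(donor_cpu_key, blob)
    if not looks_sane(plain):
        raise ValueError("decrypted blob fails sanity check: wrong donor CPU key?")
    return wrap(own_cpu_key, plain, nonce)


if __name__ == "__main__":
    donor_key = bytes(range(16))        # constructed, not a real CPU key
    own_key = bytes(range(16, 32))      # constructed, not a real CPU key
    donor_blob = wrap(donor_key, MARKER + bytes(range(64)))
    mine = rekey(donor_blob, donor_key, own_key)
    print("re-keyed blob decrypts under own key:", looks_sane(unwrap(own_key, mine)))
```

Two points worth keeping in mind when doing this for real: RC4 is a stream cipher with no authentication, so the only signal that the donor key was wrong is garbage plaintext, which is why the sanity check exists; and re-wrapping must use a fresh nonce (or a different key), since reusing both key and nonce for two plaintexts leaks their XOR.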


#22 Gadorach


Posted 25 September 2011 - 07:31 AM

Anyways, I'm now working with a clean Falcon 5761 NAND image and a banned KV for testing.
My new idea goes like this:

Install JTAG hardware.

Build XBR 13599 from Test Falcon 5761 NAND with MY smc settings.

Patch 4BL (CD) to not check fuse count.

Flash to NAND.

Run as usual JTAG would.

So I just have to finish patching the 4BL and I'm ready for testing.

I'll have my Coolrunner and NAND-X by this Friday, I think, so I'll post my results as soon as I can.

I'll patch 4BL first though and post an update when I'm done.

Don't expect me to post a patched 4BL though because I won't.

I'll consider making a script to patch other 4BLs though.

NO PROMISES!

- Gadorach

#23 Gadorach


Posted 25 September 2011 - 07:35 PM

Figured out the basic construction of the CD.
^^not that difficult, after being decrypted of course^^

Currently working out how the original patches affect the HV and CD.
Seeing as this stuff has already been figured out, it'll probably only take me until my Coolrunner gets here to come up with a prototype NAND image. I'm not gonna release a patcher until I confirm it's working completely.
Also, if a rebooter is released before I'm done, I'll just not bother releasing it; considering how dirty the method idea is, it's best kept private unless necessary... >_>

anyways, I'll post updates as necessary, until next time...

[I feel like this whole topic is turning into a development blog...]

#24 Gadorach


Posted 26 September 2011 - 04:50 AM

After scanning through the boards at XH, I found a team doing this as well.
I'm going to join up and see what we can make, especially now that GliGli has released the source code.
Also, for those of you who don't think this can boot a patched kernel yet, there are a few finished builds floating around in the private sectors, so it's been done, and likely won't be released by them any time soon (stupid elitists >_>)

Anyways, when it's done and ready, I'll make a new topic on it covering the team and probably a patcher application.

Until next time.

- Gadorach

#25 hangover

    X-S Expert

  • Members
  • 675 posts
  • Location: Melbourne, Australia
  • Xbox Version: v1.4
  • 360 version: v4.0 (jasper)

Posted 26 September 2011 - 11:36 AM

Put the sugar away and go and get some sleep

#26 Gadorach


Posted 26 September 2011 - 04:51 PM

QUOTE(hangover @ Sep 26 2011, 07:36 AM)

Put the sugar away and go and get some sleep


Ha, you CAN'T stop me from drinking my 4L's of Pepsi!
MAXIMUM GLUCOSE!

Also, things seem to be coming along well with the booter, I'll jump on as soon as I find a use for myself, I'm currently just snooping on progress and keeping track of everything though.
For anyone who's interested, and actually willing to help, Join the team at #rgloader

- Gadorach

#27 Gadorach


Posted 27 September 2011 - 04:56 AM

Just to keep things going, I've joined team lprot and we're working on a new rebooter so those of us with small 16MB NANDs can enjoy the usage of the XDK on our 360s. I'll be working on it for the next while. For anyone interested in progress, the other team has put together a working build for Jasper BBs, though don't expect to have access to it for a bit unless you want to help test it, at which point I'd advise getting in contact with stoker when he gets back, as he's the one working on it.

Also, a note to aspiring testers, you must have the glitch setup, a good NAND dump, your CPU Key, and serial debugging hardware installed. Without those, you're not ready to help with testing.

Links for getting yourself setup:

Serial Debugger via. MAX232 - http://www.free60.org/Level_Shifter
[code has been made to allow for a teensy 2.0 to be used for serial debugging as well, ask for it on the irc]
360 Pin-out for your Serial Debugger - http://www.free60.org/Serial_Console
RGH 1.1 - http://www.xbox-scen...VpVItwKUCST.php

You'll also need your choice of a NAND read/write solution. I'd advise a USB-based one, but as they're more expensive, you might want to go LPT.

As before, for more info and live updates on the progress of everything, visit #rgloader

- Gadorach

#28 skullcrusher

    X-S Senior Member

  • Members
  • 165 posts

Posted 27 September 2011 - 11:07 AM

I find your work so far very encouraging! Please keep it up.

Regards

#29 Gadorach


Posted 27 September 2011 - 02:38 PM

QUOTE(skullcrusher @ Sep 27 2011, 07:07 AM)

I find your work so far very encouraging! Please keep it up.

Regards


I plan to do as much as I can on this, but I can't really say I've heavily contributed yet, as we can't figure any more out until we have more testers. At this point, my biggest goal is to see how much PPC ASM I can cram into my brain in a short period of time. Most of us are waiting on parts before we can finish setting up, like me, and the one person that had everything set up had a HDD die on him.
More to the point, though, progress will be slow until we all have our equipment.

Also, kinda funny, but just as I woke up and signed into #rgloader, stoker logged off so I have little to no idea of what he's been up to since he left, though from the 2-3 posts I did catch, I think he finally got a 360 donated to him. << -- Good News!

- Gadorach

#30 skullcrusher


Posted 27 September 2011 - 09:33 PM

QUOTE(Gadorach @ Sep 27 2011, 02:38 PM)

we can't figure any more out until we have more testers.


Well, I'm running a glitched brand-new slim and have a few MAX232s I could use to throw a serial cable together if anything needs to be tested. Just let me know!

Regards



