Xbox-Scene
360 Flash Dump Tool v0.4
Posted by XanTium | June 9 22:52 EST | News Category: Xbox360
 
Robinsod released a new version of the 360 Flash Dump Tool (info), a developer's tool that allows you to decrypt and extract various parts of an Xbox360 flash dump.
What's new/fixed (since v0.2)
* Fixed CG extraction (see NAND Layout thread for info)
* Reverted CE.cab to single file (thanks Takires)
* As TheSpecialist said extraction of CE section is now working, and what a pig it was Wink, you may now right click and select 'Extract' and get just the raw, decrypted CE Section or Kernel(s). Selecting Kernel(s) causes the application to extract the base (typically 1888) HV and Kernel as an uncompressed file - "xboxkrnl.1888.exe". The option to extract them as a .cab file has now been removed. If 1 or both of the patch (CF/CG) slots are occupied they will be applied to the base kernel and the result is also written as a file - xboxkrnl.XXXX.exe.
For example, if you have a base kernel (1888) and 2 patches (2858 and 4552) in your flash dump, load it into the tool, right click on CE and choose Kernel(s); you will get 3 files:
- xboxkrnl.1888.exe The base HV & kernel, no patches
- xboxkrnl.2858.exe The base HV & kernel, patched to 2858
- xboxkrnl.4552.exe The base HV & kernel, patched to 4552
* I noticed an odd bug in the upgrade process while developing this tool. I have some dumps from a box where 4532 is upgraded to 4548. As I noted the other day, the first 0xBB40 bytes of CG are stored immediately after CF and the remainder is stored in FS blocks (there's a list in the CF header and they also appear in the FS as sysupdate.xexp files). Well, it appears that during the update process from 4532 to 4548 the CG data for 4532 was deleted but the list in CF is still valid. This is odd since 4548 was not a lock down version, was it? Yet it would be impossible to roll back from a corrupt 4548 to 4532.
* It's very interesting to diff 4548 and 4552; they have << 100 bytes of differences, so I guess the exploit fix was pretty small Wink

Official Site: n/a, by Robinsod on xboxhacker.net
Download: here


Albuyeh
suhweet
RaLdY
I still don't get what this is for, the DVD firmware hack or the hypervisor exploit?
TheLegace
QUOTE(RaLdY @ Jun 10 2007, 05:29 AM) *

I still don't get what this is for, the DVD firmware hack or the hypervisor exploit?


This is for the Hypervisor. Looks like some great accomplishments are happening now that the 360 dumps can be decrypted; I am getting excited, homebrew is really looking good now.
BrooksyX
Hopefully this flash dump tool will lead to a big hole in the 360 kernel, hopefully even the newer ones too.
ratis
so I guess the exploit fix was pretty small Wink


I'd like to know what the wink is all about
Xx The 0ne xX
QUOTE(ratis @ Jun 10 2007, 02:06 AM) *

so I guess the exploit fix was pretty small Wink
I'd like to know what the wink is all about

I think he meant to do wink.gif but put "wink" instead
mylakerye
This is very good. 100 bytes of difference means they added a single command or changed a couple of values, no rewriting of the hypervisor; I hope we find something good here.
tomgreen99200
homebrew. i like !
Trex666
Ouu, I dunno, I'd say this is only exciting for people who can already run homebrew via the HV exploits.
mace1337
QUOTE(Trex666 @ Jun 10 2007, 01:56 PM) *

Ouu, I dunno, I'd say this is only exciting for people who can already run homebrew via the HV exploits.


Maybe this will lead to new exploits, or the resetting of the efuses, allowing a downgrade using an Infectus or something. Just be patient, I expect to see homebrew by the end of this year!
frontlinep8tbal
Efuses cannot be reset. They are comparable to, let's say, a fuse for your car. It has a wire that goes through it and at the right amount of current it burns out. Same goes for efuses. For CPUs that have the possibility of becoming unstable, the fuse can be blown to save them from damage. Once it's blown, it's blown.

All in due time. Once the teams find a solution for all kernels, the previously blown efuse won't matter. For the meantime, enjoy your retail games.
Gators2001
Is this able to read the Key off the Console or is this only for the DVD drive?


I need to get the key off the console. Bad DVD drive...
mylakerye
QUOTE

Efuses cannot be reset. They are comparable to, let's say, a fuse for your car. It has a wire that goes through it and at the right amount of current it burns out. Same goes for efuses. For CPUs that have the possibility of becoming unstable, the fuse can be blown to save them from damage. Once it's blown, it's blown.


http://en.wikipedia.org/wiki/EFUSE

"...the chip can instantly change its behavior by 'blowing' an eFUSE. This process does not physically destroy the eFUSE, so it is reversible and repeatable."

Wikipedia wrong.... who's heard of such?
openxdkman
Congrats! Free brains still win!
mace1337
QUOTE(frontlinep8tbal @ Jun 10 2007, 04:51 PM) *

Efuses cannot be reset. They are comparable to, let's say, a fuse for your car. It has a wire that goes through it and at the right amount of current it burns out. Same goes for efuses. For CPUs that have the possibility of becoming unstable, the fuse can be blown to save them from damage. Once it's blown, it's blown.

All in due time. Once the teams find a solution for all kernels, the previously blown efuse won't matter. For the meantime, enjoy your retail games.


That's what I thought at first, but the people working on the kernel have found out that it is just a piece of data which is used as a seed to most/all of the encryption. Sort of like a fingerprint.
It is definitely reversible.

The newer kernels don't run on an Xbox with "unblown" fuses, because the fingerprint does not match and the hypervisor does not allow booting.

The discussion is still going on about there being actual silicon fuses and/or just an eeprom with info, but it sure as hell is reversible.

QUOTE(mylakerye @ Jun 10 2007, 06:50 PM) *

http://en.wikipedia.org/wiki/EFUSE

"...the chip can instantly change its behavior by 'blowing' an eFUSE. This process does not physically destroy the eFUSE, so it is reversible and repeatable."

Wikipedia wrong.... who's heard of such?


Thank you, although the efuses in the xbox seem to be slightly different, this still stands.
TheSpecialist
QUOTE(Gators2001 @ Jun 10 2007, 06:13 PM) *

Is this able to read the Key off the Console or is this only for the DVD drive?
I need to get the key off the console. Bad DVD drive...

We've JUST decrypted the key storage, containing the DVD key. Next version of the tool, with the ability to decrypt it, will be out soon. However, it's encrypted with fuse data, so you'll need to have the fuse data to get your DVD key from the motherboard. In most cases, this won't be very useful, since you probably won't have that and you can't get it without a DVD key in the first place. At least ... not yet. But on the bright side ... progress again!
wassco
Man, this stuff sounds good, hopefully someday we'll be able to flash the mobo (I have a dead 360 (E71 error)).

So as soon as we can flash the onboard bios, or get around it.... I'll be happy... then 2 360's
TheSpecialist
and it's out: http://www.xboxhacker.net/index.php?topic=...g49343#msg49343

You can now decrypt the whole key section if you have a valid flash dump (like from the Infectus chip) and the fuse data (from the XeLL loader, for example). It will show you the DVD key and some other stuff; gonna do some research to find out what else of interest is in there.
Knasen
QUOTE(TheSpecialist @ Jun 10 2007, 11:36 PM) *

and it's out: http://www.xboxhacker.net/index.php?topic=...g49343#msg49343

You can now decrypt the whole key section if you have a valid flash dump (like from the Infectus chip) and the fuse data (from the XeLL loader, for example). It will show you the DVD key and some other stuff; gonna do some research to find out what else of interest is in there.


Incredible work from all you guys, we love you!
The Prankster
Progress is everything!
CeNTauR2
Incredible what you guys can pull off! Thanks for your hard work, and keep going!

psxpirate1
Isn't everything signed and verified by the hypervisor before anything can be executed? Also, does Microsoft scan people's 360's after the dash upgrades have taken place? They may have this info on record for Live users. Seems like something people could be missing if the ban hammer comes down again. The trick would be to get the 360 to register as the latest kernel update, I'm thinking.
eX_Do0mY
QUOTE(TheSpecialist @ Xboxhacker.net)
Well from power-on:
1. 1BL (first bootloader, stored in ROM). This loads, decrypts and starts:
2. CB (2BL, 2nd bootloader, stored in NAND). This loads, decrypts and starts:
3. CD. This loads, decrypts and decompresses CE, which contains the base kernel + base HV. It also loads, decrypts and then starts:
4. CF. This loads, decrypts and decompresses CG, which contains the patches for kernel and HV. It then applies the patches and starts up the patched HV and then the patched kernel. Then it boots dash.

So basically it's like: 1BL -> 2BL -> patch kernel and HV and start them -> boot dashboard.

Every step also checks signature for the next step of course.


Yes, it seems everything past 1BL is checked and signed. Looks like all you gotta do is find a way to defeat the 1BL, and you've won. Hypervisor isn't even up until the 4th step.
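The staged chain quoted above (and the base-kernel-plus-CF/CG-patch extraction described in the changelog) can be modeled as a short verified-boot simulation. This is an added example, not code from the tool or from anyone in the thread: HMAC-SHA256 stands in for the console's actual signature scheme, which the post does not describe, and the CG patch record layout is an assumption of the model.

```python
import hashlib, hmac, struct

# Stage order from the quoted post: 1BL (in ROM) verifies CB, CB verifies CD,
# CD verifies CE (base HV + kernel), CF verifies CG (the patches) and applies
# them to the base kernel. Decompression is left out of the model.
CHAIN = ["CB", "CD", "CE", "CF", "CG"]

# Constructed stand-in: HMAC-SHA256 replaces the console's real signature scheme.
ROOT_KEY = b"constructed-1bl-rom-key"

def _sign(key, body, next_key):
    # Covers the body and the key used on the next stage, so swapping either breaks the chain here.
    return hmac.new(key, body + next_key, hashlib.sha256).digest()

def build_flash(bodies):
    """Sign each stage with the key held by the stage before it (1BL for CB)."""
    flash, key = {}, ROOT_KEY
    for name in CHAIN:
        nxt = b"" if name == "CG" else hashlib.sha256(b"key-" + name.encode()).digest()
        flash[name] = {"body": bodies[name], "next_key": nxt,
                       "sig": _sign(key, bodies[name], nxt)}
        key = nxt
    return flash

def apply_cg(ce_body, cg_body):
    """Patch CE with CG records of (2-byte offset, 1-byte length, bytes).
    This record layout is an assumption of the model, not the real format."""
    out, pos = bytearray(ce_body), 0
    while pos < len(cg_body):
        off, length = struct.unpack_from(">HB", cg_body, pos)
        pos += 3
        out[off:off + length] = cg_body[pos:pos + length]
        pos += length
    return bytes(out)

def boot(flash):
    """Walk the chain and stop at the first stage whose signature fails."""
    key = ROOT_KEY
    for name in CHAIN:
        st = flash[name]
        if not hmac.compare_digest(st["sig"], _sign(key, st["body"], st["next_key"])):
            return {"ok": False, "failed_at": name, "kernel": None}
        key = st["next_key"]
    return {"ok": True, "failed_at": None,
            "kernel": apply_cg(flash["CE"]["body"], flash["CG"]["body"])}

def demo():
    """Boot a good image, then the same image with one bit flipped in CG."""
    base = b"BASE-HV+KERNEL-1888-" + bytes(12)          # constructed CE body
    cg = struct.pack(">HB", 20, 4) + b"4552"            # constructed single patch
    flash = build_flash({"CB": b"cb", "CD": b"cd", "CE": base, "CF": b"cf", "CG": cg})
    tampered = {k: dict(v) for k, v in flash.items()}
    tampered["CG"]["body"] = bytes([cg[0] ^ 1]) + cg[1:]
    return boot(flash), boot(tampered)
```

The good image yields the patched kernel (the analogue of the tool's xboxkrnl.4552.exe output); the tampered one is rejected at the CF-verifies-CG step, so no patched kernel is ever produced.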
ITMASTER
Very good to hear this kind of news )) the Judgment day is getting closer and closer ))
X-hacker
QUOTE(ITMASTER @ Jun 12 2007, 08:12 AM) *

Very good to hear this kind of news )) the Judgment day is getting closer and closer ))


Hear, hear

Micro$oft may have done a good job with the security lockdown on the 360,

BUT NO WHERE NEAR GOOD ENOUGH FOR THE MIGHTY MINDS IN THIS SCENE!

Nice work guys, keep us posted.
wassco
Even if they find a way to manipulate it *and in return completely ruining all live capability...*


to me (and almost ALL of my friends around here...) we could honestly care less and would be glad to rid ourselves of *live* play..

as long as we would be able to get homebrew / XBMC360 (oh the dream) on our boxes...

so many pros to the only one con (no xbox live)
The Prankster
I personally can't wait to use this tool, I bought a 360 motherboard from someone on x-s with good rep, and a bunch of sweet looking stuff, gonna try to get an infectus soon too. Those infectus's are one BITCH to get, everything is in euros + italian sites and broken english, and yeah... blah blah blah very hard to buy.

Cheers.
HackaJack
QUOTE(The Prankster @ Jun 13 2007, 03:43 AM) *

I personally can't wait to use this tool, I bought a 360 motherboard from someone on x-s with good rep, and a bunch of sweet looking stuff, gonna try to get an infectus soon too. Those infectus's are one BITCH to get, everything is in euros + italian sites and broken english, and yeah... blah blah blah very hard to buy.

Cheers.


Where abouts are you? I got mine in the UK from mrmodchips

chrisdot
QUOTE(Gators2001 @ Jun 10 2007, 05:13 PM) *

Is this able to read the Key off the Console or is this only for the DVD drive?
I need to get the key off the console. Bad DVD drive...



Erm, I need this info too..... bad DVD-ROM....... did you have any luck?
kev147
I am very interested and excited in the recent progress made with the 360.

I am in a bit of a dilemma at the moment though.

I have a 360 with one of the kernels that allows me to run Linux through the hypervisor vulnerability. I have just purchased Forza Motorsport 2, not realising that it would need to update the kernel to play the game.

I have read on various sites about the new breakthrough in being able to downgrade the kernel, obviously this doesn't really affect me at the moment as I am running the kernel that most people will probably want to downgrade to.

The bit I can't understand from what I have read is, how do I go about extracting this CPU key so I can play Forza 2 and downgrade the kernel in the future so I can run homebrew, when it is at the same level of XBMC on the Xbox1.

Is it actually possible to extract the CPU key from my kernel 4532? If so, how do I do this? I can't find instructions and I have been searching for hours.

The other thing that I have read, is that I need to make a note of the fuseset data, does this show up after I insert the gentoo linux cd after king kong ejects?

I think I have found an example of this shown below:

***********************************
Xe>!
XeLL - Xenon linux loader 0.1
* clearing BSS...
* Attempting to catch all CPUs...
CPUs online: 01..
CPUs online: 15..
* success.
trying to initialize network...
ok now the NIC
NETIF at 8000000001459478
NIC reset
reset: 01805508
1478 before: f2050000
1478: f2050000
init tx
init rx
starting httpd server..ok!
* CPU PVR: 00710200
* FUSES - write them down and keep them safe:
fuseset 00: c0ffffffffffffff
fuseset 01: 0f0f0f0f0f0f0ff0
fuseset 02: 0f00000000000000
fuseset 03: c2666e8fab3c299a
fuseset 04: c2666e8fab3c299a
fuseset 05: c49a457d64ba4b3d
fuseset 06: c49a457d64ba4b3d
fuseset 07: f000000000000000
fuseset 08: 0000000000000000
fuseset 09: 0000000000000000
fuseset 10: 0000000000000000
fuseset 11: 0000000000000000
******************************************

If the above is a correct example, do I just need to write down all the lines that start "fuseset"?

Also can someone tell me what the "CPU PVR" line means? Is this the CPU key that I need to also make a note of?

I am really sorry if this is all completely me being a noob. I have really tried to find all the information, but can't for the want of trying. Hopefully the questions I have asked, other members also need the answers.

I know this is me being greedy, but I would really like to run homebrew similar to XBMC on the Xbox1 and be able to watch/listen to videos, pictures and music streamed from my PC, as well as having the ability to play games. I know a lot of people are thinking the way forward is to have 1 Xbox 360 for gaming and 1 for homebrew, but as I am not that fussed about Xbox Live, I think I might get away with just the 1 Xbox 360. Here's to optimism.
torne
QUOTE(kev147 @ Jun 28 2007, 10:22 PM) *

If the above is a correct example, do I just need to write down all the lines that start "fuseset"?

Yup, that's it. The CPU key is fusesets 3 and 5 (or 4 and 6, they are the same).
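As an added example (not from the thread or from the tool), a small checker for a transcribed XeLL fuse dump: it parses the "fuseset NN:" lines, flags missing sets and mismatches between the duplicated pairs torne points to (03/04 and 05/06), and assembles the CPU key from fusesets 03 and 05. The sample text is constructed in the shape of the output kev147 posted; fusesets 03 to 06 are made-up values, not any console's key.

```python
import re

# Constructed sample shaped like the XeLL output quoted in the thread;
# fusesets 03..06 are made-up values and do not belong to any real console.
SAMPLE_XELL = """\
* CPU PVR: 00710200
* FUSES - write them down and keep them safe:
fuseset 00: c0ffffffffffffff
fuseset 01: 0f0f0f0f0f0f0ff0
fuseset 02: 0f00000000000000
fuseset 03: 0123456789abcdef
fuseset 04: 0123456789abcdef
fuseset 05: fedcba9876543210
fuseset 06: fedcba9876543210
fuseset 07: f000000000000000
fuseset 08: 0000000000000000
fuseset 09: 0000000000000000
fuseset 10: 0000000000000000
fuseset 11: 0000000000000000
"""

FUSE_RE = re.compile(r"^fuseset (\d\d): ([0-9a-fA-F]{16})$", re.MULTILINE)

def parse_fusesets(text):
    """Return {index: value} for every 'fuseset NN: <16 hex digits>' line."""
    return {int(n): v.lower() for n, v in FUSE_RE.findall(text)}

def check_fuse_backup(text):
    """Sanity-check a transcribed fuse dump before relying on it.
    Per torne's reply, the CPU key is fusesets 03+05, duplicated in 04+06;
    a mismatch within a pair is the usual sign of a transcription error."""
    fs = parse_fusesets(text)
    problems = []
    missing = sorted(set(range(12)) - set(fs))
    if missing:
        problems.append("missing fusesets %s" % missing)
    for a, b in ((3, 4), (5, 6)):
        if a in fs and b in fs and fs[a] != fs[b]:
            problems.append("fuseset %02d and %02d differ" % (a, b))
    cpu_key = fs[3] + fs[5] if 3 in fs and 5 in fs else None
    return {"ok": not problems, "problems": problems, "cpu_key": cpu_key}
```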
kev147
Do I need to make a note of any other information before I update my kernel by playing Forza2?

I need some advice.

If you were in my position, would you wait and just play old games, or would you make a note of the fuseset data and play new games, hoping that we can in fact downgrade the kernel to run homebrew in the future?
(The CPU key is in this fuseset data, the last person advised me)

Pres
I have a few questions?
I have got my NAND, 1BL and fuses dumped. It is my understanding that the program 360 FDT which I am using (.061) won't extract, or will crash, if the improper 1BL key is in the cxkey.txt file. It took me some figuring out (never used IDA) where to look for the key, but I think I found it and it will extract all the info including the kernels. If I change a variable in the key the program crashes, and if I revert back to 0000's it works but won't extract. Does this assume I have the proper key? Also, now that this information has been obtained, does this mean updating is okay? Feedback appreciated guys!
kev147
Hi Pres, I want to help but your last post has just created more questions for me.

What is the NAND 1BL and how do you get it?

The fuses must be the fuseset data written down, is that correct?

What is 360 FDT?

Basically what are you trying to do, why and how do I do it?

I want to learn and help others on the site, but am just starting out, so please be gentle with me.
Pres
The NAND is the internal flash memory of the Xbox 360.
The 1BL is the initial boot loader of the 360.
Yes, the fuse.txt is the fuse data that you previously wrote down.
360 FDT was an abbreviation of the 360 Flash Dump Tool, referring to the thread we are in.

It is my understanding that you can extract your CPU data and kernel versions in combination with the 1BL key and the CPU key. So basically I want to make sure I have everything needed to downgrade my kernel in hopes of a future exploit, so that I can update for the newer games manufactured after "feb 20th."

In order for you to get these you will again need to run Linux, gain root access, SSH into the live CD, transfer and run some code in order for it to dump these things, then transfer them back to your PC. Correct me if I am wrong with anything, but I am just learning as I go.
neveti
So how can we downgrade (if we know those fuseset keys) from kernel 5759 to 4532, if we don't have the Hypervisor Vulnerability in kernel 5759?
torne
QUOTE(neveti @ Jul 3 2007, 11:55 PM) *

So how can we downgrade (if we know those fuseset keys) from kernel 5759 to 4532, if we don't have the Hypervisor Vulnerability in kernel 5759?

Get a copy of kernel 4532, get an Infectus modchip (or modify an xD card reader), back up the contents of your NAND flash using the chip/reader, then use the flash dump tool on the 4532 dump to encrypt it with your key and set the version lock thingy to a suitably high value to allow it to work on an upgraded box with efuses popped. Flash this onto your NAND.

You'll need to remove/doctor your hard disk, too, since otherwise it will try to upgrade you again.