XboxHacker BBS
 
May 21, 2013, 10:18:20 AM




Pages: « 1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 »
Author Topic: xb360 jtag exploit - Discussion  (Read 85965 times)
B1N4RY
Xbox Hacker
Posts: 790
« Reply #80 on: August 12, 2009, 11:48:25 AM »

1. Will we be able to run Unsigned xex files and unofficial dashboards?
2. What do you mean by printer cable? Does that mean no need for Infectus? Any info link will help, thanks.


If you have actually read, these questions were answered only a few posts up.
1. Theoretically, this can be used to boot into any dashboard (including unofficial ones), no need to update. Just inject and boot.
2. The NAND is programmed using a JTAG method via the LPT port, no Infectus is needed.
SUDDEN73
Newbie
Posts: 4
« Reply #81 on: August 12, 2009, 04:27:47 PM »

Release date?
I cannot wait, this is the best news! Another hacked kernel (full homebrew support, open console hardware for software manipulations), installing/booting games without the original DVD in the future, and possibly running PPC-based emulators on Linux, or more...

Thanks for the hard work!
JBDizzle
Newbie
Posts: 4
« Reply #82 on: August 12, 2009, 06:12:04 PM »


Hi, my dashboard version is 8495. I used the demo. Should I update to 98 or is it hackable?
JBDizzle
Newbie
Posts: 4
« Reply #83 on: August 12, 2009, 06:21:54 PM »

Well said, tmbinc! Although I have updated my Jasper to the fxxking 8xxx, I am going to buy another Jasper or two from Dell as soon as your hack is released. I still have an old Xenon, but I am afraid it may RROD eventually. I am not sure how soon Microsoft will put the 8xxx into production, so a wise decision would be to buy the Jasper as soon as possible?
Hi. I just bought an Arcade from Dell and will let you know if it's pre-8xxx.
downcastnut
Newbie
Posts: 4
« Reply #84 on: August 12, 2009, 07:08:23 PM »

I just have one question:
Will this eventually be worked out so you can go online while having homebrew, without a dual NAND?
shadeth
Newbie
Posts: 2
« Reply #85 on: August 12, 2009, 07:38:39 PM »

I just have one question:
Will this eventually be worked out so you can go online while having homebrew, without a dual NAND?

You could probably just run the 8498 Dash.xex from a folder with the contents of an 8498 flash. Don't quote me on that, though.

Even if that worked, you'd still get banned if you ran homebrew XEXs or modded games.
B1N4RY
Xbox Hacker
Posts: 790
« Reply #86 on: August 12, 2009, 07:41:53 PM »

Hi, my dashboard version is 8495. I used the demo. Should I update to 98 or is it hackable?
All 849X dashboards are blacklisted, I believe.

Hi. I just bought an Arcade from Dell and will let you know if it's pre-8xxx.
There's a 99.9% chance it has dashboard 7XXX.
B1N4RY
Xbox Hacker
Posts: 790
« Reply #87 on: August 12, 2009, 07:42:46 PM »

Tmbinc, do you have a workaround for the Xboxes that have CB >1920?
« Last Edit: August 12, 2009, 07:44:17 PM by B1N4RY »
jester
Master Hacker
Posts: 192
« Reply #88 on: August 12, 2009, 09:18:30 PM »

Tmbinc, do you have a workaround for the Xboxes that have CB >1920?

I won't comment on stuff about what code to run / rebooter questions. This is simply not the place for that, we're talking about the *exploit* here.

Yes, it's the traditional idle-context-stack-overtake vector, like KK used. It's really just the KK exploit converted to be contained in a single sector (plus ecc, for the HV offset overwrite).

Post is 0x6C, iirc. Other threads have already started, yeah. But catching those is FAR more reliable than before, and works almost every time, and takes only a few microseconds.

Remember the code which checks if the pairing data is all-zero, and skips the SMC-checksum/LDV/pairing check then? We're using this codepath. It can be, since 1920, abused to boot into any kernel, because 1920 will also apply (specially patched) updates in this mode. Since it doesn't require pairing, it doesn't require knowing the CPU key, or doing the TA.

However, obtaining a decrypted CD >= 1920 (CB is easy, since it's encrypted only with the 1BL key) is a bit difficult, because you need to know the CPU key, which was a chicken/egg problem. 1920 is relatively easy, since you can TA. 1921 fixed TA, so it's much more difficult. We solved that by diff'ing 1920/1921 CB, and applying those changes to 1921 CD, and fixing alignment etc. until the hash matches. Was some days of boring work, but finally worked out. The other CDs are easy then (just changed version numbers, mostly), except for Jasper, which is a totally different story (but we solved that, too).

Once you have CB/CD, you can re-encrypt them, zero the pairing data (CPU key is not used in zero-pair mode, so encryption is like <1920), and prepare a proper update (4532, also zero-paired). Console will boot up, skip the pairing check, apply the 4532, boot into kernel, do basic init, query RTC, get exploited, runs code.

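Worked example, added here and not part of jester's post or of any Xbox 360 tool: the CB/CD key derivation the post describes, with the zero-pairing branch, run for a pre-1920 CB, a paired CB >= 1920 and a zero-paired CB >= 1920. Everything beyond what the post states is an assumption: the 16-byte bootloader header followed by a clear 16-byte nonce and an RC4-encrypted body, and the HMAC-SHA1 derivation keyed from the parent bootloader, follow the public Free60 description of the chain as I recall it; the 1BL key, CPU key, nonces and payloads are constructed test values, and the pairing data is passed in as a parameter because the thread does not give its location in the image.

```python
import hashlib
import hmac
import struct
from typing import Optional

# Constructed placeholder keys: NOT the real 1BL key and not any console's CPU key.
ONE_BL_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")
CPU_KEY = bytes.fromhex("a1a2a3a4a5a6a7a8a9aaabacadaeafb0")

# Assumed bootloader header: magic, version, flags, entry, size (0x10 bytes),
# then a 16-byte nonce at 0x10 and the RC4-encrypted body from 0x20.
HDR = struct.Struct(">2sHIII")
BODY_OFF = 0x20


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_key(parent_key: bytes, nonce: bytes, cpu_key: Optional[bytes] = None) -> bytes:
    """RC4 key = first 16 bytes of HMAC-SHA1(parent_key, nonce [|| cpu_key])."""
    msg = nonce if cpu_key is None else nonce + cpu_key
    return hmac.new(parent_key, msg, hashlib.sha1).digest()[:16]


def parse_header(blob: bytes) -> dict:
    magic, version, flags, entry, size = HDR.unpack_from(blob, 0)
    return {"magic": magic, "version": version, "flags": flags,
            "entry": entry, "size": size, "nonce": blob[0x10:BODY_OFF]}


def build_bootloader(magic: bytes, version: int, nonce: bytes,
                     body: bytes, key: bytes) -> bytes:
    """Header + clear nonce + RC4(body): what a re-encrypted CB/CD looks like."""
    return HDR.pack(magic, version, 0, 0, BODY_OFF + len(body)) + nonce + rc4(key, body)


def cb_key(cb_blob: bytes) -> bytes:
    """CB is keyed from the 1BL key alone ("encrypted only with the 1BL key")."""
    return derive_key(ONE_BL_KEY, parse_header(cb_blob)["nonce"])


def cd_key(cb_blob: bytes, cd_nonce: bytes, pairing: bytes, cpu_key: bytes) -> bytes:
    """CD key as the CB would derive it. CB >= 1920 mixes the CPU key in, except
    when the pairing data is all-zero: that codepath skips the pairing check and
    falls back to the pre-1920 derivation, so the CPU key drops out entirely."""
    zero_paired = not any(pairing)
    if parse_header(cb_blob)["version"] >= 1920 and not zero_paired:
        return derive_key(cb_key(cb_blob), cd_nonce, cpu_key)
    return derive_key(cb_key(cb_blob), cd_nonce)


def decrypt_body(blob: bytes, key: bytes) -> bytes:
    return rc4(key, blob[BODY_OFF:])


def outsider_can_read_cd(cb_version: int, pairing: bytes) -> bool:
    """The console (knowing CPU_KEY) encrypts a CD; someone holding only the 1BL
    key and a guessed all-zero CPU key then tries to decrypt it. True means the
    CPU key was never needed."""
    cb_nonce, cd_nonce = bytes.fromhex("cb" * 16), bytes.fromhex("cd" * 16)
    cd_plain = b"constructed CD payload"
    cb_blob = build_bootloader(b"CB", cb_version, cb_nonce, b"constructed CB code",
                               derive_key(ONE_BL_KEY, cb_nonce))
    cd_blob = build_bootloader(b"CD", cb_version, cd_nonce, cd_plain,
                               cd_key(cb_blob, cd_nonce, pairing, CPU_KEY))
    guessed = cd_key(cb_blob, cd_nonce, pairing, bytes(16))
    return decrypt_body(cd_blob, guessed) == cd_plain


if __name__ == "__main__":
    for version, pairing in ((1888, b"\x01\x02\x03"), (1921, b"\x01\x02\x03"), (1921, bytes(3))):
        print(version, "zero-paired" if not any(pairing) else "paired",
              "-> readable without CPU key:", outsider_can_read_cd(version, pairing))
```

The point the three runs make is the one in the post: the only thing that ties a CD >= 1920 to one console is the CPU key mixed into the CD key, and the zero-pairing codepath removes exactly that input, so a zero-paired CB/CD pair can be re-encrypted with nothing but the 1BL key and a decrypted CD.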
JBDizzle
Newbie
Posts: 4
« Reply #89 on: August 12, 2009, 09:19:08 PM »

Hi, my dashboard version is 8495. I used the demo. Should I update to 98 or is it hackable?
All 849X dashboards are blacklisted, I believe.

Hi. I just bought an Arcade from Dell and will let you know if it's pre-8xxx.
There's a 99.9% chance it has dashboard 7XXX.
Appreciate the help.
B1N4RY
Xbox Hacker
Posts: 790
« Reply #90 on: August 12, 2009, 09:56:09 PM »

Thanks jester, I didn't know that he posted something new in that thread
nickcas
Master Hacker
Posts: 123
« Reply #91 on: August 12, 2009, 10:22:27 PM »

Tmbinc and any others who might know the answer: if we are currently on a dash prior to 8xxx and we do a dual NAND mod, and then flash the hack onto one of the NANDs, could we then update the other NAND to 8498, thus allowing LIVE and homebrew on the same box?


Thanks.
B1N4RY
Xbox Hacker
Posts: 790
« Reply #92 on: August 12, 2009, 10:27:18 PM »

Not likely. The bootloader will still be updated, blacklisting the exploitable kernels.
nickcas
Master Hacker
Posts: 123
« Reply #93 on: August 12, 2009, 10:28:40 PM »

Not likely. The bootloader will still be updated, blacklisting the exploitable kernels.

How, though? 2BL is in the NAND from what I've heard, and if you had a dual NAND mod, the one side of the NAND with the hack should be kept safe from the other side that had the update, right?

Ah, I see you changed to "not likely" lol. I think there's a chance of that working.
« Last Edit: August 12, 2009, 10:41:48 PM by nickcas »
jester
Master Hacker
Posts: 192
« Reply #94 on: August 12, 2009, 10:44:00 PM »

No. The bootloader will still be updated, blacklisting the exploitable kernels.

How, though? 2BL is in the NAND from what I've heard, and if you had a dual NAND mod, the one side of the NAND with the hack should be kept safe from the other side that had the update, right?
From what we understand, yes. As long as you wait until you can run the exploit and get your CPU key, afterwards we should be able to get onto Live with a dedicated NAND running the latest update.

Source: http://www.xbox-scene.com/xbox1data/sep/EElkyVZlkAWyvjrKRY.php
Quote
'CB' (2nd bootloader?) and 'CF' (kernel patches) are located on the Xbox 360 on-board flash in the "CPU data" section (data which is read when the power is switched on. If invalid, console might blink red etc.).
uN0pEn
Hacker
Posts: 54
« Reply #95 on: August 12, 2009, 10:48:00 PM »

How, though? 2BL is in the NAND from what I've heard, and if you had a dual NAND mod, the one side of the NAND with the hack should be kept safe from the other side that had the update, right?

Ah, I see you changed to "not likely" lol. I think there's a chance of that working.

Not that this is an answer in any way, but I agree with your line of thinking sort of. I am assuming that the update is a killer with regards to grabbing an exploitable dump of your specific NAND. I assume that once you have a dump of your NAND and the necessary information extracted from your console, all bets are off and you can run latest updates on the onboard NAND and just re-encrypt whatever NAND exploit you want for your secondary NAND flash part.



EDIT: Ah, jester seems to have beaten me to it.
« Last Edit: August 12, 2009, 10:49:48 PM by uN0pEn »

As with all things uN0pEn
nickcas
Master Hacker
Posts: 123
« Reply #96 on: August 12, 2009, 11:00:04 PM »

It won't work. Tmbinc confirmed it.
jester
Master Hacker
Posts: 192
« Reply #97 on: August 12, 2009, 11:14:35 PM »

It won't work. Tmbinc confirmed it.
Yes he did:


http://pastebin.com/d60924e9d
B1N4RY
Xbox Hacker
Posts: 790
« Reply #98 on: August 12, 2009, 11:21:22 PM »

Bottom line:
Forget about updating your console to dashboard 8XXX at all for now.
I'm pretty sure most of you will live without XBL.
Redline99
Global Moderator
Xbox Hacker
Posts: 774
« Reply #99 on: August 12, 2009, 11:31:16 PM »

tmbinc is right, once you update you cannot go back because of the revocation fuses, even on a dual NAND setup. You update, you are out of luck on that console.

Where's Waldo
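To make the point of the last few posts concrete, an added example that is not from the thread or from any Xbox tool: a model of a one-way fuse bank in the CPU and the lockdown-value (LDV) check a bootloader does against it, played through the dual-NAND scenario nickcas asked about. The fuse layout, the LDV numbers and the image names are constructed; the only facts taken from the posts are that the fuses sit in the CPU (so both NAND chips boot against the same bank), that they only ever count up, and that an update burns them.

```python
from dataclasses import dataclass
from typing import Tuple


@dataclass
class FuseBank:
    """One-way fuse line in the CPU (constructed model). Bits can be burned
    (set) but never cleared, and both NAND chips of a dual-NAND mod are
    checked against this same bank."""
    bits: int = 0

    def burn_to(self, ldv: int) -> None:
        # Monotonic: an update only ever adds set bits; a lower target is a no-op.
        self.bits |= (1 << ldv) - 1

    @property
    def ldv(self) -> int:
        """Lockdown value = number of burned fuses."""
        return bin(self.bits).count("1")


@dataclass(frozen=True)
class NandImage:
    name: str
    cb_ldv: int  # LDV the image's bootloader was built for (constructed values)


def can_boot(fuses: FuseBank, image: NandImage) -> bool:
    """Model of the revocation check: a bootloader whose LDV is below the burned
    fuse count is treated as revoked and refused, whichever NAND it came from."""
    return image.cb_ldv >= fuses.ldv


def dual_nand_scenario() -> Tuple[bool, bool, bool, int]:
    """Exploitable image on NAND A, then the 8xxx-style update applied on NAND B.
    Returns (A boots before update, B boots after, A boots after, final LDV)."""
    fuses = FuseBank()
    fuses.burn_to(1)                                   # console as bought
    old = NandImage("NAND A: exploitable image", cb_ldv=1)
    new = NandImage("NAND B: updated image", cb_ldv=3)
    before = can_boot(fuses, old)
    fuses.burn_to(new.cb_ldv)                          # the update burns fuses
    fuses.burn_to(old.cb_ldv)                          # "rolling back" burns nothing
    return before, can_boot(fuses, new), can_boot(fuses, old), fuses.ldv


if __name__ == "__main__":
    print(dual_nand_scenario())  # (True, True, False, 3)
```

Switching back to NAND A after the update changes which flash is read, not the fuse count, which is why the exploitable image is refused afterwards regardless of how many NAND chips are wired in.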
 
