restore hdd game install after ban with nand backup?

[alien.virus]

need some help, findsecdata finds only one secdata.bin, but i see 8 (in hex editor). anyway,  looks like all files have equal timestamp.
link to nand *
any suggestions?
C:\FindSecDatav0.42>FindSecData.exe nand2.bin

findsecdata v0.42 2009-11-28 by boby2pc
Controller version 1
Last filetable change: 0x3D
ECC change: 0x3D Filetbl: 0x012A Secdata: 0x01AD Timestamp: 3B7481BD 2009-11-20

Checking secdata:

Searching for recommended

Extracting secdata:
secdata01AD.bin

Extracting filetables:
filetable012A.bin

Creating patched filetables:

Use:

Old secdata.bin not found. Console might be not banned, already patched or secdata.bin overwritten.

Press ENTER

[nazster]

need some help, findsecdata finds only one secdata.bin, but i see 8 (in hex editor). anyway,  looks like all files have equal timestamp.
link to nand http://cybersec.ru/nand2.bin
any suggestions?
C:\FindSecDatav0.42>FindSecData.exe nand2.bin

findsecdata v0.42 2009-11-28 by boby2pc
Controller version 1
Last filetable change: 0x3D
ECC change: 0x3D Filetbl: 0x012A Secdata: 0x01AD Timestamp: 3B7481BD 2009-11-20

Checking secdata:

Searching for recommended

Extracting secdata:
secdata01AD.bin

Extracting filetables:
filetable012A.bin

Creating patched filetables:

Use:

Old secdata.bin not found. Console might be not banned, already patched or secdata.bin overwritten.

Press ENTER

i have the same problem and trying to look for solution. I hope I get it. All the best to you

[CrimsonIdol]

Decided to try this out the other day. Having a 512 MB Jasper, however, it's taking time

I wired it all up with five ~110 ohm resistors (turns out I was out of 100 ohm ones, had to use 2x56 ohm in series...). I also used a Schottky diode (1A/30V). Connected it to the Xbox, and fired up Nandpro (using "nandpro lpt: -r512 dump.bin"). It found the NAND and started dumping right away.

First read just finished, and apart from three read errors, it seems to have dumped fine. (I can read "© 2004-2009 Microsoft Corporation. All rights reserved." in the file, for one thing)

The errors I got:

Code:

Testing LPT device address:0378
Using LPT device at address:0378
FlashConfig:00AA3020
512MB Nand Detected
Starting Block:0x000000
Ending   Block:0x007FFF

Error: 250 reading block 550
Error: 218 reading block 555
Error: 218 reading block 556

Now, according to Free60, a couple of 25x errors aren't uncommon, but what about the 218 ones? I've just started a second dump, I'll see soon enough if I get the same errors this time.

And I'm not getting the "regular" FlashConfig:01198010, mines 00AA3020 as you can see. Does FlashConfig absolutely have to be 01198010? Like I mentioned, the file format looks okay. I even find references to secdata.bin in the first dump.

On that note, boby2pc: FindSecData crashes when I try to scan the first dump. Of course, this could be due to a corrupt dump, but it finds a couple of secdata listings before it dies on me.

Output from FindSecData before it crashes:

Code:

findsecdata v0.42 2009-11-28 by boby2pc
Controller version 2
Last filetable change: 0x00
ECC change: 0xFFFFFFE8 Filetbl: 0x901F6ED0 Secdata: 0x23C3EE7E Timestamp: 974664AC 1899-12-30
ECC change: 0xFFFFFFE7 Filetbl: 0x63B41419 Secdata: 0x755CD3E4 Timestamp: FCBEFD76 1899-12-30

Counting manually, there are 13 occurences of secdata.bin in the dump.

Edit: Dump 2 in progress and it's currently given me the same errors on blocks 550, 555 and 556.

[flatbushkidus]

im here to say thanks to boby2pc!
through your helping with others and which i have the similar problems of playing the 360 after the ban.
i solved the problem.
im willing to help others to take the load off boby2pc, if i can

boby2pc can you make a program that extract all filetable and secdata as an alt ver?
alot of the ppl here seems to have one timpstamp for like 7 secdata.bin occurance. and i personally not sure where is a good starting point to extract the hex portion after the string.
what that program i believe ppl can do test and trial to see which secdata.bin is a working one i hope.

[boby2pc]

Decided to try this out the other day. Having a 512 MB Jasper, however, it's taking time

I wired it all up with five ~110 ohm resistors (turns out I was out of 100 ohm ones, had to use 2x56 ohm in series...). I also used a Schottky diode (1A/30V). Connected it to the Xbox, and fired up Nandpro (using "nandpro lpt: -r512 dump.bin"). It found the NAND and started dumping right away.

First read just finished, and apart from three read errors, it seems to have dumped fine. (I can read "© 2004-2009 Microsoft Corporation. All rights reserved." in the file, for one thing)

The errors I got:

Code:

Testing LPT device address:0378
Using LPT device at address:0378
FlashConfig:00AA3020
512MB Nand Detected
Starting Block:0x000000
Ending   Block:0x007FFF

Error: 250 reading block 550
Error: 218 reading block 555
Error: 218 reading block 556

Now, according to Free60, a couple of 25x errors aren't uncommon, but what about the 218 ones? I've just started a second dump, I'll see soon enough if I get the same errors this time.

And I'm not getting the "regular" FlashConfig:01198010, mines 00AA3020 as you can see. Does FlashConfig absolutely have to be 01198010? Like I mentioned, the file format looks okay. I even find references to secdata.bin in the first dump.

On that note, boby2pc: FindSecData crashes when I try to scan the first dump. Of course, this could be due to a corrupt dump, but it finds a couple of secdata listings before it dies on me.

Output from FindSecData before it crashes:

Code:

findsecdata v0.42 2009-11-28 by boby2pc
Controller version 2
Last filetable change: 0x00
ECC change: 0xFFFFFFE8 Filetbl: 0x901F6ED0 Secdata: 0x23C3EE7E Timestamp: 974664AC 1899-12-30
ECC change: 0xFFFFFFE7 Filetbl: 0x63B41419 Secdata: 0x755CD3E4 Timestamp: FCBEFD76 1899-12-30

Counting manually, there are 13 occurences of secdata.bin in the dump.

Edit: Dump 2 in progress and it's currently given me the same errors on blocks 550, 555 and 556.

You have the same problem as Nazster. I'm fighting with this problem between helping other people on this forum and other forums.
So far I have recovered filetable with all indexes but it was peace of cake. The main problem is that they references to places where files don't exists. If anyone have any description of large block construction it will be very helpfull.

BTW. I have very bad news about connecting to xbox live. IF YOU RECONNECT TO XBOX LIVE THE SECDATA.BIN IS OVERWRITTEN AGAIN. A few days ago I checked it trying connecting to xbox live and secdata.bin was ok, so they changed it.

[boby2pc]

boby2pc can you make a program that extract all filetable and secdata as an alt ver?
alot of the ppl here seems to have one timpstamp for like 7 secdata.bin occurance. and i personally not sure where is a good starting point to extract the hex portion after the string.
what that program i believe ppl can do test and trial to see which secdata.bin is a working one i hope.

Application extracts all the filetables and secdata which is not corrupted. It extracts only one filetable (latest) which corresponds to each secdata. I don't know if this is really needed to have more filetables.

[Mossolb]

Here is my nand http://www.mossolb.com/files/falcon_nandtest.rar

This 360 was played a lot less than the other one I was able to restore prior to the banning, that is all I can think of.

Edit* fixed the link if anyone else wants to play with it.

Thanks for your help boby2pc.

Checked and it's another with secdata.bin overwritten. The unbanned one was in block 0x25D and something updated it 

boby2pc, I just saw your reply, thanks for checking maybe someone will discover a way around this.

[soulnos]

I've ran into a bit of a hitch. I dumped my nand and used 360 HDFR v1.03 to create the zero'd out Secdata. I then used nandpro to write the Secdata.bin. Something must have went wrong. HDD functionality was not restored and I'm also getting two blinking red lights on the left. I'm not sure if the red lights are from the soldering or the nand write. I'm going to try it again now with bob's tool and see if I get better results.

Just an update. Before I used findsecdata, I decided to restore the nand to it's original state. I then ran the recommended commands findsecdata gave me. Now the system no longer boots, no lights or fan movement. Was it a bad nand read/write? Is there anyway of fixing this, could I use another persons nand.bin for instance? Any help would be appreciated.

[boby2pc]

I've ran into a bit of a hitch. I dumped my nand and used 360 HDFR v1.03 to create the zero'd out Secdata. I then used nandpro to write the Secdata.bin. Something must have went wrong. HDD functionality was not restored and I'm also getting two blinking red lights on the left. I'm not sure if the red lights are from the soldering or the nand write. I'm going to try it again now with bob's tool and see if I get better results.

Just an update. Before I used findsecdata, I decided to restore the nand to it's original state. I then ran the recommended commands findsecdata gave me. Now the system no longer boots, no lights or fan movement. Was it a bad nand read/write? Is there anyway of fixing this, could I use another persons nand.bin for instance? Any help would be appreciated.

Are You sure that have propper backup ? (downloads twice with no difference in comparing and checked with infectus tool).
If You have it then reup to XBOX with "-w" small w option and should be ok.
Give me screenshot of findsecdata and what have You done.

[flatbushkidus]

boby2pc i was wondering that your application is to find the most recent modified values instead of looking for the more recent hex value timestamps right?

like for say i would have some timestamp that occur in the year 2005 before i was ban, let see it was made due to playing offline.
then i would go online and get another valid timestamp at year 2009 sept 9
then a timestamp of when i got ban at year 2009 nov 3
then i play some offline with the ban console getting time stamp at year 2005

the application will just display the recent banned offline play of timestamp year 2005
along with the recent two: year 2009 nov 3 and year 2009 sept 9, right?

reason i ask this is because i saw a few nand that has a big jump in block sector.
like few 2005 occur at block 090~9A then another few 2005 occurance in 200~21D, like so

[boby2pc]

boby2pc i was wondering that your application is to find the most recent modified values instead of looking for the more recent hex value timestamps right?

no, application is looking by max ECC change number (it's one byte in spare data), then steps backward till most recent online as banned one. After that steps backward to most recent online as nobanned or offline if it fails or  gives more if option to show more recommndations is set.
Thanks to Corpo for help.

like for say i would have some timestamp that occur in the year 2005 before i was ban, let see it was made due to playing offline.
then i would go online and get another valid timestamp at year 2009 sept 9
then a timestamp of when i got ban at year 2009 nov 3
then i play some offline with the ban console getting time stamp at year 2005

the application will just display the recent banned offline play of timestamp year 2005
along with the recent two: year 2009 nov 3 and year 2009 sept 9, right?

no, displays that which corresponds to record 2009 sept 9. One occurence I have met so far is that somebody got two online banned records (he didn't set clock time in dash) then app displayed wrong record.

reason i ask this is because i saw a few nand that has a big jump in block sector.
like few 2005 occur at block 090~9A then another few 2005 occurance in 200~21D, like so

it's ok. Kernel, dash and other stuff uses lot of space (compared to 16MB size)

[alien.virus]

i have the same problem and trying to look for solution. I hope I get it. All the best to you

not exactly, in my case look like that all 8 "copies" linked to single block (01ad).
boby2pc: does i have any chances?

[CrimsonIdol]

On that note, boby2pc: FindSecData crashes when I try to scan the first dump. Of course, this could be due to a corrupt dump, but it finds a couple of secdata listings before it dies on me.

Output from FindSecData before it crashes:

Code:

findsecdata v0.42 2009-11-28 by boby2pc
Controller version 2
Last filetable change: 0x00
ECC change: 0xFFFFFFE8 Filetbl: 0x901F6ED0 Secdata: 0x23C3EE7E Timestamp: 974664AC 1899-12-30
ECC change: 0xFFFFFFE7 Filetbl: 0x63B41419 Secdata: 0x755CD3E4 Timestamp: FCBEFD76 1899-12-30

You have the same problem as Nazster. I'm fighting with this problem between helping other people on this forum and other forums.
So far I have recovered filetable with all indexes but it was peace of cake. The main problem is that they references to places where files don't exists. If anyone have any description of large block construction it will be very helpfull.

BTW. I have very bad news about connecting to xbox live. IF YOU RECONNECT TO XBOX LIVE THE SECDATA.BIN IS OVERWRITTEN AGAIN. A few days ago I checked it trying connecting to xbox live and secdata.bin was ok, so they changed it.

Thanks for the input, boby2pc. Reading up on Nazsters problems, it seems we're in the same boat.

If it's of any help for further development, I could send you the NAND once I've dumped it twice and compared the two dumps? (It is a ~528 MB file though)

SecDataScan gave me 13 occurences of secdata.bin. 12 of them had the same timestamp, one had a newer. Verified this using a Hex editor as well. See screenshot below:

[boby2pc]

i have the same problem and trying to look for solution. I hope I get it. All the best to you

not exactly, in my case look like that all 8 "copies" linked to single block (01ad).
boby2pc: does i have any chances?

Checked. Sorry, it's not possible to restore old secdata

[boby2pc]

If it's of any help for further development, I could send you the NAND once I've dumped it twice and compared the two dumps? (It is a ~528 MB file though)

What would be very helpfull for testing if soulution solution is fould. Please send me link.

SecDataScan gave me 13 occurences of secdata.bin. 12 of them had the same timestamp, one had a newer. Verified this using a Hex editor as well. See screenshot below:

This huge memory in Jaspers almost guarantees that it's recoverable, but still jamed with those data which nandpro dumps. There is no correlation between those blocks and filetables entry.

[CrimsonIdol]

I'll upload the NAND dump as soon as the second one is done and I can verify that both are identical. Should have it up by tonight some time. Again, thanks a lot for all the effort you've put into this, boby2pc. (And everyone else who's done research on this of course)

In my case I've not had the Xbox online since I got banned, cable's been unplugged. I think I've only powered it up once or twice as well since then. So I don't think secdata.bin has been overwritten since the ban.

[alien.virus]

Checked. Sorry, it's not possible to restore old secdata

ok, thank you. my only hope that later someone opens possibility to decrypt and clear "cripple" flag.

[pumauk]

Does anyone mind taking a look at mine?  Whenever I replace the latest secdata (00c545d0, 3b 66 bd f9 , 02fd) it boots up to a "update failed" page with pv 0.0.0.0 and cv 2.0.8955.0....... 

http://www.mediafire.com/?mzmj2yohznj

Thanks!

[boby2pc]

Does anyone mind taking a look at mine?  Whenever I replace the latest secdata (00c545d0, 3b 66 bd f9 , 02fd) it boots up to a "update failed" page with pv 0.0.0.0 and cv 2.0.8955.0....... 

http://www.mediafire.com/?mzmj2yohznj

Thanks!

As Application displayed both old secdata sectors are overwritten. I checked it manually and there is something which is not secdata.bin. Yesterday someone have similar in that place. It looks like clock time settings, but I'm not sure. Check it at $9b*$4200 = $27f600

[pumauk]

Does anyone mind taking a look at mine?  Whenever I replace the latest secdata (00c545d0, 3b 66 bd f9 , 02fd) it boots up to a "update failed" page with pv 0.0.0.0 and cv 2.0.8955.0....... 

http://www.mediafire.com/?mzmj2yohznj

Thanks!

As Application displayed both old secdata sectors are overwritten. I checked it manually and there is something which is not secdata.bin. Yesterday someone have similar in that place. It looks like clock time settings, but I'm not sure. Check it at $9b*$4200 = $27f600

Sorry, What does that mean for my chances of uncrippling then? Is there anything I can try replacing?