FreeBOOT Patch Format

[kittonkicker]

Hey everyone,

I've written a program to convert the FreeBOOT patches back into a "re-compilable" format which can be used by Dashlaunch (mainly to further my knowledge of how the patches affect the system). I've been looking at how the FreeBOOT/Dashlaunch patches are formed and I just wanted to confirm a few details with anyone "in the know" since there seems to be such little resource for this sort of thing on any of the 360 hacking forums.

Basic structure:

Code:

VA (for Dashlaunch) -or- File Offset (for FreeBOOT) to patch - size int,
(Length of opcodes / 4) - size int,
PPC ASM opcodes - length divisible by 4 (I'm guessing all PPC opcodes are 4bytes minimum in length? ... that's weird coming from x86 ASM!!)
-- Repeated --
0xffffffff (To end a patch section)

C++ Interpretation:

Code:

struct patch {
long dwAddress;
long dwLength;
char* bData;
bool bEndBlock;
};

Example "re-compilable" format:

Code:

.set UnkFunc30, 0x00000948

# ============================================================================
# UnkFunc30 - VA: 818d0948, Offset: 00000948
# ============================================================================
.long UnkFunc30
.long (9f - 0f) / 4
0:
cmpwi        cr6, %r11, 0xc # 2f 0b 00 0c
addi         %r9, %r9, 0x3360 # 39 29 33 60
9:

The main thing I'm getting confused about with the patches is whether the "address to patch" specified in the FreeBOOT patches is relative to the start of the executable (e.g. xam.xex), or the end of the PE header?

Any help would be really appreciated!

[cory1492]

Freeboot doesn't patch xam. From freeboot 0.02 patch source sample:

Code:

# ============================================================================
#   Kernel 8955 Patches
# ============================================================================

# This file contains all the patches freeBOOT applies to the kernel. Patches
# for 1BL, CB, CD, and hypervisor were done with a different tool and are
# provided as files patches_<console>_base.bin. In order to yield a valid
# patches_<console>.bin file, the assembly of this file has to be appended to
# the corresponding patch_<console>_base.bin file. The included Makefile will
# automate this task.
#
# Patches for 1BL, CB, CD, hypervisor, and kernel all share the same format
# described herein. Since hypervisor and kernel patches are applied in the
# same run, hypervisor patches contained in patches_<console>_base.bin file
# are not terminated with 0xffffffff. It is therefore possible to add further
# hypervisor patches through this file. As seen by the patch engine, the
# hypervisor starts at address 0x00000000 and the kernel at address
# 0x00040000.

.globl _start

_start:

# ============================================================================
#   Disable XEX Signature Check
# ============================================================================

# Each sequence of patches starts with a target address and the number of
# patches in this sequence. The patches themselves follow directly. The target
# address must be aligned on a 4 byte boundary. All data in a patch sequence
# must be encoded in 32-bit big endian format.
#
# There can be an arbitrary number of patch sequences. The last patch sequence
# must be terminated with 0xffffffff.

.long 0x0007784c                # target address
.long (9f - 0f) / 4             # number of patches

0:
nop                             # patches
9:

As it says above, kernel and hypervisor above 64K are not relocated at the time freeboot patches them so the offsets apply as if you were patching kernel.exe extracted using flash tool. Dash launch uses the virtual/actual address to do patching rather than a relative one because that is where the code is in memory when the patch is applied.

edit:/ btw, check these out: risc cisc

[kittonkicker]

Thanks for that! After reading the FreeBOOT documentation I can see that the "addresses" in the FreeBOOT patch files are actually for the kernel/HV, etc, makes much more sense now since the patches didn't seem to have any relevance to xam... lol.

I feel a bit stupid now >.>.

On a side note, does anyone know how I can extract the kernels from a nand dump? 360 Flash Tool is crashing when I try to extract them from my 9199 FreeBOOT dump...

[mojobojo]

Thanks for that! After reading the FreeBOOT documentation I can see that the "addresses" in the FreeBOOT patch files are actually for the kernel/HV, etc, makes much more sense now since the patches didn't seem to have any relevance to xam... lol.

I feel a bit stupid now >.>.

On a side note, does anyone know how I can extract the kernels from a nand dump? 360 Flash Tool is crashing when I try to extract them from my 9199 FreeBOOT dump...

You can't extract from freeboot because 360 flash tool doesn't support it. I uploaded the Hypervisor and Kernel for you.
http://www.mojobojo.net/downloads/Xbox 360/X360HVKernel.rar

[kittonkicker]

Oh awesome, thanks very much !

The only kernel dump I was able to retrieve myself was 7371 from my original rip and the FreeBOOT patches don't match up much lol.

If you don't mind me asking, how did you manage to extract the kernel from your dump? Did you manually dump CE, CF, CG and then extract the cab and split the files, or is there a useful tool I'm missing?!

Cheers again!

[mojobojo]

Oh awesome, thanks very much !

The only kernel dump I was able to retrieve myself was 7371 from my original rip and the FreeBOOT patches don't match up much lol.

If you don't mind me asking, how did you manage to extract the kernel from your dump? Did you manually dump CE, CF, CG and then extract the cab and split the files, or is there a useful tool I'm missing?!

Cheers again!

No problem. I obtained a nand dump from a friend back when the 9199 kernel was released. It came from a box that the cpu key was pulled when it was exploitable then updated afterwards. To my understanding freeboot interferes with dumping the kernel sections for some reason. If you want to obtain a dump, reupdate with the R6T3 removed then dump the nand and reflash with a new freeboot when your done.

[kittonkicker]

Will give that a go whenever the new dash/kernel is released!

Thanks again.