So I have a few basic questions about how the 360 works with loading the different bootloaders and how they're encrypted.
1. The 1BL is on the CPU die, and cannot be changed (right?). Is it encrypted, unencrypted, or do we have no (easy) way of getting at the data at all, and have no idea?
2. The 2BL is on the NAND; it is encrypted with RSA (right?). The 1BL loads the 2BL; does it do any sort of hash checking other than decrypting the RSA? (So if we had MS's RSA key, we could write our own 2BL and have complete exploitability on all consoles? [I know, won't happen, just helping me figure out how it's loaded].)
3. The 2BL checks the efuses to see if it can run; if it can, what does it do? (If it can't, it throws an error.) When the 2BL checks the fuses, what is it comparing to?
4. The 4BL is loaded by the 2BL and is encrypted with the console's CPU key, right?
5. The current exploit is in the 2BL / CB; how does it work (like a brief overview)?