Would it be possible

[Xumpy]

Ok, do not shout at me if it's a very stupid question. But how is microsoft knowing witch version that the CB has.
Is it comparing the entire system so it must match to a specific code. Or is the CPU just looking at offset 0800. I found in various topics that encryption is the problem. How is it? The CB isn't encrypted right??

I have read a lot about this in this forum (great forum btw!!!). And my (limited) understanding is that when a fuse is burn the CB is blacklisted. But if it is just the version that is blacklisted, wouldn't it be possible to change this version in XBR at offset 0800 to match to your current CB version. Upload the XBR in your box and enjoy your cpu code.

I am willing to try this but currently I'm at work so I'm posting this question if anyone allready tried this (probably someone has). But I want to know the result cause it would be pointless to do it myself when this is not working. Although I have again learned something new.

Thanks for the responds,

Br

Xump

[maximilian0017]

And my (limited) understanding is that when a fuse is burn the CB is blacklisted. But if it is just the version that is blacklisted, wouldn't it be possible to change this version in XBR at offset 0800 to match to your current CB version. Upload the XBR in your box and enjoy your cpu code.

As this has been talked about x times before i would suggest you use the search function.

In short, the CPU will load the first bootloader that is located in the cpu itself, as it cannot be changed it is considered safe, that sets up the whole security.

The first bootloader boots a second bootloader after making sure it hasn't been altered, etc etc and that is where the story ends.

The new CB cannot load xbr
You cannot edit it because it wouldn't load
You cannot replace it with an older version because of the burned fuses

[Xumpy]

Ok thanks for the repley, and euhm btw: as this has been discussed about x times before and answered x times before just like you do, it is nearly impossible to get a good search result/repley.

So I have already searched for some info about the first boot loader checks. (the search button gives me 0 results :p). Though I found some info about the first bootloader, mostly about the jtag hack and *that* it has been dissabled.

It would be nice if someone could send me a link of a thread where more about this first bootloader, the encryption, the second bootloader and the fourth bootloader is discussed.

Or maybe explain to me how the first bootloader is doing this checks (I already knew there was a check, just not that the first bootloader was doing this, I believed it was all in the CPU as I told already in my original question). Apparently microsoft is able to change this first bootloader. Is encryption holding us back for doing the same So how is it encrypted, do we not know it's location or maybe is the first bootloader in the CPU?

I have searched already a couple of eve's to learn more, so please do not give me anymore crap of using the search butten (I know how it works)

Ok I'm a noob!!! already knew this, you do not need to tell me again. I'm not doing this cause I want to play f***ng games, just doing this because I want to learn more about the art of hacking an xbox and the architecture behind this. Apparently because it's already beeing discussed over x times maybe a summary of what we already know is in place, wouldn't you agree?

Br,

Xump

[littlestevie360]

first stage bootloader in the CPU cant be updated, its on-die ROM, what microsoft updated was the 2nd stage bootloader, which microsoft can do because they have the signing key. second stage is in the nand, and is the first code executed off the nand

[Xumpy]

Thank you littlestevie360. You confirmed what I expected. But if the first boot loader can not be changed and is checking for the second bootloader if it may or may not run. Than it should know a way to identify the version of this bootloader, or a way to check if the bootloader has changed. If microsoft can not change 'this way of checking' in the first bootloader we should be able to use it to make a second bootloader that can run, right???
What I need to know is how this hole process is handled. Is this already known or are we still investigating this???

Thanks in advantage,

Br,

Nico

[Xumpy]

Ok stupid search button... I have searched the entire software forum for any help but did not do this in the general xboxhacking toppic.  So I would like to apologizes and this thread may be removed. I will post my further questions in the sticky post of the general help.

Br

Nico

[Icekiller]

the trick is this: they blow efuses.
you can't unblow them...

The first BL checks the efuses and compares them what it needs to have @ 2BL, if you replace the 2BL with the old one (the one that allows 45xx to be booted) then the efuses don't match and it won't load the 2BL.

if you know your cpu key etc then there _may_ be a way for you to make it boot 45xx..  but seeing as most persons don't have it.. chances are slim...

But lets say they find an exploit in 3xxx tomorrow or 6xxx or 5xxx (non 45xx) then you can basicly reuse this "method" and software.

[pemt512]

As I got it the 1BL always decrypt, verify and load CB which checks the second fuseline itself and compares to its hardcoded fusecount. If they don't match CB halts execution.

[Blackaddr]

Sometimes it's hard to find what you're looking for with the search function because people use thread titles like "would it be possible" instead of what the thread is actually about, so you get no hits.

Searching the body of threads for what you're looking for often brings way too many hits, most of which have nothing to do with what you are looking forward.

So sometimes, you need to do just a little bit of MANUAL searching. Visually scan the first half dozen or dozen pages of thread topics and look for something that might be relevant.  We don't have a thousand sub forums here so check all of them.

People are far less forgiving for asking questions that have already been answered every day for the past month.

- Blackaddr