l_oliveira
« Reply #40 on: November 25, 2010, 10:57:17 PM »
Checked the fuses and it matches the same CPU key I've been using that I pulled off XeLL.
Then you might want to have a look at the keyvault file you put in the my_data folder for fbbuild. Open it in WinHex and you should see something like this:

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000  CB DC 2E B7 B1 D1 DE D8 00 00 00 00 00 00 00 00  ................
00000010  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000020  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000030  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000040  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000050  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000060  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000070  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00  ................
00000080  C4 47 2D 71 94 F5 F0 5E 52 5C EE 03 D7 BC FE 81  .G-q...^R\......
00000090  27 51 87 7A A9 51 EF DC 28 99 CD BB EC 55 09 8B  'Q.z.Q..(....U..
000000A0  30 32 35 30 38 38 35 36 32 33 30 37 00 00 00 00  025088562307....
000000B0  88 66 55 41 31 27 62 37 00 FF 00 00 00 00 00 00  .fUA1'b7........

One can clearly see the serial number in the ASCII dump on the right. Now, if you see something similar to this:

Offset    0  1  2  3  4  5  6  7  8  9  A  B  C  D  E  F
00000000  AD 9C 90 2A 0D D1 A5 6B D6 73 9A 56 0D A7 DC 04  ...*...k.s.V....
00000010  A5 12 6D F6 F3 80 4F B4 B1 B3 A8 97 8E 31 E3 E6  ..m...O......1..
00000020  9A AA 6D D1 E6 62 3F BC A1 A0 2E F9 81 91 D9 0A  ..m..b?.........
00000030  6F AB FE 90 B1 29 C7 54 73 9A E3 F6 74 34 20 29  o....).Ts...t4 )
00000040  32 15 5D 5A 98 4D 8C 33 CF F1 36 86 E0 EC 41 05  2.]Z.M.3..6...A.
00000050  47 BC 29 43 1D CE 02 4F 58 09 2B 95 9D 15 AE 58  G.)C...OX.+....X
00000060  74 9E 36 2A DE 68 7B B2 AB A7 67 AF A0 09 BC 0D  t.6*.h{...g.....
00000070  E2 4D F3 51 97 72 9D 59 C8 CE 2D 9A F4 3E 95 C4  .M.Q.r.Y..-..>..
00000080  54 75 B5 D5 7B 28 A5 D8 27 84 36 5B 8E B8 2F 16  Tu..{(..'.6[../.
00000090  0E 1C 85 07 BE 66 E6 3B 05 64 0F 2D 47 6B 60 96  .....f.;.d.-Gk`.
000000A0  CF 54 FF 37 08 DA 6A EA 17 C8 68 6D 85 15 E5 E6  .T.7..j...hm....
000000B0  EA 1A 8A 74 37 51 1F C8 70 D3 12 81 CE 4F BC B2  ...t7Q..p....O..

It's encrypted and will not work with the rebooter. Fbbuild won't check whether it's valid and will very likely run it through the crypto again instead of just putting it in the image. As cory1492 said, fbbuild will simply not add the security files if they're missing. The console should work, though. And to online cheaters' dismay, it's even easier for MS to spot JTAGs online now, as their dash is not built consistently. Good stuff... With fbbuild random pairing data being things like "0x696969", it's going to be a fun night every night for the Xbox Live enforcement team. P.S.: Don't worry about the bit of data posted here; it's a banned console I was given as scrap.
« Last Edit: November 25, 2010, 10:58:52 PM by l_oliveira »
 It's a Rough World
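
Added example (not code from this post, from fbbuild or from any rebooter): a small Python check that automates the distinction l_oliveira draws above, a plaintext keyvault header versus an encrypted one, so the mistake described (feeding a still-encrypted keyvault to fbbuild) is caught before building. The sample inputs are the first 0xC0 bytes of the two dumps quoted in the post; the 0.9 zero-byte threshold and the 12-digit serial check at offset 0xA0 are assumptions taken from what those two dumps show, not a documented keyvault layout.

```python
# Added example, not code from the forum post or from fbbuild. It automates the
# eyeball check made in WinHex above: a plaintext keyvault header has a long run
# of zero bytes and a 12-digit ASCII serial at 0xA0; an encrypted one has neither.
# Offsets and the 0.9 threshold are assumptions taken from the two dumps shown.

# First 0xC0 bytes of the plaintext keyvault quoted in the post (sample input).
PLAINTEXT_KV_HEADER = bytes.fromhex(
    "CBDC2EB7B1D1DED80000000000000000" + "00" * 0x70
    + "C4472D7194F5F05E525CEE03D7BCFE81" + "2751877AA951EFDC2899CDBBEC55098B"
    + "30323530383835363233303700000000" + "886655413127623700FF000000000000"
)

# First 0xC0 bytes of the encrypted keyvault quoted in the post (sample input).
ENCRYPTED_KV_HEADER = bytes.fromhex(
    "AD9C902A0DD1A56BD6739A560DA7DC04" "A5126DF6F3804FB4B1B3A8978E31E3E6"
    "9AAA6DD1E6623FBCA1A02EF98191D90A" "6FABFE90B129C754739AE3F674342029"
    "32155D5A984D8C33CFF13686E0EC4105" "47BC29431DCE024F58092B959D15AE58"
    "749E362ADE687BB2ABA767AFA009BC0D" "E24DF35197729D59C8CE2D9AF43E95C4"
    "5475B5D57B28A5D82784365B8EB82F16" "0E1C8507BE66E63B05640F2D476B6096"
    "CF54FF3708DA6AEA17C8686D8515E5E6" "EA1A8A7437511FC870D31281CE4FBCB2"
)

HEADER_LEN = 0xC0
ZERO_REGION = slice(0x08, 0x80)   # entirely zero in the plaintext dump
SERIAL_OFFSET, SERIAL_LEN = 0xA0, 12

def zero_fraction(header: bytes) -> float:
    """Share of zero bytes in the region that is blank in a plaintext KV."""
    region = header[ZERO_REGION]
    return region.count(0) / len(region)

def serial_number(header: bytes):
    """Return the ASCII serial at 0xA0 if it is 12 decimal digits, else None."""
    raw = header[SERIAL_OFFSET:SERIAL_OFFSET + SERIAL_LEN]
    return raw.decode("ascii") if raw.isdigit() else None

def classify_keyvault_header(header: bytes) -> str:
    """'plaintext' if the header looks decrypted, otherwise 'encrypted'."""
    if len(header) < HEADER_LEN:
        raise ValueError("need at least 0xC0 bytes of keyvault data")
    if zero_fraction(header) > 0.9 and serial_number(header) is not None:
        return "plaintext"
    return "encrypted"

if __name__ == "__main__":
    for name, kv in (("first dump", PLAINTEXT_KV_HEADER), ("second dump", ENCRYPTED_KV_HEADER)):
        print(name, classify_keyvault_header(kv), serial_number(kv))
```

For a real file, read the first 0xC0 bytes of the keyvault from my_data and pass them to classify_keyvault_header before running fbbuild.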

uk_dan2k
« Reply #41 on: November 25, 2010, 11:43:31 PM »
Then you might want to have a look at the keyvault file you put in the my_data folder for fbbuild. P.S.: Don't worry about the bit of data posted here; it's a banned console I was given as scrap.
Just checked, and the serial number is on the right like in the 1st example, not far from the start of the file.

cory1492
« Reply #42 on: November 26, 2010, 01:24:49 AM »
|
uk_dan2k: what type of console, and what is your drive's OSIG?
phonsey: what type of console, and what is your drive's OSIG? "People like you" don't need the hash check removed (which, by the way, has a similar effect to the previous banned-console secdata/dirty xval now; getting around xmas lights is not the answer for a fully working machine with which you can pass profiles between consoles and still install stuff from disk). What you need is a proper donor with the matching CPU key, like I've been saying all along. With the proper donor, with correct OSIG, worst case is you have to build an image with XeLLous using the hardware CPU key to change the DVD key in the DVD drive and then build again with the donor key so it will boot.
l_oliveira: it sounds to me like they are both coming from freeboot 0.30, which didn't care if you mismatched CPU key and KV, so it's highly likely neither of them has the CPU key for the keyvaults they are using.
« Last Edit: November 26, 2010, 01:29:51 AM by cory1492 »

l_oliveira
« Reply #43 on: November 26, 2010, 08:00:14 AM »
l_oliveira: it sounds to me like they are both coming from freeboot 0.30, which didn't care if you mismatched CPU key and KV, so it's highly likely neither of them has the CPU key for the keyvaults they are using.
There are always better options than shortcuts. Then people get angry with me when I say I'm against things like "toolboxes", "kits", "wavepatchers" and similar stuff. Damn it, lazy people... To OP: If your box were a Xenon I could give you some banned keyvault for you to "fix" the console. But then you need a working donor dump set, and I don't happen to have a "spare" Falcon KV with key... lol
« Last Edit: November 26, 2010, 08:02:04 AM by l_oliveira »
 It's a Rough World

uk_dan2k
« Reply #44 on: November 26, 2010, 10:21:13 AM »
uk_dan2k: what type of console, and what is your drive's OSIG?
Falcon motherboard - OSIG = PLDS DG-16D2S 7485

cory1492
« Reply #45 on: December 01, 2010, 01:03:46 AM »
There we go. As I said, with a proper KV donor and matching CPU key, uk_dan2k's machine is up and booting fb12611.

uk_dan2k
« Reply #46 on: December 01, 2010, 11:24:47 AM »
Annoys me that I ended up with a dodgy JTAGed KV & CPU key (cheers eBay lol), but I didn't have a JTAGable console and didn't want to buy blind off eBay, with most users not knowing what dash they've got installed, and also you don't know the console history, RROD etc. I'm sure 1st-hand consoles out of the shop must have the updated dashboards now, to counteract people JTAGging, so I didn't bother with that option. Might have taken a month, but... finally got there!!

CAPS369
« Reply #47 on: December 02, 2010, 03:15:01 AM »
I have donor Falcon and Xenon KVs; will they work with a Jasper?? I know the keys for both...
Sorry for being a noob...
CAPS cause women like things nice and big...

cory1492
« Reply #48 on: December 02, 2010, 03:20:35 AM »
The Falcon one might, the Xenon one only if it's a type 2, and in either case you will still have to match the drive's OSIG to the keyvault contents (not the other way around). Try and find out?

l_oliveira
« Reply #49 on: December 02, 2010, 07:48:20 AM »
The Falcon one might, the Xenon one only if it's a type 2, and in either case you will still have to match the drive's OSIG to the keyvault contents (not the other way around). Try and find out?
Sadly "Type 2" doesn't necessarily mean it's a hashed keyvault. A LOT of Xenons do have OSIG with non-hashed keyvaults. Also I noticed that consoles which came with a non-hashed keyvault won't bother with AP25 checks even when running the original dashboard... O_O
 It's a Rough World

CAPS369
« Reply #50 on: December 02, 2010, 05:50:05 PM »
Smeg, going to find out if I have any original image on my comp for this Jasper and pull the KV out and have a look...
Falcon: done. Xenon: done. Jasper: let's not go there.
CAPS OUT
CAPS cause women like things nice and big...

ZerOneX
« Reply #51 on: December 03, 2010, 01:08:02 PM »
I'm stuck with one Jasper 16MB with just the CPU key (only XeLL comes up). After a few days of reading, I'm coming to a conclusion (I hope the right one, at least). I have almost 100 NAND backups + CPU key included (Xenons, Zephyrs, Falcons, Jaspers and Jasper BBs). So as I understood, we do have two options!!

The one proposed by cory: If I have one backup with the same OSIG and mobo, can I just create the freeBOOT 0.04 image from my backup image (using the CPU key that belongs to that backup, of course) and flash it into my problematic console!!!!??? I have never thought this would even be possible!!! Tested, working like a charm.

The other one proposed by l_oliveira: I can use the CPU key that belongs to the problematic console, then I have to catch one KV with the same mobo and OSIG (a hashed one) and change it through any hexadecimal program (just to simplify)!!! After that I have to generate the freeboot image that will work with the CPU key from the problematic machine!!! W.I.P.

Now I'm working on how to understand the virtual CPU key thing. Regards, ZerO
« Last Edit: December 03, 2010, 05:33:56 PM by ZerOneX »
Just a noob in search of knowledge!

l_oliveira
« Reply #52 on: December 03, 2010, 08:23:52 PM »
ZerOneX, here are the things you need to consider:
The current crop of rebooters (since ibuild 0.3) are put together in a way which allows the generated flash image to work on ANY console as long as the board type matches.
If I build a flash for my Jasper small block console it should work on any other Jasper small block console.
It works that way because:
The real boot loaders are zero paired, which means they boot on any motherboard regardless of fuses and LDV values. The JTAG exploit happens and the rebooter launches the rebooter core, which in turn installs the virtual fuses system, patches the HV & Game OS kernel, and launches the Game OS kernel/dash.
Because the keyvault policy protection is not patched, it's necessary that the virtual fuses data matches the donor system's keyvault data encryption *AND* hashing. Meaning that the keyvault should be saved exactly as it was on the original flash on the donor system.
This has a caveat:
Because XeLLous uses the physical CPU key to decrypt the keyvault, it can't read the donor's keyvault data, returning an error. Also, because it can't read the keyvault, you can't use the DVD drive pairing function. You will have to flash the drive key onto your drive with DosFlash or JungleFlasher.
So yes, we're saying that you CAN use ANY donor Jasper data as long as you put the original CPU key from the DONOR system in the my_data folder text file, instead of your motherboard hardware key.
 It's a Rough World

cory1492
« Reply #53 on: December 04, 2010, 12:21:28 AM »
For the single purpose of flashing the DVD key, you should be able to build a XeLLous image using the hardware CPU key so XeLLous CAN decrypt the keyvault :p

l_oliveira
« Reply #54 on: December 04, 2010, 11:45:54 AM »
For the single purpose of flashing the DVD key, you should be able to build a XeLLous image using the hardware CPU key so XeLLous CAN decrypt the keyvault :p
Good point. I didn't think of that.
 It's a Rough World

ZerOneX
« Reply #55 on: December 06, 2010, 08:25:41 AM »
Thanks cory and l_oliveira, and thanks Magnus as well; he did a great job giving some directions.
Well, following what cory and l_oliveira said, it is possible to "rebuild" one image from another donor + CPU key image from a similar mobo (rebuilding XeLLous using the CPU key from the problematic machine).
But let's suppose that I don't have ANY image backup; now the hole is deeper.... Just a few guys on the scene have a modified jasper_patches.bin capable of recreating images with KV Type 2, but this did not come out to the rest of us, because this file(s) can bring that old story up again.... the cheaters can mess with LIVE all over again, messing with the KV type 2.
I'm not an expert on this subject; I just started a few months ago to study the 360, but till now, this is what I discovered.
So, for those without another donor backup, forget about it!! And for those that have the modified jasper_patches.bin, thanks for keeping it safe!!!
Cheers, and thanks again.
Just a noob in search of knowledge!

cory1492
« Reply #56 on: December 06, 2010, 11:26:41 AM »
But let's suppose that I don't have ANY image backup; now the hole is deeper.... Just a few guys on the scene have a modified jasper_patches.bin capable of recreating images with KV Type 2, but this did not come out to the rest of us, because this file(s) can bring that old story up again.... the cheaters can mess with LIVE all over again, messing with the KV type 2.

Let's suppose you don't have ANY image backup... the first thing to do is look for a donor KV that has the CPU key from the machine it came off of, to build your image with a non-hardware CPU key. It Just Works.

When this question first came up I did a bunch of experimentation on this (I've patched kernel, HV, xam and many combinations of the same in testing and found no way to prevent this). Getting rid of xmas lights is trivial, but at 12611 I started getting similar problems to the secdata/xval violation from that old retail dash version people had problems with when they got banned: I can't see most of my content and only 3/5 profiles, Kinect will not connect, even though all the security values in HV and xval are clean when compared to using a proper matched CPU key and KV from a donor or the originals for the machine (in both cases, type 2 aka hashed keyvault, CPU key is for the console the KV came from; I even tried a type 1/unhashed keyvault for kicks with no better results).

I'm sure I missed something somewhere, but atm I can say with a straight face I looked and the answer isn't trivial, at which point I figured the note in the fbbuild readme was there for a good reason and likely is a far better choice than crying about not having some xmas lights/hash check bypass which would leave folks believing fbbuild is the problem again.

(*(uint16_t*)0x6) = ((*(uint16_t*)0x6) & ~0x20)
« Last Edit: December 06, 2010, 11:41:27 AM by cory1492 »

Dream
« Reply #57 on: December 10, 2010, 02:15:17 PM »
Hey, KV is broken. I can freeboot 0.30 it because there is no KV check. KV swap doesn't work in freeboot 0.32-->. KV swap works in XBR. Can someone fix my friend's KV? This console was returned from M$ repair. DVD drive was modded/broken, mb is untouched. (Same xmas console http://www.xboxhacker.org/index.php?action=printpage;topic=14557.0) We think that M$ left the NAND in factory mode. Error code is E49 / 0301. One red light. Orig dump and donor dump. Orig dump @ Falcon Rikki, broken KV, xmas lights. Donor dump @ Falcon OK. I am not a pro at this, so if someone can help it would be nice. I know the dumps are not allowed, sorry. If you'd like to help I can PM you a direct link to the files...
« Last Edit: December 10, 2010, 02:24:38 PM by Dream »

l_oliveira
« Reply #58 on: December 10, 2010, 11:52:06 PM »
Wait, WHAT? MS returned a console to a customer WITHOUT blowing the old CB revocation fuse?
 It's a Rough World

Dream
« Reply #59 on: December 11, 2010, 02:03:42 AM »
Wait, WHAT? MS returned a console to a customer WITHOUT blowing the old CB revocation fuse?
Yes, this is true. My friend works in an electronics store and this was the case. He asked me if I could fix it, and yes, it was a xmas JTAG Falcon. All orig xmas NAND dumps are good, I know that for sure; 6 dumps and they are all the same. (USB NAND reader)
« Last Edit: December 11, 2010, 05:00:25 AM by Dream »