Tony_Amigozs
« on: April 15, 2012, 03:01:20 PM »
http://www.360squirt.com/news.php

Available now online in SUPPORT AREA:
- SQUIRT RGH 2.0 Bitstreams
- SQUIRT RGH 2.0 user manual and diagrams

Features:
- Hack now works on new CB's (14717/14719 update)
- Hack now works with all Refurbished Split CB's (4577, 5772, 6752)
- Zephyr CB 4577, 4575
- Falcon/Opus CB 5772, 5773
- Jasper CB 6752, 6753

Honestly, today we make you squirt... the happiness is unbelievable!

Tony_Amigozs
« Reply #2 on: April 16, 2012, 05:45:33 AM »
it's not strange to believe that another team could have figured out how to glitch the new dashboard..

« Last Edit: April 16, 2012, 07:29:13 AM by Tony_Amigozs »

Intruder
« Reply #3 on: April 16, 2012, 07:02:21 AM »
scumbags nothing more.....
Int

uf6667
« Reply #4 on: April 16, 2012, 09:14:04 AM »
haha, I am glad someone is finally going against TX

what's hard about this is finding a refurb box, that's it

hell, even then, I could make a better RGH using just 9188! here's how I'd do it, though:
1) prepare 9188 CB_B to not do anything but load decrypted CB 6750, patch CB 6750, branch to CB 6750, just like old rebooter
2) using the plain-text attack on RC4, I'd modify CB_B of 6753 (kudos to whoever extracted them, you know who you are) to modify to our CB_B made in step 1)
3) flash
4) boot to xell

it ain't no big deal, TX just has their panties in a bunch because someone corrupted their big margin profit market

TBH I would have held off from releasing until finding timings appropriate for PLL_BYPASS, but still, comparing the two versions (TX claims someone leaked it due to the same patches... which are btw hilarious because they're the exact same used for 9188, released with 9230 imgbuild), TX's "version" requires you to have the cpu key, for which they can of course charge you some more for some more hardware you'd require (dumping over post bus... don't you get it? you can dump it over SERIAL, much more convenient!)

if you can tell me this is all false, please prove it to me with factual information, not some made up leak here, leak there bull$#!t

if you can tell me that what I am suggesting is infeasible in any way, I will apologize and be forever your bitch (grab the opportunity Tiros!!! xD)

nice69
« Reply #5 on: April 16, 2012, 09:30:21 AM »
@uf6667: how could you get the decrypted 9188 files?

peshkohacka
« Reply #6 on: April 16, 2012, 03:32:13 PM »
Bitchin' about the scene, not releasing sources.
...Classy TX, classy

nice69
« Reply #7 on: April 16, 2012, 03:53:33 PM »
aren't they always like that? if someone made it first, they will say it was 'stolen' under their nose or it's not perfect blablabla. if they copy others' work, they will say theirs is different & much better.
thank you squirt team.

interista82
« Reply #8 on: April 16, 2012, 04:06:00 PM »
Oh my god.... the messiah has come... thanks to you

TIB182
« Reply #9 on: April 16, 2012, 06:47:16 PM »
haha, I am glad someone is finally going against TX what's hard about this is finding a refurb box, that's it hell, even then, I could make a better RGH using just 9188! here's how I'd do it, though: 1) prepare 9188 CB_B to not do anything but load decrypted CB 6750, patch CB 6750, branch to CB 6750, just like old rebooter 2) using the plain-text attack on RC4, I'd modify CB_B of 6753 (kudos to whoever extracted them, you know who you are) to modify to our CB_B made in step 1) 3) flash 4) boot to xell it ain't no big deal, TX just has their panties in a bunch because someone corrupted their big margin profit market TBH I would have held off from releasing until finding timings appropriate for PLL_BYPASS, but still, comparing the two versions (TX claims someone leaked it due to the same patches... which are btw hilarious because they're the exact same used for 9188, released with 9230 imgbuild), TX's "version" requires you to have the cpu key, for which they can of course charge you some more for some more hardware you'd require (dumping over post bus... don't you get it? you can dump it over SERIAL, much more convenient!) if you can tell me this is all false, please prove it to me with factual information, not some made up leak here, leak there bull$#!t if you can tell me that what I am suggesting is infeasible in any way, I will apologize and be forever your bitch (grab the opportunity Tiros!!! xD)

LOL! First off, compare the code in the builders. The XOR hack function is exactly the same, as well as the layout. We are not idiots, you can't expect to fool us by changing a few variable names and adding some messages. Don't know about you but, if they can't even make xebuild patches then I doubt they could make a python builder. And what do you mean kudos to who extracted 5773.. it's stored unencrypted in the update files for 14717 and also can be dumped by anyone with 360 flash tool and a cpukey -.-

No need to use CBB 9188 at all, just pop in 6750 as CBB and replace the build in the header. The NAND building part of this really is pretty simple, aside from the XOR hack. I'd be surprised if squirt even has any actual vhdl source or understands the hardware side to this though.

Oh and guess what, you can't use uart until the end of CBB! You really think that TX wouldn't do uart if they could? How can you use that before the hardware is initialized -.-

And what big margin profit? Xecuter released the f***ing hacks for FREE - and the CoolRunner is only $15 - yeah HUGE profits

It's pretty sad to now see just how little you actually know about what's going on inside this.. now, will you forever be my bitch as promised ?

« Last Edit: April 16, 2012, 07:25:54 PM by TIB182 »

Tony_Amigozs
« Reply #10 on: April 16, 2012, 08:52:17 PM »
TX did not release anything, squirt team did. after that TX had no choice but to release theirs.. perhaps we had to wait even more months for rgh2.0.. so my kudos goes out to team squirt.. now more people can work on and tweak the hack

uf6667
« Reply #11 on: April 17, 2012, 03:59:14 AM »
haha, I am glad someone is finally going against TX what's hard about this is finding a refurb box, that's it hell, even then, I could make a better RGH using just 9188! here's how I'd do it, though: 1) prepare 9188 CB_B to not do anything but load decrypted CB 6750, patch CB 6750, branch to CB 6750, just like old rebooter 2) using the plain-text attack on RC4, I'd modify CB_B of 6753 (kudos to whoever extracted them, you know who you are) to modify to our CB_B made in step 1) 3) flash 4) boot to xell it ain't no big deal, TX just has their panties in a bunch because someone corrupted their big margin profit market TBH I would have held off from releasing until finding timings appropriate for PLL_BYPASS, but still, comparing the two versions (TX claims someone leaked it due to the same patches... which are btw hilarious because they're the exact same used for 9188, released with 9230 imgbuild), TX's "version" requires you to have the cpu key, for which they can of course charge you some more for some more hardware you'd require (dumping over post bus... don't you get it? you can dump it over SERIAL, much more convenient!) if you can tell me this is all false, please prove it to me with factual information, not some made up leak here, leak there bull$#!t if you can tell me that what I am suggesting is infeasible in any way, I will apologize and be forever your bitch (grab the opportunity Tiros!!! xD)

LOL! First off, compare the code in the builders. The XOR hack function is exactly the same, as well as the layout. We are not idiots, you can't expect to fool us by changing a few variable names and adding some messages. Don't know about you but, if they can't even make xebuild patches then I doubt they could make a python builder. And what do you mean kudos to who extracted 5773.. it's stored unencrypted in the update files for 14717 and also can be dumped by anyone with 360 flash tool and a cpukey -.- No need to use CBB 9188 at all, just pop in 6750 as CBB and replace the build in the header. The NAND building part of this really is pretty simple, aside from the XOR hack. I'd be surprised if squirt even has any actual vhdl source or understands the hardware side to this though. Oh and guess what, you can't use uart until the end of CBB! You really think that TX wouldn't do uart if they could? How can you use that before the hardware is initialized -.- And what big margin profit? Xecuter released the f***ing hacks for FREE - and the CoolRunner is only $15 - yeah HUGE profits It's pretty sad to now see just how little you actually know about what's going on inside this.. now, will you forever be my bitch as promised ?

I'm truly sorry, but I have to slam down your offer, that is becoming your bitch

let me elaborate a bit further wrt 15$ profits... how come you're defending not only one but two teams?

IMHO they should release the sources for the vhdl, mainly because of this:
constant POST_B8 : integer := 12;
constant POST_BA : integer := 13;
constant POST_BB : integer := 14;
(well f*** me, I found this out myself using my LA, you're very welcome)

this is all you need between trinity and "RGH 2.0"... myself, I had to choose the point after the 1k resistor because it wasn't strong enough (to live without you, strong enough, bla bla bla, you know the deal yo)

but hey, gimme your next best shot

« Last Edit: April 17, 2012, 04:10:29 AM by uf6667 »

boby2pc
« Reply #12 on: April 17, 2012, 04:52:34 AM »
Big thanks to Squirt Team for releasing RGH 2.0. Probably without you it wouldn't ever have been released.

MastaG
« Reply #13 on: April 17, 2012, 02:44:58 PM »
From TX's page:

With RGH2, a cpu_key is necessary for building the NAND image. The reason for this is because cpu_key encryption starts at CB, and in RGH1 there was only one CB which meant that CD was encrypted with cpu_key but CB could be "zero paired" which meant that the cpu_key would not be applied. When split-CB was added, they started the encryption at CBA and removed the zero pairing option, which means that cpukey encryption on CBB is mandatory. Bottom line is, after the 14717 update they turned all phats into a split CB boot chain but using unglitchable bootloaders. We can still glitch these boxes even when we don't know the cpu_key because we can use the "XOR hack" to embed the RGH2 bootloaders. For older images (pre-14717) we need the cpu_key to encrypt the new loaders because there is not a CBB already in the image that we can derive a keystream from.

So if I would like to glitch my 14719 trinity, I can only glitch it to run xell -IF- I have my cpu-key. And in order to get my cpu-key I need to use the XOR Hack right?

Correct me if I'm wrong but the XOR hack relies on the way they use RC4 encryption, now what if MS updates the way they use RC4 encryption, patching the RC4 vulnerability. Then some day we end up with updated boxes from which we are unable to extract the cpu-key...?

« Last Edit: April 17, 2012, 02:47:09 PM by MastaG »
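The keystream-derivation point in the TX quote above, as an added example that is not from the thread, TX or Team Squirt: with a stream cipher such as RC4, one known plaintext/ciphertext pair gives up the keystream, so a substitute of the same (or shorter) length can be encrypted without ever holding the key; the second half shows the check a designer adds to catch that, a MAC keyed with the secret over the plaintext. SECRET_KEY and the "loader" bytes are constructed placeholders, not Xbox 360 values.

```python
import hashlib
import hmac

# Constructed placeholders, not real console values: SECRET_KEY stands in for a per-device
# key the attacker lacks; REPLACEMENT is no longer than ORIGINAL so the keystream covers it.
SECRET_KEY = b"placeholder-secret-key"
ORIGINAL = b"ORIGINAL LOADER v1 .... padded to a fixed size"
REPLACEMENT = b"REPLACEMENT LOADER ... shorter is fine"

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key scheduling, then `length` bytes of PRGA output."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)
def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))
def rc4_encrypt(key: bytes, data: bytes) -> bytes:  # decryption is the same operation
    return xor_bytes(data, rc4_keystream(key, len(data)))

def forge_without_key(known_plain: bytes, known_cipher: bytes, new_plain: bytes) -> bytes:
    """Keystream reuse: P xor C yields the keystream, which then encrypts a chosen P'."""
    return xor_bytes(new_plain, xor_bytes(known_plain, known_cipher))

def demo_forgery() -> bytes:
    """What the legitimate key holder decrypts from a forgery made without the key."""
    known_cipher = rc4_encrypt(SECRET_KEY, ORIGINAL)  # attacker can read this from the image
    return rc4_encrypt(SECRET_KEY, forge_without_key(ORIGINAL, known_cipher, REPLACEMENT))

# Hardened form: a MAC keyed with the secret over the plaintext. Ciphertext bytes can
# still be swapped, but no valid tag can be produced for the substituted plaintext.
def seal(key: bytes, data: bytes) -> bytes:
    return rc4_encrypt(key, data) + hmac.new(key, data, hashlib.sha256).digest()

def open_sealed(key: bytes, blob: bytes) -> "bytes | None":
    body, tag = blob[:-32], blob[-32:]
    plain = rc4_encrypt(key, body)
    return plain if hmac.compare_digest(tag, hmac.new(key, plain, hashlib.sha256).digest()) else None

def demo_forgery_detected() -> bool:
    sealed = seal(SECRET_KEY, ORIGINAL)
    body, tag = sealed[:-32], sealed[-32:]
    return open_sealed(SECRET_KEY, forge_without_key(ORIGINAL, body, REPLACEMENT) + tag) is None
```

demo_forgery() returns REPLACEMENT, showing the substitution decrypts cleanly under a key the forger never had; demo_forgery_detected() returns True because the keyed tag no longer matches.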

Tony_Amigozs
« Reply #14 on: April 17, 2012, 03:04:16 PM »
you don't have to worry about that xor hack etc, the python script will do that all for you. and about the xor or rc4 exploit.. I don't think ms can change that.. otherwise groups squirt and tx wouldn't claim left and right that it is not patchable anymore.

cory1492
« Reply #15 on: April 17, 2012, 08:40:48 PM »
They can change whatever they want, whenever they want - keep in mind, with this we can't modify the BL that gets loaded by the CPU ROM. What they can't do is stop us from using these CB_A to glitch machines we already have the CPU key for regardless of whatever updates are applied in the future, as they have no lockdown fuse checks in them - in that sense it's indeed not patchable.
This release and the previous slim update only caters to people who updated to 14717+ before getting their cpu key, next update there may very well not be any run-around.

« Last Edit: April 17, 2012, 08:47:10 PM by cory1492 »

MastaG
« Reply #16 on: April 18, 2012, 01:54:28 AM »
Thanks cory1492,
So both TX and Team Squirt can shoot themselves in the foot one day claiming it's unpatchable. If MS changes it so it won't be possible to extract the cpu-key anymore then we're still screwed.

Tony_Amigozs
« Reply #17 on: April 18, 2012, 06:16:41 AM »
They can change whatever they want, whenever they want - keep in mind, with this we can't modify the BL that gets loaded by the CPU ROM. What they can't do is stop us from using these CB_A to glitch machines we already have the CPU key for regardless of whatever updates are applied in the future, as they have no lockdown fuse checks in them - in that sense it's indeed not patchable. This release and the previous slim update only caters to people who updated to 14717+ before getting their cpu key, next update there may very well not be any run-around.

They can modify the cb_a all they want, we are not going to use the new cb_a. They have bootloaders from the refurbished consoles with no fuse check remember + 1bl key also not changeable so it's not true that they can change everything.

« Last Edit: April 18, 2012, 09:04:23 AM by Tony_Amigozs »

cory1492
« Reply #18 on: April 18, 2012, 11:04:51 AM »
Hi Tony, your reply stating the things I said right back at me as an argument has to be one of the funniest things I've seen on this board in a long while. Thanks

Though wait... you do realize CB_B has the CPU key factored into its encryption and the only reason we are able to use this method to get the CPU key is because of the RC4 plaintext fail right?

MastaG: yes, to a degree it is unpatchable - if you have the CPU key before they fix it and you update, you're golden into the future with the current solutions. Unlike JTAG you can update away and have little fear you will be unable to hack the console after updating. Also, in saying that, I wouldn't be so quick to count out one-off/less reliable methods to glitch at other points simply to gain the CPU key even if the RC4 stuff is fixed. And who knows, some day a humble ninja may deliver us the 1BL RSA private key... one can always hope, I guess

« Last Edit: April 18, 2012, 11:11:56 AM by cory1492 »

Tony_Amigozs
« Reply #19 on: April 18, 2012, 11:57:40 AM »
no you said they can change everything and that is not true..

They can change whatever they want, whenever they want - keep in mind, with this we can't modify the BL that gets loaded by the CPU ROM. What they can't do is stop us from using these CB_A to glitch machines we already have the CPU key for regardless of whatever updates are applied in the future, as they have no lockdown fuse checks in them - in that sense it's indeed not patchable. This release and the previous slim update only caters to people who updated to 14717+ before getting their cpu key, next update there may very well not be any run-around.

« Last Edit: April 18, 2012, 11:59:30 AM by Tony_Amigozs »