XboxHacker BBS
Topic: Slim with NAND ORIGINAL LOST (Read 2260 times)
marcelojns
« on: June 01, 2012, 10:45:59 PM »

Hello guys

I am here with an Xbox Slim where the RGH was tried and the original NAND file was lost.

I tried using the RGH Matrix v2 with another Slim NAND of the same CB (9230), but Xell does not come up...

Any help?

(sorry for my English, I'm Brazilian)
« Last Edit: June 01, 2012, 10:53:18 PM by marcelojns »

sascha024
« Reply #1 on: June 02, 2012, 05:54:10 AM »

J-Runner gives you the chance to build a NAND without a NAND dump.

Regards
marcelojns
« Reply #2 on: June 02, 2012, 07:48:30 AM »

Quote from: sascha024
J-Runner gives you the chance to build a NAND without a NAND dump.

Regards

In J-Runner I need the CPU key to rebuild the new NAND file, but I don't have the CPU key yet.

janvkem
« Reply #3 on: June 02, 2012, 08:51:26 AM »

Flash Xell to the box, glitch it and get the key. Then build a donor NAND.
marcelojns
« Reply #4 on: June 02, 2012, 09:27:30 AM »

Quote from: janvkem
Flash Xell to the box, glitch it and get the key. Then build a donor NAND.

On the Slim this doesn't work, because of the CB_B...

Viral Doom
« Reply #5 on: June 02, 2012, 11:13:41 AM »

Quote from: janvkem
Flash Xell to the box, glitch it and get the key. Then build a donor NAND.

Quote from: marcelojns
On the Slim this doesn't work, because of the CB_B...

I have the same problem with a Trinity board, and like you said you CAN'T use a donor ECC, sadly... when the bootloader (CB) is split, the original CB is needed. This method only works on FATs with a single CB (I've recovered a couple of Jaspers).

I did some tests on my working SLIM: I used my CB on a donor NAND, and the ECC works... the KV.bin was wrong of course, but the CPU key is what is needed.

LDV, CD, KV, SMC are not needed... only CB (CB_A and CB_B).

So, after the test I did, I realize that you need the original bootloader :S

The question is:

Gligli took a FAT CB for the hack on Slims, to decrypt CB_B (CB_B is encrypted by the CPU key), so how can I do the same to get the CPU key of this console, and a valid CB?
marcelojns
« Reply #6 on: June 02, 2012, 02:32:12 PM »

Viral Doom

This is the problem... CB_B

Will gligli be able to help us with this question?

I'm doing some tests; anything new, I'll post here.

Let's keep hope...

boby2pc
« Reply #7 on: June 02, 2012, 05:20:36 PM »

I have the same problem with one Slim I bought with RROD 0033. Fixed the RROD, but the console gets stuck on CB_A and doesn't jump to CB_B; probably someone swapped the NAND content.

The only way to boot that console is to glitch 1BL to run the CB_A we want, but so far nobody has done that.
marcelojns
« Reply #8 on: June 02, 2012, 09:54:52 PM »

Quote from: boby2pc
I have the same problem with one Slim I bought with RROD 0033. Fixed the RROD, but the console gets stuck on CB_A and doesn't jump to CB_B; probably someone swapped the NAND content.

The only way to boot that console is to glitch 1BL to run the CB_A we want, but so far nobody has done that.

This is true... nobody has done it yet


Viral Doom
« Reply #9 on: June 03, 2012, 09:50:48 AM »

Quote from: boby2pc
I have the same problem with one Slim I bought with RROD 0033. Fixed the RROD, but the console gets stuck on CB_A and doesn't jump to CB_B; probably someone swapped the NAND content.

The only way to boot that console is to glitch 1BL to run the CB_A we want, but so far nobody has done that.

Quote from: marcelojns
This is true... nobody has done it yet

Well, after reading for a while and doing some tests, I came to a conclusion:

The problem is that the CB is encrypted by the CPU key. So, no matter what ECC you write to your NAND, it CAN'T boot because the CPU key CAN'T decrypt the CB... so... reading the SLIM RGH documentation:

Code:
Details for the slim hack
=========================

The bootloader we glitch is CB_A, so we can run the CB_B we want.

On slims, we weren't able to find a motherboard track for CPU_PLL_BYPASS.
Our first idea was to remove the 27MHz master 360 crystal and generate our own clock instead, but it was a difficult modification and it didn't yield good results.
We then looked for other ways to slow the CPU clock down and found that the HANA chip had configurable PLL registers for the 100MHz clock that feeds the CPU and GPU differential pairs.
Apparently those registers are written by the SMC through an I2C bus.
I2C bus can be freely accessed, it's even available on a header (J2C3).
So the HANA chip will now become our weapon of choice to slow the CPU down (sorry tmbinc, you can't always be right, it isn't boring and it does sit on an interesting bus).

So it goes like that:
- We send an i2c command to the HANA to slow down the CPU at POST code D8.
- We wait for POST DA start (POST DA is the memcmp between stored hash and image hash), and start a counter.
- When that counter has reached a precise value, we send a 20ns pulse on CPU_RESET.
- We wait some time and then we send an i2c command to the HANA to restore regular CPU clock.
- The cpu speed goes back to normal, and with a bit of luck, instead of getting POST error F2, the boot process continues and CB_A runs our custom CB_B.

When CB_B starts, DRAM isn't initialised so we chose to only apply a few patches to it so that it can run any CD, the patches are:
- Always activate zero-paired mode, so that we can use a modified SMC image.
- Don't decrypt CD, instead expect a plaintext CD in NAND.
- Don't stop the boot process if CD hash isn't good.

CB_B is RC4 crypted, the key comes from the CPU key, so how do we patch CB_B without knowing the CPU key?
RC4 is basically:
crypted = plaintext xor pseudo-random-keystream
So if we know plaintext and crypted, we can get the keystream, and with the keystream, we can encrypt our own code. It goes like that:
guessed-pseudo-random-keystream = crypted xor plaintext
new-crypted = guessed-pseudo-random-keystream xor plaintext-patch
You could think there's a chicken and egg problem, how did we get plaintext in the first place?
Easy: we had plaintext CBs from fat consoles, and we thought the first few bytes of code would be the same as the new CB_B, so we could encrypt a tiny piece of code to dump the CPU key and decrypt CB_B!

The NAND contains CB_A, a patched CB_B, our payload in a custom plaintext CD, and a modified SMC image.
The SMC image is modified to have infinite reboot, and to prevent it from periodically sending I2C commands while we send ours.

Now, maybe you haven't realised yet, but CB_A contains no checks on revocation fuses, so it's an unpatchable hack !

We have a "chicken and egg problem", because we need a valid CB, but the only way to get a valid CB to boot is encrypting a decrypted donor CB with the CPU key of the board... so we need the CPU key to get a valid CB to create a valid ECC to get the CPU key.

Gligli did it using a CB from a FAT board, so how can we do that?

The only way to get this board working is replacing the CPU/GPU chip with another one
« Last Edit: June 03, 2012, 09:59:24 AM by Viral Doom »
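The keystream-recovery step in the quoted notes, as an added Python illustration that is not from this thread or from gligli's release: a textbook RC4 stands in for the CPU-key-derived cipher, every key and image byte is constructed, and the demo shows that the recovered keystream is only usable for the bytes whose plaintext was guessed correctly, which is why only "a tiny piece of code" can be encrypted this way. It is the standard reason a stream cipher needs an integrity check on top: the hash comparison at POST DA is that check, and the glitch exists to get past it.

```python
# Added illustration of the known-plaintext keystream trick from gligli's notes.
# Everything here is constructed; no real bootloader bytes or CPU keys appear.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling, then the PRGA keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def recover_keystream(crypted: bytes, known_plaintext: bytes) -> bytes:
    """guessed-keystream = crypted XOR plaintext; only the bytes whose
    plaintext is really known are meaningful."""
    n = min(len(crypted), len(known_plaintext))
    return xor(crypted[:n], known_plaintext[:n])

def reencrypt_patch(keystream: bytes, patch: bytes) -> bytes:
    """new-crypted = keystream XOR patch; the patch cannot extend past the
    recovered keystream, which is why the notes speak of 'a tiny piece of code'."""
    if len(patch) > len(keystream):
        raise ValueError("patch extends past the known-plaintext region")
    return xor(keystream, patch)

def demo() -> dict:
    # Constructed stand-in for the CPU-key-derived RC4 key (never known to the
    # patcher) and for a CB_B-like image whose first 16 bytes are predictable.
    secret_key = b"constructed-key-not-a-real-cpu-key"
    plaintext = b"COMMON-PROLOGUE:" + bytes(16) + b"PRIVATE-BODY"
    ks = rc4_keystream(secret_key, len(plaintext))
    crypted = xor(plaintext, ks)
    # Patcher's view: ciphertext plus a guess at the first 16 bytes only.
    guessed = recover_keystream(crypted, b"COMMON-PROLOGUE:")
    new_crypted = reencrypt_patch(guessed, b"PATCHED-PROLOGUE") + crypted[16:]
    # The legitimate decryptor (which does hold the key) sees the patched prefix;
    # a wrong guess would instead turn the prefix into garbage.
    return {"prefix_ok": guessed == ks[:16], "decrypted": xor(new_crypted, ks)}
```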
marcelojns
« Reply #10 on: June 03, 2012, 10:53:15 AM »

Viral Doom

Even changing the CPU/GPU, a NAND chip (with a valid file) that can be decrypted by the key of the new CPU/GPU is necessary.

No, the glitch only works with certain pairs: NAND + CPU, because of the CPU key.

The problem now is trying to get the CPU key in these cases where the original NAND file was lost, if that is possible.

Viral Doom
« Reply #11 on: June 03, 2012, 11:04:57 AM »

Quote from: marcelojns
Viral Doom

Even changing the CPU/GPU, a NAND chip (with a valid file) that can be decrypted by the key of the new CPU/GPU is necessary.

No, the glitch only works with certain pairs: NAND + CPU, because of the CPU key.

The problem now is trying to get the CPU key in these cases where the original NAND file was lost, if that is possible.

There is no need to replace the NAND chip.

My idea is:

Replace the CPU/GPU chip and get the NAND file from the donor board, then create an ECC file to get the CPU key, and you are good to go.

In case of having only the CPU key, and not a NAND file from the donor board, you can still create a NAND with a donor NAND. You need the CPU key of the donor NAND to decrypt it and then encrypt it with the new CPU key.

Correct me if I'm wrong on this please.

And of course... the question is: can we get a CPU key without a NAND file? I say YES, gligli did it, he got the CPU key from a FAT CB; the question is: how can we do that? ^^
« Last Edit: June 03, 2012, 11:06:31 AM by Viral Doom »
marcelojns
« Reply #12 on: June 03, 2012, 11:22:07 AM »

Hmm... I understand

So, to get the CPU key, would it be necessary to create the .ECC with only the CB_A and CB_B from the NAND file of the donor board?


Viral Doom
« Reply #13 on: June 03, 2012, 11:51:13 AM »

Quote from: marcelojns
Hmm... I understand

So, to get the CPU key, would it be necessary to create the .ECC with only the CB_A and CB_B from the NAND file of the donor board?

To get the CPU key of the board without a NAND, we need the original CB because it is encrypted by the CPU key, and only the right CPU key can decrypt it, or know how gligli did it with a FAT CB.

Now, about the chip replacement, you need to do this (in theory):

Replace the CPU/GPU chip (you can use a f***ed Trinity board), get the NAND dump, create the ECC and get the CPU key.

In other words, we can't access our CPU key; we need another CPU to get the new CPU key hahaha, it's a "radical" solution.
« Last Edit: June 03, 2012, 12:01:14 PM by Viral Doom »
marcelojns
« Reply #14 on: June 03, 2012, 02:22:37 PM »

Hmm, I understood... But each NAND file is encrypted by a specific CPU key, no?

Because CB_A and CB_B are encrypted by a unique CPU key, and decrypting them would need the original CPU key, or would any CPU key decrypt them?

We need to do a practical test to see if it works.

Thanks for the explanations
« Last Edit: June 03, 2012, 02:29:33 PM by marcelojns »

Viral Doom
« Reply #15 on: June 03, 2012, 05:22:23 PM »

Quote from: marcelojns
Hmm, I understood... But each NAND file is encrypted by a specific CPU key, no?

Because CB_A and CB_B are encrypted by a unique CPU key, and decrypting them would need the original CPU key, or would any CPU key decrypt them?

We need to do a practical test to see if it works.

Thanks for the explanations

Yup, the NAND is encrypted by the CPU key, that's why we need the dump of the donor board with the donor CPU/GPU chip
marcelojns
« Reply #16 on: June 03, 2012, 06:31:23 PM »

Are you able to reball and replace the GPU/CPU on your Trinity board?

Viral Doom
« Reply #17 on: June 04, 2012, 08:28:26 AM »

Quote from: marcelojns
Are you able to reball and replace the GPU/CPU on your Trinity board?

Nope, but I'll get it done and tell you the results
peshkohacka
« Reply #18 on: June 04, 2012, 01:04:36 PM »

The only way to get it (without changing the CPU) is to glitch earlier than CB_B (i.e. when 1BL checks CB_A).
Viral Doom
« Reply #19 on: June 04, 2012, 02:16:59 PM »

Quote from: peshkohacka
The only way to get it (without changing the CPU) is to glitch earlier than CB_B (i.e. when 1BL checks CB_A).

That would be great! Do you know how to do that?