XboxHacker BBS
 
Topic: Keydrive in new firmwares MS28 - Offset 0x4506
Flash78 (Member, Posts: 47)
« on: December 21, 2006, 04:40:27 PM »

I have an original MS28 firmware with a "rare key". Its key zone can't be copied with X360SAM 0.6, Keygen or other programs with a key scan limit of 0x43FF.

We need new programs to copy these keys, or to modify the key to move it within the normal limit.

garyopa (Xbox Hacker, Posts: 582, Oasis Pensive Abacutors)
« Reply #1 on: December 21, 2006, 05:00:34 PM »

Quote from Flash78:
    I have an original MS28 firmware with a "rare key". Its key zone can't be copied with X360SAM 0.6, Keygen or other programs with a key scan limit of 0x43FF.

    We need new programs to copy these keys, or to modify the key to move it within the normal limit.

Yep, MS loves to move those keys around. But really all "key" programs should search or copy from >4000 to >5FFF,
as this area is reserved for KEY placement; MS can put it anyplace they want!

skye001 (Newbie, Posts: 4)
« Reply #2 on: December 22, 2006, 10:48:25 AM »

If you need help copying the key, I can do it for you. I got flamed in my post saying the key wasn't at 4000; seems the rare key is on the increase, I thought I was the only one.. oh well

gigabite (Xbox Hacker, Posts: 3089, .: Xplode Mods :.)
« Reply #3 on: December 22, 2006, 09:08:39 PM »

I had the same problem trying to be a genius :p I thought, let's see if the key is really in the $4000 range etc. Meh, it didn't work, I just got bored and used the make files :p - just wanted a test, I also had a Samsung

gigabite

.ISO  - he's a wannabe ... feel part of "t3h sc33n" yet ? QQ
coming 2009

brue (Newbie, Posts: 8)
« Reply #4 on: December 23, 2006, 04:05:26 AM »

Quote from garyopa:
    Yep, MS loves to move those keys around. But really all "key" programs should search or copy from >4000 to >5FFF,
    as this area is reserved for KEY placement; MS can put it anyplace they want!

Is there any algorithm to find the key in that range? Is there any tool to find keys in any given firmware? If not, it could be interesting to discuss programming a little tool to turn key finding into an almost automatic task. I've been reading the Philips drive thread and they are still looking for the key. Having that unit at a quarter or less of the price of another replacement drive (i.e. Sam & Hit), perhaps it would be interesting to make some progress on it.

What do you think about it? Is it just a nonsense?
« Last Edit: December 23, 2006, 04:35:39 AM by brue »

gigabite (Xbox Hacker, Posts: 3089, .: Xplode Mods :.)
« Reply #5 on: December 23, 2006, 05:06:27 AM »

^^ Yeah, I mean it was something like $9 US or something; why doesn't OPA, C4e etc. buy it and try to do something with it.... my main guess is because those drives don't come with the 360 anymore... BUT it could be a very good reason for repairs ;)

gigabite

Flash78 (Member, Posts: 47)
« Reply #6 on: December 23, 2006, 01:18:14 PM »

Making a program to find the key is easy, I think. ;)

Key Zone:

[Offset 4000]
01XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
02XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
03XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
...
...
...
0AXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
0BXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
0CXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX
...
...
...
??EEEEEEEEKEYKEYKEYKEYKEYKEYKEYKEYKEYKEYKE
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
...
...
...
[Offset 5FFF]

gigabite (Xbox Hacker, Posts: 3089, .: Xplode Mods :.)
« Reply #7 on: December 23, 2006, 09:28:41 PM »

^^ If it was that easy then how come we haven't been able to get the key!!

gigabite

garyopa (Xbox Hacker, Posts: 582, Oasis Pensive Abacutors)
« Reply #8 on: December 23, 2006, 09:37:06 PM »

Finding the key on the Samsung is EASY: it is always in the range of >4000 to >5FFF and it is always preceded by a number of bytes containing >EE.

Finding the key on the Hitachi is EASY: it WAS always at >4F00 in the older drives, and now on the v78 it moves up or down in the area of >4000 to >4FFF with a block of >74 bytes before and afterwards.

Finding the key on the Philips or Lite-On drive is IMPOSSIBLE because it is NOT there and NOT needed. On the
Philips drive the firmware would have to be re-written with the AES parts added and a key area layout;
as the dev-kit never needed that, it was not written in the firmware, and as such no KEY area is there.

The same problem applies to Hitachi v10, v27, v32, v36: placing the key in the right spot will not work, as the
drive firmware does not contain any AES code to handle it, because these units were for debug-kits and demo
machines. That is the reason why you need to upgrade the v32/v36 eBay replacement drives to v40
before they will work with your "drive key".

LordX (Master Hacker, Posts: 129, www.modchip.co.il)
« Reply #9 on: January 01, 2007, 07:41:36 AM »

I found something interesting in HL v78.
If you place the KEY in v78 on a different line it will not work;
for example, you move the key from 4E10 to 4B00 (both can have keys there, in v78).
It will not work, the drive will look for the KEY only at 4E10. But how does it know where to look? I am sure somewhere in the firmware it has the exact address where to look for the KEY, any idea where?
In Samsung you can move the key and it will work: in old MS25 the key starts at 401A, then they moved it to 4116, and in new MS28 the KEY starts from 40EC. If you move the key it all works, and in Hitachi it doesn't. Any comments about it?

caster420 (Master Hacker, Posts: 242)
« Reply #10 on: January 11, 2007, 02:07:30 PM »

Quote from garyopa:
    Finding the key on the Samsung is EASY: it is always in the range of >4000 to >5FFF and it is always preceded by a number of bytes containing >EE.

Yes, Samsung keys are very easy to find.  They follow this sequence:

01 EE EE EE EE - 16 byte key location - 02 11 11 11 11 - 16 byte key location - 03 EE EE EE EE - 16 byte key location - .... etc ....

I have already written a DOS-based program to jump to each potential key location and check for repeating values.  It then copies from file1 to file2 and compares those two files.  File1 is ideally orig.bin and file2 hacked.bin.  If there are more than 3 repeating values in the key, it is deemed not valid and the program continues on to the next potential location.  The only thing I did wrong was to only look in the $4000-4400 block.  I will fix this right now and it will be done with.  Here is the code, written in Turbo Pascal (I do not program a lot, so it is sloppy and could probably be reduced a lot more than it is):

program KeyTool;
uses crt,dos;

function hexbyte(B : Byte) : String;
const
HexDigits : ARRAY[0..15] OF Char = '0123456789ABCDEF';
var Temp : String;
begin
Temp[0] := #2;
Temp[1] := HexDigits[B SHR 4];
Temp[2] := HexDigits[B AND $F];
hexbyte := Temp;
end;

type
block = array[0..$3ff] of byte;

var
block1, block2, block3:block;
file1, file2:file of block;
match,validkey1,validkey2,validkey3:boolean;
bytematch,keyread2,keystop2,keyread1,keystop1,keyread3,keystop3,i,j,k:integer;

begin
TextColor(LightBlue);
writeln;
writeln('----------------------------------------------------------------------------');
writeln('Firmware KeyTool v0.420 by Caster420 & Klutsh');
writeln('--------------------------------------------[360mods.net]-[x-projects.org]--');
writeln;
TextColor(LightGray);

if (paramstr(1)='') or (paramstr(2)='') then
begin
TextColor(LightRed);
writeln('ERROR: You did not satisfy the required paramaters.');
TextColor(LightGray);
writeln('Proper Usage: KeyTool File1 File2');
halt(1);
end;

assign(file1,paramstr(1));
assign(file2,paramstr(2));
{$i-} reset(file1); {$i+}
if IOResult <> 0 then
begin
TextColor(LightRed);
writeln('ERROR: File ',paramstr(1),' does not exist!');
TextColor(LightGray);
halt(1);
end;

{$i-} reset(file2); {$i+}
if IOResult <> 0 then
begin
TextColor(LightRed);
writeln('ERROR: File ',paramstr(2),' does not exist!');
TextColor(LightGray);
halt(1);
end;

writeln('Copying Key...');
seek(file1,16);
seek(file2,16);
read(file1,block3);

validkey3:=false;

bytematch:=0;
i:=5;

while (i<$400) do
begin
j:=i;
k:=i+1;
while (j<i+15) do
begin
while (k<i+14) do
begin
if (block3[j]=block3[k]) then
begin
bytematch:=bytematch+1;
end;
k:=k+1;
end;
k:=j+2;
j:=j+1;
end;
if (bytematch>3) then
i:=i+21
else
begin
keyread3:=i;
keystop3:=i+16;
i:=$400;
validkey3:=true;
end;
bytematch:=0;
end;

if validkey3 then
begin
write(file2,block3);
writeln;
writeln('Checking Keys...');
writeln;
end;
if not validkey3 then
begin
TextColor(LightRed);
write ('*** ERROR ***');
TextColor(LightGray);
write (' Valid key structure not found!');
halt(1);
end;

seek(file1,16);
seek(file2,16);
read(file1,block1);
read(file2,block2);
close(file1);
close(file2);
match:=true;
validkey1:=false;

bytematch:=0;
i:=5;

while (i<$400) do
begin
j:=i;
k:=i+1;
while (j<i+15) do
begin
while (k<i+14) do
begin
if (block1[j]=block1[k]) then
begin
bytematch:=bytematch+1;
end;
k:=k+1;
end;
k:=j+2;
j:=j+1;
end;
if (bytematch>3) then
i:=i+21
else
begin
keyread1:=i;
keystop1:=i+16;
i:=$400;
validkey1:=true;
end;
bytematch:=0;
end;

write ('Key from ',paramstr(1),': ');
while (keyread1<keystop1) and (validkey1) do
begin
TextColor(White);
write(hexbyte(block1[keyread1]),'');
TextColor(LightGray);
keyread1:=keyread1+1;
end;
if not validkey1 then
begin
TextColor(LightRed);
write ('*** ERROR ***');
TextColor(LightGray);
write (' Valid key structure not found!');
end;

writeln;

validkey2:=false;
bytematch:=0;
i:=5;

while (i<$400) do
begin
j:=i;
k:=i+1;
while (j<i+15) do
begin
while (k<i+14) do
begin
if (block2[j]=block2[k]) then
begin
bytematch:=bytematch+1;
end;
k:=k+1;
end;
k:=j+2;
j:=j+1;
end;
if (bytematch>3) then
i:=i+21
else
begin
keyread2:=i;
keystop2:=i+16;
i:=$400;
validkey2:=true;
end;
bytematch:=0;
end;

write ('Key from ',paramstr(2),': ');
while (keyread2<keystop2) and (validkey2) do
begin
TextColor(White);
write(hexbyte(block2[keyread2]),'');
TextColor(LightGray);
keyread2:=keyread2+1;
end;

if not validkey2 then
begin
TextColor(LightRed);
write ('*** ERROR ***');
TextColor(LightGray);
write (' Valid key structure not found!');
end;
writeln;

keyread1:=keystop1-16;
keyread2:=keystop2-16;

while (keyread1<keystop1) and (match) do
begin
if block1[keyread1]<>block2[keyread2] then match:=false;
keyread1:=keyread1+1;
keyread2:=keyread2+1;
end;

writeln;

if not (validkey1) or not (validkey2) then
begin
TextColor(LightRed);
writeln('*** One or both keys are not valid ***');
TextColor(LightGray);
writeln;
writeln('Here is a brief explination of the valid key not found error...');
writeln;
writeln('Key Check locates the key by comparing the all bytes of the key against');
writeln('the other bytes in the 16 byte key. If there are more than 3 identical');
writeln('bytes in the 16 byte key, it moves to the next logical key location in ');
writeln('key block. So, if all of the 32 key locations have more than 3 identical');
writeln('bytes, then it will respond with valid key structure not found. It is');
writeln('very uncommon for keys to have repeating bytes and the most I have found');
writeln('to date is 3. Double check your images (original or hacked) BEFORE flashing.');
halt(1);
end;

if not match then
begin
TextColor(LightRed);
writeln ('*** WARNING ***');
TextColor(LightGray);
writeln ('Keys do not match, do not flash!!!');
writeln ('Checked dumped and patched image.');
halt(1);
end;
TextColor(LightGreen);
writeln('*** SUCCESS ***');
TextColor(LightGray);
writeln('Drive Key Copied.');
writeln;
writeln('Now unplug the SATA cable and power-cycle the PC & DVD drive');
writeln('On reboot run: FlashDrive');
end.


Anyway, I just need to change the size of the block that is taken from the file and it will be fixed.

Caster.

« Last Edit: January 11, 2007, 02:11:47 PM by caster420 »

caster420 (Master Hacker, Posts: 242)
« Reply #11 on: January 11, 2007, 03:37:35 PM »

Here is the new code which copies and checks $4000-5fff.  I'll toss this up somewhere for download, probably on 360mods.net.

Caster.

__________________________code________________________________________

program KeyTool;
uses crt,dos;

function hexbyte(B : Byte) : String;
const
HexDigits : ARRAY[0..15] OF Char = '0123456789ABCDEF';
var Temp : String;
begin
Temp[0] := #2;
Temp[1] := HexDigits[B SHR 4];
Temp[2] := HexDigits[B AND $F];
hexbyte := Temp;
end;

type
block = array[0..$1fff] of byte;

var
block1, block2, block3:block;
file1, file2:file of block;
match,validkey1,validkey2,validkey3:boolean;
bytematch,keyread2,keystop2,keyread1,keystop1,keyread3,keystop3,i,j,k:integer;

begin
TextColor(LightBlue);
writeln;
writeln('----------------------------------------------------------------------------');
writeln('Firmware KeyTool v0.420 by Caster420 & Klutsh');
writeln('--------------------------------------------[360mods.net]-[x-projects.org]--');
writeln;
TextColor(LightGray);

if (paramstr(1)='') or (paramstr(2)='') then
begin
TextColor(LightRed);
writeln('ERROR: You did not satisfy the required paramaters.');
TextColor(LightGray);
writeln('Proper Usage: KeyTool File1 File2');
halt(1);
end;

assign(file1,paramstr(1));
assign(file2,paramstr(2));
{$i-} reset(file1); {$i+}
if IOResult <> 0 then
begin
TextColor(LightRed);
writeln('ERROR: File ',paramstr(1),' does not exist!');
TextColor(LightGray);
halt(1);
end;

{$i-} reset(file2); {$i+}
if IOResult <> 0 then
begin
TextColor(LightRed);
writeln('ERROR: File ',paramstr(2),' does not exist!');
TextColor(LightGray);
halt(1);
end;

writeln('Copying Key...');
seek(file1,2);
seek(file2,2);
read(file1,block3);

validkey3:=false;

bytematch:=0;
i:=5;

while (i<$1fff) do
begin
j:=i;
k:=i+1;
while (j<i+15) do
begin
while (k<i+14) do
begin
if (block3[j]=block3[k]) then
begin
bytematch:=bytematch+1;
end;
k:=k+1;
end;
k:=j+2;
j:=j+1;
end;
if (bytematch>3) then
i:=i+21
else
begin
keyread3:=i;
keystop3:=i+16;
i:=$2000;
validkey3:=true;
end;
bytematch:=0;
end;

if validkey3 then
begin
write(file2,block3);
writeln;
writeln('Checking Keys...');
writeln;
end;
if not validkey3 then
begin
TextColor(LightRed);
write ('*** ERROR ***');
TextColor(LightGray);
write (' Valid key structure not found!');
halt(1);
end;

seek(file1,2);
seek(file2,2);
read(file1,block1);
read(file2,block2);
close(file1);
close(file2);
match:=true;
validkey1:=false;

bytematch:=0;
i:=5;

while (i<$1fff) do
begin
j:=i;
k:=i+1;
while (j<i+15) do
begin
while (k<i+14) do
begin
if (block1[j]=block1[k]) then
begin
bytematch:=bytematch+1;
end;
k:=k+1;
end;
k:=j+2;
j:=j+1;
end;
if (bytematch>3) then
i:=i+21
else
begin
keyread1:=i;
keystop1:=i+16;
i:=$2000;
validkey1:=true;
end;
bytematch:=0;
end;

write ('Key from ',paramstr(1),': ');
while (keyread1<keystop1) and (validkey1) do
begin
TextColor(White);
write(hexbyte(block1[keyread1]),'');
TextColor(LightGray);
keyread1:=keyread1+1;
end;
if not validkey1 then
begin
TextColor(LightRed);
write ('*** ERROR ***');
TextColor(LightGray);
write (' Valid key structure not found!');
end;

writeln;

validkey2:=false;
bytematch:=0;
i:=5;

while (i<$1fff) do
begin
j:=i;
k:=i+1;
while (j<i+15) do
begin
while (k<i+14) do
begin
if (block2[j]=block2[k]) then
begin
bytematch:=bytematch+1;
end;
k:=k+1;
end;
k:=j+2;
j:=j+1;
end;
if (bytematch>3) then
i:=i+21
else
begin
keyread2:=i;
keystop2:=i+16;
i:=$2000;
validkey2:=true;
end;
bytematch:=0;
end;

write ('Key from ',paramstr(2),': ');
while (keyread2<keystop2) and (validkey2) do
begin
TextColor(White);
write(hexbyte(block2[keyread2]),'');
TextColor(LightGray);
keyread2:=keyread2+1;
end;

if not validkey2 then
begin
TextColor(LightRed);
write ('*** ERROR ***');
TextColor(LightGray);
write (' Valid key structure not found!');
end;
writeln;

keyread1:=keystop1-16;
keyread2:=keystop2-16;

while (keyread1<keystop1) and (match) do
begin
if block1[keyread1]<>block2[keyread2] then match:=false;
keyread1:=keyread1+1;
keyread2:=keyread2+1;
end;

writeln;

if not (validkey1) or not (validkey2) then
begin
TextColor(LightRed);
writeln('*** One or both keys are not valid ***');
TextColor(LightGray);
writeln;
writeln('Here is a brief explination of the valid key not found error...');
writeln;
writeln('Key Check locates the key by comparing the all bytes of the key against');
writeln('the other bytes in the 16 byte key. If there are more than 3 identical');
writeln('bytes in the 16 byte key, it moves to the next logical key location in ');
writeln('key block. So, if all of the 32 key locations have more than 3 identical');
writeln('bytes, then it will respond with valid key structure not found. It is');
writeln('very uncommon for keys to have repeating bytes and the most I have found');
writeln('to date is 3. Double check your images (original or hacked) BEFORE flashing.');
halt(1);
end;

if not match then
begin
TextColor(LightRed);
writeln ('*** WARNING ***');
TextColor(LightGray);
writeln ('Keys do not match, do not flash!!!');
writeln ('Checked dumped and patched image.');
halt(1);
end;
TextColor(LightGreen);
writeln('*** SUCCESS ***');
TextColor(LightGray);
writeln('Drive Key Copied.');
writeln;
writeln('Now unplug the SATA cable and power-cycle the PC & DVD drive');
writeln('On reboot run: FlashDrive');
end.
« Last Edit: January 11, 2007, 04:10:43 PM by caster420 »

caster420 (Master Hacker, Posts: 242)
« Reply #12 on: January 11, 2007, 05:25:08 PM »

Available for download here: http://www.x-projects.org/index.php?name=Downloads&file=details&id=11

Enjoy.

Caster.

caster420 (Master Hacker, Posts: 242)
« Reply #13 on: January 11, 2007, 07:30:58 PM »

If anyone downloaded v0.421, do not use it; it had an improper seek command.  The above code is correct but the wrong code was compiled.

Make sure you have v0.422 when you download it.

Caster.
« Last Edit: January 11, 2007, 07:36:57 PM by caster420 »

caster420 (Master Hacker, Posts: 242)
« Reply #14 on: January 19, 2007, 01:25:11 PM »

Quote from garyopa:
    Finding the key on the Samsung is EASY: it is always in the range of >4000 to >5FFF and it is always preceded by a number of bytes containing >EE.

Gary,

Are you sure it is always preceded by four bytes of EE?  That means that it only uses even-numbered placements.  All the fw's I have do have an even-numbered placement - just curious if anyone has an odd-numbered placement and if the four bytes of 11 are then replaced by EE.

Also, has anyone ever seen a fw with two valid key structures in it?  I have one where the 10th and 12th placements both have valid key structures and the repeating routine of key locations is terminated after the 12th (FF to $5FFF).

Caster.
« Last Edit: January 19, 2007, 01:27:53 PM by caster420 »

garyopa (Xbox Hacker, Posts: 582, Oasis Pensive Abacutors)
« Reply #15 on: January 19, 2007, 04:22:37 PM »

Quote from caster420:
    Gary,

    Are you sure it is always preceded by four bytes of EE?  That means that it only uses even-numbered placements.  All the fw's I have do have an even-numbered placement - just curious if anyone has an odd-numbered placement and if the four bytes of 11 are then replaced by EE.

    Also, has anyone ever seen a fw with two valid key structures in it?  I have one where the 10th and 12th placements both have valid key structures and the repeating routine of key locations is terminated after the 12th (FF to $5FFF).

    Caster.

From all the Samsungs I have seen, the following is always true.

Even placement of keys, but it could be odd, since a table entry is an ODD number of bytes.

The table always counts in numbers from >01 and up; I have never seen one which skips numbers,
and I don't know if a messed-up table would work or not.

Each entry after the table number is always one of the following:

Four >11's followed by a blank key of 16 >FF's.
Four >EE's followed by three >BB's and 13 >FF's.
Four >EE's followed by a VALID KEY.

If a table has two keys, which I have never seen, it seems the Xbox uses the last entry,
but I have not done enough tests myself to confirm this completely,
or to see if it would be possible to have a table built with two keys
and have the drive work in two different 360s without editing the firmware,
but I don't think it would.

caster420 (Master Hacker, Posts: 242)
« Reply #16 on: January 19, 2007, 06:24:08 PM »

Quote from garyopa:
    Each entry after the table number is always one of the following:

    Four >11's followed by a blank key of 16 >FF's.
    Four >EE's followed by three >BB's and 13 >FF's.
    Four >EE's followed by a VALID KEY.

Ok, I have seen the same.  Thanks Gary.

Caster.
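The Samsung key-table layout that caster420 (Reply #10) and garyopa (Reply #15) describe, as an added example that is not part of this thread and is not KeyTool's code. It walks the 21-byte entries (index byte, four marker bytes, 16-byte slot) from 0x4000 until the index sequence stops counting, classifies each entry using the three bodies garyopa lists, applies caster420's "more than 3 repeated bytes" rejection, takes the last key entry when a table carries two (garyopa's observation), and copies the whole 0x4000-0x5FFF area from an original dump into a patched image the way KeyTool does, verifying the key afterwards. The two sample images are constructed here, not real dumps: one puts the key in entry 12, which lands at 0x40EC as LordX reports for MS28, the other in entry 62, which lands at 0x4506, the offset in the thread title. The scan_end argument is my addition, to reproduce tools whose scan stops at 0x43FF.

```python
"""Samsung MS25/MS28 drive-key table walker (added example, not the thread's code).

Layout from the posts above: key area 0x4000-0x5FFF; each entry is 21 bytes, an
index byte counting 01, 02, 03 ... then four marker bytes and a 16-byte slot.
Entry bodies garyopa lists: 11 11 11 11 + 16 x FF (blank), EE EE EE EE + BB BB BB
+ 13 x FF (placeholder), EE EE EE EE + key. The "more than 3 identical bytes"
rejection is caster420's heuristic. Sample images are constructed, not real dumps.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

KEY_AREA_START = 0x4000
KEY_AREA_END = 0x6000            # exclusive: the thread's >4000 to >5FFF
KEY_LEN = 16
ENTRY_LEN = 1 + 4 + KEY_LEN      # index byte, marker, slot
MARK_BLANK = b"\x11" * 4
MARK_KEY = b"\xEE" * 4
BLANK_SLOT = b"\xFF" * KEY_LEN
PLACEHOLDER_SLOT = b"\xBB" * 3 + b"\xFF" * 13


@dataclass
class Entry:
    index: int        # table number as stored, starting at 1
    offset: int       # absolute offset of the index byte
    marker: bytes
    slot: bytes
    kind: str         # "blank", "placeholder", "key" or "unknown"


def repeated_pairs(slot: bytes) -> int:
    """Count equal byte pairs (i < j) in a slot; caster420 rejects more than 3."""
    return sum(1 for i in range(len(slot))
               for j in range(i + 1, len(slot)) if slot[i] == slot[j])


def classify(marker: bytes, slot: bytes) -> str:
    if marker == MARK_BLANK and slot == BLANK_SLOT:
        return "blank"
    if marker == MARK_KEY and slot == PLACEHOLDER_SLOT:
        return "placeholder"
    if marker == MARK_KEY and repeated_pairs(slot) <= 3:
        return "key"
    return "unknown"


def walk_table(fw: bytes, scan_end: int = KEY_AREA_END) -> List[Entry]:
    """Walk entries from 0x4000 while the index byte keeps counting up.
    scan_end (an assumed parameter) reproduces tools that stop early, e.g. 0x4400."""
    entries: List[Entry] = []
    off, expect = KEY_AREA_START, 1
    limit = min(scan_end, len(fw))
    while off + ENTRY_LEN <= limit and fw[off] == expect:
        marker = fw[off + 1:off + 5]
        slot = fw[off + 5:off + 5 + KEY_LEN]
        entries.append(Entry(expect, off, marker, slot, classify(marker, slot)))
        off += ENTRY_LEN
        expect += 1
    return entries


def find_key(fw: bytes, scan_end: int = KEY_AREA_END) -> Optional[Tuple[int, bytes]]:
    """(absolute offset, key) of the LAST key entry, or None: garyopa reports the
    console seems to use the last entry when a table carries two keys."""
    keys = [e for e in walk_table(fw, scan_end) if e.kind == "key"]
    return (keys[-1].offset + 5, keys[-1].slot) if keys else None


def transplant_key_area(orig: bytes, hacked: bytes) -> bytes:
    """Copy 0x4000-0x5FFF from orig into hacked, as KeyTool does, then verify."""
    found = find_key(orig)
    if found is None:
        raise ValueError("original image has no valid key entry in 0x4000-0x5FFF")
    out = bytearray(hacked)
    out[KEY_AREA_START:KEY_AREA_END] = orig[KEY_AREA_START:KEY_AREA_END]
    if find_key(bytes(out)) != found:
        raise RuntimeError("keys do not match after copy, do not flash")
    return bytes(out)


def build_image(key_entry: int, key: bytes, size: int = 0x8000) -> bytes:
    """Constructed sample: blank/placeholder entries, the key in entry key_entry,
    FF padding after it. Not a real dump."""
    fw = bytearray(size)
    fw[KEY_AREA_START:KEY_AREA_END] = b"\xFF" * (KEY_AREA_END - KEY_AREA_START)
    for n in range(1, key_entry + 1):
        if n == key_entry:
            body = MARK_KEY + key
        elif n % 2:
            body = MARK_BLANK + BLANK_SLOT
        else:
            body = MARK_KEY + PLACEHOLDER_SLOT
        off = KEY_AREA_START + (n - 1) * ENTRY_LEN
        fw[off:off + ENTRY_LEN] = bytes([n]) + body
    return bytes(fw)


SAMPLE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")   # constructed

if __name__ == "__main__":
    ms28 = build_image(12, SAMPLE_KEY)   # key lands at 0x40EC, LordX's MS28 offset
    rare = build_image(62, SAMPLE_KEY)   # key lands at 0x4506, the offset in the title
    for name, fw in (("ms28", ms28), ("rare", rare)):
        print(name, "full scan:", find_key(fw), "| stop at 0x4400:", find_key(fw, 0x4400))
    print("transplant:", find_key(transplant_key_area(rare, ms28)))
```

Running it shows the thread's problem directly: with the scan cut off at 0x4400 the entry-62 image yields no key at all, while the full 0x4000-0x5FFF walk finds it at 0x4506. Copying the whole area rather than the 16 key bytes keeps the table's index sequence and marker bytes intact, which matters because garyopa notes the drive may care about the position of the last entry rather than any fixed offset.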