|
atiman
|
 |
« Reply #140 on: September 03, 2007, 02:28:37 AM » |
|
Thanks a lot, ivc!
(Hint : The file inside ivc's .gz file is a .tar file)
« Last Edit: September 03, 2007, 02:35:19 AM by atiman »
|
zouzzz
|
 |
« Reply #141 on: September 03, 2007, 03:09:45 AM » |
|
Btw, I made a package of the tmbincdump source code (with atiman's updates) and linux binary for both the read2 (read nand as is, ignore sector status) and read3 (read nand, but skip bad sector) command. Download it here. View tmbinc's original post and atiman's updated tmbincdump code here.
ivc
Thanks, my tmbincdump.bin: 16.5 MB (17,301,504 bytes), like the Infectusdump.bin.
edit: downgrade with the R3T6: http://forums.xbox-scene.com/index.php?showtopic=620009
« Last Edit: September 03, 2007, 03:53:15 AM by zouzzz »
|
sectroyer
|
 |
« Reply #142 on: September 03, 2007, 03:31:50 AM » |
|
I guess the real question on many people's minds is whether you can do the same for the latest "guitar" update...
Yes, I did a test yesterday on a machine with the R6T3 resistor in place. I updated from 4543 (LVD 1) -> 4548 (LVD increased to 2) -> 4552 (LVD increased to 3) -> 5759 (LVD increased to 4) -> 5766 (LVD increased to 5), and dumped the nand flash for each update using the Infectus flasher. I then used the 360 Flash Dump Tool 0.6 with 1BL Key set to change the 4543 dump to have LVD 5 and it booted fine! I did the same for all of the other dumps, 4548, 4552, and 5759, and they all booted when the LVD was changed to match the LVD of 5766 / fuseline 4.
ivc
Sorry, since it seems a little off topic, but this man just posted very interesting info. He downgraded (with R6T3 in place) from 5766 to 4532. Just wanted to point it out since in many threads I saw people wondering if it is still possible with this update.
|
robinsod
Global Moderator
Xbox Hacker
    
Posts: 648
Perl packed my shorts during global destruction
|
 |
« Reply #143 on: September 03, 2007, 05:50:47 AM » |
|
It has been possible to downgrade to/from any version for a long time IF you knew your CPU keys.... Soon we will have a (one click) to d/g to 1888 then everyone can get their CPU keys.....
|
zouzzz
|
 |
« Reply #144 on: September 03, 2007, 07:55:00 AM » |
|
I tested changing the DVDKEY of my xbox360 (4532, Hitachi 47 DVDDRIVE SPOOF MS25, Infectus). My results:
- key FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF or key FAFAFAFAFAFAFAFAFAFAFAFAFAFAFAFA: no E72 but the games (original or backup) don't launch
- key coming from Hitachi46 or from Hitachi47 or from MS25: the games launch without problem
The key cannot be invented?
« Last Edit: September 03, 2007, 07:57:40 AM by zouzzz »
|
zouzzz
|
 |
« Reply #145 on: September 05, 2007, 11:25:24 AM » |
|
I tested changing the DVDKEY of my xbox360 (4532, Hitachi 47 DVDDRIVE SPOOF MS25, Infectus). My results:
- key FFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF or key FAFAFAFAFAFAFAFAFAFAFAFAFAFAFAFA: no E72 but the games (original or backup) don't launch
- key coming from Hitachi46 or from Hitachi47 or from MS25: the games launch without problem
The key cannot be invented?
I have tested with this key: 12121212121212121212121212121212, it's OK... very strange.
|
TSX1
|
 |
« Reply #146 on: September 11, 2007, 02:27:04 PM » |
|
I resoldered the TSOP to the mainboard and obtained a NAND dump with tmbinc's program (with both COMMAND 2 and COMMAND 3). With this new dump, 'Flash Dump Tool 0.81' worked correctly! I wonder why the first dump (by programmer device) wasn't good for using with 'Flash Dump Tool'!? Should there really be differences between Infectus dumps (or tmbinc's program dumps) and other programmers' dumps? Or is there a problem with my friend's programmer, which we used for dumping the NAND? Because I don't have an Infectus, I should use a programmer for writing the NAND back to the TSOP, but before doing this I want to be sure there isn't any difference between using an Infectus or a programmer. Is there anyone who compared an Infectus dump with a dump from a programmer? If I am sure about this then I can use another programmer. Maybe my friend's programmer isn't good for this type of work.
|
zouzzz
|
 |
« Reply #147 on: September 11, 2007, 03:08:48 PM » |
|
The dump with Infectus is the same one as the dump with tmbinc's program.
|
TSX1
|
 |
« Reply #148 on: September 11, 2007, 03:36:21 PM » |
|
The dump with Infectus is the same one as the dump with tmbinc's program.
Thank you, I know this. I want to know if the dump with Infectus or tmbinc's program is the same as the dump with a programmer!
|
atiman
|
 |
« Reply #149 on: September 12, 2007, 02:28:44 AM » |
|
Honestly, I thought Infectus could be called "a standard programmer", until now.
Tell us more about the differences you noticed. I'm interested.
- Name of the programmer
- Size difference of dumps (if any)
- Offset of first byte that is different
etc...
Thanks for any piece of information about this trouble
(PS: for readers, when we say the Infectus dump is the same as the tmbinc software dumper one, it's only 100% true if you are using command 3. If you are using command 2, dumps will be identical ONLY IF your NAND hasn't any bad sector. DO NOT suppose you don't have bad sectors. M$ accepts bad sectors in the NANDs it purchases for 360. They are just "ignored" by software.)
« Last Edit: September 12, 2007, 02:31:36 AM by atiman »
|
TSX1
|
 |
« Reply #150 on: September 12, 2007, 04:21:49 AM » |
|
About differences, there are 16,557,832 differences between the two files! I don't know the name of the programmer and I should ask for it. File sizes are the same and the first difference is at offset 0x205. I wrote the NAND back to the TSOP with that programmer, but after resoldering the TSOP to the mainboard, the console didn't turn on at all, so I'm sure there is a problem somewhere.
|
tmbinc
|
 |
« Reply #151 on: September 12, 2007, 07:43:41 AM » |
|
0x205 - one image contains ECC data, the other one doesn't. The first difference will be at 0x205, which will be FF in the image with ECC and 00 in the image without ECC. By the way, the ECC'ed image should be 0x210/0x200 times bigger (~3%).
As the ECC algorithm is different for each device, and in our case, the ECC data seems to contain data which isn't stored anywhere else, do NOT trust the programmer in handling ECC data.
Instead, make the programmer handle ECC data in a "raw" way. There should be a setting for that. The programmer should output a file consisting of interleaved sector,ecc data (0x200 data, 0x10 bytes ECC).
Please don't copy/quote full text outside this board. Instead, summarize and link to this post. Thanks! This lets me keep information updated and doesn't pull things out of context.
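
An added example (not code from tmbinc or from any tool in this thread) of the layout described in reply #151: it guesses from the file size whether a dump is raw (0x200 data + 0x10 ECC per sector) or data-only, then compares two dumps on sector data alone. The power-of-two sector count used to break size ties is an assumption, and the sample dumps are constructed.

```python
SECTOR = 0x200        # data bytes per sector, as stated in the post
SPARE = 0x10          # ECC/spare bytes stored after each sector
RAW = SECTOR + SPARE  # 0x210 bytes per sector in a raw dump

def _pow2(n):
    return n > 0 and n & (n - 1) == 0

def classify(size):
    """Guess layout from size: ('raw' | 'data-only' | 'unknown', sectors).

    Assumption: the chip holds a power-of-two number of sectors. That breaks
    the tie for sizes that are multiples of both 0x200 and 0x210.
    """
    if size % RAW == 0 and _pow2(size // RAW):
        return "raw", size // RAW
    if size % SECTOR == 0 and _pow2(size // SECTOR):
        return "data-only", size // SECTOR
    return "unknown", 0

def strip_spare(blob):
    """Drop the 0x10 spare bytes after every 0x200-byte sector of a raw dump."""
    return b"".join(blob[i:i + SECTOR] for i in range(0, len(blob), RAW))

def first_difference(a, b):
    """Offset of the first differing byte, or None if the dumps are identical."""
    for off, (x, y) in enumerate(zip(a, b)):
        if x != y:
            return off
    return None if len(a) == len(b) else min(len(a), len(b))

def compare_data(a, b):
    """Compare two dumps on sector data only, whatever layout each one has."""
    norm = [strip_spare(d) if classify(len(d))[0] == "raw" else d for d in (a, b)]
    return first_difference(*norm)

# Constructed sample: a 4-sector "chip" with made-up data and spare bytes.
sectors = [bytes([n + 1]) * SECTOR for n in range(4)]
raw_dump = b"".join(s + b"\xEE" * SPARE for s in sectors)  # interleaved sector,ecc
data_dump = b"".join(sectors)                              # spare area stripped
bad_dump = bytearray(data_dump)
bad_dump[2 * SECTOR + 5] ^= 0xFF                           # one genuine data difference

if __name__ == "__main__":
    print(classify(17_301_504))                        # dump size quoted in reply #141
    print(hex(first_difference(raw_dump, data_dump)))  # naive byte-for-byte compare
    print(compare_data(raw_dump, data_dump))           # same data once spare is removed
    print(hex(compare_data(raw_dump, bytes(bad_dump))))
```

A naive byte-for-byte comparison of a raw dump against a data-only dump diverges as soon as the first spare area starts, which is why the layouts have to be normalised before any difference count means anything.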
|
TSX1
|
 |
« Reply #152 on: September 12, 2007, 10:45:21 AM » |
|
Thank you for the explanation, tmbinc. So, you mean I can use a programmer for writing the NAND back to the TSOP but I should set some settings first, OK? Is there any programmer that you recommend for doing this?
|
TSX1
|
 |
« Reply #153 on: September 13, 2007, 05:27:19 AM » |
|
I asked for the name of my friend's programmer, it's "BeeHive 4". Does anyone know if we can use it for dumping and writing the NAND (like Infectus)? Thanks
|
CrUnc}{eR
|
 |
« Reply #154 on: September 30, 2007, 09:32:23 PM » |
|
Ok, I read the entire thread (and many others) and still don't know how to get the 1BL key from my 1BL.bin file, nor do I have any idea where to start to get xex 1 & 2 keys.
|
atiman
|
 |
« Reply #155 on: October 01, 2007, 07:22:59 AM » |
|
I think the 1bl key is given by robinsod in the post where he explains how the time attack device works.
xex1 & xex2 are optional, you probably don't need them. They help only experts in reverse engineering.
|
robinsod
Global Moderator
Xbox Hacker
    
Posts: 648
Perl packed my shorts during global destruction
|
 |
« Reply #156 on: October 04, 2007, 02:31:13 AM » |
|
Sorry for the delay, I've been lazy
Nand Tool 0.85 http://rapidshare.com/files/60153842/360_Flash_Tool.85.rar.html
- Can patch CB LDV IF CPU key is known
- Can extract using new v1920 CD decryption IF CPU key is known (thanks tmbinc)
- Extracts SMC code
Still to do:
- Decent bad block support
« Last Edit: October 04, 2007, 02:33:36 AM by robinsod »
|
zouzzz
|
 |
« Reply #157 on: October 04, 2007, 05:18:36 AM » |
|
Thanks a lot.
|
Geremia
|
 |
« Reply #158 on: October 04, 2007, 07:26:57 AM » |
|
thanks
don't know if works for you, but i get a crash on ivc dump when extracting filesystem at ximedic (tool0.81 too)
btw, what about:
- aac.xex
- crl.bin
- secdata.bin
- odd.bin
- extended.bin
can be decrypted too?
thanks again
|
robinsod
Global Moderator
Xbox Hacker
    
Posts: 648
Perl packed my shorts during global destruction
|
 |
« Reply #159 on: October 04, 2007, 08:44:37 AM » |
|
don't know if works for you, but i get a crash on ivc dump when extracting filesystem at ximedic (tool0.81 too)
Yeah, there's a bad block in that dump in the ximedic.xex file. V0.86.....
btw, what about:
- aac.xex
- crl.bin
- secdata.bin
- odd.bin
- extended.bin
can be decrypted too?
aac.xex? That should be decrypted if it's in the FS directory block..... The others are all related to copy protection and of no interest (AFAIK) to us hackers, so I won't be decrypting them