XboxHacker BBS
 
Author Topic: 360 Flash Dump Tool V0.1  (Read 143742 times)
robinsod
« Reply #240 on: March 05, 2008, 03:12:31 AM »


- How about support for devkit dumps?  (I can supply you with raw_dumps + cpu_key + ......)

Sure, I think the XEX keys may have changed (1BL key is all 0's iirc)

- The HK/Asia-EU bug is still there, did you fix it?

No, this was just a quick fix to get secdata.bin support "out there", v89 should add several fixes though

- What do you think about integrating "Degraded.exe" into "360 Flash Dump Tool"

Maybe, it uses the same code....
MODFREAKz
« Reply #241 on: March 05, 2008, 06:14:38 AM »

wonderful !!

I send you PM with related files and dumps.

Pitfall6667
« Reply #242 on: March 16, 2008, 05:06:18 AM »

Thanks Robinsod.


Team MODFREAKz (thanks to you too): TF supports Dev dump 3215, 4548 but not the Dev dump 6683 (???), I can extract/mod the KV but I can't extract the FS (???).
XEX1=A26C10F71FD935E98B99922CE9321572
XEX2=20B185A59D28FDC340583FBB0896BF91
1BL key : DD88AD0C9ED669E7B56794FB68563EFA

try xex1 & 2 = (others => 0)
zouzzz
« Reply #243 on: March 16, 2008, 01:24:47 PM »

Ok thanks.

Theory :
- extract the FS of debug box
- create an image with FS of debug box and dump of retail box
- flash the retail box to pass retail in debug/retail

Do you think this theory is possible or not?
« Last Edit: March 16, 2008, 01:34:29 PM by zouzzz »

Pitfall6667
« Reply #244 on: March 16, 2008, 03:55:09 PM »

sure, why not try? sounds like a brand new idea :P
MODFREAKz
« Reply #245 on: October 05, 2008, 09:40:43 AM »

here is my bug fixed/patched versions of 360 Flash Dump Tool

What's new?

360 Flash Dump Tool v0.88b - DevKit Only
- Open/Save 64MB dev dumps only
- Fixed the Region bug (HK/Asia <=> EU)
- Add Dev Region (DEV 0x7FFF)
- Redesigned (XP style)
- Some bugfixes


360 Flash Dump Tool v0.88b - Retail Only
- Open/Save 16MB retail dumps only
- Fixed the Region bug (HK/Asia <=> EU and AUS)
- Redesigned (XP style)
- Some bugfixes


btw. I hope robinsod doesn't mind this!

schwatter
« Reply #246 on: October 05, 2008, 09:50:02 AM »

Thank you. The DevKit version works great :D
Also with the 16MB retail method dump from XDK
« Last Edit: October 05, 2008, 10:10:19 AM by schwatter »
zouzzz
« Reply #247 on: October 05, 2008, 10:47:10 AM »

Great. Thanks!

itsfakemon
« Reply #248 on: October 05, 2008, 11:17:07 AM »

Thank you very much! ;)
MoDInside
« Reply #249 on: October 05, 2008, 04:31:08 PM »

Thanks.
mushy408
« Reply #250 on: October 06, 2008, 11:23:11 AM »

This is great news :D Nice to see that you guys have been hard at work making the unimaginable... well... do-able to those who haven't got a clue. I've just read through all those pages and I've got a bit of a headache now :P Time for a cuppa and then start making notes on this shizzel!

Big thanx to all the contributors and creators of this tool. Microsoft - the time is nigh!
Ell3X
« Reply #251 on: November 05, 2008, 12:44:01 PM »

Hi,

just found a "bug" in fdt0.88b.
i have a "jap" box and the regioncode is "unknown 0101".
but it should be a normal jap ?

 


 
joeylw
« Reply #252 on: November 29, 2008, 03:09:04 AM »

ok sorry for this noob question... i have some xbox 360's but no original dvd drives and from what i understand you can use 360 flash dump tool v.88 to get this key off the motherboard. can anyone give me some kind of direction or a tutorial on how to get the dvd key?... how do you connect your 360 motherboard to your pc?

Thank You for your help!
Arakon
« Reply #253 on: November 29, 2008, 03:26:55 AM »

there is no way to get the key off the MB if you don't have a working drive with the key in the first place.
braza
« Reply #254 on: December 23, 2008, 05:43:19 AM »

Problem..

I try to patch the region (JAPAN TO eua) on KV.BIN on NXE dashboard and get an error: 2 red lights UP and 2 green lights DOWN!

The Flash Dump Tool is not compatible with the latest dash??
cjack
« Reply #255 on: January 24, 2009, 11:16:25 AM »

Hi! Just dumped the NAND of a Jasper motherboard. Seems that the data structure is changed compared to old version of flash.
Need to manage the new size of NAND too. FlashTool update required ;D See you guys
Ell3X
« Reply #256 on: January 24, 2009, 04:02:02 PM »

useless !

jasper has no vulnerable cb, this means no downgrading, no cpu-key and so on ...
Redline99
« Reply #257 on: March 03, 2009, 03:30:07 PM »

does anyone have the sources to .88b or anything newer than .87? If you do please pm me. thanks
« Last Edit: March 03, 2009, 03:32:04 PM by Redline99 »

Shaun
« Reply #258 on: March 04, 2009, 10:17:22 AM »

I'm assuming via your own programmer cjack ? (guessing infectus support for new flash id is a way off lol)
Not seen any details about it as obviously it has to be in a different format 1 way or another.
arnezami
« Reply #259 on: August 16, 2009, 07:18:08 AM »

Bugfix info regarding CD decryption. If you have a 1920+ CD version it doesn't decrypt CD properly. This was because the "DerivedKey" was only calculated in CE (which was decrypted properly) but should have been done in CD already.

Since 0.88b is already out I will post my changes: (only 0.88a source is released)

Change part of FlashFile.cpp into this (CD decrypt now gets the cpu key, not CE decrypt):
Code:
m_CDSection.Initialise(CString("CD"),Base,&m_BlockDriver,m_CBSection.GetKey(),m_CBSection.GetVersion() >= 1920 ? m_pFuse : NULL);
Base += m_CDSection.GetLength();

m_CESection.Initialise(CString("CE"),Base,&m_BlockDriver,m_CDSection.GetKey());
This means removing this line in CXSection.h:
Code:
BOOL Initialise(CString& rName, unsigned int BaseAddress, CBlockDriver * pBlockDriver, unsigned char * pKey, unsigned char * pCPUKey);
and changing CD Initialise into this line:
Code:
BOOL Initialise(CString& rName, unsigned int BaseAddress, CBlockDriver * pBlockDriver, unsigned char * pKey, unsigned char * pCPUKey);
also remove CCESection::Initialise from CXSection.cpp.

Then change CCDSection::Initialise in CXSection.cpp into this:
Code:
BOOL CCDSection::Initialise(CString& rName, unsigned int BaseAddress, CBlockDriver * pBlockDriver, unsigned char * pKey, unsigned char * pCPUKey)
{
    BYTE* pData;

    m_Name = rName;
    m_DecryptedData = NULL;

    // Index of the 0x4000-byte block that contains BaseAddress
    m_StartBlock = BaseAddress/0x4000;

    if(!ReadSection(m_StartBlock,BaseAddress-(m_StartBlock * 0x4000),0x20,&pData,pBlockDriver))
    {
        return FALSE;
    }

    if(pKey)
    {
        // pCPUKey is NULL unless the caller saw a CB version >= 1920
        Decrypt(pKey,pData,pCPUKey);
    }
    delete pData;
    return TRUE;
}
and add CCDSection::Decrypt to CXSection.cpp:
Code:
BOOL CCDSection::Decrypt(unsigned char *pK0, unsigned char * pData, unsigned char * pCPUKey)
{
    unsigned char Digest[SHA_DIGEST_LENGTH];

    RC4_KEY RC4Key;

    // Bail out if the first byte of the incoming key is zero
    if(*pK0 == 0x00)
    {
        return FALSE;
    }

    m_DecryptedData = new unsigned char[m_Length];

    // Base key: CalculateHMACSHA with pK0 over the 0x10 bytes at pData+0x10
    CalculateHMACSHA(pK0,&pData[0x10],0x10,Digest);

    // CB >= 1920: run the result through CalculateHMACSHA again with the CPU key
    if (pCPUKey) {
        CalculateHMACSHA(pCPUKey,Digest,0x10,Digest);
    }

    memcpy(m_Hdr,pData,0x10);
    memcpy(m_Key,Digest,0x10);


    //first 16 bytes of Digest is the key
    RC4_set_key(&RC4Key, 0x10, Digest);
    RC4(&RC4Key,
        m_Length - 0x10,
        &pData[0x20],
        m_DecryptedData);

    return TRUE;
}
and of course change CXSection.h accordingly:
Code:
virtual BOOL Initialise(CString& rName,unsigned int BaseAddress, CBlockDriver * pBlockDriver, unsigned char * pKey, unsigned char * pCPUKey);
virtual BOOL Decrypt(unsigned char *pK0, unsigned char * pData, unsigned char * pCPUKey);

The above was discussed here.

Regards,

arnezami
« Last Edit: August 16, 2009, 04:32:42 PM by arnezami »
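
The key derivation that the post above moves from CE into CD, as an added Python example that is not part of the original post or of the tool's source. It assumes CalculateHMACSHA is HMAC-SHA1 taking a 16-byte key; the function names are hypothetical and every key, header and body byte is constructed for the example.

```python
import hashlib
import hmac

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4; the same call encrypts and decrypts."""
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def cpu_key_for_cd(cb_version: int, cpu_key: bytes):
    """Mirrors the FlashFile.cpp call: CD only receives the CPU key for CB >= 1920."""
    return cpu_key if cb_version >= 1920 else None

def derive_cd_key(cb_key: bytes, header: bytes, cpu_key=None) -> bytes:
    """HMAC-SHA1 (assumed) over header bytes 0x10..0x1F, optionally re-keyed with the CPU key."""
    digest = hmac.new(cb_key, header[0x10:0x20], hashlib.sha1).digest()
    if cpu_key is not None:
        digest = hmac.new(cpu_key, digest[:0x10], hashlib.sha1).digest()
    return digest[:0x10]  # first 16 bytes of the digest are the RC4 key

def decrypt_cd(section: bytes, cb_key: bytes, cpu_key=None) -> bytes:
    """Header is the first 0x20 bytes; the RC4-encrypted body follows it."""
    return rc4(derive_cd_key(cb_key, section[:0x20], cpu_key), section[0x20:])

# Constructed test data: none of these bytes come from a real console or dump.
CB_KEY = bytes(range(16))
CPU_KEY = bytes([0xA5] * 16)
HEADER = b"CONSTRUCTED-HDR!" + bytes(range(0x40, 0x50))
PLAIN = b"constructed CD body used only for this example"

def build_section(cb_version: int) -> bytes:
    """Encrypt PLAIN the way a CB of the given version would expect to find it."""
    key = derive_cd_key(CB_KEY, HEADER, cpu_key_for_cd(cb_version, CPU_KEY))
    return HEADER + rc4(key, PLAIN)

if __name__ == "__main__":
    new = build_section(1920)
    fixed = decrypt_cd(new, CB_KEY, cpu_key_for_cd(1920, CPU_KEY))
    prefix = decrypt_cd(new, CB_KEY)  # pre-fix behaviour: CPU key never reached CD
    print("with CPU key in CD :", fixed == PLAIN)
    print("without (pre-fix)  :", prefix == PLAIN)
```

Because the second HMAC is keyed with a per-console secret, a section built for CB 1920 or later only decrypts when that console's CPU key is supplied at the CD stage.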