robinsod
Global Moderator
Xbox Hacker
    
Posts: 648
Perl packed my shorts during global destruction
« Reply #80 on: June 27, 2007, 07:05:59 AM »
A non ECC dump must be exactly 16MB,
Excellent work! Shame I can only dump 13mb lol, could I pad it?
Yes

sentinel0
« Reply #81 on: June 27, 2007, 11:28:34 AM »
Just wanted to post that I loaded my non ecc corrected bin in the new tool, loaded up the sections, and tested my ecc corrected bin; also worked great.

arnezami
« Reply #82 on: June 27, 2007, 03:19:44 PM »
This is great. Did you also manage to decompress/decrypt xexp patch files and to apply the xexp over the xex? I've a xexp file that can't wait anymore
The current version only decrypts/decompresses the base xex, but the next version will be able to apply the updates. It seems the process is not that much different from the kernel patching (patch is again applied as delta compression data, at least, so it seems after looking very briefly at it). We've just finished xex decompression last night, applying the updates will be next
Xex(p) decryption and decompression is going to be really useful. Much thanks already.
I have a question which you may be able to answer more easily: is it possible xex-es have a (fixed) minimum filelength (compressed that is) of several dozens of kb? Does that make any sense? I have a feeling that this might be the case but I haven't really gone into the decompression algo yet.
Regards, arnezami

TheSpecialist
« Reply #83 on: June 27, 2007, 04:26:28 PM »
is it possible xex-es have a (fixed) minimum filelength (compressed that is) of several dozens of kb? Does that make any sense? I have a feeling that this might be the case but I haven't really gone into the decompression algo yet.
It seems that the minimum length of the header is normally 4096 bytes, so yeah, it makes sense

Anaki
« Reply #84 on: June 27, 2007, 10:02:46 PM »
I'd love to get into the crypto side of things, with the xex's etc, but having trouble finding any decent tools for RSA. I would write some but I don't feel I know enough about it, especially when dealing with large numbers such as keys. Do they generally use the key tokens instead of the keys? If anyone has any suggestions on tools/software or tools they have written and they would like to share for encrypting/decrypting and signing with public and private keys, specifically where P and Q are not known, it would be much appreciated. If this has gone off topic slightly, then I apologise and please move the post to somewhere if needed.
Cheers Anaki
« Last Edit: June 27, 2007, 10:06:33 PM by Anaki »

robinsod
« Reply #85 on: June 30, 2007, 07:09:18 AM »
http://rapidshare.com/files/40210622/tool.07.rar.html
A fairly large update with new features and a simplified GUI.
Changes:
There are up to 4 keys required by the tool; you can enter these by clicking the Keys button. Select the check box next to the key you are entering (checkbox must be selected for tool to consider key valid)
1) 1BL, as before
2) CPU, from Fuse data, as before
3) XEX1, the Key used by the HV when an XEX's certificate flag has bit 2 set
4) XEX2, the Key used by the HV when an XEX's certificate flag has bit 2 clear
Load a dump (with or without ECC data) by clicking the "..." button
The Extract button will cause the tool to extract as much as possible from the Flash dump to a directory you select. During the extraction process a log file (log.txt) is generated containing "Useful Stuff To Know"; log.txt will be created in the same directory as the extracted files from the flash.
Depending on the Keys and ECC data available the following will be extracted:
If 1BL is known - CB,CD,CE,CF(s),CG(s), xboxkrnl.1888.exe and xboxkrnl.XXXX.exe(s) as before
If 1BL & CPU Key is known - KeyVault.bin
If XEX1 & XEX2 & ECC data are known the tool will extract and decrypt & decompress the XEXs in the flash dump. The decrypted XEX is named xxxx.xex.bin (ie dash.xex is extracted as dash.xex.bin). More info about the xex (and its patches) is contained in the log file. You can disasm these files in IDA Pro, the image load & entry points are in the log.txt
It is now possible to zero the pairing data in the CB section (tmbinc thought this caused the mfgbootlauncher.xex plus v1888 Kernel to be loaded) by clicking the Zero PD button. The resulting file has 32 zeros written to, and encrypted in, the CB section (at offset 0x20). I have not experimented very much with this but it does seem to cause the box to go into a "funny state". Perhaps someone with a network connected box & PC could sniff for traffic?
You DO need the 1BL key but you DO NOT need your CPU key for this patch.
Clicking the Patch button allows you to change the Lockdown Counter(s) in the CF sections, as before, you DO need your CPU key
TODO: Apply the XEXP patch files to recover later versions of the xex
Edit: Ooops, nearly forgot, thanks to Takires, TheSpecialist & tmbinc
« Last Edit: June 30, 2007, 07:11:27 AM by robinsod »

klipseracer
« Reply #86 on: June 30, 2007, 03:02:59 PM »
Thanks! Great work as always. Keep it up! I'm loving this progress.

jacksback
« Reply #87 on: July 02, 2007, 08:18:09 PM »
First of all thanks to all involved in creating this tool
Unfortunately I have encountered a problem and was wondering if anyone else has had the same issue?
Here's what I did
Loaded the new Flash tool and added the 1BL key. I then browsed for my 5759 Kernel image and loaded it. Everything loaded up as expected but when I closed it down and re-opened it I got a "360 Flash Tool MFC Application has encountered a problem and needs to close"
I tried many times to open it all with the same result. I then tried deleting the exe, restarting my pc and re-downloading the flash tool but still the problem persists. Any suggestions as to why this is happening and if there are other files I should remove for a clean uninstall?
Much appreciated
« Last Edit: July 02, 2007, 08:55:34 PM by jacksback »

gerzand
« Reply #88 on: July 02, 2007, 09:54:07 PM »
First of all thanks to all involved in creating this tool
Unfortunately I have encountered a problem and was wondering if anyone else has had the same issue?
Here's what I did
Loaded the new Flash tool and added the 1BL key. I then browsed for my 5759 Kernel image and loaded it. Everything loaded up as expected but when I closed it down and re-opened it I got a "360 Flash Tool MFC Application has encountered a problem and needs to close"
I tried many times to open it all with the same result. I then tried deleting the exe, restarting my pc and re-downloading the flash tool but still the problem persists. Any suggestions as to why this is happening and if there are other files I should remove for a clean uninstall?
Much appreciated
Thank you for bringing this up. This has happened on 2 separate computers of mine, one running XP and the other running Vista. After crashing the program approximately 3 times, it no longer operates without crashing while trying to launch the application. Removing the files does not fix this. There must be a registry entry being made or something. Please advise. Thanks!

DrDentz
Newbie

Posts: 1
« Reply #89 on: July 02, 2007, 10:28:51 PM »
HKEY_LOCAL_MACHINE\SOFTWARE\Robinsod\FlashTool
Either delete this key from your registry or reset the values to their defaults.

robinsod
« Reply #90 on: July 03, 2007, 03:49:37 AM »
Hmmmm, weird. Is anyone still having problems?

gerzand
« Reply #91 on: July 03, 2007, 09:06:16 AM »
Hmmmm, weird. Is anyone still having problems?
Nope that fixed it (until it happens again). Thanks

jacksback
« Reply #92 on: July 03, 2007, 02:01:54 PM »
Removing the registry entry stopped flashtool from immediately crashing (Thanks DrDentz), however I cannot get past the key entering first menu as it crashes just like before. Here's what I am doing
Open Flashtool, I get prompted to enter up to 4 keys. As I am away on a business trip I haven't managed to get the fuse data so all I have is the 1BL key. I enter the key, tick the checkbox and click OK. Flashtool then crashes displaying the message I mentioned above. Am I right in thinking that I possibly need to enter the 1BL and the CPU key, maybe just entering the 1BL key by itself is what's causing it to crash? All other tick boxes are un-checked when I click OK. I have used the 1BL key successfully on previous versions of Flashtool without any issues.
Thanks Again
« Last Edit: July 03, 2007, 02:04:22 PM by jacksback »

Pres
Newbie

Posts: 5
« Reply #93 on: July 03, 2007, 02:09:33 PM »
New to this --- I think I may have got my 1bl key but is there a way to tell for sure? Also what is the xex1 and xex2 keys and how to get? Sorry for the newb ?'s. Also tool .07 works fine every time for me, no crashes.

jacksback
« Reply #94 on: July 03, 2007, 02:13:51 PM »
Figured it out. I had to tick the CPU box and use the provided 32 0's. Just did it with the 1BL and CPU key box ticked and it starts up correctly now. Thanks again to all
« Last Edit: July 03, 2007, 02:30:20 PM by jacksback »

jacksback
« Reply #95 on: July 03, 2007, 02:37:49 PM »
New to this --- I think I may have got my 1bl key but is there a way to tell for sure? Also what is the xex1 and xex2 keys and how to get? Sorry for the newb ?'s. Also tool .07 works fine every time for me, no crashes.
Easiest way to check is to load up a flash dump and see if you have Pairing Data. I would also think the flashtool will crash if you load a flash dump and the 1BL key is invalid.
As for the XEX Keys, not too sure where to get them.
Hope that helps
« Last Edit: July 03, 2007, 02:39:53 PM by jacksback »

Pres
« Reply #96 on: July 03, 2007, 03:05:40 PM »
That was kind of what I was thinking but it just seemed too easy to find the 1BL key so I just assumed it was wrong. I also experimented changing variables in the 1BL key and the tool will crash then. By Pairing data I am assuming you mean DVD key, serial number & manufacture date. Also as for getting the ECC right now that is not possible with the Linux dump, is it? I would like to update to play some of the newer games but like anyone if homebrew hits I want to be able to downgrade as well. Thanks for the quick response.

jacksback
« Reply #97 on: July 03, 2007, 03:13:59 PM »
I would like to update to play some of the newer games but like anyone if homebrew hits I want to be able to downgrade as well. Thanks for the quick response.
I would suggest buying and installing the infectus modchip as you will then have the ability to upgrade and downgrade at will. How are your soldering skills?

Pres
« Reply #98 on: July 03, 2007, 03:29:18 PM »
So so, but I have never messed up with my ps2 or xbox. I just try not to unless it is a must. Is that something that can be installed later on with a non-vulnerable kernel and still have the ability to downgrade?

jacksback
« Reply #99 on: July 03, 2007, 03:52:08 PM »
If you have your CPU key and a flash dump then yes you can downgrade at a later date using Infectus. What I don't know is if you can reflash a Linux dump with the ECC data missing, although I think I read somewhere in this thread that someone had successfully done it, don't quote me on that though.