XboxHacker BBS

Topic: 360 Flash Dump Tool V0.1
robinsod
« on: May 27, 2007, 07:05:20 PM »

What is it

This tool will allow you to decrypt and extract various parts of an XBox360 flash dump. The flash is divided into 2 major parts:

1) The Cx sections (CB,CD,CE & 0,1 or 2 CF & CG sections).
   CB, CPU bootup
   CD, unpacker for CE
   CE, contains the HV and Kernel in a .cab archive
   CF&CG are upgrade patches

The tool will extract and decrypt sections CB, CD, CE. Additionally it will extract the .cab file in section CE. This can be opened with winrar and the content (xboxkrnl.img) extracted. The first 256K of xboxkrnl.img is the Hypervisor, the remainder is the 2.0.1888 Kernel.

2) The Flash File System.

The tool expects a dump to contain the data (512 bytes) followed by the ECC (16 bytes). The ECC bytes are used to locate FS entries & identify the version.

The tool consists of the exe and CxKey.txt. CxKey.txt is delivered with 32 '0's and they should be replaced with the key obtained from the 1BL. After all the fuss about AACS keys recently it seems risky to put the key in the exe ;) The Cx sections extracted from a dump will only decrypt correctly if the correct hex digits are inserted in the CxKey.txt file.

How to Use it

Load a flash dump and the tool will display a tree containing the Cx Sections and the FFS. The tool displays the base Kernel version (2.0.1888) and the highest revision CF/CG patch installed.

Expand the Cx Sections node and right click on a section, choose Extract (or, for CE sections, ExtractCAB); you will then be prompted for a directory. Hit OK and the tool will extract that section to the selected directory.

Expand the File System Roots node; each entry takes the form FS_XXXXXXXX_YY (ZZZZ), where:

XXXXXXXX is the offset into the flash of this FS root in bytes
YY is the version; we suggest extracting from the latest FS roots in case some older files have been deleted.
ZZZZ is the offset into the flash of this FS root in blocks

Expand an FS root to view the files it contains.

Right click on an FS root to extract all the files in this FS entry.
Right click on a File to extract the file.

To do to it

Add support for CF & CG sections
Patch and re-encrypt pairing data in CB and CF

Download it

http://rapidshare.com/files/38552194/tool.06.rar.html

Thanks to Takires, tmbinc and TheSpecialist
« Last Edit: June 21, 2007, 12:58:18 PM by TheSpecialist »
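An added Python sketch (not the thread's or the tool's own code) of the dump layout the post describes, each 512-byte page followed by its 16 ECC bytes, together with the FS_XXXXXXXX_YY (ZZZZ) label format for FS roots; it assumes 32 pages per block and hex digits in the label, neither of which the thread states.

```python
"""Added example, not code from the thread or from robinsod's tool: a parser for
the dump layout the post describes (each 512-byte data page followed by its
16-byte ECC/spare area) and the FS_XXXXXXXX_YY (ZZZZ) label used for FS roots.
Assumed, because the thread does not say: 32 pages per block (16 KiB of data
per block) and hex digits in the label."""

PAGE_DATA = 512                      # data bytes per page (from the post)
PAGE_SPARE = 16                      # ECC bytes after each page (from the post)
PAGE_RAW = PAGE_DATA + PAGE_SPARE    # 528 bytes per page in a raw dump
PAGES_PER_BLOCK = 32                 # assumption, not stated in the thread
BLOCK_DATA = PAGE_DATA * PAGES_PER_BLOCK


def split_pages(raw: bytes) -> list:
    """Return [(data, spare), ...]. A length that is not a multiple of 528 means
    the dump was taken without the spare bytes (the data-only case discussed
    later in the thread); refuse it instead of misaligning every page."""
    if len(raw) % PAGE_RAW:
        raise ValueError(f"length {len(raw)} is not a multiple of {PAGE_RAW}: "
                         "no 16 ECC bytes per page")
    return [(raw[i:i + PAGE_DATA], raw[i + PAGE_DATA:i + PAGE_RAW])
            for i in range(0, len(raw), PAGE_RAW)]


def strip_spare(raw: bytes) -> bytes:
    """Data-only image, i.e. what a dump without the ECC bytes looks like."""
    return b"".join(data for data, _ in split_pages(raw))


def raw_to_data_offset(raw_off: int) -> int:
    """Map an offset in the raw dump to the offset in the data-only image."""
    page, within = divmod(raw_off, PAGE_RAW)
    if within >= PAGE_DATA:
        raise ValueError("offset falls inside a spare area, not page data")
    return page * PAGE_DATA + within


def fs_root_label(data_off: int, version: int) -> str:
    """FS_XXXXXXXX_YY (ZZZZ): byte offset, version, block number of an FS root."""
    if data_off % PAGE_DATA:
        raise ValueError("FS root offsets are page-aligned")
    return f"FS_{data_off:08X}_{version:02X} ({data_off // BLOCK_DATA:04X})"


def demo_dump(blocks: int = 2) -> bytes:
    """Constructed sample dump: page n holds byte n repeated, spare holds 0xFF."""
    return b"".join(bytes([n & 0xFF]) * PAGE_DATA + b"\xFF" * PAGE_SPARE
                    for n in range(blocks * PAGES_PER_BLOCK))
```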
TheSpecialist
« Reply #1 on: May 27, 2007, 07:18:19 PM »

Quote from: robinsod
Thanks to tmbinc and TheSpecialist
I just have to say thanks to Takires too :)
warpjavier
« Reply #2 on: May 27, 2007, 08:05:54 PM »

Congratulations, Nice tool man!
I'll look to find the keys so I can play with the decrypted files!

warpjavier
jas0nuk
« Reply #3 on: May 28, 2007, 08:48:49 AM »

Is it possible to make a NAND dump in Linux on a vulnerable kernel?
Icekiller
« Reply #4 on: May 28, 2007, 08:55:50 AM »

Quote from: jas0nuk
Is it possible to make a NAND dump in Linux on a vulnerable kernel?

Yip, the code is floating around here somewhere.
Ced2911
« Reply #5 on: May 28, 2007, 09:05:51 AM »

Quote
CxKey.txt is delivered with 32 '0's and they should be replaced with the key obtained from the 1BL.
How can I obtain it? With xbflash? Can someone post an .ini file?
jas0nuk
« Reply #6 on: May 28, 2007, 09:26:12 AM »

Damn, appears the dump from Linux does not contain the ECC data and so can't be used with this application.

Quote from: warpjavier
I believe the dump you get from linux is the same dump you can get with Infectus or any other NAND programmer, but you don't have a RAW dump that way, so you will be missing the extra 16 bytes of the nand. So it does not make sense to do that if you are gonna end up with an unusable dump.
Geremia
« Reply #7 on: May 28, 2007, 09:27:58 AM »

Congrats for your work!

Much respect to all the kernel hacking people :D
ElijahX
« Reply #8 on: May 28, 2007, 12:57:36 PM »

Non-rapidshare link:
home.comcast.net/~elijahx2k7/tool.01.zip

(I hate rapidshare, with a passion.)
sentinel0
« Reply #9 on: May 28, 2007, 07:47:54 PM »

Is the only way to obtain the key via the serial cable kk exploit? I guess my real question is: can I obtain my key with the non-serial version?
Surrido
« Reply #10 on: May 29, 2007, 01:50:43 AM »

Great job man!

and another step closer... ;-)
Takires
« Reply #11 on: May 31, 2007, 06:30:57 AM »

Quote from: sentinel0
Is the only way to obtain the key via the serial cable kk exploit? I guess my real question is: can I obtain my key with the non-serial version?

It should be possible. It is not different than dumping the NAND or the fuses. Size of 1BL is 32k, the address should be in one of the posts.
robinsod
« Reply #12 on: May 31, 2007, 11:29:52 AM »

A little update for you

http://rapidshare.com/files/34460139/tool.02.zip.html

New:
*Decrypts CF & CG (thanks again tmbinc)
*The .cab file extracted from CE now contains 2 files, Hypervisor.bin and xboxkrnl.exe
*Exported sections now include version number in the name

Todo:
*Apply CG patch to CE and extract patched Kernel & Hypervisor
*Patch pairing data in CF and re-encrypt
Takires
« Reply #13 on: June 01, 2007, 09:02:30 AM »

Quote from: robinsod
*The .cab file extracted from CE now contains 2 files, Hypervisor.bin and xboxkrnl.exe

This is a bad idea.

1) If the HV code needs to call the xboxkrnl code it will do this by direct addressing. Two examples of this are the exception processing code and the external interrupt code. One of these calls goes to 8005F9B0.

2) The xboxkrnl.exe file is a binary image. Don't let the MZ header fool you. All stuff that an MZ/PE loader normally would do has already been done. If you try to load it as an MZ file you will break the HV dependencies.
MoDInside
« Reply #14 on: June 02, 2007, 02:31:18 AM »

Guys, can I get the DVD drive key with flash tool 0.2? I have a dump of my 4542 (made with Infectus). I opened it with flash tool and can see all the sections of the dump; I was wondering if any of the listed keys is the drive key.
I have not flashed the drive of that x360, so right now I cannot compare the keys.
robinsod
« Reply #15 on: June 02, 2007, 04:01:35 AM »

Unfortunately no. The DVD key is in the key vault and you need the CPU key to decrypt that.

I have a vulnerable box now and plan to add key vault decrypt soon.

The CG section extraction is broken :( A fix will be available soon.
haute1
« Reply #16 on: June 02, 2007, 07:17:47 AM »

Is there a copy of the efuses in any Cx zone to decrypt the keyvault?
Aside from the DVD key, what other keys are in the Keyvault?
robinsod
« Reply #17 on: June 03, 2007, 09:23:20 PM »


Update:
 Fixed CG extraction (see NAND Layout thread for info http://www.xboxhacker.net/index.php?topic=6674.msg48716#msg48716)
 Reverted CE.cab to single file (thanks Takires)

Here's the file

http://rapidshare.com/files/35115132/tool.03.rar.html

jacksback
« Reply #18 on: June 08, 2007, 07:41:01 AM »

Hi

Could someone tell me what I am doing wrong when using the flash dump tool? I insert my DVD key into CxKey.txt and flash tool crashes when trying to open the flash dump. If I leave in all the 0's it starts up fine and I can see all the sections in my flash. Am I using the wrong key? Which key should I use and where do I get it? I used the Infectus chip to read and extract my TSOP.

Thanks
robinsod
« Reply #19 on: June 08, 2007, 08:26:40 AM »

You need the 1BL key, NOT your DVD drive key. To get the 1BL key you need a dump of memory from a vulnerable (4532 or 4548) xbox.