TheSpecialist
« Reply #40 on: June 13, 2007, 07:16:31 AM »
> Do we have the ability to encrypt it again with the correct signature for it to boot on the Xbox?

We're working on adding that ability to the tool right now.
Logged
fickdiach
« Reply #41 on: June 13, 2007, 07:43:55 AM »
Yeah, but what advantage does this bring for us? I mean everything is encrypted, all we could flash is the same we dumped before, or am I wrong?
Logged
TheSpecialist
« Reply #42 on: June 13, 2007, 07:48:15 AM »
> Yeah, but what advantage does this bring for us? I mean everything is encrypted, all we could flash is the same we dumped before, or am I wrong?

Eh? The tool decrypts everything, not sure what you mean with 'everything is encrypted'.
Logged
fickdiach
« Reply #43 on: June 13, 2007, 07:50:56 AM »
> Yeah, but what advantage does this bring for us? I mean everything is encrypted, all we could flash is the same we dumped before, or am I wrong?

> Eh? The tool decrypts everything, not sure what you mean with 'everything is encrypted'.

Sorry, I was a little bit tired. I meant what advantage does re-encrypting bring to us, since we can't modify the Kernel/HV/Dash... since it's signed. Of course this shows us how all this works, but I think many people here think it's as easy as on the PSP where you can simply flash a modified firmware.
Logged
TheSpecialist
« Reply #44 on: June 13, 2007, 07:53:50 AM »
> Sorry, I was a little bit tired. I meant what advantage does re-encrypting bring to us, since we can't modify the Kernel/HV/Dash... since it's signed. Of course this shows us how all this works, but I think many people here think it's as easy as on the PSP where you can simply flash a modified firmware.

For starters, the Keyvault (containing for example the region code) is not signed. Secondly, some very interesting data, like the pairing stuff and the stuff that keeps us from downgrading kernels, is not signed either. And then there's a bit more data that's not signed and may be interesting to play with.
Logged
anita999
« Reply #45 on: June 13, 2007, 08:17:40 AM »
> ... the day our 360's will boot directly into XBMC ...

Well, haven't been here for a while. I am really glad to see there is progress. And for sure, your signature is what most people are expecting, including me. Good job, Specialist and all the team members here.
Logged
Bydox
« Reply #46 on: June 14, 2007, 03:18:12 AM »
> Yeah, but what advantage does this bring for us? I mean everything is encrypted, all we could flash is the same we dumped before, or am I wrong?

> Eh? The tool decrypts everything, not sure what you mean with 'everything is encrypted'.

> Sorry, I was a little bit tired. I meant what advantage does re-encrypting bring to us, since we can't modify the Kernel/HV/Dash... since it's signed. Of course this shows us how all this works, but I think many people here think it's as easy as on the PSP where you can simply flash a modified firmware.

So what performs the signature check of the new kernel image? Is it something fixed in hardware (like the CPU/MMU) or is it done by code in the previous kernel/dash? If the check is software-driven, can't we just remove that routine from the modded image before we flash it back?
Logged
robinsod
Global Moderator
Xbox Hacker
Posts: 648
Perl packed my shorts during global destruction
« Reply #47 on: June 14, 2007, 05:07:52 AM »
The checks are daisy-chained: the 1BL (in ROM in the CPU) checks CB, which checks CD, which checks CE. We can't modify 1BL, so we can't tamper with the others.
Logged
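As an added illustration of the daisy-chained checks robinsod describes (this is not code from the thread or from the tool), the toy model below chains SHA-256 hashes from an unchangeable ROM value through CB, CD and CE; the stage names follow the post, while the image layout, the hash and the stage payloads are constructed assumptions, not the real bootloader format.

```python
import hashlib

# Constructed toy model of a daisy-chained boot: an immutable ROM value
# (the "1BL") holds the hash of the first flashable stage, and each stage
# ends with the hash of its successor. Layout and hash are assumptions.
DIGEST = 32  # SHA-256 digest length: the trailer each stage carries for the next
ORDER = ["CB", "CD", "CE"]
BODIES = {"CB": b"second-stage loader", "CD": b"third-stage loader", "CE": b"compressed kernel"}


def h(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_chain(bodies: dict) -> tuple:
    """Assemble images newest-last: image = body || hash(next image).
    Returns (rom_hash, images); rom_hash is what the ROM stage would hold
    for the first flashable stage, so reflashing cannot change it."""
    images, next_hash = {}, b""
    for name in reversed(list(bodies)):
        images[name] = bodies[name] + next_hash
        next_hash = h(images[name])
    return next_hash, images


def verify_chain(rom_hash: bytes, images: dict, order: list):
    """Walk the chain as the ROM would: each stage's hash must equal the value
    the previous stage vouched for. Returns None on success, else the first failing stage."""
    expected = rom_hash
    for i, name in enumerate(order):
        image = images[name]
        if h(image) != expected:
            return name
        expected = b"" if i == len(order) - 1 else image[-DIGEST:]
    return None


def demo() -> dict:
    """Each tampering attempt is caught one stage closer to the unchangeable ROM."""
    rom_hash, images = build_chain(BODIES)
    out = {"clean": verify_chain(rom_hash, images, ORDER)}
    t = dict(images)
    t["CE"] = b"patched kernel"                  # CD's trailer no longer matches
    out["patch_CE"] = verify_chain(rom_hash, t, ORDER)
    t["CD"] = BODIES["CD"] + h(t["CE"])          # fix CD; now CB's trailer fails
    out["patch_CE_CD"] = verify_chain(rom_hash, t, ORDER)
    t["CB"] = BODIES["CB"] + h(t["CD"])          # fix CB; now the ROM check fails
    out["patch_all"] = verify_chain(rom_hash, t, ORDER)
    return out
```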
Kiss
« Reply #48 on: June 15, 2007, 03:21:17 PM »
> This is all "good stuff" but a little OT, so I propose to split it into a new thread - Everyone OK with that?

@robinsod Yes pls. @all, did someone manage to create a working 32-bit code from this?
Logged
robinsod
Global Moderator
Xbox Hacker
Posts: 648
Perl packed my shorts during global destruction
« Reply #49 on: June 21, 2007, 12:42:11 PM »
http://rapidshare.com/files/38552194/tool.06.rar.html

This release supports downgrading if you know your CPU key. Right-click on a CF section and choose "Fix Version Lock", enter the new lockdown number, click OK & then click "Patch" and choose the directory/filename for your patched flash image. The file produced is all fixed up and ready to be flashed into your 360.

In my case I had a dump of 4532 (with Lockdown Counter = 1) and upgraded to 4552 (the Lockdown Counter incremented to 2). I patched the 4532 flash image to change the Lockdown Counter to 2 and flashed my 360; now I have a vulnerable kernel (again).
Logged
jacksback
« Reply #50 on: June 21, 2007, 10:21:54 PM »
> http://rapidshare.com/files/38552194/tool.06.rar.html

> This release supports downgrading if you know your CPU key. Right-click on a CF section and choose "Fix Version Lock", enter the new lockdown number, click OK & then click "Patch" and choose the directory/filename for your patched flash image. The file produced is all fixed up and ready to be flashed into your 360.

> In my case I had a dump of 4532 (with Lockdown Counter = 1) and upgraded to 4552 (the Lockdown Counter incremented to 2). I patched the 4532 flash image to change the Lockdown Counter to 2 and flashed my 360; now I have a vulnerable kernel (again).

Nice work, Robinsod. Am I right in thinking you can now downgrade without having removed the R6T3 resistor?
Logged
Arakon
« Reply #51 on: June 21, 2007, 11:23:34 PM »
Only if you first got your CPU key with a vulnerable kernel.
Logged
I do NOT give support by email, PM, ICQ or whatever. Anyone annoying me that way will have his balls removed. With a rusty butterknife. Slowly. And I'll enjoy doing it.

zillionare
« Reply #52 on: June 21, 2007, 11:40:19 PM »
> This release supports downgrading if you know your CPU key. Right-click on a CF section and choose "Fix Version Lock", enter the new lockdown number, click OK & then click "Patch" and choose the directory/filename for your patched flash image. The file produced is all fixed up and ready to be flashed into your 360.

> In my case I had a dump of 4532 (with Lockdown Counter = 1) and upgraded to 4552 (the Lockdown Counter incremented to 2). I patched the 4532 flash image to change the Lockdown Counter to 2 and flashed my 360; now I have a vulnerable kernel (again).

This is really great news!! Congrats robinsod. I thought it would be a flip/flop from an odd fuse # to an even fuse #, much like DSS. Guess it still could be, since whole numbers are even/odd, but this is more than just a bit... it's a string. Are you going to try with the new kernel 5759? *RISKY*... I'm still waiting on some programming hardware..... but will try when parts arrive. Seems if you're already upgraded at 4554 or newer though, "can't get fuses = no key", you're still dead in the water. Once again, thanks for sharing your tools. peace, zil
Logged
Why buy one, when you can buy two for twice the price.

Arakon
« Reply #53 on: June 21, 2007, 11:50:16 PM »
I have successfully downgraded from 5759 to 4532 using an Infectus, with the eFuse resistor removed, so at least there are no additional changes beyond the eFuses for downgrade protection.
Logged
robinsod
Global Moderator
Xbox Hacker
    
Posts: 648
Perl packed my shorts during global destruction
« Reply #54 on: June 22, 2007, 08:01:12 AM »
> I thought it would be a flip/flop from an odd fuse # to an even fuse #, much like DSS. Guess it still could be, since whole numbers are even/odd, but this is more than just a bit... it's a string.

I am surprised that there seem to be only 16 Version Lockdown fuses. I wonder what happens if you blow them all; I might spend a bit of time up- and downgrading......

> Are you going to try with the new kernel 5759? *RISKY*... I'm still waiting on some programming hardware..... but will try when parts arrive.

Nah, I doubt there's anything else to prevent downgrading.

> Seems if you're already upgraded at 4554 or newer though, "can't get fuses = no key", you're still dead in the water.

Yeah, this anti "hero attack" technology is working really well; if you don't have the CPU keys, a lot of the interesting stuff is unavailable to you.
Logged
tmbinc
« Reply #55 on: June 22, 2007, 08:31:56 AM »
> I am surprised that there seem to be only 16 Version Lockdown fuses. I wonder what happens if you blow them all; I might spend a bit of time up- and downgrading......

No, the last 4 fuselines can also be used, unless another condition is met (which is never).
Logged
Please don't copy/quote full text outside this board. Instead, summarize and link to this post. Thanks! This lets me keep information updated and doesn't pull things out of context.

sectroyer
« Reply #56 on: June 23, 2007, 07:20:00 AM »
Hi. So we can downgrade without removing R6T3 if we know the CPU key. The same CPU key that is used to decrypt/encrypt the kernel/HV itself? So isn't it possible to brute-force the CPU key? We have the dump from Infectus. We know what to expect (i.e. some static data), and we could brute-force the CPU key without ever dumping it? Regards.
Logged
TheSpecialist
« Reply #57 on: June 23, 2007, 07:38:07 AM »
> Hi. So we can downgrade without removing R6T3 if we know the CPU key. The same CPU key that is used to decrypt/encrypt the kernel/HV itself? So isn't it possible to brute-force the CPU key? We have the dump from Infectus. We know what to expect (i.e. some static data), and we could brute-force the CPU key without ever dumping it? Regards.

Kernel/HV is not encrypted with a per-box key; only the Keyvault is encrypted with the CPU key. Brute force is not possible on a 16-byte key. But yeah, if you'd find a way to get the CPU key (fuse data), then you've 'won', because you can then downgrade the kernel and run unsigned code.
« Last Edit: June 23, 2007, 02:26:50 PM by TheSpecialist »
Logged
TheSpecialist
« Reply #59 on: June 23, 2007, 09:09:51 AM »
> But does the encryption/decryption use the whole 16-byte key at once? Or do they divide it, for example, in two parts? Maybe it does something similar to Windows with LM hashes? Of course brute-forcing a 16-byte key at once may be hard, but brute-forcing parts of it seems possible.

They use HMAC-SHA1/RC4, no way you can brute-force that.
Logged
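An added illustration (not code from the thread or the console) of why the LM-hash analogy in the quoted question, and the brute-force idea raised two posts earlier, do not carry over to HMAC-SHA1: a toy split construction that hashes each 8-byte half of the key separately is compared with HMAC over the whole 16-byte key. The split scheme, the sample key and the message are constructed for the comparison.

```python
import hashlib
import hmac
import secrets

# Constructed illustration, not the console's own code: a 16-byte key that
# HMAC-SHA1 consumes whole cannot be confirmed half at a time, unlike an
# LM-hash-style construction that hashes each half of the secret separately
# and so leaks an independent check per half.
KEY_LEN = 16
HALF = KEY_LEN // 2


def split_mac(key: bytes, msg: bytes) -> bytes:
    """Toy LM-style scheme: the first 10 output bytes depend only on key[:8],
    the last 10 only on key[8:], so each half could be searched on its own."""
    left = hashlib.sha1(key[:HALF] + msg).digest()[:10]
    right = hashlib.sha1(key[HALF:] + msg).digest()[:10]
    return left + right


def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    """The keyed MAC named in the thread: every output bit depends on the
    whole key, so no sub-key can be verified separately."""
    return hmac.new(key, msg, hashlib.sha1).digest()


def half_key_oracle(mac_fn, key: bytes, msg: bytes) -> bool:
    """Does a guess that gets only the first half of the key right produce a
    tag whose first half matches? True means the scheme leaks a half-key check."""
    guess = key[:HALF] + secrets.token_bytes(HALF)  # right half unknown to the guesser
    tag, probe = mac_fn(key, msg), mac_fn(guess, msg)
    n = len(tag) // 2
    return tag[:n] == probe[:n]


def brute_force_work(halves_independent: bool) -> int:
    """Guesses to exhaust the key space: two 64-bit searches if the halves
    can be checked independently, one 128-bit search otherwise."""
    return 2 * 2 ** (8 * HALF) if halves_independent else 2 ** (8 * KEY_LEN)
```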