XboxHacker BBS
Author Topic: 360 Flash Dump Tool V0.1  (Read 143464 times)
zouzzz
« Reply #180 on: December 04, 2007, 12:56:11 AM »

Hello,
The French version:
http://rapidshare.com/files/74160234/360_Flash_Tool.exe.html
robinsod
Perl packed my shorts during global destruction
« Reply #181 on: December 04, 2007, 02:05:35 AM »

is the cpu key 100% necessary for decrypting the KV?  I'm sure you're all gonna yell 'yes' back at me, but I can't help but think;

Yes, we are and can't you?

if regions of the KV are consistent from box to box (i.e. region code and such) could you not do something like test a key, check to see if the region is decrypted properly, and if not try a new key? 

Unfortunately modern crypto works :( It's not like the good old days of "Enigma" and brute force anymore, far too many combinations to try. We have to get lucky and MS have to do something really dumb for us to attack a key (like use leaky memcmps a la the Timing Attack)

Also since the Xbox is made on the assembly line I would imagine that most CPU keys have similar regions (due to probably being at least partly serial in nature) so you could start w/ cpu keys from X to Y before doing Z and W
I am not very well versed in cryptography, so if this is entirely impossible could someone take a few seconds to explain?

They all fit in 16 bytes and that's a lot :)

I am not very well versed in cryptography, so if this is entirely impossible could someone take a few seconds to explain?

Ok, brute force on its own can't work; the number of possible keys is just too big.
sliverstorm
« Reply #182 on: December 04, 2007, 04:37:01 AM »

So in concept it works, but there's just too many possibilities?  Ok, I can live w/ that explanation :)
I didn't really figure it was workable; it just seemed like a theoretically possible approach.  And I guess
from what you say it is *theoretically possible*- just, as I figured, essentially impossible.

Thanks for explaining!

edit: I calculated it out... if I've got the formula right (I'm tired, give me a break) it's just 16 possibilities per spot times the next spot 16 times (i.e. 16*16*16... or 16^16)
18,446,744,073,709,551,616 possibilities.  Yikes. 18.5 quintillion possibilities.  *sigh* where are the supercomputers when you need them :P

edit2: wait... so now that we can work out that little hash (the one the timing attack discovers) can that be utilized? (obviously can't magically produce CPU key from it, but maybe it could reduce the pool of possibilities to a manageable amount?)
*sigh* I want to stop bothering u guys with questions, but I keep thinking of random ideas I'm not well-versed enough to answer myself.  Feel free to ignore this edit if ya want.
« Last Edit: December 04, 2007, 05:15:01 AM by sliverstorm »
robinsod
« Reply #183 on: December 04, 2007, 05:14:15 AM »

No, 2^128. A very big number.
sliverstorm
« Reply #184 on: December 04, 2007, 05:16:18 AM »

Oh, sorry, I was thinking hex, not binary.  Oops :/
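The keyspace arithmetic behind the exchange above, as an added worked example (my code, not from the thread or from the tool's author): it shows why the "16^16" figure only counts 8 bytes (16 hex digits, not the 32 a 16-byte key has), what 2^128 means in wall-clock time at an assumed rate of 10^12 keys per second, and why the conclusion that exhaustive search cannot work does not depend on the rate chosen.

```python
# Added example, not code from the thread. Constants are illustrative assumptions.
KEY_BYTES = 16                       # the CPU key discussed above is 16 bytes
SECONDS_PER_YEAR = 365.25 * 24 * 3600


def keyspace(n_bytes: int) -> int:
    """Number of distinct keys of n_bytes bytes: 2 ** (8 * n_bytes)."""
    return 1 << (8 * n_bytes)


def hex_digit_count(n_hex_digits: int) -> int:
    """The thread's '16^16': 16 choices per hex digit.  A 16-byte key has
    32 hex digits, so 16 digits only describe an 8-byte key (2 ** 64)."""
    return 16 ** n_hex_digits


def years_to_exhaust(space: int, keys_per_second: float) -> float:
    """Wall-clock years to try every key once at an assumed test rate."""
    return space / keys_per_second / SECONDS_PER_YEAR


if __name__ == "__main__":
    full = keyspace(KEY_BYTES)
    print(f"2^128           = {full}")
    print(f"16^16           = {hex_digit_count(16)}  (== 2^64, an 8-byte key)")
    for rate in (1e9, 1e12, 1e15):          # assumed keys/second, illustrative only
        print(f"at {rate:.0e} keys/s: {years_to_exhaust(full, rate):.2e} years")
```

Even the most generous rate in the loop leaves on the order of 10^16 years, which is the practical content of "a very big number": the hex-versus-binary slip changed the exponent, not the conclusion.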
tmbinc
« Reply #185 on: December 04, 2007, 05:31:06 AM »

extended.bin is the extended keyvault, which holds additional keys. However, as far as I know, they are only DRM-related personal keys, so they are boring.
Please don't copy/quote full text outside this board. Instead, summarize and link to this post. Thanks! This lets me keep information updated and doesn't pull things out of context.
Geremia
« Reply #186 on: December 04, 2007, 12:38:59 PM »

extended.bin is the extended keyvault, which holds additional keys. However, as far as I know, they are only DRM-related personal keys, so they are boring.


Thanks :)
Right, not interesting at all.
tazphoenix
« Reply #187 on: December 05, 2007, 11:50:34 AM »

V 0.87

did not know my region code

Region [ Unk 01FC ]

Console is Asia Region (SING/HK)
robinsod
« Reply #188 on: December 05, 2007, 12:02:03 PM »

Thanks, will be fixed shortly.
MODFREAKz
« Reply #189 on: December 05, 2007, 02:39:07 PM »

How about a function to switch between languages?
zouzzz
« Reply #190 on: December 05, 2007, 03:03:00 PM »

How to unban the 360? ---> http://gueux-forum.net/index.php?showtopic=176311
French tutorial, but it may soon be in English.
wrayal
« Reply #191 on: December 06, 2007, 08:53:29 PM »

Quick translation:

The principle:
To unban a 360, you have to patch the nand with the keyvault of another, unbanned xbox (easier said than done!)

Requirements:
Nand: 16.5mb of code containing the dash
Keyvault: Normally called kv.bin, 16.gmb of code containing the important info about your console (region, DVD key etc)
CPU key: a unique key to each console, without which very little is possible.

FAQ:

How do I extract the keyvault?
Use Robinsod's "Flashtool"

How do I obtain the CPU key?
You must be running either 4532 or 4548 kernels, and then follow this tutorial: http://gueux-forum.net/index.php?showtopic=166901

How do I get my 360 on 4532/4548?
Either upgrade (use the appropriate update)
or downgrade with the timing attack.


Let's go!

On BOTH consoles:
Get them onto 4532/4548
Dump nand + CPU key

On UNBANNED console:
You must obtain the kv.bin from the unbanned console to inject into the nand of the console you wish to unban. You'll need flashtool.
1) Start flashtool
2) Click "keys" and copy/paste in your 1bl key and the CPU key of the *unbanned* console

[IMG 1]

3) Click 'Dump Files' and select the nand from the *unbanned* console

[IMG 2]

4) Click extract, select the box 'Key Vault', click OK and select the place where you wish to put your kv.bin.

Voila, kv.bin has been extracted!


To unban the banned console!

You simply have to patch the banned console's nand with the kv.bin you've just extracted.
1) Run Flashtool
2) Click Keys and copy paste your CPU/1BL keys from your *banned* console, then click OK
3) Click 'Dump Files' and select the nand of the *banned* console.
4) Click 'Patch' then 'Patch Keyvault', then 'Import Keyvault'

[IMG 3]

5) In the window that's just opened, select the kv.bin you just extracted and select Ok. A second window will open asking you where you wish to save your patched nand. Call it 'deban'.bin and select 'save'.

[IMG 4]

Congratulations, you have patched your banned xbox's nand with the keyvault from the unbanned console, and it's called 'deban.bin'. Now you need only flash it onto your banned console:

1) Disconnect your console from your screen, disconnect the power cable, wait 10 seconds, then reconnect it.
2) Launch the 'Infectus Programmer'. In the red rectangle appears '???' and the word 'Disconnect' is shown.

[IMG 5]

3) Connect the USB cable from your PC to the Infectus, and the '???' will be replaced by figures (in this case, AD73), and 'disconnect' will be replaced by the name of the nand, here 'HY27US08281A'

[IMG 6]

4) [[Here the instructions say 'return your chip to 0'. I don't understand this; does it make sense to those with infectus?]]. Select 'Flash Command' then 'Erase'. This will take a minute or so.

[IMG 7]

5) Select 'Flash Command' then 'Blank Check'. This will take around 4 minutes.

[IMG 8]

6) Select 'Flash Command' then 'Write'. Select 'deban.bin' then 'Open'. This flash will take about 3 minutes.

[IMG 9]

7) Disconnect your infectus, close the programmer, reconnect your console to your screen, disconnect your power cable, wait 10 seconds, then reconnect it.

Now, go and test that you have a working, unbanned connection to Xbox Live!


Note: You don't need the entire keyvault to unban a console, but merely the part from 0x148 to 0xC71 from kv.bin. So if you wish, you could just change this part with a hex editor to unban a console.
katzoo
« Reply #192 on: December 07, 2007, 05:39:13 PM »

Hello, I have some problem opening a flash dump from my xbox 360 elite falcon board in flashtool. Flashtool gives me the error message "couldn't read file". I have tested the dump with the XD-card mod, so there's nothing wrong with the dump.
Is it possible that microsoft took the opportunity to change the 1bl-key when they upgraded the core? This would certainly lock us out from the timing attack without changing the CB. ::)
Please correct me if I'm wrong.  :P

PM me if you wanna have a look at the dump.
Arakon
« Reply #193 on: December 07, 2007, 06:03:59 PM »

no. the falcon board dumps definitely work fine with flashtool.
I do NOT give support by email, PM, ICQ or whatever. Anyone annoying me that way will have his balls removed. With a rusty butterknife. Slowly. And I'll enjoy doing it.
caster420
« Reply #194 on: December 07, 2007, 06:06:42 PM »

Just a minor issue to note (not really an issue) - when you load a dump and enter an incorrect CPU key, it will fail to extract the KV (obviously). The next time you reload the program, it states 'Bad KV data' or something to that effect, as it should because it can't extract the data.  However, when you enter a new CPU key (the correct one), it doesn't refresh the KV labels even though it successfully extracted the KV. 

Thanks for the very handy app!

Caster.
« Last Edit: December 07, 2007, 06:08:54 PM by caster420 »
katzoo
« Reply #195 on: December 08, 2007, 05:43:46 AM »

no. the falcon board dumps definitely work fine with flashtool.
Ok, that's good news.

But what the heck could be the problem?
Because, as I mentioned before, the flash dump is 100% OK.
Arakon
« Reply #196 on: December 08, 2007, 06:57:39 AM »

actually, I misread something. I thought it had said that a falcon dump works, but it was just talk about that it should work.
so no, I don't know if flashtool properly works with them.
babb0
« Reply #197 on: December 08, 2007, 08:01:14 AM »

Hello
I'm a buddy to katzoo and I took a look at the dump. Seems like Flashtool checks the string in the beginning of the dump and compares with:
 2004-2005 Microsoft Corporation. All rights reserved.

The thing is that the string has been changed to
 2004-2007 Microsoft Corporation. All rights reserved.

I changed the tool to the new string and it worked like a charm.

/babb0
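An added example (not Flashtool's own code and not babb0's patch) that contrasts the exact-string check babb0 describes with one that recognises the same copyright line regardless of the end year. The dump bytes are constructed inside the block, and the 0x1000-byte search window and the leading byte before the string are assumptions made for the illustration.

```python
import re
from typing import Optional

# Constructed sample dump prefixes, not real NAND data: zero padding, the
# copyright string Flashtool matches on, then filler.  The "\xa9 " prefix
# stands in for the (c) symbol that the thread's quoting dropped.
def _fake_dump(year: str) -> bytes:
    text = f"2004-{year} Microsoft Corporation. All rights reserved.".encode()
    return b"\x00" * 0x40 + b"\xa9 " + text + b"\xff" * 0x200


OLD_DUMP = _fake_dump("2005")   # what the tool expected (per babb0's post)
NEW_DUMP = _fake_dump("2007")   # what the Falcon dump carried

EXPECTED_EXACT = b"2004-2005 Microsoft Corporation. All rights reserved."
# Tolerant form: same text, any four-digit 20xx end year; the year is captured.
COPYRIGHT_RE = re.compile(rb"2004-(20\d\d) Microsoft Corporation\. All rights reserved\.")
SEARCH_WINDOW = 0x1000           # assumed: only look near the start of the dump


def exact_check(dump: bytes) -> bool:
    """Brittle check: exact byte-for-byte match on one specific string."""
    return EXPECTED_EXACT in dump[:SEARCH_WINDOW]


def copyright_year(dump: bytes) -> Optional[str]:
    """Tolerant check: recognise the string's shape and return the end year,
    or None if no such string is present in the window."""
    m = COPYRIGHT_RE.search(dump[:SEARCH_WINDOW])
    return m.group(1).decode() if m else None


if __name__ == "__main__":
    for name, dump in (("old", OLD_DUMP), ("new", NEW_DUMP)):
        print(f"{name}: exact={exact_check(dump)} year={copyright_year(dump)}")
```

The point for tool authors is that a copyright string is a fingerprint, not an integrity check: recognising it loosely lets the tool accept newer dumps, whereas editing the dump to satisfy an exact match changes bytes that (as robinsod notes later in the thread) the ECC data also covers.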
robinsod
« Reply #198 on: December 08, 2007, 11:23:40 AM »

Heheh, yeah I do check the string. There will be a new NAND tool sometime next week (a few fixes, patching pairing data, inject modified SMC code) and that will fix it. Just be sure that if you are going to reflash the modified image put the string back the way it was or the ECC data will be incorrect.
Geremia
« Reply #199 on: December 08, 2007, 12:07:27 PM »

Hum, CB/CD v5761, but CE still 1888 :)

The bytewise memcompare in CB has not changed :), hopefully it can be downgraded as well.