xboxscene.org forums

Pages: 1 [2] 3

Author Topic: Just An Interesting Idea...  (Read 385 times)

Gadorach (Archived User, Newbie, Posts: 22)
Just An Interesting Idea...
« Reply #15 on: September 23, 2011, 03:25:00 AM »

Can't edit last anymore so again, next post.

To get a clear idea of what was originally done to accomplish a boot into a patched dashboard, I dug up the original project data from Xboxhacker. From this, I determined that all that is required to boot the dashboard is the dashboard patches themselves and perhaps a CD patch to ignore the loss of permissions.
As the RGH method already loads a hacked CB for us, and that CB will load "ANY" CD, regardless of contents, all that needs to be done is replace the included CD, that comes with the RGH, with a patched CD/Dash combo. From there, it should boot right up without any fuss at all.

Seeing as I assume we already have the patches for the dash, as it's being used by JTAGers currently, all that has to be done is write a program that applies the patches to the virgin dash [and CD if necessary] and flash it back to the exploitable 360.
If anyone can test that theory that would be great as, even if it doesn't boot, you haven't lost anything if you have a NAND backup, and we would then know if it worked or didn't. Point is that this is looking like there's no need at all for any additional software besides a patcher. All we need is the patches, which should already exist.

If someone can find the patches, and perhaps the Falcon's timing, I have 6 Falcons and 1 Trinity, and 2 Jaspers are on the way. I'll be willing to test it on all of the models I own when I receive my glitch board. Until then, I'll go looking for the patch data myself for the 13599 Dash.

I encourage anyone interested to help, as confirming this would make the RGH much more viable and remove the need to worry about JTAGing altogether.

 - Gadorach

Gadorach (Archived User, Newbie, Posts: 22)
« Reply #16 on: September 23, 2011, 04:47:00 AM »

Though I'd normally edit new things in, I feel that this should be a separate post for a few reasons, none of which matter.

Anyways, here's my theory for getting the RGH booting a hacked dash.
I'll list the complete process, just because.

1) Extract NAND of the target Xbox 360.
2) Make a Backup of this NAND and don't touch it yet.
3) Patch NAND using the files and method in the RGH guide, by GliGli.
4) Build and program your Coolrunner using GliGli's guide.
5) Flash your RGH-patched NAND to the target Xbox 360.
6) Install your Coolrunner to the Target Xbox 360.
7) Start up the Xbox 360 and grab your keys with Xell.
8) Make another copy of your Backup NAND.
[Unsure if JTAG Tool will accept the 13599 native NAND image]
9) Throw the NAND image into JTAG Tool [or perhaps Exploit 360, I haven't checked the features yet so...]
10) Install the 13599 Freeboot Dash to your NAND.
11) After patching is complete, click "Convert XBR to Original", wait for it to finish.
12) Flash Image to Xbox 360.
[Speculation From Here On]
13) Obtain your real CD from the NAND image you backed up (your original NAND)
[^^Haven't found method yet, Please inform me if there is an easy way to do this.^^]
14) Using the Build.py in GliGli's guide, use this to make it work:
         python common\imgbuild\build.py original_nand.ecc [NAND CD Folder]\[YOUR CD]
[Don't know how original CD will react to a Patched Dash, also, Xell is eliminated so I'm unsure if it will even compile. I don't have a NAND to test it with yet, but you can bet I'll even build a *gulp* LPT Cable *shiver* just to try it before my NANDX arrives!]
15) Flash output ECC file to the NAND the same way as before.
16) Boot your Xbox 360.
17) Jump for joy or commence the flaming.

I'm sure there are some flaws in my reasoning here, but all we need to do is modify the CD and, assuming the JTAG Tool did, in fact, patch the dash, make sure there are no traces of anything left.

In contrast, I have a funny feeling that the current versions of Freeboot and XBR use a boot-time RAM-poke method to apply the patches to memory. If this is the case, removing Freeboot from the image is the same as restoring it to its original state.

Basically, we need both those Dash Patches and a Patched CD for a much closer to 100% "It's Gonna Work" idea, and a way to patch the files without relying on Build.py.
Also, doing a HEX compare on the CDs should tell anyone skilled enough what was changed.
And though I haven't checked it yet, apparently the CD provided with GliGli's guide is in an un-encrypted, "plaintext" format. If we have an original plaintext CD, one for each 360 revision, we may be able to build a custom CD with it and modify the permissions to resemble the patched, plaintext CD from a JTAG.

Most of this is still speculation so please Help out if you have any ideas that are relevant!

*Update*
To add on to a problem with step 14, the new, hacked CB will NOT decrypt an encrypted CD as it's been modified to expect a plaintext CD in NAND.

Basically, someone needs to hack those CDs!
Once we have working CDs that are in plaintext and set to accept all dashboards, regardless of patches, we'll be ready to move on.

Edit - If you do have the ability, and resources to create a hacked CD, DON'T POST IT HERE OR LINK TO IT.
The CD most definitely contains M$ copyrighted code.

Better yet, it would be better if we could decrypt our own CDs and apply a patch to them, as the patch wouldn't contain M$ code itself.
I "think" the CPU key can be used to decrypt the CD, but it may be the private key, so no guarantees.
Anyways, as this is grey area talk, I'll just move right along...

Another thing I'd like to know is if the custom plaintext CDs included in the RGH are re-code-able to act similarly enough to the real ones to continue the boot process as normal into a hacked dash.

Any ideas?

Gadorach (Archived User, Newbie, Posts: 22)
« Reply #17 on: September 23, 2011, 02:30:00 PM »

After thinking things through and reading up on the CD a bit more, it seems that the plaintext, original CD isn't required at all.
What we need is GliGli's modded CD, and a way to make our own payload.
If we simply create a payload designed to boot a patched dashboard, it should patch with the build.py and do whatever we want. Perhaps it could just run XBR as a start, until someone patches a dashboard.
XBR should, theoretically, be compatible with every 360, seeing as all it does is reboot the kernel to a specified version with hooks.
Can someone figure out how the Xell-gggggg.bin works and make an XBR.bin instead?
Just a thought, though it should work....

Gadorach (Archived User, Newbie, Posts: 22)
« Reply #18 on: September 24, 2011, 01:32:00 PM »

Here's the updated steps list:

1) Extract NAND of the target Xbox 360.
2) Make a Backup of this NAND and don't touch it yet.
3) Patch NAND using the files and method in the RGH guide, by GliGli.
4) Build and program your Coolrunner using GliGli's guide.
5) Flash your RGH-patched NAND to the target Xbox 360.
6) Install your Coolrunner to the Target Xbox 360.
7) Start up the Xbox 360 and grab your keys with Xell.
8) Make another copy of your Backup NAND.
9) Throw the NAND image into JTAG Tool
10) Install the 13599 Freeboot Dash to your NAND.
11) After patching is complete, Click "Convert XBR to Original", wait for it to finish.
12) Flash Image to Xbox 360.
13) Using the Build.py in GliGli's guide, patch the custom CD with XBR.bin:

python common\imgbuild\build.py original_nand.ecc common\cdxell\CD[version] common\XBR\XBR.bin

[Need to make either XBR.bin payload or another payload solution]

14) Flash output ECC file to the NAND the same way as before.
15) Boot your Xbox 360.

---------------------------------------------------------------------

Just an update:

I'm working on de-compiling the CD and gggggg-Xell.bin to figure out how they're connected and what calls are made.
If anyone's interested in helping, I'm using IDA so any information should be related to the use of IDA.
Else, if you've got a better way, go for it!

I'll be sure to post when I figure it out.

Please PM me if you're interested in helping (and know enough to help)!

 - Gadorach

Gadorach (Archived User, Newbie, Posts: 22)
« Reply #19 on: September 24, 2011, 09:58:00 PM »

Not a confirmed theory or anything, and probably not yet compatible with the slim, but I think that now that the CB and CD can be Zero Paired, the LDV could simply be adjusted in the older, exploitable kernel using the console's CPU key and then booted into, thus achieving a JTAG environment.
Just saying...

All we need, in reality, is a DEVKIT CD and NAND to boot into an unlocked Dash.
Just find a DEVKIT kernel that has the same fuseline value as 13599 expects and we won't even have to patch it.
It's really that easy.
The only problem that's ever prevented other kernels from running is CB's hash check.

SO.

Install a DEVKIT Nand with correct Fuseset, patch it with Retail CB.
DONE.

List of things to grab:

DevKit NAND Donor with correct LDV
???????
Profit?

EDIT:

Forgot to add that the NAND can't be just FLASHED, it'll have to have everything that the 360 natively encrypts with the CPU Key re-encrypted with the CPU Key. As all you need is the NAND of the DEVKIT, Your NAND, The CPU Key of the DEVKIT Donor, and your CPU Key, It's not a big deal, and rather obvious to anyone with NAND Donor experience.
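The "CB's hash check" the post above leans on is an instance of a hash-chained secure boot: each stage carries the digest of the one stage it is allowed to load, so swapping in a different next stage fails at the link in front of it. The Python below is an added example written for this page, not code from the thread, from GliGli's release, or from Microsoft; it is a generic illustration of that chaining and does not model the Xbox 360's real bootloader layout, hash algorithm, encryption or key material. The stage names (1BL, CB, CD, kernel) and bodies are constructed labels only.

```python
"""Toy hash-chained boot verification (added example, generic).

Each stage image is laid out as [32-byte SHA-256 digest of the next stage | body].
A stage is executed only if the digest its predecessor carries matches it, and the
first stage is checked against a root digest standing in for one baked into ROM.
This does NOT model the Xbox 360's actual bootloader format, algorithm or keys.
"""
import hashlib
from typing import List, Optional, Tuple

DIGEST_LEN = 32  # SHA-256 digest size in bytes


def sha256(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


def build_stage(body: bytes, next_stage: Optional[bytes]) -> bytes:
    """Prefix a stage body with the digest of its successor.

    The last stage in the chain has no successor and embeds an all-zero digest.
    """
    expected = sha256(next_stage) if next_stage is not None else bytes(DIGEST_LEN)
    return expected + body


def build_chain(bodies: List[bytes]) -> List[bytes]:
    """Build stages back to front, so every stage can embed its successor's digest."""
    stages: List[bytes] = []
    successor: Optional[bytes] = None
    for body in reversed(bodies):
        stage = build_stage(body, successor)
        stages.insert(0, stage)
        successor = stage
    return stages


def root_digest(stages: List[bytes]) -> bytes:
    """Digest of the first stage; in hardware this is the value the ROM trusts."""
    return sha256(stages[0])


def verify_chain(stages: List[bytes], root: bytes) -> Tuple[bool, int]:
    """Walk the chain the way a boot ROM would.

    Returns (True, len(stages)) when every link checks out, or (False, i) where i
    is the index of the first stage whose digest did not match what its
    predecessor (or the ROM, for i == 0) expected. Nothing past i would run.
    """
    expected = root
    for i, stage in enumerate(stages):
        if sha256(stage) != expected:
            return False, i
        expected = stage[:DIGEST_LEN]
    return True, len(stages)


def patched(stage: bytes, offset: int, value: int) -> bytes:
    """Return a copy of a stage with one byte changed (a constructed modification)."""
    data = bytearray(stage)
    data[offset] = value
    return bytes(data)


# Constructed stage bodies; the names are labels only, not real images.
STAGE_BODIES = [b"1BL-body", b"CB-body", b"CD-body", b"kernel-body"]


def demo() -> Tuple[Tuple[bool, int], Tuple[bool, int], Tuple[bool, int]]:
    """An untouched chain passes; a change in any later stage is caught by the
    stage in front of it; a change in the first stage is caught by the ROM."""
    stages = build_chain(STAGE_BODIES)
    root = root_digest(stages)
    clean = verify_chain(stages, root)                     # (True, 4)
    # Change one body byte of the third stage (index 2, the "CD" label).
    modified_cd = stages[:2] + [patched(stages[2], DIGEST_LEN, 0x41)] + stages[3:]
    caught_by_cb = verify_chain(modified_cd, root)         # (False, 2)
    # Change the first stage: only the ROM's root digest can catch this.
    modified_first = [patched(stages[0], DIGEST_LEN, 0x41)] + stages[1:]
    caught_by_rom = verify_chain(modified_first, root)     # (False, 0)
    return clean, caught_by_cb, caught_by_rom


if __name__ == "__main__":
    print(demo())
```

The design point for the thread is the failure index: a mismatch is always detected by the stage immediately before the modified one, so a chain is only as strong as each link's check of its successor, and anything loaded past a stage that does not verify what it loads is outside the chain of trust entirely.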

Gadorach (Archived User, Newbie, Posts: 22)
« Reply #20 on: September 25, 2011, 12:31:00 AM »

Anyways, I'm now working with a clean Falcon 5761 NAND Image and a Banned KV for testing.
My new idea goes like this:

Install JTAG hardware.

Build XBR 13599 from Test Falcon 5761 NAND with MY smc settings.

Patch 4BL (CD) to not check fuse count.

Flash to NAND.

Run as usual JTAG would.

So I just have to finish patching the 4BL and I'm ready for testing.

I'll have my Coolrunner and NAND-X by this Friday I think, so I'll post my results as soon as I can.

I'll patch 4BL first though and post an update when I'm done.

Don't expect me to post a patched 4BL though because I won't.

I'll consider making a script to patch other 4BLs though.

NO PROMISES!

 - Gadorach

Gadorach (Archived User, Newbie, Posts: 22)
« Reply #21 on: September 25, 2011, 12:35:00 PM »

Figured out the basic construction of the CD.

Gadorach (Archived User, Newbie, Posts: 22)
« Reply #22 on: September 25, 2011, 09:50:00 PM »

After scanning through the boards at XH, I found a team doing this as well.
I'm going to join up and see what we can make, especially now that GliGli has released the source code.
Also, for those of you who don't think this can boot a patched kernel yet, there are a few finished builds floating around in the private sectors, so it's been done, and likely won't be released by them any time soon (stupid elitists >_>).

Anyways, when it's done and ready, I'll make a new topic on it covering the team and probably a patcher application.

Until next time.

 - Gadorach

hangover (Archived User, Sr. Member, Posts: 462)
« Reply #23 on: September 26, 2011, 04:36:00 AM »

Put the sugar away and go and get some sleep.

Gadorach (Archived User, Newbie, Posts: 22)
« Reply #24 on: September 26, 2011, 09:56:00 PM »

Just to keep things going, I've joined team lprot and we're working on a new rebooter so those of us with small 16Mb NANDs can enjoy the usage of the xdk on our 360s. I'll be working on it for the next while. For anyone interested in progress, the other team has put together a working build for Jasper BBs, though don't expect to have access to it for a bit unless you want to help test it, at which point I'd advise getting in contact with stoker when he gets back, as he's the one working on it.

skullcrusher (Archived User, Newbie, Posts: 38)
« Reply #25 on: September 27, 2011, 04:07:00 AM »

I find your work so far very encouraging! Please keep it up.

Regards

Gadorach (Archived User, Newbie, Posts: 22)
« Reply #26 on: September 27, 2011, 07:38:00 AM »

QUOTE(skullcrusher @ Sep 27 2011, 07:07 AM)

I find your work so far very encouraging! Please keep it up.

Regards


I plan to do as much as I can on this, but I can't really say I've heavily contributed yet, as we can't figure any more out until we have more testers. At this point, my biggest goal is to see how much PPC ASM I can cram into my brain in a short period of time. Most of us are waiting on parts before we can finish setting up, like me, and the one person that had everything set up had a HDD die on him.
More to the point though, progress will be slow until we all have our equipment.

Also, kinda funny, but just as I woke up and signed into #rgloader, stoker logged off so I have little to no idea of what he's been up to since he left, though from the 2-3 posts I did catch, I think he finally got a 360 donated to him. << -- Good News!

 - Gadorach

skullcrusher (Archived User, Newbie, Posts: 38)
« Reply #27 on: September 27, 2011, 02:33:00 PM »

QUOTE(Gadorach @ Sep 27 2011, 02:38 PM)

we can't figure any more out until we have more testers.


Well, I'm running a glitched brand new slim and have a few MAX232s I could use to throw a serial cable together if anything needs to be tested. Just let me know!

Regards

ravendrow (Archived User, Full Member, Posts: 188)
« Reply #28 on: September 27, 2011, 06:20:00 PM »

Hey, I got a ton of original exploitable NAND dumps plus the CPU key for most of them, so you can decrypt them. Don't know if they will help, but I figured I would offer.

Gadorach (Archived User, Newbie, Posts: 22)
« Reply #29 on: September 27, 2011, 08:56:00 PM »

@Skullcrusher I think I saw you on the IRC already. Great! Love to see people take part.
@ravendrow Just having the NANDs and CPU keys isn't enough. If you want to help, get one of those boxes glitched and serial'd, for serial.

 - Gadorach