xboxscene.org forums

Pages: 1 [2]

Author Topic: 360 Flash Dump Tool V0.1  (Read 185 times)

signal-to-noise-ratio

  • Archived User
  • Full Member
  • Posts: 170
360 Flash Dump Tool V0.1
« Reply #15 on: May 28, 2007, 10:00:00 AM »

QUOTE(CreisoN @ May 28 2007, 07:58 AM)

Seems that's the first step to having a hacked BIOS on the Xbox 360.
Will we in the future be able to unban those banned 360s? I bet yes! :D
Imagine a 360 serial generator and being able to replace the 360 key with a good one that's not banned! :)
I hope I'm not that wrong!
Peace to you all!


QUOTE(GomerPyle @ May 28 2007, 12:28 PM)

What if those keys (console id) came from another unbanned Box???



If you start using people's 360s that aren't modded and get them banned, they will be pissed. You will be banning non-modding people from Live unless you use console serials from other boxes you own. MS will catch on to this and make the checks even more severe. And if you already own an unbanned box, why screw that up? Also, it sounds like MS has the console serial paired with the certificate, as someone else said. So this won't work.

QUOTE(xlokix @ May 28 2007, 08:09 AM)

This is something new. It will help the homebrew scene downgrade from the 4552 kernel to the 4532 kernel, I hope.

Quote from tmbinc:

"That means: If you know how to calculate the CF pairing data, you could modify the "expected sequence" value there (this, however, should be verified by someone.) And to be able to calculate that data, you need the "per-box-key". But if you have that, you could set the number of a 4532 to those of a 4552, and it should boot again."


It's been a while since I followed what's going on at xbhacker, but this is an exciting development. Thanks for sharing! I would love to have a downgraded box.

bLiTz 2k

  • Archived User
  • Newbie
  • Posts: 36
360 Flash Dump Tool V0.1
« Reply #16 on: May 28, 2007, 12:15:00 PM »

QUOTE(signal-to-noise-ratio @ May 28 2007, 12:36 PM)

If you start using people's 360s that aren't modded and get them banned, they will be pissed. You will be banning non-modding people from Live unless you use console serials from other boxes you own. MS will catch on to this and make the checks even more severe. And if you already own an unbanned box, why screw that up? Also, it sounds like MS has the console serial paired with the certificate, as someone else said. So this won't work.
It's been a while since I followed what's going on at xbhacker, but this is an exciting development. Thanks for sharing! I would love to have a downgraded box.


That's not what he's trying to say... he's trying to suggest that if you have a spare box that's possibly broken and has no warranty, etc., could you swap the IDs. This is what hundreds of people used to do to unban themselves on the original Xbox, by selling/trading/acquiring new EEPROMs. Regardless, this application has absolutely nothing relevant to the discussion of unbanning an Xbox.

Hopefully this is just the first in a chain of events that eventually leads to the possibility of running homebrew on the 360.

infamous_Q

  • Archived User
  • Full Member
  • Posts: 101
360 Flash Dump Tool V0.1
« Reply #17 on: May 28, 2007, 02:25:00 PM »

QUOTE(CreisoN @ May 28 2007, 01:54 PM)

signal-to-noise-ratio: My idea is to replace the key in the motherboard, like we do nowadays with the drives.
Ex: I have a friend that has a shop and he has like 50 motherboards from unhacked 360s that had 3 red lights. Those keys are in those motherboards and of course are not being used. In that case my question: is it possible? Maybe not now, but in the near future? Get those keys from those dead 3-red-lights 360s (back to Live, in different hardware)?
I'd appreciate it if someone can give me an explanation of this!
Thank you ALL!


OK, man, for the time it would take to a) actually do that, b) wait for someone to figure out how to do that, it's gonna be a helluva long time. You're probably better off just buying a Core and using it for Live. OR trade with someone who doesn't give a damn about Live but will take free games.

Anyways, on the actual topic of this post: this is wicked. With the '07 summer update I'm assuming that the kernel was updated again; any word on if e-fuses were blown then too? And will there be work done to downgrade from this dash to the exploitable ones (even if only briefly, in order to hack the system on the fly or something...)?

Rustmonkey

  • Archived User
  • Sr. Member
  • Posts: 475
360 Flash Dump Tool V0.1
« Reply #18 on: May 28, 2007, 05:42:00 PM »

OK, enough about the Xbox Live crap... MORE importantly, is the DVD drive key embedded in the kernel or not? This would greatly help those people that bricked their drives and have functioning mobos but no drive keys or firmware that match that mobo.

Chan163

  • Archived User
  • Jr. Member
  • Posts: 76
360 Flash Dump Tool V0.1
« Reply #19 on: May 28, 2007, 07:25:00 PM »

Most interesting, most interesting...

How far is it, then, to get our own kernel into the box?

Did I get that right? I need that Infectus chip? Small price to pay.

Again, I'm mainly interested in using the X360's power for a media player and emulation... You might think I'm stupid, but THESE are the greatest things imaginable to me to do with a console... Unbanning banned boxes would be fine, but I don't care if MicroShit bans me. IF they do, I won't buy new games anymore... so much for that.

syntaxerror329

  • Archived User
  • Hero Member
  • Posts: 1138
360 Flash Dump Tool V0.1
« Reply #20 on: May 28, 2007, 07:50:00 PM »

QUOTE(TheSpecialist @ May 29 2007, 02:58 AM)

It's not in the kernel itself, it's in the NAND flash, stored in the 'key section'. It's encrypted with the fuse data. So, in order to decrypt you've got to have the fuse data. In order to get the fuse data, you currently need an exploitable kernel. And to get that running, you need a DVD key in the first place, because you need to boot KK.

So no luck there yet, but have some faith.

So is it thought to be possible to decrypt an old kernel and then re-encrypt it with updated fuse data, so that we can downgrade to an exploitable kernel even with blown e-fuses?

Rustmonkey

  • Archived User
  • Sr. Member
  • Posts: 475
360 Flash Dump Tool V0.1
« Reply #21 on: May 28, 2007, 09:48:00 PM »

QUOTE(TheSpecialist @ May 28 2007, 07:58 PM)

It's not in the kernel itself, it's in the NAND flash, stored in the 'key section'. It's encrypted with the fuse data. So, in order to decrypt you've got to have the fuse data. In order to get the fuse data, you currently need an exploitable kernel. And to get that running, you need a DVD key in the first place, because you need to boot KK.

So no luck there yet, but have some faith.


Hmmm... well, I'll keep my fingers crossed, as I happen to have a mobo that has no firmware but DOES have an exploitable kernel... so close, yet so far.

The Prankster

  • Archived User
  • Full Member
  • Posts: 127
360 Flash Dump Tool V0.1
« Reply #22 on: May 31, 2007, 06:54:00 PM »

You can't just simply 'get' the key... Do you have any idea how LONG the key actually is? There was once an attempt to 'brute force' the key, and just to let you know, just to crack a key like a DES encryption key, it would take years or more with even supercomputer-type power. The point is that YOU will NEVER EVER... EVER, see the day that the M$ private key is loosey-goosey in the public. Also, the 360 wouldn't just 'store' the private M$ key; it has stored algorithms to CHECK if the disc/file etc. is signed, so I doubt very much that the 360 itself has the M$ key ON it. It just knows how to check if the product is signed with it. (IMO)

Here are some links to how ridiculous your inquiry was...
http://en.wikipedia....te_force_attack
http://en.wikipedia....EFF_DES_cracker

So, $250,000, worth it? That's only for a 56-bit DES key, not even thinking about the M$ key; no one knows how LONG that is, so direct your theories/stupidity elsewhere. Even with that type of equipment it still takes a matter of 3 days or so. WEP keys go to 128-bit, and there is 256-bit encryption and probably even more somewhere. I've 'heard' that the NAND is encrypted with 56-bit DES, modified algorithm... but I'm not sure, just heard it.

Cheers.

Yoshihiro

  • Archived User
  • Newbie
  • Posts: 44
360 Flash Dump Tool V0.1
« Reply #23 on: May 31, 2007, 07:50:00 PM »

QUOTE(colzee @ May 30 2007, 10:32 PM)

If the Xbox 360 is checking the console ID / console certificate match on boot, the kernel must have access to the MS private key, I think. So it wouldn't be a problem to grab that key with a modded kernel or something like that. The question is if the console certificate can be rewritten easily...


Hi all, the key/certificate are in the hypervisor; all come with this function "HvxKeysMarshal", so if you can modify your hypervisor, good luck. Another thing: sometimes the hypervisor generates a random key. I've already got all the hypervisor syscalls from my kernel, like:

HvxKeysInitialize
HvxKeysGetKeyProperties
HvxKeysGetStatus
HvxKeysGetFactoryChallenge
HvxKeysSetFactoryResponse
HvxKeysSaveBootLoader
HvxKeysSaveKeyVault
HvxKeysSetKey
HvxKeysGetKey
HvxKeysGetDigest
HvxKeysGenerateRandomKey
HvxKeysRsaPrvCrypt
HvxKeysHmacSha
HvxKeysAesCbc
HvxKeysDes2Cbc
HvxKeysDesCbc
HvxKeysObscureKey

So it's not only one key used. Look just at the DES encryption: you have two DES. The encryption used by Microsoft is not like on the Xbox 1 or other video game consoles you have seen before. Here is the encryption used: RSA, HMAC-SHA1, AES, DES2, DES1. The obscure key is used for the XeX binary.


Yoshihiro 88

colzee

  • Archived User
  • Newbie
  • Posts: 1
360 Flash Dump Tool V0.1
« Reply #24 on: June 01, 2007, 05:14:00 AM »

QUOTE(The Prankster @ Jun 1 2007, 03:30 AM)

You can't just simply 'get' the key... Do you have any idea how LONG the key actually is? There was once an attempt to 'brute force' the key, and just to let you know, just to crack a key like a DES encryption key, it would take years or more with even supercomputer-type power. The point is that YOU will NEVER EVER... EVER, see the day that the M$ private key is loosey-goosey in the public. Also, the 360 wouldn't just 'store' the private M$ key; it has stored algorithms to CHECK if the disc/file etc. is signed, so I doubt very much that the 360 itself has the M$ key ON it. It just knows how to check if the product is signed with it. (IMO)


I didn't think to brute-force the M$ key, of course. I just thought the signature checking algorithm needs the whole key available, so I thought that key could be key-logged. And TheSpecialist said the 360 is checking the console ID / console certificate match on boot-up (not logged in to Live yet), so I thought that key is stored somewhere in the 360, waiting to be keylogged.

The Prankster

  • Archived User
  • Full Member
  • Posts: 127
360 Flash Dump Tool V0.1
« Reply #25 on: June 02, 2007, 06:05:00 AM »

You couldn't 'keylog' it either; keylogging is programs that run on computers to record the keystrokes on a computer. There is no point in time where the Xbox 360 would have a keylogger, lol. The point is, the Xbox 360 is undoubtedly NOT holstering the M$ private key. I have no evidence to actually back that up, but it wouldn't make sense to store the key on every console. Having an algorithm to CHECK if it was signed makes much more sense, and I'm betting that's the case. And the algorithm is probably encrypted in NAND or something, who knows.

xnoelahg

  • Archived User
  • Jr. Member
  • Posts: 77
360 Flash Dump Tool V0.1
« Reply #26 on: June 02, 2007, 04:55:00 PM »

QUOTE(The Prankster @ Jun 2 2007, 01:41 PM)

You couldn't 'keylog' it either; keylogging is programs that run on computers to record the keystrokes on a computer. There is no point in time where the Xbox 360 would have a keylogger, lol. The point is, the Xbox 360 is undoubtedly NOT holstering the M$ private key. I have no evidence to actually back that up, but it wouldn't make sense to store the key on every console. Having an algorithm to CHECK if it was signed makes much more sense, and I'm betting that's the case. And the algorithm is probably encrypted in NAND or something, who knows.


I think he was referencing the syscall for saving to the 'keyvault' in the hypervisor. An algorithm to check a key would seem a good solution, except for two flaws:

1) A badly written algorithm which could have multiple results read OK, which would mean that if you can find another key similar enough, you can swap them. Not much of a concern there, but still a concern nonetheless if you're worried about security and the public.

2) An algorithm that can be solved. If we know the complete algorithm, why can't one fill in the blank? It's like I may not know what a peanut butter and jelly sandwich is, but if I see peanut butter + jelly + bread = ___, there's a chance I can come up with "peanut butter & jelly sandwich". Of course, that analogy isn't to be taken literally; it's just an illustration.

I'm almost 100% positive that the key would be kept onboard (albeit with a high level of encryption), and simply compared when needed (hence the hypervisor's syscall to the 'keyvault').

The Prankster

  • Archived User
  • Full Member
  • Posts: 127
360 Flash Dump Tool V0.1
« Reply #27 on: June 03, 2007, 01:42:00 PM »

QUOTE(xnoelahg @ Jun 2 2007, 07:31 PM)

I think he was referencing the syscall for saving to the 'keyvault' in the hypervisor. An algorithm to check a key would seem a good solution, except for two flaws:

1) A badly written algorithm which could have multiple results read OK, which would mean that if you can find another key similar enough, you can swap them. Not much of a concern there, but still a concern nonetheless if you're worried about security and the public.

2) An algorithm that can be solved. If we know the complete algorithm, why can't one fill in the blank? It's like I may not know what a peanut butter and jelly sandwich is, but if I see peanut butter + jelly + bread = ___, there's a chance I can come up with "peanut butter & jelly sandwich". Of course, that analogy isn't to be taken literally; it's just an illustration.

I'm almost 100% positive that the key would be kept onboard (albeit with a high level of encryption), and simply compared when needed (hence the hypervisor's syscall to the 'keyvault').


I still think it's not held onboard, because that would be a major flaw, and simply put... if I can think that that's stupid, then M$ probably thought it would be suicide, so it's probably true that it isn't onboard. People have already exploited the 360 with earlier kernels. So anything encrypted is easily decryptable as long as you have your fuseset values, and you can only retrieve those through running Linux. The point is it's downright stupid to put the private key on every 360, and to figure out the algorithm would require a LOT of reverse engineering, and then you still probably wouldn't come up with the private key, because it can only check to see if it's signed, completely leaving the key out of the fact.

Though on a good note, props for that wonderful explanation of algorithms, lol, quite unique.

Cheers.
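Added example (not from this thread, and not Xbox 360 code) for the argument between The Prankster, colzee and xnoelahg above, and for the console serial / certificate pairing signal-to-noise-ratio mentions: a device that only verifies signatures is built with the signer's public key and never holds the private key, so there is nothing on the verifier to "keylog", and because RSA with gcd(e, phi) = 1 is a permutation there is exactly one valid signature per hash, so a "similar enough" value cannot pass. The scheme is textbook RSA over two well-known Mersenne primes with no padding (illustration only; real deployments use 2048-bit or larger keys with RSA-PSS or PKCS#1 v1.5 padding). ConsoleCert, its fields, the factory key and the sample serials are this example's own assumptions, not the real certificate format. The last function turns The Prankster's figure of roughly 3 days to exhaust a 56-bit DES keyspace into the time for longer keys at the same rate.

```python
"""Added example, not code from the thread or from the Xbox 360.

Textbook RSA (no padding, ~150-bit modulus) for illustration only; a real
deployment uses >= 2048-bit keys and RSA-PSS or PKCS#1 v1.5 padding.
ConsoleCert and its fields are this example's assumptions."""
import hashlib
from dataclasses import dataclass

# Two well-known Mersenne primes: small enough to be fast, large enough
# that a 128-bit hash value is always below the modulus n = P * Q.
P = (1 << 61) - 1
Q = (1 << 89) - 1
E = 65537


def make_keypair():
    """Return ((n, e), (n, d)). Only (n, e) is ever burned into a device."""
    n = P * Q
    phi = (P - 1) * (Q - 1)
    d = pow(E, -1, phi)          # E is coprime to phi for these primes
    return (n, E), (n, d)


def digest_int(data: bytes) -> int:
    """First 128 bits of SHA-256 as an integer (< n, since n has ~150 bits)."""
    return int.from_bytes(hashlib.sha256(data).digest()[:16], "big")


@dataclass(frozen=True)
class ConsoleCert:
    console_id: bytes    # hypothetical per-console serial bound by the cert
    console_key: int     # hypothetical per-console public value
    signature: int = 0   # factory signature over the two fields above

    def tbs(self) -> bytes:
        """Canonical to-be-signed encoding of the fields."""
        return self.console_id + self.console_key.to_bytes(32, "big")


def sign_cert(cert: ConsoleCert, priv) -> ConsoleCert:
    """Factory side: needs d. This never runs on the console."""
    n, d = priv
    sig = pow(digest_int(cert.tbs()), d, n)
    return ConsoleCert(cert.console_id, cert.console_key, sig)


def verify_cert(cert: ConsoleCert, pub) -> bool:
    """Console side: needs only (n, e). No private key is present to leak."""
    n, e = pub
    return pow(cert.signature, e, n) == digest_int(cert.tbs())


def demo():
    """Genuine cert verifies; an ID swap and a near-miss signature do not."""
    factory_pub, factory_priv = make_keypair()
    cert_a = sign_cert(ConsoleCert(b"CONSOLE-A-0001", 0xA5A5), factory_priv)

    genuine = verify_cert(cert_a, factory_pub)
    # Swap another box's ID into the cert but keep A's signature:
    # the hash changes, so the signature no longer matches.
    swapped_id = ConsoleCert(b"CONSOLE-B-0002", cert_a.console_key, cert_a.signature)
    # "A key similar enough": flip one bit of the signature. RSA with
    # gcd(e, phi) = 1 is a permutation, so each hash has exactly one
    # valid signature and a near-miss can never verify.
    near_miss = ConsoleCert(cert_a.console_id, cert_a.console_key, cert_a.signature ^ 1)
    return genuine, verify_cert(swapped_id, factory_pub), verify_cert(near_miss, factory_pub)


# Brute-force scaling, using the thread's figure of ~3 days for all 2**56 DES keys.
DES_DAYS = 3.0
KEYS_PER_SECOND = 2 ** 56 / (DES_DAYS * 86400)


def years_to_exhaust(key_bits: int) -> float:
    """Years to try every key of the given length at the DES-cracker rate."""
    return 2 ** key_bits / KEYS_PER_SECOND / (365 * 86400)


if __name__ == "__main__":
    print("genuine, swapped_id, near_miss ->", demo())
    for bits in (56, 64, 128, 256):
        print(f"{bits:3d}-bit keyspace: {years_to_exhaust(bits):.3g} years")
```

Running the block prints `(True, False, False)` for the three certificates and shows that each extra key bit doubles the exhaustive-search time, so the same hardware that clears 56 bits in days needs on the order of 10^19 years for 128 bits.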