Documentation notes for Chimp26:
1. It is originally packaged with a Mechassault gamesave. If you can already run unsigned code, you need only 4 files from the package:
a. default.xbe
b. linuxboot.cfg
c. vmlinuz
d. initrd
FTP the 4 files to a folder of your choice on the E, F or G drive and run default.xbe.
2. Chimp26 is Linux based and the files appear to be derived from an earlier version of Xebian. As in the normal boot process, linuxrc is executed after the kernel boots. There is a typo in inittab and this is only apparent if initrd can't be found in the same folder.
3. Linuxrc loads chimp and starts a telnet and an ftp daemon. It tries to use DHCP and if that fails, a hardcoded IP of 192.168.0.3 is used. This IP address is independent of the Xbox's network settings and cannot be changed. If you have an Xbox 1.6, the suggestion is to use a crossover cable for a direct connection and set your PC's IP to the same subnet. If you have a USB keyboard, you will have keyboard access.
4. The bulk of the work is done in 3 shell scripts: chimp, cloneab, and lockhdb. xboxdumper is used to write the magic value of BRFR to the correct place to identify the target hard drive as an Xbox drive. Originally it followed xboxhdm's approach of using dd to do that, but this was later commented out and xboxdumper was used.
The relevant section of lockhdb is reproduced below; authorship belongs to Chimpanzee:
CODE
#!/bin/sh
REALOP="$1"
TARGET=/dev/hdb
PASSWORD_OPT=" -a "
PASSWORD_SRC="Motherboard"
if [ -z "$1" ]; then
    echo "usage: $0 "
    exit 1
fi
if [ "$2" != "" ]; then
    pass=$(echo $2 | grep hdpass.txt)
    eeprom=$(echo $2 | grep eeprom.bin)
    hddkey=$(echo $2 | grep hddkey.txt)
    if [ -e "$2" ]; then
        if [ "$eeprom" != "" ]; then
            PASSWORD_OPT="-e $2"
            PASSWORD_SRC="$2"
        elif [ "$pass" != "" ]; then
            pass=$(cat $2)
            [ -z "$pass" ] && echo "$2 empty" && exit 1
            PASSWORD_OPT="-p $pass"
        else
            hddkey=$(cat $2)
            [ -z "$hddkey" ] && echo "$2 empty" && exit 1
            PASSWORD_OPT="-k $hddkey"
        fi
        PASSWORD_SRC="$2"
    fi
fi
if [ -e $TARGET ]; then
    hdtool2 $PASSWORD_OPT -d $TARGET -o unlock | head -n 11 > /tmp/abc.$$
    info=$(cat /tmp/abc.$$)
    if [ "$1" != "unlock" ]; then
        dialog --defaultno --title "Password generated from $PASSWORD_SRC, choose Yes to $1" --yesno "$info" 15 75
        case $? in
            0 ) lock="yes";;
        esac
        rm /tmp/abc.$$
        clear
        if [ "$lock" != "" ]; then
            if [ "$hddkey" != "" ]; then
                hdtool2 -d $TARGET $PASSWORD_OPT -o disable-pw > /tmp/pass.$$
                [ "$1" != "disable-pw" ] && echo "y" | hdtool2 -d $TARGET $PASSWORD_OPT -o $REALOP >> /tmp/pass.$$
            else
                hdtool -d $TARGET $PASSWORD_OPT -o disable-pw > /tmp/pass.$$
                [ "$1" != "disable-pw" ] && echo "y" | hdtool -d $TARGET $PASSWORD_OPT -o $REALOP >> /tmp/pass.$$
            fi
            dialog --title "Done, Password used(generated from $PASSWORD_SRC),also in /tmp/pass.$$" --textbox /tmp/pass.$$ 15 75
            clear
        fi
    else
        dialog --title "$1 result - password generated from $PASSWORD_SRC" --msgbox "$info" 15 75
        clear
    fi
fi
As can be seen, the script can lock or unlock the HDD and disable security, using the motherboard, an eeprom file or a hddkey file.
Cloneab also supports selective cloning of partitions or drive to drive dumps. However it uses the .67 convention of LBA48 (F and G drives), so .6 LBA48 (F drive only) users are better off using drive to drive dumps. Edit: Seems that .6 is supported.
This post has been edited by ldotsfan: Apr 15 2008, 03:04 AM
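In the lockhdb excerpt above, a second argument that names a missing file leaves the password source at the motherboard default, the file type is detected by grepping the whole path, and any other file name is treated as a hddkey file. The following is an added example, not Chimp26 or Chimpanzee code, of the same source selection with those cases rejected; `resolve_password_src` is a hypothetical helper name, and the flags `-a`, `-e`, `-p` and `-k` are the ones the script passes.

```shell
#!/bin/sh
# Added example, not part of Chimp26. resolve_password_src is a hypothetical
# helper; it only selects the password source and does not touch any drive.
# It sets PASSWORD_FLAG, PASSWORD_ARG and PASSWORD_SRC for a later hdtool call.
resolve_password_src() {
    file="$1"
    PASSWORD_FLAG=""; PASSWORD_ARG=""; PASSWORD_SRC=""
    # No file argument: derive the password from the motherboard, as lockhdb does.
    if [ -z "$file" ]; then
        PASSWORD_FLAG="-a"; PASSWORD_SRC="Motherboard"
        return 0
    fi
    # lockhdb keeps the motherboard default when the file is missing; here it
    # is an error, so a mistyped path cannot silently change the key source.
    if [ ! -f "$file" ]; then
        echo "error: $file not found" >&2
        return 1
    fi
    # Compare the exact base name instead of grepping the whole path.
    name=$(basename -- "$file")
    case "$name" in
        eeprom.bin)
            PASSWORD_FLAG="-e"; PASSWORD_ARG="$file" ;;
        hdpass.txt|hddkey.txt)
            value=""
            IFS= read -r value < "$file" || true   # first line only
            if [ -z "$value" ]; then
                echo "error: $file empty" >&2
                return 1
            fi
            if [ "$name" = "hdpass.txt" ]; then
                PASSWORD_FLAG="-p"
            else
                PASSWORD_FLAG="-k"
            fi
            PASSWORD_ARG="$value" ;;
        *)
            # Unknown names are rejected rather than assumed to be a hddkey file.
            echo "error: unrecognised key file name: $file" >&2
            return 1 ;;
    esac
    PASSWORD_SRC="$file"
}
```

Keeping the flag and its argument in separate variables lets the caller quote both, so a path or password containing spaces is passed as one argument.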