-
Softmod bioses seem to have the most advanced features, but I like to TSOP flash whenever possible. I want the best of both worlds if xman or someone can help a bit.
What I am looking for is the ability to have a system with a simple 256K bios (likely X2 4981) that I use with TSOPs that does nothing but boot a bios loader with all the latest features. I would have the ability to have proper up-to-date lba48 support, eeprom protection, shadow C, ISO loading, etc. At the same time if I swap out the hard drive I can set it up quickly with an autoInstaller.
I haven't read about this stuff in a while - I think I may have known how at one point but I don't know now - How should I set this up?
-
Complicated. You'd need to use PBL to chainload a BFM stock BIOS, otherwise the softmod wouldn't work (because the softmod patches the stock BIOS in-memory, and if you aren't running a stock BIOS then the patch just gives you a blank screen and an unresponsive Xbox). I'm sure you could make it work with a bit of effort, but I'm not sure what you'd achieve in reality. With a TSOP you don't really need eeprom protection and shadow C, and I'm sure that there's a BIOS that does ISO loading, and apart from that there aren't many features I can think of that you get with a softmod that you don't get with a flashed BIOS.
This post has been edited by Heimdall: Jun 19 2011, 06:19 PM
-
QUOTE
because the softmod patches the stock BIOS in-memory, and if you aren't running a stock BIOS then the patch just gives you a blank screen and an unresponsive Xbox
This.
Yes I knew that would be an issue. I am just not happy with any of the bioses out there and don't want to screw around with patchers just for ISO loading. I would probably just turn off virtual eeprom and shadow C, but this seems the most elegant solution, plus I feel softmods are the most up to date (most recent work).
-
Tsop splitting a 1.0/1.1 and switching between retail bios+nkpatcher and non-retail bios on different banks could achieve your objectives.
-
Yeah I could also flash retail and flash back before removing the harddrive... but I don't want the flubber.
-
nkpatcher patches kernel by specific memory addresses for each kernel version. If you could locate the flubber animation code in the retail bios and NOP the whole chunk, nkpatcher might still work. Somebody like FrostytheSnowman could pull this off.
-
Might be possible - I think I could do it (I know enough about assembly generally) but with no experience it would take a lot of exploring code. I think it would be easier to load a retail into memory and then patch it. Ideally chain load the bios patcher without needing to use an exploit.
-
I'm fairly certain you have to load the BIOS patcher with an exploit because the BFM stock BIOS will only run signed code, but it should be easy - a standard softmod will do that for you. So, you install PBL as your hacked dash, use that to chainload the BFM stock BIOS, that loads the softmod xboxdash.xbe, which loads the fonts to trigger nkpatcher.
-
QUOTE(ldotsfan @ Jun 20 2011, 03:51 PM)

nkpatcher patches kernel by specific memory addresses for each kernel version. If you could locate the flubber animation code in the retail bios and NOP the whole chunk, nkpatcher might still work. Somebody like FrostytheSnowman could pull this off.
I'm not sure that this is possible, being as the softmod (and bios loader) wouldn't take hold of the system until the console attempts to load the dash (after the flubber has been displayed), so how can the flubber be removed beforehand?
-
QUOTE(xboxmods2977 @ Jun 21 2011, 11:23 AM)

I'm not sure that this is possible, being as the softmod (and bios loader) wouldn't take hold of the system until the console attempts to load the dash (after the flubber has been displayed), so how can the flubber be removed beforehand?
nop it.. or more likey jmp over the flubber code and flash the bios back to the chip. Not sure if, or how well the xbox validates the bios, but sounds like it would work.
QUOTE(Heimdall @ Jun 20 2011, 03:14 PM)

I'm fairly certain you have to load the BIOS patcher with an exploit because the BFM stock BIOS will only run signed code, but it should be easy - a standard softmod will do that for you. So, you install PBL as your hacked dash, use that to chainload the BFM stock BIOS, that loads the softmod xboxdash.xbe, which loads the fonts to trigger nkpatcher.
Yes I am not sure if it is possible to skip the exploit part since you have a retail bios at that point.. but it should be possible to create a tool if one doesn't exist to load a retail bios and patch it at once, or load the bios, then load and run the patcher without calling the bios.. just ideas.
I was thinking of simply setting up a softmod bios I like and dumping the active bios using xman's bios dumping tool and flashing it to the TSOP? Not sure if there are issues there.
-
Oh ok. IC. So you're saying, to dump the retail kernel, modify it, and then flash it back to the TSOP? I wouldn't be brave enough to try that.
How about this? Flash iND to the TSOP (or any bios that can skip flubber) and set it to skip flubber. Then, set the first dash to PBL. PBL then loads the retail BFM. Then, softmod the retail BFM. The softmod exploits the retail BFM, and in turn, loads its payload BFM hacked bios.
The result: All the advantages of hardmod and the luxuries of a softmodded box.
EDIT: I may try this myself right now....
This post has been edited by xboxmods2977: Jun 21 2011, 05:43 PM
-
Yes that should work.. I would go with X2 with flubber turned off since it doesn't hit the hard drive. I was hoping to avoid the softmod files, but might be good enough..
-
OK, my first snag/problem.
I'm trying this out on a 1.4 xbox running X2 5035 from a chip.
So far, I have PBL (pbl-lite) set up to load as my first dash. When it starts, it boots 5101 bfm (semi) successfully to the M$dash, but the screen is garbled like there is a vertical hold issue. I thought maybe it might correct itself when I went to load the 007 game to start the exploit but it too boots garbled.
Any ideas?
-
http://forums.xbox-scene.com/index.php?s=&...t&p=4163480
Maybe. edit.. nevermind, you used the right version.
This post has been edited by Movax: Jun 21 2011, 07:09 PM
-
I'm gonna try it now on a 1.0 just for sh!ts.
EDIT: Not worth the trouble. Here is what happens:
It works, up until the softmod installer says "softmod installed successfully, power down now blah, blah"
When I restarted the xbox, it boots to the famous "hacked bios present with softmod" black screen. If I start it with a game, the game loads, but somewhere in the dash exploit process, things don't go good.
Here is why it isn't worth it.
All of your hardmod advantages are lost because when PBL loads, your xbox is retail again, which means no unlocked HD's and no missing DVDRom's or the M$ dash will error. Same case with after the softmod is finished, that is if someone successfully gets past post-install. (Maybe, hot-swap and then NDURE?)
So, I guess if you want to go through all this crap, just so you can hide/customize your flubber on your softmod box, be my guest. That is the only advantage.
PS, I never got it to work with a 1.4 xbox. Only the 1.0 was free of the graphical issue, but still never got past the first reboot during the softmod process. (krayzies 1.1)
The hacked (flubber removal) retail bios idea is probably the only option
This post has been edited by xboxmods2977: Jun 21 2011, 08:08 PM
-
You could just FTP over the softmod with a Kingroach ndure setup.. but wouldn't solve most of the things you were saying. Some variation of creating a flashable bios from a softmod or loading and patching in one shot should be possible.
-
QUOTE
Yes I am not sure if it is possible to skip the exploit part since you have a retail bios at that point.. but it should be possible to create a tool if one doesn't exist to load a retail bios and patch it at once, or load the bios, then load and run the patcher without calling the bios.. just ideas
here is the code to patch the public key (to run habi signed xbe)
CODE
patchpublickey:
mov ebx,[ebp+XePublicKeyData-base]  ; key address from the patcher's data block, 0 if unknown
test ebx,ebx
jnz .chk                            ; address known: verify it directly
.searchkey:
mov ebx,esi                         ; otherwise scan forward one byte at a time
inc esi
.chk: cmp dword [ebx],31415352h     ; "RSA1" magic of the public key blob
jne .searchkey
cmp dword [ebx+10h],10001h          ; public exponent 65537 at key+10h
jne .searchkey
.searchkeyend:
inc ebx                             ; walk forward to the stock modulus dword
cmp dword [ebx],0A44B1BBDh
jne .searchkeyend
pushf
cli                                 ; no interrupts while write protection is off
mov ecx,cr0
push ecx
and ecx,0FFFEFFFFh                  ; clear CR0.WP so the read-only kernel page can be written
mov cr0,ecx
xor dword [ebx],2DD78BD6h           ; A44B1BBDh becomes 899C906Bh
pop ecx
mov cr0,ecx                         ; restore CR0.WP
popf
decrypt the stock bios
find 31415352h ( 52534131 bytes reversed lo to hi)
verify found location + 10h = 00010001 (01000100)
find A44B1BBD ( BD1B4BA4 ) should be next string
replace with 899C906B ( 6B909C89 )
if the bios editor lets you change the boot dash then change it to nkpatcher (default.xbe)
or change all occurrences of xboxdash.xbe and/or xboxdash to nboxdash (nkpatcher.xbe)
-
I think I get it.
1)Flash TSOP
2)set up ROM BIOS to Boot PBL + BFM retail BIOS
- Retail bios was patched to allow it to boot nkpatcher (habi public key rather than MS public key)
3) Point retail bios to nkpatcher file in some manner - hex edit retail bios or rename files on disk.
So I just patch those four bytes in the retail kernel to allow nkpatcher to boot?
What about unlocked harddrives, or no DVD roms?
This post has been edited by Movax: Jun 22 2011, 05:27 PM
-
1 to 3 yes
QUOTE
So I just patch those four bytes in the retail kernel to allow nkpatcher to boot
yes, it should work
QUOTE
What about unlocked harddrives, or no DVD roms
I have no info on that
but I'm sure it could be done
there is a windows program that will help, IDA Pro Disassembler (bios must be decrypted first)
you could look at stock bios and a very old hacked bios to get some idea
if you're brave or have a bank switch you could flash the non BFM version once you know it works
also any other habi signed xbe, i.e. evox as a BFM bios selector / nkpatcher
I have an old Executer 1 chip (non flash) that nkpatcher works with but has LBA problems
could dump the kernel as a starting point
you should be able to remove/jump over the flubber code and nkpatcher still work
This post has been edited by xman954: Jun 22 2011, 07:13 PM
-
found this nkpatcher.asm
CODE
;;; --------------------------------------------------------------------------
;;; Helper macros for patchers
;;; --------------------------------------------------------------------------
%macro patcherinit 0
pushad
mov eax,[esp+32+12]
mov [caller_param],eax
mov edx,[esp+32+8]
push edx
mov ecx,[esp+36+4]
call init_patcher_vars
%endmacro
%macro patcherfinish 0
pop edx
call erasescrap
popad
ret 12
%endmacro
CODE_SECTION
init_patcher_vars:
push ecx
sub ecx,80010000h
mov [memdiff],ecx
then
CODE
%macro m7extra 2
%ifdef INIT_SEC_PATCHES
mov eax,[memdiff]
;; HD locking check bypass (?). No importance for nkpatcher and
;; cannot be enabled anyway because inside INIT section.
mov word [eax+%1],9090h
;; DVD drive check bypass (?). No importance for nkpatcher and
;; cannot be enabled anyway because inside INIT section.
mov byte [eax+%2],0EBh
%endif; INIT_SEC_PATCHES
%endmacro
also at the end of nkpatcher.asm it lists all kernel versions
CODE
patcher_4034:
m7extra 800551E6h,8005558Dh
looks easy if you can find the right place in the INIT section (if you want to flash a modded stock bios)
NOTE that a BFM skips the init section so a stock bios chained should work with an unlocked HDD, I think...
edit:
QUOTE
find A44B1BBD ( BD1B4BA4 ) should be next string
it's not the next string, it's found location + 110h
This post has been edited by xman954: Yesterday, 06:34 AM
-
Awesome! Thanks for the help/knowledge. Now I just have to learn how to encrypt and decrypt bioses and I can give it a try.
-
Error 5 - HD not locked..
Locked the HD.. it works! Pretty cool.. got to patch the no DVD, locked HD check and it's perfect!
All I installed was PBL with retail bios, bios.xbe from Kingroach ndure setup and my dash in E:\dash\default.xbe where nkpatcher likes it. (no exploit files).
Edit.. Strange - it seems to load unleashX fine.. I can browse files, but any attempt to launch an xbe creates a lockup..IGR seems to do the same thing...?
This post has been edited by Movax: Yesterday, 09:33 PM
-
http://www.xbox-scen...kFpppFyUAcKwoNZ
XBtool
so you decrypted the stock bios and hex edited the 4 bytes and encrypted it with BFM set ??
-
Yes.. v1.1 ..4817.. I patched it, it was easy to find the string.. I think I encrypted it correctly. I used xbtool to decrypt it, I may have not encrypted it back correctly? It does boot though. And it does check the hard drive.
I have to go, I'll try encrypting it again tomorrow.
-
Still can't get it to work. Can anyone walk me through on how to encrypt a BFM bios to make sure I am doing it correctly?
Are there other files nkpatcher needs to function correctly?
I added e:\NKP11\eeprom_off.bin,shadowc_off.bin
I also installed the ndure toolset (which freezes like other xbes)
I deleted unleashx from e:\dash and added TEAM XBMC shortcut - XBMC boots, but I still can't launch anything, which is odd considering the shortcut launches XBMC.
Why would it be happy to boot the dash and not anything else?
-
There may be nothing wrong with your encryption.
Keep in mind that upon loading an XBE from a dash, the bios image stored in ram is "checked", or re-verified before said XBE is launched so, refresh my memory on how you have it set up. Maybe I can come up with an idea on what is going on.
So far, I got that you've modified the retail kernel a little and flashed it back to the TSOP, right? What does this bios (on the TSOP) load first?
-
Right now, My boot process is
1)X2 4981 (TSOP),
2)PBLmetoo+BFM 4817 patched as described, (C:\evoxdash.xbe, 4817_retail.bin)
3)nkpatcher, (C:\xboxdash.xbe)
4)XBMCshortcut, (e:\dash\default.xbe)
5)XBMC (e:\apps\xbmc\default.xbe)
XBMC works fine, shows xbox info fine, can't launch xbes. BTW I have (and it seems faster) tried PBLite. Actually it boots extremely fast with PBLite.
-
Yep. PBLlite is fast. That is what I used.
I have a suspicion that what is happening is redundant patching.
In your step 2, you have loaded your custom retail, which has the signature modification done, but in step 3, NKP loads the softmod bios which attempts to also patch the same section of the bios (in memory) that you've already modified (in the BFM). It should crash before it even loads the dash, but it doesn't, and for some reason, the effect of this "redundant patching" doesn't occur until you try to load an xbe after the xbox has fully booted to the dash.
Here is an idea. (I think I have this thing licked)
Try this. Take another fresh copy of retail 4817 and ONLY remove the HD check and DVD-Rom check, BFM it, and then use that in your step 2. From there, you will be "ever-so-slightly" modified retail, and should be able to install, and boot a softmod.
The reason this should work is because in theory, it isn't possible for a softmod bios to patch out the HD and DVD checks, because these checks are done before the BFM loads, therefore, it is safe to assume that BFM's don't touch the regions of memory where these checks are contained. If this is indeed the case, we should be able to remove the checks without repercussion, while still allowing NKPatcher to do its thing.
-
I thought about redundant patching, but my understanding is that the code contained in the font exploit patches the four bytes I have patched (that is all I have patched thus far). Therefore nkpatcher should be getting the same kernel it would have gotten from retail+exploit.
-
My theory to be confirmed by xman954/Movax:
1. BFM bios was patched to execute habibi signed XBE, i.e. the dash, or first XBE.
2. When nkpatcher loads, it no longer finds the byte sequence hence no more patching of public key.
By the way, good work guys. It's incredible that the xbox 1 scene is capable of doing stuff like this so late in its life cycle thanks to the collective experience/knowledge of all of you who contributed in the thread.
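The patchpublickey routine quoted earlier, xman954's correction that the modulus dword sits at key + 110h (not "next string"), and the theory just above can be checked with the following Python, which is an added example and not code from the thread or from nkpatcher: it locates the RSA1 blob the way the asm's .searchkey/.chk loop does, reports whether the dword at key + 110h is stock or already carries the 4-byte patch, and shows that the asm's byte-wise .searchkeyend scan never hits the stock dword on an image that was pre-patched (point 2 of the theory). The kernel image it runs on is constructed here and contains no real key material.

```python
import struct

# Constants taken from the patchpublickey routine quoted in the thread.
RSA1_MAGIC = b"RSA1"                 # 31415352h read as a little-endian dword
STOCK_EXPONENT = 0x10001             # checked at key offset +10h
STOCK_MODULUS_WORD = 0xA44B1BBD      # the dword the 4-byte patch rewrites
PATCH_XOR = 0x2DD78BD6               # xor mask used by the asm
PATCHED_MODULUS_WORD = STOCK_MODULUS_WORD ^ PATCH_XOR   # 0x899C906B
PATCH_OFFSET = 0x110                 # corrected in the thread: key + 110h, not "next"

def find_public_key(image):
    """Mirror of the .searchkey/.chk loop: first 'RSA1' whose dword at +10h
    is 10001h. Returns the key offset, or None if no such blob exists."""
    off = 0
    while True:
        off = image.find(RSA1_MAGIC, off)
        if off < 0 or off + 0x14 > len(image):
            return None
        if struct.unpack_from("<I", image, off + 0x10)[0] == STOCK_EXPONENT:
            return off
        off += 1

def asm_search_stock_word(image, key):
    """Mirror of the .searchkeyend loop: walk forward a byte at a time from
    key+1 for the stock dword. The asm has no bound, so on a pre-patched image
    it runs away; here that case is reported as None instead."""
    for off in range(key + 1, len(image) - 3):
        if struct.unpack_from("<I", image, off)[0] == STOCK_MODULUS_WORD:
            return off
    return None

def classify_public_key(image):
    """Return ('stock' | 'patched' | 'unknown' | 'no-key', key_offset) from the
    dword at key+110h of a decrypted kernel image."""
    key = find_public_key(image)
    if key is None:
        return ("no-key", None)
    if key + PATCH_OFFSET + 4 > len(image):
        return ("unknown", key)
    word = struct.unpack_from("<I", image, key + PATCH_OFFSET)[0]
    if word == STOCK_MODULUS_WORD:
        return ("stock", key)
    if word == PATCHED_MODULUS_WORD:
        return ("patched", key)
    return ("unknown", key)

def build_sample_image(patched):
    """Constructed stand-in for a decrypted kernel (no real key material): a decoy
    'RSA1' with exponent 0 at 0x100, then a fake key blob at 0x800 whose word
    at +110h is either the stock or the patched value."""
    img = bytearray(0x1000)
    img[0x100:0x104] = RSA1_MAGIC                       # decoy, fails the +10h check
    key = 0x800
    img[key:key + 4] = RSA1_MAGIC
    struct.pack_into("<I", img, key + 0x10, STOCK_EXPONENT)
    img[key + 0x14:key + 0x14 + 256] = bytes(range(256))  # filler modulus bytes
    word = PATCHED_MODULUS_WORD if patched else STOCK_MODULUS_WORD
    struct.pack_into("<I", img, key + PATCH_OFFSET, word)
    return bytes(img)
```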
-
QUOTE(Movax @ Jun 24 2011, 04:38 PM)

I thought about redundant patching, but my understanding is that the code contained in the font exploit patches the four bytes I have patched (that is all I have patched thus far). Therefore nkpatcher should be getting the same kernel it would have gotten from retail+exploit.
Ok. Sounds good. So, let's explore our options. Possibilities? The only 2 are these:
1. Have you chosen the correct softmod bios for NKPatcher to load according to your kernel? (probably. SO,)
2. If so, let's go back a little further.
What you say above is true, so your setup may/must vary from a natural retail+exploit environment somehow.
Could there be any remnants of 4981 leftover in memory after PBL has loaded 4817? We know that BFMs do not overwrite all of the bios in ram.
That's all I have got.
-
I did use the correct exploit, maybe try everything again step by step really carefully..only possible wild card is I am using Linux.. I'll try again from Windows in a bit. (All the windows tools were run in wine.)
-
I re-copied over some of the files, re-encrypted the bios, etc from windows, no obvious change.
BUT, if I rename the ndts folder to dash and have it as my dashboard I can launch other apps and my IGR works perfect (and is really fast! I was using IND before this).
A clue?
.. Oh I see PBL is there.. still.. is this helpful?
-
Yes and no. ndts uses PBL to load Frosty's hand hacked Evox M8 BIOS before it loads UnleashX. In other words, it sounds as though you're loading a different BIOS, which is why it's working. Is the LED red?
-
Yep.. red LED, (..and my green is working properly.) My best idea with my limited experience is to try and dump the kernel from RAM and take a look.. compare to the kernel image I patched.
-
Excellent cross-reference

Yes, that means your system is working because you're reloading a different BIOS.
-
I dumped the kernel right after the BFM was loaded - I chained the dumper as xboxdash.xbe. I see the four bytes I patched, but, while overall very similar, there are tons of differences between this and the kernel image I started with, besides the obvious huge filesize difference. Why does the extracted kernel image have a filesize of over 600Kb while the dumped kernel is 262,144 bytes?
Any insight appreciated.. does this info help?
-
The extracted kernel is uncompressed, the BIOS is compressed.
-
QUOTE
My theory to be confirmed by xman954/Movax:
1. BFM bios was patched to execute habibi signed XBE, ie the dash, or first XBE.
2. When nkpatcher loads, it no longer finds the byte sequence hence no more patching of public key.
#2
QUOTE
Excellent cross-reference
Yes, that means your system is working because you're reloading a different BIOS.
that version of dash is habi signed
try signing one of your game xbes
the loading of BFM stock bios may have different offset in mem that nkpatcher is unable to calculate for some reason or it's fixed
the 4 bytes patched are the same that ernie.xtf does
i think the direction to go is:
patch the 4 bytes
and flash it to a chip that has 2 or more banks
and see what happens
that will confirm some things
also dumping the kernel on a normal softmodded xbox
then again after PBL reloads it
-
I can't seem to build a retail bios after patching .. xbtool crashes.
Any help welcome.
-
I haven't read all the posts but did you try Ind-Bios 5003. It allows you to load a bfm bios so you don't need to use pbl loader. Flash the 5003 bios to TSOP and place stock bfm bios in c:/xboxrom.bin.