xboxscene.org forums

Author Topic: How To Dump Your X360 Nand Flash Using Linux  (Read 367 times)

cerealkillajme

  • Archived User
  • Hero Member
  • Posts: 1076
How To Dump Your X360 Nand Flash Using Linux
« on: April 17, 2007, 07:45:00 AM »

I found this thread at XBH which tells you how you can dump your NAND flash using Linux.
http://www.xboxhacker.net/index.php?topic=7290.0

This is just the same info but much more broken down and sorted into somewhat of a guide you can follow. I might revise this more and turn it into a tutorial, but I don't have the time ATM.

First, before you can run any of this, you need:

  • a console which can be exploited using the hypervisor vulnerability (kernel 4532 or 4548),
  • a flashed DVD drive to run the Xell patched King Kong disc (ATM Hitachi works fine, Samsung has little to no support, sometimes boots from USB), and
  • to boot to Linux via a Live disc (not sure on some of the Live disc stuff, read the bottom for more info) or from the HDD (see Ubuntu HDD install).

Once you are booting Linux you need to open a terminal window.

Basically you need to find the NAND address using lspci. Type this command in your terminal:

CODE
lspci -v


It will dump each of the slots. You need to look for the one that says "FLASH memory: Microsoft Corporation Unknown device 580b", then look at the 2nd line starting with "Memory"; it should be similar to " Memory at 200c8000000 (32-bit, non-prefetchable) [size=16M]". You want the line that has "16M" in it, as that will be our 16MB NAND flash. Here is what my slot looked like:

CODE
00:08.0 FLASH memory: Microsoft Corporation Unknown device 580b
        Flags: bus master, medium devsel, latency 0, IRQ 24
        Memory at 200ea00c000 (32-bit, non-prefetchable) [size=1K]
        Memory at 200c8000000 (32-bit, non-prefetchable) [size=16M]


My address matched one of the guys' addresses on XBH and was "c8000000".

Then you need to copy this code into a new document (code was created by Pec of XBH):

CODE
/*
 * Usage:
 *   volatile void *p = ioremap(MY_HARD_REG_ADDR, 4096);
 *   ...
 *   out_8(p, state ^= 0x1);
 *
 *
 *  Copyright (C) 2003 Stephane Fillod
 */

/* The header names were lost when the forum stripped the angle brackets;
 * these are the ones the code uses. _FILE_OFFSET_BITS keeps an mmap()
 * offset above 2 GiB (0xc8000000 is one) representable on 32-bit userland. */
#define _FILE_OFFSET_BITS 64
#include <stdio.h>
#include <stdlib.h>

#include <string.h>
#include <errno.h>
#include <unistd.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/mman.h>

#define BUFSIZE         16777216   /* 16 MiB: the size of the NAND BAR shown by lspci */

#ifdef __PPC__
static inline void out_8(volatile unsigned char *addr, unsigned val)
{
        __asm__ __volatile__("stb%U0%X0 %1,%0; eieio" : "=m" (*addr) : "r" (val));
}
/* etc., cf asm/io.h */
#else
static inline void out_8(volatile unsigned char *addr, unsigned val)
{
        *addr = val & 0xff;
}
#endif

/* Map `size` bytes of physical memory starting at physaddr through /dev/mem
 * and return a pointer to the first byte (NULL on failure). */
volatile void * ioremap(unsigned long physaddr, unsigned size)
{
    static int axs_mem_fd = -1;
    unsigned long page_addr, ofs_addr, reg, pgmask;
    void* reg_mem = NULL;

    /*
     * mmap wants page-aligned offsets, so map from the page that contains
     * physaddr and add the offset back afterwards.
     */
    pgmask = getpagesize()-1;
    page_addr = physaddr & ~pgmask;
    ofs_addr  = physaddr & pgmask;

    /*
     * Don't forget O_SYNC, esp. if address is in RAM region.
     * Note: if you do know you'll access in Read Only mode,
     *    pass O_RDONLY to open, and PROT_READ only to mmap
     *    (enough for a dump, and then nothing can be written to the
     *    device by accident).
     */
    if (axs_mem_fd == -1) {
        axs_mem_fd = open("/dev/mem", O_RDWR|O_SYNC);
        if (axs_mem_fd < 0) {
                perror("AXS: can't open /dev/mem");
                return NULL;
        }
    }

    /* memory map */
    reg_mem = mmap(
        NULL,
        size+ofs_addr,
        PROT_READ|PROT_WRITE,
        MAP_SHARED,
        axs_mem_fd,
        (off_t)page_addr
    );
    if (reg_mem == MAP_FAILED) {
        perror("AXS: mmap error");
        close(axs_mem_fd);
        axs_mem_fd = -1;
        return NULL;
    }

    reg = (unsigned long )reg_mem + ofs_addr;
    return (volatile void *)reg;
}

int iounmap(volatile void *start, size_t length)
{
    unsigned long ofs_addr;
    ofs_addr = (unsigned long)start & (getpagesize()-1);

    /* do some cleanup when you're done with it */
    return munmap((unsigned char*)start-ofs_addr, length+ofs_addr);
}

int main(int argc, char *argv[])
{
    /* physical address of the 16M BAR from lspci; change it here (as well
     * as in the usage comment above) if yours differs */
    const unsigned long nand_base = 0xc8000000;
    volatile void *d_PtrA;
    char *buffer;
    int fd, ret = -1;

    (void)argc; (void)argv;

    fd = open("./flashdump", O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (fd < 0) {
        perror("open ./flashdump");
        return 1;
    }
    d_PtrA = ioremap(nand_base, BUFSIZE);
    if (d_PtrA == NULL) {
        close(fd);
        return 1;
    }
    buffer = malloc(BUFSIZE);
    if (buffer == NULL) {
        perror("malloc");
        iounmap(d_PtrA, BUFSIZE);
        close(fd);
        return 1;
    }

    /* copy the whole 16 MiB window out of the mapping, then into the file */
    memcpy(buffer, (const void *)d_PtrA, BUFSIZE);
    ret = write(fd, buffer, BUFSIZE);
    if (ret != BUFSIZE)
        perror("write ./flashdump");

    free(buffer);
    iounmap(d_PtrA, BUFSIZE);
    close(fd);
    return ret == BUFSIZE ? 0 : 1;
}


Once you have pasted the code into your new document you need to change "MY_HARD_REG_ADDR" to the address of your NAND, in my case it was "c8000000", so here is the first part of my code:

CODE
/*
 * Usage:
 *   volatile void *p = ioremap(c8000000, 4096);
 *   ...
 *   out_8(p, state ^= 0x1);
 *
 *
 *  Copyright (C) 2003 Stephane Fillod
 */


Once you have changed the address in the document, save and close it. Now rename the document to "memdump.c".

Then you need to compile the memdump.c source into a program by using the following command:

CODE
gcc -I=/usr/include/ -O memdump.c


"/usr/include/" is the path of where you have memdump.c stored

Once the code is compiled you will get an "a.out" file, which is your program to dump the NAND with. You can then run the program and it should create a 16MB file called "FLASHDUMP". I recommend you just rename it to "FLASHDUMP.bin" to make the rest of this guide easy.

Once you have "FLASHDUMP.bin" you can browse it using a hex editor. In the first few lines, on the right, you should see the text string "2004-2005 Microsoft Corporation. All rights reserved."

Also, you can extract any files from "FLASHDUMP.bin" using a great tool by "Probutus" of XBH called "NAND Tool v0.2" (I don't think it contains any copyrighted code, but I'm not posting a link to it).

You need to run the NAND Tool from a command prompt. Here is the command to dump all of the files from the "FLASHDUMP.bin":

CODE
readflash FLASHDUMP.bin all


That will dump all the files from the NAND into the folder you are running NAND Tool from.

Now you have your NAND dumped and all the files contained inside.

*Note* I did this on my system, which has Ubuntu installed to the HDD, so I was able to easily save the "FLASHDUMP" to the HDD. With a Live CD I don't think you have access to the HDD (unless you format and partition it), and since I'm a Linux n00b I'm not really sure how you would or if it is even possible. And forgive me for being a Linux n00b, I've only been using Linux 3-4 days now.


Credits go to XBH, which is where I found the info to do this, Pec (of XBH) for the source code and his info in that thread, and anyone in that thread that contributed information on doing this.

This post has been edited by cerealkillajme: Apr 17 2007, 11:12 PM
Logged
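An added check, written for this page and not part of cerealkillajme's post or Pec's code: a small C program that sanity-checks the FLASHDUMP.bin that memdump writes. It relies only on what the post states, that a good dump is 16 MiB and carries the string "2004-2005 Microsoft Corporation. All rights reserved."; the counts of all-0xFF and all-0x00 4 KiB pages are a generic heuristic added here (a long run of blank pages where you expected data usually means that part of the window was never really read), and constructed_image() builds synthetic test data, not a real dump.

```c
/* nand_dump_check.c: sanity-check a FLASHDUMP.bin produced by memdump.
 * Added example, not code from the thread. It assumes only what the post
 * states: a good dump is exactly 16 MiB and contains the copyright string. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAND_SIZE   (16u * 1024u * 1024u)
#define PAGE_4K     4096u
#define NAND_MARKER "2004-2005 Microsoft Corporation. All rights reserved."

struct dump_report {
    size_t size;        /* bytes in the image */
    long   marker_off;  /* offset of NAND_MARKER, or -1 if it is absent */
    size_t ff_pages;    /* 4 KiB pages that are entirely 0xFF */
    size_t zero_pages;  /* 4 KiB pages that are entirely 0x00 */
};

/* Fills *r and returns 1 if the image is full-size and carries the marker.
 * The page counts are a generic heuristic (assumption, not from the thread):
 * blank pages where data was expected usually mean an unread region. */
int check_dump(const unsigned char *img, size_t len, struct dump_report *r)
{
    size_t mlen = strlen(NAND_MARKER);
    memset(r, 0, sizeof *r);
    r->size = len;
    r->marker_off = -1;

    for (size_t i = 0; i + mlen <= len; i++) {
        if (img[i] == NAND_MARKER[0] && memcmp(img + i, NAND_MARKER, mlen) == 0) {
            r->marker_off = (long)i;
            break;
        }
    }
    for (size_t off = 0; off + PAGE_4K <= len; off += PAGE_4K) {
        int all_ff = 1, all_00 = 1;
        for (size_t j = 0; j < PAGE_4K && (all_ff || all_00); j++) {
            if (img[off + j] != 0xFF) all_ff = 0;
            if (img[off + j] != 0x00) all_00 = 0;
        }
        r->ff_pages += (size_t)all_ff;
        r->zero_pages += (size_t)all_00;
    }
    return len == NAND_SIZE && r->marker_off >= 0;
}

/* Constructed 16 MiB image for testing: xorshift32 filler, the marker at
 * marker_at, and blank_pages all-0xFF pages at the end. Caller frees it. */
unsigned char *constructed_image(size_t marker_at, size_t blank_pages)
{
    unsigned char *img = malloc(NAND_SIZE);
    uint32_t x = 0x2545F491u;
    if (!img) return NULL;
    for (size_t i = 0; i < NAND_SIZE; i++) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        img[i] = (unsigned char)x;
    }
    memcpy(img + marker_at, NAND_MARKER, strlen(NAND_MARKER));
    memset(img + NAND_SIZE - blank_pages * PAGE_4K, 0xFF, blank_pages * PAGE_4K);
    return img;
}

/* Runs check_dump over the constructed image and over a truncated copy of
 * it; returns 1 when every field comes out as expected. */
int constructed_selfcheck(void)
{
    struct dump_report full, half;
    unsigned char *img = constructed_image(0x200, 8);
    int ok;
    if (!img) return 0;
    ok = check_dump(img, NAND_SIZE, &full) == 1
      && full.marker_off == 0x200 && full.ff_pages == 8 && full.zero_pages == 0
      && check_dump(img, NAND_SIZE / 2, &half) == 0   /* truncated: rejected */
      && half.marker_off == 0x200 && half.ff_pages == 0;
    free(img);
    return ok;
}

int main(int argc, char **argv)
{
    struct dump_report r;
    unsigned char *img;
    size_t len;
    FILE *f;
    int ok;
    if (argc != 2) { fprintf(stderr, "usage: %s FLASHDUMP.bin\n", argv[0]); return 2; }
    if (!(f = fopen(argv[1], "rb"))) { perror(argv[1]); return 1; }
    img = malloc(NAND_SIZE + 1);                 /* +1 so an oversize file is noticed */
    len = img ? fread(img, 1, NAND_SIZE + 1, f) : 0;
    fclose(f);
    ok = check_dump(img, len, &r);
    printf("size=%zu marker_off=%ld ff_pages=%zu zero_pages=%zu -> %s\n",
           r.size, r.marker_off, r.ff_pages, r.zero_pages, ok ? "OK" : "SUSPECT");
    free(img);
    return ok ? 0 : 1;
}
```

Run it as `./nand_dump_check FLASHDUMP.bin` right after dumping; a wrong size or a missing marker is a sign the mapping or the write failed, and a large ff_pages count is worth comparing against a second dump before feeding the file to any extraction tool.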

Abyss_Myth

  • Archived User
  • Newbie
  • Posts: 6
How To Dump Your X360 Nand Flash Using Linux
« Reply #1 on: May 18, 2007, 03:16:00 AM »

It hurts me so much that my Xbox 360 can't run Linux, because my current kernel is 4552.
For your information, guys: do not update backward compatibility with the 04_2007 update; it will update your console to kernel 4552.

Before, my kernel was 2552. I'm out of luck indeed.

By the way, it's a nice guide to dumping the NAND flash.

GREAT JOB!
Logged

ILLusions0fGrander

  • Archived User
  • Hero Member
  • Posts: 3560
How To Dump Your X360 Nand Flash Using Linux
« Reply #2 on: July 05, 2007, 08:50:00 PM »

Nice. I just got around to booting Linux tonight, so this might be something I'll have to work on in the next couple of days.

edit:

lspci came back as a bad command when I typed it from a terminal window.

I'm using v2 of the disc with a Samsung drive, running it from CD.

I'm not too knowledgeable with Linux; my first installation was Ubuntu on my laptop a month or so ago, so the commands are all pretty foreign.



Logged

diNgdoNg

  • Archived User
  • Newbie
  • Posts: 9
How To Dump Your X360 Nand Flash Using Linux
« Reply #3 on: July 25, 2007, 11:20:00 AM »

...when dumping between 200c8D80000-200c8E00000 Linux freezes; the rest of the NAND reads fine.
This happens on two Core consoles; a Premium is OK. Some other people are having the same problem. Any idea?
Logged
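An added example, written for this page and not from diNgdoNg or anyone else in the thread: a chunked /dev/mem dumper in C that reads the BAR in 1 MiB windows and lets you leave one sub-range unread (it is written out as 0xFF) so the rest of the NAND can still be collected and compared. The offsets 0xD80000-0xE00000 in the usage line are diNgdoNg's 200c8D80000-200c8E00000 taken relative to the 16M BAR at 200c8000000; the thread does not establish why that range hangs or that skipping it avoids the hang, so the skip window is a workaround to try, not an explanation. constructed_selfcheck() substitutes a temp file with a known byte pattern for /dev/mem so the copy logic can be exercised off the console.

```c
/* nand_dump_chunked.c: dump a physical window from /dev/mem one 1 MiB chunk
 * at a time, with an optional sub-range that is never read and comes out as
 * 0xFF. Added example, not code from the thread; the BAR address and the
 * freeze window come from the posts above, the skip idea is an assumption. */
#define _XOPEN_SOURCE 700
#define _FILE_OFFSET_BITS 64     /* 0xc8000000 exceeds a signed 32-bit off_t */
#include <errno.h>
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/mman.h>
#include <sys/types.h>
#include <unistd.h>

#define CHUNK (1024u * 1024u)

/* write() until every byte is out, retrying on EINTR and short writes */
static int write_all(int fd, const unsigned char *p, size_t n)
{
    while (n > 0) {
        ssize_t w = write(fd, p, n);
        if (w < 0) { if (errno == EINTR) continue; return -1; }
        p += w; n -= (size_t)w;
    }
    return 0;
}

/* Copies [base, base+len) of src_fd (e.g. /dev/mem) to dst_fd. Offsets in
 * [skip_lo, skip_hi), relative to base, are never touched and come out as
 * 0xFF. base must be page-aligned, as a PCI BAR is. Returns 0 or -1. */
int dump_region(int src_fd, int dst_fd, off_t base, size_t len,
                size_t skip_lo, size_t skip_hi)
{
    unsigned char *buf = malloc(CHUNK);
    if (!buf) return -1;
    for (size_t done = 0; done < len; done += CHUNK) {
        size_t n = len - done < CHUNK ? len - done : CHUNK;
        size_t lo = done, hi = done + n;
        int overlap = skip_lo < hi && skip_hi > lo;     /* window touches chunk */
        memset(buf, 0xFF, n);
        if (!overlap || skip_lo > lo || skip_hi < hi) { /* something to read */
            const unsigned char *m = mmap(NULL, n, PROT_READ, MAP_SHARED,
                                          src_fd, base + (off_t)done);
            if (m == MAP_FAILED) { free(buf); return -1; }
            if (!overlap) {
                memcpy(buf, m, n);
            } else {   /* only the parts of this chunk outside the window */
                if (skip_lo > lo) memcpy(buf, m, skip_lo - lo);
                if (skip_hi < hi) memcpy(buf + (skip_hi - lo), m + (skip_hi - lo), hi - skip_hi);
            }
            munmap((void *)m, n);
        }
        if (write_all(dst_fd, buf, n) < 0) { free(buf); return -1; }
    }
    free(buf);
    return 0;
}

/* Constructed self-check: a 3 MiB temp file with a known pattern is dumped
 * with [1.5 MiB, 2.25 MiB) excluded; returns 1 if the copy matches the
 * pattern outside that window and is all 0xFF inside it. */
int constructed_selfcheck(void)
{
    const size_t len = 3 * CHUNK, s_lo = CHUNK + CHUNK / 2, s_hi = 2 * CHUNK + CHUNK / 4;
    char sp[] = "/tmp/nand_src_XXXXXX", dp[] = "/tmp/nand_dst_XXXXXX";
    int src = mkstemp(sp), dst = mkstemp(dp), ok = 0;
    unsigned char *pat = malloc(len), *got = malloc(len);
    if (src < 0 || dst < 0 || !pat || !got) goto done;
    for (size_t i = 0; i < len; i++) pat[i] = (unsigned char)(i * 7 + (i >> 12));
    if (write_all(src, pat, len) < 0) goto done;
    if (dump_region(src, dst, 0, len, s_lo, s_hi) < 0) goto done;
    if (lseek(dst, 0, SEEK_SET) != 0 || read(dst, got, len) != (ssize_t)len) goto done;
    ok = 1;
    for (size_t i = 0; i < len && ok; i++)
        ok = (i >= s_lo && i < s_hi) ? got[i] == 0xFF : got[i] == pat[i];
done:
    free(pat); free(got);
    if (src >= 0) { close(src); unlink(sp); }
    if (dst >= 0) { close(dst); unlink(dp); }
    return ok;
}

int main(int argc, char **argv)
{
    if (argc != 4 && argc != 6) {
        fprintf(stderr, "usage: %s PHYS_BASE LEN OUTFILE [SKIP_LO SKIP_HI]\n"
                        "e.g.   %s 0xc8000000 0x1000000 FLASHDUMP.bin 0xD80000 0xE00000\n",
                argv[0], argv[0]);
        return 2;
    }
    off_t  base = (off_t)strtoull(argv[1], NULL, 0);
    size_t len  = (size_t)strtoull(argv[2], NULL, 0);
    size_t s_lo = argc == 6 ? (size_t)strtoull(argv[4], NULL, 0) : 0;
    size_t s_hi = argc == 6 ? (size_t)strtoull(argv[5], NULL, 0) : 0;
    int mem = open("/dev/mem", O_RDONLY | O_SYNC);  /* read-only: a dump never writes */
    int out = open(argv[3], O_WRONLY | O_CREAT | O_TRUNC, 0644);
    if (mem < 0 || out < 0) { perror("open"); return 1; }
    int rc = dump_region(mem, out, base, len, s_lo, s_hi);
    if (rc) perror("dump_region");
    close(out); close(mem);
    return rc ? 1 : 0;
}
```

Build it on the console with `gcc -O2 -o nanddump nand_dump_chunked.c` and run it as root; because each chunk is written before the next one is mapped, a hang part-way through still leaves the chunks read so far on disk, which tells you where the hang starts.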

casha

  • Archived User
  • Newbie
  • Posts: 7
How To Dump Your X360 Nand Flash Using Linux
« Reply #4 on: July 31, 2007, 09:18:00 AM »

Everything goes fine.
How do I use 360FlashDumpTool to get my CPU key?
360FlashDumpTool needs a .raw file...

Logged

gnutellafan

  • Archived User
  • Full Member
  • Posts: 229
How To Dump Your X360 Nand Flash Using Linux
« Reply #5 on: August 18, 2007, 05:59:00 AM »

Thank you for the post. What is really needed is a much smaller Linux kernel (not a full OS) with just a few buttons displayed to the end user that dump the CPU key, NAND flash, etc., ideally to a USB key hooked up to the 360.
Logged

wmxp

  • Recovered User
  • Newbie
  • Posts: 46
How To Dump Your X360 Nand Flash Using Linux
« Reply #6 on: September 17, 2007, 01:06:00 PM »

Could someone PLEASE attach a precompiled "a.out"? I've been struggling with GCC for hours trying to get that source code to compile, with no success at all. My NAND address is the same "c8000000" as cereal's.

I also came across this link in my quest: http://arisme.free.fr/Xbox/Fuse360/

No dice for me on that one either. I don't think the ISO it produces works on Samsung drives.
I e-mailed the author about it, but have yet to receive a reply.

In a related tidbit of information, I found the Gentoo LiveCD boots on a Samsung drive with far greater success when burning the image to a DVD+R instead of a CD-R. The 360 DVD-ROM is just the opposite of the original Xbox. Homebrew applications and Linux builds loaded great from DVD-R, but with varied success using DVD+R, no matter what DVD-ROM model you had. With the 360, it's vice versa.
Logged

wmxp

  • Recovered User
  • Newbie
  • Posts: 46
How To Dump Your X360 Nand Flash Using Linux
« Reply #7 on: September 18, 2007, 08:57:00 PM »

Okay, ignore the request in the post above. I was being extremely thick and trying to compile the code above with the Windows version of GCC (Cygwin's build, actually). This is designed to be compiled on the 360 itself, as it's obviously for the PPC core. Much easier to do that with the Ubuntu 7.04 distro (thanks burgerbee!) rather than the Gentoo Live CD.

Anyways, I had a nice hour-long session with tmbinc on the Free60 IRC channel and he sorted me out. (Don't go pestering him for help. The XBH guys are busy enough as is. Direct your questions here and I'll help you.) The source code posted in this thread from Pec is currently outdated. Using "lspci" to look up your NAND address is no longer required. On page 3 of the original XBH thread, tmbinc and atiman cleaned up and redesigned the code. That source code was further improved and precompiled for use in another guide I just discovered on XS:

http://forums.xbox-s...howtopic=621052

This is currently the best guide to use.


I compared the dumps made following the new guide with my original ones made with the source I compiled. They were identical. I'll post an addendum to the new guide soon, with clearer instructions and some tips (such as ignoring the error messages received while dumping the NAND; they are perfectly normal).

Once you have finished dumping, make a trip over to the usual places to snag nand_tools_02.tar.gz and xbox360_flash_dump_tool_081.rar (360 -> Development)
Logged