You are viewing our Forum Archives. To view or take place in current topics click here.
Is this topic useful?
Yes
25.53% (12 votes)
25.53% (12 votes)
No
48.94% (23 votes)
48.94% (23 votes)
Kinda
25.53% (12 votes)
25.53% (12 votes)
Total Votes: 47
#71. Posted:
Status: Offline
Joined: Feb 10, 201311Year Member
Posts: 23
Reputation Power: 0
Status: Offline
Joined: Feb 10, 201311Year Member
Posts: 23
Reputation Power: 0
Dont worry, there will be more services soon since there already appeared 3 new this month.
Lets see this as a iPhone the 1rst was new, best and no other phone was able to defeat it. But it was expensive. Later Android phones came. Not as good as iPhone but still. Currently you have much better phones (s4) than iPhone BUT! They are cheaper. Its a matter of time. Till online cheap jtags will be back
Lets see this as a iPhone the 1rst was new, best and no other phone was able to defeat it. But it was expensive. Later Android phones came. Not as good as iPhone but still. Currently you have much better phones (s4) than iPhone BUT! They are cheaper. Its a matter of time. Till online cheap jtags will be back
- 1useful
- 0not useful
#72. Posted:
Status: Offline
Joined: Dec 27, 201013Year Member
Posts: 85
Reputation Power: 3
Status: Offline
Joined: Dec 27, 201013Year Member
Posts: 85
Reputation Power: 3
If he has wrote a function to read the CPU key from the fuse line's, he will have defined this address into a var somewhere "0x20000020000ULL", then added in the offset to get fuse lines 3 and 4, or 5 and 6 to get the CPU key, or he might of defined it with the fuse line offset already added. But either way he would have the result of that in a var somewhere in memory. So you could use that address to find his function then edit in a jump to your function and edit his vars or edit his function in the XEX to point to a different place in memory were you have your spoofed Efuse data.
Edit,
I find it funny people trying to protect a bypass on security, since for the same reasons they are able to hack Xbox live security there security is pointless. We have the ability to read and write memory at anytime, run our own code at any time, edit pretty much any function and finally intercept any function and calls at run time.
The only thing we can't edit on the Xbox 360 is the Efuses and the 1BL code in the CPU's ROM. If we could edit the 1BL there would of been no timing attack hack, SMC Hack or RGH. Heck if we could just edit the Efuses there would of been no need for the timing attack or RGH. But that doesn't matter the main point is you could bypass his CPU key check.
I find it funny people trying to protect a bypass on security, since for the same reasons they are able to hack Xbox live security there security is pointless. We have the ability to read and write memory at anytime, run our own code at any time, edit pretty much any function and finally intercept any function and calls at run time.
The only thing we can't edit on the Xbox 360 is the Efuses and the 1BL code in the CPU's ROM. If we could edit the 1BL there would of been no timing attack hack, SMC Hack or RGH. Heck if we could just edit the Efuses there would of been no need for the timing attack or RGH. But that doesn't matter the main point is you could bypass his CPU key check.
- 1useful
- 0not useful
#73. Posted:
Status: Offline
Joined: Jul 01, 201013Year Member
Posts: 587
Reputation Power: 25
Status: Offline
Joined: Jul 01, 201013Year Member
Posts: 587
Reputation Power: 25
from what I remember seeing about this method after viewing the reversed code, is that you do download two files, the hv and xam. These files are downloaded and then used to patch your current ones on your jtag/rsg. That way you have the xbl bypass. Now these files are probably deleted after you disconnect from xbl or turn off your jtag. There is a way to capture the files after you have patched your jtag, but I won't tell you. cause it's so easy you should know.
- 0useful
- 0not useful
#74. Posted:
Status: Offline
Joined: Feb 01, 201014Year Member
Posts: 667
Reputation Power: 28
MuthaFknRAMBO wrote from what I remember seeing about this method after viewing the reversed code, is that you do download two files, the hv and xam. These files are downloaded and then used to patch your current ones on your jtag/rsg. That way you have the xbl bypass. Now these files are probably deleted after you disconnect from xbl or turn off your jtag. There is a way to capture the files after you have patched your jtag, but I won't tell you. cause it's so easy you should know.
This has been said countless times. You can't dump the files because they are never physically on the console.
- 0useful
- 0not useful
#75. Posted:
Status: Offline
Joined: Nov 11, 201112Year Member
Posts: 153
Reputation Power: 12
Status: Offline
Joined: Nov 11, 201112Year Member
Posts: 153
Reputation Power: 12
NITRAMMODZ wrote
If he has wrote a function to read the CPU key from the fuse line's, he will have defined this address into a var somewhere "0x20000020000ULL", then added in the offset to get fuse lines 3 and 4, or 5 and 6 to get the CPU key, or he might of defined it with the fuse line offset already added. But either way he would have the result of that in a var somewhere in memory. So you could use that address to find his function then edit in a jump to your function and edit his vars or edit his function in the XEX to point to a different place in memory were you have your spoofed Efuse data.
Edit,
I find it funny people trying to protect a bypass on security, since for the same reasons they are able to hack Xbox live security there security is pointless. We have the ability to read and write memory at anytime, run our own code at any time, edit pretty much any function and finally intercept any function and calls at run time.
The only thing we can't edit on the Xbox 360 is the Efuses and the 1BL code in the CPU's ROM. If we could edit the 1BL there would of been no timing attack hack, SMC Hack or RGH. Heck if we could just edit the Efuses there would of been no need for the timing attack or RGH. But that doesn't matter the main point is you could bypass his CPU key check.
I know this is old but I feel like sharing it anyway, it's a good bit of info for anyone interested.
CPU key is stored at 0x20 in the HV. Function that handles this is sub_9EF0 in 16202.
The only reason I say that is because JTAG eFuse data is not stored at the usual spot. Instead it is moved to 0x8000020000019B00 during setup. This is way JTAGs require extra HV patches, they need to make sure all fuse checks are rerouted. RGH consoles still use the retail location and require no further HV patches.
- 1useful
- 0not useful
You are viewing our Forum Archives. To view or take place in current topics click here.