Xbox 360 Software Specific Information

TGK
  • TTG Senior
Status: Offline
Joined: Oct 03, 2013 (10 Year Member)
Posts: 1,409
Reputation Power: 64
First off, I'm just going to say that some of this information may be misleading or even wrong. If you have any complaints, please tell me and I will fix it.
This was made just to see if there is anyone in the community still willing to learn. And since this is a popular subject that actually relates to Xbox software specifics, it would be nice to introduce people to software specifics through this.


Research Links:
[external link] (Has a bunch of Xbox 360 information!)
[external link] (Also has a bunch of Xbox 360 information!)

Required Knowledge:
Xbox 360 software specifics
C++
PPC
Basic IDA knowledge

Software:
XeDumpHV (For dumping a live HV):

Can't post DL. PM.

Chaldump (For dumping decrypted challenge data, response and HV salt):

Can't post DL. PM.

IDA (For reversing. Can't Supply Download)
HxD (Helpful for reversing. Can't Supply Download)

General Info:
In reversing terms, XeCryptShaInit starts a hash and XeCryptShaFinal ends one. If you don't find that out from reversing, then I feel bad for you.
If you're confused about stuff that's in others' sources, just start reversing. It will help.

Hypervisor Info:
HV = Hypervisor
HV is first 256KB of the Xbox kernel.
The HV is dirty until you have reversed everything, not just XeBuild changes, but the hashes too. That is a fully clean HV. SHA-1 is a type of hash algorithm that takes any combination of parameters and generates a specific key just for the combination of parameters. Now in Xbox terms, the hypervisor checks certain parts of memory to generate the hash. The data that it checks happens to be modified on a JTAG/RGH, therefore making the entire hash value incorrect. So your goal is to reverse the function that generates the hash on the HV, figure out what data it hashes, and do more reversing to figure out how to get that data back to its original state so the hash value will be correct. Also, you will need the HV to be in "live" state, which means that the hypervisor was dumped from memory whilst the Xbox was on.

Where to Start (if you want to learn about the HV):
If you've already learned at least basic PPC instructions and C++'s data types, then the first thing to do would be to start reversing. You should start at sub_2210 and reverse the whole function so you will understand what it does. After you've reversed sub_2210, you should move onto the challenge data. Sub_2210 in the 16537/16547/16747 HV generates the hash at 0x100F0.

HV Hashes:
0x100F0, generated by sub_2210. Needed by all hack types.
0x100C0, generated by. Needed if you plan on using the method with a JTAG.
0x100E0, generated by. Needed if you plan on using the method with a JTAG.

HV Functions to Note:
sub_B4D0 = XeCryptShaInit
sub_B4D8 = XeCryptShaUpdate
sub_B4C8 = XeCryptShaFinal

Challenge Info:
There are 2 things that someone could be referring to when they say 'challenges'. Either it's the challenge response, or it's the challenge data. The challenge data generates the challenge response and the challenge response is what

Where to Start (if you want to learn about the challenge data):
The actual challenge starts at 0x120. View info on the hashes to know what to reverse.

Challenge Hashes:
The first hash starts at 0x1A4 and ends at 0x1D8.
The second hash starts at 0x1DC and ends at 0x2B8.
The third hash starts at 0x2BC and ends at 0x2D0.
The fourth ha- well, it's not a hash. It just copies random bytes off of the HV. It starts at 0x2DC and ends at 0x300.

Challenge Functions to Note:
sub_328 = XeCryptShaInit
sub_330 = XeCryptShaUpdate
sub_338 = XeCryptShaFinal

How to Get xam.xex Easily:
First off, you need to go to ENTER which has the offline USB update files needed to update the console. Download the USB update files. After you've completed downloading it, open the file and look for a file like this: su00000000_00000000 (the name will be different). After you've found it, go ahead and extract the file to your desired location. Once you've extracted the file, open up Horizon and go to Tools > Package Manager > Open and select the file we extracted. Go to 'Contents' and look for a file called $flash_xam.xex. After you've found it, right click it and press 'Extract File', put the file name as "xam.xex" and select 'Save'.

Getting MmGetPhysicalAddress and XeKeysExecute's offsets (found in xam.xex):
Getting the most updated offsets is easy. All you need to do is open the most recent xam.xex and search for the "XamExecuteChallenge" and the "XeKeysExecute" functions. XamExecuteChallenge has the offset that we need in order to patch the branch to MmGetPhysicalAddress. You can get to XamExecuteChallenge & XeKeysExecute easily by going to the top, then pressing Jump > Jump to function, and then, when the dialog comes up, typing "XamExecuteChallenge". (NOTICE: Don't use the MmPatchPhysicalAddress offset! It will patch the whole function, which is not what we want to do! We want to patch the branch to the function.) In XamExecuteChallenge, search for a line that looks like this, ".text:00000000 bl MmGetPhysicalAddress", and copy the offset to the left and you've got it! Now for XeKeysExecute, you can simply get the offset of the function.

16747 Function Info (same as 16547):
XamExecuteChallenge's Branch to MmGetPhysicalAddress: 0x81679904
XeKeysExecute: 0x81A732DC

Credits:
chrispro1994 (HV info and just helping me when I had troubles)
TEIR1plus2 (Finding function's offsets)
TGK AKA Me (For making this and trying to revise as best as I could)

I will be updating this and editing it as times go by.

DON'T PM ME ASKING YOU TO DO ANYTHING FOR YOU OR GIVE YOU ANY FILES. DOING SO WILL GET YOU BLOCKED.

I will help you, but I WILL NOT SPOONFEED YOU! I've done that enough.


Last edited by TGK; edited 4 times in total

The following 6 users thanked TGK for this useful post:

TheWeekendModder (05-11-2014), Sempiternal (05-10-2014), Dumb_Modz (05-10-2014), NTMGHM (05-10-2014), XBMC (05-10-2014), Sikie (04-04-2014)
#2. Posted:
IDA
  • Powerhouse
Status: Offline
Joined: Sep 21, 2013 (10 Year Member)
Posts: 454
Reputation Power: 26
nice thread, should be really helpful
#3. Posted:
Forie
  • Ladder Climber
Status: Offline
Joined: Jan 19, 2014 (10 Year Member)
Posts: 304
Reputation Power: 12
Aha, nice post

P.S. Answer my Skype
#4. Posted:
chrispro1994
  • Powerhouse
Status: Offline
Joined: Jan 03, 2011 (13 Year Member)
Posts: 408
Reputation Power: 17
This thread should be very helpful to those that don't know how to research since all this information can be found by an easy google search lol
#5. Posted:
SK7
  • Powerhouse
Status: Offline
Joined: May 26, 2013 (10 Year Member)
Posts: 491
Reputation Power: 22
I learned from those sites and XboxHacker.

NOTE PEOPLE: This is where to START, if you want to learn about the 360.
#6. Posted:
TGK
  • TTG Senior
Status: Offline
Joined: Oct 03, 2013 (10 Year Member)
Posts: 1,409
Reputation Power: 64
SK7 wrote:
I learned from those sites and XboxHacker.

NOTE PEOPLE: This is where to START, if you want to learn about the 360.

Kind of stinks that XboxHacker (at least the good one AKA .net) isn't up anymore. I want to extend my knowledge of the 360 and there was a lot of great information on that site.
#7. Posted:
chrispro1994
  • Powerhouse
Status: Offline
Joined: Jan 03, 2011 (13 Year Member)
Posts: 408
Reputation Power: 17
TGK wrote:
SK7 wrote:
I learned from those sites and XboxHacker.

NOTE PEOPLE: This is where to START, if you want to learn about the 360.

Kind of stinks that XboxHacker (at least the good one AKA .net) isn't up anymore. I want to extend my knowledge of the 360 and there was a lot of great information on that site.
Anyone know why XboxHacker got shut down?
#8. Posted:
TGK
  • TTG Senior
Status: Offline
Joined: Oct 03, 2013 (10 Year Member)
Posts: 1,409
Reputation Power: 64
Updated to 16747. Everything is pretty much the same.
#9. Posted:
HKM
  • TTG Senior
Status: Offline
Joined: Jul 10, 2011 (12 Year Member)
Posts: 1,624
Reputation Power: 79
This actually contains a lot of helpful information. Bookmarking this.
#10. Posted:
Excllusive
  • Resident Elite
Status: Offline
Joined: Dec 25, 2012 (11 Year Member)
Posts: 284
Reputation Power: 12
nice bro glad to see someone spoon feeding ttg kids