Welcome, Guest
You have to register before you can post on our site.

Username/Email:
  

Password
  





Search Forums

(Advanced Search)

Forum Statistics
» Members: 38
» Latest member: Little
» Forum threads: 20
» Forum posts: 30

Full Statistics

Online Users
There are currently 4 online users.
» 0 Member(s) | 3 Guest(s)
Google

Latest Threads
Dragon Nest M ENG
Forum: MMORPG Extra Releases
Last Post: theDomo
Yesterday, 10:16 AM
» Replies: 0
» Views: 36
a discussion on lasting m...
Forum: Xbox 360
Last Post: Mob
09-19-2019, 04:24 PM
» Replies: 1
» Views: 118
BFH Backend Setup
Forum: Tutorial
Last Post: TheLittlePeach
09-11-2019, 03:15 PM
» Replies: 2
» Views: 104
information about builds ...
Forum: Xbox 360
Last Post: theDomo
09-09-2019, 10:21 AM
» Replies: 0
» Views: 107
HV_Utility and info
Forum: Xbox 360
Last Post: theDomo
09-09-2019, 10:17 AM
» Replies: 0
» Views: 78
xosc
Forum: Xbox 360
Last Post: theDomo
09-09-2019, 10:03 AM
» Replies: 0
» Views: 72
challenge_16537
Forum: Xbox 360
Last Post: theDomo
09-09-2019, 09:59 AM
» Replies: 0
» Views: 78
SOCSECENG_BLOCK
Forum: Xbox 360
Last Post: theDomo
09-09-2019, 09:58 AM
» Replies: 0
» Views: 53
HvxQuiesceProcessor
Forum: Xbox 360
Last Post: theDomo
09-09-2019, 09:58 AM
» Replies: 0
» Views: 47
HvxKeysExecute
Forum: Xbox 360
Last Post: theDomo
09-09-2019, 09:57 AM
» Replies: 0
» Views: 55

 
  Dragon Nest M ENG
Posted by: theDomo - Yesterday, 10:16 AM - Forum: MMORPG Extra Releases - No Replies

Hi I'am releasing now this Files these files were given to me by my friend he paid this files. I hope you will enjoy this files and i hope dont buy anymore in other dev.

Let's stop buying the files they just got for free and they'll sell them expensive and if you dont have money will not entertain you.

lesson learn from my friend and i hope after you get this files and learn more dont forget to share this in other newbies and all people who want to use this files.

[url=https://i.imgur.com/BmU33L3.png][/url]
[Image: BmU33L3.png]

DL:
https://mega.nz/#!pN0QUYJI!rXAhInlRhZLdt...ArL5AalVvc

Print this item

  a discussion on lasting method
Posted by: theDomo - 09-18-2019, 11:19 PM - Forum: Xbox 360 - Replies (1)

method for correcting cash after cleaning hypervisor this can be used at the dashboard note you must remove all Patches from hypervisor 

void UpdateBlocks(QWORD r3, QWORD r4)
{
	for (QWORD i = r4; i > 0; i--) {
		__asm
		{
			dcbst r0, r3
		}
		r3 += 0x80;
	}

	__sync();
	__isync();
}

UpdateBlocks(0x8000010200000000, 0x200);
UpdateBlocks(0x8000010200010000, 0x200);
UpdateBlocks(0x8000010400020000, 0x200);
UpdateBlocks(0x8000010600030000, 0x200);



after removing Xe build patches and running this code
the cast on your machine will be clean however 100F0 will still need to be corrected
you can actually just put it into memory using hypervisor poke

and then you can dump clean cache from the dashboard

PBYTE pCache = (PBYTE)XPhysicalAlloc(0x1000, MAXULONG_PTR, 0, PAGE_READWRITE);
memset(pCache, 0, 0x1000);
xbox::hypervisor::peekBytes(0x8000020000010000, pCache, 0x1000);

xbox::utilities::writeFile("HDD:\\Cache.bin", pCache, 0x10);
DbgPrint("HDD:\\Cache.bin");

XPhysicalFree(pCache);

you can receive the corresponding Keys as well
PBYTE pKeyCache = (PBYTE)XPhysicalAlloc(0x30, MAXULONG_PTR, 0, PAGE_READWRITE);
xbox::hypervisor::peekBytes(0x8000010200010100, pKeyCache, 0x30);
xbox::utilities::writeFile("HDD:\\KEY.bin", pKeyCache, 0x30);
DbgPrint("HDD:\\KEY.bin");

XPhysicalFree(pKeyCache);



for the encrypted hypervisor you may not be able to dump the entire thing for that you'll just have to find the sections and dump the individual parts that are necessary
using this method you can create an API with the public API with a few modifications and last on Xbox Live
however you'll still need to find a way to generate this salt if you want to use an API

but the cool thing is you can do this with offline files and last and you will not have to dump the information if you don't want to just clean it

Print this item

  information about builds of dashboards
Posted by: theDomo - 09-09-2019, 10:21 AM - Forum: Xbox 360 - No Replies

;
;________________________________________________________________________________
;
;                        PLEASE KEEP THIS FILE Sorted!!!
;
;  This file is a list of builds to keep on the long time retention servers
;
;  It is comma delimited:
;    Build#,Comment to associate with build

;  All lines starting with ";" will be sorted to the top by the "Add Build to
;  KEEP.TXT" job. If you would like to add a comment to your build entry add
;  it at the end of the line.
;
;                        PLEASE KEEP THIS FILE Sorted!!!
;________________________________________________________________________________
9828.2,jun09 QFE 9828.2
9761,LKG CodecPack01 (as of 8/19/2009)
9610,Dev10 LKG compiler for Jan2010
9501,November XDK Tech Preview
9485,
9472,
9446,Jan2010 compiler LKG1 candidate
9328.9,jun09 QFE 9328.9
9328.8,jun09 QFE 9328.8
9328.8,9328.8 Jun09 QFE on 9/21/2009
9328.7,Jun09 QFE 9328.7 on Sep 3, 2009
9328.6,June 09 QFE Number 6
9328.5,QFE Jun09 9328.5
9328.5,QFE Jun09 9328.5
9328.4,QFE Jun09 9328.4
9328.3,jun09 QFE 9328.3 on August 3, 2009
9328.2,QFE Jun09 9328.2
9328.13,June09 XDK QFE 9328.13
9328.12,QFE for June09
9328.11,Private QFE for June 2009
9328.10,Private QFE for June 2009
9328.1,QFE from Jun09 on July 15 2009
9296,mf$(d).lib files handed off to Turn 10 for a private QFE
9199,Spring10 Munich RTM and Mar10 XDK
9189,February 2010 XDK Preview Flash Build 9189
9102,use flash-spring10_9102 for Project V Hardware Validation per Yu Meng Lim request
9074,flash-spring10 9074
9071,Green Build handed off to Manufacturing
9069,Green Signed Munich build provided on 7/6/09
9068,
9065,
9063,
9056,Last known good Omni-N build
8966,Fall09 Milan RTM (rebuild of 8955 to fix green mfg image)
8964, Vanguard released build #2
8961,Vanguard released build #1
8955,Fall09 Milan RTW Release
8953,Final RTM build for Milan, this build was only released to Manufacturing
8939,Chamaeleon Pre-Beta Test Flash
8912,Base image for OmniN DV delta patch. Includes bugcheck security mitigation.
8906,Second green-signed OmniN build
8863,LKG for Omni-N and WaveA driver
8853,
8852,Omni-N LKG
8507,Spring09 Geneva QFE Release build
8507,Requested by Brian Keogh
8498,Spring09 Geneva release
8496,Integration with 8496 flash
8492,flash-spring09
8490,Zune c9 moving to use flash 8490
8485,Chamaeleon (c9 - zune client), moving to flash 8485
8423,Chamaeleon team is currently bound to this build for development.
8403,Chamaeleon Team is currently mapped to this Flash build.
8392,Tech-Preview flash build released to select external partners.
8364,
8348,Trinity bringup applications
8329,Mar09 compiler Tech Preview 2
8311,
8310,Tech-Preview recovery released to select external partners.
8276.2,Mar09 QFE 8276.2
8276.1,Keep QFE 8276.1
8276,Mar09 - Final release build
8275,
8255,ADK recovery release to the hardware team
8228,Build was used for January GameDisc Tech Preview
8217,ADK Testing(Norm LeMieux)
8216,LKG CodecPack01 (as of 12/29/2008)
8212,
8211,
8204,ADK EV2
8190,
8184,Mar09 compiler Tech Preview 1
8182,Requested by JimVu
8106,Nov08 compiler LKG
8089,NDK Pre-Alpha Release Build
8033,February 2010 XDK Preview Flash Build
8025,NDK-Preview Dec09(flash)
8025,December 2009 XDK Technical Preview Flash Build
8014,Nov09 NDK Technical Preview Flash build (flash-redeye)
8013,Nov09 NDK Technical Preview Flash build (flash-redeye)
8011,September 2009 XDK Tech Preview
8009,
8002,
7978.3,
7978.2,
7978.1,D3D9.lib preview drop to unblock external partner
7978,Nov08 - Final release build
7972,Build that is being used by music titles to TU for wireless microphone
7945,Nov08 compiler LKG candidate
7939,main interim compiler LKG
7776.1,Aug08 private QFE include Jasper Test Kit ROMs in recovery
7776,Aug08 - Final release build
7710,main -Mar08 linker QFE
7657,Jun08-preview - Fall08 feature preview with 7308 flash
7650,Handed out to select partners - Dennis Mooney
7645.3,
7645.2,Jun08 XDK private QFE for XAUDIO2
7645.1, Jun08 QFE
7645,Jun08 - Final release build
7530,MTE 3.91 CM Suite Release
7518,MTE Xenon 3.90.0 Suite
7515,MTE 3.90 JADV Suite
7436,Kiosk 2009 Release Candidate
7371,QFE Build (addressing ODD issues) released to public
7366,Flash released in the Mar09 XDK to support ADK hardware
7363,QFE Build
7359,Fall08 flash for developer release - fixed page heap issue with checked bits.
7358,Fall08 flash for developer release
7357,Final Release build - Fall08 NXE (11/19)
7349,RC build. We have entered Cert with this build
7342,Fall08 preview flash shipped in Nov08
7327,Fall08 flash shipped in 7661 Jun08-preview
7317,LKG CodecPack01 (as of 9/16/2008) - Official Fall08 Release
7288,
7151,main Contains the latest main tree C compiler (and the Mar08 QFE compiler)
7121,gamedisc bits
7086,project N drop to Rare
7075,flash-newton - Private drop to a customer
7074,flash-newton - Private drop to a customer
7070,flash-newton - Private drop to a customer
7068,flash-newton
7048,LIPS official build for iNiS, support for v.5 Fw
7046,official LIPS build to fix XSIM, XBDM
7045,
7041,Drop for LIPS
7036,flash-lips - XMic API for external developers
7032,main - Latest compiler LKG
6995.1,Mar08 XDK Release QFE 6995.1
6995,Mar08 XDK Release
6969,Compiler LKG
6937,main - Includes dogfood compiler binaries which will likely be the next LKG
6907,Jasper EV2B/C
6840,TCS 2.60 Hotfix
6839,MTE 3.83 Suite
6836,MTE 3.82 Suite
6828,MTE 3.80.X Test suite
6784,China Home Trial
6770,RC for LIPS flash
6766,Summer 2008 system update (LIPS)
6765,official LIPS flash RC
6761,RC for spring08-lips
6723,Spr08 flash build used for test kit production
6722.2,fix for purchase history
6722.1,QFE - SPRING 08 - Remove Promotions from Media Site: Republish the default
6719,Contains continous audio drop by PGP team
6717,Spring 08 Flash update
6712,Jasper EV3B
6707,Jasper EV2C
6690,Flash-Fall07 QFE
6686,Flash-Fall07 update
6683.4,Flash-Fall07 International Video Marketplace Launch
6683.3,Flash-Fall07 IVM on with featured item fix and new storefront backgrounds for EN-UK EN-IR EN-CA FR-CA
6683.2,Flash-Fall07 IVM on with featured item fix
6683.1,Fall 07 - adCenter and Video Marketplace ALL OFF
6683,Flash-Fall07 RTM
6682.2,Flash-fall07 - adCenter and International Video Marketplace OFF
6682.1,Flash-fall07 - Video Marketplace ALL OFF
6681,Flash-fall07 - International Video Marketplace OFF
6642,carbon-iptv07 - last build from carbon-iptv07 branch
6534.7,Nov07 QFE
6534.6,Nov07 QFE
6534.5,Nov07 QFE
6534.4,Nov07 QFE - Public mandatory QFE
6534.3,Nov07 QFE
6534.2,Nov07 QFE
6534.1,Nov07 QFE
6534,Nov07
6502,Compiler LKG
6438,dogfood
6336,mte-3.7x
6329,mte-3.7x
6274.3,QFE
6274.2,QFE
6274.1,Aug07 QFE
6274,Aug07
6251,Compiler LKG
6132.6,QFE
6132.5,QFE
6132.4,QFE
6132.3,QFE
6132.2,QFE
6132.1,QFE
6132,Jun07
6130,Jun07 compiler
6036,mte-3.6x
6031,mte-3.6x
6021,dogfood
6001,dogfood
5831,Fusion 1.9 Installer
5829,Fusion 1.9
5820,fusion 1.8
5805,fusion 1.7
5789,Flash-Dawson
5787,Flash-Dawson
5770,Falcon 1GB Qimoda Qualification II
5769.3,QFE
5769.2,QFE
5769.1,QFE
5769,MTE- 5 min SATA HDD timeout
5768,Falcon 1GB Qimoda Qualification
5766,Spring07 QFE
5763,Spring07 + 6BL650
5760,Spring07 + Server fix
5759,Spring flash release
5749,Bungie preview flash release
5730, Year3 GPU Bringup and Falcon Memory Qualification
5632.5,QFE
5632.4,QFE
5632.2,QFE
5632.1,QFE
5632,Apr07
5605,private to bungie
5542,mte-3.5x
5525,Content Migration Utility RTM
5501,Memory Qualification
5426.2,QFE
5426.1,QFE
5426,Feb07
5014,Fusion 1.6
4929.7,Dec06 QFE
4929.6,Dec06 QFE
4929.5,Dec06 QFE
4929.4,Dec06 QFE
4929.3,Dec06 QFE
4929.2,Dec06 QFE
4929.1,Dec06 QFE
4929,dec06
4802.2,QFE
4802.1,Oct06 QFE
4802,oct06
4554,flash-fall06
4552,flash-fall06 RTM
4550,flash-fall06 console test
4314.1,Oct06
4314,Oct06 Original Release
4025.4,private d3d qfe for dash
4025.3,xact QFE
4025.2,QFE
4025.1,QFE
4025,Sep06
4022,Sep06 flash
3921,xefu 1.5
3529.2,QFE
3529.1,QFE
3529,Aug06
3424,jul06
3215.1,QFE
2920.2,QFE
2920.1,May06 xcam QFE
2868,spring06+monaco
2863,flash
2858,flash-spring06
2732.2,apr06
2417.5,nov05
2321,xefu launch
2258,au cache fix
2255,Jan AU
2241
21211,Approved compiler binaries for Nov12 XDK
21173.9,21173.9
21173.8,\\edge-svcs\release\xenon.v2\XDKJUL12\21173.8
21173.6,\\edge-svcs\release\xenon.v2\XDKJUL12\21173.6
21173.5,\\edge-svcs\release\xenon.v2\XDKJUL12\21173.5
21173.4,XDK QFE July 2012 #4
21173.3,XDK QFE July 12 #3
21173.3,JULY XDK QFE 3
21173.2,XDK QFE JULY 12 2
21173.10,21173.10
21173.1,XDK QFE 1
21173,XDKJUL12
21119.9,Main_XDKFEB12
21119.7,QFE 7
21119.6,XDK QFE FEB12 - 6
21119.5,March 12 XDK
21119.4,XDK QFE  4
21119.3,XDK QFE 4
21119.3,XDK QFE 3
21119.12,21119.12
21119.12,\\edge-svcs\release\XENON.v2\Main_XDKFEB12\21119.12
21119.10,XDK QFE March 2012 #10
21119,Last Full Build
21076.9,Nov11 QFE 9
21076.8,Nov11 QFE 8
21076.7,Nov11 QFE 7
21076.6,December 2011 XDK release final nov11
21076.4,Nov11 XDK QFE 4
21076.3,Nov11 XDK QFE 3
21076.2,Nov11 XDK QFE 2
21076.13,Nov11 QFE 13
21076.13,\\edge-svcs\release\XENON.v2\xdk-main-nov11\21076.13
21076.12,Nov11 QFE 12
21076.11,Nov11 QFE 11
21076.11,\\edge-svcs\release\XENON.v2\xdk-main-nov11\21076.11
21076.10,Nov11 QFE 10
21076.1,Nov2011 XDK 21076.1
21076,Xdk-Main-Nov11 last full build
2099.14
20871.7,August 2011 XDK QFE 7
20871.6,AUG11 XDK QFE 6
20871.5,AUG11 XDK QFE 5
20871.4,AUG11 XDK QFE 4
20871.3,AUG11 XDK QFE 3
20871.2,AUG11 XDK QFE 2
20871.1,AUG11 XDK QFE 1
20871,Aug11 XDK 20871
20764.9,June 2011 XDK QFE 9
20764.8,June 2011 XDK QFE 8
20764.7,June 2011 XDK QFE 7
20764.6,June 2011 XDK QFE 6
20764.5,June 2011 XDK QFE 5
20764.4,June 2011 XDK QFE 4
20764.3,June 2011 XDK QFE 3
20764.2,June 2011 XDK QFE 2
20764.11,Jun11 QFE 11
20764.10,June 2011 XDK QFE 10
20764.1,June 2011 XDK QFE 1
20764,Xdk-Main-Jun11 last full build
20680,public release for May2011 XDK Preview
20500.3,Feb11 QFE
20500.2,XDK  Feb11 QFE2
20500.1,XDK  Feb11 QFE2
20500,Feb 2011 XDK RTM
20476,Feb11 compiler Tech Preview
20353.2,Recovery Build Only
20353.1,Nov 10 QFE
20353,Nov10 XDX Build
20332,VS 2010 Private Partner Preview build
20286,Unknown preserved XDK-Main-NUIHands-Zune build
20209.3,September XDK QFE 3
20209,Sept 2010 XDK RTW
1888,
16197,Public Beta Pre-Release build
16197,16197
16195,Public Beta Candidate Pre-Release build
16194,Public Beta Candidate Pre-Release build
16191,Public Beta Candidate Pre-Release build
16189,Public Beta Candidate Pre-Release build
16186,Public Beta Candidate Pre-Release build
16178,Public Beta Candidate Pre-Release build
16167,Public Beta Candidate Pre-Release build
16165,Pre-Release Build
16154,Public Beta Candidate Pre-Release build
16145,Public Beta Candidate Pre-Release build
16144,Public Beta Candidate Pre-Release build
16133,Public Beta Candidate Pre-Release build
16127,Public Beta Candidate Pre-Release build
16113,Public Beta Candidate Pre-Release build
16113,Pre-Release build deployed to Beta
16098,Released to Takehome - London Build,Pre-Release build deployed to Beta audience.
16091,Public Beta Candidate Pre-Release build
16090,Pre-Release build deployed to Valdation/Approved compiler binaries for Nov12 XDK
16083,Released to Takehome - London Build
16078,Compiler LKG candidate for Nov12 XDK
16061,Released to Takehome - London Build
16056,Released to Takehome - London Build
16048,Released to Takehome - London Build
16048,Denali development and takehome build
16041,Released to Takehome - London Build
16025,TakeHome and Denali/Isis development build
16025,Released to Takehome - London build
16023,Released to Takehome - London build
16014,Retention for Isis/Denali Development/Takehome Build
16008,Development flash/xdk for Isis/Denali
15989,Released to Takehome - London build
15925,Denali/Isis development build
15905,May 2012 compiler tech preview
15574,Released to Takehome - Glasgow Build
15572,Released to Takehome - Glasgow build
15571,Released to Takehome - Glasgow build
15568,Released to Takehome - Glasgow build
15567,Released to Takehome - Glasgow build
15561,Released to Takehome - Glasgow build
15557,Released to Takehome - Glasgow build
15555,Released to Takehome - Glasgow build
15550,Released to Takehome - Glasgow build
15548,Released to Takehome - Glasgow build
15540,Released to Takehome - Glasgow build
15532,Glasgow flash released to Beta
15527,Glasgow build released to takehome
15512,Released to Takehome audience - Glasgow Build
15493,Released to Takehome audience - Glasgow Build
15481,Development build for Isis/Denali
15443,Denali/Isis development build
14905,Isis/Denali development build
14835,UXF build complement of Denali 14095
14810,Denali/Isis development build
14719,Released to Takehome and Beta audience
14718,Released to Takehome and Beta audience
14717,Released to Takehome and Beta audience
14715,Madrid QFE Build released to Takehome/Beta
14707,Madrid Build released to Takehome/Beta
14699,Madrid Takehome/Beta/RTW Build - RC3
14698,Madrid Takehome/Beta/RTW Build - RC2
14696,Madrid Takehome/Beta Build - Cert Build
14694,Madrid Takehome/Beta Build
14692,Madrid Takehome/Beta Build
14690,Madrid Takehome/Beta Build
14688,Madrid Takehome/Beta Build
14686,Madrid Takehome/Beta Build
14684,Madrid Takehome/Beta Build
14681,Madrid Takehome/Beta Build
14678,Madrid Takehome/Beta Build
14676,Madrid Takehome/Beta Build
14662,Madrid Takehome/Beta Build
14660,Madrid Takehome/Beta Build
14656,Madrid Takehome/Beta Build
14653,Madrid Takehome/Beta Build
14652,Madrid Takehome/Beta Build
14645,Madrid Takehome/Beta Build
14635,Madrid Takehome/Beta Build
14627,Madrid Takehome/Beta Build
14612,Madrid Takehome Build
14611,Madrid Beta Registration application
14607,Madrid Takehome Build
14598,Madrid Takehome Build
14597,Madrid Takehome Build
14586,Madrid Takehome Build
14583,Denali interim developmnet build
14478,Madrid Takehome Build
14476,Madrid Build for Takehome, 1st Beta Candidate
14474,Madrid Build for Takehome
14461,Madrid Build for Takehome
14451,Madrid Build for Takehome
14448,Madrid Build for Takehome
14436,takehome
14427,Madrid Takehome Build - August
14423,Denali exploratory build
14415,Madrid Takehome Build - August
14403,Madrid Takehome - Round 5
14403,MADRID
14385,Madrid Takehome #4 - plus targeted fixes
14385,Madrid Takehome - July XDK QFE
14282,Live-Client fix to replace 14276
14282,Klondike Exploratory Build
14276,OMU3
14267,Madrid Takehome Build
14266,Madrid Takehome Build
14265,Klondike Team Dependency
14259,DENALI Flash dependency for current builds.
14248,Madrid build for Takehome
14247,Madrid build for Takehome
14226,Madrid takehome build
14214,Denali Flash Dependent Build
14094,Build 14094
13604,Lima Build for Production QFE Release
13599,Lima build for Beta - RC build
13598,Lima build for Beta - RC build
13597,Lima build for Beta - RC build
13596,Takehome/Beta Live-Client-Lima
13592,Lima Beta/Takehome build
13572,LIma Build for Nazca Manufacturing Validation
13570,Lima build for Takehome
13569,Lima build for Takehome
13558,Lima build for Takehome
13554,lima build for MTE
13549,lima build for MTE
13544,lima build released to takehome
13535,Nazca EV2 camera Partner
13528,lima build released to takehome
1332,mar05_1332
13146,xdk
13146,bucharest-hcdf RC5
13145,Bucharest-hcdf RC4
13142,Bucharest retail build released to Beta
13141,Bucharest retail build released to Beta
13140,Bucharest retail build released to Beta
13139,Bucharest retail build released to Beta
13134,Bucharest retail build released to Beta
13131,Bucharest retail build released to Beta
13130,Bucharest retail build released to Beta
13125,Bucharest retail build released to Beta
13121,Bucharest retail build released to Beta / MTE drop
13117,Bucharest retail build released to Beta
13116,Bucharest retail build released to Beta
13115,Bucharest retail build released to Beta
13106,Bucharest retail build released to Beta
13100,Bucharest retail build released to Beta
12986,Corona EV4C console validation
12981,Corona EV4C console validation
12969,A significant Corona build, because use of 12970 and beyond requires HW rework to the boards
12951,Greensign for Ashley
12949,Build being applied to media for HCDF testing
12905,WaveA device image for Corona EV3B
12866,Live-Client-Bucharest 12866
12625,RTW build of Berlin QFE-2
12611,Live Client build 12611
12610,Berlin Build released to Beta
12609,Berlin Build released to Beta
12607,Berlin Build released to Beta
12606,Berlin Build released to Beta
12603,Berlin Build released to Beta
12599,Berlin Build released to Beta
12597,Berlin Build released to Beta
12595,Berlin Build released to Beta
12590,Berlin Build released to Beta
12589,Berlin Build released to Beta
12587,Berlin Build released to Beta
12583,Berlin Build released to Beta
12581,Berlin Build released to Beta
12580,Berlin Build released to Beta
12575,Berlin Build released to Beta
12574,Berlin Build released to Beta
12573,Berlin Build released to Beta
12569,Berlin Build released to Beta
12567,Berlin Build released to Beta
12565,Berlin Build released to Beta
12560,Berlin Build released to Beta
12558,Berlin Build released to Beta
12551,Berlin Build released to Beta
12546,Berlin Build released to Beta
12416,RTM Final build for Berlin (12416)
12413,RTM build for Berlin (12413)
12408,Berlin Build released to Beta
12404,Berlin Build released to Beta
12402,Berlin Build released to Beta
12399,Berlin Build released to Beta
12394,Berlin Build released to Beta
12392,Berlin Build released to Beta
12387,shipped in Jun10 XDK Kinect Preview Flash 3 recovery
12384,Berlin Build released to Beta
12379,Berlin Build released to Beta
12377,Berlin Build released to Beta
12366,Berlin Build released to Beta
12365,Berlin Build released to Beta
12353,Berlin Build released to Beta
12341,Berlin Build released to Beta (~07/16/2010)
12341,Berlin Build released to Beta
12340,Berlin Build released to Beta
12332,Berlin Build released to Beta
12330,Berlin Build released to Beta (~07/09/2010)
12278,Berlin Build released to Beta (~07/01/2010)
12277,Berlin Build released to Beta
12275, shipped in Jun10 XDK Kinect Preview Flash 2 recovery
12209, shipped in June10 XDK Kinect Preview Flash 1 recovery
12153,Zune final M2 flash - contact DFu, SPrabhu
12138,Xbox Zune client integration point for NUI
11886,Nov2010 compiler LKG candidate
11775.9,July 2010 XDK QFE 9
11775.8,July XDK QFE 8
11775.7,Jul10 XDK QFE 7
11775.4,July XDK QFE 4
11775.3,July 2010 XDK QFE3
11775.2,Update to the latest Berlin flash and fix and firmware updgrade fix
11775.12,Jul10 XDK QFE 12
11775.11,July XDK QFE 11
11775.1,QFE 1 July10 XDK
11775,July10 XDK First approved Kinect Libs 
11658, shipped in June2010 XDK release recovery
11626.4,Jun10 XDK QFE 4
11626.3,JUN10 XDK QFE 3
11626.2,JUN10 XDK QFE 2
11626.1,Jun10 XDK flash TechPreview 1
11626, XDK June2010 release
11620,Live-Client i386 LKG
11551, Xbox Zune client XDK integration point for NUI
11513,May10 XDK TechPreview
11512,May10 XDK TechPreview QFE
11511,May10 XDK TechPreview
11427,Mar10
11164.4, xwmadecoded lib
11164.3,February 2010 XDK QFE 11164 .3 ( on 04/09-2010)
11164.2,February 2010 XDK QFE 11164 .2 ( on 02/26-2010)
11164.1,February 2010 XDK Recovery 11164.1
11164,February 2010 XDK 11164
11117,XDK-Main
11070,December-09 XDK Tech Preview
11027, May10 XDK TechPreview lash
11026, May10 XDK TechPreview QFE flash
11025, May10 XDK TechPreview flash
11008,Mar10
10586,Keep idw tools for signing live-client
10552,Keep idw tools for signing live-client-hw
10358,Mar2010 compiler preview
10224,Integrated by Chamaeleon
10224,Feb10 compiler LKG
10217,
10112,
10090,LKG for codecpack (as of 11/9/09)
10090,Codepack01 LKG (as of 11/2/09)
10089,Dash LKGs (as of 11/2/09)
10088,First snapshot of Xenon\MAIN into Xenon-Chamaelon for C10 MQ work
10000.3,This is a test for XDK QFE automation.
10000,Test for improved add build to keep.txt script
0634,xenon_jul04_0634
0338,xenon_apr04_0338 21076.6,21076.6,Xdk-Main-Nov11 released as December 2011 XDK

Print this item

  HV_Utility and info
Posted by: theDomo - 09-09-2019, 10:17 AM - Forum: Xbox 360 - No Replies

// this file contains several security related things related to online cheating that can be abused
// removed until I can filter through it and decide what should be here and what shouldn't
// for now here's the prototypes of the functions

// 17511
// HV utility functions

// These assume they are compiled for 64bit machines, where pointers are 64 bits
// The HV handles everything in 64 bit mode

// Xbox doesn't write cachelines back unless a dcbst instruction is used
// or unless the data was being forced out of the cacheline
// This will make sure your RAM is up to date with the cache
// Used to write cachelines for a given memory range to RAM
void HvpSaveCachelines(PVOID pAddy, DWORD cAddy);

// Writes zeroed cache blocks directly to RAM without
// loading RAM into cache, zeroing, writing back to memory
// Efficient way to zero memory blocks
// Using the dbcz128 instruction effectively is documented in the SDK
void HvpZeroCacheLines(PVOID pAddy, DWORD cAddy);

// Used to invalidate cachelines for a given address range
// Takes byte count as cAddy input, NOT CACHELINE COUNT
void HvpInvalidateCachelines(PBYTE pAddy, DWORD cbAddy);

// Relocates data in 0x80 byte blocks and invalidates the old location
void HvpRelocateCacheLines(PVOID pSrc, PVOID pDest, DWORD cBlockCount);

// Sets address flags and re-writes with the new flags, returns new address
QWORD HvpRelocatePhysicalToEncrypted(PBYTE pbBuf, DWORD cbBuf);
QWORD HvpRelocatePhysicalToProtected(PBYTE pbBuf, DWORD cbBuf, BYTE bKF);

// Get the real address of a physical address
// The HV works with memory paging disabled
QWORD HvpPhysicalToReal(PVOID pAddy, DWORD cAddy);

// Gets non-zero timebase value
QWORD HvpGetTimebase();

QWORD HvpGetFlashBaseAddress();
QWORD HvpBuildSocMMIORegs(DWORD offset) ;
QWORD HvpBuildPciConfigRegs(DWORD offset);
QWORD HvpBuildHostBridgeRegs(DWORD offset);

// work in progress...

Print this item

  xosc
Posted by: theDomo - 09-09-2019, 10:03 AM - Forum: Xbox 360 - No Replies

xosc.cpp

#include "stdafx.h"
#include "xosc.h"

/*
    Reversed by: Medaka

    This is the entire XOSC module in C code.
    Please give credit where it's due, don't just copy and paste, please.
    I've worked really hard on this trying to perfect evey last bit of this.
*/

byte* xamAllocatedData;

extern "C" {
    NTSTATUS XamAlloc(int size, int size2, byte* data);
    void XamFree(PBYTE allocatedData);
    NTSTATUS IoSynchronousDeviceIoControlRequest(int io_request, void** deviceObject, void* bufferInput, int length, int r7, int r8, void* output);
    void HalReadWritePCISpace(int r3, int r4, int r5, int r6, void* buffer, int length, bool WritePCISpace);
}

NTSTATUS SysChall_GetStorageDeviceSize(char* path, int* outSize) {
    *outSize = 0;

    HANDLE file = 0;
    NTSTATUS status = STATUS_SUCCESS;

    ANSI_STRING deviceName = { 0 };
    OBJECT_ATTRIBUTES objAttr = { 0 };
    IO_STATUS_BLOCK statusBlock = { 0 };
    FILE_FS_SIZE_INFORMATION sizeInfo = { 0 };

    RtlInitAnsiString(&deviceName, path);
    InitializeObjectAttributes(&objAttr, &deviceName, OBJ_CASE_INSENSITIVE, 0);

    if (NT_SUCCESS(NtOpenFile(&file, (SYNCHRONIZE | 1), &objAttr, &statusBlock, FILE_SHARE_READ, XOSC_DEVICESIZE_OPEN_OPTIONS)))
        if (NT_SUCCESS(status = NtQueryVolumeInformationFile(file, &statusBlock, &sizeInfo, 0x18, FileFsSizeInformation)))
            *outSize = sizeInfo.TotalAllocationUnits.LowPart;

    NtClose(file);
    return status;
}

NTSTATUS SysChall_GetStorageDeviceSizes(xoscResponse* chalResp) {
    chalResp->operations |= 0x10;

    SysChall_GetStorageDeviceSize("\\Device\\Mu0\\", &chalResp->memoryUnit0);
    SysChall_GetStorageDeviceSize("\\Device\\Mu1\\", &chalResp->memoryUnit1);
    SysChall_GetStorageDeviceSize("\\Device\\BuiltInMuSfc\\", &chalResp->memoryUnitIntFlash);
    SysChall_GetStorageDeviceSize("\\Device\\BuiltInMuUsb\\Storage\\", &chalResp->memoryUnitIntUSB);
    SysChall_GetStorageDeviceSize("\\Device\\Mass0PartitionFile\\Storage\\", &chalResp->mass0PartitionFileSize);
    SysChall_GetStorageDeviceSize("\\Device\\Mass1PartitionFile\\Storage\\", &chalResp->mass1PartitionFileSize);
    SysChall_GetStorageDeviceSize("\\Device\\Mass2PartitionFile\\Storage\\", &chalResp->mass2PartitionFileSize);

    return STATUS_SUCCESS;
}

NTSTATUS SysChall_GetConsoleKVCertificate(xoscResponse* chalResp) {
    NTSTATUS keyStatus = STATUS_SUCCESS;
    WORD certificateDataLength = 0;
    XE_CONSOLE_CERTIFICATE certData = { 0 };

    if (NT_SUCCESS(keyStatus = XeKeysGetKey(XEKEY_XEIKA_CERTIFICATE, (PVOID)&certData, (PDWORD)&certificateDataLength))) {
        if (certificateDataLength > 0x110 || certData.signature[0x64] == 0x4F534947 || *(short*)certData.signature[0x68] >= 1) {
            chalResp->operations |= 2;
            memcpy((byte*)(chalResp + 0xB4), &certData.signature[0x6C], 0x24);
            *(int*)((int)chalResp + 0x80) = *(byte*)((int)&certData + 0x117);
        } else keyStatus = STATUS_INVALID_PARAMETER_1;
    }

    return chalResp->keyResultCert = keyStatus;
}

NTSTATUS SysChall_GetDeviceControlRequest(xoscResponse* chalResp) {
    chalResp->operations |= 1;

    PVOID deviceObject = NULL;
    BYTE partitionInfo[0x24] = { 0 };
    NTSTATUS status = STATUS_SUCCESS;
    STRING objectPath = { 0xE, 0xF, "\\Device\\Cdrom0" };

    if (!NT_SUCCESS(status = ObReferenceObjectByName(&objectPath, 0, 0, 0, &deviceObject)))
        return chalResp->ioCtlResult = status;

    *(long long*)((int)chalResp + 0xF0) = -1;
    *(long long*)((int)chalResp + 0xF8) = -1;
    *(long long*)((int)chalResp + 0x100) = -1;
    *(long long*)((int)chalResp + 0x108) = -1;
    *(long long*)((int)chalResp + 0x110) = -1;

    *(short*)((int)deviceObject + 0x20) = *(short*)((int)chalResp + 0xF0);

    *(char*)partitionInfo = 0x24;
    *(char*)(partitionInfo + 0x7) = 1;
    *(int*)(partitionInfo + 0x8) = 0x24;
    *(char*)(partitionInfo + 0x14) = 0x12;
    *(char*)(partitionInfo + 0x18) = 0x24;
    *(char*)(partitionInfo + 0x19) = 0xC0;

    status = IoSynchronousDeviceIoControlRequest(IOCTL_DISK_VERIFY, &deviceObject, partitionInfo, 0x24, 0, 0, 0);
    ObDereferenceObject(deviceObject);

    return chalResp->ioCtlResult = status;
}

NTSTATUS SysChall_SetupSataDiskHash(xoscResponse* chalResp) {
    XECRYPT_RSA rsa = { 0 };
    byte outDigest[0x14] = { 0 };
    int rsaSecuritySize = 0x110;

    chalResp->operations |= 0x80;

    memset((int*)((int)chalResp + 0x1D4), 0, 4);
    memset((int*)((int)chalResp + 0x1D8), 0, 4);
    memset((int*)((int)chalResp + 0x1DC), 0, 4);
    memset((int*)((int)chalResp + 0x1E0), 0, 4);
    memset((int*)((int)chalResp + 0x1E4), 0, 4);

    memset((long long*)((int)chalResp + 0x1E8), 0, 8);
    memset((long long*)((int)chalResp + 0x1F0), 0, 8);
    memset((long long*)((int)chalResp + 0x1F8), 0, 8);
    memset((long long*)((int)chalResp + 0x200), 0, 8);
    memset((long long*)((int)chalResp + 0x208), 0, 8);
    memset((long long*)((int)chalResp + 0x210), 0, 8);

    memset((int*)((int)chalResp + 0x218), 0, 4);
    memset((int*)((int)chalResp + 0x1D0), XboxHardwareInfo->Flags, 4);

    if ((XboxHardwareInfo->Flags & 0x20) == 0)
        return STATUS_SUCCESS;

    for (int i = 0; i < 5; i++) {
        memcpy(xamAllocatedData, (byte*)0x8E038400, 0x15C);
        XeCryptSha(xamAllocatedData, 0x5C, 0, 0, 0, 0, outDigest, XECRYPT_SHA_DIGEST_SIZE);
    
        if (!NT_SUCCESS(XeKeysGetKey(XEKEY_CONSTANT_SATA_DISK_SECURITY_KEY, &rsa, (PDWORD)&rsaSecuritySize)))
            continue;

        if (rsaSecuritySize != 0x110 || rsa.cqw != 0x20)
            continue;

        byte* signature = (byte*)(xamAllocatedData + 0x5C);

        XeCryptBnQw_SwapDwQwLeBe((PQWORD)signature, (PQWORD)signature, 0x20);
        if (XeCryptBnQwNeRsaPubCrypt((PQWORD)signature, (PQWORD)signature, &rsa))
            continue;

        XeCryptBnQw_SwapDwQwLeBe((PQWORD)signature, (PQWORD)signature, 0x20);
        if (XeCryptBnDwLePkcs1Verify(outDigest, signature, 0x100))
            break;
    }

    if (xamAllocatedData == 0)
        return STATUS_SUCCESS;

    memcpy((int*)(chalResp + 0x1D4), xamAllocatedData, 0x14);
    memcpy((int*)(*(int*)(chalResp + 0x1E8)), (int*)(xamAllocatedData + 0x14), 4);
    memcpy((int*)(*(int*)(chalResp + 0x1E8) + 0x4), (int*)(xamAllocatedData + 0x18), 4);

    return STATUS_SUCCESS;
}

NTSTATUS SysChall_SetupDiskVerificationHash(xoscResponse* chalResp) {
    BYTE pageData[0xA0] = { 0 };
    BYTE outDigest[0x14] = { 0 };

    for (int i = 0; i < 5; i++) {
        memcpy(pageData, (int*)0x8E038780, 0xA0);
        XeCryptSha((PBYTE)(pageData + 0x14), 0x8C, 0, 0, 0, 0, outDigest, XECRYPT_SHA_DIGEST_SIZE);

        if (memcmp((PBYTE)(pageData + 0x14), outDigest, 0x14) != 0)
            continue;

        goto nextSequence;
    }

    chalResp->sataResult = STATUS_KEY_RESULT_FAILED;
    return STATUS_SUCCESS;

nextSequence:
    chalResp->operations = 0;

    memcpy((byte*)((int)chalResp + 0x21C), (byte*)0x8E038680, 0x80);

    memcpy((int*)((int)chalResp + 0x24), (int*)(pageData + 0x14), 4);
    memcpy((int*)((int)chalResp + 0x28), (int*)(pageData + 0x18), 4);
    memcpy((int*)((int)chalResp + 0x2C), (int*)(pageData + 0x1C), 4);
    memcpy((int*)((int)chalResp + 0x30), (int*)(pageData + 0x90), 4);
    memcpy((long long*)((int)chalResp + 0xD0), (int*)(pageData + 0x70), 4);
    memcpy((int*)((int)chalResp + 0x2A4), (int*)(pageData + 0x9C), 4);
    memcpy((long long*)((int)chalResp + 0x2C8), (int*)(pageData + 0x34), 4);
    memcpy((long long*)((int)chalResp + 0x2D0), (int*)(pageData + 0x38), 4);

    memcpy((byte*)(pageData + 0x3C), (byte*)(pageData + 0x1F), 0x11);
    memcpy((byte*)((int)chalResp + 0x9D), (byte*)(pageData + 0x40), 0x20);
    memcpy((byte*)((int)chalResp + 0xBD), (byte*)(pageData + 0x60), 0x10);

    memcpy((long long*)((int)chalResp + 0xD8), (long long*)(pageData + 0x78), 8);
    memcpy((long long*)((int)chalResp + 0xE0), (long long*)(pageData + 0x80), 8);
    memcpy((long long*)((int)chalResp + 0xE8), (long long*)((pageData + 0x80) + 0x8), 8);
    memcpy((long long*)((int)chalResp + 0x29C), (long long*)(pageData + 0x94), 8);

    return chalResp->sataResult = STATUS_SUCCESS;
}

NTSTATUS SysChall_SetupSerialNumberHash(xoscResponse* chalResp) {
    byte outDigest[0x14] = { 0 };
    byte serialNumber[0xC] = { 0 };

    WORD keyProperty = XeKeysGetKeyProperties(XEKEY_CONSOLE_SERIAL_NUMBER);

    for (int i = 0; i < 5; i++) {
        memcpy(xamAllocatedData, (byte*)0x8E038000, 0x400);
        XeCryptSha((PBYTE)(xamAllocatedData + 0x14), 0x3EC, 0, 0, 0, 0, outDigest, XECRYPT_SHA_DIGEST_SIZE);
        
        if (memcmp(xamAllocatedData, outDigest, 0x14) != 0)
            continue;

        goto nextSequence;
    }

    chalResp->keyResultSerial = STATUS_KEY_RESULT_FAILED;
    return STATUS_SUCCESS;

nextSequence:
    if (xamAllocatedData == 0) {
        chalResp->keyResultSerial = STATUS_KEY_RESULT_FAILED;
        return STATUS_SUCCESS;
    }

    if (*(int*)(xamAllocatedData + 0x14) < 1) {
        chalResp->keyResultSerial = 0xC8003005;
        return STATUS_SUCCESS;
    }

    if (keyProperty < 0xC) {
        chalResp->keyResultSerial = STATUS_INVALID_PARAMETER_1;
        return STATUS_SUCCESS;
    }

    NTSTATUS keyStatus = XeKeysGetKey(XEKEY_CONSOLE_SERIAL_NUMBER, serialNumber, (PDWORD)&keyProperty);

    if (!NT_SUCCESS(keyStatus)) {
        chalResp->keyResultSerial = keyStatus;
        return STATUS_SUCCESS;
    }

    chalResp->operations |= 0x20;

    int size = (*(int*)(xamAllocatedData + 0x14) - 1);

    memcpy(&chalResp->consoleId, (long long*)(xamAllocatedData + 0x1A0), 8);
    memcpy((long long*)(*(int*)(xamAllocatedData + 0x1A0) + 0x8),
        (int*)(xamAllocatedData + 0x10),
        size = size <= 5 ? size : 5
    );

    if (size < 5 && (size - 5) != 0)
        memcpy((long long*)((int)xamAllocatedData + ((size + 0x35) * 8)), 0, (size - 5));

    memcpy((byte*)(xamAllocatedData + 0x138), serialNumber, 0xC);

    *(byte*)(xamAllocatedData + 0x144) = 0;
    return chalResp->keyResultSerial = STATUS_SUCCESS;
}

void SysChall_SetupModuleHashes(xoscResponse* chalResp) {
    chalResp->operations |= 0x8;

    DWORD flags = 0;
    SHORT settingSize = 6;
    byte unknownBuffer[0x10] = { 0 };
    byte securityDigest[0x14];
    byte macAddress[0x6];
    byte smcOut[0x5];
    byte smcMsg[0x5];

    memcpy(&chalResp->bootloaderVersion, (short*)0x8E038600, 2);
    memcpy(&chalResp->xamRegion, (short*)0x8E038602, 2);
    memcpy(&chalResp->xamOdd, (short*)0x8E038604, 2);

    memcpy(&chalResp->_unk3, (int*)0x8E03861C, 4);
    memcpy(&chalResp->flashSize, (int*)0x8E038618, 4);
    memcpy(&chalResp->xoscRegion, (int*)0x8E038614, 4);
    memcpy(&chalResp->hvFlags, (int*)0x8E038610, 4);

    memcpy(&chalResp->_unk10, (long long*)0x8E038630, 8);
    memcpy(&chalResp->_unk11, (long long*)0x8E038638, 8);
    memcpy(&chalResp->_unk12, (long long*)0x8E038640, 8);
    memcpy(&chalResp->hvProtectionFlags, (long long*)0x8E038678, 8);
    memcpy(&chalResp->_unk5, (long long*)0x8E038704, 8);

    memcpy(&chalResp->_unk6, (int*)0x8E038708, 4);
    memcpy(&chalResp->_unk8, (int*)0x8E03870C, 4);
    memcpy(&chalResp->_unk9, (int*)0x8E038710, 4);
    memcpy(&chalResp->crlVersion, (int*)0x8E000154, 4);

    PLDR_DATA_TABLE_ENTRY hXam = (PLDR_DATA_TABLE_ENTRY)GetModuleHandleA(MODULE_XAM);
    PLDR_DATA_TABLE_ENTRY hKernel = (PLDR_DATA_TABLE_ENTRY)GetModuleHandleA(MODULE_KERNEL);
    PLDR_DATA_TABLE_ENTRY hCurrTitle = (PLDR_DATA_TABLE_ENTRY)GetModuleHandleA(MODULE_TITLE);

    memcpy(securityDigest, (byte*)0x8E03AA40, 0x14);
    unknownBuffer[0xE] &= 0xF8;

    if (hXam || hKernel || hCurrTitle) {
        IMAGE_XEX_HEADER* xamHeader = (IMAGE_XEX_HEADER*)(hXam->XexHeaderBase);

        if (xamHeader) {
            XEX_SECURITY_INFO* securityInfo = (XEX_SECURITY_INFO*)(xamHeader->SecurityInfo);

            int size = ((xamHeader->SizeOfHeaders - ((int)xamHeader->SecurityInfo + 0x17C)) + (int)xamHeader);
            XeCryptSha((PBYTE)&securityInfo->AllowedMediaTypes, size, securityDigest, 0x14, unknownBuffer, 0x10, securityDigest, 0x14);
        }

        IMAGE_XEX_HEADER* krnlHeader = (IMAGE_XEX_HEADER*)(hKernel->XexHeaderBase);
        if (krnlHeader) {
            if (NT_SUCCESS(ExGetXConfigSetting(XCONFIG_SECURED_CATEGORY, XCONFIG_SECURED_MAC_ADDRESS, macAddress, 0x6, (PWORD)settingSize))) {
                XEX_SECURITY_INFO* securityInfo = (XEX_SECURITY_INFO*)(krnlHeader->SecurityInfo);

                int size = ((krnlHeader->SizeOfHeaders - ((int)krnlHeader->SecurityInfo + 0x17C)) + (int)krnlHeader);
                XeCryptSha((PBYTE)&securityInfo->AllowedMediaTypes, size, securityDigest, 0x14, macAddress, 0x6, securityDigest, 0x14);
            }
        }

        IMAGE_XEX_HEADER* currModuleHeader = (IMAGE_XEX_HEADER*)(hCurrTitle->XexHeaderBase);
        if (currModuleHeader) {
            smcMsg[0] = REQUEST_SMC_VERSION;
            HalSendSMCMessage(smcMsg, smcOut);

            XEX_SECURITY_INFO* securityInfo = (XEX_SECURITY_INFO*)(currModuleHeader->SecurityInfo);

            int size = ((currModuleHeader->SizeOfHeaders - (DWORD)&securityInfo->AllowedMediaTypes) + (int)currModuleHeader);
            XeCryptSha((PBYTE)&securityInfo->AllowedMediaTypes, size, securityDigest, 0x14, smcOut, 0x5, securityDigest, 0x14);
        }
    }

    XeCryptSha((PBYTE)0x900101A3, 0x8E59, securityDigest, 0x14, 0, 0, securityDigest, 0x14);
    securityDigest[0] = 7;

    memcpy(chalResp->kvDigest, securityDigest, 0x10);
    memcpy(chalResp->fuseDigest, (byte*)0x8E03AA50, 0x10);
}

NTSTATUS SysChall_GetPCIEDriveConnectionStatus(xoscResponse* chalResp) {
    byte data[0x100] = { 0 };
    HalReadWritePCISpace(0, 2, 0, 0, data, 0x100, 0);

    QWORD r9 = (((*(byte*)(data + 0x8) & ~0xFFFF00) | ((*(short*)(data + 0x2) << 8) & 0xFFFF00) << 8) & 0xFFFFFFFFFFFFFFFF);
    QWORD r10 = (((*(byte*)(data + 0xB) & ~0xFFFF00) | ((*(short*)(data + 0x4) << 8) & 0xFFFF00) << 8) & 0xFFFFFFFFFFFFFFFF);

    chalResp->daeResult = 0x40000012;
    chalResp->operations |= 0x100;
    chalResp->pcieHardwareInfo = ((((r9 | XboxHardwareInfo->PCIBridgeRevisionID) << 32) | r10) | *(byte*)(data + 0xA));

    return STATUS_SUCCESS;
}

NTSTATUS SysChall_Init(int task, char* tableName, int tableSize, xoscResponse* chalResp, int bufferSize) {
    if (chalResp == 0 || bufferSize == 0 || bufferSize < 0x2E0) {
        printf("[SysChall_Execute] failed\n");
        return E_INVALIDARG;
    }

    NTSTATUS exeIdStatus = STATUS_SUCCESS;
    PXEX_EXECUTION_ID executionId;

    memset(chalResp, 0, bufferSize);
    memset(chalResp, 0xAA, 0x2E0);

    chalResp->operations = 0;
    chalResp->xoscMajor = 9;
    chalResp->xoscFooterMagic = 0x5F534750;

    if (NT_SUCCESS(XamAlloc(0x200000, 0x8000, xamAllocatedData))) {
        SysChall_GetDeviceControlRequest(chalResp);
        SysChall_GetConsoleKVCertificate(chalResp);
        SysChall_SetupModuleHashes(chalResp);
        SysChall_GetStorageDeviceSizes(chalResp);
        SysChall_GetPCIEDriveConnectionStatus(chalResp);
    }

    if (NT_SUCCESS(exeIdStatus = XamGetExecutionId(&executionId))) {
        chalResp->executionResult = exeIdStatus;

        memcpy(&chalResp->xexExecutionId, &executionId, sizeof(XEX_EXECUTION_ID));
        XamLoaderGetMediaInfo(&chalResp->mediaInfo, &chalResp->titleId);

        chalResp->operations |= 0x4;
    }

    if (XamLoaderIsTitleTerminatePending())
        chalResp->operations |= XOSC_FLAG_STATUS_FLAG_TITLE_TERMINATED;

    if (XamTaskShouldExit())
        chalResp->operations |= XOSC_FLAG_STATUS_TASK_SHOULD_EXIT;

    if (xamAllocatedData != 0)
        XamFree(xamAllocatedData);

    return chalResp->result = STATUS_SUCCESS;
}


xosc.h
#ifndef __XOSC_H__
#define __XOSC_H__

#define MODULE_XOSC "xosc9v2.xex"

#define REQUEST_SMC_VERSION 0x12
#define IOCTL_DISK_VERIFY 0x4D014

#define STATUS_INVALID_HEADER 0xC8003005
#define STATUS_KEY_RESULT_FAILED 0xC8003003
#define STATUS_INVALID_PARAMETER 0xC000000D
#define STATUS_INVALID_PARAMETER_1 0xC00000EF
#define STATUS_INVALID_PARAMETER_7 0xC00000F5
#define STATUS_INSUFFICIENT_RESOURCES 0xC000009A

#define XOSC_FLAG_STATUS_TASK_SHOULD_EXIT 0x2000000000000000
#define XOSC_FLAG_STATUS_FLAG_TITLE_TERMINATED 0x4000000000000000
#define XOSC_DEVICESIZE_OPEN_OPTIONS FILE_DIRECTORY_FILE | FILE_SYNCHRONOUS_IO_NONALERT | 0x800000

struct xoscResponse {
    int result; //0x00
    short xoscMajor; //0x04
    short xoscMinor; //0x06
    long long operations; //0x08
    int ioCtlResult; //0x10
    int keyResultCert; //0x14
    int executionResult;//0x18
    int keyResultSerial; //0x1C
    int sataResult; // 0x20 0xC8003003
    byte _unk1[0x10]; //0x24 AA's
    int daeResult; //0x34 0x40000012
    XEX_EXECUTION_ID xexExecutionId; //0x38
    byte cpuKeyDigest[0x10]; //0x50
    byte kvDigest[0x10]; //0x60
    byte fuseDigest[0x10]; //0x70
    int drivePhaseLevel; //0x80 
    DWORD mediaInfo; //0x84 0
    DWORD titleId; //0x88
    byte _unk2[0x64]; //0x8C 
    byte driveIndentifier1[0x24]; //0xF0 
    byte driveIndentifier2[0x24]; //0x114
    byte consoleSerial[0xC]; //0x138
    short serialByte; //0x144 0
    short bootloaderVersion; //0x146
    short xamRegion; //0x148 
    short xamOdd; //0x14A
    int _unk3; //0x14C 0x8E03861C
    int flashSize; //0x150
    int xoscRegion; //0x154
    int hvFlags; //0x158
    int _unk4; //0x15C
    long long _unk5; //0x160
    int _unk6; //0x168
    int _unk7; //0x16C
    long long pcieHardwareInfo; //0x170
    int _unk8; //0x178
    int _unk9; //0x17C
    long long _unk10; //0x180
    long long _unk11; //0x188
    long long _unk12; //0x190
    long long hvProtectionFlags; //0x198
    long long consoleId; //0x1A0
    byte _unk14[0x28]; //0x1A8
    int hardwareFlags; //0x1D0
    byte _unk15[0xD4];  //0x1D4
    int memoryUnit0; //0x2A8
    int memoryUnit1; //0x2AC
    int memoryUnitIntFlash; //0x2B0
    int memoryUnitIntUSB; //0x2B4
    int mass0PartitionFileSize; //0x2B8
    int mass1PartitionFileSize; //0x2BC
    int mass2PartitionFileSize; //0x2C0
    int crlVersion; //0x2C4
    long long _unk16; //0x2C8
    long long _unk17; //0x2D0
    int xoscFooterMagic; //0x2D8
    int _unk18; //0x2DC
    byte unusedFiller[0x120]; //0x2E0
};

extern byte* xamAllocatedData;

#endif //__XOSC_H__

Print this item

  challenge_16537
Posted by: theDomo - 09-09-2019, 09:59 AM - Forum: Xbox 360 - No Replies

// reversed by teir
// tried to make it as optimized as I could while not disrupting the flow
// version: 0x4099 - 16537

// some of this was edited to make some people happy

#define BIT_MASK64(n) (~( ((~0ull) << ((n)-1)) << 1 ))
#define extrdi(inp, n, b) ((inp >> 64-(n+b)) & BIT_MASK64(n))
// eg: extrdi r4, r12, 10, 48 = [r4 = extrdi(r12, 10, 48)]
// eg: r4 = extrdi(r12, 10, 48) = [r4 = ((r12 >> 6) & BIT_MASK64(10))]

#define SRAM 0x8000020000010000

/*
0x50 hash info
<info removed>
*/
QWORD xAddy[0xD] = {
	0x34000C,		// 
	0x400030,		// 
	0x700004,		// 
	0x780008,		// 
	0x8081FF,		//  
	0x2000100C00040, 	// 
	0x2000103500030, 	// 
	0x20001038080BB, 	// 
	0x2000161000040, 	// 
	0x200016D200060, 	// 
	0x200016D808125, 	// 
	0x4000200008200, 	// 
	0x6000300008200  	//  
};

// 0xEC hash info
// this should give a good idea on whats the same for all consoles / bootups
QWORD zAddy[7] = {
	0x340040, 			// 0x34-0x74, 0x40 bytes
	0x78FF88, 			// 0x78-0x1000, 0xF88 bytes
	0x2000100C00040, 	// 0x2000100C0-0x200010100, 0x40 bytes
	0x2000103505DF0, 	// 0x200010350-0x200011140, 0xDF0 bytes
	0x200016D2092E0, 	// 0x200016D20-0x200017000, 0x3E0 bytes
	0x400020000FFFC, 	// 0x400020000-0x400020FFC, 0xFFC bytes
	0x600030000FFFC 	// 0x600030000-0x600030FFC, 0xFFC bytes
};

typedef struct {
	QWORD qwPad[5];
	QWORD qwMagicBuildQFE;
	QWORD qwKernelVersion;
	DWORD dwXeKeysFlags;
	DWORD dwUnk74; // ??
	QWORD qwRTOC;
	QWORD qwHRMOR;
	BYTE pbRenamedHash[0x14]; // 0x50
	BYTE pbCPUKeyHash[0x14]; // cpu key hash
	BYTE pbBuf[0x80]; // <removed, renamed>
	WORD wPageAddy; // looks like the memory page the response is located in?
	BYTE pbHvHash[6]; // 0xEC hash - NOTE: HASH THIS AS 20 BYTES BUT ONLY WRITE THE LAST 6 BYTES. in the challenge the above variables overwrite the first 14 bytes
} CHALLENGE_RESPONSE;

// Function from the HV
// Challenge doesn't use the HV function but does the same thing when its called
// Why not just use the HV function?
// sub_EE4
void FillCacheLines(QWORD Address, QWORD cCacheline)
{
	for(int i = 0; i < cCacheline; i++)
	{
		*Address+(i*0x80) = *(BYTE*)Address+(i*0x80);
		__dcbst(Address+(i*0x80));
	}
	__sync();
	__isync();
}

QWORD PhysicalToReal(QWORD arg1, QWORD arg2)
{
	if((DWORD)(arg1-4) > 0x1FFBFFFF)
		MACHINE_CHECK();
	if((DWORD)arg2 > (DWORD)(arg1-0x20000000))
		MACHINE_CHECK();
	return (arg1 & 0xFFFFFFFF) | 0x8000000000000000;
}

QWORD Challenge_16537(QWORD retbuf, QWORD HvSalt, QWORD krnlbuild)
{
	// NOTE: All addresses in the response file are offset by 0x20
	QWORD resp = retbuf + 0x20;

	// copy some stuff from the hv and misc registers
	*resp+8 = *(QWORD*)0; // hv magic + build + qfe
	*resp+0x10 = *(QWORD*)0x10; // kernel version
	*resp+0x18 = *(DWORD*)0x30; // XeKeys Flags
	*resp+0x1C = *(DWORD*)0x74;
	*resp+0x20 = 0x0000000200000000; // r2
	*resp+0x28 = 0x0000010000000000; // HRMOR

	HvSalt = PhysicalToReal(HvSalt, 0x1000);

	// start the first hash, location 0xEC in the response file
	XECRYPT_SHA_STATE sha;
	XeCryptShaInit(&sha);
	XeCryptShaUpdate(&sha, HvSalt, 0x10); // hash the salt first
	for(int i = 0; i < 7; i++)
		XeCryptShaUpdate(&sha, zAddy[i] >> 16, zAddy[i] & 0xFFF);
	XeCryptShaFinal(&sha, resp+0xCC, 0x14);

	XeCryptShaInit(&sha);

	// checking the address? purpose unknown but doesn't seem to effect online status
	QWORD tmp = resp+0x3E0;
	*resp+0xD8 = (WORD)((tmp >> 16) & 0xFFFF);

	// <info removed>
	for(int i = 0; i < 8; i++)
	{
		*tmp+(i*0x10) = *(QWORD*)HvSalt;
		*tmp+(i*0x10)+8 = *(QWORD*)HvSalt+8;
	}
	__dcbst(resp+0x3E0);
	__sync();


	// start the second hash, location 0x50 in the response file
	tmp = SRAM + (0xF800 | ((resp+0x3E0 >> 6) & 0x3FF)); // 0x50 salt, offset formula is different - look into later
	XeCryptShaUpdate(&sha, tmp, 2);
	for(int i = 0; i < 0xD; i++)
	{
		// <info removed>
		if(xAddy[i] & 0x8000)
		{
			FillCacheLines(xAddy[i] >> 16, xAddy[i] & 0x3FF);
			XeCryptShaUpdate(&sha, SRAM+((xAddy[i] >> 22) & 0xFFF), (xAddy[i] & 0x3FF) << 1);
		}
		else
		{
			FillCacheLines(xAddy[i] >> 16, 1);
			if((xAddy[i] & 0x7F) >= 0x10)
				XeCryptShaUpdate(&sha, (((xAddy[i] >> 16) & 0x3FFFF) | 0x8000000000000000), xAddy[i] & 0x7F);
			else
				XeCryptShaUpdate(&sha, xAddy[i] >> 16, xAddy[i] & 0x7F);
		}
	}
	XeCryptShaFinal(&sha, resp+0x30, 0x14);

	// hash the cpukey, location 0x64 in the response file
	XeCryptShaInit(&sha);
	XeCryptShaUpdate(&sha, 0x20, 0x10);
	XeCryptShaFinal(&sha, resp+0x44, 0x14);

	// copy other data from the HV, location 0x78 in the response file
	// <info removed>
	resp += 0x58;
	QWORD HvData = 0x200010040;
	for(int i = 0; i < 0x10; i++)
		*resp+(i*8) = *(QWORD*)HvData+(i*8);

	// done
	return 0;
}

Print this item

  SOCSECENG_BLOCK
Posted by: theDomo - 09-09-2019, 09:58 AM - Forum: Xbox 360 - No Replies

// SOCSECENG_BLOCK structure

typedef union _SECENG_FAULT_ISOLATION {
	QWORD AsULONGLONG; // 0x0 sz:0x8
	struct{
		QWORD IntegrityViolation : 1; // 0x0 bfo:0x63
		QWORD Reserved1 : 63; // 0x0 bfo:0x0
	}AsBits;
} SECENG_FAULT_ISOLATION, *PSECENG_FAULT_ISOLATION; // size 8
//C_ASSERT(sizeof(SECENG_FAULT_ISOLATION) == 0x8);

typedef struct _SECENG_KEYS { 
	QWORD WhiteningKey0High; // 0x0 sz:0x8
	QWORD WhiteningKey0Low; // 0x8 sz:0x8
	QWORD WhiteningKey1High; // 0x10 sz:0x8
	QWORD WhiteningKey1Low; // 0x18 sz:0x8
	QWORD WhiteningKey2High; // 0x20 sz:0x8
	QWORD WhiteningKey2Low; // 0x28 sz:0x8
	QWORD WhiteningKey3High; // 0x30 sz:0x8
	QWORD WhiteningKey3Low; // 0x38 sz:0x8
	QWORD AESKey0High; // 0x40 sz:0x8
	QWORD AESKey0Low; // 0x48 sz:0x8
	QWORD AESKey1High; // 0x50 sz:0x8
	QWORD AESKey1Low; // 0x58 sz:0x8
	QWORD AESKey2High; // 0x60 sz:0x8
	QWORD AESKey2Low; // 0x68 sz:0x8
	QWORD AESKey3High; // 0x70 sz:0x8
	QWORD AESKey3Low; // 0x78 sz:0x8
	QWORD HashKey0High; // 0x80 sz:0x8
	QWORD HashKey0Low; // 0x88 sz:0x8
	QWORD HashKey1High; // 0x90 sz:0x8
	QWORD HashKey1Low; // 0x98 sz:0x8
} SECENG_KEYS, *PSECENG_KEYS; // size 160
//C_ASSERT(sizeof(SECENG_KEYS) == 0xA0);

typedef struct _SOCSECENG_BLOCK { //Addr = 80000200_00024000
	SECENG_KEYS WritePathKeys; // 0x0 sz:0xA0
	QWORD TraceLogicArrayWritePathControl; // 0xA0 sz:0x8
	QWORD qwUnkn1;
	QWORD Reserved1[0x1EA]; // 0xA8 sz:0xF58
	SECENG_KEYS ReadPathKeys; // 0x1000 sz:0xA0
	QWORD TraceLogicArrayReadPathControl; // 0x10A0 sz:0x8
	SECENG_FAULT_ISOLATION FaultIsolationMask; // 0x10A8 sz:0x8
	SECENG_FAULT_ISOLATION FaultIsolation; // 0x10B0 sz:0x8 - set to zero in CB
	QWORD IntegrityViolationSignature; // 0x10B8 sz:0x8
	QWORD qwUnkn2;
	QWORD Reserved2[0x1E7]; // 0x10C0 sz:0xF40
} SOCSECENG_BLOCK, *PSOCSECENG_BLOCK; // size 8192
//C_ASSERT(sizeof(SOCSECENG_BLOCK) == 0x2000);

// the security engine contains multiple keys, this is important
// 0x00000X**_00000000 X = region, ** = key select
// x = 0 should be physical
// x = 1 should be hashed
// x = 2 should be SoC
// x = 3 should be encrypted

// notes on where this is referenced and what is inside

// sub_4D10 in CB, i think this function sets up more than just the security engine soc
SOCSECENG_BLOCK->FaultIsolationMask // sets the IntegrityViolation bit to one in CB
SOCSECENG_BLOCK->FaultIsolation // set to zero in CB

// sub_5348 in CB sets up initial values
// in sub_5348 you can see many relationships to the hypervisor functions that deal with security
// deals with that XeCryptHammingWeight thing i dont understand yet
// here is a little reversing:
void InitializeSecurityEngine() {
	post_output(0x22/*INITIALIZE_SECURITY_ENGINE*/);
	
	PSOCSECENG_BLOCK pSecEng = (PSOCSECENG_BLOCK)0x8000020000024000; // r25
	void *r27 = 0x8000020000060000; // r27 another hardware thing that i dont yet know
	// 0x8000020000060000 seems to be the random number generater
	
	// does some shit with generating some random values, loops and does math
	// im certain var_A0 and var_140 are random values, uses the time base register to generate and some random values
	
	// transform the random values to not be easily predictable
	XeCryptSha(var_140, 0xA0, var_A0, 0x60, 0, 0, var_160, 0x14);
	XeCryptRc4(var_160, var_140, 0xA0);
	
	PQWORD pqwRandomData = (PQWORD)var_140;
	PSECENG_KEYS pWritePathKeys = &pSecEng.WritePathKeys; // r29
	PSECENG_KEYS pReadPathKeys = &pSecEng.ReadPathKeys; // r30
	
	PQWORD pqwWriteKeys = (PQWORD)pWritePathKeys;
	PQWORD pqwReadKeys = (PQWORD)pReadPathKeys;
	
	// set the whitening keys
	for(DWORD X /* r11 */ = 8; X > 0; X--) {
		// set random keys
		QWORD qwRandom = *pqwRandomData;
		*pqwWriteKeys = qwRandom;
		*pqwReadKeys = qwRandom;
		
		// increment values
		pqwWriteKeys++;
		pqwReadKeys++;
		pqwRandomData++;
	}
	
	// set the aes keys, this is WRONG there is something with r27
	for(DWORD X /* r28 */ = 4; X > 0; X--) {
		// set the read path keys, they are decryption keys so no need to schedule with the shits
		pqwReadKeys[0] = pqwRandomData[0];
		pqwReadKeys[1] = pqwRandomData[1];
		
		// generate sbox
		_create_aes_sbox_128bit((PBYTE)qwRandom, r26 + 0x140); // r4 isnt that important its just the rijandael initial schedule array shit
		
		// set write key
		pqwWriteKeys[0] = pqwRandomData[0];
		pqwWriteKeys[1] = pqwRandomData[1];
		
		// increment values
		// 2 qwords equal to 0x10
		qwRandom += 2;
		pqwWriteKeys += 2;
		pqwReadKeys += 2;
	}
	
	// set the hash keys
	// dont need to write this you know whats up

	// does some weird time wait, maybe to try and prevent glitching?
	// the time wait is dependant on the random values
}


// sub_20B0 in HV deals with it again (changes keys for different security hashes)
// see research.h file for full reversal of sub_20B0
// only references the WritePathKeys and ReadPathKeys, only sets WhiteningKey0, AESKey0, and HashKey0

Print this item

  HvxQuiesceProcessor
Posted by: theDomo - 09-09-2019, 09:58 AM - Forum: Xbox 360 - No Replies

#define HSPRG1 mfspr(SPR_HSPRG1)

QWORD HvxQuiesceProcessor(BYTE Reason)
{
	PTHREAD_STATE pThreadState = (PTHREAD_STATE)HSPRG1;

	// we cannot put thread 0 to sleep, how would we wake up?
	if(pThreadState->PID == 0)
		MACHINE_CHECK();

	HvpSaveThread(Reason);
	HvpSleepThread();
	HvpRestoreThread();

	return 0;
}

void _V_RESET()
{
	QWORD HID1 = mfspr(SPR_HID1);
	HID1 = (HID1 & 0xF3FFFFBFFFFFFFFF) | (3 << 58) | (1 << 38);
	// s
	mtspr(SPR_HID1, HID1);

	PTHREAD_STATE pThreadState = (PTHREAD_STATE)HSPRG1;

	// if HSPRG1 has not been set up, this is a Power On Reset
	if(!pThreadState)
		POR();

	// if HSPRG1 has been set up but the thread was not suspended, this reset is an error
	if(!pThreadState->SUSPENDED)
		MACHINE_CHECK();

	pThreadState->SUSPENDED = 0;

	// HvpSleepThread saves SRR0 and SRR1 to these registers
	mtspr(SPR_SRR0, r7);
	mtspr(SPR_SRR1, r8);
	_cctpm()

	return;
}

// sub_84E0
void HvpSaveThread(BYTE Reason)
{
	PTHREAD_STATE pThreadState = (PTHREAD_STATE)HSPRG1;
	if(pThreadState->STATE != 0
		|| Reason > 2)
		MACHINE_CHECK();

	pThreadState->REASON = Reason;

	// notify thread 0 that this thread is ready to continue
	pThreadState->STATE = 1;

	// thread 0 handles most of the saving
	if(pThreadState->PID == 0)
	{
		// wait until all threads are ready
		PCPU_STATE pCPU = (PCPU_STATE)pThreadState;
		for(int i = 0;i < 3;i++)
		{
			int CoreNum = 2 - i;

			// virtual first
			while(pCPU->Core[CoreNum].vThread.STATE != 1)
				continue;

			// now hardware
			while(pCPU->Core[CoreNum].hThread.STATE != 1)
				continue;
		}

		_REG_611A0 = _REG_611A0 & 0xFEFF; // ei_is

		PQWORD pqwIrqlState = (PQWORD)0x2000161E0;
		pqwIrqlState[0] = _REG_56000;
		pqwIrqlState[1] = _REG_56010;
		pqwIrqlState[2] = _REG_56020;
		pqwIrqlState[3] = _REG_56030;
		pqwIrqlState[4] = _REG_56040;

		_REG_56000 = 0; // ei
		_REG_56010 = 0; // ei
		_REG_56020 = 0; // ei
		_REG_56030 = 0; // ei
		_REG_56040 = 0; // ei_is

		pqwIrqlState[5] = _REG_611C8;
		_REG_611C8 = 0; // ei_is

		for(int i = 0;i < 3;i++)
		{
			int CoreNum = 2 - i;

			// first virtual threads
			// make sure all threads are being paused for the same reason
			if(pCPU->Core[CoreNum].vThread.REASON != pThreadState->REASON)
				MACHINE_CHECK();

			// notify thread to continue with save
			pCPU->Core[CoreNum].vThread.STATE = 2;

			// wait until thread finished save
			while(pCPU->Core[CoreNum].vThread.STATE != 3)
				continue;

			// hardware threads now
			// make sure all threads are being paused for the same reason
			if(pCPU->Core[CoreNum].hThread.REASON != pThreadState->REASON)
				MACHINE_CHECK();

			// notify thread to continue with save
			pCPU->Core[CoreNum].hThread.STATE = 2; // s

			// wait until thread finished save
			while(pCPU->Core[CoreNum].hThread.STATE != 3)
				continue;
		}

		// flush out the cache without cache flush instructions? might be for the security engine?
		PBYTE pbCurPage = HvpGetCurrentPage();
		QWORD inc = 0;
		for(int i = 0;i < 0x200;i++)
			inc += pbCurPage[i * 0x80];
		// is

		// same thing as above but with the thread states
		pbCurPage = HSPRG1;
		inc = 0;
		for(int i = 0;i < 0x180;i++)
			inc += pbCurPage[i * 0x80];
		// is
	}
	else
	{
		// wait until thread 0 has saved the IRQL stuff
		while(pThreadState->STATE != 2)
			continue;
	}

	// set this thread's irql register to 0x7C
	QWORD IRQLRegs = __REG_50000 + (pThreadState->PID << 12);
	write64(IRQLRegs + 8, 0x7C); // ei_is

	// save this thread's DEC register
	pThreadState->DEC_SAVE = mfspr(SPR_DEC);
	mtspr(SPR_DEC, 0x7FFFFFFF);

	// only cores save the HDEC (cores are even, virtual hw threads are odd)
	if(pThreadState->PID & 1 == 0)
	{
		// wait until this core's virtual thread is asleep ?
		while(mfspr(SPR_CTRL) & 0x400000)
			continue;

		// save the HDEC
		pThreadState->HDEC_SAVE = mfspr(SPR_HDEC);
		mtspr(SPR_HDEC, 0x7FFFFFFF);
	}

	// update this thread's flags in the thread control register
	DWORD TSCR = mfspr(SPR_TSCR); // s
	TSCR &= 0xFF8FFFFF;
	TSCR |= ((~pThreadState->PID) & 1) << 20;
	mtspr(SPR_TSCR, TSCR); // s_is

	// notify thread 0 that this thread has completed it's save
	pThreadState->STATE = 3; // s

	return;
}

// sub_150
void HvpSleepThread()
{
	// save some context
	QWORD PIR = mfspr(SPR_PIR);
	QWORD SRR0 = mfspr(SPR_SRR0);
	QWORD SRR1 = mfspr(SPR_SRR1);
	PTHREAD_STATE pThreadState = (PTHREAD_STATE)mfspr(HSPRG1);

	// set the state
	pThreadState->SUSPENDED = 1;

	PIR = PIR & 1;
	if(!PIR)
	{
		QWORD HID1 = mfspr(SPR_HID1);
		HID1 = (HID1 & 0xF3FFFFFFFFFFFFFF) | ((PIR & 3) << 58); 
		// s
		mtspr(SPR_HID1, HID1); // s_is
	}

	// wait until sys reset to resume
	for(;;)
		mtspr(SPR_CTRL, 0);
}

// sub_87A8
void HvpRestoreThread()
{
	PTHREAD_STATE pThreadState = (PTHREAD_STATE)HSPRG1;

	// make sure the thread had saved
	if(pThreadState->STATE != 3)
		MACHINE_CHECK();

	// update state
	pThreadState->STATE = 4;

	// check if this is a hardware thread
	if(pThreadState->PID & 1 == 0)
	{
		// if this is core 0/thread 0 restore the irql stuff
		if(pThreadState->PID == 0)
		{
			PQWORD pqwIrqlState = (PQWORD)0x2000161E0;
			_REG_56000 = pqwIrqlState[0]; // ei
			_REG_56010 = pqwIrqlState[1]; // ei
			_REG_56020 = pqwIrqlState[2]; // ei
			_REG_56030 = pqwIrqlState[3]; // ei
			_REG_56040 = pqwIrqlState[4]; // ei_is

			_REG_611C8 = pqwIrqlState[5]; // ei_is
		}

		// restore this core's HDEC register
		mtspr(SPR_HDEC, pThreadState->HDEC_SAVE);

		// wake up this core's virtual thread
		QWORD CTRL = mfspr(SPR_CTRL);
		CTRL |= 0xC00000;
		mtspr(SPR_CTRL, CTRL);

		// wait until the virtual thread wakes up
		PPPE_STATE pCore = (PPPE_STATE)pThreadState;
		while(pCore->vThread.STATE != 5)
			continue;
	}

	// restore this thread's DEC register
	mtspr(SPR_DEC, pThreadState->DEC_SAVE);

	// set this thread's irql register to 0
	QWORD IRQLRegs = __REG_50000 + (pThreadState->PID << 12);
	write64(IRQLRegs + 8, 0); // ei_is

	// if this is core 0/thread 0 then finish restores
	if(pThreadState->PID == 0)
	{
		// wake up core 1
		_REG_52008 = 0; // ei_is
		_REG_50010 = 0x40078; // ei

		// wait until core 1 is ready
		PCPU_STATE pCPU = (PCPU_STATE)pThreadState;
		while(pCPU->Core1.hThread.STATE != 5)
			continue;

		// wake up core 2
		_REG_54008 = 0; // ei_is
		_REG_50010 = 0x100078; // ei

		// wait until core 2 is ready
		while(pCPU->Core2.hThread.STATE != 5)
			continue;

		// unknown register
		_REG_611A0 |= 0x100; // ei_is

		// done restoring, notify all threads
		pCPU->Core0.hThread.STATE = 0;
		pCPU->Core0.vThread.STATE = 0;
		pCPU->Core1.hThread.STATE = 0;
		pCPU->Core1.vThread.STATE = 0;
		pCPU->Core2.hThread.STATE = 0;
		pCPU->Core2.vThread.STATE = 0;
		// s
	}
	else
	{
		// notify that this thread is awake
		pThreadState->STATE = 5; // s

		// wait until restore is done
		while(pThreadState->STATE != 0)
			continue;
	}

	// continue where thread left off
	return;
}

Print this item

  HvxKeysExecute
Posted by: theDomo - 09-09-2019, 09:57 AM - Forum: Xbox 360 - No Replies

// HvxKeysExecute is a syscall to execute a payload in privileged mode
// Microsoft uses it as a back door to xbox 360s
// Payloads must be signed

#define KEYS_PARAMETER_FAIL 0xC8000030
#define KEYS_MAGIC_FAIL 0xC8000032
#define KEYS_HVMAGIC_FAIL 0xC8000033
#define KEYS_HEADER_FAIL 0xC8000034
#define KEYS_ENTRYPOINT_FAIL 0xC8000035
#define KEYS_CRYPT_FAIL 0xC8000036

typedef struct _BLHeader
{
	WORD Magic;		// 0 : 2
	WORD Version;		// 2 : 2
	DWORD Flags;		// 4 : 4
	DWORD EntryPoint;	// 8 : 4
	DWORD Size;		// 0xC : 4
	BYTE key[0x10];		// 0x10 : 0x10
	XECRYPT_SIG Sig;	// 0x20 : 0x100
	// Header: 0x120
}BLHeader, *PBLHeader;

BYTE BLKey[0x10] = { <redacted> };
BYTE ExSalt[0xA] = <redacted>;
XECRYPT_RSAPUB_2048 xRSA;
xRSA = <redacted>

typedef QWORD PayloadJump(PBYTE pbPayload, QWORD Arg1, QWORD Arg2, QWORD Arg3, QWORD Arg4);

QWORD HvxKeysExecute(PBYTE pbPayload, DWORD cbPayload, QWORD Arg1, QWORD Arg2, QWORD Arg3, QWORD Arg4)
{
	if(pbPayload & 0x7F // 0x80 byte alignment check
		|| cbPayload & 0x7F // 0x80 byte alignment check
		|| cbPayload > 0x10000 // size check
		|| (((pbPayload + cbPayload) - 1) ^ pbPayload) & 0xFFFF0000)
		return KEYS_PARAMETER_FAIL;

	HvpAquireSpinLock(0x200016460);

	// our payload will be executed in realmode, to maintain security make sure it will be in a secure area
	DWORD origPayload = pbPayload;
	pbPayload = HvpRelocatePhysicalToInternal(pbPayload, cbPayload, 0x3E);

	// from now on if something fails, we need to invalidate the block in protected memory and release the spinlock
	QWORD ret = 0;

	PBLHeader phPayload = (PBLHeader)pbPayload;
	if(phPayload->Magic & 0xF0F == 0xD0D) // Payload Magic check
	{
		if((*(WORD*)0 ^ phPayload->Magic) & 0xF000 == 0) // HV & Payload magic check
		{
			if(phPayload->Size >= 0x120 // sanity check
				|| (phPayload->Size + 0xF) & 0xFFFFFFF0 >= phPayload->Size // ? dont see the point...?
				|| (phPayload->Size + 0xF) & 0xFFFFFFF0 <= cbPayload) // sanity check
			{
				if(!phPayload->EntryPoint & 3 // 4 byte alignment check
					|| phPayload->EntryPoint >= 0x120 // sanity check
					|| phPayload->EntryPoint <= phPayload->Size & 0xFFFFFFFC) // sanity check
				{
					BYTE rc4Key[0x10];
					XeCryptHmacSha(BLKey, 0x10, &phPayload->key, 0x10, 0, 0, 0, 0, rc4Key, 0x10);
					XECRYPT_RC4_STATE rc4;
					XeCryptRc4Key(&rc4, rc4Key, 0x10);
					XeCryptRc4Ecb(&rc4, pbPayload+0x20, phPayload->Size - 0x20);
					BYTE Hash[0x14];
					XeCryptRotSumSha(pbPayload, 0x10, pbPayload+0x120, phPayload->Size - 0x120, Hash, 0x14);
					if(XeCryptBnQwBeSigVerify(phPayload->Sig, Hash, ExSalt, &xRSA))
					{
						// key and sig will not be used anymore, null them
						*(QWORD*)pbPayload+0x10 = 0ull;
						*(QWORD*)pbPayload+0x18 = 0ull;
						memset(&phPayload->Sig, 0, 0x100);
						if(phPayload->Size < cbPayload)
							memset((pbPayload + phPayload->Size), 0, (cbPayload - phPayload->Size));

						// jump to our payload
						PayloadJump* pfPayload = (PayloadJump*)(pbPayload + phPayload->EntryPoint);
						ret = pfPayload(pbPayload, Arg1, Arg2, Arg3, Arg4);
					}
					else ret = KEYS_CRYPT_FAIL;
				}
				else ret = KEYS_ENTRYPOINT_FAIL;
			}
			else ret = KEYS_HEADER_FAIL;
		}
		else ret = KEYS_HVMAGIC_FAIL;
	}
	else ret = KEYS_MAGIC_FAIL;

	BYTE retBuf[0x100];
	if(ret == 0) // assumed as success (payload return can change this)
		memcpy(retBuf, pbPayload+0x20, 0x100);
	else // assumed something failed, null retBuf (NOTE: if you want to use retBuf as a return buffer, payload must return 0)
		for(int i = 0;i < 0x20;i++)
			retBuf[i*8] = 0ull

	// clean up
	HvpInvalidateCachelines(pbPayload, cbPayload);
	pbPayload = HvpPhysicalToReal(origPayload, cbPayload);
	HvpZeroCacheLines(pbPayload, cbPayload >> 7);
	memcpy(pbPayload + 0x20, retBuf, 0x100);

	HvpReleaseSpinLock(0x200016460);

	return ret;
}

Print this item

  cba_9188
Posted by: theDomo - 09-09-2019, 09:57 AM - Forum: Xbox 360 - No Replies

// version: 0x23E4
// entry: 0x3C0
// size: 0x1AC0

// registers preset by the 1bl
// r27: not used
// r28: not used
// r29: not used
// r30: not used
// r31: next bl (cbb nand offset)
//	CB_A nand offset + CB_A size aligned to the upper 0x10 byte (ex: size = (size+0xF) & 0xFFFFFFF0)

#define STACK 	0x800002000001F700 // r1
#define TOC 	0x800002000001C000 // r2
#define SRAM	0x8000020000010000
#define POSTo 	0x8000020000061010
#define NAND	0x80000200C8000000
#define SOC	0x8000020000020000

// an attempt to make this easier to read
#define read64(addy) *(QWORD*)addy
#define read32(addy) *(DWORD*)addy
#define read16(addy) *(WORD*)addy
#define write64(addy, data) *(QWORD*)addy = data
#define write32(addy, data) *(DWORD*)addy = data
#define write16(addy, data) *(WORD*)addy = data

typedef struct _BLHeader
{
	WORD Magic;			// 0 : 2
	WORD Version;		// 2 : 2
	DWORD Flags;		// 4 : 4
	DWORD EntryPoint;	// 8 : 4
	DWORD Size;			// 0xC : 4
	BYTE key[0x10];		// 0x10 : 0x10
	QWORD Pad[4];		// 0x20 : 0x20
	XECRYPT_SIG Sig;	// 0x40 : 0x100
	// Header: 0x140
}BLHeader, *PBLHeader;

void POST(BYTE postCode)
{
	write64(POSTo, (postCode << 56));
}

void PanicGen()
{
	while(1)
		continue;
}

void Panic(QWORD postCode)
{
	POST(postCode);
	PanicGen();
}

bool VerifyOffset(DWORD offset, DWORD arg2)
{
	if(offset != (offset + 0xF) & 0xFFFFFFF0)
		return false;
	if(offset - 0x80 > 0x7FFFF7F)
		return false;
	if(arg2 & 0xFFFFFFF0 >= offset - 0x8000000)
		return false;
	return true;
}

// Copies by 0x10 byte blocks
// cBlocks: how many 0x10 byte blocks to copy
void CopyBy128(QWORD dest, QWORD src, DWORD cBlocks)
{
	for(int i = 0; i < cBlocks; i++)
	{
		write64(dest+(i*0x10), read64(src+(i*0x10)));
		write64(dest+(i*0x10)+8, read64(src+(i*0x10)+8))
	}
}

void ZeroBy128(QWORD addy, QWORD count)
{
	for(int i = 0; i < count; i++)
	{
		write64(addy+(i*0x10), 0ULL);
		write64(addy+(i*0x10)+8, 0ULL);
	}

}

QWORD getFuseline(DWORD fuse)
{
	if ((fuse * 0x40) < 0x300)
		return read64(SOC + ((fuse * 0x40) << 3));
	return 0;
}

void CBB_Jump(QWORD EntryPoint, QWORD NextBL)
{
	// presets for the next bootloader
	QWORD r27 = read64(SRAM + 0x20);
	QWORD r28 = read64(SRAM + 0x28);
	QWORD r29 = read64(SRAM + 0x30);
	QWORD r30 = read64(SRAM + 0x38);
	QWORD r31 = NextBL; // nand offset of the next bl

	// null the beginning of the cbb
	ZeroBy128(SRAM + 0x20, 0x12);

	DWORD tSize = (read32(SRAM + 0xC) + 0xF) & 0xFFFFFFF0;
	if(tSize > 0xC000)
		Panic(0xF3);

	// null the area after the cbb
	ZeroBy128(SRAM + tSize, (0xC000 - tSize) >> 4);

	// Sets r0-r26 and the CTR to 0

	// jump to cbb
	EntryPoint = (EntryPoint & 0xFFFF) + 0x2000000;
	goto EntryPoint;
}

void CBB_Load(const QWORD offCBB, QWORD destCBB)
{
	// sanity notes
	// r27 = TOC
	// r29 = destCBB - sram
	// r24 = offCBB
	// r30 = SOC
	// r31 = POST
	// r28 = r24 & 0xFFFFFFFF
	// r26 = NAND + r28

	// fuses:
	// 0x90: 0 - disable cpu jtag?
	// 0x98: 1 - retail/devkit?
	// 0xA0: 2 - CB LDV
	// 0xA8: 3 - CPUKey1
	// 0xB0: 4 - CPUKey1
	// 0xB8: 5 - CPUKey2
	// 0xC0: 6 - CPUKey2
	// 0xC8: 7 - LDV

	// first null the stack
	for(int i = 0; i < 0xB; i++)
		write64(stack-0x1A8+(i*8), 0ULL);

	POST(0xD1); // copy fuses for CBB decryption
	QWORD fuses[12] = { 0 };
	BYTE CPUKey[0x10] = { 0 };

	// if this is the mfg cb_a then the cpukey is set to 0
#ifdef RETAIL
	for(int i = 0; i < 12; i++)
		fuses[i] = getFuseline(i);
	QWORD fuse = fuses[3] | fuses[4]; // first CPUKey fuses
	write64(CPUKey, fuse);
	fuse = fuses[5] | fuses[6]; // second CPUKey fuses
	write64(CPUKey+8, fuse);
#endif

	POST(0xD2); // verify CBB offset
	DWORD cbbOffset = offCBB & 0xFFFFFFFF; // r28
	if(!VerifyOffset(cbbOffset, 0x10))
		Panic(0xF0);

	POST(0xD3); // copy cbb header to sram
	QWORD cbbAddy = NAND + cbbOffset;
	CopyBy128(destCBB, cbbAddy, 1);

	POST(0xD4); // verify header
	PBLHeader cbbHeader = (PBLHeader)destCBB;
	if((cbbHeader->Size - 0x3C0) > 0xBC40 // size check
		|| cbbHeader->Magic != read64(TOC) & 0xFFFF // magic check
		|| cbbHeader->EntryPoint & 0x3 // alignment check
		|| cbbHeader->EntryPoint < 0x3C0 // EntryPoint check
		|| cbbHeader->EntryPoint >= cbbHeader->Size & 0xFFFFFFFC // entrypoint/size relation check
		|| !VerifyOffset(cbbOffset, cbbHeader->Size))
		Panic(0xF1);

	POST(0xD5); // copy cbb to SRAM
	QWORD tSize = (cbbHeader->Size + 0xF) & 0xFFFFFFF0;
	CopyBy128(destCBB + 0x10, cbbAddy + 0x10, ((tSize - 0x10) >> 4) & 0xFFFFFFFF);

	POST(0xD6); // Gen cbb key
	// cbb key = hmacsha of the cb_a key, cb_b salt, and CPUKey
	XeCryptHmacSha(TOC+0x10, 0x10, &cbbHeader->key, 0x10, CPUKey, 0x10, 0, 0, &cbbHeader->key, 0x10);

	POST(0xD7); // set key
	XECRYPT_RC4_STATE rc4;
	XeCryptRc4Key(&rc4, &cbbHeader->key, 0x10);

	POST(0xD8); // decrypt cbb
	XeCryptRc4Ecb(&rc4, SRAM+0x20, tSize-0x20);

	POST(0xD9); // generate hash
	BYTE Hash[0x14] = { 0 };
	XeCryptRotSumSha(SRAM, 0x10, SRAM+0x140, tSize-0x140, Hash, 0x14);

	POST(0xDA); // verify integrity
	if(memcmp(Hash, TOC+0x39C, 0x14))
		Panic(0xF2);

	POST(0xDB); // jump to cbb
	write16(SRAM+6, read16(SRAM+6)); // copy flags
	CBB_Jump(cbbHeader->EntryPoint, tSize+offCBB);
	return;
}

void CBA_Main()
{
	// registers 27-31 are preset by the 1bl opon entry
	POST(0xD0); // CB_A entry, copy self to 0x800002000001C000 and continue from there
	DWORD size = *(QWORD*)SRAM+0xC;
	size = (size+0xF) >> 3;
	for(int i = 0; i < size; i++)
		write64(TOC+(i*8), read64(SRAM+(i*8)));

	// from now on we're executing from 0x800002000001C000
	CBB_Load(r31, SRAM);
}

Print this item