ANSWERED repairing flagged console

chriss179 · Jun 19, 2011

Hi everyone, i was thinking about this. I've got a flagged console here which hasn't connected to xbox live since it's flagged. Probarbly never will again. But that means no trusted content, corrupted profiles, saves, etc.

Now i tried removing the flag but dashboard updates do detect a nulled block in the nand so it got flagged once again.

I was thinking of simply using a different nand (not soldering but dumping another nand to that xbox) altogether, inject the KV and raw config and that way remove the flag even in any update to come...

Could that work? This is what you do if you transplant a CPU.. So why not remove the secdata flag that way??

I know it's a bit more work, but i really don't care about how much work it is. If it works once, it will be repeatable. And simply nulling blocks could lead to corruption in any part of the system.

Yeah system updates recognise the nulled block, repair the nand and restore the flag.

Martin C · Jun 19, 2011

So you have the CPU key for this console, yes?

Are you aware that mostly all the content on the NAND is encrypted with the CPU key?

chriss179 · Jun 20, 2011

you mean the kv and config not the entiren nand right? i mean 360flash tool is able to recognise a file system, bad blocks, etc with just the 1lb key.

chriss179 · Jun 20, 2011

In fact i've got it's (flagged 360) nand opened right now in 360 flash dump tool and it shows me everything except the KV, even the SMC_config is shown. So i stand corrected, only the KV is encrypted with the cpu serial. I think it'd be stupid to encrypt files in the nand with the cpu key indeed, as you would then be able to calculate the key as you know the contents of these files from jtagged consoles. the KV actually holds the serial of the cpu so you can't know or predict it's content.

Martin C · Jun 20, 2011

chriss179 said:
In fact i've got it's (flagged 360) nand opened right now in 360 flash dump tool and it shows me everything except the KV, even the SMC_config is shown. So i stand corrected, only the KV is encrypted with the cpu serial. I think it'd be stupid to encrypt files in the nand with the cpu key indeed, as you would then be able to calculate the key as you know the contents of these files from jtagged consoles. the KV actually holds the serial of the cpu so you can't know or predict it's content.

The KV doesn't hold the CPU key. Nothing in the NAND holds the CPU key. The CPU holds the CPU key!

The KV holds the console ID, OSIG, DVD key, etc.

chriss179 · Jun 20, 2011

The KV is encrypted using the cpu key, now that means as much as holding the cpu key.

Martin C · Jun 20, 2011

chriss179 said:
The KV is encrypted using the cpu key, now that means as much as holding the cpu key.

No, it's not the same thing at all. There is nothing in the NAND which holds the CPU key.

Since it's 32^16, have fun finding it.

BGAMods · Jun 20, 2011

you will not manually decrypt a nand, well not in this lifetime.

you should listen to martin, he knows what hes talking about and so do i and hes right. the kv is locked with a key and that key is located in the cpu, its like locking a padlock and storing the key elsewhere.

chriss179 · Jun 20, 2011

Ok and back on topic. The KV comes from the xbox360 console and i don't need to know it's contents. I don't care. It's unexploitable. What could i do with it's cpu key anyways?????? Run a jtag??? It's kernel 13416 or whatever the newest kernel version is. Fuses are long blown. My question was much more simple.

I have a flagged console. Now removing the flag by nulling the secdata nand block is recognised on a system update. That nandblock isn't remapped. It's not damaged. So it has been tampered with. So the flag returns.

There is a procedure to transplant a cpu from one motherboard to another, which is to keep the nand on the donor board, but inject the KV and RAW CONFIG. What my intentions were, is to read a nand from another xbox, a falcon as that one is a falcon too. Then inject the KV and RAW CONFIG. ENCRYPED. Never ever decrypting it as it's contents don't matter to me. I can't and i don't want to read them. I want to remove the flag! Thats the topic. Not the cpu serial. Now Martin told me that the "entire" nand is encrypted with the cpu key, which is untrue. We all check our nands in degraded and 360 flash tool before we even write something new when we jtag. I'm just connecting the dots here... Try it. You can extract every last file, look into the smc_config and everything just with the 1LB key.

Now since transplanting a cpu is possible with just injecting the KV and CONFIG FROM the orrigional to the donor board, i could imagine that actually writing a nand from a donor board and injecting the KV would work too. That was my question.

Just open up any nand in 360 flash dump tool of which you don't have the cpu serial and you'll be greeted with a bad KV. But i don't need to know anything about the KV since all i want is to remove the flag.
The KV isn't going on a different motherboard, neither is the processor. The dvd drive isn't going to be changed, nor is the mac adress, nor is anything going to be changed. Everything BUT the KV and config can be altered tho. I'm just connecting all the dots here to get a clear picture on what is what in the nand. Because "if" this is possible, i can clean up alot of stupid flags.

I mean it's easy to shout impossible, but at least tell me why. Saying the nand is all encrypted just isn't true. Why then can we read the entire nand except for the KV without the cpu serial?

I guess i'm simply going to do this and post results. All i really care for is that i don't have to short out my nand because the xbox won't turn on anymore (bad flash restore). i can always write the nand back if it doesn't work. But if it won't even turn on because it crashes immediatly when you insert the power plug then you have to pull a short on the nand to put it in mfg mode. which can damage the motherboard.

Martin C · Jun 20, 2011

"Why then can we read the entire nand except for the KV without the cpu serial?"

You don't understand - because you can dump the contents of the NAND, doesn't mean anything - the contents are still encrypted. You still need to have the CPU key to decrypt.

Even if you use 360 Flash Dump Tool to extract various sections of the NAND, the important stuff will be useless to any other console as you CANNOT DECRYPT THEM.

Drop $50 into my PayPal and I'll source you a paper on the 360 Security and CPU encryption. I'm not here to do your homework. If you believe it's possible, go do it. I'm telling you it can't be done and I'm not in the mood to argue with you.

chriss179 · Jun 20, 2011

Here's the thing now. I've unpacked a couple of nands with 360 flash tool to compare the files. Whats strange considering your explanation is that the files from different nands are identical, which they shouldn't be if they were encrypted using the cpu serial.... right?

Wrong.. They are identical. This can't be the one in a gazillion kind of luck. So no matter if your not willing to debate this. I'm still going to investigate further and see what i come up with. Lots of people with flagged consoles around..

So if you don't want to find it. I do!

But again it's untrue that the file system is encrypted with cpu key. You try it yourself. They have identical files....

chriss179 · Jun 20, 2011

here is a list of files thats different in the 2 nands i just compared... You can draw your conclusions, i know i'm drawing mine.:

clr.bin
extended.bin
odd.bin
secdata.bin
sysupdate.xexp1
sysupdate.xexp2

All the other files are 100% identical.

Now maybe i have your attention....

I bet you still have a nand around to reproduce this. i have done many jtags, so i have lots of nands around.... But this was my 10 cents yesterday... There have been cpu transplants by just replacing the KV and raw config. The rest of the nand was kept orrigional. That means this can be a valid unflagging method. only stupid question is why would nobody come up with that idea. The flag isn't stored in the cpu.......

Martin C · Jun 20, 2011

Maybe you should read my post again.

Here, I'll paste the important bit:

Even if you use 360 Flash Dump Tool to extract various sections of the NAND, the important stuff will be useless to any other console as you CANNOT DECRYPT THEM.

Congratulations - you've discovered that the system files are generic. Well done.

However I don't see the kv.bin, smc_config.bin, secdata.bin or smc.bin listed above.

Why's that?

Because, that's where the 'magic' happens (I call it magic as you fail to understand the importance of encryption).

There have been cpu transplants by just replacing the KV and raw config.

Yes, because the key needed to decrypt the important stuff is in the CPU you've just transplanted.

The flag isn't stored in the cpu.......

No, it's in the NAND, in secdata.bin which is encrypted by the CPU. You would need to decrypt a clean secdata.bin using the CPU key from that console, then encrypt it with your new CPU key and finally inject back into the NAND. The reason why the various NAND repair programs work without a CPU key is because at no point are you changing the signature of secdata.bin - you're just changing which instance is loaded.

Just tell me what part of the above you don't get and I'll do my best to explain it to you. I have three children under the age of ten so I'm quite used to having to break things into simpler terms.

Martin C · Jun 20, 2011

For clarity, if you were to transplant the CPU and NAND from an unbanned console, you would effectively unflag/unban it.

Really - is this the point you've been making all along?

chriss179 · Jun 20, 2011

I get it.... The "important stuff".

But now that you've actually repeated me you've shown that you were unaware of what you were saying. Because there is a inconsistency in what you're claiming now. I mean with a "nand repair" as you call it, you'd get an output like:

blablablabla
Creating patched filetables:
Patchedfiletable01D7By01D5.bin

Use:
nandpro.exe lpt: -w16 Patchedsecdata0226.bin 1D6 1
nandpro.exe lpt: -w16 Patchedfiletable01D7By01D5.bin 1D7 1

But when injecting a KV and raw config you'd get:
nandpro XBR.bin: -w16 rawkv.bin 1 1
nandpro XBR.bin: -w16 rawconfig.bin 3de 2

the "important stuff" you've been talking about isn't touched. So the new cpu on the donor board wouldn't be able to read the "important stuff" either. As it was orrigionaly created with a different cpu serial. So there is an inconsistency in your claim. Or someone who told that he transplanted a cpu with injecting the kv and raw config is full of sh*t. And i think i've broken it down for you.

Martin C · Jun 20, 2011

This is what happens when a child questions someone, when they know FA about something.

Who are you arguing with here?

Read what I've written again regarding NAND repairs. The secdata.bin sectors which you're moving around are from the SAME CONSOLE. They are still encrypted by the SAME CONSOLE. You cannot physically edit the secdata.bin as it's ENCRYPTED with the SAME CONSOLE.

Do you know what's involved in transplanting a CPU?

Truskillzz69 · Jun 20, 2011

some people never get perfectly explanations..you argument to Martin is pointless and your wasting your time with this when i know 100% you do not have the technology/money/program and what ever if possible to do by means of the "small man" to do this with out the right keys and what not your just wasting your time. Do you think your the only one who has tried this sort of thing?? i say you have a lot of research/reading to do before you come in and try and argue with people here who know what we are talking about when we say it cant be done. move along and get over yourself

Martin C · Jun 20, 2011

No no no, this guy's a certified genius - he's obviously stumbled upon something which everyone else has missed.

oh wait - no, he's not.

Truskillzz69 · Jun 20, 2011

Martin C said:
No no no, this guy's a certified genius - he's obviously stumbled upon something which everyone else has missed.

oh wait - no, he's not.

yea forgot that..my b..

i'll just let him do all the genius work myabe next week i can jtag my slim with all this new info hes finding "now"

chriss179 · Jun 20, 2011

Well thanks for being patient with me then. I'll scrap this project and be done with it.

And your last question. DO i know whats involved in a cpu transplant? Well i'd copy the entire nand, but i read you could keep everything, but simply inject the KV and raw config. I can't find the thread but it's on this forum i'm sure.

if i'd transplant a cpu it's only be if i had a fubar jtag. And then you'd have to overwrite the entire nand anyway. And yeah, it means you have to reball the thing. Which i have done many times before. I even tried to transplant a cpu

http://www.team-xecuter.com/forums/showthread.php?p=378074#post378074

It didn't work. So yeah i do have a clue on whats involved. Thats the very reason i created this thread and came up with the idea.

Search

Search

ANSWERED repairing flagged console

chriss179

Junior Member

Martin C

chriss179

Junior Member

chriss179

Junior Member

Martin C

chriss179

Junior Member

Martin C

BGAMods

chriss179

Junior Member

Martin C

chriss179

Junior Member

chriss179

Junior Member

Martin C

Martin C

chriss179

Junior Member

Martin C

Truskillzz69

Martin C

Truskillzz69

chriss179

Junior Member