Xenon CPU to Zephyr. Is it possible ?

[[email protected]]

I transplanted Xenon CPU to Zephyr and tried to get CPU key via R-JTAG. The farthest it went is Post 58 - INIT_HYPERVISOR.
Of course there is a probability that CPU didn't survive the procedure, as well as some caps around it. As I don't know the CPU key I can't create retail Zephyr image.

Post 10 - Payload/1BL started 
Post 11 - FSB_CONFIG_PHY_CONTROL 
Post 12 - FSB_CONFIG_RX_STATE 
Post 13 - FSB_CONFIG_TX_STATE 
Post 14 - FSB_CONFIG_TX_CREDITS 
Post 15 - FETCH_OFFSET 
Post 16 - FETCH_HEADER 
Post 17 - VERIFY_HEADER 
Post 18 - FETCH_CONTENTS 
Post 19 - HMACSHA_COMPUTE 
Post 1A - RC4_INITIALIZE 
Post 1B - RC4_DECRYPT 
Post 1C - SHA_COMPUTE 
Post 1D - SIG_VERIFY 
Post 12 - FSB_CONFIG_RX_STATE 
Post 10 - Payload/1BL started 
Post 11 - FSB_CONFIG_PHY_CONTROL 
Post 12 - FSB_CONFIG_RX_STATE 
Post 13 - FSB_CONFIG_TX_STATE 
Post 14 - FSB_CONFIG_TX_CREDITS 
Post 15 - FETCH_OFFSET 
Post 16 - FETCH_HEADER 
Post 17 - VERIFY_HEADER 
Post 18 - FETCH_CONTENTS 
Post 19 - HMACSHA_COMPUTE 
Post 1A - RC4_INITIALIZE 
Post 1B - RC4_DECRYPT 
Post 1C - SHA_COMPUTE 
Post 1D - SIG_VERIFY 
Post 10 - Payload/1BL started 
Post 11 - FSB_CONFIG_PHY_CONTROL 
Post 12 - FSB_CONFIG_RX_STATE 
Post 10 - Payload/1BL started 
Post 11 - FSB_CONFIG_PHY_CONTROL 
Post 12 - FSB_CONFIG_RX_STATE 
Post 13 - FSB_CONFIG_TX_STATE 
Post 14 - FSB_CONFIG_TX_CREDITS 
Post 15 - FETCH_OFFSET 
Post 16 - FETCH_HEADER 
Post 17 - VERIFY_HEADER 
Post 18 - FETCH_CONTENTS 
Post 19 - HMACSHA_COMPUTE 
Post 1A - RC4_INITIALIZE 
Post 1B - RC4_DECRYPT 
Post 1C - SHA_COMPUTE 
Post 1D - SIG_VERIFY 
Post 1E - BRANCH 
Post 20 - CB entry point reached 
Post 21 - INIT_SECOTP 
Post 22 - INIT_SECENG 
Post 2F - RELOCATE 
Post 2E - HWINIT 
Post 31 - FETCH_HEADER_4BL_CD 
Post 33 - FETCH_CONTENTS_4BL_CD 
Post 34 - HMACSHA_COMPUTE_4BL_CD 
Post 35 - RC4_INITIALIZE_4BL_CD 
Post 36 - RC4_DECRYPT_4BL_CD 
Post 37 - SHA_COMPUTE_4BL_CD 
Post 3A - BRANCH 
Post 40 - Entrypoint of CD reached 
Post 42 - FETCH_HEADER 
Post 44 - FETCH_CONTENTS 
Post 45 - HMACSHA_COMPUTE 
Post 46 - RC4_INITIALIZE 
Post 47 - RC4_DECRYPT 
Post 48 - SHA_COMPUTE 
Post 4B - LZX_EXPAND 
Post 4E - FETCH_OFFSET_6BL_CF 
Post 4F - VERIFY_OFFSET_6BL_CF 
Post 50 - LOAD_UPDATE_1 
Post 52 - BRANCH 
Post 58 - INIT_HYPERVISOR

 

[Scrufdog]

Xenon and Zephyr cpus are interchangeable. Make sure you are running everything as though it were a normal Zephyr (timing files, Nand building). Be sure to flash the correct Xell for an r-jtag Zephyr.

 

[canyou664]

Yes can be

 

[[email protected]]

I might popcorn the CPU, I see very small bubble on it
Maybe I will try to replace several capacitors around CPU, but I don't believe that I will revive this board.

 

[[email protected]]

Is it possible to build Zephyr retail image from Xenon retail image without having CPU key ? Is it possible to replace CB, SMC, SMC config ?

 

[jsinger47]

Is it possible to build Zephyr retail image from Xenon retail image without having CPU key ? Is it possible to replace CB, SMC, SMC config ?

No. Everything is encrypted by the CPU key.

In the case of a spelling error, I blame Tapatalk.

 

[[email protected]]

I soldered this CPU back to Xenon board and it works. So my experiment to get Xenon CPU key by installing it onto Zephyr board and using R-JTAG 1.1 failed.

 

[Martin C]

I soldered this CPU back to Xenon board and it works. So my experiment to get Xenon CPU key by installing it onto Zephyr board and using R-JTAG 1.1 failed.

So you think the exploit is down to the motherboard and not the CPU & Bootloaders? I could have set you straight had you just asked the question.

 

[[email protected]]

So you think the exploit is down to the motherboard and not the CPU & Bootloaders? I could have set you straight had you just asked the question.

Even though it's one and the same CPU I suspect that e-fuse set is different for Xenon and Zephyr boards, and therefore Zephyr CB might refuse working on. RGH2 doesn't check CB version though, so I thought that R-JTAG doesn't check it either. Regular JTAG and RGH1 checks CB version, I know that for sure

 

[Martin C]

Even though it's one and the same CPU I suspect that e-fuse set is different for Xenon and Zephyr boards, and therefore Zephyr CB might refuse working on. RGH2 doesn't check CB version though, so I thought that R-JTAG doesn't check it either. Regular JTAG and RGH1 checks CB version, I know that for sure

You're completely missing the point. The efuse and timing is all to do with the processor. How do you not know this??

 

[[email protected]]

You're completely missing the point. The efuse and timing is all to do with the processor. How do you not know this??

Yep, I'm missing the point, I don't understand the theory why Xenon CPU won't work on Zephyr board with R-JTAG chip. The only explanation I can come up with is that Xell-image for R-JTAG checks CB version at some point and this check fails.

 

[Martin C]

Because it's still a Xenon. It doesn't matter what board you put it on. You're still trying to R-JTAG a xenon console. Therefore you would need 'xenon timings'.

If you put a Falcon CPU on a Jasper motherboard, it's a Falcon. Bootloaders are falcon.

 

[[email protected]]

Because it's still a Xenon. It doesn't matter what board you put it on. You're still trying to R-JTAG a xenon console. Therefore you would need 'xenon timings'.

If you put a Falcon CPU on a Jasper motherboard, it's a Falcon. Bootloaders are falcon.

Good point, but if you look at my post log you will see that it passed that point where it always fails if R-JTAG doesn't glitch.
If you try to use Xenon boot chain on Zephyr board (even with Xenon CPU) it bricks the motherboard (it doesn't even power up after this), the only way to bring it back to responsive state is to short some legs on NAND chip.

 

[Martin C]

Good point, but if you look at my post log you will see that it passed that point where it always fails if R-JTAG doesn't glitch.
If you try to use Xenon boot chain on Zephyr it bricks the motherboard, the only way to bring to back to responsive state is to short some legs on NAND chip.

That's not true at all. You're getting boot chain and SMC mixed up.

 

[[email protected]]

If you put a Falcon CPU on a Jasper motherboard, it's a Falcon. Bootloaders are falcon.

I suspected that this is not true. Now it's confirmed 100%. I put Falcon JTAG'able CPU to Jasper 512 and built 7371 retail image for Jasper with Jasper bootloader 6723. Console booted up! Then I JTAG'ed it. See screenshots.