Xbox Software Specific Information

TGK Mar 30, 2014

    Research Links:
    www.free60.org/Boot_Process
    www.free60.org/Hypervisor
    www.youtube.com/playlist?list=PLAE85DE8440AA6B83
    www.youtube.com/watch?v=hNFcuvzXSeY

    Required Knowledge:
    Xbox 360 software specifics
    C++
    PPC
    Basic IDA knowledge

    Software:
    XeDumpHV
    IDA
    HxD

    IDA Plugins Used:
    XEXLoader
    PPC

    Where to Start (if you want to learn about the HV):
    If you've already learned at least basic PPC instructions and C++'s data types, then the first thing to do would be to start researching. You should start at sub_2210 and reverse everything so you will understand what it does and what the instructions and the function are trying to accomplish. After you've reversed sub_2210, you should have a basic understanding of what to do next after reading all of this information.

    Hypervisor Info:
    HV = Hypervisor
    The HV is the first 256KB of the Xbox kernel.
    Sub_2210 in 16537/16547 in the HV generates the hash at 0x100f0.
    The HV is dirty until you have reversed everything, not just the XeBuild changes, but the hashes too. That is a fully clean HV. SHA-1 is a type of hash algorithm that takes any combination of parameters and generates a specific key just for that combination of parameters. Now in Xbox terms, the hypervisor checks certain parts of memory to generate the hash. The data that it checks happens to be modified on a JTAG/RGH, therefore making the entire hash value incorrect. So your goal is to reverse the function that generates the hash in the HV, figure out what data it hashes, and do more reversing to figure out how to get that data back to its original state so the hash value will be correct. Also, you will need the HV to be in a "live" state, which means that the hypervisor was dumped from memory whilst the Xbox was on.


    How to Get xam.xex Easily:
    First off, you need to go to support.xbox.com/en-US/xbox-360/...4b5c1f100d which has the offline USB update files needed to update the console.
    After you've completed downloading it, open the file and look for a file like this su00000000_00000000 (will be different). After you've found it, go ahead and extract the file to your desired location. Once you've extracted the file, open up Le Fluffie and go to File > Open a file and select the file we've extracted. Go to 'Contents' and look for a file called $flash_xam.xex. After you've found it, right click it and press 'Extract File' and put the file name as "xam.xex" and select 'Save'.


    Getting Basic Functions' Updated Offsets (found in xam.xex):
    Getting the most updated offsets is easy. All you need to do is open the most recent xam.xex and search for the "XamExecuteChallenge" and the "XeKeysExecute" functions. XamExecuteChallenge has the offset that we need in order to patch the branch to MmGetPhysicalAddress. You can get to XamExecuteChallenge & XeKeysExecute easily by going to the top, then pressing Jump > Jump to function, and when the dialog comes up, typing "XamExecuteChallenge". (NOTICE: Don't use the MmPatchPhysicalAddress offset! It will patch the whole function, which is not what we want to do! We want to patch the branch to the function.) In XamExecuteChallenge, search for a line that looks like this, ".text:00000000 bl MmGetPhysicalAddress", and copy the offset to the left and you've got it! Now for XeKeysExecute, you can simply get the offset of the function.


    16547 Offsets:
    Branch to MmPatchPhysicalAddress: 0x81679904
    XeKeysExecute: 0x81A732DC


    Credits:
    chrispro1994
    TEIR1plus2
    Me
    IDA
    Liability

    I will be updating this and editing it as times go by.
    Links to software and plugins will be posted soon.
    This information is used to help you do what you please. These tutorials and information were not made to help you accomplish any specific task.