Generating 100F0 at Dashboard

by the1Domo - 06-25-2020 - 07:25 PM
#1
Generating 100F0 at dashboard
Things you will need:
  1. an Xbox 360 on the latest dashboard
  2. a USB update of the latest update
  3. Le Fluffie for extracting from the update
  4. kernel updater for updating the kernel
  5. 1888 kernel
  6. XeBuild
So first of all we're going to talk about ECC: cached data is created on the PPC CPU.
The information below was taken from Wikipedia to give you a better understanding of the system.
ECC:
Error-correcting code memory is a type of computer data storage that
can detect and correct the most-common kinds of internal data corruption.
ECC memory is used in most computers where data corruption cannot be tolerated under
any circumstances, such as for scientific or financial computing. Wikipedia
System on a chip:
A system on a chip is an integrated circuit that integrates all or most components of a
computer or other electronic system. These components almost always include a central processing unit,
memory, input/output ports and secondary storage – all on a single substrate or microchip,
the size of a coin. Wikipedia
hypervisor:
A hypervisor is computer software, firmware or hardware that creates and runs virtual machines.
A computer on which a hypervisor runs one or more virtual machines is called a host machine,
and each virtual machine is called a guest machine. Wikipedia
Now that you understand these different systems...

(P.S. if you have any questions about these
 systems, write a reply and I will respond.)
#1 So the first thing we're going to do is create a base kernel, 1888 to 17559.

#2 So the first step at this point will be to generate 100F0, a starter base kernel for generating data later.

#3 To do this you're going to want to add code to your XeBuild patches for your system.

You're going to find out what system you have. I have a Jasper, so I'm going to use the Jasper patches. You're going to want to open the patch up in your hex editor, such as HxD.

Now at the end of those patches you'll see 4 bytes of 0xFFFFFFFF; make sure it's at the end of the file in your hex editor.
Make sure the null terminator, the 0xFFFFFFFF, remains; it tells the system that the patches are over.

Code:
00 00 20 E4 00 00 00 01 60 00 00 00
00 00 20 F0 00 00 00 01 60 00 00 00
00 01 01 00 00 00 00 0C
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55

Disable key generation patches:

00 00 20 E4 - address in hypervisor
00 00 00 01 - number of patches, in 0x04-byte intervals
60 00 00 00 - patch

00 00 20 F0 - address in hypervisor
00 00 00 01 - number of patches, in 0x04-byte intervals
60 00 00 00 - patch

Place hard-coded key patches:
00 01 01 00 - address in hypervisor
00 00 00 0C - number of patches, in 0x04-byte intervals

The key data that you want to patch to 0x010100 in the hypervisor:
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55
55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55

What we're doing here is resetting our keys to the default keys,

just like the system does before the reboot and re-initialization of the hypervisor.

void FUN_000020b0(bool param_1)
If you go to this address inside the hypervisor you will find a function that is used for checking hypervisor encryption data caching.
The function takes a bool parameter, which can be 0 (false) or 1 (true):
0 = uninitialized, first instance of hypervisor boot in the chain
1 = initialized, hypervisor 100F0 generated and keys set


So in this function we're generating or setting our keys.
Code:
  /* decompiler output; lVar7 = r2 + 0x10100 is the key block that the
     patch above overwrites with 0x55 */
  puVar3 = (byte*)HvpGetSocMMIORegs(0x24000);
  lVar7 = ZEXT48(&0x10100) + in_r2;
  lVar2 = in_r2;
  if (param_1 == 0) {
    /* first boot: write 0x0C words (0x30 bytes) of 0x55555555 into the block */
    lVar8 = 0xc;
    lVar6 = lVar7;
    do {
      *(undefined4 *)lVar6 = 0x55555555;
      lVar6 = lVar6 + 4;
      lVar8 = lVar8 + -1;
    } while (lVar8 != 0);
  }
  else {
    /* later boots: fill the same 0x30 bytes with random key material */
    J_XeCryptRandom(lVar7, 0x30);
  }


Inside this function, if the parameter is given a 0, it does the initial initialization of the hypervisor with the keys set to all 5s,
which is necessary for generating 100F0, as 100F0 is generated off the exact same data that is used for the ECC calculation,

however with the difference that the keys are set to 55555 for generating the 100F0 hash.

Technically this hash can be generated off the machine if you know how to initialize the data and create SOC memory.

For that I would recommend looking into a PowerPC G5 processor; weirdly enough it shares a lot of similarities with the Xbox 360.

On first initialization it sets the keys to 5555 for generating 100F0 off clean hypervisor data.
But at this point our data is not clean; we are just talking about the setup process.

The hypervisor is encrypted with AES.
If you want to do some more digging to understand how the key works: it uses the second key to salt the primary key to generate the actual key for AES decryption,
and there is no IV set.

https://github.com/g91/XBLS/blob/master/...HV_17559.c
If people would like, I will go into more detail on the security engine on request.

Okay, let's get back on topic.
Now that we know where the keys are being set and we're hard-coding the keys to 5555, we can clean the hypervisor data and dump the 100F0 hash.

This is the example code; you can run this code or a variation of it to achieve the same goal.
After you run this code you should have a clean hypervisor with 100F0 set properly.

Source code and test tool for testing after you have the keys set:
https://github.com/g91/100F0
if you like my posts and want to see more please plus rep
Reply
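As an added example (not code from the post, from XeBuild, or from the linked 100F0 repository): a small C program that parses patch entries in the layout the post lays out above (big-endian address, big-endian word count, that many 4-byte words, list closed by 0xFFFFFFFF), applies them to a stand-in hypervisor image, and then checks the two effects the post describes: the words at 0x20E4 and 0x20F0 become 0x60000000 (the PowerPC nop) and the 0x30-byte block at 0x10100 reads as all 0x55, the same fill the decompiled FUN_000020b0 writes when its parameter is 0. The patch bytes are the ones from the post with the 0xFFFFFFFF terminator appended; the image buffer is filler bytes rather than a real HV dump, and its size (0x10200) and the bounds checks are this example's own assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define HV_IMAGE_SIZE 0x10200u    /* assumption: just covers 0x10100 + 0x30 */
#define PPC_NOP       0x60000000u /* "60 00 00 00" = ori r0,r0,0, the PowerPC nop */
#define KEY_BLOCK_OFF 0x10100u    /* key block address used by the third entry */
#define KEY_BLOCK_LEN 0x30u       /* 0x0C words * 4 bytes, same as the 0xc loop */

/* Patch bytes from the post, followed by the 0xFFFFFFFF terminator that the
 * post says must remain at the end of the patch file. */
static const uint8_t g_patch[] = {
    0x00,0x00,0x20,0xE4, 0x00,0x00,0x00,0x01, 0x60,0x00,0x00,0x00, /* nop @ 0x20E4 */
    0x00,0x00,0x20,0xF0, 0x00,0x00,0x00,0x01, 0x60,0x00,0x00,0x00, /* nop @ 0x20F0 */
    0x00,0x01,0x01,0x00, 0x00,0x00,0x00,0x0C,                      /* 12 words @ 0x10100 */
    0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,
    0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,
    0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,
    0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,0x55,
    0xFF,0xFF,0xFF,0xFF                                            /* end of patches */
};

static uint32_t be32(const uint8_t *p) {
    return ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
}

/* Walk {address, word count, words...} entries and copy each entry's words
 * into img at that address. Returns the number of entries applied, or -1 if
 * the list is truncated, has no terminator, or would write outside img. */
int apply_xebuild_patches(uint8_t *img, size_t img_len,
                          const uint8_t *patch, size_t patch_len) {
    size_t pos = 0;
    int applied = 0;
    for (;;) {
        if (pos + 4 > patch_len) return -1;           /* ran off the end: no terminator */
        uint32_t addr = be32(patch + pos);
        if (addr == 0xFFFFFFFFu) return applied;      /* terminator reached */
        if (pos + 8 > patch_len) return -1;           /* count field missing */
        uint32_t words = be32(patch + pos + 4);
        size_t nbytes = (size_t)words * 4;
        if (words == 0 || nbytes / 4 != words) return -1;
        if (pos + 8 + nbytes > patch_len) return -1;  /* entry data truncated */
        if (addr > img_len || nbytes > img_len - addr) return -1; /* outside the image */
        memcpy(img + addr, patch + pos + 8, nbytes);
        pos += 8 + nbytes;
        applied++;
    }
}

/* Check the two effects the post describes: both key-generation sites are
 * now nops and the key block at 0x10100 reads as all 0x55. */
int verify_hardcoded_keys(const uint8_t *img, size_t img_len) {
    if (img_len < KEY_BLOCK_OFF + KEY_BLOCK_LEN) return 0;
    if (be32(img + 0x20E4) != PPC_NOP) return 0;
    if (be32(img + 0x20F0) != PPC_NOP) return 0;
    for (size_t i = 0; i < KEY_BLOCK_LEN; i++)
        if (img[KEY_BLOCK_OFF + i] != 0x55) return 0;
    return 1;
}

/* Stand-in for a decrypted HV image: filler bytes, no real code (assumption). */
int run_demo(void) {
    static uint8_t img[HV_IMAGE_SIZE];
    memset(img, 0xAA, sizeof img);
    int n = apply_xebuild_patches(img, sizeof img, g_patch, sizeof g_patch);
    if (n != 3) return 0;
    return verify_hardcoded_keys(img, sizeof img);
}

int main(void) {
    printf("patches applied and keys hard-coded: %s\n", run_demo() ? "yes" : "no");
    return 0;
}
```

The bounds checks are the part worth copying: a patch list with a bad count or a missing terminator should fail loudly rather than scribble past the end of the image, which is exactly the kind of corruption a stray byte in a hand-edited hex file produces.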
#2
Flaming will not be tolerated on this thread or any thread in this section. Warnings will not be given anymore; bans will be issued.
Reply
#3
This is literally the XeNoN method which has been released for years.
Reply
#4
(06-25-2020 - 08:07 PM)Matthew Wrote: This is literally the XeNoN method which has been released for years.

This is bits and pieces of code and half-assed explanations scattered across the web...
I can't wrap my head around his weird intentions here...
Reply
#5
Again, this isn't the Xenon method; this is a method for hard-coding keys for the encryption of the hypervisor and SOC memory. My intention is to try to teach people how to do things. I'm not trying to stroke my ego, I'm not trying to be mean to anyone, I'm trying to help people learn how to do something. That's it. Why do you have to keep doing this?

Literally all this is, is applying patches to the end of your Xe patches to stop the keys that are generated to encrypt the hypervisor, so you can hard-code your own set of keys. Maybe I should go into some more detail; I will try to rework it a little bit.
Reply
#6
(06-25-2020 - 08:11 PM)Tom Wrote:
(06-25-2020 - 08:07 PM)Matthew Wrote: This is literally the XeNoN method which has been released for years.

This is bits and pieces of code and half ass explanations scattered across the web...
I can't wrap my head around his weird intentions here..
Half of it's not related to the OP's topic either. Although informative, I think a quick and to-the-point explanation without the Wikipedia nonsense, especially considering most ppl don't care and are just gonna leech this.
Reply
#7
garbage garbage garbage
Reply
