generating 100F0 at dashboard
Things you will need:
- an Xbox 360 on the latest dashboard
- a USB copy of the latest system update
- Le Fluffie, for extracting files from the update
- a kernel updater, for updating the kernel
- the 1888 kernel
- xeBuild
First of all we're going to talk about how the ECC cached data is created on the PPC CPU.
The information below was taken from Wikipedia to give you a better understanding of the system.
ECC:
Error-correcting code memory is a type of computer data storage that
can detect and correct the most-common kinds of internal data corruption.
ECC memory is used in most computers where data corruption cannot be tolerated under
any circumstances, such as for scientific or financial computing. Wikipedia
System on a chip:
A system on a chip is an integrated circuit that integrates all or most components of a
computer or other electronic system. These components almost always include a central processing unit,
memory, input/output ports and secondary storage – all on a single substrate or microchip,
the size of a coin. Wikipedia
hypervisor:
A hypervisor is computer software, firmware or hardware that creates and runs virtual machines.
A computer on which a hypervisor runs one or more virtual machines is called a host machine,
and each virtual machine is called a guest machine. Wikipedia
Now that you understand these different systems, we can move on.
(P.S. if you have any questions about these systems, write a reply and I will respond.)
#1 The first thing we're going to do is create a base kernel, from 1888 to 17559.
#2 The first step at this point will be to generate 100F0, a starter base kernel for generating data later.
#3 To do this you're going to want to add code to the xeBuild patches for your system.
Find out what system you have; I have a Jasper, so I'm going to use the Jasper patches. Open the patch file in a hex editor such as HxD.
At the end of those patches you'll see 4 bytes of 0xFFFFFFFF; make sure it is at the end of the file in your hex editor.
Make sure the terminator, 0xFFFFFFFF, remains: it tells the system that the patches are over.
Code:
00 00 20 E4 00 00 00 01 60 00 00 00
00 00 20 F0 00 00 00 01 60 00 00 00
00 01 01 00 00 00 00 0C 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55 55
Disable key generation patches:
00 00 20 E4 - address in hypervisor
00 00 00 01 - number of patches (count of 4-byte words)
60 00 00 00 - patch data
00 00 20 F0 - address in hypervisor
00 00 00 01 - number of patches (count of 4-byte words)
60 00 00 00 - patch data
Place hard-coded key patches:
00 01 01 00 - address in hypervisor
00 00 00 0C - number of patches (count of 4-byte words)
The key data that you want to patch in at 0x010100 in the hypervisor (48 bytes):
55 55 55 55 55 55 55 55 55 55 55 55 55
55 55 55 55 55 55 55 55 55 55 55 55 55
55 55 55 55 55 55 55 55 55 55 55 55 55
55 55 55 55 55 55 55 55 55
What we're doing here is resetting our keys to the default keys,
just like the system does before the reboot and re-initialization of the hypervisor.
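To check a patch file against the layout described above (big-endian 32-bit address, 32-bit word count, that many 32-bit words, list closed by a 0xFFFFFFFF word), here is a small parser and sanity checker. This is an added example written for this post; it is not the author's code and not part of xeBuild. The three entries are the bytes dumped above; the terminator word is appended by hand because the dump omits it, and the 0x30-byte key-block length is taken from the J_XeCryptRandom(lVar7, 0x30) call discussed further down.

```python
import struct

TERMINATOR = 0xFFFFFFFF   # end-of-list marker the post says must close the file
PPC_NOP = 0x60000000      # PowerPC "ori r0,r0,0", the canonical nop encoding
KEY_BLOCK_ADDR = 0x10100  # hypervisor offset of the key block (from the post)
KEY_BLOCK_LEN = 0x30      # 48 bytes, matching J_XeCryptRandom(lVar7, 0x30)

# Patch bytes as dumped in the post (three entries), followed by the
# 0xFFFFFFFF terminator the text requires but the dump leaves out.
# The terminator is a constructed addition for this sample input.
PATCH_BLOB = bytes.fromhex(
    "000020E4 00000001 60000000 "
    "000020F0 00000001 60000000 "
    "00010100 0000000C " + "55" * 48 + " FFFFFFFF"
)


def parse_patches(blob):
    """Walk address / word-count / words entries until the terminator.

    Returns (entries, end) where entries is a list of (address, words)
    and end is the offset just past the terminator. Raises ValueError
    if an entry is truncated or the terminator never appears.
    """
    entries = []
    off = 0
    while True:
        if off + 4 > len(blob):
            raise ValueError("no 0xFFFFFFFF terminator before end of data")
        (addr,) = struct.unpack_from(">I", blob, off)
        if addr == TERMINATOR:
            return entries, off + 4
        if off + 8 > len(blob):
            raise ValueError("truncated entry header at offset 0x%X" % off)
        (count,) = struct.unpack_from(">I", blob, off + 4)
        data_off = off + 8
        if data_off + 4 * count > len(blob):
            raise ValueError("entry at 0x%X claims %d words but data runs out"
                             % (off, count))
        words = list(struct.unpack_from(">%dI" % count, blob, data_off))
        entries.append((addr, words))
        off = data_off + 4 * count


def describe(entry):
    """Human-readable one-liner for a parsed entry."""
    addr, words = entry
    if all(w == PPC_NOP for w in words):
        body = "nop x%d" % len(words)
    elif len(set(words)) == 1:
        body = "%d words of 0x%08X" % (len(words), words[0])
    else:
        body = " ".join("%08X" % w for w in words)
    return "HV+0x%06X: %s" % (addr, body)


def audit(blob):
    """Checks worth doing before using a patch file: every entry parses,
    nothing trails the terminator, and the key patch covers exactly the
    0x30-byte block the hypervisor function fills at 0x10100."""
    entries, end = parse_patches(blob)
    key_words = [w for a, w in entries if a == KEY_BLOCK_ADDR]
    key_bytes = 4 * len(key_words[0]) if key_words else 0
    return {
        "entries": len(entries),
        "trailing_bytes": len(blob) - end,
        "key_patch_bytes": key_bytes,
        "key_patch_ok": key_bytes == KEY_BLOCK_LEN,
    }


if __name__ == "__main__":
    parsed, _ = parse_patches(PATCH_BLOB)
    for e in parsed:
        print(describe(e))
    print(audit(PATCH_BLOB))
```

Running it on the sample lists the two nop patches at 0x20E4 and 0x20F0 and the twelve-word 0x55555555 block at 0x10100, and the audit reports no trailing bytes and a key patch of exactly 0x30 bytes. Dropping the terminator (or a word of the key block) makes parse_patches raise, which is the failure the post warns about.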
void FUN_000020b0(bool param_1)
If you go to this address inside the hypervisor you will find the function used for hypervisor encryption data caching.
The function takes a bool parameter, which can be 0 (false) or 1 (true):
0 = uninitialized, first instance of hypervisor boot in the chain
1 = initialized, hypervisor 100F0 generated and keys set
So in this function we're generating or setting our keys.
Code:
puVar3 = (byte *)HvpGetSocMMIORegs(0x24000);
lVar7 = ZEXT48(&0x10100) + in_r2;   /* key block at hypervisor offset 0x10100 */
lVar2 = in_r2;
if (param_1 == 0) {
    /* first boot in the chain: fill the 12-word (0x30-byte) key block with 0x55555555 */
    lVar8 = 0xc;
    lVar6 = lVar7;
    do {
        *(undefined4 *)lVar6 = 0x55555555;
        lVar6 = lVar6 + 4;
        lVar8 = lVar8 + -1;
    } while (lVar8 != 0);
}
else {
    /* already initialized: fill the key block with 0x30 random bytes */
    J_XeCryptRandom(lVar7, 0x30);
}
Inside this function, if the parameter is 0 it does the initial initialization of the hypervisor with the keys set to all 5s (0x55555555),
which is necessary because 100F0 is generated off the exact same data that is used for the ECC calculation,
with the difference that the keys are set to all 5s for generating the 100F0 hash.
Technically this hash can be generated off the machine if you know how to initialize the data and create the SOC memory.
For that I would recommend looking into the PowerPC G5 processor, which weirdly enough shares a lot of similarities with the Xbox 360.
On first initialization it sets the keys to all 5s for generating 100F0 off of clean hypervisor data,
but at this point our data is not clean; we are just talking about the setup process.
The hypervisor is encrypted with AES.
If you want to do some more digging to understand how the key works: it uses the second key to salt the primary key to generate the actual key used for AES decryption,
and there is no IV set.
https://github.com/g91/XBLS/blob/master/...HV_17559.c
If people would like, I will go into more detail on the security engine if requested.
Okay, let's get back on topic.
Now that we know where the keys are being set, and we have hard-coded the keys to all 5s, we can clean the hypervisor data and dump the 100F0 hash.
This is the example code; you can run this code or a variation of it to achieve the same goal.
After you run this code you should have a clean hypervisor with 100F0 set properly.
Source code and test tool for testing after you have the keys set:
https://github.com/g91/100F0
If you like my posts and want to see more, please plus rep.