360 Flash Dump Tool
Current Version: 0.97 | Written by MODFREAKz


This tool allows you to decrypt and extract various parts of an Xbox 360 flash dump. The flash is divided into two major parts:

1) The Cx sections (CB, CD, CE and 0, 1 or 2 CF and CG sections).
- CB: CPU bootup
- CD: unpacker for CE
- CE: contains the HV and Kernel in a .cab archive
- CF & CG: upgrade patches
The tool extracts and decrypts sections CB, CD and CE. Additionally it extracts the .cab file in section CE. This can be opened with WinRAR and the content (xboxkrnl.img) extracted. The first 256K of xboxkrnl.img is the Hypervisor; the remainder is the 2.0.1888 Kernel.

2) The Flash File System.
The tool expects a dump in which each page's data (512 bytes) is followed by its ECC (16 bytes). The ECC bytes are used to locate FS entries and to identify the version.
The tool consists of the exe and CxKey.txt. CxKey.txt is delivered with 32 '0's, which should be replaced with the key obtained from the 1BL. After all the fuss about AACS keys recently it seems risky to put the key in the exe. The Cx sections extracted from a dump will only decrypt correctly if the correct hex digits are inserted in the CxKey.txt file.
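The page-plus-spare layout described above is easy to get wrong when converting between a programmer's raw dump (512-byte pages only) and the tool's expected read format (512 data + 16 ECC/metadata bytes per page). The following Python is an added example and is not code from the 360 Flash Dump Tool or its author: it detects which of the two layouts an image is in, splits a read-format image into data and spare areas, strips or re-inserts the spare area, and computes the true image offset of a given erase block. The 16 KB small-block and 128 KB big-block erase sizes are taken from the FreeBOOT config style sizes quoted in the v0.94 notes; treating them as erase-block sizes, the size-based layout heuristic, and the constructed sample image are assumptions for illustration. The real tool regenerates the ECC when it converts a raw image; the ECC algorithm is not documented on this page, so `add_spare` only inserts a labelled placeholder spare area.

```python
"""Xbox 360 NAND page-layout helpers (added example, not the tool's own code)."""

PAGE_DATA = 512                      # user data bytes per NAND page (from the page text)
PAGE_SPARE = 16                      # ECC/metadata bytes stored after each page (from the page text)
PAGE_READ = PAGE_DATA + PAGE_SPARE   # 528 bytes per page in the tool's "read format"

# Assumption: small-block NAND uses 16 KB erase blocks, big-block NAND 128 KB
# (the 16Kb/128Kb FreeBOOT config sizes quoted in the v0.94 notes).
SMALL_BLOCK_SIZE = 16 * 1024
BIG_BLOCK_SIZE = 128 * 1024


def detect_layout(image: bytes) -> str:
    """Classify an image as 'read' (data+spare pages), 'raw' (data only) or 'unknown'.

    Heuristic (assumption): a whole number of 528-byte pages means the spare
    areas are present; otherwise a whole number of 512-byte pages means a raw
    programmer dump. The common sizes (16 MB raw vs 16.5 MB read, 64 MB raw vs
    66 MB read) are not multiples of both page sizes, so they classify cleanly.
    """
    size = len(image)
    if size == 0:
        return "unknown"
    if size % PAGE_READ == 0:
        return "read"
    if size % PAGE_DATA == 0:
        return "raw"
    return "unknown"


def split_pages(image: bytes) -> list:
    """Return a list of (data, spare) tuples for a read-format image."""
    if detect_layout(image) != "read":
        raise ValueError("image is not in read format (512 data + 16 spare bytes per page)")
    return [(image[i:i + PAGE_DATA], image[i + PAGE_DATA:i + PAGE_READ])
            for i in range(0, len(image), PAGE_READ)]


def strip_spare(image: bytes) -> bytes:
    """Convert read format to a raw (data-only) image by dropping every spare area."""
    return b"".join(data for data, _spare in split_pages(image))


def add_spare(raw: bytes, spare_fill: bytes = b"\xff" * PAGE_SPARE) -> bytes:
    """Convert a raw image to read-format page layout.

    The spare area is filled with a placeholder (erased-flash 0xFF by default);
    the real tool computes the ECC/metadata here, which this example does not.
    """
    if len(raw) % PAGE_DATA != 0:
        raise ValueError("raw image is not a whole number of 512-byte pages")
    if len(spare_fill) != PAGE_SPARE:
        raise ValueError("spare filler must be exactly 16 bytes")
    return b"".join(raw[i:i + PAGE_DATA] + spare_fill
                    for i in range(0, len(raw), PAGE_DATA))


def block_image_offset(block: int, big_block: bool = False, layout: str = "read") -> int:
    """True byte offset of erase block `block` inside an image of the given layout.

    This is the kind of offset a bad-block display needs: the block number is
    scaled by pages per block and by the per-page size of the image layout.
    """
    block_bytes = BIG_BLOCK_SIZE if big_block else SMALL_BLOCK_SIZE
    pages_per_block = block_bytes // PAGE_DATA
    page_bytes = PAGE_READ if layout == "read" else PAGE_DATA
    return block * pages_per_block * page_bytes


def build_sample_image(blocks: int = 2) -> bytes:
    """Constructed sample: `blocks` small blocks in read format with a tagged spare area."""
    pages = blocks * (SMALL_BLOCK_SIZE // PAGE_DATA)
    out = bytearray()
    for p in range(pages):
        out += bytes([p & 0xFF]) * PAGE_DATA                 # recognisable data pattern
        out += b"SP" + p.to_bytes(2, "big") + b"\xff" * 12  # placeholder spare, not real ECC
    return bytes(out)


if __name__ == "__main__":
    sample = build_sample_image()
    print("sample layout:", detect_layout(sample), "pages:", len(split_pages(sample)))
    raw = strip_spare(sample)
    print("raw layout:", detect_layout(raw), "bytes:", len(raw))
    print("block 1 offset (read format):", hex(block_image_offset(1)))
    print("round trip ok:", strip_spare(add_spare(raw)) == raw)
```

Run it on a real dump by reading the file into `bytes` and calling `detect_layout` first; feed only read-format images to `split_pages`, and treat `add_spare` output as a layout conversion that still needs the ECC filled in by the tool.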

What's new/fixed v0.97:
* Improved Nand Image detection
* Added support for small XeLL Images (1.3MB)
* Added ability to extract/import Slot0/Slot1 of ZeroPaired Images [XBR/freeBOOT/small XeLL]
* Added ability to detect/convert raw Images (made with external programmer) to proper read format
* Added ability to detect/convert Images without ECC data (made with Infectus device)
* Added ability to extract/import new 'dae.bin' file [DvdAuthEx]
* Added support for "Alternate KeyVault" decrypting/extracting
* Added option to rebuild an opened Nand Image with different CPU-Key (Bootloaders/HV and generic files)
* Added option in Settings to allow randomized encryption
* Added option in Settings to allow cut short BigBlock Nand Images (64MB)
* Fixed bug where the config block checksum was saved at the wrong offset (in rare cases)
* Changed: more accurate file extraction, subfolders are created automatically
* A lot of improvements and bug fixes

What's New/Fixed (v0.95):
* Added support for Trinity (XBOX360 Slim) dumps
* Added ability to extract new 'fcrt.bin' file (encrypted only at the moment)
* Added ability to display SMC Code Version
* Added ability to view Advanced KeyVault Info
* Fixed bug: patching the KeyVault works again
* Fixed bug: no longer crashes if Bootloaders are small in size (in rare cases)
* Fixed bug when re-encrypting the SMC in a Zero Paired Image

What's New/Fixed (v0.94):
* Added static SMC Config editing [change CPU/GPU Fan Speed, Calibration Data, MAC Address, ....] (Thanks to q36)
* Added support for single file "config.bin" editing/converting via Drag'n'Drop
* Added ability to convert Xellous/NandPro(info) raw SMC Config to different Styles and vice versa, e.g. for ibuild (Thanks to foouser):
  - FreeBOOT SmallBlock Style 16Kb
  - FreeBOOT BigBlock Style 128Kb
  - FlashTool SmallBlock Style 64Kb
  - FlashTool BigBlock Style 512Kb
  - BinCrypt2 Style 32Kb
* Added checksum calculation for static SMC Config Block (Thanks to cory1492)
* Added ability to extract/import encrypted KeyVault without known CPU Key [For Advanced Users]
* Added ability to extract ibuild compatible files (..\freeBOOT\Data)
* Added ability to open 70MB images (dumped with nandpro "-r70")
* Added Option menu to enable/disable several features
* Added Tooltips and Glass Effect
* Bugfix in Multiple CPU Key handling
* Fixed a lot of small bugs

What's new/fixed (since v0.91b):
* Added Support for Large Block nands (Jasper 256MB and 512MB nands)
* Added Support for DevKit images + region for DevKit
* Added Support for XBR/ZeroPaired images (still in development)
* Added Single CPU Key or Multiple CPU Key handling (max. 25 Keys)
* Added simple state indication via Progress Bar
* Added ability to display Bad Blocks with true image offsets
* Fixed bug in reading 7BL (CG) that have more blocks than specified in 6BL (CF)
* Fixed bug in reading bootloaders that are smaller than 1 block
* Fixed bug in kernel extract log with double slashes, more accurate extract log
* Fixed multiple memory leaks
* Fixed: application can now start without Administrator Rights or UAC enabled
* Updated config block logic with new info
* Changed appearance for more read comfort

What's New/Updated (since v0.90):
* Decrypts CF & CG (thanks again tmbinc)
* The .cab file extracted from CE now contains 2 files, Hypervisor.bin and xboxkrnl.exe
* Exported sections now include version number in the name
* Fixed CG extraction (see NAND Layout thread for info)
* Reverted CE.cab to single file (thanks Takires)
* As TheSpecialist said, extraction of the CE section is now working (and what a pig it was). You may now right click and select 'Extract' to get just the raw, decrypted CE section, or Kernel(s). Selecting Kernel(s) causes the application to extract the base (typically 1888) HV and Kernel as an uncompressed file, "xboxkrnl.1888.exe". The option to extract them as a .cab file has now been removed. If one or both of the patch (CF/CG) slots are occupied, they are applied to the base kernel and the result is also written as a file, xboxkrnl.XXXX.exe.
For example, if you have a base kernel (1888) and 2 patches (2858 and 4552) in your flash dump, load it into the tool, right click on CE and choose Kernel(s); you will get 3 files:
- xboxkrnl.1888.exe: the base HV & kernel, no patches
- xboxkrnl.2858.exe: the base HV & kernel, patched to 2858
- xboxkrnl.4552.exe: the base HV & kernel, patched to 4552
* I noticed an odd bug in the upgrade process while developing this tool. I have some dumps from a box where 4532 is upgraded to 4548. As I noted the other day, the first 0xBB40 bytes of CG are stored immediately after CF and the remainder is stored in FS blocks (there's a list in the CF header and they also appear in the FS as sysupdate.xexp files). Well, it appears during the update process from 4532 to 4548 the CG data for 4532 was deleted but the list in CF is still valid. This is odd since 4548 was not a lock down version, was it? Yet it would be impossible to roll back from a corrupt 4548 to 4532.
* It's very interesting to diff 4548 and 4552: they have << 100 bytes of differences, so I guess the exploit fix was pretty small.
* (v0.5) Now decrypts and extracts the Key Vault. You will need your CPU Fuses as dumped by Xell. The CxKey.txt file has changed, you need to add a ',' and your CPU Fuse data
* (v0.6) This release supports downgrading if you know your CPU key. Right click on a CF section and choose "Fix Version Lock", enter the new lock down number, click ok & then click "Patch" and choose the directory/filename for your patched flash image. The file produced is all fixed up and ready to be flashed into your 360.



Related Link: http://www.xboxhacker.net


Permalink:
https://www.360-hq.com/xbox360-homebrew-11.html