
Solved CPU Key Brute Forcing

  • Thread starter Kingkat714
  • Start date
  • Views 3,905
Kingkat714

Why has no one tried brute forcing the CPU key? It is only a 16^32 character hex string? I think I will make a simple multithreaded app to generate random keys and attempt to decrypt a NAND dump and loop through until it succeeds (maybe 2 days on a 6 core processor?) Am I being high or is this logical?

Here are some peeps
XeNoN.7
Cakes
Dwack
jester --lol
Kebob
S7 Pro
Evil Tim
chrispro1994 v2
droseum20
xMODDEDxSKILLZx
Fuse
Hacksorce - If he still checks here
teh1337 - maybe.
 
Evil Tim

Just saying, there is a limit on the number of people you can tag. You tagged me but I didn't get an alert, haha. You have to submit and then edit your post after so many tags; I believe the limit is 5, but I am not sure.
 
2Quick4U

> How did you get that? Every calculator I use cuts me off.
>
> Over time, if every single person with a console who has their CPU key put it into a huge database, and then these keys were excluded from the generation, this process would go soooo much faster.

They did make a tool; it has been out for at least 5 years. I have it on my PC somewhere; if you want it I will see if I can find it.

OK, I found it. Do you want it?

But just to let you know, the number of different combinations is the number 2 with 128 zeroes after it, or 2 to the 128th power.
lol
 
Big_Ddog

> They did make a tool; it has been out for at least 5 years. I have it on my PC somewhere; if you want it I will see if I can find it.
>
> OK, I found it. Do you want it?
>
> But just to let you know, the number of different combinations is the number 2 with 128 zeroes after it, or 2 to the 128th power.
> lol

I wouldn't mind trying it out. I have an Xbox here that I got for free and has no CPU key. Be nice to see if the tool would work.
 
Kingkat714

> I wouldn't mind trying it out. I have an Xbox here that I got for free and has no CPU key. Be nice to see if the tool would work.

Stahp. It has a CPU key; unless the CPU has been removed, it has a CPU key.

> They did make a tool; it has been out for at least 5 years. I have it on my PC somewhere; if you want it I will see if I can find it.
>
> OK, I found it. Do you want it?
>
> But just to let you know, the number of different combinations is the number 2 with 128 zeroes after it, or 2 to the 128th power.
> lol

Sure, I'll take it. Is it C#? I'd like to see the source. Do you know who made it?
 
Big_Ddog

> Stahp. It has a CPU key; unless the CPU has been removed, it has a CPU key.

Lol, to be literal it has a CPU key, smartass :wink:. Just whoever worked on it before I got it screwed something up, and now there is no CPU key to remake the NAND and see if I can get it going :tongue:.
 
Kingkat714

> Lol, to be literal it has a CPU key, smartass :wink:. Just whoever worked on it before I got it screwed something up, and now there is no CPU key to remake the NAND and see if I can get it going :tongue:.

THE CPU KEY IS PROGRAMMED BY THE CPU'S EFUSES (HARDWARE). UNLESS THE PERSON MICROSCOPICALLY REMOVED THOSE FUSES, THERE IS STILL A CPU KEY. YOU JUST DON'T KNOW THE KEY, AND IT IS LOST.
 
XOR

Lol, ok. This actually IS unfeasible, and if something like this were possible it would have been created much, much longer ago; it would completely defeat the point of encryption if everything could just be brute-forced...

There are 128 bits in a 16 byte key such as a CPU key (16 bytes, which is 32 characters when you don't look at it as a number). Each bit can hold 2 values; either 0 or 1. This means that there are 2^128 (340282366920938463463374607431768211456) different possibilities, therefore making something like this pretty much impossible.
 
VexxVoid

> THE CPU KEY IS PROGRAMMED BY THE CPU'S EFUSES (HARDWARE). UNLESS THE PERSON MICROSCOPICALLY REMOVED THOSE FUSES, THERE IS STILL A CPU KEY. YOU JUST DON'T KNOW THE KEY, AND IT IS LOST.

I think he is just trying to say the CPU key is unknown to him.
 
chrispro1994 v2

> What exactly can you do with someone's CPU key? Sorry for this.

Well, it's not to grab "someone's" CPU key; the point is to grab a CPU key off of a NAND dump in order to extract the KV.
I'll explain it this way since I know you don't understand: in order to extract a KV from a NAND dump, you need to decrypt it with the CPU key. The only way to obtain the CPU key is to perform a hack on the console and boot XeLL. In some cases (RGH 2.0...), a simple hack can be very frustrating and some consoles are just too stubborn and will not glitch; therefore no CPU key, no KV, and hours of wasted time and frustration. Dumping the NAND is the easiest step and requires maybe 10 minutes of time. You really can't screw up dumping the NAND.
The whole point of this post is to figure out a way of grabbing the CPU key by attempting to decrypt the NAND with millions of attempts. (Does 01 decrypt? No. Does 02 decrypt? No... and so on until you get a combination that decrypts the NAND.) That will be the CPU key, and no hack was ever performed on the console.

OP: Honestly, I have no idea on this one. I agree with others saying look for possible patterns or even some sort of algorithm. If you have your mind set on brute-forcing it, look up source code for brute-forcing Wi-Fi passwords? Again, I'm not sure how it's really done with WinPcap and whatnot. But WPA2 is AES encryption, which is an 8-byte hexadecimal key. Which in your case is half, so if you can find a source for brute-forcing AES then you may be in luck.

My opinion: unless there is some algorithm where you can simply open your NAND in a program and 'poof' a CPU key is generated... brute-forcing will take MUCH longer than just performing the hack to the console in the first place. This may even take days, when I've done RGHs in 20 minutes. Although, this may come in handy for those consoles that are stubborn and will not boot. Good topic though!
 
Kingkat714

> My opinion: unless there is some algorithm where you can simply open your NAND in a program and 'poof' a CPU key is generated... brute-forcing will take MUCH longer than just performing the hack to the console in the first place. This may even take days, when I've done RGHs in 20 minutes. Although, this may come in handy for those consoles that are stubborn and will not boot. Good topic though!

I really am just thinking about this as a challenge more than a practical method. It would still be useful for Xenons or RROD boxes (yes, I know you can still get the keys through the network). I'm currently looking at stuff for the AMD Mantle API in order to make things a hell of a lot faster; still a long time, but a lot faster. I'm really not that experienced with cryptography in general, but if I could develop a program that could open a bunch of NANDs with known CPU keys and analyze them to find a pattern, I most certainly would do that over a simple brute-force method.
 
TheDarkKnight

> Well, it's not to grab "someone's" CPU key; the point is to grab a CPU key off of a NAND dump in order to extract the KV.
> I'll explain it this way since I know you don't understand: in order to extract a KV from a NAND dump, you need to decrypt it with the CPU key. The only way to obtain the CPU key is to perform a hack on the console and boot XeLL. In some cases (RGH 2.0...), a simple hack can be very frustrating and some consoles are just too stubborn and will not glitch; therefore no CPU key, no KV, and hours of wasted time and frustration. Dumping the NAND is the easiest step and requires maybe 10 minutes of time. You really can't screw up dumping the NAND.
> The whole point of this post is to figure out a way of grabbing the CPU key by attempting to decrypt the NAND with millions of attempts. (Does 01 decrypt? No. Does 02 decrypt? No... and so on until you get a combination that decrypts the NAND.) That will be the CPU key, and no hack was ever performed on the console.
>
> OP: Honestly, I have no idea on this one. I agree with others saying look for possible patterns or even some sort of algorithm. If you have your mind set on brute-forcing it, look up source code for brute-forcing Wi-Fi passwords? Again, I'm not sure how it's really done with WinPcap and whatnot. But WPA2 is AES encryption, which is an 8-byte hexadecimal key. Which in your case is half, so if you can find a source for brute-forcing AES then you may be in luck.
>
> My opinion: unless there is some algorithm where you can simply open your NAND in a program and 'poof' a CPU key is generated... brute-forcing will take MUCH longer than just performing the hack to the console in the first place. This may even take days, when I've done RGHs in 20 minutes. Although, this may come in handy for those consoles that are stubborn and will not boot. Good topic though!

So, from the NAND dump you can extract the KV?
 
Hect0r

Hey everyone, I kinda solved this a while ago by writing a C variant for Linux (it can be ported to Windows, but I really cba with it as I only use Linux now). Anyway, for all who are interested: it loops through the two unsigned longs; the first long is divided by the number of threads you set (must be even), and then it splits it into workable groups in threads to manage the key generation and make sure they do not overlap and generate the same thing :smile:

Anyway, here it is for all those interested:
[Click here to view this link]

all the best !

Hect0r.
 