Discussion: Jtag back online start
Thread starter: pepsicola

pepsicola:
With the new hotfix, Microsoft has blocked modified consoles from connecting to Xbox Live.
Many who have bypassed this update have given out some hints to the rest of us. It is said that you need to update the chal_resp.bin.

I do not claim to be any good at coding at all, but hopefully this information can help someone else. This was posted a while back by I'm not sure who, but I hope it helps.

// XeKeysExecute challenge dumper (Xbox 360 XDK C++). The thread notes that the
// headers are missing: <xtl.h> is the XDK header, "xkelib.h" is the community
// header that declares the kernel exports used here (DbgPrint, HalReturnToFirmware,
// MmGetPhysicalAddress, XPhysicalAlloc, XeCrypt*). All addresses are for
// kernel/XAM build 14719 only.
#include <xtl.h>
#include "xkelib.h"

// Helpers from the poster's own hooking library, not included in the thread.
// Prototypes are inferred from the call sites below; XBOX_KRNL is whatever
// module identifier that library's resolveFunct() expects for xboxkrnl.exe.
extern PVOID resolveFunct(DWORD module, DWORD ordinal);
extern void patchInJump(PDWORD address, DWORD destination, bool linked);

typedef DWORD (*XEKEYSEXECUTE)(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8);

BOOL DecryptChallenge(BYTE* data, DWORD fileSize);

// Catching the call to XeKeysExecute in XAM and directing it to this function
// instead of the actual kernel function. Because patchPhysicalAddr() NOPs the
// MmGetPhysicalAddress call in XAM, HVSalt arrives here as a virtual pointer
// that we can read; we convert it ourselves before calling the real kernel.
DWORD XeKeysExecuteHook(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8)
{
    // Ordinal 607 of xboxkrnl.exe is XeKeysExecute
    XEKEYSEXECUTE XeKeysExecute = (XEKEYSEXECUTE)resolveFunct(XBOX_KRNL, 607);
    SYSTEMTIME LocalSysTime;
    GetLocalTime(&LocalSysTime);
    DbgPrint("Entering Xbox Live Challenge hook\n");
    DbgPrint("SystemTime: %d-%d-%d\t%d:%d:%d\n", LocalSysTime.wMonth, LocalSysTime.wDay, LocalSysTime.wYear,
             LocalSysTime.wHour, LocalSysTime.wMinute, LocalSysTime.wSecond);
    DbgPrint("r3 = 0x%08X, r4 = 0x%08X, r5 = 0x%08X\n", chalData, size, HVSalt);
    DbgPrint("r6 = 0x%016I64X, r7 = 0x%016I64X, r8 = 0x%016I64X\n", krnlBuild, r7, r8);

    // Decrypt the challenge data. It seems to share the same header as a bootloader:
    //   char[2]    Magic
    //   short      Version
    //   int        Flags
    //   int        EntryPoint
    //   int        Size
    //   byte[0x10] HMAC hash -> RC4 key
    // Size is read straight from the buffer in native (big-endian PowerPC) order.
    DWORD dataSize = *(DWORD*)(chalData + 0xC);
    // Sanity check added here: the field must at least cover the 0x20-byte header
    // and must not exceed the buffer XAM handed us, or DecryptChallenge over-reads.
    if (dataSize < 0x20 || dataSize > size)
    {
        DbgPrint("Bad size field 0x%08X in challenge header (buffer is 0x%08X)\n", dataSize, size);
        HalReturnToFirmware(6);
    }
    if (!DecryptChallenge(chalData, dataSize))
    {
        DbgPrint("Error decrypting challenge :(\n");
        HalReturnToFirmware(6);
    }

    // Create HV salt file
    HANDLE hvSalt = CreateFile("hdd:\\XeKeysExecute_HVSalt.bin", GENERIC_WRITE,
                               FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hvSalt == INVALID_HANDLE_VALUE)
    {
        DbgPrint("Error Creating HV Salt File\n");
        HalReturnToFirmware(6);
    }
    DbgPrint("File Created\n");
    // Save the 16-byte HV salt
    DWORD saltOut = 0;
    if (WriteFile(hvSalt, HVSalt, 0x10, &saltOut, NULL))
        DbgPrint("Saved HV Salt\n");
    else
        DbgPrint("Could not save HV Salt :(\n");
    // Close our HV salt handle
    CloseHandle(hvSalt);

    DbgPrint("Dumping resp\n");
    // Execute the challenge: do the address translation we patched out of XAM,
    // then go to the actual kernel function, which fills chalData with the response
    BYTE* physSalt = (BYTE*)MmGetPhysicalAddress(HVSalt);
    XeKeysExecute(chalData, size, physSalt, krnlBuild, r7, r8);

    HANDLE chalResp = CreateFile("hdd:\\XeKeysExecute_resp.bin", GENERIC_WRITE,
                                 FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (chalResp == INVALID_HANDLE_VALUE)
    {
        DbgPrint("Error Creating Response File\n");
        HalReturnToFirmware(6);
    }
    DbgPrint("Response File Created\n");
    // Save the challenge response
    DWORD respOut = 0;
    if (WriteFile(chalResp, chalData, size, &respOut, NULL))
        DbgPrint("Saved response data\n");
    else
        DbgPrint("Could not save response data :(\n");
    // Close our challenge response dump
    CloseHandle(chalResp);

    // We dumped the challenge data -> reboot
    DbgPrint("Dumped Challenge - Rebooting System\n");
    HalReturnToFirmware(6);
    return 0;
}

// Patch the MmGetPhysicalAddress call inside XAM's challenge function so the hook
// receives the virtual address of the HV salt. 0x60000000 is the PowerPC nop
// (ori r0,r0,0); the address is for build 14719.
void patchPhysicalAddr()
{
    DbgPrint("Patching MmGetPhysicalAddress in challenge function so we can grab the HV Salt\n");
    UINT32* addr = (UINT32*)(0x81677EE4); // 14719
    addr[0] = 0x60000000;
}

// Decrypt a copy of the challenge and write it to hdd:\XeKeysExecute_chalData_dec.bin.
// The caller's buffer is left untouched so the kernel still gets the original.
BOOL DecryptChallenge(BYTE* data, DWORD fileSize)
{
    DbgPrint("Decrypting XeKeysExecute Challenge Data\n");
    XECRYPT_RC4_STATE rc4;
    BOOL ok = FALSE;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    DWORD written = 0;
    // 16-byte HMAC key; the original author's comment says it was found in the HV
    BYTE key[0x10] = {0xDD, 0x88, 0xAD, 0x0C, 0x9E, 0xD6, 0x69, 0xE7, 0xB5, 0x67, 0x94, 0xFB, 0x68, 0x56, 0x3E, 0xFA};

    BYTE* decChalData = (BYTE*)XPhysicalAlloc(fileSize, MAXULONG_PTR, 0, PAGE_READWRITE);
    BYTE* rc4Key = (BYTE*)XPhysicalAlloc(0x10, MAXULONG_PTR, 0, PAGE_READWRITE);
    if (decChalData != NULL && rc4Key != NULL)
    {
        memcpy(decChalData, data, fileSize);
        // RC4 key = first 0x10 bytes of HMAC-SHA1(key, 16-byte hash at header +0x10)
        XeCryptHmacSha(key, 0x10, decChalData + 0x10, 0x10, NULL, 0, NULL, 0, rc4Key, 0x10);
        XeCryptRc4Key(&rc4, rc4Key, 0x10);
        // Decrypt everything after the 0x20-byte header, in place in the copy
        XeCryptRc4Ecb(&rc4, decChalData + 0x20, fileSize - 0x20);

        hFile = CreateFile("hdd:\\XeKeysExecute_chalData_dec.bin", GENERIC_WRITE,
                           FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
        if (hFile != INVALID_HANDLE_VALUE)
        {
            DbgPrint("Created Challenge File\n");
            if (WriteFile(hFile, decChalData, fileSize, &written, NULL) && written == fileSize)
            {
                DbgPrint("Decrypted challenge data saved\n");
                ok = TRUE;
            }
            else
                DbgPrint("Could not save decrypted challenge data\n");
            CloseHandle(hFile);
        }
        else
            DbgPrint("Could not create challenge file\n");
    }
    else
        DbgPrint("Could not allocate challenge buffers\n");

    // Free on every path, not only on success
    if (decChalData != NULL) XPhysicalFree(decChalData);
    if (rc4Key != NULL) XPhysicalFree(rc4Key);
    return ok;
}

//////////////////////////////////////////////////////////////////////////////////////////
// The thread shows only the two calls below, run from the module's entry point;
// the wrapper name is an assumption added here.
void InstallXeKeysExecuteHook()
{
    patchPhysicalAddr();
    // Redirect XAM's call site at 0x81A30364 to our hook (third argument as posted)
    patchInJump((PDWORD)(0x81A30364), (DWORD)XeKeysExecuteHook, false);
}
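An offline model of the container layer that the code above decrypts, as an added example (not code from the thread, from XeDumpChallenge, or from Microsoft). It follows only what the posted comments and calls state: a 0x20-byte bootloader-style header (magic, version, flags, entry point, size, 16-byte hash), an RC4 key that is the first 16 bytes of HMAC-SHA1 over the header hash using the 16-byte constant from the posted code, and RC4 over everything after the header. It assumes XeCryptHmacSha is HMAC-SHA1 and that fields are big-endian as the PowerPC kernel reads them. The magic value, sample body, and function names are constructed for the example, and `build_challenge()` is a test helper that wraps a body with the same symmetric scheme; the real producer is out of scope. Unlike the posted hook, `parse_header()` rejects a size field that does not fit the buffer before anything is decrypted, which is the check a practitioner would want when feeding it an arbitrary dump.

```python
"""Offline model of the XeKeysExecute challenge container (added example)."""
import hashlib
import hmac
import struct
from dataclasses import dataclass
from typing import Tuple

# Header layout from the posted comments: char[2] magic, short version, int flags,
# int entry point, int size, byte[0x10] HMAC hash. 0x20 bytes, big-endian.
HEADER = struct.Struct(">2sHIII16s")
HEADER_LEN = HEADER.size  # 0x20

# The 16-byte HMAC key constant used by the posted DecryptChallenge().
HV_KEY = bytes.fromhex("DD88AD0C9ED669E7B56794FB68563EFA")


@dataclass
class ChallengeHeader:
    magic: bytes
    version: int
    flags: int
    entry_point: int
    size: int
    header_hash: bytes


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (what XeCryptRc4Key/XeCryptRc4Ecb do); one call both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_rc4_key(hv_key: bytes, header_hash: bytes) -> bytes:
    """XeCryptHmacSha(key, 0x10, hash, 0x10, ..., out, 0x10): HMAC-SHA1 truncated to 16 bytes."""
    return hmac.new(hv_key, header_hash, hashlib.sha1).digest()[:16]


def parse_header(blob: bytes) -> ChallengeHeader:
    """Parse the header and sanity-check the size field that the posted hook trusts blindly."""
    if len(blob) < HEADER_LEN:
        raise ValueError("blob shorter than the 0x20-byte header")
    magic, version, flags, entry, size, header_hash = HEADER.unpack_from(blob, 0)
    if size < HEADER_LEN or size > len(blob):
        raise ValueError(f"size field 0x{size:X} does not fit buffer of 0x{len(blob):X} bytes")
    return ChallengeHeader(magic, version, flags, entry, size, header_hash)


def decrypt_challenge(blob: bytes, hv_key: bytes = HV_KEY) -> Tuple[ChallengeHeader, bytes]:
    """Return the parsed header and the blob with its body decrypted (header kept as-is)."""
    hdr = parse_header(blob)
    key = derive_rc4_key(hv_key, hdr.header_hash)
    body = rc4(key, blob[HEADER_LEN:hdr.size])
    return hdr, blob[:HEADER_LEN] + body


def build_challenge(body: bytes, hv_key: bytes = HV_KEY, magic: bytes = b"XC",
                    version: int = 1, flags: int = 0, entry_point: int = HEADER_LEN) -> bytes:
    """Constructed test blob wrapping `body` in the same container. The header hash is
    arbitrary here (SHA-1 of the body); how the real producer fills it is unknown."""
    header_hash = hashlib.sha1(body).digest()[:16]
    size = HEADER_LEN + len(body)
    header = HEADER.pack(magic, version, flags, entry_point, size, header_hash)
    return header + rc4(derive_rc4_key(hv_key, header_hash), body)


# Constructed sample body: a few PowerPC-sized words plus a marker string.
SAMPLE_BODY = struct.pack(">4I", 0x7C0802A6, 0x38600000, 0x4E800020, 0x60000000) + b"challenge-body"


if __name__ == "__main__":
    sample = build_challenge(SAMPLE_BODY)
    header, decrypted = decrypt_challenge(sample)
    print(header)
    print("body round-trips:", decrypted[HEADER_LEN:] == SAMPLE_BODY)
```

To inspect a real dump, pass the raw bytes of an XeKeysExecute challenge buffer to `decrypt_challenge()` and compare the result with the `_chalData_dec.bin` file the hook writes; if the two disagree, either the HMAC construction or the key constant differs from what the posted code assumes.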
 
inloxicater:
The likelihood that anyone knows how to modify this is slim, and if they did, they wouldn't release it. Most likely Microsoft just changed the offsets in the hypervisor or added an extra hash or something for a quick fix.
 
pepsicola:
True, but I'm just trying to figure out what exactly changed when Microsoft applied the hotfix. That's the tough part. Researching should help.
 
inloxicater:
> True, but I'm just trying to figure out what exactly changed when Microsoft applied the hotfix. That's the tough part. Researching should help.

Well, they supposedly just updated the challenges, so you would use the code above to get the new challenge responses, then replace the file that came with XeLive, and voila, you're online. Supposedly that's the method, and hence the meaning of this line of code:
hFile = CreateFile("hdd:\\XeKeysExecute_chalData_dec.bin",
Also, this is very old code, so it would most likely need to be modified, since it was used for Xbox kernel 14-something, and I think some headers are missing, so you wouldn't even be able to use this code without the header files needed. Wish you good luck.
 
New Gaming Order:
Sorry to say, but I think this is the last XeLive. Microsoft will just keep patching it, so if you find out, keep it to yourself.
 
pepsicola:
> Sorry to say, but I think this is the last XeLive. Microsoft will just keep patching it, so if you find out, keep it to yourself.

Yes, it is XeLive, and if it gets patched again, oh well, I will release, because without releases I would not be where I am today.
 
Savage Zombie:
> Yes, it is XeLive, and if it gets patched again, oh well, I will release, because without releases I would not be where I am today.

That's the spirit! Receive and give back. Now if only the rest of the community thought that way! ;)
 
pepsicola:
> Don't release that kind of stuff publicly. Just share it with your friends. Otherwise everyone gets it for like 2 days, then nobody has it.

True, but people will always find a way, and I feel that if I use other people's public work to help me, it is only fair that I give back to the people that helped me out in the first place. And if it gets patched, so what? At least people will still get to use it.
 
nergocyde:
The bypass is quite easy. Micro$oft didn't want to spend a lot of money on a fix, and a lot of people are already past it, so hopefully it will be released very soon.
 
pepsicola:
> The bypass is quite easy. Micro$oft didn't want to spend a lot of money on a fix, and a lot of people are already past it, so hopefully it will be released very soon.

I wouldn't say the bypass is "easy", but a full dashboard update would probably make it a lot harder.
 
DArK x1337HaX:
LOL, this is not the bypass. This has been posted many times and was originally made for dev kits. XeDumpChallenge. It will never work.
 
pepsicola:
> LOL, this is not the bypass. This has been posted many times and was originally made for dev kits. XeDumpChallenge. It will never work.

Thank you for your help. I have recently discovered this; I should probably update the thread.
 