With the new hotfix, Microsoft has blocked modified consoles from connecting to Xbox Live.
Many who have bypassed this update have given out some hints to the rest of us. It is said that you need to update the chal_resp.bin.
I do not claim to be any good at coding at all, but hopefully this information can help someone else. This was posted a while back (I am not sure by whom), but I hope it helps.
Many who have bypassed this update have given out some hints to the rest of us. It is said that you need to update the chal_resp.bin.
I do not claim to be any good at coding at all, but hopefully this information can help someone else. This was posted a while back (I am not sure by whom), but I hope it helps.
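// Signature of the kernel's XeKeysExecute; the hook resolves the real function at runtime
// via resolveFunct(XBOX_KRNL, 607) and forwards to it through this pointer type.
// (The leading 't' of the keyword was missing in the posted listing, which cannot compile.)
typedef DWORD (*XEKEYSEXECUTE)(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8);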
// Catches the call to XeKeysExecute in XAM
// and redirects it to this function instead of the actual kernel function
DWORD XeKeysExecuteHook(BYTE* chalData, DWORD size, BYTE* HVSalt, UINT64 krnlBuild, UINT64 r7, UINT64 r8)
{
/*
 * Replacement for the kernel's XeKeysExecute, installed by the patchInJump call at the
 * bottom of this listing. It logs the raw arguments, writes three files under hdd:\ (the
 * HV salt, the decrypted challenge via DecryptChallenge, and the challenge buffer after the
 * real kernel call), and then reboots.
 *
 * Parameters mirror the kernel export: chalData/size describe the challenge blob, HVSalt is
 * treated as a 0x10-byte buffer, and krnlBuild/r7/r8 are passed straight through.
 * The "return (0)" at the end is only reached if HalReturnToFirmware(6) returns.
 *
 * NOTE(review): every error path calls HalReturnToFirmware(6) and then falls through. If
 * that call can return, the code below continues with an invalid handle or undecrypted
 * data — confirm its semantics before relying on those branches.
 */
XEKEYSEXECUTE XeKeysExecute = (XEKEYSEXECUTE)resolveFunct(XBOX_KRNL, 607); // real kernel export, called further down
SYSTEMTIME LocalSysTime;
GetLocalTime( &LocalSysTime );
DbgPrint("Entering Xbox Live Challenge hook\n");
DbgPrint("SystemTime: %d-%d-%d\t%d:%d:%d\n", LocalSysTime.wMonth, LocalSysTime.wDay,LocalSysTime.wYear, LocalSysTime.wHour, LocalSysTime.wMinute, LocalSysTime.wSecond);
// NOTE(review): pointers are printed with %08X, which only matches while pointers are 32-bit.
DbgPrint("r3 = 0x%08X, r4 = 0x%08X, r5 = 0x%08X\n",
chalData, size, HVSalt);
DbgPrint("r6 = 0x%016I64X, r7 = 0x%016I64X, r8 = 0x%016I64X\n",
krnlBuild, r7, r8);
// Decrypt the challenge data
// Seems to share the same header as a bootloader
// char[2] Magic
// short Version
// int Flags
// int EntryPoint
// int Size
// byte[0x10] HMAC Hash -> RC4 Key
// The Size field is at offset 0xC (2 magic + 2 version + 4 flags + 4 entry point).
// NOTE(review): dataSize comes from the blob header and is never checked against `size`
// (or against the 0x20-byte minimum the decryptor needs). DecryptChallenge copies and
// decrypts dataSize bytes, so a malformed header reads past the end of chalData.
DWORD dataSize = *(DWORD*)(chalData + 0xC);
if(!DecryptChallenge(chalData, dataSize))
{
DbgPrint("Error decrypting challenge \n");
HalReturnToFirmware(6);
}
// Create HV Salt file
HANDLE hvSalt = CreateFile("hdd:\\XeKeysExecute_HVSalt.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if( hvSalt == INVALID_HANDLE_VALUE)
{
DbgPrint("Error Creating HV Salt File\n");
HalReturnToFirmware(6);
}
DbgPrint("File Created\n");
// Get the HV salt
// Writes the 0x10 bytes behind the HVSalt virtual address before the real call sees them.
DWORD saltOut = 0;
if (WriteFile( hvSalt, HVSalt, 0x10, &saltOut, NULL))
DbgPrint("Saved HV Salt\n");
else DbgPrint("Could not save HV Salt \n");
// Close our HV Salt handle
CloseHandle( hvSalt );
DbgPrint("Dumping resp\n");
// Execute the challenge
// patchPhysicalAddr() overwrites the MmGetPhysicalAddress call inside the challenge
// function, so the virtual->physical translation is presumably redone here before forwarding.
BYTE* physSalt = (BYTE*)MmGetPhysicalAddress(HVSalt); // Do what we patched
// NOTE(review): the kernel's return value is discarded; the response file below is written
// even if this call reported failure.
XeKeysExecute(chalData, size, physSalt, krnlBuild, r7, r8); // go to actual kernel function
HANDLE chalResp = CreateFile("hdd:\\XeKeysExecute_resp.bin", GENERIC_WRITE,
FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
if( chalResp == INVALID_HANDLE_VALUE)
{
DbgPrint("Error Creating Response File\n");
HalReturnToFirmware(6);
}
DbgPrint("Response File Created\n");
// Save the challenge response
// Dumps `size` bytes of chalData after the call — assumes the kernel writes its response
// in place over the challenge buffer; TODO confirm.
DWORD respOut = 0;
if (WriteFile( chalResp, chalData, size, &respOut, NULL))
DbgPrint("Saved response data\n");
else DbgPrint("Could not save response data \n");
// Close our challange response dump
CloseHandle( chalResp );
// We dumped the challange data -> reboot
DbgPrint("Dumped Challenge - Rebooting System\n");
HalReturnToFirmware(6);
return (0);
}
void patchPhysicalAddr()
{
    /*
     * Overwrites one instruction inside the kernel's challenge routine (address is for
     * kernel build 14719) with 0x60000000, the PowerPC `nop` encoding (ori 0,0,0).
     * Per the log message this removes the MmGetPhysicalAddress call there, which
     * XeKeysExecuteHook then performs itself before forwarding the call.
     */
    const UINT32 nopInsn = 0x60000000;
    UINT32 *patchSite = (UINT32 *)(0x81677EE4); // 14719
    DbgPrint("Patching MmGetPhysicalAddress in challenge function so we can grab the HV Salt\n");
    *patchSite = nopInsn;
}
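BOOL DecryptChallenge(BYTE* data, DWORD fileSize)
{
    /*
     * Decrypts a copy of the challenge blob and dumps it to hdd:\XeKeysExecute_chalData_dec.bin.
     * `data` itself is never modified; only the copy is decrypted and written.
     *
     * Layout assumed by the code: bytes 0x10..0x1F are the HMAC input used to derive the RC4
     * key, and the RC4-encrypted body starts at 0x20. Anything shorter than 0x20 bytes cannot
     * be decrypted (fileSize - 0x20 would wrap), so it is rejected up front.
     *
     * Returns true only if the decrypted copy was written to disk. Every path frees both
     * physical buffers and closes the file handle; the posted version leaked all three on
     * failure, fell off the end without a return when CreateFile failed, and was missing a
     * parenthesis in the WriteFile condition.
     */
    BOOL ok = false;
    BYTE* decChalData = NULL;
    BYTE* rc4Key = NULL;
    HANDLE hFile = INVALID_HANDLE_VALUE;
    DWORD written = 0;
    XECRYPT_RC4_STATE rc4;
    BYTE key[0x10] = {0xDD, 0x88, 0xAD, 0x0C, 0x9E, 0xD6, 0x69, 0xE7, 0xB5, 0x67, 0x94, 0xFB, 0x68, 0x56, 0x3E, 0xFA}; // found in HV

    DbgPrint("Decrypting XeKeysExecute Challenge Data\n");

    if (fileSize < 0x20)
    {
        DbgPrint("Challenge data too small to decrypt\n");
        return false;
    }

    decChalData = (BYTE*)XPhysicalAlloc(fileSize, MAXULONG_PTR, 0, PAGE_READWRITE);
    rc4Key = (BYTE*)XPhysicalAlloc(0x10, MAXULONG_PTR, 0, PAGE_READWRITE);
    if (decChalData == NULL || rc4Key == NULL)
    {
        DbgPrint("Could not allocate decrypt buffers\n");
        goto cleanup;
    }

    // Work on a private copy so the caller's buffer stays encrypted.
    memcpy(decChalData, data, fileSize);
    // RC4 key = HMAC-SHA(key, data[0x10..0x1F]); the body from 0x20 is then decrypted in place.
    XeCryptHmacSha((BYTE*)key, 0x10, decChalData + 0x10, 0x10, 0, 0, 0, 0, rc4Key, 0x10);
    XeCryptRc4Key(&rc4, rc4Key, 0x10);
    XeCryptRc4Ecb(&rc4, decChalData + 0x20, fileSize - 0x20);

    hFile = CreateFile("hdd:\\XeKeysExecute_chalData_dec.bin", GENERIC_WRITE,
                       FILE_SHARE_WRITE, NULL, CREATE_ALWAYS, FILE_ATTRIBUTE_NORMAL, NULL);
    if (hFile == INVALID_HANDLE_VALUE)
    {
        DbgPrint("Error creating decrypted challenge file\n");
        goto cleanup;
    }
    DbgPrint("Created Challenge File\n");

    if (WriteFile(hFile, decChalData, fileSize, &written, NULL))
    {
        DbgPrint("Decrypted challenge data saved\n");
        ok = true;
    }
    else
    {
        DbgPrint("Could not save decrypted challenge data\n");
    }

cleanup:
    if (hFile != INVALID_HANDLE_VALUE)
    {
        CloseHandle(hFile);
    }
    // XPhysicalFree is not known to accept NULL, so guard each buffer explicitly.
    if (rc4Key != NULL)
    {
        XPhysicalFree(rc4Key);
    }
    if (decChalData != NULL)
    {
        XPhysicalFree(decChalData);
    }
    return ok;
}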
//////////////////////////////////////////////////////////////////////////////////////////
// Order matters: NOP out the MmGetPhysicalAddress call first, then install the hook that
// performs that translation itself (see XeKeysExecuteHook).
patchPhysicalAddr();
// patchInJump is a project helper not shown here; presumably it writes a branch to
// XeKeysExecuteHook at the XAM call site 0x81A30364 — confirm what the final flag controls.
patchInJump((PDWORD)(0x81A30364), (DWORD)XeKeysExecuteHook, false);