Solved Custom CPU key?

  • Thread starter Evil Tim
  • Views 2,241
Evil Tim

If you have a brand new, never before used Xbox 360, can you burn fusesets 03-06 at your leisure to make your own CPU key (granted, you have the sufficient knowledge and tools)?

For example, having a CPU key as all Fs?
 
JoinTheResistance

You can, on a brand new CPU, though I'm pretty sure the consoles you get from the store already come with the fuses burnt. Now, if you got a new CPU straight from the factory, then the CPU key will be all zeros as the fuses aren't burnt yet. Meaning that maybe you can customize it, maybe.
[attached image: 1SXJF6x.jpg]
 
TEIR1plus2

There is code in the HV that generates and burns the cpukey lines. However, I thought it was just leftover from manufacturing. I suppose it's possible on brand new consoles that the nand is encrypted with a 0'd key and the hv/kernel will set it and rewrite the nand encrypted with the new keys on its first run. But I never heard of anyone mentioning this process and never saw any references in the kernel to it.

On top of that, cpukeys are generated a specific way and can be verified as being legit. The HV does this in a couple of places and if it's not legit, it might cause issues.
 
Evil Tim

TEIR1plus2 said:
> There is code in the HV that generates and burns the cpukey lines. However, I thought it was just leftover from manufacturing. I suppose it's possible on brand new consoles that the nand is encrypted with a 0'd key and the hv/kernel will set it and rewrite the nand encrypted with the new keys on its first run. But I never heard of anyone mentioning this process and never saw any references in the kernel to it.
>
> On top of that, cpukeys are generated a specific way and can be verified as being legit. The HV does this in a couple of places and if it's not legit, it might cause issues.

How and why does it verify the integrity of the CPU key if it's a random key in the first place?
 
TEIR1plus2

Evil Tim said:
> How and why does it verify the integrity of the CPU key if it's a random key in the first place?

Because it's not random. It's generated from a random salt but can be verified by a checksum algorithm MS uses. Idk if they actually use it on live servers, but it might just be another thing that they can use to confirm if your console is as it should be.
 
J

JoinTheResistance

Dead to the world, alive for the journey...
Messages
4,669
Reaction score
1,100
Points
1,045
Sin$
7
I'm pretty sure stock consoles already have the CPU key burnt before they get shipped to stores, otherwise you could swap the nand, put in an XDK recovery disk and convert them to a devkit, no RGH chips, no JTAGs needed.
 
TEIR1plus2

JoinTheResistance said:
> I'm pretty sure stock consoles already have the CPU key burnt before they get shipped to stores, otherwise you could swap the nand, put in an XDK recovery disk and convert them to a devkit, no RGH chips, no JTAGs needed.

You would be missing some hardware that the devkit HV/kernel references. (I don't know about the kernel actually, but the HV references some special registers that are not on retail. AND some parts of the cpu work differently, which may cause issues.) I don't know when exactly the fuses are burned, but there are algorithms in the HV to burn the patterns we all see on lines 0 and 1, and to generate and blow the cpukeys. Meanwhile the LDV lines are blown through variables. For example, this is the algorithm to blow line 0: https://i.imgur.com/uUjQGvD.png
As you can see, it only blows the last 56 bits of the fuse. The first 8 are untouched. And according to free60 it's supposed to be programmed at the factory to disable the CPU jtag. Judging from your image, the algorithm, and free60, I believe that the C is burned at the factory and probably disables the CPU jtag. However, the fact that these algorithms are in the retail HV *might* indicate that the rest of them are left unburned. At least until the hypervisor runs for the first time (which might be at the factory or it might not be).

And before someone says those algorithms are in there to brick consoles by blowing critical fuses, they don't. Like I said, they only blow the patterns we all see on our consoles, nothing more.

Back to the question at hand, it is entirely possible to blow whatever fuses you please. It's just impossible to un-blow them.
These were my fuses while I was researching things: https://i.imgur.com/4s3iczQ.png
 
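An added example (not code from the thread, from free60, or from any of the tools mentioned): a small Python checker that reads a fuse dump in the common "fuseset NN: &lt;16 hex digits&gt;" text layout, assembles the CPU key from the redundant 03/04 and 05/06 pairs the thread refers to as fusesets 03-06, and applies the publicly documented structural check on the key. The fuse layout and the 53-ones-in-106-bits property are assumptions taken from public documentation rather than from this thread, and the sample dump is constructed; the check shows why the "all Fs" key from the opening post, or an all-zero key, would not pass as a legitimately generated one.

```python
import re
# Constructed sample in the common "fuseset NN: <16 hex digits>" dump layout; the
# key in 03-06 was built by hand to have exactly 53 ones in its first 106 bits.
SAMPLE_DUMP = """\
fuseset 00: C0FFFFFFFFFFFFFF
fuseset 01: 0F0F0F0F0F0F0FF0
fuseset 02: F000000000000000
fuseset 03: A5A5A5A5A5A5A5A5
fuseset 04: A5A5A5A5A5A5A5A5
fuseset 05: 5A5A5A5A5A81D27C
fuseset 06: 5A5A5A5A5A81D27C
fuseset 07: FFF0000000000000
fuseset 08: 0000000000000000
fuseset 09: 0000000000000000
fuseset 10: 0000000000000000
fuseset 11: 0000000000000000
"""
FUSE_LINE = re.compile(r"^\s*fuseset\s+(\d{2}):\s*([0-9A-Fa-f]{16})\s*$")

def parse_fuse_dump(text):
    """Map fuseset number -> 64-bit int; a dump needs all twelve lines."""
    lines = {int(m.group(1)): int(m.group(2), 16)
             for m in map(FUSE_LINE.match, text.splitlines()) if m}
    if set(range(12)) - set(lines):
        raise ValueError("dump does not contain fusesets 00-11")
    return lines

def _pair(a, b, name):
    """Pair lines hold the same half of the key: take the blown one, reject a mismatch."""
    if a and b and a != b:
        raise ValueError(f"fusesets {name} disagree: {a:016X} vs {b:016X}")
    return a or b

def cpu_key_from_fuses(lines):
    """Assumed layout: 03/04 carry the high 64 bits, 05/06 the low 64 bits."""
    hi = _pair(lines[3], lines[4], "03/04")
    lo = _pair(lines[5], lines[6], "05/06")
    return (hi << 64) | lo

def cpu_key_weight_ok(key):
    """Documented property (assumption, not from the thread): the first 106 of the
    128 bits hold exactly 53 ones; the last 22 are an ECC field not recomputed here."""
    return bin(key >> 22).count("1") == 53

def line0_factory_byte_ok(lines):
    """Thread's point on fuseset 00: the top byte is outside the 56 bits the HV blows."""
    return (lines[0] >> 56) == 0xC0
```

A key that is all Fs has 106 ones in its first 106 bits and an all-zero key has none, so both fail the weight check even though each is a perfectly blowable fuse pattern.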