How M$ Killed The XOR Hack


With the new 15*** update, M$ has added a new key to their hash calculation for the rc4 key. It's basically just the first 16 bytes of the header, which include the version number, entrypoint, and size. These are all per-CB, per-version, so we cannot take a keystream from a 15*** CBB and use it to make a 14*** CB because the CBA on 14*** is unable to calculate the rc4 key no matter what we change.

What this means:

In order to RGH2 an Xbox with 15***, you need either:

1) The cpu_key

2) A previous exploitable dump from the SAME XBOX. Must fit one of the following:

- Phats: 14717, 14719

- Slims: 13146, 13599, 14699, 14717, 14719

Older dumps will NOT WORK with RGH2/RGH3 !


What do we do now:

We are looking into ways of exploiting the rc4.

To make it clear, the new way of generating the CBB decryption rc4 key is as follows:

Secret = CBA[0x10:0x20]

Ingest = CBB[0x10:0x20] + CPU_Key + CBA[0:6] + 0x0000 + CBA[6:0x10]

    import hmac
    import struct
    from hashlib import sha1 as sha
    from Crypto.Cipher import ARC4 as RC4   # pycryptodome / pycrypto

    # CB_A (raw CB_A image from the target NAND) and cpukey (that console's
    # 16-byte CPU key) are module-level values set by the caller.

    def decrypt_CB_Cpu(CB):
        assert cpukey
        # the HMAC secret is the 16-byte key field of CB_A
        secret = CB_A[0x10:0x20]
        h = hmac.new(secret, None, sha)
        # Ingest, as described above: CBB key field, then the CPU key
        h.update(CB[0x10:0x20])
        h.update(cpukey)
        v = struct.unpack(">h", CB_A[0x6:0x8])[0]
        print(" * checking flag: %X" % v)
        if v & 0x1000:
            print(" ** Using new encryption scheme")
            # new scheme: also ingest CB_A's own header (version, entry, size)
            # with the flags halfword zeroed
            h.update(CB_A[0:0x6] + b"\x00\x00" + CB_A[8:0x10])
        key = h.digest()[0:0x10]
        CB = CB[0:0x10] + key + RC4.new(key).decrypt(CB[0x20:])
        return CB

source: Team-xecuter


Jason - to answer your question, pretty much yes.

Wait, are you talking about modding the DVD drive or using the RGH hack?


Same reason they killed JTAG: they do not want unsigned code run on their system, and some people were still trying to go online with the systems and running modded lobbies in games.

