2BL Mac OS

Apple MacBook Pro 15 inch RETINA / CORE i7 / 1TB SSD / 16GB / WARRANTY / OS-2015. $599.00 to $1,189.00. Apple MacBook Pro 16' Intel Core i7 16GB AMD 5300M 512GB Space Gray MVVJ2LL/A. 5 out of 5 stars. .This system can run the last version of OS X 10.7 'Lion.' It is not supported booting into 64-bit mode when running Mac OS X 10.6 'Snow Leopard.' It does not support 'OpenCL' either. Please also note that OS X Lion is not capable of running Mac OS X apps originally written for the PowerPC processor as it does not support the 'Rosetta' environment.

Apple MacBook Pro 15 inch RETINA ⊙ i7 ⊙ 1TB SSD ⊙ 16GB ⊙ 3 YR WARRANTY ⊙ OS-2019. $464.03 to $1,423.91. Apple 2020 MacBook Air 13' 1.2 GHz Core i7 2TB SSD 16GB 3733MHz RAM LOADED. $10.00 shipping. APPLE MACBOOK PRO 15' RETINA MAC LAPTOP / QUAD CORE I7 / 2TB SSD / 16GB / OS2020. CB (aka 2BL) The second bootloader. This is decrypted/loaded by 1BL and is stored within the NAND. RSA signed using asymmetric crypto. Loaded/decrypted by CB. This loads, decrypts and decompresses CE, which contains the base kernel + base HV (Hypervisor). Loaded/decrypted by CD. The Macintosh II is a personal computer designed, manufactured, and sold by Apple Computer from March 1987 to January 1990. Based on the Motorola 68020 32-bit CPU, it is the first Macintosh supporting color graphics. When introduced, a basic system with monitor and 20 MB hard drive cost US$5,498 (equivalent to $12,373 in 2019). With a 13-inch color monitor and 8-bit display card the price.

Boot-up

TheSpecialist, Xboxhacker.net [1]:

Keyvault is decrypted by the Hypervisor using the CPU Key [2].

Crypto structure

Arnezami's summary of the different crypto hashes [3]:

Dump Data

There are 3 essential parts of data you want to dump from the Xbox 360; the NAND flash, the fusesets, and the 1BL first bootloader. The former located in the HYNIX HY27US08281A flash and the two latter in the IBM PowerPC Xeon CPU.

NAND

There are two ways to get the NAND flash:

  • Physically read the flash using the Infectus NAND Microchip Flasher
  • Dump it from memory using the King Kong Exploit and Linux

Fusesets and 1BL

These two can only be dumped using Linux. Follow the 'Linux' section below to extract the parts.

Dumping

Infectus

Linux

Start by upgrading to a vulnerable kernel, 4532 or 4548, and patch the King Kong game ISO to load the XeLL loader from a LiveCD, here.

There are two different ways to dump the necessary data, one with dump32 to get the 1BL, CPU Key and NAND dump, and the other tmbincdump to get the true NAND dump with the correct ECC values.

dump32

When Linux is loaded, start one of the webbrowsers (assuming you have a network cable plugged in) and browse to this page to download arnezami's dump32.c (mirror). Save it to the desktop.

Open a new Terminal from the menus, and 'cd Desktop'. Now compile the dump32 using the following command:

As shown, now execute the application by typing 'sudo ./dump32'. Make sure to make it executable by typing 'chmod +x' first. The application will now dump the fuses, 1bl and NAND to the current directory.

Backup these files to another computer through SCP, USB pen, website upload, FTP transter, or similar. I used SCP to another Mac OS X machine:

To SCP in from a Windows machine, download WinSCP and set a password for the root account with 'sudo passwd' and enter a password. Find the IP address of the 360 using the network tool from the menus.

tmbincdump

Get the tmbinc code (mirror) and save it to the desktop as tmbincdump.c. You have to change the writereg command from:

to:

This enables the correct mode to dump the NAND flash. Mode 2 shows all the blank and empty banks, while mode 3 only dumps the necessary data and auto corrects for bad blocks.

Compile it using:

Now execute the dumper:

The complete dump will be saved to a file named tmbincdump.bin. Transfer this to a computer using one of the methods referred to

View Content

2bl Mac Os X

To view the content of the dumped NAND flash download the latest version of 360 Flash Dump Tool and open the BIN file.

To decode all of the encrypted content you need the CPU Key located in the fusesets and the 1BL Key located in the CPU ROM. These are found using the King Kong shader exploit and XeLL (Xeon Linux Loader) on vulnerable firmware version, e.g 4532 and 4548, as shown above.

1BL Key

The 1BL is the 'First Boot Loader' and is stored in the ROM inside the CPU. The loader is 32KB and the 1BL key is the same for all Xbox 360 machines. To dump the 1BL you need to compile dump32.c and execute it to extract fuses.txt, nand.bin and 1bl.bin.

Due to the nature of the legality behind the static key, you have to find it yourself (think AACS). To find the key inside 1bl.bin you need to install IDA and disassemble using the PPC processor setting.

Discover the 1BL key [4]:

2bl Mac Os Download

To figure out if you've found the correct key, open 360 Flash Dump Tool, enter the key, and check if there's a 'Pairing Data' entry.

Fuses

There are 12 fusesets and they form the fundament for the Xbox 360 hypervisor security [5]. The fusesets (12) are located inside the CPU and thus hard to modify externally.

For a description of what the purpose of each set, see this thread post.

CPU / Per-Box Key

The CPU Key is used to only encrypt the Keyvault (which is then encrypted by the 1BL Key). By altering the the Keyvault you can change the lockdown counter on a vulnerable kernel, re-encrypting the Keyvault with the CPU Key, and downgrading to vulnerable kernel by flashing the NAND. A prior NAND dump from a vulnerable kernel is still needed and you have to already acquired the CPU Key using the King Kong exploit.

It is now possible to downgrade to a vulnerable kernel by time attacking the hash value of the lockdown counter. The counter is unsigned and the hash is compared bytewise.

The CPU Key can be found by combining fusetset #03 + #05 (or #04 + #06). The final string should be 16 bytes long, e.g xxxxxxxxxxxxxxxxyyyyyyyyyyyyyyyy.

To extract the fusesets use XeLL (shown below) or arnezami's dump32.

XeLL Output

This shows the XeLL output from the serial cable method.

Keyvault

The Keyvault contains unsigned information about the system, like serial number, manufacture date, DVD key, certificates, etc. It's encrypted by the CPU Key.

Downgrade

Downgrading is restricted by changing a lockdown counter in the NAND and the value of a fuseset. If these two don't match, e.g lockdown counter is lower than the value of the fuseset, the machine refuses to boot. It's possible to disable the change of the fuseset by removing power the the fuse and essentially disabling it. More about how to remove the R6T3 resistor.

It is still possible to downgrade if the fuseset has increased, but it requires CPU Key and altering of the old NAND dump to increase the lockdown counter. (As of 9th Aug. 2007 the CPU Key can only be found on a exploitable 4532 or 4548 system).

Counters

While upgrading to 4532 or 4552, fuseset #07 is changed and the lockdown counter in the NAND is increase by 1, for each update. I.e.:

Fix lockdown counter

You can't directly flash a 4532 dump after updating to 4552. The fuseset has increased and the 4532 dump will not boot if the lockdown counter is lower than the fuseset, i.e refuses to boot if lockdown count > fuseset count.

To bypass this you need to decrypt the CF section of the 4532 dump and change the byte at 0x21F to something higher. The 360 Flash Dump Tool will patch and properly re-encrypt the flash image.

Region code

It's possible make a PAL system act as a NTSC system, and vice versa, by changing the region bit in the Keyvault [6].

Apparently you need both the 1BL and CPU Key to perform this with 360 Flash Dump Tool v0.8.

Region codes [7]:

Future hacks

2bl mac os x
  1. Downgrade allowed via timing attack for all current machines, as of 2007-08-19 / kernel 5766 [8]
  2. Dual kernels via switches or xD cards, one for exploitable kernel (4532 or 4548), another for Xbox Live/latest kernel
  3. King Kong game required to boot homebrew
  4. Find kernel exploits in 4532 or 4548 to make an on-boot exploit to not require King Kong

References

Retrieved from 'https://beta.ivc.no/wiki/index.php?title=Xbox_360_Kernel&oldid=4817'