more freeboot re (ty Byrom!) · invoxiplaygames.uk/x360-research@c52f26e

my research and reverse engineering notes/utilities relating to the Xbox 360 (Mirrored from https://github.com/InvoxiPlayGames/x360-research)

fork atom

more freeboot re (ty Byrom!)

invoxiplaygames.uk 1 year ago c52f26e3 a889fa86

+22 -15

3 changed files

expand all

unified split

README.md

homebrew

xebuild

freeboot-like_patches.md

official-software

kernel

memory_map.md

+2 -1

README.md

··· 51 51 * [TEIR1plus2's Xbox-Reversing](https://github.com/TEIR1plus2/Xbox-Reversing) 52 52 * [ihatecompvir's x360-hv-notes](https://github.com/ihatecompvir/x360-hv-notes) 53 53 * [Grimdoomer's Xbox 360 hypervisor article](https://icode4.coffee/?p=1047) 54 + * [Byrom's Xbox_360_Research](https://github.com/Byrom90/Xbox_360_Research) 54 55 55 56 I likely wouldn't know nearly as much as I do if not for all the great open source 56 57 projects detailing how parts of this system work, and all the people behind them. 57 58 58 - And an extra shoutout to the #coding-corner channel in the 59 + And an extra shoutout to folks from the #coding-corner channel in the 59 60 [Xbox 360 Hub](https://xbox360hub.com/) Discord. 60 61 61 62 ## Removal Requests

+18 -12

homebrew/xebuild/freeboot-like_patches.md

··· 1 1 **Emma's Xbox 360 Research Notes - Homebrew - xeBuild** 2 2 3 - Updated 11th March 2025. 3 + Updated 15th March 2025. 4 4 5 5 Incomplete stub page. 6 6 ··· 18 18 19 19 All offsets for this are for the latest released hypervisor/kernel, 17559. 20 20 21 + Some information here was referenced from 22 + [Byrom's research](https://github.com/Byrom90/Xbox_360_Research) as well as the 23 + [RGLoader patchset](https://github.com/RGLoader/RGLoader-Patches). Thank you! 24 + 21 25 ## Hypervisor 22 26 23 27 ### Initialisation Patch ··· 27 31 Replaces a call to one of the startup functions with a branch to some shellcode 28 32 at `0xB510`. (See below for more) 29 33 30 - ### 0xF0 data clear 34 + ### Devkit XEX AES key 31 35 32 36 `0xF0` = `00000000 00000000 00000000 00000000` 33 37 34 - No idea. 38 + Stores the devkit XEX AES key here for later use. 35 39 36 40 ### Memory Protection Patch 37 41 ··· 78 82 Removes a check in HvxLoadImageData after a call to XeCryptMemDiff on a SHA-1 79 83 hash of an XEX's memory page(?). 80 84 81 - ### Unknown HvxResolveImports patches 85 + ### HvxResolveImports revision check patches 82 86 83 87 `0x2AA80` = `60000000` 84 88 85 89 `0x2AA8C` = `60000000` 86 90 87 - Patches two checks in HvxResolveImports. No idea what they do yet. 91 + Patches two checks in HvxResolveImports to bypass STATUS_REVISION_MISMATCH. 88 92 89 93 ### Initialisation and syscall 0 shellcode. 90 94 ··· 144 148 the keyvault. The latter of these patches forces a value at 0x74 to always be 1. 145 149 (TODO: Look into what this actually is doing.) 146 150 147 - ### Patch Media ID check? 151 + ### Patch XGD2/DVD Media ID check 148 152 149 153 `0x24D58` = `38600001 4E800020` 150 154 151 155 Replaces a function that is called by HvxImageTransformImageKey and 152 - HvxCreateImageMapping to always return 1. Seems to be related to the DVD auth 153 - media ID. 156 + HvxCreateImageMapping related to XGD2 Media ID to always return 1. 154 157 155 158 ### Patch FCRT hash check 156 159 157 160 `0x264F0` = `38600001` 158 161 159 - Replaces a branch to a hash checking function (?) within a HvxDvdAuthFcrt 160 - subroutine to always return true. 162 + Replaces a branch to a PKCS#1 verification within a HvxDvdAuthFcrt subroutine to 163 + always return true. 161 164 162 165 ### XEX key derivation patch shellcode 163 166 164 167 `0x29B08` = shellcode 165 168 166 - TODO. Looks to be to allow devkit XEXs to decrypt. 169 + TODO. Looks to be to allow devkit XEXs to decrypt, if the XEX signature check 170 + fails it will attempt to decrypt it with the devkit XEX2 AES key stored at 0xF0 171 + by one of the patches above. 167 172 168 173 ### HvxImageTransformImageKey protected flag check patch 169 174 ··· 182 187 183 188 `0x2CDD8` = `60000000` 184 189 185 - Removes a keys flags check during HvxCreateImageMapping. 190 + Removes a keys flags check during HvxCreateImageMapping. Possibly region 191 + related? 186 192 187 193 ### HvxExpansionInstall signature/encryption patches 188 194

+2 -2

official-software/kernel/memory_map.md

··· 1 1 **Emma's Xbox 360 Research Notes - Kernel** 2 2 3 - Updated 27th January 2024. 3 + Updated 15th March 2025. 4 4 5 5 # Memory Map 6 6 ··· 63 63 | `0x8D000000` | TODO | Title encrypted allocations | TODO | 64 64 | `0x8E000000` | 0x20000 | Certificate revocation list (CRL) | `0x01EF0000` | 65 65 | `0x8E030000` | 0x10000 | Hypervisor data mirror (flags, etc) | `0x01F10000` | 66 - | `0x8E050000` | 0x10000 | XEX2 header copies(?) | `0x01F20000` | 66 + | `0x8E050000` | 0x10000 | XEX2 headers | `0x01F20000` | 67 67 68 68 XEX2 images loaded into this space should have a base address between 69 69 `0x80400000 - 0x8C000000`. (TODO: check hard limits)