my research and reverse engineering notes/utilities relating to the Xbox 360 (Mirrored from https://github.com/InvoxiPlayGames/x360-research)

more freeboot re (ty Byrom!)

+22 -15
+2 -1
README.md
··· 51 * [TEIR1plus2's Xbox-Reversing](https://github.com/TEIR1plus2/Xbox-Reversing) 52 * [ihatecompvir's x360-hv-notes](https://github.com/ihatecompvir/x360-hv-notes) 53 * [Grimdoomer's Xbox 360 hypervisor article](https://icode4.coffee/?p=1047) 54 55 I likely wouldn't know nearly as much as I do if not for all the great open source 56 projects detailing how parts of this system work, and all the people behind them. 57 58 - And an extra shoutout to the #coding-corner channel in the 59 [Xbox 360 Hub](https://xbox360hub.com/) Discord. 60 61 ## Removal Requests
··· 51 * [TEIR1plus2's Xbox-Reversing](https://github.com/TEIR1plus2/Xbox-Reversing) 52 * [ihatecompvir's x360-hv-notes](https://github.com/ihatecompvir/x360-hv-notes) 53 * [Grimdoomer's Xbox 360 hypervisor article](https://icode4.coffee/?p=1047) 54 + * [Byrom's Xbox_360_Research](https://github.com/Byrom90/Xbox_360_Research) 55 56 I likely wouldn't know nearly as much as I do if not for all the great open source 57 projects detailing how parts of this system work, and all the people behind them. 58 59 + And an extra shoutout to folks from the #coding-corner channel in the 60 [Xbox 360 Hub](https://xbox360hub.com/) Discord. 61 62 ## Removal Requests
+18 -12
homebrew/xebuild/freeboot-like_patches.md
··· 1 **Emma's Xbox 360 Research Notes - Homebrew - xeBuild** 2 3 - Updated 11th March 2025. 4 5 Incomplete stub page. 6 ··· 18 19 All offsets for this are for the latest released hypervisor/kernel, 17559. 20 21 ## Hypervisor 22 23 ### Initialisation Patch ··· 27 Replaces a call to one of the startup functions with a branch to some shellcode 28 at `0xB510`. (See below for more) 29 30 - ### 0xF0 data clear 31 32 `0xF0` = `00000000 00000000 00000000 00000000` 33 34 - No idea. 35 36 ### Memory Protection Patch 37 ··· 78 Removes a check in HvxLoadImageData after a call to XeCryptMemDiff on a SHA-1 79 hash of an XEX's memory page(?). 80 81 - ### Unknown HvxResolveImports patches 82 83 `0x2AA80` = `60000000` 84 85 `0x2AA8C` = `60000000` 86 87 - Patches two checks in HvxResolveImports. No idea what they do yet. 88 89 ### Initialisation and syscall 0 shellcode. 90 ··· 144 the keyvault. The latter of these patches forces a value at 0x74 to always be 1. 145 (TODO: Look into what this actually is doing.) 146 147 - ### Patch Media ID check? 148 149 `0x24D58` = `38600001 4E800020` 150 151 Replaces a function that is called by HvxImageTransformImageKey and 152 - HvxCreateImageMapping to always return 1. Seems to be related to the DVD auth 153 - media ID. 154 155 ### Patch FCRT hash check 156 157 `0x264F0` = `38600001` 158 159 - Replaces a branch to a hash checking function (?) within a HvxDvdAuthFcrt 160 - subroutine to always return true. 161 162 ### XEX key derivation patch shellcode 163 164 `0x29B08` = shellcode 165 166 - TODO. Looks to be to allow devkit XEXs to decrypt. 167 168 ### HvxImageTransformImageKey protected flag check patch 169 ··· 182 183 `0x2CDD8` = `60000000` 184 185 - Removes a keys flags check during HvxCreateImageMapping. 186 187 ### HvxExpansionInstall signature/encryption patches 188
··· 1 **Emma's Xbox 360 Research Notes - Homebrew - xeBuild** 2 3 + Updated 15th March 2025. 4 5 Incomplete stub page. 6 ··· 18 19 All offsets for this are for the latest released hypervisor/kernel, 17559. 20 21 + Some information here was referenced from 22 + [Byrom's research](https://github.com/Byrom90/Xbox_360_Research) as well as the 23 + [RGLoader patchset](https://github.com/RGLoader/RGLoader-Patches). Thank you! 24 + 25 ## Hypervisor 26 27 ### Initialisation Patch ··· 31 Replaces a call to one of the startup functions with a branch to some shellcode 32 at `0xB510`. (See below for more) 33 34 + ### Devkit XEX AES key 35 36 `0xF0` = `00000000 00000000 00000000 00000000` 37 38 + Stores the devkit XEX AES key here for later use. 39 40 ### Memory Protection Patch 41 ··· 82 Removes a check in HvxLoadImageData after a call to XeCryptMemDiff on a SHA-1 83 hash of an XEX's memory page(?). 84 85 + ### HvxResolveImports revision check patches 86 87 `0x2AA80` = `60000000` 88 89 `0x2AA8C` = `60000000` 90 91 + Patches two checks in HvxResolveImports to bypass STATUS_REVISION_MISMATCH. 92 93 ### Initialisation and syscall 0 shellcode. 94 ··· 148 the keyvault. The latter of these patches forces a value at 0x74 to always be 1. 149 (TODO: Look into what this actually is doing.) 150 151 + ### Patch XGD2/DVD Media ID check 152 153 `0x24D58` = `38600001 4E800020` 154 155 Replaces a function that is called by HvxImageTransformImageKey and 156 + HvxCreateImageMapping related to XGD2 Media ID to always return 1. 157 158 ### Patch FCRT hash check 159 160 `0x264F0` = `38600001` 161 162 + Replaces a branch to a PKCS#1 verification within a HvxDvdAuthFcrt subroutine to 163 + always return true. 164 165 ### XEX key derivation patch shellcode 166 167 `0x29B08` = shellcode 168 169 + TODO. Looks to be to allow devkit XEXs to decrypt, if the XEX signature check 170 + fails it will attempt to decrypt it with the devkit XEX2 AES key stored at 0xF0 171 + by one of the patches above. 
172 173 ### HvxImageTransformImageKey protected flag check patch 174 ··· 187 188 `0x2CDD8` = `60000000` 189 190 + Removes a keys flags check during HvxCreateImageMapping. Possibly region 191 + related? 192 193 ### HvxExpansionInstall signature/encryption patches 194
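Review bot: the renamed "Devkit XEX AES key" section still lists the value written at `0xF0` as sixteen zero bytes while the new text says this slot "stores the devkit XEX AES key" and the `0x29B08` entry says the shellcode decrypts with "the devkit XEX2 AES key stored at 0xF0"; an all-zero key cannot be what that shellcode uses, so say whether the build step fills this slot from key material the user supplies or whether the zeros are just the reserved slot the shellcode reads. In the `0x264F0` entry, the word `38600001` is the same one the `0x24D58` entry describes as forcing a return of 1, so "replaces a branch ... to always return true" would be clearer as "overwrites the branch to the PKCS#1 verification with a return value of 1", making it explicit that the call site, not the verification routine, is patched. Minor: in the `0x2CDD8` entry "keys flags check" should be "key's flags check".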
+2 -2
official-software/kernel/memory_map.md
··· 1 **Emma's Xbox 360 Research Notes - Kernel** 2 3 - Updated 27th January 2024. 4 5 # Memory Map 6 ··· 63 | `0x8D000000` | TODO | Title encrypted allocations | TODO | 64 | `0x8E000000` | 0x20000 | Certificate revocation list (CRL) | `0x01EF0000` | 65 | `0x8E030000` | 0x10000 | Hypervisor data mirror (flags, etc) | `0x01F10000` | 66 - | `0x8E050000` | 0x10000 | XEX2 header copies(?) | `0x01F20000` | 67 68 XEX2 images loaded into this space should have a base address between 69 `0x80400000 - 0x8C000000`. (TODO: check hard limits)
··· 1 **Emma's Xbox 360 Research Notes - Kernel** 2 3 + Updated 15th March 2025. 4 5 # Memory Map 6 ··· 63 | `0x8D000000` | TODO | Title encrypted allocations | TODO | 64 | `0x8E000000` | 0x20000 | Certificate revocation list (CRL) | `0x01EF0000` | 65 | `0x8E030000` | 0x10000 | Hypervisor data mirror (flags, etc) | `0x01F10000` | 66 + | `0x8E050000` | 0x10000 | XEX2 headers | `0x01F20000` | 67 68 XEX2 images loaded into this space should have a base address between 69 `0x80400000 - 0x8C000000`. (TODO: check hard limits)
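Review bot: dropping the "(?)" from the `0x8E050000` row turns a guess ("XEX2 header copies(?)") into a stated fact ("XEX2 headers"), but unlike freeboot-like_patches.md in this same commit, memory_map.md gains no line saying where the confirmation came from; add the same pointer to Byrom's research (or whichever source settled that the region holds the headers themselves rather than copies), since the bumped "Updated 15th March 2025" line alone gives a reader no way to check the change.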