Hacking [HACKING]: XK3Y (X360Key) AES-Keys released

nitr8

This is what you get when you "really" care about customers...

The purpose of this thread is to expose the firmware encryption keys of the XK3Y (also called "X360Key") - a modchip that was once manufactured for the XBOX360.

As you should know, all of the stuff on the XK3Y is encrypted - like the bootloader, the Kernel etc.

The reason why I'm releasing the keys is that I had my tests going on on what it takes to make your own dumps to run on an XBOX360 and it was a massive turn-out into some - kind of - frustrating FAIL at all levels. Me realizing that it needs much more than just like a modchip made me sick of it. So I went for doing stuff for the public which might be interested in extending the firmware - if not - even make it further open or what not...

Here we go...:

XK3Y Bootloader AES key: C0681465325EE0169F0C3E4AA28C54B2
XK3Y ROOTFS AES key: 60BD0BB7084A1C104141B6B6D95B97C4 (for XKEY firmware < v1.06)
XK3Y ROOTFS AES IV: 00000000000000000000000000000000 (ALL XKEY ROOTFS firmwares)
XK3Y ROOTFS AES key: FC815A31137863C5B078FB6F1C31A58E (for XKEY firmware >= v1.06)
XK3Y KERNEL AES key: 2B06C0D6B5A057F20FB949037860D056
XK3Y KERNEL AES IV: 508E4724DA2EF3B7E861A6032D1EEDC6
XK3Y SRAM EMUKEY: 3C51DDF6AF5CEAD5C3B3327830B336D6 (whatever that might be for)
XK3Y "Anti-Clone" key: 2B00B610000000000000000000000000 (who would even clone this CRAP)
XK3Y "Anti-Clone" data: E7F2A5F6E9A53948426685B65530417E


Hopefully people can use this for something else successful...

You btw. should know that dumping these keys was done / possible as described within the "The WODE just got HACKED" thread.

I'm not going to release the bootloader AES IV for a very certain reason.
You might search on your own for it.
If you might ask yourself on this one if I got it on my own: I do!

Have fun with those keys and what else above.
I'm just p*ssed r/n about what modchip manufacturers have come to - whereby I do believe that the XK3Y is a product which was once manufactured by Team Xecuter.


* Signing out *
 

K3Nv2

XK3Y has long since been discontinued as far as I know. I have one in my system but it's been years since I messed with it. IIRC I just put the bin file inside the MicroSD card and it worked; I don't remember the file structure used.
 

TheStonedModder

This is AMAZING, great work!
 

Visual Studio

If you want a project to use that ChipWhisperer on, try dumping an Xecuter DemoN.
 

Armandooooo

Hi Nitr8,

Thank you for sharing the encryption key. Would you be able to provide the command to decrypt and re-encrypt as I am sure this is not that easy.

Thank you very very much
 

Armandooooo

Hi Nitr8,

Would you be able to share the commands to decrypt and encrypt using the keys?
What is the reason for keeping the bootloader AES IV? Just curious

Thank you for releasing.
 

nitr8

Regarding the bootloader AES IV:

It is unclear whether the bootloader AES IV is customer-related or globally equal to each of the LPC3143 MCUs by NXP.

It might be that, if a customer of NXP orders an LPC3143 package, they burn the BOOTROM into the package and the bootloader AES IV is then related to this customer of NXP. I'm writing of "related" because the bootloader AES IV is stored within the BOOTROM of the LPC3143 MCU itself. I do have some other PCB right here which also carries an LPC3143 MCU and is no modchip after all but I also didn't make it to dump the BOOTROM of this particular MCU of that PCB. I hope to get this done so I can compare the results. If they differ, releasing the bootloader AES IV might be a thing but if they are equal: no chance. So dumping it on your own would be the only option after all.
 

Armandooooo

Hi nitr8,
Thank you for the explanation. In regards to my other query for the commands, you don’t reply because you don’t want to share or any other reason?

Thank you
 

nitr8

Does that mean we will be seeing the xk3y device again in the market?
Basically "NO".

For that to happen, one would need the design files like PCB data sheets, GERBER files / BOM etc.

Aside from that, the FPGA security needs to be exploited. The Lattice holding the bitstream data is AES encrypted as well but hacking an FPGA like that is near to impossible to accomplish.

Like seen on the WODE before, which has an ACTEL ProASIC3 FPGA, for the Lattice it's most likely the case that the AES key for the bitstream data is hidden within the FPGA itself. There are no known - like - tutorials on how to extract an AES key from ICs like these nor how to crack / exploit their security.
 

TheStonedModder

That's the Bootloader and Kernel source code of the XKEY.

Unfortunately, like on the WODE, it's missing the required binary for interaction with the XKEY module which handles mounting of games. They never made the source code to it available to the public.
Interesting, there seems to maybe be some extra information shared on the PS3 wiki? Under the 360 goodness section

https://www.psdevwiki.com/ps3/User_talk:Zecoxao#3K3Y_Goodness
 
