Hacking RGH 15xxx CPU key theory

[overlord00]

Just a question that's been playing on my mind for a while.
was gonna post this directly to TX and see how that went but apparently im a noob. well played TX.

Right now the 15xxx dash in un-RGH-able because of new crypto.
Because of this, you cant get the CPU key string.
Why not dump the NAND onto something like the DAEMON and with custom version of XELL that iterates/bruteforces its way through every combination of keys to see if it matches?
Theres no wear on your NAND and the first time you run XELL you dont have your CPU key anyway which is the point of running it.
Is there more to the crypto stuff that stop XELL from being able to boot? There must be.
I understand a bruteforce attack would take a LONG time, but perhaps for now it could be a possibility?

probably the ramblings of a mad man, but still, anyone?

 

[Relys]

Simple answer: no.

Long answer: Learn about the time complexity for finding all possible combinations of a string of size n in a given language.

 

[Rydian]

I understand a bruteforce attack would take a LONG time

Do you know how long?

For a 128-bit key, if you have a computer that can try 50,000 keys a second, it would take 11,698,848 years to try them all.

 

[Armadillo]

Whether you believe them or not is up to you, but according to xecuter 15574 is pretty much done, http://team-xecuter.com/forums/showpost.php?p=635873&postcount=458 and probably just waiting for a new dash to appear before release. http://forums.team-xecuter.com/showpost.php?p=668012&postcount=612, I'd guess if they do have a way, probably won't see it to after christmas, get as many exploitable consoles out, before it's patched again.

 

[DinohScene]

The current Kernel has a new Keystream cypher for the bootloaders.
In dash 1888 - 14719 it was all the same.

Ofcourse bootloaders got updated but the essetial Keystream cypher was the same.


@[member='Armadillo']
That's highly likely yes.
TX is known for those things and indeed it wouldn't surprise me that they have found a way to kick it into XeLL with some additional hardware.

 

[overlord00]

ok, cool.
just checking. thought it seemed unlikely.
thanks guys

 

[DinohScene]

Welcomes~

 

[Armadillo]

@[member='Armadillo']
That's highly likely yes.
TX is known for those things and indeed it wouldn't surprise me that they have found a way to kick it into XeLL with some additional hardware.

Xecuter say a lot though. Like when the other chips appeared with built in crystal as Corana ready, they claimed it's not enough. Yet what is the cr3, same thing. They've claimed on the forum, that the Matrix video is fake and they can prove it, yet they have not yet. Just suppose to take their word for it. Always seem to be taking shots at other teams as well.

Good hardware, decent support, but talk too much. Should let their hardware do the talking.

 

[DinohScene]

I fully agree on that.

They do indeed have some kind of vendetta with Matrix.

CR3 has additional DIP switches that adds various cap sizes to the PLL_BYPASS and CPU_RST.
That might help smoothen out the Corona glitching?

But yeah.
I never had a TX product fail on me so I tend to only get hardware from them.

 

[Armadillo]

I fully agree on that.

They do indeed have some kind of vendetta with Matrix.

CR3 has additional DIP switches that adds various cap sizes to the PLL_BYPASS and CPU_RST.
That might help smoothen out the Corona glitching?

But yeah.
I never had a TX product fail on me so I tend to only get hardware from them.

The bypass and cpu_rst is for everything, not just Corona. People found adding certain caps/resistor combinations helped with boot times on stubborn boxes. PLL_bypass is for fat console using RGH1, RST is for all. Can do the same manually, just this is more convenient. Corona qsb for the old rev c just adds a crystal though, nothing special.

Corona's just seem to not play nice from reading around. CR3 pro is supposed to fix them, meant to be use a different chip for glitching and a different method, but been coming for ages now.

I agree about their hardware though. Never had a problem with it. Had a xecuter chip in my original xbox, had their programmer for it (I had a bad flash), have their xlinx lpt cable and a coolrunner rev c in my slim. All works great, has to be set to phat for it to get good times on my slim, but it does say that on their forum and well, that's just the nature of the glitch I guess.

 

[DinohScene]

Got a Falcon on RGH1.
CR rev A
No added hardware and it glitches within seconds.

But indeed.
A glitch is unreliable in nature.


I hope Xecuter will do what he promises.
Then I can grab my CPUkey + NAND from my flashed box.

 

[Armadillo]

Falcons are meant to be really good on RGH1, dunno why. Crap on 2. My trinity is ok. Normally boots within 30 seconds or so with the switch set to phat, with it on slim it was 1 minute or more.Averaging about 20 seconds, few boots instant, few boots nearer the 30s, but most somewhere in between. Pretty much the default install though, I have the cpu_rst qsb, so could have tried that and experimented with differnt wire, or the shielded cable, but I'm lazy. Time is fine though, switch it on, grab controller and it'll be booted by the time I sit down and get comfortable.

Still on the falcon jtag for now though, slim is just backup. Jtag dies, just pull the slim out and it's ready to go .

 

[DinohScene]

Indeed they are.
RGH'd a few Falcons and their extremely great.

Well atleast your slim is glitching.
I still have trouble getting the Zephyr to glitch.

Going to install a CR3 soon and give it another shot.
So hope it'll work.

 

[Armadillo]

Aren't Zephyrs meant to really crap at glitching? Dunno if I would have the patience, probably end up out a window or something. Wonder what it is with those consoles, they were a pain with the jtag as well to start with, always giving e79, until the alternate method came along.

 

[DinohScene]

Zephyrs are a special breed of Mobo.

Some are glitchable.
Some aren't.

Generally their an extreme pain to glitch.
Both jTAG and RGH indeed.

 

[Vappy]

http://team-xecuter.com/forums/showthread.php?t=95156 They've made the announcement. Newest dashboards 155xx/16197 can have their CPU/DVD keys extracted using the new CR3 Pro in conjunction with an addon device CR3-DGX, which only needs to be connected when initially extracting the keys.

 

[DinohScene]

I've made a newspost about it yep.