Too many updates to cover

Author: John Dong

Patches/macros.S

@@ -11,107 +11,107 @@
 
 #;Arg0 is address, Arg1 is label used for handler
 .macro MAKEPATCH PAddress 
-.if(\PAddress)
-	#;Patch structure
-	.set 	PatchAddr, \PAddress
-	.long	PatchAddr
-	.long (9f - 0f) / 4  					#;Length of patch in dwords
-.endif
+	.if(\PAddress)
+		#;Patch structure
+		.set 	PatchAddr, \PAddress
+		.long	PatchAddr
+		.long (9f - 0f) / 4  					#;Length of patch in dwords
+	.endif
 .endm
 
 #;Arg0 is address, Arg1 is label used for handler
 .macro KMAKEPATCH PKAddress 
-.if(\PKAddress)
-	#;Patch structure
-	.set 	PatchAddr, (\PKAddress-KBASE)
-	.set 	RealAddr, (\PKAddress)
-	.long	PatchAddr
-	.long (9f - 0f) / 4  					#;Length of patch in dwords
-.endif
+	.if(\PKAddress)
+		#;Patch structure
+		.set 	PatchAddr, (\PKAddress-KBASE)
+		.set 	RealAddr, (\PKAddress)
+		.long	PatchAddr
+		.long (9f - 0f) / 4  					#;Length of patch in dwords
+	.endif
 .endm
 
 #;Arg0 is hook address, Arg1 is destination
 .macro MAKEHOOKL PKAddress PKDest
-.if(\PKAddress)
-	#;Patch structure
-	.set 	PatchAddr, (\PKAddress)
-	.set 	RealAddr, (\PKAddress)
-	.long	PatchAddr
-	.long (9f - 0f) / 4  					#;Length of patch in dwords
-0:
-	MAKEBRANCHL (\PKDest)
-9:
-.endif
+	.if(\PKAddress)
+		#;Patch structure
+		.set 	PatchAddr, (\PKAddress)
+		.set 	RealAddr, (\PKAddress)
+		.long	PatchAddr
+		.long (9f - 0f) / 4  					#;Length of patch in dwords
+	0:
+		MAKEBRANCHL (\PKDest)
+	9:
+	.endif
 .endm
 
 #;Arg0 is hook address, Arg1 is destination
 .macro KMAKEHOOKL PKAddress PKDest
-.if(\PKAddress)
-	#;Patch structure
-	.set 	PatchAddr, (\PKAddress-KBASE)
-	.set 	RealAddr, (\PKAddress)
-	.long	PatchAddr
-	.long (9f - 0f) / 4  					#;Length of patch in dwords
-0:
-	MAKEBRANCHL (\PKDest-KBASE)
-9:
-.endif
+	.if(\PKAddress)
+		#;Patch structure
+		.set 	PatchAddr, (\PKAddress-KBASE)
+		.set 	RealAddr, (\PKAddress)
+		.long	PatchAddr
+		.long (9f - 0f) / 4  					#;Length of patch in dwords
+	0:
+		MAKEBRANCHL (\PKDest-KBASE)
+	9:
+	.endif
 .endm
 
 #;Arg0 is hook address, Arg1 is destination
 .macro KMAKEHOOK PKAddress PKDest
-.if(\PKAddress)
-	#;Patch structure
-	.set 	PatchAddr, (\PKAddress-KBASE)
-	.set 	RealAddr, (\PKAddress)
-	.long	PatchAddr
-	.long (9f - 0f) / 4  					#;Length of patch in dwords
-0:
-	MAKEBRANCH (\PKDest-KBASE)
-9:
-.endif
+	.if(\PKAddress)
+		#;Patch structure
+		.set 	PatchAddr, (\PKAddress-KBASE)
+		.set 	RealAddr, (\PKAddress)
+		.long	PatchAddr
+		.long (9f - 0f) / 4  					#;Length of patch in dwords
+	0:
+		MAKEBRANCH (\PKDest-KBASE)
+	9:
+	.endif
 .endm
 
 #;Arg0 is destination address
 .macro MAKEBRANCH DAddress
-.if(\DAddress)
+	.if(\DAddress)
 		#;Patch structure
-	b	\DAddress - ((.-0b)+PatchAddr)
-.endif
+		b	\DAddress - ((.-0b)+PatchAddr)
+	.endif
 .endm
 
 #;Arg0 is destination address
 .macro MAKEBRANCHL DAddress 
-.if(\DAddress)
+	.if(\DAddress)
 		#;Patch structure
-	bl	\DAddress - ((.-0b)+PatchAddr)
-.endif
+		bl	\DAddress - ((.-0b)+PatchAddr)
+	.endif
 .endm
 
 #;Arg0 is destination address
 .macro KMAKEBRANCH DAddress
-.if(\DAddress)
+	.if(\DAddress)
 		#;Patch structure
-	b	(\DAddress-KBASE) - ((.-0b)+PatchAddr)
-.endif
+		b	(\DAddress-KBASE) - ((.-0b)+PatchAddr)
+	.endif
 .endm
 
 #;Arg0 is destination address
 .macro KMAKEBRANCHL DAddress 
-.if(\DAddress)
+	.if(\DAddress)
 		#;Patch structure
-	bl	(\DAddress-KBASE) - ((.-0b)+PatchAddr)
-.endif
+		bl	(\DAddress-KBASE) - ((.-0b)+PatchAddr)
+	.endif
 .endm
 
 #;Arg0 is destination address
 .macro BLMAKEBRANCH DAddress
-		#;Patch structure
+	#;Patch structure
 	b	\DAddress - ((.-0b)+PatchAddr)
 .endm
 
 #;Arg0 is destination address
 .macro BLMAKEBRANCHL DAddress 
-		#;Patch structure
+	#;Patch structure
 	bl	\DAddress - ((.-0b)+PatchAddr)
 .endm

Patches/remap_bootanim_17559.S

@@ -0,0 +1,48 @@
+# A patch to remap the bootanim from flash to the HDD
+
+.include "macros.S"
+
+.set HvxPostOutput, 0x80061000
+.set AniStartBootAnimation, 0x80061730
+.set SataDiskInitialize, 0x8015DB18
+.set SataCdRomInitialize, 0x8015D678
+
+# set new bootanim path
+    KMAKEPATCH 0x80166C00
+0:
+    .string "\\Device\\Harddisk0\\Partition1\\bootanim.xex\0"
+    .align 2
+9:
+
+# initialize SATA driver before bootanim
+    KMAKEPATCH 0x80061298
+0:
+    # li r3, 0x73
+    # KMAKEBRANCHL HvxPostOutput
+    nop
+    nop
+    # init HDD before bootanim
+    KMAKEBRANCHL SataDiskInitialize
+    # li r3, 0x72
+    # KMAKEBRANCHL HvxPostOutput
+    nop
+    nop
+    li r3, 0
+    KMAKEBRANCHL AniStartBootAnimation
+    # init DVD after bootanim
+    KMAKEBRANCHL SataCdRomInitialize
+9:
+
+# remove bound path limit, set new bootanim path, and remove the minimum bootanim version
+    KMAKEPATCH 0x80061754
+0:
+    lis r11, -0x7FEA  # r11 = 0x80160000
+    addi r3, r11, 0x6C00  # r3 = r11 + 0x6C00
+    addi r6, r1, 0x50  # unmodified
+    li r5, 0  # minimum version
+    li r4, 9  # flags
+9:
+
+# ============================================================================
+	.long 0xFFFFFFFF
+# ============================================================================

XeCrypt.py

@@ -35,11 +35,11 @@
 XECRYPT_SD_SALT  = b"XBOX_ROM_4"
 BUFFER_SIZE      = 4096
 
-UINT8_MASK   = 0xFF
-UINT16_MASK  = 0xFFFF
-UINT32_MASK  = 0xFFFFFFFF
-UINT64_MASK  = 0xFFFFFFFFFFFFFFFF
-UINT128_MASK = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFF
+UINT8_MASK   = int.from_bytes(b"\xFF", "little")
+UINT16_MASK  = int.from_bytes(b"\xFF" * 2, "little")
+UINT32_MASK  = int.from_bytes(b"\xFF" * 4, "little")
+UINT64_MASK  = int.from_bytes(b"\xFF" * 8, "little")
+UINT128_MASK = int.from_bytes(b"\xFF" * 16, "little")
 
 # public key sizes
 XECRYPT_RSAPUB_1024_SIZE = 0x90
@@ -443,11 +443,15 @@ def reset(self) -> None:
 	def new(key: Union[bytes, bytearray]):
 		return XeCryptRc4(key)
 
-	def encrypt(self, data: Union[bytes, bytearray]) -> bytes:
+	# encrypt and decrypt are exactly the same for RC4
+	def crypt(self, data: Union[bytes, bytearray]) -> bytes:
 		return self._cipher.encrypt(data)
 
+	def encrypt(self, data: Union[bytes, bytearray]) -> bytes:
+		return self.crypt(data)
+
 	def decrypt(self, data: Union[bytes, bytearray]) -> bytes:
-		return self._cipher.decrypt(data)
+		return self.crypt(data)
 
 # DES
 class XeCryptDes:

assembler.py

@@ -6,17 +6,28 @@
 
 REG_EXP = re.compile(r"(r\d+)")
 
+# 0x80066354 = li r4, 0
+# 0x80066358 = addi r3, r11, 0xC00
+# 0x80066360 = li r5, 0
+
 def main() -> None:
 	print("Xbox 360 Interactive Assembler")
 
+	addr = 0
+	line_split = None
 	ks = Ks(KS_ARCH_PPC, KS_MODE_PPC32 + KS_MODE_BIG_ENDIAN)
 
 	capturing = False
 	code_lines = []
 	while True:
+		line_split = None
 		line = input("ASM> ").strip()
+		if ": " in line:
+			line_split = line.split(": ")
+
 		# commands
 		if line.lower() in ["exit", "quit", "close"]:
+			print("Done!")
 			break
 		elif line.lower() in ["start", "begin"]:
 			code_lines = []
@@ -41,17 +52,29 @@ def main() -> None:
 			continue
 
 		# parse as assembly
-		line = REG_EXP.sub(r"%\1", line)
 		try:
-			(code, line_num) = ks.asm(line)
-			code = bytes(code)
-			if capturing:
-				code_lines.append((line, code))
+			if len(line_split) == 2:
+				line_split[1] = REG_EXP.sub(r"%\1", line_split[1])
+				(code, line_num) = ks.asm(line_split[1], int(line_split[0], 16))
+				code = bytes(code)
+				if capturing:
+					code_lines.append((line_split[1], code))
+				else:
+					print(code.hex().upper())
+					code = ", ".join([f"0x{x:02X}" for x in code])
+					code = f"BYTE code[] = {{ {code} }}; // {line_split[1]}"
+					print(code)
 			else:
-				print(code.hex().upper())
-				code = ", ".join([f"0x{x:02X}" for x in code])
-				code = f"BYTE code[] = {{ {code} }}; // {line}"
-				print(code)
+				line = REG_EXP.sub(r"%\1", line)
+				(code, line_num) = ks.asm(line)
+				code = bytes(code)
+				if capturing:
+					code_lines.append((line, code))
+				else:
+					print(code.hex().upper())
+					code = ", ".join([f"0x{x:02X}" for x in code])
+					code = f"BYTE code[] = {{ {code} }}; // {line}"
+					print(code)
 		except Exception as e:
 			print(e.message)
 

patch_compile.py

@@ -13,6 +13,8 @@ def main() -> None:
 	assemble_patch("Patches/Zero/SD/sd_17489_patches.S", "Output/Zero/xell.bin", PATCH_DIR)
 	assemble_patch("Patches/Spoofy.S", "Output/Spoofy.bin", PATCH_DIR)
 
+	assemble_patch("Patches/remap_bootanim_17559.S", "Output/remap_bootanim_17559.bin", PATCH_DIR)
+
 	# assemble_patch("C://Users/John/Desktop/BlowFuselines.S", r"C://Users/John/Desktop/BlowFuselines.bin", PATCH_DIR)
 
 	vfuses_data = Path("Output/Zero/vfuses_17489.bin").read_bytes()

scratch.py

@@ -5,11 +5,9 @@
 from XeCrypt import *
 
 def main() -> None:
-	pub_key = Path("Keys/Master_pub.bin").read_bytes()
-	kv_data = Path("KV/banned.bin").read_bytes()
-
-	# this CPU key is banned!
-	print(XeCryptKeyVaultVerify(bytes.fromhex("9179C6012E1ECD5EE5378335AC99C960"), kv_data, pub_key))
+	_1bl_key = PY_XECRYPT_RSA_KEY(Path("Keys/1BL_pub.bin").read_bytes())
+	print(_1bl_key.n)
+	print(_1bl_key.e)
 
 if __name__ == "__main__":
 	main()

se_patcher.py

@@ -13,10 +13,13 @@ def main() -> None:
 	sd_data = bytearray(Path("Output/Winchester/sd_17489.bin").read_bytes())
 	se_data = bytearray(Path("Output/Winchester/hypervisor.bin").read_bytes() + Path("Output/Winchester/kernel.exe").read_bytes())
 
+	sd_data = apply_patches(sd_data, Path("C://Users/John/Desktop/patch.bin").read_bytes())
+
 	# apply patches
-	se_data = apply_patches(se_data, Path("Output/Zero/HVK.bin").read_bytes())
+	# se_data = apply_patches(se_data, Path("Output/Zero/HVK.bin").read_bytes())
 	# compress SE
-	se_data = bytearray(compress_se(se_data))
+	# se_data = bytearray(compress_se(se_data))
+	se_data = bytearray(0x20) + se_data
 	# magic, build, QFE, flags, and entry point
 	pack_into(">2s 3H I", se_data, 0, b"SE", 17559, 0x8000, 0, 0)
 	# get length of SE without padding
@@ -26,7 +29,7 @@ def main() -> None:
 	# set SE size
 	pack_into(">I", se_data, 0xC, se_len_nopad)
 	# append padding AFTER
-	se_data += (b"\x00" * calc_pad_size(se_len_nopad))
+	# se_data += (b"\x00" * calc_pad_size(se_len_nopad))
 	# compute SE hash
 	se_hash = XeCryptRotSumSha(se_data[:0x10] + se_data[0x20:])
 	# patch SE hash into SD