Hacking [HACKING]: XK3Y (X360Key) AES-Keys released

nitr8

This is what you get when you "really" care about customers...


The purpose of this thread is to expose the firmware encryption keys of the XK3Y (also called "X360Key") - a modchip that was once manufactured for the XBOX360.



As you should know, all of the stuff on the XK3Y is encrypted - like the bootloader, the Kernel etc.


The reason why I'm releasing the keys is that I had my tests going on on what it takes to make your own dumps to run on a XBOX360 and it was a massive turn-out into some - kind of - frustrating FAIL at all levels. Me realizing that it needs much more than just like a modchip made me sick of it. So I went for doing stuff for the public which might be interested in extending the firmware - if not - even make it further open or what not...


Here we go...:



XK3Y Bootloader AES key: C0681465325EE0169F0C3E4AA28C54B2
XK3Y ROOTFS AES key: 60BD0BB7084A1C104141B6B6D95B97C4 (for XKEY firmware < v1.06)
XK3Y ROOTFS AES IV: 00000000000000000000000000000000 (ALL XKEY ROOTFS firmwares)
XK3Y ROOTFS AES key: FC815A31137863C5B078FB6F1C31A58E (for XKEY firmware >= v1.06)
XK3Y KERNEL AES key: 2B06C0D6B5A057F20FB949037860D056
XK3Y KERNEL AES IV: 508E4724DA2EF3B7E861A6032D1EEDC6
XK3Y SRAM EMUKEY: 3C51DDF6AF5CEAD5C3B3327830B336D6 (whatever that might be for)
XK3Y "Anti-Clone" key: 2B00B610000000000000000000000000 (who would even clone this CRAP)
XK3Y "Anti-Clone" data: E7F2A5F6E9A53948426685B65530417E


Hopefully people can use this for something else successif...


You btw. should know that dumping these keys was done / possible as described within the "The WODE just got HACKED" thread.

I'm not going to release the bootloader AES IV for a very certain reason.
You might search on your own for it.
If you might ask yourself on this one if I got it on my own: I do!

Have fun with those keys and what else above.
I'm just p*ssed r/n about what modchip manufacturers have come to - whereby I do believe that the XK3Y is a product which was once manufactured by Team Xecuter.


* Signing out *
 

K3Nv2

Xk3y has long since been discontinued as far as I know. I have one in my system, but it's been years since I messed with it. IIRC I just put the bin file inside the MicroSD card and it worked; I don't remember the file structure used.
 

TheStonedModder

This is AMAZING great work!
 


Visual Studio

If you want a project to use that ChipWhisperer to use on; try dumping an Xecuter DemoN.
 

Armandooooo

Hi Nitr8,

Thank you for sharing the encryption key. Would you be able to provide the command to decrypt and re-encrypt as I am sure this is not that easy.

Thank you very very much
 

Armandooooo

Hi Nitr8,

Would you be able to share the commands to decrypt and encrypt using the keys?
What is the reason for keeping the bootloader AES IV? Just curious

Thank you for releasing.
 

nitr8

Regarding the bootloader AES IV:

It is unclear whether the bootloader AES IV is customer-related or globally equal to each of the LPC3143 MCU's by NXP.

It might be that, if a customer of NXP orders a LPC3143 package, they burn the BOOTROM into the package and the bootloader AES IV is then related to this customer of NXP. I'm writing of "related" because the bootloader AES IV is stored within the BOOTROM of the LPC3143 MCU itself. I do have some other PCB right here which also carries a LPC3143 MCU and is no modchip after all but I also didn't make it to dump the BOOTROM of this particular MCU of that PCB. I hope to get this done so I can compare the results. If they differ, releasing the bootloader AES IV might be a thing but if they are equal: no chance. So dumping it on your own would be the only option after all.
 

Armandooooo

Hi nitr8,
Thank you for the explanation. In regards to my other query for the commands, you don’t reply because you don’t want to share or any other reason?

Thank you
 

nitr8

Does that mean we will be seeing xk3y device again in the market?
Basically "NO".

For that to happen, one would need the design files like PCB data sheets, GERBER files / BOM etc.

Aside from that, the FPGA security needs to be exploited. The Lattice holding the bitstream data is AES encrypted as well but hacking a FPGA like that is near to impossible to accomplish.

Like seen on the WODE before, which has an ACTEL ProASIC3 FPGA, for the Lattice it's most likely the case that the AES key for the bitstream data is hidden within the FPGA itself. There are no known - like - tutorials on how to extract an AES key from IC's like these nor how to crack / exploit their security.
 

TheStonedModder

That's the Bootloader and Kernel source code of the XKEY.

Unfortunately, like on the WODE, it's missing the required binary for interaction with the XKEY module which handles mounting of games. They never made the source code to it available to the public.
Interesting there seems to maybe be some extra information shared on the PS3 wiki? Under the 360 goodness section

https://www.psdevwiki.com/ps3/User_talk:Zecoxao#3K3Y_Goodness
 
