Hacking [HACKING]: XK3Y (X360Key) AES-Keys released

nitr8

This is what you get when you "really" care about customers...


The purpose of this thread is to expose the firmware encryption keys of the XK3Y (also called "X360Key") - a modchip that was once manufactured for the XBOX360.



As you should know, all of the stuff on the XK3Y is encrypted - like the bootloader, the Kernel etc.


The reason why I'm releasing the keys is that I had my tests going on on what it takes to make your own dumps to run on a XBOX360 and it was a massive turn-out into some - kind of - frustrating FAIL at all levels. Me realizing that it needs much more than just like a modchip made me sick of it. So I went for doing stuff for the public which might be interested in extending the firmware - if not - even make it further open or what not...


Here we go...:



XK3Y Bootloader AES key: C0681465325EE0169F0C3E4AA28C54B2
XK3Y ROOTFS AES key: 60BD0BB7084A1C104141B6B6D95B97C4 (for XKEY firmware < v1.06)
XK3Y ROOTFS AES IV: 00000000000000000000000000000000 (ALL XKEY ROOTFS firmwares)
XK3Y ROOTFS AES key: FC815A31137863C5B078FB6F1C31A58E (for XKEY firmware >= v1.06)
XK3Y KERNEL AES key: 2B06C0D6B5A057F20FB949037860D056
XK3Y KERNEL AES IV: 508E4724DA2EF3B7E861A6032D1EEDC6
XK3Y SRAM EMUKEY: 3C51DDF6AF5CEAD5C3B3327830B336D6 (whatever that might be for)
XK3Y "Anti-Clone" key: 2B00B610000000000000000000000000 (who would even clone this CRAP)
XK3Y "Anti-Clone" data: E7F2A5F6E9A53948426685B65530417E


Hopefully people can use this for something else successif...


You btw. should know that dumping these keys was done / possible as described within the "The WODE just got HACKED" thread.

I'm not going to release the bootloader AES IV for a very certain reason.
You might search on your own for it.
If you might ask yourself on this one if I got it on my own: I do!

Have fun with those keys and what else above.
I'm just p*ssed r/n about what modchip manufacturers have come to - whereby I do believe that the XK3Y is a product which was once manufactured by Team Xecuter.


* Signing out *
 

K3Nv2

Xk3y has long since been discontinued as far as I know. I have one in my system, but it's been years since I messed with it. IIRC I just put the bin file inside the MicroSD card and it worked; I don't remember the file structure used.
 

TheStonedModder

This is AMAZING great work!
 

Visual Studio

If you want a project to use that ChipWhisperer on, try dumping an Xecuter DemoN.
 

Armandooooo

Hi Nitr8,

Thank you for sharing the encryption key. Would you be able to provide the command to decrypt and re-encrypt as I am sure this is not that easy.

Thank you very very much
 

Armandooooo

Hi Nitr8,

Would you be able to share the commands to decrypt and encrypt using the keys?
What is the reason for keeping the bootloader AES IV? Just curious

Thank you for releasing.
 

nitr8

Regarding the bootloader AES IV:

It is unclear whether the bootloader AES IV is customer-related or globally equal to each of the LPC3143 MCUs by NXP.

It might be that, if a customer of NXP orders a LPC3143 package, they burn the BOOTROM into the package and the bootloader AES IV is then related to this customer of NXP. I'm writing of "related" because the bootloader AES IV is stored within the BOOTROM of the LPC3143 MCU itself. I do have some other PCB right here which also carries a LPC3143 MCU and is no modchip after all but I also didn't make it to dump the BOOTROM of this particular MCU of that PCB. I hope to get this done so I can compare the results. If they differ, releasing the bootloader AES IV might be a thing but if they are equal: no chance. So dumping it on your own would be the only option after all.
 

Armandooooo

Hi nitr8,
Thank you for the explanation. In regards to my other query for the commands, you don’t reply because you don’t want to share or any other reason?

Thank you
 

nitr8

Does that mean we will be seeing the xk3y device again in the market?
Basically "NO".

For that to happen, one would need the design files like PCB data sheets, GERBER files / BOM etc.

Aside from that, the FPGA security needs to be exploited. The Lattice holding the bitstream data is AES encrypted as well but hacking a FPGA like that is near to impossible to accomplish.

Like seen on the WODE before, which has an ACTEL ProASIC3 FPGA, for the Lattice it's most likely the case that the AES key for the bitstream data is hidden within the FPGA itself. There are no known - like - tutorials on how to extract an AES key from ICs like these nor how to crack / exploit their security.
 

TheStonedModder

That's the Bootloader and Kernel source code of the XKEY.

Unfortunately, like on the WODE, it's missing the required binary for interaction with the XKEY module which handles mounting of games. They never made the source code to it available to the public.
Interesting there seems to maybe be some extra information shared on the PS3 wiki? Under the 360 goodness section

https://www.psdevwiki.com/ps3/User_talk:Zecoxao#3K3Y_Goodness
 
