Hacking [HACKING]: XK3Y (X360Key) AES-Keys released

nitr8

This is what you get when you "really" care about customers...


The purpose of this thread is to expose the firmware encryption keys of the XK3Y (also called "X360Key") - a modchip that was once manufactured for the XBOX360.



As you should know, all of the stuff on the XK3Y is encrypted - like the bootloader, the Kernel etc.


The reason why I'm releasing the keys is that I had my tests going on on what it takes to make your own dumps to run on a XBOX360 and it was a massive turn-out into some - kind of - frustrating FAIL at all levels. Me realizing that it needs much more than just like a modchip made me sick of it. So I went for doing stuff for the public which might be interested in extending the firmware - if not - even make it further open or what not...


Here we go...:



XK3Y Bootloader AES key: C0681465325EE0169F0C3E4AA28C54B2
XK3Y ROOTFS AES key: 60BD0BB7084A1C104141B6B6D95B97C4 (for XKEY firmware < v1.06)
XK3Y ROOTFS AES IV: 00000000000000000000000000000000 (ALL XKEY ROOTFS firmwares)
XK3Y ROOTFS AES key: FC815A31137863C5B078FB6F1C31A58E (for XKEY firmware >= v1.06)
XK3Y KERNEL AES key: 2B06C0D6B5A057F20FB949037860D056
XK3Y KERNEL AES IV: 508E4724DA2EF3B7E861A6032D1EEDC6
XK3Y SRAM EMUKEY: 3C51DDF6AF5CEAD5C3B3327830B336D6 (whatever that might be for)
XK3Y "Anti-Clone" key: 2B00B610000000000000000000000000 (who would even clone this CRAP)
XK3Y "Anti-Clone" data: E7F2A5F6E9A53948426685B65530417E


Hopefully people can use this for something else successif...


You btw. should know that dumping these keys was done / possible as described within the "The WODE just got HACKED" thread.

I'm not going to release the bootloader AES IV for a very certain reason.
You might search on your own for it.
If you might ask yourself on this one if I got it on my own: I do!

Have fun with those keys and what else above.
I'm just p*ssed r/n about what modchip manufacturers have come to - whereby I do believe that the XK3Y is a product which was once manufactured by Team Xecuter.


* Signing out *
 

K3Nv2

Xk3y has long since been discontinued as far as I know. I have one in my system, but it's been years since I messed with it. IIRC I just put the bin file inside the MicroSD card and it worked; I don't remember the file structure used.
 

TheStonedModder

This is AMAZING great work!
 

Visual Studio

If you want a project to use that ChipWhisperer on, try dumping an Xecuter DemoN.
 

Armandooooo

Hi Nitr8,

Thank you for sharing the encryption key. Would you be able to provide the command to decrypt and re-encrypt as I am sure this is not that easy.

Thank you very very much
 

Armandooooo

Hi Nitr8,

Would you be able to share the commands to decrypt and encrypt using the keys?
What is the reason for keeping the bootloader AES IV? Just curious

Thank you for releasing.
 

nitr8

Regarding the bootloader AES IV:

It is unclear whether the bootloader AES IV is customer-related or globally equal to each of the LPC3143 MCUs by NXP.

It might be that, if a customer of NXP orders an LPC3143 package, they burn the BOOTROM into the package and the bootloader AES IV is then related to this customer of NXP. I'm writing of "related" because the bootloader AES IV is stored within the BOOTROM of the LPC3143 MCU itself. I do have some other PCB right here which also carries an LPC3143 MCU and is no modchip after all, but I also didn't make it to dump the BOOTROM of this particular MCU of that PCB. I hope to get this done so I can compare the results. If they differ, releasing the bootloader AES IV might be a thing but if they are equal: no chance. So dumping it on your own would be the only option after all.
 

Armandooooo

Hi nitr8,
Thank you for the explanation. In regards to my other query for the commands, you don’t reply because you don’t want to share or any other reason?

Thank you
 

nitr8

Does that mean we will be seeing xk3y device again in the market?
Basically "NO".

For that to happen, one would need the design files like PCB data sheets, GERBER files / BOM etc.

Aside from that, the FPGA security needs to be exploited. The Lattice holding the bitstream data is AES encrypted as well but hacking an FPGA like that is near to impossible to accomplish.

Like seen on the WODE before, which has an ACTEL ProASIC3 FPGA, for the Lattice it's most likely the case that the AES key for the bitstream data is hidden within the FPGA itself. There are no known - like - tutorials on how to extract an AES key from ICs like these nor how to crack / exploit their security.
 

TheStonedModder

That's the Bootloader and Kernel source code of the XKEY.

Unfortunately, like on the WODE, it's missing the required binary for interaction with the XKEY module which handles mounting of games. They never made the source code to it available to the public.
Interesting there seems to maybe be some extra information shared on the PS3 wiki? Under the 360 goodness section

https://www.psdevwiki.com/ps3/User_talk:Zecoxao#3K3Y_Goodness
 
