Hacking [HACKING]: XK3Y (X360Key) AES-Keys released

nitr8

This is what you get when you "really" care about customers...


The purpose of this thread is to expose the firmware encryption keys of the XK3Y (also called "X360Key") - a modchip that was once manufactured for the XBOX360.



As you should know, all of the stuff on the XK3Y is encrypted - like the bootloader, the Kernel etc.


The reason why I'm releasing the keys is that I had my tests going on on what it takes to make your own dumps to run on an XBOX360 and it was a massive turn-out into some - kind of - frustrating FAIL at all levels. Me realizing that it needs much more than just like a modchip made me sick of it. So I went for doing stuff for the public which might be interested in extending the firmware - if not - even make it further open or what not...


Here we go...:



XK3Y Bootloader AES key: C0681465325EE0169F0C3E4AA28C54B2
XK3Y ROOTFS AES key: 60BD0BB7084A1C104141B6B6D95B97C4 (for XKEY firmware < v1.06)
XK3Y ROOTFS AES IV: 00000000000000000000000000000000 (ALL XKEY ROOTFS firmwares)
XK3Y ROOTFS AES key: FC815A31137863C5B078FB6F1C31A58E (for XKEY firmware >= v1.06)
XK3Y KERNEL AES key: 2B06C0D6B5A057F20FB949037860D056
XK3Y KERNEL AES IV: 508E4724DA2EF3B7E861A6032D1EEDC6
XK3Y SRAM EMUKEY: 3C51DDF6AF5CEAD5C3B3327830B336D6 (whatever that might be for)
XK3Y "Anti-Clone" key: 2B00B610000000000000000000000000 (who would even clone this CRAP)
XK3Y "Anti-Clone" data: E7F2A5F6E9A53948426685B65530417E


Hopefully people can use this for something else successfully...

You btw. should know that dumping these keys was done / possible as described within the "The WODE just got HACKED" thread.

I'm not going to release the bootloader AES IV for a very certain reason.
You might search on your own for it.
If you might ask yourself on this one if I got it on my own: I do!

Have fun with those keys and what else above.
I'm just p*ssed r/n about what modchip manufacturers have come to - whereby I do believe that the XK3Y is a product which was once manufactured by Team Xecuter.


* Signing out *
 

K3Nv2

Xk3y has long since been discontinued as far as I know. I have one in my system, but it's been years since I messed with it. IIRC I just put the bin file inside the MicroSD card and it worked; I don't remember the file structure used.
 

TheStonedModder

This is AMAZING great work!
 

Visual Studio

If you want a project to use that ChipWhisperer on, try dumping an Xecuter DemoN.
 

Armandooooo

Hi Nitr8,

Thank you for sharing the encryption key. Would you be able to provide the command to decrypt and re-encrypt as I am sure this is not that easy.

Thank you very very much
 

Armandooooo

Hi Nitr8,

Would you be able to share the commands to decrypt and encrypt using the keys?
What is the reason for keeping the bootloader AES IV? Just curious

Thank you for releasing.
 

nitr8

Regarding the bootloader AES IV:

It is unclear whether the bootloader AES IV is customer-related or globally equal to each of the LPC3143 MCUs by NXP.

It might be that, if a customer of NXP orders an LPC3143 package, they burn the BOOTROM into the package and the bootloader AES IV is then related to this customer of NXP. I'm writing of "related" because the bootloader AES IV is stored within the BOOTROM of the LPC3143 MCU itself. I do have some other PCB right here which also carries an LPC3143 MCU and is no modchip after all but I also didn't make it to dump the BOOTROM of this particular MCU of that PCB. I hope to get this done so I can compare the results. If they differ, releasing the bootloader AES IV might be a thing but if they are equal: no chance. So dumping it on your own would be the only option after all.
 

Armandooooo

Hi nitr8,
Thank you for the explanation. In regards to my other query for the commands, you don’t reply because you don’t want to share or any other reason?

Thank you
 

nitr8

Does that mean we will be seeing xk3y device again in the market?
Basically "NO".

For that to happen, one would need the design files like PCB data sheets, GERBER files / BOM etc.

Aside from that, the FPGA security needs to be exploited. The Lattice holding the bitstream data is AES encrypted as well but hacking an FPGA like that is near to impossible to accomplish.

Like seen on the WODE before, which has an ACTEL ProASIC3 FPGA, for the Lattice it's most likely the case that the AES key for the bitstream data is hidden within the FPGA itself. There are no known - like - tutorials on how to extract an AES key from ICs like these nor how to crack / exploit their security.
 

TheStonedModder

That's the Bootloader and Kernel source code of the XKEY.

Unfortunately, like on the WODE, it's missing the required binary for interaction with the XKEY module which handles mounting of games. They never made the source code to it available to the public.
Interesting, there seems to maybe be some extra information shared on the PS3 wiki? Under the 360 goodness section

https://www.psdevwiki.com/ps3/User_talk:Zecoxao#3K3Y_Goodness
 
