- 精华
- 0
- 帖子
- 3
- 威望
- 0 点
- 积分
- 4 点
- 种子
- 0 点
- 注册时间
- 2010-12-2
- 最后登录
- 2020-1-6
|
本帖最后由 jasonelite 于 2012-4-16 10:28 编辑
由于时间关系 只翻译了前半段,请高手赶紧学习早日全民破解:-)
Team Xecuter RGH2.0 For CoolRunner Rev A and B
前段时间由于脉冲硬件的启动时间不稳定,我们还没有准备好发布这个版本。但是因为最近我们的源代码被开发组的一名人员泄露给外方涉及版权和拥有权,我们不得不提前发布。对方甚至懒到连补丁包都没有修改,所有文件都原封不动的复制过来。太差劲了,对于一些开发组来说他们可能认为这只不过是Wii或者Playstation一样可以随意拿来***。他们甚至都没有感激cOz作为SMC打包补丁的始创人 - 因为他们根本不知道这是来自cOz的作品。
我们不想被扯进这些无味的鬼话 - 因为你们大多数人也不会在意,但是很多人员在这份劳动成果中付出了很大努力,到最后被轻而易举的偷窃并且不存任何感激,真是悲哀。无论如何。。。
TX开发组很荣幸宣布脉冲自制第二代对于CoolRunnerA版和B版的破解正式发出。所有厚机都被彻底破解,并且不需要先前版本的NAND或CPU KEY来完全的进行脉冲破解(同样适用于更新到14717/14719的薄机Trinity)
我们已收录了所有的build.py和xebuild文件,如果我们的成果对您有用,请对我们给予评价。
TX RGH2.0特性介绍
适用于新的CB((14717/14719 版本)
适用于所有的改版(4577, 5772, 6752)
Zephyr CB 4578, 4575, 4577
Falcon/Opus CB 5771, 5772, 5773
Jasper CB 6750, 6752, 6753
Trinity (Slim) CB 9188, 9230
确认一点,我们可以脉冲破解所有的厚机,无论任何内核任何bootloader,只要你有cpu key,你就可以用TX Demon转换为完全破解的NAND,然后无论更新到什么版本或者电子保险无论怎么爆裂,都可以正常运行!
技术信心
薄机中,引导链CB被分为两部分。第一部分开始编码然后读取第二部分,第二部分检查熔断器和老版本CB所起到的所有作用。脉冲第一部分(CBA)后,我们在检查熔断器前已经获得了系统的控制权并对其打补丁。薄机引导链一直是这样运作,一些开发组甚至试图将薄机的CBA放到厚机上使用,也就是将先前厚机的第一代脉冲自制CB作为CBB。如果设置正确的话,这样脉冲式可以起作用的,但有一些厚机已含有独特的引导链,这些引导链大多数都被修改过(CB 5772, 6752, 4577).
我们所做的就是瞬时获得这些改版机的脉冲时间,倒空cpu key,破译引导链,并对其加以端口以运行到任何厚机上。这意味着在厚机上我们可以在检查熔断器之前对其进行脉冲破解然后就可以获得一个不可打补丁的破解系统,就像trinity一样。
新的TX CoolRunner - 第二版
Team Xecuter RGH2.0 For CoolRunner Rev A and B
We were not quite ready to release this due to it's unstable boot times on older glitch hardware, but as our code was leaked from a team member AGAIN we had to release this due to another team stealing the code and claiming as their own work. They were even too lazy to change any of the patches to make it look like their own – they are 1:1 same as our original sources. Super lame. It seems some teams think this is the Wii or PlayStation scene and you can act like this. They don't even give credits to cOz for his SMC patcher – because they didn't even know that code was from him of course.
We don't want to get dragged down into bullshit scene politics – most of you won't care anyway, but a lot of guys work very hard on this stuff only to have it stolen with no effort and no credits is just sad. Anyway……
The Xecuter RGH Development Team are pleased to announce the official release of the RGH2.0 hack for all CoolRunner Rev A and Rev B dev boards. All Phat consoles have now been defeated and are totally glitch-able without having a previous NAND dump or CPU KEY (the same applies to Slim Trinity that have been updated to 14717/14719).
We have included all of the build.py and xebuild scripts for your convenience. Please give the correct credits if you use our work.
Xecuter RGH2.0 Features introduced:
Hack now works on new CB's (14717/14719 update)
Hack now works with all Refurbished Split CB's (4577, 5772, 6752)
Zephyr CB 4578, 4575, 4577
Falcon/Opus CB 5771, 5772, 5773
Jasper CB 6750, 6752, 6753
Trinity (Slim) CB 9188, 9230
To confirm, we can now glitch Phats with any kernel and any bootloader. As soon as you have your CPU KEY, and you are using an Xecuter DemoN you will ALWAYS be able to switch to a fully hacked NAND and it can never be stopped no matter what update you apply and no matter which efuses are blown !
Technical Info
In the slim boot chain the 2nd bootloader (CB) is split into two pieces. The first part simply starts encryption and loads the second part, which does fuse checks and all the things that the old single CB did. By glitching the first part (CBA), we take control of the system before the fuse checks occur and can patch them out. The slim bootchain has always used this layout and some groups have even tried bringing the slim CBA to phat and using the old single phat (RGH1) CB as CBB. Glitching this way will work if you set it up right, but there are actually phat xboxes that already have their own split CB boot chain which were mostly ones that had been refurbished (CB 5772, 6752, 4577).
What we have done is simultaneously find glitch timings for these refurbs, dump their cpu_key, decrypt the boot chain, and port it to run on every other phat! This means that on phats we can now glitch before the fuse check and thus have an unpatchable hack just like trinity!
New Xecuter CoolRunner v2 Hardware
There have been many obstacles to cross with this because CBA glitching does not behave quite the same as CB glitching. The Coolrunner revisions A&B will glitch for RGH2.0 but results will vary and with some, boot times can be worse than trinity and with others they may be instant. These boot times are unacceptable and this is why we have spent the last few weeks designing a new glitch chip that will solve all these problems and will even help with trinity and corona boot times
New Xecuter CoolRunner v2 Upcoming Features:
Corona support
Much better glitch times for RGH1 and RGH2
All-in-One code for all versions
Demon integration
Level shifted POST output
…and much more
Development is almost complete – find an image of the CR v2 dev unit in this release pack.
Building an Image
With RGH2, a cpu_key is necessary for building the NAND image. The reason for this is because cpu_key encryption starts at CB, and in RGH1 there was only one CB which meant that CD was encrypted with cpu_key but CB could be "zero paired" which meant that the cpu_key would not be applied. When split-CB was added, they started the encryption at CBA and removed the zero pairing option, which means that cpukey encryption on CBB is mandatory. Because of a vulnerability in the way they use RC4, if you have a stock NAND image that already has a CBB encrypted on it, we can derive the keystream used in that image because we know what the CBB looks like decrypted (we have already decrypted that version before). Because of this, we can embed the older vulnerable CBB into the NAND image using the keystream.
Bottom line is, after the 14717 update they turned all phats into a split CB boot chain but using unglitchable bootloaders. We can still glitch these boxes even when we don't know the cpu_key because we can use the "XOR hack" to embed the RGH2 bootloaders. For older images (pre-14717) we need the cpu_key to encrypt the new loaders because there is not a CBB already in the image that we can derive a keystream from.
Once the cpu_key is retrieved, you can always build a NAND image for RGH2'ing your machine. You can flash back to stock, update, even burn all your fuses and you would still be able to run RGH2.
For building a xell image, read the readme in XECUTER_RGH2_Xell.
For an xebuild image (if you have your cpu_key already) browse to XECUTER_RGH2_Xebuild.
Instructions
First wire up your Xecuter CoolRunner according to the diagram provided. RGH2.0 Requires that you either already have your cpu_key or you are on dashboard 14717/14719. This means that if you do not have your cpu_key, you must run xell first to retrieve your fuses.
COOLRUNNER CPLD PROGRAMMING
The XSVF files are located in \xsvf folder. Start with the xsvf recommended below, however every xsvf should run on every motherboard, but one of them will work best for your setup.
Falcon/Opus: Program either TX_RGH2_B.xsvf, or TX_RGH2_C.xsvf
Jasper: Program either TX_RGH2_A.xsvf, or TX_RGH2_D.xsvf
Zephyr: Program either TX_RGH2_D.xsvf, or TX_RGH2_C.xsvf
Please enjoy this release and report any interesting tweaks you may find.
CREDITS:
If you are going to use RGH2.0 please give credits to the Team Xecuter RGH development Team. Don't be lame and try to claim the work as your own.
Thanks to Tiros & GliGli for their original RGH work.
Thanks to cOz for his universal SMC patcher.
Thanks to all the Xecuter developers and official testers. You know who you are.
Thanks to Ubergeek for the diagram.
Thanks to the asshole who leaked our code for others to steal and claim as theirs. Super lame.
DOWNLOAD COMPLETE PACKAGE HERE
|
|