Pass the box in 4532 or 4548. Boot Linux. Dump the NAND and CPU key (with tmbinc's dump or http://arisme.free.fr/Xbox/Fuse360/generate2.php?ip=192.168.0.200&mask=255.255.255.0). Extract the keyvault with FlashTool.
The XeDK's NAND is different from a retail Xbox 360's. I tried extracting from a NAND dump from my kit, and FlashTool says that it isn't valid, but I know for a fact that it is.
That might be because it wasn't designed for a dev. We dev owners get screwed in the long run for software developed solely for retail.
I think Robinsod is adding support for the XeDK dump, as it has already been requested over at the xbh forums.
I was told that there already is a dev app that allows you to dump a CPU key, but they weren't willing to share it with me.
I can get the CPU key, and the 1BL key, but I can't get the full output, it just gives me those 2 keys. I want to get the full output.
Well, in my case I had to hex-edit the tool to change all the Cx section "names", CB/CD/CE/CF/CG, to Sx and call CD SC, so basically change it to SB/SC/SD/SE instead. I will explain why soon. The section "names" are actually flags, and devkit sections have bit 4 of the first byte set; retail does not, presumably to indicate devkit/retail. The reason for adding SC is that the devkit dumps have an extra section in them after SB and before SD. This section does not disassemble as PPC, and I haven't really gotten around to messing with it too much. You can decrypt it with RC4 using the key generated by HMAC(16-zeros, SC_Seed). It has clear-text strings in it, for example:

"Xbox 360 Devkit 2.0.4548.0"
"HWINIT 061108a"
"BL Ready"
"ERROR_NBINIT_MEM_PAD_CAL_CNTL_ERROR"
"EV2 Monitor Ready"

And a few more, but that's enough CTRL-C+V for now. Maybe someone here knows more about this section? *cough*tmbinc*cough*

So, enough off-topic stuff. After you have done this hex edit of the tool, it will be able to extract your keyvault, given you have your CPU key of course. But it won't be able to extract your kernel, since the tool doesn't know about the extra section and fails. If you want that too, you will have to write your own tools, but it really helps having a kernel full of debug strings when you are disassembling it.
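As an added example (not code from this thread, FlashTool or any other tool named here), a small Python model of what the post above describes: detect the devkit flag in a section name (bit 4 of the first byte, 'C' 0x43 vs 'S' 0x53), clear it the way the hex edit does in reverse, derive the RC4 key as HMAC-SHA1 over the section seed with the 16-zero key, and decrypt the body. The 0x20-byte header layout, the choice of SHA1 and the truncation of the HMAC output to 16 bytes are assumptions about the bootloader format, and the sample section is constructed, not a real dump.

```python
import hashlib
import hmac
import struct
ZERO_KEY = bytes(16)   # the "16-zeros" HMAC key the post names
DEVKIT_FLAG = 0x10     # bit 4 of the first name byte: 'C' (0x43) becomes 'S' (0x53)

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); symmetric, so it both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def derive_key(seed: bytes, hmac_key: bytes = ZERO_KEY) -> bytes:
    """HMAC-SHA1(hmac_key, seed) truncated to 16 bytes (assumed hash and truncation)."""
    return hmac.new(hmac_key, seed, hashlib.sha1).digest()[:16]

def parse_header(blob: bytes) -> dict:
    """Assumed 0x20-byte header: magic(2) build(2) pairing(2) flags(2) entry(4) size(4) seed(16)."""
    magic, build, pairing, flags, entry, size = struct.unpack(">2sHHHII", blob[:0x10])
    return {"magic": magic, "build": build, "pairing": pairing, "flags": flags,
            "entry": entry, "size": size, "seed": blob[0x10:0x20]}

def is_devkit(magic: bytes) -> bool:
    """True when bit 4 of the first name byte is set (SB/SC/SD rather than CB/CD)."""
    return bool(magic[0] & DEVKIT_FLAG)

def strip_devkit_flag(magic: bytes) -> bytes:
    """Clear the flag so a retail-only tool recognises the name (the post's hex edit, reversed)."""
    return bytes([magic[0] & 0xEF, magic[1]])

def decrypt_section(blob: bytes, hmac_key: bytes = ZERO_KEY) -> bytes:
    """Return header + RC4-decrypted body, keyed from the seed stored in the header."""
    h = parse_header(blob)
    return blob[:0x20] + rc4(derive_key(h["seed"], hmac_key), blob[0x20:h["size"]])

def build_sample(body: bytes = b"Xbox 360 Devkit 2.0.4548.0\0HWINIT 061108a\0") -> bytes:
    """Constructed 'SC' section (not a real dump): header plus RC4-encrypted body."""
    seed = bytes(range(16))
    header = struct.pack(">2sHHHII", b"SC", 4548, 0, 0, 0x20, 0x20 + len(body)) + seed
    return header + rc4(derive_key(seed), body)
```

Running `decrypt_section(build_sample())` recovers the clear-text strings from the constructed body; point `parse_header`/`decrypt_section` at a real section only if the header layout assumed here matches your dump.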
3BL is the VM code, which is embedded into 2BL in retail boxes. It does the memory init, and contains the serial debug monitor. That it is not included in 2BL is just for private key management reasons, I'd guess. 1BL btw is the same, so the 1BL key is *not* zero. It's zero on old (beta) devkits, however.