Shadow boot ROMs on XDKs research

Discussion in 'Xbox 360 Development' started by oscar193, Mar 30, 2016.

  1. oscar193

    oscar193 Newly Registered

    Joined:
    Aug 18, 2011
    Messages:
    2
    Likes Received:
    8
    I'm posting my research so far on shadowboot rom files that are typically used, as far as I can see, in recoveries.

    My reason for doing this was to allow a lot more control on my dev kit on later recoveries. I know of the HV expansion method but that's been patched with the newer recoveries as far as I'm aware.

    I saw a few scattered hits around the internet about shadow booting being a method to do this with no further details.

    All of my code so far can be found at: https://github.com/kimoi/XeTool

    This includes a little tool to extract information and decrypt/decompress the bootloaders.


    You'd be better off reading the code, but here's a quick summary.

    The shadow boot ROM files (typically named xboxromw2d.bin) contain a header with usual offset/length values and MS copyright, encrypted SMC and SB, SC, SD and SE bootloaders. SE is the whole HV+kernel binary, no delta patches like we find in the bootloader slots on a flash dump.

    The SMC is encrypted using a custom algo (refer to the code above or code to 360 Flash Dump Tool). The bootloaders are encrypted with RC4, using a key derived from HMAC-SHA.

    Now nothing in the ROM file seems to be signed at all. Just a simple HMAC-SHA+RC4, which we can re-encrypt w/o issues. So in theory we would be able to modify any part of the boot chain from the 2BL up.

    Unfortunately my XDK broke on me before I could actually put any of this into practice. Hopefully someone else will find this information and code useful.
     
    Last edited: Mar 30, 2016
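Added example, not code from the post or from XeTool: a Python model of the scheme the post describes (an RC4 stage key derived with HMAC-SHA), showing why an encryption layer alone cannot distinguish a rewrapped stage from the original, and the kind of integrity check a loader would need before executing it. The 16-byte nonce, the HMAC-SHA1 truncation to 16 bytes, the keys and the stage bytes are all constructed assumptions, not Xbox 360 values.

```python
import hashlib
import hmac


def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    i = j = 0
    out = bytearray()
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_rc4_key(derivation_key: bytes, nonce: bytes) -> bytes:
    """Key derivation as the post describes it: HMAC-SHA over a per-image value.
    HMAC-SHA1 truncated to 16 bytes is an assumption, not taken from the post."""
    return hmac.new(derivation_key, nonce, hashlib.sha1).digest()[:16]


def wrap(plain: bytes, derivation_key: bytes, nonce: bytes) -> bytes:
    """Build an encrypted stage: a constructed 16-byte nonce, then RC4 ciphertext."""
    return nonce + rc4(derive_rc4_key(derivation_key, nonce), plain)


def unwrap(blob: bytes, derivation_key: bytes) -> bytes:
    """Decrypt a stage. Nothing in this layer can reject modified content."""
    nonce, body = blob[:16], blob[16:]
    return rc4(derive_rc4_key(derivation_key, nonce), body)


def accepts_any_content(plain: bytes, derivation_key: bytes, nonce: bytes) -> bool:
    """True when wrap/unwrap round-trips arbitrary content: the encryption layer
    alone provides no integrity, which is the gap the post points out."""
    return unwrap(wrap(plain, derivation_key, nonce), derivation_key) == plain


def stage_tag(plain: bytes, verify_key: bytes) -> bytes:
    """Integrity tag over the decrypted stage under a key separate from the RC4
    derivation key; a real boot chain would use a signature so the verifier holds
    no secret, and the HMAC only stands in for that check here."""
    return hmac.new(verify_key, plain, hashlib.sha256).digest()


def verify_stage(plain: bytes, tag: bytes, verify_key: bytes) -> bool:
    """Constant-time check a loader would run before executing the stage."""
    return hmac.compare_digest(stage_tag(plain, verify_key), tag)
```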
  2. Stipo360

    Stipo360 Dead Rising & XDKs

    Joined:
    Feb 11, 2014
    Messages:
    1,107
    Likes Received:
    473