
Xbox 360 Lamprey Board (Ship Worldwide)

Discussion in 'The ASSEMblergames Marketplace' started by deep3r, Nov 12, 2015.

  1. deep3r

    deep3r Fiery Member

    Joined:
    Feb 6, 2011
    Messages:
    855
    Likes Received:
    301
    Hi all,

    I'm sure you know what this is if you are into 360 development. It can be seen as a holy grail item to some as it is the only known board to be out in public hands. It was used by Microsoft to flash NANDs, ROL boards, debug the system kernel etc. I believe it would've also been used to convert retail 360 kits into development kits as seen in that document that got leaked. I have no programming knowledge so while it has been in my possession, I have never tried such tasks.

    I have included a photo of it connected to a stress test kit (stress test kit is NOT included in the sale!) just so people can see what it looks like hooked up.

    Price:
    SOLD
    Trades considered for XDKs!

    Feedback Thread: http://assemblergames.com/l/threads/deep3r.35321/


    Thanks for looking!
     
    Last edited: Jan 5, 2016
    jakeeeenator and Stipo360 like this.
  2. Digmac

    Digmac Removed for Not Reuploading Juiced Fast Enough

    Joined:
    Aug 19, 2013
    Messages:
    750
    Likes Received:
    512
  3. skyway1985

    skyway1985 Enthusiastic Member

    Joined:
    Jan 23, 2014
    Messages:
    543
    Likes Received:
    130
    This could make buku money starting an XDK conversion service...... GLWS! Also curious about the document...
     
    Last edited: Nov 12, 2015
  4. Bad_Ad84

    Bad_Ad84 The Tick

    Joined:
    May 26, 2011
    Messages:
    8,566
    Likes Received:
    1,309
    What is the leaked document?
     
    skyway1985 likes this.
  5. deep3r

    deep3r Fiery Member

    Joined:
    Feb 6, 2011
    Messages:
    855
    Likes Received:
    301
    Updated the thread with the dated photo!

    I will hunt it down today and post it here when I find that document people! Unless a moderator informs me not to before :)

    EDIT: Found a thread with some useful info, it's not the full document, but still informative. He states you require a lamprey board to perform the task. I think I have the full document at home somewhere so when I'm next there, I will upload here! Link added to OP

    http://digiex.net/downloads/downloa...s/7966-detailed-xbox-360-efuses-document.html

    The efuse document
    MADE BY xXXBOXxHACKERXx Kinect Dashboard Leaker
    DO NOT COPY AS YOUR OWN WORK!
    some info from http://free60.org/Fusesets
    SCROLL DOWN FOR INFO!

    DEVKIT FUSES:

    FUSESET 00:C0FFFFFFFFFFFFFF
    FUSESET 01:0F0F0F0F0F0FF00F
    FUSESET 02:0000000000000000
    FUSESET 03:XXXXXXXXXXXXXXXX
    FUSESET 04:XXXXXXXXXXXXXXXX
    FUSESET 05:YYYYYYYYYYYYYYYY
    FUSESET 06:YYYYYYYYYYYYYYYY
    FUSESET 07:0000000000000000
    FUSESET 08:0000000000000000
    FUSESET 09:0000000000000000
    FUSESET 10:0000000000000000
    FUSESET 11:0000000000000000

    RETAIL FUSES:

    FUSESET 00:C0FFFFFFFFFFFFFF
    FUSESET 01:0F0F0F0F0F0F0FF0
    FUSESET 02:0F00000000000000
    FUSESET 03:XXXXXXXXXXXXXXXX
    FUSESET 04:XXXXXXXXXXXXXXXX
    FUSESET 05:YYYYYYYYYYYYYYYY
    FUSESET 06:YYYYYYYYYYYYYYYY
    FUSESET 07:0000000000000000
    FUSESET 08:0000000000000000
    FUSESET 09:0000000000000000
    FUSESET 10:0000000000000000
    FUSESET 11:0000000000000000

    RETAIL BINARY FUSES:

    Fuseset 00: 1100011111111111111
    Fuseset 01: 0101010101010110
    Fuseset 02: 0100000000000000
    Fuseset 03: 1001111110110000000101110100000000010101011101000101000000000000
    Fuseset 04: 1001111110110000000101110100000000010101011101000101000000000000
    Fuseset 05: 1101010101101001101110101101011010010101100011011011000000000000
    Fuseset 06: 1101010101101001101110101101011010010101100011011011000000000000
    Fuseset 07: 1111000000000000
    Fuseset 08: 0000000000000000
    Fuseset 09: 0000000000000000
    Fuseset 10: 0000000000000000
    Fuseset 11: 0000000000000000

    ACTUAL RETAIL DUMP FOR BINARY:

    fuseset 00: C0FFFFFFFFFFFFFF
    fuseset 01: 0F0F0F0F0F0F0FF0
    fuseset 02: 0F00000000000000
    fuseset 03: 9FB0174015744DAF
    fuseset 04: 9FB0174015744DAF
    fuseset 05: D569BAD6958DAE9D
    fuseset 06: D569BAD6958DAE9D
    fuseset 07: FFFF000000000000
    fuseset 08: 0000000000000000
    fuseset 09: 0000000000000000
    fuseset 10: 0000000000000000
    fuseset 11: 0000000000000000

    INFO:

    FUSES 10-11 = 0A-0B
    x+Y= CPU KEY


    The dev kit fuseSet 2 is different. In another document by Microsoft to make retail a dev it says:

    6) Reset the console type from Retail to Dev (Agile doc H03710)
    RETAIL 00000002
    DEVELOPMENT 00000001

    DEV:
    Fuseset 01:0F0F0F0F0F0FF00F
    RETAIL:
    Fuseset 01:0F0F0F0F0F0F0FF0

    DEV BINARY:
    Fuseset 01: 0101010101011001
    RETAIL BINARY:
    Fuseset 01: 0101010101010110

    so this means that it reverses 4 fuses in the process and retail is 2 so if retail is 0110
    and dev is 1001 this means you convert 2 together to 1-2 apart to get f00f


    The size of the Retail version is: 16.5 MB (17,301,504 bytes)
    The size of the Devkit version is: 66.0 MB (69,206,016 bytes)


    The Xbox 360's Xenon CPU has 768 bits of eFUSE, a technology invented by IBM, and implemented
    in some of its processors. eFUSEs are hardware fuses on the CPU, and can be "blown" to a binary
    value (1 being blown, and 0 being un-blown). In the Xbox 360, there are 768 fuses, that make up
    the fusesets. Though each fuseset can be blown individually, they are blown in groups of 8 to
    make a hexadecimal value for the CPU key, and fuseline 00, instead of a binary value, which is
    what XeLL will actually display. Technically, there are only 192 viewable fuses.


    Fusesets 00 and 01
    These are burned at the factory, after the console is manufactured. They show whether
    the console is a devkit or not. They also disable CPU JTAG after the console's flash is programmed.

    Fuseset 02
    This is the lockdown counter for the 2BL/CB (The 2nd Bootloader, stored in NAND Flash)
    One of these is burned every time the console updates its bootloader (Which isn't very often)
    this is the reason that there is no way to recover a JTAG that has been updated to 2.0.8***.0,
    even if you have the CPU key, (2BL is encrypted with the CPU/1BL key, but is signed with
    Microsoft's private key so you can't change the lockdown counter in the NAND. The bootloader
    will fail signature checks, and panic)

    Fusesets 03-06
    These make up the CPU key. These start out as all zeros, and are burned presumably at random when
    the console boots for the first time. They are used to encrypt the keyvault, and the bootloader
    sections. The CPU key is unique to each console, and is sometimes referred to as the "per-box key"
    To find the CPU key, add fusesets 03, and 05, OR 04 and 06. For example, this console's CPU key
    would be "XXXXXXXXXXXXXXXXYYYYYYYYYYYYYYYY."

    Fusesets 07-11
    These make up the console's "Lockdown Counter." They are blown after each dashboard update starting
    with the update from 4532/4548 to 4598. They prevent a previous version of the dashboard from being
    run on an updated console. There are enough eFUSEs in this section for Microsoft to update the
    console roughly 80 times. The lockdown counter of this console is at FFFF00000..., this means that
    it has received 4 dashboard updates since 2.0.4548.0 ran on it. Microsoft originally intended to
    only blow an eFUSE when a system update patched a critical vulnerability (Like the HV vulnerability
    in 4532 and 4548) but has now decided to blow an eFUSE with every update since the update to 4598.
    In the NAND's 6BL(CF) section, there is another lockdown counter that should match the one of the
    eFUSEs. If it doesn't match, the console will panic on boot, and will show a RRoD. Now, here's the
    good part! If we know the CPU key of the console, we can decrypt the 6BL, and change the lockdown
    counter in the NAND to match the one on the console, and therefore run an older dashboard. Since
    the 6BL isn't signed with Microsoft's private key, we can edit it as we please, so long as we have
    our CPU key.

    EDIT 2: Found
     
    Last edited: Nov 13, 2015
  6. XeDK

    XeDK -___-

    Joined:
    Jun 20, 2013
    Messages:
    358
    Likes Received:
    229
    Don't you need the other part to convert retail 360 kits and to do like the main things with it?
     
  7. deep3r

    deep3r Fiery Member

    Joined:
    Feb 6, 2011
    Messages:
    855
    Likes Received:
    301
    They are just add on boards, for other stuff, I had the other board on the top which is a prototype argon board but I sold it. The lamprey board is the main board.

    EDIT: As you can see I tried editing the other post but it messed up but anyway! Found the full document and posted link to OP.

    @Bad_Ad84
     
    Last edited: Nov 13, 2015
  8. Bad_Ad84

    Bad_Ad84 The Tick

    Joined:
    May 26, 2011
    Messages:
    8,566
    Likes Received:
    1,309
    That actually looks pretty straightforward.

    Hope someone with the money and soldering skills gets it and posts some feedback. While I have the skills, I lack the money ;-)

    I would assume you need the USB part to reprogram the nand though, as serial would take forever....

    But as long as it can change the fuses, you could flash nand another way
     
  9. TriMesh

    TriMesh Site Supporter 2013-2017

    Joined:
    Jul 3, 2008
    Messages:
    2,324
    Likes Received:
    750
    The thing is that it can't change fuses - it can only program them, and once they are programmed there is no way of setting them back to '0' - and a retail console has fuses blown in it that have to be set to 0 for an XDK. The only way to reset them is to swap the CPU for a new one that doesn't have those fuses blown. That procedure is based on new boards from production that have never been configured, and hence don't have any of the fuses blown - so you can program them any way you like. This also means that the CPU key is all zeros, so you can use exactly the same binary on all the boards to set them up.

    Basically, you don't just need that board - you also need a supply of completely unprogrammed mainboards.
     
    XboxSurgeon and Stipo360 like this.
  10. Bad_Ad84

    Bad_Ad84 The Tick

    Joined:
    May 26, 2011
    Messages:
    8,566
    Likes Received:
    1,309
    Yes of course, I forgot that you can't change the fuses once blown (so you might be able to change a 0 to a 1 but not a 1 to a 0, or vice versa, whichever way it works). So you are never going to be able to set it to DEV.
     
  11. TriMesh

    TriMesh Site Supporter 2013-2017

    Joined:
    Jul 3, 2008
    Messages:
    2,324
    Likes Received:
    750
    You can set them from 0 to 1, but not the other way around. The flags are in the last 2 bits of fuseset 1 - programmed to "10" on a retail board and "01" on an XDK. Programming them to "11" results in a RRoD.
     
  12. doulomb

    doulomb Robust Member

    Joined:
    Apr 25, 2013
    Messages:
    237
    Likes Received:
    57
    Not only that but it's possible to burn fuses (i.e. write a 0 to a 1) from software. There's just a certain address you write to and then it takes care of it. This is how those really shitty brick xex's worked. So the lamprey can't do anything special it seems. That's a bit unfortunate, I always thought it was going to be cooler.

    I did look through the document though and it very clearly indicates that you can go from retail to dev.

    It's a shame we will probably never see the mysterious Agile doc H03710. Now I'm not so sure about it anymore.

    Also there was an old thread about this topic:
    http://assemblergames.com/l/threads/lamprey-board.36893/

    -doulomb
     
    Last edited: Nov 20, 2015
    Syclopse likes this.
  13. XboxSurgeon

    XboxSurgeon Site Supporter Since 2013

    Joined:
    Nov 18, 2013
    Messages:
    2,109
    Likes Received:
    923
    So.....what's your asking price?
     
  14. deep3r

    deep3r Fiery Member

    Joined:
    Feb 6, 2011
    Messages:
    855
    Likes Received:
    301
    For some reason, it's gone into the ether somehow :/

    $1000 mate, I'll update it later!
     
  15. TriMesh

    TriMesh Site Supporter 2013-2017

    Joined:
    Jul 3, 2008
    Messages:
    2,324
    Likes Received:
    750
    No, it doesn't - read it again. It's not telling you how to convert a retail board into an XDK, it's telling you how to convert a retail BOM into an XDK one. A BOM is a "bill of materials" - a list of all the parts that go into a unit, and that doc describes how you change it to build an XDK from it instead. I assume that "Agile doc" that's mentioned tells you how to change the console type on the MTE system so that when you run the consoles through test they get configured as XDKs and not retails.

    The other reason that I'm quite sure you can't unprogram an e-fuse is simple - the technology was specifically designed to make it impossible to do so. The actual mechanism is what's known as electromigration - and once the fuse is blown it's impossible to reverse because it's open circuit and you can't get it to carry any more current. If you are interested in the gory technical details, here is an IBM research paper describing their e-fuse technology (which is the one used in the 360 Xenon CPU).

    http://paris.utdallas.edu/ssiri08/Tonti_SSIRI_eFuse_V2.pdf

    Incidentally, if you could unblow those fuses you could also run any bootloader or dash you wanted, since it's the same mechanism that's used to prevent downgrading.
     
    Stipo360 likes this.
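
The one-way fuse behaviour discussed in this thread, as an added example that is not part of any post or of the quoted document. It uses the fuseset 01 values and the retail dump lines quoted earlier in the thread; the function names are hypothetical, and the type check is simplified to a whole-word compare of fuseset 01.

```python
# Added example: one-way (OR-only) eFuse model using values quoted in this thread.
RETAIL_FS01 = 0x0F0F0F0F0F0F0FF0  # fuseset 01 on retail, per the quoted eFuse document
DEVKIT_FS01 = 0x0F0F0F0F0F0FF00F  # fuseset 01 on a devkit, per the same document
BLANK = 0x0                       # never-configured CPU, as TriMesh describes

# Lines copied from the thread's "ACTUAL RETAIL DUMP"; key fusesets 03-06 left out.
SAMPLE_DUMP = """
fuseset 01: 0F0F0F0F0F0F0FF0
fuseset 02: 0F00000000000000
fuseset 07: FFFF000000000000
fuseset 08: 0000000000000000
fuseset 09: 0000000000000000
fuseset 10: 0000000000000000
fuseset 11: 0000000000000000
"""

def parse_dump(text):
    """Parse 'fuseset NN: HEX' lines into {index: 64-bit int}."""
    fuses = {}
    for line in text.splitlines():
        head, sep, value = line.strip().partition(":")
        if sep and head.lower().startswith("fuseset"):
            fuses[int(head.split()[1])] = int(value.strip(), 16)
    return fuses

def can_program(current, target):
    """A blown fuse stays 1, so target must keep every bit already set."""
    return (current & ~target) == 0

def console_type(fs01):
    """Classify fuseset 01; anything else (e.g. both flags blown) is invalid."""
    return {RETAIL_FS01: "retail", DEVKIT_FS01: "devkit"}.get(fs01, "invalid")

def lockdown_count(fuses):
    """Count blown nibbles in fusesets 07-11 (5 x 16 = 80 possible updates)."""
    return sum(f"{fuses[i]:016X}".count("F") for i in range(7, 12))

def boot_allowed(image_counter, fuses):
    """Anti-rollback: the image's counter must equal the fuse counter."""
    return image_counter == lockdown_count(fuses)

if __name__ == "__main__":
    fuses = parse_dump(SAMPLE_DUMP)
    print(console_type(fuses[1]), lockdown_count(fuses))
    print("blank -> devkit:", can_program(BLANK, DEVKIT_FS01))
    print("retail -> devkit:", can_program(fuses[1], DEVKIT_FS01))
    print("both flags blown:", console_type(RETAIL_FS01 | DEVKIT_FS01))
```

The same monotonic property that makes the retail-to-devkit transition unreachable is what makes the lockdown counter usable as a downgrade check.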
  16. storm132

    storm132 Site Supporter 2016

    Joined:
    Jul 11, 2014
    Messages:
    137
    Likes Received:
    56
    Do you have any information for the add-on board? I'm curious as to what it does that a standard Lamprey can't?
     
  17. deep3r

    deep3r Fiery Member

    Joined:
    Feb 6, 2011
    Messages:
    855
    Likes Received:
    301
  18. deep3r

    deep3r Fiery Member

    Joined:
    Feb 6, 2011
    Messages:
    855
    Likes Received:
    301
  19. Syclopse

    Syclopse .

    Joined:
    Dec 17, 2013
    Messages:
    1,508
    Likes Received:
    537
    Is the price $10.00? Did you forget a decimal point?
     
    XboxSurgeon likes this.
  20. deep3r

    deep3r Fiery Member

    Joined:
    Feb 6, 2011
    Messages:
    855
    Likes Received:
    301