my research and reverse engineering notes/utilities relating to the Xbox 360 (Mirrored from https://github.com/InvoxiPlayGames/x360-research)

devkit xex freeboot shellcode

Changed files
+24 -4
homebrew/xebuild/freeboot-like_patches.md
··· 1 1 **Emma's Xbox 360 Research Notes - Homebrew - xeBuild** 2 2 3 - Updated 15th March 2025. 3 + Updated 20th March 2025. 4 4 5 5 Incomplete stub page. 6 6 ··· 166 166 167 167 `0x29B08` = shellcode 168 168 169 - TODO. Looks to be to allow devkit XEXs to decrypt, if the XEX signature check 170 - fails it will attempt to decrypt it with the devkit XEX2 AES key stored at 0xF0 171 - by one of the patches above. 169 + ``` 170 + xex_load_patch: 171 + cmpldi cr6, r28, 0 ; r28 = address of XEX image key 172 + beq cr6, finish_load_patch ; skip past XeCryptAesKey call entirely if NULL 173 + cmpwi cr6, r3, 0 ; compare result of XeCryptSigVerify 174 + bne cr6, retail_key_path ; if it's TRUE use the retail key path 175 + li r4, 0xf0 ; if it's FALSE set r4 to address of the devkit key 176 + b do_key_decrypt ; jump to the decryption 177 + nop ; nop over some of the original code 178 + retail_key_path: 179 + cmplwi cr6, r29, 0 ; check if one of the XEX flags is set 180 + addi r4, r31, 0x440 ; set r4 to the offset of the XEX1 key 181 + bne cr6, do_key_decrypt ; if the flag isn't set, do the decrypt with XEX1 key 182 + li r4, 0x54 ; use the retail XEX2 key 183 + do_key_decrypt: 184 + mr r3, r28 185 + bl 0x200f8 ; XeCryptAesKey 186 + finish_load_patch: 187 + li r31, 0 188 + ``` 189 + 190 + If the XEX signature check fails it will attempt to decrypt it with the devkit 191 + XEX2 AES key stored at 0xF0. 172 192 173 193 ### HvxImageTransformImageKey protected flag check patch 174 194
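Review bot: The comment on `bne cr6, do_key_decrypt` under `retail_key_path` says "if the flag isn't set, do the decrypt with XEX1 key", but after `cmplwi cr6, r29, 0` a `bne` is taken when r29 is non-zero, i.e. when the flag is set; either that comment or the description of r29 is inverted, so please state which r29 value selects the XEX1 key at `r31 + 0x440` and which falls through to `li r4, 0x54` (retail XEX2 key). The rewritten prose after the block also drops the removed line's note that the devkit XEX2 key is stored at 0xF0 "by one of the patches above"; keep that cross-reference, since 0xF0 only holds a key once that earlier patch has been applied. It would also be worth stating explicitly that with this shellcode the XeCryptSigVerify result only chooses between key paths and no longer causes the load to fail, and giving `mr r3, r28` a comment (it passes the image key address as the first argument to XeCryptAesKey) in the same style as the other lines.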