So after a few posts here and there about the Xbox Live accounts I "recovered" and shared for your pleasure and research, I've decided to create a dedicated topic for this part. This might also help the research for an open-source Xbox Live, for I have discovered some things that might already be known but might surprise others. I've shared 2 accounts and the first bytes of a working MU for your research if you didn't have any. http://codeasm.com/xbox/files/Accounts/

I've made a basic tutorial to add a Live account to a MU here: http://assemblergames.com/l/threads/phantasy-star-online-xbox-gamertag.49737/#post-725868 Not everyone appears to find it easy to use, so I really hope hex editing and just trying won't scare you.

How and why does it work like this

First some basics: an Xbox connects to Live servers and authenticates the Xbox with a "Machine account". This account is stored on the hard drive and is encrypted/hashed using a unique per-Xbox key. (I have some doc telling more details, will add soon.) Then when the servers find this account to be valid and not banned, a user Live account is either sent or one can recover a Live account from the servers (or create one). If the Xbox is missing a machine account or has an incorrect one, the Xbox can't connect to the Xbox Live server. This is the case with most Xboxes where the hard drive is formatted using unofficial tools, or with Xqemu, where no drive or a formatted drive is used.

Xbox Live accounts are also stored on the hard drive and are encrypted/hashed using the same basic principle as machine accounts, but can be transferred to a Memory Unit (MU). When stored on the MU, it can of course not be encrypted using a unique machine-specific code, because another Xbox cannot decrypt it using its own keys (these unique keys are never shared or transferred). Thus MS has used a general key that all Xboxes know and use to decrypt and validate the Live accounts on a MU. When stored on the HDD, it's encrypted using the Xbox unique key. (It's actually not 1 key, it's a combination of things like the hard drive serial number, lock key and Online key (stored on EEPROM).)*

MS did actually tell in their internal documents that they expect "us" to find the key used to encrypt the Live account on a MU. Thus they expected Live accounts to be stolen, lent or even created out of thin air to be stored on a hard drive after alteration on a PC. Here comes the chain of trust: MS only allows Live accounts from an Xbox that logged in using a verified Machine account. Machine accounts are created on first logon to the internet. It's created by sending a connect request, and a genealogy database is queried with the serial number and more?* When the database has records of this combination and no machine account has been made, one is created with a keypair. The key for the Xbox is sent over and the other part is stored on the Live server side.* When an Xbox with no machine account or an invalid one connects, it's returned with an error. Users are allowed to send the Xbox to MS for repair (of course that's no longer the case). They will have performed a sort of refurbishment by checking the Xbox for problems and running a refurbishment program (which installs a new serial number, updates the dashboard), and then they normally would have sent it back... assuming that "hackers" and "modders" won't send their precious boxes to MS to be "fixed". Yes, MS actually knew and thought about this.

So far I've figured this much (some people might know more):

Code:
0x00-05  unknown   SHA/3DES ?
0x06     unknown
0x09     TAB - Horizontal Tabulation?
0x1C     flag      0x01/0x00 pincode
0x20-23  pincode   [01 left trigger, 02 right trigger, (03 A, 04 B), 05 X, 06 Y]
0x24-2B  Domain    xbox.com Domain
0x38-43  K Realm   PASSPORT.NET Kerberos Realm
0x50-5F  unknown   SHA/3DES ?*
0x60-63  unknown   Same as on HDD and XMU (Angul)
0x64-6B  unknown   SHA/3DES ?*

Where SHA/3DES doesn't really mean it's the hash code, I just don't know its exact location, but the Live account IS verified by the Xbox. When the user account is stored on the hard drive, the first 6 and the last two bigger bits of unknown code change (by the key used and hashing) (the 0x60-63 stays the same for some reason).

Xqemu

Xqemu so far doesn't allow me to add a Live account, maybe because by default the Xbox uses the EEPROM from Bunnie (we can change this, in source) and the hard drive I use has no machine account (yet; I have machine account and EEPROM pairs to try soon for myself). To connect a USB MU, there are simple instructions to connect real USB hardware. To connect an image of a USB stick use the following:

Code:
-drive if=none,id=stick,file=harddisk/mu.raw -device usb-storage,bus=usb-bus.0,port=3.3,drive=stick

Probably the USB part after you made the hub, and the name "stick" could be anything; please note its definition earlier in the line of code. This has been tested on Linux. There has been added some basic network support and I've captured 4 packets of an early DHCP request. I want to create a reply server of some sorts and start some basic authentication. Others seem to have great success already on this part.

What's next?
- I'll see if I can dump an EEPROM and machine account pair for public use, unless others like to share something like that themselves.
- Some kind of Xbox Live simulated OS or program to allow some basic Live account menus to function (maybe to simulate account recovery, credit card changing, pincode removal (could be handy)).
- Find the magic keys for the MU, so we can change a Live account name. Hints I got: 3DES with a fixed key that every Xbox knows. I assume only after a machine account has been created or connected to Xbox Live at least once (because my Xqemu, machine-accountless Xbox does not detect an embedded Xbox account on the MU, but the used space does have a value).
- Rewrite the tutorial a bit and place it here in this thread.

I would have never started this research or topic if I hadn't known assemblergames; thanks to a lot of people here we can have nice things, so consider, if you read this, donating some money to the Assemblergames website, support some fundraisers for awesome prototype games, and I hope you enjoy. So this first post might be edited a lot in time; I try not to do so in replies so much.

*might be slightly incorrect, will verify.
Do you happen to have Xbox Live profiles as stored on the hard drive? You say in your post the fields have changed; do you have a copy of a profile as stored on your HD, and a copy of your HD key from the EEPROM? Also, I'm pretty sure this is the layout of the profiles, but the key and signature seem to be encrypted somehow.

Code:
xuid [
    userId[8]
    userFlags[4]
]
name[16]
userOptions[1]  (0x01 == pin)
pin[4]
domain[20]
realm[24]
key[16]
signatureTime[4]
signature[8]
That would help a lot I think. Thanks, where did you find this, or did you figure it out yourself? (Would be a shame if I overlooked it many times in the 4400, barnabase Dash source tree.) I could check how many Xboxes I have with an original Xbox Live account on them. Should not be important, so I could just take a box, put an account on it and dump that region with the corresponding HDD key. (Any account on the HDD is encrypted, including the HDD key thingy.) I don't know the IV or key used, but on the memory card, once we have these, modding/renaming can start. On the hard drive it's encrypted with machine-specific info. I could take a look and see if I want to share all keys and Live parts of an Xbox I have (that can actually store a Live account. Bunnie Huang shared his EEPROM, but I can't store a Live account on a hard drive in an Xqemu image). Yes, I probably overlooked it, your info checks out so it seems:

Code:
typedef struct {
    XUID xuid;
    CHAR name[XONLINE_NAME_SIZE];
    CHAR kingdom[XONLINE_KINGDOM_SIZE];
    DWORD dwUserOptions;
    BYTE pin[XONLINE_PIN_LENGTH];
    //
    // The following 5 fields are marked as reserved in the public structure
    // The combined size should add up to XONLINE_USER_RESERVED_SIZE
    //
    CHAR domain[XONLINE_USERDOMAIN_SIZE];
    CHAR realm[XONLINE_REALM_NAME_SIZE];
    BYTE key[XONLINE_KEY_LENGTH];
    DWORD dwSignatureTime;
    BYTE signature[XONLINE_USER_SIGNATURE_LENGTH];
    HRESULT hr;
    DWORD index;
} XONLINEP_USER, *PXONLINEP_USER;

There are more interesting things there (and I just see them now?!?) like _XOnlineGetUserFromMU (also FromHD). Don't have that, but could we partially reconstruct using dumped beta EEPROMs?
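As an added example (written for this thread; not code from the posts above and not Microsoft SDK code), here is a Python parser for the profile layout given in the reply and matched against the offset table in the first post. It assumes little-endian fields, the byte widths from the reply's layout, and a 4-byte dwUserOptions as in the XONLINEP_USER struct, so that the pin lands at 0x20, domain at 0x24, realm at 0x38, key at 0x50, signatureTime at 0x60 and signature at 0x64, which is exactly the first post's table. The two sample records are constructed, not real accounts; the HDD copy differs from the MU copy only in the regions the first post reports as changing, so the field-by-field comparison shows how one would confirm that observation on real dumps.

```python
import struct
from collections import namedtuple

# Field order and widths from the reply's layout; userOptions widened to a
# 4-byte DWORD (as in XONLINEP_USER) so offsets match the first post's table.
FIELDS = [
    ("user_id", "8s"), ("user_flags", "4s"), ("name", "16s"),
    ("user_options", "I"), ("pin", "4s"), ("domain", "20s"),
    ("realm", "24s"), ("key", "16s"), ("signature_time", "I"),
    ("signature", "8s"),
]
USER_FMT = "<" + "".join(fmt for _, fmt in FIELDS)   # little-endian assumed
USER_SIZE = struct.calcsize(USER_FMT)                 # 108 bytes == 0x6C

PIN_FLAG = 0x01   # reply: userOptions 0x01 == pin set
# Button codes for pin entries, as listed in the first post's table
PIN_BUTTONS = {1: "LT", 2: "RT", 3: "A", 4: "B", 5: "X", 6: "Y"}

XOnlineUser = namedtuple("XOnlineUser", [name for name, _ in FIELDS])


def field_offsets():
    """Byte offset of each field; compare against the offset table in the post."""
    offsets, pos = {}, 0
    for name, fmt in FIELDS:
        offsets[name] = pos
        pos += struct.calcsize(fmt)
    return offsets


def _cstr(raw):
    """Decode a NUL-padded ASCII field."""
    return raw.split(b"\x00", 1)[0].decode("ascii", errors="replace")


def parse_user(blob):
    """Parse one 0x6C-byte profile record into an XOnlineUser."""
    if len(blob) < USER_SIZE:
        raise ValueError(f"need {USER_SIZE} bytes, got {len(blob)}")
    f = list(struct.unpack_from(USER_FMT, blob, 0))
    for idx in (2, 5, 6):            # name, domain, realm are C strings
        f[idx] = _cstr(f[idx])
    return XOnlineUser(*f)


def has_pin(user):
    return bool(user.user_options & PIN_FLAG)


def pin_buttons(user):
    """Pin as button names; unknown codes are shown as ?xx."""
    if not has_pin(user):
        return []
    return [PIN_BUTTONS.get(b, f"?{b:02x}") for b in user.pin]


def changed_fields(a, b):
    """Names of fields that differ between two parsed records."""
    return [n for n in XOnlineUser._fields if getattr(a, n) != getattr(b, n)]


def pack_user(user_id, user_flags, name, options, pin, domain, realm,
              key, sig_time, signature):
    """Build a record; short string/byte fields are NUL-padded by struct."""
    return struct.pack(USER_FMT, user_id, user_flags, name.encode("ascii"),
                       options, bytes(pin), domain.encode("ascii"),
                       realm.encode("ascii"), key, sig_time, bytes(signature))


# Constructed sample data (not real accounts): a MU copy and a HDD copy of the
# same profile. Only the leading id bytes, key and signature differ, mirroring
# what the first post reports; signatureTime is kept identical.
MU_SAMPLE = pack_user(
    user_id=bytes.fromhex("0102030405060708"), user_flags=b"\x00" * 4,
    name="CodeasmTest", options=PIN_FLAG, pin=[1, 2, 5, 6],
    domain="xbox.com", realm="PASSPORT.NET", key=bytes(range(0x10)),
    sig_time=0x5A5A5A5A, signature=bytes(range(8)))
HDD_SAMPLE = pack_user(
    user_id=bytes.fromhex("A1A2A3A4A5A60708"), user_flags=b"\x00" * 4,
    name="CodeasmTest", options=PIN_FLAG, pin=[1, 2, 5, 6],
    domain="xbox.com", realm="PASSPORT.NET", key=bytes(range(0x10, 0x20)),
    sig_time=0x5A5A5A5A, signature=bytes(range(8, 16)))

if __name__ == "__main__":
    for name, off in field_offsets().items():
        print(f"0x{off:02X}  {name}")
    mu = parse_user(MU_SAMPLE)
    print(mu.name, mu.domain, mu.realm, pin_buttons(mu))
    print("differs on HDD:", changed_fields(mu, parse_user(HDD_SAMPLE)))
```

Run it against a 0x6C-byte slice cut from a MU dump at the profile's start and the printed offsets double as a checklist against the table in the first post; on a real pair of dumps the comparison tells you which fields the HDD-side encryption touched without needing the keys.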