Xbox live (accounts, xqemu and MU)

Discussion in 'Xbox (Original console)' started by CodeAsm, Mar 7, 2016.

  1. CodeAsm

    DASH 5960 might have issues with this method. Please comment your findings with real hardware.

    So after a few posts here and there about the Xbox Live accounts I "recovered" and shared for your pleasure and research, I've decided to create a dedicated topic for this part.
    This might also help the research for an open-source Xbox Live, for I have discovered some things that might already be known but might surprise others.

    I've shared 2 accounts and the first bytes of a working MU for your research if you didn't have any.
    http://codeasm.com/xbox/files/Accounts/
    I've made a basic tutorial to add a live account to a MU here:
    http://assemblergames.com/l/threads/phantasy-star-online-xbox-gamertag.49737/#post-725868 Not everyone appears to find it easy to use, so I really hope hex editing and just trying won't scare you.

    How and why does it work like this
    First some basics: an Xbox connects to the Live servers and authenticates the Xbox with a "Machine account". This account is stored on the hard drive and is encrypted/hashed using a unique per-Xbox key. (I have some docs telling more details, will add soon.)
    Then, when the servers find this account to be valid and not banned, a user Live account is either sent, or one can recover a Live account from the servers (or create one).

    If the Xbox is missing a machine account or has an incorrect one, the Xbox can't connect to the Xbox Live server. This is the case with most Xboxes where the hard drive is formatted using unofficial tools, or with Xqemu, where no drive or a formatted drive is used.
    Xbox Live accounts are also stored on the hard drive and are encrypted/hashed using the same basic principle as machine accounts, but can be transferred to a Memory Unit (MU).

    When stored on the MU, it can of course not be encrypted using a unique machine-specific code, because another Xbox cannot decrypt it using its own keys (these unique keys are never shared or transferred). Thus MS has used a general key that all Xboxes know and use to decrypt and validate the Live accounts on a MU. When stored on the HDD, it's encrypted using the Xbox unique key. (It's actually not 1 key, it's a combination of things like the hard drive serial number, lock key and online key (stored on EEPROM).)*

    MS did actually tell in their internal documents that they expect "us" to find the key used to encrypt the Live account on a MU. Thus they expected Live accounts to be stolen, lent or even created out of thin air to be stored on a hard drive after alteration on a PC.
    Here comes the chain of trust: MS only allows Live accounts from an Xbox that logged in using a verified machine account.

    Machine accounts are created on first logon to the internet. It's created by sending a connect request, and a genealogy database is queried with the serial number and more?* When the database has records of this combination and no machine account had been made, one is created with a keypair. The key for the Xbox is sent over and the other part is stored on the Live server side.*

    When an Xbox with no machine account or an invalid one connects, it's returned with an error. Users are allowed to send the Xbox to MS for repair (of course that's no longer the case).
    They will have performed a sort of refurbishment by checking the Xbox for problems and running a refurbishment program (which installs a new serial number, updates the dashboard) and then they normally would have sent it back... assuming that "hackers" and "modders" won't send their precious boxes to MS to be "fixed" ;) Yes, MS actually knew and thought about this.

    So far I've figured out this much (some people might know more).
    Code:
    0x00-05  unknown                SHA/3DES ?
    0x06     unknown  0x09          TAB - Horizontal Tabulation?
    0x1C     flag     0x01/0x00     pincode
    0x20-23  pincode                [01 left trigger, 02 right trigger, (03 A, 04 B), 05 X, 06 Y, ]
    0x24-2B  Domain   xbox.com      Domain
    0x38-43  K Realm  PASSPORT.NET  Kerberos Realm
    0x50-5F  unknown                SHA/3DES ?*
    0x60-63  unknown                Same as on HDD and XMU (Angul)
    0x64-6B  unknown                SHA/3DES ?*
    Where SHA/3DES doesn't really mean it's the hash code, I just don't know its exact location, but the live account IS verified by the Xbox.

    When the user account is stored on the hard drive, the first 6 and the last two bigger bits of unknown code change (by the key used and hashing) (the 0x60-63 stays the same for some reason).

    Xqemu
    Xqemu so far doesn't allow me to add a live account, maybe because by default the Xbox uses the EEPROM from Bunnie (we can change this, in source).
    And the hard drive I use has no machine account (yet; I have machine account and EEPROM pairs to try soon for myself).
    To connect a USB MU, there are simple instructions to connect real USB hardware. To connect an image of a USB stick use the following:
    Code:
    -drive if=none,id=stick,file=harddisk/mu.raw -device usb-storage,bus=usb-bus.0,port=3.3,drive=stick 
    Probably the USB part after you made the hub, and the name "stick" could be anything; please note its definition earlier in the line. This has been tested on Linux.

    Some basic network support has been added and I've captured 4 packets of an early DHCP request. I want to create a reply server of some sort and start some basic authentication. Others seem to have great success already on this part.

    TUTORIAL to write or read a live account to MU
    First of all, you can transfer 1 account per MU. Getting a USB stick to work on the Xbox is the easiest as well. PLEASE, try the HxD editing method first, it's faster. Also, don't just try editing the name, it won't work*
    With https://mh-nexus.de/en/hxd/ you can even skip the Xplorer step.
    Also, for making a backup, this is easy.
    Make sure you use a MU or USB stick that is formatted by the Xbox. We won't try doing it ourselves, the Xbox might not accept it and just format it anyway. Great test to check compatibility anyway. SO FORMAT IN XBOX FIRST.

    WARNING: If your Xbox is new, softmodded, hard drive replaced... you might not be able to transfer the live account, for your system lacks the necessary "machine account", and these are no longer made, for the Live servers are gone*

    Windows, with Xplorer
    1. Connect a MU with an account to your PC (DON'T FORMAT IN PC PLEASE)
    2. Open Xplorer and find your MU (you can transfer whatever you want, but you CAN'T find the live account)
    3. Make a full MU backup to file (Drive>Backup Image...)
    4. Open HxD or your favorite editor,
    5. Open your just-made backup
      Go to step 4 of "Windows, direct edit..."
    Windows, direct edit with HxD (or any hex editor with raw disk editing)
    1. Connect a MU with an account to your PC (DON'T FORMAT IN PC PLEASE)
    2. Open HxD or any hex editor that can open USB storage devices and can edit them (unless only getting the data is required) (TIP2: open as administrator)
    3. Please use HxD, press the disk icon (next to the chip) named "open disk". You can leave the read-only on if you only want to get the account; writing one requires the dangerous "editing" mode... be safe, stay off any hard drives.. smartass.
    4. If you have done everything right so far, you should see your live account, or at least the MU name you gave it, or MS did by formatting. IF THE FIRST WORD is NOT FATX, GET OFF THAT DEVICE. It's not formatted or it's your Windows drive.
      [image: "Xbox Memory" by CodeAsm, posted Aug 26, 2015]
    5. Select the bytes 50(hex) to and including BB(hex) (a total of 6C(hex), or 108 bytes)
      (decimal 80-187)
      [image: xboxmu.png]
      This is your live account. Or you OVERWRITE a live account of 108 bytes into here.
      Here you can view the selected account; regardless of the contents, it should contain your account. OR you "overwrite" the bytes there with the ones you want to have.
    6. Save, hope it works :D If you saved to a just-made backup (if you followed this with Xplorer), go to step 7, else... save and done :D
    7. Right, so you saved back to your backup (can take a while if a large MU is used)
    8. Xplorer, go to (Drive>Restore Image...) and again, this can take a while...

      You should now have either a backup of your live account "encrypted" with the general encryption key, ready for writing to a MU. Or it's on your MU and your Xbox should see it.... BUT

      A big issue I found: if your Xbox has NEVER EVER been on Xbox Live and/or had its hard drive replaced and contents replaced with something like Slayer's disk... LONG STORY SHORT
      your Xbox does NOT have a machine account, it won't decrypt the MU, you won't see any live accounts. Maybe you can fix that by a devkit menu and generating some fake accounts, but then why would you need this tutorial.
    *Your system is hacked, modded or Xqemu and has NO machine account? You're out of luck today, but this is also a reason we need an open-source Xbox Live or smart people finding out how the Xbox Live system works. Please, if you DO have a working Xbox with live accounts, make an EEPROM backup and FULL hdd backup (or at least the full config sectors... no idea? full hdd, it's just 8gb).
    Now you should have a working combo of EEPROM and machine account (maybe record the hdd lock key as well).

    Linux
    I am a Linux user myself, but for this small bit I still prefer a hex editor (graphical or CLI) over dd. I did try to find a way with dd but it doesn't work if the underlying system can't access byte for byte (like the default is 512 bytes for a reason ;) )
    but if you want to try, PLEASE check yourself,... I could not entirely make it work on some images I got.
    get live account (seems to be broken)
    Code:
    # dd takes skip/seek in decimal: the account starts at 0x50 = 80, so skip=80 (not 50)
    dd if=~/xqemu/harddisk/mutest.raw bs=1 count=108 skip=80 of=liveaccount.xbla
    
    Write live account (can't work on devices with read/write larger than a byte?)
    Code:
    # conv=notrunc keeps the rest of the image; without it dd truncates the output file after the written bytes
    dd if=angul.xbla bs=1 count=108 seek=80 of=~/xqemu/harddisk/mutest.raw conv=notrunc
    

    Just try HxD or something, it works under Wine as well. Just dd the drive's first few sectors and edit that image, later write back the image ;)

    What's next?

      • I'll see if I can dump an EEPROM and machine account pair for public use, unless others like to share something like that themselves. (Do we have the EEPROM from the godfather XDK kit? Does it contain a machine account?)
      • Some kind of Xbox Live simulated OS or program to allow some basic live account menus to function. (Maybe to simulate account recovery, credit card changing, pincode removal (could be handy), generate machine accounts?)
      • Find the magic keys for the MU, so we can change a Live account name. Hints I got: 3DES with a fixed key that every Xbox knows. I assume only after a machine account has been created or connected to Xbox Live at least once (because my Xqemu, machine-account-less Xbox does not detect an embedded Xbox account on the MU, but the used space does have a value.)
    Updates:
    24-7-2016: Added my newest tutorial. No spellcheck yet, sorry. Hope it works. Thinking about a Linux one.

    14-11-2016: Using xqemu it appears 5960 might have trouble reading your Xbox Live account. Please report if you are using dash 5960 and either have success or trouble getting your live account from MU on Xbox hdd.

    Word of thanks
    I would have never started this research or topic if I hadn't known assemblergames; thanks to a lot of people here we can have nice things, so consider, if you read this, donating some money to the Assemblergames website, supporting some fundraisers for awesome prototype games, and I hope you enjoy.
     
    Last edited: Nov 14, 2016
  2. TerdFerguson

    Very interesting. I really hope eventually you guys get this working. It will be a good day indeed
     
  3. ToXZiN 1

    Any headway with this?
     
  4. CodeAsm

    Nope, didn't have time. But also shared it in the hope someone had new clues.
     
  5. Darksecond

    Do you happen to have Xbox Live profiles as stored on the hard drive? You say in your post the fields have changed; do you have a copy of a profile as stored on your HD, and a copy of your HD key from the EEPROM?

    Also, I'm pretty sure this is the layout of the profiles, but the key and signature seem to be encrypted somehow.

    Code:
    xuid [
           userId[8]
           userFlags[4]
         ]
    name[16]
    userOptions[1] (0x01 == pin)
    pin[4]
    domain[20]
    realm[24]
    key[16]
    signatureTime[4]
    signature[8]
     
    Last edited: Jun 15, 2016
  6. CodeAsm

    That would help a lot I think. Thanks, where did you find this, or did you figure it out yourself? (Would be a shame if I overlooked it many times in the 4400, barnabase Dash source tree.)
    I could check how many Xboxes I have with an original Xbox Live account on them. Should not be important, so I could just take a box, put an account on it and dump that region with the corresponding hdd key. (Any account on the hdd is encrypted, including the hdd key thingy.)
    I don't know the IV or key used, but on the memory card, once we have these, modding/renaming can start. On the hard drive it's encrypted with machine-specific info.. I could take a look and see if I want to share all keys and live parts of an Xbox I have (that can actually store a live account. Bunnie Huang shared his EEPROM, but I can't store a live account on a hard drive in an xqemu image).

    Yes, I probably overlooked it, your info checks out so it seems:
    Code:
    typedef struct {
        XUID xuid;
        CHAR name[XONLINE_NAME_SIZE];
        CHAR kingdom[XONLINE_KINGDOM_SIZE];
        DWORD dwUserOptions;
        BYTE pin[XONLINE_PIN_LENGTH];
    
        //
        // The following 5 fields are marked as reserved in the public structure
        // The combined size should add up to XONLINE_USER_RESERVED_SIZE
        //
        CHAR domain[XONLINE_USERDOMAIN_SIZE];
        CHAR realm[XONLINE_REALM_NAME_SIZE];
        BYTE key[XONLINE_KEY_LENGTH];
        DWORD dwSignatureTime;
        BYTE signature[XONLINE_USER_SIGNATURE_LENGTH];
     
        HRESULT hr;
        DWORD index;
    
    } XONLINEP_USER, *PXONLINEP_USER;
    There are more interesting things there (and I just see them now?!?) like _XOnlineGetUserFromMU (also FromHD).

    Don't have that, but could we partially reconstruct using dumped beta EEPROMs?
     
    Last edited: Jun 17, 2016
  7. CodeAsm

    In dashboard 5960, and maybe some below, there might be some additional checking or CRC checksums added to not allow us to add a live account with this method. I'm trying to figure out what they did.

    EDIT:
    An empty MU now contains this (FATX0 ...), which leads me to believe the Xbox has changed some of its MU formatting, corrupting my example MU!
    Code:
    46 41 54 58 30 D1 12 BD 04 00 00 00 01 00 00 00 00 00
    Now my MU contains this. Slightly different, and note, a no-name MU gets the Live account's name by default (never noticed this).
    Code:
    46 41 54 58 30 D1 12 BD 04 00 00 00 01 00 00 00 41 00 70 00 69 00 65 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF F8 95 24 49 92 E4 2E 2E 2E 2E 2E 2E 41 6E 67 75 6C 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 78 62 6F 78 2E 63 6F 6D 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 50 41 53 53 50 4F 52 54 2E 4E 45 54 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 2E 51 FB 71 D8 70 2E F1 57 B5 B7 43 45 94 F5 6C 62 2E FF D4 2E D3 24 63 C7 53 E1 96 CC FF FF FF FF FF FF FF FF
    Or... it's only my account Angul that's affected.. Do all accounts require a certain entry or config? Did I dump it incorrectly and 5960 is more strict? I'll try to find out more.

    Both 46 41 54 58 (FATX)
    compared to dash 4627, just after FATX, 4627 writes:
    20 93 73 03
    and 5960 writes
    30 D1 12 BD
    both followed by 04 00 00 00 01 00 00 00 00 00

    Could be a version string... and they upconvert the contents?
     
    Last edited: Nov 14, 2016
  8. KaosEngineer

    The beginning of codeasm's MU dump:
    Code:
    46 41 54 58 20 1D 8D 09 04 00 00 00 01 00 00 00 | FATX ...........
    41 00 73 00 73 00 65 00 6D 00 62 00 6C 00 65 00 | A.s.s.e.m.b.l.e.
    72 00 47 00 61 00 6D 00 65 00 73 00 2E 00 63 00 | r.G.a.m.e.s...c.
    6F 00 6D 00 20 00 43 00 6F 00 64 00 65 00 41 00 | o.m. .C.o.d.e.A.
    73 00 6D 00 00 00 AF 00 19 42 07 00 00 00 20 00 | s.m......B.... .
    F8 95 24 49 92 E4 09 00 00 00 00 00 41 6E 67 75   X  (0x50-0xBB)
    6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 78 62 6F 78 2E 63 6F 6D 00 00 00 00       B
    00 00 00 00 00 00 00 00 50 41 53 53 50 4F 52 54
    2E 4E 45 54 00 00 00 00 00 00 00 00 00 00 00 00           L
    51 FB 71 D8 70 08 F1 57 B5 B7 43 45 94 F5 6C 62
    08 FF D4 02 D3 24 63 C7 53 E1 96 CC FF FF FF FF               A
    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF
    
    Volume header data value descriptions (offset 0x00-0x4F):
    Code:
    #define FAT_VOLUME_SIGNATURE   'XTAF'
    
    ULONG Signature = FAT_VOLUME_SIGNATURE;
    //  saved little endian Signature reads "FATX" on memory unit
    
    ULONG SerialNumber;
    // volume serial number; not sure when this may get changed as version
    // 4267 dashboard had one value and 5960 dash another for codeasm
    // my flash drive has a volume SerialNumber of 0x00000000.
    
    ULONG SectorsPerCluster;
    // 0x00000004 = sectors per cluster (4 * 512-byte sectors = 2048 bytes)
    
    ULONG RootDirFirstCluster;
    // 0x00000001 = root directory first cluster ?? (duh!)
    
    WCHAR VolumeName[FAT_VOLUME_NAME_LENGTH];
    // FAT_VOLUME_NAME_LENGTH = 32
    /* 2 bytes per character so "AssemblerGames.com CodeAsm" is saved as:
     *    41 00 73 00 73 00 65 00 6d 00 62 00 6c 00 65 00 | A.s.s.e.m.b.l.e.
     *    72 00 47 00 61 00 6d 00 65 00 73 00 2e 00 63 00 | r.G.a.m.e.s...c.
     *    6F 00 6D 00 20 00 43 00 6F 00 64 00 65 00 41 00 | o.m. .C.o.d.e.A.
     *    73 00 6D 00 00 00 AF 00 19 42 07 00 00 00 20 00 | s.m......B.... .
     *    (Total of 64 bytes used to store the MU VolumeName)
     *    End of string 0x0000 (5th and 6th bytes on last line) remainder
     *    of any previous content left unchanged. (AF 00 19 42 07...??)
     */
    UCHAR OnlineData[FAT_ONLINE_DATA_LENGTH];
    // FAT_ONLINE_DATA_LENGTH = 2048 ?? 1 cluster
    
    // Unused space in the block is filled with 0xFF bytes.
    
    I've had no problem copying an Xbox Live account (XBLA) from an older dashboard to the latest 5960 by using a MU to transfer the account data. I've not tried to inject data directly from one Xbox HDD into another. The console had an XBLA already so it had a machine account. Transferred a couple of other XBLAs via MU copy so it now has 4 accounts. There can be a maximum of 8 on a console and only 1 on a MU.

    First portion of 64MB memory unit without an Xbox Live Account:
    Code:
    46 41 54 58 00 00 00 00 08 00 00 00 01 00 00 00 |FATX............
    00 00 FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................
    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................
    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................
    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................
    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................ <-XBL account info start but 0xFF's as none
    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................
    
    SerialNumber = 0x00000000, 8 sectors per cluster and cluster 0x00000001 holds the root directory on my USB flash drive. The empty volume name is terminated with 0x0000 (WCHAR NULL) at the start of the second line of hex values.

    Directory listing started at offset 0x2000 (not cluster 1 = 2048th byte or even the 4,096th byte, but at the 8,192nd byte):
    Code:
    E5 10 4E 65 77 20 46 6F 6C 64 65 72 FF FF FF FF |..New Folder....
    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................
    FF FF FF FF FF FF FF FF FF FF FF FF E0 01 00 00 |................
    00 00 00 00 4E 8C 52 22 4E 8C 52 22 4E 8C 52 22 |....N.R"N.R"N.R"
    08 10 32 31 35 38 35 35 35 34 FF FF FF FF FF FF |..21585554......
    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................
    FF FF FF FF FF FF FF FF FF FF FF FF EA 01 00 00 |................
    00 00 00 00 B1 8C 52 22 B1 8C 52 22 B1 8C 52 22 |......R"..R"..R"
    08 10 34 35 34 31 30 30 30 64 FF FF FF FF FF FF |..4541000d......
    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................
    FF FF FF FF FF FF FF FF FF FF FF FF 00 03 00 00 |................
    00 00 00 00 EB 8C 52 22 EB 8C 52 22 EB 8C 52 22 |......R"..R"..R"
    08 10 34 64 35 33 30 30 31 37 FF FF FF FF FF FF |..4d530017......
    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................
    FF FF FF FF FF FF FF FF FF FF FF FF 09 03 00 00 |................
    00 00 00 00 F6 8C 52 22 F6 8C 52 22 F6 8C 52 22 |......R"..R"..R"
    08 10 35 35 35 33 30 30 30 63 FF FF FF FF FF FF |..5553000c......
    FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF FF |................
    FF FF FF FF FF FF FF FF FF FF FF FF 12 03 00 00 |................
    00 00 00 00 03 8D 52 22 03 8D 52 22 03 8D 52 22 |......R"..R"..R"
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 |................
    
    Sure would make things simpler if the copy/paste from Hex Edit v4.0 did the char equivalent part too at the end of each line. Adding that data manually is a pain.

    Each directory entry is 64 bytes in length. The first byte is the filename length or a flag value indicating one of three things: 0xE5 - directory entry deleted (as seen above for "New Folder"), 0x00 - unused entry, or 0xFF - unused entry. Next byte, offset 0x01: file attributes ?? directory or file ??. At offset 0x02, the filename -- FATX max of 42 characters (bytes). Offset 0x2C: unsigned long first cluster ?? not quite sure how to use this value, it doesn't seem to represent what I thought it did. Offset 0x30: unsigned long value contains the file size, followed by three (3) 4-byte long timestamp entries: creation time, last write time (modified time) and last access time.

    Xplorer360 Backups of MU without and with XBLA (codeasm's naming) data (64MB each):
    XboxBackup NO XBLA.bin
    XboxBackup with Angul.XBLA Injected.bin

    I need to use an original 8MB MU instead of the 64MB USB flash drive so the backups are not so large!
     
    Last edited: Sep 16, 2017
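The MU layout pieced together across this thread (the offset table in the first post, Darksecond's field list, and KaosEngineer's volume header notes) as one runnable parser and injector, written for this edit and not taken from the thread or from any Xbox tool. It assumes the options field is a 4-byte DWORD (which is what makes "xbox.com" land at +0x24 in the dumps), and the sample image it builds is constructed, not a real account.

```python
"""Parse, extract and re-inject the 108-byte Xbox Live account record that an
original Xbox keeps at 0x50..0xBB of a FATX memory unit image, using the
offsets worked out in this thread.  Added example, not code from the thread
or from any Xbox tool; the sample image it builds is constructed."""
import struct

FATX_SIG = b"FATX"
VOLNAME_OFF, VOLNAME_LEN = 0x10, 64      # 32 WCHARs, UTF-16LE, NUL terminated
ACCOUNT_OFF, ACCOUNT_LEN = 0x50, 108     # 0x50..0xBB inclusive = 0x6C bytes
BOOT_BLOCK_LEN = 0x1000                  # FAT starts at 4 KB (xbox-linux.org)

# xuid(8) flags(4) name(16) options(4) pin(4) domain(20) realm(24) key(16)
# signatureTime(4) signature(8) = 108 bytes.  Assumption: options is a 4-byte
# DWORD (as in the XONLINEP_USER struct), which puts domain at +0x24 and realm
# at +0x38, exactly where the thread's dumps show "xbox.com"/"PASSPORT.NET".
ACCOUNT = struct.Struct("<QI16sI4s20s24s16sI8s")
assert ACCOUNT.size == ACCOUNT_LEN

# Pin code button values as listed in the first post's offset table.
PIN_BUTTONS = {1: "LT", 2: "RT", 3: "A", 4: "B", 5: "X", 6: "Y"}


def _cstr(raw: bytes) -> str:
    """NUL-terminated ASCII field -> str."""
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")


def _wstr(raw: bytes) -> str:
    """UTF-16LE field terminated by a 0x0000 WCHAR; leftover junk after the
    terminator (the AF 00 19 42 ... bytes in the dump) is ignored."""
    end = len(raw)
    for i in range(0, len(raw) - 1, 2):
        if raw[i:i + 2] == b"\x00\x00":
            end = i
            break
    return raw[:end].decode("utf-16-le", "replace")


def parse_volume_header(img: bytes) -> dict:
    """Decode the boot block fields discussed in the thread (0x00-0x4F).
    Refuses anything not starting with "FATX", the thread's own sanity check."""
    if len(img) < ACCOUNT_OFF + ACCOUNT_LEN or img[:4] != FATX_SIG:
        raise ValueError("not a FATX volume image")
    serial, spc, dword_0c = struct.unpack_from("<III", img, 4)
    return {
        "serial": serial,
        "sectors_per_cluster": spc,
        "cluster_bytes": spc * 512,
        # 0x0C is "root dir first cluster" in one source and a 2-byte "number
        # of FAT copies" in another; it reads 1 either way, so keep it raw.
        "dword_0c": dword_0c,
        "volume_name": _wstr(img[VOLNAME_OFF:VOLNAME_OFF + VOLNAME_LEN]),
    }


def parse_account(rec: bytes) -> dict:
    """Split one 108-byte account record into its fields."""
    if len(rec) != ACCOUNT_LEN:
        raise ValueError(f"account record must be {ACCOUNT_LEN} bytes")
    xuid, flags, name, opts, pin, dom, realm, key, sig_t, sig = ACCOUNT.unpack(rec)
    pin_on = bool(opts & 0x01)           # flag 0x01 at +0x1C: pin code set
    return {
        "xuid": xuid, "flags": flags, "name": _cstr(name),
        "pin_enabled": pin_on,
        "pin": [PIN_BUTTONS.get(b, f"?{b:02X}") for b in pin if b] if pin_on else [],
        "domain": _cstr(dom), "realm": _cstr(realm),
        "key": key.hex(), "signature_time": sig_t, "signature": sig.hex(),
    }


def extract_account(img: bytes) -> bytes:
    """The dd/HxD step: bytes 0x50..0xBB, but only from a FATX image that
    actually holds an account (unused MU space is 0xFF-filled)."""
    parse_volume_header(img)
    rec = img[ACCOUNT_OFF:ACCOUNT_OFF + ACCOUNT_LEN]
    if rec == b"\xff" * ACCOUNT_LEN:
        raise ValueError("no Xbox Live account stored on this MU")
    return rec


def inject_account(img: bytes, rec: bytes) -> bytes:
    """Copy of img with rec written over 0x50..0xBB; header and rest untouched."""
    parse_volume_header(img)
    if len(rec) != ACCOUNT_LEN:
        raise ValueError(f"account record must be {ACCOUNT_LEN} bytes")
    return img[:ACCOUNT_OFF] + rec + img[ACCOUNT_OFF + ACCOUNT_LEN:]


def build_sample_image(volume_name: str = "Sample MU") -> bytes:
    """Constructed 4 KB boot block laid out like the thread's dumps (4 sectors
    per cluster, dword 0x0C = 1, 0xFF filler).  Key/signature are made up."""
    hdr = FATX_SIG + struct.pack("<III", 0, 4, 1)
    name = volume_name.encode("utf-16-le").ljust(VOLNAME_LEN, b"\x00")
    account = ACCOUNT.pack(0x1234, 0, b"Sample", 1, bytes([1, 2, 5, 6]),
                           b"xbox.com", b"PASSPORT.NET",
                           bytes(range(16)), 0x5A0B3C4D, b"\x00" * 8)
    return (hdr + name + account).ljust(BOOT_BLOCK_LEN, b"\xff")


def build_blank_image(sectors_per_cluster: int = 8) -> bytes:
    """Constructed MU with no account, like the 'no XBLA' dump in the thread."""
    hdr = FATX_SIG + struct.pack("<III", 0, sectors_per_cluster, 1) + b"\x00\x00"
    return hdr.ljust(BOOT_BLOCK_LEN, b"\xff")
```

On a real backup, `parse_account(extract_account(open("mu.bin", "rb").read()))` prints the same fields the HxD steps above locate by hand, and `inject_account` refuses images whose first word is not FATX.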
  9. KaosEngineer

    Seems the info I've found conflicts with that shown from archived data from xbox-linux.org.

    Offset / Size / Description
    0 / 4 / "FATX" string (ASCII)
    4 / 4 / Volume ID (int)
    8 / 4 / Cluster size in (512 byte) sectors
    12 / 2 / Number of FAT copies
    14 / 4 / Unknown (always 0?) -> 14 / 2 / Unknown (padding for ULONG alignment)
    18 / 4078 / Unused -> (16 / 4080 / Volume Label and XBOnline Account + unkwn)

    Offset 12 2 bytes with number of FAT copies and not the firstCluster of the root directory.

    ULONG RootDirFirstCluster; // offset 12 - 4 bytes
    // 0x00000001 = root directory first cluster ?? (as this didn't seem to work out!)

    vs xbox-linux.org's variables (but the Unknown only has 2 bytes left before we see the Volume Label at offset 20).

    USHORT NumFATCopies; // offset 12 - 2 bytes
    // 0x0001 = number of FAT copies (this makes more sense)

    ULONG Unknown_xxx; // offset 14 - 4 bytes
    // 0x00000000 always
    should be
    USHORT Unknown_xxx; // offset 14 - 2 bytes
    // 0x0000 always

    And a bit more about the 4078 or 4080 unknown bytes containing the Volume Label of 32 WCHAR elements (64 bytes) and XBOnline account (108 bytes) on a memory unit/hard drive: 2048 bytes are allocated but just the first 108 have actual data; the rest is padding/filler of 0xFF.

    UCHAR OnlineData[FAT_ONLINE_DATA_LENGTH];
    // FAT_ONLINE_DATA_LENGTH = 2048 ?? 1 cluster
    // and the rest of the
    // Unused space in the block or is it cluster is filled with 0xFF bytes.

    And, another statement from xbox-linux.org's differences between FAT and FATX article (https://web.archive.org/web/2010061.../Differences_between_Xbox_FATX_and_MS-DOS_FAT):
    but not so on MU, mine is set to 8 sectors/cluster and codeasm's was 4 sectors/cluster.

    The (single) File Allocation Table always starts at position 4 KB of the filesystem. FAT size in bytes = ((partition size in bytes / cluster size) * cluster map entry size) rounded
    up to the nearest 4096 byte boundary.

    So, 4KB for the boot block/superblock (in Linux jargon) and 4KB (on MU) for the 1 copy of the FAT. Makes the start of the ROOT dirent at the 8,192nd byte, exactly where I found it.

    The Xbox 360 uses FATX too but has a few differences offset 12 of the boot block is again listed at http://free60.org/wiki/FATX as being the first cluster of the root directory. Argh!!! :(
     
    Last edited: Sep 13, 2017
  10. KaosEngineer

    Evoxdash's backup command dumps the disk config area (first 1024 sectors [512KB] of the HDD) to a file called disk.bin saved along with the EEPROM backup - eeprom.bin, BIOS backup - bios.bin, hddinfo.txt and hddkey.bin files.

    From evoxdash's backup of the Xbox's HDD config area in disk.bin, the first Xbox Live Account (XBLA) data set is found at disk byte offset 0x1800 [sector #12 sector count starting with 0 being the first sector on the HDD at offset 0x0000 (or should this be sector 1 at offset 0x0000 making the first XBLA stored at sector #13)]:
    Code:
    0x1800: 68 25 13 79 01 00 00 00 01 00 00 00 F8 95 24 49 | h%.y..........$I
    0x1810: 92 E4 09 00 00 00 00 00 41 6E 67 75 6C 00 00 00 | ........Angul...
    0x1820: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    0x1830: 78 62 6F 78 2E 63 6F 6D 00 00 00 00 00 00 00 00 | xbox.com........
    0x1840: 00 00 00 00 50 41 53 53 50 4F 52 54 2E 4E 45 54 | ....PASSPORT.NET
    0x1850: 00 00 00 00 00 00 00 00 00 00 00 00 53 E4 40 59 | ............S@.Y
    0x1860: 72 AF CE 28 AE 75 AE 3B 7C 9B 8D 4A 08 FF D4 02 | r..(.u.;|..J....
    0x1870: D8 DD FE 97 C2 57 99 15 00 00 00 00 00 00 00 00 | .....w..........
    0x1880: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    repeats 22 more lines of 16 bytes of 0x00
    0x19F0: 00 00 00 00 00 00 00 00 54 73 7F 83 00 00 55 AA | ........Ts....U.
    
    I need to verify the following two (2) HDDKey data values. Something seems to be amiss.

    EEPROM HDDKey (Encrypted) (EEPROM.BIN offset 0x0C-0x1B):
    Code:
    0x0 000C:                                     61 F8 77 C3 |             a.w.
    0x0 0010: B7 FB AD F4 A2 95 D3 12 9F B3 2B CB             | ..........+.
    
    HDDKey possibly decrypted value ?? from Evox Backup file hddkey.bin:
    Code:
    0x0 0000: DC E8 66 1D CD 84 3F 91 E0 B4 C1 76 68 F6 24 ED | ..f...?....vh.$.
    0x0 0010: 0C BE D0 7C 00 00 00 00 00 00 00 00 00 00 00 00 | ...|............
    
    Not sure why hddkey.bin contains 32 bytes (well first 20 non-zero bytes + 12 0x00's) as the hddkey value is 16-bytes long. Update: This file's content is not what I think of as the HDDKey in the EEPROM, but the value is the HDD Unlock password. The decrypted HDDKey from the EEPROM is:
    Code:
    D7 75 3B FC 89 F6 9E 22 CF 15 BA 95 68 6D B5 AA
    Verified!

    Note: The lower case c and e in the font used to show the hex value (need to use UPPERCASE instead) from Configmagic v1.6 Final are so hard to clearly make out on my SD TV. :( I'll try Rocky5's updated ConfigMagic v1.6.1. He's fixed a few bugs in the original 1.6-Final and uses a different font, still lowercase though. :( HEX values should be printed in all UPPERCASE for readability.

    The second XBLA copied from a MU to the HDD is saved in the next sector starting at byte offset 0x1A00 of the HDD. And, I'm guessing that the next six (6) sectors will contain the other six (6) XBLA's as the Xbox can have eight (8) stored to the HDD. (A MU can only store/hold one (1) Xbox Live Account.)

    HDD Starting Offset - XBLA # - Ending offset (sector # decimal)
    -----
    0x1800 - XBLA 1 - 0x19FF (12)
    -----
    0x1A00 - XBLA 2 - 0x1BFF (13)
    -----
    0x1C00 - XBLA 3 - 0x1DFF (14)
    -----
    0x1E00 - XBLA 4 - 0x1FFF (15)
    -----
    0x2000 - XBLA 5 - 0x21FF (16)
    -----
    0x2200 - XBLA 6 - 0x23FF (17)
    -----
    0x2400 - XBLA 7 - 0x25FF (18)
    -----
    0x2600 - XBLA 8 - 0x27FF (19)
    -----
    XBLA is codeasm's nomenclature/extension for an Xbox Live Account dataset/filename. The data set is 108 bytes in length. There are no homebrew tools to add these directly to the Xbox HDD's config area or to a memory unit/thumb drive (MU). The data must be injected with actual valid Xbox Live account data copied to a MU using xboxdash, MU backup saved with Xplorer360 and a hex editor to extract the data set (108 bytes in length starting at offset 0x50 and ending at offset 0xBB). Injection of an Xbox Live account to the HDD follows the opposite order: hex editor injection (paste), Xplorer360 restore updated (injected XBLA) image to MU, and xboxdash to copy from MU to HDD.

    Possible Xbox Live Machine Account (sector starting at byte offset 0x1600):
    Code:
    0x1600: 68 25 13 79 01 00 00 00 01 00 00 00 01 00 00 00 | h%.y............
    0x1610: 05 3D 0A EE B4 48 BC E6 01 00 00 00 25 AA 8C 2E | .=...H......%...
    0x1620: F9 62 53 F8 00 00 00 00 00 00 00 00 00 00 00 00 | .bS.............
    0x1630: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    repeated 27 more times, lines with 16 0x00's
    0x17F0: 00 00 00 00 00 00 00 00 B8 47 F1 E0 00 00 55 AA | .........G....U.
    
    The two sectors prior to this one are full of 0x00's from 0x1200-0x15FF. No checksum or ending 0x55AA just 0x00's.

    The sector at 0x1000 may be the actual machine account for Xbox Live. It contains 2 sections with data other than lines of 16 bytes of 0x00's:
    Code:
    0x0 1000: 68 25 13 79 01 00 00 00 01 00 00 00 22 CA 60 1A | h%.y........".`.
    0x0 1010: C9 1C E6 BC 6F 0C A5 97 DA EB A4 10 5C 12 2C E0 | ....o.......\.,.
    
    0x0 1020: C0 A8 64 0A FF FF FF 00 C0 A8 64 01 00 00 00 00 | ..d.......d.....
    192.168.100.10, 255.255.255.0, 192.168.100.1, 0.0.0.0
IP Address ??, Subnet Mask ??, Gateway IP ??, ?? DNS ?? not at address shown
    from xbox-linux.org article linked below.
    
    0x0 1030: 00 00 00 00 38 8A 42 DC 3B E3 0B FC E9 79 6E 60 | ....8.B.;....yn`
    0.0.0.0, ???
    
    0x0 1040: CB BA 14 87 F8 32 57 F6 32 56 42 58 0C 00 00 00 | .....2W.2VBX....
    offset 0x104c 2 bytes 0x000C xbox live settings ?? DHCP, Static, PPPOE ??
    offset 0x104e listed as MAC address in xbox-linux article, 6 bytes but all 0x00's
    
    0x0 1050: 00 00 00 00 C0 A8 64 0A FF FF FF 00 C0 A8 64 01 | ......d.......d.
    last 4 MAC address, Xbox Live IP address, subnet mask, default gateway
remaining 4 bytes of MAC address ??, 192.168.100.10, 255.255.255.0, 192.168.100.1
    
    0x0 1060: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    Xbox live primary DNS (4 bytes), secondary DNS (4 bytes), Xbox Live Hostname (40 bytes = 8 here + 32 more next 2 lines of 0x00's)
    
    0x0 1070: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    0x0 1080: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    End of Xbox Live Hostname at 0x01080F
    
    0x0 1090: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    0x0 10A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    0x0 10B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    0x0 10C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    Xbox Live PPPOE Username (64 bytes) from 0x1090-0x10CF
    
    0x0 10D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    0x0 10E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    0x0 10F0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    0x0 1100: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    Xbox Live PPPOE Password (64 bytes) from 0x10D0-0x110F
    
Hmm, 40 bytes of padding: the next 2 1/2 lines of 0x00's
    0x0 1110: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    0x0 1120: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    0x0 1130: 00 00 00 00 00 00 00 00                         | ........
    
    40 bytes Xbox Live PPPOE Service Name
    0x0 1138:                         00 00 00 00 00 00 00 00 |         ........
    0x0 1140: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    0x0 1150: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    
    0x0 1160: 80 23 C1 A8 69 13 D3 01 32 4F 01 00 C0 A8 01 81 | .#..i...2O......
    ?? first 12 bytes then last 4 bytes are My Xbox's IP Address: 192.168.1.129
    
    0x0 1170: FF FF FF 00  C0 A8 01 01  C0 A8 01 01  00 00 00 00 | ................
    Subnet Mask, Gateway IP address, DNS Server 1, DNS Server 2 (none set)
    255.255.255.0, 192.168.1.1, 192.168.1.1, 0.0.0.0
    
    I'd rather Netgear routers pass the real DNS servers onto the devices via DHCP
    instead of proxying DNS at its gateway address. (I could just set them manually.)
    
    0x0 1180: 00 00 00 00 00 00 00 00 C0 A8 01 01 00 00 00 00 | ................
    more IP addresses ??
    
    0x0 1190: 00 00 00 00 00 00 00 00 84 1B 5E 74 CE 9B 02 0C | ..........^t....
    0x0 11A0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    0x0 11B0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    0x0 11C0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    0x0 11D0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    0x0 11E0: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 | ................
    0x0 11F0: 00 00 00 00 50 43 42 58 E5 F6 9D 4C 00 00 55 AA | ....PCBX...L..U.
    
    Sector #3 Xbox uses to know that the HDD is formatted FATX
    (Source: https://web.archive.org/web/2010061...wiki/Xbox_Partitioning_and_Filesystem_Details)
    Some of the offsets listed on this page do not match those observed on my HDD. Especially the Xbox IP address offsets. (Different dashboard versions?) Ah, there should be PPPOE settings saved in the sector at offset 0x1000 too above but I'm not using PPPOE. I need to enable PPPOE and see if the user name, password, and service name are saved where indicated on the wiki page.
    Code:
    0x0 0600: 42 52 46 52 53 03 00 00 00 22 C2 FE 27 6E C1 01 | BRFRS...."..'n..
    
    (Offsets are from start of disk)

    Offset - Size in bytes - Description (Value)
    0x600 - 4 - "BRFR" (really 0x52465242 = "RFRB" little endian ??)
    0x604 - 4 - Number of boots (0x00000353 = 851 decimal)
    0x608 - 4 - Unknown (0xFEC22200 ??)
    0x60c - 4 - Unknown (0x01C16E27 ??)

Remainder of this sector is all 0x00's; no boot signature 0x55AA at the end, just 0x00's.

    Sector starting at offset 0x800 contains:
    Code:
    86 52 31 97 02 00 00 00 08 E0 AC 0F 01 00 00 00
    01 00 00 00 C0 FA AC 0F 02 00 00 00 01 00 00 00
    06 00 53 55 00 00 00 00 01 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 55 AA 00 00 00 00
    
    Boot signature 4 bytes before end of sector ??.

    The rest of the 512KB not noted above is full of 0x00's.

    More research required to figure out more!
     
    Last edited: Sep 16, 2017
    TerdFerguson likes this.
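To do the sector-by-sector walk described in the post above without reading hex by eye, here is an added Python example (mine, not code from this thread or from any Xbox tool) that surveys a 512 KB config-area image for non-zero sectors, reports which of them end with the 55 AA trailer, and decodes the BRFR boot-counter sector, including the little-endian reading that turns "BRFR" into 0x52465242. The sample image is constructed from the bytes quoted in the post; everything else in it is zero filler.

```python
import struct

SECTOR_SIZE = 512
CONFIG_AREA_SIZE = 1024 * SECTOR_SIZE  # 512 KB, the size of Evoxdash's disk.bin backup


def survey_config_area(image):
    """List (sector_no, byte_offset, trailer_55AA) for every sector that is not all zeros."""
    found = []
    for n in range(len(image) // SECTOR_SIZE):
        sec = image[n * SECTOR_SIZE:(n + 1) * SECTOR_SIZE]
        if any(sec):
            found.append((n, n * SECTOR_SIZE, bytes(sec[-2:]) == b"\x55\xAA"))
    return found


def parse_brfr(sector):
    """Decode the sector at 0x600: 'BRFR' tag, boot counter and two unknown dwords.
    On disk the tag bytes are 42 52 46 52 ('BRFR' read byte by byte); the same
    four bytes read as a little-endian dword are 0x52465242, the 'RFRB' of the post."""
    if bytes(sector[:4]) != b"BRFR":
        raise ValueError("no BRFR tag at start of sector")
    tag_le, boots, unk1, unk2 = struct.unpack_from("<4I", sector, 0)
    return {"tag_le": tag_le, "boot_count": boots, "unknown1": unk1, "unknown2": unk2}


def build_sample_image():
    """Constructed 512 KB image: all zeros except the bytes copied from the dumps above
    (BRFR line at 0x600, start of the 0x800 sector with its 55 AA four bytes before the
    sector end, and the 55 AA trailers of the 0x1000 and 0x1600 sectors)."""
    img = bytearray(CONFIG_AREA_SIZE)
    img[0x600:0x610] = bytes.fromhex("42 52 46 52 53 03 00 00 00 22 C2 FE 27 6E C1 01")
    img[0x800:0x810] = bytes.fromhex("86 52 31 97 02 00 00 00 08 E0 AC 0F 01 00 00 00")
    img[0x9FA:0x9FC] = b"\x55\xAA"                      # 0x800 sector: 55 AA at +0x1FA
    img[0x1000:0x100C] = bytes.fromhex("68 25 13 79 01 00 00 00 01 00 00 00")
    img[0x11F4:0x1200] = bytes.fromhex("50 43 42 58 E5 F6 9D 4C 00 00 55 AA")
    img[0x1600:0x160C] = bytes.fromhex("68 25 13 79 01 00 00 00 01 00 00 00")
    img[0x17F8:0x1800] = bytes.fromhex("B8 47 F1 E0 00 00 55 AA")
    return img


if __name__ == "__main__":
    image = build_sample_image()
    for n, off, ok in survey_config_area(image):
        print(f"sector #{n:<3} at 0x{off:05X}  ends with 55 AA: {ok}")
    info = parse_brfr(image[0x600:0x800])
    print(f"boot count {info['boot_count']}, tag as LE dword 0x{info['tag_le']:08X}")
```

Run it against a real disk.bin by replacing build_sample_image() with the file's bytes; the survey then lists exactly the sectors worth opening in a hex editor.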
  11. KaosEngineer

    KaosEngineer Robust Member

    Joined:
    Jun 7, 2016
    Messages:
    207
    Likes Received:
    91
    PPPOE settings saved in config area (all offsets from start of configuration area 0x0 0000)

PPPOE Username: offset 0x1090 (64 bytes; however, only 63 could be used, as the last byte is the 0x00 (NULL) string terminator.) Shorter strings end with a NULL terminator added after the last character of the username. Similarly for the password and service name values set on the Xbox dashboard's Settings -> Network Settings -> PPPOE Settings screen.

PPPOE Password: offset 0x10D0 (64 bytes; however, only 63 could be used, as the last byte is the 0x00 (NULL) string terminator.)

PPPOE Service name: offset 0x1138 (40 bytes; only 39 could be used, as the last is the 0x00 (NULL) string terminator.)

    Source: https://web.archive.org/web/2010061...wiki/Xbox_Partitioning_and_Filesystem_Details

    Offset Size Description
    0x104c 2 Xbox Live Settings ( 0x0000 when PPPOE was enabled, maybe? see below)
    0x104e 6 Xbox Live MAC Address
    0x1054 4 Xbox Live IP Address
    0x1058 4 Xbox Live Subnet Mask
    0x105c 4 Xbox Live Default Gateway
    0x1060 4 Xbox Live Primary DNS
    0x1064 4 Xbox Live Secondary DNS
    0x1068 40 Xbox Live Hostname
    0x1090 64 Xbox Live PPPOE Username
    0x10d0 64 Xbox Live PPPOE Password
    0x1110 40 Padding? <<<<-----Wrong offset address given in source: 0x1100 should be 0x1110.
    0x1138 40 Xbox Live PPPOE Service Name

Note: Maybe a value of 0x0000 at offset 0x104c (Xbox Live Settings) when PPPOE is enabled, because when I entered xboxdash again PPPOE was OFF but the values were still set for the Username, Password and Service name once PPPOE was turned back on. But, to save the disk configuration area I had to exit xboxdash using IGR, back to XBMC4Xbox (my default dashboard), then run RemoteX (Evolution-X dashboard) as an app. Executed Evoxdash's backup menu to save the config area to the file disk.bin. Then, FTP'd the file to my PC to take a look at the content.

    Will need to do more testing with Evox as my default dashboard instead of XBMC4Xbox. Also I did not set the Advanced Network Settings values:
• Wireless (enables MN-740 wireless access; if not connected, shows that "No Wireless Adapter" was detected.)
    • Hostname (0x1068) Enter the host or machine name if required by your ISP.
• Mac Address (this may be the MAC address stated at 0x104e; 0x000000000000 uses the console's MAC address saved in EEPROM instead of cloning the gateway's MAC address if required by your ISP.)

      Testing Hard Drive content starting at offset 0x0 1000 (sector #8 512 bytes):
      Code:
      68 25 13 79 01 00 00 00 01 00 00 00 EA D6 A2 8D
      CC 10 0D B8 10 AA 4A 52 F1 BC 8D 23 A3 7E 90 A0
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      00 00 00 00 62 97 D9 64 E2 B2 FC 4D 23 F2 57 E8
      EE 64 C3 3B 20 AD 53 C8 32 56 42 58 00 00 00 00
      00 00 00 00 C0 A8 01 81 FF FF FF 00 C0 A8 01 01
      C0 A8 01 01 00 00 00 00 00 00 00 00 00 00 00 00
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36
      37 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32
      33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38
      39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 00
      31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36
      37 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32
      33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38
      39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 00
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      00 00 00 00 00 00 00 00 31 32 33 34 35 36 37 38
      39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34
      35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 00
      00 00 00 00 00 00 00 00 21 4E 01 00 C0 A8 01 81
      FF FF FF 00 C0 A8 01 01 C0 A8 01 01 00 00 00 00
      00 00 00 00 00 00 00 00 C0 A8 01 01 00 00 00 00
      00 00 00 00 00 00 00 00 84 1B 5E 74 CE 9B 02 0C
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
      00 00 00 00 50 43 42 58 D9 F5 90 AE 00 00 55 AA
      
     
    Last edited: Sep 15, 2017
    Xbox Loyalists and TerdFerguson like this.
  12. KaosEngineer

    KaosEngineer Robust Member

    Joined:
    Jun 7, 2016
    Messages:
    207
    Likes Received:
    91
    Code:
    68 25 13 79 01 00 00 00 01 00 00 00 BC 04 75 2A
    12 39 29 13 FF 35 FB 04 33 2B 7A 81 AB 2C D4 AC
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 A6 65 63 C1 55 AB B2 A9 01 AA 59 6B
94 E3 7A FB E4 61 75 78 32 56 42 58 00 00 00 00 <- last 2 bytes are MAC Address first 2 bytes of 6 (00 00 instead of 00 50 that I set up!)
    F2 BA 2A FD C0 A8 01 81 FF FF FF 00 C0 A8 01 01 <-First 4 bytes are MAC Address last 4 bytes of 6 set in Advanced Network Settings
    C0 A8 01 01 00 00 00 00 31 32 33 34 35 36 37 38 <- 0x31 start of hostname 39 bytes + NULL terminator (0x1068-0x108F)
    39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34
    35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 00 <- 0x00 NULL terminator
    31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 <- PPPOE Username not cleared (0x1090-0x10CF)
    37 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32
    33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38
    39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 00 <- 0x00 end of PPPOE Username
    31 32 33 34 35 36 37 38 39 30 31 32 33 34 35 36 <-PPPOE Password not cleared (0x10D0-0x110F)
    37 38 39 30 31 32 33 34 35 36 37 38 39 30 31 32
    33 34 35 36 37 38 39 30 31 32 33 34 35 36 37 38
    39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 00 <- 0x00 end of PPPOE Password
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 <- 0x1110-0x1137 padding ?
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 31 32 33 34 35 36 37 38 <- 0x31 is start of PPPOE Service Name which is not cleared when PPPOE disabled [OFF] (0x1138-0x115F)
    39 30 31 32 33 34 35 36 37 38 39 30 31 32 33 34
    35 36 37 38 39 30 31 32 33 34 35 36 37 38 39 00 <- 0x00 end of PPPOE Service Name
    00 00 00 00 00 00 00 00 7E 51 01 00 C0 A8 01 81
    FF FF FF 00 C0 A8 01 01 C0 A8 01 01 00 00 00 00
    00 00 00 00 00 00 00 00 C0 A8 01 01 00 00 00 00
    00 00 00 00 00 00 00 00 84 1B 5E 74 CE 9B 02 0C
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    00 00 00 00 50 43 42 58 26 7D 68 17 00 00 55 AA
    
    Set the Advanced Network Settings Hostname (offset 0x1068) 39 useable bytes and 1 NULL string terminator character.

Set a different MAC address and it does show some bytes changed, but it seems like XBMC4Xbox or RemoteX used the EEPROM's MAC address and not the alternate set from xboxdash; the value saved after setting it to "0050f2ba2afd" (no formatting characters such as a '-' or ':' between the octets (bytes) of the 6 bytes entered in xboxdash), as found in disk.bin at offset 0x104e, is 00 00 f2 ba 2a fd. Somewhere, the second byte value of 0x50 was changed to 0x00!

    You'll also notice that the PPPOE settings values are still present even though PPPOE is OFF. So the 0x0000 Xbox Live Settings value must not mean PPPOE but automatic settings using Static. ??

    XBMC4Xbox's System -> System Info -> Network shows:
    • Type: Static
    • Link: 100mbps Full duplex
    • MAC address: 00:50:F2:BA:2A:FD
    • IP Address: 192.168.1.129
    • Subnet mask: 255.255.255.0
    • Gateway: 192.168.1.1
    • Primary DNS: 192.168.1.1
    • Secondary DNS: 0.0.0.0
    • Internet Connected
    Xboxdash Advanced Network Settings no longer shows a value for the MAC address override value. The entry box is blank.
     
    Last edited: Sep 15, 2017
    Xbox Loyalists and TerdFerguson like this.
  13. KaosEngineer

    KaosEngineer Robust Member

    Joined:
    Jun 7, 2016
    Messages:
    207
    Likes Received:
    91
    First XBLA data set on HDD stored in sector #12 starting at offset 0x1800:
    Not sure what the first 12 bytes are but the following portion of the Angul XBLA I'd injected is the same on MU or HDD just at different starting offsets.

    XBLA data starting offset relative to the beginning of the XBLA HDD sector is 0x0C or MU is 0x50. This offset contains the first byte and continues for 0xBB more bytes (a total of 0xBC - 108 decimal bytes).

    The first 80 bytes (0x50) of the XBLA data set are the same on HDD and MU:
    Code:
    0x0000: F8 95 24 49 92 E4 09 00 00 00 00 00 41 6E 67 75
    0x0010: 6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
    0x0020: 00 00 00 00 78 62 6F 78 2E 63 6F 6D 00 00 00 00
    0x0030: 00 00 00 00 00 00 00 00 50 41 53 53 50 4F 52 54
    0x0040: 2E 4E 45 54 00 00 00 00 00 00 00 00 00 00 00 00
    
    The values differ on MU and HDD in the remaining 28 bytes.

    MU content: (remember 0x0050 here is relative (added) to 0x50 the starting address of XBLA content on a MU)
    Code:
    0x0050: 51 FB 71 D8 70 08 F1 57 B5 B7 43 45 94 F5 6C 62
    0x0060: 08 FF D4 02 D3 24 63 C7 53 E1 96 CC
    
    My HDD content: (again remember, 0x0050 is relative (added) to the sector starting offset from the beginning of an XBLA # sector on the disk + 0x000C the starting address of XBLA content stored on the HDD.)
    Code:
    0x0050: 53 E4 40 59 72 AF CE 28 AE 75 AE 3B 7C 9B 8D 4A
    0x0060: 08 FF D4 02 D8 DD FE 97 C2 57 99 15
    
    There are 4 bytes, 0x60-0x63 that remain unchanged between MU and HDD. These represent DWORD dwSignatureTime.

The Signature Time was: ??? (Need to decode this time's value)

    The MU content from 0x50 - 0xBC is the XBLA data set (e.g., angul.xbla).

    An Xbox Live account is copied from the HDD to a MU (thumbdrive or Xbox MU).
This operation is performed by xboxdash in the Memory menu: for the Xbox Hard Disk, scroll down the game saves list to the last entry titled "Xbox Live Accounts". Move to the right (D-pad) to select the account to be copied to the MU, press A, then press A again to copy to the installed MU. Next, on the PC open Xplorer360 and select Drive -> Open -> Hard Drive or Memcard..., then select Drive -> Backup Image... and enter the filename to save the backup to (a default is given but can be changed to help remember what this .bin file contains). Open the backup file you just saved in a hex editor of your choosing. Copy the data from 0x50 to 0xBB. Open a new empty file in the hex editor, paste the copied data and save it as <account_name>.xbla (or .bin), as the XBLA extension is made up. You can associate the hex editor as the application to always open .XBLA extension filenames if you like.

    I've not tried to take the data directly from the HDD and inject it into a memory card backup. Remember there are 28 bytes that differ in value on the HDD as compared to the MU copied account. The values of the HDD copy might be invalid to use directly on a MU. The Xbox might not see the MU's Xbox Live Account when plugged into the Xbox and viewed in the Memory -> MU menu.

    More experiments to do!
     
    Last edited: Sep 16, 2017
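An added Python example (mine, not the thread's or any tool's code) for the extraction and comparison described in the post above: it pulls the 108-byte data set out of an MU backup at 0x50 or out of an XBLA sector on the HDD at +0x0C, decodes the text fields and the raw dwSignatureTime dword, and lists the offsets where the MU and HDD copies disagree. The text field boundaries are inferred from the posted dump, not from a structure definition, and the two images are constructed with zero filler around the posted bytes.

```python
import struct

XBLA_LEN = 0x6C          # 108 bytes: 0x50..0xBB inclusive in an MU backup
MU_DATA_OFFSET = 0x50    # start of the data set in an Xplorer360 MU backup
HDD_FIRST_SLOT = 0x1800  # XBLA 1 sector in the config area; slots are 0x200 apart
HDD_DATA_OFFSET = 0x0C   # the data set starts 12 bytes into each XBLA sector

# Text field bounds inferred from the posted dump (where each run of characters
# starts and its zero padding ends); they are not taken from a structure definition.
FIELDS = {"gamertag": (0x0C, 0x24), "domain": (0x24, 0x38), "realm": (0x38, 0x50)}


def xbla_from_mu(backup):
    return bytes(backup[MU_DATA_OFFSET:MU_DATA_OFFSET + XBLA_LEN])


def xbla_from_hdd(config_area, slot):
    """slot is 1..8, matching the XBLA 1..8 sectors in the config-area map above."""
    if not 1 <= slot <= 8:
        raise ValueError("XBLA slot must be 1..8")
    start = HDD_FIRST_SLOT + (slot - 1) * 0x200 + HDD_DATA_OFFSET
    return bytes(config_area[start:start + XBLA_LEN])


def parse_xbla(data):
    if len(data) != XBLA_LEN:
        raise ValueError("an XBLA data set is exactly 108 bytes")
    out = {name: data[a:b].split(b"\x00", 1)[0].decode("ascii", "replace")
           for name, (a, b) in FIELDS.items()}
    out["unknown_head"] = data[:0x0C].hex()
    out["dwSignatureTime"] = struct.unpack_from("<I", data, 0x60)[0]  # raw, not decoded
    return out


def differing_offsets(a, b):
    """Offsets (relative to the data set) at which two copies disagree."""
    return [i for i, (x, y) in enumerate(zip(a, b)) if x != y]


# The 80 bytes common to MU and HDD, then the two 28-byte tails, copied from the dumps above.
COMMON = bytes.fromhex(
    "F8 95 24 49 92 E4 09 00 00 00 00 00 41 6E 67 75"
    "6C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00"
    "00 00 00 00 78 62 6F 78 2E 63 6F 6D 00 00 00 00"
    "00 00 00 00 00 00 00 00 50 41 53 53 50 4F 52 54"
    "2E 4E 45 54 00 00 00 00 00 00 00 00 00 00 00 00")
MU_TAIL = bytes.fromhex("51 FB 71 D8 70 08 F1 57 B5 B7 43 45 94 F5 6C 62"
                        "08 FF D4 02 D3 24 63 C7 53 E1 96 CC")
HDD_TAIL = bytes.fromhex("53 E4 40 59 72 AF CE 28 AE 75 AE 3B 7C 9B 8D 4A"
                         "08 FF D4 02 D8 DD FE 97 C2 57 99 15")


def build_samples():
    """Constructed images: an MU backup holding the data set at 0x50 and a config-area
    image holding the HDD form in XBLA slot 1; everything else is zero filler."""
    mu = bytearray(0x100)
    mu[MU_DATA_OFFSET:MU_DATA_OFFSET + XBLA_LEN] = COMMON + MU_TAIL
    hdd = bytearray(0x2800)
    start = HDD_FIRST_SLOT + HDD_DATA_OFFSET
    hdd[start:start + XBLA_LEN] = COMMON + HDD_TAIL
    return mu, hdd


if __name__ == "__main__":
    mu, hdd = build_samples()
    a, b = xbla_from_mu(mu), xbla_from_hdd(hdd, 1)
    print(parse_xbla(a))
    print("MU/HDD differ at:", [hex(i) for i in differing_offsets(a, b)])
```

On the posted bytes the comparison reports 0x50-0x5F and 0x64-0x6B as differing, which confirms that only the four dwSignatureTime bytes at 0x60-0x63 survive the HDD-to-MU copy unchanged.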
  14. KaosEngineer

    KaosEngineer Robust Member

    Joined:
    Jun 7, 2016
    Messages:
    207
    Likes Received:
    91
I found the IP settings that are saved in the config area of my Xbox's HDD. These values are listed in a prior post of this thread.

    IP address 192.168.100.10
    Subnet mask: 255.255.255.0
    Gateway: 192.168.100.1
    Primary DNS: 0.0.0.0
    Secondary DNS: 0.0.0.0
    Code:
    0x0 1000: 68 25 13 79 01 00 00 00 01 00 00 00 22 CA 60 1A | h%.y........".`.
    0x0 1010: C9 1C E6 BC 6F 0C A5 97 DA EB A4 10 5C 12 2C E0 | ....o.......\.,.
    
    0x0 1020: C0 A8 64 0A FF FF FF 00 C0 A8 64 01 00 00 00 00 | ..d.......d.....
    IP Address: 192.168.100.10, Subnet Mask: 255.255.255.0, Gateway: 192.168.100.1, Primary DNS: 0.0.0.0
    
    0x0 1030: 00 00 00 00 38 8A 42 DC 3B E3 0B FC E9 79 6E 60 | ....8.B.;....yn`
    Secondary DNS: 0.0.0.0, ??? (0x38 8A 42...)
    ...
    
    They are the static settings I had used before with EvolutionX dashboard. Not sure why they were still present in the IP configuration as I've been using automatic or dynamic addressing with DHCP assigning: 192.168.1.129, 255.255.255.0, 192.168.1.1, 192.168.1.1, 0.0.0.0 for all the IP settings respectively. And, these DHCP settings are visible later in the IP settings sector.
    Code:
    0x0 116C:                                     C0 A8 01 81 |             ....
    My Xbox's IP Address: 192.168.1.129
    
    0x0 1170: FF FF FF 00 C0 A8 01 01 C0 A8 01 01 00 00 00 00 | ................
    Subnet Mask: 255.255.255.0, Gateway: 192.168.1.1, Primary DNS: 192.168.1.1, Secondary DNS: 0.0.0.0
    
    And, a few more with some 0.0.0.0's where I think the Xbox IP address and subnet mask for PPPOE may be stored:
    Code:
    0x0 1180: 00 00 00 00 00 00 00 00 C0 A8 01 01 00 00 00 00 | ................
    Possible PPPOE IP settings: IP address, subnet mask, gateway, primary DNS
    
    0x0 1190: 00 00 00 00 00 00 00 00 84 1B 5E 74 CE 9B 02 0C | ..........^t....
    secondary DNS, ...
    
I don't have access to a PPPOE service so I can't verify if the IP address entries here are for PPPOE. Not sure why C0 A8 01 01 (192.168.1.1) is already filled in, as I've never had a PPPOE service set up.

    Therefore, the Xbox may be saving IP address settings for static (manually configured), automatic (DHCP) and PPPOE connections at three (3) different locations and not all were documented by the xbox-linux.org team.
     
    Last edited: Sep 18, 2017
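The xbox-linux offset table quoted two posts up, the MAC/hostname/PPPOE observations in the post after it, and the three IP-setting locations noted here, as one added Python example (mine, not code from the thread or from any Xbox tool) that decodes the 0x1000 sector into named fields. The names given to the 0x20 (static) and 0x16C (DHCP-assigned) blocks are my assumption from the thread's observations, and the sample sector is assembled from the posted dumps with zero filler elsewhere.

```python
import struct

# Offsets inside the 512-byte sector stored at 0x1000 (config-area offset minus 0x1000).
# 0x4C..0x15F follow the xbox-linux.org table quoted above; the 0x20 (static) and
# 0x16C (DHCP-assigned) blocks are the extra IP settings found by inspection in this
# thread, so their names are an assumption, not a documented layout.
LAYOUT = {
    "static_ip": (0x20, 4), "static_mask": (0x24, 4), "static_gateway": (0x28, 4),
    "static_dns1": (0x2C, 4), "static_dns2": (0x30, 4),
    "live_settings": (0x4C, 2), "live_mac": (0x4E, 6),
    "live_ip": (0x54, 4), "live_mask": (0x58, 4), "live_gateway": (0x5C, 4),
    "live_dns1": (0x60, 4), "live_dns2": (0x64, 4), "hostname": (0x68, 40),
    "pppoe_user": (0x90, 64), "pppoe_pass": (0xD0, 64), "pppoe_service": (0x138, 40),
    "dhcp_ip": (0x16C, 4), "dhcp_mask": (0x170, 4), "dhcp_gateway": (0x174, 4),
    "dhcp_dns1": (0x178, 4), "dhcp_dns2": (0x17C, 4),
}


def decode_field(name, raw):
    if name.endswith(("_ip", "_mask", "_gateway", "_dns1", "_dns2")):
        return "%d.%d.%d.%d" % tuple(raw)
    if name == "live_mac":
        return ":".join("%02x" % b for b in raw)
    if name == "live_settings":
        return struct.unpack("<H", raw)[0]
    return raw.split(b"\x00", 1)[0].decode("ascii", "replace")  # NUL-terminated text


def parse_network_sector(sector):
    """Decode the fields of the 0x1000 sector into a dict keyed by the LAYOUT names."""
    if len(sector) != 512:
        raise ValueError("expected exactly one 512-byte sector")
    return {n: decode_field(n, bytes(sector[o:o + size])) for n, (o, size) in LAYOUT.items()}


def build_sample_sector():
    """Constructed sector: the MAC/IP/hostname/PPPOE bytes from the post-12 dump (MAC
    override saved as 00 00 f2 ba 2a fd, strings of repeated '1234567890'), plus the
    0x20 static block from the earlier dump where 192.168.100.10 was still stored."""
    sec = bytearray(512)
    sec[0x00:0x0C] = bytes.fromhex("68 25 13 79 01 00 00 00 01 00 00 00")
    sec[0x20:0x34] = bytes.fromhex("C0 A8 64 0A FF FF FF 00 C0 A8 64 01 00 00 00 00 00 00 00 00")
    sec[0x4C:0x68] = bytes.fromhex("00 00 00 00 F2 BA 2A FD C0 A8 01 81 FF FF FF 00"
                                   "C0 A8 01 01 C0 A8 01 01 00 00 00 00")
    sec[0x68:0x90] = (b"1234567890" * 4)[:39] + b"\x00"    # hostname: 39 chars + NUL
    sec[0x90:0xD0] = (b"1234567890" * 7)[:63] + b"\x00"    # PPPOE username: 63 + NUL
    sec[0xD0:0x110] = (b"1234567890" * 7)[:63] + b"\x00"   # PPPOE password
    sec[0x138:0x160] = (b"1234567890" * 4)[:39] + b"\x00"  # PPPOE service name
    sec[0x168:0x180] = bytes.fromhex("7E 51 01 00 C0 A8 01 81 FF FF FF 00 C0 A8 01 01"
                                     "C0 A8 01 01 00 00 00 00")
    sec[0x1F4:0x200] = bytes.fromhex("50 43 42 58 26 7D 68 17 00 00 55 AA")
    return sec


if __name__ == "__main__":
    for name, value in parse_network_sector(build_sample_sector()).items():
        print(f"{name:<14} {value}")
```

Feed it image[0x1000:0x1200] from a real disk.bin to see all three IP blocks side by side, which is the quickest way to tell which of them a given dashboard actually updates.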
  15. KaosEngineer

    KaosEngineer Robust Member

    Joined:
    Jun 7, 2016
    Messages:
    207
    Likes Received:
    91
I need to figure out, if I haven't already, what the first 12 bytes of the HDD sector represent, as the XBLA's 108 bytes start at offset 0x0C of the XBLA [1-8] sectors. (The first XBLA sector is at offset 0x1800 of Evoxdash's disk.bin backup.)

    Evoxdash's System Util -> Backup saves not only the eeprom.bin backup but the HDD's config area (first 1024 sectors - 512KB).
     
