# # Configuration file for xbflash # # The main RC4 key is NOT provided here, and must be provided # in order for xblflash to work!! # # The offsets/addresses in this file are for an 'original' # Xbox Flash ROM. It's possible that these have changed in # future kernel releases. # # I'm not sure if this will work on 'patched' ROMs - xbflash # relies on the data format of an original Xbox Flash ROM. # # The parser for this config file is not very forgiving - # be sure to keep the format of these lines identical to # the original if you make changes # ####################################################### # # Main RC4 key (used to decrypt 2BL image) # ####################################################### # # If this is a ROM image for a "1.0" Xbox, enter the 16-byte RC4 key # (from inside the MCPX 1.0 ROM) as: # # RC4_KEY=0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 # # # # If this is a ROM image for a "1.1" (or higher) Xbox, and you know the *internal* MCPX # RC4 key (16-bytes), enter it as: # # RC4_keymethod=1 # RC4_KEY=0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 # (don't forget the "RC4_keymethod=1") # # # If this is a ROM image for a "1.1" (or higher) Xbox, and you don't know the internal # 16-byte RC4 key, use the "mcpx 1.1 toolkit" to get the 20-byte RC4 key, and enter as: # # RC4_KEY=0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 # # # (Note that you won't be able to 're-sign' the FBL region (using the TEA RSA hack) unless you have # the *internal* MCPX RC4 key for MCPX 1.1/higher) # # Also note that 'multi' BIOS's aren't supported, so a key of all zeros is invalid # RC4_key_encrypt=0 RC4_KEY=0x27 0x45 0xA9 0x10 0x39 0x7E 0x6A 0xA6 0x86 0xFB 0x4B 0x1A 0x4B 0xA9 0x0F 0xD2 # # Base address of 2BL in Flash # 2BL_base_ROM_address=0xffff9e00 # # Size of 2BL in Flash # 2BL_size=0x6000 # # Address in ROM to top-align the KERNEL + KERNEL initialized data segment # (normally this is the 2BL_base_ROM_address minus 1) # KERNEL_top_ROM_address=0xffff9dff # # Base address of KERNEL when executing in RAM (used to adjust # pointers into offsets into the KERNEL) # KERNEL_address_adjust=0x80010000 ############################################################## # # The following are all offsets into the decrypted 2BL image # ############################################################## # # Offset into 2BL to secondary RC4 key (used to decrypt KERNEL) # 2BL_kernelkey_offset=0x0000008c # # Offset into 2BL to DWORD containing size of KERNEL's initialized # data segment # 2BL_dwkerneldatasize_offset=0x00005fdc # # Offset into 2BL to DWORD containing number of bytes at beginning # of Flash (x-code, etc) to include in KERNEL SHA-1 hash calculation # 2BL_dwflashstart_hashsize=0x00005fe0 # # Offset into 2BL to DWORD containing the size of the COMPRESSED # KERNEL image # 2BL_dwkernelsize_offset=0x00005fe8 # # Offset into 2BL to 20-byte SHA-1 digest of KERNEL (result of # SHA-1 hash on KERNEL, KERNEL initialized data segment, and # x-code section of Flash base) # 2BL_sha_digest_offset=0x00005fec ############################################################## # # The following are all offsets into the decrypted/decompressed # KERNEL image # ############################################################## # # Offset into KERNEL to DWORD containing the size of the KERNEL # initialized data section # KERNEL_dwdatasize_offset=0x0000002c # # Offset into KERNEL to DWORD containing the base ROM address of # the KERNEL initialized data section # KERNEL_dwdataROMbase_offset=0x00000030 # # Offset into KERNEL to DWORD containing the base RAM address of # the KERNEL initialized data section (where it gets copied to # at runtime) # KERNEL_dwdataRAMbase_offset=0x00000034