To quote: As a first step toward a "release", I've committed the tool to build an image suitable for the hack, as well as some additional information and a description of "how it works".
I understand that not all of the required binaries are available right now, but we'll work on providing ways to derive them from NAND dumps. But those of you who are able to recover the required binaries should be able to build an image which boots right into xell.
There are 3 things that we have to take care of:
- The 1920+ CB/CD. If somebody has a 1920 box, just do the timing attack, extract your CPU key, add that CPU key into "decrypt_CD", and use that image. You'll get the decrypted CB/CD in your "output" directory. I'll then describe how to build the 1921 and the other CDs from that.
- The hacked SMC for kicking off the read. You basically need to add writing to the NAND command register in command 04. The command you need to write is 07. I can explain this more, but there are people who understand the SMC code much better than I do, so maybe they can drop in here.
- The SMC JTAG stuff, which Tiros wrote, so you only need to add resistors instead of a uC.
The generated image will run on all boxes of that type [Xenon (no HDMI), Zephyr (HDMI, but 90nm CPU/80nm GPU), Falcon/Opus (60nm CPU) or Jasper (new Southbridge, 60nm GPU, 60nm CPU)]. So we need 4 images in total, nothing more.
But for each box type, we need to extract a decrypted CD *once*. For copyright reasons I cannot just put them up here, so I will give an explanation of *how you can extract those* instead.
The CD.1920 is the simplest, so let's start with that one: Just TA, and use that to decrypt.
1921 is more complicated, since we cannot TA those boxes, but you can patch CD.1920 until it matches the hash of CD.1921 (i.e. until you have the CD.1921 binary - this is not a hash collision, it's a "plaintext recovery"). If you have 1921, the other ones will be easy again. I can help here, but the first step is 1920.