Due to how the kernel is loaded on Xbox, we can currently (?) not dump the entire kernel (without the MCPX key).
The dumped xboxkrnl.exe will miss the INIT section (in most cases), which creates a kernel which is runnable from a savestate / on initialized hardware. However, the kernel will be unable to initialize the hardware and boot the system.
I came up with an attack to dump the INIT section separately on a cold-boot (as the memory location of INIT is known and it's still in memory after free()). However, gaining access to be the first XBE to run after a cold-boot is tricky, maybe even impossible without hardware hacks.
Also, if hardware is involved this tool failed its purpose and we could also just dump the MCPX ROM directly.
= We need new attacks to dump MCPX ROM or the full Kernel image.