Current List of Revoked Xbox 360 Consoles

Everyone has heard about the Xbox360 bans that stop a console from connecting to Xbox Live; however, not many people realise that Xbox360 consoles can also be revoked. Below you can find a list of all the currently revoked consoles at the time of the Fall’08 system update release. Read on to find out why and how an Xbox360 gets revoked and what effect it has.

Fall’08 Console Revocation List Contents
This is a list of the Console IDs of the 433 Xbox360 consoles that had been revoked when the Fall’08 update was released.

 

WHY?

There are many reasons why your Xbox360 could get revoked, but generally it means you have done something to piss off MS. So the best way to keep from being revoked? Don’t do anything liable to piss off MS. An example of a cause for revocation is the public sharing of your gamesaves or other similar files from your Xbox360 hard drive. This includes making publicly available “resigned” versions of these kinds of files. In order to be revoked you have to have done something that involves your Console ID so that MS has the ID required for revocation.

 

HOW?

Revocation is done through the use of Console Revocation Lists (CRLs) such as the list posted above. If your console’s ID is present in the revocation list, then your console has been revoked. There are two types of CRLs, static and dynamic.

A static list refers to a list that is saved onto the flash inside your Xbox360. This list is updated when system updates are performed on your console. The Fall’08 update contains an encrypted version of this list in the file “$SystemUpdate\su20076000_00000000\data.bin”. When the list is installed onto your console, another layer of encryption is added using your Xbox360’s unique fusekey, and the result is saved to a crl.bin file on the internal flash.

A dynamic list refers to a list that is sent to your console when you connect to Xbox Live. This way an updated revocation list can be employed without requiring a system update.

 

SO WHAT?

So what does it mean to be revoked? Will I even notice or care?

From what I can see so far being revoked means that your console loses its “license to sign”. Data that is generated locally on your Xbox360 gets signed by a key unique to your Xbox360. This data includes Gamer Profiles and Saved Games. Being revoked does not mean that you can no longer sign this data, just that other Xbox360s will no longer recognise anything that your Xbox360 signs.

In short, this means that if your console gets revoked you can no longer sign into a profile created on your Xbox360 on a friend’s Xbox360, nor can you use any gamesaves that were created on your Xbox360 on a friend’s Xbox360.

For most people this wouldn’t be much of an issue, however there could be further ramifications that I have not come across or thought of. I do not have a revoked console, so I cannot perform tests to see what a revoked console can and cannot do. Please note that the following are *guesses* at what may happen, and are not fact.

I do not know how Xbox Live treats consoles with respect to being revoked. Possibly being revoked could cause you to be unable to connect to Xbox Live, or appear invalid to other gamers and therefore be unable to play an online game with anyone. Another possible problem could be sharing of locally created data, such as user-generated levels that you create for a game and then upload for others to use. I would assume that such things would also be locally signed with your unique key, and so other consoles would not recognise them as being valid. There is also the potential for revocation to affect other aspects of the Xbox360 totally separate from signing; however, signing is the only place I have noticed it being used so far.

 

CONSOLE ID?

By now you may be wondering what your Xbox360’s Console ID is. There are 3 ways to find out.

1) Go to the “System Settings->Console Settings->System Info” screen on the Xbox360 dashboard and enter the Console ID displayed on this linked page.

2) Go to the “System Settings->Network Settings->Configure Network->Additional Settings->Advanced Settings” screen on the Xbox360 dashboard to get the MAC address. Then look on the back of your Xbox360 near the power socket to get the Manufacture date (YYYY-MM-DD format). Enter these on this linked page to generate your Console ID. (Note: This is how your Xbox360’s Console ID is initially created by MS)

3) Retrieve a gamesave file from your Xbox360 hard drive or memory card and open it in a hex editor. Ensure the first 4 bytes are “CON ”, and if so then your Console ID is the 5 bytes at offset 6 in the file.

Note: the savegame file MUST have been created on the Xbox360 you want to get the Console ID of, otherwise it will contain the wrong ID.

If the save game file has the following data:
43 4F 4E 20 01 A8 11 22 33 44 55
Then your Console ID is: 1122334455

 

The general format of a Console ID is shown below: 

Console ID Format: ?MYm3m4m5C
?  = Unknown (4bits). Usually this is 0, but some revoked IDs show a 1 or 2 here.
M  = Month of manufacture (4bits)
Y  = year of manufacture minus 2005 (4bits)
m3 = MAC address byte-index 3 (8bits)
m4 = MAC address byte-index 4 (8bits)
m5 = MAC address byte-index 5 (8bits)
C  = CRC over Console ID (4bits)
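
The following is an added example, not code from the original post: it pulls the Console ID out of a “CON ” gamesave header (method 3) and splits it into the fields listed above, then compares those fields with a MAC address and manufacture date (method 2). The function names and the MAC address are made up for illustration; the CRC nibble is only extracted, not recomputed, because the CRC algorithm is not given on this page.

```python
CON_MAGIC = b"CON "   # first 4 bytes of a console-signed file
ID_OFFSET = 6         # Console ID starts at offset 6
ID_LEN = 5            # 40 bits: ? M Y m3 m4 m5 C

# The example header bytes quoted in the post.
SAMPLE_SAVE_HEADER = bytes.fromhex("43 4F 4E 20 01 A8 11 22 33 44 55")


def console_id_from_save(data: bytes) -> bytes:
    """Return the 5-byte Console ID stored in a 'CON ' file header."""
    if len(data) < ID_OFFSET + ID_LEN:
        raise ValueError("file too short to hold a Console ID")
    if data[:4] != CON_MAGIC:
        raise ValueError("first 4 bytes are not 'CON '")
    return data[ID_OFFSET:ID_OFFSET + ID_LEN]


def decode_console_id(cid: bytes) -> dict:
    """Split a Console ID into the ?MYm3m4m5C fields (big-endian nibbles)."""
    if len(cid) != ID_LEN:
        raise ValueError("Console ID must be exactly 5 bytes")
    v = int.from_bytes(cid, "big")
    return {
        "unknown": (v >> 36) & 0xF,            # usually 0
        "month": (v >> 32) & 0xF,              # month of manufacture
        "year": ((v >> 28) & 0xF) + 2005,      # stored as year minus 2005
        "mac_tail": bytes([(v >> 20) & 0xFF,   # MAC byte-index 3
                           (v >> 12) & 0xFF,   # MAC byte-index 4
                           (v >> 4) & 0xFF]),  # MAC byte-index 5
        "crc": v & 0xF,                        # not verified here
    }


def matches_hardware(cid: bytes, mac: str, manufacture_date: str) -> bool:
    """True if the month, year and MAC fields agree with the given console data.

    mac is 'AA:BB:CC:DD:EE:FF'; manufacture_date is 'YYYY-MM-DD' as printed
    on the back of the console. The '?' and CRC nibbles are ignored.
    """
    fields = decode_console_id(cid)
    mac_bytes = bytes.fromhex(mac.replace(":", "").replace("-", ""))
    if len(mac_bytes) != 6:
        raise ValueError("MAC address must be 6 bytes")
    year, month, _day = (int(part) for part in manufacture_date.split("-"))
    return (fields["month"] == month
            and fields["year"] == year
            and fields["mac_tail"] == mac_bytes[3:6])


if __name__ == "__main__":
    cid = console_id_from_save(SAMPLE_SAVE_HEADER)
    print(cid.hex().upper(), decode_console_id(cid))
    # Constructed MAC and date chosen to agree with the sample ID.
    print(matches_hardware(cid, "00:11:22:23:34:45", "2007-01-15"))
```

A mismatch here usually means the save was created on a different console, which is the case the note under method 3 warns about.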

 

The information on Console ID generation and format does not really matter to most people. Hackers, however, delight in finding the intricacies of how things work merely for the sake of knowing. It is for the hackers then that I post this extra information. :)

Please keep comments on topic, off-topic comments will go to the big /dev/null in the sky.

40 thoughts on “Current List of Revoked Xbox 360 Consoles”

  1. Nice Xor, keeps us posted with further findings!
    As far as I know a lot has changed since the Halo 3 beta (the hammer flew out then). To my knowledge MS has been keeping track of this for some time.
    Just surprised MS has yet to fully act out on any type of full bans.

  2. Excellent findings of course. We strive to find the unique differences between those who are ‘banned’ and those who have been ‘revoked’. I know many people who have been revoked, if you would like specific information from their consoles, you know how to get ahold of me.

  3. I can’t help but think that there’s a point at which information should not be shared. The people who do take the time to hack the xbox know about stuff like this, and ap2.5, and many other things, and when it gets posted on a public blog that you know is being watched, is it anything more than seeking fame? We all know the role you’ve played in xbox hacking, and everyone is thankful for it, but I think sharing some information about security, or what is known about security is going too far. The result of all of these posts has been very little technical discussion, and a lot of mass newbie pirate hysteria, as was seen with the ap2.5 post.

    While nobody is bound by rules about what they can or can not say, it’s unfair to people who do work on these things every day to just go out and tell the world what is known. I think we were all a bit pissed when the only hv exploit got reported and patched, and this blog seems to be following along those lines. Yes it’s good to share information, yes it’s good to have discussion, but this should be done privately with people who do have the moral sense to keep this info to themselves in order to stay one step ahead of the patches. What if someone is working on an exploit that involves something you post? then what, it gets patched because they know we know, and hard work = down the tubes. *annoyed*

  4. I don’t see any reason to keep this private. The only outcome of letting people know about it is that it may stop it from happening to them.

    MS has done an excellent job on the Xbox360 security. Even when all its secrets are known, it still cannot be readily exploited. That isn’t to say that hackers who really want to can’t exploit it, and those who do end up with a totally open system. For hackers the public knowledge of any of this stuff is not going to hinder them. If you have a hacked system, you can find and patch the revocation checks in 5 minutes.

  5. My point is not specifically about crl.bin, but more towards other things that I know you know, that I don’t think should be public because they can change and ruin certain things we’re able to do right now. Like for instance, if you update your ap 2.5 post with real info.

  6. I actually do plan on doing a post on ap2.5 sometime soon, however I fail to see how posting info about how it works and what it is will change anything. If it works correctly it will stop copied games from booting whether info about it is made public or not. Either way the worst that I can see happening is that copied games will stop working or cause bans, and I don’t have a problem with that.

  7. It won’t matter what you post, the hackers / modders will either already know this, or have their ways around it. When AP2.5 emerges, yes it might stop it for a short while, but it won’t stop it completely.
    M3 haven’t got anything in the bag for protection apart from 2.5 but since it doesn’t work correctly on all the dvd drives, doubt it will see the light till xbox no.3. Even if it does … within 6 months it’ll be cracked.

  8. bmp: You don’t know what ap2.5 is do you….

    It’s not that it doesn’t work correctly on all drives, it’s just not implemented in a few older models, Samsung, and early Hitachis. This is a low percentage of consoles now, they probably can implement it on 85% of consoles if not more because of 3rod or dead drive repairs.

    The amount of “hackers/modders” (reversers is a better term) that have actually reversed the hypervisor and understand what is going on is a handful, and when xorloser says “copied games will stop working or cause bans” he’s right. It will. There isn’t an easy way around this.

    If you’ve looked at Microsoft’s code, which I doubt you have, it’s really top of the line stuff, some of it is absolutely brilliant. They have many options of how to implement more security, and they clearly choose not to. So I wouldn’t say they haven’t got anything in the bag, because they certainly do.

    It will not be “cracked” in 6 months because it’s not something that is crackable in that sense. To understand that you have to know that the drive firmware hack, other than the patching to relocate and bypass certain things, is emulation. The challenges are not actually performed, the responses are stored at the time of ripping and repeated when challenged. The reason this security fails on the xbox 360 is because of this “playback” attack, which is generally easily thwarted and a weak attack if it’s dynamic. For instance, the captcha that verifies posts on this blog will change after every use to thwart a replay attack. Ap2.5 is dynamic like that, this attack won’t work.

    The only ways around ap2.5 are to have an exploit console and dump and decrypt the ap2.5 challenge set from the nand, and then somehow implement it into your firmware for each game and each set (rofl) if ms implement it properly, that would be a ridiculous task. Or make that challenge set constantly empty, which again if they implemented it properly, and made it a regular part of security, they would just code a check to verify the size. Tip, everything is symmetrical in this disc authentication process.

    Xorloser, I hope they all get banned too. I don’t think people should be messing around on xbox live with pirated discs.

  9. “Other method of tracking IDconsole : in kv : 0x09BA.” <— yup, if you’re using a keyvault from robinsods tool, which isn’t proper. In a raw keyvault with the proper bytes at the beginning, it’s 0x9C8, which is the beginning of the console certificate, this is also how the hypervisor sees a keyvault as you probably know (nice tools btw).

    I just looked briefly at the code, what the revoke load and save seem to grab from your keyvault is at 0x9CA (0x9BC in a robinsod kv), so skip the first 2 bytes of the cert, and it moves 0x5 to the count register and does a loop to grab those bytes. I haven’t looked at it in depth, but this doesn’t seem to be the “real console id”. But I’ve found different results with either of those 2 forms you posted xorloser, so I’m not sure what’s going on. ?????

  10. Yes the “real” console id as used by the xbox360 is grabbed straight from the console certificate (key 0x36). It is those 5 bytes you mentioned after the 16bit keysize field. This includes the console id displayed on the “system info” page from the dashboard, which is extracted from the console cert before being displayed. I didn’t bother mentioning that you can grab the console id from the console certificate since most people do not have their keyvaults dumped.

    The Xbox360 just does a memcmp of those 5 bytes against the contents of the revocation list. Interesting to note is that they use a binary search over the contents of the list which hints that they expect the list could become quite big.

    I am interested in console ids you have found that don’t match those forms though.

  11. Hmm, so I guess that is the real i.d. I tried generating one using the mac address + manufacturing year + month and it doesn’t look like the proper format, I also noticed that putting in the month didn’t seem to do anything for the generation of the real id. The results do not match that of the keyvault. I’d post the info but it’s not my console, and then it would probably be on the next list haha. I have a few others but don’t have the dash info to generate the ids. Maybe a mutual friend will get us in touch.

  12. Ah thanks for pointing that out – my mistake.

    I forgot to upload the last version of the console id generator since I was testing a local version. Please try and see if it now works.

  13. Yup works now, everything matches up, good work :)

    I’m really curious about your process of finding out what bits were used to generate the console id, where did you start?

  14. Sweet, I made the list! I feel like a VIP member. That system has been sitting in my closet untouched for over a year though, so it doesn’t matter to me. I don’t think I ever uploaded any gamesaves from that system, but I definitely uploaded nand dumps and keyvaults from it. That must be how/why they revoked it. System still has the 4532 kernel on it, it’s just been sitting in my closet just in case some useful homebrew was ever released. Although I should say I also shared that keyvault with a friend of mine to get him unbanned, so that could play a part too.

    It feels cool to be a member of a small group (443) of consoles that have pissed off Microsoft. 😛

  15. i changed first byte @0x09BA in kv.bin after writing this kv to the nand the box worked but wireless controller doesn’t connect to console

    after restore org nand dump it worked again

    is there any method that console can compare the modded ID with other static value in the kv to ensure it match the correct id

    may need to change the date in kv but not the mac address

  16. As a follow up to my comment above, I am now curious as to why this console ID has been revoked. At this point, it looks like it had to do with another system using my keyvault to get unbanned from Xbox Live. At the time that this was performed, and from that point on, the original donor 360 has stayed in my closet, never touching Live. While the receiving 360 obviously has been on Live (that’s kind of the point of unbanning a 360). To me, this looks like unbanning a 360 by using another unbanned system’s keyvault will get your system revoked. Unfortunately it’s not possible for me to determine whether the keyvault was revoked prior to, around the same time, or after the receiving 360 was unbanned.

    I would be interested in knowing of any other 360 owners who have been unbanned from Xbox Live by using another system’s keyvault. I would think your system is also revoked.

  17. after i downgrade 2 x360 they did not sign in XBL but u can update the console via live …no ban code only storage device issue & invalid membership detail

    may due to LDV counter ??

  18. sasoseso: your console id is not at 0x9BA (in a flashtool keyvault) it is at 0x9BC. As xorloser said in a previous post “It is those 5 bytes you mentioned after the 16bit keysize field”. Also, I believe your console cert is signed as the kernel does Pkcs1 Verification. Just sayin.

  19. ah yer right, stupid flash tool kvs. Anyway I think changing anything in the console cert breaks the sig, xorloser could verify that.

  20. Yes H is correct. There is a signature over the first 0xA8 bytes of the Console Certificate (Key 0x36). This signature is 0x100 bytes in length and appears at offset 0xA8, therefore giving a console certificate size of 0x1A8 bytes. The signature is done with the private master key and verified with the public master key (Key 0x3C).

    Therefore changing any part of the Console Certificate renders it invalid. You could “swap” it for another correctly signed Console Certificate from another console, however then it will not match your other keys and MAC address. I plan on talking more about keys and keyvaults in the future, so stick around :)
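
Added example, not part of the original post or its comments: the certificate layout given in comment 20 (0xA8 signed bytes followed by a 0x100-byte signature, with the Console ID in the 5 bytes after the 16-bit size field) combined with the memcmp-style binary search described in comment 10. The decrypted list is assumed here to be a sorted, packed array of 5-byte IDs; the list and certificate contents are constructed, the function names are illustrative, and the signature is only located, not verified.

```python
CERT_SIZE = 0x1A8    # whole console certificate (key 0x36)
SIGNED_LEN = 0xA8    # bytes covered by the signature
SIG_LEN = 0x100      # signature stored at offset 0xA8
ID_OFFSET = 2        # Console ID follows the 16-bit size field
ID_LEN = 5


def split_console_cert(cert: bytes):
    """Return (signed_region, signature, console_id) for one certificate."""
    if len(cert) != CERT_SIZE:
        raise ValueError("console certificate must be 0x1A8 bytes")
    signed, signature = cert[:SIGNED_LEN], cert[SIGNED_LEN:]
    return signed, signature, signed[ID_OFFSET:ID_OFFSET + ID_LEN]


def crl_lookup(console_id: bytes, crl: bytes):
    """Binary search over packed 5-byte entries; returns (found, probes).

    Python compares bytes objects the same way memcmp does (unsigned,
    byte by byte), so the list must be sorted in that order.
    """
    if len(console_id) != ID_LEN or len(crl) % ID_LEN:
        raise ValueError("ID and list must be built from 5-byte records")
    lo, hi, probes = 0, len(crl) // ID_LEN, 0
    while lo < hi:
        mid = (lo + hi) // 2
        entry = crl[mid * ID_LEN:(mid + 1) * ID_LEN]
        probes += 1
        if entry == console_id:
            return True, probes
        if entry < console_id:
            lo = mid + 1
        else:
            hi = mid
    return False, probes


# Constructed list of 433 distinct IDs (the entry count quoted in the post).
# These are arithmetic filler values, not real Console IDs.
SAMPLE_IDS = sorted(((i * 2654435761) % (1 << 40)).to_bytes(ID_LEN, "big")
                    for i in range(1, 434))
SAMPLE_CRL = b"".join(SAMPLE_IDS)


def make_sample_cert(console_id: bytes) -> bytes:
    """Constructed certificate: placeholder size field, ID, zero padding,
    and an all-zero placeholder where the signature would be."""
    body = b"\x00\x00" + console_id
    return body + bytes(SIGNED_LEN - len(body)) + bytes(SIG_LEN)


if __name__ == "__main__":
    _, _, cid = split_console_cert(make_sample_cert(SAMPLE_IDS[200]))
    print(cid.hex(), crl_lookup(cid, SAMPLE_CRL))        # listed ID
    print(crl_lookup(bytes(ID_LEN), SAMPLE_CRL))         # unlisted ID
```

With 433 entries the search never needs more than 9 comparisons, and doubling the list adds only one more, which fits the remark that the list is expected to grow.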

  21. hi

    after i got 2 x360 revoked cuz i downgraded & update to 4532 with R6T3 in place

    i tried 3rd console but this time i removed R6T3 update to 4532 extract cpu key. reinstall R6T3 . sign in to xbl no problem at all :-)

    now i am sure that LDV counter will lead to console revoked

  22. i think this revocation list may also be stored in profiles somehow. i had 2 systems revoked for sharing gamesaves but one of them never saw xbox live and had the original dashboard. i used to trade accounts with people to swap gamerscore, other profiles stopped loading on this system that has never seen live, the only profiles that would load were the ones created on it, or that the ones i tried to load were also added to the list, either way, how could a system that has never seen live and never received any of microsofts updates behave this way? something has to be stored in the profile as well

  23. Have you ever run a system update on this Xbox360? If you play a newly released game and your system hasn’t been updated it will often require an update before allowing that game to play. The update in this case is stored on the game disc. Even system updates installed this way or after downloading them on a PC and burning to a disc will still install the revocation list onto your console.

  24. Im revoked…..am i gonna be screwed??? I think so….all cuz of gamerscore..WOW

  25. “If you have a hacked system, you can find and patch the revocation checks in 5 minutes.”

    would u mind to explain this one please.

  26. Like the post says – if you have an xbox360 that runs hacked kernels and hypervisors, then it is a simple job to nop out the revocation check so that it will not be triggered even if your console is revoked.

    Of course the only people who have hacked xbox360 systems like this are those who are able to do it themselves. And anyone who is able to do this is able to easily nop out a check :)

    So if you cannot hack your xbox360 in this way yourself, then there is no need to worry about such things.

  27. I’m curious, if what you say is true, and the console ID is generated at manufacture, how did you manage to work out the algorithm for generating the key?

  28. Firstly it is assumed it is created during manufacture since the console ID exists when you buy the console and the key is part of the Console Certificate that is signed with a private key that only Microsoft has.

    As for working out the algorithm it is the same as with anything hacking related, you take what you have and work backwards. So you look at the Console ID from a number of different xbox360s along with whatever other relevant information you can glean and then it becomes fairly obvious. It is not a complicated algorithm; basically consisting of parts of the mac address and the date of manufacture.

    The top 4 bits are still unknown to me as I did not come across an Xbox360 that had anything there except zeros, however the revoked list does show a very small number of IDs have some data here.

    The only thing left is the CRC which tends to be calculated according to the same kinds of general rules and in this case was very simple. A brute force app that tested many different kinds of possible rules was able to identify the CRC algorithm after just a few seconds.

  29. can a game be resigned after using XeXtool or X360GameHack?
    I edited the default.xex region code from pal to region free
    and want to resign it and inject it back into the games iso?
    anyway?

  30. No. If it could be resigned then there would be no need for all the hackery that is required to run your own stuff. Read my cryptography for dummies post for a basic overview of asymmetric cryptography which is used during signing and you might understand how and why the signing works like it does.

  31. Xor,

    In process of researching the modification of Console ID, we have come to a few pieces of information. However, one thing is not behaving logically, so perhaps you can shed some light on it.

    I have been told by at least a dozen people that the hash checks are not active in v1 KV’s. This should enable us to modify them. I am however, resigned to what limited information was provided, and no one has been able to tell me as of yet, specifically, the differences between ‘v1’ and ‘v2’ KV’s and how it affects security/hash checks. But we just proved it is indeed verifying the console ID against the cert when we altered our KV’s with a new console ID on a xenon. Could you please shed some light on the subject of what is different between v1 and v2 KV’s? And if this is something not possible, how would one patch the HV/routine to prevent the check in the first place? Should XBR not be able to patch for that?

  32. iriez: any routine in HV is patchable if you “own” the system as you do when running something such as XBR.

    from memory hashed keyvaults contained an extra key which was actually the hash over the keyvault. if it is indeed just a hash then the hash should be recalculatable as long as you have access to your cpu/fuse key.

  33. I’m sure hackers would enjoy the benefits of memory hacking.
    “Information spoofing” is a delight.
    console id = (all to 0)
    gt code 00 00 00 00
    possibly edit IP to 00 00 00 00
