Results 1 to 3 of 3

Corona v2 NAND dumping is done!

  1. #1
    Junior Member
    Xbox Junkie!
    knowlzy10's Avatar
    Join Date
    Feb 2012
    workington, cumbria, england
    Thanked: 298
    Blog Entries
    0 Post(s)

    Corona v2 NAND dumping is done!

    XeLL also boots!

    Chinese hacker zhangjiqi007 has managed to successfully 'glitch' the Corona v2 and was able to launch XeLL in order to grab the CPUkey.

    Chinese hacker zhangjiqi007 managed to get a 66MB NAND dump of the Corona v2 board, that was also decryptable with the CPU key that he obtained from the console.

    Here's the official info:

    Members of Glitch360Team shared the Phison datasheet with several higher up members of the hacking community including zhangjiqi007 who deserves proper credit for finding the method to dump the nand extract the 64MB bootcode area and write the new information ... This is a huge step for this console type ... The datasheet is what allowed him to find what he needed to achieve this.

    I have also been informed by Glitch360Team that they will be sharing some interesting findings regarding the Phison eMMC controller which they have made within the last few weeks.

    This site will not be responsible for someone trying to steal credit or glory from the proper individuals , and from talking to orkid1818 in private messages as well as in the research forum while it seems it may be a language barrier , he truly doesn't seem to know what he is doing.

    Here is a link to the Chinese forum that did this if you understand Chinese have at it:
    Bigger picture of the nanddump opening in RGBuild:

    Now, it looks like the guy did it "the hardway":

    1 : remove 4gb nand from mainboard and dump it externaly
    2 : use xor hack to build ecc
    3 : flash it in a 16mb nand
    4 : solder the 16mb nand to the xbox motherboard (Changing something on the resistor configuration on the Corona board to make it works)
    5 : grab keys
    This means that, there is still no way to dump and decrypt the nand direclty from the nand.

    And finally, here is a Pastebin of the XeLL output, where you can see that the NAND isnít properly recognized.

    We can say from that:
    Magic bytes are OK
    Nand dump is 66 Mb (like the data part for Jasper BB nand)
    The CPUKey decrypt the KV properly and display console info as Corona
    Bootloader are the one from Corona
    So, itís definitely legit!
    Definitely, this is a big step. Stay tuned for more in the upcoming days!


  2. The Following 2 Users Say Thank You to knowlzy10 For This Useful Post:

  3. #2
    Enthusiast jonathanb9595's Avatar
    Join Date
    Aug 2011
    Behind you
    Thanked: 57
    0 Post(s)
    Very cool, good find.
    Consoles: Super Famicon, N64, PS1, Gamecube, Wii, Xbox 360, PS3, N3DS, Wii U.

  4. #3
    Founding Member
    Join Date
    Mar 2011
    Thanked: 29
    0 Post(s)
    the guy did it "the hardway" !


Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts