
Untitled

a guest
Feb 12th, 2019
  1.  
  2. This will allow you to get the clean 100F0 hash on any kernel, without the need for a UART.
  3.  
  4. All you need is the retail non-live HV for that kernel (first 256KB of the xboxkrnl) and the code below.
  5.  
  6.  
  7.  
  8. Code:
  9. // The code below will allow you to generate the 100F0 hash for
  10. // any dashboard without the need for a UART
  11.  
  12. // Released by: Devient
  13.  
  // Image buffers, each 256 KB (0x40000 bytes) and zero-initialised.

  // Filled by Generate100F0() from HDD:\BaseHV.bin; stays all zeros if that
  // read does not populate it.
  BYTE BaseHV[256 * 1024] = { 0 };

  // [0] holds the HV bytes captured from the running console,
  // [1] holds the working copy that Generate100F0() edits and pokes back.
  BYTE LiveHV[2][256 * 1024] = { 0 };
  16.  
  // Executes one dcbst per 0x80-byte step, r4 times, advancing r3 by 0x80 after
  // each one, and then calls __sync() and __isync().
  //   r3 - starting address for the walk
  //   r4 - number of 0x80-byte steps; 0 skips the loop and only runs the barriers
  // NOTE(review): the asm operand is spelled `r3`, the same as the parameter.
  // Whether it binds to the parameter or to the physical register depends on
  // the compiler - confirm before changing anything in this function.
  void UpdateBlocks(QWORD r3, QWORD r4)
  {
      QWORD stepsLeft = r4;

      while (stepsLeft > 0)
      {
          __asm
          {
              dcbst r0, r3
          }
          r3 += 0x80;
          stepsLeft--;
      }

      __sync();
      __isync();
  }
  30.  
  // Captures the running hypervisor (HV) image, reverts a fixed list of
  // locations to the bytes found in HDD:\BaseHV.bin, pokes that reverted image
  // into HV memory, hashes a 0x1000-byte region read back afterwards, writes the
  // first 0x10 bytes of the 0x14-byte digest to HDD:\100F0.bin, and finally
  // pokes the originally captured image back.
  //
  // NOTE(review): no call in this function is checked. If CReadFile does not
  // fill BaseHV, the buffer is still all zeros and those zeros are what gets
  // written into live HV memory at every offset below. XPhysicalAlloc's result
  // is passed to memset without a NULL test.
  // NOTE(review): every offset is hard-coded and the page does not say which
  // kernel build they were taken from - confirm against the image in use.
  void Generate100F0()
  {
      // Address of each HV page; page p lives at offset p * 0x10000 in the image.
      static const QWORD kPageAddr[4] = {
          0,
          0x8000010200010000,
          0x8000010400020000,
          0x8000010600030000
      };

      // Offsets of the single 32-bit words reverted from BaseHV.
      static const unsigned int kDwordOffsets[] = {
          0x11BC,  0x1880,  0x3120,
          0x6BB0,  0x6BB4,  0x6C48,  0x6C4C,  0x6C98,  0x6C9C,
          0x6D08,  0x6D0C,  0x6D58,  0x6D5C,
          0x70BC,  0x7268,  0x72B4,  0x72C4,  0x72EC,  0x72F0,
          0x813C,  0xA560,  0xA564,
          0x15E60, 0x24D58, 0x24D5C, 0x264F0,
          0x2A30C, 0x2A310, 0x2AA80, 0x2AA8C,
          0x2B770, 0x2C0B0, 0x2C3A0,
          0x304E8, 0x304FC, 0x3089C, 0x308A0, 0x308A4, 0x308A8
      };
      const unsigned int dwordCount = sizeof(kDwordOffsets) / sizeof(kDwordOffsets[0]);
      unsigned int p;
      unsigned int k;

      // Snapshot the console's HV. The length is 0xFFFF, not 0x10000, so the
      // last byte of each page is never read here (and never written below).
      for (p = 0; p < 4; p++)
      {
          HvPeekBytes(kPageAddr[p], LiveHV[0] + p * 0x10000, 0xFFFF);
      }
      memcpy(LiveHV[1], LiveHV[0], 0x40000);

      // Load the reference image from disk.
      CReadFile("HDD:\\BaseHV.bin", BaseHV, 0x40000);

      // Revert the xeBuild-patched locations in the working copy. The source is
      // always BaseHV, which is not modified, so the order of these copies does
      // not affect the resulting bytes.
      for (k = 0; k < dwordCount; k++)
      {
          *(PDWORD)(LiveHV[1] + kDwordOffsets[k]) = *(PDWORD)(BaseHV + kDwordOffsets[k]);
      }
      memcpy(LiveHV[1] + 0x154C,  BaseHV + 0x154C,  0x10);
      memcpy(LiveHV[1] + 0xB4F8,  BaseHV + 0xB4F8,  0x120);
      memcpy(LiveHV[1] + 0x29B08, BaseHV + 0x29B08, 0x38);

      // Write the reverted image into HV memory. From here until the restore at
      // the end of the function, live HV memory holds the reverted bytes.
      for (p = 0; p < 4; p++)
      {
          HvPokeBytes(kPageAddr[p], LiveHV[1] + p * 0x10000, 0xFFFF);
      }

      // Walk each page with dcbst: 0x200 steps of 0x80 bytes = 0x10000 bytes.
      for (p = 0; p < 4; p++)
      {
          UpdateBlocks(kPageAddr[p], 0x200);
      }

      // Read 0x1000 bytes back from 0x8000020000010000 into a zeroed buffer.
      PBYTE cacheBuf = (PBYTE)XPhysicalAlloc(0x1000, MAXULONG_PTR, 0, PAGE_READWRITE);
      memset(cacheBuf, 0, 0x1000);
      HvPeekBytes(0x8000020000010000, cacheBuf, 0x1000);

      // Hash five ranges of that buffer, in this order. Bytes 0x0-0x1,
      // 0x400-0x40F and 0x580-0x5B5 are not part of the digest.
      BYTE digest[0x14] = { 0 };
      XECRYPT_SHA_STATE shaState;
      XeCryptShaInit(&shaState);
      XeCryptShaUpdate(&shaState, cacheBuf + 0x2,   0x3FE);
      XeCryptShaUpdate(&shaState, cacheBuf + 0x410, 0x170);
      XeCryptShaUpdate(&shaState, cacheBuf + 0x5B6, 0x24A);
      XeCryptShaUpdate(&shaState, cacheBuf + 0x800, 0x400);
      XeCryptShaUpdate(&shaState, cacheBuf + 0xC00, 0x400);
      XeCryptShaFinal(&shaState, digest, 0x14);

      // Only the first 0x10 of the 0x14 digest bytes are written out.
      CWriteFile("HDD:\\100F0.bin", digest, 0x10);
      XPhysicalFree(cacheBuf);

      // Put the bytes captured at the start back into HV memory.
      for (p = 0; p < 4; p++)
      {
          HvPokeBytes(kPageAddr[p], LiveHV[0] + p * 0x10000, 0xFFFF);
      }
  }