xvdtool's Introduction

xvdtool

⚠️ No support for leaked files or copyrighted source code is provided, issues or pull requests will be closed without further comment. ⚠️

xvdtool is a C# command-line utility for manipulating Xbox One XVD/XVC packages. It can print detailed info about package headers; resign, rehash, en/decrypt and verify the data integrity of a package; convert decrypted XVD files to VHD; or extract the filesystem itself.

So far it's only been tested with dev-crypted packages (which use a different 256-bit Offline Distribution Key (ODK) to retail packages), as the retail key is still unknown. This currently makes the tool useless for 90% of people, but developers looking into how XVD files work will find a detailed mapping of the XVD structures and near-complete methods for manipulating them.

No encryption keys are provided with this tool; you'll have to find them yourself. Hashes for the dev keys are provided below. If you have an Xbox One development kit or the GamingServices framework (Windows 10-exclusive) installed, you can use DurangoKeyExtractor to extract the keys from there.

Also included is a tool for extracting files from the XBFS (Xbox Boot File System) inside the Xbox One NAND, based on tuxuser's original NANDOne work with a few small additions. Thanks Kebob for providing OpenXvd.

Usage

Usage  : xvdtool.exe [parameters] [filename]

Parameters:
    -h (-help) - print xvdtool usage
    -i (-info) - print info about package
    -wi (-writeinfo) - write info about package to [filename].txt
    -o (-output) <output-path> - specify output filename

    -m (-mount) - mount package
    -um (-unmount) - unmount package
    -mp (-mountpoint) - Mount point for package (e.g. "X:")

    -lk (-listkeys) - List known keys including their hashes / availability

    -signfile <path-to-file> - Path to xvd sign key (RSA)
    -odkfile <path-to-file> - Path to Offline Distribution key
    -cikfile <path-to-file> - Path to Content Instance key

    -sk (-signkey) <key-name> - Name of xvd sign key to use
    -odk (-odkid) <id> - Id of Offline Distribution key to use (uint)
    -cik (-cikguid) <GUID> - Guid of Content Instance key to use

    -nd (-nodatahash) - disable data hash checking, speeds up -l and -f
    -ne (-noextract) - disable data (embedded XVD/user data) extraction, speeds up -l and -f

    -eu (-decrypt) - decrypt output xvd
    -ee (-encrypt) - encrypt output xvd
        XVDs will have a new CIK generated (if CIK in XVD header is empty), which will be encrypted with the ODK and stored in the XVD header

    -hd (-removehash) - remove hash tree/data integrity from package
    -he (-addhash) - add hash tree/data integrity to package

    -md (-removemdu) - remove mutable data (MDU) from package

    -r (-rehash) - fix data integrity hashes inside package
    -rs (-resign) - sign package using the private key from rsa3_key.bin

    -xe (-extractembedded) <output-file> - extract embedded XVD from package
    -xu (-extractuserdata) <output-file> - extract user data from package
    -xv (-extractvhd) <output-vhd> - extracts filesystem from XVD into a VHD file
    -xi (-extractimage) <output-file> - extract raw filesystem image
    -xf (-extractfiles) <output-folder> - extract files from XVD filesystem

    The next two commands will write info about each package found to [filename].txt
    also extracts embedded XVD and user data to [filename].exvd.bin / [filename].userdata.bin
    -l (-filelist) <path-to-file-list> - use each XVD specified in the list
    -f (-folder) <path-to-folder> - scan folder for XVD files

To mount a package in Windows you'll have to decrypt it and remove the hash tables & mutable data first (-eu -hd -md)

To decrypt non-XVC packages you'll need the correct ODK. The devkit ODK is "widely known" and hashes are provided below, but as mentioned above the retail key is currently unknown.

Decrypting XVC packages is a different matter. XVC packages use a Content Instance Key (CIK) which appears to be stored somewhere outside the package; where and how it's stored is currently unknown. If you have the correct deobfuscated CIK for a given package you should be able to use it to decrypt the package.

Devkit/test-signed XVC packages use a static CIK which is also "widely known" (Hash provided below).

Required Files

To make full use of this tool you'll need the following files, which are not included. The tool will work fine without them, but some functions might not work.

You can use the included tool "DurangoKeyExtractor" to extract these keys from the Microsoft.GamingServices framework available on Windows 10. Just check some DLL / SYS / EXE files - you might find them.

  • 33ec8436-5a0e-4f0d-b1ce-3f29c3955039.cik: CIK keys for XVC crypto. First entry should be the key used by SDK tools/devkits. Format: [16 byte encryption key GUID][32 byte CIK]
MD5: C9E58F4E1DC611E110A849648DADCC9B
SHA256: 855CCA97C85558AE8E5FF87D8EEDB44AE6B8510601EB71423178B80EF1A7FF7F
  • RedOdk.odk: ODK key used by SDK tools/devkits Format: [32 byte ODK]
MD5: A2BCFA87F6F83A560BD5739586A5D516
SHA256: CA37132DFB4B811506AE4DC45F45970FED8FE5E58C1BACB259F1B96145B0EBC6
  • RedXvdPrivateKey.rsa: Private RSA key used by SDK tools to verify/sign packages. Format: RSAFULLPRIVATEBLOB struct
MD5: 2DC371F46B67E29FFCC514C5B134BF73
SHA256: 8E2B60377006D87EE850334C42FC200081386A838C65D96D1EA52032AA9628C5

For other known keys and their hashes use the -listkeys cmdline switch. To choose a specific key use the following cmdline switches:

    -sk (-signkey) <key-name> - Name of xvd sign key to use
    -odk (-odkid) <id> - Id of Offline Distribution key to use (uint)
    -cik (-cikguid) <GUID> - Guid of Content Instance key to use
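An added example (not part of xvdtool or its README): a Ruby check that a key file has the layout listed above and matches a published SHA256 before it is copied into a key folder. The sample bytes are constructed, and the GUID byte order is an assumption (Windows mixed-endian layout).

```ruby
require "digest"

GUID_SIZE       = 16
CIK_SIZE        = 32
CIK_RECORD_SIZE = GUID_SIZE + CIK_SIZE   # [16 byte GUID][32 byte CIK]
ODK_SIZE        = 32                     # [32 byte ODK]

# Render 16 GUID bytes as text. Assumption: Windows mixed-endian layout
# (first three fields little-endian, last eight bytes in order).
def guid_bytes_to_s(bytes)
  raise ArgumentError, "GUID must be #{GUID_SIZE} bytes" unless bytes.bytesize == GUID_SIZE
  d1, d2, d3 = bytes.byteslice(0, 8).unpack("Vvv")
  tail = bytes.byteslice(8, 8).unpack1("H*")
  format("%08x-%04x-%04x-%s-%s", d1, d2, d3, tail[0, 4], tail[4, 12])
end

# Split a .cik blob into records. Only the GUID and the SHA256 of each key are
# returned, so key bytes never reach logs or terminals.
def parse_cik_records(blob)
  if blob.bytesize.zero? || blob.bytesize % CIK_RECORD_SIZE != 0
    raise ArgumentError,
          "CIK file is #{blob.bytesize} bytes, expected a multiple of #{CIK_RECORD_SIZE}"
  end
  (0...blob.bytesize).step(CIK_RECORD_SIZE).map do |off|
    key = blob.byteslice(off + GUID_SIZE, CIK_SIZE)
    { guid: guid_bytes_to_s(blob.byteslice(off, GUID_SIZE)),
      key_sha256: Digest::SHA256.hexdigest(key).upcase }
  end
end

# Compare a blob against a published hex SHA256 (case and whitespace tolerant).
def sha256_matches?(blob, expected_hex)
  Digest::SHA256.hexdigest(blob).casecmp?(expected_hex.strip)
end

# Return a list of problems for one key file; an empty list means it passed.
def audit_key_file(name, blob, expected_hex)
  problems = []
  case File.extname(name).downcase
  when ".odk"
    unless blob.bytesize == ODK_SIZE
      problems << "ODK is #{blob.bytesize} bytes, expected #{ODK_SIZE}"
    end
  when ".cik"
    begin
      parse_cik_records(blob)
    rescue ArgumentError => e
      problems << e.message
    end
  end
  unless sha256_matches?(blob, expected_hex)
    problems << "SHA256 does not match the published hash"
  end
  problems
end

# Constructed sample data (not real key material).
SAMPLE_GUID_BYTES = ["33221100", "5544", "7766", "8899aabbccddeeff"].pack("H*H*H*H*")
SAMPLE_CIK_BLOB   = SAMPLE_GUID_BYTES + ("A".b * CIK_SIZE)
SAMPLE_CIK_SHA256 = Digest::SHA256.hexdigest(SAMPLE_CIK_BLOB).upcase

if __FILE__ == $PROGRAM_NAME
  parse_cik_records(SAMPLE_CIK_BLOB).each do |r|
    puts "#{r[:guid]}  key SHA256 #{r[:key_sha256]}"
  end
  # Intact file, then the same file truncated to 40 bytes.
  puts audit_key_file("sample.cik", SAMPLE_CIK_BLOB, SAMPLE_CIK_SHA256).inspect
  puts audit_key_file("sample.cik", SAMPLE_CIK_BLOB.byteslice(0, 40), SAMPLE_CIK_SHA256).inspect
end
```

To check a real file, read it with File.binread and pass the SHA256 listed for that file above.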

Mounting XVDs

To mount XVD/XVC files you need DLLs from the GamingServices component. Download and install it via the Microsoft Store and you should be good to go.

Possible locations to store keys

XVDTool will create configuration/keys folders on first start - Global and local to the app.

Global configuration folder:

  • Windows: C:\Users\<username>\AppData\Local\xvdtool
  • Linux: /home/<username>/.config/xvdtool
  • Mac OS X: /Users/<username>/.config/xvdtool

Local configuration folder is the current directory of the executable.

Inside these folders you can store your keys to be autoloaded.

  • Xvd Signing keys: <config dir>/XvdSigningKey/
  • Content Instance keys: <config dir>/Cik/
  • Offline distribution keys: <config dir>/Odk/

Additionally, you can provide keys from arbitrary filesystem locations via the respective cmdline switches: -signfile, -odkfile, -cikfile

Naming the keys

For CIK it is not important how the keys are named if they have the binary structure of [16 byte encryption key GUID][32 byte CIK]. XVD signing keys should have a distinct identifier so you can refer to them via the -sk (-signkey) cmdline switch. ODK needs to be named either by OdkIndex (<index>.odk) or by its identifier: RedOdk.odk, StandardOdk.odk etc. For detailed up-to-date info refer to: LibXboxOne/Keys/

What are XVDs?

XVD packages are a secured file format used by the Xbox One to store data, an analogue to the Xbox 360's STFS packages. XVD files are usually used to store system images/data while XVCs (a slightly modified variant of XVDs) are used to store game data.

For a more detailed explanation of XVD files see xvd_info.md

Third party libraries used

Building from source

Requirements

Building

  • After installing the SDK, open up a new powershell window
  • Clone the repository
        git clone https://github.com/emoose/xvdtool
  • Navigate into the directory
        cd xvdtool
  • Build
        dotnet build -c Release

NOTE: If you want to build as DEBUG, either omit -c Release or supply -c Debug instead.

Help / Support

xvdtool has been tested on Windows and MacOS but it should work on all systems supported by .NET Core.

There's no help given for this tool besides this readme, it's also currently very experimental and very likely to blow up in your face. If you do encounter any bugs please submit a description of what happened to the issue tracker.

If you want to help out with development feel free, just make a fork of this repo, make your changes in a new branch of that fork and then submit a pull request from that branch to the master branch of this repo.

xvdtool's People

Contributors

arefdsg, billyhulbert, emoose, margen67, noob25x, tuxuser

xvdtool's Issues

Changes to XVC format?

So it seems some newer .xvc packages for XBOX games had changes done as far as the format.
As the screenshot shows for the game "Project Winter", the manifest is entirely unencrypted. In fact, if you use certain tools that are able to recover an NTFS partition from an image file, you can extract everything from the .xvc. The catch is that, of course, aside from the manifest and some other files, everything is still encrypted. I'm curious if it's possible to add support in xvdtool. Namely to just extract everything even if it's encrypted. Would it be possible? The newer packages have a different file name btw. These always have "_x.xvc" at the end now.

Verifying signature throws "input too large for RSA cipher"

I have been using xvdtool for a while and it works flawlessly, but this is the first time it appears to be failing at decrypting files. I usually print package information to check I am using the right key to decrypt, and even on printing package info it fails. Debugging tells me it fails while checking the signature. The exception says "input too large for RSA cipher."

Support XVDs with ResiliencyEnabled flag

Seems this flag is a recent-ish addition, wasn't seen in some older XVD utils/drivers at least.

Most hash block related functions check for this flag, and if set multiply their return value by 2 (XiComputeHashBackingBlockNumber, XiNumberHashPagesForLevel, XiNumberHashPages...), so it seems Resiliency probably allows for a second set of hash tables to be included in the XVD (reminiscent of the second set of hash blocks inside 360's STFS)

Unsure what makes this secondary hash-table get used instead of the primary, IIRC STFS had a field which would choose the tables to use (with that field being one of the last things to be written to the file), doesn't seem XVD has any field like that though, so maybe it depends on the top level hash instead?

xvdtool doesn't support files with this flag at all yet, adding support for reading them should be pretty straight-forward, but I'm uncertain about rehashing... will need to look into it some more.

can't decrypt xvd

I want to convert xvd to vhd, so I tried decrypting it, and when I launch the command it gives me an error.
Can someone help me please?
This is my CMD log:
C:\Users====\Downloads\seriesx\FactoryReset$SystemUpdate>xvdtool -eu updater.xvd
XVDTool 0.53.0-5737d20: XVD file manipulator

No desired signkey provided, falling back to RedXvdPrivateKey
No desired CIK provided, falling back to 33ec8436-5a0e-4f0d-b1ce-3f29c3955039
No desired or invalid ODK provided, will try to use ODK indicated by XVD header
Warning: Signkey could not be loaded, you will be unable to resign XVD headers!
Warning: CIK could not be loaded!

Loading file from updater.xvd...

Verifying data hashes, use -nd to disable:
Decrypting XVD using "<ODK indicated by XVD header>" key...
Unhandled exception. System.InvalidOperationException: ODK with Id 'RedOdk' is known but not loaded! Cannot crypt CIK in header
at LibXboxOne.XvdFile.CryptHeaderCik(Boolean encrypt)
at LibXboxOne.XvdFile.Decrypt()
at XVDTool.Program.<>c__DisplayClass4_0.<Main>g__PerformActions|1(XvdFile file)
at XVDTool.Program.Main(String[] args)

Question: Xvdtool found CIK in my Licenses file.

Like in the title, if I had not put the Licenses folder from my game's disk into the working folder I wouldn't have known that's a feature. Supposedly my .xvc is decrypted now.
Before I proceed however, a question:
Is it actually really decrypted? Honestly, I believe I should also remove mutable data and hash but I'm having doubts if I should even bother. I am a casual user at best so just wanted to ask if there's a point currently in me trying anymore, or if I should just wait for a proper time when this will work.
I did try to extract an embedded .xvd (only to get a 91 mb file... from a 37 something Gig xvc) and then a .vhd (i got a big file but by looking through the hex editor on it, it's pretty much empty... just a waste of space).
I apologize if the answer is mentioned already and I missed it. Thank you.

[Security] Workflow build.yml is using vulnerable action gittools/actions/gitversion/setup

The workflow build.yml is referencing action gittools/actions/gitversion/setup using references v0.9.9. However this reference is missing the commit 90150b40fdd6c4b06d39cfd764e900cff45ccfca which may contain a fix to some vulnerability.
The vulnerability fix that is missing by actions version could be related to:
(1) CVE fix
(2) upgrade of vulnerable dependency
(3) fix to secret leak and others.
Please consider to update the reference to the action.

Map & reverse chunk-based updates

IIRC this was the only major part of XVDs I never looked into, as reversing this seemed like too much of a chore at the time.

Not exactly super-important, but would be nice to finally finish off the tool.

Fix decrypting MSIXVCs

MSIXVCs contain 2 or more encrypted regions, atm only the first encrypted region inside MSIXVCs (aka the "FS-MD" region) decrypts properly, while the second one doesn't.

My guess is the first 4 bytes of the tweak are probably set to something, and then during XTS this 4 byte value gets used as the "base" number for the dataUnit number. xvdd.sys does seem to set these 4 bytes to something when certain parameters are met, but right now we haven't figured out what...

It does seem to be page-number related though, but none of our guesses (number of pages to this region? number of pages from UserData to this region? number of pages inside this region?) have worked yet.

Might have to try getting a raw dump of a mounted MSIXVC and bruting the 4 bytes to find what it gets set to, would give us something to work with at least, but right now I can't seem to mount the MSIXVC inside my VM that has the license for the MSIXVC, since I guess it's already mounted to the WindowsApps folder, yet unmounting doesn't work though... need to find a way to inject the CIK into a different VM's xvdd.sys.

system.xvd not extracting

When I try to extract the system.xvd file using:

XVDTool -xf .\System "C:\Blah\Blah\Blah\system.xvd"

It says:

Extracting XVD files to folder "System"...
Extracted files successfully.

But doesn't even extract.
Can someone please help?

XvdOpenAdapter failed

Hello.
I got this error: "XvdOpenAdapter failed. Result: 0x0" when I try to mount xvc file.
How can I fix it?
Thanks in advance.

Install msixvc on Windows

Firstly thanks for xvdtool it's great!

I'm looking how to install msixvc files, any idea?

I found that in Windows if you start downloading some game using Xbox app or Store app then in C:\Program Files\WindowsApps\MSIXVC it will create 3 files for each game.

%InstanceGUID% - msixvc file (game's files)
%InstanceGUID%.xvs - various metadata in JSON encoded with UTF-16, contains the download source path and CIK for msixvc
%InstanceGUID%.xvi - crdi-xvc file, looks like some metadata about download progress and other unknown stuff

So basically you only need %InstanceGUID%.xvs as then you can download msixvc file, take CIK and use XVDTool to extract it.
Unfortunately, for the msixvc file I tried, all extracted .exe files are still encrypted and I have no idea how to decrypt those.

There is also another file called .phf which is JSON containing SHA256 hashes for msixvc file.
Also it looks like -xf doesn't extract user data, can use -xu but then you get a single file of some container (can see several file names inside and multiple file contents)

In .xvs file, there's CrdPath that looks like

[XBL:]\\http://xvcf1.xboxlive.com/%digit%/%SomeGUID%/%InstanceGUID%/%path_version%_%arch%__%ProductID%.msixvc,phf=http://xvcf1.xboxlive.com/%digit%/%SomeGUID%/%InstanceGUID%/%path_version%_%arch%__%ProductID%.msixvc.phf,hoh=%Base64-CIK%,sid=%GUID2%,cv=%CorrelationVector%

hoh= specifies CIK.

Here's a Ruby program to get the CIK out of a .xvs file. To use the -g flag, just run XVDTool -eu to get the CIK GUID.

#!/usr/bin/env ruby
require "optparse"
require "json"
require "base64"


def guidToBin(guid)
    data = guid.split("-").pack("H*" * 5)
    data[0..3].reverse + data[4..5].reverse + data[6..7].reverse + data[8..15]
end

guid = nil
keyDir = Dir.pwd
parser = OptionParser.new do |opts|
    opts.banner = "Usage: #{$0} [options] <XVS files...>"

    opts.on("-gGUID", "--guid=GUID", "Key GUID") do |g|
        guid = g.downcase
    end

    opts.on("-o", "--output=DIR", "Output directory") do |dir|
        keyDir = dir
    end

    opts.on_tail("-h", "--help", "Prints this help") do
        $stderr.puts(opts)
        exit
    end
end

begin
    parser.parse!
rescue OptionParser::ParseError => e
    $stderr.puts(e.message)
    exit(-1)
end

files = ARGV
if files.length.zero?
    $stderr.puts(parser)
    exit
end

if guid && !guid.match(/^[0-9A-F]{8}-([0-9A-F]{4}-){3}[0-9A-F]{12}$/i)
    $stderr.puts("Invalid GUID: #{guid}")
    exit(-2)
end

if guid && files.length > 1
    $stderr.puts("Using only first file and ignoring rest")
    files = files.take(1)
end

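files.each do |f|
    # .xvs metadata is JSON stored as UTF-16LE
    info = JSON.parse(File.read(f, mode: "rb", encoding: Encoding::UTF_16LE))
    # CrdPath is a comma-separated list of key=value pairs; split on the first "=" only,
    # so Base64 padding in hoh= does not produce extra fields
    details = Hash[info["Request"]["ActiveSource"]["CrdPath"].split(",").map { |pair| pair.include?("=") ? pair.split("=", 2) : ["file", pair]}]
    key = Base64.decode64(details["hoh"])
    hexKey = key.unpack('H*').first
    if guid
        filename = File.join(keyDir, guid + ".cik")
        # binary write: text mode on Windows would rewrite 0x0A bytes inside the key
        File.binwrite(filename, guidToBin(guid) + key)
        puts "Saved to #{filename} (#{hexKey})"
    else
        puts hexKey
    end
end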

and to validate msixvc checksums

#!/usr/bin/env ruby

require "json"
require "base64"
require "digest"

files = ARGV
if files.length.zero?
    $stderr.puts("Usage: #{$0} <MSIXVC files...>")
    exit
end

files.each do |path|
    # <file>.phf is JSON holding the piece size and one Base64 SHA256 per piece
    infoFile = path + ".phf"
    info = JSON.parse(File.read(infoFile))
    size = info["PieceSize"]
    pieces = info["Pieces"]
    File.open(path, "rb") do |io|
        pieces.each_with_index do |piece, i|
            io.seek(i * size)
            # read returns nil past EOF; hash an empty string so a truncated file reports a mismatch
            data = io.read(size) || ""
            sha = Digest::SHA256.digest(data)
            shaHex = sha.unpack('H*').first
            expectedSha = Base64.decode64(piece)
            if (sha == expectedSha)
                puts("%s (Matches)" % [shaHex])
            else
                puts("%s (Invalid! Expected: %s)" % [shaHex, expectedSha.unpack('H*').first])
                break
            end
        end
    end
end

"Access is denied." when trying to extract files from an XVC.

Hello, I'm trying to extract files from an XVC (more specifically "Minecraft: Xbox One Edition"), but when I try to extract files, CMD prints "Access is denied.", and I really don't know what I should do since I'm running CMD as administrator and I'm in an Admin User from Windows.

Order of loading keys

Planned architecture of loading keyfiles:

Introduce directories to store each type of key.

  • OdkKeys/
  • CikKeys/
  • XvdSignKeys/
  1. Load from global directory: Users//AppData/xvdtool or something like that
  2. Load from executable directory
  3. Provide cmdline parameters, e.g. -rsa rsaPrivKey.bin -cik cikKey.bin -odk odkKey.bin. Parameters on cmdline take precedence of course.

No keys found - system.xvd

I want to modify/build my own system on Xbox One similar to the Windows operating system.
(I don't have any ODK, also I'm using Win7)

how to open the xbox game bin file please tell me

When I decrypt and mount it, it wouldn't let me open it. I've been trying and I got close to doing it, but because I'm dumb and only little brain I couldn't do the rest. It kept saying invalid bin file when I put it in PowerISO and other bin readers. I did make it a nuget and it only had the dependencies folder, and that was my final brain cell idea. I'm only 13, you can call me STUPID because I am.

Trojan

When I download the tool it pops up as a trojan...

Can't mount XVD

xvdtool -m -mp "X:" system.xvd
XVDTool 0.53.0-5737d20: XVD file manipulator

Loaded key XvdSigningKey from C:\Users\davfa\AppData\Local\xvdtool\XvdSigningKey\GreenGamesPublicKey.rsa
Loaded key XvdSigningKey from C:\Users\davfa\AppData\Local\xvdtool\XvdSigningKey\GreenXvdPublicKey.rsa
Loaded key XvdSigningKey from C:\Users\davfa\AppData\Local\xvdtool\XvdSigningKey\RedXvdPrivateKey.rsa
Loaded key Odk from C:\Users\davfa\AppData\Local\xvdtool\Odk\RedOdk.odk
Loaded key Cik from C:\Users\davfa\AppData\Local\xvdtool\Cik\33ec8436-5a0e-4f0d-b1ce-3f29c3955039.cik
No desired signkey provided, falling back to RedXvdPrivateKey
No desired CIK provided, falling back to 33ec8436-5a0e-4f0d-b1ce-3f29c3955039
No desired or invalid ODK provided, will try to use ODK indicated by XVD header
Using Xvd Signkey: RedXvdPrivateKey
Using CIK: 33ec8436-5a0e-4f0d-b1ce-3f29c3955039

XvdOpenAdapter failed. Result: 0x80070005
Mounting system.xvd failed with error

I am wondering what error 0x80070005 means and how to fix it. I decrypted the XVD with RedOdk before trying to mount it.

The keys DurangoKeyExtractor found are useless?

Extract keys from xsapi.dll by DurangoKeyExtractor:

XVDTool-0.53.0.0-win-x64> .\DurangoKeyExtractor.exe .\xsapi.dll
DurangoKeyExtractor 0.53.0-5737d20: Durango key extractor
Scanning .\xsapi.dll for known keys...
Found XvdSigningKey "GreenGamesPublicKey" at offset 0x239B0
Found XvdSigningKey "GreenXvdPublicKey" at offset 0x23BD0
Found Odk "RedOdk" at offset 0x23DF0
Found XvdSigningKey "RedXvdPrivateKey" at offset 0x23E10
Found 4 keys :)
Saving keys to "C:\Users\xxxxxxxxxx\AppData\Local\Temp\.net\DurangoKeyExtractor\j3pmypap.1rq\extracted"...

Check keys by XVDTool:

XVDTool-0.53.0.0-win-x64> .\XVDTool.exe -lk
XVDTool 0.53.0-5737d20: XVD file manipulator

No desired signkey provided, falling back to RedXvdPrivateKey
No desired CIK provided, falling back to 33ec8436-5a0e-4f0d-b1ce-3f29c3955039
No desired or invalid ODK provided, will try to use ODK indicated by XVD header
Warning: Signkey could not be loaded, you will be unable to resign XVD headers!
Warning: CIK could not be loaded!

Known Durango keys:
XvdSigningKey:
    RedXvdPrivateKey: Loaded: False Hash: 8E2B60377006D87EE850334C42FC200081386A838C65D96D1EA52032AA9628C5 Size: 2331
    GreenXvdPublicKey: Loaded: False Hash: 618C5FB1193040AF8BC1C0199B850B4B5C42E43CE388129180284E4EF0B18082 Size: 539
    GreenGamesPublicKey: Loaded: False Hash: 183F0AE05431E4AD91554E88946967C872997227DBE6C85116F5FD2FD2D1229E Size: 539
Odk:
    RedOdk: Loaded: False Hash: CA37132DFB4B811506AE4DC45F45970FED8FE5E58C1BACB259F1B96145B0EBC6 Size: 32
Cik:
    33ec8436-5a0e-4f0d-b1ce-3f29c3955039: Loaded: False Hash: 6786C11B788ED5CCE3C7695425CB82970347180650893D1B5613B2EFB33F9F4E Size: 32
    f0522b7c-7fc1-d806-43e3-68a5daab06da: Loaded: False Hash: B767CE5F83224375E663A1E01044EA05E8022C033D96BED952475D87F0566642 Size: 32

Decrypt by XVDTool err:

\XVDTool-0.53.0.0-win-x64> .\XVDTool.exe -nd -eu '..\$SystemUpdate\updater.xvd'
XVDTool 0.53.0-5737d20: XVD file manipulator

No desired signkey provided, falling back to RedXvdPrivateKey
No desired CIK provided, falling back to 33ec8436-5a0e-4f0d-b1ce-3f29c3955039
No desired or invalid ODK provided, will try to use ODK indicated by XVD header
Warning: Signkey could not be loaded, you will be unable to resign XVD headers!
Warning: CIK could not be loaded!

Loading file from ..\$SystemUpdate\updater.xvd...

Decrypting XVD using "<ODK indicated by XVD header>" key...
Unhandled exception. System.InvalidOperationException: ODK with Id 'RedOdk' is known but not loaded! Cannot crypt CIK in header
   at LibXboxOne.XvdFile.CryptHeaderCik(Boolean encrypt)
   at LibXboxOne.XvdFile.Decrypt()
   at XVDTool.Program.<>c__DisplayClass4_0.<Main>g__PerformActions|1(XvdFile file)
   at XVDTool.Program.Main(String[] args)

Show info:

\XVDTool-0.53.0.0-win-x64> .\XVDTool.exe -nd -i '..\$SystemUpdate\updater.xvd'
XVDTool 0.53.0-5737d20: XVD file manipulator

No desired signkey provided, falling back to RedXvdPrivateKey
No desired CIK provided, falling back to 33ec8436-5a0e-4f0d-b1ce-3f29c3955039
No desired or invalid ODK provided, will try to use ODK indicated by XVD header
Warning: Signkey could not be loaded, you will be unable to resign XVD headers!
Warning: CIK could not be loaded!

Loading file from ..\$SystemUpdate\updater.xvd...

XvdMiscInfo:
... ...

Cannot get XvdFilesystem from encrypted package

What is the right way to decrypt XVDs? Thanks.

Workflows are referencing vulnerable actions

Hello, there!

As part of the university research we are currently doing regarding the security of Github Actions, we noticed that one or many of the workflows that are part of this repository are referencing vulnerable versions of the third-party actions. As part of a disclosure process, we decided to open issues to notify GitHub Community.

Please note that there could be some false positives in our methodology, thus not all of the open issues could be valid. If that is the case, please let us know, so that we can improve on our approach. You can contact me directly using an email: ikoishy [at] ncsu.edu

Thanks in advance

  1. The workflow build.yml is referencing action gittools/actions/gitversion/setup using references v0.9.9. However this reference is missing the commit 90150b4 which may contain a fix to the vulnerability.
  2. The workflow build.yml is referencing action gittools/actions/gitversion/execute using references v0.9.9. However this reference is missing the commit 90150b4 which may contain a fix to the vulnerability.

The vulnerability fix that is missing by actions' versions could be related to:
(1) CVE fix
(2) upgrade of vulnerable dependency
(3) fix to secret leak and others.
Please consider updating the reference to the action.

If you end up updating the reference, please let us know. We need the stats for the paper :-)

Filesystem extraction

Add standalone filesystem extraction or, alternatively, make vhd conversion more versatile (to achieve the same goal).

From what I was able to gather, At "data offset" the BAT starts (big endian block allocation table), then the actual data. This is very similar to VHD.

Need to investigate further

Question about StandardOdk

I see it being mentioned both here and when I do -wi on .xvd's from XONE's internal hdd. Question is... as I understand, we know it exists but it is private right? I just want to make sure. Because if it can be obtained, where do I get it from? If it's taboo then just gimme a hint. But if it's private, as I suspect, then nevermind.
TL;DR: Can Key Extractor extract this from something? If this odk is private to M$, then nevermind.
Thank you, and I apologize if this is a dumb question.

Could you provide these 3 files?

Problem description (Description):

Warning: rsa3_key.bin file not found and unable to retrieve key from SDK files, you will be unable to resign packages.
Warning: odk_key.bin file not found and unable to retrieve key from SDK files, you will be unable to decrypt XVDs.
Warning: cik_keys.bin file not found and unable to retrieve key from SDK files, you will be unable to decrypt XVCs.

Decrypting package using "TestODK" key...
Error during decryption!

Could you provide these 3 files (What I want):

rsa3_key.bin
odk_key.bin
cik_keys.bin

Unable to mount file

I'm trying to mount a file, however it results in an error message shown in this screenshot: https://i.imgur.com/74qMk9Q.png

I have installed the GameServices framework, but skipped the part where I should extract the keys. The key extractor would ask where the key files are located, to which I had no answer, so I hoped that mounting it should work fine without extracting the keys.

If the issue is caused by skipping the extraction of keys: where do I locate them? Or if it's another cause: how can I fix it? Thanks.

Force encrypted drives to require hash table

Need to find out if we should do this or not, it seems xvdd relies on the hash table when en/decrypting, but with our current code xvdtool doesn't actually require it, should we change this? Will have to check with xvdd & other official tools - we don't want to create files that nothing official can actually read.

Cant use key

I tried to use the "GreenGamesPublicKey.rsa", "GreenXvdPublicKey.rsa", "RedOdk.odk" and "RedXvdPrivateKey.rsa" keys and I can't extract System.xvd. Could someone help me or send the right key?

Find how dataUnit in hash tables is created.

Last 4 bytes of hash-entries are used during crypto as the XTS "dataUnit" number, I'd previously only seen those bytes being set to the relative page number of the page in the region (0, 1, 2...), but MSIXVCs have some set to much larger numbers (eg. 0x731ED983, 0x731ED984, 0x731ED985...)

How are these numbers created? It seems there's a base number which gets the relative page num added to it, is that base number just random? or does it come from the hash of the first page in the region?

It's probably not really that important for us to create them the same way (we should be able to just use last 4 bytes of hash as dataUnit for each page fine), but it'd be nice to have xvdtool act the same way as the official tools.

Update key identities.

The previous unknown keys along side their identities are provided as follows:
ODK = Offline Distribution Key
CIK = Content Instance Key

Investigate "XVC-MDU" block

Newly added kind of block located just before hash table begins, seems to store 1 byte for each XVC region in the image, some places in xvdd.sys call this area the "presence map", is apparently used to create the "XCT", unsure what any of that means though..

My guess is the byte indicates the presence of the region, I've only seen the value of 3 used so far, so I guess 3 must mean the region is present? Other values might mean the region is missing/being downloaded/???

Not sure if this area is hashed/signed at all, after the NumMDUBlocks field in the header is a 0x10 array of bytes that seem filled with data (was formerly unused), could be a hash, but haven't been able to find how to make a hash that matches (also haven't seen any code in xvdd.sys that actually checks that 0x10 array...)

[Suggestion] Use platform independent library to handle crypto ?

Current situation

  • AES / RC4 is handled by custom implementation to LibXboxOne.
  • SHA256 is handled by .NET's System.Security.Cryptography
  • RSA(3) is handled by Windows-exclusive NCrypt P/Invoke (NCrypt)

Proposal
Implement cryptography in a unified fashion, either System.Security.Cryptography or BouncyCastle ?!

Result

  • Multi platform compatibility
  • More failsafe by using widely accepted / distributed library
  • Better maintainability

Retrieve XDK keys

I've recently built an xbox game, and want to extract the contents to double check some things.
The game's key is loaded when using -lk, but it says that it can't find the CIK loaded in keystorage.
So I'm unsure of what to do. Some help would be greatly appreciated!

XBFSTool exception - Index was outside the bounds of the array

Hi,

I got 3 dumps, where 1 works perfectly fine and the other two throw the following exception when I use the -i parameter:

XBFSTool 0.53.0-5737d20: Xbox boot filesystem tool

Unhandled exception. System.IndexOutOfRangeException: Index was outside the bounds of the array.
   at LibXboxOne.Nand.XbfsHeader.ToString(Boolean formatted)
   at LibXboxOne.Nand.XbfsFile.ToString(Boolean formatted)
   at LibXboxOne.Nand.XbfsFile.ToString()
   at XBFSTool.Program.Main(String[] args)

The -c parameter however works on both of them and I can see all the contents of the certificate.

Could it be that the two dumps which don't work come from a recent FW update or something where Microsoft changed something that XBFS Tool can't parse correctly?

The dump can be provided if needed.

Rename "packages" -> ???

Taking suggestions for what we should call XVDs in general, when starting xvdtool I just called them packages since that's all I figured they'd be, something similar to the 360's content packages, but after everything we've found out I think a different term would probably be more accurate.

  • Images? VHDs seem to be named this, it looks like most things to do with filesystems (ISOs, HDD imagers, etc..) are also called images, so this could be the best bet...

  • Drives? Not sure calling a file a "drive" makes all that much sense.

  • Containers? XVCs are "Xbox Virtual Containers", and we could probably get away with calling non-XVCs containers too..

  • Packages? We could stick with what we have, I'd really prefer something that's more accurate though.

  • Anything else? Taking suggestions from anyone that has a good idea!

Also, we should probably take a closer look at the official tools and see if they have any ideas for us...

Mounting Fails With Error

When I try to mount a VHD I got from a decrypted XVD from an XVC, here's the output:

XvdOpenAdapter failed. Result: 0xD0000185
Mounting .\Desktop\XVD Tool\Tool Files\extracted_vhd.vhd failed with error

Is this error common? If so, how can I get around it?

It also doesn't mount the VHD and if I try to open it in Windows, it says it is corrupted.

Xvddkeyslotutil

Hello.
When I use xvddkeyslotutil I get this error:
[+] Ensuring previous driver instance is removed...
[+] Installing Kernel-Bridge driver...
[-] Failed to install Kernel-Bridge driver!
Last error: -2146762484
How can I fix this error?

Decrypting XVC using CIK

Hello,
When I try to decrypt the file I got the message: "Using CIK: 33ec8436-5a0e-4f0d-b1ce-3f29c3955039"
And then I got the error: "Decrypting XVC...
Did not find CIK 886a1c1f-47d3-491a-5d6a-61652b8360ab loaded in Keystorage
Checking for XML licenses...
Error during decryption!"

  1. How to fix this error?
  2. How to find the second CIK key that "loaded in Keystorage"?
