KeyVault – KV Checker For Xbox 360 KVs — Staged Checks, Privacy First

[Pcant Pcant Posts:83 Threads:7 Reputation 16]

KeyVault – KV Checker
https://xbox360kvchecker.com/

 What It Is:

• Privacy-first Xbox 360 KV checker, pipeline: Upload → Auth → AP1 → AP2 → TGS → Decrypt → Verdict.
  
• Returns: pass/fail reason, stage timings, server clock, and check counters.
  

Why It’s Different:

• Same-Origin Only: KV posts go to domain (/kv-check.php behind a same-origin proxy).
  
• No Third Parties: No external scripts, CDNs, trackers, or embeds.
  
• Zero Retention: KV streams to RAM, processed, then dropped. No disk writes of raw KV.
  
• Client-Side Precheck: Browser computes SHA-1 prefix and extracts Console ID for local verification before network.
  
• Server-Side Secrets: Optional HMAC header and API key added by the proxy. Browser never sees secrets.
  
• Strict Security Headers: Tight CSP, HSTS, Referrer-Policy, and COOP/COEP for isolation.
  
• Clear UX: Stage ring progress, latency per stage, “first-seen” badge, total check count, last-checked timestamp.
  

How To Use:

1. Open the site, drop in your KV.bin(< 256 KiB) or click Select File.
   
2. Click Check KeyVault, watch stage rings complete.
   
3. Read the verdict, expand KV Check Walkthrough & Live Raw JSON (sanitized) for details.
   
4. Click Clear to wipe in-tab state.
   

Security & Privacy:

• Origin scope: Requests hit this origin only, proxy injects sensitive headers server-side.
  
• CSP:
  • Code:

    default-src 'self'
  • Code:

    frame-ancestors 'none'
  • Code:

    base-uri 'none'
  • Code:

    object-src 'none'
  • Code:

    upgrade-insecure-requests
• Other headers:
  • Code:

    Strict-Transport-Security: max-age=31536000; includeSubDomains; preload
  • Code:

    Referrer-Policy: no-referrer
  • Code:

    Permissions-Policy: interest-cohort=()
  • Code:

    X-Content-Type-Options: nosniff
  • Code:

    X-Frame-Options: DENY(redundant with CSP, optional)
• No storage: No cookies, LocalStorage, SessionStorage, or IndexedDB for KV material.
  
• Logging: Access logs exclude raw KVs, metrics are bounded (counts, durations, HTTP codes).
  
• Retention: Zero for raw KV; metrics roll off on a fixed window (e.g., 7–30 days).
  

Under The Hood:

• Client precheck: SHA-1 of the file computed in the browser, display short prefix (e.g., first 8 hex).
  
• Console ID: Read at 0x09CA..0x09CE for user confirmation.
  
• API response: Includes first_seen boolean, first_seen_at timestamp, per-stage durations, final verdict, & reason.
  
• Deduping: First check badge triggers only on the first initial API-observed hash, not on client precheck.
  

Threat Model (Abridged):

• In scope: Passive/active network observers, shared hosting neighbors, CSRF, XSS, clickjacking.
  
• Out of scope: Compromised client machine, altered browser extensions, physical OS compromise of the server.
  
• Mitigations: Same-origin only, strict CSP/HSTS, no third-party JS, short request TTL, memory-only processing.
  

Limits & Rate-Limits:

• File cap: 256 KiB.
  
• Types: Raw KV only, archives are rejected.
  
• Rate: Soft limit per IP (e.g., 30 checks/min), 429 on exceed.
  
• Timeouts: End-to-end 15s default; per-stage timeouts enforced.
  

Availability & Reliability:

• Health: /health returns 200 with build hash & clock.
  
• Cold starts: None; workers warm.
  
• Observability: p50/p95 stage timings and error codes exported to metrics.
  

Legal & Use:

• For diagnostics and legitimate use only. Follow local law and Xbox terms.
  
• Not affiliated with Microsoft/Xbox, no endorsement implied.
  

Feedback:

• Report bugs, false positives, or edge KVs. Include SHA-1 prefix and timestamp only—never the raw KV.
  

Contact:

• Discord: https://discord.gg/cy9uWg6gxn/
  
• Email: [email protected]
  

P.S... "Comment down below or message me through one of my contacts if you think I should also develop a Windows GUI tool ¯\_(ツ)_/¯"