mediaCenter
[[rdp_invitation]]
Last edit on Jan 12, 2007 9:15 AM by Anonymous
This is basically one fucking huge packet, sent from the server to the Xbox, that invites the client to connect. First, you connect via TCP to the client using the port given at the end of key exchange. You should receive a 72 byte initialization packet. It will contain a deviceSalt of 8 bytes at +40 and a suspicious 20 byte value at +52. 20 bytes clearly suggests a SHA-1 hash, but I don't know where this is used. However, since it's sent from client to server, it stinks of client authentication, which I don't really care about.
Next comes a mysterious hashing of the device salt and the trust secret. At least this is what occurs in the Windows binaries. However, I also haven't figured out where this SHA-1 hash is used, if ever. Strange.
Ok, now I'll describe the creation of the final packet, because it's the very last thing that's wrong with my code. The client is never connecting. :-(
1) First, we generate all the data.
2) Next, we encrypt it with the client's public key. To do this, we break it into chunks of 244 bytes or less, then reverse, encrypt, and reverse again each one. Why? Because that's how Microsoft does it.
3) Then we take a SHA-1 hash of all this data, and some other crap too. Basically the hash input is:
a) One byte that is always 0x02
b) The device salt
c) The trust secret
d) The unencrypted data from step 1
4) Final step. Send all this data. It looks like:
a) A header that already contains sizes, so hopefully your data is the same size:
{ 0x01, 0x89, 0x04, 0x30,
0x01, 0x18,
0x00, 0x04,
0x00, 0x00, 0x00, 0x00,
0x01, 0x84,
0x01, 0x00 };
b) A 256 byte buffer that is the reversed, encrypted, reversed logon password
c) The big encrypted block from step 2 (preceded by tag and length)
d) A footer { 0x00, 0x00, 0x00, 0x02 }; (preceded by tag and length)
e) The SHA-1 hash from step 3 (preceded by tag and length)
Obviously a lot of details are left out... refer to the source code. After sending this, the client should respond with an RDP initialization packet on the supplied port using the supplied credentials. See RDP protocol.
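The parts of this that the page actually pins down, as an added Python example (mine, not the page's code or the Windows binaries'): pulling the salt out of the 72-byte init packet, the step 2 reverse/encrypt/reverse chunking with the RSA call left to a caller-supplied function, and the step 3 SHA-1 together with the constant-time check a receiver would use on it. The sample packet, the secret and the toy `encrypt` are constructed; the tag/length framing of step 4 is not described here, so it is left out.

```python
import hashlib
import hmac
from typing import Callable, List, Tuple

INIT_PACKET_LEN = 72            # size of the first packet the client sends
SALT_OFFSET, SALT_LEN = 40, 8   # deviceSalt at +40
TAIL_OFFSET, TAIL_LEN = 52, 20  # the unexplained 20-byte value at +52
CHUNK_LEN = 244                 # max plaintext bytes per encrypted chunk


def parse_init_packet(pkt: bytes) -> Tuple[bytes, bytes]:
    """Return (deviceSalt, 20-byte tail) from the 72-byte initialization packet."""
    if len(pkt) != INIT_PACKET_LEN:
        raise ValueError(f"expected {INIT_PACKET_LEN}-byte init packet, got {len(pkt)}")
    return (pkt[SALT_OFFSET:SALT_OFFSET + SALT_LEN],
            pkt[TAIL_OFFSET:TAIL_OFFSET + TAIL_LEN])


def encrypt_chunked(data: bytes, encrypt: Callable[[bytes], bytes]) -> List[bytes]:
    """Step 2: chunks of at most 244 bytes, each reversed, encrypted, reversed again.
    `encrypt` is the caller's RSA-with-client-public-key routine (assumed; the
    page does not say which padding it uses)."""
    return [encrypt(data[i:i + CHUNK_LEN][::-1])[::-1]
            for i in range(0, len(data), CHUNK_LEN)]


def invitation_hash(device_salt: bytes, trust_secret: bytes, plaintext: bytes) -> bytes:
    """Step 3: SHA-1 over 0x02 || deviceSalt || trustSecret || unencrypted data.
    The trust secret from pairing is the only secret input, so a peer without it
    cannot produce a matching hash for its own data."""
    h = hashlib.sha1()
    for part in (b"\x02", device_salt, trust_secret, plaintext):
        h.update(part)
    return h.digest()


def verify_invitation_hash(received: bytes, device_salt: bytes,
                           trust_secret: bytes, plaintext: bytes) -> bool:
    """Receiver side: recompute the hash and compare it in constant time."""
    expected = invitation_hash(device_salt, trust_secret, plaintext)
    return hmac.compare_digest(received, expected)


if __name__ == "__main__":
    salt, tail = parse_init_packet(bytes(range(INIT_PACKET_LEN)))  # constructed packet
    secret, data = b"trust-secret-placeholder", b"invitation-data" * 40  # 600 bytes
    chunks = encrypt_chunked(data, lambda b: b + b"\x00")  # toy stand-in for RSA
    digest = invitation_hash(salt, secret, data)
    print(len(chunks), digest.hex(), verify_invitation_hash(digest, salt, secret, data))
```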