If you have a media center PC, you remember negotiation as that time when you had to enter an 8-character code from your Xbox 360 into your media center PC. That 8-character code is actually a single 32-bit integer (the first 4 digits are a device code that never changes... ok well the last digit cycles from 0-9, but it's ignored and not sent to the client). Brute forcing these trust codes is impossible because of the order in which negotiation occurs. You'll see. Here's how it goes.
1) Send a blank key packet to client on port 3776
Note: doing this will reset all server key info on the client
2) Receive an acknowledgement containing a TCP port to connect to
3) Connect and receive an unknown initialization packet
4) Send a start authentication packet
5) Receive a response
Response should be 40 bytes and contain within it a SHA-1 hash
This is a hash of the client's public key (which it hasn't sent us yet) plus the trust code. Only used for client authentication and we don't really give a shit about that.
6) Generate a random 16-byte key and hash the trust code, then it
7) Send a trust code packet with this hash
8) Now, you receive the client's public key
This time, the key should NOT be blank. Import this baby into OpenSSL.
9) Reverse your random 16-byte key and encrypt it with the client's public key. Oh, and reverse the result too (OpenSSL->CAPI). Then send the encrypted response packet.
10) You're done. Listen for a key broadcast on 3776 and THIS one won't be zeroed. Return to key exchange.
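The byte-order handling in step 9, as an added example that is not code from the original page: the key is reversed, encrypted in OpenSSL's big-endian order, and the ciphertext is reversed into the little-endian order CAPI uses. The PKCS#1 v1.5 padding, the toy RSA key, the function names and the receiving-side model are assumptions; packet framing is not shown.

```python
import os

# Constructed toy RSA key for the round-trip check only (product of two
# Mersenne primes). A real client sends its own public key in step 8.
P, Q = 2**521 - 1, 2**607 - 1
N, E = P * Q, 65537
D = pow(E, -1, (P - 1) * (Q - 1))


def pkcs1_v15_pad(msg: bytes, k: int) -> bytes:
    """Build 00 02 <nonzero random> 00 <msg>. The padding scheme is an assumption."""
    if len(msg) > k - 11:
        raise ValueError("message too long for modulus")
    ps = bytearray()
    while len(ps) < k - 3 - len(msg):
        ps += bytes(b for b in os.urandom(k) if b != 0)
    return b"\x00\x02" + bytes(ps[: k - 3 - len(msg)]) + b"\x00" + msg


def wrap_key_for_capi(key: bytes, n: int, e: int) -> bytes:
    """Step 9: reverse the key, encrypt big-endian, reverse the result."""
    k = (n.bit_length() + 7) // 8
    em = pkcs1_v15_pad(key[::-1], k)
    c = pow(int.from_bytes(em, "big"), e, n)
    return c.to_bytes(k, "big")[::-1]  # little-endian, the CAPI byte order


def capi_side_unwrap(blob: bytes, n: int, d: int) -> bytes:
    """Hypothetical model of the receiver: little-endian ciphertext in, key out."""
    k = (n.bit_length() + 7) // 8
    if len(blob) != k:
        raise ValueError("ciphertext length does not match modulus")
    em = pow(int.from_bytes(blob, "little"), d, n).to_bytes(k, "big")
    if em[:2] != b"\x00\x02" or b"\x00" not in em[10:]:
        raise ValueError("bad padding")
    plaintext = em[em.index(b"\x00", 10) + 1:]
    return plaintext[::-1]  # undo the sender's key reversal


if __name__ == "__main__":
    session_key = os.urandom(16)  # step 6: random 16-byte key
    blob = wrap_key_for_capi(session_key, N, E)
    print(len(blob), capi_side_unwrap(blob, N, D) == session_key)
```

Skipping either reversal still produces a ciphertext of the right length, so a byte-order mistake only shows up when the receiving side fails to recover the key.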
rsa_negotiation, Rev. 1, Last changed on 2007-01-12 10:14