XboxHacker BBS
November 20, 2009, 04:54:58 PM

Author Topic: How to write Physical memory? (Read 21469 times)
TheSpecialist
Global Moderator
Xbox Hacker
Posts: 782
« on: February 28, 2007, 07:49:53 PM »

Quote
The bug can be exploited using the following series of physical memory writes: ...

Ok, a thread then, dedicated to finding out how to do this :)

IMHO it's without a doubt that the King Kong shaders are in some way involved here. I haven't been experimenting with shaders myself, but I've been told by somebody who did, that:

1. You can crash the x360 by modding shaders. One way to do so is to mod shaders so that they become 'too big', which causes a system crash. I've been told though, that the LEDs will blink red; it SEEMS that this doesn't happen in the hoodie video though, not sure here ..
2. You can use the shaders to instruct the GPU to write to mem directly. However, unless some 'special' flag is set, it will only go to some 'intermediate' mem location.

Unfortunately I don't have any more info than this, I guess lots of research has to be done into the shader instructions. But then again, maybe someone here already has done so and can elaborate a bit. Other suggestions are also very welcome. But please, keep the thread clean from n00b posts (no insult intended, but it slows things down).
« Last Edit: February 28, 2007, 07:56:48 PM by TheSpecialist »
HoRnEyDvL
Member
Posts: 18
« Reply #1 on: February 28, 2007, 09:16:16 PM »

TheSpecialist.

Can there be a difference between which version of KK was used, NTSC or PAL?
Was it the Kiosk Disk that was used & if not, has it been patched up in new versions of this game?
Is it also possible to have the same shader hack on the Xbox version of KK?
Will go buy a copy of KK today & play around with it. Will post results here.
TheSpecialist
Global Moderator
Xbox Hacker
Posts: 782
« Reply #2 on: February 28, 2007, 09:59:53 PM »

Quote
TheSpecialist.

Can there be a difference between which version of KK was used, NTSC or PAL?
Was it the Kiosk Disk that was used & if not, has it been patched up in new versions of this game?
Is it also possible to have the same shader hack on the Xbox version of KK?
Will go buy a copy of KK today & play around with it. Will post results here.

Not sure, I currently don't have the Kiosk disk nor the KK retail. But this is what someone said in the XS forum thread:
Quote
No, it is not the KK demo, it is the retail one. The "wingnut logo" introductory video is very different.

Which makes sense, since the Kiosk disk of course won't run anymore. So obviously they used the FW hack to mod the shader. I think the reason that KK is being used is that this is the game where the original shader experiments were conducted on, and the particular shader that has been modded is probably the same for both the demo and the retail version.

Anyway, I just watched the original video again: first you see the title screen, then a black screen where it says 'loading' in the bottom right corner and then a totally black screen. I guess this is where the modified shader kicks in (which crashes the system?). I just found a vid of KK, it shows the shader that kicks in after that 'loading' disappears, at 1:29 => http://youtube.com/watch?v=ez7kRFQx-WY If you watch it carefully, it starts with that blue/white air fading in; seems to me that they've modded that thing.

Anybody know where it's located on disk (don't have KK here at the moment, will buy one this weekend)?

BTW, of course it isn't a coincidence that the exploit example code puts out a byte to a serial connection. The 'mysterious' device that hoodie uses is a serial/usb connector.
« Last Edit: February 28, 2007, 10:58:52 PM by TheSpecialist »
SiliconIce
Administrator
Master Hacker
Posts: 206
« Reply #3 on: March 01, 2007, 11:27:13 AM »

Hey Spec :) Glad to see this place is still alive - and with awesome news!

From http://www.securityfocus.com/archive/1/461489/30/0/threaded:
Quote
As it is not possible to directly overwrite even non-priviledged code,
existing code needs to be tricked into calling the hypervisor syscall
with the desired register set. This can be done by setting up a stack
frame and forcing a context switch to this stack frame. The bug can be
exploited using the following series of physical memory writes

From the bugtraq post, I gather that their exploit code was injected into memory somehow (hence this thread). Are shaders the only "interesting" thing we can modify on a retail game disc? (I've been away a while...). Modifying code directly is out (at least, they state they don't require it) as well as physical bus attacks:
 
Quote
A physical memory attack could modify code; however,
code memory is encrypted with a unique per-session key, making meaningful
modification of code memory in a broadly distributable fashion difficult.
In addition, the stack and heap are always marked as non-executable, and
therefore data loaded there can never be jumped to by unpriviledged code.

Shaders seem like a good thought. Perhaps it's time to hit the ATI docs and experiment with shaders. Given the similarity to their PC graphics hardware, I wonder if experimentation on PC cards would be at all helpful?

I have seen King Kong for 360 around for <$10, maybe it's time I pick up a copy if there are any left.

-- SiliconIce
TheSpecialist
Global Moderator
Xbox Hacker
Posts: 782
« Reply #4 on: March 01, 2007, 11:56:28 AM »

Quote
From the bugtraq post, I gather that their exploit code was injected into memory somehow (hence this thread). Are shaders the only "interesting" thing we can modify on a retail game disc? (I've been away a while...). Modifying code directly is out (at least, they state they don't require it) as well as physical bus attacks:
Hey SI, good to see you back!

Yeah, of course it's not 100% sure they're using the shaders, but I think there's also not much doubt that they do. The original shader experiments were conducted on King Kong, I know people successfully crashed the x360 in their shader experiments and I know some got far at writing mem with the shaders (there are specific GPU instructions you can use to do so). Besides, look at the hoodie video, the screen remains black at the exact moment that a shader would normally kick in (after that 'loading' logo in the bottom right corner disappears). So it seems there's not much reason to doubt that they're using shaders to upload the code and then communicate via the serial port with the laptop (like their example exploit code does). I think this part is done to upload their own homebrew code so they didn't have to burn a DVD each time they wanted to test something.

I'll get myself a KK copy this weekend and I think it's time to start some experiments and do some research :)
« Last Edit: March 01, 2007, 11:59:42 AM by TheSpecialist »
StandardIO
Newbie
Posts: 9
« Reply #5 on: March 01, 2007, 02:01:22 PM »

I would consider looking at using inline assembly in the KK HLSL scripts. It appears you can mix and match HLSL and assembly.

__asm {
  ...your code here...
};

or Assembly Fragments:

asm_fragment {
  ...your code here...
};

Maybe the use of a simple "mov loc, val" will allow you to write to memory.
uberfry
Xbox Hacker
Posts: 862
« Reply #6 on: March 01, 2007, 02:13:03 PM »

Sorry for being OT, but can someone please tell me where I can find the full instruction set + registers for PPC?
So far I've only found some of the instructions (haven't found instructions like "lis").
Thanks in advance
TheSpecialist
Global Moderator
Xbox Hacker
Posts: 782
« Reply #7 on: March 01, 2007, 02:30:25 PM »

Quote
Sorry for being OT, but can someone please tell me where I can find the full instruction set + registers for PPC?

http://www-306.ibm.com/chips/techlib/techlib.nsf/techdocs/F7E732FF811F783187256FDD004D3797/$file/pem_64bit_v3.0.2005jul15.pdf
DrMatrix
Member
Posts: 43
« Reply #8 on: March 01, 2007, 08:58:12 PM »

I was given the following link: http://rapidshare.com/files/18954883/crwl360-loader.rar.html

I've checked it quickly (I'm currently burning the disc), and it looked legit. Unfortunately I don't know more about this. But the putc/getc look ok compared to what we have seen in the advisory.

It would be very cool if this would be the real thing!
TheSpecialist
Global Moderator
Xbox Hacker
Posts: 782
« Reply #9 on: March 01, 2007, 09:16:29 PM »

I don't have a KK disc nor an x360 with a 'bugged' kernel, so I can't check it, but it seems legit indeed. Waiting for your report to hear if it worked, but I have a feeling it will :)
mrblack1134
Newbie
Posts: 8
« Reply #10 on: March 01, 2007, 11:06:11 PM »

Looks legit -- I can find the MSR mask 0xFDFFD7FF and the new stack pointer 0x80130AF0 in shader.bin (don't forget they're big endian, so backwards). No <4552 here so can't test though :(

On a side note, does anyone know where we can get a shader decompiler (or compiler)?
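A way to reproduce the check mrblack1134 describes, as an added example that is not from the thread or the loader archive: search a binary for a known 32-bit constant in each byte order, so a file can be matched against known constants without eyeballing hex. The blob below is constructed to stand in for shader.bin and only embeds the two values quoted in the post.

```python
from __future__ import annotations
import struct

# The two 32-bit words the post says it found in shader.bin.
MSR_MASK = 0xFDFFD7FF
NEW_SP = 0x80130AF0

# Constructed sample blob (not the real shader.bin): zero padding, the MSR
# mask, three bytes of filler so the next word is NOT 4-byte aligned, then
# the stack pointer. Both words are stored big-endian, as the Xbox 360's
# PowerPC core lays out memory, so they read "backwards" in a little-endian
# hex viewer.
SAMPLE_BLOB = (
    b"\x00" * 16
    + struct.pack(">I", MSR_MASK)
    + b"\xAA" * 3
    + struct.pack(">I", NEW_SP)
    + b"\x00" * 8
)


def find_word(blob: bytes, value: int, endian: str = ">") -> list[int]:
    """Return every byte offset at which the 32-bit `value` occurs in `blob`.

    `endian` is '>' (big) or '<' (little). The search is byte-granular, so a
    hit does not have to sit on a 4-byte boundary; overlapping hits are kept.
    """
    needle = struct.pack(endian + "I", value)
    hits: list[int] = []
    start = 0
    while (i := blob.find(needle, start)) != -1:
        hits.append(i)
        start = i + 1
    return hits


def scan_for_constants(blob: bytes, constants: dict[str, int]) -> dict[str, dict[str, list[int]]]:
    """Look for each named constant in both byte orders.

    Reporting both orders makes an endianness mix-up obvious: a value that
    only shows up little-endian in a file meant for a big-endian CPU is a
    sign the file (or the search) has the byte order wrong.
    """
    return {
        name: {"big": find_word(blob, v, ">"), "little": find_word(blob, v, "<")}
        for name, v in constants.items()
    }


if __name__ == "__main__":
    for name, where in scan_for_constants(SAMPLE_BLOB, {"msr_mask": MSR_MASK, "new_sp": NEW_SP}).items():
        print(name, where)
```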
uberfry
Xbox Hacker
Posts: 862
« Reply #11 on: March 02, 2007, 12:10:22 AM »

I have all three,
just waiting until I get my mainboard back, then I'll test it :)

BTW, is it known where the kernel is in memory? Otherwise it'll take around 10hrs to dump the entire memory...
« Last Edit: March 02, 2007, 12:14:19 AM by uberfry »
segher
Member
Posts: 10
« Reply #12 on: March 02, 2007, 02:29:57 AM »

Quote
BTW, is it known where the kernel is in memory? Otherwise it'll take around 10hrs to dump the entire memory...

Just start dumping at 0, that's where the exception vectors live (perhaps not at *physical* 0, but you'll get the HRMOR applied anyway).

Or do you really want to dump the kernel? I'd find the hypervisor way more interesting :-)
tser
Member
Posts: 46
« Reply #13 on: March 02, 2007, 02:33:33 AM »

It's always nice when a plan comes together. :D

The shader compiler is fxc.exe.
« Last Edit: March 02, 2007, 02:35:22 AM by tser »
Iriez
Hacker
Posts: 71
« Reply #14 on: March 02, 2007, 02:40:17 AM »

I'm assuming this is not against the rules since it is an official update from Microsoft: http://www.badongo.com/file/2357641 <-- 4532 dashboard update
Surrido
Master Hacker
Posts: 230
Whoever can read has a clear advantage!
« Reply #15 on: March 02, 2007, 03:06:40 AM »

It should be possible to point to code stored on the DVD drive, which means it would be possible to create a "live CD" that does not require any additional hardware (no laptop on the port) other than the firmware hack...
We need to figure out how to load the inserted code from the DVD drive. That way anybody with the correct kernel and DVD firmware hack would be able to play around without the need for an external device.
salemf
Member
Posts: 19
« Reply #16 on: March 02, 2007, 04:47:34 AM »

The problem is that dual layers are expensive, and that's why the hooded hacker used the serial/USB connection device, so that every time he modified the code he didn't have to burn onto a new dual layer.
Surrido
Master Hacker
Posts: 230
Whoever can read has a clear advantage!
« Reply #17 on: March 02, 2007, 05:00:01 AM »

HD should do the same trick... that can be written easily.
is0-mick
Master Hacker
Posts: 108
« Reply #18 on: March 02, 2007, 05:52:45 AM »

Quote
It should be possible to point to code stored on the DVD drive, which means it would be possible to create a "live CD" that does not require any additional hardware (no laptop on the port) other than the firmware hack...
We need to figure out how to load the inserted code from the DVD drive. That way anybody with the correct kernel and DVD firmware hack would be able to play around without the need for an external device.

Would it not make more sense to create a bootloader DVD, then use the ethernet port?
TheSpecialist
Global Moderator
Xbox Hacker
Posts: 782
« Reply #19 on: March 02, 2007, 06:41:37 AM »

Quote
HD should do the same trick... that can be written easily.

Yeah, that would be nice, a little HDD loader instead of a serial port loader, but from the hacker's point of view a serial connection is much more convenient of course. Especially to test new code, like to dump the HV, which will be one of the first interesting tasks IMHO :) And yeah, an ethernet server would be even more convenient, but that would be quite some work ...

Also, aren't there shaders being used in the dashboard? Will check this later today. That would be something, if you could just use this hack from within the dashboard instead of having to load a DVD; then this would basically be like the 'bert&ernie font exploit' :) Not sure though about signatures here ..

Or if not the dashboard, maybe in some pre-installed demo that's set to run from HDD? Always a bit more convenient than a DVD.
« Last Edit: March 02, 2007, 06:58:36 AM by TheSpecialist »