XboxHacker BBS

Author Topic: Project started: rebooting into an(y) unsigned kernel + hypervisor  (Read 77926 times)

arnezami


This thread/post is about the ability to run an(y) unsigned kernel + hypervisor by rebooting.

Introduction:

Before going to the juicy stuff I will first address these matters:

  • How rebooting into an(y) unsigned kernel and hypervisor is done (using a 4532 or 4548 xbox).
  • Why it is required to make substantial progress in the development of homebrew applications and software mods.
  • How it can be a solution to the dilemma of having to choose between homebrew/linux vs playing new (or live) games.
  • What milestones this project has to reach to arrive at the desired results.

I'm also releasing the first version of the rebooter which does most of the rebooting already. :) That way other hackers can contribute as well and speed up the progress. I've also made a tool to assemble the rebooter file (using your own xbox-specific information) to allow everyone to create his or her own kernel/hv patches and run (and share) them. And that way there are no copyright issues.

I hope my contribution here will kickstart this project and will give all xbox 360 users a good reason not to update to any future version of the dash/kernel (which will most likely kill any hope of homebrew/linux or whatever else can be done besides what MS wants you to do) but instead to consider downgrading your xbox using the timing attack.

If you have any questions after reading the below (or just want to say thanks) please do not post it in the technical thread but here instead. We want to keep things clean over there ;).

Rebooting:

First off. We are talking about rebooting. Not about booting. And there is a fundamental difference.

I will explain.

When the xbox 360 is turned on the first thing it does is start looking in its ROM (also called the first bootloader or 1BL). In the 1BL there is code which the cpu will execute. There is also a public key in it. This is used to check the validity of the second bootloader (the CB section in the flash). Because the key is in ROM (and only MS has the private key) and the ROM is inside the cpu casing there is no way to run unsigned code during normal boot.

We can however run unsigned code on the xbox 360. This is done using the KK exploit. And you need kernel version 4532 or 4548 for this. The problem is when doing the KK exploit there is still a signed kernel in memory. And it's "non-trivial" to change/patch it on-the-fly and return to it as if nothing had happened.

In order to run an unsigned kernel/hv (which is required to run unsigned software on the xbox 360) you somehow need to replace the current operating system (kernel/hv/dash etc) completely. The best way to do this is to reboot the xbox but while rebooting change some things on-the-fly (eg. turning off xex-signature checks, the functions that blow fuses etc).

In other words: do a soft-reboot.

Doing a soft-reboot (as opposed to a hard-reset/boot which lets the cpu start in the ROM again) allows us to stay in control. That way we can choose how the to-be-booted kernel/hv/dash should look (and in principle we can also choose which version we want to run, more on that later).

The rebooter I've written so far does this. It loads the CD section into memory and essentially runs it. The tricky part is to make sure the xbox is put into the same state as it was during the normal boot. But much of this has been done now. The current version of the rebooter can now reliably reboot from POST 0x40 to 0x79 (which is the last POST output during normal boot). The xbox also resets the screen output and seems to detect the wireless again.

Homebrew:

If we are successful in (fully) rebooting into an unsigned kernel/hv we can patch the kernel/hv to allow execution of unsigned xex-es (among many other things). Right now it is already possible to patch the kernel/hv so the moment we can get it to fully boot it should be easy to turn off the bad stuff... ;)

Creating unsigned xex-es probably requires the ability to compress and encrypt self-made xex-es. Although the availability of libraries (not on retail boxes) might be a harder problem. But I guess these problems were also solved with the xbox1.

Apart from homebrew applications you can also think of mods: how big do you want your hdd to be? Want to change the dashboard appearance? Want to disable dvd-video or game region check? No problem.

But all of that is only possible if you can run an unsigned kernel/hv. And since we cannot boot into one we have to reboot into one.

Keep in mind that in order to run homebrew or linux you have to downgrade to an exploitable kernel. And this requirement is unlikely to change. Upgrading to the upcoming "fall update" is most likely going to disable the ability to run any old kernel version (well, that's what we expect MS to do). So it's decision time ;).

Solution to the Dilemma:

While it may seem like you have to choose between two worlds, the ability to run any unsigned kernel/hv may be the solution to the problem. ;)

The idea to run a different kernel from the one on the flash could work like this:

  • You start with a dual nand system where both nands have the same kernel/dash version: 4532/4548
  • You boot and start the KK game resulting in the exploit.
  • You then hot-switch to the other nand. And reboot into the 4532/4548 dash. The hypervisor is patched to fake any efuse blowing (meaning it writes the new contents of the fuses on the nand or somewhere else )
  • You upgrade to the latest kernel. Let's assume this will be the fall update and it blows a fuse in fuserow 2. However since we are running a patched hv the fuses aren't actually blown. But on the second nand (which is now active) the new bootloaders/kernel/dash are written, including the new fuserow 2 value (in the CB).
  • The beauty is: you can still boot into 4532/4548 and run homebrew/linux. And you can also reboot into the fall update by starting in 4532/4548 then switching to the second nand and rebooting into the new kernel.
  • Apart from a tiny patch deep inside the hypervisor (which fakes the fuse blowing) there is no way to tell (for an executable coming from live or a new game) that the xbox is running in "unsigned mode". In fact (and this is the kicker) the hv protection system is working for us now ;D. MS can't detect what we're doing because of their own protection system. Talk about irony...

Keep in mind this is still theory.

Of course a dual nand system still requires soldering. But maybe the above is also possible by using a memory card to store the new kernel/dash etc. This is much harder to make stealthier though so live is not really an option. But new games probably are ;).

Project phases:

I guess the project can be divided into several phases given the above:

  • Phase 1: Rebooting into an unsigned kernel. Making sure no patches are needed to the kernel/hv to simply boot. Main goal is to basically restore the xbox 360 into the state it was in during boot. Also making it possible to restart from CB or even 1BL so if CB changes in any of the new updates we can run it. This would require a "recursive" patcher though.

  • Phase 2: Disable all security measures in the 4532/4548 kernel. The ability to run unsigned xex-es (also being able to encrypt them). Basically removing all the "bad" stuff and paving the way for homebrew. Also being able to disable fuse blowing functions.

  • Phase 3: Hotswapping the nand (best software triggered). Fake fuse blowing by storing the new values somewhere (a place an xex can't access, maybe in the kv). Being able to upgrade and dual boot using the rebooter. Making it stealthy by cleaning up all traces.

  • Phase 4: Doing the same as in phase 3 but using a mem card or harddrive as storage device (or for example the flash on the hd-dvd drive).

The rebooter:

And finally the juicy stuff. Go here to try out (and help testing/developing) the rebooter itself:

http://www.xboxhacker.net/index.php?topic=8737.0

Ok. That was it. I'm totally and utterly exhausted now ;). Going to get some sleep and/or vacation.

Regards,

arnezami

PS. Just to be clear: you can ask questions or post ideas or whatever you want in this thread. :)
« Last Edit: October 12, 2007, 11:24:45 AM by arnezami »
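As an added illustration (not code from this thread or from arnezami's rebooter) of the boot-chain check described in the post above: a Python model of a ROM-resident public key verifying a signed second-stage image, plus a simplified anti-rollback rule on the blown-fuse count. The toy RSA primes, version numbers and images are constructed for the model, and the rollback rule is an assumption of the model rather than the console's exact logic; it only shows why a patched image or an old image fails the cold-boot check.

```python
import hashlib

# Toy RSA key with hard-coded primes (constructed for this model; far too small for real use).
_P, _Q, _E = 1000000007, 998244353, 65537
_N = _P * _Q
_D = pow(_E, -1, (_P - 1) * (_Q - 1))

# The "ROM" holds only the public half: once in silicon it cannot be changed.
ROM_PUBLIC_KEY = (_N, _E)


def _header_and_code(version: int, expected_fuses: int, code: bytes) -> bytes:
    # Everything the signature covers: version, expected fuse count, code.
    return version.to_bytes(2, "big") + expected_fuses.to_bytes(1, "big") + code


def _digest(body: bytes) -> int:
    return int.from_bytes(hashlib.sha256(body).digest(), "big") % _N


def make_cb(version: int, expected_fuses: int, code: bytes) -> dict:
    """Build a signed second-stage image. Only the holder of the private
    exponent (_D, the vendor in the real chain) can produce the signature."""
    body = _header_and_code(version, expected_fuses, code)
    return {"version": version, "expected_fuses": expected_fuses,
            "code": code, "signature": pow(_digest(body), _D, _N)}


def first_bootloader(rom_key: tuple, fuses_blown: int, cb: dict) -> str:
    """Model of the ROM stage on a cold boot: verify the image against the
    ROM key, then apply the (simplified) anti-rollback rule: an image that
    expects fewer blown fuses than are actually blown is an old image."""
    n, e = rom_key
    body = _header_and_code(cb["version"], cb["expected_fuses"], cb["code"])
    if pow(cb["signature"], e, n) != _digest(body):
        return "HALT: bad signature"
    if cb["expected_fuses"] < fuses_blown:
        return "HALT: rollback"
    return "OK: running CB v%d" % cb["version"]


def demo() -> dict:
    """Four constructed boots: genuine image, patched image, old image after
    an update blew a second fuse, and the matching new image."""
    cb_v1 = make_cb(version=1, expected_fuses=1, code=b"bootloader code v1")
    cb_v2 = make_cb(version=2, expected_fuses=2, code=b"bootloader code v2")
    # A one-byte patch to the code invalidates the signature over the image.
    patched = dict(cb_v1, code=cb_v1["code"].replace(b"v1", b"xx"))
    return {
        "genuine": first_bootloader(ROM_PUBLIC_KEY, 1, cb_v1),
        "patched": first_bootloader(ROM_PUBLIC_KEY, 1, patched),
        "old_after_update": first_bootloader(ROM_PUBLIC_KEY, 2, cb_v1),
        "new_after_update": first_bootloader(ROM_PUBLIC_KEY, 2, cb_v2),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print("%-18s %s" % (case, result))
```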

rupal

Re: Project started: rebooting into an(y) unsigned kernel + hypervisor
« Reply #1 on: October 12, 2007, 12:54:56 PM »

Could it be possible with this to patch the Kernel or the Game so that it will play without the latest kernel ?

Redline99

Re: Project started: rebooting into an(y) unsigned kernel + hypervisor
« Reply #2 on: October 12, 2007, 01:00:49 PM »

yeah I'm sure you can remove the min requirement restrictions and some games would work, but also some of the newer games really do need the newer kernel procedures. So in other words, yes would be helpful for some, but not all.

arnezami

Re: Project started: rebooting into an(y) unsigned kernel + hypervisor
« Reply #3 on: October 12, 2007, 01:01:33 PM »

Quote
Could it be possible with this to patch the Kernel or the Game so that it will play without the latest kernel ?

Might be possible. But it depends on the game I guess. If just a change to the kernel/hv is required for the game then it should be possible. But if other (xex) files have to be updated as well it would require more adaptations which would effectively mean you are installing the new kernel (although maybe not the official/live way which may be less risky efuse wise).

Regards,

arnezami
« Last Edit: October 12, 2007, 01:17:22 PM by arnezami »

atiman

Re: Project started: rebooting into an(y) unsigned kernel + hypervisor
« Reply #4 on: October 12, 2007, 01:44:57 PM »

Grats! Thanks for sharing!

Geremia

Re: Project started: rebooting into an(y) unsigned kernel + hypervisor
« Reply #5 on: October 12, 2007, 02:43:44 PM »

Sounds great!

Quote
...to allow everyone to create his or her own kernel/hv patches
ehhehe  ;D


arnezami

Re: Project started: rebooting into an(y) unsigned kernel + hypervisor
« Reply #6 on: October 12, 2007, 02:51:53 PM »

Sounds great!

Quote
...to allow everyone to create his or her own kernel/hv patches
ehhehe  ;D


hahahha ;D ;D ;D

You never know...

arnezami

Btw: It's in the rebooter (on screen) itself but I'm giving special thanks to Geremia. Without him I would have given up long ago...
« Last Edit: October 12, 2007, 02:57:59 PM by arnezami »

Surrido

Re: Project started: rebooting into an(y) unsigned kernel + hypervisor
« Reply #7 on: October 12, 2007, 03:02:59 PM »

ok, i really need to finish the NAND switch...  ::)
i will dig up my sketches :-p
great work, still loads to go...


Geremia

Re: Project started: rebooting into an(y) unsigned kernel + hypervisor
« Reply #8 on: October 12, 2007, 03:30:13 PM »

thanks again, but i did nothing special ;)

cjack

Re: Project started: rebooting into an(y) unsigned kernel + hypervisor
« Reply #9 on: October 13, 2007, 03:01:06 AM »

Thanks for sharing to all of you! NICE work Arnezami, really impressive.
Hope to see a complete reboot soon, it's possible now  ;D

safety

Re: Project started: rebooting into an(y) unsigned kernel + hypervisor
« Reply #10 on: October 13, 2007, 03:57:21 AM »

Well, in order to downgrade one needs the cpu key and fuse set.
There is a way to prevent the blowing of fuses. (resistor removal)
Also, dual-boot nand hacks exist.

To have a homebrew and live system, it is a complicated one..
It should be a full dual thing...
Dual dvd-drive fw, one for live, and one xtreme.
Also, dual kernel.
That way, if the resistor is removed and the fuse set stays constant, it is possible to have the newest kernel on one nand, and an original drive fw, and on separate nands the modded drive fw, and downgraded kernel for homebrew stuff.

OH my god..
Anyone attempting to do so should be experienced in a lot of things...
Good solder skills, mostly..

Well, anyway this is a milestone, and is great news.

arnezami

Re: Project started: rebooting into an(y) unsigned kernel + hypervisor
« Reply #11 on: October 13, 2007, 04:51:09 AM »

Quote
Well, in order to downgrade one needs the cpu key and fuse set.
There is a way to prevent the blowing of fuses. (resistor removal)
Also, dual-boot nand hacks exist.

To have a homebrew and live system, it is a complicated one..
It should be a full dual thing...
Dual dvd-drive fw, one for live, and one xtreme.
Also, dual kernel.
That way, if the resistor is removed and the fuse set stays constant, it is possible to have the newest kernel on one nand, and an original drive fw, and on separate nands the modded drive fw, and downgraded kernel for homebrew stuff.

OH my god..
Anyone attempting to do so should be experienced in a lot of things...
Good solder skills, mostly..

Well, anyway this is a milestone, and is great news.

Yes. Indeed. A full blown stealthy dual kernel+fw would be a daunting task to build :)

Only skilled people will be able to do that. But maybe some chip will come out to make it a bit easier.

On the other hand: if switching between an old kernel (for linux/homebrew) and a new kernel (for playing new games only) is required I think it may be possible to accomplish without doing any soldering at all (if you have xbox <= 4548 that is):

- Using slax (or two-wire trick) to put the ixtreme fw on the drive
- Burn KK patched game, boot into linux with cd, dump nand/kv/fuses
- Attach memory card (eg 64MB) and put the data on it for dual booting
- Boot into KK exploit again, run rebooter cd (which should then automatically detect memory card)
- Now you are booting into unsigned kernel and hv (patched)
- Upgrade to latest kernel (fuses are faked to be blown, no need to remove resistor)
- You can now play new games (by rebooting) or run linux/homebrew

Would be kinda cool if we could get that to work ;)

Wouldn't go live with it though ;D

Regards,

arnezami

PS. People with higher kernel/dash really have to solder for the timing attack. But it's (going to be) very doable I think... (and the hardware required can be shared since it's a one time event).
« Last Edit: October 13, 2007, 05:09:29 AM by arnezami »

safety

Re: Project started: rebooting into an(y) unsigned kernel + hypervisor
« Reply #12 on: October 13, 2007, 05:31:37 AM »

Well, in the form of a chip...
I can think of an indeed complex thing..
It should consist of 2 flash chips, and a controller.
Maybe it could have a port where a pre-made pcb could connect for the timing attack.
Should look like..
remove the onboard flash, and the dvd-rom flash, solder a 1-1 adaptor, insert Your chips in them.
Connect the 2 pcb to the controller board that can switch between original, and modded content chips.
A header of some sort for the timing attack.
On the controller board there should be a connection to an external pcb for:
1. timing attack
2. upload new fw versions.

The system should be acting like a programmer, so it could program the controller, and upload all the data needed in the 2 hacked content nand.

Would be complex. And still need an external switch.
That way it can be live-proof, since when the thing is in "original" mode, nothing has been changed software wise.

But for this, there is a need of 2 pcb (one on the drive, one on the mobo)
header for timing attack (after done can be removed, some no-solder solution would be awesome)
removal of the nand on dvd drive, and on mobo (tricky..  stupid black epoxy.... damn..) maybe some quick solder flat ribbons can do the trick for easier install (relatively easy..)
a controller which can switch between chips... (also maybe able to shut down lan connection, for live protection...)
an external pcb for uploading new things and performing timing attack.. Removable after finished..

Man, what cost would this have????
Would be a veeeeeery pricey mod i think....

arnezami

Re: Project started: rebooting into an(y) unsigned kernel + hypervisor
« Reply #13 on: October 13, 2007, 05:42:57 AM »

Yes. The "Phase 3" would be more of an exercise (for hackers) to learn how to do "Phase 4" (no soldering mod). The latter will be very interesting for many people I think (who play games offline and also want to watch high quality (xvid/x264) video for example). :)

As for the full stealth switchable dual nand/fw mod: it's actually more fun than sensible to build: buying a second xbox is probably a better option ;).

Regards,

arnezami
« Last Edit: October 13, 2007, 05:46:19 AM by arnezami »

SOWA_PL

Re: Project started: rebooting into an(y) unsigned kernel + hypervisor
« Reply #14 on: October 13, 2007, 07:27:57 AM »

As far as I understand, with this hack it will be (in theory) possible to change for example the Console ID?

Thanks for sharing  ;D

prisoner_of_time

Re: Project started: rebooting into an(y) unsigned kernel + hypervisor
« Reply #15 on: October 13, 2007, 08:18:14 AM »

Great work arnezami. Really grateful you shared it with the rest of us. Thanks!!

Nick
GREECE


gigabite

Re: Project started: rebooting into an(y) unsigned kernel + hypervisor
« Reply #16 on: October 13, 2007, 08:28:38 AM »

Well I have done many dual boot DVD drives it is quite simple except for the epoxy removal, the NAND of the 360 will be even easier (for me, maybe not for some others) I just have to do some more research on the dual kernel NAND thing (I have 2 spare NANDs)....anyway to get on to the point of this post.  Now....what people are forgetting is that if you are able to change the console ID...you will need a new one right...which brings up the next thing, you would need a "generator" of some sort (in which M$ could easily figure out and ban or whatever through the use of updates...cause the reason you would want to change the console ID would be to go on LIVE (assuming that's all that gets banned)....then you'd have to update so no LIVE after that...get me??) anyway good work keep it up!!!

gigabite

Arakon

Re: Project started: rebooting into an(y) unsigned kernel + hypervisor
« Reply #17 on: October 13, 2007, 09:51:31 AM »

a generator wouldn't do any good. it's likely to generate codes in use on other consoles, so the result would be that if you got banned, some poor guy elsewhere also gets his console banned.

prisoner_of_time

Re: Project started: rebooting into an(y) unsigned kernel + hypervisor
« Reply #18 on: October 13, 2007, 11:50:19 AM »

Quote
a generator wouldn't do any good. it's likely to generate codes in use on other consoles, so the result would be that if you got banned, some poor guy elsewhere also gets his console banned.


I totally agree. I don't think MS uses a simple algorithm to produce IDs. Changing it won't unban you.

Arakon

Re: Project started: rebooting into an(y) unsigned kernel + hypervisor
« Reply #19 on: October 13, 2007, 12:05:36 PM »

also, I am pretty sure MS has a list of used IDs.. if your console goes online with an ID they don't have in the database, you probably can't even connect.