xboxscene.org forums

Pages: 1 ... 13 14 [15] 16 17

Author Topic: BugTraq: Xbox360 Hypervisor Vulnerability - Unsigned Code on Kernel 45  (Read 1726 times)

jonlewi5

  • Archived User
  • Newbie
  • *
  • Posts: 8
BugTraq: Xbox360 Hypervisor Vulnerability - Unsigned Code on Kernel 45
« Reply #210 on: March 01, 2007, 08:33:00 AM »

All I'm going to add to this thread (as it seems to be getting crowded with junk) is that it's much easier to see the security if you are on the inside. For example:

If you are inside your house then you can see how many locks etc. there are, whereas if you are on the outside then all you see is the keyhole.

So once some very clever people, i.e. the Specialist etc., have a play about inside the 360 we should see some more hacks coming, HOPEFULLY.

I'd give it maybe a month before we see people like the Specialist running some sort of homebrew, hopefully lol

dinzy

  • Archived User
  • Jr. Member
  • *
  • Posts: 83
BugTraq: Xbox360 Hypervisor Vulnerability - Unsigned Code on Kernel 45
« Reply #211 on: March 01, 2007, 08:46:00 AM »

This is really preventing me from hawking the "new" flashed 360 I have been meaning to sell on eBay.

I would like to clarify this resistor thing. From what I have read in this thread it appears that one can remove this resistor and remove the power to the eFuse blowing element in the chip. The problem is that the next kernel can probably require that eFuse be blown in order to run (or can it?). Can MS knowingly brick a modded 360? They sort of did it with swapped DVD drives on newer systems with the fall update. However, making the kernel crash is a lot more severe than simply refusing to run with a swapped DVD drive. Are there safety features in the 360 that let you re-update the system should they try to do this?

Also on the resistor mod: is a switch all that is needed? I.e. can one switch the resistor back on after the update is performed and still have the eFuse and the ability to blow eFuses with future updates? It's not vitally important, I am just curious if the fuse is blown with the updater. Also, what value is this resistor? Making a switch would probably be easier with a non-surface-mount resistor, or just a wire if it is small enough. Does anyone have any idea how the eFuse/kernel recognition works? Say for example that there are N eFuses; does each kernel require that eFuses N-kernel number through N be unblown in order to run? Obviously it is more complicated than that, but is it possible that the design does not let kernels require certain eFuses be blown? Or in other words, could it be that they did not think to prevent new kernels from running on "virgin" chips but just tried to prevent old, unsecure kernels from running after they patched a hole?

I am just curious for curiosity's sake. I think any viable hack to come from this will come from people using it to hack other elements rather than people with unburned eFuses being the only ones able to use this. And by viable I mean a profitable modchip or something along those lines, and not a homebrew-only console, which IMHO is worth the 300 bucks + extras.

molesza

  • Archived User
  • Newbie
  • *
  • Posts: 4
BugTraq: Xbox360 Hypervisor Vulnerability - Unsigned Code on Kernel 45
« Reply #212 on: March 01, 2007, 09:21:00 AM »

Very interesting all of this.

I've been trying to figure out what kernel version I'm running. How can I check it on my 360?


networkBoy

  • Archived User
  • Sr. Member
  • *
  • Posts: 306
BugTraq: Xbox360 Hypervisor Vulnerability - Unsigned Code on Kernel 45
« Reply #213 on: March 01, 2007, 09:22:00 AM »

QUOTE(cherryduck @ Feb 28 2007, 03:19 PM) *

Ok, I know I'm probably going to get flamed like crazy for this but have a look at this snippet about the efuse I found on Wikipedia:

The primary application of this technology is to provide in-chip performance tuning. If certain sub-systems fail, or are taking too long to respond, or are consuming too much power, the chip can instantly change its behavior by 'blowing' an eFUSE. This process does not physically destroy the eFUSE, so it is reversible and repeatable.

Everyone keeps saying you can't 'unblow' an efuse, yet right here it seems to say exactly the opposite... Anyway, that's just what I found, so if I'm wrong I'm wrong, but that's maybe something to think about. I don't claim to be a fount of wisdom or anything, I'm just interested in the possibilities.

To "unblow" an e-fuse requires a charge pump and voltage path. These are OTP. There is no erase path to unblow them. Sorry.
-nB

BillMan

  • Archived User
  • Newbie
  • *
  • Posts: 20
BugTraq: Xbox360 Hypervisor Vulnerability - Unsigned Code on Kernel 45
« Reply #214 on: March 01, 2007, 09:25:00 AM »

Just wanted to say the Anonymous dude that reported this to Microsoft did it for his own research; as you see, he dated the events. All it is, is wondering how fast and seriously Microsoft would take this. It says 6 days. Which gives them time to do other things and see how fast they can work around Microsoft.

Then once it is updated, this can show other unsigned code, or some kind of a loophole.
You all look at things the wrong way by thinking it is bad. Microsoft would have found this once it is posted somewhere. So, why not see how long it would take them to fix the kernel? And see if they did a decent fix and what you can do to work around it.

Hope you all finally understand and stop diss'n the dude.
He must be doing a hella lot of work to find that code himself, even if he has friends helping.

molesza

  • Archived User
  • Newbie
  • *
  • Posts: 4
BugTraq: Xbox360 Hypervisor Vulnerability - Unsigned Code on Kernel 45
« Reply #215 on: March 01, 2007, 10:00:00 AM »

How can I check which kernel my Xbox 360 is running?

Obveron

  • Archived User
  • Full Member
  • *
  • Posts: 195
BugTraq: Xbox360 Hypervisor Vulnerability - Unsigned Code on Kernel 45
« Reply #216 on: March 01, 2007, 10:07:00 AM »

QUOTE(dinzy @ Mar 1 2007, 04:46 PM) *
The problem is that the next Kernel can probably require that eFuse be blown in order to run.


Indeed, if one breaks the 5V connection to the eFuses, preventing them from being burnt, future kernel updates may flag this.
A new kernel could enable a check to see if the appropriate eFuse(s) is burnt, and if not... well, ban or brick.

So pulling the resistor to prevent eFuses from being burnt could cause a problem in the future.

Fragreaver

  • Archived User
  • Newbie
  • *
  • Posts: 43
BugTraq: Xbox360 Hypervisor Vulnerability - Unsigned Code on Kernel 45
« Reply #217 on: March 01, 2007, 10:54:00 AM »

molesza:
system blade > console settings > system info.

You'll see the dashboard version on the right side.


openxdkman

  • Archived User
  • Hero Member
  • *
  • Posts: 550
BugTraq: Xbox360 Hypervisor Vulnerability - Unsigned Code on Kernel 45
« Reply #218 on: March 01, 2007, 11:29:00 AM »

My advice, depending on your situation (if you want homebrew):

- version <4532 and resistor untouched:
don't connect, don't play games released after mid-January
if you get upgraded to >4548 you lose the first eFuse
without it you can't downgrade to <=4548
download the "fall update" to burn on CD-R (from the link in the previous post -Thanks Castor420!-)
don't use it yet
the day some homebrew appears, this CD-R will upgrade you to 4532

- version 4532 or 4548 and resistor untouched:
don't connect, don't play games released after mid-January
if you get upgraded to >4548 you lose the first eFuse
without it you can't downgrade to <=4548

- version >4548 and resistor untouched:
you lost the first eFuse
maybe sell your Xbox 360 very cheap on eBay now and buy a new one very very quickly

- any version and resistor removed (see photograph in previous post -Thanks Grim187!-):
like above, but you are allowed to make mistakes (or to continue playing online and with new games)
if you need to downgrade later -the operation won't be obvious for beginners and so may cost money-,
it will work (a flash memory needs to be screwed up), you won't be stuck in a bad situation
as long as the first eFuse is OK, kernels <=4548 will accept to run
(at least that's what I've understood so far...)

Because a downgrade may not be such an immediate and easy operation (only possible if the resistor is not there), I think many (myself included) won't bother removing the resistor but will dedicate the Xbox 360 to homebrew now.
A new model with 65nm technology will appear by the end of the year; this one can replace the old one for gaming.
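A toy model of the fuse-based version check that dinzy asks about and that Obveron's and openxdkman's replies describe (an update burns a one-time fuse, an old kernel then refuses to run, and a new kernel could refuse if its fuse was not burnt). This is an added illustration, not code from any post or from the console itself; the fuse counts assigned to each build and the ">4548" build number 4552 are assumptions, only 4532 and 4548 come from the thread.

```python
# Added illustration for this thread, not code from the original posts or from
# any real console. Hypothetical model of eFuse anti-rollback as the thread
# describes it: a one-time-programmable fuse bank, kernels that expect an
# exact number of blown fuses, and an updater that blows the next fuse.
# Build numbers 4532/4548 come from the thread; the fuse counts mapped to
# them and the ">4548" build 4552 are made up for the example.

REQUIRED_BLOWN = {4532: 0, 4548: 0, 4552: 1}  # hypothetical mapping


class FuseBank:
    """One-time-programmable fuses: a blown fuse can never be cleared."""

    def __init__(self, size=8):
        self.blown = [False] * size
        # Models the resistor discussed in the thread: with the programming
        # path cut, a blow attempt fails and the fuse stays intact.
        self.programming_enabled = True

    def blow(self, index):
        if not self.programming_enabled:
            return False
        self.blown[index] = True  # no method exists to set it back
        return True

    def count(self):
        return sum(self.blown)


def kernel_boots(version, bank):
    """A kernel runs only if exactly its expected fuse count is blown.

    Too many blown: a newer update already ran, so refuse (anti-rollback,
    openxdkman's "can't downgrade to <=4548").
    Too few blown: the update never burnt its fuse, so refuse (the check
    Obveron says a future kernel could add).
    """
    return bank.count() == REQUIRED_BLOWN[version]


def install(version, bank):
    """Updater: blow fuses in order until the new kernel's expected count
    is reached, then report whether the installed kernel would boot."""
    while bank.count() < REQUIRED_BLOWN[version]:
        if not bank.blow(bank.count()):
            break  # programming path cut: fuse state is left unchanged
    return kernel_boots(version, bank)
```

With an intact fuse bank, installing 4552 burns one fuse and 4548 no longer boots; with the programming path cut, 4552 installs without burning anything, so the strict check rejects it while the older kernels still run.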

molesza

  • Archived User
  • Newbie
  • *
  • Posts: 4
BugTraq: Xbox360 Hypervisor Vulnerability - Unsigned Code on Kernel 45
« Reply #219 on: March 01, 2007, 11:36:00 AM »

To Fragreaver: Thanks for the info, buddy.

d-range

  • Archived User
  • Full Member
  • *
  • Posts: 151
BugTraq: Xbox360 Hypervisor Vulnerability - Unsigned Code on Kernel 45
« Reply #220 on: March 01, 2007, 11:40:00 AM »

QUOTE(BillMan @ Mar 1 2007, 05:25 PM) *

Then once it is updated, this can show other unsigned Code. or some kind of a loopwhole.
You all look at things the wrong way by thinking it is bad.  Microsoft would of found this once it is posted somewhere.  So, why not see how long it would take them to fix the Kernal?  And see if they did a descent fix and what you can do to work around it.


Exactly. It might even be a good thing he reported it to MS. Like I said before: the details of this hack are now visible to anyone, and the conditions to reproduce it are known. Because everything is posted to BugTraq and publicly available, it is almost impossible for MS to sue people who use/share this hack, as there is no reverse engineering or DMCA violation necessary to get inside (some) 360s. IANAL, but AFAIK the DMCA does allow you to do whatever you want to your hardware, as long as you don't actively try to figure out ways around the protection (which isn't needed, as they are publicly available) or use security holes to circumvent copyright restrictions.

And indeed, anyone thinking MS wouldn't have figured out this hack within days after someone made it available through 'hacker channels' is just ignorant.

cohan

  • Archived User
  • Newbie
  • *
  • Posts: 22
BugTraq: Xbox360 Hypervisor Vulnerability - Unsigned Code on Kernel 45
« Reply #221 on: March 01, 2007, 11:54:00 AM »

How can I check what kernel I have?

I have the following games connected to Live (played those that can be played online):
Dead or Alive 4
Tony Hawk (dunno what it's called, but there's only one TH for Xbox 360, ain't there?)
Test Drive Unlimited
Elder Scrolls: Oblivion

I bought my Xbox 360 on 27 December 2005.

Fragreaver

  • Archived User
  • Newbie
  • *
  • Posts: 43
BugTraq: Xbox360 Hypervisor Vulnerability - Unsigned Code on Kernel 45
« Reply #222 on: March 01, 2007, 01:05:00 PM »

Cohan, just look a few posts above you.

System blade > console settings > system info. On the right side, the kernel version / dash version is shown.

Hyprkookeez

  • Archived User
  • Newbie
  • *
  • Posts: 8
BugTraq: Xbox360 Hypervisor Vulnerability - Unsigned Code on Kernel 45
« Reply #223 on: March 01, 2007, 02:38:00 PM »

Can someone please explain why it's not possible to trick the machine into thinking it's a newer firmware, with the old firmware exploit in it?

d-range

  • Archived User
  • Full Member
  • *
  • Posts: 151
BugTraq: Xbox360 Hypervisor Vulnerability - Unsigned Code on Kernel 45
« Reply #224 on: March 01, 2007, 02:51:00 PM »

QUOTE(Hyprkookeez @ Mar 1 2007, 10:38 PM) *

Can someone please explain why it's not possible to trick the machine into thinking it's a newer firmware, with the old firmware exploit in it?


Because the kernel code is signed and encrypted, so you cannot modify it. If there's code in the kernel (which is very likely) that checks the expected updates, kernel version and eFuses, you cannot disable or change it.