Topic: Let The Hacking Begin (Read 388 times)

vax11780 · « **Reply #15 on:** December 23, 2006, 04:03:00 PM »

Here's a route for someones to explore... Modify the DVD firmware to return extra data for identify, dvd structure, etc. Since none of these are signed, it may be possible to overwrite some adjacent memory. The main thing to look for is whether or not the 360 accepts all the data, or if the DVD drive hangs trying to output more data than the 360 will accept.

I'd do this, but I'm pursuing a different path right now.

VAX

PS For those of you that want to contribute, but don't know where to start, read:

Hacking DVD firmware?

start to finish (yes, all 40+ pages!) You'll learn a lot about the hacking process, and how to play nicely with others...

HoRnEyDvL · « **Reply #16 on:** December 23, 2006, 05:21:00 PM »

Vax what path you using will i be able to lend you a hand by any chance?
DVD path might possibly work but wouldnot know how to play around with the firmware.

jaimebenlasnow · « **Reply #17 on:** December 23, 2006, 05:50:00 PM »

QUOTE

SataCdRomDecryptHostChallengeResponseTable:


.set var_1A0, -0x1A0
.set var_180, -0x180
.set var_120, -0x120
.set var_10, -0x10
.set var_8, -8

mflr %r12       #   Move from link register
stw   %r12, var_8(%sp) #   Store Word
std   %r31, var_10(%sp) #   Store Double Word
stwu %sp, -0x1F0(%sp) #   Store Word with   Update
mr   %r31, %r3    #   Move Register
addi %r3, %sp, 0x1F0+var_180 # Add Immediate
bl   XeCryptShaInit    #   Branch
li   %r5, 0x2C    #   Load Immediate
addi %r4, %r31, 0x4A3 #   Add Immediate
addi %r3, %sp, 0x1F0+var_180 # Add Immediate
bl   XeCryptShaUpdate #   Branch
li   %r5, 0x14    #   Load Immediate
addi %r4, %sp, 0x1F0+var_1A0 # Add Immediate
addi %r3, %sp, 0x1F0+var_180 # Add Immediate
bl   XeCryptShaFinal    #   Branch
li   %r5, 7       #   Load Immediate
addi %r4, %sp, 0x1F0+var_1A0 # Add Immediate
addi %r3, %sp, 0x1F0+var_120 # Add Immediate
bl   XeCryptRc4Key    #   Branch
li   %r5, 0xFD    #   Load Immediate
addi %r4, %r31, 0x306 #   Add Immediate
addi %r3, %sp, 0x1F0+var_120 # Add Immediate
bl   XeCryptRc4Ecb    #   Branch
addi %sp, %sp, 0x1F0 #   Add Immediate
lwz   %r12, var_8(%sp) #   Load Word and Zero
mtlr %r12       #   Move to   link register
ld   %r31, var_10(%sp) #   Load Double Word
blr          #   Branch unconditionally
# End of function SataCdRomDecryptHostChallengeResponseTable

XeCryptShaInit:
lis   %r10, 0x6745 # 0x67452301 # Load Immediate Shifted
lis   %r9, 0xEFCD # 0xEFCDAB89 # Load   Immediate Shifted
lis   %r8, 0x98BA # 0x98BADCFE # Load   Immediate Shifted
lis   %r7, 0x1032 # 0x10325476 # Load   Immediate Shifted
lis   %r6, 0xC3D2 # 0xC3D2E1F0 # Load   Immediate Shifted
li   %r11, 0       #   Load Immediate
ori   %r10, %r10, 0x2301 # 0x67452301   # OR Immediate
ori   %r9, %r9, 0xAB89 # 0xEFCDAB89 #   OR Immediate
ori   %r8, %r8, 0xDCFE # 0x98BADCFE #   OR Immediate
ori   %r7, %r7, 0x5476 # 0x10325476 #   OR Immediate
ori   %r6, %r6, 0xE1F0 # 0xC3D2E1F0 #   OR Immediate
stw   %r11, 0(%r3)    #   Store Word
stw   %r10, 4(%r3)    #   Store Word
stw   %r9, 8(%r3)    #   Store Word
stw   %r8, 0xC(%r3)    #   Store Word
stw   %r7, 0x10(%r3)    #   Store Word
stw   %r6, 0x14(%r3)    #   Store Word
blr          #   Branch unconditionally
# End of function XeCryptShaInit

XeCryptShaUpdate:
mflr %r12       #   Move from link register
bl   __savegprlr_25    #   Branch
stwu %sp, -0x90(%sp) #   Store Word with   Update
mr   %r29, %r3    #   Move Register
mr   %r31, %r5    #   Move Register
mr   %r30, %r4    #   Move Register
lwz   %r11, 0(%r29)    #   Load Word and Zero
clrlwi. %r28, %r11,   26 #   Clear Left Immediate
add   %r11, %r11, %r31 #   Add
stw   %r11, 0(%r29)    #   Store Word
beq   loc_800F7E2C    #   Branch if equal
add   %r27, %r28, %r31 #   Add
cmplwi cr6,   %r27, 0x40 #   Compare   Logical   Word Immediate
blt   cr6, loc_800F7E2C #   Branch if less than
add   %r11, %r28, %r29 #   Add
subfic %r5,   %r28, 0x40 #   Subtract from Immediate   Carrying
addi %r3, %r11, 0x18 #   Add Immediate
bl   memcpy       #   Branch
subf %r11, %r28, %r30 #   Subtract from
addi %r4, %r29, 0x18 #   Add Immediate
addi %r3, %r29, 4    #   Add Immediate
addi %r30, %r11, 0x40 #   Add Immediate
subi %r31, %r27, 0x40 #   Subtract Immediate
bl   XeCryptShaTransform #   Branch
li   %r28, 0       #   Load Immediate

loc_800F7E2C:

clrlwi. %r11, %r30,   30 #   Clear Left Immediate
cmplwi cr6,   %r31, 0x40 #   Compare   Logical   Word Immediate
blt   cr6, loc_800F7E98 #   Branch if less than
srwi %r27, %r31, 6    #   Shift Right Immediate
beq   loc_800F7E78    #   Branch if equal
addi %r26, %r29, 0x18 #   Add Immediate
addi %r25, %r29, 4    #   Add Immediate

loc_800F7E48:
li   %r5, 0x40    #   Load Immediate
mr   %r4, %r30    #   Move Register
mr   %r3, %r26    #   Move Register
bl   memcpy       #   Branch
mr   %r4, %r26    #   Move Register
mr   %r3, %r25    #   Move Register
bl   XeCryptShaTransform #   Branch
subic. %r27, %r27, 1 #   Subtract Immediate Carrying
addi %r30, %r30, 0x40 #   Add Immediate
subi %r31, %r31, 0x40 #   Subtract Immediate
bne   loc_800F7E48    #   Branch if not equal
b   loc_800F7E98    #   Branch
# ÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄÄ

loc_800F7E78:
addi %r26, %r29, 4    #   Add Immediate

loc_800F7E7C:
mr   %r4, %r30    #   Move Register
mr   %r3, %r26    #   Move Register
bl   XeCryptShaTransform #   Branch
subic. %r27, %r27, 1 #   Subtract Immediate Carrying
addi %r30, %r30, 0x40 #   Add Immediate
subi %r31, %r31, 0x40 #   Subtract Immediate
bne   loc_800F7E7C    #   Branch if not equal

loc_800F7E98:
          #   XeCryptShaUpdate+ACj
cmplwi cr6,   %r31, 0    #   Compare   Logical   Word Immediate
beq   cr6, loc_800F7EB4 #   Branch if equal
add   %r11, %r28, %r29 #   Add
mr   %r5, %r31    #   Move Register
mr   %r4, %r30    #   Move Register
addi %r3, %r11, 0x18 #   Add Immediate
bl   memcpy       #   Branch

loc_800F7EB4:
addi %sp, %sp, 0x90    #   Add Immediate
b   __restgprlr_25    #   Branch
# End of function XeCryptShaUpdate

XeCryptShaFinal:

.set var_50, -0x50

mflr %r12       #   Move from link register
bl   __savegprlr_25    #   Branch
stwu %sp, -0xA0(%sp) #   Store Word with   Update
mr   %r31, %r3    #   Move Register
mr   %r25, %r4    #   Move Register
addi %r30, %r31, 0x18 #   Add Immediate
mr   %r26, %r5    #   Move Register
li   %r4, 0       #   Load Immediate
lwz   %r11, 0(%r31)    #   Load Word and Zero
clrlwi %r29, %r11, 26 #   Clear Left Immediate
subfic %r28, %r29, 0x40 #   Subtract from Immediate   Carrying
add   %r27, %r29, %r30 #   Add
stw   %r11, 0xA0+var_50(%sp) # Store Word
mr   %r5, %r28    #   Move Register
mr   %r3, %r27    #   Move Register
bl   memset       #   Branch
li   %r11, 0x80    #   Load Immediate
cmplwi cr6,   %r28, 9    #   Compare   Logical   Word Immediate
stb   %r11, 0(%r27)    #   Store Byte
bge   cr6, loc_800F7F2C #   Branch if greater than or equal
mr   %r4, %r30    #   Move Register
addi %r3, %r31, 4    #   Add Immediate
bl   XeCryptShaTransform #   Branch
addi %r5, %r29, 1    #   Add Immediate
li   %r4, 0       #   Load Immediate
mr   %r3, %r30    #   Move Register
bl   memset       #   Branch

loc_800F7F2C:
lwz   %r11, 0xA0+var_50(%sp) # Load Word and Zero
li   %r5, 4       #   Load Immediate
addi %r4, %sp, 0xA0+var_50 # Add Immediate
slwi %r11, %r11, 3    #   Shift Left Immediate
addi %r3, %r30, 0x3C #   Add Immediate
stw   %r11, 0xA0+var_50(%sp) # Store Word
bl   memcpy       #   Branch
addi %r31, %r31, 4    #   Add Immediate
mr   %r4, %r30    #   Move Register
mr   %r3, %r31    #   Move Register
bl   XeCryptShaTransform #   Branch
cmplwi cr6,   %r26, 0    #   Compare   Logical   Word Immediate
beq   cr6, loc_800F7F7C #   Branch if equal
cmplwi cr6,   %r26, 0x14 #   Compare   Logical   Word Immediate
mr   %r5, %r26    #   Move Register
blt   cr6, loc_800F7F70 #   Branch if less than
li   %r5, 0x14    #   Load Immediate

loc_800F7F70:
mr   %r4, %r31    #   Move Register
mr   %r3, %r25    #   Move Register
bl   memcpy       #   Branch

loc_800F7F7C:
addi %sp, %sp, 0xA0    #   Add Immediate
b   __restgprlr_25    #   Branch
# End of function XeCryptShaFinal

XeCryptRc4Key:

lis   %r6, 1 # 0x10203 #   Load Immediate Shifted
lis   %r7, 0x808 # 0x8080808 # Load Immediate   Shifted
ori   %r6, %r6, 0x203   # 0x10203 # OR Immediate
ori   %r7, %r7, 0x808   # 0x8080808 # OR Immediate
rldicr %r6,   %r6, 32,31 #   Rotate Left Double Word   Immediate then Clear Right
rldimi %r7,   %r7, 32,0 #   Rotate Left Double Word   Immediate then Mask Insert
oris %r6, %r6, 0x405 #   OR Immediate Shifted
li   %r8, 8       #   Load Immediate
ori   %r6, %r6, 0x607    #   OR Immediate
mtctr %r8       #   Move to   count register

loc_800F8378:
std   %r6, 0(%r3)    #   Store Double Word
add   %r6, %r6, %r7    #   Add
std   %r6, 8(%r3)    #   Store Double Word
add   %r6, %r6, %r7    #   Add
std   %r6, 0x10(%r3)    #   Store Double Word
add   %r6, %r6, %r7    #   Add
std   %r6, 0x18(%r3)    #   Store Double Word
add   %r6, %r6, %r7    #   Add
addi %r3, %r3, 0x20    #   Add Immediate
bc   25, lt,   loc_800F8378 #   Branch Conditional
li   %r8, 0       #   Load Immediate
sth   %r8, 0(%r3)    #   Store Half Word
subi %r3, %r3, 0x100 #   Subtract Immediate
li   %r9, 0       #   Load Immediate
li   %r10, 0       #   Load Immediate
li   %r0, 0x100    #   Load Immediate
mtctr %r0       #   Move to   count register

loc_800F83BC:
lbzx %r11, %r3, %r8    #   Load Byte and Zero Indexed
lbzx %r7, %r4, %r10    #   Load Byte and Zero Indexed
add   %r9, %r9, %r11    #   Add
add   %r9, %r9, %r7    #   Add
clrlwi %r9,   %r9, 24    #   Clear Left Immediate
lbzx %r6, %r3, %r9    #   Load Byte and Zero Indexed
addi %r10, %r10, 1    #   Add Immediate
stbx %r6, %r3, %r8    #   Store Byte Indexed
addi %r8, %r8, 1    #   Add Immediate
stbx %r11, %r3, %r9    #   Store Byte Indexed
cmplw %r10,   %r5    #   Compare   Logical   Word
bc   7, eq, loc_800F83F0 #   Branch Conditional
li   %r10, 0       #   Load Immediate

loc_800F83F0:
bc   25, lt,   loc_800F83BC #   Branch Conditional
blr          #   Branch unconditionally
# End of function XeCryptRc4Key

XeCryptBnDw_Copy:
cmplwi %r5,   0    #   Compare   Logical   Word Immediate
cmplw cr6, %r3, %r4    #   Compare   Logical   Word
subf %r4, %r3, %r4    #   Subtract from
mtctr %r5       #   Move to   count register
bclr 14, eq       #   Branch Conditional to Link Register
bclr 14, 4*cr6+eq    #   Branch Conditional to Link Register

loc_800F4E88:
lwz   %r6, 0(%r3)    #   Load Word and Zero
stwx %r6, %r3, %r4    #   Store Word Indexed
addi %r3, %r3, 4    #   Add Immediate
bc   25, lt,   loc_800F4E88 #   Branch Conditional
blr          #   Branch unconditionally
# End of function XeCryptBnDw_Copy

XeCryptRc4Ecb:

cmplwi %r5, 0 # Compare Logical Word Immediate
bclr 14, eq # Branch Conditional to Link Register
mtctr %r5 # Move to count register
lbz %r6, 0x100(%r3) # Load Byte and Zero
lbz %r7, 0x101(%r3) # Load Byte and Zero

loc_800F840C:
addi %r6, %r6, 1 # Add Immediate
clrlwi %r6, %r6, 24 # Clear Left Immediate
lbzx %r8, %r3, %r6 # Load Byte and Zero Indexed
add %r7, %r7, %r8 # Add
clrlwi %r7, %r7, 24 # Clear Left Immediate
lbzx %r9, %r3, %r7 # Load Byte and Zero Indexed
stbx %r9, %r3, %r6 # Store Byte Indexed
stbx %r8, %r3, %r7 # Store Byte Indexed
add %r8, %r8, %r9 # Add
clrlwi %r8, %r8, 24 # Clear Left Immediate
lbzx %r8, %r3, %r8 # Load Byte and Zero Indexed
lbz %r9, 0(%r4) # Load Byte and Zero
xor %r8, %r8, %r9 # XOR
stb %r8, 0(%r4) # Store Byte
addi %r4, %r4, 1 # Add Immediate
bc 25, lt, loc_800F840C # Branch Conditional
stb %r6, 0x100(%r3) # Store Byte
stb %r7, 0x101(%r3) # Store Byte
blr # Branch unconditionally
# End of function XeCryptRc4Ecb

XeCryptShaTransform:

.set var_190, -0x190
.set var_188, -0x188

mflr %r12 # Move from link register
bl __savegprlr_24 # Branch
stwu %sp, -0x1E0(%sp) # Store Word with Update
mr %r24, %r3 # Move Register
mr %r3, %r4 # Move Register
li %r5, 0x10 # Load Immediate
addi %r4, %sp, 0x1E0+var_190 # Add Immediate
addi %r31, %sp, 0x1E0+var_190 # Add Immediate
lwz %r26, 0(%r24) # Load Word and Zero
lwz %r27, 4(%r24) # Load Word and Zero
lwz %r28, 8(%r24) # Load Word and Zero
lwz %r29, 0xC(%r24) # Load Word and Zero
lwz %r30, 0x10(%r24) # Load Word and Zero
bl XeCryptBnDw_Copy # Branch
addi %r11, %sp, 0x1E0+var_188 # Add Immediate
li %r10, 0x40 # Load Immediate

loc_800F79E8:
lwz %r8, 0x18(%r11) # Load Word and Zero
subic. %r10, %r10, 1 # Subtract Immediate Carrying
lwz %r9, 0x2C(%r11) # Load Word and Zero
lwz %r7, -8(%r11) # Load Word and Zero
xor %r9, %r9, %r8 # XOR
lwz %r8, 0(%r11) # Load Word and Zero
xor %r9, %r9, %r7 # XOR
xor %r9, %r9, %r8 # XOR
rotlwi %r9, %r9, 1 # Rotate Left Immediate
stw %r9, 0x38(%r11) # Store Word
addi %r11, %r11, 4 # Add Immediate
bne loc_800F79E8 # Branch if not equal
lis %r11, 0x5A82 # 0x5A827999 # Load Immediate Shifted
li %r7, 4 # Load Immediate
ori %r11, %r11, 0x7999 # 0x5A827999 # OR Immediate

loc_800F7A24:
xor %r10, %r29, %r28 # XOR
lwz %r8, 0(%r31) # Load Word and Zero
rotlwi %r9, %r26, 5 # Rotate Left Immediate
lwz %r25, 4(%r31) # Load Word and Zero
and %r6, %r10, %r27 # AND
lwz %r3, 8(%r31) # Load Word and Zero
rotrwi %r10, %r27, 2 # Rotate Right Immediate
lwz %r5, 0xC(%r31) # Load Word and Zero
xor %r6, %r6, %r29 # XOR
lwz %r4, 0x10(%r31) # Load Word and Zero
subic. %r7, %r7, 1 # Subtract Immediate Carrying
add %r9, %r6, %r9 # Add
xor %r6, %r28, %r10 # XOR
add %r9, %r9, %r30 # Add
and %r6, %r6, %r26 # AND
add %r9, %r9, %r8 # Add
xor %r6, %r6, %r28 # XOR
add %r8, %r9, %r11 # Add
rotrwi %r9, %r26, 2 # Rotate Right Immediate
add %r27, %r6, %r25 # Add
xor %r30, %r10, %r9 # XOR
rotlwi %r6, %r8, 5 # Rotate Left Immediate
and %r26, %r30, %r8 # AND
rotrwi %r30, %r8, 2 # Rotate Right Immediate
xor %r8, %r26, %r10 # XOR
addi %r31, %r31, 0x14 # Add Immediate
add %r3, %r8, %r3 # Add
add %r8, %r27, %r6 # Add
add %r8, %r8, %r29 # Add
xor %r29, %r30, %r9 # XOR
add %r8, %r8, %r11 # Add
and %r27, %r29, %r8 # AND
rotlwi %r6, %r8, 5 # Rotate Left Immediate
rotrwi %r29, %r8, 2 # Rotate Right Immediate
xor %r8, %r27, %r9 # XOR
add %r5, %r8, %r5 # Add
add %r8, %r3, %r6 # Add
xor %r3, %r30, %r29 # XOR
add %r8, %r8, %r28 # Add
add %r8, %r8, %r11 # Add
rotlwi %r6, %r8, 5 # Rotate Left Immediate
and %r3, %r3, %r8 # AND
add %r6, %r5, %r6 # Add
rotrwi %r28, %r8, 2 # Rotate Right Immediate
add %r10, %r6, %r10 # Add
xor %r8, %r3, %r30 # XOR
add %r27, %r10, %r11 # Add
add %r8, %r8, %r4 # Add
rotlwi %r10, %r27, 5 # Rotate Left Immediate
add %r10, %r8, %r10 # Add
add %r10, %r10, %r9 # Add
add %r26, %r10, %r11 # Add
bne loc_800F7A24 # Branch if not equal
lis %r11, 0x6ED9 # 0x6ED9EBA1 # Load Immediate Shifted
li %r7, 4 # Load Immediate
ori %r11, %r11, 0xEBA1 # 0x6ED9EBA1 # OR Immediate

loc_800F7B04:
xor %r10, %r29, %r28 # XOR
lwz %r8, 0(%r31) # Load Word and Zero
rotlwi %r9, %r26, 5 # Rotate Left Immediate
lwz %r25, 4(%r31) # Load Word and Zero
xor %r6, %r10, %r27 # XOR
lwz %r4, 8(%r31) # Load Word and Zero
rotrwi %r10, %r27, 2 # Rotate Right Immediate
lwz %r5, 0xC(%r31) # Load Word and Zero
add %r9, %r6, %r9 # Add
lwz %r3, 0x10(%r31) # Load Word and Zero
subic. %r7, %r7, 1 # Subtract Immediate Carrying
add %r9, %r9, %r30 # Add
addi %r31, %r31, 0x14 # Add Immediate
add %r9, %r9, %r8 # Add
xor %r8, %r28, %r10 # XOR
add %r9, %r9, %r11 # Add
xor %r6, %r8, %r26 # XOR
rotrwi %r8, %r26, 2 # Rotate Right Immediate
xor %r26, %r9, %r10 # XOR
add %r27, %r6, %r25 # Add
rotrwi %r30, %r9, 2 # Rotate Right Immediate
rotlwi %r6, %r9, 5 # Rotate Left Immediate
xor %r9, %r26, %r8 # XOR
add %r4, %r9, %r4 # Add
add %r9, %r27, %r6 # Add
add %r9, %r9, %r29 # Add
add %r9, %r9, %r11 # Add
xor %r27, %r30, %r9 # XOR
rotlwi %r6, %r9, 5 # Rotate Left Immediate
rotrwi %r29, %r9, 2 # Rotate Right Immediate
xor %r9, %r27, %r8 # XOR
add %r5, %r9, %r5 # Add
add %r9, %r4, %r6 # Add
xor %r4, %r30, %r29 # XOR
add %r9, %r9, %r28 # Add
add %r9, %r9, %r11 # Add
rotlwi %r6, %r9, 5 # Rotate Left Immediate
xor %r4, %r4, %r9 # XOR
add %r6, %r5, %r6 # Add
rotrwi %r28, %r9, 2 # Rotate Right Immediate
add %r10, %r6, %r10 # Add
add %r9, %r4, %r3 # Add
add %r27, %r10, %r11 # Add
rotlwi %r10, %r27, 5 # Rotate Left Immediate
add %r10, %r9, %r10 # Add
add %r10, %r10, %r8 # Add
add %r26, %r10, %r11 # Add
bne loc_800F7B04 # Branch if not equal
lis %r11, 0x70E4 # 0x70E44324 # Load Immediate Shifted
li %r7, 4 # Load Immediate
ori %r11, %r11, 0x4324 # 0x70E44324 # OR Immediate

loc_800F7BD0:
or %r10, %r28, %r27 # OR
lwz %r8, 0(%r31) # Load Word and Zero
and %r6, %r28, %r27 # AND
lwz %r25, 4(%r31) # Load Word and Zero
and %r10, %r10, %r29 # AND
lwz %r3, 8(%r31) # Load Word and Zero
rotlwi %r9, %r26, 5 # Rotate Left Immediate
lwz %r5, 0xC(%r31) # Load Word and Zero
or %r6, %r10, %r6 # OR
lwz %r4, 0x10(%r31) # Load Word and Zero
rotrwi %r10, %r27, 2 # Rotate Right Immediate
add %r9, %r6, %r9 # Add
subic. %r7, %r7, 1 # Subtract Immediate Carrying
add %r9, %r9, %r30 # Add
and %r30, %r10, %r26 # AND
add %r9, %r9, %r8 # Add
or %r8, %r10, %r26 # OR
subf %r9, %r11, %r9 # Subtract from
and %r6, %r8, %r28 # AND
rotrwi %r8, %r26, 2 # Rotate Right Immediate
or %r6, %r6, %r30 # OR
or %r30, %r9, %r8 # OR
add %r27, %r6, %r25 # Add
and %r26, %r9, %r8 # AND
and %r25, %r30, %r10 # AND
rotrwi %r30, %r9, 2 # Rotate Right Immediate
rotlwi %r6, %r9, 5 # Rotate Left Immediate
or %r9, %r25, %r26 # OR
addi %r31, %r31, 0x14 # Add Immediate
add %r3, %r9, %r3 # Add
add %r9, %r27, %r6 # Add
add %r9, %r9, %r29 # Add
subf %r9, %r11, %r9 # Subtract from
or %r29, %r30, %r9 # OR
and %r27, %r30, %r9 # AND
and %r26, %r29, %r8 # AND
rotrwi %r29, %r9, 2 # Rotate Right Immediate
rotlwi %r6, %r9, 5 # Rotate Left Immediate
or %r9, %r26, %r27 # OR
add %r5, %r9, %r5 # Add
add %r9, %r3, %r6 # Add
add %r9, %r9, %r28 # Add
subf %r9, %r11, %r9 # Subtract from
rotlwi %r6, %r9, 5 # Rotate Left Immediate
or %r3, %r29, %r9 # OR
add %r6, %r5, %r6 # Add
and %r27, %r29, %r9 # AND
and %r3, %r3, %r30 # AND
add %r10, %r6, %r10 # Add
rotrwi %r28, %r9, 2 # Rotate Right Immediate
or %r9, %r3, %r27 # OR
subf %r27, %r11, %r10 # Subtract from
add %r9, %r9, %r4 # Add
rotlwi %r10, %r27, 5 # Rotate Left Immediate
add %r10, %r9, %r10 # Add
add %r10, %r10, %r8 # Add
subf %r26, %r11, %r10 # Subtract from
bne loc_800F7BD0 # Branch if not equal
lis %r11, 0x359D # 0x359D3E2A # Load Immediate Shifted
li %r7, 4 # Load Immediate
ori %r11, %r11, 0x3E2A # 0x359D3E2A # OR Immediate

loc_800F7CC4:
xor %r10, %r29, %r28 # XOR
lwz %r8, 0(%r31) # Load Word and Zero
rotlwi %r9, %r26, 5 # Rotate Left Immediate
lwz %r25, 4(%r31) # Load Word and Zero
xor %r6, %r10, %r27 # XOR
lwz %r4, 8(%r31) # Load Word and Zero
rotrwi %r10, %r27, 2 # Rotate Right Immediate
lwz %r5, 0xC(%r31) # Load Word and Zero
add %r9, %r6, %r9 # Add
lwz %r3, 0x10(%r31) # Load Word and Zero
subic. %r7, %r7, 1 # Subtract Immediate Carrying
add %r9, %r9, %r30 # Add
addi %r31, %r31, 0x14 # Add Immediate
add %r9, %r9, %r8 # Add
xor %r8, %r28, %r10 # XOR
subf %r9, %r11, %r9 # Subtract from
xor %r6, %r8, %r26 # XOR
rotrwi %r8, %r26, 2 # Rotate Right Immediate
xor %r26, %r9, %r10 # XOR
add %r27, %r6, %r25 # Add
rotrwi %r30, %r9, 2 # Rotate Right Immediate
rotlwi %r6, %r9, 5 # Rotate Left Immediate
xor %r9, %r26, %r8 # XOR
add %r4, %r9, %r4 # Add
add %r9, %r27, %r6 # Add
add %r9, %r9, %r29 # Add
subf %r9, %r11, %r9 # Subtract from
xor %r27, %r30, %r9 # XOR
rotlwi %r6, %r9, 5 # Rotate Left Immediate
rotrwi %r29, %r9, 2 # Rotate Right Immediate
xor %r9, %r27, %r8 # XOR
add %r5, %r9, %r5 # Add
add %r9, %r4, %r6 # Add
xor %r4, %r30, %r29 # XOR
add %r9, %r9, %r28 # Add
subf %r9, %r11, %r9 # Subtract from
rotlwi %r6, %r9, 5 # Rotate Left Immediate
xor %r4, %r4, %r9 # XOR
add %r6, %r5, %r6 # Add
rotrwi %r28, %r9, 2 # Rotate Right Immediate
add %r10, %r6, %r10 # Add
add %r9, %r4, %r3 # Add
subf %r27, %r11, %r10 # Subtract from
rotlwi %r10, %r27, 5 # Rotate Left Immediate
add %r10, %r9, %r10 # Add
add %r10, %r10, %r8 # Add
subf %r26, %r11, %r10 # Subtract from
bne loc_800F7CC4 # Branch if not equal
lwz %r10, 0(%r24) # Load Word and Zero
lwz %r11, 4(%r24) # Load Word and Zero
add %r8, %r10, %r26 # Add
lwz %r9, 8(%r24) # Load Word and Zero
add %r7, %r11, %r27 # Add
lwz %r10, 0xC(%r24) # Load Word and Zero
lwz %r11, 0x10(%r24) # Load Word and Zero
add %r9, %r9, %r28 # Add
add %r10, %r29, %r10 # Add
add %r11, %r11, %r30 # Add
stw %r8, 0(%r24) # Store Word
stw %r7, 4(%r24) # Store Word
stw %r9, 8(%r24) # Store Word
stw %r10, 0xC(%r24) # Store Word
stw %r11, 0x10(%r24) # Store Word
addi %sp, %sp, 0x1E0 # Add Immediate
b __restgprlr_24 # Branch
# End of function XeCryptShaTransform

this is from commodore4eva post:

These are the routines pulled from the Xbox360 kernel for the decrypt of the Console Challenge Response Table. Hope you find this interesting and worthwhile.
The RSAkey appears not to come from the normal 360 keyvault, but is hard coded, so should be able to write our own CCRT decrypt routine.
I am very busy finishing the V5 extreme for Samsung, and then back on to the 0078 hitachi. Merry Christmas!

Xbox 360 Security Sectors & the Consoles C/R Table Key

jaimebenlasnow · « **Reply #18 on:** December 23, 2006, 06:04:00 PM »

QUOTE

hi, i havent read or posted here in a while, but i came across this page and thought i'd add my 2 cents.

firstly the 16 bytes at 0x460 are the media id, this is used to lock all xex files present a disc to the disc's SS, this is why the same SS cant be used to boot all x360 games. you will see this same media id in the header of all xex files on the disc.

also whereas the xbox1 CR table decryption routines are present in the kernel, the xbox360 CR table decryption routines are hidden inside the hypervisor. the encrypted table is fed in and decrypted by the hypervisor using a hardcoded 128bit aes key. the results of this decryption dont leave the hypervisor except when made into the encrypted atapi packets that get sent to the drive to perform the disc authentication.

Post from loser

also some information on the hypervisor:

QUOTE

Since the hypervisor seems to handle most security related processes, maybe it's a good idea to dedicate a thread to it.

Things we know:

* Hypervisor handles lots of security related tasks. The kernel calls to several security routines inside the hypervisor, like several key management routines and en/decryption routines (like for example x360 CCRT decryption). Almost every 'interesting' routine has been moved from the kernel to the hypervisor this time.
* It handles some (virtual ?) processor inits (probably the last 3 PPU cores). It *seems* that it's running in the first core and starts the others from there (once the kernel is loaded)
* It is started and fully operational before the Kernel is started.
* It handles overflows and monitors for checksums
* It runs in encrypted memory, from 0x00000000 - 0x00020000 (see comments by 'loser' in the other thread)
Also interesting suggestion from him:
Quote
I dont know the encryption algorithm, but im guessing some kinda fast stream cypher like aes. the encryption changes each boot which hints at either a random initialisation vector, or random key used each time. also the encryption seems to be done in 16byte blocks, which also helps the aes style crypt arguement.

There are still a LOT of questions like:

* What is the exact boot order, who inits the loading of the hypervisor and decrypts it.
* Where is the hypervisor stored (somewhere in that first 640kb of the TSOP ?)
* In what encrypted form is the Hypervisor stored and where is its decryption key stored. Is this a 'per box' key ?
* Who manages the en/decryption of the ram it is running in
* Who verifies this ram for checksums
* Where is the code decrypted to (prior to execution)

I know that there are a lot of questions and at the moment good info is scarce. However there are several people doing interesting work at the moment and little by little we get to know more. But progress will only really start to take place if everybody works together, so hopefully this thread will be a place to exchange new info about this interesting piece of code.

Also other good information From probutus

QUOTE

this has already been monitored (see the DVD-Key < - > TSOP thread) and it seems that the first thing who comes up is the southbridge which does further initializations (at least thats the first part which is read from flash)

AFAIK the leds are blinking red even if the CPU or GPU is desoldered (see the excellent desoldering Thread from TMF)
To come to more detailed information it would be very interesting to know which parts of the system are active at the same time like the southbridge.

Is it possible to see exactly when the CPU "wakes up" (e.g. on the power consumption)? If the cpu startup is controlled by the southbridge this would be a HUGE security hole since the SB is not secured with any security key (the sb has already been swapped by TMF). But this would explain why the complete SMC code is read again later on (see startup log): to have some checksums validated which could not be verified earlier because the CPU is not up yet...
...........................................................................................................................................................
thought of several "experiences" we had in the past:
1. Swapping the onboard flash doesnt work (but we still dont know how far the startup goes until it stops)
2. Swapping the southbridge does not have any effect on the operation of the system
3. System blinks even with desoldered cpu or gpu
4. System is completely dead when the TSOP is removed
5. The SMC code looks different in every system

acc. to 1) the key is not (at least not completely) located in the flash but acc. to 2 it is not in the southbridge (at least no machine specific key). But acc. to 3) the smc code seems to be read (and it is encrypted) otherwise the system cant blink... If you look at 3) and 4) there seems to be code for the southbridge in the flash..

This leads me to the assumption that a part of the machine specific key must be stored in flash in order to decode the smc stuff. We dont know much about the southbridge itself (which would be very helpful)

If you want to read up the whole post:
The Hypervisor

And Voila!

Thanks to all those people who work for the scene:

The specialist, Speedy22, Commodore4eva, Probutus, Robinsod, Vax11780 and all of the other cause without those people we might not have those information and also the dream or running homebrew could not be a dream

Thanks
Jaimebenlasnow

HoRnEyDvL · « **Reply #19 on:** December 23, 2006, 06:50:00 PM »

jaimebenlasnow

Thanks for that excellent post. we need more posts like that get all ideas together.

jaimebenlasnow · « **Reply #20 on:** December 23, 2006, 10:28:00 PM »

yes i think that if we get everything compiled here we might faster the process

vax11780 · « **Reply #21 on:** December 23, 2006, 10:37:00 PM »

jaimebenlasnow:

Hrmmm... I must be missing the point.... What advantage is there in decrypting the CR table? We could load backups using a modified DVD drive?

Please explain further....

VAX

vax11780 · « **Reply #22 on:** December 23, 2006, 10:59:00 PM »

Encrypting RAM is VERY difficult. Obfuscating is not...

If you want to read address 100 you have to read 0, 1, 2, 3, 4, 5, ... 99, 100 and feed each value into the stream cipher to get the decrypted value for address 100. You have to read the entire block to write a random address.

Much more likely is an obfuscation of the DRAM, similiar to what was done on the DVD drives. Swap address or data lines, xor words with a constant. A much more complicated obfuscation would modify the XOR constant using a portion of the address. Anything that requires more than two or three levels of logic to modify the data, or requires access to more than the current memory location is not feasible.

Has anybody tapped the DRAM and captured the values written into it? Or disconnected it and dumped the contents during operation (maybe force reset on the GPU and overdrive the DRAM controls)?

A potential timing attack would involve modifying a DRAM read 'on the fly' while the hypervisor is being executed. Just think, stuff the instructions in to tell the hypervisor to accept a bad signature. Note, it is very unlikely this would be feasible to implement on more than a handful of machines, but might provide a way to re-burn the signing key.

VAX

jaimebenlasnow · « **Reply #23 on:** December 24, 2006, 11:16:00 AM »

QUOTE

he Specialist demonstrated that the first version of the Xbox, the Console Challenge Response Table (CCRT) could be decrypted using a key that was also to be found in the Security Sector (SS). The algorithm required was recovered from an analysis of the Xbox 1 BIOS and since this is not yet possible with the Xbox 360 I wondered if anything useful could be deduced.

To help identify the possible purpose of different fields in the SS I diffed SS from the following titles:
GRAW, PAL and NTSC
COD2, PAL and NTSC
Q4 PAL and Q4 Bonus PAL

Ive chosen to ignore the first 16 bytes in the SS since they are understood and have no part in the CCRT encryption. Similarly the Drive Response Table (DRT) starting at 0x661 is also ignored.
0x100
The first interesting section starts at 0x100 (assuming 16 byte alignment) and is absent from Xbox1 SS. The first 0x08 bytes are common to all 6 SS:

0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x06, 0xE0

And are then followed by 20 bytes of data which are identical in the PAL and NTSC editions of the same game but are different for Quake4 and Quake4 bonus disk

0x300 The Encrypted CCRT
The Specialist successfully decrypted this table in an Xbox 1 SS and it is this table in an Xbox 360 SS that is of the most interest to me. The first four bytes are common to all six SS:

0x02, 0x15, 0x00, 0x00

These appear to be version number (was 0x01 for Xbox1), entry count and two bytes of padding. Following this is 252 bytes of CCRT, this suggests a table field size of 12 bytes (21 * 12 = 252). The final table entry (at 0x3F4) always takes the form:

0xE0,CID,0x00,0x00,

The final entry appears to be in plain text, descrambling of the DRT confirms that the CID is that of the type 0xE0 for each of the SS. The encrypted CCRT is then 240 bytes. It is also known that the final C/R exchange (a checksum of previous C/Rs) is of type 0xE0. The encrypted CCRT is identical in the PAL and NTSC versions of GRAW & COD2

0x460
A 16 byte string that is identical for NTSC and PAL versions of the same game but different for Quake4 and Quake4 Bonus. This sequence of bytes is absent in Xbox1 SS

0x49E
In the Xbox 360 SS examined there is a new non zero byte (0x04) present at 0x49E, this is not present in Xbox 1 SS.

0x49F
TheSpecialist found that the Xbox 1 used 44 bytes from offset 0x49F to calculate an SHA hash that was subsequently used to decrypt the CCRT. This field is identical in PAL and NTSC versions of the SS, it is also identical in the Q4 and Q4Bonus SS (possibly a coincidence). The first 8 bytes of this string take the form:

0x00,XX,XX,XX,XX,XX,0xCX,0x01

Where 0xCX takes the values 0xC5 or 0xC6. These two bytes also appear at the end of the section starting at 0x4BA. Interestingly Xbox 1 SS have the values 0xC1,0x01 or 0xC2,0x01 at this position and they are also repeated at the end of the block at 0x4BA

The remaining 36 bytes are identical in all the SS examined, this strongly suggests that this area is not used as an SHA hash (or if it is it isn't the key to the CCRT) since I would expect them to vary.

0x4BA
Seems to be composed of several sub-sections
A version number (0x01 for Xbox1 & 0x02 for Xbox 360)
16 bytes that are common to all the SS examined:

0x2B, 0xE1, 0xD4, 0x62, 0xC8, 0x95, 0x2D, 0x41, 0xB5, 0x80, 0x5E, 0x3F, 0x1A, 0x72, 0x72, 0x01

276 bytes of data that is identical across PAL and NTSC versions but different in Quake4 and Quake4 Bonus SS.
6 bytes of data that are different for all 6 SS examined
2 bytes 0xC5,0x01 or 0xC6,0x01.

0x5FA
Seems to be composed of several sub-sections
17 bytes some of which are common to all the SS examined:

0x02, XX, XX, XX, XX, XX, XX, 0xD9, 0x11, 0xAA, XX, 0x00, 0x10, 0x6F, 0x00, 0x1E, 0xF4

The bytes marked XX appear to vary between NTSC and PAL versions of the same game but they match in the SS from Quake4 and Quake4 Bonus (this could be coincidence since they are identical in other game, for example PAL Kameo and PGR3 SS)

84 bytes of data which different in all 6 SS examined
2 bytes which are common to all the SS examined:

0x02, 0x15

Wheres the Key?
So, assuming that the key is still in the SS, where is it? The Encrypted CCRTs are identical in both PAL and NTSC versions of the same game (and the DRTs confirm that the CRs are the same) but are different for Quake4 and Quake4 Bonus. This strongly suggests that the decryption key should be the same for both PAL and NTSC versions but different for different titles.

There are only 2 candidates:
20 bytes starting at 0x108
16 bytes starting at 0x460

I'm guessing here, but the 16 bytes at 0x460 look like a strong candidate for an AES 128 key.

Also vax...Could you explain me how you want to do the buffer overflow exploit with the dvd drive..Would like more infromation

Thanks another time VAX

ben1989 · « **Reply #24 on:** December 30, 2006, 06:45:00 PM »

here's one for you, if we can work our way throgh the bios there's got to be something in the bios that controls the hipervisor, but between the ana/southbridge and the cpu there's got to be a way to tap the bus.

is there not a way we can run the xbox but while its running tap the inputs and outputs of the tosp then would'nt we get an unencripted output from the bios.

then theres the jtag header near the cpu anyone taped in to that yet?

And theres got to be a way to tap a bus on the 360. because one thing i noticed on the dvd drives is all the test points have been used in the factory to program and test the drive so the test points on the xbox mobo must be used in some simler way to program the cpu for the dvd drive key its alll in there some were its just geting it out

-ben

just translated it from drunk english to english

vax11780 · « **Reply #25 on:** December 30, 2006, 08:21:00 PM »

QUOTE(ben1989 @ Dec 30 2006, 06:52 PM)

here's one for you, if we can work our way throgh the bios there's got to be something in the bios that controls the hipervisor, but between the ana/southbridge and the cpu there's got to be a way to tap the bus.

The specs for the CPU-GPU interface indicates it is a pair of unidirectional 8 bit buses running at 1.35MB/s

I find this somewhat confusing since there are 24 balanced signal pairs between the two chips.

Assuming for the moment there are a pair of 8 bit hypertransport links (IBM designed the CPU-GPU interface and has HT IP), the following differential signals should exist in each direction: Clock, Control, 8 data bits. This is 10 lines, can anyone explain the other 4 (2 in each direction)?

Perhaps there are also a pair for the reference voltage and ground.

I suspect the obfuscation of the data stored in DRAM is done in the CPU using a bit in the page table. I read somewhere the obfuscation is done in 16 byte chunks, and the value changes every reboot. Still, sniffing the bus gives more visibility, and the opportunity to modify the data stream as it flows past. Imagine changing a branch if signature passed instruction to branch always.

QUOTE(ben1989 @ Dec 30 2006, 06:52 PM)

just translated it from drunk english to english

Bad Ben. Bad.

VAX

jaimebenlasnow · « **Reply #26 on:** January 01, 2007, 08:17:00 AM »

QUOTE(Cooliohazord @ Jan 1 2007, 12:55 AM)

Found this while i was watching the 23c3. It appears to be legit, looks similar to the MechAssult exploit of the original Xbox but using King Kong on xbox360. But then again it could be a prank.

The CPU contains a JTAG Pins for maintenance purpose or for other reason if you check on a devkits motherboard there is a little green wire and it might be the hole in that xbox...You kind of disabled everything (hypervisor) and other thing this is why it could be that but this is my 2 cents and take it whit a grain of salt

vax11780 · « **Reply #27 on:** January 01, 2007, 05:26:00 PM »

QUOTE(jaimebenlasnow @ Jan 1 2007, 08:24 AM)

The CPU contains a JTAG Pins for maintenance purpose or for other reason if you check on a devkits motherboard there is a little green wire and it might be the hole in that xbox...You kind of disabled everything (hypervisor) and other thing this is why it could be that but this is my 2 cents and take it whit a grain of salt

JTAG is used for a lot of different things.

Every large chip manufactured uses a JTAG interface for automated testing. It takes too much time to run functional vectors, and built in self test (BIST) rarely gives sufficient fault coverage. The JTAG interface may be simplified (by removing the instruction register) if this is the only mode used. (scan mode)

Systems, like the xbox360, may also use boundary scan to test the interconnect between chips on the PCB.

JTAG can also be used during system manufacturing to program memories, and blow eFuses.

Finally, JTAG is also used to access trace/debug hardware built into the chip, but one method of securing a processor is to blow a fuse that disables the trace/debug hardware on production units.

In scan mode, almost all of the flip-flops in the chip are chained together into one long shift register. If you know exactly which positions in the scan chain correspond to a particular feature (for example, the program counter) you can clock the entire chain out, change the program counter to any value you want, the clock the entire chain back in.

Now, hoodie could be doing exactly that, stop the system clocks, change a few bits inside one of the chips, the restart the system clocks.

But I doubt it.

VAX

jaimebenlasnow · « **Reply #28 on:** January 01, 2007, 07:53:00 PM »

Hey, vax you seem to know what you are talking about could you please give us your opinions about this hoodie hacker and would be much appreciated!!

vax11780 · « **Reply #29 on:** January 02, 2007, 09:07:00 PM »

QUOTE(jaimebenlasnow @ Jan 1 2007, 08:00 PM)

Hey, vax you seem to know what you are talking about could you please give us your opinions about this hoodie hacker and would be much appreciated!!

Yeah, I can spin a good line of BS when I want to.

I can think of a dozen ways for hoodie to have faked the show and another dozen for real hacks that might give the same result but there isn't enough information to draw a conclusion one way or the other.

Right now I'd display cautious optimism, and continue on with what I'm working on.

VAX

PS I'm having a major craving for tapioca pudding. Am I the only one?

Author Topic: Let The Hacking Begin (Read 388 times)