xboxscene.org forums


Author Topic: Kernel/dash Versions For Reference  (Read 633 times)

BCfosheezy

« on: November 27, 2005, 10:42:00 AM »

My current kernel and dash have been upgraded to: 2.0.2241.0

(D:2.0.2241.0 - K:2.0.2241.0)
BK:2.0.1888.0

I'm guessing that BK = Backed up Kernel since I think if we're flashing from Live that there would be a backup kept.
Also, when I opened my console it said revision 1888 so I'm quite sure that's the version it shipped with. Everyone please post your results and if you've connected to live or not and if you can remember, how many updates you've received. I've received two if I remember correctly.

Edit: To view this information simply go to your dashboard. Then go to the system tab. Next go to console settings. Then go into system info. You'll notice information similar to what I posted above in the lower left.

I also applied a thin layer of Arctic Silver 5 to my cpu and gpu. I'd recommend the same since the gpu uses an aluminum pad. :)

lordvader129

« Reply #1 on: November 27, 2005, 11:52:00 AM »

ah, now i see how MS can trust a kernel update to the consumer level, they keep a backup at all times, much like the xenium recovery mode (probably got the idea from us)

also means any hope of a 360 version of a TSOP flash is probably dead, they would just see the hacked bios and overwrite it from the backup

BCfosheezy

« Reply #2 on: November 27, 2005, 12:56:00 PM »

QUOTE(bobhinkle1 @ Nov 27 2005, 01:05 PM)

ah but you're missing the upside. there is the ability to make the xbox try and flash its tsop. you just have to trigger it and then force a different one into memory. xbox could flash your bios on its own. You're screwed if that one doesn't work.

Yeah maybe in an emergency recovery flash there aren't heavy security checks to validate that backup. (HIGHLY UNLIKELY) This way we could flash the recovery bank with a hacked bios and force it to recover.

bucko

« Reply #3 on: November 27, 2005, 01:29:00 PM »

QUOTE(lordvader129 @ Nov 27 2005, 06:59 PM)

ah, now i see how MS can trust a kernel update to the consumer level, they keep a backup at all times, much like the xenium recovery mode (probably got the idea from us)

also means any hope of a 360 version of a TSOP flash is probably dead, they would just see the hacked bios and overwrite it from the backup



But if you don't hook up your xbox to live however....

gonkle

« Reply #4 on: November 27, 2005, 02:38:00 PM »

maybe you can sniff the file when it passes your LAN and take a look, maybe there goes some other information while the new kernel comes home

lordvader129

« Reply #5 on: November 27, 2005, 05:12:00 PM »

QUOTE(BCfosheezy @ Nov 27 2005, 02:03 PM)

Yeah maybe in an emergency recovery flash there aren't heavy security checks to validate that backup. (HIGHLY UNLIKELY) This way we could flash the recovery bank with a hacked bios and force it to recover.

i don't think it's unlikely they'll run a checksum on the backup, that's assuming the backup bank is even programmable (xenium's isn't)

but i guess for that info we have to wait for the second Live update to see if the BK changes

BCfosheezy

« Reply #6 on: November 27, 2005, 06:47:00 PM »

QUOTE(gonkle @ Nov 27 2005, 03:45 PM)

maybe you can sniff the file when it passes your LAN and take a look, maybe there goes some other information while the new kernel comes home


Well it might at least tell us how to initiate a tsop flash across a network. I'm sure everything that comes from live is encrypted though so it's doubtful. I'd be just as interested if not more interested in a way to read the contents of the tsop across the network.

BCfosheezy

« Reply #7 on: November 27, 2005, 07:27:00 PM »

On a different note, I did a short little sniff of the network packets and found out that our 360s are running a webserver. This was involved with my windows media connect service running on my laptop and my 360 so there might eventually be something useful come of this. So far don't get excited because it is nothing. The Xbox sent me a page of xml. If you'd like to see it type this into your web browser while your 360 is on and on the same network on all layers of the OSI model :).

http://(Your 360's IP):1028

So for most with dhcp running on their nifty pnp linksys router it will look something like this:
http://192.168.0.4:1028

deadparrot

« Reply #8 on: November 28, 2005, 09:24:00 AM »

At least this means that the BIOS is writable, wherever it actually is.

lordvader129

« Reply #9 on: November 28, 2005, 10:16:00 AM »

QUOTE(deadparrot @ Nov 28 2005, 10:31 AM)

At least this means that the BIOS is writable, wherever it actually is.

xbox-linux confirms the kernel and the bootloader are on the processor die

the question is, how much of the security is in the bootloader? on the xbox it was just a simple hash check that was easy to fool, so we were able to trick it into loading any hacked kernel we wanted, MS is unlikely to make the same mistake twice, i think we need to find a way to rip and examine the bootloader, not the kernel, i think even if we figure out a way to initiate a kernel update locally, and inject our own hacked kernel, the bootloader won't touch it because it isn't signed, it will just restore the backup kernel

BCfosheezy

« Reply #10 on: November 28, 2005, 02:46:00 PM »

QUOTE(atomiX @ Nov 28 2005, 10:14 AM)

http://forums.xbox-s...howtopic=462790
Don't know if you meant 1026 instead of 1028 but either way...basically the same. Looks like its used for UPnP.


No, on mine it was definitely 1028 because I copy and pasted it directly. I thought it was odd that others' ports were 1026. Maybe for whatever reason my port 1026 was not available and it had to switch. If you look at the time of posts I actually made this discovery first. Not that it matters. I know that they did not copy and I just wanted to make it clear that I did not copy :)

atomiX

« Reply #11 on: November 29, 2005, 06:30:00 AM »

Like you said, it doesn't really matter but according to what I see, they posted first. Let's not dwell on this though. As it's been said before, this is yet another possible way to exploit the system. With MS allowing the system to communicate with the outside even more than the Xbox, it opens up more possibilities but we still have to remind ourselves that the core of the hardware is protected beyond anything seen before. They said the first Xbox was unhackable, yet it was able to run unsigned code within months. I'm confident the same will happen here...maybe not as fast but will nonetheless.

lordvader129

« Reply #12 on: November 29, 2005, 08:58:00 AM »

QUOTE
MS allowing the system to communicate with the outside even more than the Xbox

the only reason MS is allowing that is because
QUOTE
the core of the hardware is protected beyond anything seen before.


MS is confident that any outside attacks can and will be blocked in the processor core, and they are justified in their confidence

i think we have to wait til MS starts sending more stuff out through Live, if 360 hasn't been cracked in a year they might start getting lazy and leave a hole somewhere

lordvader129

« Reply #13 on: November 29, 2005, 11:18:00 AM »

QUOTE(atomiX @ Nov 29 2005, 11:36 AM)

Some have speculated that if a hacked kernel is found in memory, the backup kernel might be loaded to replace it.

hmm, i'd say if a hacked kernel is put into memory the primary kernel would be loaded to replace it

if a hacked kernel were somehow programmed onto the processor in place of the primary then the backup would be loaded to replace it


if we find a software exploit on the backup kernel then we might be able to trick an updated xbox into loading the backup by programming a bogus hacked kernel over the primary

this however assumes 2 things

1: we'll find a software exploit on the older kernel
2: we'll be able to reprogram the primary without an official update from Live

personally i fear that any attempt to load a hacked kernel via either PBL/nkpatcher-type software or a modchip device will simply result in a reload of the retail kernel from either the primary or backup roms

we might have to go about modchip a totally different way, like with saturn, i believe that chip physically intercepted the signal from the cd drive and reported a false media type, this type of hack on the 360 will at least allow playing signed backups, but not homebrew apps, but it would be a start

BCfosheezy

« Reply #14 on: November 29, 2005, 12:16:00 PM »

QUOTE(atomiX @ Nov 29 2005, 07:37 AM)

Like you said, it doesn't really matter but according to what I see, they posted first. Let's not dwell on this though. As it's been said before, this is yet another possible way to exploit the system. With MS allowing the system to communicate with the outside even more than the Xbox, it opens up more possibilities but we still have to remind ourselves that the core of the hardware is protected beyond anything seen before. They said the first Xbox was unhackable, yet it was able to run unsigned code within months. I'm confident the same will happen here...maybe not as fast but will nonetheless.


K... I'm wrong.

At any rate I'm at work but this crazy thought hit me and it's probably stupid but I'd like to know. You can change your motto (for example) online from xbox.com. Your xbox updates when it's connected to live. Does this display when you're not connected to live? Tons of "ifs" start now. If so is this transmission cleartext or encrypted? (pretty sure everything from live is encrypted) If we could manipulate the packets we could in theory gain access to wherever these live settings are stored. Even if this is the case it would still be impossible to execute due to the hypervisor but it could possibly be a way to store data on the hdd? I don't know. I'm sure this is stupid but I wanted to throw it out there.