-
My current kernel and dash have been upgraded to: 2.0.2241.0
(D:2.0.2241.0 - K:2.0.2241.0)
BK:2.0.1888.0
I'm guessing that BK = Backed-up Kernel, since I think that if we're flashing from Live there would be a backup kept.
Also, when I opened my console it said revision 1888, so I'm quite sure that's the version it shipped with. Everyone, please post your results, whether you've connected to Live or not, and, if you can remember, how many updates you've received. I've received two if I remember correctly.
Edit: To view this information simply go to your dashboard. Then go to the system tab. Next go to console settings. Then go into system info. You'll notice information similar to what I posted above in the lower left.
I also applied a thin layer of Arctic Silver 5 to my CPU and GPU. I'd recommend the same, since the GPU uses an aluminum pad.
-
Ah, now I see how MS can trust a kernel update at the consumer level: they keep a backup at all times, much like the Xenium recovery mode (they probably got the idea from us).
It also means any hope of a 360 version of a TSOP flash is probably dead; they would just see the hacked BIOS and overwrite it from the backup.
-
QUOTE(bobhinkle1 @ Nov 27 2005, 01:05 PM)

Ah, but you're missing the upside. There is the ability to make the Xbox try and flash its TSOP. You just have to trigger it and then force a different one into memory. The Xbox could flash your BIOS on its own. You're screwed if that one doesn't work.
Yeah, maybe in an emergency recovery flash there aren't heavy security checks to validate that backup (HIGHLY UNLIKELY). That way we could flash the recovery bank with a hacked BIOS and force it to recover.
-
QUOTE(lordvader129 @ Nov 27 2005, 06:59 PM)

Ah, now I see how MS can trust a kernel update at the consumer level: they keep a backup at all times, much like the Xenium recovery mode (they probably got the idea from us).
It also means any hope of a 360 version of a TSOP flash is probably dead; they would just see the hacked BIOS and overwrite it from the backup.
But if you don't hook up your Xbox to Live, however....
-
Maybe you can sniff the file when it passes your LAN and take a look; maybe some other information goes along with it while the new kernel comes home.
-
QUOTE(BCfosheezy @ Nov 27 2005, 02:03 PM)

Yeah, maybe in an emergency recovery flash there aren't heavy security checks to validate that backup (HIGHLY UNLIKELY). That way we could flash the recovery bank with a hacked BIOS and force it to recover.
I don't think it's unlikely they'll run a checksum on the backup; that's assuming the backup bank is even programmable (Xenium's isn't).
But I guess for that info we have to wait for the second Live update to see if the BK changes.
-
QUOTE(gonkle @ Nov 27 2005, 03:45 PM)

Maybe you can sniff the file when it passes your LAN and take a look; maybe some other information goes along with it while the new kernel comes home.
Well, it might at least tell us how to initiate a TSOP flash across a network. I'm sure everything that comes from Live is encrypted though, so it's doubtful. I'd be just as interested, if not more interested, in a way to read the contents of the TSOP across the network.
-
On a different note, I did a short little sniff of the network packets and found out that our 360's are running a webserver. This was involved with my Windows Media Connect service running on my laptop and my 360, so there might eventually be something useful come of this. So far don't get excited, because it is nothing. The Xbox sent me a page of XML. If you'd like to see it, type this into your web browser while your 360 is on and on the same network on all layers of the OSI model.
http://(Your 360's IP):1028
So for most with DHCP running on their nifty PnP Linksys router it will look something like this:
http://192.168.0.4:1028
-
At least this means that the BIOS is writable, wherever it actually is.
-
QUOTE(deadparrot @ Nov 28 2005, 10:31 AM)

At least this means that the BIOS is writable, wherever it actually is.
xbox-linux confirms the kernel and the bootloader are on the processor die.
The question is, how much of the security is in the bootloader? On the Xbox it was just a simple hash check that was easy to fool, so we were able to trick it into loading any hacked kernel we wanted. MS is unlikely to make the same mistake twice. I think we need to find a way to rip and examine the bootloader, not the kernel. I think even if we figure out a way to initiate a kernel update locally and inject our own hacked kernel, the bootloader won't touch it because it isn't signed; it will just restore the backup kernel.
-
QUOTE(atomiX @ Nov 28 2005, 10:14 AM)

http://forums.xbox-s...howtopic=462790
Don't know if you meant 1026 instead of 1028, but either way... basically the same. Looks like it's used for UPnP.
No, on mine it was definitely 1028, because I copied and pasted it directly. I thought it was odd that others' ports were 1026. Maybe for whatever reason my port 1026 was not available and it had to switch. If you look at the time of the posts I actually made this discovery first. Not that it matters. I know that they did not copy and I just wanted to make it clear that I did not copy.
-
Like you said, it doesn't really matter, but according to what I see, they posted first. Let's not dwell on this though. As it's been said before, this is yet another possible way to exploit the system. With MS allowing the system to communicate with the outside even more than the Xbox, it opens up more possibilities, but we still have to remind ourselves that the core of the hardware is protected beyond anything seen before. They said the first Xbox was unhackable, yet it was able to run unsigned code within months. I'm confident the same will happen here...maybe not as fast, but it will nonetheless.
-
QUOTE
MS allowing the system to communicate with the outside even more than the Xbox
The only reason MS is allowing that is because
QUOTE
the core of the hardware is protected beyond anything seen before.
MS is confident that any outside attacks can and will be blocked in the processor core, and they are justified in their confidence.
I think we have to wait till MS starts sending more stuff out through Live; if the 360 hasn't been cracked in a year they might start getting lazy and leave a hole somewhere.
-
QUOTE(atomiX @ Nov 29 2005, 11:36 AM)

Some have speculated that if a hacked kernel is found in memory, the backup kernel might be loaded to replace it.
Hmm, I'd say if a hacked kernel is put into memory the primary kernel would be loaded to replace it.
If a hacked kernel were somehow programmed onto the processor in place of the primary, then the backup would be loaded to replace it.
If we find a software exploit on the backup kernel, then we might be able to trick an updated Xbox into loading the backup by programming a bogus hacked kernel over the primary.
This however assumes 2 things:
1: we'll find a software exploit on the older kernel
2: we'll be able to reprogram the primary without an official update from Live
Personally I fear that any attempt to load a hacked kernel via either PBL/nkpatcher-type software or a modchip device will simply result in a reload of the retail kernel from either the primary or backup ROMs.
We might have to go about a modchip a totally different way, like with the Saturn; I believe that chip physically intercepted the signal from the CD drive and reported a false media type. This type of hack on the 360 will at least allow playing signed backups, but not homebrew apps, but it would be a start.
-
QUOTE(atomiX @ Nov 29 2005, 07:37 AM)

Like you said, it doesn't really matter, but according to what I see, they posted first. Let's not dwell on this though. As it's been said before, this is yet another possible way to exploit the system. With MS allowing the system to communicate with the outside even more than the Xbox, it opens up more possibilities, but we still have to remind ourselves that the core of the hardware is protected beyond anything seen before. They said the first Xbox was unhackable, yet it was able to run unsigned code within months. I'm confident the same will happen here...maybe not as fast, but it will nonetheless.
K... I'm wrong.
At any rate, I'm at work, but this crazy thought hit me and it's probably stupid, but I'd like to know. You can change your motto (for example) online from xbox.com. Your Xbox updates when it's connected to Live. Does this display when you're not connected to Live? Tons of "ifs" start now. If so, is this transmission cleartext or encrypted? (Pretty sure everything from Live is encrypted.) If we could manipulate the packets we could in theory gain access to wherever these Live settings are stored. Even if this is the case it would still be impossible to execute due to the hypervisor, but it could possibly be a way to store data on the HDD? I don't know. I'm sure this is stupid, but I wanted to throw it out there.
-
QUOTE(atomiX @ Nov 29 2005, 02:13 PM)

The connection to Live itself is not encrypted but the actual data is. This is all assuming that all data is transferred like the marketplace content is. I haven't sniffed my Live traffic since I don't have any hubs lying around, but I'm sure some have already.
As for packet manipulation, I'm not sure I get where you're going. Transferring our own data to the HD by spoofing LIVE?
Well yeah. I know it's a totally different thing, but for example xbc and xlink. They intercept a packet sent from a known MAC, encapsulate it for transmission over the internet and send it. Well, I'm not proposing that we add another layer or do anything other than intercept the packet and manipulate it for whatever purpose. I honestly don't have enough knowledge to know what that could lead to if it indeed proved possible, but if things went well it could possibly be of use.
Well anyways, I know you knew that, and that's not the question you asked, after reading your post again. You were asking if this was about writing to the HD by spoofing Live, and the answer is yes. I rationalized that if it was storing the gamercard information on the HD, and since you can update it via your computer on xbox.com, that some data was sent to the 360 to make it reflect that change. I theorized that if an individual intercepted that packet destined for the 360 and manipulated it, there's a possibility they could at the very least change their motto, just for proof that they actually did this. If that were possible, there is a chance that something else could be placed inside this folder instead of overwriting whatever configuration it is currently overwriting.
-
I just thought I'd add this from a XeDK screenshot just to confirm what we already know.
I borrowed this pic from poiygon who got this at zero hour.
Here's the original thread: http://forums.xbox-s...howtopic=464528
Here's probably the best pic that shows the version of the ROM on the flash and the version of the XDK: [pic]
-
Of course there's authentication, as if the system is gonna accept something as critical as a kernel update just because it comes in on the right port.
We've never been able to spoof Live with an Xbox 1, and I think it's reasonable to assume the 360 will have some sort of beefed-up handshake process because of the additional critical updates being delivered this way (kernel updates, for example).
-
QUOTE
Is the backup kernel programmed or hardcoded in some chip on the 360?
My guess would be hardcoded, but we probably won't know until the second kernel update via Live.
QUOTE
If it's hardcoded, the next question is, is it replaceable?
Doubtful; remember all these critical components are on the processor itself. It would be next to impossible for anyone to remove and replace components.
QUOTE
And if it's programmed, can we reprogram it?
If this is the case then yeah, I'm sure we can figure out a way to program it. However, my worries still lie with the hypervisor: if we program both the backup and the primary kernel they will both fail hash and signature checks, so the hypervisor will just throw the whole system into a reflashing loop and you won't be able to do anything with the system.
QUOTE
One other question: the backup kernel in the box, is it encrypted, compressed, both, or plain code?
It will definitely be encrypted; I would say not compressed though. There's not much to compress on it, and it's likely so small they wouldn't risk corruption just to save a couple KB.
-
The hypervisor is something I'm going to have to do a lot of research on to post intelligently. This just hit me though. Any altered or homebrew code obviously fails the security checks. Once we figure out exactly how it works, it may be possible to use a signed MS executable as a static application. Let me explain. No matter what piece of code we try to run, we force the hypervisor to see the signed app and then, once checks are passed, switch over to our manipulated code seamlessly, so the hypervisor was never aware that it was executing any code other than the signed MS code. This in itself does not seem possible, knowing that the hypervisor is actually what software sees as executing the code, and the actual thing doing the switching is the very thing we are trying to fool. It's just an ignorant idea I had.
-
atomiX - Sniff the data going from Live without a hub. Look into ettercap. It allows for ARP cache poisoning, whereby the target of the poison is fooled to think that the node running the poison is the switch, and the switch is fooled into thinking the person running the poisoning is the one who was poisoned. It's called a man-in-the-middle attack.
I'd do it...but I don't have an Xbox to poke at.
Though the data from Live may be encrypted, to my knowledge we have as of yet to even suck down the encrypted contents of the TSOP. With a large transmission from Live, we may be able to pull out the data that contains a kernel update, and at least be able to toy around with the encrypted BIOS...at least to see its structure, and begin looking for weaknesses in its crypt. We can't even do that without the encrypted BIOS, though.
-
QUOTE(ryan_the_leach @ Dec 5 2005, 09:04 AM)

but if this "switching" was done by external hardware?
It doesn't matter. ARP packets are broadcast across the network, and as such, it creates a race condition if a program is able to spoof a header. Google for ARP poisoning if you wish to understand the underlying workings of it (good), or take a Cisco course (better).
-
QUOTE
^Decrypted with hex editor
QUOTE
° xam.xex
xboxkrnl.exe
^found before a big chunk of encrypted text
-
QUOTE(defnator @ Dec 13 2005, 09:46 AM)

And what can we do with this interesting line?
Well basically nothing at all. There's nothing wrong with finding and sharing information though because the #1 key to manipulating anything is first knowing how it works. We really don't know very much about the 360 so any gathering of information about it brings us a step closer.... albeit much smaller than a baby step but it still brings us closer.
-
Yeah, I also found that .exe "executable" line in a xex.
P.S. I've found it in multiple xex's now.
Now let me ask this: how did that xbox->pc->internet tunneling thing work? Did you have to have a modded Xbox? If not, is it possible to connect to Xbox Live via that process and extract incoming data and packets to your PC that way? Just a thought.
Also, I recommend that if you have a PC and can use the ISO extractor (there is no extractor for the Mac yet), extract the xex and look at them with a hex editor. This is what I've found in some xex's:
d:\xenonfre\main\core\private\tools\cert\demofixer\obj\xbox\demofixer.pdb
J:\defualt.xex\Device\CdRom0..XLNI_DASH_ARCADE
XLNI_DET_MEDIA
..OK
.OK
OK
OK
..OK
U.x
.OK
.Aceptar [This game does not support pal 50 please change your display setting to pal 60. To change your setting in System select Console Settings Display
MS XBOX MEDIA_DVD_LAYOUT_TOOL_SIG
-
QUOTE(PS2MXBOX @ Dec 14 2005, 01:13 AM)

Yeah, I also found that .exe "executable" line in a xex.
P.S. I've found it in multiple xex's now.
Now let me ask this: how did that xbox->pc->internet tunneling thing work? Did you have to have a modded Xbox? If not, is it possible to connect to Xbox Live via that process and extract incoming data and packets to your PC that way? Just a thought.
Also, I recommend that if you have a PC and can use the ISO extractor (there is no extractor for the Mac yet), extract the xex and look at them with a hex editor. This is what I've found in some xex's:
d:\xenonfre\main\core\private\tools\cert\demofixer\obj\xbox\demofixer.pdb
J:\defualt.xex\Device\CdRom0..XLNI_DASH_ARCADE
XLNI_DET_MEDIA
..OK
.OK
OK
OK
..OK
U.x
.OK
.Aceptar [This game does not support pal 50 please change your display setting to pal 60. To change your setting in System select Console Settings Display
MS XBOX MEDIA_DVD_LAYOUT_TOOL_SIG
This line is particularly interesting:
d:\xenonfre\main\core\private\tools\cert\demofixer\obj\xbox\demofixer.pdb
Now, assuming that's on the DVD drive (D: ?), it looks to be referring to a certificate / certification process? Maybe someone should take a look at demofixer.pdb if they can. I wonder if it's a process that adds a certificate into the system to allow the demo to run?
-
QUOTE(Darren101 @ Dec 14 2005, 09:54 AM)

From what I hear, the xbox360 can run signed .xex files from a burned cd.....
So can the Xbox 1; that's nothing new.
The problem is the flash updater will likely fail a media check from a CD-R (it would probably be signed to run off the HD only).
Also the BIOS would likely fail a signature check, or a hash check/checksum.
I seriously doubt we are gonna make a CD-R that you just pop in and it mods your 360.
-
QUOTE(Darren101 @ Dec 14 2005, 10:52 AM)

Still, if we could get the BIOS/kernel, it could help us with hacking the Xbox 360.....
Edit: Spelling Mistakes

Yes it would; the trouble is finding a way to load the hacked/modified kernel, but that's why we're here, lol.
-
Hey, I gotta question: when .xex's are signed with the private key, it only references the integrity of the .xex itself, right? ...or does it also hash all the content files (that the .xex would load) too? ...I don't think this would be the case though, because then you have a 4+ gig game and it's not gonna hash all of it. So all this means is that we can't modify the .xex without breaking the checksum.....but on the emulation profile update, there is no media check (rather it's lenient). But there is only 1 file (the xex)...M$ prolly knew this so included all content into the xex itself so that it would all be checksummed. So, if we could find a signed xex that references some external file, and is signed for lenient media checks, it might be possible to get the xex to load something user created...But then they probably haven't made such an xex yet. Bah, wtf, I can't sleep right now and I have no idea what I'm talking about.
-
QUOTE(enixn @ Dec 23 2005, 08:50 AM)

Hey, I gotta question: when .xex's are signed with the private key, it only references the integrity of the .xex itself, right? ...or does it also hash all the content files (that the .xex would load) too? ...I don't think this would be the case though, because then you have a 4+ gig game and it's not gonna hash all of it. So all this means is that we can't modify the .xex without breaking the checksum.....but on the emulation profile update, there is no media check (rather it's lenient). But there is only 1 file (the xex)...M$ prolly knew this so included all content into the xex itself so that it would all be checksummed. So, if we could find a signed xex that references some external file, and is signed for lenient media checks, it might be possible to get the xex to load something user created...But then they probably haven't made such an xex yet. Bah, wtf, I can't sleep right now and I have no idea what I'm talking about.

Well, (depending on what encryption is used) it should be done in two parts: digital signature, and hashing. The Xbox used a combination of SHA1 for hashing and RSA1024 for its digital signature. If the contents of a file have been altered, the SHA1 check fails. The RSA check is to make sure it's real approved code itself.
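The two-part check described in the post above (a SHA-1 hash over the file, then an RSA signature over that hash), together with the question from enixn's post about whether a signature over the .xex says anything about the external content files it loads, can be modelled in a few dozen lines. The code below is an added example written for this thread, not code from the forum, from Microsoft or from any real XEX tool: the package layout (a `MANIFEST`/`CODE` blob plus a digest and signature), the manifest format, the tiny 256-bit textbook RSA keys without padding, and the sample "code" and "content files" are all constructed for illustration. What it shows is which check catches which kind of tampering, and that an external file is only protected when its hash was inside the signed image.

```python
"""Toy model of a two-part code-signing check: SHA-1 hash + RSA signature.

Constructed example; NOT the real Xbox/XEX format. Textbook RSA with a
256-bit modulus and no padding is used only so the block runs offline with
the standard library (Python 3.8+ for pow(e, -1, phi)).
"""
import hashlib
import random


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin probable-prime test (good enough for a toy key)."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def make_keypair(bits=256):
    """Return ((n, e), (n, d)). The modulus must exceed the 160-bit SHA-1
    digest, so keep bits >= 192 (toy sizes only; real keys are 1024+)."""
    e = 65537
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % e:
            return (p * q, e), (p * q, pow(e, -1, phi))


def build_image(code, content_files, cover_content):
    """Assemble the unsigned image: optional manifest of SHA-1s for the
    external content files, then the code (constructed layout)."""
    manifest = b""
    if cover_content:
        for name in sorted(content_files):
            digest = hashlib.sha1(content_files[name]).hexdigest().encode()
            manifest += name.encode() + b"=" + digest + b"\n"
    return b"MANIFEST\n" + manifest + b"CODE\n" + code


def sign_package(image, priv):
    """Hash the image, then sign the digest with the private key."""
    n, d = priv
    digest = hashlib.sha1(image).digest()
    return {"image": image, "digest": digest,
            "sig": pow(int.from_bytes(digest, "big"), d, n)}


def verify_package(pkg, pub, content_files):
    """Return 'ok' or the name of the first check that fails."""
    n, e = pub
    # 1. hash check: does the image still match the digest it shipped with?
    if hashlib.sha1(pkg["image"]).digest() != pkg["digest"]:
        return "hash check failed: image altered"
    # 2. signature check: was that digest signed by the trusted key?
    if pow(pkg["sig"], e, n) != int.from_bytes(pkg["digest"], "big"):
        return "signature check failed: not signed by trusted key"
    # 3. external files are checked only if the signed manifest names them
    manifest, _, _ = pkg["image"].partition(b"CODE\n")
    for line in manifest.splitlines():
        if b"=" not in line:
            continue
        name, _, digest = line.partition(b"=")
        data = content_files.get(name.decode())
        if data is None or hashlib.sha1(data).hexdigest().encode() != digest:
            return "content check failed: %s altered" % name.decode()
    return "ok"


def demo():
    """Run the five tampering scenarios and return {case: verdict}."""
    random.seed(1)                      # deterministic toy keys
    trusted_pub, trusted_priv = make_keypair()
    _other_pub, other_priv = make_keypair()   # an attacker's own key
    code = b"original xex code"
    content = {"level1.dat": b"level data"}   # constructed external file
    results = {}
    pkg = sign_package(build_image(code, content, True), trusted_priv)
    results["clean"] = verify_package(pkg, trusted_pub, content)
    # code patched without touching the shipped digest -> hash check fails
    patched = dict(pkg, image=pkg["image"].replace(b"original", b"modified"))
    results["altered_code"] = verify_package(patched, trusted_pub, content)
    # same patch, re-hashed and re-signed with a key MS never issued
    resigned = sign_package(patched["image"], other_priv)
    results["resigned"] = verify_package(resigned, trusted_pub, content)
    # external file changed; manifest covers it, so it is caught
    results["content_covered"] = verify_package(pkg, trusted_pub, {"level1.dat": b"hacked"})
    # external file changed; image signed without a manifest -> not caught
    loose = sign_package(build_image(code, content, False), trusted_priv)
    results["content_uncovered"] = verify_package(loose, trusted_pub, {"level1.dat": b"hacked"})
    return results


if __name__ == "__main__":
    for case, verdict in demo().items():
        print("%-18s %s" % (case, verdict))
```

The last two cases are the answer to the earlier question: a signature over the executable alone proves nothing about files it loads from outside the signed blob, which is exactly why folding everything into one signed image (as the post says MS did for the emulator update) closes that gap.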
-
QUOTE(enixn @ Dec 23 2005, 01:50 AM)

Hey, I gotta question: when .xex's are signed with the private key, it only references the integrity of the .xex itself, right? ...or does it also hash all the content files (that the .xex would load) too? ...I don't think this would be the case though, because then you have a 4+ gig game and it's not gonna hash all of it. So all this means is that we can't modify the .xex without breaking the checksum.....but on the emulation profile update, there is no media check (rather it's lenient). But there is only 1 file (the xex)...M$ prolly knew this so included all content into the xex itself so that it would all be checksummed. So, if we could find a signed xex that references some external file, and is signed for lenient media checks, it might be possible to get the xex to load something user created...But then they probably haven't made such an xex yet. Bah, wtf, I can't sleep right now and I have no idea what I'm talking about.

Well, think about it: as you said, MS was very careful to make sure the emulator update was entirely within one xex, so we can't use it for hacking. You think they are just gonna give us another xex that we can use?
But yeah, if they did we might be able to use it. However, MS has been uber-careful when letting xbes out without media checks (Xbox Live Arcade didn't help us any either).
-
So I remember reading somewhere that the xex of the emulation profile update was kinda like a zip file, which, if true, means that it extracts the content somewhere first before moving it around on the HDD...would they first be extracted to the HDD? ...or can the files exist in RAM and from there be copied directly to the HDD into their specific location? ...but then everything read to RAM is encrypted, I think, and so on and so forth...
-
QUOTE(enixn @ Dec 23 2005, 02:04 PM)

So I remember reading somewhere that the xex of the emulation profile update was kinda like a zip file, which, if true, means that it extracts the content somewhere first before moving it around on the HDD...would they first be extracted to the HDD? ...or can the files exist in RAM and from there be copied directly to the HDD into their specific location? ...but then everything read to RAM is encrypted, I think, and so on and so forth...
The files would be extracted straight to the HD.
-
Aha, so I guess M$ did it after all....A disc was created with a loose media check that references external files:
http://forums.xbox-s...howtopic=474350 . So now, back to my original post: anyone think it's still possible? ...hehe
-
QUOTE(cregan @ Jan 30 2006, 09:31 PM)

My 360 just flashed its kernel and dashboard for a second time. My Xbox was (D:2.0.2241.0 - K:2.0.2241.0) but now it updated to (D:2.0.2255.0 - K:2.0.2255.0), but my BK is still (2.0.1888.0). This doesn't mean that the backup isn't reprogrammable, but it does mean that the 360 doesn't automatically update its backup to the current kernel when the current kernel is being updated. This is what I expected. My question is: does anybody know a way to get the 360 to reflash its backup? My computer has 2 network ports and I want to try using it as a server between my 360 and the internet (Xbox Live). If I could get the Xbox to update through my computer I could get more info on how it's done. The only problem is that I never know when my 360's gonna update, and if I did get it I'd only get one shot at trying to read any info.
What you need is a second 360, or a friend with one; once yours updates, bring him over and let his update.
It would actually be interesting to see how an update from 1888 to 2255 goes.
Personally I don't believe the backup kernel would be left writable. The idea behind it would be that if your 360 gets a bad flash, this will let it reprogram itself; by putting the backup in jeopardy of a bad flash you pretty much nullify its entire purpose.
-
Maybe if you run your internet connection through your PC with 2 NICs, like your main connection on NIC 1 and have that shared to NIC 2 for your 360, then use a program like Packetyzer to capture the packets, then disassemble them, then learn how it works and write your own flash, then turn your PC into a Live server and make it update.
sounds farfetched
c ya
-
QUOTE(littlestevie360 @ May 20 2006, 07:27 AM)

I'm under the impression that the Bootstrap and the Kernel are burned into the CPU (i.e. not reprogrammable)
and that the Kernel update is in fact a patch that is written to the TSOP. Thus BK standing for Base Kernel, not Backup Kernel.
This is my opinion on the matter and in theory works perfectly; it's n00b pr00f.
Littlestevie360
Unless the BK revision changes after a dash update
-
QUOTE(BCfosheezy @ Nov 27 2005, 06:49 PM)
