xboxscene.org forums


Xbox-Scene

'Hello World' - First Public Homebrew Code Running via Hypervisor Exploit
Posted by XanTium | March 2 00:55 EST | News Category: Xbox360
 
Crawler360 released what looks like the first 'homebrew' program that you can run on a retail Xbox360 using the Xbox360 Hypervisor Vulnerability released Tuesday. The program itself will just display a "Hello, world!" message, so you can see it as a proof-of-concept of the Hypervisor Vulnerability using the King Kong shader 'hack'.
However, this isn't a hack the average end-user can try out already, as for now it'll require the King Kong game, a modified DVD firmware or disc-swap (which are both still fairly easy to do), but you will also have to connect the serial port on your Xbox360, compile the code from sources yourself and you'll need kernel 4532 or 4548 (most of you are probably already updated to the patched 4552 kernel - and right now there's no way to downgrade as Microsoft probably blew up an eFuse to prevent kernel downgrades). If you have a kernel below 4532/4548 you can upgrade 'safely' to 4532 using the burnable HD-DVD software update called HD_DVD_10-2006.zip (the readme includes a URL for it on the MS servers, but the file is already offline ... however I'm sure it'll still be out there somewhere, the md5 is cd4db8e2c94266ab73513c361dd5b8f6).

From the readme/nfo:

Xbox 360 Hypervisor/King Kong Exploit

Thanks to Anonymous Hacker's great work, I'm now able to publish my own little implementation of the exploit.

I've used the full version of the King Kong (KK) game, as it has been shown to work by these anonymous people at 22C3, and it was the first one I found with editable shaders. Most games have these - KK was just the first one I've checked.
So you need a KK full (USA or PAL doesn't matter, they are the same) DVD image (including video partition), and obviously a hacked drive firmware.
You could also try hotswapping from your (hopefully existing!) KK original to the modified copy. Then you could go with a stock firmware.
Why not use the KK demo? It would work the same (though the shader file format is different), but it requires a firmware hack too, as the possibility to run it from DVD-R was blacklisted in a very early kernel already, which doesn't have the vulnerability.

So, how does the hack work? Basically, the bugtraq post (http://www.securityfocus.com/archive/1/461489 in case you haven't read it yet) explains it all. All I did was convert the series of memory writes into a shader and write a small serial loader stub.

You need to connect the serial port to use this hack. Read Speedy22's fine "Xbox 360 Motherboards and Headers" documentation, it's on J2B1.
NOTE: It's LVTTL. Do not even think about connecting to an RS232 port directly.
RS232 is +-12V, LVTTL is 3V. Think about what happens when you connect your 110V equipment to 220V. You don't want that to happen to your southbridge. ;)
For example, use a MAX3232, or just use any of these USB serial port adapters which already output 3.3V.
Speed is hardcoded to 115200/8N1.

To modify your existing game image, start the "patcher" tool. It will patch your game image to include the loader. It is a bit lame, but works. The tool will also remove the three startup videos for a faster boot.
When you launch the modified game, it will directly go to the main screen.
Press start on a controller. It should display "LOADING", and then freeze while displaying "Acessing Content". If it doesn't freeze, you don't have the correct kernel version (4532 or 4548, but only 4532 was tested). See below on how to update.

Now the serial loader becomes active. You should see "Xe>" on the serial port. Now upload your binary code (just as a binary blob). To terminate your upload, send 16x 'x'. It will be loaded to 0x01300000 and executed.
Be warned, only CPU #0 is trapped. The other threads/cores are still happily executing, so you need to catch them.

"Hello, world!"
Use the source, luke!
compile with
powerpc64-linux-gcc hello.S -o hello.o -Ttext=0x1300000 -nostdlib
objcopy -O binary hello.o hello.bin

HOWTO UPDATE (to the correct kernel)
To clarify things again:
* If you have 4552, you are screwed. Sorry.
* If you have 4532 or 4548, it has to work. If it doesn't work, something else is wrong, but please don't try to update.
* If you have pre-4532: Grab HD_DVD_10-2006.zip [URL in readme is already offline] (check MD5SUM first: Microsoft could have changed this file! the correct md5 is cd4db8e2c94266ab73513c361dd5b8f6). Burn it to a CD, and start it. It will update your console to 4532.

Official Site: n/a, by Crawler360 (tech/research discussion on xboxhacker.net)
Thanks to GaryO.P.A. for news/file/link.
Download sourcecode: rapidshare.com

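The serial loader exchange the readme describes ("Xe>" prompt, raw binary blob, 16x 'x' to terminate, load at 0x01300000) has no length field and no escaping, so a payload that itself contains a run of 'x' bytes cannot be sent safely. The simulation below is an added example, not Crawler360's code: it frames an upload on the host side, mimics the stub's receive loop, and refuses payloads that would collide with the terminator. How the real stub counts the terminator bytes is not stated in the readme, so the consecutive-run rule here is an assumption.

```python
# Added simulation of the "Xe>" serial loader exchange from the readme.
# Not Crawler360's stub: the framing rules are assumptions drawn from the
# readme text (wait for "Xe>", send the raw blob, then 16 x 'x').
import io
from typing import BinaryIO, Tuple

PROMPT = b"Xe>"
LOAD_ADDR = 0x01300000   # address the readme says the blob lands at
TERMINATOR = b"x" * 16   # the readme's end-of-upload marker

def frame_upload(blob: bytes) -> bytes:
    """Bytes a host would send once it has seen the prompt.

    No length field, no escaping: the run of 16 'x' is the only end marker.
    A blob containing that run would be cut short, and one ending in 'x'
    would lose its tail into the terminator run, so both are refused.
    """
    if TERMINATOR in blob or blob.endswith(b"x"):
        raise ValueError("payload collides with the 16-'x' terminator")
    return blob + TERMINATOR

def loader_receive(port: BinaryIO) -> Tuple[int, bytes]:
    """Mimic the stub: collect bytes until 16 consecutive 'x' arrive.

    Returns (load address, payload minus terminator). Counting a consecutive
    run is an assumption; the readme only says to "send 16x 'x'".
    """
    buf = bytearray()
    run = 0
    while True:
        ch = port.read(1)
        if not ch:
            raise EOFError("stream ended before the terminator")
        buf += ch
        run = run + 1 if ch == b"x" else 0
        if run == len(TERMINATOR):
            return LOAD_ADDR, bytes(buf[:-len(TERMINATOR)])

def simulate_exchange(blob: bytes) -> Tuple[int, bytes]:
    """Host waits for the prompt, sends the framed blob, stub reads it back."""
    wire = io.BytesIO(PROMPT + frame_upload(blob))
    if wire.read(len(PROMPT)) != PROMPT:   # host side: wait for "Xe>"
        raise RuntimeError("no loader prompt seen")
    return loader_receive(wire)

if __name__ == "__main__":
    addr, data = simulate_exchange(b"\x38\x60\x00\x00" * 4)  # constructed sample
    print(f"stub would place {len(data)} bytes at {addr:#010x}")
```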

mist4fun

« Reply #1 on: March 01, 2007, 10:20:00 PM »

cool

aaronrun

« Reply #2 on: March 01, 2007, 10:23:00 PM »

"If you have 4552, you are screwed. Sorry."

Why is that? I thought it was possible to downgrade your firmware. BTW this is insanely exciting. We've all been waiting a looooooooong time for this

mathers3000

« Reply #3 on: March 01, 2007, 10:30:00 PM »

awesome, far out!! I'll light one up for that
Keep up the good work


CattyKid

« Reply #4 on: March 01, 2007, 10:36:00 PM »

Great news.
It would be good to get some pics here, though...

pablot

« Reply #5 on: March 01, 2007, 10:31:00 PM »

QUOTE(aaronrun @ Mar 2 2007, 06:30 AM)

"If you have 4552, you are screwed. Sorry."

Why is that? I thought it was possible to downgrade your firmware. BTW this is insanely exciting. We've all been waiting a looooooooong time for this


nope, from v4552 and up you can't downgrade the firmware. So if you have that, you are screwed. At least with the current knowledge of the situation.

Lucky me that I have an earlier firmware. Happy hacking.

lostboyz

« Reply #6 on: March 01, 2007, 10:42:00 PM »

good news

even if the homebrew scene is awesome, I don't know if it's ever worth it without Live, at least not at the 360's current price to own two. Once we get around that then it will truly be amazing. It is a big step in the right direction though, props.

capboy210

« Reply #7 on: March 01, 2007, 10:48:00 PM »

Hah that's the lamest homebrew ever! But yet it is so cool! Hopefully we can see some more complex and useful homebrew down the road. Nice work whoever the hacker was!

RolfLobker

« Reply #8 on: March 01, 2007, 10:51:00 PM »

Great stuff, excellent knowledge.

Real-life example of why the exploit does in fact serve a purpose (yes, I'm talking about you, the one who has been complaining in the previous exploit thread that it was meaningless because it was already patched)

ASmithz

« Reply #9 on: March 01, 2007, 10:45:00 PM »

QUOTE(capboy210 @ Mar 2 2007, 06:48 AM)

Hah that's the lamest homebrew ever! But yet it is so cool! Hopefully we can see some more complex and useful homebrew down the road. Nice work whoever the hacker was!



It's a start is all. Remember the PSP, the homebrew scene started with the same "Hello World" thing. Now we can run anything on it, downgrade, virtually anything.

belke

« Reply #10 on: March 01, 2007, 10:46:00 PM »

Can't wait to see what the hackers do with all this.

jimjom

« Reply #11 on: March 01, 2007, 10:59:00 PM »

QUOTE(capboy210 @ Mar 2 2007, 06:48 AM)
Hah that's the lamest homebrew ever! But yet it is so cool! Hopefully we can see some more complex and useful homebrew down the road. Nice work whoever the hacker was!

dude, the phrase 'hello world' is always a welcome sign of great things to come. PFFT!!

http://en.wikipedia.org/wiki/Hello_world_program

wiki-owned.

flashfreak

« Reply #12 on: March 01, 2007, 11:00:00 PM »

Technically, you can downgrade, I think, but you have to remove R6T3 or whatever it is, to remove power to the efuses so they can't blow and can't kill the 360.

Don't quote me on this though. Next thing we need is to run unsigned code so we don't have to use the KK disc, but that may still be a fair way off as it'd require a patch to the bios or security system.

Great strides though, good work everyone!

Ha, wiki owned. Nice one

gottastopdrinkin

« Reply #13 on: March 01, 2007, 11:05:00 PM »

Removing the R6T3 is supposed to PREVENT the efuse from blowing. If you didn't remove it and you updated, then it blew and for now you're screwed.

pablot

« Reply #14 on: March 01, 2007, 11:12:00 PM »

QUOTE(flashfreak @ Mar 2 2007, 07:00 AM)

Technically, you can downgrade, I think, but you have to remove R6T3 or whatever it is, to remove power to the efuses so they can't blow and can't kill the 360.

Don't quote me on this though. Next thing we need is to run unsigned code so we don't have to use the KK disc, but that may still be a fair way off as it'd require a patch to the bios or security system.

Great strides though, good work everyone!

Ha, wiki owned. Nice one


BEEEEEP. Wrong. You remove the resistor to prevent the fuse from blowing, as gottastopdrinkin said. Once it's blown, you are screwed.