xboxscene.org forums

Pages: 1 [2]

Author Topic: Xbox360FanBoy: The hypervisor and its implications  (Read 1173 times)

fghjj

  • Archived User
  • Sr. Member
  • *
  • Posts: 288
Xbox360FanBoy: The hypervisor and its implications
« Reply #15 on: November 30, 2005, 03:00:00 PM »

QUOTE(Artifex) *

That article contains so much inaccurate, speculative, uninformed BS that I'd be ashamed to quote it.

I understand that X-S is just doing its job, reporting the news.... but c'mon...  that's not news, it's just some chick rambling about something she obviously knows nothing about.  I've always respected the high standards X-S has set for links to external stories, but this is disappointing.

Artifex already posted what I wanted to say :)

This post has been edited by fghjj: Nov 30 2005, 11:01 PM
Logged

cooke26

  • Archived User
  • Newbie
  • *
  • Posts: 1
Xbox360FanBoy: The hypervisor and its implications
« Reply #16 on: December 02, 2005, 11:05:00 AM »

I wonder if XEN or another hypervisor corporation would get involved in this matter to maybe overlap one of their own on top of the 360's hypervisor.
Logged

Ace25

  • Archived User
  • Sr. Member
  • *
  • Posts: 476
Xbox360FanBoy: The hypervisor and its implications
« Reply #17 on: December 02, 2005, 04:10:00 PM »

QUOTE(BCfosheezy @ Nov 29 2005, 06:45 PM) *

I don't mean to be technical because you're right, but really it's firmware. The hypervisor is embedded in the cpu. Getting at this so-called insecure software is going to be extremely difficult. I'm not saying it won't be done but I am saying that it should not be taken lightly.


I think you misunderstood my statement. I wasn't trying to say breaking the Hypervisor is the answer. Actually the opposite. I think it will be near impossible for that. Yes, I understand that it's embedded into the CPU. Sorry I didn't make that part clear. My thinking was that the easiest hack is going to be later on in the boot sequence, i.e., in the X360 OS. There will hopefully be a flaw in one of the MS-made files that will allow us to get non-signed code to run via a hacked legit file. Far from easy I know due to the hashing/checksums, but I still believe that is going to be the easiest avenue to explore.

"Please don't make such blinded sensational comments." .. umm.. we are talking about MS right? How is that comment blinded OR sensational? Show me 1 software product they have made that did not have HUGE flaws that needed update/patching? Hmmm.. none? Thought so.
Logged

stampsm

  • Archived User
  • Newbie
  • *
  • Posts: 10
Xbox360FanBoy: The hypervisor and its implications
« Reply #18 on: December 04, 2005, 03:14:00 AM »

you have to remember that the hypervisor is written by IBM not microsh*t.
Logged

MSi

  • Archived User
  • Newbie
  • *
  • Posts: 7
Xbox360FanBoy: The hypervisor and its implications
« Reply #19 on: December 05, 2005, 07:28:00 AM »

QUOTE(BCfosheezy @ Nov 30 2005, 02:45 AM) *

I don't mean to be technical because you're right, but really it's firmware. The hypervisor is embedded in the cpu. Getting at this so-called insecure software is going to be extremely difficult. I'm not saying it won't be done but I am saying that it should not be taken lightly. It was inevitable that security advance from console to console but this is slightly more sophisticated than a "next step". This is a pretty big advancement in security. I personally like the fact that they went with this approach because it seems to be getting a lot of attention and there are a lot of people out there that already wanted to be the "next Bunnie" but this time it's that much sweeter since the security is so tight. The hypervisor is a double-edged sword though because while it secures the system pretty completely while it's used as intended, if anything else were able to control it or take the place of it all security goes down with it. Since it is implemented at the hardware level I think a modchip will have to be put in place to either disable this hypervisor and run an almost identical one minus the security and have unrestricted access to the cpu and ram.


Tell me if I'm misunderstanding, but if the hypervisor is basically a secure virtual machine, could it not be used to our advantage?

I don't know how deep it goes, but I guess the hypervisor could sign everything for you, then with a little mod of the firmware, you have a virtual machine open to any code you choose to throw at it.  So basically, if you can crack the hypervisor (which is by no means going to be easy, I'm sure) you have bypassed all the other security they have in place.
Logged

modthebox.tk

  • Archived User
  • Full Member
  • *
  • Posts: 122
Xbox360FanBoy: The hypervisor and its implications
« Reply #20 on: December 12, 2005, 05:09:00 PM »

hmmm. except for the fact that the hypervisor is built into the x360 CPU, which, last time I checked, needs to have an electron microscope to see any detail. If we wanted to hack it, it has to be software related. Either that or we have to corrupt some connection outside the CPU so that the hypervisor doesn't work to some extent.

the hypervisor is not virtual, it is a ROM on the CPU that is run after the BIOS boots (it actually boots with the BIOS if I'm understanding it correctly).
Logged

InterestedHacker

  • Archived User
  • Jr. Member
  • *
  • Posts: 88
Xbox360FanBoy: The hypervisor and its implications
« Reply #21 on: December 13, 2005, 06:35:00 AM »

QUOTE(modthebox.tk @ Dec 13 2005, 02:09 AM) *

hmmm. except for the fact that the hypervisor is built into the x360 CPU, which, last time I checked, needs to have an electron microscope to see any detail. If we wanted to hack it, it has to be software related. Either that or we have to corrupt some connection outside the CPU so that the hypervisor doesn't work to some extent.

the hypervisor is not virtual, it is a ROM on the CPU that is run after the BIOS boots (it actually boots with the BIOS if I'm understanding it correctly).



The interesting thing is, if we can get access to the boot code (and be able to read it), then we may be able to work out how the X360 is setting up its virtual machine within Hypervisor.

Have a read of this:-

http://www.xbox360fanboy.com/2005/11/29/th...s-implications/

Some is speculation, but the general information appears to be that a percentage of the code required to boot and setup the virtual machine / OS, is available for modification.

Another way of looking at this problem is:-

If you cannot create a virtual machine via hypervisor, either by pretending to be the official x360 virtual machine, or at least passing valid init data to it to be able to host Linux etc, then you cannot run jack on the CPU.  It just won't work!

I think we are faced with two options:-

1) Hack boot code and work out how to trick hypervisor.
2) If we can't trick it, then I reckon you are looking at a replacement CPU, one without hypervisor.

EDIT: If hypervisor is booting from an on-CPU die ROM, and from that point it's only reading signed code, I reckon the 360 will not get hacked.

This post has been edited by InterestedHacker: Dec 13 2005, 02:47 PM
Logged

MaTiAz

  • Archived User
  • Full Member
  • *
  • Posts: 220
Xbox360FanBoy: The hypervisor and its implications
« Reply #22 on: December 18, 2005, 01:33:00 PM »

QUOTE(InterestedHacker @ Dec 13 2005, 03:35 PM) *

2) If we can't trick it, then I reckon you are looking at a replacement CPU, one without hypervisor.

How do you plan on getting the same kind of processor without the hypervisor? IIRC it's a custom CPU which isn't being sold on store shelves :)
Logged

InterestedHacker

  • Archived User
  • Jr. Member
  • *
  • Posts: 88
Xbox360FanBoy: The hypervisor and its implications
« Reply #23 on: December 18, 2005, 03:08:00 PM »

QUOTE(MaTiAz @ Dec 18 2005, 10:33 PM) *

How do you plan on getting the same kind of processor without the hypervisor? IIRC it's a custom CPU which isn't being sold on store shelves :)


I never said we could, I said that's what you may need to do!  My own personal opinion is there is so much signed hardware, hacking the xbox 360 is unlikely in the next couple of years at least.  Because it's custom, M$ could do whatever security mods they wanted to it, like putting stuff on die.  I will be very surprised if hypervisor can be bypassed in some way.
Logged

sumazn

  • Archived User
  • Newbie
  • *
  • Posts: 3
Xbox360FanBoy: The hypervisor and its implications
« Reply #24 on: December 18, 2005, 08:32:00 PM »

some info about hypervisor and sHype from IBM.
check out the pdf link at bottom of page, too technical for me, but may prove useful...
happy reading. :D

http://domino.watson.ibm.com/library/cyber...ht=0,Hypervisor

also you must be a member of the scientific community... ;)
Logged

BCfosheezy

  • Archived User
  • Hero Member
  • *
  • Posts: 966
Xbox360FanBoy: The hypervisor and its implications
« Reply #25 on: December 19, 2005, 09:54:00 AM »

QUOTE(Ace25 @ Dec 2 2005, 05:10 PM) *

I think you misunderstood my statement. I wasn't trying to say breaking the Hypervisor is the answer. Actually the opposite. I think it will be near impossible for that. Yes, I understand that it's embedded into the CPU. Sorry I didn't make that part clear. My thinking was that the easiest hack is going to be later on in the boot sequence, i.e., in the X360 OS. There will hopefully be a flaw in one of the MS-made files that will allow us to get non-signed code to run via a hacked legit file. Far from easy I know due to the hashing/checksums, but I still believe that is going to be the easiest avenue to explore.

"Please don't make such blinded sensational comments." .. umm.. we are talking about MS right? How is that comment blinded OR sensational? Show me 1 software product they have made that did not have HUGE flaws that needed update/patching? Hmmm.. none? Thought so.


First of all I was not being confrontational. Don't get upset because I quoted your post.

You quoted a statement that I did not make in the post where I quoted you, so I really don't see how you could think it was directed towards you. At any rate I am not going to argue whether or not there will be a software flaw that will open the doors for the scene because I'd love to see that happen and I want to agree with you. The only thing that stops me from agreeing with you is it's totally stupid and childish to take sides on an issue that frankly neither of us are qualified to comment on. What I know is, the hypervisor's security is supposed to control what has access to ram (supposed to prevent overflows and underruns) and it controls execution (signature checks) so it's supposed to create a pretty secure system. I, like you, hope that MS relied on that too much and got sloppy with their coding and left something open. I also hope that hypervisor isn't as big and scary as it seems on the surface but going back to my previous statement, we don't know. In short, please don't be defensive as I have never gone on the offensive.
Logged
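To make the two properties BCfosheezy describes concrete (control over which code gets to run, enforced by verifying each stage before control is handed to it, and control over which memory a guest may touch), here is a small Python model added to this thread. It is not Xbox 360 code and not IBM's hypervisor: the stage names, stage contents and address ranges are constructed, and SHA-256 digests chained back to a root value that the on-die ROM would hold stand in for whatever signature scheme the real hardware uses. It shows why patching a later stage, or re-linking the chain around a patched stage, is caught as long as the root value itself is out of reach.

```python
"""Toy model of a hash-locked boot chain plus hypervisor memory access
control.  Constructed illustration only: stage names, contents and
address ranges are made up and do not describe any real console."""
import hashlib
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


def digest(data: bytes) -> bytes:
    return hashlib.sha256(data).digest()


@dataclass
class Stage:
    """One boot stage: its code plus the digest of the stage it may hand
    control to (None for the last stage)."""
    name: str
    code: bytes
    next_digest: Optional[bytes] = None

    def image(self) -> bytes:
        # The successor digest is hashed together with the code, so it
        # cannot be swapped without changing this stage's own digest.
        return self.code + (self.next_digest or b"")


def build_chain(stage_codes: List[Tuple[str, bytes]]) -> Tuple[bytes, List[Stage]]:
    """Link stages back to front so each embeds its successor's digest.
    Returns the root digest (what a ROM would burn in) and the chain."""
    stages: List[Stage] = []
    next_digest: Optional[bytes] = None
    for name, code in reversed(stage_codes):
        stage = Stage(name, code, next_digest)
        stages.insert(0, stage)
        next_digest = digest(stage.image())
    assert next_digest is not None, "chain must have at least one stage"
    return next_digest, stages


def verify_chain(root_digest: bytes, stages: List[Stage]) -> List[str]:
    """Walk the chain as a root of trust would: a stage is 'executed' only
    if its image hashes to the digest held by its predecessor.  Returns
    the names of accepted stages, stopping at the first mismatch."""
    expected: Optional[bytes] = root_digest
    accepted: List[str] = []
    for stage in stages:
        if expected is None or digest(stage.image()) != expected:
            break
        accepted.append(stage.name)
        expected = stage.next_digest
    return accepted


@dataclass
class Partition:
    name: str
    base: int
    size: int

    @property
    def end(self) -> int:
        return self.base + self.size


class Hypervisor:
    """Owns the physical address space; guests only see what they are given."""

    def __init__(self) -> None:
        self.partitions: Dict[str, Partition] = {}

    def create_partition(self, name: str, base: int, size: int) -> Partition:
        if base < 0 or size <= 0:
            raise ValueError("invalid partition bounds")
        new = Partition(name, base, size)
        for p in self.partitions.values():   # no two guests share a byte
            if new.base < p.end and p.base < new.end:
                raise ValueError(f"{name} overlaps {p.name}")
        self.partitions[name] = new
        return new

    def check_access(self, name: str, addr: int, length: int) -> bool:
        """True only if the whole [addr, addr+length) range lies inside the
        guest's own partition; a range straddling the end is refused."""
        p = self.partitions.get(name)
        if p is None or addr < 0 or length <= 0:
            return False
        return p.base <= addr and addr + length <= p.end


def demo() -> dict:
    """Constructed scenario: a three-stage chain, a patched kernel, a
    re-linked chain, and two guest partitions."""
    root, chain = build_chain([("bootloader", b"BL v1"),
                               ("hypervisor", b"HV v1"),
                               ("kernel", b"KERNEL v1")])
    patched = [Stage(s.name, s.code, s.next_digest) for s in chain]
    patched[2].code = b"KERNEL patched"          # modified last stage
    _, relinked = build_chain([(s.name, s.code) for s in patched])
    hv = Hypervisor()
    hv.create_partition("game", 0x1000, 0x1000)
    hv.create_partition("dashboard", 0x2000, 0x1000)
    try:
        hv.create_partition("rogue", 0x1800, 0x100)
        overlap_rejected = False
    except ValueError:
        overlap_rejected = True
    return {
        "good": verify_chain(root, chain),
        "halted": verify_chain(root, patched),
        "relinked": verify_chain(root, relinked),
        "inside": hv.check_access("game", 0x1000, 16),
        "straddles": hv.check_access("game", 0x1FF0, 32),
        "overlap_rejected": overlap_rejected,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The re-linked case is the one worth noticing: hashing a patched kernel and writing the new digest into the hypervisor stage changes the hypervisor stage's own digest, which in turn changes the bootloader's, so the chain no longer matches the root digest and nothing past the ROM is accepted. That is why the thread keeps coming back to where the root value lives.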

litspliff

  • Archived User
  • Hero Member
  • *
  • Posts: 569
Xbox360FanBoy: The hypervisor and its implications
« Reply #26 on: March 08, 2006, 12:15:00 PM »

i haven't worked on a 360 yet,
but my experience with digital equipment may be of use.

hopefully this is something.
if not, flame away! i'm a man, i can take it!

important questions in my opinion:

what specifically is the real boot sequence on the MoBo.
is hypervisor loading in tandem with a bios, or does a bios hand over control to it?
is hypervisor the new breed of bios?!?!?!?!
what happens, in what order?
once you know, you go down the line and try every trick in the book before hypervisor goes live.
if the hypervisor's operation is fully integrated into the CPU's architecture and initialized with the CPU automatically, then this saddens me. i seriously doubt you can write over the hypervisor's instructions.

the prize is the Processor.

where else are you going to get a system running a chip this advanced for this price?
this kind of processing power costs some major $'s outside of the gaming world.
i'm guessing that this is one of the reasons MS loses money on the boxes.
it may be that it is not cost effective or in the abilities of the average modder to hijack it.
however, there will always be a way of some kind. also, it is only a matter of time until MS or IBM people that worked on the project release something. IBM is cutting pensions i hear :|

it's my understanding that in a pc or xbox1, the CPU can't initialize without a (traditional) bios; nothing on the board knows how to pass bits properly. if you can write over the bios, you theoretically are the master of its domain.

questions (excuse me for being such a 360 noob, i'm a computer guy):

where is the bios code located (chip type?, location on board?, where do the key traces lead directly to?etc.), and how is it called to action?

do we know if the "bios" of a 360 acts in the same way as a traditional Basic Input/Output Service?
it may just be a diversion. maybe the bios does nothing? maybe the bios is on the CPU (i hope not)?

i'm tired of MS limiting the potential of some amazing technology.
bottom line, they are a software company. they don't give a damn about the potential of your equipment.
they want to sell you code. by providing this lock-down environment, they have created a captive audience. you.
the technology that we are attempting to liberate here is very powerful.
hopefully these are some good leads.

gl to the real pioneers.
if i could afford to tear these things apart like i do with computers, i would.
Logged

mxeDiT10n

  • Archived User
  • Newbie
  • *
  • Posts: 11
Xbox360FanBoy: The hypervisor and its implications
« Reply #27 on: July 09, 2006, 06:32:00 PM »

QUOTE: questions (excuse me for being such a 360 noob, i'm a computer guy):

where is the bios code located (chip type?, location on board?, where do the key traces lead directly to? etc.), and how is it called to action?


Hypervisor (sHype) is/contains the BIOS.

QUOTE: do we know if the "bios" of a 360 acts in the same way as a traditional Basic Input/Output Service?
it may just be a diversion. maybe the bios does nothing? maybe the bios is on the CPU (i hope not)?


Yes, the Hypervisor which contains the BIOS is on-die. Start building an electron microscope...


--------------------------
     Virtual Machine
--------------------------
        | | | | |
        V V V V V
**************************
  Hypervisor (SLIC/BIOS)
**************************
          | | |
          V V V
##########################
        Hardware
##########################


This post has been edited by mxeDiT10n: Jul 10 2006, 01:33 AM
Logged

mxeDiT10n

  • Archived User
  • Newbie
  • *
  • Posts: 11
Xbox360FanBoy: The hypervisor and its implications
« Reply #28 on: July 09, 2006, 06:58:00 PM »

Forgot to mention that the BIOS is sometimes referred to as the SLIC (System Licensed Internal Code) in the IBM world... sorry for the double-post.

This post has been edited by mxeDiT10n: Jul 10 2006, 02:03 AM
Logged

mxeDiT10n

  • Archived User
  • Newbie
  • *
  • Posts: 11
Xbox360FanBoy: The hypervisor and its implications
« Reply #29 on: July 12, 2006, 06:02:00 PM »

In order to further understand the Hypervisor and discover possible faults or inefficiencies it contains, research should focus on:
  1. Where/How Logical Partitions Are Created
  2. Hypervisor Call Interface
  3. Information Flow Between LPARs & their resources (i.e. bandwidth, memory, disk space, and disk response times)

Obviously these topics cannot be studied on the X360 platform. However, there are in fact virtually identical open-source implementations of the Hypervisor on an X86 platform using Linux.

You may be wondering why such a need to investigate the above areas even exists. If an inefficiency exists somewhere deep in one of these areas, it could be the door we're looking for. Obviously encryption is an issue in this case, but it is something that can be traversed. Yet, since encryption is not the only barrier, the need to understand the Hype & how it operates arises and becomes more important.

Assuming a discovery is made on the implementation of the virtualization of a system's resources (Information Flow between LPARs), then it becomes even more possible to be able to access privileged partitions containing privileged operations; thus gaining access to system resources.

I know that this information is not bleeding with technical information. On the other hand, it seems as though this thread has lost focus. In an attempt to provide some technical justification, there are a few documents available on eye-BM's website discussing the Hypervisor & its architecture along with its implementations in a Linux O/S. Unfortunately I cannot provide the links to the documents; I can only disclose that they exist within the Research website of eye-BM. The title of a good resource for the Hype is Approach to Trusted Virt. Sys. Eye-BM's Research Hypervisor (rHype), the open-source implementation on a Linux platform, is a profitable starting base for researching the Hypervisor.

I am embarking on the setup of a Hype Implementation on a Linux box. I will return with more technical results soon.  ;)
Logged