Week of August 28, 2011
DosFlash v2.0 Build 20110903
>> Kai Schtrom released a new version of DosFlash - a PC tool to flash your drive via DOS.

What's new/fixed:
* Key extraction task "LiteOn Key V3 (Tarablinda)" now supports the Slim firmware versions 9504, 0272, 0225, 0401, 1071 and also tries to discover the key on unknown firmware versions.
* 2 new tasks added named "Lock SPI Flash" and "Unlock SPI Flash". The new unlock SPI flash task is used in combination with Geremia's MXIC and Winbond Unlock method. It is very much influenced by Geremia's unlockSPI program, which was the first bruter to unlock Winbond SPI flashes. To relock the flash after you have finished writing a patched firmware to it, use the lock SPI flash task. This will instantly make the SPI flash write protected for all blocks. BP0, BP1 and SRP status bits are activated afterward, so handle this function with care!
* Read Flash task now can create a full firmware dump of the Slim firmware versions 9504, 0272, 0225, 0401 and 1071. To create full firmware dumps of 0225 drives and above you should get a compatible SATA2 controller and set it to IDE mode. In addition you should be able to do Geremia's MXIC or Winbond unlock method. The compatible SATA2 controller is needed to unlock the MTK. Any installed drivers should be uninstalled, because they will switch the controller back to AHCI mode. In combination with the SPI flash status register unlock you are able to write to the firmware and inject Geremia's 8051 trojan, which can then dump the complete firmware. A risk level is added to show you how risky it is for your individual flash chip and firmware combination to write the patched firmware to obtain a full dump.
* Possibility during "Read Flash" task to write firmware sector 3E of Slim drives with unknown firmware version This feature should be useful if new, unknown Slim firmware versions get out. If you write the patched 3E sector to a new and unknown firmware version this could potentially kill your drive. So handle it with care!
* Portio.sys reimplemented as separate driver for DosFlash32 and DosFlash64 The driver files portio32.sys and portio64.sys are again separated from the executable file. This way the user has the possibility to sign the drivers on his x64 system with the Driver Signature Enforcement Overrider.
* SATA and IDE adapter list updated

Official Site: n/a, by Kai Schtrom
Download: here
News-Source/Full NFO: xbins.org
Discuss this news item on our forums: forums.xbox-scene.com

(Saturday 03 September 2011 09:10 EST) - (Category: Xbox360)

Xbox 360 Limited Edition CoD: MW3 Console and Accessories
>> From majornelson.com:
[QUOTE]
Today at the Call Of Duty XP event in Los Angeles, we announced the Xbox 360 Limited Edition Call of Duty: Modern Warfare 3 Console and two limited edition Modern Warfare 3 themed accessories. Here are the details:

This limited edition console includes a customized console with graphics from the game, along with two custom wireless controllers, a 320GB hard drive, a copy of “Call of Duty: Modern Warfare 3,” as well as custom sounds when the console is turned on. Here are the .WAV files of what they sound like: power on/off and disk tray eject.
A one month Xbox LIVE Gold subscription to Xbox LIVE is included, as well as exclusive avatar items that show your Xbox LIVE friends you’re one of the lucky ones to own this coveted console.

The console will launch on November 8, 2011 in the U.S., Canada, Mexico, Australia, New Zealand, and EMEA for $399 (U.S. ERP), and you can pre-order today at participating retailers.

In addition to the console, Xbox 360 will be releasing two limited edition accessories, both shipping to stores October 11:

The Xbox 360 Call of Duty: Modern Warfare 3 Wireless Headset with Bluetooth provides the ability to chat with friends during multi-player game play or with Bluetooth®-enabled mobile phones, PCs and other devices. Its artwork matches the custom console and includes a charging cradle, ear loop, ear gels, and an Xbox LIVE token for an exclusive download for $69.99 (U.S ERP).

The Xbox 360 Call of Duty: Modern Warfare 3 Wireless Controller allows you to show all your friends your passion for the franchise. The controller includes exclusive artwork and a transforming D-pad that can be rotated to adapt to the user’s game play, as well as an Xbox LIVE token for an exclusive download, all for $59.99 (U.S. ERP).
[/QUOTE]

More Pictures: flickr.com/photos/majornelson
Discuss this news item on our forums: forums.xbox-scene.com

(Friday 02 September 2011 21:30 EST) - (Category: Xbox360)

Maximus Stinger - Reset Glitch Hack add-on board
>> From 360nandflasher.com:
[QUOTE]
Team Maximus is proud to announce their offering for making use of the recent discovery of the reset glitch hack released by GliGli.

The Maximus Stinger JTAG Add-on board.

These can be used in conjunction with the Maximus Nand Flasher kits but are not limited to those alone; the Stinger can also be used in conjunction with any other USB Nand flashing devices. While the full feature set for the Maximus Stinger is not yet announced, rest assured the entire team is hard at work and production has already started; news on the full feature set will be coming soon and more info can be found on the Maximus nandflasher website www.360nandflasher.com in the coming days.

Official resellers will start taking pre-orders soon, so you will be able to pre-order your Maximus Stinger from your local reseller and get ready for a whole new world of JTAG.

Credits
GliGli, Tiros: Reverse engineering and hack development.
cOz: Reverse engineering, beta testing.
Razkar, tuxuser: beta testing.
cjak, Redline99, SeventhSon, tmbinc, anyone I forgot... : Prior reverse engineering and/or hacking work on the 360.
[/QUOTE]

Official Site: http://www.360nandflasher.com
Discuss this news item on our forums: forums.xbox-scene.com

(Thursday 01 September 2011 01:48 EST) - (Category: Xbox360)

Team Xecuter CoolRunner: New Nand-X Addon for Reset Glitch Hack
>> From team-xecuter.com:
[QUOTE]
Due to the new reset glitch hack announced this weekend by GliGli and Tiros, we are happy to announce a new add-on for the NAND-X Kit that is based on the Xilinx CoolRunner-II CPLD.

This simple addon has been designed to work out of the box with the Zephyr, Jasper and Trinity(Slim) motherboards - and can also be updated for any future code changes / motherboard revisions.

Simply connect the included Phat or Slim adapter to the Xecuter CoolRunner and away you go.

Easily dump your nand with the Xecuter NAND-X and then install the Xecuter CoolRunner to get instant access to homebrew and beyond !

Easy install for anyone who can solder. The Slim is 7 wires and the Phat is 6 wires.

Production has started so you should expect these to be in stores within the next couple of weeks. The price will be no more than $20 !

- Many thanks to GliGli, Tiros and Coz for their efforts in opening up a new chapter of homebrew for the scene.
[/QUOTE]

Official Site: http://team-xecuter.com
Discuss this news item on our forums: forums.xbox-scene.com

(Wednesday 31 August 2011 22:27 EST) - (Category: Xbox360)

Tank360 libXenon Homebrew Game
>> JQE released Tank360, a native libXenon homebrew game(-engine):
[QUOTE]
This is going to get fleshed out more.

For now, I decided to work on creating an engine / game from scratch made in and from libxenon and lzx.
This is still very basic; much more to come.

Thanks to libxenon team.
Thanks to Ced2911, Cancerous, Tuxuser for Libxenon / LZX / Encouragement
Thanks to Blackwolf for the upcoming music
Thanks to Mattie for the idea
Thanks to STK50 for all you have done. Hope one day to work with you again.
[/QUOTE]

Official Site/Download: github.com/JQE/Tank360/
Discuss this news item on our forums: forums.xbox-scene.com

(Wednesday 31 August 2011 17:04 EST) - (Category: Xbox360)

FFplay Xbox360 - Homebrew Media Player
>> From the readme/nfo:
[QUOTE]
Welcome to our release of FFPlay. From Cancerous and JQE
This is using FFmpeg libraries from http://ffmpeg.org as ported by Ced2911. This is using SDL as ported by Lantus.
This should play almost all 720p videos. 1080p IS UNSTABLE, please don't report it, we know about it.

INFO FOR USERS:
A brings up a menu, rewind, Fast Forward, Stop, Play, Pause.
NOTE: Fast Forward and Rewind might be unstable. It is known and we are working on it.

NOW we have our people to thank.
cOz helped with some coding and solved an issue with running it on JTAGs
Thanks to testers: Blackwolf, JPizzle, Mattie, Razkar, and Trajik.
Thanks for direction and assistance: MaesterRo, Anthony, And node21
Thanks for the libraries Ced2911 and Lantus
[/QUOTE]

Official Site: http://code.google.com/p/ffplay360/
Download: here
News-Source: xbins.org / elitemodscene.com
Discuss this news item on our forums: forums.xbox-scene.com

(Monday 29 August 2011 02:50 EST) - (Category: Xbox360)

ECC Glitch Generator v1.0
>> BestPig released a new utility for the new homebrew Xbox 360 reset glitch hack to easily generate an ECC file:
[QUOTE]
This new 'reset glitch hack' requires the creation of an ECC file based on a dump of your NAND. The official script is written in Python, so I wrote a little GUI to make life easier for you ;)
No need to install python, ECC Glitch Generator is stand-alone and doesn't need any other software to operate.
[/QUOTE]

Official Site/Download: bestpig.fr (the software has English support)
Discuss this news item on our forums: forums.xbox-scene.com

(Monday 29 August 2011 00:48 EST) - (Category: Xbox360)

XeLL Reloaded 28/08/2011 '2Stages'
>> Cancerous, [cOz], Ced2911, GliGli, RedLine99 and Tuxuser are proud to release today the first official version of XeLL-Reloaded (Codename: 2Stages) following the release of the new homebrew Xbox 360 reset glitch hack:
[QUOTE]
* It's divided in 2 stages:
- 1st Stage initializes the Hardware, uncompresses and executes 2nd Stage
- 2nd Stage (based on LibXenon) loads all required drivers and does the usual "XeLL tasks"
* XeLL is based on LibXenon now
* XeLL is running with all CPU cores activated
* Optimized CPU Usage
* TinyEHCI is used, delivers full USB 2.0 speed when accessing mass storage media
* lwip network stack upgraded to v1.4 rc2 - It's faster
* It can access the DVD-drive via DMA now: faster reading
* It's possible to reload into XeLL now when you are inside a LibXenon Application
* Refactored ELF Launching Code - shouldn't have issues when executed via XeLL-Launch
* New HTTP Webinterface
* Proper hardware init / shutdown (e.g. after XeLL Launch)
* Supports upgrading XeLL with a XeLL-2Stages binary from USB, named "updxell.bin"
* Infinite bootloop when looking for ELFs to execute
* Parses / decrypts keyvault (either with real or virtual CPUkey)

For now, there is still a little work to do on the nandflasher, so this feature is disabled and an update will come in the following weeks.
If you have a JTAG console, you can update XeLL with tuxuser's apps: XeLL Updater or LxNANDFlasher (use at your own risk).
[/QUOTE]

Official Site/Download: libxenon.org
News-Source: logic-sunrise.com
Discuss this news item on our forums: forums.xbox-scene.com

(Sunday 28 August 2011 18:53 EST) - (Category: Xbox360)

The Xbox 360 reset glitch hack - New Homebrew Hack!
>> GliGli released a new hack to boot the Xbox360 into XeLL and thus run homebrew software on your console. It is compatible with ALL dashboard versions and ALL Slim and Fat models (except Xenon; Falcon support will follow later) and is unpatchable via software updates by Microsoft.

From the readme/nfo:
[QUOTE]
Introduction / some important facts
===================================

tmbinc said it himself, software based approaches of running unsigned code on the 360 mostly don't work, it was designed to be secure from a software point of view.

The processor starts running code from ROM (1bl), which then starts loading a RSA signed and RC4 crypted piece of code from NAND (CB).

CB then initialises the processor security engine, its task will be to do real time encryption and hash check of physical DRAM memory. From what we found, it's using AES128 for crypto and strong (Toeplitz ?) hashing. The crypto is different each boot because it is seeded at least from:
- A hash of the entire fuseset.
- The timebase counter value.
- A truly random value that comes from the hardware random number generator the processor embeds. On fats, that RNG could be electronically deactivated, but there's a check for "apparent randomness" (merely a count of 1 bits) in CB, it just waits for a seemingly proper random number.

CB can then run some kind of simple bytecode based software engine whose task will mainly be to initialise DRAM, CB can then load the next bootloader (CD) from NAND into it, and run it.

Basically, CD will load a base kernel from NAND, patch it and run it.

That kernel contains a small privileged piece of code (hypervisor), when the console runs, this is the only code that would have enough rights to run unsigned code.
In kernel versions 4532/4548, a critical flaw in it appeared, and all known 360 hacks needed to run one of those kernels and exploit that flaw to run unsigned code.
On current 360s, CD contains a hash of those 2 kernels and will stop the boot process if you try to load them.
The hypervisor is a relatively small piece of code to check for flaws and apparently no newer ones have any flaws that could allow running unsigned code.

On the other hand, tmbinc said the 360 wasn't designed to withstand certain hardware attacks such as the timing attack and "glitching".

Glitching here is basically the process of triggering processor bugs by electronical means.

This is the way we used to be able to run unsigned code.

The reset glitch in a few words
===============================

We found that sending a tiny reset pulse to the processor while it is slowed down does not reset it but instead changes the way the code runs; it seems it's very efficient at making bootloaders' memcmp functions always return "no differences". memcmp is often used to check the next bootloader SHA hash against a stored one, allowing it to run if they are the same. So we can put a bootloader that would fail hash check in NAND, glitch the previous one and that bootloader will run, allowing almost any code to run.

Details for the fat hack
========================

On fats, the bootloader we glitch is CB, so we can run the CD we want.

cjak found that by asserting the CPU_PLL_BYPASS signal, the CPU clock is slowed down a lot; there's a test point on the motherboard that's a fraction of CPU speed, it's 200 MHz when the dash runs, 66.6 MHz when the console boots, and 520 kHz when that signal is asserted.

So it goes like that:
- We assert CPU_PLL_BYPASS around POST code 36 (hex).
- We wait for POST 39 start (POST 39 is the memcmp between stored hash and image hash), and start a counter.
- When that counter has reached a precise value (it's often around 62% of entire POST 39 length), we send a 100ns pulse on CPU_RESET.
- We wait some time and then we deassert CPU_PLL_BYPASS.
- The cpu speed goes back to normal, and with a bit of luck, instead of getting POST error AD, the boot process continues and CB runs our custom CD.

The NAND contains a zero-paired CB, our payload in a custom CD, and a modified SMC image.
A glitch being unreliable by nature, we use a modified SMC image that reboots infinitely (i.e. stock images reboot 5 times and then go RROD) until the console has booted properly.
In most cases, the glitch succeeds in less than 30 seconds from power on that way.

Details for the slim hack
=========================

The bootloader we glitch is CB_A, so we can run the CB_B we want.

On slims, we weren't able to find a motherboard track for CPU_PLL_BYPASS.
Our first idea was to remove the 27 MHz master 360 crystal and generate our own clock instead, but it was a difficult modification and it didn't yield good results.
We then looked for other ways to slow the CPU clock down and found that the HANA chip had configurable PLL registers for the 100 MHz clock that feeds CPU and GPU differential pairs.
Apparently those registers are written by the SMC through an I2C bus.
I2C bus can be freely accessed, it's even available on a header (J2C3).
So the HANA chip will now become our weapon of choice to slow the CPU down (sorry tmbinc, you can't always be right, it isn't boring and it does sit on an interesting bus ;)

So it goes like that:
- We send an i2c command to the HANA to slow down the CPU at POST code D8.
- We wait for POST DA start (POST DA is the memcmp between stored hash and image hash), and start a counter.
- When that counter has reached a precise value, we send a 20ns pulse on CPU_RESET.
- We wait some time and then we send an i2c command to the HANA to restore regular CPU clock.
- The cpu speed goes back to normal, and with a bit of luck, instead of getting POST error F2, the boot process continues and CB_A runs our custom CB_B.

When CB_B starts, DRAM isn't initialised so we chose to only apply a few patches to it so that it can run any CD, the patches are:
- Always activate zero-paired mode, so that we can use a modified SMC image.
- Don't decrypt CD, instead expect a plaintext CD in NAND.
- Don't stop the boot process if CD hash isn't good.

CB_B is RC4 crypted, the key comes from the CPU key, so how do we patch CB_B without knowing the CPU key?
RC4 is basically:
crypted = plaintext xor pseudo-random-keystream
So if we know plaintext and crypted, we can get the keystream, and with the keystream, we can encrypt our own code. It goes like that:
guessed-pseudo-random-keystream = crypted xor plaintext
new-crypted = guessed-pseudo-random-keystream xor plaintext-patch
You could think there's a chicken and egg problem, how did we get plaintext in the first place?
Easy: we had plaintext CBs from fat consoles, and we thought the first few bytes of code would be the same as the new CB_B, so we could encrypt a tiny piece of code to dump the CPU key and decrypt CB_B!

The NAND contains CB_A, a patched CB_B, our payload in a custom plaintext CD, and a modified SMC image.
The SMC image is modified to have infinite reboot, and to prevent it from periodically sending I2C commands while we send ours.

Now, maybe you haven't realised yet, but CB_A contains no checks on revocation fuses, so it's an unpatchable hack !

Caveats
=======

Nothing is ever perfect, so there are a few caveats to that hack:
- Even if the glitch we found is pretty reliable (25% success rate per try on average), it can take up to a few minutes to boot to unsigned code.
- That success rate seems to depend on something like the hash of the modified bootloader we want to run (CD for fats and CB_B for slims).
- It requires precise and fast hardware to be able to send the reset pulse.

Our current implementation
==========================

We used a Xilinx CoolRunner II CPLD (xc2c64a) board, because it's fast, precise, updatable, cheap and can work with 2 different voltage levels at the same time.
We use the 48 MHz standby clock from the 360 for the glitch counter. For the slim hack, the counter even runs at 96 MHz (incremented on rising and falling edges of clock).
The cpld code is written in VHDL.
We need it to be aware of the current POST code; our first implementations used the whole 8-bit POST port for this, but we are now able to detect the changes of only 1 POST bit, making wiring easier.

Conclusion
==========

We tried not to include any MS copyrighted code in the released hack tools.
The purpose of this hack is to run Xell and other free software, I (GliGli) did NOT do it to promote piracy or anything related, I just want to be able to do whatever I want with the hardware I bought, including running my own native code on it.

Credits
=======

GliGli, Tiros: Reverse engineering and hack development.
cOz: Reverse engineering, beta testing.
Razkar, tuxuser: beta testing.
cjak, Redline99, SeventhSon, tmbinc, anyone I forgot... : Prior reverse engineering and/or hacking work on the 360.
[/QUOTE]

Official Site: github.com/gligli
Download: here
Tutorial/HowTo: libxenon.org / free60.org
News-Source: xboxhacker.org
Discuss this news item on our forums: forums.xbox-scene.com

(Sunday 28 August 2011 18:18 EST) - (Category: Xbox360)
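The RC4 keystream recovery the readme describes, as an added example that is not code from the original post or from GliGli's tools: a pure-Python RC4 with a constructed toy key and toy images (not console data), showing that one known plaintext/ciphertext pair yields the keystream only over the span where the plaintext guess is right, which is why the shared fat-console CB prefix mattered.

```python
# Added example, not code from the original post or from GliGli's tools.
# Pure-Python RC4 plus the known-plaintext keystream recovery the readme
# describes. The key and images are constructed toy values, not console data.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Return `length` bytes of RC4 keystream for `key` (KSA followed by PRGA)."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                    # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    """XOR two byte strings; zip() truncates to the shorter one."""
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """crypted = plaintext XOR keystream; the same operation also decrypts."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def recover_keystream(crypted: bytes, known_plaintext: bytes) -> bytes:
    """guessed-keystream = crypted XOR plaintext, valid only over the known span."""
    return xor_bytes(crypted, known_plaintext)


def reencrypt_with_keystream(keystream: bytes, new_plaintext: bytes) -> bytes:
    """new-crypted = keystream XOR patch. No key is needed, but the patch cannot
    extend past the bytes for which keystream was recovered."""
    if len(new_plaintext) > len(keystream):
        raise ValueError("patch exceeds the span for which keystream is known")
    return xor_bytes(new_plaintext, keystream)


def keystream_reuse_demo(guessed_prefix: bytes) -> bytes:
    """Run the readme's argument on constructed data and return what a decryptor
    holding the real key sees when it decrypts the re-encrypted image. The
    result equals the patch only where `guessed_prefix` matches the true
    plaintext; a wrong guess yields garbage, never a silent partial success."""
    real_key = b"constructed-toy-key"                  # stands in for a per-device key
    true_image = b"COMMON PREFIX CODE;" + b"device-specific code the guesser never saw"
    crypted = rc4_crypt(real_key, true_image)          # what sits in flash
    keystream = recover_keystream(crypted[:len(guessed_prefix)], guessed_prefix)
    patch = b"PATCHED CODE HERE!"                      # 18 bytes, fits the 19-byte span
    forged = reencrypt_with_keystream(keystream, patch)
    return rc4_crypt(real_key, forged)                 # legitimate decryption


if __name__ == "__main__":
    print(keystream_reuse_demo(b"COMMON PREFIX CODE;"))   # b'PATCHED CODE HERE!'
    print(keystream_reuse_demo(b"WRONG GUESS OF CODE"))   # not the patch
```

The defensive lesson is that a stream cipher reusing one key across images, with an integrity check that can be separated from decryption, is malleable no matter how strong the cipher; a key-bound authentication tag checked before use closes this regardless of glitching.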