
Tools Released to Perform 'Timing Attack' to Downgrade Kernel



wraggster
September 24th, 2007, 21:53
Via Xbox scene (http://www.xbox-scene.com/xbox1data/sep/EEApuFVAEZoyUVvULE.php)


Earlier this week Robinsod released the schematics and documentation to perform the 'Timing Attack' that will allow you to downgrade any Xbox360 kernel to an exploitable kernel (which will allow you to run Linux now and also Homebrew applications when they come out). Today he released a package of software tools that, together with the Infectus modchip and his PIC interface (if you can't make this yourself, Team Infectus is working on a prebuilt daughterboard), will allow you to perform this hack yourself.

From Robinsod on XBH:
* 360 Flash Tool 0.85 [note: Flash Tool included in package below is 0.5, 0.85 will be released Monday]
-Added:
Patch CB LDV if CPU keys are known
Additional recognition string for new flash images
-Bodged:
Disabled extraction of Kernel images when CD version is 1920 (extracting files will cause a crash)

* DGTool
First release.
-To do:
Improve timing filters, still need to find the cause of the jitter. Byte 6 of the hash seems problematic occasionally.
Improve logging

* Degraded
-Fixed:
Handling of bad blocks in Cx area. Now you will see the bad blocks (and the replacements) listed as "notes". If you are very unlucky the block at 0x8400 (where the CB header is located) will be bad. In this case the tools will fail and the image is unusable today.
Handling of bad blocks in FS area (not 100% yet). Currently I test for bad blocks as I insert files into the flash image. If a bad block is detected it is simply skipped over. I had a look at a dump that contains bad blocks in the File System area and it appears the file system is unaware that some of the blocks it is using are marked as bad. I guess the flash driver silently does the remapping of bad blocks for the file system. I will fix this soon since it crashes the flash tool.
-Handling of replacement blocks at end of flash image
Now you will see the bad blocks (and the replacements) listed as "notes". If you are very unlucky the block at 0x8400 (where the CB header is located) will be bad. In this case the tools will fail and the image is unusable today - sorry.
-To be done:
Handling of bad block at 0x8400, start of CB
Using one of the spare blocks at the end of flash when guessing the hash

Please use the latest Degraded tool and create a new image (especially if you are French and have Bad Blocks) before downgrading

When you have downgraded to 1888 I would suggest you do the following:

If you have an LDV < 6 (Degraded will tell you this) or you don't care about being stealthy then just apply the 4532 update. Another fuse will be blown, but now you will have your CPU key and you can increment the LDV in the CF sections of your original image.

If you have an LDV = 6 then you might want to consider:
1) Disable the eFuses before applying the 4532 update, then put the resistor back. No need to patch your original image
2) Sit out the next update
3) Accept that you will have an unusual number of blown fuses and see above

Now you have the possibility to
-Boot a vulnerable Kernel and run Linux
-Boot the latest Kernel and play on Live
-Change the region of your console for any Kernel (be careful on Live with hacked region codes, not recommended)

It's very likely that this hack will be fixed in future versions of CB (although we have found that CB version 1920 is still vulnerable). MS can also use eFuses to lock down the CB version in a way we can't defeat even if we know the CPU key. I have no idea if MS will update the CB section in existing boxes or if it will be limited to new boxes.

MS may even take our new toy away completely making it impossible to boot vulnerable Kernels.

If the homebrew scene is of interest to you, then start saving for a new box, get its CPU keys and use one for homebrew and one for the latest games.

There's no reason not to go for a native XBMC360 now ;)
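As an added illustration of the general technique behind a hash-guessing timing attack (this is not part of wraggster's post, and it is not Robinsod's DGTool or the Xbox 360 CB code), the following Python models a bootloader that compares a 16-byte hash with an early-exit loop and reports a simulated cycle count with random jitter. The attacker recovers the hash one byte at a time, taking the median of repeated measurements to filter the jitter, and falls back to the accept/reject outcome for the final byte, which timing alone cannot separate. A constant-time variant of the same check is included to show the comparison that does not leak. The key, header, cost model, class and function names are all constructed for this example.

```python
"""Byte-at-a-time timing attack on an early-exit hash comparison.

Constructed model for illustration: simulated cycle counts, not real
hardware measurements and not the Xbox 360 bootloader."""
import hashlib
import hmac
import random
import statistics

HASH_LEN = 16

# Constructed sample inputs: a made-up key and header, not console data.
SAMPLE_KEY = bytes(range(16))
SAMPLE_HEADER = b"constructed header for the example"
SECRET_HASH = hmac.new(SAMPLE_KEY, SAMPLE_HEADER, hashlib.sha1).digest()[:HASH_LEN]


class SimulatedBootloader:
    """Device that checks a 16-byte hash and whose run time the attacker can
    measure from the outside. The cost model (base cost, per-byte cost,
    uniform jitter) is invented for the example."""

    def __init__(self, secret, rng, constant_time=False,
                 base_cycles=5000, per_byte=100, jitter=50):
        self.secret = secret
        self.rng = rng
        self.constant_time = constant_time
        self.base = base_cycles
        self.per_byte = per_byte
        self.jitter = jitter

    def check(self, candidate):
        """Return (accepted, measured_cycles) for one boot attempt."""
        cycles = self.base
        if self.constant_time:
            # Hardened form: touch every byte, accumulate the difference.
            diff = 0
            for a, b in zip(candidate, self.secret):
                diff |= a ^ b
                cycles += self.per_byte
            ok = diff == 0
        else:
            # Vulnerable form: stop at the first mismatch, so the number of
            # matching leading bytes shows up in the run time.
            ok = True
            for a, b in zip(candidate, self.secret):
                cycles += self.per_byte
                if a != b:
                    ok = False
                    break
        return ok, cycles + self.rng.randint(-self.jitter, self.jitter)


def recover_hash(device, samples=21):
    """Recover the hash byte by byte. Medians of repeated measurements
    filter the jitter. Returns None if no final candidate is accepted."""
    known = bytearray()
    # Bytes 0..14: the correct byte costs one more comparison than any
    # wrong one, so the slowest median wins.
    for pos in range(HASH_LEN - 1):
        timings = {}
        for guess in range(256):
            cand = bytes(known) + bytes([guess]) + bytes(HASH_LEN - pos - 1)
            timings[guess] = statistics.median(
                device.check(cand)[1] for _ in range(samples))
        known.append(max(timings, key=timings.get))
    # Last byte: a mismatch there costs the same as a full match, so timing
    # cannot separate them; use the accept/reject outcome instead.
    for guess in range(256):
        cand = bytes(known) + bytes([guess])
        if device.check(cand)[0]:
            return cand
    return None


def run_demo(seed=1):
    """Attack the leaky and the constant-time device with the same seed."""
    rng = random.Random(seed)
    leaky = SimulatedBootloader(SECRET_HASH, rng)
    hardened = SimulatedBootloader(SECRET_HASH, rng, constant_time=True)
    return recover_hash(leaky), recover_hash(hardened)


if __name__ == "__main__":
    got_leaky, got_hardened = run_demo()
    print("secret  :", SECRET_HASH.hex())
    print("leaky   :", got_leaky.hex() if got_leaky else None)
    print("hardened:", got_hardened)
```

Two points worth noticing: the per-byte cost (100 cycles here) must stand out above the median of the jitter, which is why the attacker repeats each probe and filters rather than trusting a single measurement; and the final byte needs a second signal (here the boot succeeding or not) because an early-exit loop spends the same time on a last-byte mismatch as on a full match.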