para los que tengan la suerte de tener el kenel beno
Xbox 360 Hypervisor/King Kong Exploit
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Thanks to Anonymous Hacker's great work, I' m now able to publish my own
little implementation of the exploit.
I've used the full version of the King Kong game, as it has been shown to
work by these anonymous people at 22C3, and it was the first one I found
with editable shaders. Most games have these - KK was just the first one
I've checked.
So you need a KK full (USA or PAL doesn't matter, they are the same) DVD
image (including video partition), and obviously a hacked drive firmware.
You could also try hotswapping from your (hopefully existing!) KK original
to the modified copy. Then you could go with a stock firmware.
Why not using the KK demo? It would work the same (though the shader file
format is different), but requires a firmware hack too, as the possibility
to run it from DVD-R was blacklisted in a very early kernel already, which
doesn't have the vulnerability.
So, how does the hack work? Basically, the bugtraq post
(
http://www.securityfocus.com/archive/1/461489 in case you haven't read it
yet) explains it all. All I did was to convert the series of memory writes
into a shader, and writing a small serial loader stub.
You need to connect the serial port to use this hack. Ready Speedy22's
fine "Xbox 360 Motherboards and Headers" documentation, it's on J2B1.
NOTE: It's LVTTL. Do not even think about connecting to an RS232 port
directly.
RS232 is +-12V, LVTTL is 3V. Think about what's happening when you connect
your 110V equipment to 220V. You don't want to happen that on your
southbridge. ;)
For example, use a MAX3232, or just use any of these USB serial port
adapters which already output 3.3V.
Speed is hardcoded to 115200/8N1.
To modify your existing game image, start the "patcher" tool. It will patch
your game image to include the loader. It is a bit lame, but works. The
tool will also remove the three startup videos for a faster boot.
When you launch the modified game, it will directly go to the main screen.
Press start on a controller. It should display "LOADING", and then freeze
while displaying "Acessing Content". If it doesn't freeze, you don't have
the correct kernel version (4532 or 4548, but only 4532 was tested). See
below on how to update.
Now, the serial loader gets active. You should see a "Xe>" on the serial
port. Now, upload your binary code (just as a binary blob). To terminate
your upload, send 16x 'x'. It will be loaded to 0x01300000, and executed.
Be warned, only CPU #0 is trapped. The other threads/cores are still
happily executing, so you need to catch them.
"Hello, world!"
===============
Use the source, luke!
compile with
powerpc64-linux-gcc hello.S -o hello.o -Ttext=0x1300000 -nostdlib
objcopy -O binary hello.o hello.bin
HOWTO UPDATE (to the correct kernel)
============
To clarify things again:
If you have 4552, you are screwed. Sorry.
If you have 4532 or 4548, it has to work. If it doesn' t work, something
else is wrong, but please don't try to update.
If you have pre-4532:
Grab
http://assets.xbox.com/en-us/hardware/HD_DVD_10-2006.zip
(check MD5SUM first: microsoft could have changed this file!
the correct md5 is cd4db8e2c94266ab73513c361dd5b8f6)
Burn it to a CD, and start it. It will update your console to 4532.
- crawler360
![[triston]](/images/smilies/nuevos/triste_ani2.gif "tristón")
![[lapota]](/images/smilies/nuevos2/masvomitos.gif "potando")
