I'm thinking a bit longer about how we could break the security system on the newer kernels.
I'm just talking about the 2nd revision of the box. I don't know the exact name. It's NOT the new Jasper.
I just watched (again...
) the Video from the 24C3 and an idea came up into my mind.
We can use a timing attack on the newer boards to calculate a new hash for the stored updates in the TSOP. We *could* then try to boot the base kernel but it will panic because of the different product id of the GPU.
But what about just patching the base kernel to work with the new GPU?
I know it sounds too easy. I'm almost sure that this also is signed with a cryptographical hash.
Another thing I came up with is messing around with .NET.
MS offers the XNA Framework with a .NET Runtime which has to be installed on the harddrive. I must be honest that I haven't yet found the time to look into it.
I somewhere saw a video from a Chaos Communication Congress about breaking out of virtual machines from inside. Perhaps the .NET Runtime has a flaw somewhere and we could exploit it by loading a modified .NET Assembly. Where would we be now? We would be in Userland right? So there is again these fscking hypervisor between us and the hardware...
Third thing would be the NXE dashboard. Did they change the hypervisor for it?
They must have done this because you can load games from the HDD and then the DVD needs to be checked for the security sectors. Is this done by the hypervisor or by the kernel?
Perhaps they did a mistake?
I almost gave it up to think about several attacks. I'm not the only one who did that before and if there is a hole in the wall somebody else already would have gotton to the other side through it.
Damn... It's late here in Germany. Forget about the first thoughts. If I could create a patch by myself and let it be applied by the loader I wouldn't need to patch the PID, just overwrite it with my own code and done... But it isn't.