Redline99
« on: August 11, 2009, 02:17:34 PM »
So, some quick news:

We kept on working on this idea, and it worked out pretty well. We use JTAG to program the DMA target addr, and then SMC to trigger the DMA read. The exploit itself is based on the old 4532 exploit.

The magic is how we launch 4532 - there is a "backdoor" for manufacturing since CB 1920. We have been able to restore the newer CD versions for all hardware types.

This means:
- We can boot own code in HV context ~5s after boot, before any video output, right after the kernel runs.
- We need to reflash the flash, and add 3 resistors for the JTAG (no modchip required! but you might want a dual-nand modchip).
- 8498 kills this by updating the bootloader - it blacklists 4532/4548. It also does hw init stuff which might interfere with the jtag hack, we don't know yet.
- We have a proof of concept hack, we will release it SOON (a matter of hours/days, not more - promised.).
- DON'T UPDATE to summer 09. Did I already say this?
- You don't need to know your cpu key. You can update to all BUT summer '09. You don't need a dvdrom.
- It works on all xenon, zephyr, falcon, opus, jasper. Unless you have updated to 849x. Then you're screwed.
Where's Waldo
Ell3X
« Reply #1 on: August 11, 2009, 02:24:50 PM »
After updating to 849x ... is it still possible to go backwards if the cpu-key is known?
jelle2503
« Reply #2 on: August 11, 2009, 02:29:07 PM »
I am barely able to imagine the possibilities. Can someone perhaps explain some more on this? Is this an exploit à la Xbox1? Full control? We might see XBMC360?
A dual nand chip means the ability to go on Live, and have homebrew, right?
Does it still require soldering wires to the 360, adding 3 resistors? Is it like a really easy thing to do?
nickcas
« Reply #3 on: August 11, 2009, 02:29:36 PM »
Hats off to probably the greatest hackers in recent history. Sick news!
misterfly
« Reply #4 on: August 11, 2009, 02:30:07 PM »
This is surely great work.
TheEazyB
« Reply #5 on: August 11, 2009, 02:42:02 PM »
I imagine the file "$SystemUpdate_Fall08_7371" will hold relevance for some users 
leorimolo
« Reply #6 on: August 11, 2009, 02:44:47 PM »
I wanted to ask what is currently possible:
1. Booting an unsigned xex?
2. Booting newer games, as well as allowing the use of Linux? I noticed you mentioned that you used the old KK exploit update to achieve this, and a lot of games didn't work on older kernels.
3. Method of install?
Thanks a lot for all the work that has gone into this exploit, this is some great news!
reaper527
« Reply #7 on: August 11, 2009, 03:06:53 PM »
Excellent work tmbinc. You have accomplished something truly amazing, that many people thought they would never see.
On a semi-related note, to anyone who would know the answer to this: would it now be possible to recover consoles without a known DVD key? I have read in the past that it is possible to dump the drive key from the motherboard, but this process involved running Linux, and by extension an exploitable console and a working DVD drive with a known key.
Since tmb has said that his new exploit doesn't require a DVD drive, would that mean that any console (without the newest update) can have its key extracted? This would add even more utility to an already amazing breakthrough.
(This is just speculation on my part, you guys are the geniuses.)
Mad_Gouki
« Reply #8 on: August 11, 2009, 03:20:32 PM »
It will be interesting to see the exact method by which the exploit is done. Sounds like some soldering is in order. I may be reading too much into this, but I'm getting the impression that this is going to be the first 360 modchip, judging by the JTAG stuff.
Anyone know if this will allow us to get the DVD keys from boards now?
tmbinc
« Reply #9 on: August 11, 2009, 03:31:06 PM »
- It's possible to recover DVD keys. In fact, no DVD-ROM is required to run the hack, so it's possible to run own code, dump cpu key, decrypt HV, inject key, flash back. Note that I personally don't like games, so I won't be of much help here.
- No, even if you know your CPU key, it's not possible to downgrade back from 8498.
- Right now, the only way to support both gaming and hacking would be a dual-nand modchip, which switches between nand contents. Note that you still couldn't update to 8498, as it likely (haven't tried) doesn't run without R6T3.

From a technical perspective, I want to stress that this is not "yet another bug" - it's THE SAME bug we used 2 years ago. It's just that we changed the way how we write to memory, and that allows for the new cool features.
Please don't copy/quote full text outside this board. Instead, summarize and link to this post. Thanks! This lets me keep information updated and doesn't pull things out of context.
Ell3X
« Reply #10 on: August 11, 2009, 03:35:23 PM »
Is kernel 849x still patchable (region code, dvd-key etc.)?
nickcas
« Reply #11 on: August 11, 2009, 03:38:03 PM »
> - It's possible to recover DVD keys. In fact, no DVD-ROM is required to run the hack, so it's possible to run own code, dump cpu key, decrypt HV, inject key, flash back. Note that I personally don't like games, so I won't be of much help here.
> - No, even if you know your CPU key, it's not possible to downgrade back from 8498.
> - Right now, the only way to support both gaming and hacking would be a dual-nand modchip, which switches between nand contents. Note that you still couldn't update to 8498, as it likely (haven't tried) doesn't run without R6T3.
>
> From a technical perspective, I want to stress that this is not "yet another bug" - it's THE SAME bug we used 2 years ago. It's just that we changed the way how we write to memory, and that allows for the new cool features.

In that third bullet, when you say 'gaming', do you mean LIVE gaming, or that playing games in general is not possible with this hack yet without a dual-nand modchip? And if gaming isn't possible, could it be in the future? I'm guessing/hoping it's "LIVE gaming". Again, thanks for all of your hard work.
« Last Edit: August 11, 2009, 03:41:31 PM by nickcas »
jz_5_3
« Reply #12 on: August 11, 2009, 03:51:44 PM »
God damn it, I just updated my jasper! But I have 12-month Live gold, so I have to update anyway.
Could you please explain a little bit further why 8489 probably does not work for this new hacking technique? Since 8489 only updates the content in nand flash, I am just wondering if your hacking technique could work when a 1888 timing attack downgrading image is flashed to the nand. My understanding is that your jtag stuff does not require the 360 to be fully booted.
nickcas
« Reply #13 on: August 11, 2009, 03:53:08 PM »
> God damn it, I just updated my jasper! But I have 12-month Live gold, so I have to update anyway.
> Could you please explain a little bit further why 8489 probably does not work for this new hacking technique? Since 8489 only updates the content in nand flash, I am just wondering if your hacking technique could work when a 1888 timing attack downgrading image is flashed to the nand. My understanding is that your jtag stuff does not require the 360 to be fully booted.

The new update changed the first level bootloader, which to my knowledge closes this "window of opportunity" to run unsigned code.
jz_5_3
« Reply #14 on: August 11, 2009, 03:55:23 PM »
> > God damn it, I just updated my jasper! But I have 12-month Live gold, so I have to update anyway.
> > Could you please explain a little bit further why 8489 probably does not work for this new hacking technique? Since 8489 only updates the content in nand flash, I am just wondering if your hacking technique could work when a 1888 timing attack downgrading image is flashed to the nand. My understanding is that your jtag stuff does not require the 360 to be fully booted.
>
> The new update changed the first level bootloader, which to my knowledge closes this "window of opportunity" to run unsigned code.

Okay, the first level bootloader? Is it the 1BL inside the CPU?
Mad_Gouki
« Reply #15 on: August 11, 2009, 04:00:10 PM »
> In that third bullet, when you say 'gaming', do you mean LIVE gaming, or that playing games in general is not possible with this hack yet without a dual-nand modchip? And if gaming isn't possible, could it be in the future?
> I'm guessing/hoping it's "LIVE gaming".
> Again, thanks for all of your hard work.

If you play on LIVE, you have to upgrade to the newest update. The newest update would be the one that overwrites the bootloader, so having another nand wouldn't help, if I understand correctly. You wouldn't be able to take the hacked box on Live at all, or you would have to update it and break the hack. If you think about what he said in that third bullet point:

> Right now, the only way to support both gaming and hacking would be a dual-nand modchip, which switches between nand contents. Note that you still couldn't update to 8498, as it likely (haven't tried) doesn't run without R6T3.

He does say that he hasn't tried it, so there may still be hope.
B1N4RY
« Reply #16 on: August 11, 2009, 04:04:04 PM »
For one, I am looking forward to the release; at the same time, I'm not very happy about the new dashboard updating the bootloader. I didn't know that the bootloader was possible to change via dashboard updates.
So far, is anyone coding a Linux bootloader for Jasper using this method?
« Last Edit: August 11, 2009, 04:05:46 PM by B1N4RY »
Coniger12
« Reply #17 on: August 11, 2009, 04:16:23 PM »
It's sad that both were patched before it released. I might owe tmbinc a beer after this. ;-) Kinda sucks I now have to go buy a new 360 (damn dashboard beta).

> We can boot own code in HV context ~5s after boot, before any video

So will running *nix change? I mean, does one still have to use KingKong, or will there be an easier way now?
« Last Edit: August 11, 2009, 04:21:01 PM by Coniger12 »
I like being the only person to rip from Lite-Ons using uxrip360.
dtrmad2004
« Reply #18 on: August 11, 2009, 04:17:08 PM »
Woohoo, brilliant news. Thanks to all involved. Heh, maybe I just made a fool out of myself on the other thread.
B1N4RY
« Reply #19 on: August 11, 2009, 04:22:11 PM »
> - Right now, the only way to support both gaming and hacking would be a dual-nand modchip, which switches between nand contents. Note that you still couldn't update to 8498, as it likely (haven't tried) doesn't run without R6T3.

Get a Cygnos 360 if anyone needs a dual nand feature.
« Last Edit: August 11, 2009, 04:30:08 PM by B1N4RY »