XboxHacker BBS
Topic: Timing attack - stupid questions thread.

uberfry (Xbox Hacker, Posts: 862)
« Reply #120 on: August 27, 2007, 05:35:12 PM »

nice, but I wired it this way:
1-7-6-5-4-3-2-8

and I can't get a single code you've posted...

is that correct or do you ignore the silkscreen on the back?
atiman (Hacker, Posts: 86)
« Reply #121 on: August 28, 2007, 03:22:53 AM »

Nice photographs! Thanks a lot, Robinsod!
robinsod (Global Moderator, Xbox Hacker, Posts: 648)
« Reply #122 on: August 28, 2007, 11:34:17 AM »

> nice, but I wired it this way:
> 1-7-6-5-4-3-2-8
>
> and I can't get a single code you've posted...
>
> is that correct or do you ignore the silkscreen on the back?

Looks good,

FT6U1   POST[0]
FT6U7   POST[1]
FT6U6   POST[2]
FT6U5   POST[3]
FT6U4   POST[4]
FT6U3   POST[5]
FT6U2   POST[6]
FT6U8   POST[7]

Don't forget these are 1V signals so you won't "see" anything with standard 5 or 3.3V logic...
newb (Newbie, Posts: 3)
« Reply #123 on: August 28, 2007, 12:21:18 PM »

Since this is the stupid questions thread I have a few

1) Approximately how long is it until this hack will be available for public consumption?

2) Assuming I buy a 360 and after getting my CPU key I choose to remove the R6T3 resistor, can I still upgrade to the future latest firmware (and downgrade from it at a time of my choosing)?

3) If/when I get banned for modding will I be able to make my console become unbanned by reflashing it or similar?

4) I'm planning on getting a 360 sometime next week so as to get one before this hole is patched. Are there any dos or don'ts other than don't go on Live and don't play a game released after the next firmware update (which I assume will patch this)?
Arakon (Administrator, Xbox Hacker, Posts: 6925)
« Reply #124 on: August 28, 2007, 12:26:49 PM »

unbanning is NOT possible.

I do NOT give support by email, PM, ICQ or whatever. Anyone annoying me that way will have his balls removed. With a rusty butterknife. Slowly. And I'll enjoy doing it.
newb (Newbie, Posts: 3)
« Reply #125 on: August 28, 2007, 01:50:26 PM »

> unbanning is NOT possible.

As in not possible right now, or as in will not become possible for the foreseeable future? And also, how does Microsoft recognize a banned console? A final question as well: does the downgrade work with Elite consoles?
uberfry (Xbox Hacker, Posts: 862)
« Reply #126 on: August 28, 2007, 02:07:33 PM »

alright thanks robinsod, of course, my banks are 1.5V, so no problem with logic levels :)
I'll try logging again now
jacksback (Master Hacker, Posts: 117)
« Reply #127 on: August 28, 2007, 02:08:47 PM »

Why is "Can I unban my console" always asked in these threads?

The simple answer is "Don't play on live with backups"

I thought we were all excited about the timing attack results because it will soon give the majority of Xbox owners the ability to downgrade and run homebrew at some stage.
« Last Edit: August 28, 2007, 02:15:24 PM by jacksback »
newb (Newbie, Posts: 3)
« Reply #128 on: August 28, 2007, 03:47:07 PM »

I don't want to unban my console (hell, I haven't even bought it yet) but I want to eat my cake and have it too (use homebrew and Live), so I thought I'd ask if the enabling of homebrew would enable you to change whatever key it is that is banned from Live, therefore for all intents and purposes making you immune to banning.

uberfry (Xbox Hacker, Posts: 862)
« Reply #129 on: August 28, 2007, 04:03:31 PM »

ugh...
all I get is 0x08, 0x00, 0x08, 0x00 while a game is already running...
I shut off the console and get:
0x10, 0x00, 0x10, 0x20

odd...

edit: I now get 0x00, 0x00, 0x70, 0x79 when I switch on the fpga just before the game runs
« Last Edit: August 28, 2007, 04:51:36 PM by uberfry »

jacksback (Master Hacker, Posts: 117)
« Reply #130 on: August 28, 2007, 05:16:34 PM »

You shouldn't get banned for 'modding' your console, i.e. flashing the DVD firmware and/or installing an Infectus modchip, you will only maybe get banned if you play backups.

What I would suggest for now is looking on eBay for a 2nd hand console and before buying, ask the seller for the Dashboard version, tell them System Blade, System Info. I've bought three off eBay and all have had the 2858 Kernel. At the same time buy an Infectus modchip. Install it and then make a backup of your flash. You should then update to Kernel 4532 (the exploitable one) and obtain your CPU key using the Gentoo Linux CD and readfuses script.

It's possible at the moment to downgrade even after blowing efuses thanks to the awesome Flashtool application found on this forum.

If you do what I suggested above, you will have an Xbox for gaming and Live, and an exploitable dashboard backup for homebrew

Icekiller (Master Hacker, Posts: 184)
« Reply #131 on: August 28, 2007, 05:44:29 PM »

> You shouldn't get banned for 'modding' your console, i.e. flashing the DVD firmware and/or installing an Infectus modchip, you will only maybe get banned if you play backups.
>
> What I would suggest for now is looking on eBay for a 2nd hand console and before buying, ask the seller for the Dashboard version, tell them System Blade, System Info. I've bought three off eBay and all have had the 2858 Kernel. At the same time buy an Infectus modchip. Install it and then make a backup of your flash. You should then update to Kernel 4532 (the exploitable one) and obtain your CPU key using the Gentoo Linux CD and readfuses script.
>
> It's possible at the moment to downgrade even after blowing efuses thanks to the awesome Flashtool application found on this forum.
>
> If you do what I suggested above, you will have an Xbox for gaming and Live, and an exploitable dashboard backup for homebrew

the problem is.. if you use the kingkong loader it isn't valid dvd (well muleter says so) so. if they monitor if you play backups (offline) then you would still be banned..
of course if you have 2 nands and write over it it shouldn't really have an effect (if you do the backup only on the exploitable kernel)
Geremia (Xbox Hacker, Posts: 600)
« Reply #132 on: August 28, 2007, 06:04:38 PM »

> I now get 0x00, 0x00, 0x70, 0x79 when I switch on the fpga just before the game runs

Don't know why you test with games, since the POST sequence occurs in about the first 5s after powerup from standby (initial garbage data + 3,7s of POST sequence). The POST sequence ends with 79, then the 4 led blinks green, you hear the fan accelerate, then sound... then dashboard, while the postcode is still fixed to 79.
I got better sampling with high/low threshold set to 0,6V
arnezami (Master Hacker, Posts: 214)
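Added example, not code from this thread or from anyone in it: a small Python decoder that turns per-channel logic-analyser samples into POST bytes using the FT6U-pad-to-POST-bit mapping robinsod gives above, the 0x79 end-of-sequence code and the 0.6 V threshold Geremia mentions. The wiring orders, the sample voltages and the `levels_for()` helper are constructed for illustration; it also shows what a silkscreen-order wiring or a 3.3 V-style threshold does to the decoded value.

```python
# Added example, not code from the thread: decode POST bytes from per-channel
# logic-analyser samples using robinsod's mapping (FT6U1 = POST[0] ... FT6U8 =
# POST[7]) and Geremia's 0x79 end code and 0.6 V threshold. The wiring orders,
# voltages and levels_for() helper are constructed for illustration.

PAD_TO_BIT = {1: 0, 7: 1, 6: 2, 5: 3, 4: 4, 3: 5, 2: 6, 8: 7}
POST_DONE = 0x79                               # last code of the boot sequence

# Probe channel order -> FT6U pad number (channel 0 is the first entry).
CORRECT_WIRING = [1, 7, 6, 5, 4, 3, 2, 8]      # uberfry's order, confirmed OK
SILKSCREEN_WIRING = [1, 2, 3, 4, 5, 6, 7, 8]   # naive pad-number order

def decode_sample(levels, wiring, threshold_v=0.6):
    """One set of per-channel voltages -> POST byte.
    The pads are ~1 V logic: a 3.3 V or 5 V input threshold reads every
    channel as low, while 0.6 V sits between the two levels.
    """
    code = 0
    for channel, pad in enumerate(wiring):
        if levels[channel] >= threshold_v:
            code |= 1 << PAD_TO_BIT[pad]
    return code

def post_codes(samples, wiring, threshold_v=0.6):
    """Collapse a sample stream into the distinct codes seen, up to 0x79."""
    seen = []
    for levels in samples:
        code = decode_sample(levels, wiring, threshold_v)
        if not seen or seen[-1] != code:       # drop repeats of the same code
            seen.append(code)
        if code == POST_DONE:
            break
    return seen

def levels_for(code, wiring, high_v=1.0, low_v=0.05):
    """Constructed data: channel voltages a board probed with `wiring`
    would show while `code` is on the POST pads."""
    return [high_v if (code >> PAD_TO_BIT[pad]) & 1 else low_v for pad in wiring]

# Constructed stream: codes held over several samples, ending in 0x79.
SAMPLE_STREAM = [levels_for(c, CORRECT_WIRING)
                 for c in (0x10, 0x10, 0x20, 0x70, 0x79, 0x79)]

if __name__ == "__main__":
    ok = levels_for(0x79, CORRECT_WIRING)
    print(hex(decode_sample(ok, CORRECT_WIRING)))       # 0x79
    print(hex(decode_sample(ok, SILKSCREEN_WIRING)))    # 0x1f: bits mis-ordered
    print(hex(decode_sample(ok, CORRECT_WIRING, 1.5)))  # 0x0: threshold too high
    print([hex(c) for c in post_codes(SAMPLE_STREAM, CORRECT_WIRING)])
```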
« Reply #133 on: August 29, 2007, 12:12:28 AM »

> 1) approximately how long time is it until this hack will be available for public consumption?

Right now the prototype is still being refined. So this project is still in its fairly early stages. And lots of other things have to be done for it to become really "noob friendly". So think weeks or even months, not days.

> 2) Assuming I buy a 360 and after getting my cpu key I choose to remove the 6t3 resistor can I still upgrade to the future latest firmware (and downgrade from it at a time of my choosing)

From what I understand right now the latest version will accept no or fewer than usual burned fuses (when R6T3 is removed). Microsoft could change that in the next version. Burning these fuses is not a problem right now since when you have a CPU key you can downgrade. But MS could possibly burn fuses in row 2 which will make it impossible to run old kernels at all. That would mean you would have to make a choice between gaming or homebrew. Choosing gaming (again, if MS can and will do this; this is not really certain yet) will then most probably make it impossible to run homebrew ever again. Choosing homebrew means no Live and no new games. Until, that is, a way is found to "fake" a new kernel version while booting in the old one. That is however still very far away I think. If MS can't or won't burn these special fuses then you can do both (e.g. using an xD mod switching between kernel versions).

> 3) If/when I get banned for modding will I be able to make my console become unbanned by reflashing it or similar

From what I understand a key or identifier in your keyvault is banned forever. This effectively bans your Xbox. It may be possible to transplant one keyvault from another (e.g. dead) Xbox. But I don't know if keyvaults are somehow directly linked to an Xbox apart from the CPU key. Anyway, it's very unlikely you can get the CPU key out of a dead Xbox so you would have to get one out of a working one that never goes on Live. Don't know if that is practical.

> 4) I'm planning on getting a 360 sometime next week so as to get one before this hole is patched, are there any dos or don'ts other than don't go on live and don't play a game released after the next firmware update (which I assume will patch this)?

Keep reading the forums. Don't upgrade to a version until it is known that somebody else was able to downgrade from that version. Buy one sooner rather than later, but be sure about the manufacturing date. You can even see this date in the store: lift up the little "lid" on the outside of the packaging and when you look carefully you will be able to see the date. Earlier than 2007 should be OK. Later is also OK but you'll have to perform this timing attack, which may take a while to become easy and accessible for everyone.

Let me ask a stupid question too: has anyone been able to upgrade to kernel version 5766 (guitar version) with its r6t3 still in place and been able to downgrade again?

Regards,

arnezami
« Last Edit: August 29, 2007, 12:19:39 AM by arnezami »

jacksback (Master Hacker, Posts: 117)
« Reply #134 on: August 29, 2007, 02:22:57 AM »

I'll connect to Live tonight, update from 5759 to 5766, then downgrade to 4532 and report my results, if no one beats me to it :)

Edit - Just read your question again and can't perform the test as I have removed my resistor
« Last Edit: August 29, 2007, 02:26:05 AM by jacksback »

safety (Master Hacker, Posts: 296)
« Reply #135 on: August 29, 2007, 11:30:42 AM »

You gonna love this one...
Can WE burn fuses?
If so, what happens if we burn ALL of them, and encrypt a valid kernel with fuse set?
(all burned)

What happens at NEXT update?
FUSE SET CAN NOT CHANGE!!!!!!

How do Ya like that idea?
uberfry (Xbox Hacker, Posts: 862)
« Reply #136 on: August 29, 2007, 11:34:57 AM »

how about always downgrading from 4532 to 1888 and upgrading again? wow.
that's total M$ pwnage right?
safety (Master Hacker, Posts: 296)
« Reply #137 on: August 29, 2007, 12:03:50 PM »

AA now, the idea is not the same...
Fuses can not be unblown.
If all of them are blown, and a valid flash is made, then if you update,
the CPU key stays the same.
Also it can be a hero attack.
Why?
A chip could change between exploitable version, and actual version.
No need to be afraid of update, fuse set remains the same.
This way the CPU key will not be unique.
So, the chip can be pre-made, and can work on any system.
It could blow all the fuses, and then have 2 flash mems, one with exploitable kernel, encrypted with all blown fuse set, other can be updated anytime. Nothing will change.
Also, even if You have a high kernel version, You could use it without timing attack.

uberfry (Xbox Hacker, Posts: 862)
« Reply #138 on: August 29, 2007, 03:09:27 PM »

BAM! the genius struck!
so go do it and tell us how it went
thanks
safety (Master Hacker, Posts: 296)
« Reply #139 on: August 29, 2007, 03:29:30 PM »

In the first place I was only asking if blowing the fuses can be done.
and after all, this IS the stupid questions thread, isn't it? ;)

but, good idea. I will try to gather info on how fuses are blown, and then if possible I will give it a shot. just to make you feeeeeeal happpppy.

Why won't you buy a flamethrower? :D
just kidding... I get you, getting fancy ideas is one thing, getting the job done is another.
Right?