Timing attack - stupid questions thread.

[SOWA_PL]

Somebody could post a schematic of this daughterboard?

And one more question because I don't know that I understand it correctly- can I use xD card reader for dump the NAND flash or need I infectus?

[drstoopid]

I don't see how much sense it would make if the schematic was posted...
Yes, you can use an xD/SM card reader to dump and write the contents
however, you won't have the ECC bytes unless you have that (Olympus?) cardreader or Infectus.
Sure, you can calculate the ECC bytes using 7S's tool, but you can't rewrite them into the nand flash

And also, what are you going to do without the software?
Just wait until it's all ready

[Tiros]

This looks like it might work, without any external resistors at all, and its faster too:

http://www.maxim-ic.com/quick_view2.cfm/qv_pk/3672

[KoenigUnhold]

Hi Tiros,

This looks like it might work, without any external resistors at all, and its faster too:

Just a quick question - where do you tab the 1.2V needed for VL? I guess you'll need a "real" voltage source for VL, a voltage divider won't do in this case (unless you choose very low values for the resistors).

Other than that, I see no reason why this shouldn't work. Digikey sells this IC for around 2.10 USD (if you order at least 74 each :-), which is a bit more expensive than a pair of widely available LM339 that cost around 0.43 USD/each.

Regards,
KoenigUnhold

[Tiros]

Just a quick question - where do you tab the 1.2V needed for VL? I guess you'll need a "real" voltage source for VL, a voltage divider won't do in this case (unless you choose very low values for the resistors).

Other than that, I see no reason why this shouldn't work. Digikey sells this IC for around 2.10 USD (if you order at least 74 each :-), which is a bit more expensive than a pair of widely available LM339 that cost around 0.43 USD/each.

Regards,
KoenigUnhold

I would think there is some type of Vcore available. In any event a zener diode and single resistor would be good enuf.
As for the cost, well 1 part versus 2 plus a dozen or so resistors? For handbuilding its a no brainer.

[KoenigUnhold]

I would think there is some type of Vcore available.

Can you pin-point its exact location? I'm curious :-)

In any event a zener diode and single resistor would be good enuf.

A 1.2V Zener diode - really ... ;-) Haven't seen such a thing yet.

As for the cost, well 1 part versus 2 plus a dozen or so resistors? For handbuilding its a no brainer.

Sure, the cost differential is negligible for a DIYer, but you still have to name a source that supplies this IC in low quantities? The best supplier I could find was DigiKey and they would only sell me at least 74 each. In contrast, the LM339 is almost everywhere in stock at low prices. I don't think the Maxim IC you've chosen will rival the LM339 for this particular purpose.

[Tiros]

Can you pin-point its exact location? I'm curious :-)

If your too stoopid to find such a point yourself, than perhaps this is more than you can handle.

A 1.2V Zener diode - really ... ;-) Haven't seen such a thing yet.

So use 2 diodes in series, or better still an LED, which also makes a handy pwr indicator.
Or if your anal buy this:
http://www.analog.com/UploadedFiles/Data_Sheets/ADR512.pdf

Sure, the cost differential is negligible for a DIYer, but you still have to name a source that supplies this IC in low quantities? The best supplier I could find was DigiKey and they would only sell me at least 74 each. In contrast, the LM339 is almost everywhere in stock at low prices. I don't think the Maxim IC you've chosen will rival the LM339 for this particular purpose.

Well you can buy qty 1 right from Maxim for like $2.50.
I really dont know why you want to argue about it.
Your having a problem with even coming up with a simple voltage source indicates to me that your techinical expertise is minimal and useless here.

Why dont you just do whatever it is that blows your own skirt.
It was just a suggestion it wasnt really up for techincal debate, and I will debate it no further with a noob such as yourself, regardless of your reply.
If you feel like wiring up a bunch of extra parts go for it!

[KoenigUnhold]

I really dont know why you want to argue about it.

Your solution is neither well suited for large scale production nor for anyone who intends to build something like that at home. That's what I was trying to argue about with you.

Your having a problem with even coming up with a simple voltage source ...

No, I don't have a problem with that, but it looks like you do. That's why I kept asking ironic question. You obviously failed to get the point.

A good voltage source has low output imedance.

It was just a suggestion it wasnt really up for techincal debate.

If you don't feel like debating, you probably shouldn't post on a forum. Or is it, that you lack the technical knowledge to undermine your affirmations?

Regards,
KoenigUnhold

[ivc]

I updated a 360 with known CPU Key to the latest 5787 Xbox Live update and I can confirm that downgrading is still possible.

The R6T3 resistor is still in place. First dumped 5766, updated to the latest 5787, dumped the new kernel, found the new LDV count (6, +1 increment from 5766), opened the old 5766 kernel, patched the LDV, flashed the modified 5766 kernel back to NAND, and the 360 booted fine. No problems encountered.

MS probably didn't change anything in this update hindering downgrade, at least if the CPU Key is know. Will test if the timing attack is possible tomorrow.

ivc

[arnezami]

I updated a 360 with known CPU Key to the latest 5787 Xbox Live update and I can confirm that downgrading is still possible.

The R6T3 resistor is still in place. First dumped 5766, updated to the latest 5787, dumped the new kernel, found the new LDV count (6, +1 increment from 5766), opened the old 5766 kernel, patched the LDV, flashed the modified 5766 kernel back to NAND, and the 360 booted fine. No problems encountered.

MS probably didn't change anything in this update hindering downgrade, at least if the CPU Key is know. Will test if the timing attack is possible tomorrow.

ivc

Can you still decrypt the keyvault in the new 5787 dump?

[arnezami]

Ok. Just got some info. The 5787 does not just add support for "big button".

Normal Flash Tool cannot apply the 5787 patch in the CF/CG!

[edit] False alarm on the kv decryption it seems [/edit]

For now it looks ok. But wait for more news before even thinking about upgrading !

arnezami

[robinsod]

Hi

Check the CB & CD version, if 1920 then they have been upto something in the way compression/encryption is applied to the Kernel and Filesystem. I had hoped to release a new version of the tool today that worked around it but as you noticed, I messed up

It seems machines RMAed recently are coming back with newer firmware. But the same update applied to  an older firmware still works. This update's not a threat but the next one probably will be  

[arnezami]

Hi

Check the CB & CD version, if 1920 then they have been upto something in the way compression/encryption is applied to the Kernel and Filesystem. I had hoped to release a new version of the tool today that worked around it but as you noticed, I messed up

It seems machines RMAed recently are coming back with newer firmware. But the same update applied to  an older firmware still works. This update's not a threat but the next one probably will be  

CB, CD en CE are all 1888.

CF has been changed at several points it seems (compared to 5766). Will take a look at that.

arnezami

[Surrido]

well, my suggestion was to delay the release of the success/progesss on the timing attack to after halo3 release... that one will increase the number of boxes by far and we would know what and if the halo 3 disk needs an update...

[Geremia]

halo3 comes with a 5766 dashupdate (like Stranglehold).

[ivc]

Can you still decrypt the keyvault in the new 5787 dump?

Yes, the key vault in 5787 decrypts fine with 360 Flash Tool 0.81 (with cpu key set). Verified the KV.bin, it contains the serialnumber, certificates, etc.

CB, CD en CE are all 1888.

CF has been changed at several points it seems (compared to 5766). Will take a look at that.

Correct, the dump I made was on a 360 with 1888 base kernel. After the update it's still 1888.

well, my suggestion was to delay the release of the success/progesss on the timing attack to after halo3 release... that one will increase the number of boxes by far and we would know what and if the halo 3 disk needs an update...

Halo 3 comes with a 5766 update. Currently 5787 can only be found on Xbox Live.

[arnezami]

http://forums.xbox-scene.com/index.php?showtopic=620515&st=15
perhaps we will have a openxdk360
and have something like the psp

This might be helpful for the average user that doesn't have access to a devkit and wants to write some small apps/demos.  To port anything larger like XBMC, Mame, etc. it helps to use the official debug kit, compiler, and debugger.  Visual Studio is so much easier to work with than gdb/gcc.  How many popular Xbox1 homebrew do you know that were written without the official MS XDK?  I'm sure there are other developers also waiting for XDK support before we jump into 360 homebrew.

Ok. If you had a say in this where would you like the hacker community to focus on:

• For every xbox 360 to be able to run unsigned xex-es without needing (too much) hardware
• For every developer to turn his xbox 360 into a debug or full dev kit machine
• For every xbox 360 user not having to worry about having to choose between running homebrew vs. running new games/going live (like dual kernel solutions).
• For drivers to be available for every piece of hardware on the xbox 360 (and developing an open XDK).
  
  

Would like to hear from your perspective .

Regards,

arnezami

[DRAGUNOV_Lq]

sorry for asking but have we a easy way to get cpu-key without infectus?
i want to change 360 region but i dont know how
i have played live today so my kernel most be final version right?which is this kernel version now?

many thanks

[Ellex80]

you don`t need a infectus to get the cpu-key.
but how do you flash the patched nand ?
so you need a infectus.

the easiest way to get the cpu-key 
[/url]http://arisme.free.fr/Xbox/Fuse360/[/url]


Requirement

The usual stuff - as described on Free60

    * A vulnerable Xbox 360 kernel (4532/4548 or older)
    * A patched Xbox 360 DVD firmware to read home made DVD9
    * A King Kong original game patched with the XeLL shader exploit

[moshin111]

no the infectus downgrader chip is out when u guys will release an easy to understand tutorial to downgrade xbox 360 without cpu key
i wanna downgrade my 360 and i m not a hacker or brilliant to understanding this method
all u guys are enjoying a downgraded xbox what about noobs
think of noobs please 
a step by step tutorial is needed
thanks in advance