lasonnette
« Reply #20 on: August 10, 2007, 10:20:21 AM »
I don't know how many burned fuses I have... but my version is pre 4552... something in the 2xxx. I have an Infectus and eval board for A3P250... no problem in testing... my USB core works also. Today I'll at least try to get Japanese games working on my console WITHOUT flashing.

Big party tonight! Where? Your mouth! Who's coming? Everybody!

growlley
« Reply #21 on: August 11, 2007, 02:44:51 AM »
Sorry if it's a really stupid question, I've not had a morning coffee yet, but am I correct in thinking this method could also be used to recover boxes with a lost key?
i.e. use timing attack to run earlier kernel as mentioned, upgrade to a KK exploitable kernel and then use Linux to dump the key and fuses?
thanks

arnezami
« Reply #22 on: August 11, 2007, 03:36:54 AM »
> Sorry if it's a really stupid question, I've not had a morning coffee yet, but am I correct in thinking this method could also be used to recover boxes with a lost key?
> i.e. use timing attack to run earlier kernel as mentioned, upgrade to a KK exploitable kernel and then use Linux to dump the key and fuses?
> thanks

This attack would allow you to downgrade. If you have a completely working Xbox it essentially allows you to do all kinds of stuff (because you can extract the CPU key and decrypt the keyvault) like running Linux, changing region etc. (probably more to come). This is because you can downgrade to an exploitable kernel and extract the important stuff.

However, right now extracting the keyvault (which also contains the DVD key, I'm presuming that's the "lost key" you are referring to) can only be done using the one and only exploit found so far in early kernel versions (4532, 4548). But you need a working DVD to run the King Kong exploit! Without a DVD key this KK exploit won't work (it's a bit of a chicken and egg problem).

So if you are referring to the DVD key being lost then this attack alone won't revive your Xbox. However, if a new exploit is found in any of the early kernel versions that doesn't require a working DVD then this downgrading attack combined with that new exploit will probably do the trick.

Regards, arnezami

PS. @lasonnette: sounds like a plan. First trying to get the NAND emulator to get to work properly.

« Last Edit: August 11, 2007, 03:47:26 AM by arnezami »

lasonnette
« Reply #23 on: August 11, 2007, 06:20:49 AM »
Do you have enough money to buy 16MB of SRAM? I don't 

arnezami
« Reply #24 on: August 11, 2007, 06:31:38 AM »
> Do you have enough money to buy 16MB of SRAM? I don't

I was referring to you going to change the kv on-the-fly (I assume that's what you were talking about when you said you want to change the region without flashing). Since the kv is quite small (and the CB-auth page even smaller) there is no need for 16 MB of SRAM. So what I meant was not a full NAND emulator but only a partial one (with FIFO).

Regards, arnezami

« Last Edit: August 11, 2007, 07:17:38 AM by arnezami »

lasonnette
« Reply #25 on: August 11, 2007, 06:44:29 AM »
In the evening I will post results...

growlley
« Reply #26 on: August 11, 2007, 08:57:54 AM »
Arnezami, thanks for the reply, it was the DVD key from the key vault I meant. To avoid the 'chicken and egg' situation, could you downgrade the kernel and then upgrade to the exploitable version and run the KK exploit off a modified kiosk disk?

arnezami
« Reply #27 on: August 11, 2007, 09:06:26 AM »
> Arnezami, thanks for the reply, it was the DVD key from the key vault I meant. To avoid the 'chicken and egg' situation, could you downgrade the kernel and then upgrade to the exploitable version and run the KK exploit off a modified kiosk disk?

No. The kiosk disc is revoked for 4532 and 4548.

« Last Edit: August 11, 2007, 09:22:00 AM by arnezami »

lasonnette
« Reply #28 on: August 11, 2007, 02:21:59 PM »
Bloody f****** hell, I still haven't managed to retrieve my CPU key... this console hates me... First I burned King Kong, fully stealthed, and then it wouldn't boot (it showed the Microsoft logo and then it just blocked at that...). Now I'm burning it again... if it doesn't work then screw this. And I burned the 4548 update a dozen times on CD-R, still doesn't work... shows as mixed media disc. Gears of War plays good though. I give up. I'm frustrated. I have 1 DL left. Screw this.

« Last Edit: August 11, 2007, 03:16:03 PM by lasonnette »

Ellex80
Guest
« Reply #29 on: August 11, 2007, 03:28:27 PM »
I'm not sure, but I only know about the HD-DVD update CD. This update is kernel 4532. Burn the CD with XP (default.xex + system update), but first check the md5sum:
http://www.free60.org/wiki/Kernel
http://www.free60.org/wiki/First_Steps
And I recommend to flash your drive with "non stealth" firmware, i.e. xtreme5.3 works fine, and Linux boots fine, too. Sorry for bad English.

lasonnette
« Reply #30 on: August 11, 2007, 04:18:18 PM »
I've tried 59 1.7, 59 2.4, 78 2.4, 78 1.7... (Hitachi) also the ixtremes...I found ONE more DL, let's just hope it'll work... (btw, it's Mediarange...I hear they're really good...) wish me luck...

arnezami
« Reply #31 on: August 12, 2007, 03:00:22 AM »
> Bloody f****** hell, I still haven't managed to retrieve my CPU key... this console hates me... First I burned King Kong, fully stealthed, and then it wouldn't boot (it showed the Microsoft logo and then it just blocked at that...). Now I'm burning it again... if it doesn't work then screw this. And I burned the 4548 update a dozen times on CD-R, still doesn't work... shows as mixed media disc. Gears of War plays good though. I give up. I'm frustrated. I have 1 DL left. Screw this.

To isolate your problem you might wanna burn the unpatched KK iso onto a disc and see if it works. Then you can better determine what's causing the problem: media / iso / patch / fw. Assuming you wanna get your CPU key at some time anyway...

Regards, arnezami

« Last Edit: August 12, 2007, 03:04:12 AM by arnezami »

lasonnette
« Reply #32 on: August 12, 2007, 04:50:59 AM »
It's my burner. I tried burning a perfect copy of GOW and it didn't work (ripped correctly!)... it still said "write overburn" in CloneCD...
Oh well, we'll have to wait until I get a Pioneer burner...

tumba
« Reply #33 on: August 16, 2007, 09:01:16 PM »
No updates for a long time, what is going on?

lasonnette
« Reply #34 on: August 17, 2007, 09:03:32 AM »
Erm, today I found a company that sells DVR-112D in my country and I travelled the long way to get one, so HOPEFULLY news this evening (that is if it burns perfectly and I can retrieve my CPU key).

lasonnette
« Reply #35 on: August 17, 2007, 06:03:53 PM »
OK, so I've been able to boot Gentoo Linux (yay), but still haven't retrieved my fuseset... Tomorrow I'll build that serial cable and then we'll see...

jas0nuk
« Reply #36 on: August 18, 2007, 05:22:09 AM »
You could use XeLL which prints it to screen on boot 

parasven
« Reply #37 on: August 18, 2007, 05:42:59 AM »
@lasonnette does this mean that you were able to downgrade via the timing attack?

lasonnette
« Reply #38 on: August 18, 2007, 09:10:46 AM »
Not yet... I have yet to confirm if my idea of on-the-fly patching works... and I don't know how besides changing something in the keyvault (like region) to prove it works... My problem now is that I can't access my USB stick or iPod... no root = no mount. Anyone know the root password for the newest Gentoo live CD?

lasonnette
« Reply #39 on: August 18, 2007, 10:13:18 AM »
alright, got my 1BL, fuseset and the nand flash dump (thanks arnezami!) trying region change now! laters