gigabite
« Reply #200 on: November 25, 2007, 06:18:00 AM »
> What hardware do we actually need to be connected to get a NAND dump and the downgrader to function?

An Infectus (tools for soldering it in etc.) and a "downgrader" board (homebuilt, or wait 10 days for the Infectus one to come out).

> Should I reconnect all the fans (and place the air guide back on), DVD drive, and video cable?

Yes, and make sure you screw in ALL the screws except the case screws (the long ones), because improper grounding (i.e. not screwing it into the grounding shield) will cause error 0020 (2RL).

> With all the connections on the bottom of the xbox motherboard, I was hoping to run the xbox outside of the case while doing the timing attack, but I suspect the fans are necessary.

You can do this (just make your wires longer)... the data lines are easy (you can connect them to the start of the resistors) but the power lines are harder - overall, I'd say make your wires longer (BUT NOT TOO LONG... you can go up to around 15cm per wire [I didn't have any trouble with this length]) and use the bottom of the motherboard, much easier.

> Also, for 5V and GND on the downgrader add-on, should I just use the same 5V and GND I give to the infectus chip from the 360 motherboard?

I'd use the 5v and GND coming from the computer to the infectus (so your power to the downgrader board is being supplied by the computer's USB port).

gigabite
 .ISO - he's a wannabe ... feel part of "t3h sc33n" yet ? QQ coming 2009 

Thinkdiff
« Reply #201 on: November 25, 2007, 03:12:26 PM »
> An Infectus (tools for soldering it in etc.) and a "downgrader" board (homebuilt, or wait 10 days for the Infectus one to come out).

Well, I'm not THAT stupid ... I meant more along the lines of DVD drive and fans.

> I'd use the 5v and GND coming from the computer to the infectus (so your power to the downgrader board is being supplied by the computer's USB port).

Do you happen to know which points on the infectus provide 5V and GND from the USB port?
http://www.infectus.biz/forum/index.php?action=dlattach;topic=160.0;attach=23;image
Should I use that top 5V point? Also, with 5V/GND coming from the computer and the rest of the power coming from the xbox, there won't be any grounding loop issues?

Thanks for the reply

Arakon
« Reply #202 on: November 25, 2007, 03:18:10 PM »
you can use that top one. the ground points are all connected together anyways.
I do NOT give support by email, PM, ICQ or whatever. Anyone annoying me that way will have his balls removed. With a rusty butterknife. Slowly. And I'll enjoy doing it.

gigabite
« Reply #203 on: November 25, 2007, 07:46:42 PM »
I wouldn't use that source for 5v because it's the power regulator - you see the 5 pins from where the USB port is soldered onto the infectus (which should only be 4). This is a "pinout" (which I would use to get my 5v from):
5v>| data>| 3.3v>| data>| gnd>|
(the data and gnd could be mixed up because a normal usb only has 4 pins... 5v data data gnd - but the rest of the lines are accurate - I just measured them for ya now)
this pinout is made looking at the infectus with the writing the right way, or the SST logo facing the right way, or the 5v and gnd points on the infectus being at the bottom
gigabite

Thinkdiff
« Reply #204 on: November 25, 2007, 08:14:21 PM »
Thanks! I was originally going to pull the power from those points as well. I'll double check them with my multimeter before hooking everything up.

amadeus
« Reply #205 on: November 25, 2007, 11:26:01 PM »
Can anyone answer these 3 yes/no questions?

* Is this the attack sequence?: Time Attack => CB hash from keyvault => downgrade to 1888 kernel => upgrade to exploitable kernel => KK Attack => cpu key => decrypt keyvault => execute unsigned xex
* Are the keys in the keyvault private keys?
* Is CB the hash of the 2nd bootloader?
« Last Edit: November 25, 2007, 11:40:26 PM by amadeus »

roofus
« Reply #206 on: November 25, 2007, 11:40:06 PM »
I like this one, yes or no.

> Can anyone answer these 4 yes/no questions?
> * Is this the attack sequence?: Time Attack => CB hash from keyvault => downgrade to 1888 kernel => upgrade to exploitable kernel => KK Attack => cpu key => decrypt keyvault => execute unsigned xex
> * Are the keys in the keyvault private keys?
> * Is CB the hash of the 2nd bootloader?
> * Is the hypervisor built into the cpu?

No. If by private you mean per-console/unique, then mostly Yes. No. No.

Megabug
« Reply #207 on: December 26, 2007, 05:28:12 PM »
Ok, it's a bit late now (at least in my time zone) but I have some questions: (I prefer asking twice before making mistakes...) When I buy an infectus2 I need a level shifter board... With this connection I can get the CPU Key AND flash the NAND, right? I read much about the problems with different diodes to lower the voltage... where is the voltage needed? (1,4V or so) Is it for the "other side of the level shifter"? I would use this shifter: http://www.maxim-ic.com/quick_view2.cfm/qv_pk/4187 Sounds usable ... or am I not getting something right? Thanks! (for your patience...)

vax11780
« Reply #208 on: December 26, 2007, 06:20:09 PM »
The infectus can flash the NAND. The level shifter is only used to get the CPU key.
A diode/resistor solution will not work reliably for everyone, and will require hand tweaking to get it to work for each console. The problem is with raising Voh to meet the Vih (min) of the Infectus without raising Vol above Vil (max). Basically, no combination of resistors/diodes will work.
The Maxim part looks like a good match. You will need to generate the Vl supply or find a supply pin on the CPU that is 1.2V. A simple resistor divider from 3.3V would probably work as well. Vcc should be 3.3V.
Let us know how it works.
VAX
Join my Folding@Home team! Download software from folding.stanford.edu, and join team 13356. PS3's welcome!
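The two points in vax11780's reply above, that a passive resistor/diode network cannot lift Voh to Vih(min) without also lifting Vol past Vil(max), and that a resistor divider from 3.3V can generate the 1.2V Vl supply, worked through as an added Python example (not code from the thread, Infectus or Maxim); every voltage figure in it is a constructed placeholder, since the thread gives no datasheet thresholds:

```python
"""Level-shifter sanity checks for the POST port to Infectus interface.

Added example, not code from the thread, Infectus or Maxim. The voltage figures
in the demo are constructed placeholders (the thread only says the POST port
swings roughly 0-1.2 V and the Infectus side is 3.3 V/5 V logic); substitute
the datasheet values of your own parts.
"""
from itertools import product

# E12 resistor values in kilo-ohm over three decades: 100 ohm .. 82 kohm.
E12 = [1.0, 1.2, 1.5, 1.8, 2.2, 2.7, 3.3, 3.9, 4.7, 5.6, 6.8, 8.2]
VALUES_K = [round(v * d, 3) for d in (0.1, 1, 10) for v in E12]


def noise_margins(voh, vol, vih_min, vil_max):
    """(high margin, low margin) in volts; both must be >= 0 for valid levels."""
    return voh - vih_min, vil_max - vol


def passive_offset_window(voh, vol, vih_min, vil_max):
    """Range of DC offsets a unity-gain resistor/diode network could add.

    Such a network lifts Voh and Vol by the same amount, so one offset must
    satisfy voh + off >= vih_min AND vol + off <= vil_max. Returns (lo, hi),
    or None when the window is empty: no resistor/diode combination works.
    """
    lo, hi = vih_min - voh, vil_max - vol
    return (lo, hi) if lo <= hi else None


def design_divider(vin, vtarget, i_load_ma=0.0, i_min_ma=1.0):
    """Pick E12 R1 (top) / R2 (bottom) whose loaded output is nearest vtarget.

    The load (e.g. the shifter's VL supply pin) is modelled as a current sink;
    i_min_ma keeps the divider current well above it so the output does not
    sag. Returns (r1_k, r2_k, vout).
    """
    best = None
    for r1, r2 in product(VALUES_K, repeat=2):
        if vin / (r1 + r2) < i_min_ma:   # V / kohm == mA
            continue
        vth = vin * r2 / (r1 + r2)       # Thevenin open-circuit voltage
        rth = r1 * r2 / (r1 + r2)        # Thevenin source resistance
        vout = vth - i_load_ma * rth     # sag caused by the load current
        err = abs(vout - vtarget)
        if best is None or err < best[0]:
            best = (err, r1, r2, vout)
    return best[1], best[2], round(best[3], 3)
```

With the constructed levels 1.1 V / 0.05 V against Vih(min) 2.0 V and Vil(max) 0.8 V, `passive_offset_window(1.1, 0.05, 2.0, 0.8)` returns None, while `design_divider(3.3, 1.2)` returns an E12 pair whose output lands within a few millivolts of 1.2 V.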

Megabug
« Reply #209 on: December 26, 2007, 09:04:47 PM »
So the 1,2V are only for the other side of the shifter... okay. I can get these easy with a voltage regulator or z-diode and resistor. So no problem there. I am a little bit confused with flashing the NAND because I could not find the schematics for that. Thanks for your answer.

vax11780
« Reply #210 on: December 26, 2007, 10:14:26 PM »
> So the 1,2V are only for the other side of the shifter... okay. I can get these easy with a voltage regulator or z-diode and resistor. So no problem there. I am a little bit confused with flashing the NAND because I could not find the schematics for that. Thanks for your answer.

http://www.infectus.biz/tutorial360nand-en.php

Your best bet is to ask questions on the Infectus forum rather than here.

VAX

Shaun
« Reply #211 on: December 27, 2007, 05:00:13 AM »
the infectus is used to access the nand image. the level shifters provide a way to read the post port on the 360, which runs @ 0-1v (or similar) levels, so 'something' is needed to get it to talk to the 0-5v level infectus. once infectus can access flash ok and monitor the post port, that is where robinsod's software gets going, which hopefully finds your hash, enabling you to 'make' a base 1888 kernel complete with your still encrypted keyvault. this is fine if you have a pre-falcon board atm, as you can then upgrade to a vulnerable kernel

Megabug
« Reply #212 on: December 27, 2007, 09:26:51 AM »
> > So the 1,2V are only for the other side of the shifter... okay. I can get these easy with a voltage regulator or z-diode and resistor. So no problem there. I am a little bit confused with flashing the NAND because I could not find the schematics for that. Thanks for your answer.
>
> http://www.infectus.biz/tutorial360nand-en.php
> Your best bet is to ask questions on the Infectus forum rather than here. VAX

Yeah, I know this tutorial... but do you see any schematics in there? I don't! (I am a little bit blind, but that should be corrected with my glasses)

@Shaun
Well okay. I was just curious where the 1.2V are needed. I know what a level shifter is for. What the exact voltage is for my shifter I can find out with my oscilloscope. So no problem there. Thanks.

PS: Now I have to get an infectus... from Italy or so.

Arakon
« Reply #213 on: December 27, 2007, 09:41:51 AM »

Megabug
« Reply #214 on: December 27, 2007, 09:46:16 AM »
Thanks! So now wait for Maxim to deliver and make my pcb for the level shifter.

Pence128
« Reply #215 on: December 28, 2007, 09:59:32 PM »
Yes! found the stupid questions thread!
could you perform the timing attack on a 360, upgrade to the vulnerable kernel, and then copy that to an identical flash chip, which you could then solder in parallel with a switch for the CE pins? then you could have one flash for being a normal box and playing on XBL, and another flash for KKing Linux. I suppose you'd either have to not install Linux to the HD or use another HD for it, so XBL doesn't ban you for having a messed one. it would be pretty nice though, just having a switch on the front to go between Linux and XBL mode.
note: I don't actually have a 360 right now, I'm trying to justify spending $400 on video games by it being a computer too.
Pence

gigabite
« Reply #216 on: December 29, 2007, 12:44:01 AM »
yes....you could also copy it to an XD card (check the xd card thread - search)...but only 2 specific readers work - buy a 360...just research the hairdryer trick also...
gigabite

Pence128
« Reply #217 on: December 29, 2007, 02:27:40 AM »
wait, nand flash == a 16MB xD card? wow, talk about convenient. the hairdryer trick is to get the warranty stickers off without breaking them, right? I wonder if I can remove all evidence of gobs of solder....
that would make it pretty awesome though, have a slot hanging out of the back and swap kernels in and out at will.
Just found a data sheet on the flash, did a double take, then a double double take. WTF? 48 pins, but 28 are NC?
well, this just goes to show that I don't know anything about nand flash.
I suppose with the price of USB sticks now, you could just use one of those to install Linux to.
speaking of all this mess, is there a place where I can read up on the combined understanding of the 360? What I know about the boot process is that the CPU rom (1bl) checks a tiny bit of the flash, and that bit keeps snowballing into the kernel + all the patches, and there's a file system in the nand that has a bunch of C something files.
thanks much, Pence

a360
« Reply #218 on: December 29, 2007, 02:40:50 PM »
While you're at it, look up 'heatgun' (NOT good for warranty stickers) and 'three red lights of Death' (a common homebrew 360 program). Its sequel 'Lord of the red ring' (of Death) is pretty common as well.

Pence128
« Reply #219 on: December 29, 2007, 04:40:52 PM »
3 rrod == bad GPU solder connection, yes? as for heat gunning my mobo I'm...... hesitant.
now, a common cause of the 3 rrod is a crappy stock clamp that breaks BGA ball joints? is changing it recommended? or did I read that wrong?
if only we had a rich friend with a SEM that we could send a dead CPU to, to read the rom (a la original Game Boy). mmmm.... nitric acid.....