Geremia
« Reply #60 on: August 21, 2007, 12:43:43 PM »
Hehehe, this project sounds interesting, great job. I can get all the required (or arranged) in some days, if you like.
robinsod
Global Moderator
Xbox Hacker
Posts: 648
Perl packed my shorts during global destruction
« Reply #61 on: August 21, 2007, 02:08:06 PM »
Ok, I got some info from infectus and solved that problem. The integration is "sort of" working (the code is still very rough & hacked together) but I can now test a number of "guesses" with no human intervention.

These are the numbers I see when averaged over 10 samples. I started at 190 and went on until the system failed. Each "Try" is the average of 10 measurement cycles:

Try 190 Result 15062
Try 191 Result 15062
Try 192 Result 15073
Try 193 Result 15060
Try 194 Result 15059
Try 195 Result 15059
Try 196 Result 15061
Try 197 Result 15060
Try 198 Result 15060
Try 199 Result 15060
Try 200 Result 15061

Can you guess the first byte of my hash?

The numbers are in multiples of 50 ns; the timing period is taken from the second rising edge of CE until POST != 0x21. The timings don't make a lot of sense (I haven't really analyzed them & don't really care - I am looking for an easy to measure timing delta).

http://www.national.com/mpf/LM/LM339.html

I think the LM339 is quite a slow comparator and some faster devices might be a possibility.
robinsod
« Reply #62 on: August 21, 2007, 02:39:37 PM »
hehe, I've guessed the second hash byte (the average number of samples has been reduced to 5 - it reduces the period between crashes):

Try 94 Result 15072
Try 95 Result 15073
Try 96 Result 15075
Try 97 Result 15086
Try 98 Result 15071
Try 99 Result 15073
Try 100 Result 15073
Try 101 Result 15069

So far 0xC0, 0x61.

The system is a bit unstable, typically the infectus bombs after 10 erase/write cycles, but that's normal for integration work (I want to add infectus have been really helpful and delivered an excellent product - YOU GUYS ROCK).
« Last Edit: August 21, 2007, 02:47:38 PM by robinsod »
lasonnette
« Reply #63 on: August 21, 2007, 03:00:58 PM »
If someone knows a faster way to make that 1V into at least 2.2V, the delta-time feature can be easily added onto infectus.
Big party tonight! Where? Your mouth! Who's coming? Everybody!
robinsod
« Reply #64 on: August 21, 2007, 03:24:51 PM »
Third (last one tonight - I'm bored) elusive hash byte:

Try 240 Result 15086
Try 241 Result 15083
Try 242 Result 15083
Try 243 Result 15081
Try 244 Result 15093
Try 245 Result 15082
Try 246 Result 15080

To date 0xC0, 0x61, 0xF4.

Edit: I lied, 4th byte:

Try 119 Result 15092
Try 120 Result 15106
Try 121 Result 15094
Try 122 Result 15092
Try 123 Result 15090
Try 124 Result 15094
Try 125 Result 15091
Try 126 Result 15097

To date 0xC0, 0x61, 0xF4, 0x78.

Edit: I sampled the timing 300 times for each of the 4 hash bytes I know plus the next one which I don't (so 5 curves in all). The average, minimum and maximum values were logged as well:

        Hash[0]  Hash[1]  Hash[2]  Hash[3]  Hash[4]
Ave     15060    15072    15083    15094    15105
Min     15051    15061    15074    15085    15096
Max     15070    15081    15094    15104    15117

This Excel file contains data and a graph of the distribution of timing measurements for each hash byte. It's pretty clear the timing attack works. As before, time is in units of 50 ns from the rising edge of CE to the end of hashing (0x21->0xA4).

http://rapidshare.com/files/50439408/Hash_Timing.xls.html

More soon
« Last Edit: August 21, 2007, 06:29:07 PM by robinsod »
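The attack described in replies #61 and #64 (try one byte at a time, average several CE-to-POST timings per guess, keep the candidate that takes longest) as an added simulation; this is not robinsod's tooling or the infectus firmware. The hardware measurement is replaced by a software oracle, and BASE_TICKS, PER_BYTE_TICKS and NOISE_SD are assumptions chosen to resemble the numbers posted (about 15060 ticks for a wrong first byte, roughly +11 ticks per matched byte, single measurements spread about +/-10 ticks around the mean). The early-stop rule and the cycle counter are the added example's own design, not something the thread describes.

```python
"""Byte-at-a-time timing attack on an early-exit hash compare (simulation).

Added example, not code from this thread. The real measurement (second
rising edge of CE until POST leaves 0x21, in 50 ns ticks) is modelled by
TimingOracle; the constants below are assumptions that mimic the posted
figures, not values measured on a console.
"""
import random
from statistics import mean

TICK_NS = 50            # unit used in the thread: one tick = 50 ns
BASE_TICKS = 15049      # assumed: time when the very first byte mismatches
PER_BYTE_TICKS = 11     # assumed: extra ticks per leading byte that matches
NOISE_SD = 4.0          # assumed: per-measurement jitter, in ticks


class TimingOracle:
    """Stand-in for the target: compares the guess against the secret hash
    byte by byte and stops at the first mismatch, so the time it takes
    grows with the length of the matching prefix. Each measure() call is
    one erase/write/boot cycle on the real box."""

    def __init__(self, secret: bytes, seed: int = 0):
        self.secret = secret
        self.rng = random.Random(seed)   # seeded so runs are reproducible
        self.cycles = 0                  # erase/write cycles spent so far

    def measure(self, guess: bytes) -> int:
        self.cycles += 1
        matched = 0
        for g, s in zip(guess, self.secret):
            if g != s:
                break                    # early exit: this is the leak
            matched += 1
        ticks = BASE_TICKS + PER_BYTE_TICKS * matched + self.rng.gauss(0, NOISE_SD)
        return round(ticks)


def avg_time(oracle: TimingOracle, guess: bytes, samples: int) -> float:
    """Average several cycles for one guess (the posted 'Try' numbers are
    averages of 10, later 5, cycles)."""
    return mean(oracle.measure(guess) for _ in range(samples))


def profile(oracle: TimingOracle, guess: bytes, samples: int = 300):
    """Ave/Min/Max over many cycles for one guess, like the 300-sample table."""
    ts = [oracle.measure(guess) for _ in range(samples)]
    return round(mean(ts)), min(ts), max(ts)


def recover_hash(oracle: TimingOracle, length: int, samples: int = 10,
                 step_ticks: float = PER_BYTE_TICKS) -> bytes:
    """Recover `length` bytes, one position at a time.

    Candidates are tried in order and each averaged time is compared with
    the running mean of the candidates already tried. The first candidate
    that is clearly slower (more than 3/4 of the expected per-byte step)
    is accepted at once, which roughly halves the number of cycles. If no
    candidate stands out (e.g. the matching byte was tried first), the
    slowest candidate of the full scan is taken.
    """
    threshold = 0.75 * step_ticks
    known = bytearray()
    for pos in range(length):
        tail = b"\x00" * (length - pos - 1)   # filler after the byte under test
        timings = {}
        seen = []
        for c in range(256):
            t = avg_time(oracle, bytes(known) + bytes([c]) + tail, samples)
            timings[c] = t
            if seen and t - mean(seen) > threshold:
                break
            seen.append(t)
        known.append(max(timings, key=timings.get))
    return bytes(known)


if __name__ == "__main__":
    # Constructed secret: the four bytes recovered in the thread followed by
    # four made-up bytes; not any real console's hash.
    secret = bytes.fromhex("c061f478") + bytes([0x12, 0x34, 0x56, 0x9a])
    oracle = TimingOracle(secret, seed=1)
    found = recover_hash(oracle, len(secret), samples=10)
    print("recovered:", found.hex(), "ok" if found == secret else "WRONG")
    print("erase/write cycles used:", oracle.cycles)
    for k in range(5):
        guess = secret[:k] + b"\x00" * (len(secret) - k)
        print(f"Hash[{k}] matched: Ave/Min/Max = {profile(oracle, guess)}")
```

Averaging is what makes this work: a single cycle jitters by more than the 11-tick step, but the mean of 10 cycles jitters by about a tenth of that, so the matching byte stands out against all 255 others. The cycle counter is there because every measurement is an erase/write of the same flash page, which is the wear problem raised a few replies further down.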
tmbinc
« Reply #65 on: August 21, 2007, 06:56:48 PM »
I just thought a bit about flash wear.
If we investigate the block replacement process (I think it's as easy as a brute force search through the replacement area), we could switch to another page, possibly after some tries. That would prevent the same page from being erased over and over again...
Pretty impressive, btw, your results.
Please don't copy/quote full text outside this board. Instead, summarize and link to this post. Thanks! This lets me keep information updated and doesn't pull things out of context.
arnezami
« Reply #66 on: August 22, 2007, 12:22:49 AM »
Just bought some popcorn. This is turning out to be a great show! Man, that looks so cool. Feels like a historical moment is coming up...
« Last Edit: August 22, 2007, 12:50:09 AM by arnezami »
robinsod
« Reply #67 on: August 22, 2007, 03:24:31 AM »
> I just thought a bit about flash wear.
> If we investigate the block replacement process (I think it's as easy as a brute force search through the replacement area), we could switch to another page, possibly after some tries. That would prevent the same page from being erased over and over again...

Fortunately Arakon has a box with the 10th block marked as bad, should reduce the guesswork...

> Pretty impressive, btw, your results.

Thanks
lasonnette
« Reply #68 on: August 22, 2007, 04:18:41 AM »
> I just thought a bit about flash wear.
> If we investigate the block replacement process (I think it's as easy as a brute force search through the replacement area), we could switch to another page, possibly after some tries. That would prevent the same page from being erased over and over again...
> Pretty impressive, btw, your results.

How about a temporary FIFO with some logic around it? He's got infectus, it'll be done maybe still today.
robinsod
« Reply #69 on: August 22, 2007, 07:28:42 PM »
Done it! My bricked box - one blown eFuse but no CPU key and no valid flash dump that would boot (I did have a valid 2241 dump though that would no longer boot because of the eFuse) - is now alive and well and booting 2.0.1888 with a patched CB (LD count = 1) and a "guessed" hash. Even doing it "manually" only took 3 evenings. Now, sleep.
sentinel0
« Reply #70 on: August 22, 2007, 07:36:30 PM »
Awesome work. By any chance, does anyone know where to get an infectus in the States?
« Last Edit: August 22, 2007, 08:14:20 PM by sentinel0 »
stonersmurf
« Reply #71 on: August 22, 2007, 09:28:48 PM »
> Done it! My bricked box - one blown eFuse but no CPU key and no valid flash dump that would boot (I did have a valid 2241 dump though that would no longer boot because of the eFuse) - is now alive and well and booting 2.0.1888 with a patched CB (LD count = 1) and a "guessed" hash. Even doing it "manually" only took 3 evenings. Now, sleep.

Great news. Keep up the good work!
uberfry
« Reply #72 on: August 22, 2007, 11:12:16 PM »
Great work Karl. www.hardstore.com for all your infectus needs.
arnezami
« Reply #73 on: August 22, 2007, 11:19:43 PM »
> Done it!

Awesome! BIG congratulations. It's another one of those good days.

> Now, sleep.

Sweet dreams.
Dense
Newbie
Posts: 1
« Reply #74 on: August 23, 2007, 02:36:00 AM »
Congratulations on this effort.
I have a few questions that I'd like to know the answer to that follow on from where this hack leads us. Doors are opening for some very interesting developments.
1) Is this timing attack done on the kernel before or after it's downgraded? I am probably wording this incorrectly, but do you put the NAND dump on then do the timing attack? Or use the current working kernel?
2) Following on from the previous question, will future software upgrades from Microsoft lock out this process? Is it advisable to prevent future firmware upgrades before the CPU key is extracted? (Obviously once we have the CPU key it doesn't matter what Microsoft does.)
3) Once we have the CPU key using this exploit, this allows changes to be made to the key vault? I know this means we can change the DVD serial number (allow the use of any 360 DVD drive), region coding and hopefully machine account (is the machine account stored in the KV?).
4) If the machine account is stored in the KV, changing this should allow a banned 360 to work on Live again? If a damaged motherboard had the NAND extracted (using hardware tools), this information could be updated on the exploited system to make it look like a different system and thus allow it to regain Live access. Is this correct?
Surrido
« Reply #75 on: August 23, 2007, 02:54:26 AM »
VICTORY  Great work!
Ellex80
Guest
« Reply #76 on: August 23, 2007, 03:27:22 AM »
CONGRATULATIONS, good job Karl.
parasven
« Reply #77 on: August 23, 2007, 03:37:47 AM »
This is so great, looking forward to trying this on my Xbox. Good job to all involved.
atiman
« Reply #78 on: August 23, 2007, 04:28:31 AM »
/applause