Surrido

« on: September 26, 2007, 08:06:03 AM »

I was wondering if we still don't have the ability to get the DVD key from the NAND...
or do we?

torne

« Reply #1 on: September 26, 2007, 09:31:56 AM »

Not yet, no. The timing attack allows you to get an exploitable kernel to boot without knowing the CPU key, but you still need to be able to actually boot KK to run the exploit and dump the keyvault with the DVD key in it.

- Bad ARM, no cookie for you. UQADDSUBXEQ is not a RISC instruction. - I fail at hardware. I code pretty awesome, though.
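
As an added illustration of the kind of weakness torne's "timing attack" refers to (example code written for this page, not code from the thread and not the Xbox 360 bootloader's actual comparison routine): a toy verifier that compares a stored 20-byte digest against a candidate byte by byte and returns on the first mismatch, next to a constant-time version of the same check. The verifier classes, the digest length and the simulated tick counter used in place of measured time are assumptions of the model.

```python
"""Toy model of a timing side channel in a digest comparison.

Added example, not code from the thread and not the Xbox 360 bootloader's
real comparison routine. The leaky verifier checks a stored 20-byte digest
against a candidate one byte at a time and returns on the first mismatch,
so the number of loop iterations (a simulated tick counter here, not real
time) reveals how long the matching prefix is.
"""
import hashlib
import hmac

DIGEST_LEN = 20  # SHA-1 sized digest; an assumption of the model


class LeakyVerifier:
    """Early-exit comparison: cost grows with the length of the matching prefix."""

    def __init__(self, secret_digest: bytes):
        self._secret = secret_digest
        self.ticks = 0  # simulated clock: one tick per byte compared

    def check(self, candidate: bytes) -> bool:
        self.ticks = 0
        if len(candidate) != len(self._secret):
            return False
        for a, b in zip(candidate, self._secret):
            self.ticks += 1
            if a != b:
                return False  # the leak: stop as soon as one byte differs
        return True


class ConstantTimeVerifier(LeakyVerifier):
    """Same interface, but always walks the whole digest and OR-accumulates differences."""

    def check(self, candidate: bytes) -> bool:
        self.ticks = 0
        if len(candidate) != len(self._secret):
            return False
        diff = 0
        for a, b in zip(candidate, self._secret):
            self.ticks += 1
            diff |= a ^ b
        return diff == 0


def recover_digest(verifier: LeakyVerifier, length: int = DIGEST_LEN):
    """Rebuild the secret digest one byte at a time from the tick count.

    With the first pos bytes already correct, a wrong guess at position pos
    stops after pos+1 ticks while the right guess runs at least one tick
    further. Returns None when no guess stands out (no timing leak).
    """
    known = bytearray()
    for pos in range(length):
        best_guess, best_ticks, seen = None, -1, set()
        for guess in range(256):
            candidate = bytes(known) + bytes([guess]) + bytes(length - pos - 1)
            if verifier.check(candidate):
                return bytes(candidate)  # full match (last byte, or padding happened to fit)
            seen.add(verifier.ticks)
            if verifier.ticks > best_ticks:
                best_guess, best_ticks = guess, verifier.ticks
        if len(seen) < 2:
            return None  # every guess cost the same: the comparison leaks nothing
        known.append(best_guess)
    return bytes(known)


def example_secret() -> bytes:
    """Constructed stand-in for the digest a verifier would hold (20 bytes)."""
    return hmac.new(b"constructed console key", b"constructed boot image", hashlib.sha1).digest()


if __name__ == "__main__":
    secret = example_secret()
    print("leaky   :", (recover_digest(LeakyVerifier(secret)) or b"").hex())
    print("constant:", recover_digest(ConstantTimeVerifier(secret)))
```

Against the early-exit verifier, recover_digest rebuilds the secret with at most 256 guesses per byte; against the constant-time one every guess costs the same number of ticks and the attack gives up. On real hardware the signal sits under noise, so an attacker takes many measurements per guess and compares averages, which is why the fix is a constant-time comparison (hmac.compare_digest in Python) rather than hoping jitter hides the difference.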

Surrido

« Reply #2 on: September 26, 2007, 12:20:51 PM »

Never understood why we can't get the keyvault another way...

safety

« Reply #3 on: September 26, 2007, 01:27:36 PM »

Because there's no other way to boot the KK disc... no other way of running hb code, and also of getting out of wm.

gigabite

« Reply #4 on: September 26, 2007, 08:28:21 PM »

How about something down the kiosk disk "road"? Because if you revert back to BK 1888 the kiosk disk can still boot, since the xex isn't blacklisted in that kernel version (I think; correct me if I am wrong).
gigabite

.ISO - he's a wannabe ... feel part of "t3h sc33n" yet ? QQ coming 2009

safety

« Reply #5 on: September 27, 2007, 03:11:10 AM »

And... if you want to boot a disc, isn't an optical drive with a proper key needed? Come on... Then you can read the drive key from the drive itself.....

Shaun

« Reply #6 on: September 27, 2007, 05:54:47 AM »

Indeed, IF a 1888 kernel was vulnerable in some way, now would be a good time to find it as more people have possible access! At least then it removes the grey area of booting via a backup.

gigabite

« Reply #7 on: September 27, 2007, 06:21:18 AM »

Well... correct me if I am wrong again, but doesn't the kiosk disk... not need a key to boot?
gigabite

.ISO - he's a wannabe ... feel part of "t3h sc33n" yet ? QQ coming 2009

Surrido

« Reply #8 on: September 27, 2007, 06:44:55 AM »

As far as I know the hypervisor exploit is only in 4532 and 4548, NOT in 1888,
so even IF the kiosk disk would run without a DVD key, that won't help us because XeLL doesn't work.
However, we could modify 1888 and patch it with the 4532 kernel version. Would that be possible?
THEN maybe we could run the KK exploit without a DVD key (again, if the kiosk disk really doesn't require a DVD key AND there are shaders to be modified on the kiosk disk).

Surrido

« Reply #9 on: September 27, 2007, 09:10:27 AM »

Edit: I meant the "hypervisor version" of kernel 4532.

Shaun

« Reply #10 on: September 27, 2007, 10:58:19 AM »

Two possible trains of thought. 1. More people with access to 1888, therefore more people able to see if there are any holes in it. 2. More access to a bootable kiosk disc, so more chance of a flaw being found in that. 3. (combination of the above) 1888 kernel allowing the kiosk, with the HV of 4532 allowing the exploit = possible holy grail? Can dream.

gigabite

« Reply #11 on: September 27, 2007, 06:45:27 PM »

Yeah, I realized that the KK exploit only worked on 4532 and 4548, but like both of you sort of said, it might be possible to do something with the kiosk disk with the shaders or something (I remember this was sort of investigated a while ago and someone, I believe, said that there was something different about the shaders (or there being no shaders?) on the kiosk disk). Even then it would still be worth a try to get something good out of the kiosk disk, as Shaun said more people have access to 1888 and the kiosk disk now. Maybe robinsod, TMF, TS could comment??
gigabite

.ISO - he's a wannabe ... feel part of "t3h sc33n" yet ? QQ coming 2009

moshin111

« Reply #12 on: September 30, 2007, 03:38:35 AM »

Can't we extract the key directly from the NAND dump without the CPU key?

After Hardwork, Little Fools Becomes Genius Someday

Arakon

« Reply #13 on: September 30, 2007, 04:25:24 AM »

No. Without the CPU key, you can't extract ANY useful data from the NAND.

I do NOT give support by email, PM, ICQ or whatever. Anyone annoying me that way will have his balls removed. With a rusty butterknife. Slowly. And I'll enjoy doing it.

moshin111

« Reply #14 on: September 30, 2007, 08:07:00 PM »

Well, there should be a way to extract the CPU key directly from the dump, like cracking the dump, the way we crack the copy of the NAND dump and get the CPU key and then use it with the original dump.

After Hardwork, Little Fools Becomes Genius Someday
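
To make Arakon's point, and the limit of the "crack the dump" idea in the reply above, concrete: an added example written for this page, not code from the thread and not the real Xbox 360 keyvault format. It models a keyvault whose body is encrypted and authenticated under keys derived from the per-console CPU key, so that the blob sitting in NAND carries neither key in the clear. The blob layout (nonce, RC4-encrypted body, HMAC-SHA1 tag), the derivation K = HMAC-SHA1(cpu_key, nonce)[:16], the DVD key offset and every sample key are assumptions constructed for the example.

```python
"""Model of why a NAND dump alone does not yield the DVD key.

Added example, not code from the thread and not the real Xbox 360 keyvault
format. Assumed blob layout:
    nonce || RC4(K, body) || HMAC-SHA1(cpu_key, nonce || ciphertext)
with K = HMAC-SHA1(cpu_key, nonce)[:16]. The offset of the DVD key inside
the body and all sample keys are constructed for this example.
"""
import hashlib
import hmac

NONCE_LEN = 16
TAG_LEN = 20
KEY_LEN = 16
DVD_KEY_OFFSET = 0x20  # where the DVD key sits in the plaintext body (assumed layout)


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); a stream cipher is all the model needs."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def _body_key(cpu_key: bytes, nonce: bytes) -> bytes:
    # Per-blob cipher key, derived from the per-console CPU key and the nonce.
    return hmac.new(cpu_key, nonce, hashlib.sha1).digest()[:KEY_LEN]


def wrap_keyvault(cpu_key: bytes, nonce: bytes, body: bytes) -> bytes:
    """Encrypt-then-MAC the keyvault body under keys derived from cpu_key."""
    ct = rc4(_body_key(cpu_key, nonce), body)
    tag = hmac.new(cpu_key, nonce + ct, hashlib.sha1).digest()
    return nonce + ct + tag


def unwrap_keyvault(cpu_key: bytes, blob: bytes):
    """Return the plaintext body, or None if cpu_key does not authenticate the blob."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        return None
    nonce, ct, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(cpu_key, nonce + ct, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):  # constant-time compare
        return None
    return rc4(_body_key(cpu_key, nonce), ct)


def dvd_key_from_dump(blob: bytes, cpu_key: bytes):
    """What a tool does once it has the CPU key: unwrap, then read the DVD key field."""
    body = unwrap_keyvault(cpu_key, blob)
    if body is None:
        return None
    return body[DVD_KEY_OFFSET:DVD_KEY_OFFSET + KEY_LEN]


def sample_console():
    """Constructed per-console secrets and the keyvault blob as it would sit in NAND."""
    cpu_key = hashlib.sha1(b"constructed cpu key").digest()[:KEY_LEN]
    dvd_key = hashlib.sha1(b"constructed dvd key").digest()[:KEY_LEN]
    nonce = hashlib.sha1(b"constructed nonce").digest()[:NONCE_LEN]
    body = bytes(DVD_KEY_OFFSET) + dvd_key + bytes(0x40)  # zero filler around the DVD key
    return cpu_key, dvd_key, wrap_keyvault(cpu_key, nonce, body)


if __name__ == "__main__":
    cpu_key, dvd_key, blob = sample_console()
    print("with CPU key   :", dvd_key_from_dump(blob, cpu_key).hex())
    print("wrong CPU key  :", dvd_key_from_dump(blob, bytes(KEY_LEN)))
    print("DVD key in dump:", dvd_key in blob)
```

With the right CPU key the DVD key falls out; with any other key the tag fails and unwrap_keyvault returns None rather than garbage. Neither the DVD key nor the CPU key appears anywhere in the blob as it sits in NAND, which is the whole point: a flash dump is a nonce plus ciphertext plus a tag, and there is nothing in it to "crack" short of guessing a 128-bit key.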

tmbinc

« Reply #15 on: September 30, 2007, 09:24:02 PM »

Only way I can think of would be to find a different way to write into memory, one which doesn't require shaders. You could hook the PCIe bus, or try your luck on the GPU JTAG(?) connector, or maybe on one of the Southbridge debug connectors. Or find some way on the CPU JTAG, but this seems too crippled to be useful.
Then you wouldn't need to run KK, so you don't need a drive key. And the exploit would be "transparent", and wouldn't require booting a game.
Or again someone is smarter than all those people who already looked at it, and finds an exploit for 1888.

Please don't copy/quote full text outside this board. Instead, summarize and link to this post. Thanks! This lets me keep information updated and doesn't pull things out of context.

gigabite

« Reply #16 on: September 30, 2007, 11:26:34 PM »

Ok, so to summarize:
* The Kiosk Disk does not need a key to boot (reason being it's basically a DVD movie??? - someone)
* To get a DVD key from the board, you would need the CPU key (1BL etc. etc.) to downgrade to 1888, BUT to do this you will need your DVD key to run the KK exploit to get ^^^^^
* What we (everyone, hackers, whoever) need to do is either: find a way to use the Kiosk disk like the KK exploit (as it requires no DVD key) OR find an exploit in BK1888 (plausible).
Now to investigate??
gigabite

.ISO - he's a wannabe ... feel part of "t3h sc33n" yet ? QQ coming 2009

Surrido

« Reply #17 on: October 01, 2007, 03:27:08 AM »

Getting rid of the KK would help us a lot in legalizing launching Linux. This is still a grey zone, even if you own KK.
I know that many ways have been looked at so far.
My question was, can we somehow "MIX" the vulnerable hypervisor into the 1888 kernel???
If so, we could have at least the possibility to launch XeLL from something other than the KK game.
Is it possible to merge a kernel together and then master the hash for it to boot?
EDIT: if I remember right, the kiosk disk files had "all-media" xex files, so they would also run from the HDD... that could be nice ;-)

« Last Edit: October 01, 2007, 03:30:59 AM by Surrido »

prisoner_of_time

« Reply #18 on: October 10, 2007, 08:34:32 AM »

Quote from: Surrido on October 01, 2007, 03:27:08 AM
Getting rid of the KK would help us a lot in legalizing launching Linux. This is still a grey zone, even if you own KK.
I know that many ways have been looked at so far.
My question was, can we somehow "MIX" the vulnerable hypervisor into the 1888 kernel???
If so, we could have at least the possibility to launch XeLL from something other than the KK game.
Is it possible to merge a kernel together and then master the hash for it to boot?
EDIT: if I remember right, the kiosk disk files had "all-media" xex files, so they would also run from the HDD... that could be nice ;-)

Very good idea indeed. It resembles what DarkAlex did for the PSP firmware. He used parts of the 1.50 firmware (the one with the security hole) with parts from the latest Sony firmwares that add more features to the PSP. I believe (although I don't have the knowledge) that 1888 and 4552 can be merged into something that would be the key to fully unlock the X360.