Xbox 360 King Kong Shader Exploit

From ivc wiki
Jump to navigationJump to search

On 23th December 2006 at a the 23C3 Hacker Congress in Germany, an anonymous hacker presented a vulnerability in the Xbox 360 using the King Kong game and Macbook Pro connected via a serial-to-USB cable.

Later in February the exploit was revealed on SecurityFocus with full details. The release was delay to allow Microsoft to patch the problem.

The exploit utilizes a bug in the Hypervisor to allow unsigned code execution. A shader in the King Kong game was used to perform the exploit and load arbitrary code with full privileges and full hardware access, to e.g run Linux.

Patch Game

Game

The King Kong game has to be a origial release, not the newer Classic release. King Kong was one of the launch titles and should be quite easy to get hold of.

My edition:

  • Languages: Norwegian/Danish/Swedish/Finnish
  • Region: PAL
  • Barcode: 3 307210 206725
  • Made in Europe

Dump Image

To be able to patch the game, you have to dump the disc to an image file. The easiest way to do this is to get a regular Samsung SH-D162C DVD-ROM reader and flash it with a custom Kreon firmware. This enables the drive to see and read the content of Xbox 1 and Xbox 360 game discs.

Ripping the discs and be done using either Xbox Backup Creator or SchtromXtract. I prefer the former, but both work the same. Be sure to get the latest version.

In Xbox Backup Creator, make sure the Samsung drive is selected in the top dropdown menu. Select the 'Drive Tools'-tab and press 'Unlock Drive'. This unlocks the hidden partitions of the disc (the game partitions is hidden).

Xbox Backup Creator Unlock.PNG

Go back to the 'Read'-tab and select 'Complete Backup'. Ignore the text about not a true 1 to 1 copy, it only applies to Xbox 1 games. Press 'Start'.

Xbox Backup Creator Dump.PNG

When the process is complete, the .iso file should be exactly 7 572 881 408 bytes.

Patch Image

Get the King_Kong_Shader_Expliot_for_XELL.rar (mirror) file, it includes the shader patcher that will instruct the system to eject the game disc after the exploit has been executed. You can then insert a CD-R with XeLL (Xenon Linux Loader) to boot Linux from a LiveCD.

King King Shader Patcher Folder.PNG

The shader code is refered to as 'Fixed sector reader code' or 'readcd' (source code). This is how the shader code works, taken from the read me in gentoo-xenon-minimal-2006.1.tgz:

The code is a bit quick&dirty, but does the following:
- load constants
- open tray using SMC
- delay a bit
- issue READ(10)-command,
- on error: request sense, loop
- read ~128k starting at LBA 0x20 to 0x1310000
- jump there

Now back to the patching, open a Command-prompt and execute the win_patch.exe with the King Kong image as a argument.

King King Shader Patcher.PNG

Burn Image

Burn the image on a DVD+R DL disc using either ImgBurn or CloneCD. I prefer the former, it's open source and free.

Make sure your burner supports booktype setting to DVD-ROM for DVD+R DL discs before you start.

Imgburn Process.PNG

Note that you need a modified Xbox 360 DVD-drive to allow game backups to run.

Update Xbox Kernel

The Hypervisor exploit only works on Xbox Kernel version 4532 and 4548. If you have a kernel version lower than 4532 you can update to 4532 using the 2006-10 HD DVD update provided by Microsoft. On the other side, if you have a 4552 or later kernel version, you can not use this exploit. The exploit was fixed in 4552 and onwards.

Xbox 4532 Kernel.JPG

You can update to 4532 using the official Xbox 360 update released for the HD DVD drive. It's a zip file named HD_DVD_10-2006.zip and the files should be burned on a regular CD-R. The update is available publicly but make sure the md5sum is cd4db8e2c94266ab73513c361dd5b8f6, it might have been updated by Microsoft although the filename is the same.

HD DVD Update MD5.PNG

HD DVD Update Folder.PNG

After applying the update, eject the CD or you'll get an HD DVD Installation screen.

Updates available for download:

Burn LiveCD

The last thing you need is the the LiveCD, which includes the XeLL (Xeon Linux Loader), Linux kernel (vmlinux) and special edition of Gentoo built for the Xbox 360/Xenon. All of this is included in the Gentoo LiveCD.

The latest LiveCD is available on free60.org and sourceforge.net. Note that if you have a Toshiba-Samsung 360 drive you have to load the 0800 enable DVD before the LiveCD to use the 'minimal' and 'beta' releases, only the 'beta2' release has full support for this drive.

It's important when you burn the iso that you burn it as Disc-At-Once (as opposite to Track-At-Once), or else the sectors won't match and the shader exploits fails to load XeLL. It expects XeLL to be at 0x20, which usually is the first file on DAO disc.

Executing Exploit

King Kong Start Screen
Linux Kernel 2.6 Booting
Gentoo Loading

You should now have 2 or 3 discs ready if you followed the steps above, and optionally you need a USB keyboard and network once Gentoo Linux has booted.

  • Patched King Kong Game
  • HD DVD Update (optional)
  • Gentoo LiveCD
  • USB Keyboard (optional)
  • Network (optional)

Now you're ready to execute the exploit:

  1. Update the system to kernel 4532 or 4548
  2. Insert the patched King Kong disc, wait for it to load
  3. At the main screen, press the 'Start'-button as shown
  4. After 2-3 seconds, the screen will go quite dark with a picture frozen in the background (a white dot)
  5. The power-button should start to blink and the game disc will eject
  6. Now insert the Gentoo LiveCD
  7. After 15-30 seconds Tux will show up along with the Linux kernel boot sequence
  8. Congratulations, you are now running Linux!

Connect remotely via SSH to perform commands and transfer files via SCP.

Gentoo Desktop:

Gentoo Desktop.png

Dumping Security Bits

References