Xbox 360 King Kong Shader Exploit

From ivc wiki
Revision as of 00:11, 11 August 2007

In early January 2007, at the 23C3 Hacker Congress in Germany, an anonymous hacker presented a vulnerability in the Xbox 360 using the King Kong game and a Macbook Pro connected via a serial cable.

Later, in February, full details of the exploit were published on SecurityFocus. The release was delayed to allow Microsoft to patch the problem.

The exploit used a bug in the Hypervisor to achieve unsigned code execution. A shader in the King Kong game was used to trigger the exploit and load arbitrary code with full privileges and full hardware access.

Patch Game

Game

The King Kong game has to be an original release, not a Classic release. King Kong was one of the launch titles and should be quite easy to get hold of.

Dump Image

To be able to patch the game, you have to dump the disc to an image file. The easiest way to do this is to get a regular Samsung SH-D162C DVD-ROM reader and flash it with a custom Kreon firmware. This enables the drive to see and read the content of Xbox 1 and Xbox 360 game discs.

Ripping the disc can be done using either Xbox Backup Creator or SchtromXtract. I prefer the former, but both work the same. Be sure to get the latest version.

In Xbox Backup Creator, make sure the Samsung drive is selected in the top dropdown menu. Select the 'Drive Tools'-tab and press 'Unlock Drive'. This unlocks the hidden partitions of the disc (the game partition is hidden).

Go back to the 'Read'-tab and select 'Complete Backup'. Ignore the warning that this is not a true 1:1 copy; it only applies to Xbox 1 games. Press 'Start'.

When the process is complete, the .iso file should be exactly 7 572 881 408 bytes.

Patch Image

Get the King_Kong_Shader_Expliot_for_XELL.rar file, it includes the shader patcher that will instruct the system to eject the game disc after the exploit has been executed. You can then insert a CD-R with XeLL (Xenon Linux Loader) to boot Linux from a LiveCD.

The shader code is referred to as 'Fixed sector reader code' or 'readcd' (source code). This is how the shader code works, taken from the README in gentoo-xenon-minimal-2006.1.tgz:

The code is a bit quick&dirty, but does the following:
- load constants
- open tray using SMC
- delay a bit
- issue READ(10)-command,
- on error: request sense, loop
- read ~128k starting at LBA 0x20 to 0x1310000
- jump there

Now back to the patching: open a Command prompt and execute win_patch.exe with the King Kong image as an argument.

Burn Image

Burn the image on a DVD+R DL disc using either ImgBurn or CloneCD. I prefer the former; it's open source and free.

Make sure your burner supports booktype setting to DVD-ROM for DVD+R DL discs before you start.

Update Xbox Kernel

The Hypervisor exploit only works on Xbox Kernel versions 4532 and 4548. If you have a kernel version lower than 4532 you can update using the HD-DVD update provided by Microsoft. On the other hand, if you have a 4552 or later kernel version, you cannot use this exploit: it was fixed in 4552 and onwards.

You can update to 4532 using the official Xbox 360 update released for the HD-DVD drive. It's a zip file named HD_DVD_10-2006.zip and the files should be burned on a regular CD-R. The update is available publicly but make sure the md5sum is cd4db8e2c94266ab73513c361dd5b8f6, it might have been updated by Microsoft although the filename is the same.

After applying the update, eject the CD or you'll get an HD-DVD Installation screen.

Burn LiveCD

The last thing you need is the LiveCD, which includes XeLL (Xenon Linux Loader), the Linux kernel (vmlinux) and a special edition of Gentoo built for the Xbox 360/Xenon. All of this is included in the Gentoo LiveCD.

The latest LiveCD is available on free60.org (http://www.free60.org/wiki/LiveCD) and sourceforge.net (http://sourceforge.net/project/showfiles.php?group_id=139616&package_id=226828). Note that if you have a Toshiba-Samsung 360 drive you cannot use the 'minimal' and 'beta' releases; only the 'beta2' release has support for this drive.

It's important when you burn the iso that you burn it as Disc-At-Once (as opposed to Track-At-Once), or else the sectors won't match and the shader exploit fails to load XeLL. It expects XeLL at LBA 0x20, which usually is the first file on a DAO disc.
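As an added pre-burn check (example code written for this page, not part of the original wiki page or of the free60 tools): a small ISO9660 root-directory walker that reports which file's data comes first on the image and whether it starts at LBA 0x20, the sector the readcd shader described above reads XeLL from. It assumes XeLL is stored as a plain file in the root directory; the image it builds itself is a constructed stand-in, so run first_file_on_disc() on the bytes of the real LiveCD .iso to check your own image.

```python
import struct

SECTOR = 2048
XELL_LBA = 0x20  # readcd loads XeLL from this LBA, i.e. byte offset 0x20 * 2048 = 0x10000

def dir_record(lba, size, name, flags=0):
    # One ISO9660 directory record; LBA and size are stored both little- and big-endian.
    rec = bytearray(33 + len(name))
    rec[0] = len(rec) + (len(rec) & 1)  # records are padded to an even length
    rec[2:6], rec[6:10] = struct.pack("<I", lba), struct.pack(">I", lba)
    rec[10:14], rec[14:18] = struct.pack("<I", size), struct.pack(">I", size)
    rec[25], rec[32], rec[33:] = flags, len(name), name
    return bytes(rec).ljust(rec[0], b"\x00")

def build_test_iso(file_lba=XELL_LBA, file_name=b"XELL.BIN;1"):
    # Constructed minimal image (test input, not a real LiveCD): PVD at sector 16,
    # terminator at 17, root directory at 18, one 128 KiB file whose data starts at file_lba.
    root_lba, pvd = 18, bytearray(SECTOR)
    pvd[0:6] = b"\x01CD001"
    pvd[156:190] = dir_record(root_lba, SECTOR, b"\x00", flags=2)
    root = (dir_record(root_lba, SECTOR, b"\x00", 2) + dir_record(root_lba, SECTOR, b"\x01", 2)
            + dir_record(file_lba, 128 * 1024, file_name))
    img = bytearray(SECTOR * (file_lba + 64))
    img[16 * SECTOR:17 * SECTOR], img[17 * SECTOR:17 * SECTOR + 7] = pvd, b"\xffCD001\x01"
    img[root_lba * SECTOR:root_lba * SECTOR + len(root)] = root
    return bytes(img)

def root_files(img):
    # Yield (name, lba, size) for every plain file in the root directory.
    pvd = img[16 * SECTOR:17 * SECTOR]
    if pvd[0:6] != b"\x01CD001":
        raise ValueError("no ISO9660 primary volume descriptor at sector 16")
    root_lba, root_len = struct.unpack_from("<I", pvd, 158)[0], struct.unpack_from("<I", pvd, 166)[0]
    data, pos = img[root_lba * SECTOR:root_lba * SECTOR + root_len], 0
    while pos < len(data):
        rec_len = data[pos]
        if rec_len == 0:  # zero length byte: the rest of this sector is padding
            pos = (pos // SECTOR + 1) * SECTOR
            continue
        name = bytes(data[pos + 33:pos + 33 + data[pos + 32]])
        if not data[pos + 25] & 2 and name not in (b"\x00", b"\x01"):  # skip '.', '..', subdirs
            yield (name.decode("ascii", "replace"), struct.unpack_from("<I", data, pos + 2)[0],
                   struct.unpack_from("<I", data, pos + 10)[0])
        pos += rec_len

def first_file_on_disc(img):
    # (name, lba) of the earliest extent: the burned disc boots only if lba == XELL_LBA.
    files = list(root_files(img))
    return min(files, key=lambda f: f[1])[:2] if files else None
```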

Executing Exploit

You should now have 2 or 3 discs ready if you followed the steps above.

  • Patched King Kong
  • HD-DVD Update with 4532 kernel (optional)
  • Gentoo LiveCD

Now you're ready to execute the exploit:

  • Update the system to kernel 4532 or 4548
  • Insert the patched King Kong disc, wait for it to load
  • At the main screen, press the 'Start'-button
  • After 2-3 seconds, the screen should be quite dark but still show a picture (a white dot)
  • The power-button should start to blink and the game disc will eject
  • Now insert the LiveCD
  • After a few moments Tux will show up along with the Linux kernel boot sequence
  • Congratulations, you are now running Linux!

References