Difference between revisions of "Xbox 360 Kernel"

From ivc wiki
Jump to navigationJump to search
Line 37: Line 37:


=== 1BL ===
=== 1BL ===
The 1BL is the 'First Boot Loader' and is stored in the ROM inside the CPU. The loader is 32KB and the 1BL key is the same for all Xbox 360 machines.


=== CPU Key ===
=== CPU Key ===
Line 72: Line 73:
  fuseset 10: 0000000000000000
  fuseset 10: 0000000000000000
  fuseset 11: 0000000000000000
  fuseset 11: 0000000000000000
== References ==
* [http://www.assemblergames.com/forums/showthread.php?t=13783&page=3 Unsigned code on modded/hacked 360?]
* [http://www.xboxhacker.net/index.php?topic=7913 How To: Dumping 1BL & Fuse Data from Linux]
* [http://www.xboxhacker.net/index.php?topic=7691 360 Flash Dump Tool V0.1]

Revision as of 23:51, 8 August 2007

Boot-up

TheSpecialist, Xboxhacker.net:

Well from power-on:
1. 1BL (first bootloader, stored in ROM), this loads decrypts and starts:
2. CB (2BL, 2nd bootloader, stored in NAND), this this loads decrypts and starts:
3. CD. This loads, decrypts and decompresses CE, which contains the base kernel + base HV (Hypervisor).
   It also loads decrypts and then starts:
4. CF. This loads, decrypts and decompresses CG, which contains the patches for kernel and HV.
   It then applies the patches and starts up the patched HV and then the patched kernel. Then it boots dash.

So basically it's like: 1BL -> 2BL -> patch kernel and HV and start them -> boot dashboard.

Every step also checks signature for the next step of course.

View Content

To view the content of the dumped NAND flash download the latest version of 360 Flash Dump Tool and open the BIN file.

To decode all of the encrypted content you need the 1BL and CPU Key located in the fuses (there are 12 fusesets). These are found using the King Kong shader exploit and XeLL (Xeon Linux Loader) on vulnerable firmware version, e.g 4532 and 4548.

360 Flash Dump Tool.PNG

Fuses

There are 12 fusesets and they form the fundament for the Xbox 360 hypervisor security [1].

Fuseset #01 - 00: c0ffffffffffffff
Fuseset #02 - 01: 0f0f0f0f0f0f0ff0
Fuseset #03 - 02: 0f00000000000000
Fuseset #04 - 03: xxxxxxxxxxxxxxxx
Fuseset #05 - 04: xxxxxxxxxxxxxxxx
Fuseset #06 - 05: yyyyyyyyyyyyyyyy
Fuseset #07 - 06: yyyyyyyyyyyyyyyy
Fuseset #08 - 07: 0000000000000000
Fuseset #09 - 08: 0000000000000000
Fuseset #10 - 09: 0000000000000000
Fuseset #11 - 0a: 0000000000000000
Fuseset #12 - 0b: 0000000000000000

1BL

The 1BL is the 'First Boot Loader' and is stored in the ROM inside the CPU. The loader is 32KB and the 1BL key is the same for all Xbox 360 machines.

CPU Key

The CPU Key can be found by combining fusetset #03 + #05 (or #04 + #06). The final string should be 16 bytes long, e.g xxxxxxxxxxxxxxxxyyyyyyyyyyyyyyyy.

XeLL Output

Xe>!
XeLL - Xenon linux loader 0.1
* clearing BSS...
* Attempting to catch all CPUs...
CPUs online: 01..
CPUs online: 15..
* success.
trying to initialize network...
ok now the NIC
NETIF at 8000000001459478
NIC reset
reset: 01805508
1478 before: f2050000
1478: f2050000
init tx
init rx
starting httpd server..ok!
* CPU PVR: 00710200
* FUSES - write them down and keep them safe:
fuseset 00: c0ffffffffffffff
fuseset 01: 0f0f0f0f0f0f0ff0
fuseset 02: 0f00000000000000
fuseset 03: c2666e8fab3c299a
fuseset 04: c2666e8fab3c299a
fuseset 05: c49a457d64ba4b3d
fuseset 06: c49a457d64ba4b3d
fuseset 07: f000000000000000
fuseset 08: 0000000000000000
fuseset 09: 0000000000000000
fuseset 10: 0000000000000000
fuseset 11: 0000000000000000

References