Xbox 360 Kernel Downgrading

From ivc wiki
Revision as of 10:56, 14 October 2007 by Ivc (talk | contribs)
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)
Jump to navigationJump to search

Currently the only way to run unsigned code is to exploit a Hypervisor vulnerability in kernel/dashboard versions 4532 and 4548. You need to upgrade or downgrade to one of the the vulnerable kernels and patch the King Kong game to load the exploit.

Purpose

A good explanation by arnezami [1]:

[With the CPU key] can we not resign the essential parts of the HV, or anything else, with a modified bootloader?
All executable code on the xbox is (one way or another) signed by a RSA key. MS has the private RSA key and thats
why we will never be able to sign our own executable code. This is what prevents us from running anything different
than what MS has build (like the kernel and bootloaders). This has nothing to do with the cpu key. The only thing we
can do with the cpu key is choose which version of the kernel/bootloader we want to run. But we cannot make changes
to any of these versions themselves. 

Then why downgrade?
Because two kernel versions MS build (4532,4548) have a tiny flaw. And when we have our cpu key we can choose to
run these (old) kernels and exploit them by running a patched KK game. After running the exploit we have complete
control over the xbox (but not before that). This means to be able to run homebrew or linux we now have to start the
game, press ok, insert a disc etc. More

Upgrade Kernel

If you have kernel version 188, 2241, 2255, 2258, or 2858 you can upgrade to 4532 using the HD_DVD-2006-10.zip which is publicly availble. Just burn a CD-R with the content of the zip-file and insert the disc into the Xbox 360.

Downgrade Kernel

Xbox Live or games released after January 2007 will require you to update to kernel version 4552, 5759, or 5766 [2].

In August 2007 a new timing attack was found and makes it possible to downgrade to kernel and then find the CPU Key.

The CPU Key is used to sign the Key Vault and by increasing the Lockdown Counter in the CF section to something higher than the number of blown fuses in fuseset 7, it's possible to boot in kernel 1888 and bypass the blown fuse lock [3]. Once you have 1888 running you will be able to upgrade to one of the vulnerable kernels, as mentioned above.