Difference between revisions of "Xbox 360 Kernel"
From ivc wiki
Jump to navigationJump to search
| Line 4: | Line 4: | ||
1. 1BL (first bootloader, stored in ROM), this loads decrypts and starts: | 1. 1BL (first bootloader, stored in ROM), this loads decrypts and starts: | ||
2. CB (2BL, 2nd bootloader, stored in NAND), this this loads decrypts and starts: | 2. CB (2BL, 2nd bootloader, stored in NAND), this this loads decrypts and starts: | ||
3. CD. This loads, decrypts and decompresses CE, which contains the base kernel + base HV (Hypervisor). It also loads decrypts and then starts: | 3. CD. This loads, decrypts and decompresses CE, which contains the base kernel + base HV (Hypervisor). | ||
4. CF. This loads, decrypts and decompresses CG, which contains the patches for kernel and HV. It then applies the patches and starts up the patched HV and then the patched kernel. Then it boots dash. | It also loads decrypts and then starts: | ||
4. CF. This loads, decrypts and decompresses CG, which contains the patches for kernel and HV. | |||
It then applies the patches and starts up the patched HV and then the patched kernel. Then it boots dash. | |||
So basically it's like: 1BL -> 2 BL -> patch kernel and HV and start them -> boot dashboard. Every step also checks signature for the next step of course. | So basically it's like: 1BL -> 2 BL -> patch kernel and HV and start them -> boot dashboard. | ||
Every step also checks signature for the next step of course. | |||
== View Content == | == View Content == | ||
Revision as of 00:24, 9 August 2007
Boot-up
TheSpecialist, Xboxhacker.net:
Well from power-on:
1. 1BL (first bootloader, stored in ROM), this loads decrypts and starts:
2. CB (2BL, 2nd bootloader, stored in NAND), this this loads decrypts and starts:
3. CD. This loads, decrypts and decompresses CE, which contains the base kernel + base HV (Hypervisor).
It also loads decrypts and then starts:
4. CF. This loads, decrypts and decompresses CG, which contains the patches for kernel and HV.
It then applies the patches and starts up the patched HV and then the patched kernel. Then it boots dash.
So basically it's like: 1BL -> 2 BL -> patch kernel and HV and start them -> boot dashboard.
Every step also checks signature for the next step of course.
View Content
To view the content of the dumped NAND flash download the latest version of 360 Flash Dump Tool and open the BIN file.
To decode all of the encrypted content you need the 1BL and CPU Key located in the fuses (there are 12 fusesets). These are found using the King Kong shader exploit and XeLL (Xeon Linux Loader) on vulnerable firmware version, e.g 4532 and 4548.
Fuses
There are 12 fusesets and they form the fundament for the Xbox 360 hypervisor security.
Fuseset #01 - 00: c0ffffffffffffff Fuseset #02 - 01: 0f0f0f0f0f0f0ff0 Fuseset #03 - 02: 0f00000000000000 Fuseset #04 - 03: xxxxxxxxxxxxxxxx Fuseset #05 - 04: xxxxxxxxxxxxxxxx Fuseset #06 - 05: yyyyyyyyyyyyyyyy Fuseset #07 - 06: yyyyyyyyyyyyyyyy Fuseset #08 - 07: 0000000000000000 Fuseset #09 - 08: 0000000000000000 Fuseset #10 - 09: 0000000000000000 Fuseset #11 - 0a: 0000000000000000 Fuseset #12 - 0b: 0000000000000000
1BL
CPU Key
The CPU Key can be found by combining fusetset #03 and fuseset #05 (or #04 and #06). The final string should be 16 bytes long, e.g xxxxxxxxxxxxxxxxyyyyyyyyyyyyyyyy.
