Timing Attack Used to Downgrade Xbox 360 Kernel

**Carson** · 09-16-2007, 10:27 AM

Robinsod, in cooperation with Team Infectus and others from the Xboxhacker forums have a "proof of concept" in regards to downgrading an Xbox 360 kernel. Some modding enthusiasts will remember that on January 9th, 2007 an unexpected Xbox Live Dashboard update was released. Xbox Live director, Major Nelson had this to say about the update:

Quote:

Quote:

Earlier today the team pushed out a dashboard update over Xbox Live. There is nothing major in this one, it just addresses a few performance and stability issues.

In truth, it turned out that this update, which is Kernel and Dashboard version 4552, fixed what we call the "hypervisor exploit." This exploit allowed modders to create a modified King Kong game disc, and booting this would let the modder run the machine in hypervisor mode, allowing unsigned code. In layman's terms that means that with the Xbox 360 kernel version 4532 (Fall 2006) and kernel version 4548, the system was capable of running Linux or other unsigned code. An additional bonus was that the 4552 update prevented downgrading the Xbox 360 kernel. Before this update, it was possible to change kernel versions freely.

Since this time, a lot of research and work has been into finding a way to downgrade an Xbox 360 kernel. The next step they found was that if you have your console-specific, individual CPU key, you could downgrade the kernel. Meaning, that if somebody had taken the time to run Linux when they had kernel version 4532, and use Linux to get their CPU key, they could upgrade to version 4552 or newer, and still be able to downgrade at a later time. This was a huge breakthrough, because it was like a shimmer of hope. Before this, it was thought that if you didn't take precautions before the 4552 update, there was never a chance of downgrading. Now, if a person could somehow find their CPU key, they could downgrade their Xbox 360. The problem shifted from finding a way to downgrade, to finding the CPU key.

Fast forward to about a month ago. A theory was posted by Xboxhacker member arnezami. Instead of trying to find the CPU key, why not find the hash instead? The theory was that, in order for a hash to work, it has to check the kernel against a stored hash, and it does this on a byte-by-byte basis. They needed to find two hashes, one for the CB section and one for the CF section, both hashes are 16 bytes long. Essentially, one would go through every possible value for a single byte, recording the time it takes for the Xbox 360 to fail. When the first byte fails, the Xbox 360 fails right then. When the first byte is correct, the Xbox 360 then proceeds to check the second byte. This small difference in time must be large enough to be able to clearly identify. Using an Infectus modchip, Robinsod went through every possible value for the first byte, recording the time. One attempt was longer than all the others. He had found the first byte. This was repeated until every byte from both hashes was found. And, in the end, over a span of three nights, Robinsod had succeeded in downgrading an Xbox 360 without knowing the CPU key.

This was purely a proof of concept at this point. Much more work needs to be done - like limiting the hardware needed to replicate this, fixing some minor bugs, and trying to automate the process. At this time, it is a very long and difficult process. Here's hoping that it will get faster, easier, and cheaper. Right now it looks like folks interested might want to purchase an Infectus modchip.

This process would downgrade the kernel to version 1888, the original version when you first powered on the system. This can then be upgraded to kernel 4532. Then you can run Linux to find your CPU key and fuseset values. You can also use an xD memory card and installed reader to boot a different kernel just by inserting the xD memory card you want. Imagine a card for kernel 4532 to use Linux and run homebrew, a card with the latest kernel to use on Xbox Live, and even cards for different regions (you could switch between NTSC and PAL).

Hopefully this will push homebrew development for the Xbox 360, which right now is nonexistant. The only homebrew making use of the hypervisor exploit right now, is Free60 Linux. With everybody having the ability to downgrade their kernel and use the hypervisor exploit, it would be nice to be able to run programs like Xbox Media Center, classic system emulators, and alternate dashboards.

For all of you people who just care about playing backups and using modified firmware, this has nothing to do with you at all. But I promise the next news update will be DVD firmware related.

TuBbY BuNnY · 09-16-2007, 10:32 AM

I actually understood that....that would be cool if they start pushing out alot of different Homebrew's for it....plus it is about time they did because the 360 has been out for a long time and many different teams are not giving up on the Kernel theory

**Carson** · 09-16-2007, 10:38 AM

Free60Wiki - Free60 Wiki

**ToXiC** · 09-16-2007, 10:51 AM

OMG FINALLY, they did it for Xbox original with the custom settings, now it is the Xbox 360's turn. YES

**Carson** · 09-16-2007, 10:52 AM

Not quite yet...at all.

**SiK GambleR** · 09-16-2007, 02:25 PM

We are one step closer though. And when we can run homebrews.. Well that'll just be kick ***.

***UnknowingAcorn*** · 09-16-2007, 02:31 PM

=]

yay im a nub and bearly understood that but hurayy anyway.

09-16-2007, 02:33 PM

OMG. Im sporting because of this.

***UnknowingAcorn*** · 09-16-2007, 02:37 PM

OMG forrest i only hav elike 50 more posts then you o.0 zomg must spam!

**Venomous Fire** · 09-16-2007, 05:12 PM

Oh this is great news indeed, my 120gig Harddrive would DEFINATELY come in handy with emulators on mah 360

Erdman · 09-18-2007, 11:31 PM

i would really be thrilled if that made sense to me

velvetmidget · 09-25-2007, 01:02 AM

This is a cool post. I would like to try this out for fun. Then when I render my box unusable like so many other devices I will try to remember why I didn't learn my lesson last time. I am serious I want to try it just for kicks.

laxdevil91 · 12-21-2008, 05:32 PM

with this. would it be possible to connect a sata cord from your computer to the xbox and then just download games off the internet. using an emulator then playing ?

~~Beezy 4 sheezy~~ · 12-21-2008, 06:43 PM

wow, thanks for bumping a post form a year ago.

**Carson** · 12-22-2008, 12:14 AM

And to your question:

Hell no.

09-16-2007, 10:27 AM	#1
Carson Moderator	Timing Attack Used to Downgrade Xbox 360 Kernel Robinsod, in cooperation with Team Infectus and others from the Xboxhacker forums have a "proof of concept" in regards to downgrading an Xbox 360 kernel. Some modding enthusiasts will remember that on January 9th, 2007 an unexpected Xbox Live Dashboard update was released. Xbox Live director, Major Nelson had this to say about the update: Quote: Quote: Earlier today the team pushed out a dashboard update over Xbox Live. There is nothing major in this one, it just addresses a few performance and stability issues. In truth, it turned out that this update, which is Kernel and Dashboard version 4552, fixed what we call the "hypervisor exploit." This exploit allowed modders to create a modified King Kong game disc, and booting this would let the modder run the machine in hypervisor mode, allowing unsigned code. In layman's terms that means that with the Xbox 360 kernel version 4532 (Fall 2006) and kernel version 4548, the system was capable of running Linux or other unsigned code. An additional bonus was that the 4552 update prevented downgrading the Xbox 360 kernel. Before this update, it was possible to change kernel versions freely. Since this time, a lot of research and work has been into finding a way to downgrade an Xbox 360 kernel. The next step they found was that if you have your console-specific, individual CPU key, you could downgrade the kernel. Meaning, that if somebody had taken the time to run Linux when they had kernel version 4532, and use Linux to get their CPU key, they could upgrade to version 4552 or newer, and still be able to downgrade at a later time. This was a huge breakthrough, because it was like a shimmer of hope. Before this, it was thought that if you didn't take precautions before the 4552 update, there was never a chance of downgrading. Now, if a person could somehow find their CPU key, they could downgrade their Xbox 360. The problem shifted from finding a way to downgrade, to finding the CPU key. Fast forward to about a month ago. A theory was posted by Xboxhacker member arnezami. Instead of trying to find the CPU key, why not find the hash instead? The theory was that, in order for a hash to work, it has to check the kernel against a stored hash, and it does this on a byte-by-byte basis. They needed to find two hashes, one for the CB section and one for the CF section, both hashes are 16 bytes long. Essentially, one would go through every possible value for a single byte, recording the time it takes for the Xbox 360 to fail. When the first byte fails, the Xbox 360 fails right then. When the first byte is correct, the Xbox 360 then proceeds to check the second byte. This small difference in time must be large enough to be able to clearly identify. Using an Infectus modchip, Robinsod went through every possible value for the first byte, recording the time. One attempt was longer than all the others. He had found the first byte. This was repeated until every byte from both hashes was found. And, in the end, over a span of three nights, Robinsod had succeeded in downgrading an Xbox 360 without knowing the CPU key. This was purely a proof of concept at this point. Much more work needs to be done - like limiting the hardware needed to replicate this, fixing some minor bugs, and trying to automate the process. At this time, it is a very long and difficult process. Here's hoping that it will get faster, easier, and cheaper. Right now it looks like folks interested might want to purchase an Infectus modchip. This process would downgrade the kernel to version 1888, the original version when you first powered on the system. This can then be upgraded to kernel 4532. Then you can run Linux to find your CPU key and fuseset values. You can also use an xD memory card and installed reader to boot a different kernel just by inserting the xD memory card you want. Imagine a card for kernel 4532 to use Linux and run homebrew, a card with the latest kernel to use on Xbox Live, and even cards for different regions (you could switch between NTSC and PAL). Hopefully this will push homebrew development for the Xbox 360, which right now is nonexistant. The only homebrew making use of the hypervisor exploit right now, is Free60 Linux. With everybody having the ability to downgrade their kernel and use the hypervisor exploit, it would be nice to be able to run programs like Xbox Media Center, classic system emulators, and alternate dashboards. For all of you people who just care about playing backups and using modified firmware, this has nothing to do with you at all. But I promise the next news update will be DVD firmware related. __________________

09-16-2007, 02:25 PM	#6
SiK GambleR I swear I'm not mod.	We are one step closer though. And when we can run homebrews.. Well that'll just be kick ***. __________________ I delete meme's, they are blatant spam. Oh, and I infract for cool story bro.

12-21-2008, 05:32 PM	#13
laxdevil91 7S Enthusiast	Re: Timing Attack Used to Downgrade Xbox 360 Kernel with this. would it be possible to connect a sata cord from your computer to the xbox and then just download games off the internet. using an emulator then playing ?

12-21-2008, 06:43 PM	#14
~~Beezy 4 sheezy~~ BANNED	Re: Timing Attack Used to Downgrade Xbox 360 Kernel wow, thanks for bumping a post form a year ago.

12-22-2008, 12:14 AM	#15
Carson Moderator	Re: Timing Attack Used to Downgrade Xbox 360 Kernel And to your question: Hell no.

		Se7enSins Forums > Xbox 360 Gaming > Xbox 360 Discussion
Timing Attack Used to Downgrade Xbox 360 Kernel

09-16-2007, 10:32 AM	#2
TuBbY BuNnY IT'S A DICK	I actually understood that....that would be cool if they start pushing out alot of different Homebrew's for it....plus it is about time they did because the 360 has been out for a long time and many different teams are not giving up on the Kernel theory

09-16-2007, 10:38 AM	#3
Carson Moderator	Free60Wiki - Free60 Wiki

09-16-2007, 10:51 AM	#4
ToXiC Premium Member	OMG FINALLY, they did it for Xbox original with the custom settings, now it is the Xbox 360's turn. YES

09-16-2007, 10:52 AM	#5
Carson Moderator	Not quite yet...at all.

09-16-2007, 02:31 PM	#7
*UnknowingAcorn* S7 Legend	=] yay im a nub and bearly understood that but hurayy anyway.

09-16-2007, 02:33 PM	#8
ForrrestMaster Guest	OMG. Im sporting because of this.

09-16-2007, 02:37 PM	#9
*UnknowingAcorn* S7 Legend	OMG forrest i only hav elike 50 more posts then you o.0 zomg must spam!

09-16-2007, 05:12 PM	#10
Venomous Fire Novice	Oh this is great news indeed, my 120gig Harddrive would DEFINATELY come in handy with emulators on mah 360

09-18-2007, 11:31 PM	#11
Erdman 7S Enthusiast	i would really be thrilled if that made sense to me

09-25-2007, 01:02 AM	#12
velvetmidget Novice	This is a cool post. I would like to try this out for fun. Then when I render my box unusable like so many other devices I will try to remember why I didn't learn my lesson last time. I am serious I want to try it just for kicks.

Thread Tools
Show Printable Version Email this Page
Display Modes
Linear Mode Switch to Hybrid Mode Switch to Threaded Mode