A9VG电玩部落论坛

 找回密码
 注册
搜索
查看: 19146|回复: 52

关于全民自制简单不头疼,一看就懂,自制原理/焊接方法/软件下载

[复制链接]

精华
0
帖子
1504
威望
0 点
积分
1469 点
种子
0 点
注册时间
2010-1-8
最后登录
2014-5-29
 楼主| 发表于 2011-8-29 09:17  ·  湖北 | 显示全部楼层 |阅读模式
本帖最后由 xyz888 于 2011-8-30 16:13 编辑

源头:http://free60.org/Reset_Glitch_Hack
===========================================================================



原理:
===========================================================================
无论系统核心版本,主机型号,理论上全可以行的通,但需要自己去探索脉冲频率。微软通过软件暂时无法修复
漏洞通过给cpu发送低速率重启脉冲,来欺骗bootloader哈希检测,加载自制的bootloader从而运行未经签名的程序
每次发射重启脉冲有25%的几率成功,每次耗时约五秒,如失败会自动重试,大多数情况下启动用时在一分钟内。
但相信通过脉冲装置的完善和bootloader的改进,还会有提升的空间。
现阶段已经可运行模拟器和ubuntu,离真正的自制可能不太遥远了。




需要悍接到主板上的器件:
===========================================================================




破解所需软件包下载:
http://u.115.com/file/clq0rmvk



现阶段实现应用:
===========================================================================
能启动XELL读取CPUKEY和DVDKEY和一些未签证的模拟自制程序,暂无对应启动固件,现阶段想刷自制的朋友还要多多等待一些时日,期待更多的完善和进步 对于以前丢失DVDKEY的玩家是个好消息


其实自制也就那么回事,别太认真:===========================================================================
其实真正玩自制的人是少数了,大多数人对自制无兴趣的,也就是放个碟子进去而以,也就是范范的玩下子!不是每个玩家都是硬件级的核心玩家,非要免光盘非要超多游戏XBLA和DLC,其实哪来那多时间玩游戏呀(要看大片吧,要上网吧,要吃饭吧,要工作吧,有的还要带孩子吧),真正意义上的可能就是一种满足感而以:“我不花钱不用光盘啥都可以玩!”  大部分时间这样的人可能是在不停的下载和拷贝游戏,而真正玩游戏的时间可能少得可怜,是一种“心理满足”!  持续性的拥有并没带来任何的游戏乐趣!! 不过话又说回来,本身破解过程就是种乐趣,会非常有成就感!对于游戏核心玩家来说,能体验到更多游戏的精华所在!,不过是人都是不一样的,有些观念不要强加,各取所长!,寻找自己合适的需要

现在要的是简单娱乐,当你苦心拥有一台自制机之后,你仍然会发现,原来也就这么回事儿! 省钱不省心



===========================================================================
我只从中摘录出来的,至于是谁提供的此消息,我确实不太在乎,有得罪的海量罗,别追求那种虚无的名利!
所有辛苦和版权归应有的人,和本人无关

本帖子中包含更多资源

您需要 登录 才可以下载或查看,没有帐号?注册

x

精华
0
帖子
1504
威望
0 点
积分
1469 点
种子
0 点
注册时间
2010-1-8
最后登录
2014-5-29
 楼主| 发表于 2011-8-29 09:18  ·  湖北 | 显示全部楼层
**********************************
* The Xbox 360 reset glitch hack *
**********************************

Introduction / some important facts
===================================

tmbinc said it himself, software based approaches of running unsigned code on the 360 mostly don't work, it was designed to be secure from a software point of view.

The processor starts running code from ROM (1bl) , which then starts loading a RSA signed and RC4 crypted piece of code from NAND ( CB ).

CB then initialises the processor security engine, its task will be to do real time encryption and hash check of physical DRAM memory. From what we found, it's using AES128 for crypto and strong (Toeplitz ?) hashing. The crypto is different each boot because it is seeded at least from:
- A hash of the entire fuseset.
- The timebase counter value.
- A truly random value that comes from the hardware random number generator the processor embeds. on fats, that RNG could be electronically deactivated, but there's a check for "apparent randomness" (merely a count of 1 bits) in CB, it just waits for a seemingly proper random number.

CB can then run some kind of simple bytecode based software engine whose task will mainly be to initialise DRAM, CB can then load the next bootloader (CD) from NAND into it, and run it.

Basically, CD will load a base kernel from NAND, patch it and run it.

That kernel contains a small privileged piece of code (hypervisor), when the console runs, this is the only code that would have enough rights to run unsigned code.
In kernel versions 4532/4548, a critical flaw in it appeared, and all known 360 hacks needed to run one of those kernels and exploit that flaw to run unsigned code.
On current 360s, CD contains a hash of those 2 kernels and will stop the boot process if you try to load them.
The hypervisor is a relatively small piece of code to check for flaws and apparently no newer ones has any flaws that could allow running unsigned code.

On the other hand, tmbinc said the 360 wasn't designed to withstand certain hardware attacks such as the timing attack and "glitching".

Glitching here is basically the process of triggering processor bugs by electronical means.

This is the way we used to be able to run unsigned code.

The reset glitch in a few words
===============================

We found that by sending a tiny reset pulse to the processor while it is slowed down does not reset it but instead changes the way the code runs, it seems it's very efficient at making bootloaders memcmp functions always return "no differences". memcmp is often used to check the next bootloader SHA hash against a stored one, allowing it to run if they are the same. So we can put a bootloader that would fail hash check in NAND, glitch the previous one and that bootloader will run, allowing almost any code to run.

Details for the fat hack
========================

On fats, the bootloader we glitch is CB, so we can run the CD we want.

cjak found that by asserting the CPU_PLL_BYPASS signal, the CPU clock is slowed down a lot, there's a test point on the motherboard that's a fraction of CPU speed, it's 200Mhz when the dash runs, 66.6Mhz when the console boots, and 520Khz when that signal is asserted.

So it goes like that:
- We assert CPU_PLL_BYPASS around POST code 36 (hex).
- We wait for POST 39 start (POST 39 is the memcmp between stored hash and image hash), and start a counter.
- When that counter has reached a precise value (it's often around 62% of entire POST 39 length), we send a 100ns pulse on CPU_RESET.
- We wait some time and then we deassert CPU_PLL_BYPASS.
- The cpu speed goes back to normal, and with a bit of luck, instead of getting POST error AD, the boot process continues and CB runs our custom CD.

The NAND contains a zero-paired CB, our payload in a custom CD, and a modified SMC image.
A glitch being unreliable by nature, we use a modified SMC image that reboots infinitely (ie stock images reboot 5 times and then go RROD) until the console has booted properly.
In most cases, the glitch succeeds in less than 30 seconds from power on that way.

Details for the slim hack
=========================

The bootloader we glitch is CB_A, so we can run the CB_B we want.

On slims, we weren't able to find a motherboard track for CPU_PLL_BYPASS.
Our first idea was to remove the 27Mhz master 360 crystal and generate our own clock instead but it was a diffi*** modification and it didn't yield good results.
We then looked for other ways to slow the CPU clock down and found that the HANA chip had configurable PLL registers for the 100Mhz clock that feeds CPU and GPU differential pairs.
Apparently those registers are written by the SMC through an I2C bus.
I2C bus can be freely accessed, it's even available on a header (J2C3).
So the HANA chip will now become our weapon of choice to slow the CPU down (sorry tmbinc, you can't always be right, it isn't boring and it does sit on an interesting bus

So it goes like that:
- We send an i2c command to the HANA to slow down the CPU at POST code D8 .
- We wait for POST DA start (POST DA is the memcmp between stored hash and image hash), and start a counter.
- When that counter has reached a precise value, we send a 20ns pulse on CPU_RESET.
- We wait some time and then we send an i2c command to the HANA to restore regular CPU clock.
- The cpu speed goes back to normal, and with a bit of luck, instead of getting POST error F2, the boot process continues and CB_A runs our custom CB_B.

When CB_B starts, DRAM isn't initialised so we chose to only apply a few patches to it so that it can run any CD, the patches are:
- Always activate zero-paired mode, so that we can use a modified SMC image.
- Don't decrypt CD, instead expect a plaintext CD in NAND.
- Don't stop the boot process if CD hash isn't good.

CB_B is RC4 crypted, the key comes from the CPU key, so how do we patch CB_B without knowing the CPU key?
RC4 is basically:
crypted = plaintext xor pseudo-random-keystream
So if we know plaintext and crypted, we can get the keystream, and with the keystream, we can encrypt our own code. It goes like that:
guessed-pseudo-random-keystream = crypted xor plaintext
new-crypted = guessed-pseudo-random-keystream xor plaintext-patch
You could think there's a chicken and egg problem, how did we get plaintext in the first place?
Easy: we had plaintext CBs from fat consoles, and we thought the first few bytes of code would be the same as the new CB_B, so we could encrypt a tiny piece of code to dump the CPU key and decrypt CB_B!

The NAND contains CB_A, a patched CB_B, our payload in a custom plaintext CD, and a modified SMC image.
The SMC image is modified to have infinite reboot, and to prevent it from periodically sending I2C commands while we send ours.

Now, maybe you haven't realised yet, but CB_A contains no checks on revocation fuses, so it's an unpatchable hack !

Caveats
=======

Nothing is ever perfect, so there are a few caveats to that hack:
- Even in the glitch we found is pretty reliable (25% success rate per try on average), it can take up to a few minutes to boot to unsigned code.
- That success rate seems to depend on something like the hash of the modified bootloader we want to run (CD for fats and CB_B for slims).
- It requires precise and fast hardware to be able to send the reset pulse.

Our current implementation
==========================

We used a Xilinx CoolRunner II CPLD (xc2c64a) board, because it's fast, precise, updatable, cheap and can work with 2 different voltage levels at the same time.
We use the 48Mhz standby clock from the 360 for the glitch counter. For the slim hack, the counter even runs at 96Mhz (incremented on rising and falling edges of clock)
The cpld code is written in VHDL.
We need it to be aware of the current POST code, our first implementations used the whole 8 bits POST port for this, but we are now able to detect the changes of only 1 POST bit, making wiring easier.

Conclusion
==========

We tried not to include any MS copyrighted code in the released hack tools.
The purpose of this hack is to run Xell and other free software, I (GliGli) did NOT do it to promote piracy or anything related, I just want to be able to do whatever I want with the hardware I bought, including running my own native code on it.

Credits
=======

GliGli, Tiros: Reverse engineering and hack development.
cOz: Reverse engineering, beta testing.
Razkar, tuxuser: beta testing.
cjak, Redline99, SeventhSon, tmbinc, anyone I forgot... : Prior reverse engineering and/or hacking work on the 360.

精华
0
帖子
3350
威望
0 点
积分
3794 点
种子
433 点
注册时间
2006-2-11
最后登录
2024-9-12
发表于 2011-8-29 09:18  ·  广东 | 显示全部楼层
本帖最后由 bghf 于 2011-8-29 09:19 编辑

楼上,做人要厚道!!!
https://bbs.a9vg.com/thread-1594267-1455-1.html

精华
0
帖子
446
威望
0 点
积分
558 点
种子
700 点
注册时间
2010-5-9
最后登录
2024-11-14
发表于 2011-8-29 09:19  ·  重庆 | 显示全部楼层
要是真的就太好了,关键是什么时候能实现
该用户已被禁言

精华
0
帖子
288
威望
0 点
积分
316 点
种子
7 点
注册时间
2007-2-6
最后登录
2019-11-25
发表于 2011-8-29 09:20  ·  江苏 | 显示全部楼层
Even in the glitch we found is pretty reliable (25% success rate per try on average), 、
貌似只有25%的可以啊

精华
0
帖子
1504
威望
0 点
积分
1469 点
种子
0 点
注册时间
2010-1-8
最后登录
2014-5-29
 楼主| 发表于 2011-8-29 09:29  ·  湖北 | 显示全部楼层
bghf 发表于 2011-8-29 09:18
楼上,做人要厚道!!!
https://bbs.a9vg.com/thread-1594267-1455-1.html

你就是,告诉大家,是你发的对吧,哦,对不起,我没看到!

这消息是bfhf发的,大家记住了bfhf bfhf bfhf bfhf bfhf

精华
0
帖子
1395
威望
0 点
积分
1838 点
种子
5 点
注册时间
2010-5-8
最后登录
2023-5-10
发表于 2011-8-29 09:44  ·  辽宁 | 显示全部楼层
这个应该是可行的,大体上解释一下,就是说要先弄来一个芯片,刷入jtag程序,焊到板子上(类似jtag线)但是这个焊点出奇的小啊... 之后就用它自带的一个固件生成器,制作xell刷入
刷好了可以用原始nand制作freeboot(目前有还没有对应slim的freeboot吧……)之后通过xell刷进去即可启动,但是据说每次启动要两分钟。

精华
0
帖子
3350
威望
0 点
积分
3794 点
种子
433 点
注册时间
2006-2-11
最后登录
2024-9-12
发表于 2011-8-29 09:51  ·  广东 | 显示全部楼层
本帖最后由 bghf 于 2011-8-29 09:52 编辑
タイムマシン 发表于 2011-8-29 09:44
这个应该是可行的,大体上解释一下,就是说要先弄来一个芯片,刷入jtag程序,焊到板子上(类似jtag线)但是这个 ...


面条,看那个视频,开机是有点久,启动的是XELL,然后引导了一个N64模拟器,然后玩了某游戏……
现在还不清楚如何引导自制的NAND,或者映射到硬盘上?

精华
0
帖子
121
威望
0 点
积分
124 点
种子
5 点
注册时间
2006-2-2
最后登录
2019-1-1
发表于 2011-8-29 09:52  ·  北京 | 显示全部楼层
本帖最后由 songy171 于 2011-8-29 09:52 编辑

目前应该还是只能运行xex的自制软件 自制固件还无法刷写 因为还没有出对应slim版的freeboot
不过我想这也只是时间的问题了 出现这种破解方法的后果就是 像欧版美版等超便宜的促销机型也会涌入咱国内吧 毕竟刷了自制后就全区了 全球360一个样

精华
0
帖子
215
威望
0 点
积分
252 点
种子
65 点
注册时间
2010-11-24
最后登录
2024-11-14
发表于 2011-8-29 09:54  ·  江苏 | 显示全部楼层
js还是不会降价的!
您需要登录后才可以回帖 登录 | 注册

本版积分规则

Archiver|手机版|A9VG电玩部落 川公网安备 51019002005286号

GMT+8, 2024-11-14 21:11 , Processed in 0.206276 second(s), 16 queries , Redis On.

Powered by Discuz! X3.4

Copyright © 2001-2020, Tencent Cloud.

返回顶部