Jump to content


Using "random" Flash Memory To Run Unsigned Code.

  • Please log in to reply
No replies to this topic

#1 arnezami


    X-S Enthusiast

  • Members
  • 20 posts

Posted 10 July 2006 - 02:29 PM

I've got this idea. Maybe its nothing maybe it is. But in any case its a long shot wink.gif.

Its about running homebrew code. Or at least the first step to that goal.

I'm going to do lot of assumptions. But please bear with me.

From what I understand (but the real hackers will know this much better im sure) is that there is some kind of ROM inside the CPU (or some e-fuse memory) and there is some flash memory somewhere outside the CPU. Let me assume the amount of ROM inside the CPU is really tiny and contains only a basic decryption algo to decrypt the flash (which in turn contains the public 2048-bit key for xex's and the basic software the 360 runs on/boots with). First the CPU starts with accessing the flash, then decrypting it (using an AES key?) and then runs it. Those are my assumptions.

The question is: how secure is the code in this ROM? I mean: how much verification is there done on the decrypted flash?

Lets assume (and this is the big one) that the CPU decrypts and simply runs the flash (so no checksum code in the tiny ROM).

IF that were true (can we know?) then maybe the following is possible:

1) Remove the CPU and put it on some testbed.
2) Start/reset the CPU
3) When the CPU accesses the addresses of the flash give it a random response.
4) If the CPU simply decrypts it it will then run random code. Theoretically there is a chance the first bytes are a "jmp .." to some memory address.
5) Watch if an address somewhere in memory is accessed and give it back another command (eg another jmp). And verify if it executes that command. If so you have found a way run unsigned code on the CPU. Goto 7.
6) Goto 2
7) Retrieve the AES key by commanding the CPU to do so.

Once you got the AES key you can alter/design the flash memory (or find weaknesses in it).

As I said this is a long shot. Its mainly dependend on how big the ROM inside the CPU actually is and if it contains checksum code of some sorts. If there is a 32-bit checksum it may still work (by trying many times) depending on the speed of this rebooting the CPU and stuff.

Its a bit of a wild idea and somebody probably already thought of it but since running homebrew on the 360 is the main goal (and not running pirated stuff) I thought I might give it a try smile.gif.

Does this make any sense? Or is it plain stupid?

Just sharing my (strange) thoughts. 8)



Edited by arnezami, 10 July 2006 - 02:35 PM.

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users