
Discovery: Boot Xbox360 from 1888 Kernel - Downgrade Kernel


69 replies to this topic

#1 Xbox-Scene

Xbox-Scene

    Memba Numero Uno

  • Admin
  • 5,201 posts
  • Location:Yurop
  • Xbox Version:unk
  • 360 version:unknown

Posted 13 January 2007 - 06:45 AM

Posted by XanTium | January 13 00:45 EST

 
Robinsod over at the XBH forums has probably found a way to boot his Xbox360 with the original 1888 kernel (the 'BK' kernel). The onboard flash of the Xbox360 contains the full original kernel (v2.0.1888.0, the first public kernel release) plus patches (this is what MS adds when it releases new kernel updates) that update the kernel to the latest build (currently v2.0.4552.0). Apparently the system scans for version numbers in the headers of the kernel patches and then selects which one to load; by deleting (nulling) the non-encrypted headers (especially the version numbers) of the patches, Robinsod has probably managed to get his Xbox360 to boot the original 1888 kernel (v2.0.1888.0).
While the Xbox360 software (System > Console Settings > System Info) reports being on the 1888 kernel, it has yet to be tested whether it really is booting only the 1888 kernel without patches (looking at the dashboard features is no option: the dashboard and the kernel are not the same thing, and the dashboard stays as it is).


I have now successfully mounted my HYNIX flash in a socket and developed code to read, erase and reflash areas of that flash. I have also been sniffing the flash bus during the 360's power on sequence.

I believe my 360 was last updated from the NFS:Carbon game disk. The Kernel and Dash versions are reported as:
D 2.0.2868.0, K 2.0.2868.0, BK 2.0.1888.0

The read sequence I observed agrees broadly with that posted on free60 and, when "condensed", looks like this:
Power On:
Reads 0x000000 - 0x0001FF
Reads 0x008000 - 0x00E1FF ---"CB"
Reads 0x000000 - 0x0001FF
Reads 0x001000 - 0x003FFF
Reads 0x00C000 - 0x00C1FF
Reads 0x00E000 - 0x0699FF
Reads 0x06C000 - 0x06C1FF ---"CF"
Reads 0x07C000 - 0x07C1FF ---"CF" As per free60.org up to here
Reads 0x06C000 - 0x07BFF0 ---"CF" My log differs from free60.org from here

Notice how the 360 reads the first 0x200 bytes of the blocks marked "CF" and then selects one to read completely. This suggests that the 360 is reading the version numbers of kernel patches and selecting the most recent. In this case the patch at 0x06C000 is read.

To test the theory I erased:
1) 16KB block of Flash at 0x06C000, result:
D 2.0.2858.0, K 2.0.2858.0, BK 2.0.1888.0
2) 16KB block of Flash at 0x06C000 and 0x07C000, result:
K 2.0.1888.0
3) Inserted the NFS:C disk and reapplied the 2.0.2868.0 update, result:
D 2.0.2868.0, K 2.0.2868.0, BK 2.0.1888.0

So now I need to find a suitable test software to verify that the console really is downgraded to 2.0.1888.0. The kiosk disk perhaps...


Interesting reply from TheSpecialist:


I'd like to toss in my theory about the 'patches'. There are 2 questions here:
1. Why does MS upgrade via 'patches' and not just by sending the whole files and
2. Why don't they just patch the files in flash, but instead, keep the original files + patches in flash?

There are various good answers to question one, but I think the best answer is that it has to do with the limited space. Now, it is very easy to roll back the kernel: they always keep the original file, so they can hold various kernel versions in the flash, because the patches are relatively small. If they used complete files instead of patches, they probably wouldn't have enough space for 2 kernels!

About the answer to question 2 I am pretty sure: they simply can NOT patch the exe files themselves on the flash! Doing so would break the signature, so they would need to re-sign the files, and MS is not going to send us the private key to do so ;) Besides, another reason would be that rolling back would be more difficult.

So, to conclude, the filesystem always contains the v1.0 version of the files (well, 2.0.1888.0, the original version shipped on November 22, 2005), plus the patches. The 360 scans for the latest patch, loads both the original exe and the latest patch, checks BOTH files for their signature (at least, that is what I EXPECT) and then creates the new, 'patched' exe in its memory.


Note that right now, booting up with the 1888 kernel doesn't bring any real advantages (except maybe booting the kiosk disc from recordable media), but it might come in handy later.

Full Story/News-Source: xboxhacker.net (hacking discussions ONLY! - thx)
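The selection step Robinsod inferred from the bus trace, as an added example that is not code from the post, from XBH, or from any Xbox 360 tool: a constructed flash image with the layout reported above (CB at 0x8000, CF patch slots at 0x6C000 and 0x7C000, 16 KB erase blocks) and a loop that peeks at the first 0x200 bytes of each CF slot and loads the highest version, followed by the same three experiments (erase one slot, erase both, re-apply). The header layout used here (2-byte ASCII magic, 16-bit big-endian version, pad, entry, size) is an assumption taken from the public free60 description; the post itself only says the version sits in the unencrypted header. The 1 MiB image, the patch sizes and the `null_header` variant are likewise constructed for the demo.

```python
"""Simulation of the kernel-patch selection step inferred from the flash-bus trace.

Added example, not code from the post or from any Xbox 360 tool.

ASSUMPTION: the header layout (magic(2) | version(2, BE) | pad(4) | entry(4)
| size(4)) is taken from the public free60 description; the post only states
that the version number lives in the unencrypted 0x200-byte header.
"""
import struct

BLOCK_SIZE = 0x4000              # 16 KB flash blocks, the unit erased in the post
HEADER_SIZE = 0x200              # the 360 reads this much of each slot before choosing
CB_OFFSET = 0x008000             # "CB" bootloader
CF_SLOTS = (0x06C000, 0x07C000)  # the two "CF" kernel-patch slots seen on the bus
BASE_KERNEL_VERSION = 1888       # "BK" in the dashboard: the unpatched kernel
IMAGE_SIZE = 0x100000            # constructed 1 MiB image, large enough for the slots


def make_header(magic: bytes, version: int, size: int) -> bytes:
    """Assumed header: magic(2) | version(2, BE) | pad(4) | entry(4) | size(4)."""
    hdr = magic + struct.pack(">H", version) + b"\x00" * 4 + struct.pack(">II", 0, size)
    return hdr.ljust(HEADER_SIZE, b"\x00")


def build_image(patch_versions) -> bytearray:
    """Constructed image: erased NAND (0xFF), CB at 0x8000, one CF per slot (None = empty)."""
    img = bytearray(b"\xff" * IMAGE_SIZE)
    img[CB_OFFSET:CB_OFFSET + HEADER_SIZE] = make_header(b"CB", BASE_KERNEL_VERSION, 0x6200)
    for slot, ver in zip(CF_SLOTS, patch_versions):
        if ver is not None:
            img[slot:slot + HEADER_SIZE] = make_header(b"CF", ver, 4 * BLOCK_SIZE)
    return img


def parse_header(img, off):
    """Return the plaintext header fields at `off`, or None if the slot is erased or nulled."""
    hdr = bytes(img[off:off + HEADER_SIZE])
    magic = hdr[:2]
    if magic not in (b"CB", b"CF"):
        return None
    version = struct.unpack(">H", hdr[2:4])[0]
    size = struct.unpack(">I", hdr[12:16])[0]
    return {"magic": magic.decode("ascii"), "version": version, "size": size}


def select_patch(img):
    """Mimic the observed behaviour: peek at each CF slot, load the highest version.

    Note what is NOT here: nothing binds the chosen version to anything outside the
    flash, so whoever can write the flash can make the console take an older slot,
    or no patch at all, simply by spoiling the newer header.
    """
    best = None
    for slot in CF_SLOTS:
        hdr = parse_header(img, slot)
        if hdr is None or hdr["magic"] != "CF":
            continue
        if best is None or hdr["version"] > best[1]["version"]:
            best = (slot, hdr)
    return best


def reported_kernel(img) -> int:
    """Kernel build the console would end up running: patch version, else the base kernel."""
    chosen = select_patch(img)
    return chosen[1]["version"] if chosen else BASE_KERNEL_VERSION


def erase_block(img, off):
    """Robinsod's experiment: erase one whole 16 KB block back to 0xFF."""
    if off % BLOCK_SIZE:
        raise ValueError("erase offset must be block-aligned")
    img[off:off + BLOCK_SIZE] = b"\xff" * BLOCK_SIZE


def null_header(img, off):
    """The variant in the news text: zero only the 0x200-byte plaintext header."""
    img[off:off + HEADER_SIZE] = b"\x00" * HEADER_SIZE


def downgrade_demo():
    """Reproduce the three results from the post; returns the kernel seen after each step."""
    img = build_image((2868, 2858))            # slot 0x6C000 newer, 0x7C000 older
    seen = [reported_kernel(img)]              # 2868: newest patch wins
    erase_block(img, 0x06C000)
    seen.append(reported_kernel(img))          # 2858: falls back to the older slot
    erase_block(img, 0x07C000)
    seen.append(reported_kernel(img))          # 1888: no patch left, base kernel
    img[0x06C000:0x06C000 + HEADER_SIZE] = make_header(b"CF", 2868, 4 * BLOCK_SIZE)
    seen.append(reported_kernel(img))          # 2868: update re-applied
    return seen


if __name__ == "__main__":
    print("kernel after each step:", downgrade_demo())
```

The point the simulation makes explicit: the choice of patch is a plain integer comparison on unsigned header bytes, so a signature over the patch body (which TheSpecialist expects) would only stop a forged patch, not a rollback to an older signed one or to no patch at all.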




#2 rasputin69

rasputin69

    X-S Enthusiast

  • Members
  • 13 posts

Posted 13 January 2007 - 06:03 AM

I wonder if this could help people who have had bad flashes that give errors. The system is still booting, but the flash did not go well. Who knows.

#3 ILLusions0fGrander

ILLusions0fGrander

    third echelon agent

  • Head Moderator
  • 7,500 posts
  • Location:Post Apocalyptic DC Vault No. 101
  • Xbox Version:v1.4
  • 360 version:v4.0 (jasper)

Posted 13 January 2007 - 06:13 AM

QUOTE
Note that right now, booting up with the 1888 kernel doesn't bring any real advantages (except maybe booting the kiosk disc from recordable media), but it might come in handy later.


That's what I found pretty cool.

If there was a flaw from day one... it can now be exploited.



#4 Tobb555

Tobb555

    X-S Expert

  • Members
  • 656 posts
  • Location:From the dark side of the Moon
  • Xbox Version:v1.0
  • 360 version:v1 (xenon)

Posted 13 January 2007 - 06:15 AM

This is an awesome find, but isn't this kind of a pain in the arse for the normal Joe to do? I'm sure I don't have the skills for this.

#5 1337 pig

1337 pig

    X-S Senior Member

  • Members
  • 153 posts
  • Location:West Fargo, ND
  • Xbox Version:v1.6b
  • 360 version:v1 (xenon)

Posted 13 January 2007 - 06:16 AM

I saw this earlier today; I didn't understand much of their technical talk, but I knew it was another step.

#6 poncinator

poncinator

    X-S Enthusiast

  • Members
  • 26 posts
  • Xbox Version:v1.4
  • 360 version:v1 (xenon)

Posted 13 January 2007 - 06:26 AM

Hope

#7 gaming fanboy

gaming fanboy

    X-S X-perience

  • Members
  • 304 posts
  • Location:Michigan
  • Interests:friends n family, gaming, technology
  • Xbox Version:v1.5
  • 360 version:v4.0 (jasper)

Posted 13 January 2007 - 06:40 AM

QUOTE(ILLusions0fGrander @ Jan 13 2007, 06:20 AM)

That's what I found pretty cool.

If there was a flaw from day one... it can now be exploited.

I agwee

QUOTE(Tobb555 @ Jan 13 2007, 06:22 AM)

This is an awesome find, but isn't this kind of a pain in the arse for the normal Joe to do? I'm sure I don't have the skills for this.

True, true.

QUOTE(poncinator @ Jan 13 2007, 06:33 AM)

Hope


THEY'RE GETTING SOMEWHERE!!!

#8 Casper1786

Casper1786

    X-S Genius

  • Members
  • 915 posts
  • Xbox Version:v1.3
  • 360 version:v1 (xenon)

Posted 13 January 2007 - 06:49 AM

Now I'm curious whether the new/newer/after-launch machines carry a later kernel than launch day, or whether they are preloading launch kernels with the latest patches to the flashes? Because unless the XBL guys are making "pre-patched" kernels and separate patch versions for these, it's probable that we all have the same "base kernel".

#9 appleguru

appleguru

    an Apple a Day...

  • Members
  • 2,694 posts
  • Location:Colorado Springs, CO Boston, MA
  • Xbox Version:v1.6
  • 360 version:v1 (xenon)

Posted 13 January 2007 - 07:08 AM

QUOTE(Casper1786 @ Jan 13 2007, 12:56 AM)

Now I'm curious whether the new/newer/after-launch machines carry a later kernel than launch day, or whether they are preloading launch kernels with the latest patches to the flashes? Because unless the XBL guys are making "pre-patched" kernels and separate patch versions for these, it's probable that we all have the same "base kernel".


As of now anyways, we all do.

#10 SwattiMatti

SwattiMatti

    X-S Enthusiast

  • Members
  • 2 posts

Posted 13 January 2007 - 07:10 AM


#11 NFN_NLN

NFN_NLN

    X-S Enthusiast

  • Members
  • 8 posts

Posted 13 January 2007 - 07:16 AM

I'm always paranoid about taking updates because I know that if they do find an exploit, chances are it'll be for an early kernel version. As I understand it, this kernel + patch model is a fundamental architecture that can't safely change, so we'll always be able to downgrade (assuming you have the balls to pull out your flash memory and reprogram it).
Here's to hoping a number of those patches were to plug up security holes and not just feature enhancements.

#12 GARRYB

GARRYB

    X-S Member

  • Members
  • 126 posts

Posted 13 January 2007 - 07:51 AM

So does this mean we will soon be running Linux on the 360? If yes, wow, you just made my day.

#13 sicknasty413

sicknasty413

    X-S Messiah

  • Members
  • 3,590 posts
  • Location:Central VA
  • Interests:Modding... video games... eating... sleeping... computers... and those things we call women.
  • Xbox Version:v1.0
  • 360 version:v1 (xenon)

Posted 13 January 2007 - 08:13 AM

QUOTE(GARRYB @ Jan 13 2007, 01:58 AM)

So does this mean we will soon be running Linux on the 360? If yes, wow, you just made my day.

soon? doubt it.

Good news though!

#14 Murc

Murc

    X-S Member

  • Members
  • 130 posts

Posted 13 January 2007 - 08:30 AM

Smells like progress.

But I'm sure a linux type of interface is still a long while off yet.

I have a question, way out of left field, that has nothing at all to do with this topic... Can people (me) put a custom picture on their 360 for their gamertag pic???

Edited by Murc, 13 January 2007 - 08:35 AM.


#15 signal-to-noise-ratio

signal-to-noise-ratio

    X-S Senior Member

  • Members
  • 165 posts
  • Xbox Version:v1.6
  • 360 version:v1 (xenon)

Posted 13 January 2007 - 09:02 AM

QUOTE
While the Xbox360 software (system>console settings>system info) reports being in 1888 kernel it has yet to be tested if it really is booting only the 1888 kernel without patches (looking at the dashboard features is no option ... the dashboard and kernel are not the same, the dashboard stays as it is).


If the kiosk disc does boot, doesn't that prove it has reverted back to the 1888 kernel without patches? Otherwise the disc wouldn't boot.



