Kernel Downgrade 'Timing Attack' PIC Interface Schematics and Details Options

[Xbox-Scene]

Kernel Downgrade 'Timing Attack' PIC Interface Schematics and Details Posted by XanTium | September 18 00:41 EST | News Category: Xbox360

Robinsod released the open-source schematics, sources and details to make your own PIC interface needed to perform the 'Timing Attack' that will allow you to boot the 1888 'base kernel' on your Xbox 360 even if you have burned fuses (and don't know your CPU Key) ... once booted to that kernel you will be able to update to an exploitable kernel. If you don't have the knowledge or tools to do this yourself, Robinsod says that Team Infectus is already hard at work designing a daughterboard for the their Infectus Modchip. The software required for this 'Timing Attack' is currently in final phase of testing and will be released soon. From Robinsod on XBH: [QUOTE] The timing attack is working well now, the software has been released for testing and if no major problems are found then it will be available at the end of the week. The first release will require an Infectus modchip and a "home made" PIC interface. I thought I would release the details of the PIC today to give people a chance to order parts, build and test the hardware. Schematic (horrible, hand drawn & scanned): here Parts List: IC1 LM339 IC2 LM339 IC3 74HC08 IC4 PIC16F876A 20MHz IC5 MAX232 or equivalent 1 * LED 1 * 20MHz Crystal 16 * 1K 0.25W 5% 1 * 10K 0.25W 5% 1 * 680R 0.25W 5% 1 * 330R 0.25W 5% 1 * 5K6 0.25W 5% 2 * 22pF Ceramic Cap 9 * 100nF Ceramic Cap Please note, 100nF decoupling caps across every ICs power supply pins seems to reduce the noise on the power supply and VRef lines. Reduced noise = Less jitter in the timing measurements which is a good thing ;) PIC Boot Loader, got this from Microchip site, repeated here for you convenience: here PIC Source (build with CCSC PCW) & Precompiled Binary: here (update: fixed version) Document: here Tomorrow I will release the tool that will build downgradable flash images. Hopefully by then the 2.0.1888 file set will be available in "the usual places" [/QUOTE] News-Source: xboxhacker.net (tech/bug-report discussion ONLY pls)

[Pseudo99]

sick.

[sektor1062]

need an infectus chip? I thought this mod didnt have to do with the dvd drive?
props to them tho

This post has been edited by sektor1062: Sep 18 2007, 05:29 AM

[SueMiBlitch]

sweeeet...

about the chip... i think it needs it to run the software cause i'm sure that all the stuff ain't M$ certified

[jo7a]

To tab it's needed a infectus and pic =/ . It would be nice if we just patched a image and it would boot directly to linux like the previus versions available at free60.org .

[BrooksyX]

This is great news! One step closer to Xbox 360 homebrew.

[elmo_sni]

kinda like a "brute force" attack... great work

[Hack_Bird]

WOW,

Sure im going to buy and build these tools !

Halo 3 homebrew MOD

ANyway, Great work !

[openxdkman]

Grats to robinsod and the other xbh hackers involved!

(note that you don't need the time attack if you have fw <=4548, of course)

Now, if you are interested in turning your console into an homebrew compatible one, be aware that there is a chance the coming fall update may touch the 2nd row of efuses and will make impossible the time attack.

So, if you are interested in trying this time attack, be sure your firwmare is NOT HIGHER than 5766.

You have been warned.

My personal suggestion is :
- keep resistor in place (if you don't go higher than 5766 that won't prevent you from swapping fw)
- water cool your console (coming homebrew will push GPU to its extreme limit, believe me)
- remove xclamps (see my mod tutorial in the tutorials section, using plastic clamps + mkII)
(all this is easier than soldering all the wires of infectus...)

If the fall update really kills the time attack, the wisest option will be to keep the one you have as a vulnerable one and buy a new one -unmodded- for future games (because there will be an indestructible frontier between fw versions allowing homebrew and fw versions accepting future games, because of the 2BL change, that may occur in fall update, or a later update. 2BL verifies 2nd row efuses, and its done in code, so no way to change it since we don't have the M$ private key for signing code. It's different from 1st row of efuse, compared with a value in a data set that robinsod's flash dump tool 0.81 can change at will).

Have fun with 360 homebrew!

Next interesting release to come on the 360 scene : open 3D demo source allowing accelerated 3D
(No ETA though... Its author -not me- is cleaning up source at the moment... A part to read from fw...)

Here is a snapshot (port of pbkit Demo 04, using the coming 3D demo source), and details :



Xenos Performance : Minimum 10 times faster than XB1 GPU
3.900.000 vertex/frame at 60 fps, measured in my current version of the port
(for comparison : PS2 250.000 vertex/frame, XB1 330.000 vertex/frame)

In short, 3 vertex = 1 face -triangle or polygon with 3 corners-, but if your meshes are well optimized that can go down to around 1 vertex = 1 face (strips).

1 vertex is usually a group of floats, for example : (px,py,pz,nx,ny,nz,tu,tv)
p:polygon corner coordinates
n:normal to the face, from this corner (used for gouraud or phong lighting calculation)
t:associated mapping point coordinates in the mapped texture


- Coming open source 3D Demo gives you GPU Xenos knowledge.
- pbKit Demo 04 (see XB1 development forum, post named "pbKit") gives you the functions that allow you to get all the data from standard 3DSMax files and .bmp.

So, it's not a dream, high quality homebrew is coming on the 360...

But once again, I strongly recommend you jump into the water cooling world... First.

This post has been edited by openxdkman: Sep 18 2007, 10:12 AM

[[Evil]Dude]

Great news Can't wait to see the homebrew applications, I may be buying a 360 just for this.

[bucko]

Sweet, nice work!

[sabbath_dude]

This is good to hear! . I think I'll need to buy myself a third Xbox just for homebrew unless its going to be very easy to upgraded/downgraded for playing newer games. Then again if they patch this in the next update I wont be able to play new games anyway.

This post has been edited by sabbath_dude: Sep 18 2007, 11:52 AM

[HackaJack]

need an infectus chip? I thought this mod didnt have to do with the dvd drive?
props to them tho

An Infectus requirement does not mean it's a DVD hack. The Infectus modchip is very versatile and can also be used to read/write the Xbox 360 nand. Your nand stores the latest kernel, the same kernel that does not allow you to have homebrew. The timing attack will allow you to downgrade to the original base Kernel which you will then update to the hackable 4532 or 4548 Kernel.

[proger]

Wonderful!


It's only a matter of time till a group steals this and starts selling then for $70.

[4doordrop]

First off, congratulations to robinsod and all who worked on the project. Your work will not be forgotten.

Secondly, a quick question. If we plan on using the "Timing Attack" and successfully obtain our CPU key, will we then be able to flash 5766+ fw with the R6T3 resistor removed and assume the 2nd row of efuses will go untouched?