Jump to content

Free60: Difference between revisions

From Wikipedia, the free encyclopedia
Content deleted Content added
Limitations: King Kong exploit is now not the only way to get unsigned code execution
Execution Method: KK exploit has been surpassed by the JTAG/SMC exploit and RGH.
Line 6: Line 6:


==Execution Method==
==Execution Method==
Since executable code on the Xbox 360 is [[Digital signature|digitally signed]], and runs underneath a [[hypervisor]], an exploit or hack is necessary in order to execute [[Homebrew (video games)|homebrew]] code. On the Xbox 360, one such exploit exists, relying on and utilizing a modified DVD-ROM drive [[firmware]], a modified burnt disc of the game [[Peter Jackson's King Kong: The Official Game of the Movie|King Kong]] (for Xbox 360), and the target console having either one of two vulnerable [[Kernel (computer science)|Kernel]] revisions. Optionally, a home-made serial cable may be used where attached to the appropriate [[pin header]] on the motherboard of the console.<ref>Speedy22's Headers and Connectors Tech Info {{cite web |url=http://www.dave-bell.co.uk/~speedy22/XBOX360cpu15data.pdf |title=Archived copy |accessdate=2008-07-07 |deadurl=yes |archiveurl=https://web.archive.org/web/20061022203457/http://www.dave-bell.co.uk/~speedy22/XBOX360cpu15data.pdf |archivedate=2006-10-22 |df= }}</ref>
Since executable code on the Xbox 360 is [[Digital signature|digitally signed]], and runs underneath a [[hypervisor]], an exploit or hack is necessary in order to execute [[Homebrew (video games)|homebrew]] code. On the Xbox 360, the first exploit which enabled booting of unsigned code relied on a modified DVD-ROM drive [[firmware]], a modified burned disc of the game [[Peter Jackson's King Kong: The Official Game of the Movie|King Kong]] (for Xbox 360), and the target console having either one of two vulnerable [[Kernel (computer science)|Kernel]] revisions. Alternatively, a home-made serial cable may be used where attached to the appropriate [[pin header]] on the motherboard of the console to flash an image to old kernel revisions, known as the "JTAG/SMC exploit", which later evolved into the "RGH exploit" which is applicable on any kernel version on all but the latest revision of the Xbox 360 motherboard.<ref>Speedy22's Headers and Connectors Tech Info {{cite web |url=http://www.dave-bell.co.uk/~speedy22/XBOX360cpu15data.pdf |title=Archived copy |accessdate=2008-07-07 |deadurl=yes |archiveurl=https://web.archive.org/web/20061022203457/http://www.dave-bell.co.uk/~speedy22/XBOX360cpu15data.pdf |archivedate=2006-10-22 |df= }}</ref>


The console must launch the modified game, which will utilize the software vulnerability to load a small chunk of code that is included on the disc. This code may either initialize the serial port to allow upload of further code to the console, or eject the drive tray and prepare the console to load further code from a specified point on optical media that is then placed in the drive. The latter method involves the '''readcd''' binary, made specifically for this cause. The code that readcd executes in this instance is known as XeLL, short for '''Xenon Linux Loader'''. XeLL captures CPU threads and launches the Linux kernel from either network ([[Trivial File Transfer Protocol|tftp]]) or optical media as its only purpose, providing a flat device tree for the kernel. In the cases of released '[[Live CD]]s', the readcd binary would typically be included on the modified game disc, which would eject the drive, and a CD containing the XeLL binary as well as the complete Linux kernel and filesystem would be inserted.
With the original King Kong exploit, the console must launch the modified game which will utilize the software vulnerability to load a small chunk of code that is included on the disc. This code may either initialize the serial port to allow upload of further code to the console, or eject the drive tray and prepare the console to load further code from a specified point on optical media that is then placed in the drive. The latter method involves the '''readcd''' binary, made specifically for this cause. The code that readcd executes in this instance is known as XeLL, short for '''Xenon Linux Loader'''. XeLL captures CPU threads and launches the Linux kernel from either network ([[Trivial File Transfer Protocol|tftp]]) or optical media as its only purpose, providing a flat device tree for the kernel. In the cases of released '[[Live CD]]s', the readcd binary would typically be included on the modified game disc, which would eject the drive, and a CD containing the XeLL binary as well as the complete Linux kernel and filesystem would be inserted.


==Limitations==
==Limitations==

Revision as of 20:58, 11 November 2018

Free60 is the successor to the Xbox Linux Project that aims to put Linux, BSD, or Darwin on the Microsoft Xbox 360 using a software or hardware based "hack". The Xbox 360 uses hardware encryption and will not run unsigned code out of the box.

The project's goals were met in March 2007, when shortly after the announcement of a critical software vulnerability[1] in the Xbox 360 Hypervisor a loader for Linux appeared, which allowed to run a Linux ported to the Xbox 360.

To date, there are two Linux kernel patchsets available, one for 2.6.21 and one for 2.6.24.3. Three main Linux distributions may be run on the Xbox 360; Gentoo, Debian and Ubuntu Linux, the last two of which are easily installable to the Xbox 360 hard drive by scripts provided by members of the Free60 project.[2][3][4]

Execution Method

Since executable code on the Xbox 360 is digitally signed, and runs underneath a hypervisor, an exploit or hack is necessary in order to execute homebrew code. On the Xbox 360, the first exploit which enabled booting of unsigned code relied on a modified DVD-ROM drive firmware, a modified burned disc of the game King Kong (for Xbox 360), and the target console having either one of two vulnerable Kernel revisions. Alternatively, a home-made serial cable may be used where attached to the appropriate pin header on the motherboard of the console to flash an image to old kernel revisions, known as the "JTAG/SMC exploit", which later evolved into the "RGH exploit" which is applicable on any kernel version on all but the latest revision of the Xbox 360 motherboard.[5]

With the original King Kong exploit, the console must launch the modified game which will utilize the software vulnerability to load a small chunk of code that is included on the disc. This code may either initialize the serial port to allow upload of further code to the console, or eject the drive tray and prepare the console to load further code from a specified point on optical media that is then placed in the drive. The latter method involves the readcd binary, made specifically for this cause. The code that readcd executes in this instance is known as XeLL, short for Xenon Linux Loader. XeLL captures CPU threads and launches the Linux kernel from either network (tftp) or optical media as its only purpose, providing a flat device tree for the kernel. In the cases of released 'Live CDs', the readcd binary would typically be included on the modified game disc, which would eject the drive, and a CD containing the XeLL binary as well as the complete Linux kernel and filesystem would be inserted.

Limitations

  • The readcd method was initially restricted to only Hitachi branded DVD-ROM drives, but now also supports Samsung branded drives.[6] All other commercially used drives are assumed unsupported, at this point in time the only other drives in use are manufactured by BenQ and Lite-ON.
  • An older Kernel revision is required on the Xbox 360 itself, which may prove to be hard to find, since connecting to the Xbox Live service applies updates to the console, and many games include updates that must be applied before the game will run. This limitation is not as important as it once was, as it is now known to be possible to downgrade a Kernel greater than the last of the two exploitable Kernels by means of a timing attack.
  • There are presently no audio drivers written to support the console's internal audio hardware, however a USB audio device can be used.
  • Some codecs are incompatible with the current display driver, causing some videos to not play. In addition to this, framebuffer and cache issues mean that videos that do play are jumpy after the first few seconds when the cache is full.

Development

One of the main contributors to the Free60 project has developed a method of 3D graphics acceleration on the Xbox 360's GPU (codenamed Xenos) under Linux.[7][8][9] This work has been encapsulated into an API for easier use. In order to achieve this acceleration, some data from the Xbox 360's flash needs to be uploaded to the Xenos GPU. This process may be automated to help ensure legality of any 3D graphics acceleration.

Since only a small proportion of Xbox 360's are currently able to execute unsigned code, there has been little development within the Free60 project in recent times. This may to some extent be contrasted to the Free60 predecessor, the Xbox Linux project, which saw far more development as a result of the relative ease of running unsigned code on the Xbox and the ease of porting x86 code to the Xbox's custom Intel Pentium III-based CPU.

To continue development, members of the Free60 project are looking for help.[10] Perhaps the most important of the help requests is to provide audio drivers; the Free60 members have asked for someone with knowledge of the ALSA kernel component and a SiS966 based motherboard to achieve this.

One project created as a result of the success of Free60 is a Kernel Rebooter.[11] The goal of this is, after initially loading a vulnerable kernel and exploiting it to gain control of the system, to be able to make the console reload into a modified, unsigned hypervisor and kernel. Being able to reboot into a more recent kernel revision would allow for games to be executed on the console that are dependent on these kernel revisions. This project has seen a certain level of success; there are binary files available (to be launched by the serial loader or readcd) to partially reload the hypervisor.

Summer 2009 Xbox Live Update

On August 11, 2009 Microsoft released an Xbox 360 software update that overwrites the Second stage bootloader of the system. Any failure while updating this will break the Xbox 360 beyond repair. Statistics from other systems have shown that about one in a thousand bootloader updates went wrong and unless Microsoft has a novel solution to this problem, this puts tens of thousands of Xboxes at risk.

It seems that this update was issued to fix a vulnerability already known to the Free60 Project. This vulnerability has been successfully exploited to run arbitrary code, and a complete end user compatible hack has been in development for some time and is planned to be released on free60.org shortly. It will allow users to take back control of their Xboxes and run arbitrary code like homebrew applications or Linux right after turning on the console and without the need of a modchip, finally opening up the Xbox 360 to a level of hacking as the original Xbox.

Because of the danger of the update and the homebrew lockout, the Free60 Project advises all Xbox 360 users to not update their systems to the latest software version. The Free60 website will provide the latest information on this ongoing topic, including the final hack software.

References

  1. ^ Bugtraq: Xbox 360 Hypervisor Privilege Escalation Vulnerability http://seclists.org/bugtraq/2007/Feb/0514.html
  2. ^ Debian-Etch Installation Guide https://web.archive.org/web/20080704112307/http://www.free60.org/wiki/Debian-etch. Archived from the original on July 4, 2008. Retrieved July 7, 2008. {{cite web}}: Missing or empty |title= (help); Unknown parameter |deadurl= ignored (|url-status= suggested) (help)
  3. ^ Ubuntu 7.04 Installation Script https://web.archive.org/web/20080704112331/http://www.free60.org/wiki/Ubuntu7.04. Archived from the original on July 4, 2008. Retrieved July 7, 2008. {{cite web}}: Missing or empty |title= (help); Unknown parameter |deadurl= ignored (|url-status= suggested) (help)
  4. ^ Ubuntu 7.10 Installation Script https://web.archive.org/web/20080704112123/http://www.free60.org/wiki/Ubuntu7.10. Archived from the original on July 4, 2008. Retrieved July 7, 2008. {{cite web}}: Missing or empty |title= (help); Unknown parameter |deadurl= ignored (|url-status= suggested) (help)
  5. ^ Speedy22's Headers and Connectors Tech Info "Archived copy" (PDF). Archived from the original (PDF) on 2006-10-22. Retrieved 2008-07-07. {{cite web}}: Unknown parameter |deadurl= ignored (|url-status= suggested) (help)CS1 maint: archived copy as title (link)
  6. ^ Gentoo Live CD Xenon Beta 2 Release Notes http://sourceforge.net/project/shownotes.php?group_id=139616&release_id=506402
  7. ^ debugmo.de » fancy
  8. ^ debugmo.de » Fear, triangles!
  9. ^ debugmo.de » Xbox 360 GPU update
  10. ^ Free60 Help https://web.archive.org/web/20080704112155/http://www.free60.org/wiki/Help. Archived from the original on July 4, 2008. Retrieved July 7, 2008. {{cite web}}: Missing or empty |title= (help); Unknown parameter |deadurl= ignored (|url-status= suggested) (help)
  11. ^ Kernel Rebooter http://www.xboxhacker.net/index.php?topic=8738.0