As you know, the privilege escalation vulnerability in kernels 4532 and 4548 can be exploited to run arbitrary code in hypervisor mode (with full privileges and hardware access). The bug and proof-of-concept details are disclosed in Bugtraq ID 22745 / CVE-2007-1221. The vulnerability can be used to i.e. run Linux and/or extract the CPU's fuseset, including the per-box CPU key.

http://www.securityfocus.com/archive/1/461489

To exploit the vulnerability you need to put your own code and data in memory. The GPU can write to memory, and by writing custom "shaders" you can make the GPU do the necessary poking without breaking any XEX signatures. The shaders in the King Kong game are exploited in most hacks. Xorloser has written some very nice tools to help developing shaders as well as patching the shaders in KK.

To get control over the instruction pointer you can patch some memory structures. Bugtraq ID 22745 gives the proof-of-concept details:

Code:
Setup context switch to stack @80130AF0:
00130390: 00000000 00000000 00000000 FDFFD7FF    MSR mask
00130360: 00000000 80130AF0 00000000 00000000    New stack pointer

Setup stack:
00130BD0: 00000000 80070190 00000000 00000000    NIP to context restore
00130C90: 00000000 00000000 80070228 80070228    NIP, LR after context restore point to syscall instruction in kernel
00130CA0: 00000000 00009030 00000000 00000000    MSR
00130B40: 20000000 00000046 00000000 80130af0    r0 = syscall nr, r1 = stack
00130B60: 80000000 address1                      r4 = address to jump to
00002080: 00000350                               points to mtctr %r4, bctr in hypervisor code

This proof-of-concept snippet works fine on 4532 and 4548 retail kernels. It does however not work on devkit kernels. The patching needs to be tweaked to suit the devkit environment. Below is a proof-of-concept snippet for the 4548 devkit kernel.

Code:
Setup context switch to stack @80170AF0:
00170390: 00000000 00000000 00000000 FDFFD7FF    MSR mask
00170360: 00000000 80170AF0 00000000 00000000    New stack pointer

Setup stack:
00170BD0: 00000000 800737E8 00000000 00000000    NIP to context restore
00170C90: 00000000 00000000 80060C04 80060C04    NIP, LR after context restore point to syscall instruction in kernel
00170CA0: 00000000 00009030 00000000 00000000    MSR
00170B40: 20000000 00000032 00000000 80170af0    r0 = syscall nr, r1 = stack
00170B60: 80000000 address1                      r4 = address to jump to
000020CC: 00000350                               points to mtctr %r4, bctr in hypervisor code

I found the addresses and the syscall (0x32) above by looking at devkit-compatible shaders generated by xorloser's bin2shader. All credits to him.

CF
Yes, this is definitely one of the most intriguing exploits I've seen for the 360. If I had the necessary hardware and skills, I would definitely try to use something like this.
The cracking continues! Seems that MS did a pretty amazing job on their console security. Although this is of absolutely NO use to me whatsoever, I am impressed at the clarity of what you've written, and even as a noob it pretty much made sense to me, in a rather limited capacity of course!