Featured Content
Posted Sep 20, 2007 at 01:50AM by Enrico S. Listed in: News, Homebrew Development Tags: robinsod

Xbox 360 Kernel Downgrade: Timing Attack instructions released

Some time ago we reported on a few hackers who have been working on a way to downgrade the Xbox 360 kernel without knowing the console's unique CPU key. The process, which they have dubbed the "Timing Attack", was already working fairly reliably as of this writing.

One of the hackers working on the project, Robinsod, has released a parts list, a schematic, a PIC bootloader, the PIC source (with a pre-compiled binary), and the instructions needed to perform the hack.

It was also announced that a tool for building downgradable flash images will be released soon. For those who would rather not open up their Xbox 360, Team Infectus is already developing a daughter board that should let users downgrade their systems without any fuss.

The implications of this project are significant, as it opens the door for Xbox 360 owners to create and run homebrew on their systems: a downgraded console can be brought back up to a kernel with a known exploit, which is what makes CPU-key extraction possible (see the Aug 24 post below). The full instructions are behind our Read Link. Be advised that modifications of this nature void the warranty and can damage your Xbox 360.

Posted Aug 24, 2007 at 03:03AM by Enrico S. Listed in: Hacks & Exploits, News, Homebrew Development Tags: Linux, Custom Firmware, robinsod

Downgrading an Xbox 360 from any Kernel without CPU-Key now possible

Downgrading your Xbox 360 firmware from any kernel without the CPU key used to be just a legend. However, some enterprising hackers at xboxhacker.net set out to do exactly that.

After much work they succeeded, using a method that has been dubbed the "timing attack". A hacker going by the handle Robinsod managed to boot his Xbox 360 into kernel 1888 on a console whose eFuses had already been updated past that version.

While less experienced (and less daring) users may not be able to pull this off for now, the hackers are currently working on simplifying the process.

Here's a quote from Robinsod explaining how the process works:

The timing attack does not try to "brute-force" the CPU key itself. It tries to find/brute-force a hash value which is a result of the usage of the CPU key (so even if you have that hash you still cannot backwards compute the CPU key). But finding this hash value (I usually refer to it as the CB-auth value) will enable the Xbox to boot the original kernel (v1888).

This then allows you to upgrade to a vulnerable kernel (e.g. 4532) and THEN you can extract the CPU key using the kk exploit. Since, on average, you will find the correct value at roughly half of the possible byte values, you only need to try (approx.) 128 values for each of the 16 bytes.

That's why vax is talking about 16 * 128 as the total number of byte changes... There is a theoretical minimum to the reboot time of about 1 second. So in theory you could find the 16 bytes in 34 minutes. That's probably not gonna happen (grin). And installing the hardware will probably take even more time, so it's not a really big issue. But this is basically what the time speculations are based on.


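As an added illustration (not code from the original post and not Robinsod's), the following Python simulates the search strategy the quote describes: recovering a 16-byte value one byte at a time, about 128 tries per byte on average, against a check that stops at the first mismatching byte. The `LeakyBootCheck` class is a hypothetical stand-in that simply reports how many bytes were compared; on a real console that information would have to be inferred from how long the machine takes to reboot, and nothing here describes the actual Xbox 360 bootloader logic.

```python
"""Byte-at-a-time recovery of a secret against an early-exit comparison.

Added example, not code from the original post or from Robinsod. The
LeakyBootCheck class is a hypothetical model (assumption): it compares the
candidate with the secret byte by byte, stops at the first mismatch, and
reports how many bytes were compared. On hardware that count would have to
be inferred from reboot timing; the real Xbox 360 check is not described.
"""

AUTH_LEN = 16          # the quote talks about a 16-byte CB-auth value
VALUES_PER_BYTE = 256


class LeakyBootCheck:
    """Hypothetical early-exit comparison that leaks how far it got."""

    def __init__(self, secret: bytes) -> None:
        if len(secret) != AUTH_LEN:
            raise ValueError("secret must be %d bytes" % AUTH_LEN)
        self._secret = secret
        self.attempts = 0  # number of simulated boot attempts

    def try_boot(self, candidate: bytes) -> tuple[bool, int]:
        """Return (accepted, number of bytes compared before stopping)."""
        self.attempts += 1
        compared = 0
        for got, want in zip(candidate, self._secret):
            compared += 1
            if got != want:
                return False, compared
        return True, compared


def recover_auth(oracle: LeakyBootCheck, length: int = AUTH_LEN) -> bytes:
    """Recover the secret one byte at a time.

    At position pos the candidate is known_prefix + guess + zero padding.
    A wrong guess makes the check stop at index pos (compared == pos + 1);
    a right guess lets it run on into the padding (compared > pos + 1),
    or accept the whole value when pos is the last byte.
    """
    known = bytearray()
    for pos in range(length):
        for guess in range(VALUES_PER_BYTE):
            candidate = bytes(known) + bytes([guess]) + bytes(length - pos - 1)
            accepted, compared = oracle.try_boot(candidate)
            if accepted or compared > pos + 1:
                known.append(guess)
                break
        else:
            raise RuntimeError("no byte value accepted at position %d" % pos)
    return bytes(known)


def expected_attempts(length: int = AUTH_LEN) -> float:
    """Average attempts: each byte is found after (256 + 1) / 2 tries."""
    return length * (VALUES_PER_BYTE + 1) / 2


def expected_minutes(reboot_seconds: float = 1.0, length: int = AUTH_LEN) -> float:
    """The quote's back-of-the-envelope figure: 16 * 128 reboots at ~1 s each."""
    return length * (VALUES_PER_BYTE // 2) * reboot_seconds / 60


def demo() -> tuple[bool, int]:
    """Run the search against a constructed secret; return (success, attempts)."""
    secret = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")  # constructed value
    oracle = LeakyBootCheck(secret)
    return recover_auth(oracle) == secret, oracle.attempts


if __name__ == "__main__":
    ok, attempts = demo()
    print("recovered:", ok, "attempts:", attempts,
          "expected:", expected_attempts(), "minutes:", round(expected_minutes(), 1))
```

The point of the simulation is the cost model: a check that fails early turns a 2^128 search into at most 16 * 256 attempts, and the 34-minute figure in the quote is just that count multiplied by a one-second reboot. A comparison that always examines every byte and takes the same time regardless of where the mismatch is gives the attacker no per-byte signal, which is why constant-time comparison is the standard defence against this class of attack.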
This is good news for the hacking community, as further refinement of the technique should eventually lead to homebrew, Linux, and possibly even custom firmware on the Xbox 360. For more details, follow our read link to the forum thread where this was announced.


Posted Jul 18, 2007 at 06:53PM by Ceasar S. Listed in: Hacks & Exploits, News Tags: Seventhson, Hackers, TheSpecialist, robinsod

Xbox 360 game region code hacked

Several Xbox tech sources are relaying a claim from the Xboxhacker (XBH) forums that the Xbox 360's DVD key and game region code can be altered to defeat the region locks on some games. Following the tip from XBH member Seventhson, a flurry of third-party experiments is beginning to back the claim in full.

"I successfully changed the DVD key and region code of a 360. So it's all confirmed. ... All I did towards this was to reverse the plaintext KV signature to figure out how to modify and resign the KV contents," said Seventhson in his post, assuring that he isn't here to claim fame for this find.

He states that this result builds on the work of other Xbox hackers and thanks four of them, Takires, TheSpecialist, Robinsod and tmbinc, for their region code tests and SHA1/RC5 documentation. The patch only works on some Xbox 360s, however: those with an exploitable hypervisor (kernels 4532 and 4548), the same exploit that is used to extract the console's CPU key (see the Aug 24 post above).

Meanwhile, another Xboxhacker contributor, Arakon, has successfully loaded a region-locked game, stating, "My USA 360 just booted a PAL (non-region-free) game. The region patching works."

Posted May 29, 2007 at 04:42AM by Victor B. Listed in: Hacks & Exploits Tags: AACS, Custom Firmware, robinsod

The 360's secrets revealed?

robinsod has released a decryption and extraction tool for the different parts of your Xbox 360's flash. Called the 360 Flash Dump Tool v0.1, this app opens up the data in your 360 for you to study, if you so choose.


Rather than paraphrase the technical details, here is what robinsod had to say about it:

This tool will allow you to decrypt and extract various parts of an Xbox 360 flash dump. The flash is divided into 2 major parts:

  1. The Cx sections (CB, CD, CE and 0, 1 or 2 CF & CG sections).
     CB: CPU bootup
     CD: unpacker for CE
     CE: contains the HV and Kernel in a .cab archive
     CF & CG: upgrade patches

     The tool will extract and decrypt sections CB, CD, CE. Additionally it will extract the .cab file in section CE. This can be opened with WinRAR and the content (xboxkrnl.img) extracted. The first 256K of xboxkrnl.img is the Hypervisor, the remainder is the 2.0.1888 Kernel.

  2. The Flash File System.

The tool expects a dump to contain the data (512 bytes) followed by the ECC (16 bytes). The ECC bytes are used to locate FS entries & identify the version.

The tool consists of the exe and CxKey.txt. CxKey.txt is delivered with 32 '0's and they should be replaced with the key obtained from the 1BL. After all the fuss about AACS keys recently it seems risky to put the key in the exe. The Cx sections extracted from a dump will only decrypt correctly if the correct hex digits are inserted in the CxKey.txt file.


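To make the dump layout robinsod describes concrete, here is an added Python example; it is not the 360 Flash Dump Tool's code and not robinsod's. It relies only on what the description above states: a dump is a sequence of pages of 512 data bytes followed by 16 ECC bytes, xboxkrnl.img begins with a 256 KiB hypervisor followed by the kernel, and CxKey.txt holds 32 hex digits that ship as all zeros. The sample dump is constructed inline; locating file-system entries from the ECC bytes is not modelled.

```python
"""Splitting a raw Xbox 360 NAND dump into page data and spare (ECC) bytes.

Added example, not the 360 Flash Dump Tool's code and not robinsod's. It
assumes only the layout the quoted description states: each page is 512
data bytes followed by 16 ECC bytes; xboxkrnl.img is a 256 KiB hypervisor
followed by the kernel; CxKey.txt holds 32 hex digits, shipped as zeros.
The sample dump built by build_sample_dump() is constructed for this example.
"""
import string

PAGE_DATA = 512
PAGE_SPARE = 16
PAGE_RAW = PAGE_DATA + PAGE_SPARE
HV_SIZE = 256 * 1024
KEY_HEX_DIGITS = 32


def split_pages(raw: bytes) -> tuple[bytes, list[bytes]]:
    """Return (concatenated page data, list of per-page spare areas)."""
    if len(raw) == 0 or len(raw) % PAGE_RAW:
        raise ValueError("dump length %d is not a multiple of %d" % (len(raw), PAGE_RAW))
    data = bytearray()
    spare = []
    for off in range(0, len(raw), PAGE_RAW):
        page = raw[off:off + PAGE_RAW]
        data += page[:PAGE_DATA]
        spare.append(bytes(page[PAGE_DATA:]))
    return bytes(data), spare


def split_kernel_image(img: bytes) -> tuple[bytes, bytes]:
    """Split an extracted xboxkrnl.img into (hypervisor, kernel)."""
    if len(img) <= HV_SIZE:
        raise ValueError("image too small to hold a 256 KiB hypervisor plus a kernel")
    return img[:HV_SIZE], img[HV_SIZE:]


def parse_cxkey(text: str) -> bytes:
    """Parse CxKey.txt: exactly 32 hex digits, and not the shipped all-zero placeholder."""
    digits = text.strip()
    if len(digits) != KEY_HEX_DIGITS:
        raise ValueError("expected %d hex digits, got %d" % (KEY_HEX_DIGITS, len(digits)))
    if not all(c in string.hexdigits for c in digits):
        raise ValueError("CxKey.txt must contain only hex digits")
    key = bytes.fromhex(digits)
    if key == bytes(len(key)):
        raise ValueError("CxKey.txt still holds the shipped all-zero placeholder")
    return key


def build_sample_dump(n_pages: int) -> bytes:
    """Constructed sample: page i has data filled with byte i and a spare area tagged with i."""
    out = bytearray()
    for i in range(n_pages):
        out += bytes([i & 0xFF]) * PAGE_DATA
        out += bytes([i & 0xFF]) + bytes([0xFF]) * (PAGE_SPARE - 1)
    return bytes(out)


if __name__ == "__main__":
    data, spare = split_pages(build_sample_dump(4))
    print(len(data), "data bytes,", len(spare), "spare areas, page tags:",
          [s[0] for s in spare])
```

Checking the dump length against the 528-byte page size before doing anything else is the practical point: a dump taken without the spare area (512-byte pages only) or with a different spare layout will silently misalign every section boundary, and a tool that decrypts with a wrong or placeholder key produces garbage rather than an error, which is why the key file is validated up front.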
As you can see, it's not exactly a newbie-friendly tool, but it does uncover a lot about the Xbox 360's code, and for those who know what to do with it, it's very useful. As Jamie M., one of our other bloggers, put it, "it's a step towards understanding how the xbox 360 flash works (kernel / file system) allowing for possible future customizations as seen with the PSP custom firmware." Isn't that a nice deal?

Download: 360 Flash Dump Tool v0.1
