xbox-scene.com archived forum

Please login or register.

Login with username, password and session length
Advanced search  

News:

xbox-scene.com forum restored.  registration disabled.  thanks to xboxexpert for the db dump and netham45 for cleaning it up!

Pages: 1 [2] 3 4

Author Topic: Let The Hacking Begin  (Read 627 times)

'vax11780'

  • Guest
NULL
« Reply #15 on: December 23, 2006, 03:03:46 PM »

'
               
Here's a route for someones to explore... Modify the DVD firmware to return extra data for identify, dvd structure, etc. Since none of these are signed, it may be possible to overwrite some adjacent memory. The main thing to look for is whether or not the 360 accepts all the data, or if the DVD drive hangs trying to output more data than the 360 will accept.

I'd do this, but I'm pursuing a different path right now.

VAX

PS For those of you that want to contribute, but don't know where to start, read:

Hacking DVD firmware?

start to finish (yes, all 40+ pages!) You'll learn a lot about the hacking process, and how to play nicely with others...

               
               

               
            '
Logged

'HoRnEyDvL'

  • Guest
NULL
« Reply #16 on: December 23, 2006, 04:21:41 PM »

'
               Vax what path you using will i be able to lend you a hand by any chance?
DVD path might possibly work but wouldnot know how to play around with the firmware.
               
               

               
            '
Logged

'jaimebenlasnow'

  • Guest
NULL
« Reply #17 on: December 23, 2006, 04:50:54 PM »

'
               I'm not experienced in hacking process or Engeneering but the dvd sounds like impossible since you will have to completely change but i don't know vax should come up with something...

Also there is also a kernel dump out here don't know if i can post but this might come up with something and i would like to say that if i get banned is for a good reason

QUOTE


SataCdRomDecryptHostChallengeResponseTable:
               

.set var_1A0, -0x1A0
.set var_180, -0x180
.set var_120, -0x120
.set var_10, -0x10
.set var_8, -8

   mflr %r12            #   Move from link register
   stw   %r12, var_8(%sp)      #   Store Word
   std   %r31, var_10(%sp)     #   Store Double Word
   stwu %sp, -0x1F0(%sp)     #   Store Word with   Update
   mr   %r31, %r3         #   Move Register
   addi %r3, %sp, 0x1F0+var_180 # Add Immediate
   bl   XeCryptShaInit         #   Branch
   li   %r5, 0x2C         #   Load Immediate
   addi %r4, %r31, 0x4A3     #   Add Immediate
   addi %r3, %sp, 0x1F0+var_180 # Add Immediate
   bl   XeCryptShaUpdate      #   Branch
   li   %r5, 0x14         #   Load Immediate
   addi %r4, %sp, 0x1F0+var_1A0 # Add Immediate
   addi %r3, %sp, 0x1F0+var_180 # Add Immediate
   bl   XeCryptShaFinal         #   Branch
   li   %r5, 7            #   Load Immediate
   addi %r4, %sp, 0x1F0+var_1A0 # Add Immediate
   addi %r3, %sp, 0x1F0+var_120 # Add Immediate
   bl   XeCryptRc4Key         #   Branch
   li   %r5, 0xFD         #   Load Immediate
   addi %r4, %r31, 0x306     #   Add Immediate
   addi %r3, %sp, 0x1F0+var_120 # Add Immediate
   bl   XeCryptRc4Ecb         #   Branch
   addi %sp, %sp, 0x1F0      #   Add Immediate
   lwz   %r12, var_8(%sp)      #   Load Word and Zero
   mtlr %r12            #   Move to   link register
   ld   %r31, var_10(%sp)     #   Load Double Word
   blr               #   Branch unconditionally
# End of function SataCdRomDecryptHostChallengeResponseTable





XeCryptShaInit:          
   lis   %r10, 0x6745 # 0x67452301 # Load Immediate Shifted
   lis   %r9, 0xEFCD # 0xEFCDAB89 # Load   Immediate Shifted
   lis   %r8, 0x98BA # 0x98BADCFE # Load   Immediate Shifted
   lis   %r7, 0x1032 # 0x10325476 # Load   Immediate Shifted
   lis   %r6, 0xC3D2 # 0xC3D2E1F0 # Load   Immediate Shifted
   li   %r11, 0            #   Load Immediate
   ori   %r10, %r10, 0x2301 # 0x67452301   # OR Immediate
   ori   %r9, %r9, 0xAB89 # 0xEFCDAB89 #   OR Immediate
   ori   %r8, %r8, 0xDCFE # 0x98BADCFE #   OR Immediate
   ori   %r7, %r7, 0x5476 # 0x10325476 #   OR Immediate
   ori   %r6, %r6, 0xE1F0 # 0xC3D2E1F0 #   OR Immediate
   stw   %r11, 0(%r3)         #   Store Word
   stw   %r10, 4(%r3)         #   Store Word
   stw   %r9, 8(%r3)         #   Store Word
   stw   %r8, 0xC(%r3)         #   Store Word
   stw   %r7, 0x10(%r3)         #   Store Word
   stw   %r6, 0x14(%r3)         #   Store Word
   blr               #   Branch unconditionally
# End of function XeCryptShaInit





XeCryptShaUpdate:         
   mflr %r12            #   Move from link register
   bl   __savegprlr_25         #   Branch
   stwu %sp, -0x90(%sp)      #   Store Word with   Update
   mr   %r29, %r3         #   Move Register
   mr   %r31, %r5         #   Move Register
   mr   %r30, %r4         #   Move Register
   lwz   %r11, 0(%r29)         #   Load Word and Zero
   clrlwi. %r28, %r11,   26    #   Clear Left Immediate
   add   %r11, %r11, %r31      #   Add
   stw   %r11, 0(%r29)         #   Store Word
   beq   loc_800F7E2C         #   Branch if equal
   add   %r27, %r28, %r31      #   Add
   cmplwi cr6,   %r27, 0x40    #   Compare   Logical   Word Immediate
   blt   cr6, loc_800F7E2C     #   Branch if less than
   add   %r11, %r28, %r29      #   Add
   subfic %r5,   %r28, 0x40    #   Subtract from Immediate   Carrying
   addi %r3, %r11, 0x18      #   Add Immediate
   bl   memcpy            #   Branch
   subf %r11, %r28, %r30     #   Subtract from
   addi %r4, %r29, 0x18      #   Add Immediate
   addi %r3, %r29, 4         #   Add Immediate
   addi %r30, %r11, 0x40     #   Add Immediate
   subi %r31, %r27, 0x40     #   Subtract Immediate
   bl   XeCryptShaTransform   #   Branch
   li   %r28, 0            #   Load Immediate

loc_800F7E2C:            
               
   clrlwi. %r11, %r30,   30    #   Clear Left Immediate
   cmplwi cr6,   %r31, 0x40    #   Compare   Logical   Word Immediate
   blt   cr6, loc_800F7E98     #   Branch if less than
   srwi %r27, %r31, 6         #   Shift Right Immediate
   beq   loc_800F7E78         #   Branch if equal
   addi %r26, %r29, 0x18     #   Add Immediate
   addi %r25, %r29, 4         #   Add Immediate

loc_800F7E48:            
   li   %r5, 0x40         #   Load Immediate
   mr   %r4, %r30         #   Move Register
   mr   %r3, %r26         #   Move Register
   bl   memcpy            #   Branch
   mr   %r4, %r26         #   Move Register
   mr   %r3, %r25         #   Move Register
   bl   XeCryptShaTransform   #   Branch
   subic. %r27, %r27, 1      #   Subtract Immediate Carrying
   addi %r30, %r30, 0x40     #   Add Immediate
   subi %r31, %r31, 0x40     #   Subtract Immediate
   bne   loc_800F7E48         #   Branch if not equal
   b   loc_800F7E98         #   Branch
# ���������������������������������������������������������������������������

loc_800F7E78:            
   addi %r26, %r29, 4         #   Add Immediate

loc_800F7E7C:            
   mr   %r4, %r30         #   Move Register
   mr   %r3, %r26         #   Move Register
   bl   XeCryptShaTransform   #   Branch
   subic. %r27, %r27, 1      #   Subtract Immediate Carrying
   addi %r30, %r30, 0x40     #   Add Immediate
   subi %r31, %r31, 0x40     #   Subtract Immediate
   bne   loc_800F7E7C         #   Branch if not equal

loc_800F7E98:            
               #   XeCryptShaUpdate+ACj
   cmplwi cr6,   %r31, 0         #   Compare   Logical   Word Immediate
   beq   cr6, loc_800F7EB4     #   Branch if equal
   add   %r11, %r28, %r29      #   Add
   mr   %r5, %r31         #   Move Register
   mr   %r4, %r30         #   Move Register
   addi %r3, %r11, 0x18      #   Add Immediate
   bl   memcpy            #   Branch

loc_800F7EB4:            
   addi %sp, %sp, 0x90         #   Add Immediate
   b   __restgprlr_25         #   Branch
# End of function XeCryptShaUpdate





XeCryptShaFinal:         

.set var_50, -0x50

   mflr %r12            #   Move from link register
   bl   __savegprlr_25         #   Branch
   stwu %sp, -0xA0(%sp)      #   Store Word with   Update
   mr   %r31, %r3         #   Move Register
   mr   %r25, %r4         #   Move Register
   addi %r30, %r31, 0x18     #   Add Immediate
   mr   %r26, %r5         #   Move Register
   li   %r4, 0            #   Load Immediate
   lwz   %r11, 0(%r31)         #   Load Word and Zero
   clrlwi %r29, %r11, 26     #   Clear Left Immediate
   subfic %r28, %r29, 0x40   #   Subtract from Immediate   Carrying
   add   %r27, %r29, %r30      #   Add
   stw   %r11, 0xA0+var_50(%sp) # Store Word
   mr   %r5, %r28         #   Move Register
   mr   %r3, %r27         #   Move Register
   bl   memset            #   Branch
   li   %r11, 0x80         #   Load Immediate
   cmplwi cr6,   %r28, 9         #   Compare   Logical   Word Immediate
   stb   %r11, 0(%r27)         #   Store Byte
   bge   cr6, loc_800F7F2C     #   Branch if greater than or equal
   mr   %r4, %r30         #   Move Register
   addi %r3, %r31, 4         #   Add Immediate
   bl   XeCryptShaTransform   #   Branch
   addi %r5, %r29, 1         #   Add Immediate
   li   %r4, 0            #   Load Immediate
   mr   %r3, %r30         #   Move Register
   bl   memset            #   Branch

loc_800F7F2C:            
   lwz   %r11, 0xA0+var_50(%sp) # Load Word and Zero
   li   %r5, 4            #   Load Immediate
   addi %r4, %sp, 0xA0+var_50 # Add Immediate
   slwi %r11, %r11, 3         #   Shift Left Immediate
   addi %r3, %r30, 0x3C      #   Add Immediate
   stw   %r11, 0xA0+var_50(%sp) # Store Word
   bl   memcpy            #   Branch
   addi %r31, %r31, 4         #   Add Immediate
   mr   %r4, %r30         #   Move Register
   mr   %r3, %r31         #   Move Register
   bl   XeCryptShaTransform   #   Branch
   cmplwi cr6,   %r26, 0         #   Compare   Logical   Word Immediate
   beq   cr6, loc_800F7F7C     #   Branch if equal
   cmplwi cr6,   %r26, 0x14    #   Compare   Logical   Word Immediate
   mr   %r5, %r26         #   Move Register
   blt   cr6, loc_800F7F70     #   Branch if less than
   li   %r5, 0x14         #   Load Immediate

loc_800F7F70:            
   mr   %r4, %r31         #   Move Register
   mr   %r3, %r25         #   Move Register
   bl   memcpy            #   Branch

loc_800F7F7C:            
   addi %sp, %sp, 0xA0         #   Add Immediate
   b   __restgprlr_25         #   Branch
# End of function XeCryptShaFinal





XeCryptRc4Key:            
               
   lis   %r6, 1 # 0x10203      #   Load Immediate Shifted
   lis   %r7, 0x808 # 0x8080808 # Load Immediate   Shifted
   ori   %r6, %r6, 0x203   # 0x10203 # OR Immediate
   ori   %r7, %r7, 0x808   # 0x8080808 # OR Immediate
   rldicr %r6,   %r6, 32,31    #   Rotate Left Double Word   Immediate then Clear Right
   rldimi %r7,   %r7, 32,0     #   Rotate Left Double Word   Immediate then Mask Insert
   oris %r6, %r6, 0x405      #   OR Immediate Shifted
   li   %r8, 8            #   Load Immediate
   ori   %r6, %r6, 0x607         #   OR Immediate
   mtctr %r8            #   Move to   count register

loc_800F8378:            
   std   %r6, 0(%r3)         #   Store Double Word
   add   %r6, %r6, %r7         #   Add
   std   %r6, 8(%r3)         #   Store Double Word
   add   %r6, %r6, %r7         #   Add
   std   %r6, 0x10(%r3)         #   Store Double Word
   add   %r6, %r6, %r7         #   Add
   std   %r6, 0x18(%r3)         #   Store Double Word
   add   %r6, %r6, %r7         #   Add
   addi %r3, %r3, 0x20         #   Add Immediate
   bc   25, lt,   loc_800F8378  #   Branch Conditional
   li   %r8, 0            #   Load Immediate
   sth   %r8, 0(%r3)         #   Store Half Word
   subi %r3, %r3, 0x100      #   Subtract Immediate
   li   %r9, 0            #   Load Immediate
   li   %r10, 0            #   Load Immediate
   li   %r0, 0x100         #   Load Immediate
   mtctr %r0            #   Move to   count register

loc_800F83BC:            
   lbzx %r11, %r3, %r8         #   Load Byte and Zero Indexed
   lbzx %r7, %r4, %r10         #   Load Byte and Zero Indexed
   add   %r9, %r9, %r11         #   Add
   add   %r9, %r9, %r7         #   Add
   clrlwi %r9,   %r9, 24         #   Clear Left Immediate
   lbzx %r6, %r3, %r9         #   Load Byte and Zero Indexed
   addi %r10, %r10, 1         #   Add Immediate
   stbx %r6, %r3, %r8         #   Store Byte Indexed
   addi %r8, %r8, 1         #   Add Immediate
   stbx %r11, %r3, %r9         #   Store Byte Indexed
   cmplw %r10,   %r5         #   Compare   Logical   Word
   bc   7, eq, loc_800F83F0   #   Branch Conditional
   li   %r10, 0            #   Load Immediate

loc_800F83F0:            
   bc   25, lt,   loc_800F83BC  #   Branch Conditional
   blr               #   Branch unconditionally
# End of function XeCryptRc4Key


XeCryptBnDw_Copy:       
   cmplwi %r5,   0         #   Compare   Logical   Word Immediate
   cmplw cr6, %r3, %r4         #   Compare   Logical   Word
   subf %r4, %r3, %r4         #   Subtract from
   mtctr %r5            #   Move to   count register
   bclr 14, eq            #   Branch Conditional to Link Register
   bclr 14, 4*cr6+eq         #   Branch Conditional to Link Register

loc_800F4E88:          
   lwz   %r6, 0(%r3)         #   Load Word and Zero
   stwx %r6, %r3, %r4         #   Store Word Indexed
   addi %r3, %r3, 4         #   Add Immediate
   bc   25, lt,   loc_800F4E88  #   Branch Conditional
   blr               #   Branch unconditionally
# End of function XeCryptBnDw_Copy


XeCryptRc4Ecb:          
             
   cmplwi %r5,   0         #   Compare   Logical   Word Immediate
   bclr 14, eq            #   Branch Conditional to Link Register
   mtctr %r5            #   Move to   count register
   lbz   %r6, 0x100(%r3)         #   Load Byte and Zero
   lbz   %r7, 0x101(%r3)         #   Load Byte and Zero

loc_800F840C:          
   addi %r6, %r6, 1         #   Add Immediate
   clrlwi %r6,   %r6, 24         #   Clear Left Immediate
   lbzx %r8, %r3, %r6         #   Load Byte and Zero Indexed
   add   %r7, %r7, %r8         #   Add
   clrlwi %r7,   %r7, 24         #   Clear Left Immediate
   lbzx %r9, %r3, %r7         #   Load Byte and Zero Indexed
   stbx %r9, %r3, %r6         #   Store Byte Indexed
   stbx %r8, %r3, %r7         #   Store Byte Indexed
   add   %r8, %r8, %r9         #   Add
   clrlwi %r8,   %r8, 24         #   Clear Left Immediate
   lbzx %r8, %r3, %r8         #   Load Byte and Zero Indexed
   lbz   %r9, 0(%r4)         #   Load Byte and Zero
   xor   %r8, %r8, %r9         #   XOR
   stb   %r8, 0(%r4)         #   Store Byte
   addi %r4, %r4, 1         #   Add Immediate
   bc   25, lt,   loc_800F840C  #   Branch Conditional
   stb   %r6, 0x100(%r3)         #   Store Byte
   stb   %r7, 0x101(%r3)         #   Store Byte
   blr               #   Branch unconditionally
# End of function XeCryptRc4Ecb






XeCryptShaTransform:        
             

.set var_190, -0x190
.set var_188, -0x188

   mflr %r12            #   Move from link register
   bl   __savegprlr_24         #   Branch
   stwu %sp, -0x1E0(%sp)     #   Store Word with   Update
   mr   %r24, %r3         #   Move Register
   mr   %r3, %r4         #   Move Register
   li   %r5, 0x10         #   Load Immediate
   addi %r4, %sp, 0x1E0+var_190 # Add Immediate
   addi %r31, %sp, 0x1E0+var_190 # Add   Immediate
   lwz   %r26, 0(%r24)         #   Load Word and Zero
   lwz   %r27, 4(%r24)         #   Load Word and Zero
   lwz   %r28, 8(%r24)         #   Load Word and Zero
   lwz   %r29, 0xC(%r24)         #   Load Word and Zero
   lwz   %r30, 0x10(%r24)      #   Load Word and Zero
   bl   XeCryptBnDw_Copy      #   Branch
   addi %r11, %sp, 0x1E0+var_188 # Add   Immediate
   li   %r10, 0x40         #   Load Immediate

loc_800F79E8:          
   lwz   %r8, 0x18(%r11)         #   Load Word and Zero
   subic. %r10, %r10, 1      #   Subtract Immediate Carrying
   lwz   %r9, 0x2C(%r11)         #   Load Word and Zero
   lwz   %r7, -8(%r11)         #   Load Word and Zero
   xor   %r9, %r9, %r8         #   XOR
   lwz   %r8, 0(%r11)         #   Load Word and Zero
   xor   %r9, %r9, %r7         #   XOR
   xor   %r9, %r9, %r8         #   XOR
   rotlwi %r9,   %r9, 1         #   Rotate Left Immediate
   stw   %r9, 0x38(%r11)         #   Store Word
   addi %r11, %r11, 4         #   Add Immediate
   bne   loc_800F79E8         #   Branch if not equal
   lis   %r11, 0x5A82 # 0x5A827999 # Load Immediate Shifted
   li   %r7, 4            #   Load Immediate
   ori   %r11, %r11, 0x7999 # 0x5A827999   # OR Immediate

loc_800F7A24:          
   xor   %r10, %r29, %r28      #   XOR
   lwz   %r8, 0(%r31)         #   Load Word and Zero
   rotlwi %r9,   %r26, 5         #   Rotate Left Immediate
   lwz   %r25, 4(%r31)         #   Load Word and Zero
   and   %r6, %r10, %r27         #   AND
   lwz   %r3, 8(%r31)         #   Load Word and Zero
   rotrwi %r10, %r27, 2      #   Rotate Right Immediate
   lwz   %r5, 0xC(%r31)         #   Load Word and Zero
   xor   %r6, %r6, %r29         #   XOR
   lwz   %r4, 0x10(%r31)         #   Load Word and Zero
   subic. %r7,   %r7, 1         #   Subtract Immediate Carrying
   add   %r9, %r6, %r9         #   Add
   xor   %r6, %r28, %r10         #   XOR
   add   %r9, %r9, %r30         #   Add
   and   %r6, %r6, %r26         #   AND
   add   %r9, %r9, %r8         #   Add
   xor   %r6, %r6, %r28         #   XOR
   add   %r8, %r9, %r11         #   Add
   rotrwi %r9,   %r26, 2         #   Rotate Right Immediate
   add   %r27, %r6, %r25         #   Add
   xor   %r30, %r10, %r9         #   XOR
   rotlwi %r6,   %r8, 5         #   Rotate Left Immediate
   and   %r26, %r30, %r8         #   AND
   rotrwi %r30, %r8, 2         #   Rotate Right Immediate
   xor   %r8, %r26, %r10         #   XOR
   addi %r31, %r31, 0x14     #   Add Immediate
   add   %r3, %r8, %r3         #   Add
   add   %r8, %r27, %r6         #   Add
   add   %r8, %r8, %r29         #   Add
   xor   %r29, %r30, %r9         #   XOR
   add   %r8, %r8, %r11         #   Add
   and   %r27, %r29, %r8         #   AND
   rotlwi %r6,   %r8, 5         #   Rotate Left Immediate
   rotrwi %r29, %r8, 2         #   Rotate Right Immediate
   xor   %r8, %r27, %r9         #   XOR
   add   %r5, %r8, %r5         #   Add
   add   %r8, %r3, %r6         #   Add
   xor   %r3, %r30, %r29         #   XOR
   add   %r8, %r8, %r28         #   Add
   add   %r8, %r8, %r11         #   Add
   rotlwi %r6,   %r8, 5         #   Rotate Left Immediate
   and   %r3, %r3, %r8         #   AND
   add   %r6, %r5, %r6         #   Add
   rotrwi %r28, %r8, 2         #   Rotate Right Immediate
   add   %r10, %r6, %r10         #   Add
   xor   %r8, %r3, %r30         #   XOR
   add   %r27, %r10, %r11      #   Add
   add   %r8, %r8, %r4         #   Add
   rotlwi %r10, %r27, 5      #   Rotate Left Immediate
   add   %r10, %r8, %r10         #   Add
   add   %r10, %r10, %r9         #   Add
   add   %r26, %r10, %r11      #   Add
   bne   loc_800F7A24         #   Branch if not equal
   lis   %r11, 0x6ED9 # 0x6ED9EBA1 # Load Immediate Shifted
   li   %r7, 4            #   Load Immediate
   ori   %r11, %r11, 0xEBA1 # 0x6ED9EBA1   # OR Immediate

loc_800F7B04:          
   xor   %r10, %r29, %r28      #   XOR
   lwz   %r8, 0(%r31)         #   Load Word and Zero
   rotlwi %r9,   %r26, 5         #   Rotate Left Immediate
   lwz   %r25, 4(%r31)         #   Load Word and Zero
   xor   %r6, %r10, %r27         #   XOR
   lwz   %r4, 8(%r31)         #   Load Word and Zero
   rotrwi %r10, %r27, 2      #   Rotate Right Immediate
   lwz   %r5, 0xC(%r31)         #   Load Word and Zero
   add   %r9, %r6, %r9         #   Add
   lwz   %r3, 0x10(%r31)         #   Load Word and Zero
   subic. %r7,   %r7, 1         #   Subtract Immediate Carrying
   add   %r9, %r9, %r30         #   Add
   addi %r31, %r31, 0x14     #   Add Immediate
   add   %r9, %r9, %r8         #   Add
   xor   %r8, %r28, %r10         #   XOR
   add   %r9, %r9, %r11         #   Add
   xor   %r6, %r8, %r26         #   XOR
   rotrwi %r8,   %r26, 2         #   Rotate Right Immediate
   xor   %r26, %r9, %r10         #   XOR
   add   %r27, %r6, %r25         #   Add
   rotrwi %r30, %r9, 2         #   Rotate Right Immediate
   rotlwi %r6,   %r9, 5         #   Rotate Left Immediate
   xor   %r9, %r26, %r8         #   XOR
   add   %r4, %r9, %r4         #   Add
   add   %r9, %r27, %r6         #   Add
   add   %r9, %r9, %r29         #   Add
   add   %r9, %r9, %r11         #   Add
   xor   %r27, %r30, %r9         #   XOR
   rotlwi %r6,   %r9, 5         #   Rotate Left Immediate
   rotrwi %r29, %r9, 2         #   Rotate Right Immediate
   xor   %r9, %r27, %r8         #   XOR
   add   %r5, %r9, %r5         #   Add
   add   %r9, %r4, %r6         #   Add
   xor   %r4, %r30, %r29         #   XOR
   add   %r9, %r9, %r28         #   Add
   add   %r9, %r9, %r11         #   Add
   rotlwi %r6,   %r9, 5         #   Rotate Left Immediate
   xor   %r4, %r4, %r9         #   XOR
   add   %r6, %r5, %r6         #   Add
   rotrwi %r28, %r9, 2         #   Rotate Right Immediate
   add   %r10, %r6, %r10         #   Add
   add   %r9, %r4, %r3         #   Add
   add   %r27, %r10, %r11      #   Add
   rotlwi %r10, %r27, 5      #   Rotate Left Immediate
   add   %r10, %r9, %r10         #   Add
   add   %r10, %r10, %r8         #   Add
   add   %r26, %r10, %r11      #   Add
   bne   loc_800F7B04         #   Branch if not equal
   lis   %r11, 0x70E4 # 0x70E44324 # Load Immediate Shifted
   li   %r7, 4            #   Load Immediate
   ori   %r11, %r11, 0x4324 # 0x70E44324   # OR Immediate

loc_800F7BD0:          
   or   %r10, %r28, %r27      #   OR
   lwz   %r8, 0(%r31)         #   Load Word and Zero
   and   %r6, %r28, %r27         #   AND
   lwz   %r25, 4(%r31)         #   Load Word and Zero
   and   %r10, %r10, %r29      #   AND
   lwz   %r3, 8(%r31)         #   Load Word and Zero
   rotlwi %r9,   %r26, 5         #   Rotate Left Immediate
   lwz   %r5, 0xC(%r31)         #   Load Word and Zero
   or   %r6, %r10, %r6         #   OR
   lwz   %r4, 0x10(%r31)         #   Load Word and Zero
   rotrwi %r10, %r27, 2      #   Rotate Right Immediate
   add   %r9, %r6, %r9         #   Add
   subic. %r7,   %r7, 1         #   Subtract Immediate Carrying
   add   %r9, %r9, %r30         #   Add
   and   %r30, %r10, %r26      #   AND
   add   %r9, %r9, %r8         #   Add
   or   %r8, %r10, %r26         #   OR
   subf %r9, %r11, %r9         #   Subtract from
   and   %r6, %r8, %r28         #   AND
   rotrwi %r8,   %r26, 2         #   Rotate Right Immediate
   or   %r6, %r6, %r30         #   OR
   or   %r30, %r9, %r8         #   OR
   add   %r27, %r6, %r25         #   Add
   and   %r26, %r9, %r8         #   AND
   and   %r25, %r30, %r10      #   AND
   rotrwi %r30, %r9, 2         #   Rotate Right Immediate
   rotlwi %r6,   %r9, 5         #   Rotate Left Immediate
   or   %r9, %r25, %r26         #   OR
   addi %r31, %r31, 0x14     #   Add Immediate
   add   %r3, %r9, %r3         #   Add
   add   %r9, %r27, %r6         #   Add
   add   %r9, %r9, %r29         #   Add
   subf %r9, %r11, %r9         #   Subtract from
   or   %r29, %r30, %r9         #   OR
   and   %r27, %r30, %r9         #   AND
   and   %r26, %r29, %r8         #   AND
   rotrwi %r29, %r9, 2         #   Rotate Right Immediate
   rotlwi %r6,   %r9, 5         #   Rotate Left Immediate
   or   %r9, %r26, %r27         #   OR
   add   %r5, %r9, %r5         #   Add
   add   %r9, %r3, %r6         #   Add
   add   %r9, %r9, %r28         #   Add
   subf %r9, %r11, %r9         #   Subtract from
   rotlwi %r6,   %r9, 5         #   Rotate Left Immediate
   or   %r3, %r29, %r9         #   OR
   add   %r6, %r5, %r6         #   Add
   and   %r27, %r29, %r9         #   AND
   and   %r3, %r3, %r30         #   AND
   add   %r10, %r6, %r10         #   Add
   rotrwi %r28, %r9, 2         #   Rotate Right Immediate
   or   %r9, %r3, %r27         #   OR
   subf %r27, %r11, %r10     #   Subtract from
   add   %r9, %r9, %r4         #   Add
   rotlwi %r10, %r27, 5      #   Rotate Left Immediate
   add   %r10, %r9, %r10         #   Add
   add   %r10, %r10, %r8         #   Add
   subf %r26, %r11, %r10     #   Subtract from
   bne   loc_800F7BD0         #   Branch if not equal
   lis   %r11, 0x359D # 0x359D3E2A # Load Immediate Shifted
   li   %r7, 4            #   Load Immediate
   ori   %r11, %r11, 0x3E2A # 0x359D3E2A   # OR Immediate

loc_800F7CC4:          
   xor   %r10, %r29, %r28      #   XOR
   lwz   %r8, 0(%r31)         #   Load Word and Zero
   rotlwi %r9,   %r26, 5         #   Rotate Left Immediate
   lwz   %r25, 4(%r31)         #   Load Word and Zero
   xor   %r6, %r10, %r27         #   XOR
   lwz   %r4, 8(%r31)         #   Load Word and Zero
   rotrwi %r10, %r27, 2      #   Rotate Right Immediate
   lwz   %r5, 0xC(%r31)         #   Load Word and Zero
   add   %r9, %r6, %r9         #   Add
   lwz   %r3, 0x10(%r31)         #   Load Word and Zero
   subic. %r7,   %r7, 1         #   Subtract Immediate Carrying
   add   %r9, %r9, %r30         #   Add
   addi %r31, %r31, 0x14     #   Add Immediate
   add   %r9, %r9, %r8         #   Add
   xor   %r8, %r28, %r10         #   XOR
   subf %r9, %r11, %r9         #   Subtract from
   xor   %r6, %r8, %r26         #   XOR
   rotrwi %r8,   %r26, 2         #   Rotate Right Immediate
   xor   %r26, %r9, %r10         #   XOR
   add   %r27, %r6, %r25         #   Add
   rotrwi %r30, %r9, 2         #   Rotate Right Immediate
   rotlwi %r6,   %r9, 5         #   Rotate Left Immediate
   xor   %r9, %r26, %r8         #   XOR
   add   %r4, %r9, %r4         #   Add
   add   %r9, %r27, %r6         #   Add
   add   %r9, %r9, %r29         #   Add
   subf %r9, %r11, %r9         #   Subtract from
   xor   %r27, %r30, %r9         #   XOR
   rotlwi %r6,   %r9, 5         #   Rotate Left Immediate
   rotrwi %r29, %r9, 2         #   Rotate Right Immediate
   xor   %r9, %r27, %r8         #   XOR
   add   %r5, %r9, %r5         #   Add
   add   %r9, %r4, %r6         #   Add
   xor   %r4, %r30, %r29         #   XOR
   add   %r9, %r9, %r28         #   Add
   subf %r9, %r11, %r9         #   Subtract from
   rotlwi %r6,   %r9, 5         #   Rotate Left Immediate
   xor   %r4, %r4, %r9         #   XOR
   add   %r6, %r5, %r6         #   Add
   rotrwi %r28, %r9, 2         #   Rotate Right Immediate
   add   %r10, %r6, %r10         #   Add
   add   %r9, %r4, %r3         #   Add
   subf %r27, %r11, %r10     #   Subtract from
   rotlwi %r10, %r27, 5      #   Rotate Left Immediate
   add   %r10, %r9, %r10         #   Add
   add   %r10, %r10, %r8         #   Add
   subf %r26, %r11, %r10     #   Subtract from
   bne   loc_800F7CC4         #   Branch if not equal
   lwz   %r10, 0(%r24)         #   Load Word and Zero
   lwz   %r11, 4(%r24)         #   Load Word and Zero
   add   %r8, %r10, %r26         #   Add
   lwz   %r9, 8(%r24)         #   Load Word and Zero
   add   %r7, %r11, %r27         #   Add
   lwz   %r10, 0xC(%r24)         #   Load Word and Zero
   lwz   %r11, 0x10(%r24)      #   Load Word and Zero
   add   %r9, %r9, %r28         #   Add
   add   %r10, %r29, %r10      #   Add
   add   %r11, %r11, %r30      #   Add
   stw   %r8, 0(%r24)         #   Store Word
   stw   %r7, 4(%r24)         #   Store Word
   stw   %r9, 8(%r24)         #   Store Word
   stw   %r10, 0xC(%r24)         #   Store Word
   stw   %r11, 0x10(%r24)      #   Store Word
   addi %sp, %sp, 0x1E0      #   Add Immediate
   b   __restgprlr_24         #   Branch
# End of function XeCryptShaTransform


this is from commodore4eva post:

These are the routines pulled from the Xbox360 kernel for the decrypt of the Console Challenge Response Table. Hope you find this interesting and worthwhile.
The RSAkey  appears not to come from the normal 360 keyvault, but is hard coded, so should be able to write our own CCRT decrypt routine.
I am very busy finishing the V5 extreme for Samsung, and then back on to the 0078 hitachi. Merry Christmas!

Xbox 360 Security Sectors & the Consoles C/R Table Key


               
               

               
            '
Logged

'jaimebenlasnow'

  • Guest
NULL
« Reply #18 on: December 23, 2006, 05:04:06 PM »

'
               Some interesting information:
QUOTE

hi, i havent read or posted here in a while, but i came across this page and thought i'd add my 2 cents.

firstly the 16 bytes at 0x460 are the media id, this is used to lock all xex files present a disc to the disc's SS, this is why the same SS cant be used to boot all x360 games. you will see this same media id in the header of all xex files on the disc.

also whereas the xbox1 CR table decryption routines are present in the kernel, the xbox360 CR table decryption routines are hidden inside the hypervisor. the encrypted table is fed in and decrypted by the hypervisor using a hardcoded 128bit aes key. the results of this decryption dont leave the hypervisor except when made into the encrypted atapi packets that get sent to the drive to perform the disc authentication.

Post from loser


also some information on the hypervisor:
QUOTE

Since the hypervisor seems to handle most security related processes, maybe it's a good idea to dedicate a thread to it.

Things we know:

* Hypervisor handles lots of security related tasks. The kernel calls to several security routines inside the hypervisor, like several key management routines and en/decryption routines (like for example x360 CCRT decryption). Almost every 'interesting' routine has been moved from the kernel to the hypervisor this time.
* It handles some (virtual ?) processor inits (probably the last 3 PPU cores). It *seems* that it's running in the first core and starts the others from there (once the kernel is loaded)
* It is started and fully operational before the Kernel is started.
* It handles overflows and monitors for checksums
* It runs in encrypted memory, from 0x00000000 - 0x00020000 (see comments by 'loser' in the other thread)
Also interesting suggestion from him:
Quote
I dont know the encryption algorithm, but im guessing some kinda fast stream cypher like aes. the encryption changes each boot which hints at either a random initialisation vector, or random key used each time. also the encryption seems to be done in 16byte blocks, which also helps the aes style crypt arguement.

There are still a LOT of questions like:

* What is the exact boot order, who inits the loading of the hypervisor and decrypts it.
* Where is the hypervisor stored (somewhere in that first 640kb of the TSOP ?)
* In what encrypted form is the Hypervisor stored and where is its decryption key stored. Is this a 'per box' key ?
* Who manages the en/decryption of the ram it is running in
* Who verifies this ram for checksums
* Where is the code decrypted to (prior to execution)

I know that there are a lot of questions and at the moment good info is scarce. However there are several people doing interesting work at the moment and little by little we get to know more. But progress will only really start to take place if everybody works together, so hopefully this thread will be a place to exchange new info about this interesting piece of code.


Also other good information From probutus

QUOTE

this has already been monitored (see the DVD-Key < - > TSOP thread) and it seems that the first thing who comes up is the southbridge which does further initializations (at least thats the first part which is read from flash)

AFAIK the leds are blinking red even if the CPU or GPU is desoldered (see the excellent desoldering Thread from TMF)
To come to more detailed information it would be very interesting to know which parts of the system are active at the same time like the southbridge.

Is it possible to see exactly when the CPU "wakes up" (e.g. on the power consumption)? If the cpu startup is controlled by the southbridge this would be a HUGE security hole since the SB is not secured with any security key (the sb has already been swapped by TMF). But this would explain why the complete SMC code is read again later on (see startup log): to have some checksums validated which could not be verified earlier because the CPU is not up yet...
...........................................................................................................................................................
thought of several "experiences" we had in the past:
1. Swapping the onboard flash doesnt work (but we still dont know how far the startup goes until it stops)
2. Swapping the southbridge does not have any effect on the operation of the system
3. System blinks even with desoldered cpu or gpu
4. System is completely dead when the TSOP is removed
5. The SMC code looks different in every system

acc. to 1) the key is not (at least not completely) located in the flash but acc. to 2 it is not in the southbridge (at least no machine specific key). But acc. to 3) the smc code seems to be read (and it is encrypted) otherwise the system cant blink... If you look at 3) and 4) there seems to be code for the southbridge in the flash..

This leads me to the assumption that a part of the machine specific key must be stored in flash in order to decode the smc stuff. We dont know much about the southbridge itself (which would be very helpful)


If you want to read up the whole post:
The Hypervisor

And Voila!

Thanks to all those people who work for the scene:

The specialist, Speedy22, Commodore4eva, Probutus, Robinsod, Vax11780 and all of the other cause without those people we might not have those information and also the dream or running homebrew could not be a dream

Thanks
Jaimebenlasnow
               
               

               
            '
Logged

'HoRnEyDvL'

  • Guest
NULL
« Reply #19 on: December 23, 2006, 05:50:44 PM »

'
               jaimebenlasnow

Thanks for that excellent post. we need more posts like that get all ideas together.
               
               

               
            '
Logged

'jaimebenlasnow'

  • Guest
NULL
« Reply #20 on: December 23, 2006, 09:28:13 PM »

'
               yes i think that if we get everything compiled here we might faster the process
               
               

               
            '
Logged

'vax11780'

  • Guest
NULL
« Reply #21 on: December 23, 2006, 09:37:56 PM »

'
               jaimebenlasnow:

Hrmmm... I must be missing the point.... What advantage is there in decrypting the CR table? We could load backups using a modified DVD drive?

Please explain further....

VAX
               
               

               


                     Edited by vax11780, 24 December 2006 - 06:39 AM.
                     
                  


            '
Logged

'vax11780'

  • Guest
NULL
« Reply #22 on: December 23, 2006, 09:59:50 PM »

'
               
Encrypting RAM is VERY difficult. Obfuscating is not...

If you want to read address 100 you have to read 0, 1, 2, 3, 4, 5,  ... 99, 100 and feed each value into the stream cipher to get the decrypted value for address 100. You have to read the entire block to write a random address.

Much more likely is an obfuscation of the DRAM, similiar to what was done on the DVD drives. Swap address or data lines, xor words with a constant. A much more complicated obfuscation would modify the XOR constant using a portion of the address. Anything that requires more than two or three levels of logic to modify the data, or requires access to more than the current memory location is not feasible.

Has anybody tapped the DRAM and captured the values written into it? Or disconnected it and dumped the contents during operation (maybe force reset on the GPU and overdrive the DRAM controls)?

A potential timing attack would involve modifying a DRAM read 'on the fly' while the hypervisor is being executed. Just think, stuff the instructions in to tell the hypervisor to accept a bad signature. Note, it is very unlikely this would be feasible to implement on more than a handful of machines, but might provide a way to re-burn the signing key.

VAX

               
               

               
            '
Logged

'jaimebenlasnow'

  • Guest
NULL
« Reply #23 on: December 24, 2006, 10:16:23 AM »

'
               i don't think there is a point of decrypting this but this could be some really like really good information...Also you can read up the first post of robinsod in the CCRT thread...

QUOTE


he Specialist demonstrated that the first version of the Xbox, the Console Challenge Response Table (CCRT) could be decrypted using a key that was also to be found in the Security Sector (SS). The algorithm required was recovered from an analysis of the Xbox 1 BIOS and since this is not yet possible with the Xbox 360 I wondered if anything useful could be deduced.

To help identify the possible purpose of different fields in the SS I diff�ed SS from the following titles:
�   GRAW, PAL and NTSC
�   COD2, PAL and NTSC
�   Q4 PAL and Q4 Bonus PAL

I�ve chosen to ignore the first 16 bytes in the SS since they are understood and have no part in the CCRT encryption. Similarly the Drive Response Table (DRT) starting at 0x661 is also ignored.
0x100
The first interesting section starts at 0x100 (assuming 16 byte alignment) and is absent from Xbox1 SS. The first 0x08 bytes are common to all 6 SS:

  0x00, 0x00, 0x00, 0x30, 0x00, 0x00, 0x06, 0xE0

And are then followed by 20 bytes of data which are identical in the PAL and NTSC editions of the same game but are different for Quake4 and Quake4 bonus disk

0x300 The Encrypted CCRT
The Specialist successfully decrypted this table in an Xbox 1 SS and it is this table in an Xbox 360 SS that is of the most interest to me. The first four bytes are common to all six SS:

  0x02, 0x15, 0x00, 0x00

These appear to be version number (was 0x01 for Xbox1), entry count and two bytes of padding. Following this is 252 bytes of CCRT, this suggests a table field size of 12 bytes (21 * 12 = 252). The final table entry (at 0x3F4) always takes the form:

  0xE0,CID,0x00,0x00,

The final entry appears to be in plain text, descrambling of the DRT confirms that the CID is that of the type 0xE0 for each of the SS. The encrypted CCRT is then 240 bytes. It is also known that the final C/R exchange (a �checksum� of previous C/Rs) is of type 0xE0. The encrypted CCRT is identical in the PAL and NTSC versions of GRAW & COD2

0x460
A 16 byte string that is identical for NTSC and PAL versions of the same game but different for Quake4 and Quake4 Bonus. This sequence of bytes is absent in Xbox1 SS

0x49E
In the Xbox 360 SS examined there is a new non zero byte (0x04) present at 0x49E, this is not present in Xbox 1 SS.

0x49F
TheSpecialist found that the Xbox 1 used 44 bytes from offset 0x49F to calculate an SHA hash that was subsequently used to decrypt the CCRT. This field is identical in PAL and NTSC versions of the SS, it is also identical in the Q4 and Q4Bonus SS (possibly a coincidence). The first 8 bytes of this string take the form:

  0x00,XX,XX,XX,XX,XX,0xCX,0x01

Where 0xCX takes the values 0xC5 or 0xC6. These two bytes also appear at the end of the section starting at 0x4BA. Interestingly Xbox 1 SS have the values 0xC1,0x01 or 0xC2,0x01 at this position and they are also repeated at the end of the block at 0x4BA

The remaining 36 bytes are identical in all the SS examined, this strongly suggests that this area is not used as an SHA hash (or if it is it isn't the key to the CCRT) since I would expect them to vary.

0x4BA
Seems to be composed of several sub-sections
�   A version number (0x01 for Xbox1 & 0x02 for Xbox 360)
�   16 bytes that are common to all the SS examined:

  0x2B, 0xE1, 0xD4, 0x62, 0xC8, 0x95, 0x2D, 0x41, 0xB5, 0x80, 0x5E, 0x3F, 0x1A, 0x72, 0x72, 0x01

�   276 bytes of data that is identical across PAL and NTSC versions but different in Quake4 and Quake4 Bonus SS.
�   6 bytes of data that are different for all 6 SS examined
�   2 bytes 0xC5,0x01 or 0xC6,0x01.

0x5FA
Seems to be composed of several sub-sections
�   17 bytes some of which are common to all the SS examined:

  0x02, XX, XX, XX, XX, XX, XX, 0xD9, 0x11, 0xAA, XX, 0x00, 0x10, 0x6F, 0x00, 0x1E, 0xF4

The bytes marked XX appear to vary between NTSC and PAL versions of the same game but they match in the SS from Quake4 and Quake4 Bonus (this could be coincidence since they are identical in other game, for example PAL Kameo and PGR3 SS)

�   84 bytes of data which different in all 6 SS examined
�   2 bytes which are common to all the SS examined:

  0x02, 0x15

Where�s the Key?
So, assuming that the key is still in the SS, where is it? The Encrypted CCRTs are identical in both PAL and NTSC versions of the same game (and the DRTs confirm that the CRs are the same) but are different for Quake4 and Quake4 Bonus. This strongly suggests that the decryption key should be the same for both PAL and NTSC versions but different for different titles.

There are only 2 candidates:
�   20 bytes starting at 0x108
�   16 bytes starting at 0x460

I'm guessing here, but the 16 bytes at 0x460 look like a strong candidate for an AES 128 key.



Also vax...Could you explain me how you want to do the buffer overflow exploit with the dvd drive..Would like more infromation

Thanks another time VAX
               
               

               
            '
Logged

'ben1989'

  • Guest
NULL
« Reply #24 on: December 30, 2006, 03:43:47 PM »

'
               heres one for you if we can work our way throgh the bios shurly thers some think in the bios that controls the hiperviser and the but between the ana/southbrige and the cpu thers got to be a way to tap the bus esent there a way we can run the xbox but while its running tap the in puts and out puts of the tosp then wouldent we get an  unencripted output but theres the jtag header nr the cpu anyone taped that yet ? and theres got to be a way to tap a bus on the 360. coz one think i noticed on the dvd drives is all the test points have been used in the factory to program and test the drive so the test points on the xbox mobo must be use in some simler way to program the cpu for the dvd drive key its alll in there some were its just geting it out


-ben
               
               

               
            '
Logged

'ben1989'

  • Guest
NULL
« Reply #25 on: December 30, 2006, 05:45:29 PM »

'
               here's one for you, if we can work our way throgh the bios there's got to be something in the bios that controls the hipervisor, but between the ana/southbridge and the cpu there's got to be a way to tap the bus.

is there not  a way we can run the xbox but while its running tap the inputs and outputs of the tosp then would'nt we get an unencripted output from the bios.

then theres the jtag header near the cpu anyone taped in to that yet?

And theres got to be a way to tap a bus on the 360. because one thing i noticed on the dvd drives is all the test points have been used in the factory to program and test the drive so the test points on the xbox mobo must be used in some simler way to program the cpu for the dvd drive key its alll in there some were its just geting it out


-ben

just translated it from drunk english to english smile.gif
               
               

               


                     Edited by ben1989, 31 December 2006 - 02:46 AM.
                     
                  


            '
Logged

'vax11780'

  • Guest
NULL
« Reply #26 on: December 30, 2006, 07:21:49 PM »

'
               
QUOTE(ben1989 @ Dec 30 2006, 06:52 PM) View Post

here's one for you, if we can work our way throgh the bios there's got to be something in the bios that controls the hipervisor, but between the ana/southbridge and the cpu there's got to be a way to tap the bus.


The specs for the CPU-GPU interface indicates it is a pair of unidirectional 8 bit buses running at 1.35MB/s

I find this somewhat confusing since there are 24 balanced signal pairs between the two chips.

Assuming for the moment there are a pair of 8 bit hypertransport links (IBM designed the CPU-GPU interface and has HT IP), the following differential signals should exist in each direction: Clock, Control, 8 data bits. This is 10 lines, can anyone explain the other 4 (2 in each direction)?

Perhaps there are also a pair for the reference voltage and ground.

I suspect the obfuscation of the data stored in DRAM is done in the CPU using a bit in the page table. I read somewhere the obfuscation is done in 16 byte chunks, and the value changes every reboot. Still, sniffing the bus gives more visibility, and the opportunity to modify the data stream as it flows past. Imagine changing a branch if signature passed instruction to branch always.

QUOTE(ben1989 @ Dec 30 2006, 06:52 PM) View Post

just translated it from drunk english to english smile.gif


Bad Ben. Bad.

VAX

               
               

               
            '
Logged

'Cooliohazord'

  • Guest
NULL
« Reply #27 on: December 31, 2006, 09:48:24 PM »

'
               Found this while i was watching the 23c3. It appears to be legit, looks similar to the MechAssult exploit of the original Xbox but using King Kong on xbox360. But then again it could be a prank.
               
               

               
            '
Logged

'jaimebenlasnow'

  • Guest
NULL
« Reply #28 on: January 01, 2007, 07:17:31 AM »

'
               
QUOTE(Cooliohazord @ Jan 1 2007, 12:55 AM) View Post

Found this while i was watching the 23c3. It appears to be legit, looks similar to the MechAssult exploit of the original Xbox but using King Kong on xbox360. But then again it could be a prank.


The CPU contains a JTAG Pins for maintenance purpose or for other reason if you check on a devkits motherboard there is a little green wire and it might be the hole in that xbox...You kind of disabled everything (hypervisor) and other thing this is why it could be that but this is my 2 cents and take it whit a grain of salt
               
               

               
            '
Logged

'vax11780'

  • Guest
NULL
« Reply #29 on: January 01, 2007, 04:26:10 PM »

'
               
QUOTE(jaimebenlasnow @ Jan 1 2007, 08:24 AM) View Post

The CPU contains a JTAG Pins for maintenance purpose or for other reason if you check on a devkits motherboard there is a little green wire and it might be the hole in that xbox...You kind of disabled everything (hypervisor) and other thing this is why it could be that but this is my 2 cents and take it whit a grain of salt


JTAG is used for a lot of different things.

Every large chip manufactured uses a JTAG interface for automated testing. It takes too much time to run functional vectors, and built in self test (BIST) rarely gives sufficient fault coverage. The JTAG interface may be simplified (by removing the instruction register) if this is the only mode used. (scan mode)

Systems, like the xbox360, may also use boundary scan to test the interconnect between chips on the PCB.

JTAG can also be used during system manufacturing to program memories, and blow eFuses.

Finally, JTAG is also used to access trace/debug hardware built into the chip, but one method of securing a processor is to blow a fuse that disables the trace/debug hardware on production units.

In scan mode, almost all of the flip-flops in the chip are chained together into one long shift register. If you know exactly which positions in the scan chain correspond to a particular feature (for example, the program counter) you can clock the entire chain out, change the program counter to any value you want, the clock the entire chain back in.

Now, hoodie could be doing exactly that, stop the system clocks, change a few bits inside one of the chips, the restart the system clocks.

But I doubt it.

VAX

               
               

               
            '
Logged
Pages: 1 [2] 3 4
 

Page created in 0.679 seconds with 16 queries.