13:37 How to run unsigned code on the Xbox 360
Every game console gets hacked. Hacked by enthusiasts who want to run their own hand-written code on it in the most protected modes. Hacked by enthusiasts who want to "run game backups" on it (or, to put it plainly, engage in piracy). Hacked by enthusiasts who want to install Linux on it, both as an end in itself and to use the hardware more broadly than the console maker would like (because the money is made mostly on the games; the console itself is sold at a minimal margin, or even at a loss to the manufacturer). The vast majority of enthusiasts are doing exactly that. Here I'll take the most interesting part of hacking the Xbox 360: executing code not signed by MS.

Hacking for piracy

Two years ago the Xbox 360 was hacked for piracy, that is, people learned to run copies of licensed games burned to discs. I wrote up the details here. In short, whether a disc is licensed is determined entirely by the DVD-ROM firmware; the Xbox itself receives only one number from the drive: good disc or not. Modify the firmware so it always returns the number that means "licensed disc", and voilà. In those early drive versions the chip holding the firmware could simply be pulled out and rewritten. Since then much has changed and, at the same time, not much: MS's great engineering solution was to pour black epoxy over the firmware chip (I'd still like to know whose decision that was; very Russian in spirit), but it turned out the firmware could be modified by hooking the Xbox's DVD-ROM up to a PC. Each firmware update rewrote it, but it was enough to reflash it again. And it kept working with Live. On the other hand, people started getting banned for pirated firmware, guerrilla-style. That is, a new update contains some code that looks for telltale signs of a reflash and reports them to the server. At some point the accumulated consoles get banned from Xbox Live (just the console, not the accounts).
So MS managed to turn it into a game of cat and mouse: you can install the latest firmware, but there's no guarantee MS won't find indirect evidence of it and ban the console in the end. The hacking tools improved too, leaving fewer indirect traces, and so did the detection code. Still, how they could have shipped such a serious vulnerability, I do not understand. My only theory: they were in a hurry to get the console to market. In any case, from release to running pirated games took 4 months.

All of that was two years ago, and this hack did not make it possible to run your own code on the box, only an exact copy of a game's code. But we also understand that a certain portion of humanity is not willing to consider any piece of metal worthy of existence until Linux runs on it, and is ready to work on that. And for that you inevitably need to be able to run your own code.

Let's look briefly at how the Xbox 360 security model is arranged, to describe roughly why this is hard.

First, the binary on the disc is encrypted like hell and signed: the public key is baked somewhere into the console's silicon, and the private key is stored deep in the home office. All binaries of all games are encrypted with the super-secret key in a super-secret laboratory before release. Getting the key is unrealistic. The code that decrypts and verifies the binary sits deep in the console's ROM and is itself encrypted, checked and rechecked by the hardware. An update can write new code there only because it, too, was prepared in that same super-secret laboratory; substituting your own code is unrealistic. The game always runs in unprivileged mode, with read-only access to the memory pages containing its code and no execute flag on data and stack, so you can neither write code into data and transfer control to it (the classic buffer overflow case) nor replace already-loaded code (because it's read-only).
Moreover, all executable code always sits in memory encrypted with a key generated randomly on every boot (a hardware feature of the processor), to protect against digging into memory by physical means (roughly speaking, with a soldering iron). Everything related to encryption and decryption is done in hypervisor mode, which game code never enters, only firmware code. As I understand it, the hypervisor just handles decrypting binaries and other security stuff. It has no such restrictions, but of course game code will never get into that mode, and there's nothing there for it to write to anyway. It would seem everything is covered. The game's code can't be faked; even if you cleverly corrupt something in the data, a buffer overrun doesn't help, and neither does modifying code. It's even protected against physical attack. How could all of this have been screwed up?

The main document describing the vulnerability is here. In short, one firmware version had an incorrect check in the very first instruction of syscall, the system call made from game code. This instruction receives a function number and its arguments, pulls the function's address out of a protected table, and transfers control to it with full privileges. The problem was that the validity check on the function number used a 32-bit instruction, while the offset calculation used a 64-bit one. So you can pass a function number with some nonzero upper bits: the number passes the check, but in the offset calculation those bits push the lookup into memory that is treated as data and is not covered by the hardware encryption. The function address is read from that memory and called in hypervisor mode, even though the address came from data. If the right memory location holds a pointer to your own code, voilà. The check and the index must be computed on the same register width; here they weren't. But that's just the vulnerability; you still have to figure out how to get that data into place.
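To make the width mismatch concrete, here is a small C model I added for this write-up; it is not code from the original post and not Microsoft's hypervisor code. The table address, the data-region address, the table size and the "KINGKONG" payload value are all assumptions chosen so the effect is visible; the data-region write stands in for whatever mechanism the attacker uses to plant a pointer in unencrypted memory (in the real exploit, a GPU shader). The dispatcher compares only the low 32 bits of the syscall number but indexes with the full 64-bit value, so bit 32 of the number pushes the lookup 2^35 bytes past the table.

```c
#include <stdint.h>
#include <stdio.h>

/* Toy model of the syscall-number check, written for this article; it is
 * not Xbox 360 hypervisor code.  Addresses, table size and the payload
 * value are assumptions chosen to make the width mismatch visible. */
#define NUM_SYSCALLS 4ULL
#define TABLE_BASE   0x0000000000001000ULL        /* assumed syscall table address */
#define DATA_BASE    (TABLE_BASE + (1ULL << 35))  /* assumed unencrypted data region */
#define DATA_SLOTS   8ULL
#define PWNED        0x4b494e474b4f4e47ULL        /* "KINGKONG": payload ran */

typedef uint64_t (*syscall_fn)(uint64_t arg);

/* Four harmless "hypervisor" functions that live in the real table. */
static uint64_t sc_nop(uint64_t a) { (void)a; return 0; }
static uint64_t sc_inc(uint64_t a) { return a + 1; }
static uint64_t sc_dbl(uint64_t a) { return a * 2; }
static uint64_t sc_not(uint64_t a) { return ~a; }

/* Attacker code; returning PWNED stands in for "now running with HV rights". */
static uint64_t payload(uint64_t a) { (void)a; return PWNED; }

static uint64_t syscall_table[NUM_SYSCALLS];   /* protected hypervisor memory */
static uint64_t data_region[DATA_SLOTS];       /* plain memory the attacker can write */

static void init_memory(void) {
    syscall_table[0] = (uint64_t)(uintptr_t)sc_nop;
    syscall_table[1] = (uint64_t)(uintptr_t)sc_inc;
    syscall_table[2] = (uint64_t)(uintptr_t)sc_dbl;
    syscall_table[3] = (uint64_t)(uintptr_t)sc_not;
    for (uint64_t i = 0; i < DATA_SLOTS; i++) data_region[i] = 0;
}

/* Map a 64-bit address onto the two backing arrays; anything else is
 * unmapped and would be a machine check on real hardware. */
static int mem_read64(uint64_t addr, uint64_t *val) {
    if (addr % 8 == 0 && addr >= TABLE_BASE && addr < TABLE_BASE + 8 * NUM_SYSCALLS) {
        *val = syscall_table[(addr - TABLE_BASE) / 8];
        return 0;
    }
    if (addr % 8 == 0 && addr >= DATA_BASE && addr < DATA_BASE + 8 * DATA_SLOTS) {
        *val = data_region[(addr - DATA_BASE) / 8];
        return 0;
    }
    return -2;
}

/* Vulnerable shape: the range check looks only at the low 32 bits of the
 * register (a 32-bit compare), but the table offset is computed from the
 * whole 64-bit register, so any bits above 32 survive into the address. */
static int dispatch_vuln(uint64_t num, uint64_t arg, uint64_t *ret) {
    if ((uint32_t)num >= NUM_SYSCALLS)
        return -1;
    uint64_t target;
    int rc = mem_read64(TABLE_BASE + num * 8, &target);
    if (rc != 0) return rc;
    *ret = ((syscall_fn)(uintptr_t)target)(arg);
    return 0;
}

/* Hardened shape: check and index use the same 64-bit value. */
static int dispatch_fixed(uint64_t num, uint64_t arg, uint64_t *ret) {
    if (num >= NUM_SYSCALLS)
        return -1;
    uint64_t target;
    int rc = mem_read64(TABLE_BASE + num * 8, &target);
    if (rc != 0) return rc;
    *ret = ((syscall_fn)(uintptr_t)target)(arg);
    return 0;
}

/* Syscall number whose low 32 bits are a valid index (slot) and whose
 * bit 32 shifts the lookup 2^35 bytes past the table, into DATA_BASE. */
static uint64_t craft_syscall_number(uint64_t slot) {
    return (1ULL << 32) | slot;
}

/* Stage the attack: plant the payload address in writable memory (the
 * King Kong exploit did this from a GPU shader) and invoke the syscall. */
static int run_exploit(int hardened, uint64_t *ret) {
    init_memory();
    data_region[1] = (uint64_t)(uintptr_t)payload;
    uint64_t num = craft_syscall_number(1);
    return hardened ? dispatch_fixed(num, 0, ret) : dispatch_vuln(num, 0, ret);
}

int main(void) {
    uint64_t r = 0;
    printf("vulnerable: rc=%d ret=%#llx\n", run_exploit(0, &r), (unsigned long long)r);
    r = 0;
    printf("hardened:   rc=%d ret=%#llx\n", run_exploit(1, &r), (unsigned long long)r);
    return 0;
}
```

The vulnerable dispatcher accepts number 0x100000001, reads the attacker's pointer from DATA_BASE + 8 and calls it; the hardened one rejects the same number outright because it compares the full register. The general lesson is the one the post makes: whenever a bounds check and the indexing it guards are done at different widths, the check is worthless for every value whose extra bits the check cannot see.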
That's not trivial: you can't modify the code, and modifying the game's data on the disc so that it writes your code to the right place, byte for byte, and then calls syscall would take a very long and complicated analysis with a large element of luck. Want to know how they did it? This is the part I admire most in the whole story. Shaders. All the shaders are, of course, resources on the disc, and like all resources they are not encrypted; but they remain shaders, i.e. microcode for the graphics card. And the Xbox 360 has a clever GPU that can read and write memory from a shader. More than that, CPU and GPU memory is shared, so from a shader you can write into CPU memory at the address you want. Knowing where the code usually sits, you can also corrupt the stack so that a ret already lands in syscall with the right arguments, taken from that same stack. In practice this was done with the King Kong demo (http://www.xbox-scene.com/xbox1data/sep/EEZklEuAkAzUotmeVt.php). Note two things. First, this requires knowing very deep parts of the game's code, i.e. exactly which spot on the stack to corrupt; that's hardly possible without access to the game's code and the devkit. Second, it only works on the specific firmware versions with the syscall bug (the current ones no longer have it), but six months later a way was dug up to downgrade the console to its original firmware version, from which you can update to the vulnerable version. As a result the exploit works like this: a substitute King Kong shader writes executable code into memory and corrupts the stack at a specific spot to call a system function, which, because of the firmware bug, passes control to that same code with system privileges. Holy crap. We've lived to see a hack via a shader. That's what the GPU arms race got us.

Total

And that's how the first hello world in their own code was made, then even Ubuntu got running alongside, and a community built up around the business (http://www.free60.org). That's about it. For the record: call it half a year to get arbitrary code running.
And yet, damn it, everything was designed right and responsibly, propped up everywhere. One of the most important instructions in the whole system, and it has a critical bug. What a mess, eh?..