realizzazione siti internet ed e-commerce mugello

Risultati da 1 a 3 di 3
Like Tree2Likes
  • 2 Post By DrSchottky

Discussione: [X360 Reversing] Intro

  1. #1
    Moderatore L'avatar di DrSchottky
    Data Registrazione
    Sep 2014
    Messaggi
    150
    Post Thanks / Like

    [X360 Reversing] Intro

    Xbox 360 Reversing
    An overview about xeBuild’s hacked images




    DISCLAIMER

    All the stuff i'll write comes from what i read and/or reversed. It might be inaccurate or totally wrong, please don't blame me for this.



    Intro

    As you might know, Xbox’s chain of trust is composed by a series of loaders and ends with the Kernel (I won’t dwell on this, boot process is explained quiet well on Free60),
    but how is made a modified bootchain?
    Assuming that you know what an ECC is and how it works, let’s focus on xeBuild’s patches.


    ! To avoid confusion: all my examples will be based on RGH2 Trinity, with MFG CB_A(9188) !

    There are three items that need to be patched on a hacked image: CB_B, CD and Kernel/HV; and this is what xeBuild does.
    CB_B/CD patches are applied to the original files before they’re used to build an image, Kernel patches are stored as plaintext
    in the built image and applied at runtime by CD on an already decompressed and merged CE + CG (for this reason CF doesn’t need to be patched).


    xeBuild’s patches format is documented in about_patches.S, and in summary is:

    [CB_B patches] FF FF FF FF [CD patches] FF FF FF FF [Kernel patches] FF FF FF FF


    Each patch looks like this

    • Address (32 bit)
    • Number of patches (32 bit)
    • Data (32 bit x number of patches)






    If you want to look inside a loader (CB_A/B, CD, CF)

    • load it into IDA;
    • set ppc as processor;
    • look at 0x8(4 bytes) for the entry point and jump to it;
    • press C to disassemble.



    Loading into IDA a kernel image requires some further step since it’s stored in your nand as a compressed base (CE) + update (CG).
    I think that RGLoader Image Editor is the quickest way to get an updated kernel (ready to be disassembled) from your nand dump.

    Most of Crypto/Hash functions used in loaders are equal to those used in the kernel: if you have a kernel with symbols it’s easy
    to make a labeler script that searches for well known patterns in your code.


    In later chapters we’ll see in detail the various patches applied by xeBuild.


    >> Next Chapter >>

    Credits:
    xeBuild Team
    Free60
    RGLoader
    Ultima modifica di DrSchottky; 10-10-2015 alle 09:38
    Pa0l0ne and Chojin like this.

  2. Likes zeruel85, The_Pusher, Sk8er000 Ha dato un "mi piace" per questo post
    Thanks Sk8er000, Pa0l0ne Ha ringraziato per questo post
  3. #2
    Moderatore L'avatar di DrSchottky
    Data Registrazione
    Sep 2014
    Messaggi
    150
    Post Thanks / Like
    Published
    Ultima modifica di DrSchottky; 08-10-2015 alle 22:29

  4. #3
    Yeah, bitch! Magnets! L'avatar di zeruel85
    Data Registrazione
    Sep 2014
    Località
    Treviso (TV)
    Messaggi
    491
    Post Thanks / Like
    Thank you for doing this amazing job. People in general don't even know how much work there is behind these things.

    Cheers.

  5. Thanks DrSchottky Ha ringraziato per questo post

Tag per Questa Discussione

Segnalibri

Permessi di Scrittura

  • Tu non puoi inviare nuove discussioni
  • Tu non puoi inviare risposte
  • Tu non puoi inviare allegati
  • Tu non puoi modificare i tuoi messaggi
  •