SMC Hack

From Xenon Wiki
Revision as of 02:13, 12 March 2010 by imported>Jamiec (→‎Updating a hacked image)

The JTAG/SMC Hack

There is a new hack which can boot homebrew code in less than 5 seconds. See the end of this document for a description of how the hack works. For now, all we need to know is that this is a new way to exploit the well-known 4532 kernel, in a way which also works on updated machines, unless they have been updated with the summer '09 update. It also works on all hardware types.

Note also that, functionally, the result is the same as the KK hack; it is just much faster, works on more hardware and is more reliable. So it replaces the KK hack, nothing less and nothing more.

Technical details are available on [1].


Required Soldering

The SMC hack requires bridging 3 points on the motherboard (to trigger the exploit via JTAG), as well as having a way to read and write your NAND flash.

- Diagrams of the JTAG points are available for a number of consoles:

Xenon:

http://imgur.com/Fdjmi.png

Falcon, Zephyr, Opus & Jasper:

http://pictures.xbox-scene.com/xbox360/free60/diagram.jpg

- To read and write the NAND flash (using the SPI protocol over LPT with a printer cable), there is a friendly tutorial here: NAND Reading

There are other valid ways to read and write the NAND flash (such as the Infectus modchip).



•All the diodes used for SPI and JTAG are "switching diodes"; proposed types are BAT41, 1N4148 or 1N4153.

Building a Homebrew-Kernel

From scratch

What you need for this:

•Latest build.py Script from GIT

•CB/CD files matching your Xbox revision (called CB.xxxx/CD.xxxx here, where xxxx is the version): Xenon: 1921; Zephyr: 4558; Falcon: 5770; Jasper: 6712, 6723


•Hacked SMC code matching your Xbox revision (called smc_hacked.bin here); at the moment only available for Xenon, Falcon, Zephyr and Opus (as of recently)

•The 1888 Basekernel (called 1888image.bin here)

•Xbox 360 Dashboard Update Version 4532 (HD_DVD_10-2006.zip)

•wxPirs to extract xboxupd.bin from 4532-Update

•Compiled XeLL (xell-1f.bin, plus a copy of the same file named xell-backup.bin)

1. Check out the latest free60-tools with git:
git clone git://free60.git.sourceforge.net/gitroot/free60/tools/

2. Extract xboxupd.bin with wxPirs from the unzipped 4532 dashboard update

3. Copy the files xboxupd.bin, 1888image.bin, CB.xxxx/CD.xxxx, smc_hacked.bin and the two XeLL files xell-1f.bin and xell-backup.bin to /tools/imgbuild/input (you need to create the folder first). Also create a folder "output" in /tools/imgbuild/

4. Edit build.py to contain the secret 1BL key in this format (example key: 010F0E0C0ED669E7B56794FB68563EFA)

secret_1BL = "\x01\x0F\x0E\x0C\x0E\xD6\x69\xE7\xB5\x67\x94\xFB\x68\x56\x3E\xFA"

5. Start build.py with the following command
python build.py input/1888image.bin input/CB.xxxx input/CD.xxxx input/xboxupd.bin input/xell-backup.bin input/xell-1f.bin input/smc_hacked.bin

If everything works out the script should output something similar to this:

  • found flash image, unpacking and decrypting...
    ECC'ed - will unecc.
    Found 2BL (build 1888) at 00008000
    Found 4BL (build 1888) at 0000e1e0
    Found 5BL (build 1888) at 000138d0
  • found (hopefully) decrypted CB
  • found (hopefully) raw CD
  • found update
    Found 6BL (build 4532) at 00000000
    Found 7BL (build 4532) at 000044c0
  • found XeLL binary, must be linked to 1c000000
  • found XeLL binary, must be linked to 1c000000
  • found decrypted SMC
  • we found the following parts:
    CB: 1921 CD: 1921 CE: 1888 CF: 4532 CG: 4532
  • checking if all files decrypted properly... ok
  • checking required versions... ok
  • Fixing up the hacked SMC code with the target address
  • this image will be valid *only* for: xenon
  • zero-pairing...
  • constructing new image...
  • base size: 70000
  • compiling payload stub
  • Flash Layout:
    0x00000000..0x000001ff (0x00000200 bytes) Header
    0x00000200..0x000003ff (0x00000200 bytes) Exploit
    0x00000400..0x00000fff (0x00000c00 bytes) Padding
    0x00001000..0x00003fff (0x00003000 bytes) SMC
    0x00004000..0x00007fff (0x00004000 bytes) Keyvault
    0x00008000..0x000117ff (0x00009800 bytes) CB 1921
    0x00011800..0x00016ebf (0x000056c0 bytes) CD 1921
    0x00016ec0..0x0006cf2f (0x00056070 bytes) CE 1888
    0x0006cf30..0x0006ffff (0x000030d0 bytes) Padding
    0x00070000..0x000744bf (0x000044c0 bytes) CF 4532
    0x000744c0..0x000a33ff (0x0002ef40 bytes) CG 4532
    0x000a3400..0x000bffff (0x0001cc00 bytes) Padding
    0x000c0000..0x000fffff (0x00040000 bytes) Xell (backup)
    0x00100000..0x0013ffff (0x00040000 bytes) Xell (main)
  • Encoding ECC...
    Written into output/image_00000000.ecc ! please flash output/image_*.ecc, and setup your JTAG device to do the DMA read from 00000200

6. Finished! Your ready-to-be-flashed image is located in the output folder, called image_00000000.ecc
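Added here as a worked example (not part of this page or of the free60 build.py script): a small Python check that parses the "Flash Layout" lines build.py prints and verifies that the regions are contiguous, do not overlap, that each printed byte count matches its address range, and that the last region ends at 0x140000, the end of the sample layout shown above. SAMPLE_LAYOUT is copied from that sample output; everything else is an assumption of this example.

```python
import re

# Flash Layout lines as printed by build.py, copied from the sample output above.
SAMPLE_LAYOUT = """\
0x00000000..0x000001ff (0x00000200 bytes) Header
0x00000200..0x000003ff (0x00000200 bytes) Exploit
0x00000400..0x00000fff (0x00000c00 bytes) Padding
0x00001000..0x00003fff (0x00003000 bytes) SMC
0x00004000..0x00007fff (0x00004000 bytes) Keyvault
0x00008000..0x000117ff (0x00009800 bytes) CB 1921
0x00011800..0x00016ebf (0x000056c0 bytes) CD 1921
0x00016ec0..0x0006cf2f (0x00056070 bytes) CE 1888
0x0006cf30..0x0006ffff (0x000030d0 bytes) Padding
0x00070000..0x000744bf (0x000044c0 bytes) CF 4532
0x000744c0..0x000a33ff (0x0002ef40 bytes) CG 4532
0x000a3400..0x000bffff (0x0001cc00 bytes) Padding
0x000c0000..0x000fffff (0x00040000 bytes) Xell (backup)
0x00100000..0x0013ffff (0x00040000 bytes) Xell (main)
"""

# One layout line: 0xstart..0xend (0xsize bytes) name
LINE_RE = re.compile(r"^0x([0-9a-f]{8})\.\.0x([0-9a-f]{8}) \(0x([0-9a-f]{8}) bytes\) (.+)$")

def parse_layout(text):
    """Return one (start, end, size, name) tuple per non-empty layout line."""
    regions = []
    for line in filter(None, (l.strip() for l in text.splitlines())):
        m = LINE_RE.match(line)
        if not m:
            raise ValueError("unparseable layout line: %r" % line)
        start, end, size = (int(x, 16) for x in m.group(1, 2, 3))
        regions.append((start, end, size, m.group(4)))
    return regions

def check_layout(regions, expected_end=0x140000):
    """Return problem strings (empty list = consistent): each region must start where
    the previous ended, its printed size must equal its range, last must end at expected_end."""
    problems, expected_next = [], 0
    for start, end, size, name in regions:
        if start != expected_next:
            problems.append("%s: starts at 0x%08x, expected 0x%08x" % (name, start, expected_next))
        if end - start + 1 != size:
            problems.append("%s: size 0x%x != range 0x%x" % (name, size, end - start + 1))
        expected_next = end + 1
    if expected_next != expected_end:
        problems.append("layout ends at 0x%08x, expected 0x%08x" % (expected_next, expected_end))
    return problems

if __name__ == "__main__":
    print("\n".join(check_layout(parse_layout(SAMPLE_LAYOUT)) or ["layout ok"]))
```

Paste the layout lines from your own build.py run in place of SAMPLE_LAYOUT; any gap, overlap or size mismatch is reported before you flash the image.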


Updating a hacked image

What you need for this:

  • Latest build.py Script from GIT
  • Hacked Kernel-Image (hacked-image.bin)
  • Xbox 360 Dashboard Update Version 4532 (HD_DVD_10-2006.zip)
  • wxPirs to extract xboxupd.bin from 4532-Update
  • Compiled XELL (xell-1f.bin)
1. Check out free60-tools and extract xboxupd.bin as described above
2. Copy the files hacked-image.bin, xboxupd.bin and xell-1f.bin to /tools/imgbuild/ and create a folder "output" there
3. Start build.py with the following command
python build.py hacked-image.bin xboxupd.bin xell-1f.bin
4. Finished! Your updated hacked-image was written into the output directory and is ready to be flashed.

Alternative: if you are using a XeLL compiled after 31 August 2009 you can use the USB update feature.

1. Format a compatible USB-Stick to FAT16/32.
2. Put 'xell-1f.bin' renamed to 'updxell.bin' into the Root of the USB-Stick.
3. Turn on the Xbox 360 into XeLL with the USB stick attached.
4. XeLL should recognize the USB stick and tell you '* found XeLL update. press power NOW if you don't want to update.'
5. Wait for XeLL to tell you '*update done' and unplug the USB stick so it won't upgrade again on the next startup.
6. Reboot Xbox360 and enjoy fresh XeLL :)

Extracting SMC/CB/CD from a hacked image

What you need for this:

  • Latest build.py Script from GIT
  • Hacked Kernel-Image (hacked-image.bin)
  • Xbox 360 Dashboard Update Version 4532 (HD_DVD_10-2006.zip)
  • wxPirs to extract xboxupd.bin from 4532-Update
  1. Check out free60-tools and extract xboxupd.bin as described above
  2. Copy the files hacked-image.bin and xboxupd.bin to /tools/imgbuild/ and create a folder "output" there
  3. Start build.py with the following command
python build.py hacked-image.bin xboxupd.bin
  4. Finished! Decrypted SMC, CB and CD data was written into the output directory

Build a full 16MB Image out of the small one created by build-script

Just use this simple command (input/backup.ecc is your NAND backup, and output/full.ecc is the 16MB image you can flash):

cp input/backup.ecc output/full.ecc; dd if=output/image_00000000.ecc of=output/full.ecc conv=notrunc

Using the 1920to1921 script

What you need for this:

  • Latest 1920to1921.py Script from GIT
  • decrypted 1921 CB (2BL)
  • decrypted 1920 CD (4BL)
  1. Rename the 1921 CB file to "CB.1921" (no file extension) and the 1920 CD to "CD.1920"
  2. Move both files to /tools/imgbuild/input/
  3. Start 1920to1921.py with the following command
python 1920to1921.py xxxx (where xxxx is the CD version you want to create, e.g. 1921, 4558, 5770)
  4. Finished! The script should tell you "great, hash matches!" and write the appropriate CD to the input folder