So basically, this is another way to run homebrew. Or in other words "RGH", or "Jtag" ANY console. Corona included. If you have any questions regarding this, or any other material. Shoot me a PM, or AIM me. My aim is: jakeman8888
First, you're going to have to adjust the optimal configulation of distributed database system inside of Q41 sector of the south bridge chip. The actual exploit we are looking at is on the Output controller hub (ICH).
As you can see below in the diagram, the north and south bridge chips. (Note, the picture is not a diagram of an xbox 360's motherboard. It is just a visual to make it easier to understand.)
After we run the reverse pulse out of the output controller hub, it will bypass the Out-Of-Band management controller, which is segment one of Syscall. Syscall is the how a program requests a service from an operating system's kernel. This is a vital process in the Xbox 360's security which is what we are bypassing now.
This is the point where all of this becomes important.
After bypassing the OOB management controller, it will cause a buffer overflow in the smc config block which calls for payload ea00c020. You see what I did there? It bypasses the main bootloader cycle and starts it in hypervisor, which will still start most of the same functions as the main bootloader cycles, except in an escalated state. Boot times will be a tad slower, but not as slow as the RGH. Maybe a second or two slower.
Unprivileged code interacts with the hypervisor via the syscall instruction. This causes the machine to enter escalated hypervisor mode.
Preconditions (Registers set by unprivileged code)
Priviledged code
When processing the syscall, the processor is running in "hypervisor real mode", with the MMU switched off. However, when accessing memory locations with the MSB cleared, an additional offset, the Hypervisor Real Mode Offset (HRMO), will be applied to all memory addresses.
Credit goes to me, Sunkist0.
First, you're going to have to adjust the optimal configulation of distributed database system inside of Q41 sector of the south bridge chip. The actual exploit we are looking at is on the Output controller hub (ICH).
As you can see below in the diagram, the north and south bridge chips. (Note, the picture is not a diagram of an xbox 360's motherboard. It is just a visual to make it easier to understand.)
After we run the reverse pulse out of the output controller hub, it will bypass the Out-Of-Band management controller, which is segment one of Syscall. Syscall is the how a program requests a service from an operating system's kernel. This is a vital process in the Xbox 360's security which is what we are bypassing now.
This is the point where all of this becomes important.
Code:
00000000..00100000: SMC, KV, CB, CD, CE, CF, CG, backup bootloader
00100000..00140000: main bootloader
00140000..00f7c000: empty space
00f7c000 : smc config block
00ffc000 : exploit bufferUnprivileged code interacts with the hypervisor via the syscall instruction. This causes the machine to enter escalated hypervisor mode.
Preconditions (Registers set by unprivileged code)
Code:
%r0 syscall no.
%r3-%r12 syscall argumentsPriviledged code
Code:
13D8: cmplwi %r0, 0x61
13DC: bge illegal_syscall
...
13F0: rldicr %r1, %r0, 2, 61
13F4: lwz %r4, syscall_table(%r1)
13F8: mtlr %r4
...
1414: blrlWhen processing the syscall, the processor is running in "hypervisor real mode", with the MMU switched off. However, when accessing memory locations with the MSB cleared, an additional offset, the Hypervisor Real Mode Offset (HRMO), will be applied to all memory addresses.
Credit goes to me, Sunkist0.