Comments on: The STM Release Exploit

By: marcan

marcan — Sun, 07 Feb 2010 17:01:06 +0000

The PowerPC uses the IoctlAsync call, which returns to the caller before getting a reply from IOS. The callback is called from interrupt context once the reply does arrive. To IOS async and sync calls look the same; the only difference is the way they are handled in the PPC.

By: hcs

hcs — Fri, 05 Feb 2010 23:04:41 +0000

Heh, very cool. I’m just a little confused about one bit of terminology:
“this call blocks (asynchronously)”
It sounded like the ioctl blocks, not returning until the response from the IOS, so I’m not sure what the “asynchronously” refers to. Is the blocking ioctl done on a different thread than the one that posts a callback function, so it looks asynchronous to the caller?

By: Sven

Sven — Tue, 02 Feb 2010 16:42:25 +0000

Christ: no, you are only running in _usermode_ there. The STM module is neither allowed to patch its own code nor is able to even read the code of the kernel and/or the ES module (which we want to modify because the sign check is in there).

By: Chris

Chris — Tue, 02 Feb 2010 11:25:17 +0000

Very nice explanation… and a smart way to hack into IOS .

Now, I’m wondering, why using those “wtf” functions in your ARM routine ? Can’t you just directly patch IOS code in RAM since you are already running as IOS (something similar to self-modifying code) ?

By: Sven

Sven — Mon, 01 Feb 2010 21:53:54 +0000

yes, it say that microsoft knows a lot more about security than nintendo does. I know some of the xbox 360 hackers and I can definitely tell you that they are in no way inferior to us. We couldn’t do anything for the xbox 360 at all if we were working on it.

By: jpx92681

jpx92681 — Mon, 01 Feb 2010 15:42:36 +0000

hehe thanks Sven, jtag workaround is great no devalue at all, I don’t want to go so far with the details but just an example, there is no way to install homebrew if you have kernel 8955… (think about it..), not even using a hardware hack. That says a lot don’t you think?.

By: Sven

Sven — Mon, 01 Feb 2010 11:03:05 +0000

jpx92681: sorry, but you clearly do not know what you are talking about. tmbinc or mist for example are sure able to what we are doing. the xbox360’s security system is just pretty sophisticated but they still managed to pull of the JTAG hack. We did not even have to resort to hardware hacks so far because IOS is full of bugs…

By: KingLewy

KingLewy — Mon, 01 Feb 2010 06:22:03 +0000

Wow. Fascinating. Half of that went right over my head, but an interesting read nonetheless. Thanks again.

By: jpx92681

jpx92681 — Mon, 01 Feb 2010 05:57:37 +0000

I have really found this reading absolutely pleasant. Is the kind of things that we hope from our generation. Would be great if someone go that far in terms of reversing engineering with the xbox 360 but it seems no one in the scene has such level.

By: HenshinMijin

HenshinMijin — Sat, 30 Jan 2010 04:25:36 +0000

Splendid..!
Though I hate wen your articles end.
They are such a pleasure to read!

~fsKD™