There is a new hack which can boot homebrew code in less than 5 seconds. Please also notice that from a functional side, the result will be the same as the KK-hack; it's just much faster, works on more hardware and is more reliable. See the end of this document for a description of how the hack works.

Extract with wxPirs from the unzipped 4532 Dashboard Update. Copy the files xboxupd.bin, 1888image.bin, CB.xxxx/CB.xxxx, smc.hacked and the two XeLL files (xell-1… and …) to /tools/imgbuild/input (you need to create the folder first). Your updated hacked image is written into the output directory and is ready to be flashed.

To update XeLL, put 'xell-1f.bin' renamed to 'updxell.bin' into the root of the USB drive. XeLL should recognize the USB drive and tell you '* found XeLL update'. Wait for XeLL to tell you '* update done' and unplug the USB drive so it won't upgrade again on the next startup.

How the hack works: the KK exploit exploited the kernel bug by modifying an unsigned shader to do a series of so-called memory exports, an operation where the GPU can write the results of a pixel or vertex shader into physical memory. The shader was written to overwrite the idle-thread context to make the kernel jump to a certain position in memory, with some registers under our control. To jump into an arbitrary location, we just used a "mtctr, bctr" register pair in hypervisor, which redirects execution flow into any 64-bit address. This is important, since we need to clear the upper 32 bits (i.e., set the MSB to disable the HRMO), because the code we want to jump to is in unencrypted memory. In order to control all registers, a second step was necessary, this time by jumping into the interrupt restore handler. This finally allows all CPU general purpose registers to be filled with determined values.

The NAND is organized in pages: each page has 512 bytes of payload and 16 bytes of ECC data. The 8051 core of the SMC has access to the NAND registers, which are mapped into the 8051 SFRs. It uses the same protocol as the kernel: it writes an address, issues a "READ" command, and then reads the data out of the "DATA" registers. So by hacking the SMC, we could make the box do the exploit without any shader; the SMC can access the NAND controller all the time, even when the kernel is running (though it will likely interfere with the kernel). While most NAND registers are mapped, the DMA address registers (1c, 20) are not.

JTAG makes it possible to talk to each PCI device in the system, including the NAND controller. So can we simply use THAT instead of the SMC to start the DMA? The problem is that the "VM code", the code which does a lot of system initialization such as memory setup (that code is also responsible for generating the 01xx "RROD" errors), sets a certain bit in some GPU register which disables the JTAG interface. The VM code is executed way before the kernel is active. But the combination works: program the DMA target address via JTAG, and launch the attack via SMC.
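As an added example (not code from the page or from the free60 project), here is a minimal parser for a raw NAND dump laid out as described above: 512 bytes of payload followed by 16 bytes of ECC/spare data per page. The ECC algorithm itself is not given on the page, so the spare bytes are returned as-is and not verified; the assumption that an erased page reads back as all 0xFF is marked in the code.

```python
from __future__ import annotations
from dataclasses import dataclass

PAYLOAD_SIZE = 512
SPARE_SIZE = 16
RAW_PAGE_SIZE = PAYLOAD_SIZE + SPARE_SIZE  # 528 bytes per raw page


@dataclass(frozen=True)
class NandPage:
    index: int
    payload: bytes
    spare: bytes  # 16 bytes of ECC/spare data, returned unverified

    @property
    def erased(self) -> bool:
        # Assumption: an erased NAND page reads back as all 0xFF (payload and spare).
        return all(b == 0xFF for b in self.payload + self.spare)


def raw_offset(page_index: int) -> int:
    """Byte offset of a page inside the raw (spare-included) dump."""
    return page_index * RAW_PAGE_SIZE


def split_pages(image: bytes) -> list[NandPage]:
    """Split a raw dump into (payload, spare) pairs, refusing truncated dumps."""
    if len(image) % RAW_PAGE_SIZE:
        raise ValueError(f"image size {len(image)} is not a multiple of {RAW_PAGE_SIZE}")
    pages = []
    for i in range(len(image) // RAW_PAGE_SIZE):
        off = raw_offset(i)
        pages.append(NandPage(i, image[off:off + PAYLOAD_SIZE],
                              image[off + PAYLOAD_SIZE:off + RAW_PAGE_SIZE]))
    return pages


def strip_spare(image: bytes) -> bytes:
    """Concatenate the payloads only, dropping the 16-byte spare areas."""
    return b"".join(p.payload for p in split_pages(image))


def make_sample_image() -> bytes:
    """Constructed three-page dump (sample data, not a real console dump):
    two data pages with distinct spare bytes, then one erased page."""
    page0 = bytes(range(256)) * 2 + b"\x01" * SPARE_SIZE
    page1 = b"\xAB" * PAYLOAD_SIZE + b"\x02" * SPARE_SIZE
    erased = b"\xFF" * RAW_PAGE_SIZE
    return page0 + page1 + erased
```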