Quote:

---

Xbox 360 Hypervisor/King Kong Exploit

Thanks to Anonymous Hacker's great work, I' m now able to publish my own little implementation of the exploit.

I've used the full version of the King Kong (KK) game, as it has been shown to work by these anonymous people at 22C3, and it was the first one I found with editable shaders. Most games have these - KK was just the first one I've checked.
So you need a KK full (USA or PAL doesn't matter, they are the same) DVD image (including video partition), and obviously a hacked drive firmware.
You could also try hotswapping from your (hopefully existing!) KK original to the modified copy. Then you could go with a stock firmware.
Why not using the KK demo? It would work the same (though the shader file format is different), but requires a firmware hack too, as the possibility to run it from DVD-R was blacklisted in a very early kernel already, which doesn't have the vulnerability.

So, how does the hack work? Basically, the bugtraq post (http://www.securityfocus.com/archive/1/461489 in case you haven't read it yet) explains it all. All I did was to convert the series of memory writes into a shader, and writing a small serial loader stub.

You need to connect the serial port to use this hack. Read Speedy22's fine "Xbox 360 Motherboards and Headers" documentation, it's on J2B1.
NOTE: It's LVTTL. Do not even think about connecting to an RS232 port directly.
RS232 is +-12V, LVTTL is 3V. Think about what's happening when you connect your 110V equipment to 220V. You don't want to happen that on your southbridge.
For example, use a MAX3232, or just use any of these USB serial port adapters which already output 3.3V.
Speed is hardcoded to 115200/8N1.

To modify your existing game image, start the "patcher" tool. It will patch your game image to include the loader. It is a bit lame, but works. The tool will also remove the three startup videos for a faster boot.
When you launch the modified game, it will directly go to the main screen.
Press start on a controller. It should display "LOADING", and then freeze while displaying "Acessing Content". If it doesn't freeze, you don't have the correct kernel version (4532 or 4548, but only 4532 was tested). See below on how to update.

Now, the serial loader gets active. You should see a "Xe>" on the serial port. Now, upload your binary code (just as a binary blob). To terminate your upload, send 16x 'x'. It will be loaded to 0x01300000, and executed.
Be warned, only CPU #0 is trapped. The other threads/cores are still happily executing, so you need to catch them.

"Hello, world!"
Use the source, luke!
compile with
powerpc64-linux-gcc hello.S -o hello.o -Ttext=0x1300000 -nostdlib
objcopy -O binary hello.o hello.bin

HOWTO UPDATE (to the correct kernel)
To clarify things again:
* If you have 4552, you are screwed. Sorry.
* If you have 4532 or 4548, it has to work. If it doesn' t work, something else is wrong, but please don't try to update.
* If you have pre-4532: Grab HD_DVD_10-2006.zip [URL in readme is already offline] (check MD5SUM first: microsoft could have changed this file! the correct md5 is cd4db8e2c94266ab73513c361dd5b8f6). Burn it to a CD, and start it. It will update your console to 4532.

---