Skip to content
Permalink
Branch: master
Find file Copy path
1 contributor

Users who have contributed to this file

177 lines (159 sloc) 5.72 KB

Old notes on the Xbox 360 Hypervisor can be found here: Hypervisor (Old Notes)

What is a Hypervisor?

Like in the PS3, Microsoft protects the integrity of its system with a Hypervisor. Using the virtualization technologies of today's processors, a hypervisor can act as a small piece of code with even higher privileges than the more complex operating system. In theory, even potential flaws in the operating system cannot be exploited since the hypervisor puts up additional restrictions.

In case of the Xbox 360, the hypervisor is responsible for encryption, decryption and the enforcement of access restrictions on memory.

Thanks to the work of an anonymous hacker, a flaw in the hypervisor has been discovered on certain versions of the Xbox 360 kernel, allowing the injection of code, which has not been cryptographically signed by Microsoft.

How It Works

The Hypervisor (HV) is primarily made up of a series of interrupt vectors and system calls that are accompanied by a few cryptography related helper sub-routines. On the 360, the main job of the HV is to manage the security of the system and handle encryption/crypto-signatures of files that will be run. Because of this, the HV is only executed in Real-Mode, with the highest privileges. Memory paging is disabled and the HV can access any memory space on the system, including memory mapped devices, however code run from user-mode (normal mode) cannot read or write to HV space. It is essential to understand how the HV works to understand the lower level of software on the xbox 360.

When an interrupt is generated by the CPU, it jumps to the corresponding handler. When this occurs, the address of the instruction that generated the interrupt is stored in SRR0 and the MSR before the interrupt occurred is stored in SRR1 with bits 33-36 and bits 42-47 loaded with data specific to the interrupt. For every interrupt, the CPU is sent into Real Mode/privileged state, interrupts are the entrance to the HV. Instruction and data relocation is disabled at this time.

When a return from interrupt (rfid) instruction occurs, it copies SRR1 to the MSR, synchronizes context, and jumps to the address stored in SRR0. Unless the Interrupt modified the contents of SRR1, the program will exit privileged state after the MSR is set.

All interrupts are ordered meaning while one is being handled, the CPU will wait until it is finished before handling another. The exception to this is the RESET and MACHINE_CHECK interrupts, these are unorded and can take place at any time. If they occur while another interrupt is being handled, SRR0 and SRR1 will be overwritten by the new handler and context synchronization will be lost. During normal operation of the Xbox 360, the RESET interrupt does not occur and the MACHINE_CHECK interrupt is not recoverable.

Interrupt Vectors

Vectors
Offset
0x00000100
0x00000200
0x00000218
0x00000300
0x00000380
0x00000400
0x00000480
0x00000500
0x00000600
0x00000700
0x00000800
0x00000900
0x00000980
0x00000B9C
0x00000C00
0x00000D00
0x00000A5C
0x00000F20
0x00001600
0x00001700
0x00001800

Cryptography

Retail 17511 - These offsets are subject to change!

Cryptography Functions
Offset
0x00020300
0x00023500
0x000226F0
0x00022738
0x00020520
0x0000A880
0x0000AD20
0x00022DB8
0x00022BD0
0x00022CF0
0x00023170
0x00023218
0x00020578
0x00020F00
0x00021210
0x00020EC8
0x000244D8
0x00024560
0x000211F0
0x00024AF0
0x00024A40
0x00024A98
0x000247D0
0x00020910
0x00024C68
0x00023108
0x00022E98
0x00023010
0x00023060
0x000200F8
0x00023008
0x00021128
0x00020D28
0x000211A8
0x00021240
0x00021840
0x00021BC8
0x000217C0
0x00021968
0x00021710
0x00021270
0x00021C08
0x00023278
0x00023330
0x00020550
0x00020250
0x00020468
0x000203A8
0x00024420
0x00020680
0x00000E14

Utility Functions

Utility Functions
Offset
0x00000384
0x00000398
0x000003C4
0x00000484
0x000004A8
0x000004D8
0x0000068C
0x000006A0
0x000006B4
0x000006CC
0x00000E14
0x00000EE4
0x00001804
0x000029E0
0x00003358
0x000033D8
0x00003620
0x00000000

Invoking The Hypervisor

User-mode code can invoke the Hypervisor at any time through what is called a system call(syscall). System calls are functions set up by the Hypervisor that can preform various tasks on the system, for example getting the value of a special cpu register or printing to the console's post bus. When a system call is preformed, the cpu generates a syscall interrupt and jumps to the appropriate handler. System calls are described more here: System Calls

You can’t perform that action at this time.