freeBOOT gives the Xbox 360 JTAG hack new life

xbox360-freeBOOT-exploit

There has been another development in the never-ending battle that is Microsoft trying to keep its gaming system closed to unauthorized use. Xbox-scene reports that a new hack called freeBOOT v0.01 allows the Xbox 360 to upgrade to the newer kernels, but allows the option of rebooting to an older kernel in order use the JTAG exploit and gain access to the hardware.

In case you missed it, the JTAG hack is a way to run homebrew code on an Xbox 360. Exploiting this hack makes it possible to boot a Linux kernel in about five seconds. We’ve long been fans of the homebrew work done with XBMC on the original Xbox and hope that advances like this will lead to that end. We want this because the older hardware cannot handle high definition content at full resolution but the Xbox 360 certainly can.

This exploit is still far from perfect. It currently requires that the Cygnos360 mod chip be installed on the system. A resistor also needs to be removed from the board to prevent accidental kernel updating. That being said, this is still progress. If you’re interested in step-by-step details, take a look at the text file instructions provided.

[Thanks wdfowty]

Android app “tests” Windows vulnerability

android_windows_vulnerability_checker

An Android App for “testing” the Windows SMB2 vulnerability we covered last week has been released. For testing? Yeah right! The availability of this kind of software makes it ridiculously easy for anybody to go out and cause some havoc. Go right now and double check that your machines that run Windows Vista or Windows Server 2008 are protected (see the “workarounds” section.)

[Thanks Tom101]

Homebrew Wii via the bannerbomb exploit

bannerbomb_exploit

The Twilight Princess hack doesn’t work on newer versions of the Nintendo Wii, but thanks to a new exploit for the Wii, homebrew is still possible. Using an SD card and a few files, you can have the homebrew channel up and running in no time. The folks at Lifehacker show us how it’s done. It’s good to see that the Wii modding community is still in full force. Hopefully, this won’t turn into a back and forth battle between modders and Nintendo, like it has with Sony and the PSP.

BackTrack 4 Beta released

backtrack

The Remote Exploit Development Team has just announced BackTrack 4 Beta. BackTrack is a Linux based LiveCD intended for security testing and we’ve been watching the project since the very early days. They say this new beta is both stable and usable. They’ve moved towards behaving like an actual distribution: it’s based on Debian core, they use Ubuntu software, and they’re running their own BackTrack repositories for future updates. There are a lot of new features, but the one we’re most interested in is the built in Pico card support. You can use the FPGAs to generate rainbow tables and do lookups for things like WPA, GSM, and Bluetooth cracking. BackTrack ISO and VMWare images are available here.

iPod Touch 2G jailbreak demoed

redsn0w

Now that the iphone-dev team has unlocked the iPhone 3G they’re moving onto jailbreaking the iPod Touch 2G. While they have a fully working jailbreak, it’s not yet in a user friendly format. [MuscleNerd] did a live video demo this afternoon to show what progress they had made. It starts with him showing the iPod on but not booting. He’s already patched the kernel, but it’s failing the signature check in iboot. He then uses the team’s recoverytool to exploit a hole in iboot and patch out the signature check. The ipod then boots normally and he shows non-App Store software like Mobile Terminal, Cydia, and an NES Emulator (which makes use of the iPod’s internal speaker).

The redsn0w jailbreak works, but it has to be applied via tether every time the iPod boots. The team won’t release anything until they’ve found a way around this problem. For more insight into the boot process, check out our coverage of their Hacking the iPhone talk at 25C3.

Homebrew on the PSP3000

[matiaz] has released an exploit which allows homebrew on the PSP3000. It takes advantage of a vulnerability when loading save games on a game called GripShift. You can see the PSP running unsigned code in the video.

[thanks wraggy]

DNS exploit in the wild


We’ve been tracking Metasploit commits since Matasano’s premature publication of [Dan Kaminsky]‘s DNS cache poisoning flaw on Monday knowing full well that a functional exploit would be coming soon. Only two hours ago [HD Moore] and [I)ruid] added a module to the Metasploit Project that will let anyone test the vulnerability (with comment: “ZOMG. What is this? >:-)“). [HD] told Threat Level that it doesn’t work yet for domains that are already cached by the DNS server, but it will automatically wait for the cached entry to expire and then complete the attack. You can read more about the bailiwicked_host.rb module in CAU’s advisory. For a more detailed description of how the attack works, see this mirror of Matason’s post. You can check if the DNS server you are using is vulnerable by using the tool on [Dan]‘s site.

[photo: mattdork]