A Robust Guide To The Xbox 360 Glitch Hack

The Xbox 360 was a difficult console to jailbreak. Microsoft didn’t want anyone running unsigned code, and darn if they didn’t make it difficult to do so. However, some nifty out of the box thinking and tricky techniques cracked it open like a coconut with a crack in it. For the lowdown, [15432] has a great in-depth article on how it was achieved. The article is in Russian, so you’ll want to be armed with Google Translate for this one.

The article gets right into the juice of how glitch attacks work—in general, and with regards to the Xbox 360. In the console’s case, it all came down to the processor’s RESET line. Pulse it briefly enough and the processor doesn’t actually reset, but its behavior is nonetheless disturbed. Time the glitch right and the processor carries on through the bootloader’s instructions even though the hash check instruction failed. Of course, timing it right was hard, so it helps to temporarily slow down the processor.
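As an added illustration (not code from the article or from [15432]’s write-up), the C model below shows why a hash check that ends in a single conditional branch is fragile against the kind of fault described above, and how a redundant check with complementary sentinel values rejects any single skipped comparison instead of booting. The sample hashes and the one-skipped-check fault model are constructed assumptions.

```c
#include <stdint.h>
#include <string.h>

/* Constructed sample hashes: the one the bootloader expects and a tampered one. */
#define HASH_LEN 8
static const uint8_t EXPECTED[HASH_LEN] = {0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88};
static const uint8_t TAMPERED[HASH_LEN] = {0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x00};

/* Fault model (assumption): a glitch makes exactly one comparison report
   "match" regardless of the data, standing in for the skipped branch the
   article describes. glitch_at < 0 means no glitch at all. */
static int hash_matches(const uint8_t *computed, int step, int glitch_at)
{
    if (step == glitch_at) return 1;             /* check result lost to the glitch */
    return memcmp(computed, EXPECTED, HASH_LEN) == 0;
}

/* Naive: one check, one branch. One fault on that branch boots a bad image. */
int naive_verify(const uint8_t *computed, int glitch_at)
{
    return hash_matches(computed, 0, glitch_at) ? 1 : 0;
}

/* Hardened: two independent checks set complementary sentinels, and boot
   requires the pair to be consistent. Skipping either check alone leaves
   an inconsistent pair, which is rejected rather than trusted. */
#define PASS_A 0xA5A5u
#define PASS_B 0x5A5Au
int hardened_verify(const uint8_t *computed, int glitch_at)
{
    volatile uint32_t a = 0, b = 0;              /* volatile: keep both branches */
    if (hash_matches(computed, 0, glitch_at)) a = PASS_A;
    if (hash_matches(computed, 1, glitch_at)) b = PASS_B;
    if (a != PASS_A) return 0;
    if ((a ^ b) != (PASS_A ^ PASS_B)) return 0;  /* sentinels disagree: treat as fault */
    return 1;
}

/* Resistance self-test: does any single glitched step boot the tampered image? */
int single_fault_bypasses(int (*verify)(const uint8_t *, int))
{
    for (int step = 0; step < 2; step++)
        if (verify(TAMPERED, step)) return 1;
    return 0;
}
```

Real bootloaders add random delays and repeat the redundant check more than twice, but the principle is the same: a single lost branch must never be enough to reach "boot".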

From there, the article continues to explore the many and varied ways this hack played out against Microsoft’s copy protection across multiple models and revisions of the Xbox 360. The bit with the BGA ball connections is particularly inspired. [15432] also goes deeper into how the battle over the Xbox 360’s DVD-ROM drive heated up.

We seldom talk about the Xbox 360 these days, but they used to grace these pages on the regular. Video after the break.

[Thanks to aliaali for the tip!]

16 thoughts on “A Robust Guide To The Xbox 360 Glitch Hack”

    1. There have been a few Xbox One vulnerabilities that haven’t been used for a jailbreak. But it seems a jailbreak is on the cards anyway.

      The usual suspects haven’t been that interested because Dev mode is more than enough for nearly everyone. And like you imply, Microsoft really has beefed up security.

      1. Yeah, everything done with the 360 was patched on Xbox One

        Including RGH, with better gating and buffering of logic signals

        They even let you dump your Xbox One NAND

        That’s a hint that dumping and knowing your NAND content isn’t really useful

        Especially when the AMD PSP (AMD version of IME) is used for DRM and as effectively an in-hardware hypervisor

        And also the Xbox One is sandboxed more than the 360

        Everything effectively runs in a different virtual machine

        Even dev mode

        With different permissions and restrictions software and hardware wise

        1. Compare this to Nintendo’s approach where, rather than securing the Switch 2, they simply SLAPP and otherwise buy off the devs of the biggest emulators.

          The community didn’t like Yuzu but they were SLAPPed away.

          MigSwitch was sued to high heaven but given it has been cloned and all over AliExpress it’s gameover there for Nintendo to stop it (even if Team Xecutor’s Bowser is part of the project after getting out of prison for the last time he crossed Nintendo!).

          Ryujinx was Brazil based and expected to be immune from Nintendo’s lawsuits but it seems the owner was simply given an offer he couldn’t refuse.

          Now that Switch 2 details are out, it’s clear why. Both could, with probably minor modification, run Switch 2 games. With the right PC they might even run them better.

          Nintendo is embarrassed that its games run better via emulation than on their expensive devices, but they haven’t taken the route of offering higher performance hardware. Just suing devs.

          I prefer Microsoft’s approach for the Xbox, even if I prefer PlayStation’s gaming experience. Nintendo, I love the games and IP but cannot stand the company, even if I buy every generation of their devices!

      2. Literally zero homebrew or chips on Winchester. For One/Series nth-days that don’t escape the GameOS VM, you can’t touch the XSTS token handler (Live), XGD4 (game discs), or the XVD/XVC header hash-chain check.

        The One/Series security is all based around the signed header of XVD and XVC files; you can actually ignore the Live stuff mostly. The second someone patches the private-key header-hash check for XVD and XVC loading, it’s defeated. Everything is an XVD or XVC image on One/Series.

  1. Now GliGli’s RGH, which Hackaday originally posted back around 2011,

    is simple enough that it’s been ported to the South Bridge 8051, like JTAG

    RGH 3.0

    Don’t even need a modchip if you have a Falcon or better, unless you have a stubborn CPU

    Essentially just flash NAND, solder a few wire jumpers like JTAG

    1. Another level of difficulty. Other people had already dumped the bootloaders. Our hacker here:
      - scoured through the assembly instructions, locating the verification step
      - tried hardware glitching the reset line
      - connected to the serial pin of a chip, to send commands and reduce CPU speed
      - glitched again
      - patched firmware on ANOTHER chip to avoid issues from rebooting too much
      - automated the glitch and reboot step until it works

      That’s just part 1 of the story. Really impressive persistence.
