xbox

109 Articles

If You Give A Dev A Tricked Out Xbox, They’ll Patch Halo 2

August 11, 2024 by 2 Comments

[Ryan Miceli] had spent a few years poring over and reverse-engineering Halo 2 when a friend asked for a favor. His friend created an improved Xbox with significant overclocks, RAM upgrades, BIOS hacks, and a processor swap. The goal was simple: patch the hardcoded maximum resolution from 480p to 720p and maybe even 1080p. With double the CPU clock speed but only a 15% overclock on the GPU, [Ryan] got to work.

Step one was to increase the size of the DirectX framebuffers. Increasing the output resolution introduced severe graphical glitches and rendering bugs. The game reuses the framebuffers multiple times as memory views, and each view encodes a header at the top with helpful information like width, height, and tiling. After patching that, [Ryan] had something more legible, but some models weren’t loading (particularly the water in the title screen). The answer was the texture accumulation layer. The Xbox has a hardware limitation of only sampling four textures per shader pass, which means you need a buffer the size of the render resolution to accumulate the textures if you want to sample more than four textures. Trying to boot the game resulted in an out-of-memory crash. The Xbox [Ryan] was working on had been upgraded with an additional 64MB of RAM, but the memory allocator in Halo 2 wasn’t taking advantage of it. Yet.

To see where the memory was going, [Ryan] wrote a new tool called XboxImageGrabber to show where memory was allocated and by whom. Most games make a few substantial initial allocations from the native allocator, then toss it over to a custom allocator tuned for their game. However, the extra 64MB of RAM was in dev consoles and meant as debug RAM, which meant the GPU couldn’t properly access it. Additionally, between the lower 64MB and upper is the Xbox kernel. Now, it became an exercise of patching the allocator to work with two blobs of memory instead of one contiguous one. It also moved runtime data into the upper 64MB while keeping video allocations in the lower. Ultimately, [Ryan] found it easier to patch the kernel to allow memory allocations the GPU could use in the upper 64MB of memory. Running the game at 720p resulted in only a semi-playable framerate, dropping to 10fps in a few scenes.

After some initial tests, [Ryan] concluded that it wasn’t the GPU or the CPU that was the bottleneck but the swap chain. Halo 2 turns VSync on by default, meaning it has to wait until a blank period before swapping between its two framebuffers. A simple tweak is to add a third frame buffer. The average FPS jumped 10%, and the GPU became the next bottleneck to tweak. With a light GPU overclock, the game was getting very close to 30fps. Luckily for [Ryan], no BIOS tweak was needed as the GPU clock hardware can be mapped and tweaked as an MMIO. After reverse engineering, a debugging feature to visual cache evictions, [Ryan] tuned the texture and geometry cache to minimize pop-ins that the original game was infamous for.

Overall, it’s an incredible hack with months of hard work behind it. The code for the patch is on Github, and there’s a video after the break comparing the patched and unpatched games. If you still need more Halo in your life, why not make yourself a realistic battle rifle from the game?

Continue reading “If You Give A Dev A Tricked Out Xbox, They’ll Patch Halo 2

Kickflips And Buffer Slips: An Exploit In Tony Hawk’s Pro Skater

August 8, 2024 by 6 Comments

[Ryan Miceli] wanted to build some reverse engineering skills by finding a new exploit for an original Xbox. Where he ended up was an exploit that worked across the network, across several games, and several different consoles. But it all started with an unbounded strcpy in Tony Hawk Pro Skater (THPS).

Xbox, PlayStation 2, and Gamecube (often referred to as the sixth generation) are wonderful hacking targets as they don’t possess many of the security enhancements of the seventh generation, like hypervisors, privilege levels, and hardware executability protections. The console launches the game, and control is fully within the game, so once you get your code executing, you’re done. The exploit started with a feature in many Tony Hawk games, the custom map editor. In the editor, you can create gaps between jumps with a name so that when a player completes the gap, it can flash “you jumped x” in big letters. However, on Xbox, the gap name is copied with an unbounded strcpy to the stack, meaning you can overwrite the return pointer. Additionally, there are no stack cookies for THPS, which meant nothing stopped [Ryan] from smashing his way through. He includes a small memcpy stub in the header of the level, which the gap name jumps to, which then copies and executes his full payload.

The other games in the series, like Tony Hawk’s Pro Skater 3 (THPS3), had the bug, but the gap name was copied to the heap, not the stack. However, he could overflow into a vtable of the next object that would call his code when the object was freed. However, the level save data wasn’t an executable region of memory, which meant he needed ROP (return-oriented programming). Just a few gadgets later, and [Ryan] had another exploit working.

Tony Hawk’s Underground 1 and 2 had stack cookies turned on. This meant a random value was placed on the stack before a function, then popped off and checked. This meant the program could check if its stack had been smashed. Unfortunately for [Ryan], this proved to be a major roadblock. However, the PC and PS2 versions of these games do not have stack cookies, which means they can be exploited in the same manner.

The beauty of the exploit is that the game allows you to invite a friend to play a custom level. This means once the level is transferred over the network, their console is hacked as well. However, the full payload wasn’t sent to the client console, which meant the exploit had to send the payload to the other console using the game’s existing net code. The exploit sets up an asynchronous file transfer then hands control back to the game. Of course, there was a memory leak in the netcode, because the game had never sent large amounts of data over the network before. So, part of the exploit was a hot patch for a memory leak.

As a last hurrah, [Ryan] ported the hack to Gamecube, PS2, and PC. The code is on GitHub, and the video is after the break. We love the attention the Xbox has been getting, and if you’re curious about a hardware hack, this 256MB ROM mod goes deep into the internals.

Continue reading “Kickflips And Buffer Slips: An Exploit In Tony Hawk’s Pro Skater”

Giving The Original Xbox 256 MB Of Memory

July 10, 2024 by 20 Comments

The original Xbox forever changed the console world, because it was basically just PC components laced together in a slightly different architecture. It featured a Pentium 733 MHz CPU with just 64MB of RAM. [Prehistoricman] has been hard at work, figuring out how to up that to 256MB instead.

This isn’t [Prehistoricman’s] first rodeo. Previously, he managed to up the Xbox’s RAM to 128 MB. To figure out how to go further, he had to figure out the addressing scheme. A datasheet for the Xbox’s original memory chip was a help in this regard, as was the envytools project and an Xbox source code leak.

A BIOS hack was needed to move the auto-precharge pin to free up more address pins for the higher memory space. Furthermore, the only available memory chips that were suitable used BGA packages, so a small PCB with castellated edges was needed to adapt the chip to the Xbox’s motherboard, which expects a TQFP package.

Ultimately, getting this hack to work involved a lot of bare-metal hacking. It also won’t help the performance of commercial games at all, as they were all designed within the limitations of the original console. Still, it’s impressive to see this now-ancient platform hacked to do more. It’s also hilarious to compare it with a contemporary PC, which could simply accept 256 MB of RAM by using additional memory slots. Video after the break.

Continue reading “Giving The Original Xbox 256 MB Of Memory”

Showing the modchip installed into a powered up Xbox, most of the board space taken up by a small Pi Pico board. A wire taps into the motherboard, and a blue LED on the modchip is lit up.

An Open XBOX Modchip Enters The Scene

June 30, 2024 by 44 Comments

If you’ve ever bought a modchip that adds features to your game console, you might have noticed sanded-off IC markings, epoxy blobs, or just obscure chips with unknown source code. It’s ironic – these modchips are a shining example of hacking, and yet they don’t represent hacking culture one bit. Usually, they are more of a black box than the console they’re tapping into. This problem has plagued the original XBOX hacking community, having them rely on inconsistent suppliers of obscure boards that would regularly fall off the radar as each crucial part went to end of life. Now, a group of hackers have come up with a solution, and [Macho Nacho Productions] on YouTube tells us its story – it’s an open-source modchip with an open firmware, ModXO.

Like many modern modchips and adapters, ModXO is based on an RP2040, and it’s got a lot of potential – it already works for feeding a BIOS to your console, it’s quite easy to install, and it’s only going to get better. [Macho Nacho Productions] shows us the modchip install process in the video, tells us about the hackers involved, and gives us a sneak peek at the upcoming features, including, possibly, support for the Prometheos project that equips your Xbox with an entire service menu. Plus, with open-source firmware and hardware, you can add tons more flashy and useful stuff, like small LCD/OLED screens for status display and LED strips of all sorts!

If you’re looking to add a modchip to your OG XBOX, it looks like the proprietary options aren’t much worth considering anymore. XBOX hacking has a strong community behind it for historical reasons and has spawned entire projects like XBMC that outgrew the community. There’s even an amazing book about how its security got hacked. If you would like to read it, it’s free and worth your time. As for open-source modchips, they rule, and it’s not the first one we see [Macho Nacho Productions] tell us about – here’s an open GameCube modchip that shook the scene, also with a RP2040!

Continue reading “An Open XBOX Modchip Enters The Scene”

HDMI For The Original Xbox

October 24, 2023 by 12 Comments

The original Xbox was a console based on PC architecture that launched back in 2001. That was long before HDMI became a defacto standard for home AV systems. However, it’s possible to mod the Xbox to output lovely crisp digital video over HDMI for use with modern screens, as covered by [Modern Vintage Gamer].

The mod, originally known as XboxHDMI and later XboxHD+, is a pure digital output mod, and was developed by [Dustin Holden]. Unlike other solutions, it doesn’t work by converting the console’s existing analog output. Instead, it captures pixel data straight out of the GPU and pumps it out over HDMI, along with 5.1 surround sound, too.

Mods like these have become popular in recent years for multiple reasons. Original HD output cables for older consoles are often hard to come by, and many used analog outputs that are no longer suitable for using with modern screens. For those that don’t want to keep older CRTs and flat screens going for older consoles, digital video output kits are a great way to keep using your old consoles well into the future. Video after the break.

Continue reading “HDMI For The Original Xbox”

Bench Power Supply Turned Realistic Flight Sim Panel

August 12, 2023 by No comments

Flight simulator software has been available for about as long as desktop PCs have been a thing, but modern incarnations such as 2020’s Microsoft Flight Simulator have really raised the bar — not only graphically, but in terms of interactivity. There’s a dizzying array of switches and buttons that you can fiddle with in your aircraft’s virtual cockpit, but doing it with the same keyboard that you use to hammer out code or write Hackaday articles doesn’t do much for immersion.

Looking to improve on the situation without having to shell out for an expensive sim panel, [Michael Fitzmayer] decided to convert a broken Manson SSP-8160 lab power supply into a fairly good approximation of the KAP 140 autopilot system which is used in one of his favorite aircraft, the Pilatus PC-6 Turbo-Porter.

[Michael] gutted the piece of equipment pretty thoroughly, only leaving behind the case itself and the illuminated button panel on the front. The original displays were replaced with TM1637 seven-segment LEDs, and a pair of new rotary encoders are mounted where the stock knobs were. The whole show is run by a STM32F103 Blue Pill, which conveys the button pressing and knob spinning to the game by mimicking a USB Human Interface Device.

A fascia applied to the front of the power supply blocks the original text and labels, and really makes the finished unit look the part. [Michael] admits it’s not 100% accurate to the layout of the real hardware, but it’s certainly better than trying to enter heading and altitude information with the controller.

Oh that’s right, did we mention he’s actually using this on the Xbox Series S? While we generally see this sort of sim hardware hooked up to a tricked out gaming computer, we appreciate that he’s trying to bring some of that same experience to the console world. While the one-way communication of USB HID does bring with it some limitations — for example the hardware needs to be manually reset at the beginning of each flight to make sure the physical displays match what’s shown in the virtual cockpit– there’s still a lot of potential here.

For example, you could design and build your own flight yoke, pedals, and throttles rather than spending hundreds on a commercial version. It sounds like [Michael] is just getting started in the world of affordable console-based flight simulation, and we’re very eager to see where he goes from here.

Using JTAG To Dump The Xbox’s Secret Boot ROM

August 11, 2023 by 13 Comments

When Microsoft released its first entry into the video game console market with the Xbox, a lot of the discussions at the time revolved around the fact that it used a nearly off-the-shelf Intel CPU and NVIDIA GPU solution. This made it quite different from the very custom consoles from Nintendo and Sony, and invited thoughts on running custom code on the x86 console. Although the security in the console was hacked before long, there were still some open questions, such as whether the secret boot ROM could have been dumped via the CPU’s JTAG interface. This is the question which [Markus Gaasedelen] sought to answer.

The reason why this secret code was originally dumped by intercepting it as it made its merry way from the South to the North Bridge (containing the GPU) of the Xbox was because Microsoft had foolishly left this path unencrypted, and because the JTAG interface on the CPU was left disabled via the TRST# pin which was tied to ground. This meant that without removing the CPU and adding some kind of interposer, the JTAG interface would not be active.

A small issue after the harrowing task of desoldering the CPU and reinstalling it with the custom interposer in place was to keep the system integrity check (enforced by an onboard PIC16 MCU) intact. With the CPU hooked up to the JTAG debugger this check failed, requiring an external injection of the signal on the I2C bus to keep the PIC16 from resetting the system. Yet even after all of this, and getting the secret bootrom code dumped via JTAG, there was one final system reset that was tied to the detection of an abnormal CPU start-up.

The original Xbox ended up being hacked pretty thoroughly, famously giving rise to projects like Xbox Media Center (XBMC), which today is known as Kodi. Microsoft learned their lesson though, as each of their new consoles has been more secure than the last. Barring some colossal screw-up in Redmond, the glory days of Xbox hacking are sadly well behind us.