科技回声
A tech news platform built on Next.js, providing global technology news and discussion.
© 2025 科技回声. All rights reserved.

Hardware Security Exploit Research – Xbox 360

216 points, by nazgulsenpai, 5 months ago

7 comments

dinartem, 5 months ago
Good times. I was the developer at Microsoft who designed the Xbox 360 hardware security, wrote all the boot loaders, and the hypervisor code.

Note to self: you should have added random delays before and after making the POST code visible on the external pins.
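As an added example, not part of dinartem's comment or of the article, here is a small Python simulation of why a random delay between the externally observable POST code and the sensitive boot step hurts a timing-triggered glitch. The glitcher model is the generic one described in this thread: see a POST code on the pins, wait a tuned fixed delay, pulse. All timings (window position and width, trigger delay, jitter range) are constructed values for illustration and are not Xbox 360 figures.

```python
"""Timing-triggered fault injection vs. randomized delays: a constructed simulation.

Not Xbox 360 code or numbers; the constants are hypothetical and only illustrate
the mechanism behind the "add random delays around the POST code" note.
"""
import random

# Hypothetical timings, in nanoseconds after the POST code appears on the pins.
POST_TO_TARGET_NS = 500.0   # fixed delay from the observable event to the sensitive step
TARGET_WINDOW_NS = 20.0     # width of the interval in which a pulse actually faults it
TRIGGER_DELAY_NS = 500.0    # the attacker's tuned delay: sees POST, waits, pulses


def target_window(rng: random.Random, jitter_ns: float) -> tuple[float, float]:
    """Start/end of the vulnerable window for one boot.

    With jitter_ns == 0 the window sits at a fixed offset from the POST code.
    With jitter, the firmware inserts a random delay (modelled here as uniform in
    [-jitter/2, +jitter/2] around the nominal offset) between the externally
    visible POST write and the sensitive step, so the window moves every boot.
    """
    offset = rng.uniform(-jitter_ns / 2, jitter_ns / 2) if jitter_ns > 0 else 0.0
    start = POST_TO_TARGET_NS + offset
    return start, start + TARGET_WINDOW_NS


def pulse_hits(window: tuple[float, float], pulse_at_ns: float) -> bool:
    """A pulse faults the target only if it lands inside the window."""
    start, end = window
    return start <= pulse_at_ns < end


def success_rate(jitter_ns: float, trials: int = 10_000, seed: int = 1) -> float:
    """Fraction of boots on which a fixed-delay glitcher hits the window."""
    rng = random.Random(seed)
    hits = sum(pulse_hits(target_window(rng, jitter_ns), TRIGGER_DELAY_NS)
               for _ in range(trials))
    return hits / trials


def expected_resets(jitter_ns: float, **kw) -> float:
    """Mean number of boot attempts until the first successful glitch."""
    p = success_rate(jitter_ns, **kw)
    return float("inf") if p == 0 else 1.0 / p


if __name__ == "__main__":
    for jitter in (0.0, 200.0, 2_000.0, 20_000.0):
        print(f"jitter {jitter:>8.0f} ns: hit rate {success_rate(jitter):.4f}, "
              f"~{expected_resets(jitter):.0f} resets per success")
```

The point the numbers make: a deterministic POST-to-target delay gives the fixed-delay attacker a hit on every boot, while a random delay turns the hit into a probability roughly window width / jitter range. That does not make glitching impossible, since the attacker can keep resetting (the thread's "first reset" vs "multiple resets" experience is exactly that retry loop); it multiplies the expected number of attempts and removes the reliable trigger. An attacker could also look for a later observable closer to the sensitive step, so the randomization has to sit between the last thing visible outside the chip and the step being protected.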
Lammy, 5 months ago
> So - here is a hopefully informative write up of my Journey to figuring out how these guys were running unsigned code in 2011 on a XBOX 360

> XBOX 360 Security defeated - 2011

I realize this post is more about hardware security than software security, but if the benchmark is unsigned code execution then the author should at least mention the 2007 (King Kong shader exploit) and 2009 (SMC hack — same root flaw but executed automatically at boot) methods of achieving the same:

- https://github.com/Free60Project/wiki/blob/master/docs/Hacks/King_Kong_Hack.md

- https://github.com/Free60Project/wiki/blob/master/docs/Hacks/SMC_Hack.md
14, 5 months ago
Fun thinking back to the days of cat and mouse between MS and hackers; so many cool things went down. My favorite being hackers making custom firmware for certain DVD burners so that you could burn right to the very edge of 7.5gb discs and make 8gb games that MS started using. Truncated games were being detected and then hackers came up with this idea; it was so genius.

Then came along the reset glitch hack and I moved away from discs to an external hard drive and never looked back. I did a few for me and a couple friends. The soldering involved was pretty precise in the fact that it was a very, very small pad you needed to solder to, and if you screwed up it was very easy to lift the pad and put yourself into a big heap of trouble fixing it. I was also using a crappy $15 soldering iron with a bad tip because I was poor. But never did I have an issue. Depending on your install you could get the glitch to happen sometimes on the first reset, or for some it took multiple resets. I was happy because all mine seemed to work first if not second reset, which a lot of people struggled to get. I still have my RGH 360; my kids have it with a HDD full of games I backed up from my own games, you know.
SyncOnGreen, 5 months ago
> Generating VERY precise timing and pulses, you need FPGA's or CPLD's

Back in the day, I managed to create a working RGH modchip based on an Atmega8 (8-bit micro) running at 20 MHz with hand-crafted assembly code. I named it RWH (Reset Witch Hack) and it was able to boot an Xbox 360 Jasper in 1-2 minutes. Old motherboards had a physical pad on the motherboard allowing for slowing down the CPU, so no I2C was required. I also had to connect the whole 8-bit POST bus to read the current value in one instruction.

The PCB was made at home, and since AVR is a 5V system, I used NPNs for voltage conversion (all values were inverted in the software).

Why? I didn't have money to buy the "real" CPLD modchip.

Rush and happiness when it first booted - priceless.

I still should have the source code for it somewhere on backup.

Photos: https://gist.githubusercontent.com/JaCzekanski/c02ed11c30facd137c7a5dba8308d87b/raw/df93f4adb2a22afd4136ce4bc23e762659389456/pcb.jpeg https://gist.githubusercontent.com/JaCzekanski/c02ed11c30facd137c7a5dba8308d87b/raw/df93f4adb2a22afd4136ce4bc23e762659389456/installed.jpeg
Aurornis, 5 months ago
Fun article. One note:

> I have a Saleae 8 channel 100Mhz, which turned out not to be fast enough
> I found a not too expensive 200Mhz Kingst LA2016 Logic Analyzer on Amazon

The author is confusing MHz with MS/s (mega samples per second). Saleae has a logic analyzer that works on 100 MHz signals (with 500 MS/s), but I suspect the author had the unit with 100 MS/s that only works up to 25 MHz signals.

The cheap Kingst unit has 200 MS/s but only works with signals up to 40 MHz.
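As an added example, not from the commenter or the article, a short Python simulation of why the sample rate in MS/s, not a "MHz" label, decides which signals a logic analyzer can capture: an ideal square wave is sampled at a given rate and the edges the analyzer would actually record are counted. The 25 MHz / 100 MS/s and 100 MHz / 500 MS/s pairings are the ones quoted above; the four-samples-per-period rule of thumb in `max_signal_mhz` is an assumption, and vendor figures (such as the 40 MHz quoted for the Kingst unit) can be lower because of the analyzer's front-end bandwidth.

```python
"""Sample an ideal digital square wave and count the edges a logic analyzer would see.

Added illustration for the MHz-vs-MS/s point; the signals are constructed, not measured.
"""


def square_wave_level(freq_mhz: float, t_ns: float) -> int:
    """Level (0/1) of an ideal 50% duty-cycle square wave of freq_mhz at time t_ns."""
    period_ns = 1000.0 / freq_mhz
    return 1 if (t_ns % period_ns) < period_ns / 2 else 0


def capture(freq_mhz: float, sample_rate_msps: float, duration_ns: float,
            phase_ns: float = 0.0) -> list[int]:
    """Samples the analyzer records: one level per sample interval, no interpolation."""
    dt_ns = 1000.0 / sample_rate_msps
    n = int(duration_ns / dt_ns)
    return [square_wave_level(freq_mhz, phase_ns + i * dt_ns) for i in range(n)]


def count_edges(samples: list[int]) -> int:
    """Number of level changes between consecutive samples."""
    return sum(1 for a, b in zip(samples, samples[1:]) if a != b)


def true_edges(freq_mhz: float, duration_ns: float) -> int:
    """Edges the real signal actually has over the capture: two per period."""
    return int(2 * freq_mhz * duration_ns / 1000.0)


def apparent_freq_mhz(samples: list[int], sample_rate_msps: float) -> float:
    """Frequency the captured trace suggests (edges / 2 / capture time)."""
    dt_ns = 1000.0 / sample_rate_msps
    duration_ns = len(samples) * dt_ns
    return count_edges(samples) / 2 / duration_ns * 1000.0


def max_signal_mhz(sample_rate_msps: float, samples_per_period: int = 4) -> float:
    """Rule-of-thumb usable signal frequency (assumption: at least 4 samples per period).

    Nyquist alone would allow sample_rate / 2, but with only two samples per
    period the edge timing is ambiguous; vendor specs can be lower still
    because of the analyzer's analog front end.
    """
    return sample_rate_msps / samples_per_period


if __name__ == "__main__":
    for sig, rate in ((25, 100), (100, 100), (40, 200), (100, 500)):
        trace = capture(sig, rate, duration_ns=1000)
        print(f"{sig:>3} MHz signal @ {rate} MS/s: "
              f"{count_edges(trace)} edges seen of {true_edges(sig, 1000)}, "
              f"looks like {apparent_freq_mhz(trace, rate):.1f} MHz")
```

A 25 MHz signal at 100 MS/s gets four samples per period and every edge shows up; a 100 MHz signal at the same 100 MS/s lands on the same phase every sample and the trace is flat, so the analyzer reports no activity at all rather than a wrong-looking waveform. That silent failure is why the sample-rate figure, not the marketing number, is the one to check before trusting a capture of a fast reset or clock line.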
kaoD, 5 months ago
> Note - Newer revisions of XBOX 360 has no access to CLK and you must use Matrix oscillator

If there's no CLK line on the mobo, does this mean newer X360s have everything that might be clocked (I assume at least CPU, GPU and V/RAM?) in a single chip, SoC-like?
jackjackk0, 5 months ago
If you are not familiar with the fascinating story behind it, I recommend this podcast episode [1]; it's one of my absolute favorites (along with its sequel)! I found out about it on this very forum a few years ago, hope to propagate the favor to somebody else out there.

[1] https://darknetdiaries.com/episode/45/