Discussion: I Think I Found a Way to Softmod an Xbox 360

lancervi50

Just wanted to say as a long time lurker on these forums, thanks for going through the effort to try and softmod the 360 :smile:
 
xXBeefyDjXx

It's been a long time since you could softmod the Xbox 360 (King Kong exploit + OG JTAG).

The dashboard now has too many security challenges preventing unsigned code from running. You could never use the original Xbox BC to softmod, as you would be using original Xbox files and they have no access to the 360 side. Also, as already mentioned, if it's not on the list it won't run on a retail console's BC.

As to the update idea, this is kind of what the RGH idea does. The "hacked" update files that allow the running of unsigned code are injected whilst the console boots, thanks to the miniature window that allows us to "glitch" the hypervisor (I think? no flame plz) into allowing us to run the code as if it were legit.

If you ever found a way to inject update files, it would need some kind of security hash, as I'm sure the dashboard checks the integrity of files. And as I stated above, the way the code is run means that even if you got the console to use the hacked dash, it wouldn't load, as the HV detects and rejects the hacked code unless it is glitched.

I do like your enthusiasm though.
 
TEIR1plus2

> It's been a long time since you could softmod the Xbox 360 (King Kong exploit + OG JTAG).
>
> The dashboard now has too many security challenges preventing unsigned code from running. You could never use the original Xbox BC to softmod, as you would be using original Xbox files and they have no access to the 360 side. Also, as already mentioned, if it's not on the list it won't run on a retail console's BC.
>
> As to the update idea, this is kind of what the RGH idea does. The "hacked" update files that allow the running of unsigned code are injected whilst the console boots, thanks to the miniature window that allows us to "glitch" the hypervisor (I think? no flame plz) into allowing us to run the code as if it were legit.
>
> If you ever found a way to inject update files, it would need some kind of security hash, as I'm sure the dashboard checks the integrity of files. And as I stated above, the way the code is run means that even if you got the console to use the hacked dash, it wouldn't load, as the HV detects and rejects the hacked code unless it is glitched.
>
> I do like your enthusiasm though.

RGH2 glitches at the end of the 2BL (CB_A for slims, CB for phats); everything beyond that is unsigned. RGH1 glitches in the middle of the CD/4BL, before the kernel gets loaded and patches are applied to the HV/kernel. In both situations, the HV/kernel we run is unsigned.

RGH2 is way better because it happens sooner in the boot chain; it also allows us to skip the lockdown counters.
 
xXBeefyDjXx

> RGH2 glitches at the end of the 2BL (CB_A for slims, CB for phats); everything beyond that is unsigned. RGH1 glitches in the middle of the CD/4BL, before the kernel gets loaded and patches are applied to the HV/kernel. In both situations, the HV/kernel we run is unsigned.
>
> RGH2 is way better because it happens sooner in the boot chain; it also allows us to skip the lockdown counters.

I remember reading that somewhere; however, details and I don't go down well together sometimes, haha.
 
BLiNDzZ

> There's no hope for an Xbox 360 softmod, right?! I just wish that the scene would be as big as the 3DS's. They said it would be impossible to softmod the 3DS, and then the scene exploded. I'll keep working on it the best I can, and hopefully we'll see progress, whether from me or someone else. Give it a couple of years and one will eventually come out.

The only software exploit I've ever seen for the 360 was a bug found in the HV system call handler, which led to the console finally being exploited. Other than that, I'm pretty sure the system is locked down tight. Best of luck to you though.
 
Professional

> because JTAG/RGHs and even flashing your console are just too much time and difficulty.

It almost seems as if it would take less time and less difficulty to RGH the console rather than looking through the whole system in the hope of finding something that everyone else who has tried before you has had no luck at achieving. However, with each new individual to the scene comes their own unique mind and skill set, so if you are determined and you believe that you can achieve your goal, then you should totally continue to test/research any ideas you come across.

You should document all of your findings so that even if you don't end up finding a loophole, your time and effort may contribute something major to taking the next step toward a new generation of softmodding. And who knows, it happened for the original Xbox, so there is always a chance, as nothing ever has perfect security.
 
DaBom340

I hacked my PS3 some odd two weeks after the 4.82 OFW update. What I did was run a virtual server on my phone and connect to it from the PS3. I don't know how they initiated it, but as you click the button on the website it dumps your PS3, and the second step was a different "website" for the flashing, doing exactly the same. Could that not open the door to the same type of attack on the Xbox 360 and/or Slim?
 
TEIR1plus2

> I hacked my PS3 some odd two weeks after the 4.82 OFW update. What I did was run a virtual server on my phone and connect to it from the PS3. I don't know how they initiated it, but as you click the button on the website it dumps your PS3, and the second step was a different "website" for the flashing, doing exactly the same. Could that not open the door to the same type of attack on the Xbox 360 and/or Slim?

PS3 is vulnerable to WebKit exploits; getting from user mode to kernel mode has usually been a thing with WebKit exploits on PS3 (just look at the PS4, they're still vulnerable to WebKit exploits).

Xbox 360, on the other hand, is a bit different. Let's say you found an exploit in the Xbox 360 IE browser that let you write to kernel space. Fantastic, you have some unsigned code running and can take it between titles; however, you will never be able to write any changes to the NAND without hypervisor access. This means you are limited in what you can control (mainly just user space), and it will always need to be re-applied every boot, meaning MS could patch it immediately. How do we get hypervisor access? Well, that becomes a bit more difficult. During runtime, the hypervisor only gets invoked through interrupts, and the interrupt handlers were written very carefully to ensure they could not be taken advantage of. Given that the interrupt handlers are the only way in or out of the hypervisor, it's obvious that to make it secure, all MS has to do is make sure the handlers are not exploitable. A syscall is one of the interrupts that allows you to run a number of functions from the HV, but all of the syscall functions check the data they are sent as well. Most use signing methods to make sure data integrity is valid and hasn't been modified.

Why do we need access to the hypervisor to make it a viable exploit? Well, it's not so much that we need anything from the hypervisor itself; rather, we need our privileges escalated. The way the CPU is designed, the only time your privileges get escalated during runtime is through an interrupt: user code generates an interrupt, the CPU halts execution, goes into 'real mode' (this is what we want), and automatically jumps to the interrupt handler, which is located at a certain address. This is how the CPU was designed, and this process cannot be changed. How the Xbox works when it boots up is that it moves code into those specific addresses; this is the interrupt handler code, so when the CPU jumps to the specific address, it's jumping to the handler that was set up there. We need this privilege escalation because we can access any memory space with it, AND this is the only way to access certain hardware stuff, including the NAND.

If we can write in kernel space, why can't we rewrite the hypervisor? This is where stuff gets complicated. Technically we can, but Xbox addressing uses flags when reading and writing to memory. User mode will never see these flags, as memory paging takes care of them. The HV is paged with incorrect flags (the reason for this is that nothing but the HV will try to access the HV normally, so it doesn't even need to be paged). When executing anything in the HV, the CPU is assumed to be in real mode and memory paging is disabled, meaning all addresses are used exactly as the code builds them; these are known as "real addresses", meaning they are used as is with no CPU modifications. The HV is written with specific flags and knows to read itself with specific flags. However, if I wrote to the HV with different flags, when the HV goes to read that page it will see it was written incorrectly and force the system to lock up. As said, the HV is not paged, so from user mode we cannot address it; we get a seg-fault. But if we somehow found a way to make memory paging address HV space, we would not be able to write with the correct flags, as memory paging basically sanitizes the flags and uses its own. Further, on the Xbox 360 there is no 'kernel mode'. The kernel is considered untrusted and is executed in user mode with the same privileges as normal titles. This is why, if you had an exploit on a specific title, you are able to write in kernel space (assuming no W/X flags are active).

To summarize, we cannot obtain a privilege escalation without modifying the HV, and we cannot modify the HV without a privilege escalation.

I explain more about how the HV handles interrupts on free60: http://free60.org/wiki/Hypervisor

This is why all modern hacks on the Xbox 360 typically use hardware to exploit the console and rewrite the NAND to patch the hypervisor: unless there is an exploit in an interrupt handler, you are still bound to the rules of the hypervisor with a softmod. The old KK exploit was the only softmod on the system, and it used an exploit in the interrupt handler to run unsigned code in hypervisor space and escalate its privileges; this is why it was viable at the time. It was the only exploit found in the interrupt handlers and has since been patched.

This is also probably why softmods were not pursued on this platform: with the limited number of opportunities for privilege escalation, and the probability that it would be patched very quickly, it's just not worth it.
 
TEIR1plus2

A correction to my previous post: I was recently told the HV is mapped in the page tables. However, as I said, the correct flags are not set, so if you tried to read from the HV you won't get the data you're expecting, and if you try writing to it, your console will know something is up and halt the system.
 
midnightmodders20

Change the Title ID of SID5 or Auto Installer Deluxe to any BC Xbox1 game and it'll load up fine, granted IDK if anything will install or break my Xbox if I try the softmod process on SID5. XBMC runs like **** on the 360; it usually crashes after a few swipes for me, and that was across like 8 versions of XBMC that I tried. UnleashX works dope tho lol
 
SilentModz237

I made the browser crash and return to the home menu using some HTML.
 
SilentModz237

Has anyone tried a Nethammer attack? I heard it works on Xeon CPUs, and I heard that is what the Xbox 360 uses.
 
TEIR1plus2

> Has anyone tried a Nethammer attack? I heard it works on Xeon CPUs, and I heard that is what the Xbox 360 uses.

This is false. I can tell you that no public Xbox 360 exploit uses an exploit through the network. All exploits use a hardware mod. Further, modifying Xbox 360 memory through a rowhammer attack will not get you anywhere; instead, the next time the modified memory is accessed, the CPU will know it was tampered with and lock up the system. This is because of a hardware-implemented security feature on the memory.
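A simplified model of the property TEIR1plus2 describes in the long reply above (the HV's memory is bound to the flags it was written with, and the paging path substitutes its own flags) and in this rowhammer reply (a word disturbed in place is caught on the next access). This is an added example, not code from the thread or from the console: the tag construction, the flag values and the key are constructed stand-ins for whatever the real hardware does, and only the outcome (an intact HV write reads back, anything else halts) is meant to match the posts.

```python
import hmac
import hashlib

# Constructed model, not the console's real scheme: a tag binds each stored word
# to its address, the protection flags it was written with, and its data.
HV_FLAGS = 0x8000_0000_0000_0000   # hypothetical flags of a protected real address
USER_FLAGS = 0x0                   # flags the paging path substitutes for user writes

class MachineCheck(Exception):
    """Tag mismatch on a protected read; stands in for the console locking up."""

class ProtectedMemory:
    def __init__(self, key: bytes):
        self._key = key       # hypothetical per-boot integrity key
        self._cells = {}      # addr -> (data, tag)

    def _tag(self, addr: int, flags: int, data: bytes) -> bytes:
        msg = addr.to_bytes(8, "big") + flags.to_bytes(8, "big") + data
        return hmac.new(self._key, msg, hashlib.sha256).digest()[:8]

    def write(self, addr: int, flags: int, data: bytes) -> None:
        self._cells[addr] = (data, self._tag(addr, flags, data))

    def read(self, addr: int, flags: int) -> bytes:
        """Return the word only if it was written with these flags and is intact."""
        data, tag = self._cells[addr]
        if not hmac.compare_digest(tag, self._tag(addr, flags, data)):
            raise MachineCheck(f"integrity fault at {addr:#x}")
        return data

    def disturb(self, addr: int, bit: int) -> None:  # bit flip, tag left untouched
        data, tag = self._cells[addr]
        flipped = int.from_bytes(data, "big") ^ (1 << bit)
        self._cells[addr] = (flipped.to_bytes(len(data), "big"), tag)

def scenario(kind: str) -> str:
    """Tamper with HV-owned memory one way and report what the HV's next read sees."""
    mem = ProtectedMemory(key=b"constructed-demo-key")
    addr = 0x1000
    mem.write(addr, HV_FLAGS, b"HVCODE\x00\x01")   # the hypervisor's own write
    if kind == "user_write":
        mem.write(addr, USER_FLAGS, b"PATCHED!")   # same address, sanitised flags
    elif kind == "bit_flip":
        mem.disturb(addr, bit=3)
    try:
        mem.read(addr, HV_FLAGS)
        return "ok"
    except MachineCheck:
        return "lockup"
```

`scenario("hv_only")` reads back cleanly, while `scenario("user_write")` and `scenario("bit_flip")` both end in the modelled lockup, which is the point of the two posts: a write from the wrong side or a disturbed bit is not silently accepted, it is detected the next time the protected region is touched.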
 
SilentModz237

I found another one by accident. I had a virus on my USB.
 
SilentModz237

I don't know if this will do anything, but I got a virus on my USB, and whenever I plug it in to my computer or Xbox 360 it freezes, and it will unfreeze when I unplug it. I have two USBs in: one with the storage and one with the virus.
 
schitzotm

Hehehe. Virus on the USB. It's freezing the console? You need an autoexecute to trigger after the freeze with a payload. Does it freeze at boot time? If so, you may be resetting the boot. If that's the case you might have something. Likely it's just the console stopping itself, but one never really knows for sure without further testing.
We have been attempting hardware and software attacks on the Winchester console.
The best one thus far has been attacking the wifi module.
If you could use software to glitch the boot, then you can do the same thing an RGH does without needing the RGH chip.
You still need a NAND with hacked software though. Or a way to write to the NAND onboard.
 
xXBeefyDjXx

Microsoft learned from the Original Xbox days about softmodding, and thus the 360 has some millions spent on hardware security to combat this, alongside a ton of software verification. You will NOT easily softmod an Xbox, and why would you bother when an RGH chip costs literally less than $10 to install nowadays?
 
ddrkingjb

How do you attack the wifi module, I wonder? Can an Ethernet cable work as well?
 
Wh1t3 x Sm0K3

Wh1t3 x Sm0K3

Banned
Messages
53
Reaction score
5
Points
50
I made a modded Call of Duty Black Ops 2 ISO that is to be hotswapped like a normal modded game. I got a copy of Free Style Dash and copied over the contents into the Black Ops 2 ISO, renamed Free Style's "default.xex" to "default_mp.xex", and replaced the Black Ops 2 "default_mp.xex" with the Free Style Dash one. I haven't tried it out yet because I ran out of f*cking DVD+R DLs, sadly. So ideally, the game is supposed to launch as normal, but when you launch multiplayer it is supposed to open up Free Style Dash instead. But if anyone wants to try out what I did, it would be of much help.
That's not a bad idea, might try that.
 
Caboose

> That's not a bad idea, might try that.

Wouldn’t work; it’s a custom xex file, aka unsigned code. An error would pop up saying the game could not be started, or unrecognizable disc, or some other error. If it were that easy we would have had xex menu working on retails a long, long time ago. Won’t work, so don’t even attempt it lmao
 