Tutorial New Xbox 360 Homebrew Method (Founded by me)

  • Thread starter sunkist0
  • Views 12,172

sunkist0

So basically, this is another way to run homebrew. Or in other words, "RGH" or "JTAG" ANY console, Corona included. If you have any questions regarding this, or any other material, shoot me a PM.

First, you're going to have to adjust the optimal configuration of distributed database system inside of Q41 sector of the south bridge chip. The actual exploit we are looking at is on the Output controller hub (ICH).

As you can see below in the diagram, the north and south bridge chips. (Note, the picture is not a diagram of an xbox 360's motherboard. It is just a visual to make it easier to understand.)

After we run the reverse pulse out of the output controller hub, it will bypass the Out-Of-Band management controller, which is segment one of Syscall. Syscall is how a program requests a service from an operating system's kernel. This is a vital process in the Xbox 360's security, which is what we are bypassing now.

This is the point where all of this becomes important.
Code:
00000000..00100000: SMC, KV, CB, CD, CE, CF, CG, backup bootloader
00100000..00140000: main bootloader
00140000..00f7c000: empty space
00f7c000  : smc config block
00ffc000  : exploit buffer
After bypassing the OOB management controller, it will cause a buffer overflow in the smc config block which calls for payload ea00c020. You see what I did there? It bypasses the main bootloader cycle and starts it in hypervisor, which will still start most of the same functions as the main bootloader cycles, except in an escalated state. Boot times will be a tad slower, but not as slow as the RGH. Maybe a second or two slower.

Unprivileged code interacts with the hypervisor via the syscall instruction. This causes the machine to enter escalated hypervisor mode.

Preconditions (Registers set by unprivileged code)
Code:
%r0 syscall no.
%r3-%r12 syscall arguments

Privileged code
Code:
13D8: cmplwi %r0, 0x61
13DC: bge illegal_syscall
...
13F0: rldicr %r1, %r0, 2, 61
13F4: lwz %r4, syscall_table(%r1)
13F8: mtlr %r4
...
1414: blrl

When processing the syscall, the processor is running in "hypervisor real mode", with the MMU switched off. However, when accessing memory locations with the MSB cleared, an additional offset, the Hypervisor Real Mode Offset (HRMO), will be applied to all memory addresses.

This does not take multiple attempts like the RGH does to boot. It boots like a normal xbox. It may seem a bit confusing, but I plan on making this more user-friendly looking in the near future. Until then, I will continue developing this. Stay tuned for updates every couple days.

If you repost this, please give me credit. I put a lot of time into studying this. And also some money, due to multiple xbox purchases.
Credit goes to me, Sunkist0.
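As an added illustration of the dispatch listing quoted above (this is a model written for this thread, not code from the post or from the console): under the PowerPC ISA, cmplwi compares only the low 32 bits of a register, while rldicr rotates and masks the full 64-bit value, so the listed check and the listed index calculation do not look at the same width. The C model below reproduces both instructions' semantics using the table size 0x61 and 4-byte entries from the listing; the hardened variant (comparing all 64 bits, as cmpldi would) is an assumption added here to show what a width-consistent check looks like.

```c
#include <stdint.h>
#include <stdio.h>

/* Model of the syscall dispatch listed in the post (written for this
 * thread, not the console's code). The table has 0x61 entries of 4 bytes. */
#define SYSCALL_COUNT       0x61u
#define SYSCALL_TABLE_BYTES (SYSCALL_COUNT * 4u)
#define ILLEGAL_SYSCALL     UINT64_MAX

/* rldicr ra,rs,2,61: rotate the full 64-bit register left by 2 and keep
 * bits 0..61 (IBM numbering), i.e. clear the low two bits. For small
 * values this is simply index * 4. */
static uint64_t rldicr_2_61(uint64_t r0) {
    uint64_t rotated = (r0 << 2) | (r0 >> 62);
    return rotated & ~(uint64_t)3;
}

/* As listed: cmplwi compares only the low 32 bits of %r0 (unsigned), but
 * the table offset is computed from all 64 bits. Returns the byte offset
 * that would be added to syscall_table, or ILLEGAL_SYSCALL if rejected. */
uint64_t dispatch_as_listed(uint64_t r0) {
    if ((uint32_t)r0 >= SYSCALL_COUNT)   /* cmplwi %r0, 0x61 ; bge illegal */
        return ILLEGAL_SYSCALL;
    return rldicr_2_61(r0);              /* rldicr %r1, %r0, 2, 61 */
}

/* Hardened variant (assumption, not the console's code): compare the same
 * 64-bit value the offset is derived from, e.g. cmpldi instead of cmplwi. */
uint64_t dispatch_hardened(uint64_t r0) {
    if (r0 >= SYSCALL_COUNT)
        return ILLEGAL_SYSCALL;
    return rldicr_2_61(r0);
}

/* Does an accepted offset actually fall inside the syscall table? */
int offset_in_table(uint64_t off) {
    return off != ILLEGAL_SYSCALL && off < SYSCALL_TABLE_BYTES;
}

int main(void) {
    /* Constructed sample: low 32 bits hold a valid number, upper bits set. */
    uint64_t r0 = 0x100000010ULL;
    printf("listed  : off=%#llx in_table=%d\n",
           (unsigned long long)dispatch_as_listed(r0),
           offset_in_table(dispatch_as_listed(r0)));
    printf("hardened: rejected=%d\n",
           dispatch_hardened(r0) == ILLEGAL_SYSCALL);
    return 0;
}
```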
 
halopro77

Congrats bro if this works!! I don't even understand half of this, but it seems like you knew what you were talking about. Will this be easier to do than the RGH (install the pulse thingy and all that other crap)? Can't wait for the user-friendly version :smile:
 
WeedPlz

It could be worth the effort mate, best of luck with future testing. Keep us up to date if you could.
 
ItzzBlink


OT: I don't understand this, but I hope it helps whoever does :smile:
 
blazek556

Great work! If you need any help, I got a corona here for testing... :biggrin:
 
-Unh0ly-

Hmm, hopefully you can make a device for this that will come with all items needed and not cost $150 by the time you have all parts and such (seriously, Xecuter needs to stop doing that).
 
iHc James

If you exploit r40 during the CJ decryption, maybe you can make some toast.
 
lowpro

I wish I knew all about this stuff... how do you find these type of exploits?
 
NerdysMods

Awesome dude!....

maybe this way we can go on xbox live and host mw2 lobbies :tongue:
 