Discussion The science behind exploited/hacked consoles (How a JTAG/RGH works)

  • Thread starter JoinTheResistance
  • Start date
  • Views 82,981
JoinTheResistance
DISCLAIMER: I am too lazy to read through this more than once, so if there are any typos, sorry :tongue:
I am going to add more information as time goes.

Let's start with what all of these exploits have in common. First and foremost, they all require soldering and modification of the console's hardware and software. Second, all of these exploits require modification of the Xbox 360 operating system, stored on the NAND chip. This leads us to the third thing that these consoles have in common: no Xbox Live. The only way to connect to Xbox Live is with a stealth server or offline files. Lastly, all of the exploits below allow you to run unsigned code. In other words, no matter what hack your console is using, you will be able to do things like game modding, running homebrew applications and backed-up games, and much more (including Linux).

How the Xbox 360 security system works
The Xbox 360 uses a hypervisor-based environment. When you power on your Xbox you see the regular dashboard, which is pretty much the 360's OS (operating system), but it's not the only operating system running on your console. You see, the dashboard you see on your TV or monitor is only a guest OS; the host OS, the one the dashboard runs on top of, is called the hypervisor.
The hypervisor's purpose is to make sure that the code being run on the console is digitally signed and doesn't have access to more than it should. The hypervisor also has direct access to the hardware and acts as a bridge between the hardware and the guest OS. One way to execute unsigned code is through a bug in the hypervisor itself; this is what the SMC/JTAG exploit uses. However, this bug was patched a long time ago, so we are left with having to replace the hypervisor with a modified one, which is what RGH-based exploits utilize.
Unfortunately for us, there is a piece of code on the CPU itself which prevents unsigned code, in this case a modified hypervisor, from running. Below you will find information on how we are able to execute unsigned code despite the security systems implemented by Microsoft.

KK Exploit (King Kong Shader exploit)
First of all, this exploit is VERY outdated: it requires dashboard 4532 or 4548 and does NOT allow you to run a FreeBoot image, meaning no backed-up games and no mod menus. It is here only for informational purposes.
The KK exploit is pretty much the first exploit that allowed unsigned code to be executed on a 360 console. The exploit, or hack, is based on the King Kong game, which has a vital flaw: it can load an unsigned shader. This means that you can put custom code in this shader and the console will run it.
The way this hack is executed is: we take the KK game, make a backup of it, patch the game with a shader which includes XeLL (Xenon Linux Loader), burn the game onto a DVD (yes, this means that you also need LT+ for this hack), then run it, and just like that we have unsigned code running on the 360.
More information on it can be found here and here.

Here are the exploits which allow you to run a hacked dashboard (a.k.a. you can play backed-up/modified games).

JTAG/SMC exploit
One of the oldest exploits is the SMC exploit; it is most commonly known as the JTAG hack. It's the simplest of all the hardware exploits to set up, but unfortunately it only works on consoles with a very old dashboard version, 7371 or lower. Using an exploit in the SMC (System Management Controller) and the GPU's JTAG port, this hack loads unsigned code and reboots the console into a hacked image (usually FreeBoot).

What makes this exploit great is its ease of install and configuration. You can find more info on that in the spoiler below.
There are two popular JTAG methods, both of which are very easy to set up. The first one is the older diode method, which works in most cases. The second one is the newer aud_clamp method. Both methods are easy to do and give you the same functionality. Even though both methods are stable and reliable, some consoles display the RROD when they are JTAGed. This isn't the common hardware-failure RROD, and it is fixed by switching to a different JTAG method. Because every console is different, one console might work best with the diode method, another might work best with the aud_clamp method, and a third one could work just fine with either one.
As I mentioned before, both the diode and the aud_clamp installs are very simple.
Things needed for the diode method:
2x diodes
Some wire

Things needed for the aud_clamp method:
2 transistors
2x resistors
Some wire

RGH1
After the SMC exploit (JTAG hack) was patched up by Microsoft, a new exploit called reset glitch hack (RGH) was introduced.
The reset glitch hack works by using Phase-Locked Loops (PLL) to slow the CPU down by 128 times and sending a small electric pulse into the CPU_RST (CPU reset) point. This causes CPU registers to return false data and allows the execution of unsigned code. The electric pulse sent to the CPU needs to be very precise and well timed, and since every console is different, extra capacitors and/or resistors need to be added on some consoles in order to achieve a successful glitch. Even with these modifications, sometimes an unsuccessful glitch may occur; if this happens, the console is automatically reset and the glitch is attempted again. This is the reason why not all RGHed consoles boot instantly.
The RGH exploit can be deployed onto Zephyr, Opus, Falcon and Jasper motherboards running a dashboard version not higher than 14699. This exploit also requires a glitch chip and sometimes extra components like capacitors and resistors.
An RGH console usually takes from 7s (instant) to 30s to boot.

RGH2
RGH2 was originally designed to be an RGH1 substitute for slim consoles; however, it was later ported to phat consoles as well.
The benefit of RGH2 is that it is compatible with all dashboard versions, including the latest one. The downside is that, because a reliable PLL point hasn't been found on slim consoles, the I2C interface needs to be used. I2C is an interface, or bus, used for communication between some of the console's ICs (integrated circuits). By connecting the glitch chip to this interface, we are able to communicate with the CPU and slow it down when attempting a glitch. Unfortunately, I2C only allows the CPU to be slowed down by 8 times, meaning that the glitch pulse needs to be even more precise and well timed. This is also the reason why RGH2 installs often require much more time and tuning than RGH1. Consoles running RGH2 are usually the ones that require the longest amount of time to boot. Things have improved with the latest CR4 glitch board and 15432's RGH2 files for the x360 ace board; however, RGH1 is still superior when it comes to ease of install and boot times.

RGH2 (PHAT)
As mentioned above, RGH2 was eventually ported over to phat consoles, but because it was still using I2C and wasn't tweaked as much as RGH2 for slims, it performs worse than its slim version. Why does the phat version use I2C instead of PLL, you may ask. Well... no one really knows. The most logical explanation is that, because it was originally developed by TX (Team Xecuter) and they wanted to promote their pre-programmed R-JTAG boards, an RGH2 that used PLL would have been too good for a free alternative.

R-JTAG
R-JTAG is basically a combination of the JTAG exploit and the RGH exploit. It uses the same glitch method as the RGH exploit, but instead of directly booting the console it uses virtual e-fuses to allow the console to load an old JTAG-exploitable kernel. Once this kernel is loaded, the JTAG part of the exploit comes into play and boots the operating system using the SMC exploit.
R-JTAG requires a pre-programmed glitch chip and JTAG wiring (either the diode method or the aud_clamp method). The boot times of a console exploited with this hack are usually somewhere between RGH1 and RGH2, closer to RGH1.

RGH1.2
This is one of the latest exploits. It uses both PLL and RGH2 settings and is considered to be the best available phat exploit that works on dashboard versions after 14699. RGH1.2 also offers something no other exploit does: a dynamic/auto-tuning file. Once your glitch chip is programmed with this file, it will automatically start testing different settings and find the ones that work for your console.
The boot times here are usually (almost) the same as the ones on an RGH1 console.

S-RGH
S-RGH, also known as Speed RGH, is a relatively new hack developed by 15432. It is similar to RGH2, but uses different settings and offers an easier install and better boot times. S-RGH is only available for slim consoles, but there is a very similar alternative, developed by 15432, for phats.

R-JTOP
This is the latest Xbox 360 exploit. It is more or less an open-source version of R-JTAG, which means that you don't have to pay a premium for a TX-made board. However, due to its late release, you don't get much support or information on what works and what doesn't. So, you shouldn't attempt R-JTOP if you don't have experience with any of the other exploits or someone experienced helping you.

Summary (TL;DR version)
JTAG = best, but needs old dash (7371 and earlier), only works on phat consoles
RGH = Very good, but needs an old dash (14699 and earlier), only works on phats
RGH2 = Not very good (unless you're using a CR4 or S-RGH files), works on new dashboards, phats and slims
R-JTAG = Good, works on dashboards => 15572, phat only, can be expensive
RGH1.2 = Very good, works on new dashboards, phat only
S-RGH = Very good, similar to RGH2, but better, phats and slims
R-JTOP = doesn't have much support and popularity, not recommended for inexperienced people
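The RGH section above describes a precisely timed pulse that makes the CPU mis-evaluate its checks and run unsigned code. As an added example, not from this thread and not from any 360 exploit or loader code, the toy C model below forces one security decision to "pass" and shows why a loader with a single compare-and-branch accepts a wrong hash while a redundant, fail-closed check does not. The fault model, function names and sample digests are all constructed here.

```c
#include <stdint.h>
#include <string.h>
#define HASH_LEN 8

/* Constructed sample digests: BAD differs from GOOD in its last byte. */
static const uint8_t GOOD[HASH_LEN] = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x04};
static const uint8_t BAD[HASH_LEN]  = {0xde, 0xad, 0xbe, 0xef, 0x01, 0x02, 0x03, 0x05};

/* Fault model (hypothetical, not real RGH behaviour): exactly one security
 * decision, chosen by g_fault, evaluates as "pass". -1 means no glitch. */
static int g_fault = -1;
static int g_decisions = 0;

static int decide(int condition) {   /* a branch on a security decision */
    int idx = g_decisions++;
    return idx == g_fault ? 1 : condition;
}

/* Naive loader: one compare feeds one branch, so one mis-evaluated
 * decision is enough to accept an image with the wrong hash. */
int verify_naive(const uint8_t *hash, const uint8_t *expected) {
    g_decisions = 0;
    return decide(memcmp(hash, expected, HASH_LEN) == 0);
}

/* Hardened loader: deny by default, count matching bytes, then confirm
 * with an independent compare; no single decision can grant access. */
int verify_hardened(const uint8_t *hash, const uint8_t *expected) {
    int ok = 0;            /* fail closed */
    size_t matches = 0;
    g_decisions = 0;
    for (size_t i = 0; i < HASH_LEN; i++)
        if (decide(hash[i] == expected[i])) matches++;
    if (decide(matches == HASH_LEN) &&
        decide(memcmp(hash, expected, HASH_LEN) == 0))
        ok = 1;
    return ok;
}

/* Count the single-fault positions that make a verifier accept a wrong
 * hash. 0 means one precisely timed glitch is never enough. */
int single_fault_bypasses(int (*verify)(const uint8_t *, const uint8_t *),
                          const uint8_t *hash, const uint8_t *expected) {
    int bypasses = 0;
    for (int f = 0; f < 2 * HASH_LEN; f++) {  /* more steps than any path */
        g_fault = f;
        if (verify(hash, expected)) bypasses++;
    }
    g_fault = -1;
    return bypasses;
}
```

The retry loop the thread mentions (console resets and glitches again) is what turns a single-decision check into a matter of patience; the hardened variant shows the defensive pattern of requiring agreement between independent decisions.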
 
Reedradar
I wouldn't say an RGH2 is not very good. At first maybe, but people have found the nooks and crannies of it so it's as stable.
 
FannyCircus
Thank you for taking the time to compile this.
 
Aydind (Administrator)
Very well crafted thread, was a good read. Nice job!
 
Hulk (Administrator)
Where nice compilation of info on different modded consoles. Definitely gonna come in handy when referring someone who has a question about this kind of info. Good work. :thumbsup:
 
JoinTheResistance
Very well crafted thread, was a good read. Nice job!

Where nice compilation of info on different modded consoles. Definitely gonna come in handy when referring someone who has a question about this kind of info. Good work. :thumbsup:
Thank you!
I am actually going to keep updating it with more detailed information, whenever I get time (and knowledge of course).
 
Hulk (Administrator)
Thank you!
I am actually going to keep updating it with more detailed information, whenever I get time (and knowledge of course).
Sounds good. Look forward to checking out that update and hopefully I can refer back to this thread when trying to answer certain support questions.
 
Extern
Due to the Xbox 360 security architecture, main memory is aliased to different addresses with different properties, in order to conditionally enable the security features (encryption and hashing). The hypervisor sets the value of the HRMO special register so that the hypervisor code, including the syscall jump table, resides in memory which is hashed as well as encrypted, even when using zero-based addresses.
What does this mean (highlighted)? I know what main memory is, but the word "aliased" is confusing me in that context.

EDIT: Wait...I'm pretty sure that explanation is for the KK/shader exploit, not the SMC exploit.
 
JoinTheResistance
What does this mean (highlighted)? I know what main memory is, but the word "aliased" is confusing me in that context.

EDIT: Wait...I'm pretty sure that explanation is for the KK/shader exploit, not the SMC exploit.
Ok, I'm not sure if this is 100% correct (after all, that's why I simply copy-pasted the source text here), but I think it means that it divides the code into different parts and encrypts them separately, so that not everything will be in one place and under one encryption. Again, I'm not really sure on that.
Wait...I'm pretty sure that explanation is for the KK/shader exploit, not the SMC exploit.
Oops! My bad! I actually wrote 80% of this over a year ago and ditched it in a Word file (while waiting for a member who is no longer active on the site to add it to his thread), so I didn't really re-read all of it. I'm dumb... anyway, I'll rework the JTAG part in a sec.
 
JoinTheResistance
UPDATE: The JTAG part has been reworked and the KK exploit has been added.
I'll probably rework the "How the Xbox 360 security system works" part as well in the next few days.
Also, thanks to Extern Extern for pointing out a few mistakes and giving me the idea for the KK exploit.
Oh :tongue: - Phat only twice
Fixed!
 
Extern
UPDATE: The JTAG part has been reworked and the KK exploit has been added.
I'll probably rework the "How the Xbox 360 security system works" part as well in the next few days.
Also, thanks to Extern Extern for pointing out a few mistakes and giving me the idea for the KK exploit.

Fixed!
Here's an in-depth article on how the JTAG hack works: http://free60.org/wiki/SMC_Hack#Technical_details. It could also help understand how the Xbox 360 security system works, which will make it easier for you to update that portion.
 
Kazr
Very nice, now I'm gonna look into S-RGH as an alt for RGH2.
 
devilhunter1990
Actually, R-JTAG is no longer working since TX CR4 XL boards often have problems with the phat consoles (recent faulty batch). BEWARE!
 
JoinTheResistance
Actually, R-JTAG is no longer working since TX CR4 XL boards often have problems with the phat consoles (recent faulty batch). BEWARE!
I thought they had fixed that already?!
 