Earlier this week, two hackers called Gigli and Tiros managed to perform a hardware attack on the Xbox 360’s CPU/GPU and managed to trick it into ignoring its usual boot-time verifications! This is is big news! Pretty soon we’ll start seeing tutorials and modded firmwares. I really hope I can end up with similar functionality on my 360 as I had with my OG XBOX back in the day.
Essentially what they have done is sent a command via i2c to the CPU to underclock it slightly (there is a freely accessible header for i2c @ J2C3 on the MoBo). Then they send a POST_DA message which begins a counter before it boots again. At 20 nanoseconds they send a pulse on CPU_RESET that apparently (when the CPU is underclocked) allows for unsigned code to be run or possibly injected here. I’m not clear on the specifics yet. From there they restore the CPU speed via i2c and the XBOX continues its boot process. It begins loading whatever firware it has been given, here’s where the real fun happens. Since the DRAM isn’t initialized yet it can be patched before being run, from here one could turn off disc hash check error handling and many other things. Since this firmware is RC4 encrypted they simply use a known keystream to simply encrypt their own code.
I’ve embedded a video here that the group released earlier demoing the hack. BTW, the soundtrack to their demo video is… bad. I would mute it if I were you and maybe reach for a nice dubstep track.
This is all really hacky at the moment but what these guys have done is awesome! They’ve put in some serious work. Pretty soon we’ll be seeing daughter boards with pogo pins to do most of this for us I am sure. But I have a few XBOXen just lying around. After just a bit of digging I’ve got a tutorial PDF, pictures depicting the wiring for both fat and slim 360’s, and schematics for a cpld programmer, the cpld code, and even a Python script to build a NAND Flash image! These guys really do rock!
Download the files from my blog, This 8-Bit Life.