xb360 jtag exploit - Discussion

[rjrusek]

So, some quick news:

We kept on working on this idea, and it worked out. pretty well. We use JTAG to program the DMA target addr, and then SMC to trigger the DMA read. The exploit itself is based on the old 4532 exploit.

The magic is how we launch 4532 - there is a "backdoor" for manufacturing since CB 1920. We have been able to restore the newer CD versions for all hardware types.

This means:
 - We can boot own code in HV context ~5s after boot, before any video output, right after the kernel runs.
 - we need to reflash the flash, and add 3 resistors for the JTAG (no modchip required! but you might want a dual-nand modchip),
 - 8498 kills this by updating the bootloader - it blacklists 4532/4548. it also does hw init stuff which might interefere with the jtag hack, we don't know yet.
 - we have a proof of concept hack, we will release it SOON (a matter of hours/days, not more - promised.).
 - DON'T UPDATE to summer 09. Did i already say this?
 - you don't need to know your cpu key. You can update to all BUT summer '09. you don't need a dvdrom.
 - It works on all xenon, zephyr, falcon, opus, jasper. Unless you have updated to 849x. Then you're screwed.

How does M$ modify the 1BL if it is in the CPU rom?  Can they re-write the CPU ROM?

[tmbinc]

They update 2BL, not 1BL, but with the fuses, they can make sure that the old 2BL doesn't run anymore.

[Kushan]

Hi there,
I don't mean to go off topic or anything, but I've got a small question:

Is there anything I, someone who doesn't mind a bit of soldering but doesn't really know much about Linux, can do to help at all?
I'm sure I'm not the only person willing to help in whatever way they can so for those of us who can probably get the hack working but don't really know much else, what can we do?
If it's a case of just sitting back and enjoying the ride, that's cool, but if NAND dumps, or details on the console used (dash version and such) are in any way helpful, I'm willing to give what I can.

Cheers! And thanks again for all the hard work you guys are putting into it.

[tmbinc]

Yes, there are millon ways. For example, we need proper documentation (like howtos), for flashing, for soldering, for checking what box are usable, for compiling etc. on free60.org. Also we need a system administrator to take care of the slow-to-death free60 wiki. Also check free60.org/wiki/Help for some ideas.

For people liking to compile and care about toolchains, the libxenon etc. stuff is very simple, and could be improved MUCH. We need some easy to use development software, like devkitPPC for wii. The beginnings of that are already there. A nice howto, like "howto compile the cube example", would be cool.

Then people who can program a bit should start porting stuff. See the snes9x as an example, it's really not that hard. If you have specific questions, feel free to ask for help.

[Cpasjuste]

tmbinc i will probably work on the build toolchain script, make libxenon as a proper library and add that to the building script too.

[gupek]

Successfully booted Linux from HDD. vmlinuz from ssmurf kernel-v2.6.24.3. xenon.elf from usb stick. Xell support loading elf from HDD would be grate in the future. 

any instructions how to do it? ... because i bricked my dvd yesterday 

[B1N4RY]

You still need DVD Drive to boot into linux, and run the installscript

[havelln]

ive been trying to read but cant find much but  is it  basically before we see a hacked nand for jasper someone has to decrypt a jasper nand first
and is it at the mo you can only decrypt the nand with cpu key but we cant get cpu key without a hacked nand and the ta dont work

[Kushan]

ive been trying to read but cant find much but  is it  basically before we see a hacked nand for jasper someone has to decrypt a jasper nand first
and is it at the mo you can only decrypt the nand with cpu key but we cant get cpu key without a hacked nand and the ta dont work

No, it's nothing like that I think. I believe it's simply a case of needing to solder onto different parts of the motherboard (Info is known, just not released yet) and needing a specially crafted Jasper_Hacked.bin to flash onto the NAND. There aren't any roadblocks to this, it's just a matter of getting around to doing it.
My guess is that the authors have a choice: Work on hacked NANDs that doesn't do much (at least for your average joe) for all the chipsets out there, or concentrate on the one chipset for the moment while they iron out the bugs, improve features and generally make it more useful.

[Shaun]

Just bloody wait !
The smc on these boxes is different, therefore the hw init needs to be sorted 1st else you end up with a black screen / crashed system. Be grateful the details for xenon are released so that lots of folk can iron out the bugs and add features to that so that a stable setup can be achieved quickly.
The hw is different, therefore the pinouts are also, and the code needs to find a way to jtag to a diff port which isnt a 5 min job.

[gadget78]

Good post kushan, there are many people like this i feel....

Yes, there are millon ways. For example, we need proper documentation (like howtos), for flashing, for soldering, for checking what box are usable, for compiling etc. on free60.org. Also we need a system administrator to take care of the slow-to-death free60 wiki. Also check free60.org/wiki/Help for some ideas.

For people liking to compile and care about toolchains, the libxenon etc. stuff is very simple, and could be improved MUCH. We need some easy to use development software, like devkitPPC for wii. The beginnings of that are already there. A nice howto, like "howto compile the cube example", would be cool.

Then people who can program a bit should start porting stuff. See the snes9x as an example, it's really not that hard. If you have specific questions, feel free to ask for help.

am gonna try get some tutrials up, as i do have a 360, stuck in a update sequence. so now it can be fixed so once done will make a tuturial on how !

also one question, how did they make it so that only the new 2BL loads and not the old one, just by blowing fuse's ? as i presume the CPU key is still the same ? so we can still decyrpt the nand ?  and re-encypt it to how we want it ? 

thanks, not only for all your time, but for sharing what you found with us all !

[l_oliveira]

2BL has some code in itself that reads the CPU fuses, check if it has been flagged as "blocked" and if it has been flagged as such, halts.

Because 2BL itself is a signed piece of code it can't be modified. Only Microsoft can sign them. So we're aways playing "catch 22" on this game ... lol

[MoDInside]

does any of you guys tried the Xell_DHCP_RGB_1024x786? it says in the nfo it supports component video output now, I tried it, but all I get is the e79 error and just one red light, are we supposed to do something else with this new image? The xbox is a Xenon, tried in two different systems same error.

[Millhouse]

Xell_DHCP_RGB_1024x786 works fine on my 360 with component video.

My problem is that the kernel starts from cd/dvd, but stop running on mounting drives.

You can see on this pic --> http://img150.imageshack.us/img150/7584/img0152b.jpg

What to do?

[MoDInside]

Xell_DHCP_RGB_1024x786 works fine on my 360 with component video.

My problem is that the kernel starts from cd/dvd, but stop running on mounting drives.

You can see on this pic --> http://img150.imageshack.us/img150/7584/img0152b.jpg

What to do?

How did you flashed the image? infectus, nand pro? and do you have a disk on the drive or a usb with gentoo on it?

[Xb0xGuru]

Xell_DHCP_RGB_1024x786 works fine on my 360 with component video.

My problem is that the kernel starts from cd/dvd, but stop running on mounting drives.

You can see on this pic --> http://img150.imageshack.us/img150/7584/img0152b.jpg

What to do?

If it's a Hitachi drive, put it in Mode-B : http://www.xboxhacker.net/index.php?topic=12264.msg81194#msg81194

[Arakon]

@Modinside: Did you attempt to flash it as a whole nand image? or as a xell update? it's only the xell loader, not the entire xenon_hack file.

[MoDInside]

@Modinside: Did you attempt to flash it as a whole nand image? or as a xell update? it's only the xell loader, not the entire xenon_hack file.

@Arakon, I tried the image that's on xbins "Xell_DHCP_RGB_1024x786\NewXell.bin"
according to the info.

Original Xenon_Hacked.bin, updated with the
xell-1f.bin file that adds DHCP, and
1024x786 VGA out
and Support for composite RGB


Still no sound
RCA cables do not work

You need either VGA or RGB(component) Cables

but everytime I flashed that dump (infectus) it always shows the e79 error, on different consoles. I guess I need a full dump of an already flashed xenon-hack.bin with the xell-1f.bin flashed onto it, I know that's what it says the one from xbins, but its not working for me, so I am assuming that dump is the problem.
Unfortunately, my PC don't have the Parallel port, so I can't try nand pro right now. and my VGA cable is not with me but I will get it back in 2 days, I just wanted to give it a shot to the new Xell image.

[B1N4RY]

For a start, did you solder the three 330ohm resistors?

[MoDInside]

It's all good now, one of the wires on the resistors was loose. thanks.