New Xbox 360 Homebrew Method (Founded by me)
Discussion in 'Xbox 360 Tutorials' started by sunkist0, Saturday at 4:59 PM.
So basically, this is another way to run homebrew. Or in other words "RGH", or "Jtag" ANY console. Corona included. If you have any questions regarding this, or any other material. Shoot me a PM, .
First, you're going to have to adjust the optimal configulation of distributed database system inside of Q41 sector of the south bridge chip. The actual exploit we are looking at is on the Output controller hub (ICH).
As you can see below in the diagram, the north and south bridge chips. (Note, the picture is not a diagram of an xbox 360's motherboard. It is just a visual to make it easier to understand.)
After we run the reverse pulse out of the output controller hub, it will bypass the Out-Of-Band management controller, which is segment one of Syscall. Syscall is the how a program requests a service from an operating system's kernel. This is a vital process in the Xbox 360's security which is what we are bypassing now.
This is the point where all of this becomes important.
00000000..00100000: SMC, KV, CB, CD, CE, CF, CG, backup bootloader
00100000..00140000: main bootloader
00140000..00f7c000: empty space
00f7c000 : smc config block
00ffc000 : exploit buffer
After bypassing the OOB management controller, it will cause a buffer overflow in the smc config block which calls for payload ea00c020. You see what I did there? It bypasses the main bootloader cycle and starts it in hypervisor, which will still start most of the same functions as the main bootloader cycles, except in an escalated state. Boot times will be a tad slower, but not as slow as the RGH. Maybe a second or two slower.
Unprivileged code interacts with the hypervisor via the syscall instruction. This causes the machine to enter escalated hypervisor mode.
Preconditions (Registers set by unprivileged code)
%r0 syscall no.
%r3-%r12 syscall arguments
13D8: cmplwi %r0, 0x61
13DC: bge illegal_syscall
13F0: rldicr %r1, %r0, 2, 61
13F4: lwz %r4, syscall_table(%r1)
13F8: mtlr %r4
When processing the syscall, the processor is running in "hypervisor real mode", with the MMU switched off. However, when accessing memory locations with the MSB cleared, an additional offset, the Hypervisor Real Mode Offset (HRMO), will be applied to all memory addresses.
This does not take multiple attempts like the RGH does to boot. It boots like a normal xbox. It may seem a bit confusing, but I plan on making this more user-friendly looking in the near future. Until then, I will continue developing this. Stay tuned for updates every couple days.
If you repost this, please give me credit. I put a lot of time into studying this. And also some money, due to multiple xbox purchases.
Credit goes to me, Sunkist0.