  1. #1

    Join Date
    Dec 2002
    Location
    Asia
    Posts
    8,081
    Skill Level
    Elite
    Thanks
    556
    Thanked 27,754 Times in 1,589 Posts

    Exclamation Reset Glitch Hack - "JTAG" Type Exploit Zephyr/Jasper/Trinity(Slims) !!!

    Finally, a method of exploit (like the previous JTAG) has been found to work on all non-Xenon/Falcon consoles (yes....running unsigned code on Slim consoles and all dashboard versions on HDMI PHAT consoles !!!)

    This also means you will be able to run all the nice stuff like games from HDD (sucks for **** and ****** - looks like they won't be needed any more as they wouldn't have been live safe either)

    Update: regarding Falcon....
    Quote Originally Posted by gligli
    Falcons should work, tho they will need their own glitch timing (this also needs a proper explanation, but not today), couldn't do it because I didn't own one...
    Update 2: Xell Reloaded '2Stage' Download: http://tinyurl.com/xell2stage


    Source: http://libxenon.org/index.php?topic=145.msg614

    Full Guides / Files / Source Code / Instructions / Diagrams: http://tinyurl.com/resetglitch (The Xecuter CoolRunner is being manufactured which will be custom designed to do everything you need out of the box - stay tuned)

    You thought it wouldn't be possible?
    You thought there are only (a few) JTAGs or total overpriced Devkits to run unsigned Code?

    GliGli & Tiros are proving the opposite! They developed a Hack which glitches all recent Xbox360 Kernels to run unsigned Code on:

    ZEPHYR, JASPER .......and...... TRINITY (aka SLIM!).
    (no matter which Dashboard/Kernel they are running)

    http://www.youtube.com/watch?v=JyYdL4L6vwE

    Here is the detailed technical explanation.....

    **********************************
    * The Xbox 360 reset glitch hack *
    **********************************

    Introduction / some important facts
    ===================================

    tmbinc said it himself, software based approaches of running unsigned code on the 360 mostly don't work, it was designed to be secure from a software point of view.

    The processor starts running code from ROM (1bl), which then starts loading a RSA signed and RC4 crypted piece of code from NAND (CB).

    CB then initialises the processor security engine, its task will be to do real time encryption and hash check of physical DRAM memory. From what we found, it's using AES128 for crypto and strong (Toeplitz ?) hashing. The crypto is different each boot because it is seeded at least from:
    - A hash of the entire fuseset.
    - The timebase counter value.
    - A truly random value that comes from the hardware random number generator the processor embeds. On fats, that RNG could be electronically deactivated, but there's a check for "apparent randomness" (merely a count of 1 bits) in CB, it just waits for a seemingly proper random number.

    CB can then run some kind of simple bytecode based software engine whose task will mainly be to initialise DRAM, CB can then load the next bootloader (CD) from NAND into it, and run it.

    Basically, CD will load a base kernel from NAND, patch it and run it.

    That kernel contains a small privileged piece of code (hypervisor), when the console runs, this is the only code that would have enough rights to run unsigned code.
    In kernel versions 4532/4548, a critical flaw in it appeared, and all known 360 hacks needed to run one of those kernels and exploit that flaw to run unsigned code.
    On current 360s, CD contains a hash of those 2 kernels and will stop the boot process if you try to load them.
    The hypervisor is a relatively small piece of code to check for flaws and apparently no newer ones have any flaws that could allow running unsigned code.

    On the other hand, tmbinc said the 360 wasn't designed to withstand certain hardware attacks such as the timing attack and "glitching".

    Glitching here is basically the process of triggering processor bugs by electronical means.

    This is the way we used to be able to run unsigned code.

    The reset glitch in a few words
    ===============================

    We found that sending a tiny reset pulse to the processor while it is slowed down does not reset it but instead changes the way the code runs; it seems it's very efficient at making bootloaders' memcmp functions always return "no differences". memcmp is often used to check the next bootloader SHA hash against a stored one, allowing it to run if they are the same. So we can put a bootloader that would fail hash check in NAND, glitch the previous one and that bootloader will run, allowing almost any code to run.

    Details for the fat hack
    ========================

    On fats, the bootloader we glitch is CB, so we can run the CD we want.

    cjak found that by asserting the CPU_PLL_BYPASS signal, the CPU clock is slowed down a lot; there's a test point on the motherboard that's a fraction of CPU speed: it's 200MHz when the dash runs, 66.6MHz when the console boots, and 520kHz when that signal is asserted.

    So it goes like that:
    - We assert CPU_PLL_BYPASS around POST code 36 (hex).
    - We wait for POST 39 start (POST 39 is the memcmp between stored hash and image hash), and start a counter.
    - When that counter has reached a precise value (it's often around 62% of entire POST 39 length), we send a 100ns pulse on CPU_RESET.
    - We wait some time and then we deassert CPU_PLL_BYPASS.
    - The cpu speed goes back to normal, and with a bit of luck, instead of getting POST error AD, the boot process continues and CB runs our custom CD.

    The NAND contains a zero-paired CB, our payload in a custom CD, and a modified SMC image.
    A glitch being unreliable by nature, we use a modified SMC image that reboots infinitely (i.e. stock images reboot 5 times and then go RROD) until the console has booted properly.
    In most cases, the glitch succeeds in less than 30 seconds from power on that way.

    Details for the slim hack
    =========================

    The bootloader we glitch is CB_A, so we can run the CB_B we want.

    On slims, we weren't able to find a motherboard track for CPU_PLL_BYPASS.
    Our first idea was to remove the 27MHz master 360 crystal and generate our own clock instead, but it was a difficult modification and it didn't yield good results.
    We then looked for other ways to slow the CPU clock down and found that the HANA chip had configurable PLL registers for the 100MHz clock that feeds CPU and GPU differential pairs.
    Apparently those registers are written by the SMC through an I2C bus.
    I2C bus can be freely accessed, it's even available on a header (J2C3).
    So the HANA chip will now become our weapon of choice to slow the CPU down (sorry tmbinc, you can't always be right, it isn't boring and it does sit on an interesting bus).

    So it goes like that:
    - We send an i2c command to the HANA to slow down the CPU at POST code D8.
    - We wait for POST DA start (POST DA is the memcmp between stored hash and image hash), and start a counter.
    - When that counter has reached a precise value, we send a 20ns pulse on CPU_RESET.
    - We wait some time and then we send an i2c command to the HANA to restore regular CPU clock.
    - The cpu speed goes back to normal, and with a bit of luck, instead of getting POST error F2, the boot process continues and CB_A runs our custom CB_B.

    When CB_B starts, DRAM isn't initialised so we chose to only apply a few patches to it so that it can run any CD, the patches are:
    - Always activate zero-paired mode, so that we can use a modified SMC image.
    - Don't decrypt CD, instead expect a plaintext CD in NAND.
    - Don't stop the boot process if CD hash isn't good.

    CB_B is RC4 crypted, the key comes from the CPU key, so how do we patch CB_B without knowing the CPU key?
    RC4 is basically:
    crypted = plaintext xor pseudo-random-keystream
    So if we know plaintext and crypted, we can get the keystream, and with the keystream, we can encrypt our own code. It goes like that:
    guessed-pseudo-random-keystream = crypted xor plaintext
    new-crypted = guessed-pseudo-random-keystream xor plaintext-patch
    You could think there's a chicken and egg problem, how did we get plaintext in the first place?
    Easy: we had plaintext CBs from fat consoles, and we thought the first few bytes of code would be the same as the new CB_B, so we could encrypt a tiny piece of code to dump the CPU key and decrypt CB_B!

    The NAND contains CB_A, a patched CB_B, our payload in a custom plaintext CD, and a modified SMC image.
    The SMC image is modified to have infinite reboot, and to prevent it from periodically sending I2C commands while we send ours.

    Now, maybe you haven't realised yet, but CB_A contains no checks on revocation fuses, so it's an unpatchable hack !

    Caveats
    =======

    Nothing is ever perfect, so there are a few caveats to that hack:
    - Even if the glitch we found is pretty reliable (25% success rate per try on average), it can take up to a few minutes to boot to unsigned code.
    - That success rate seems to depend on something like the hash of the modified bootloader we want to run (CD for fats and CB_B for slims).
    - It requires precise and fast hardware to be able to send the reset pulse.

    Our current implementation
    ==========================

    We used a Xilinx CoolRunner II CPLD (xc2c64a) board, because it's fast, precise, updatable, cheap and can work with 2 different voltage levels at the same time.
    We use the 48MHz standby clock from the 360 for the glitch counter. For the slim hack, the counter even runs at 96MHz (incremented on rising and falling edges of clock).
    The cpld code is written in VHDL.
    We need it to be aware of the current POST code; our first implementations used the whole 8-bit POST port for this, but we are now able to detect the changes of only 1 POST bit, making wiring easier.

    Conclusion
    ==========

    We tried not to include any MS copyrighted code in the released hack tools.
    The purpose of this hack is to run Xell and other free software, I (GliGli) did NOT do it to promote piracy or anything related, I just want to be able to do whatever I want with the hardware I bought, including running my own native code on it.

    Credits
    =======

    GliGli, Tiros: Reverse engineering and hack development.
    cOz: Reverse engineering, beta testing.
    Razkar, tuxuser: beta testing.
    cjak, Redline99, SeventhSon, tmbinc, anyone I forgot... : Prior reverse engineering and/or hacking work on the 360.
    Full Guides / Files / Source Code / Instructions / Diagrams: http://tinyurl.com/resetglitch (The Xecuter CoolRunner is being manufactured which will be custom designed to do everything you need out of the box - stay tuned)

    Note: You can use the XECUTER NAND-X For Slim Nand Dumping


    PLEASE READ THE FORUM RULES BEFORE POSTING HERE

    The Following 168 Users Say Thank You to Xecuter For This Useful Post:


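The keystream-recovery step described in the slim section above (crypted xor plaintext gives the keystream, keystream xor patch gives new ciphertext), as an added worked example that is not gligli's code or the released tools. It uses a plain RC4 implementation, a constructed placeholder key and constructed images, and SHA-1 as a stand-in for the bootloader's stored-hash comparison; the point is that the stream cipher alone offers no integrity, so the hash check is the only gate left, which is exactly what the glitch has to defeat.

```python
import hashlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4 (KSA + PRGA); returns `length` keystream bytes."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """RC4 is symmetric: the same call encrypts and decrypts."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def recover_keystream(crypted: bytes, known_plaintext: bytes) -> bytes:
    """crypted xor plaintext = keystream, for as many bytes as we know."""
    return xor_bytes(crypted[: len(known_plaintext)], known_plaintext)


def forge_prefix(crypted: bytes, keystream: bytes, patch: bytes) -> bytes:
    """Re-encrypt a patch with the recovered keystream; the rest is untouched."""
    return xor_bytes(keystream[: len(patch)], patch) + crypted[len(patch):]


def hash_check(image: bytes, stored_digest: bytes) -> bool:
    """Stand-in for the bootloader's memcmp(SHA(image), stored hash)."""
    return hashlib.sha1(image).digest() == stored_digest


# Constructed sample data (placeholder key, not a real CPU key or image).
CPU_KEY = bytes(range(16))
SHARED_PREFIX = b"\x7c\x00\x00\x00" * 4        # bytes assumed common to both images
SECRET_TAIL = b"per-console code, unknown to the attacker"
REAL_IMAGE = SHARED_PREFIX + SECRET_TAIL
PATCH = b"PATCH!!!"                            # 8 constructed bytes to splice in


def demo() -> dict:
    crypted = rc4_crypt(CPU_KEY, REAL_IMAGE)          # what sits in NAND
    stored = hashlib.sha1(REAL_IMAGE).digest()        # what the previous stage compares
    ks = recover_keystream(crypted, SHARED_PREFIX)    # no key needed
    forged = forge_prefix(crypted, ks, PATCH)
    decrypted = rc4_crypt(CPU_KEY, forged)            # what the console would see
    return {
        "keystream_correct": ks == rc4_keystream(CPU_KEY, len(SHARED_PREFIX)),
        "patch_decrypts": decrypted.startswith(PATCH),
        "tail_intact": decrypted[len(PATCH):] == REAL_IMAGE[len(PATCH):],
        "original_passes": hash_check(REAL_IMAGE, stored),
        "forged_passes": hash_check(decrypted, stored),
    }
```

The forged image decrypts cleanly but fails the hash comparison, which is why the writeup needs the reset glitch on the memcmp rather than any weakness in the cipher itself.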

  2. #2

    Join Date
    May 2010
    Location
    Silver Sun City, Asia
    Posts
    1,475
    Skill Level
    RGH Addicted
    Thanks
    357
    Thanked 138 Times in 129 Posts

    Re: Reset Glitch Hack - JTAG All Consoles inc Slims !!!

    WOW! Unbelievable

    Wohoo finally I can resurrect my xbox without dvd key

    The Following User Says Thank You to WalangAlam For This Useful Post:



  3. #3

    Join Date
    Feb 2003
    Location
    California, USA
    Posts
    6,238
    Skill Level
    Modding, Gaming
    Thanks
    1,175
    Thanked 19,202 Times in 2,723 Posts

    Re: Reset Glitch Hack - JTAG All Consoles inc Slims !!!

    Yep, this exploit cannot be patched through a future dash update as CB_A contains no checks on revocation fuses

    Nice work

    The Following 9 Users Say Thank You to Ubergeek For This Useful Post:



  4. #4

    Join Date
    Jul 2010
    Location
    (UK)
    Posts
    1,839
    Skill Level
    playing
    Thanks
    1,136
    Thanked 797 Times in 487 Posts

    Re: Reset Glitch Hack - JTAG All Consoles inc Slims !!!

    Hell yeah a new dimension has opened
    was this something that TX were aware of already ?

  5. #5

    Join Date
    Dec 2002
    Location
    Asia
    Posts
    8,081
    Skill Level
    Elite
    Thanks
    556
    Thanked 27,754 Times in 1,589 Posts

    Re: Reset Glitch Hack - JTAG All Consoles inc Slims !!!

    Quote Originally Posted by bandit123 View Post
    Hell yeah a new dimension has opened
    was this something that TX were aware of already ?
    No this is something new. A really nice exploit found by GliGli and Tiros

    Full Guides / Files / Source Code / Instructions / Diagrams: http://tinyurl.com/resetglitch

    The Following 4 Users Say Thank You to Xecuter For This Useful Post:



  6. #6

    Join Date
    Jan 2004
    Location
    Scotland, UK
    Posts
    36,230
    Skill Level
    Hardware diagnostics and modchip troubleshooting
    Thanks
    1,496
    Thanked 10,854 Times in 7,278 Posts

    Re: Reset Glitch Hack - JTAG All Consoles inc Slims !!!

    Massive news! Thanks to those who didn't give up!

    The Following User Says Thank You to Martin C For This Useful Post:



  7. #7

    Join Date
    May 2010
    Location
    90N
    Posts
    3,811
    Skill Level
    凸(‿)凸
    Thanks
    538
    Thanked 1,415 Times in 943 Posts

    Re: Reset Glitch Hack - JTAG All Consoles inc Slims !!!

    Very Fooking Nice Indeed ..

    The Following User Says Thank You to J2G For This Useful Post:



  8. #8

    Join Date
    May 2010
    Location
    Silver Sun City, Asia
    Posts
    1,475
    Skill Level
    RGH Addicted
    Thanks
    357
    Thanked 138 Times in 129 Posts

    Re: Reset Glitch Hack - JTAG All Consoles inc Slims !!!

    This will have all the capabilities of the 7371 jtag right? oh what will happen to the xode, ****, etc.? Won't be safe for xlive? Sorry I'm so excited

  9. #9

    Join Date
    Jan 2010
    Location
    where nobody will find me
    Posts
    159
    Skill Level
    noob
    Thanks
    80
    Thanked 21 Times in 13 Posts

    Re: Reset Glitch Hack - JTAG All Consoles inc Slims !!!

    nice, guess I'll be buying a second console for this glitch

  10. #10

    Join Date
    Jun 2007
    Location
    UK
    Posts
    1,681
    Skill Level
    proficient in most
    Thanks
    77
    Thanked 453 Times in 376 Posts

    Re: Reset Glitch Hack - JTAG All Consoles inc Slims !!!

    And they said it would never happen....hopefully I can dig that mint Jasper (minus Dvd Key) out now

    The Following User Says Thank You to frazzeld For This Useful Post:



  11. #11

    Join Date
    Feb 2011
    Location
    Czech Republic
    Posts
    268
    Skill Level
    -
    Thanks
    166
    Thanked 47 Times in 40 Posts

    Re: Reset Glitch Hack - JTAG All Consoles inc Slims !!!

    Will TX make own product(s) for this hack? It should be nice one(s).

    The Following User Says Thank You to rendis.adio For This Useful Post:



  12. #12
    BANNED
    Join Date
    Mar 2011
    Location
    united kingdom
    Posts
    1,423
    Skill Level
    flasher
    Thanks
    146
    Thanked 416 Times in 354 Posts

    Re: Reset Glitch Hack - JTAG All Consoles inc Slims !!!

    wonder how long it will take M$ to come up with a new revision to block this on new batches

  13. #13
    Full Member
    Join Date
    Jan 2011
    Location
    Michigan,USA
    Posts
    69
    Skill Level
    Mod/Repair/RGH
    Thanks
    124
    Thanked 10 Times in 7 Posts

    Re: Reset Glitch Hack - JTAG All Consoles inc Slims !!!

    Quote Originally Posted by WalangAlam View Post
    WOW! Unbelievable

    Wohoo finally I can resurrect my xbox without dvd key
    Do you know how many xbox 3 sixty's I have without the dvd key .......this is amazing

  14. #14
    Full Member
    Join Date
    Jul 2010
    Location
    Almelo
    Posts
    36
    Skill Level
    Professional Dutch Modder
    Thanks
    9
    Thanked 0 Times in 0 Posts

    Re: Reset Glitch Hack - JTAG All Consoles inc Slims !!!

    And here the tutorial: http://tinyurl.com/42pvld3

    Edit: yeah it's in the OP already - don't spam other sites' links here

  15. #15

    Join Date
    Aug 2010
    Location
    Cornwall England
    Posts
    2,171
    Skill Level
    RGH, Flashing, Sales master of the universe
    Thanks
    227
    Thanked 307 Times in 246 Posts

    Re: Reset Glitch Hack - JTAG All Consoles inc Slims !!!

    bad ass, I wish I understood any of what they said. I will be paying one of you good peeps soon to jtag my slim I hope
    flashed consoles, JTAGS and RGHs CLEARANCE!
    CRAZY CHEAP CONSOLES!
    http://team-xecuter.com/forums/showthread.php?t=99626

  16. #16

    Join Date
    Feb 2003
    Location
    California, USA
    Posts
    6,238
    Skill Level
    Modding, Gaming
    Thanks
    1,175
    Thanked 19,202 Times in 2,723 Posts

    Re: Reset Glitch Hack - JTAG All Consoles inc Slims !!!

    Quote Originally Posted by WalangAlam View Post
    This will have all the capabilities of the 7371 jtag right? oh what will happened to the xode, ****, etc.? Won't be safe for xlive? Sorry I'm so excited
    You will be able to run all games from HDD without using **** etc

    The Following 9 Users Say Thank You to Ubergeek For This Useful Post:



  17. #17
    Full Member
    Join Date
    Jan 2011
    Location
    Michigan,USA
    Posts
    69
    Skill Level
    Mod/Repair/RGH
    Thanks
    124
    Thanked 10 Times in 7 Posts

    Re: Reset Glitch Hack - JTAG All Consoles inc Slims !!!

    Quote Originally Posted by Blkmoose View Post
    Do you know how many xbox 3 sixty's I have without the dvd key .......this is amazing
    Also have a slim that did not retrieve the key before the kamikaze hack... brand spanking new!!!!!

  18. #18

    Join Date
    Jul 2010
    Location
    (UK)
    Posts
    1,839
    Skill Level
    playing
    Thanks
    1,136
    Thanked 797 Times in 487 Posts

    Re: Reset Glitch Hack - JTAG All Consoles inc Slims !!!

    Makes some sense reading it through and wow going to have to stock up on slims now

    no doubt ubergeeks already 50% through a tutorial for TX lol out mad TUT scientist

  19. #19

    Join Date
    Apr 2005
    Location
    Texas
    Posts
    390
    Skill Level
    modds
    Thanks
    87
    Thanked 106 Times in 92 Posts

    Re: Reset Glitch Hack - JTAG All Consoles inc Slims !!!

    this is fkin nice to hear I can't wait to see the tx solution as it is always top notch and not only that this will bring life back to the programming scene for jtags as it was still being worked on but not near as much as it used to

  20. #20

    Join Date
    May 2010
    Location
    Silver Sun City, Asia
    Posts
    1,475
    Skill Level
    RGH Addicted
    Thanks
    357
    Thanked 138 Times in 129 Posts

    Re: Reset Glitch Hack - JTAG All Consoles inc Slims !!!

    Quote Originally Posted by Ubergeek View Post
    You will be able to run all games from HDD without using **** etc
    Nice. Too bad for the **** team.

    Can we use ****** 2.0 ++? nand-x?
