[X360] The Reset Glitch Hack

Discussion in 'User Submitted News' started by Aurora Wright, Aug 28, 2011.

  1. Aurora Wright
    OP

    Aurora Wright GBAtemp Advanced Maniac

    Video: http://www.youtube.com/watch?v=JyYdL4L6vwE
    We all know that the Xbox 360 is a masterpiece as far as software security is concerned; hackers such as tmbinc and marcan said so too.
    Since the software was so secure, some hackers found a hardware glitch, which works by using a chip to destabilize the processor while it checks the signature of one of the bootloaders.
    This glitch hack works on both FAT and SLIM models, allowing them to run unsigned code.
    Details about how it works:
    Tutorial (it requires hardware soldering skills)
     


  2. TLSS_N

    TLSS_N Who is John Galt?

    Hell yeah, NOW we're talking!
     
  3. Devin

    Devin "Local Hardware Wizard"

    You said it. Just ended my search for a JTAG 360, might do it to this Jasper I have.
     
  4. TLSS_N

    TLSS_N Who is John Galt?

    I wonder if this group let Microsoft know about this before they released it, since that's what happened with JTAG; it makes me wonder.
     
  5. Devin

    Devin "Local Hardware Wizard"

    I'm also curious about that, but if it works on any Dash. Don't update.
     
  6. FAST6191

    FAST6191 Techromancer

    Wow, a good read. I shall have to see how this all plays out and if it turns out it can be done on some more commodity hardware (thinking some of the more common development boards, although a quick scan says the current setup is nothing major). I sense I shall be doing a few, as this looks like it will work on banned hardware too.
     
  7. TLSS_N

    TLSS_N Who is John Galt?

    Well, if anyone needs a box, I suggest waiting a bit to find out if Microsoft has patched it; just keep an eye on the xbox-scene forums for a heads up. I know I am going to get a new box either way, I need it. And let's hope someone grabs the keys!!
     
  8. Devin

    Devin "Local Hardware Wizard"

    Yup. If it hasn't been patched yet, great. Until I get it done, my 360 stays offline. Just bought a 360 from a friend, so I'll have two to screw around with.

    (So that means the 360s can run games and still play on Live? Amazing.)
     
  9. Fudge

    Fudge Remember that death is not the end, but only a tra

    Awesome!!! Unsigned code is possible once more!
     
  10. raulpica

    raulpica With your drill, thrust to the sky!

    Hm, this will probably cause a nice huge drop in JTAG'd 360 prices. Good.

    I wonder if MS will still ban you if you use this hack... Hopefully it'll be less detectable.
     
  11. machomuu

    machomuu Drops by occasionally

    Sounds awesome, but I can't solder, so...

    I might buy another 360 just to do this.
     
  12. chartube12

    chartube12 GBAtemp Psycho!

    So much for the secret of how the xode was gonna work!
     
  13. hunter291

    hunter291 GBAtemp Advanced Fan

    So in noob language... could we describe it as "JTAG" for newer models? I mean, can this lead to the same stuff? Freestyledash, xellous, freeboot and stuff?
     
  14. 431unknown

    431unknown Greatness Awaits

    lol, nice! I knew somebody would find something new eventually.
     
  15. gregor1997

    gregor1997 Member

    This is awesome!
     
  16. shakirmoledina

    shakirmoledina Legend

    I wonder if the 3DS in the end will require an advanced hack like this.
    I also remember FAST talked about messing around with the clocks to get some strange results. This is a rare hack I have read about.
    If I am not mistaken, it's all about making a false hash (SHA) so it thinks it is the correct hash value, right?

    A little info I know about SHA from a book:
    Similar to MD5, but the message digest is 160 bits instead of 128 bits. This algorithm provides the hash function for the DSA algorithm specified within the DSS.
     
  17. FAST6191

    FAST6191 Techromancer

    If you are referring to that hacking concepts thread in the 3DS section, the clock hacks there were more about superclocking or underclocking to cause commands to be missed, interpreted badly, or to cause a race condition, which is a similar class of attack to the eventual one here. However, from reading the above it seems as though the clocks were slowed to allow things to work on simpler hardware: trying to get things to mesh at 200MHz or higher (the post said the point viewed was a fraction of the actual speed) is a nightmare (pretty much university or corporate level), but the sort of speeds they are mentioning when the CPU gets slowed down are far easier to work with.

    Once this is done, the CPU reset function seems to get abused; I am guessing it resets any flags in the CPU that get returned on the compare check as "not a match" just in time for the next part of the routine to think it is in fact correct and carry on booting. It being that early in the boot process means you can tell it whatever you like, and that includes getting it to give you the keys to the kingdom.
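    As an added illustration (not code from the thread or from the hack's authors) of the check FAST6191 describes: a bootloader that branches on a single comparison flag accepts a wrong hash if that one result is corrupted, while a check that compares twice with opposite sense and requires the two to agree fails closed. The digests and the fault model below are constructed for the example; a real countermeasure also needs compiler barriers and timing randomisation, which this toy omits.

```c
#include <stdbool.h>
#include <stdint.h>
#include <string.h>

#define HASH_LEN 20   /* SHA-1 digest size, as discussed in the thread */

/* Constructed sample digests (placeholder bytes, not real Xbox 360 values). */
static const uint8_t stored_hash[HASH_LEN] = {
    0x8a,0x13,0xe2,0x7f,0x50,0xc9,0x31,0x04,0xde,0x6b,
    0x77,0x2c,0x9d,0xa0,0x5e,0x18,0xf3,0x42,0xb6,0x0d };
static const uint8_t bad_hash[HASH_LEN] = {
    0x8a,0x13,0xe2,0x7f,0x50,0xc9,0x31,0x04,0xde,0x6b,
    0x77,0x2c,0x9d,0xa0,0x5e,0x18,0xf3,0x42,0xb6,0xff };  /* last byte differs */

/* Fault model (assumed for the example): the glitch corrupts exactly one
 * intermediate result. fault_step selects which comparison result is
 * flipped: 0 = no fault, 1 = first comparison, 2 = second comparison. */

/* Naive check: one comparison, one flag, one branch. A single flipped flag
 * turns a mismatch into an accept, which is the failure the thread describes. */
bool naive_accepts(const uint8_t *computed, int fault_step)
{
    bool match = (memcmp(computed, stored_hash, HASH_LEN) == 0);
    if (fault_step == 1) match = !match;          /* simulated glitch */
    return match;
}

/* Hardened check: two independent comparisons with opposite sense plus a
 * consistency test. One corrupted result makes the two disagree, and
 * disagreement is treated as failure, so the boot fails closed. */
bool hardened_accepts(const uint8_t *computed, int fault_step)
{
    bool match1 = (memcmp(computed, stored_hash, HASH_LEN) == 0);
    if (fault_step == 1) match1 = !match1;        /* simulated glitch */

    volatile uint8_t diff = 0;                    /* second, byte-wise pass */
    for (int i = 0; i < HASH_LEN; i++) diff |= computed[i] ^ stored_hash[i];
    bool mismatch2 = (diff != 0);
    if (fault_step == 2) mismatch2 = !mismatch2;  /* simulated glitch */

    if (match1 == mismatch2) return false;        /* results disagree: refuse */
    return match1;
}
```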
     
  18. Armadillo

    Armadillo GBAtemp Psycho!

    Nice, might have to grab a slim when funds allow it. Already got a JTAG, but with fans at 80% it's pretty loud.

    This line from the readme:

    "Now, maybe you haven't realised yet, but CB_A contains no checks on revocation fuses, so it's an unpatchable hack !"

    So does that mean unpatchable by software, or just unpatchable forever? It's a glitch on the CPU, so I'd assume any fix would have to be a hardware one, but I'm just wondering if the attack is at such a level that the console would need a complete redesign to fix it.

    I see a wave of 360 modchips coming now.
     
  19. dilav

    dilav GBAtemp Maniac

    Great news, but debating whether I should pick one up. A 25% boot rate isn't too bad either.
     
  20. shakirmoledina

    shakirmoledina Legend

    So speed is such a strange thing in processing that even a computer/machine can misinterpret a situation.

    Then again, I don't understand how they figured out to try this... is there a clue, or have they searched through the code? Or is it a guess/chance based on some info?

    PS - FAST, I had to read your post at least 4 times to try to understand what you said, and hopefully I get you.