Hey everyone,
As many of you saw at the RE//verse conference, researcher Markus "doom" Gaasedelen blew the Xbox One’s security wide open with the "Bliss" exploit—a hardware-level Voltage Glitch Hack (VGH) targeting the secure boot ROM. Because this attack exploits physical silicon behavior during early boot, it is completely unpatchable.
While Markus proved the concept, we haven't had a consumer-ready "modchip" to automate this process for regular users. However, hardware developer GFL_Tech has officially stepped up to change that. They have launched an open-source hardware project to design, build, and code a functional physical modchip for the Bliss Hack.
I wanted to put together a tracking thread here on GBATemp to log their engineering progress, lay out the roadmap, and get more eyes from the HW hacking scene on this project.
The Hardware and How It Works
Unlike the original Xbox ModXO project, which uses a cheap Raspberry Pi RP2040 to mimic a flash chip, glitching the Xbox One requires insane, sub-nanosecond timing precision.
The GFL_Tech modchip is currently leveraging a hybrid approach to tackle the security processor:
Signal Processing: Utilizing a TLV3201 high-speed comparator circuit to clean up and track the motherboard's hardware states.
Sidechannel Isolation: Designing a custom Quick Solder Board (QSB) to hook directly into the EFUSE lines, tuning resistor values to kill signal noise.
The Glitch Trigger: The end goal is using a microcontroller/CPLD setup to automatically sweep timing profiles against the EMMC DAT0 lines to intercept execution flow and drop the voltage rail at the exact microsecond required.
The Project Roadmap and Current Status
GFL_Tech is treating this as a transparent, step-by-step engineering journey. Here is where the project currently sits:
Phase 1: Sourcing and teardown of a 2013 "Day One" Xbox One retail testbed. (Completed)
Phase 2: Successful testing of the TLV3201 comparator circuit. (Completed)
Phase 3: Finalizing the EFUSE QSB layout and stabilizing pull-up/pull-down noise. (In Progress)
Phase 4: Coding the automated glitch-sweep logic for the MCU. (Planned)
Phase 5: Real-time timing sweeps against the EMMC lines to hijack execution flow. (Planned)
Phase 6: Public V1 Release featuring open-source PCB schematics, code, and installation guides for the community to test and refine. (Planned)
Where to Follow and Contribute
If you want to look at the hardware schematics, trace their engineering steps, or contribute to the codebase, everything is being kept open:
GitHub Source: https://github.com/GFLTech/Xbox-One-Bliss-Hack-GFL_Tech-Modchip- to check out the wiki and hardware roadmaps.
Video Devlogs: They are documenting the actual hardware breakdowns, scope readouts, and circuit testing on YouTube under the handle @GFL_Tech.
Videos
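Since Phase 4 and Phase 5 (the automated glitch-sweep logic and the timing sweeps) are still planned, here is a sketch of what that MCU-side search loop can look like. This is an added example written for this thread, not code from the GFL_Tech repo or from Markus' talk. The `fire_fn` callback stands in for the real pulse hardware (the "trigger edge" would be whatever the comparator derives from the board, the eMMC DAT0 activity in their design), `model_target` is an invented stand-in for the console with made-up numbers, and the two-stage strategy (find the width at which the target resets, then search just below it at fine delay steps) is a common glitching heuristic, not something taken from the project.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* What the MCU concludes after each pulse: the target booted normally, it
 * browned out and reset, or the check it was aiming at got skipped (on real
 * hardware that would be read off the eMMC/DAT0 traffic that follows). */
typedef enum { OUT_NORMAL = 0, OUT_RESET = 1, OUT_SUCCESS = 2 } outcome_t;

typedef struct { uint32_t delay_ns; uint32_t width_ns; } glitch_params_t;

/* Fires one pulse of width_ns, starting delay_ns after the trigger edge. */
typedef outcome_t (*fire_fn)(uint32_t delay_ns, uint32_t width_ns);

typedef struct {
    uint32_t delay_min, delay_max;    /* delay window after the trigger, ns */
    uint32_t coarse_step, fine_step;  /* delay steps for stage 1 and 2, ns */
    uint32_t width_min, width_max, width_step;
    uint32_t attempts;                /* pulses fired so far */
    bool found;
    glitch_params_t best;             /* first parameters that worked */
} sweep_t;

#define MAX_COARSE 64

/* Hypothetical target model standing in for the board (numbers invented):
 * anything under 30 ns is absorbed, 70 ns or more browns the core out, and
 * only a 45..65 ns pulse landing 1210..1230 ns after the trigger skips the
 * check. A real console has its own, board-specific window. */
static outcome_t model_target(uint32_t delay_ns, uint32_t width_ns) {
    if (width_ns < 30) return OUT_NORMAL;
    if (width_ns >= 70) return OUT_RESET;
    if (delay_ns >= 1210 && delay_ns <= 1230 && width_ns >= 45 && width_ns <= 65)
        return OUT_SUCCESS;
    return OUT_NORMAL;
}

static void record_hit(sweep_t *s, uint32_t d, uint32_t w) {
    s->found = true;
    s->best.delay_ns = d;
    s->best.width_ns = w;
}

/* Stage 1: at one coarse delay, widen the pulse until the target resets.
 * The reset threshold is where the rail droop starts to bite; a glitch that
 * skips an instruction without killing the core usually sits just below it. */
static uint32_t reset_threshold(sweep_t *s, fire_fn fire, uint32_t delay) {
    for (uint32_t w = s->width_min; w <= s->width_max; w += s->width_step) {
        s->attempts++;
        outcome_t o = fire(delay, w);
        if (o == OUT_SUCCESS) { record_hit(s, delay, w); return w; }
        if (o == OUT_RESET) return w;
    }
    return 0; /* never reset: nothing sensitive at this delay */
}

bool run_sweep(sweep_t *s, fire_fn fire) {
    uint32_t thr[MAX_COARSE] = {0};
    uint32_t n = 0;
    s->found = false;
    s->attempts = 0;
    for (uint32_t d = s->delay_min; d <= s->delay_max && n < MAX_COARSE; d += s->coarse_step) {
        thr[n++] = reset_threshold(s, fire, d);
        if (s->found) return true;
    }
    /* Stage 2: between coarse points that both reset, step the delay finely
     * and try only the few widths just under the local reset threshold. */
    for (uint32_t i = 0; i + 1 < n; i++) {
        if (!thr[i] || !thr[i + 1]) continue;
        uint32_t top = thr[i] < thr[i + 1] ? thr[i] : thr[i + 1];
        uint32_t d0 = s->delay_min + i * s->coarse_step;
        for (uint32_t d = d0 + s->fine_step; d < d0 + s->coarse_step; d += s->fine_step) {
            for (uint32_t k = 1; k <= 3 && top > k * s->width_step; k++) {
                uint32_t w = top - k * s->width_step;
                if (w < s->width_min) break;
                s->attempts++;
                if (fire(d, w) == OUT_SUCCESS) { record_hit(s, d, w); return true; }
            }
        }
    }
    return false;
}

int main(void) {
    sweep_t s = { 1000, 1500, 100, 10, 10, 100, 10, 0, false, {0, 0} };
    if (run_sweep(&s, model_target))
        printf("hit after %u pulses: delay %u ns, width %u ns\n",
               (unsigned)s.attempts, (unsigned)s.best.delay_ns, (unsigned)s.best.width_ns);
    else
        printf("no hit in %u pulses\n", (unsigned)s.attempts);
    return 0;
}
```

With the invented model the coarse grid (100 ns steps) misses the 20 ns wide success window entirely, and the fine stage finds it at 1210 ns / 60 ns after 97 pulses instead of the thousands a blind full-grid sweep would take. On the real board the hard part is the outcome classifier (telling "reset" from "skipped" from "nothing happened" off the scope/eMMC lines) and the fact that the window drifts with temperature and rail loading, so a production firmware would re-verify a hit several times before trusting the parameters.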