my research and reverse engineering notes/utilities relating to the Xbox 360 (Mirrored from https://github.com/InvoxiPlayGames/x360-research)

update

+87 -10
+1
README.md
··· 50 50 * [DrSchottky's X360 Reversing tutorials](https://www.razielconsole.com/forum/guide-e-tutorial-xbox-360/943-%5Bx360-reversing%5D-intro.html) 51 51 * [TEIR1plus2's Xbox-Reversing](https://github.com/TEIR1plus2/Xbox-Reversing) 52 52 * [ihatecompvir's x360-hv-notes](https://github.com/ihatecompvir/x360-hv-notes) 53 + * [Grimdoomer's Xbox 360 hypervisor article](https://icode4.coffee/?p=1047) 53 54 54 55 I likely wouldn't know nearly as much as I do if not for all the great open source 55 56 projects detailing how parts of this system work, and all the people behind them.
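Review bot: the same URL (https://icode4.coffee/?p=1047) is credited here to "Grimdoomer" but to "Ryan Miceli" in the References list added to official-software/system/security_overview.md in this same commit; pick one attribution (or give both, e.g. `* [Grimdoomer (Ryan Miceli)'s "Hacking the Xbox 360 Hypervisor Part 1: System Overview"](https://icode4.coffee/?p=1047)`) and use the article's actual title rather than the generic "Xbox 360 hypervisor article", matching the named-project style of the three entries above it.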
+6
homebrew/README.md
··· 1 + **Emma's Xbox 360 Research Notes - Homebrew** 2 + 3 + # Table of Contents 4 + 5 + * xeBuild 6 + * Patch Format
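Review bot: the new table of contents lists `xeBuild` and `Patch Format` as two sibling bullets with no links, but the only page this commit adds is homebrew/xebuild/patch_format.md, so Patch Format is a child of xeBuild and neither entry resolves to a page. Nest and link them so the TOC is navigable: `* xeBuild` followed by `  * [Patch Format](xebuild/patch_format.md)`.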
+34
homebrew/xebuild/patch_format.md
··· 1 + **Emma's Xbox 360 Research Notes - Homebrew - xeBuild** 2 + 3 + Updated 7th March 2025. 4 + 5 + Stub page. 6 + 7 + # Patch Format 8 + 9 + | Offset | Type | Description | 10 + | ------ | -------- | ----------------------------------- | 11 + | `0x0` | uint32 | Address in boot section to patch | 12 + | `0x4` | uint32 | Number of 4-byte words to patch | 13 + | `0x8` | uint32[] | Array of words to insert at address | 14 + 15 + Patch sets are delimited by `0xFFFFFFFF` to signify the end of the current 16 + section. 17 + 18 + For SMC hacked images, patches are structured in this order: 19 + * 1BL patches 20 + * CB patches 21 + * CD patches 22 + * Hypervisor/kernel patches 23 + 24 + For RGH images, patches are structured in this order: 25 + * CB_B patches 26 + * CD patches 27 + * Hypervisor/kernel patches 28 + 29 + ## Recommended reading 30 + 31 + * `about_patches.S` included in xeBuild. 32 + 33 + * DrSchottky's "X360 Reversing" guide about xeBuild's hacked images: 34 + https://www.razielconsole.com/forum/guide-e-tutorial-xbox-360/943-%5Bx360-reversing%5D-intro.html
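Review bot: the table declares `uint32` fields without stating byte order, and the delimiter sentence does not say where the `0xFFFFFFFF` sits; both are needed before anyone can write a parser from this page. State explicitly (a) whether the words are big- or little-endian, (b) that the terminator is a record whose address field at offset `0x0` is `0xFFFFFFFF` with no count or data words following it, if that is the case, and (c) that the count at `0x4` is the element count of the array at `0x8`, so the next record starts at `0x8 + 4*count`. It is also worth saying whether the last section in each ordering (Hypervisor/kernel patches) carries a terminator as well, since "end of the current section" is ambiguous for the final one.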
+9 -7
official-software/networking/system_link.md
··· 1 1 **Emma's Xbox 360 Research Notes - Networking** 2 2 3 - Updated 24th October 2024. 3 + Updated 7th March 2025. 4 4 5 5 Stub page. 6 6 ··· 125 125 with a source IP of 0.0.0.1 and a destination IP address of 255.255.255.255. 126 126 The destination MAC address is FF:FF:FF:FF:FF:FF. 127 127 128 - **Cross-Platform:** TODO 128 + **Cross-Platform:** (From GfWL) Broadcast messages are sent over IPv4 UDP 129 + port 3074, with a source IP of the local network adapter and a desination 130 + address off 255.255.255.255. 129 131 130 132 ### General Structure 131 133 132 - | Offset | Type / Size | Description | 133 - | -------- | ----------- | ----------------------------------- | 134 - | `0x0` | uint32 | Header flags *(TODO: Check?)* | 135 - | `0x4` | variable | Encrypted packet data | 136 - | variable | Footer | Metadata about the packet | 134 + | Offset | Type / Size | Description | 135 + | -------- | ----------- | ----------------------------- | 136 + | `0x0` | uint32 | Header flags *(TODO: Check?)* | 137 + | `0x4` | variable | Encrypted packet data | 138 + | variable | Footer | Metadata about the packet | 137 139 138 140 Note that parts of the footer will be encrypted depending on the length of the 139 141 packet data.
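Review bot: two typos in the added Cross-Platform paragraph: "desination" should be "destination" and "address off 255.255.255.255" should be "address of 255.255.255.255". Also spell out GfWL as Games for Windows Live at this first use if it is not expanded earlier on the page, since the rest of the section refers to it only by the abbreviation. The table change is whitespace-only column realignment and is fine.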
+37 -3
official-software/system/security_overview.md
··· 1 1 **Emma's Xbox 360 Research Notes - System Software** 2 2 3 - Updated 12th September 2024. 3 + Updated 7th March 2025. 4 4 5 5 "Stub" page, not in-depth, just trying to put some notes and thoughts here: 6 6 ··· 12 12 As of 2024, every console manufactured before 2011 is subject to trivial 13 13 piracy, and cheating online in many games is possible with savegame exploits, 14 14 patched game files on burned DVDs, or network exploits. 15 - The last method to run homebrew without soldering a modchip was patched in 2007. 15 + 16 + As of 2025, there have been two demonstrated vulnerabilities allowing for 17 + software-only hypervisor mode code execution: 18 + - "King Kong" syscall handler exploit in 2007 (4532/4548), patched in 2007 19 + - https://free60.org/Hacks/King_Kong_Hack/ 20 + - Patched in kernel version 4552. 21 + - Hypervisor versions 4532/4548 blacklisted in the bootloader with 8498. 22 + - "Xbox360BadUpdate" exploit chain in 2025 (??-17559), **unpatched** 23 + - https://github.com/Grimdoomer/Xbox360BadUpdate 24 + - https://icode4.coffee/?p=1047 - "System Overview" 25 + - https://icode4.coffee/?p=1081 - "The Bad Update Exploit" 16 26 17 27 ## Security Features 18 28 29 + * Very small and simple boot chain 30 + * Several stages, each one small and very easy to analyse. 31 + * All are RSA signature checked by secure code burned into the CPU (1BL). 32 + * Execution is done from within either SRAM or encrypted and hashed main 33 + memory, preventing any outside attacks. 34 + * Vulnerable hypervisor versions are blacklisted, even if an exploit is used 35 + to attempt a downgrade. 36 + * E-fuses prevent any and all attempts at downgrading the bootloader, 37 + permanently. 19 38 * Small hypervisor, small attack surface 20 39 * Hypervisor exposes only 120 syscalls to the kernel (as of 17559), each of 21 40 them serve a specific purpose and are easy to audit and analyse. 
None are ··· 53 72 * Random AES keys are chosen at startup by 2BL, with help from hardware RNG. 54 73 The 2BL also checks to make sure there's sufficient randomness so the RNG 55 74 can't be rigged or disabled in hardware. 75 + * (2014+) Hardware protection against glitching 76 + * "Winchester" motherboards have POST output disabled by e-fuses, and the 77 + reset line is latched to prevent RGH. 56 78 57 79 ## Security Pitfalls 58 80 ··· 80 102 meaning it can be replaced to modify the behaviour or be used to attack the 81 103 CPU (see: SMC Hack, RGH3 - as well as all other RGH variants rebooting rather 82 104 than RRoD on failed boots) 105 + * The hypervisor does not check userland page permissions before writing data 106 + to a user-controlled pointer, allowing for userland exploits to overwrite the 107 + (unencrypted view of) memory in any write-protected page. Related ... 108 + * ... the memory management unit only hashes the hypervisor's memory space, 109 + allowing for userland exploits to corrupt kernel, XAM and game ciphertext in 110 + ways that may result in a favourable plaintext when decrypted. (See: 111 + Xbox360BadUpdate's "Stage 2" - as well as yet-to-be-disclosed kernel patching 112 + by [ihatecompvir](https://wetdry.world/@ihatecompvir/113359460700460045)) 83 113 84 114 ## References 85 115 86 - * Memory encryption/hashing: 116 + * Free60 wiki: 117 + https://free60.org/ 118 + * Memory encryption/hashing information: 87 119 https://github.com/GoobyCorp/Xbox-360-Crypto/blob/master/MemCrypto.py 120 + * Ryan Miceli's "Hacking the Xbox 360 Hypervisor Part 1: System Overview": 121 + https://icode4.coffee/?p=1047 88 122 89 123 I must've got some more of this info from other places, but I can't remember.
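Review bot: the new Security Features bullet "Execution is done from within either SRAM or encrypted and hashed main memory, preventing any outside attacks" overstates what the Pitfalls bullet added in the same hunk concedes, namely that only the hypervisor's memory space is hashed and kernel, XAM and game ciphertext can still be corrupted from userland; reword it to the narrower claim (e.g. "preventing bus-level tampering with hypervisor memory") so the two sections do not contradict each other, and for the same reason drop "any and all" from the e-fuse bullet. Separately, "(??-17559)" leaves the affected-version lower bound unfilled while the rest of the page marks unknowns with "TODO", so either fill it or mark it `*(TODO)*`; and the "Related ..." / "... the memory management unit" pair reads better as one bullet with the MMU point as a sub-bullet rather than a sentence split across two list items.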