invoxiplaygames.uk / x360-research
my research and reverse engineering notes/utilities relating to the Xbox 360 (Mirrored from https://github.com/InvoxiPlayGames/x360-research)
fork atom

update

invoxiplaygames.uk 7d20f29f 8097d2e3

+87 -10
unified split
+1
README.md
··· 50 * [DrSchottky's X360 Reversing tutorials](https://www.razielconsole.com/forum/guide-e-tutorial-xbox-360/943-%5Bx360-reversing%5D-intro.html) 51 * [TEIR1plus2's Xbox-Reversing](https://github.com/TEIR1plus2/Xbox-Reversing) 52 * [ihatecompvir's x360-hv-notes](https://github.com/ihatecompvir/x360-hv-notes) 53 54 I likely wouldn't know nearly as much as I do if not for all the great open source 55 projects detailing how parts of this system work, and all the people behind them.
··· 50 * [DrSchottky's X360 Reversing tutorials](https://www.razielconsole.com/forum/guide-e-tutorial-xbox-360/943-%5Bx360-reversing%5D-intro.html) 51 * [TEIR1plus2's Xbox-Reversing](https://github.com/TEIR1plus2/Xbox-Reversing) 52 * [ihatecompvir's x360-hv-notes](https://github.com/ihatecompvir/x360-hv-notes) 53 + * [Grimdoomer's Xbox 360 hypervisor article](https://icode4.coffee/?p=1047) 54 55 I likely wouldn't know nearly as much as I do if not for all the great open source 56 projects detailing how parts of this system work, and all the people behind them.
+6
homebrew/README.md
···
··· 1 + **Emma's Xbox 360 Research Notes - Homebrew** 2 + 3 + # Table of Contents 4 + 5 + * xeBuild 6 + * Patch Format
+34
homebrew/xebuild/patch_format.md
···
··· 1 + **Emma's Xbox 360 Research Notes - Homebrew - xeBuild** 2 + 3 + Updated 7th March 2025. 4 + 5 + Stub page. 6 + 7 + # Patch Format 8 + 9 + | Offset | Type | Description | 10 + | ------ | -------- | ----------------------------------- | 11 + | `0x0` | uint32 | Address in boot section to patch | 12 + | `0x4` | uint32 | Number of 4-byte words to patch | 13 + | `0x8` | uint32[] | Array of words to insert at address | 14 + 15 + Patch sets are delimited by `0xFFFFFFFF` to signify the end of the current 16 + section. 17 + 18 + For SMC hacked images, patches are structured in this order: 19 + * 1BL patches 20 + * CB patches 21 + * CD patches 22 + * Hypervisor/kernel patches 23 + 24 + For RGH images, patches are structured in this order: 25 + * CB_B patches 26 + * CD patches 27 + * Hypervisor/kernel patches 28 + 29 + ## Recommended reading 30 + 31 + * `about_patches.S` included in xeBuild. 32 + 33 + * DrSchottky's "X360 Reversing" guide about xeBuild's hacked images: 34 + https://www.razielconsole.com/forum/guide-e-tutorial-xbox-360/943-%5Bx360-reversing%5D-intro.html
+9 -7
official-software/networking/system_link.md
··· 1 **Emma's Xbox 360 Research Notes - Networking** 2 3 - Updated 24th October 2024. 4 5 Stub page. 6 ··· 125 with a source IP of 0.0.0.1 and a destination IP address of 255.255.255.255. 126 The destination MAC address is FF:FF:FF:FF:FF:FF. 127 128 - **Cross-Platform:** TODO 129 130 ### General Structure 131 132 - | Offset | Type / Size | Description | 133 - | -------- | ----------- | ----------------------------------- | 134 - | `0x0` | uint32 | Header flags *(TODO: Check?)* | 135 - | `0x4` | variable | Encrypted packet data | 136 - | variable | Footer | Metadata about the packet | 137 138 Note that parts of the footer will be encrypted depending on the length of the 139 packet data.
··· 1 **Emma's Xbox 360 Research Notes - Networking** 2 3 + Updated 7th March 2025. 4 5 Stub page. 6 ··· 125 with a source IP of 0.0.0.1 and a destination IP address of 255.255.255.255. 126 The destination MAC address is FF:FF:FF:FF:FF:FF. 127 128 + **Cross-Platform:** (From GfWL) Broadcast messages are sent over IPv4 UDP 129 + port 3074, with a source IP of the local network adapter and a desination 130 + address off 255.255.255.255. 131 132 ### General Structure 133 134 + | Offset | Type / Size | Description | 135 + | -------- | ----------- | ----------------------------- | 136 + | `0x0` | uint32 | Header flags *(TODO: Check?)* | 137 + | `0x4` | variable | Encrypted packet data | 138 + | variable | Footer | Metadata about the packet | 139 140 Note that parts of the footer will be encrypted depending on the length of the 141 packet data.
+37 -3
official-software/system/security_overview.md
··· 1 **Emma's Xbox 360 Research Notes - System Software** 2 3 - Updated 12th September 2024. 4 5 "Stub" page, not in-depth, just trying to put some notes and thoughts here: 6 ··· 12 As of 2024, every console manufactured before 2011 is subject to trivial 13 piracy, and cheating online in many games is possible with savegame exploits, 14 patched game files on burned DVDs, or network exploits. 15 - The last method to run homebrew without soldering a modchip was patched in 2007. 16 17 ## Security Features 18 19 * Small hypervisor, small attack surface 20 * Hypervisor exposes only 120 syscalls to the kernel (as of 17559), each of 21 them serve a specific purpose and are easy to audit and analyse. None are ··· 53 * Random AES keys are chosen at startup by 2BL, with help from hardware RNG. 54 The 2BL also checks to make sure there's sufficient randomness so the RNG 55 can't be rigged or disabled in hardware. 56 57 ## Security Pitfalls 58 ··· 80 meaning it can be replaced to modify the behaviour or be used to attack the 81 CPU (see: SMC Hack, RGH3 - as well as all other RGH variants rebooting rather 82 than RRoD on failed boots) 83 84 ## References 85 86 - * Memory encryption/hashing: 87 https://github.com/GoobyCorp/Xbox-360-Crypto/blob/master/MemCrypto.py 88 89 I must've got some more of this info from other places, but I can't remember.
··· 1 **Emma's Xbox 360 Research Notes - System Software** 2 3 + Updated 7th March 2025. 4 5 "Stub" page, not in-depth, just trying to put some notes and thoughts here: 6 ··· 12 As of 2024, every console manufactured before 2011 is subject to trivial 13 piracy, and cheating online in many games is possible with savegame exploits, 14 patched game files on burned DVDs, or network exploits. 15 + 16 + As of 2025, there have been two demonstrated vulnerabilities allowing for 17 + software-only hypervisor mode code execution: 18 + - "King Kong" syscall handler exploit in 2007 (4532/4548), patched in 2007 19 + - https://free60.org/Hacks/King_Kong_Hack/ 20 + - Patched in kernel version 4552. 21 + - Hypervisor versions 4532/4548 blacklisted in the bootloader with 8498. 22 + - "Xbox360BadUpdate" exploit chain in 2025 (??-17559), **unpatched** 23 + - https://github.com/Grimdoomer/Xbox360BadUpdate 24 + - https://icode4.coffee/?p=1047 - "System Overview" 25 + - https://icode4.coffee/?p=1081 - "The Bad Update Exploit" 26 27 ## Security Features 28 29 + * Very small and simple boot chain 30 + * Several stages, each one small and very easy to analyse. 31 + * All are RSA signature checked by secure code burned into the CPU (1BL). 32 + * Execution is done from within either SRAM or encrypted and hashed main 33 + memory, preventing any outside attacks. 34 + * Vulnerable hypervisor versions are blacklisted, even if an exploit is used 35 + to attempt a downgrade. 36 + * E-fuses prevent any and all attempts at downgrading the bootloader, 37 + permanently. 38 * Small hypervisor, small attack surface 39 * Hypervisor exposes only 120 syscalls to the kernel (as of 17559), each of 40 them serve a specific purpose and are easy to audit and analyse. None are ··· 72 * Random AES keys are chosen at startup by 2BL, with help from hardware RNG. 73 The 2BL also checks to make sure there's sufficient randomness so the RNG 74 can't be rigged or disabled in hardware. 75 + * (2014+) Hardware protection against glitching 76 + * "Winchester" motherboards have POST output disabled by e-fuses, and the 77 + reset line is latched to prevent RGH. 78 79 ## Security Pitfalls 80 ··· 102 meaning it can be replaced to modify the behaviour or be used to attack the 103 CPU (see: SMC Hack, RGH3 - as well as all other RGH variants rebooting rather 104 than RRoD on failed boots) 105 + * The hypervisor does not check userland page permissions before writing data 106 + to a user-controlled pointer, allowing for userland exploits to overwrite the 107 + (unencrypted view of) memory in any write-protected page. Related ... 108 + * ... the memory management unit only hashes the hypervisor's memory space, 109 + allowing for userland exploits to corrupt kernel, XAM and game ciphertext in 110 + ways that may result in a favourable plaintext when decrypted. (See: 111 + Xbox360BadUpdate's "Stage 2" - as well as yet-to-be-disclosed kernel patching 112 + by [ihatecompvir](https://wetdry.world/@ihatecompvir/113359460700460045)) 113 114 ## References 115 116 + * Free60 wiki: 117 + https://free60.org/ 118 + * Memory encryption/hashing information: 119 https://github.com/GoobyCorp/Xbox-360-Crypto/blob/master/MemCrypto.py 120 + * Ryan Miceli's "Hacking the Xbox 360 Hypervisor Part 1: System Overview": 121 + https://icode4.coffee/?p=1047 122 123 I must've got some more of this info from other places, but I can't remember.