Monday, 29 August 2011

Glitched !

When I started this blog, I said it would be about open source libraries, emulators, reverse engineering and hacking. My libxenon stuff easily covers the first 3 items, but I didn't write much about hacking.
That word means a lot of different things, but it was synonym of 'finding exploits' for me when I wrote it.

And fact is I already had a working reset glitch hack when I wrote it, hell, all my libxenon stuff was coded on a glitched console !

It started around febuary 2010, I don't really know why, but I wanted to hack the 360, badly, I had a few ideas on how to do it but even if I red xboxhacker , I had very little knowledge of how the 360 worked.
Nonetheless, I started disassembling a Zephyr I bought, wiring POST port, JTAG, and a few other things I red on xboxhacker about.
Then I met Tiros, he was already well known for his hacking work on the 360. He told me my ideas were junk, but he also started to 'teach' me how previous exploits worked, how the boot process worked,...
Then we took the 'regular' way of hacking it, first searching for a way to prevent the boot process to deactivate JTAG, then trying to find a kernel that was vulnerable to SMC/System flash controller DMA attack but wasn't blacklisted by bootloaders, then trying to find hypervisor flaws, then ... nothing, we searched flaws for months, found a few interesting bugs, but nothing that could lead to unsigned code running...
It is now late summer 2010, I'm starting to lose hope, then as a desperate move, I start to think about glitching.
From that moment it took me no more than a few weeks to run Xell for the first time on my Zephyr!
I had incredible luck, there was a bug in my CPU reset code, instead of sending a millisecond-like pulse, it sent a 100 nanoseconds one, it was in fact the time for 2 consecutive GPIO write instructions to complete on my microcontroller ! Call it while the CPU is slowed down and it glitches !

To be continued...