Monday, August 29, 2011

Glitched!

When I started this blog, I said it would be about open source libraries, emulators, reverse engineering and hacking. My libxenon stuff easily covers the first 3 items, but I didn't write much about hacking.
That word means a lot of different things, but it was a synonym for 'finding exploits' for me when I wrote it.

And the fact is, I already had a working reset glitch hack when I wrote it; hell, all my libxenon stuff was coded on a glitched console!

It started around February 2010. I don't really know why, but I badly wanted to hack the 360. I had a few ideas on how to do it, but even though I read xboxhacker, I had very little knowledge of how the 360 worked.
Nonetheless, I started disassembling a Zephyr I had bought, wiring up the POST port, JTAG, and a few other things I had read about on xboxhacker.
Then I met Tiros, who was already well known for his hacking work on the 360. He told me my ideas were junk, but he also started to 'teach' me how previous exploits worked, how the boot process worked, ...
Then we took the 'regular' way of hacking it: first searching for a way to prevent the boot process from deactivating JTAG, then trying to find a kernel that was vulnerable to the SMC/system flash controller DMA attack but wasn't blacklisted by the bootloaders, then trying to find hypervisor flaws, then ... nothing. We searched for flaws for months and found a few interesting bugs, but nothing that could lead to unsigned code running...
It is now late summer 2010; I'm starting to lose hope, and then, as a desperate move, I start to think about glitching.
From that moment it took me no more than a few weeks to run Xell for the first time on my Zephyr!
I had incredible luck: there was a bug in my CPU reset code. Instead of sending a millisecond-long pulse, it sent a 100 nanosecond one, which was in fact the time it took for 2 consecutive GPIO write instructions to complete on my microcontroller! Call it while the CPU is slowed down and it glitches!

To be continued...

57 comments:

  1. Hi GliGli,
    First of all, congratulations for this giant leap for the homebrew scene. You're the Messiah of the banned and eFUSE-blown consoles ;D

    But I was thinking, do you believe that Microsoft could release an update to fix that glitch, or is this just impossible and they will need a new hardware design to fix that?!

  2. what microcontroller did you use to get 100ns GPIO timings??

  3. that one: http://www.olimex.com/dev/lpc-h2148.html
    it was my dev board while I worked on the hack

  4. First of all: Congratulations GliGli! Your strong mind in trying to find a "jtag" hack gap for the Xbox 360 was very impressive, even after all the denials. Lucky Xbox 360 scene that you are a persistent guy! ;D

    Is it possible to use another CPLD device than the XC2C64A CoolRunner-II CPLD? As you may already be aware, the Digilent C-mod vanished like magic. Thanks a lot in advance!

  5. Hi, I'm not asking when Falcon support will be available. I'm just wondering if the parts listed in your tutorial will be compatible with a Falcon board. Thanks again for your hard work!

  6. Nicely done.
    Thanks a lot.
    Didn't expect there would be Xell on Slims any time.

  7. Some of us have lots and lots of the old 79-key devices used to unlock the Hitachi v79 drives a while back before another hack was found.

    It is a board with the xilinx xc9572xl in a socket.

    If the glitch could be ported to that chip/board I have 180pcs that could be turned from useless junk to something I could finally get sold...cheap!

  8. Fantastic work GliGli!

    Would be interesting to find out more about the story behind the hack, not just the technical side but the human side too.

    Amazing that you managed to work on and release other projects whilst perfecting the glitch hack.

    Please continue with the rest of the story, I can't wait to read the rest!

    Thanks again,

    J.

  9. you are the best gligli

  10. WAIT WHAT? a stupid hack??
    where's the damn n64 emulator???


    I'm kidding lol good job to all involved, this is awesome!!

  11. Dude, you are amazing; you give me inspiration that anything is possible!!!
    I'm taking electronics engineering and from education wish to follow your footsteps in the art of reverse engineering and low-level coding, whether it be the various assemblies, C, C++ etc...

  12. Thanks so much GliGli and others that had a hand in this. GliGli, have you had a chance to look at Falcon boards yet? No rush, just wanted to see if it's doable, that's all. Thanks again.

  13. Hi GliGli

    Various sites are reporting there are different revisions of the Xbox Slim mobo out in the wild and the hack isn't working on them.

    Can you provide some insight?

  14. Indeed, it seems there are slightly different Slim mobos; I even had to buy one not long ago to test a WIP version of the hack.
    AFAIK it works on older and newer Slims; it was tested on around 10 various Slims before release.

  15. Do you need a falcon console to test your glitch on? If so, I could provide mine. I would hope to get it back, but I would pay for shipping both ways. Thanks for all your hard work and diligence!

  16. GliGli, you are a true OG.
    You are to the 360 what MLK is to blacks.

  17. This work is awesome... but not going the freeboot, Freestyle dash and other stuff way. Does a glitch hack enable these utilities?

  18. GliGli once again thanks for the excellent work

    Any chance you could create/upload source so we can see the temps that the slim runs at during op?

    PS: Fellow readers there is no need for a rebooter, kernel can be patched etc etc

  19. I second what Jordan Grant said...I'd be more than happy to pay for mine to be shipped both ways to help in the dev of the Falcon exploit.

  20. This doesn't even compare to the x360key; there's even no guarantee a Freestyle/freeboot dash will be released! But you all congratulate this person!?

  21. Well yes, a rebooter generally speaking is used for piracy. Running libXenon or Linux on the console does not. No matter which way you look at it, the only homebrew scene is using the libxenon library and a very small group of people that use a JTAG for dev purposes, instead of buying an XNA membership. 90% of the Xbox 'homebrew' scene use their modified console for piracy, end of. It needs to be made more clear on every website relating to homebrew on the 360 that just because you run Freestyle dash does not make you a part of the hacking/homebrew scene; you're just exploiting it for your own ends.

  22. GliGli, I have another overlooked idea for exploiting/glitching the console, how would one go about getting in touch?

    bl1nk

  23. Hey, is there any news on Falcon timing?? I've even downloaded and installed the Xilinx SDK/Project Manager to brute force the timing, reprogramming the CPLD one step between the values of the Zephyr and Jasper timings every try, starting from 1675. It takes a lot of time ;)

  24. Hi Gligli, I want to know She's for the future is the ability to run this exploit even for xenon, I would like to recover my dvdkey xenon as the reader no signs of life.
    I apologize for my English, by Google Translator.

  25. Hi GliGli,
    First of all thank you for your amazing hack!
    I am a HW expert on Xilinx FPGAs and CPLDs. I recently downloaded your source code (read: VHDL) for the CPLD and noticed one or two points in the code that can be improved and may potentially reduce the time needed for glitching the console. If you are interested, contact me at marchetto83@gmx.com

    Best regards,
    Marco

    PS: I am not seeking money or other things, I just want to give a hand and my contribution to the community.

  26. I can confirm that glitching works on Falcon console. Thanks GliGli.

  27. Marco> Will do, I'm almost a VHDL newbie, I learned it while I was doing the hack :)

    blbinop> So you found the Falcon timing?

  28. Marco here, so contact me at my mail sending me an e-mail address or skype account or chat account (whichever you prefer) so we can talk, make tests, and if successful, release.
    I like your enthusiasm, keep going!!!

    PS: my mail marchetto83@gmx.com

  29. A friend of mine told me that he liked the number 1603 very much. I haven't got the slightest idea why.

  30. blbinop.

    please be more precise :)

  31. GliGli, any idea when a Falcon jed will be ready?

  32. Try setting WIDTH_RESET_START to 1603 in main.vhd

  33. Did you test your glitch hack on the Xenon yourself, GliGli? Was the CPU lock up limited to the 520 kHz (CPU_PLL_BYPASS = 3.3 V) scenario, or does it also lock up at 6.2 MHz (CPU_EXT_CLK_EN = 3.3 V)?

  34. What do I need to compile VHDL files?!

  35. I am wondering how many consoles will turn into a brick or who Microsoft will sue first.

  36. As long as you have a backup of your NAND, then you are good to go...

  37. So far, setting WIDTH_RESET_START to 1603 in main.vhd has not yielded good results for me.

  38. There are some jeds confirmed to work for Falcon on the xbox-scene forum. :)

  39. Guys, buy original games.

  40. Please can you send me YOUR version of the Matrix Glitcher 360 diagrams? Email me at riparoxbox360 @ gmail.com

    For my Slim it does not work; my video of the installation is here
    http://tinyurl.com/3szv542

    And I followed the infinitymod.com diagrams.

    One guy at logic-sunrise named Zoontek made it WORK on Slim, but I saw his photo and he uses other diagrams, and in the photo I can't see the points well.

  41. Hey GliGli thanks for all your great work!

    I've gotten the glitch to work with a Dangerous Prototypes CoolRunner II board but have had a bit of trouble with a parallel JTAG cable based off of your schematic. iMPACT would read the device id as 0s. Same result with a XC9572XL CPLD if the VccIO pin was connected (but it worked if it wasn't).

    After using your LPT pinouts with the resistor, diode and capacitor network here http://www.cobbleware.com/files/jtag.png it works flawlessly. You may wish to update your schematic to some variant thereof.

  42. GliGli, my Falcon fails when trying to create the ecc file. I'm a 360 noob so I can't really understand 100% what's happening, but I've checked the build.py code and found that my Falcon build is 5772 and in the falcon_builds var you only check the 5771 version. The creation fails in the patch_CB(CB) def on this line:
    if build(CB) == versions[0]:
    The value returned by build(CB) is 5772 and it is compared to the value 9188. If I comment out that line there's no problem, but I don't know if it will work. Can you help me with that?

    Sorry for my bad English.

  43. GliGli, are you still against a rebooter/hacked dash? As c4eva has hacked the new XGD3 discs, I really don't think guys will use a rebooter/hacked dash for piracy, as it's much easier to hack a DVD drive and you get to play on Xbox Live with it. I just want to be able to play my games and play homebrew at the same time like all the JTAG users.

  44. Sorry, bad English.
    I also have a Falcon CB 5772; I researched and found it is refurbished, it comes with a 2-stage cd like the Slim. Is it possible to configure build.py?

  45. First: Great job dude!

    Are you working on a solution for the Jasper with CB 6752? I hope so! At first there were a handful of them, and now there are more and more of them...

    Sorry for my bad English, I hope you understand what I want to say.

  46. I am really very glad after reading here and I appreciate the information that you presented here.

  47. Hi Gligli!
    Thanks for your hard work on this project!
    Until now, I don't understand why the boot timing for the Slim is unstable.
    I tried to analyze your VHDL code for the Slim; there are some warnings when fitting the design to the xc2c64a-7 device, and the maximum clk operation is 37.879 MHz, but the input clock from the Xbox 360 is 48 MHz.
    I also tried to change the device to xc2c64a-5 and the maximum clk is 64.103 MHz (>48 MHz).
    Do you think that's the problem??? Have you tried to use the xc2c64a-5?
    I think if we are using the xc2c64a-7, maybe we should edit the code to operate on one edge of clk (instead of 2 edges); is it possible and did you do that???
    Sorry for my bad English, I hope you understand what I want to say.
    Thank you very much!

  48. Sorry Gligli!
    Do you know the maximum frequency of the I2C interface for the Slim Xbox 360??

  49. Every next entry makes me laugh louder and louder.

  50. hi gligli,

    A friend of mine told me that I should write to you to speak about a problem with a Xenon.
    As I have just said, I have got this damned Xenon with an E64 drive (so no key anymore). And I was wondering if you, even just for a bit, succeeded in starting up a glitched Xenon, just for having a look at the CPU and drive key.

    I hope you could help me.

    thank you in advance

  51. The Xbox 360 is such a nice game console to play the different games. This game console gives the best resolution to the games.

  52. Gligli, you are the man! How does it feel to be lumped in with Bunnie and all the folks that cracked a console for the first time? Thanks for your hard work and I love your N64 emu!

    Thanks to Tiros and all the other devs as well.

    Replies
    1. Thank you very much gligli
      Thank you all very much for your work
      update blog please!!!

  53. Hi Gligli!

    Thank you for your work!! It's very fantastic!!!!

    You are the best hacker in the world!!!!!

    PS: I am French like you =)

  54. I am extremely impressed with your writing abilities. Thanks for this great share.

  55. I read your post information and like it. Just visiting here...
