Xbox modding

Xbox modding is the practice of circumventing the built-in hardware and software security mechanisms of the Xbox video game console.

History

The popularity of the Xbox, as well as (in the United States) its comparatively short 90-day warranty, inspired efforts to circumvent the built-in hardware and software security mechanisms, a practice known as "cracking". Within a few months of its release the initial layer of security on the Xbox BIOS (which relied heavily on obfuscation) was broken by MIT student Andrew Huang and the contents of the "hidden" boot ROM embedded on the MCPx chip were extracted using some custom built hardware. Once this information was available, the code was soon modified so that it would skip digital signature checks and media flags, allowing unsigned code, Xbox game backups, etc., to be run. This was possible due to a number of critical flaws. A flaw in the RC4 encryption algorithm implemented by Microsoft, used to encrypt the Secret ROM, gave attackers means to use brute-force attacks effectively, giving access to the console's secret RC4 key, the second part of the bootloader, '2bl', and the kernel. The 'visor' bug, found by a hacker who never revealed his real name, was a critical flaw found in the console, due in part to Microsoft's decisions around suppliers for the microchips for use in the console. All of Microsoft's Xbox prototypes were, in fact, AMD. Hackers from the Xbox Linux team checked with AMD employees and explained that AMD chips throw an exception in the case of EIP overflows, but Intel CPU's do not. visor used XCodes to write the assembly instruction for “jmp 0xFFFF0000” to the memory location 00000000 in RAM, and changed the last four bytes in 2bl, in order to make the secret ROM run the panic code. The Secret ROM then 'falls down' to Flash memory where it can be captured. Another flaw exposed poor decisions around sandboxing games and savegame data. Plenty of Xbox games had buffer vulnerabilities in their savegame handlers. It is possible to use most USB sticks with the Xbox, and just store hacked savegames on them. It was often as easy as extending the length of strings like the name of the player, and the game would overwrite its stack with data and eventually jump to the code embedded in the savegame. The procedure for the user was then to simply copy a hacked savegame from a USB stick onto the Xbox hard disk, run the game and load the save-game. But after a buffer exploit, we would expect only to be in user mode - but not on the Xbox, as all Xbox games run in kernel mode. The Dashboard loads its files from hard disk, and with savegame exploits modifying hard disk content was possible. The Dashboard and its dependencies were RSA-2048 signed, apart from two files: the fonts. An integer vulnerability allowed for unsigned code to be run. Coupled with the savegame exploit, this made 'cracking' a console as easy as transferring a modified savegame and loading it, running a script to modify the font files. Now every time the Xbox is turned on, the Dashboard crashes because of the fonts and runs code embedded in these files. The code reloads the Dashboard with the original fonts, hacks it, and runs it.^[1] Modding an Xbox in any manner will void its warranty, as it may require disassembly of the console. Having a modified Xbox may also disallow it from accessing Xbox Live, if detected by Microsoft, as it contravenes the Xbox Live Terms of Use,^[2] but most modchips can be disabled, allowing the Xbox to boot in a "stock" configuration. Softmods can be disabled by "coldbooting" a game (having the game in the DVD drive before turning the console on, so the softmod is not loaded) or by using a multiboot configuration.

Methods

Xbox motherboard, with installed modchip

• Modchip: installing a modchip inside the Xbox that bypasses the original BIOS, with a hacked BIOS to circumvent the security mechanisms.^[3]
• TSOP flashing: reflashing the onboard BIOS chip with a hacked BIOS to circumvent the security mechanisms. The Xbox BIOS is contained on a commodity EEPROM (the 'TSOP'), which can be made writable by the Xbox by bridging points on the motherboard.^[4] Flashing is usually carried out by using a specially crafted gamesave (see 'Game save exploit', below) to flash the onboard TSOP, but the TSOP can also be de-soldered and re-written in a standard EEPROM programmer. This method only works on 1.0 to 1.5 Xboxes, as version 1.6 (the final hardware version produced) replaced the commodity TSOP with an LPC ROM contained within a proprietary chip.^[5]
• Softmods: installing additional software files to the Xbox hard drive, which exploit programming errors in the Dashboard to gain control of the system, and overwrite the in-memory copy of the BIOS.^[6] Soft modification is known to be safe for Xbox Live if the user enables multibooting with the Microsoft dashboard and an original game disc is used.^{[citation needed]}
  • Game save exploit: using select official game releases to load game saves that exploit buffer overflows in the save game handling.^[7] When these special game saves are loaded, they access an interface with scripts for installing the necessary softmod files. Disassembly of the Xbox is not required when installing most game save exploits.
• Hot swapping: using a computer to change the data on the hard drive. This requires having the Xbox unlock the hard drive when it is turned on, then swapping the powered hard drive into a running computer. By using a Linux-based Live CD, data on the hard drive can be read, altered, and deleted. In most cases, an automated script will automatically install the softmod files directly to the Xbox hard drive. This technique has been used extensively to harbor cheating on many online games. Disassembly of the console is required to perform a hot swap. It's the least recommended as it might shock the Xbox hardware or the user's PC components.

Alternative operating systems

Beyond gaming, a modded Xbox can be used as a media center with XBMC4Xbox.^[8]

There are also distributions of Linux developed specifically for the Xbox, including those based on Gentoo,^[9] Debian, Damn Small Linux and Dyne:bolic.^{[citation needed]}

List of alternative operating systems:

• Xbox Linux is a project that ported Linux to the Xbox.
• FreeBSD and NetBSD^[10] have also been ported to Xbox.
• Windows CE^[11]
• ReactOS
• A port of Windows XP is available on some modding websites but this usually involves removing the CPU and resoldering a different Pentium III as well as a heavily modified BIOS.^{[citation needed]}

References

1. Steil, Michael (2005). "17 Mistakes Microsoft Made in the Xbox Security System" (PDF). Chaos Computer Club. Retrieved 2010-08-16.
2. "Xbox Live Terms of Use". Xbox.com. October 2006. Retrieved 2007-07-18.
3. Rybka, Jason. "Modchips - What Are They and Should You Use One?". About.com. Retrieved 2007-07-18.
4. SLuSHIE (2004-03-30). "Flashing TSOP With ANY Version XBOX V1.0-V1.5 For Noobs". I-Hacked.com. Retrieved 2007-07-18.
5. Steil, Michael (2007-02-07). "Xbox Hardware Overview – Xcalibur". Xbox Linux. Archived from the original on July 20, 2007. Retrieved 2007-07-18.
6. Phoenix. "Phoenix Bios Loader". Xbox-HQ.com. Retrieved 2007-07-18.
7. Becker, David (2003-03-31). "Hacker cracks Xbox challenge". News.com. Retrieved 2007-07-18.
8. Patrick Schmid and Achim Roos (2007-07-18). "Modding The Xbox Into The Ultimate Multimedia Center". Tom's Hardware. Retrieved 2004-05-11.
9. "Gentoox". distrowatch.com. 2008-09-28. Retrieved 2010-12-25.
10. "Announcing NetBSD 5.0". Netbsd.org. Retrieved 2010-11-11.
11. "Windows CE .Net 4.20 ported to Xbox". Retrieved 2004-01-03.