You are viewing our Forum Archives. To view or take place in current topics click here.
TUT Reset Glitch! More new chips!
#1. Posted:

Mini-Uzi
  • TTG Senior
Status: Offline
Joined: Nov 29, 2010 (14 Year Member)
Posts: 1,902
Reputation Power: 102
FAT wiring method here (not the best pictures)



Good enough pics.


Front wiring

When it is finished




CHIPS



Neil's post about the latest chips: Forums/p=14841317.html#14841317


Maximus Stinger - Reset Glitch Hack add-on board
>> From 360nandflasher.com


Credit to Jpizzle and Eaton for posting about these chips.

Team Maximus is proud to announce their offering for making use of the recent discovery of the reset glitch hack released by GliGli.

The Maximus Stinger JTAG Add-on board.

These can be used in conjunction with the Maximus Nand Flasher kits but are not limited to those alone; the Stinger can also be used in conjunction with any other USB NAND flashing device. While the full feature set for the Maximus Stinger is not yet announced, rest assured the entire team is hard at work and production has already started. News on the full feature set will be coming soon, and more info can be found on the Maximus NandFlasher website (external link) in the coming days.

Official resellers will start taking pre-orders soon, so you will be able to pre-order your Maximus Stinger from your local reseller and get ready for a whole new world of JTAG.

Taken from (external link):
Credits
GliGli, Tiros: Reverse engineering and hack development.
cOz: Reverse engineering, beta testing.
Razkar, tuxuser: beta testing.
cjak, Redline99, SeventhSon, tmbinc, anyone I forgot... : Prior reverse engineering and/or hacking work on the 360.







Via Logic-Sunrise.com today we get news of a new product to perform the Reset Glitch Hack on Xbox 360 phats and slims: the Glitchip. As news of this new hack spread through the internets like wildfire on Sunday, the available boards quickly ran out of stock, leaving people that were slow to react high and dry, but the French have stepped in to save the day.

The Glitchip promises to be a quick, clean and easy method of performing the hack, with only 7 solder points for the slim and 6 for the phat. This is sure to make the job a little easier for those that were overwhelmed by the schematics released when the hack first went public. Here is a short quote from the official website, loosely translated from French:


The x360 Glitchip is a chip created by the company LIBRASOFT, already known for its participation in the Xbox 360 scene (BqI_Reader / 360 Drive Switcher / 360 Waves Patcher / 360 Games Patcher / x360SED ...).


The x360 Glitchip follows the hack done by GliGli (the Reset Glitch Hack), which allows booting unsigned code on the Xbox 360 regardless of the kernel installed, on all motherboard revisions now existing, Slim included (except Xenon).
To put it (very) simply, the chip sends a series of electrical pulses to the processor in order to destabilize the console and make it believe that a modified CB is authentic (correctly hashed and signed). This fails every time, but it is repeated until success. Once the modified/hacked CB is validated by the console, it has sufficient rights to run unsigned code.

- Launch unsigned code on Xbox 360
- A single chip for both consoles: compatible with Xbox 360 SLIM and PHAT
- No additional hardware required (except for a JTAG cable if the chip was delivered blank)
- Compatible regardless of the kernel installed on the Xbox 360
- Easy installation (7 solder joints on a Slim, 6 solder joints on a Phat)
- Option to update the chip via a JTAG cable (not supplied)
- Dimensions suitable for easy installation in the Xbox 360 (3cm by 4cm)
- The console boots the code in a short period of time ranging from 10s to 2~3 min.
- Product 100% French :smile:
- The x360 Glitchip provides the JTAG equivalent on all Xbox 360s (Xenon offline). Falcon coming soon.


You can preorder yours now from Logic-Sunrise.com for only 26 euros or wait for one of your local shops to become a reseller.

BUY HERE (external link)





Eaton wrote: TeamX is already touting a working replacement for the CPLD.


So if you wait a while longer, this process may be 2x easier.


Look at the link for an easier wiring method.

Rebooter/Generator for those not using CMD
Forums/t=2113789/slim-hack-genera...e-cmd.html

XeLL reloaded Downloads/id=2875.html#1054

Works with all slim models and Zephyr, Jasper and soon Falcon.
This will not bypass server checks; this won't get you online.



I: Software and Hardware needed

Prerequisites:
- Installed Xilinx Lab Tools

Software:
- Python and PyCrypto
- iMPACT (from Xilinx Lab Tools)
- NandPro (>= v2.0e)

Hardware:
- USB SPI programmer to dump/flash the Xbox 360's NAND
- A XC2C64A CoolRunner-II CPLD (aka Digilent C-mod), matching socket and a Xilinx JTAG programmer cable
- A 220pF capacitor
- Soldering material & soldering experience

Now dump the NAND twice and make sure both dumps are identical.


II: Installation of Python and Python Crypto

Step 1: Install Python 2.7 (32-bit!) with the default settings (external link).

Step 2: Install PyCrypto 2.3 with the default settings (external link).

To enable Python in the Windows command prompt, we will have to modify the environment variables.

Step 3: Go to Control Panel > System > Advanced system settings

Step 4: Click on Environment Variables

Step 5: Click on New under System variables

Step 6: Add this as the name and the value of the variable:

PYTHONPATH
%PYTHONPATH%;C:\Python2.7

III: Creating the Hackimage

Step 1: Download this archive (external link).


Step 2: Put your original NAND dump in the root of the gggggg folder and create an output folder (in the root as well).

Step 3: Open the Windows command prompt again and navigate to the gggggg folder, then type this Python command (don't forget to modify it with your NAND dump name):

python common\imgbuild\build.py nanddumpname.bin common\cdxell\CD common\xell\xell-gggggg.bin

You should see the build output, and the file image_00000000.ecc is then located in the output folder.

Step 4: Copy this file into your NandPro folder and navigate to that folder via the command prompt again.

Step 5: Use the following command to flash the image to your console's NAND:

nandpro usb: +w16 image_00000000.ecc

The flashed file has a size of 50 blocks, so you should see 004F when the flashing is over.



IV: Programming the CPLD

Step 1: Power your CPLD with 3.3V on pin 20 and GND on pin 21. There are many solutions to do this; here are some of them:

- Use an old DVD drive supply cable by cutting cables 5 and 6 (3.3V and GND) and connecting them to a CK or the motherboard drive socket.

- Solder pin 20 to the J2C1.8 point of the motherboard and pin 21 (GND) to a point on the motherboard such as the legs of the various connector metal casings.

Step 2: Grab your LPT/USB Xilinx JTAG programmer cable. If you don't have one, you can use GliGli's schematic to build an LPT JTAG programmer. Connect the cable to the PC and the CPLD.

Step 3: Launch "iMPACT" (from Xilinx Lab Tools) and start the programming; just follow the images.

V: The wiring


Tutorial
Step 1: On the CPLD, remove resistor R2 and connect R2's upper pad to R1's lower pad.

Step 2: Place the CPLD on the motherboard as shown in the picture. We recommend using double-sided tape plus material to isolate the CPLD.

Step 3: Use the following diagram to solder all needed connections. It's recommended to use a socket!

ENJOY



You can now start your console normally and see XeLL boot within 2 minutes. You can now enjoy running unsigned code on your slim.



Credit to Razkar from Logic-Sunrise and GliGli for finding the hack.
This tut was taken from Logic-Sunrise.


xXCoNdEmRXx Edit: Additional Information.

**********************************
* The Xbox 360 reset glitch hack *
**********************************

Introduction / some important facts
===================================

tmbinc said it himself: software-based approaches to running unsigned code on the 360 mostly don't work, as it was designed to be secure from a software point of view.

The processor starts running code from ROM (1bl), which then starts loading an RSA-signed and RC4-encrypted piece of code from NAND (CB).

CB then initialises the processor security engine, whose task will be to do real-time encryption and hash checking of physical DRAM memory. From what we found, it's using AES128 for crypto and strong (Toeplitz?) hashing. The crypto is different each boot because it is seeded at least from:
- A hash of the entire fuseset.
- The timebase counter value.
- A truly random value that comes from the hardware random number generator the processor embeds. On fats, that RNG could be electronically deactivated, but there's a check for "apparent randomness" (merely a count of 1 bits) in CB; it just waits for a seemingly proper random number.

CB can then run some kind of simple bytecode-based software engine whose task will mainly be to initialise DRAM; CB can then load the next bootloader (CD) from NAND into it, and run it.

Basically, CD will load a base kernel from NAND, patch it and run it.

That kernel contains a small privileged piece of code (the hypervisor); when the console runs, this is the only code that would have enough rights to run unsigned code.
In kernel versions 4532/4548, a critical flaw in it appeared, and all known 360 hacks needed to run one of those kernels and exploit that flaw to run unsigned code.
On current 360s, CD contains a hash of those 2 kernels and will stop the boot process if you try to load them.
The hypervisor is a relatively small piece of code to check for flaws, and apparently no newer one has any flaws that could allow running unsigned code.

On the other hand, tmbinc said the 360 wasn't designed to withstand certain hardware attacks such as the timing attack and "glitching".

Glitching here is basically the process of triggering processor bugs by electronic means.

This is the way we used to be able to run unsigned code.

The reset glitch in a few words
===============================

We found that sending a tiny reset pulse to the processor while it is slowed down does not reset it but instead changes the way the code runs; it seems it's very efficient at making bootloaders' memcmp functions always return "no differences". memcmp is often used to check the next bootloader's SHA hash against a stored one, allowing it to run if they are the same. So we can put a bootloader that would fail the hash check in NAND, glitch the previous one, and that bootloader will run, allowing almost any code to run.

Details for the fat hack
========================

On fats, the bootloader we glitch is CB, so we can run the CD we want.

cjak found that by asserting the CPU_PLL_BYPASS signal, the CPU clock is slowed down a lot; there's a test point on the motherboard that's a fraction of CPU speed: it's 200MHz when the dash runs, 66.6MHz when the console boots, and 520KHz when that signal is asserted.

So it goes like that:
- We assert CPU_PLL_BYPASS around POST code 36 (hex).
- We wait for POST 39 start (POST 39 is the memcmp between stored hash and image hash), and start a counter.
- When that counter has reached a precise value (it's often around 62% of entire POST 39 length), we send a 100ns pulse on CPU_RESET.
- We wait some time and then we deassert CPU_PLL_BYPASS.
- The CPU speed goes back to normal, and with a bit of luck, instead of getting POST error AD, the boot process continues and CB runs our custom CD.

The NAND contains a zero-paired CB, our payload in a custom CD, and a modified SMC image.
A glitch being unreliable by nature, we use a modified SMC image that reboots infinitely (i.e. stock images reboot 5 times and then go RROD) until the console has booted properly.
In most cases, the glitch succeeds in less than 30 seconds from power on that way.

Details for the slim hack
=========================

The bootloader we glitch is CB_A, so we can run the CB_B we want.

On slims, we weren't able to find a motherboard track for CPU_PLL_BYPASS.
Our first idea was to remove the 27MHz master 360 crystal and generate our own clock instead, but it was a difficult modification and it didn't yield good results.
We then looked for other ways to slow the CPU clock down and found that the HANA chip had configurable PLL registers for the 100MHz clock that feeds the CPU and GPU differential pairs.
Apparently those registers are written by the SMC through an I2C bus.
The I2C bus can be freely accessed; it's even available on a header (J2C3).
So the HANA chip will now become our weapon of choice to slow the CPU down (sorry tmbinc, you can't always be right: it isn't boring and it does sit on an interesting bus).

So it goes like that:
- We send an I2C command to the HANA to slow down the CPU at POST code D8.
- We wait for POST DA start (POST DA is the memcmp between stored hash and image hash), and start a counter.
- When that counter has reached a precise value, we send a 20ns pulse on CPU_RESET.
- We wait some time and then we send an I2C command to the HANA to restore the regular CPU clock.
- The CPU speed goes back to normal, and with a bit of luck, instead of getting POST error F2, the boot process continues and CB_A runs our custom CB_B.

When CB_B starts, DRAM isn't initialised so we chose to only apply a few patches to it so that it can run any CD, the patches are:
- Always activate zero-paired mode, so that we can use a modified SMC image.
- Don't decrypt CD, instead expect a plaintext CD in NAND.
- Don't stop the boot process if CD hash isn't good.

CB_B is RC4-encrypted, and the key comes from the CPU key, so how do we patch CB_B without knowing the CPU key?
RC4 is basically:
crypted = plaintext xor pseudo-random-keystream
So if we know plaintext and crypted, we can get the keystream, and with the keystream we can encrypt our own code. It goes like that:
guessed-pseudo-random-keystream = crypted xor plaintext
new-crypted = guessed-pseudo-random-keystream xor plaintext-patch
You could think there's a chicken-and-egg problem: how did we get the plaintext in the first place?
Easy: we had plaintext CBs from fat consoles, and we thought the first few bytes of code would be the same as in the new CB_B, so we could encrypt a tiny piece of code to dump the CPU key and decrypt CB_B!

The NAND contains CB_A, a patched CB_B, our payload in a custom plaintext CD, and a modified SMC image.
The SMC image is modified to have infinite reboot, and to prevent it from periodically sending I2C commands while we send ours.

Now, maybe you haven't realised it yet, but CB_A contains no checks on revocation fuses, so it's an unpatchable hack!

Caveats
=======

Nothing is ever perfect, so there are a few caveats to that hack:
- Even if the glitch we found is pretty reliable (25% success rate per try on average), it can take up to a few minutes to boot to unsigned code.
- That success rate seems to depend on something like the hash of the modified bootloader we want to run (CD for fats and CB_B for slims).
- It requires precise and fast hardware to be able to send the reset pulse.

Our current implementation
==========================

We used a Xilinx CoolRunner II CPLD (xc2c64a) board, because it's fast, precise, updatable, cheap and can work with 2 different voltage levels at the same time.
We use the 48MHz standby clock from the 360 for the glitch counter. For the slim hack, the counter even runs at 96MHz (incremented on rising and falling edges of the clock).
The CPLD code is written in VHDL.
We need it to be aware of the current POST code; our first implementations used the whole 8-bit POST port for this, but we are now able to detect the changes of only 1 POST bit, making wiring easier.

Conclusion
==========

We tried not to include any MS copyrighted code in the released hack tools.
The purpose of this hack is to run Xell and other free software, I (GliGli) did NOT do it to promote piracy or anything related, I just want to be able to do whatever I want with the hardware I bought, including running my own native code on it.

Credits
=======

GliGli, Tiros: Reverse engineering and hack development.
cOz: Reverse engineering, beta testing.
Razkar, tuxuser: beta testing.
cjak, Redline99, SeventhSon, tmbinc, anyone I forgot... : Prior reverse engineering and/or hacking work on the 360.


Last edited by Mini-Uzi ; edited 30 times in total

The following 53 users thanked Mini-Uzi for this useful post:

HarTar (04-24-2012), Nathan-- (12-07-2011), M0d (11-11-2011), Shirohige (11-06-2011), -Jord (11-04-2011), NCAA (10-21-2011), marsupiallizard (09-29-2011), Stance (09-22-2011), TTG-Steady (09-18-2011), mike007b (09-07-2011), FiKzT_Prodigy (09-06-2011), JTAG-GALORE (09-01-2011), SARG3NT (09-01-2011), Kugryshev (09-01-2011), -TANK- (08-31-2011), slapah0 (08-31-2011), Sequrity (08-30-2011), Secrets (08-29-2011), johnny_appleseed (08-29-2011), Sethmeistermann (08-29-2011), jimmer89 (08-29-2011), danskeav (08-29-2011), WastedShnarf (08-29-2011), Dummazz (08-29-2011), -SnoopDogg- (08-28-2011), Honest (08-28-2011), HankWilliamsJr (08-28-2011), adamdrucz1029 (08-28-2011), noneed4aname (08-28-2011), proud2bpunk (08-28-2011), Blind_Isos (08-28-2011), Jacob8hockey (08-28-2011), Flup (08-28-2011), MatthewUK (08-28-2011), FlamesUK (08-28-2011), registry_editor (08-28-2011), Nuka (08-28-2011), -InFamous- (08-28-2011), Fiberzz (08-28-2011), I_Am_Superman (08-28-2011), MrFunEGUY (08-28-2011), MangoMods (08-28-2011), Pipe (08-28-2011), dRaiL (08-28-2011), HACKERX01101 (08-28-2011), Matt (08-28-2011), pvtpunchu (08-28-2011), No1 (08-28-2011), vegasgamer (08-28-2011), LostPhone (08-28-2011), -Cammy- (08-28-2011), Nab (08-28-2011), iPatobo (08-28-2011)
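The "dump the NAND twice and make sure both dumps are identical" step in section I above is the one integrity check in the whole procedure, and eyeballing two large files is not a check. The script below is an added example written for this page, not a tool from the tutorial or from the NandPro or GliGli releases: it hashes two reads, confirms they are the same size, and lists the raw block indices where they disagree, so a flaky cable or USB hiccup shows up as a handful of block numbers rather than as a silent bad flash later. The default block size of 0x4200 bytes is an assumption for the example (pass your own), and the sample dumps are constructed filler.

```python
import hashlib
import sys
from dataclasses import dataclass, field

# Assumed raw block size: 0x4200 bytes per block including spare bytes.
# This is an assumption for the example; pass the right value for your NAND.
DEFAULT_BLOCK_SIZE = 0x4200


@dataclass
class DumpComparison:
    same_size: bool
    identical: bool
    sha256_a: str
    sha256_b: str
    differing_blocks: list = field(default_factory=list)


def compare_dumps(dump_a: bytes, dump_b: bytes,
                  block_size: int = DEFAULT_BLOCK_SIZE) -> DumpComparison:
    """Compare two reads of the same NAND and list the blocks that disagree.

    A flaky read shows up as one or a few differing blocks; a size mismatch
    usually means one read was truncated.
    """
    sha_a = hashlib.sha256(dump_a).hexdigest()
    sha_b = hashlib.sha256(dump_b).hexdigest()
    same_size = len(dump_a) == len(dump_b)
    identical = same_size and sha_a == sha_b
    differing = []
    if not identical:
        n_blocks = -(-max(len(dump_a), len(dump_b)) // block_size)  # ceil division
        for blk in range(n_blocks):
            window = slice(blk * block_size, (blk + 1) * block_size)
            if dump_a[window] != dump_b[window]:
                differing.append(blk)
    return DumpComparison(same_size, identical, sha_a, sha_b, differing)


def compare_dump_files(path_a: str, path_b: str,
                       block_size: int = DEFAULT_BLOCK_SIZE) -> DumpComparison:
    """Same check, reading both dumps from disk."""
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        return compare_dumps(fa.read(), fb.read(), block_size)


def build_sample_dump(seed: int, n_blocks: int, block_size: int) -> bytes:
    """Constructed, deterministic filler standing in for a real dump."""
    out = bytearray()
    for blk in range(n_blocks):
        chunk = hashlib.sha256(f"{seed}:{blk}".encode()).digest()
        out += (chunk * (block_size // len(chunk) + 1))[:block_size]
    return bytes(out)


def demo() -> tuple:
    """Returns (clean comparison, comparison with one corrupted byte in block 3)."""
    bs = DEFAULT_BLOCK_SIZE
    first_read = build_sample_dump(seed=1, n_blocks=8, block_size=bs)
    second_read = bytearray(first_read)
    second_read[3 * bs + 100] ^= 0x40  # constructed single-bit read error
    return (compare_dumps(first_read, first_read, bs),
            compare_dumps(first_read, bytes(second_read), bs))


if __name__ == "__main__":
    if len(sys.argv) == 3:
        result = compare_dump_files(sys.argv[1], sys.argv[2])
    else:
        result = demo()[1]
    if result.identical:
        print("identical:", result.sha256_a)
    else:
        print(f"MISMATCH: same_size={result.same_size} "
              f"differing_blocks={result.differing_blocks}")
```

Run it with two dump paths (`python compare_dumps.py nand1.bin nand2.bin`); if any block numbers come back, read the NAND again rather than flashing from either copy.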
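GliGli's write-up above describes the boot chain (1BL, CB, CD, kernel) as a sequence in which each stage hashes the next one and compares the result, via memcmp, against a stored value, and notes that the glitch's entire effect is to make that one comparison report "no differences". The model below is an added example, not code from the write-up or from the released tools: it walks a constructed four-stage chain, halts on the first hash mismatch, and exposes the comparison as a replaceable function so that the cost of that single comparison giving a wrong answer can be seen without any hardware. Stage names follow the write-up; the stage contents, the choice of SHA-1, and the `compare` hook are assumptions made for the example.

```python
import hashlib
from dataclasses import dataclass
from typing import Callable, Dict, List, Tuple


@dataclass(frozen=True)
class Stage:
    name: str    # "1BL", "CB", "CD", "kernel" as in the write-up
    code: bytes  # constructed stand-in content, not real console code


def stage_hash(code: bytes) -> bytes:
    # The write-up only says "SHA hash"; SHA-1 is an assumption for the model.
    return hashlib.sha1(code).digest()


def stored_hashes(chain: List[Stage]) -> Dict[str, bytes]:
    """Each stage carries the expected hash of the stage that follows it."""
    return {chain[i].name: stage_hash(chain[i + 1].code)
            for i in range(len(chain) - 1)}


def faithful_compare(stored: bytes, computed: bytes) -> bool:
    return stored == computed


def boot(chain: List[Stage], expected: Dict[str, bytes],
         compare: Callable[[bytes, bytes], bool] = faithful_compare
         ) -> Tuple[bool, List[str]]:
    """Walk the chain; every stage checks the next one before handing over.

    `compare` models the memcmp-style check. With the faithful comparison a
    modified stage halts the boot; a comparison that answers "equal"
    regardless of its inputs lets the modified stage run, which is exactly why
    that one call is the whole trust boundary.
    """
    log = []
    for i in range(len(chain) - 1):
        cur, nxt = chain[i], chain[i + 1]
        if not compare(expected[cur.name], stage_hash(nxt.code)):
            log.append(f"{cur.name}: hash mismatch on {nxt.name}, boot halted")
            return False, log
        log.append(f"{cur.name}: {nxt.name} verified, handing over")
    log.append(f"{chain[-1].name}: running")
    return True, log


def demo() -> dict:
    # Constructed stand-ins for the real images.
    stock = [Stage("1BL", b"rom-1bl"), Stage("CB", b"cb-stock"),
             Stage("CD", b"cd-stock"), Stage("kernel", b"kernel-stock")]
    expected = stored_hashes(stock)

    # Same chain, but the CD no longer matches the hash stored in CB.
    modified = list(stock)
    modified[2] = Stage("CD", b"cd-custom")

    def always_equal(stored: bytes, computed: bytes) -> bool:
        return True  # a comparator whose answer is not tied to its inputs

    return {
        "stock_boots": boot(stock, expected)[0],
        "modified_boots": boot(modified, expected)[0],
        "modified_halt_message": boot(modified, expected)[1][-1],
        "modified_boots_with_faulty_compare": boot(modified, expected, always_equal)[0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point of the hook is defensive: if a verifier's result can be summarised as one boolean from one comparison, anything that disturbs that comparison disturbs the whole chain, and the later stages have no way to notice because, as the write-up says, CB_A itself carries no further check.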
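The slim section above explains why CB_B could be patched without the CPU key: RC4 is a stream cipher, so crypted = plaintext xor keystream, and a known plaintext prefix gives back the keystream for exactly that prefix. The example below is added for this page (not GliGli's code; the keys and the bootloader text are constructed): it re-derives the keystream from a known 16-byte prefix, re-encrypts a replacement prefix that the real key then decrypts cleanly, and shows the defensive side that an encryption-only design lacks, a MAC over the ciphertext that rejects the altered image. RC4 is written out in pure Python so the block runs without PyCrypto.

```python
import hashlib
import hmac


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Plain RC4 (KSA + PRGA), spelled out so the example runs offline."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    """Encryption and decryption are the same xor with the keystream."""
    return xor_bytes(data, rc4_keystream(key, len(data)))


def recover_keystream(crypted: bytes, known_plaintext: bytes) -> bytes:
    """guessed-keystream = crypted xor plaintext, valid only for the known prefix."""
    return xor_bytes(crypted[:len(known_plaintext)], known_plaintext)


def reencrypt_prefix(crypted: bytes, keystream: bytes, new_plaintext: bytes) -> bytes:
    """new-crypted = keystream xor new plaintext; bytes past the prefix are left as they were."""
    return (xor_bytes(keystream[:len(new_plaintext)], new_plaintext)
            + crypted[len(new_plaintext):])


def tag(mac_key: bytes, crypted: bytes) -> bytes:
    """The integrity layer an RC4-only design lacks: a MAC over the ciphertext."""
    return hmac.new(mac_key, crypted, hashlib.sha256).digest()


def tag_ok(mac_key: bytes, crypted: bytes, expected_tag: bytes) -> bool:
    return hmac.compare_digest(tag(mac_key, crypted), expected_tag)


def demo() -> dict:
    # Constructed keys and contents; nothing here is a real console value.
    cpu_derived_key = b"constructed-key-never-known-to-the-image-editor"
    mac_key = b"constructed-mac-key"
    plaintext = b"CB_B: verify CD hash; halt on mismatch; decrypt CD"
    crypted = rc4_crypt(cpu_derived_key, plaintext)

    # Only the first 16 bytes are assumed known (a prefix shared with an older,
    # plaintext bootloader), exactly the situation the write-up describes.
    known_prefix = plaintext[:16]
    keystream = recover_keystream(crypted, known_prefix)

    new_prefix = b"CB_B: patched!! "  # 16 bytes, replaces the known prefix
    forged = reencrypt_prefix(crypted, keystream, new_prefix)
    decrypted = rc4_crypt(cpu_derived_key, forged)  # what a key holder would see

    reference_tag = tag(mac_key, crypted)  # computed over the genuine image
    return {
        "keystream_recovered": keystream == rc4_keystream(cpu_derived_key, 16),
        "decrypted_prefix": decrypted[:16],
        "tail_unchanged": decrypted[16:] == plaintext[16:],
        "forgery_detected_by_mac": not tag_ok(mac_key, forged, reference_tag),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

Two things to take from it: the key never enters the forgery path at all, only a plaintext/ciphertext pair does, and the MAC check catches the change because it binds the ciphertext bytes, which the xor trick cannot reproduce without the MAC key. That is the general argument for authenticated encryption rather than a bare stream cipher over anything a verifier trusts.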
#2. Posted:
Wagering
  • 2 Million
Status: Offline
Joined: Dec 18, 2010 (14 Year Member)
Posts: 1,264
Reputation Power: 5
So what exactly can you do with this hack?
#3. Posted:
Mini-Uzi
  • TTG Senior
Status: Offline
Joined: Nov 29, 2010 (14 Year Member)
Posts: 1,902
Reputation Power: 102
Wagering wrote: So what exactly can you do with this hack?


LOOOOOOOOOOOOOOOOL you can run unsigned code on a slim; this is big news for the Xbox modding scene.
#4. Posted:
Eaton
  • TTG Senior
Status: Offline
Joined: May 30, 2010 (14 Year Member)
Posts: 1,252
Reputation Power: 93
This is insanely awesome! Never thought this day would come!
#5. Posted:
Mavhammer
  • TTG Addict
Status: Offline
Joined: Jun 17, 2011 (13 Year Member)
Posts: 2,059
Reputation Power: 86
This seems a lot harder than doing the normal JTAG modification.
#6. Posted:
Wailfulnose
  • Challenger
Status: Offline
Joined: May 21, 2011 (13 Year Member)
Posts: 193
Reputation Power: 7
This is the greatest post on the tech game. Make vouches. This is going to help everyone. Thanks.
#7. Posted:
iPatobo
  • 1000 Thanks
Status: Offline
Joined: Sep 05, 2010 (14 Year Member)
Posts: 3,218
Reputation Power: 209
Eaton wrote: This is insanely awesome! Never thought this day would come!


You and me both!

This is going to be a HUGE blow to MS.

Inb4Sticky!

P.S.

This won't allow you to go online and host lobbies, or even connect to Xbox Live.

This will just allow you to JTAG the Valhalla motherboards (aka Slimline consoles) and, when released, other consoles above the 7371 dashboard, which was previously impossible.


Last edited by iPatobo ; edited 1 time in total
#8. Posted:
Mini-Uzi
  • TTG Senior
Status: Offline
Joined: Nov 29, 2010 (14 Year Member)
Posts: 1,902
Reputation Power: 102
Eaton wrote: This is insanely awesome! Never thought this day would come!


Same, never thought a slim would be modded like this.
#9. Posted:
Mavhammer
  • TTG Addict
Status: Offline
Joined: Jun 17, 2011 (13 Year Member)
Posts: 2,059
Reputation Power: 86
This is awesome. How much do you think they will start at?
#10. Posted:
Mini-Uzi
  • TTG Senior
Status: Offline
Joined: Nov 29, 2010 (14 Year Member)
Posts: 1,902
Reputation Power: 102
SnorlaxModz wrote: This is awesome. How much do you think they will start at?


Not sure, bro, but this is a huge breakthrough.