You are viewing our Forum Archives. To view or take place in current topics click here.
Xbox 360 RGH Tutorial| RGH 2.0| J-Runner| Fixes [TUT]
Posted:

Xbox 360 RGH Tutorial| RGH 2.0| J-Runner| Fixes [TUT]Posted:

SeaEye
  • V5 Launch
Status: Offline
Joined: May 03, 201113Year Member
Posts: 3,845
Reputation Power: 251
Status: Offline
Joined: May 03, 201113Year Member
Posts: 3,845
Reputation Power: 251
RGH Tutorial



Creds to NickXModz for the first coding. Gli Gli thanks for this. Along with others!

What is a Reset Glitched console (RGH)




Introduction

Gli Gli wrote The software based approaches of running unsigned code on the 360 mostly don't work, it was designed to be secure from a software point of view.

The processor starts running code from ROM (1bl) , which then starts loading a RSA signed and RC4 crypted piece of code from NAND (CB).

CB then initialises the processor security engine, its task will be to do real time encryption and hash check of physical DRAM memory. From what we found, it's using AES128 for crypto and strong (Toeplitz ?) hashing. The crypto is different each boot because it is seeded at least from:
- A hash of the entire fuseset.
- The timebase counter value.
- A truly random value that comes from the hardware random number generator the processor embeds. on fats, that RNG could be electronically deactivated, but there's a check for "apparent randomness" (merely a count of 1 bits) in CB, it just waits for a seemingly proper random number.

CB can then run some kind of simple bytecode based software engine whose task will mainly be to initialise DRAM, CB can then load the next bootloader (CD) from NAND into it, and run it.

Basically, CD will load a base kernel from NAND, patch it and run it.

That kernel contains a small privileged piece of code (hypervisor), when the console runs, this is the only code that would have enough rights to run unsigned code.
In kernel versions 4532/4548, a critical flaw in it appeared, and all known 360 hacks needed to run one of those kernels and exploit that flaw to run unsigned code.
On current 360s, CD contains a hash of those 2 kernels and will stop the boot process if you try to load them.
The hypervisor is a relatively small piece of code to check for flaws and apparently no newer ones has any flaws that could allow running unsigned code.

On the other hand, tmbinc said the 360 wasn't designed to withstand certain hardware attacks such as the timing attack and "glitching".

Glitching here is basically the process of triggering processor bugs by electronical means.

This is the way we used to be able to run unsigned code.





Reset Glitch in a few words

Gli Gli wrote They found that by sending a tiny reset pulse to the processor while it is slowed down does not reset it but instead changes the way the code runs, it seems it's very efficient at making bootloaders memcmp functions always return "no differences". memcmp is often used to check the next bootloader SHA hash against a stored one, allowing it to run if they are the same. So we can put a bootloader that would fail hash check in NAND, glitch the previous one and that bootloader will run, allowing almost any code to run.





Details on the phat hack

Gli Gli wrote On fats, the bootloader we glitch is CB, so we can run the CD we want.

cjak found that by asserting the CPU_PLL_BYPASS signal, the CPU clock is slowed down a lot, there's a test point on the motherboard that's a fraction of CPU speed, it's 200Mhz when the dash runs, 66.6Mhz when the console boots, and 520Khz when that signal is asserted.

So it goes like that:
- We assert CPU_PLL_BYPASS around POST code 36 (hex).
- We wait for POST 39 start (POST 39 is the memcmp between stored hash and image hash), and start a counter.
- When that counter has reached a precise value (it's often around 62% of entire POST 39 length), we send a 100ns pulse on CPU_RESET.
- We wait some time and then we deassert CPU_PLL_BYPASS.
- The cpu speed goes back to normal, and with a bit of luck, instead of getting POST error AD, the boot process continues and CB runs our custom CD.

The NAND contains a zero-paired CB, our payload in a custom CD, and a modified SMC image.
A glitch being unreliable by nature, we use a modified SMC image that reboots infinitely (ie stock images reboot 5 times and then go RROD) until the console has booted properly.
In most cases, the glitch succeeds in less than 30 seconds from power on that way.





Details on the slim hack

The bootloader we glitch is CB_A, so we can run the CB_B we want.

On slims, we weren't able to find a motherboard track for CPU_PLL_BYPASS.
Our first idea was to remove the 27Mhz master 360 crystal and generate our own clock instead but it was a difficult modification and it didn't yield good results.
We then looked for other ways to slow the CPU clock down and found that the HANA chip had configurable PLL registers for the 100Mhz clock that feeds CPU and GPU differential pairs.
Apparently those registers are written by the SMC through an I2C bus.
I2C bus can be freely accessed, it's even available on a header (J2C3).
So the HANA chip will now become our weapon of choice to slow the CPU down (sorry tmbinc, you can't always be right, it isn't boring and it does sit on an interesting bus

So it goes like that:
- We send an i2c command to the HANA to slow down the CPU at POST code D8 .
- We wait for POST DA start (POST DA is the memcmp between stored hash and image hash), and start a counter.
- When that counter has reached a precise value, we send a 20ns pulse on CPU_RESET.
- We wait some time and then we send an i2c command to the HANA to restore regular CPU clock.
- The cpu speed goes back to normal, and with a bit of luck, instead of getting POST error F2, the boot process continues and CB_A runs our custom CB_B.

When CB_B starts, DRAM isn't initialised so we chose to only apply a few patches to it so that it can run any CD, the patches are:
- Always activate zero-paired mode, so that we can use a modified SMC image.
- Don't decrypt CD, instead expect a plaintext CD in NAND.
- Don't stop the boot process if CD hash isn't good.

CB_B is RC4 crypted, the key comes from the CPU key, so how do we patch CB_B without knowing the CPU key?
RC4 is basically:
crypted = plaintext xor pseudo-random-keystream
So if we know plaintext and crypted, we can get the keystream, and with the keystream, we can encrypt our own code. It goes like that:
guessed-pseudo-random-keystream = crypted xor plaintext
new-crypted = guessed-pseudo-random-keystream xor plaintext-patch
You could think there's a chicken and egg problem, how did we get plaintext in the first place?
Easy: we had plaintext CBs from fat consoles, and we thought the first few bytes of code would be the same as the new CB_B, so we could encrypt a tiny piece of code to dump the CPU key and decrypt CB_B!

The NAND contains CB_A, a patched CB_B, our payload in a custom plaintext CD, and a modified SMC image.
The SMC image is modified to have infinite reboot, and to prevent it from periodically sending I2C commands while we send ours.

Now, maybe you haven't realised yet, but CB_A contains no checks on revocation fuses, so it's an unpatchable hack !






Supplies Needed Throughout:
Soldering Iron
Solder
Coolrunner Rev B
Xbox
Nand X
Cool Runner to Nand X wire






Step One: Programming CoolRunner

Flip switch to program on CoolRunner:
[ Register or Signin to view external links. ]


Switch it to PHAT or SLIM ^^

Plug in CoolRunner To Nandx Cable:
[ Register or Signin to view external links. ]

Find out your console type using this image:
[ Register or Signin to view external links. ]



Plug in the console type. And follow the diagram.
[ Register or Signin to view external links. ]






Step 2: Soldering Nand X

Slim:
[ Register or Signin to view external links. ]


Phat:
[ Register or Signin to view external links. ]





Step 3: Wiring CoolRunner To Board

Xenon(Usually Used to Retrieve DVD keys:(
[ Register or Signin to view external links. ]


Zephyr, Falcon, Jasper(RGH) :
[ Register or Signin to view external links. ]


Zephyr, Falcon, Jasper(RGH 2.0) :
[ Register or Signin to view external links. ]


Slim(Has to be Trinity)(RGH+RGH2.0, They are the same:
[ Register or Signin to view external links. ]






Step 4: Reading Nand

Once the nandx wires are installed and nandx is plugged in with drivers we are ready to read!

[ Register or Signin to view external links. ]

You should see this in the cmd window in J-Runner:
[ Register or Signin to view external links. ]






Step 5: Creating/Writing ECC Image

The ecc image will allow you to boot Xell Reloaded to retrieve your CPU key

First: Input Nand and Create the image.
[ Register or Signin to view external links. ]


Then write(Should only take 5-10 seconds:(
[ Register or Signin to view external links. ]


Boot the console. Take a Pic. And combine fusesets 3+5 or 4+6. If it boots slow on a jasper. bridge the onboard cap.





Step 6:Create GG Build

Input CPU key, Choose dash, Create image, Write it. Simple!

[ Register or Signin to view external links. ]






Your done with the RGH!





Pulling Wires Fixes/ Alternate Points:


Creds to UberGeek: [ Register or Signin to view external links. ]

Thanks to Pacote-San - full credits to him.

Taken from [ Register or Signin to view external links. ]

This was was initially a thread to help me out fixing a client's Jasper with several burned pads.

I had a E74 Falcon gathering dust in my closet so i decided to use it to make this little guide on how to fix what i think it will be the most problematic points on the PHAT motherboards.

If you remember the Lite-on MRA you know that as soon as the reset glitch gets more popular (probably when the next hacked dash gets released), a whole lot of people who never used a soldering iron before will try themselves and they WILL FAIL MISERABLY!

So i just purposely Fuc#$@ the problematic points so i could fix them and create this guide.

I will be doing a slim console soon

So i hope you guys appreciate as this took me a few hours to create :p


FIRST THINGS FIRST:

- Here are some tools that i used and greatly helped me with these fixes:

- Multimeter (to check the traces)

- A fiberglass pen to scrap the traces (you can use an Exacto knife too, but i prefer the pen)

[ Register or Signin to view external links. ]

Orange Wire

[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]


ALTERNATIVE POINT THANKS TO KIPPER2K (FT2R2 - Grey wire)

[ Register or Signin to view external links. ]



Yellow Wire

[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]


Green Wire

[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]
[ Register or Signin to view external links. ]






Thanks and hope this helps! If you see a fault please comment!

Enjoi :coffee:

The following 9 users thanked SeaEye for this useful post:

Creds (12-21-2012), VillaHD (11-11-2012), DynamicBomb (06-30-2012), Famous (06-21-2012), Stance (06-14-2012), iXixPerfXtionZx (06-08-2012), Carlooch (05-15-2012), M0d (05-14-2012), Lost (05-14-2012)
#2. Posted:
BoSsLoBbYz
  • Gold Gifter
Status: Offline
Joined: Oct 01, 201014Year Member
Posts: 4,566
Reputation Power: 228
Status: Offline
Joined: Oct 01, 201014Year Member
Posts: 4,566
Reputation Power: 228
looks nice soon to be stickied i bet
#3. Posted:
zQee
  • Challenger
Status: Offline
Joined: May 06, 201212Year Member
Posts: 158
Reputation Power: 9
Status: Offline
Joined: May 06, 201212Year Member
Posts: 158
Reputation Power: 9
Could to post the link to the cool runner & nandx and the wires UK ?
#4. Posted:
EvoshieldSwag
  • Prospect
Status: Offline
Joined: Sep 14, 201113Year Member
Posts: 609
Reputation Power: 37
Status: Offline
Joined: Sep 14, 201113Year Member
Posts: 609
Reputation Power: 37
Nice tut man!! I'd try it but I'd mess up! And I have no idea where to get the tools!
#5. Posted:
-Jtags-
  • Powerhouse
Status: Offline
Joined: Apr 25, 201212Year Member
Posts: 462
Reputation Power: 20
Status: Offline
Joined: Apr 25, 201212Year Member
Posts: 462
Reputation Power: 20
Very nice post, thanks
#6. Posted:
Lost
  • Moderator
Status: Offline
Joined: Jul 17, 201014Year Member
Posts: 13,802
Reputation Power: 47931
Motto: PM me if you have any issues.
Motto: PM me if you have any issues.
Status: Offline
Joined: Jul 17, 201014Year Member
Posts: 13,802
Reputation Power: 47931
Motto: PM me if you have any issues.
Very nice tut you have here!
#7. Posted:
M0d
  • TTG Master
Status: Offline
Joined: Dec 23, 201013Year Member
Posts: 878
Reputation Power: 40
Status: Offline
Joined: Dec 23, 201013Year Member
Posts: 878
Reputation Power: 40
Very nice post, very well organized, thanks for this!
#8. Posted:
Dragovich
  • Ladder Climber
Status: Offline
Joined: Jan 29, 201212Year Member
Posts: 323
Reputation Power: 21
Status: Offline
Joined: Jan 29, 201212Year Member
Posts: 323
Reputation Power: 21
Great Job looks great
#9. Posted:
iXixPerfXtionZx
  • Challenger
Status: Offline
Joined: May 05, 201014Year Member
Posts: 127
Reputation Power: 7
Status: Offline
Joined: May 05, 201014Year Member
Posts: 127
Reputation Power: 7
i know this is a dumb question but im confused a little, to do the RGH hack to a console does it have to be on a certain kernel?
#10. Posted:
SeaEye
  • TTG Contender
Status: Offline
Joined: May 03, 201113Year Member
Posts: 3,845
Reputation Power: 251
Status: Offline
Joined: May 03, 201113Year Member
Posts: 3,845
Reputation Power: 251
SolidDUECE wrote i know this is a dumb question but im confused a little, to do the RGH hack to a console does it have to be on a certain kernel?


No with the new RGH update you dont.
Jump to:
You are viewing our Forum Archives. To view or take place in current topics click here.