19.06.2016, 07:46, Games
The Xbox 360 reset glitch humdrum — New Homebrew Humdrum!

GliGli released a new hack to boot the Xbox 360 into XeLL and thus run homebrew software on your console. It is compatible with ALL dashboard versions and ALL Slim and Fat (except Xenon; Falcon support will come later) models and is unpatchable via software updates by Microsoft.

From the readme/nfo:

Introduction / some important facts

tmbinc said it himself: software based approaches to running unsigned code on the 360 mostly don't work, it was designed to be locked up from a software point of view.

The processor starts running code from ROM (1bl), which then starts loading an RSA signed and RC4 crypted piece of code from NAND (CB).

CB then initialises the processor security engine, whose task is to do real time encryption and hash checking of physical DRAM memory. From what we found, it's using AES128 for crypto and strong (Toeplitz ?) hashing. The crypto is different each boot because it is seeded at least from:
— A hash of the entire fuseset.
— The timebase counter value.
— A truly random value that comes from the hardware random number generator the processor embeds. On fats, that RNG could be electronically deactivated, but there's a check for «apparent randomness» (merely a count of 1 bits) in CB, it just waits for a seemingly proper random number.

CB can then run some kind of simple bytecode based software engine whose task will mainly be to initialise DRAM; CB can then load the next bootloader (CD) from NAND into it, and run it.

Basically, CD will load a base kernel from NAND, patch it and run it.

That kernel contains a small piece of code (hypervisor); when the console runs, this is the only code that would have enough rights to run unsigned code.

In kernel versions 4532/4548, a critical bug in it appeared, and all known 360 hacks needed to run one of those kernels and exploit that bug to run unsigned code.

On current 360s, CD contains a hash of those 2 kernels and will stop the boot process if you try to load them.

The hypervisor is a relatively small piece of code to check for flaws, and apparently no newer one has any flaws that could allow running unsigned code.

On the other hand, tmbinc said the 360 wasn't designed to be secure against certain hardware attacks such as the timing attack and

Glitching here is basically the manage of triggering processor bugs by electronical means.

This is the way we used to be able to run unsigned code.

The reset glitch in a few words

We found that sending a tiny reset pulse to the processor while it is slowed down does not reset it but instead changes the way the code runs; it seems it's very efficient at making the bootloaders' memcmp functions always return «no differences».

memcmp is often used to check the next bootloader's SHA hash against a stored one, allowing it to run if they are the same.

So we can put a bootloader that would fail the hash check in NAND, glitch the previous one, and that bootloader will run, allowing almost any code to run.

Details for the fat hack

On fats, the bootloader we glitch is CB, so we can run the CD we want.

cjak found that by asserting the CPU_PLL_BYPASS signal, the CPU clock is slowed down a lot; there's a test point on the motherboard that's a fraction of the CPU speed, it's 200Mhz when the dashboard runs, 66.6Mhz when the console boots, and 520Khz when that signal is asserted.

So it goes like that:
— We assert CPU_PLL_BYPASS around POST code 36 (hex).
— We wait for POST 39 start (POST 39 is the memcmp between stored hash and image hash), and start a counter.
— When that counter has reached a precise value (it's often around 62% of the entire POST 39 length), we send a 100ns pulse on
— We wait some time and then we deassert CPU_PLL_BYPASS.
— The cpu speed goes back to normal, and with a bit of luck, instead of getting POST error AD, the boot process continues and CB runs our custom CD.

The NAND contains a zero-paired CB, our payload in a custom CD, and a modified SMC image.

A glitch being unreliable by nature, we use a modified SMC image that reboots infinitely (ie retail images reboot 5 times and then go RROD) until the console has booted properly.

In most cases, the glitch succeeds in less than 30 seconds from power on that way.

Details for the slim hack

The bootloader we glitch is CB_A, so we can run the CB_B we want.

On slims, we weren't able to find a motherboard track for CPU_PLL_BYPASS.

Our first idea was to remove the 27Mhz master 360 crystal and generate our own clock instead, but it was a difficult modification and it didn't yield good results.

We then looked for other ways to slow the CPU clock down and found that the HANA chip had configurable PLL registers for the 100Mhz clock that feeds the CPU and GPU differential pairs.

Apparently those registers are written by the SMC through an I2C bus.

The I2C bus can be freely accessed; it's even available on a header (J2C3).

So the HANA chip will now become our weapon of choice to slow the CPU down (sorry tmbinc, you can't always be right, it isn't boring and it does sit on an interesting bus ;)

So it goes like that:
— We send an i2c command to the HANA to slow down the CPU at POST code D8.
— We wait for POST DA start (POST DA is the memcmp between stored hash and image hash), and start a counter.
— When that counter has reached a precise value, we send a 20ns pulse on CPU_RESET.
— We wait some time and then we send an i2c command to the HANA to restore the proper CPU clock.
— The cpu speed goes back to normal, and with a bit of luck, instead of getting POST error F2, the boot process continues and CB_A runs our custom CB_B.

When CB_B starts, DRAM isn't initialised, so we chose to only apply a few patches to it so that it can run any CD. The patches are:
— Always activate zero-paired mode, so that we can use a modified SMC image.
— Don't decrypt CD, instead expect a plaintext CD in NAND.
— Don't stop the boot process if the CD hash isn't good.

CB_B is RC4 crypted, and the key comes from the CPU key, so how do we patch CB_B without knowing the CPU key?
RC4 is basically:
crypted = plaintext xor pseudo-random-keystream
So if we know plaintext and crypted, we can get the keystream, and with the keystream, we can encrypt our own code. It goes like that:
guessed-pseudo-random-keystream = crypted xor plaintext
new-crypted = guessed-pseudo-random-keystream xor plaintext-patch
You could think there's a chicken and egg problem: how did we get plaintext in the first place?
Easy: we had plaintext CBs from fat consoles, and we assumed the first few bytes of code would be the same as the new CB_B, so we could encrypt a tiny piece of code to get the CPU key and decrypt CB_B!
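The keystream-reuse trick in the three formulas above, worked through as an added example (not code from GliGli's release): a toy RC4, a constructed key standing in for the CPU-key-derived one, and a constructed bootloader prefix assumed to be known from another console. It also shows the limit the text implies: only as many bytes as you know the plaintext for can be rewritten, because that is all the keystream you can recover.

```python
# Added example, not from the RGH release: RC4 is a stream cipher, so a
# ciphertext and its known plaintext reveal the keystream, and that keystream
# re-encrypts any other plaintext of the same length without the key.
# SECRET_KEY and KNOWN_PLAINTEXT are constructed stand-ins, not real CB_B data.

def rc4_keystream(key: bytes, length: int) -> bytes:
    """Standard RC4 (KSA + PRGA), returning `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # key scheduling
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):                   # pseudo-random generation
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

def xor(a: bytes, b: bytes) -> bytes:
    """Byte-wise XOR, truncated to the shorter input."""
    return bytes(x ^ y for x, y in zip(a, b))

def rc4(key: bytes, data: bytes) -> bytes:
    """crypted = plaintext xor keystream (decryption is the same operation)."""
    return xor(data, rc4_keystream(key, len(data)))

SECRET_KEY = bytes.fromhex("00112233445566778899aabbccddeeff")   # constructed
KNOWN_PLAINTEXT = b"CB_B header bytes assumed common to all images"  # constructed

def forge(crypted: bytes, known_plain: bytes, patch_plain: bytes) -> bytes:
    """guessed-keystream = crypted xor plaintext; new-crypted = keystream xor patch.
    Only the prefix whose plaintext is known yields keystream, so the patch
    cannot be longer than that prefix."""
    if len(patch_plain) > len(known_plain):
        raise ValueError("patch longer than the known-plaintext prefix")
    keystream = xor(crypted, known_plain)
    return xor(keystream, patch_plain)

def demo() -> bytes:
    crypted = rc4(SECRET_KEY, KNOWN_PLAINTEXT)          # what would sit in NAND
    patch = b"patched code of equal length, no key needed..."  # constructed
    new_crypted = forge(crypted, KNOWN_PLAINTEXT, patch)
    # The holder of the real key decrypts new_crypted and gets the patch back,
    # although the forger never learned the key.
    return rc4(SECRET_KEY, new_crypted)
```

The lesson for a defender is the usual one for stream ciphers: confidentiality of the key does not give integrity, so a hash or signature over the ciphertext (not a compare that can be glitched) is what actually protects the image.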

The NAND contains CB_A, a patched CB_B, our payload in a custom plaintext CD, and a modified SMC image.

The SMC image is modified to have infinite reboot, and to prevent it from periodically sending I2C commands while we send

Now, maybe you haven't realised yet, but CB_A contains no checks on revocation fuses, so it's an unpatchable hack!


Nothing is ever perfect, so there are a few caveats to that hack:
— Even if the glitch we found is quite reliable (25% success rate per try on average), it can take up to a few minutes to boot to unsigned code.
— That success rate seems to depend on something like the hash of the modified bootloader we want to run (CD for fats and CB_B for slims).
— It requires precise and fast hardware to be able to send the reset pulse.

Our current implementation

We used a Xilinx CoolRunner II CPLD (xc2c64a) board, because it's fast, precise, updatable, cheap and can work with 2 different voltage levels at the same time.

We use the 48Mhz standby clock from the 360 for the glitch counter. For the slim hack, the counter even runs at 96Mhz (incremented on rising and falling edges of the clock).
The cpld code is written in VHDL.

We need it to be aware of the current POST code; our first implementations used the whole 8 bit POST port for this, but we are now able to detect the changes of only 1 POST bit, making wiring easier.


We tried not to include any MS copyrighted code in the released hack tools.

The purpose of this hack is to run Xell and other free software. I (GliGli) did NOT do it to promote piracy or anything related, I just want to be able to do whatever I want with the hardware I bought, including running my own native code on


GliGli, Tiros: Reverse engineering and hack development.
cOz: Reverse engineering, beta testing.

Razkar, tuxuser: beta testing.
cjak, Redline99, SeventhSon, tmbinc, anyone I forgot... : Previous reverse engineering and/or hacking work on the 360.
