Thread: How were the 360 FW's hacked?

  1. #1
    imported_shamrockboy


    So I've been keeping up on all of the xbox 1 and 360 developments over the last 7 or 8 years. I've seen all the cool hacks and mods come and go and always thought to myself "How awesome are the people that come up with these". But I have always wanted to participate in projects such as these. I'm tired of leeching off of these great people in this community and finally want to be a contributor. So my first goal is to learn all the technical details involved with the 360 Firmware hacks. I am an engineer with a Fortune 500 computer manufacturing company, so I have the tech know-how to understand the different processes involved. I was wondering if someone could give me a link or some info on how it was all done technically. I've googled this many times but have been unable to find any really detailed information on this. I also wanted to say how much I love this site and to keep up the great work guys. :)

  2. #2
    psphackr


    If you read through this recent article you might have an idea

    A Memoir, Team HyperX. LiteOn Encryption
    >> An overview of the history behind firmware modification & the creation and conclusion of the team formerly 'Team Jungle' and the story of an unsuccessful extortion. All views expressed are documented between several members of Team Jungle, THX and the scene and are not opinions expressed by Xbox-Scene.

    A great amount of work has been put into the xtreme, and now current ixtreme firmware. commodore4eva, now simply known as 'c4e' came upon the scene to bring changes to the xbox360's firmware that led to new innovations and progress to a section within the xbox360 hacking scene.

    These changes have been for the most part very positive, and in 2009 I formed a group who became known as 'Team Jungle' who spent 8 months working in unison to crack the first LiteOn drive. It was a very very big achievement, and kudos is deserved all around for each member that did their share. It was a very bleak dismal long process that did not look so promising for many many months. The conclusion of Team Jungle/Team HyperX has arrived, and will be documented in this story. It is also my intention to notify everyone of facts previously withheld from the public, and to clear the air with some people unfairly accused of fraud and elitism/heroism with malcontent :)

    With the cat and mouse game of almost all modification scenes, with hackers vs vendors, technologies are constantly updated and secured against new vulnerabilities. As the ixtreme firmware was released for the LiteOn, it was apparent to that specific vendor that they needed to step up their game once their secure platform was defeated. It WAS a very brilliant design, for in the simplicity of basic hardware it becomes difficult to secure a platform without the host being entirely integrated into the overall security. We see the PS3 as a fine example of this: A hardware platform that has proven very secure from top to bottom!

    Unfortunately, as the securities increased, known vulnerabilities decreased and new methods needed to be found. Alas, they were :) Some of these vulnerabilities were hardware based, and some software. Some were vendor commands (cdb's) that were intentionally placed within the firmware for diagnostic purposes! A large part of firmware 'hacking' is disassembling the firmware and discovering all of the hidden cdb's for alternative usage (piracy, homebrew, etc).

    In order to hack the LiteOn, a team was necessary. c4e's talent was the final step to a very long process. You need experts on the physical/hardware side who are capable of extracting the firmware (since known software methods were locked out). Sometimes several hardware guys are needed for different areas of talent. One might be skilled in decapsulation and extraction methods and the other has xray and microscopes and is excellent at detailing :) The bottom line is 90% of the work was NOT associated with the firmware and the job performed by c4e. The firmware modification was the easy part! Of the 8 months spent on that project, only 24hrs was needed by c4e to complete his part of the project :)

    With every release of xtreme and ixtreme firmware different methods of hacking that particular hardware platform became apparent through documentation (tutorials), software (JF, sending cdb's, etc) or specs/technical information released. Speculation is always a key player whether methodology is apparent, released or not.

    When the 83850c hit the shelves, the public quickly figured out that there was a flaw: serial output was not working. So the team found a few 83850c's through our usual channels (distributors), purchased them (despite what you think, we usually buy our materials, most don't ever make it back. donations are very 'final'.) and got them shipped to one of our hardware specialists that is capable of decapsulating and reading eeproms. It takes a rather talented and unique skillset to decapsulate and dump eeproms with microfiber :) In fact, the 'micro' is an understatement: It's so small it's practically invisible to the human eye! Imagine trying to solder that!

    Our hardware genius successfully dumped the firmware. Since our crypto (software) genius already cracked the encryption algorithm of the original drive's firmware (which was one of the most difficult tasks of hacking the drive!!) it was just a matter of having him decrypt it for us. Once decrypted, c4e can start doing his patching routines, as well as analyze the firmware for security changes. For a month I sat in the dark as c4e and the rest of the group 'worked' on getting the drive to output key/serial data. At the time it was presumed impossible. On the 5th week I was brought full circle and informed that the team had been coordinating decisions outside of my knowledge. Apparently the team came to a decision since there was no way to retrieve the key via software. The only hardware method at the time was full acid decapsulation, with the exception of the pin lift method. I would like to take a moment to explain the following with an analogy:

    Sir Alex Ferguson is the manager of the world famous Manchester United football (soccer) club. He does not play soccer (he used to). However, he is essential to the success of the football team. He uses his managerial experience to bring together players that would not normally play the sport together. When the team starts playing, he uses his decision making skills to combat changes within the field. Without him, the team can still play, and successfully at that! However, without him the team will eventually die, as they will become stale and not progress or get fresh blood into the roster. I use this analogy for myself. I created Team Jungle, which I renamed to THX due to a fallout between me and one of the developers who I had start the project we now know as 'jungle flasher'. He was not a team player (several incidents), so I removed him from the team. Instead of changing the name of his application to disassociate himself from the team, I decided to change the team name! While I created the team, and organized it and made decisions, the essential process (hacking) can obviously be done without me. The team made that choice when they went outside of my circle to discuss the future of LiteOn in regards to the team.

    The decision that the team had come to was to integrate a piece of hardware (a modchip) into the process that would make end users capable of modding the new LiteOn drive without us giving away our only hardware 'dumping' method, the pin-lift method recently disclosed by geremia. We did not want MS and LiteOn/MTK to patch the only known software hole (pin-lift method) as that would defeat our capabilities in the future to dump the firmware. While we can always try to decapsulate, there are methods to combat it, and it's a very risky process that destroys the hardware. I am also experienced enough to understand that multiple avenues of hacking must be present in order to secure the *future* of this project! The reason the team did not disclose their decision, or the decision making process to me was simple: Greed. They wanted to bargain with the Chinese to get the maximum money possible out of each chip sold, and I was one less pie cut. And hey, I'm not a hacker right? I don't do any work (other than creating the group and making the ENTIRE process possible!) so why should I get paid? Well, no loss on my end, and only theirs (the group's) because I would have been, and argued very strongly against ANY money-based process.

    At that time c4e came to me and told me that they had been meeting behind my back and had come to a decision, however c4e in the 5th week after obtaining the fw found out how the serial key output had changed, with encrypted key data. He had already contacted foundmy and made the key decryption services a reality. He had already consulted with the other group members who (due to legal risk) said they did not want to be a part of it. Everything was ready to launch by the time I was told about it, and asked whether I wanted to be a part of it.

    Xbox 360: iXtreme LT+; RRoD
    PSP: 6.35 PRO
    iPhone 3GS: iOS 4.2.1 jailbroken with greenpois0n
