271 points by kevincox 6 days ago | 5 comments
  • kmeisthax 6 days ago
    I'm gonna be honest, I thought the story was over when they started talking about "oh hey here's this hypervisor code that loads extensions", because obviously extensions are going to be a massive increase in attack surface. But even then, the system wasn't actually broken by the extension being badly designed; the extension was just the most useful target to use the actual attack on.

    How the hell has the Xbox 360 hypervisor remained basically impenetrable? You'd think at some point, someone would write and sign a hypervisor extension with a cripplingly bad memory safety bug. Hell, Apple's PPL[0] has better hardware isolation than Xenon's hypervisor mode[1] and it still gets 0wned more often.

    [0] Page Protection Layer. On Apple processors, every ARM exception level has a corresponding guarded exception level that has privileges over the regular one; chiefly corresponding to memory management.

    [1] On Xenon, the hypervisor runs in "real mode" plus HRMOR; Apple PPL's GL1/2 still have virtual memory and page table permissions.

    • karlgkk 5 days ago
      Part of the reason is motivation

      - if you hack a console, you can make fair money by selling your exploit as a packaged piece of software. Much like modchip vendors do. In fact, there have been a few software exploits that were sold with ties to a specific console. Funny if you think about it

      - If you hack an iPhone, you can sell your exploit to many governments and government agencies for millions of dollars

      If I were a profit-motivated attacker, I know which I’d focus on

      • kmeisthax 5 days ago
        That is true today, but back in 2005 when the Xbox 360 launched we didn't have every government buying up security vulnerabilities by the truckload. The market for zero-days didn't really get established until the early 2010s when the 360 was on its way out. Every contemporary competitor to the Xbox 360 got hacked within its commercial lifespan, due to having comically awful security practices. Microsoft certainly was, at the time, 'better' than Sony or Nintendo; but the task they were doing was just plain impossible.

        A game console is, effectively, a Point of Presence[0] for a DRM vendor. Its job is to tie the owner's hands so that they don't copy games, and that they don't buy games from competing companies. This is an incredibly difficult, if not impossible task. In contrast, while the iPhone's security also does DRM and developer lockout; their main concern is keeping you from getting hacked by nation states. Those are certainly more sophisticated and well-financed attackers; but they (usually) don't have physical access to or ownership over what you're trying to protect.

        [0] In telecom, a PoP is the dividing line between your systems and someone else's. If that sounds really arbitrary, it's because that's how they untangled the Bell monopoly.

        • saagarjha 4 days ago
          I mean, people definitely were doing zero day research before 2010.
    • MisterTea 6 days ago
      > You'd think at some point, someone would write and sign a hypervisor extension with a cripplingly bad memory safety bug.

      I'd hazard a guess that the Apple hardware is easier to work on than a video game console. You're already sitting in front of a general purpose computer running programming tools. A video game console is the antithesis of that.

    • chc4 6 days ago
      It sounds like the hypervisor extensions are more like one-shot payloads, which probably have much less attack surface than normal kernel modules that are exposing new functionality to userspace.
  • 14 6 days ago
    Very cool to see people still working on hacking the 360. I used the RGH on my 360 years ago. Was really fun back in the day going through all the cat and mouse that went on.

    A soft mod would be cool as the RGH does require soldering some very tiny wires to some very tiny pads and I remember seeing posts of many people lifting pads trying to do this mod. But in the end I had a perfect install on my 360 and would boot almost every time on the first try.

    • hot_gril 6 days ago
      Do the people who hack 360s also know how to prevent them from inevitably red-ringing? Cause that's the biggest thing discouraging me from buying another (my other 2 went red).
      • throwaway48476 6 days ago
        The red ring is caused by underfill that is too soft that lets the solder bumps break. It's a BGA packaging problem and there's no fix.
        • mschuster91 6 days ago
          It's the same issue that was behind NVDA's "soldergate" fuck-up that ended up permanently souring the relationship between them and Apple.

          The core is the EU's regulation on lead-free solder, which led to a number of people finding out that thermal cycling on the solder led to thermal stresses. Workarounds were identified and any solder formulations since then don't suffer from that issue, so the fix is a complete re-balling of affected chips... a work not for those faint of heart.

          • somat 6 days ago
            Complicating the issue is that this was also an early generation of chiplet so there are two levels of BGA: motherboard to processing unit and processing unit to chip_actual. The latter are commonly referred to as "bumps" to distinguish from "BGA" which attaches the chip_structure to the motherboard. A lot of the problem was in the bumps for this chiplet-like sub-assembly. And while reballing BGA is a tricky but well understood process, my understanding is that reballing bumps is nearly impossible.
            • throwaway48476 6 days ago
              It's called FCBGA, flip chip ball grid array. The only other option for packaging is wire bonding but that doesn't scale well with pin count.

              Technically you could reball and repackage the dies but you'd need millions of dollars in equipment.

          • mulmen 6 days ago
            Sounds like a R&D problem. Why the dig at the EU?
            • mschuster91 6 days ago
              I'm European, I actually support RoHS - it was just the original cause because everyone up to it getting in force was accustomed to classic, decades-proven leaded solder.
              • hot_gril 6 days ago
                Did they need to have a longer transition period? Looks like it went into enforcement only 2 or 3 years after it was approved.
                • nolok 5 days ago
                  It was not so much a "not enough time to transition" and more like "there are no consequences yet so why bother OH DAMN WE NEED TO MAKE IT TODAY IT GOES INTO FORCE".

                  Many had no issues, but a few companies didn't bother to do their homework, problem would have been the same if the period was twice as long.

                • throwaway48476 6 days ago
                  No, the issue didn't affect the IBM CPU in the 360 or Intel products because they did the R&D work. TSMC and their packaging partners were just lazy.
            • gjsman-1000 6 days ago
              Why not blame the EU? It is just a well known fact that non-leaded solder has inferior properties to leaded solder, which require careful engineering to work around, and still remain somewhat unresolved.

              At this point, the directive may have caused more e-waste and environmental damage from part failures than the damage the original leaded solder would have caused.

              • tecleandor 6 days ago
                You should remember the bioaccumulative properties of lead.

                Lead: The most extensively spread toxic environmental contaminant (2024): https://www.sciencedirect.com/science/article/abs/pii/B97803...

                The Urban Lead (Pb) Burden in Humans, Animals and the Natural Environment (2022): https://pmc.ncbi.nlm.nih.gov/articles/PMC8812512/

              • mschuster91 6 days ago
                > At this point, the directive may have caused more e-waste and environmental damage from part failures than the damage the original leaded solder would have caused.

                The problem is where the e-waste ends up - some ditch or desert in Africa. From there it ends up leaching into the environment due to corrosion or, worse, as widespread aerosols when the people there burn the waste to get to the copper.

              • mulmen 6 days ago
                > At this point, the directive may have caused more e-waste and environmental damage from part failures than the damage the original leaded solder would have caused.

                “May” is doing a lot of work there. Can you substantiate the claim that the risk of lead is lower than the switching cost?

        • Novosell 6 days ago
          Sure you're not thinking of the PS3 or did both of them actually suffer the same issue?
          • 6SixTy 6 days ago
            Both of them experienced the same issue. Though it's a yellow light instead of the ring on the Xbox.
            • perching_aix 6 days ago
              IIRC the PS3 issues were a mix of the RSX die cracking and the NEC Tokin caps giving out, not a solder issue.
          • throwaway48476 6 days ago
            It was an industry wide problem.
            • hot_gril 6 days ago
              Somehow out of everyone I know with one or both consoles, 100% of 360s got red ring, 0% of PS3s got yellow light.
              • 6SixTy 6 days ago
                Fat or slim PS3? Mine experienced a YLOD circa 2010 while the slim that replaced it still works to this day.
                • hot_gril 6 days ago
                  Mostly the fat PS3. And the fat 360 too.
      • pogue 6 days ago
        Not every model of the 360 will inevitably red ring. Those were typically only the "fat" models and there are some fixes to prevent it from happening. It usually just involves changing to some better quality thermal paste & reflowing the board.

        https://www.ifixit.com/Guide/Xbox+360+Red+Ring+of+Death+Fix+...

        • hart_russell 6 days ago
          This video does a deep dive on the subject:

          https://www.youtube.com/watch?v=24KbVf1AD1c

          He suggests that all of the fat models will eventually red ring due to being stress tested at the factory. Not sure how true that is.

          • throwaway48476 6 days ago
            RIP Felix has a much better video that explains the cause of the failure.

            Factory stress isn't the cause. It was a bad design.

            • hart_russell 6 days ago
              You misread, that's not what I wrote.
              • ghusbands 5 days ago
                You wrote "He suggests that all of the fat models will eventually red ring due to being stress tested at the factory" - it directly states that stress testing at the factory is the claimed reason that the fat models will red ring. Or was the video host somehow stress tested at a factory?
                • hart_russell 4 days ago
                  The video states that the stress testing is what aggravates the underlying design flaw.
        • deaddodo 6 days ago
          The problem is internal to the CPU packaging, there isn’t a way to fix it externally. On the later 65nm units (both GPU/CPU) it’s almost a non-issue, but any others will almost definitely red ring at some point, all you can do is delay the inevitable.
      • Salgat 6 days ago
        I can't help but think that XBox 360 emulation is the only long term path that exists for the 360, which is concerning because only Xenia to my knowledge exists and it's still experimental.
      • 14 6 days ago
        The rrod was pretty well known for a long time. Video games are sold to kids so it had the requirement to not use lead solder in them even though lead solder is perfectly safe and no way a child would be exposed to it, unless they eat the xbox.

        Lead solder is much softer so with the countless hot cold cycles, when hot the solder expands and when cold it contracts, it will handle these cycles much much better. Without the lead the solder joints are not as soft and the hot and cold cycles eventually result in the solder joints cracking and no longer making a solid connection = rrod.

        Some models were more prone to rrod but the biggest trick is to make sure you do regular cleaning and dusting to keep air flow working. Don't put the xbox in a cabinet with no air flow where it will heat up. Put a fan on the xbox if you can. It has been a long time since I followed the xbox scene but there are tons of posts online about the entire problem and best practices to avoid it.

      • rpcope1 6 days ago
        I've not modded my 360E, and it was probably one of the very last 360s built, but I've never had any problems with it, still play on it, and my understanding is there are fewer and less dire problems with it than the prior 360 and S.
      • minihoot 2 days ago
        The slim doesn't red ring.
    • nolok 6 days ago
      Ah, I remember I had one of the first series where they forgot to remove the JTAG pins
      • jsheard 6 days ago
        Xbox security has certainly come a long way since the OG Xbox, which featured a pin header that may as well have had "insert modchip here" printed next to it.
  • knowitnone 6 days ago
    And here I am having trouble even removing the case! haha.
    • noisem4ker 6 days ago
      Gotta stab it hard in those holes.
    • throwaway48476 6 days ago
      It's not that hard when you get the hang of it and have the right tools.
      • zymhan 6 days ago
        That was not their point.
  • mouse_ 6 days ago
    I wish there was somewhere I could toss cash into a softmod bounty.
    • Retr0id 6 days ago
      Assigning dollar values to this kind of work gets messy, fast.

      Imagine if someone iterated on the exploit presented in the article so that it became a persistent "softmod" - who gets the funds?

      Bounties also discourage open collaboration. For example, if person A has the first half of an exploit chain and person B has the second, they're each incentivised to keep the information to themselves and try to get a full chain on their own to claim the bounty. Of course, this assumes they're financially motivated - but if they're not there's no point in the bounty in the first place.

      • yieldcrv 6 days ago
        Bounties are free work contests for any potential beneficiary

        And the benefactor is designed by a committee who can't even agree on the value, winding up tossing pennies at the problem hoping someone in Malaysia salivates

    • whalesalad 6 days ago
      At this point is there any reason to use xb360 hardware? Emulation on modern hardware has gotta be substantially better
      • jcranmer 6 days ago
        The Xbox 360/PS3 era of video game consoles is probably the hardest era to emulate. Subsequent generations of consoles are essentially the same hardware as regular computers, just with a custom OS (and known hardware profile, certainly a benefit over regular consumer PCs). But that era of video game consoles is the last gasp of the custom hardware design of earlier consoles, which is substantially harder to emulate because the hardware just doesn't look like what modern hardware looks like.

        Furthermore, said era is also right after Dennard scaling came to an end, which means that current hardware doesn't have that much better specs, at least in easy-to-use form, than the hardware of the time. If any game tried to take the hardware to its limits, it would be a real struggle to emulate it with regular computers.

        • trashface 6 days ago
          PS3 was wacky, but the 360 wasn't that different from a PC at the time. There were some differences in rendering API, it had a few features not available on PC hardware. And the CPU cores were actually slower than an equivalent intel, but you had 6 of them, rare for the time. If your game was relatively portable and already used an API relatively close to D3D, it wasn't too hard to bring it up on the 360. I worked on a 360 game FWIW.
          • rickdeckard 5 days ago
            Regardless of the D3D-like API-layer (which helped Microsoft compensate for the peculiarities of PowerPC), they're both PowerPC architectures.

            You apparently don't know the story of how Sony spent big R&D money with IBM to transition from MIPS to the custom PowerPC Cell architecture, while IBM was already selling parts of this development to Microsoft for Xbox 360, and Microsoft ultimately beating Sony to market launch with a chipset Sony partially financed...[0]

            There's a nice book about it from two of the IBM Chip-Designers called "The Race for a New Game Machine" by David Shippy and Mickie Phipps

            [0] https://www.theguardian.com/technology/blog/2009/jan/01/sony...

            • trashface 5 days ago
              The PS3 system design was radically different. We considered porting the same PC game we (relatively) easily ported to 360 to that platform, but rejected it because it would be months of work, at least. Didn't matter that it was a similar CPU (technically) to the 360.
            • pjmlp 5 days ago
              Microsoft was helped by PS 3 being a pain to program, given the Cell architecture, a mistake that Sony didn't repeat, and hence why the 360 was the only XBox that had an upper hand against Sony.
            • PaulHoule 5 days ago
              Nintendo also used PowerPC for GameCube, Wii and Wii U.
          • rekoil 5 days ago
            Xbox 360 is also a PowerPC architecture, which on its own makes it quite a bit different from normal PC hardware, and even if that's a target that's more common to emulate there's still heavy performance losses in doing so.

            It might have been easier to port to because of good OS design, but running games for it will still be inefficient compared to running on actual hardware.

            • iforgotpassword 5 days ago
              360 emulation was already quite good a year ago, now there's even an experimental fork of xenon that does recompilation for even more performance.
          • maximilianburke 5 days ago
            The 360 had three hyperthreaded cores, not six.
            • trashface 5 days ago
              It had 6 hardware threads, but yes pedantically there were three cores.
          • jamesfinlayson 5 days ago
            Which game?
            • trashface 5 days ago
              It was an early xbox live arcade game. Not AAA.
        • tedunangst 6 days ago
          Xbox 360 is pretty close to modern graphics hardware; in fact it debuted modern shader arch a bit before it became the PC standard.
          • pjmlp 5 days ago
            That would have been DirectX 8, which predates XBox 360 by five years.
            • goosedragons 5 days ago
              I think they're thinking of the original Xbox which had pixel shaders.
              • pjmlp 4 days ago
                Even that is a bit of a stretch, as it got released one year after DirectX 8 was made available, and was powered by GeForce 3 class hardware, which naturally came first on PC.

                > The GeForce 3 was unveiled during the 2001 Macworld Conference & Expo/Tokyo 2001 in Makuhari Messe and powered realtime demos of Pixar's Junior Lamp and id Software's Doom 3. Apple would later announce launch rights for its new line of computers.

                -- https://en.wikipedia.org/wiki/GeForce_3_series

                Naturally outside PC, there was other stuff predating programmable graphics, however if we stick to the PC, XBox follows PC, not the other way around, especially since the first one wasn't that great versus PlayStation 2 in market share, even if there were some great games like Halo and Fable.

        • yieldcrv 6 days ago
          So, the challenge is what’s interesting, or any specific title or application?
      • hot_gril 6 days ago
        Xbox 360 and PS3 emulators are still borderline unusable on my new-ish PC. They're slow, glitchy, and/or hard to set up. Related to what the other commenter said, anyone who says these are good must have a lot of time to deal with it, whereas I just want the equivalent of sticking the disc into the console.

        GameCube is the newest thing I've had a decent experience emulating, and even that isn't 100% unless it's Melee with the Slippi optimizations (n.b. did not try DS or Switch).

        • com2kid 6 days ago
          > Xbox 360 and PS3 emulators are still borderline unusable on my new-ish PC.

          This is unfortunate as a decade ago Microsoft had an internal emulator for Xbox 360 that ran at near native speed.

          I am curious if that emulator is what it used to play Xbox360 games on newer x64 based Xbox models, or if they are using a different code base.

          Either way, technically it is possible for the experience to be good!

          • vekatimest 6 days ago
            I think the 360 backwards compatibility is a mix of emulation and certain parts being disassembled & recompiled for x86 with some black magic.

            edit: Here's an interview with platform lead Bill Stillwell that goes into a lot more detail https://www.eurogamer.net/digitalfoundry-2017-xbox-one-x-bac...

            • com2kid 6 days ago
              Oh sweet, thanks for the link. It sounds like it was harder getting things running on the XB1's tiny CPU vs running an emulator on monster dev machines, no surprise there! :-D
            • devmor 5 days ago
              I believe there is actually a recent userland project that disassembles and recompiles 360 games for x86...
          • matthewfcarlson 5 days ago
            Hands down my favorite thing about my time at Microsoft as an intern was just a random brown bag lunch with the engineers who did the PowerPC emulator for Xbox 360 games on Xbox One. It was an incredible talk and they went deep and were happy to answer questions.
            • com2kid 5 days ago
              Oh damn, I was probably there at the time, working in the building, and was completely unaware of the talk!

              That would've been awesome!

              By that time though my org had spun out of Xbox to become the Microsoft Band team, so we didn't get any of the cool invites anymore. :(

          • hot_gril 6 days ago
            I wonder about that too. New console supports only a subset of 360 games somehow, and with different enhancements.

            The 360 could also play original Xbox games without much exception, but it was noticeably slower than the original. Halo 2 on 360 has a shorter render distance.

            • jamesfinlayson 5 days ago
              > The 360 could also play original Xbox games without much exception

              I remember there being a list of what it could play but I was never too sure how comprehensive it was. I know it couldn't emulate Midtown Madness 3.

              • hot_gril 5 days ago
                Oh. So it can't emulate the game I probably played the most.
        • KeplerBoy 6 days ago
          If you want to emulate a current console, try emulating the Switch. I haven't looked into it much, but apparently it works better on modern hardware than on the Switch itself. Not surprising given the Switch's aging hardware and power limit.
          • hot_gril 6 days ago
            Now that you mention it, I tried that once and gave up. The amount of confusion like this makes me not want to try again (Reddit post from 4mo ago): https://www.reddit.com/r/yuzu/comments/1gkdr5x/whats_the_mos...

            Seems like these projects keep getting into legal trouble, shut down, then forked.

          • mschuster91 6 days ago
            The Switch is a mainstream-ish ARM system. IIRC it maps really well to Apple's M system.
            • hot_gril 6 days ago
              But the supposedly working Switch emulators only have experimental Mac support at best. Also idk if the CPU arch is really the hard part in general... we never got an Xbox 360 emulator for PPC Mac ;)
              • aprilnya 4 days ago
                I thought Ryujinx’ Mac support was great?
                • hot_gril 4 days ago
                  Maybe it was, idk cause that project shut down
            • KeplerBoy 5 days ago
              Yes, I guess running Switch games on Android is like running x86 Windows games on x86 Linux using Wine.
        • perching_aix 6 days ago
          > Xbox 360 and PS3 emulators are still borderline unusable on my new-ish PC.

          How did you manage to achieve that? What specs are we talking?

          • hot_gril 6 days ago
            10th gen i5(? might be another gen I forget, will check at home), 16GB RAM, RTX 2060ti, Win10
            • perching_aix 6 days ago
              Could you be a bit more specific regarding that CPU? That's a very wide range.
              • hot_gril 5 days ago
                i5-9400f, and I was wrong about GPU, it's 1660ti
                • perching_aix 5 days ago
                  It's really surprising then that you had such a bad experience with PS3 emulation specifically at least, the i5 9400F was a go-to recommendation there for a very long time, basically ever since that processor's release (6 years ago).

                  It was last August that they bumped their system requirements to the i5 10400F. Nearly all of the games marked "Playable" in their compatibility list should be plug-and-play territory, with mint performance.

                  What were the games you tested with classified as? Did you try to seek help on their community space(s)?

                  • hot_gril 5 days ago
                    I didn't try reaching out, I just wanted to play Shrek Forever After (for a very random reason) and gave up after 5 minutes of choppiness. Like I said, there's probably a fix, and I appreciate that there's community support, but I simply didn't have time. Especially because on the PS3 side, this was after waiting a while for RPCS3 to do its pre-run caching.
                    • perching_aix 5 days ago
                      Given that game has been marked "Playable" years before your CPU has seen its initial release, and that there are no notes on its Wiki page, I'd expect it to run essentially perfectly out-of-the-box, short of some regression causing issues.

                      You should give it a retry sometime if you can / want to. That said, I should probably let you know that the community can be slightly hostile, and they will ask you to do the legwork if it's not a misconfig but a suspected regression (they'll want you to bisect the build where the choppiness appeared). You'll also want to run the topic by the volunteers in the #help channel on their Discord before opening an issue ticket on GitHub, as their GitHub issue tickets are not for support, only for actual issue / feature request tracking.

        • foldr 6 days ago
          An Xbox Series S does a fine job of playing Xbox 360 games and doesn't cost much.
      • mouse_ 6 days ago
        Xbox 360 emulation is still really bad for most games, despite what some YouTubers would have you believe. But let's say in a few years it does become substantially better. There's still:

        • Nostalgia

        • Authenticity

        • Compatibility

        • Preservation

        • Cost of entry

        Even if 360 emulation does become practical, a 360 will still be cheaper than any gaming PC capable of playing those games.

        • reassembled 6 days ago
          Just this week a PC port of the 360 version of Sonic Unleashed was released that was accomplished via static recompilation techniques. It plays flawlessly and is really quite an impressive release. If this is possible now then emulation of these consoles might not be the only avenue to preserving their history.
          • perching_aix 6 days ago
            There's no meaningful technological difference between what that static recompilation tool can do for you vs. what hacking up Xenia can. I'd also hazard a guess that that port's GitHub repo will get DMCA'd eventually, and rightfully so.

            I really don't know why people keep doing this to themselves and to the communities they claim to love. This is about as far from a clean-room reimplementation and porting effort as humanly possible. It's not a forward-thinking, sustainable preservation effort at all.

          • gjsman-1000 6 days ago
            Yes, but the graphics system for the game was completely reworked by people familiar with Sega's proprietary Hedgehog Engine. A straight recompile would have been unplayable.
            • reassembled 6 days ago
              Interesting, I didn’t know that. I suspect many casual observers don’t either. So you’re suggesting they did this work with proprietary info they’d gained through work with Sega and thus broke their NDA?
              • csande17 5 days ago
                Not necessarily -- a lot of external hobbyist work has gone into reverse-engineering Sonic Generations, which has an official PC port and is based on the same engine as Unleashed.

                Funnily enough, one of the most famous Generations mods is a project that ports over a bunch of levels from Unleashed. IIRC they changed the graphics pipeline to look and work more like the Unleashed one, too.

        • NegativeLatency 6 days ago
          I also find it much less drama to sit down on the couch and fire up a console, than to have to:

          - startup PC

          - update PC

          - figure out why bluetooth controller won't pair to PC

          - finally get it working, and then have a game crash on you

          • perching_aix 5 days ago
            Considering that the constant stream of system software and game updates became a thing exactly in the 7th console generation (x360 era), updates are a pretty funny thing to bring up in a comparison like this.
        • reginald78 4 days ago
          I went to fire up my old Xbox 360 to play dance central with my kids and of course it had developed RRoD while sitting on a shelf in my basement. It seems emulation is a no go for kinect games as well.
      • eddiewithzato 6 days ago
        It’s also the worst era to play natively. Bad textures and horrible frames per second.
  • djmips 6 days ago
    tour de force - I'm very impressed.