Types of firmware
First you need to figure out what types of firmware exist. This is important because each of them provides different capabilities and has its own limitations. They are divided into four groups.
Drive firmware
This firmware can work with both licensed discs and pirated ones purchased in a store or downloaded from the Internet and burned to disc yourself on a home computer. The latest firmware versions do not limit your use of the Xbox Live service, giving you the opportunity to take advantage of all the benefits of licensed content.
You can even play games that are not intended for your region, and those that simply cannot be purchased in your city. For example, some games are designed to be distributed in a certain group of countries, while remaining inaccessible to another. This may be an important factor for X-Box users who bought it abroad.
In addition, you no longer have to wait for a new game to be available for official purchase. All you have to do is download a pre-sale disk image (and it is often leaked onto the Internet) and burn it to a disc. You can continue to use official updates downloaded via Xbox Live, as well as using any other discs, without worrying about the functionality of the firmware and game console.
Freeboot
Firmware, the main purpose of which is to make it possible to play unlicensed games from the built-in hard drive or through an external drive such as a USB flash drive or portable hard drive. You just need to download the game from the Internet, move it to the drive and connect it to the console.
You can copy games to the internal hard drive through the built-in file explorer from external media or through a network interface using FTP technology. A huge advantage is that the connection to a specific region is removed, so you can use any product, even one that is not officially distributed in your area. It is also possible to install any update or expansion to the game without having to purchase it from the Xbox Marketplace.
In addition, you can run applications specifically written for Freeboot, including game console emulators, file players, browsers and many others. In addition, the Freeboot graphical shell provides access to important functions - a file manager, cooling fan control, network connections, and many sensors.
If standard firmware forces you to play with a DVD inserted into the drive, then Freeboot can copy the contents to the internal storage of the console, which in the future will make it possible to get rid of the use of laser discs. The only drawback is the inability to play online via Xbox Live servers. But there are unofficial servers that support multiplayer games.
X360key
It is a drive emulator running on the Linux operating system, which allows you to run toys from any USB drive. It consists of two components - a chip embedded inside the X-Box, and an external module - a special USB port into which external drives are installed. Some advanced models may have a control panel with a display. Xkey can be installed on any Xbox 360 model.
Dual Nand
This method of improving your console will allow you to squeeze out all the maximum capabilities from it. Essentially, you will have two consoles in one: regular licensed firmware and a hacked console with Freeboot.
You still have all the features of the licensed version, but you will have to buy games, and the advantages of the hacked Freeboot firmware will not go away. It is considered the best option, since the opportunity to play online on the official server remains available, while using pirated discs.
Protecting and hacking Xbox 360 (Part 1)
You've probably heard about the Xbox 360 game console, and that it is being "flashed." By “firmware” here we mean bypassing the built-in protection mechanisms to run copies of games and home-written software. And this is where questions arise! What mechanisms, how do they work? What did the developers do and how did they manage to get around it? In fact, the topic is very broad and interesting, especially for the Xbox 360 - here you can find software vulnerabilities, hardware flaws, and absolutely magical magic. Interesting? Let's take a look! In the first part we get acquainted with the hypervisor, drives and firmware...
Meet the test subject
The Xbox 360 game console was released back in 2005 and since then has not undergone any changes in hardware characteristics. The entire time it was released, it was the same:
- 3.2 GHz PowerPC CPU, / 3 cores
- 500 MHz GPU
- 512 MB RAM
- SATA DVD-ROM
- SATA HDD (optional)
Yes, over time the design changed, nanometers decreased:
However, all games worked equally well on all “revisions” of consoles - this is exactly the case when modern games can be run on 2005 hardware.
At the time of release, a loud statement was made that the console was designed to be as secure as possible - custom chips with hardware protection, and in general, hackers have never seen anything like this:
There are going to be levels of security in this box that the hacker community has never seen before
What did the developers come up with?
Firstly
, they did everything so that
the program code of the system could not be obtained
.
A 32 KB ROM was built into the central processor, containing the primary boot loader (1BL) and a 64 KB SRAM in which it was executed. It is very, very difficult to get the contents of the ROM from the CPU crystal: Secondly
fuses
were inserted into the same processor - jumpers burned (literally, by high voltage), a kind of one-time programmable memory. Fuses contained:
- JTAG interface lock bits
- bits defining the purpose of the prefix (retail / devkit / testkit)
- unique 128-bit processor key
- Lock-Down Value (LDV) counters to prohibit downgrades
Yes, yes, the number of fuse is limited.
If you managed to update your set-top box 80 times in a row, the CFLDV counter will run out and... I don't know, I haven't tried that. The console will probably no longer be able to update. Third
, the developers have implemented
a chain of trust
. To verify the authenticity of bootloaders, a combination of modern (at that time) SHA-1 and RSA-2048 algorithms was used, which excluded the possibility of running your own code or unauthorized modification of bootloaders even if you somehow got all the keys from the set-top box and were able to rebuild the system .
Fourthly
RAM protection module
into the same unfortunate CPU ! With its help, all areas with program code were encrypted, and for the most important areas (the hypervisor) integrity control was enabled!
This protected the developers from DMA attacks, when they change the system code in RAM through external devices with access to RAM.
Finally
the hypervisor
was responsible for delimiting rights to memory regions . Only he could make the pages executable, of course, before that he checked the digital signature, so it was impossible to load unsigned code or execute something from the data area even through a vulnerability in some driver or game (the axis and games were launched with kernel rights) .
As a result, the Xbox 360 operating system was well protected, and therefore DVD-ROM was chosen as the first attack vector.
Let's launch... backups!
In the Xbox 360, the main media for games was a dual-layer DVD. Naturally, there were protective mechanisms here too:
- data exchange with DVD-ROM was encrypted with a unique key
- at the beginning of the disk there were special “Security Sectors” to confirm licensing
- executable files on the disk were digitally signed
But protecting the DVD drive received much less attention than the main system. The game console placed too much trust in the DVD drive - it was the DVD-ROM that determined the licensing of the disc. Moreover, the firmware was stored in external memory and could be read by the programmer:
As a result, on May 14, 2006, commodore4eva
(c4eva) released the first modified firmware for the TS-H943 drive:
README for firmware release
— Xtreme firmware for TS-H943 Xbox 360 — Here it is, the long awaited World first Xbox 360 backup firmware modification to boot all game backups!
Features — Boots all Xtreme Xbox 360 backups Boots all Xtreme Xbox 1 backups Boots all Xbox 360 originals Boots all Xbox 1 originals on Xbox 360 Xtreme0800 extraction firmware enables drive to function natively under Windows without any hardware conversion/adaptors Use on Xbox Live at own risk Technical details — Reads Xbox 360 security sector from PSN 04FB1F (Layer 0) Reads Xbox 1 security sector from PSN 605FF (Layer 0) Security sector must be extrated using Xtreme0800 360 firmware for Xbox360 games and Xbox 1 games Will not boot Xbox 1 backups made with Xbox1 605b 0800 firmware (maybe in future release)
The firmware read security sectors from fixed areas on the DVD disc and tricked the set-top box into thinking that a licensed disc was inserted.
At the same time, firmware “0800” was released, designed to create copies of games and read security sectors. The Xbox 360 drive, flashed with this firmware, was detected in the computer and could fully read the sectors of the game disc.
README for using 0800 firmware
Extracting Security Sector — Ensure DVD drive has been flashed with Xtrm0800.bin firmware.
Drive can now work under Windows. Insert original game disk into drive and wait for windows to detect disk change Run DVDinfoPro Enter the following four custom cdb commands: AD 00 FF 02 FD FF FE 00 08 00 01 C0 AD 00 FF 02 FD FF FE 00 08 00 03 C0 AD 00 FF 02 FD FF FE 00 08 00 05 C0 AD 00 FF 02 FD FF FE 00 08 00 07 C0 Then save hexadecimal display as bin file as SS.binCreating a game backup — Ensure DVD drive has been flashed with Xtrm0800.bin firmware. Drive can now work under Windows. Extract Isobuilder.rar Insert original game disk into drive and wait for windows to detect disk change Run DVDinfoPro Enter the following custom cdb command to unlock drive: (game data visable)
FF 08 01 01
Run Isobuster Right click on DVD and select Extract From-To Click Length and enter number of LBAs as follows:
Xbox 1 Original Number of LBA to read 3431264 decimal or Xbox 360 Original Number of LBA to read 3567872 decimal Select User Data (2048 bytes/block) Click Start Extraction Enter filename as game.iso and click Save Upon read error dialogue box choose fill with blank zeros for sector and select use this selection for all errors Copy game.iso and ss.bin to the relevant isobuilder directory (Depending on Xbox 360 or Xbox 1 game) Run build360.bat (Xbox 360 game) or build.bat (xbox 1 game) Ensure your burner will set the booktype of DVD+R DL to DVDRom Burn with CloneCd and choose the image.dvd file
The game could also be partially copied using the following trick:
- put a regular two-layer disc into a computer DVD-ROM
- wait until it calms down and stops spinning
- use a paper clip to open the tray and change the disc to a game from Xbox 360
- close the tray and make a disk image!
(This did not work on all DVD-ROM models.)
The most important thing is that the drive was flashed exclusively in software, using special ATA commands. The kit included a special program for reading the original firmware and writing the modified one. The original firmware contained the treasured key with which the drive was linked to the Xbox 360:
Losing the key meant the impossibility of launching even licensed discs, so some wrote the key in a notepad, saved it wherever possible, this was the most treasured knowledge.
A separate topic was panic about playing online. Everyone was afraid that Microsoft would find out that the drive was modified and remotely turn off the set-top box. Some even made a hardware mod to switch between stock and modified firmware:
On the original firmware they played “under license” and connected to the network; on the modified version, the Internet cable was bashfully disconnected. By the way, the panic was not in vain, but such mods were completely in vain, everything was logged without a network connection.
Exactly a month later (June 15, 2006), the firmware was ported to another drive model that was installed in the Xbox 360 at that time - Hitachi GDR3120L. He also had an external flash drive containing the firmware:
This drive was better protected:
- the firmware was stored in ROM in encrypted form
- the firmware had integrity control
- to rewrite the firmware, you had to go to a special “Mode B”
And if the researchers managed the first two points themselves, the feat of transferring to “Mode B” had to be repeated by all young stitchers.
It was proposed to perform this action using a special boot disk with Slax Linux, or by short-circuiting the wires at startup. It was necessary to short-circuit pins 0 and 9 of the drive power connector. For example, with pins!
In both cases, after such abuse, the drive was detected in Windows as a regular DVD drive, where it was picked up and forced to flash.
After the first release, custom firmware was improved, stability was increased, support for new games was added, in general, everything was as usual.
Microsoft's response
The developers responded simply to accusations that the “unhackable” console had been hacked:
The system was not hacked, we just learned how to run copies of games, we are working on it
original answer
The core security system has not been broken. However, it is reported that the authentication protocol between the optical disc drive and the console may be attacked, which if accurate could allow people to play illegally copied games. Our security team is aware of this and we are investigating potential solutions to this issue. The Xbox 360 platform was designed to be updated, and we are prepared to respond appropriately should any unauthorized activity be identified.
What was actually done to correct the situation:
- Samsung TS-H943 began to be shipped with ms28 firmware, which did not enter the firmware mode using the well-known ATA command
- Hitachi GDR3120L with firmware 0078 and 0079 appeared, not flashable even in Mode B
- New BenQ-LiteOn VAD6038 drives have appeared
- The first targeted “bans” of pirates on Xbox Live began; pirates were prohibited from playing online forever
If with the bans everything was clear and irreparable (at that point in time), then the researchers soon figured out the drives:
- For Hitachi, they found unlocking the firmware mode via a special audio disc
- Samsung ms28 and BenQ VAD6038 perfectly entered the firmware mode via inexpensive SATA controllers VIA 6421
Let's leave the battlefield for the drive firmware for a moment, there was a not very interesting period when researchers tried to make “Stealth” firmware so as not to be banned from Xbox Live, adjusted to new games with new “waves” - versions of system updates and ported the results to everything expanding variety of firmware and drives. Everything was flashed anyway, the “backups” were successfully launched, the Xbox 360 was gaining popularity among the people...
We break the axle!
As you remember from the first part of the story, the Xbox 360 system had a hypervisor that controlled everything. So here it is. In one of the system versions, a vulnerability suddenly appeared in it! I don’t know for sure how exactly the researchers obtained hypervisor code samples. But the fact is that already at the end of 2006, researchers launched unsigned code on the Xbox 360, and at the beginning of 2007 the vulnerability was fixed by the developers:
Timeline: Oct 31, 2006 — release of 4532 kernel, which is the first version containing the bug Nov 16, 2006 — proof of concept completed; unsigned code running in hypervisor context Nov 30, 2006 — release of 4548 kernel, bug still not fixed Dec 15, 2006 — first attempt to contact vendor to report bug Dec 30, 2006 — public demonstration Jan 03, 2007 — vendor contact established, full details disclosed Jan 09, 2007 — vendor releases patch Feb 28, 2007 — full public release
The hypervisor had one feature - unlike the rest of the code, it was executed not in the virtual address space, but in the physical one (Real Mode).
Broadcasting was not used, calls were made directly (addresses like 0x00000000'xxxxxx). Either this was done for speed, or for simplicity... And here lay one feature of the Xbox 360 address space. The memory access mode was determined by its physical address. Namely, the most significant bits of the address had a service purpose. For example, address 0x00000 0
00'0000201C meant direct access to address 0x201C, and 0x00000
1
00'0000201C meant on-the-fly decryption and integrity check required when reading the same physical address 0x201C.
Accordingly, in order for execution to be carried out with encryption and protection enabled, you need to access addresses of the form 0x00000 1
00'xxxxxxxx. Only then did the hardware module turn on the protective mechanisms. Therefore, at the hardware level, the required bit was added automatically (a special register HRMOR - Hypervisor Real Mode Offset Register was responsible for this)!
Once again - as soon as the hypervisor accesses an address like 0x000000
00'xxxxxxxx, MMU automatically changes this address to 0x00000
1
00'xxxxxxxx, including encryption and security! So any attempts to execute code “directly” from physical memory, without protection and encryption, are doomed to failure... or not?
Let's look at the vulnerable code of the hypervisor version 4532:
//in %r0 – system call number 13D8: cmplwi %r0, 0x61 //compare with the maximum allowable ID 13DC: bge illegal_syscall //if the transmitted number is greater than 0x61, we say that it is incorrect... 13F0: rldicr %r1, %r0, 2 , 61 //multiply the system call number by 4 13F4: lwz %r4, syscall_table(%r1) //get the handler address from table 13F8: mtlr %r4 //place the handler address in the lr register... 1414: blrl //jump to this address
Do you see the gopher? And he is! The cmplwi instruction works with 32-bit
values, but rldicr works with
64-bit values
! That is, we can submit the value 0x20000000'0000002A as the system call number, it will pass the check (because the low 32-bit part is less than 0x61), and as a result, instead of the address 0x10EC, the handler address will be taken from 0x80000000'000010EC!
And then, as they say, watch your hands. The most significant bits of the address are not zero, so HRMOR is not added
! And since the real address space is 32-bit, the 63-bit we set is simply ignored. We redirected the hypervisor to unencrypted and unprotected memory by simply supplying an incorrect system call number!
But wait, in order to have somewhere to jump, we need to be able to write our data into physical memory.
How to achieve this? This is where the second factor comes into play - the GPU in the Xbox 360 was smart, even too smart
smart. It supported a special shader instruction "MemExport" for exporting geometry data into physical memory. That is, you could compile a shader, execute it on the GPU and thereby write anything anywhere! And most importantly, the shaders were not signed; if you somehow modify the game disc, you can easily replace the shader code.
There was only one question left. How to replace the shader code on the game disc? And this is where hacking the DVD drive of a set-top box is very useful. We wrote a shader, replaced it in the game image, recorded it on a disc and launched Linux!
Yes, to start it you had to launch the game every time, wait for the exploit to work, and install a boot disk with Linux, but that was at least something!
As already mentioned, Microsoft released a system update that fixed the hypervisor vulnerability. But what if we return the vulnerable kernel?
Downgrade!
In general, the architecture of the Xbox 360 included downage protection mechanisms.
In the hardware fuses of the processor, each time an update was performed, another bit was burned out (the Lock Down Value, LDV increased), and if this same LDV in the fuses and in the system did not match, the console simply did not start. Let's look at the structure of the Xbox 360 bootloaders, namely “Bootloader Sections”:
It can be seen that the image has several sets of loaders, each of which corresponds to an LDV.
In the example this is 1888
for LDV 0,
16767
for LDV 3 and
16756
for LDV 2
So, all updates to the system itself were recorded in sections 6BL/7BL and simply “overlaid” in the form of patches on the base “core” 5BL 1888
.
But which set of patches to apply was chosen according to the LDV prescribed in the fuses and loader headers! And just for 5BL the header could be modified, with one big BUT - the correctness of the header was checked using the HMAC-SHA-1 hash sum written in it. And it was checked with the usual memcmp
.
If you haven't yet realized where this is going, they managed to use a Timing Attack here. Standard function memcmp
ends the comparison immediately after the first discrepancy. Therefore, by changing the first byte of the hash and timing the execution time of memcmp, you can select the desired value (with it, the verification time will increase). Continuing further, you can pick up all the bytes of the hash sum!
For measurements, we used the POST_OUT debug bus. It works much like on a PC; at different moments of loading, a one-byte value is displayed, from which you can judge where the processor is currently executing and what error occurred. Essentially these are 8 points on the motherboard, each of which is responsible for a specific bit of value:
By soldering to these points, you can just measure the execution time of each of the loading stages and see if an error has occurred.
The entire hash selection process takes about an hour:
The result is an image in which the current LDV is installed for the base kernel, which is why no patches are applied and the oldest version of the 1888 system is launched! Where can you update to the vulnerable version 4532:
Of course, Microsoft fixed this vulnerability by updating the very first updateable bootloader (2BL, “CB”) and burning the CBLDV fuse, which made downgrading impossible again. Now, instead of memcmp, its secure version was used, with the same execution time regardless of the input values.
JTAG Hack!
But here, too, the researchers did not give up and found a loophole.
Yes, something that the developers could not even imagine. In the normal mode of operation of the set-top box, all bootloaders are connected to each other in a chain. As a result, the decryption of each loader depends on the data area in the header of the previous loader (Pairing Data). Additionally, code encryption depends on the unique processor key, so you cannot take and build a working image without knowing the CPU_Key. Or is it possible?
At the console production stage (when the processor key is not yet burned into the fuses), a special launch mode for the Xbox 360 is used when Pairing Data is zero (Zero-Pairing). And such an image (with a vulnerable kernel!) can be launched on any set-top box, without even knowing the processor key! Unfortunately, there will be no full launch; you will get the following error:
That is, the King Kong game cannot be launched, the exploit cannot be activated through shaders... But the vulnerable kernel is already starting! Maybe there is another way to burn the RAM? It turned out that there is.
To begin with, we solder three free GPIOs of the south bridge of the set-top box to the JTAG pins of the GPU:
Then we modify the southbridge firmware (it is encrypted, but not signed) and assemble an image with a vulnerable kernel. Then the magic happens:
- At startup, the south bridge via GPU JTAG climbs to PCI Express and configures the NAND controller
- Now the NAND controller, when reading, will write data to the memory area we need
- The system kernel starts and tells the southbridge that the system has started
- The South Bridge yanks the NAND controller, overwriting RAM in the right place and exploits the hypervisor vulnerability!
- Control is transferred to our code, we do what we want
In short, we did everything the same as in King Kong Shader Exploit, but cooler - there is no need to launch the game and change disks.
Based on JTAG Hack, modified versions of the system were created - XBReboot, Freeboot, with signature verification disabled, where pirates were already rampant. Games could be launched not only from USB drives and drives, but also via the SMB protocol directly from the computer.
Importantly, a full-fledged system hack gave a chance to those who had lost the DVD key and could not play - having a processor key, it was not difficult to extract the DVD key.
Of course, here again Microsoft quickly closed the vulnerability by updating 2BL again and increasing the CBLDV value. This is where the saga of the vulnerable hypervisor ended, people ran to buy the remains of “JTAG-compatible” set-top boxes in stores - everyone wanted to play from USB flash drives without any problems. There were discussions on the forums about which bundles with which release date were suitable for hacking...
The topic of modifications to the Xbox 360 system died down for almost two years, but the topic of firmware continued to develop. And it was in the firmware of LiteOn drives that the most extensive battle between researchers and Microsoft took place. But more on that in the next article.
Links:
GoogleTechTalks report King Kong Hack Timing Attack JTAG / SMC Hack
Protection and hacking of Xbox 360, Part 1 Protection and hacking of Xbox 360, Part 2 Protection and hacking of Xbox 360, Part 3
PS If anyone is interested in the details, I will answer any questions on the topic in the comments!
What firmware should I flash the drive with? How do the firmware differ?
The easiest way to modify the Xbox 360 game console yourself is to flash the drive. In turn, there are two options for such firmware:
- The most popular version of unofficial firmware. Among its undeniable advantages is the ability to avoid account blocking on Xbox Live for some time. True, the terms are individual, some are blocked immediately, and others after a few years;
- The most omnivorous firmware, allows you to run almost any game image. At the same time, it has a number of significant disadvantages: instant blocking in Xbox Live and unavailability of firmware on new drives.
Think for yourself what is more important to you - availability of services or omnivorousness.
Things to remember
Before you start flashing the Xbox 360 firmware, we want to warn you about the following:
- You perform all actions at your own peril and risk. You personally bear all responsibility for a damaged console. The site editors are not responsible for the consequences of your careless actions. In addition, you will not be covered by Microsoft's warranty. In the event of a breakdown due to negligence, all repairs will fall on your shoulders (if it is advisable at all).
- The instructions are intended for fairly experienced users who have an understanding of computer hardware and how a Windows-based computer works. This means that there will be no detailed explanations of basic operations. If you consider yourself an inexperienced user, contact a workshop.
- The instructions are valid for Lite-On DG-16D2S drives with FW Ver 83850c V1 and X-BOX 360 Benq (Fat), initially running on factory firmware. The sequence of actions on other firmware may differ, and in some cases it may be necessary to intervene in the hardware of the X-Box. Then it is better to contact the workshop. In addition, outdated unofficial firmware is replaced in a different way.
Update Dashboard (optional)
A few words about what Dashboard is. It is simply the operating system of your gaming console that allows it to function. It does not depend on the drive version. Microsoft has provided the opportunity to download updates completely free of charge from the official website, and then update using a flash drive. In rare cases, it may need to be updated. In addition, it may happen that the new version may cause some functions to not work correctly. If you are sure that the update is necessary, follow these instructions:
- Using a computer, format the flash drive in FAT format;
- On this site (https://support.xbox.com/en-US/xbox-360/console/system-update-operating-system) we download the latest version of the operating system for the Xbox console;
- Unpack the downloaded archive and copy the files to the flash drive;
- We insert the flash drive into the console and turn it on or reboot if it is already turned on;
- The system will automatically detect the presence of a new version. All you have to do is confirm the request and wait for the update to complete.
Why is this necessary?
Updating XBOX 360 is an action aimed at downloading and installing new software. Such steps are carried out in the following cases:
- Desire to gain new options and opportunities.
- Troubleshooting console problems. Updating the software helps with missing avatars, problems with displaying the control panel, or problems with the Kinect sensor.
You can control the appearance of new versions on the official website or through the interface of the console itself.
Preparing for firmware
We stock up on the necessary tools
You will need:
- SATA cable for connecting the X-Box drive to the computer;
- Opening Tool for safely opening the console. Can be ordered online. If not, then use:
- screwdriver;
- with a torx10 wrench or a regular clock screwdriver.
- The personal computer to which we will connect the console drive. If you have a laptop, you will have to rack your brains, since in the absence of its own laser drive, it does not provide the ability to simultaneously use a SATA cable and a built-in hard drive. Then you will have to use Windows-to-Go recorded on a flash drive.
Find out the drive version and disassemble the console
If you need to find out the drive model, you will have to disassemble the X-Box to get to the sticker on the drive body. It contains all the necessary information about the manufacturer, model and firmware version. In this case, there is no need to remove the drive from the console. Do all actions very carefully, otherwise it is very easy to break the latches and fasteners.
- Remove the main panel of the Xbox 360;
- We take out the lower leg;
- We move first two and then four more latches, after which we need to lift the plastic top;
- We move the six latches on the back side and remove the lower and upper plugs;
- Peel off the warranty sticker;
- We bend the four front fasteners and open the attachment;
- Next, the safest way to disassemble the console is to use the Opening Tool. If it is missing, you can break several fasteners and it will not be easy to put it back together;
- Insert the Opening Tool into the small holes in the back of the console. If you don't have one, be very, very careful;
- Remove the bottom cover and pull out the laser drive opening button;
- Using a screwdriver or wrench, unscrew 6 screws;
- Open the drive latches and pull them up to remove the plug;
- Done, the body is removed.
Download the necessary software
You will need:
- Utility for flashing JungleFlasher drive. You can download it from our website (https://yadi.sk/d/14-ftGGxxtvRf). Unfortunately, the official website does not work correctly, and it is almost impossible to download the latest version.
- Driver for your drive model. From us you can download drivers for X-BOX 360 Benq and Lite-On DG-16D2S drives with FW Ver 83850c V1.
Preparing the computer for work
- After turning off the computer, remove the cover and connect the SATA cable to a free connector on the computer’s motherboard;
- We connect the other end of the cable to the Xbox 360 console drive, leaving its standard power supply;
- We connect the video output cable to the X-Box so that it does not turn off at the most inopportune moment. When using HDMI, you need to connect the console to the TV;
- Turn on the computer and the console;
- We remove the RAID controller driver for VIA on the computer via Device Manager, otherwise the firmware will not be successful;
- Install JungleFlasher, unpack the archives with drivers.
We install Port I/O 32
- We start the Xbox 360 console by pressing the power button with something thin;
- Go to Device Manager and, right-clicking on the icon in the top line, select “Install old device”, after which the hardware installation wizard will start;
- Click “Next” until the installation method is offered;
- Select “Install equipment manually selected from the list” - “Show all devices” - “Next” - “Install from disk” - “Browse”;
- In the folder with the unpacked JungleFlasher program, look for the manual_install subfolder, and in it select the portio32.inf file. Click “Open”;
- Click “Next” until the system displays a security message. Click "Install this driver anyway" - "Finish".
We put the drive into service mode
- Launch the JungleFlasher utility, find the MTK Flash 32 tab, and in it the I/O Port section;
- Select your drive from the drop-down list;
- We switch to the 360 Tools section and unlock our drive there, so that Drive in Vendor Mode is written in the Drive Properties section, and the program status is displayed as Done;
- If for some reason it was not possible to switch to service mode the first time, then you need to slightly open the console's disk drive tray and pull out the power cord, and then plug it back in and repeat the previous steps. The main thing is not to mix up the sides of the cable, otherwise you can burn the console!
Reading the drive key
- In the JungleFlasher utility menu, open the DVDkey 32 tab, select the name of the X-Box in the I/O Port field;
- We read the drive key by pressing the LO83info button. It will need to be saved in a separate folder.
Pros and cons of firmware
Autocamping has both advantages and disadvantages. The latter is mainly explained by the desire of the manufacturing company, Microsoft, to protect itself from piracy.
Incorrect firmware can ruin your device
Professionals:
- Saving on disks. The licensed version of the game costs about 2,500 rubles, and the “blank” for the pirated version can be bought 10 times cheaper.
- New items on release day. There is no need to wait for a licensed game to appear in stores; you can download it online on release day or even earlier.
Flaws:
- you may end up on Live's banned list. This occurs as a result of Microsoft checks. When a user downloads updates, the manufacturer sees which images were played on the device: licensed or pirated. If unlicensed game tracks are detected, Live will block the player.
Attention! A live ban cannot be cancelled. It's forever.
- Hazard to lasers and lenses. If you buy low-quality discs for recording games, they can quickly ruin the hardware of the device.
- Break up. Poor-quality firmware can permanently damage the set-top box. This is especially true for firmware, where the integrity of the device body is compromised.
Professionals make sure that the firmware does not in any way affect the further operation of the set-top box. If the owner of the device does not dare to do this himself, you can contact specialists.
Set-top box firmware
We will assume that we already have the firmware and the drive key is saved. Next, we will directly flash our Xbox 360 game console.
Example 1. Lite-On DG-16D2S with FW Ver 83850c V1
- In the JungleFlasher firmware utility, go to the FirmwareTool32 tab, then click the Open Source Firmware button and select the drive key file called Dummy.bin or Lite-OFW.bin.
- After the offer to automatically download the firmware, click No and find the pre-downloaded firmware.
- Click Open Target Firmware - Spoof Source to Target - Save to File.
- Go to the MTK Flash32 tab, click the Lite-On Erase button, and then confirm the request of the two pop-up windows by clicking the YES button.
- After confirming the second one, immediately turn off and turn on the set-top box again. We look at the log window - if the result is successful, Drive returned Status 0x72 should be written there, and in the Drive Properties subsection - Drive in Vendor Mode.
- We confirm the operation by sequentially clicking Yes - Write, after which the flashing process begins.
- After completion, as evidenced by the Write verifed OK entry in the log, press the Outro / ATA Reset button. All!
- Now we check how successfully we flashed the Xbox 360 console by launching the game from a self-written disk.
Example 2. X-BOX 360 Benq(Fat)
- After turning on the console, launch JungleFlasher, go to the MTK Flash 32 tab, look for the Flashing Tasks group of buttons and click Read.
- After the program considers the official firmware of the drive, we agree to save it and select a folder on the computer without changing the name of the file with the .bin extension.
- After this, we confirm the automatic download of the new firmware, after which the program goes to the Firmware Tool 32 tab, loading the standard firmware (displayed in the Source tab) and the custom firmware to which we will update (displayed in the Target tab).
- If the new firmware was not automatically detected, click Open Target Firmware and specify the file manually.
- Next, we transfer the drive key from the original firmware to the custom one and save the changes to the file: Firmware Tool 32 - Spoof Source to Target - Save to File - Save.
- We clear the built-in firmware and flash the new one: MTK Flash 32 - Flashing Tasks - Erase (if completed successfully, we will see the Blank Verified OK notification!) - Write (Write Verified OK will indicate successful firmware) - Outro / ATA Reset.
- Congratulations on successful firmware, you can try to play.
Ban on Xbox Live
Blocking a user on Xbox Live is an irreversible process that cannot be resolved by support or the user themselves.
If your account is swamped, then you will no longer be able to use the console itself with the official firmware.
Note that stitched consoles are much more difficult to sell.
To avoid a ban, we recommend installing only reliable versions of custom firmware. For example, Dual Nand or IXtreme. It is important to carefully follow all the steps in the instructions for installing a new OS and do not skip the step of clicking on the “Outro ATA Reset” button.