Official Reset Glitch Hack Thread V2.0

M AzeeM K

Team Xecuter Staff Member



The newly formed RGH Development Team at Xecuter HQ are proud to announce that all Phat consoles have now been defeated and are totally glitch-able without having a previous NAND dump or CPU KEY (the same applies to Slim Trinity consoles that have been updated to 14717/14719)!


Codenamed RGH 2.0, new features introduced:
  • Hack now works on new CBs (14717/14719 update)
  • Hack now works with all refurbished split CBs (4577, 5772, 6752):
      - Zephyr CB 4577, 4575
      - Falcon/Opus CB 5772, 5773
      - Jasper CB 6752, 6753
      - Trinity (Slim) CB 9230
To confirm, we can now glitch Phats with any kernel and any bootloader. As soon as you have your CPU KEY and you are using an Xecuter DemoN, you will ALWAYS be able to switch to a fully hacked NAND, and it can never be stopped no matter what update you apply and no matter which eFuses are blown!


We will be helping the J-Runner team to implement all of the new code which will allow you to build a patched ecc for any Phat NAND / Kernel / Bootloader.


The Xenon RGH hack will also be released, however the quality of glitching seems to be as poor as the infamous Zephyr. No doubt once it's out there users can tweak away at it and get some better results; the feeling here is that it's time wasted at the moment when we should be working on Corona. Currently it's a "repair" method at best to rescue DVD keys.


This is a new style of RGH hack (hence RGH 2.0) and there will be a new JED file, changes to the CoolRunner design, changes to the QSBs and possibly new install methods (we'll also show you how to change your older version TX CoolRunner to be compatible with the new hack; initial tests have shown that other cheaper versions of RGH hardware will not work at all).


Work on fine tuning the hack is currently ongoing to make it as solid as possible, however we hope to have everything ready asap.


Members of our team are also working hard on the new Slim Corona model and can tell you that great progress has been made there too. We'll just say that we feel bad for anyone who paid good money for any glitch mod that was advertised as being "Corona Ready".


Stay tuned for more news :)


Thanks to Tiros & GliGli for their initial work on the RGH hack. Without them none of this would have been possible.


You can follow the original thread here: Team Xecuter Presents RGH 2.0

========================================================

========================================================

Finally, a method of JTAG has been found to work on all non-Xenon consoles (yes... running unsigned code on Slim consoles and all dashboard versions on PHAT consoles!!!)


This also means you will be able to run all the nice stuff like games from HDD (sucks for xK3y and Wasabi; looks like they won't be needed any more, as they wouldn't have been Live-safe either).


Source: http://libxenon.org/index.php?topic=145.msg614


Full Guides / Files / Source Code / Instructions / Diagrams: http://tinyurl.com/resetglitch


You thought it wouldn't be possible?
You thought there are only (a few) JTAGs or totally overpriced devkits to run unsigned code?


GliGli & Tiros are proving the opposite! They developed a hack which glitches all recent Xbox 360 kernels to run unsigned code on:


ZEPHYR, JASPER... and... TRINITY (aka SLIM!)
(no matter which dashboard/kernel they are running)


http://www.youtube.com/watch?v=JyYdL4L6vwE


Here is the detailed technical explanation:


**********************************
* The Xbox 360 reset glitch hack *
**********************************


Introduction / some important facts
===================================


tmbinc said it himself: software-based approaches to running unsigned code on the 360 mostly don't work; it was designed to be secure from a software point of view.


The processor starts running code from ROM (1BL), which then loads an RSA-signed and RC4-encrypted piece of code from NAND (CB).


CB then initialises the processor security engine, whose task is to do real-time encryption and hash checking of physical DRAM. From what we found, it's using AES-128 for crypto and strong (Toeplitz?) hashing. The crypto is different each boot because it is seeded at least from:
- A hash of the entire fuseset.
- The timebase counter value.
- A truly random value that comes from the hardware random number generator the processor embeds. On fats, that RNG could be electronically deactivated, but there's a check for "apparent randomness" (merely a count of 1 bits) in CB; it just waits for a seemingly proper random number.


CB then runs some kind of simple bytecode-based software engine whose task is mainly to initialise DRAM; CB can then load the next bootloader (CD) from NAND into it and run it.


Basically, CD will load a base kernel from NAND, patch it and run it.


That kernel contains a small privileged piece of code (the hypervisor); when the console runs, this is the only code that has enough rights to run unsigned code.
In kernel versions 4532/4548, a critical flaw in it appeared, and all known 360 hacks needed to run one of those kernels and exploit that flaw to run unsigned code.
On current 360s, CD contains a hash of those 2 kernels and will stop the boot process if you try to load them.
The hypervisor is a relatively small piece of code to check for flaws, and apparently no newer one has any flaw that could allow running unsigned code.


On the other hand, tmbinc said the 360 wasn't designed to withstand certain hardware attacks such as the timing attack and "glitching".


Glitching here is basically the process of triggering processor bugs by electronic means.


This is the way we used to be able to run unsigned code.


The reset glitch in a few words
===============================


We found that sending a tiny reset pulse to the processor while it is slowed down does not reset it but instead changes the way the code runs; it seems to be very efficient at making bootloaders' memcmp functions always return "no differences". memcmp is often used to check the next bootloader's SHA hash against a stored one, allowing it to run if they are the same. So we can put a bootloader that would fail the hash check in NAND, glitch the previous one, and that bootloader will run, allowing almost any code to run.


Details for the fat hack
========================


On fats, the bootloader we glitch is CB, so we can run the CD we want.


cjak found that by asserting the CPU_PLL_BYPASS signal, the CPU clock is slowed down a lot. There's a test point on the motherboard that runs at a fraction of CPU speed: it's 200 MHz when the dash runs, 66.6 MHz when the console boots, and 520 kHz when that signal is asserted.


So it goes like that:
- We assert CPU_PLL_BYPASS around POST code 36 (hex).
- We wait for POST 39 to start (POST 39 is the memcmp between the stored hash and the image hash), and start a counter.
- When that counter has reached a precise value (it's often around 62% of the entire POST 39 length), we send a 100 ns pulse on CPU_RESET.
- We wait some time and then we deassert CPU_PLL_BYPASS.
- The CPU speed goes back to normal, and with a bit of luck, instead of getting POST error AD, the boot process continues and CB runs our custom CD.


The NAND contains a zero-paired CB, our payload in a custom CD, and a modified SMC image.
A glitch being unreliable by nature, we use a modified SMC image that reboots infinitely (i.e. stock images reboot 5 times and then go RROD) until the console has booted properly.
In most cases, the glitch succeeds in less than 30 seconds from power-on that way.


Details for the slim hack
=========================


The bootloader we glitch is CB_A, so we can run the CB_B we want.


On slims, we weren't able to find a motherboard track for CPU_PLL_BYPASS.
Our first idea was to remove the 27 MHz master 360 crystal and generate our own clock instead, but it was a difficult modification and it didn't yield good results.
We then looked for other ways to slow the CPU clock down and found that the HANA chip had configurable PLL registers for the 100 MHz clock that feeds the CPU and GPU differential pairs.
Apparently those registers are written by the SMC through an I2C bus.
The I2C bus can be freely accessed; it's even available on a header (J2C3).
So the HANA chip will now become our weapon of choice to slow the CPU down (sorry tmbinc, you can't always be right, it isn't boring and it does sit on an interesting bus).


So it goes like that:
- We send an I2C command to the HANA to slow down the CPU at POST code D8.
- We wait for POST DA to start (POST DA is the memcmp between the stored hash and the image hash), and start a counter.
- When that counter has reached a precise value, we send a 20 ns pulse on CPU_RESET.
- We wait some time and then we send an I2C command to the HANA to restore the regular CPU clock.
- The CPU speed goes back to normal, and with a bit of luck, instead of getting POST error F2, the boot process continues and CB_A runs our custom CB_B.


When CB_B starts, DRAM isn't initialised, so we chose to only apply a few patches to it so that it can run any CD. The patches are:
- Always activate zero-paired mode, so that we can use a modified SMC image.
- Don't decrypt CD; instead expect a plaintext CD in NAND.
- Don't stop the boot process if the CD hash isn't good.


CB_B is RC4-encrypted and the key comes from the CPU key, so how do we patch CB_B without knowing the CPU key?
RC4 is basically:
    crypted = plaintext xor pseudo-random-keystream
So if we know plaintext and crypted, we can get the keystream, and with the keystream, we can encrypt our own code. It goes like that:
    guessed-pseudo-random-keystream = crypted xor plaintext
    new-crypted = guessed-pseudo-random-keystream xor plaintext-patch
You could think there's a chicken-and-egg problem: how did we get the plaintext in the first place?
Easy: we had plaintext CBs from fat consoles, and we thought the first few bytes of code would be the same as the new CB_B, so we could encrypt a tiny piece of code to dump the CPU key and decrypt CB_B!


The NAND contains CB_A, a patched CB_B, our payload in a custom plaintext CD, and a modified SMC image.
The SMC image is modified to have infinite reboot, and to prevent it from periodically sending I2C commands while we send ours.


Now, maybe you haven't realised yet, but CB_A contains no checks on revocation fuses, so it's an unpatchable hack!


Caveats
=======


Nothing is ever perfect, so there are a few caveats to that hack:
- Even if the glitch we found is pretty reliable (25% success rate per try on average), it can take up to a few minutes to boot to unsigned code.
- That success rate seems to depend on something like the hash of the modified bootloader we want to run (CD for fats and CB_B for slims).
- It requires precise and fast hardware to be able to send the reset pulse.


Our current implementation
==========================


We used a Xilinx CoolRunner II CPLD (xc2c64a) board, because it's fast, precise, updatable, cheap and can work with 2 different voltage levels at the same time.
We use the 48 MHz standby clock from the 360 for the glitch counter. For the slim hack, the counter even runs at 96 MHz (incremented on rising and falling edges of the clock).
The CPLD code is written in VHDL.
We need it to be aware of the current POST code; our first implementations used the whole 8-bit POST port for this, but we are now able to detect the changes of only 1 POST bit, making wiring easier.


Conclusion
==========


We tried not to include any MS copyrighted code in the released hack tools.
The purpose of this hack is to run Xell and other free software. I (GliGli) did NOT do it to promote piracy or anything related; I just want to be able to do whatever I want with the hardware I bought, including running my own native code on it.


Credits
=======


GliGli, Tiros: Reverse engineering and hack development.
cOz: Reverse engineering, beta testing.
Razkar, tuxuser: beta testing.
cjak, Redline99, SeventhSon, tmbinc, anyone I forgot... : Prior reverse engineering and/or hacking work on the 360.
Full Guides / Files / Source Code / Instructions / Diagrams: http://tinyurl.com/resetglitch

Note: you can use the Xecuter NAND-X for Slim NAND dumping ;)
 
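The fail-open memcmp pattern the glitch section above relies on, next to a fault-hardened form, as an added example. This is illustration code written for this page, not the 360 bootloader's code or anything from the RGH tools. The fault model (the compare routine's return value is overwritten once, either with 0 or with the success magic) is a constructed simplification of what the writeup describes a reset glitch doing to memcmp, and the magic constants are arbitrary. It shows why a check spelled `memcmp(...) == 0` accepts the first forced-zero return, while a compare that answers with a many-bit magic and is evaluated twice needs two coordinated faults.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Constructed fault model for this demo: the return value of the next
 * `count` compare calls is overwritten, the way the writeup describes a
 * reset glitch turning memcmp's result into "no differences". */
enum fault_kind { FAULT_NONE, FAULT_RET_ZERO, FAULT_RET_OK };
static enum fault_kind g_fault = FAULT_NONE;
static int g_faults_left = 0;

void arm_fault(enum fault_kind kind, int count)
{
    g_fault = kind;
    g_faults_left = count;
}

static int fault_fires(void)
{
    if (g_fault == FAULT_NONE || g_faults_left <= 0) return 0;
    g_faults_left--;
    return 1;
}

/* Pattern 1: the check the glitch defeats. "Equal" is "memcmp returned 0",
 * and 0 is exactly the value a glitched compare hands back. */
int naive_hash_ok(const uint8_t *stored, const uint8_t *computed, size_t n)
{
    int r = memcmp(stored, computed, n);
    if (fault_fires()) r = 0;                  /* glitched: "no differences" */
    return r == 0;
}

/* Pattern 2: glitch-hardened compare. Walks all n bytes in constant time
 * and reports with a 32-bit magic that has many set bits, so a zeroed or
 * garbage register never reads as success. The constants are arbitrary. */
#define CMP_EQUAL    0x3CA53CA5u
#define CMP_MISMATCH 0xC35AC35Au

uint32_t hardened_compare(const uint8_t *a, const uint8_t *b, size_t n)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < n; i++) diff |= (uint8_t)(a[i] ^ b[i]);
    uint32_t r = diff ? CMP_MISMATCH : CMP_EQUAL;
    if (fault_fires()) r = (g_fault == FAULT_RET_OK) ? CMP_EQUAL : 0;
    return r;
}

/* The caller runs the compare twice and insists on the exact magic both
 * times: one corrupted return value (zero, or even the magic itself) is
 * rejected. Two faults landing on both calls would still pass; this raises
 * the cost of a glitch, it does not remove the attack surface. */
int hardened_hash_ok(const uint8_t *stored, const uint8_t *computed, size_t n)
{
    uint32_t r1 = hardened_compare(stored, computed, n);
    uint32_t r2 = hardened_compare(stored, computed, n);
    if (r1 != CMP_EQUAL) return 0;
    if (r2 != CMP_EQUAL) return 0;
    return 1;
}

/* Tampered-image scenario: the computed hash differs from the stored one in
 * a single bit, and one fault of the given kind is armed before each check.
 * Returns (naive_accepted << 1) | hardened_accepted. */
int scenario(enum fault_kind kind)
{
    uint8_t stored[32], computed[32];        /* constructed 256-bit hashes */
    for (size_t i = 0; i < 32; i++) stored[i] = (uint8_t)(0x11 * i + 3);
    memcpy(computed, stored, 32);
    computed[17] ^= 0x80;                    /* the image in NAND was modified */

    arm_fault(kind, 1);
    int naive = naive_hash_ok(stored, computed, 32);
    arm_fault(kind, 1);
    int hardened = hardened_hash_ok(stored, computed, 32);
    arm_fault(FAULT_NONE, 0);
    return (naive << 1) | hardened;
}

int main(void)
{
    const char *names[] = { "no fault", "return forced to 0", "return forced to magic" };
    for (int k = FAULT_NONE; k <= FAULT_RET_OK; k++) {
        int r = scenario((enum fault_kind)k);
        printf("%-22s naive accepts tampered image: %d, hardened accepts: %d\n",
               names[k], r >> 1, r & 1);
    }
    return 0;
}
```

With no fault both checks reject the tampered image; with one forced return only the naive check accepts it. The model deliberately ignores faults elsewhere (a skipped branch, a corrupted loop counter), which is why real secure-boot code combines this with redundant flags, a randomised delay before the check and, where the silicon allows it, glitch detectors.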
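The keystream trick from the CB_B section above (crypted XOR known plaintext gives the keystream, keystream XOR patch gives a valid ciphertext for the patch), as an added worked example. This is illustration code written for this page, not GliGli's tooling or any Xbox 360 code: the 16-byte key stands in for the CPU-key-derived RC4 key and is only used on the "console" side, and the 48-byte "bootloader" image and 12-byte patch are constructed. The forge refuses a patch longer than the known-plaintext prefix, which is exactly why the writeup first plants only a tiny key-dumping stub rather than a full CB_B.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Textbook RC4 (KSA + PRGA). A stream cipher: out[i] = in[i] ^ keystream[i],
 * so encrypting and decrypting are the same call. */
void rc4_crypt(const uint8_t *key, size_t keylen,
               const uint8_t *in, uint8_t *out, size_t n)
{
    uint8_t S[256];
    unsigned i, j = 0;
    for (i = 0; i < 256; i++) S[i] = (uint8_t)i;
    for (i = 0; i < 256; i++) {
        j = (j + S[i] + key[i % keylen]) & 0xff;
        uint8_t t = S[i]; S[i] = S[j]; S[j] = t;
    }
    unsigned a = 0, b = 0;
    for (size_t k = 0; k < n; k++) {
        a = (a + 1) & 0xff;
        b = (b + S[a]) & 0xff;
        uint8_t t = S[a]; S[a] = S[b]; S[b] = t;
        out[k] = in[k] ^ S[(S[a] + S[b]) & 0xff];
    }
}

/* Attacker side, no key. For the bytes whose plaintext is known:
 *   keystream   = crypted XOR plaintext
 *   new_crypted = keystream XOR patch
 * The rest of the image is copied untouched, so it still decrypts to the
 * original. Returns 0 if the patch runs past the known prefix, because
 * there is no recovered keystream to reuse there. */
int forge_prefix(const uint8_t *ct, size_t ct_len,
                 const uint8_t *known_pt, size_t known_len,
                 const uint8_t *patch, size_t patch_len,
                 uint8_t *out)
{
    if (known_len > ct_len || patch_len > known_len) return 0;
    memcpy(out, ct, ct_len);
    for (size_t i = 0; i < patch_len; i++) {
        uint8_t keystream_byte = ct[i] ^ known_pt[i];
        out[i] = keystream_byte ^ patch[i];
    }
    return 1;
}

#define IMG_LEN   48
#define KNOWN_LEN 16
#define PATCH_LEN 12

/* End to end: returns 1 when the key holder decrypts the forged image to
 * <patch><original tail>, i.e. the patch was planted without the key. */
int demo(void)
{
    /* Stand-in for the CPU-key-derived RC4 key (constructed; never touched
     * on the attacker side). */
    static const uint8_t secret_key[16] = {
        0x9f, 0x2e, 0x11, 0x4c, 0xd3, 0x07, 0x68, 0xba,
        0x55, 0xe1, 0x3a, 0x90, 0x2b, 0x7d, 0xc4, 0x06 };

    /* Constructed 48-byte "bootloader": the first KNOWN_LEN bytes play the
     * part of the prefix shared with a plaintext image from another console;
     * the remaining bytes are unknown to the attacker. */
    uint8_t original[IMG_LEN];
    for (size_t i = 0; i < IMG_LEN; i++) original[i] = (uint8_t)(0xA0 + 7 * i);
    uint8_t known_prefix[KNOWN_LEN];
    memcpy(known_prefix, original, KNOWN_LEN);

    uint8_t ct[IMG_LEN];                     /* what sits in NAND */
    rc4_crypt(secret_key, sizeof secret_key, original, ct, IMG_LEN);

    /* Replacement code for the first PATCH_LEN bytes (constructed stub). */
    static const uint8_t patch[PATCH_LEN] = {
        'K','E','Y','D','U','M','P','-','S','T','U','B' };
    uint8_t forged[IMG_LEN];
    if (!forge_prefix(ct, IMG_LEN, known_prefix, KNOWN_LEN,
                      patch, PATCH_LEN, forged))
        return 0;

    /* The legitimate loader decrypts with the real key and gets our patch. */
    uint8_t decrypted[IMG_LEN];
    rc4_crypt(secret_key, sizeof secret_key, forged, decrypted, IMG_LEN);
    return memcmp(decrypted, patch, PATCH_LEN) == 0 &&
           memcmp(decrypted + PATCH_LEN, original + PATCH_LEN,
                  IMG_LEN - PATCH_LEN) == 0;
}

int main(void)
{
    printf("patch planted without the key: %s\n", demo() ? "yes" : "no");
    return 0;
}
```

Nothing here is specific to RC4 beyond the keystream being position-dependent and reused for a fixed key: any stream cipher or counter mode gives the same malleability when there is no authentication tag, which is the general lesson behind the writeup's trick.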

insha14
May 9, 2012
How to put pirated Xbox 360 games on an RGH'd 360 Slim without a DVD drive???

As everyone knows, pirated games can be bought from almost anywhere with ease. But I'm uncertain how I can copy the game into my Xbox 360 HDD using my PC. I inserted one disc into my PC's DVD drive; there were like three folders: system update, audio and video. I converted them to an ISO with ImgBurn.

NEXT STEP???

Now what to do????
 

ModMonsta
Feb 23, 2009
insha14 said:
    As everyone knows, pirated games can be bought from almost anywhere with ease. But I'm uncertain how I can copy the game into my Xbox 360 HDD using my PC. [...] Now what to do????
Use ISO2GOD. :)
 

insha14
May 9, 2012
ModMonsta said:
    Use ISO2GOD. :)
Then I extracted it and deleted that system update folder. After doing this I used ISO2GOD and converted it.
Now how can I copy the game into my 360 HDD using a USB, and how do I install the game and play?
 

Gizmo
May 6, 2009
^^Put the files in the USB and then use XEX Menu to transfer them to the 360 HDD in their proper folders so that NXE can detect it.

Use this file path:

Content > 0000000000000000 > *Title ID here* > 0000007 > *Files here*
 

mueezaizaz
Jul 23, 2010
Complete newbie here who is tired of getting my Xbox patched for every new wave. If someone could explain in simple words how to use the Xbox's hard disk to play games after downloading them from the internet.
 

Gizmo
May 6, 2009
^^Nah, NXE will only recognize the file path I mentioned; if you use FSD then you may use anything.
 

insha14
May 9, 2012
Gizmo said:
    ^^Nah, NXE will only recognize the file path I mentioned; if you use FSD then you may use anything.
ISO2GOD converts the game into GOD. So this means I don't need to use NXE2GOD? Or do I still need to use NXE2GOD and then play?
 

Gizmo
May 6, 2009
^^No need to use NXE2GOD after using ISO2GOD, as you can tell by the titles that both programs convert the files into GOD format.
 

supermustafa123
Jun 16, 2012
Or if someone can provide a link to some tutorial.
I feel stupid just typing this because it feels too easy:
1. Make sure you are in NXE (the normal Xbox dashboard, NOT Freestyle Dash)
2. Put the game that you want on the HDD in the DVD drive of the Xbox
3. Press Y (I believe) and click Install Game
4. Let the game install
5. Get NXE2GOD (not giving you a tutorial on that, it's too easy)
6. Run NXE2GOD through XEX Menu
7. Follow the steps
8. You will be returned to NXE
9. Take the disc out of the DVD drive
10. Play the game
11. Give me money to go to school again because that was too easy and I think my IQ level dropped 2 points xD
 

insha14
May 9, 2012
Gizmo said:
    ^^No need to use NXE2GOD after using ISO2GOD, as you can tell by the titles that both programs convert the files into GOD format.
This means I only need to copy the game folder (title ID with the 0000700 folder) onto my USB. Is there any folder on the USB where I have to put the folder, or can I put it anywhere on the USB? After attaching the USB to the Xbox, can I then copy the game using Freestyle Dashboard?
 

zisheepk
Aug 23, 2009
supermustafa123 said:
    I feel stupid just typing this because it feels too easy:
    1. Make sure you are in NXE (the normal Xbox dashboard, NOT Freestyle Dash)
    [...]
    10. Play the game
How to install multi-disc games and then convert to GOD.... Is the procedure the same?? I haven't tried NXE2GOD yet.
 

supermustafa123
Jun 16, 2012
zisheepk said:
    How to install multi-disc games and then convert to GOD.... Is the procedure the same?? I haven't tried NXE2GOD yet.
I don't know, never played multi-disc games :/ I would actually rip them in FSD 2.2, named like this: "(gamename) disc 1" and "(gamename) disc 2", and I think FSD comes with the game swap feature. So NXE2GOD is pointless to me as I keep everything on my external anyway, so I just rip the games onto my external ;)
Hope this helped
 

zisheepk
Aug 23, 2009
supermustafa123 said:
    I don't know, never played multi-disc games :/ I would actually rip them in FSD 2.2, named like this: "(gamename) disc 1" and "(gamename) disc 2" [...] Hope this helped
I'm doing the same...... (y)
 