kmeisthax 10 hours ago

I'm gonna be honest, I thought the story was over when they started talking about "oh hey here's this hypervisor code that loads extensions", because obviously extensions are going to be a massive increase in attack surface. But even then, the system wasn't actually broken by the extension being badly designed; the extension was just the most useful target to use the actual attack on.

How the hell has the Xbox 360 hypervisor remained basically impenetrable? You'd think at some point, someone would write and sign a hypervisor extension with a cripplingly bad memory safety bug. Hell, Apple's PPL[0] has better hardware isolation than Xenon's hypervisor mode[1] and it still gets 0wned more often.

[0] Page Protection Layer. On Apple processors, every ARM exception level has a corresponding guarded exception level that has privileges over the regular one; chiefly corresponding to memory management.

[1] On Xenon, the hypervisor runs in "real mode" plus HRMOR; Apple PPL's GL1/2 still have virtual memory and page table permissions.

  • karlgkk 5 hours ago

    Part of the reason is motivation

    - if you hack a console, you can make fair money by selling your exploit as a packaged piece of software. Much like modchip vendors do. In fact, there have been a few software exploits that were sold with ties to a specific console. Funny if you think about it

    - If you hack an iPhone, you can sell your exploit to many governments and government agencies for millions of dollars

    If I were a profit motivated attacker, I know which I'd focus on

  • chc4 8 hours ago

    It sounds like the hypervisor extensions are more like one-shot payloads, which probably have much less attack surface than normal kernel modules that are exposing new functionality to userspace.

  • MisterTea 9 hours ago

    > You'd think at some point, someone would write and sign a hypervisor extension with a cripplingly bad memory safety bug.

    I'd hazard a guess that the Apple hardware is easier to work on than a video game console. You're already sitting in front of a general purpose computer running programming tools. A video game console is the antithesis of that.

knowitnone 12 hours ago

and here I am having trouble even removing the case! haha.

  • noisem4ker 10 hours ago

    Gotta stab it hard in those holes.

  • throwaway48476 11 hours ago

    It's not that hard when you get the hang of it and have the right tools.

    • zymhan 11 hours ago

      That was not their point.

djmips 10 hours ago

tour de force - I'm very impressed.

mouse_ 12 hours ago

I wish there was somewhere I could toss cash into a softmod bounty.

  • Retr0id 12 hours ago

    Assigning dollar values to this kind of work gets messy, fast.

    Imagine if someone iterated on the exploit presented in the article so that it became a persistent "softmod" - who gets the funds?

    Bounties also discourage open collaboration. For example, if person A has the first half of an exploit chain and person B has the second, they're each incentivised to keep the information to themselves and try to get a full chain on their own to claim the bounty. Of course, this assumes they're financially motivated - but if they're not there's no point in the bounty in the first place.

    • yieldcrv 10 hours ago

      Bounties are free work contests for any potential beneficiary

      And the benefactor is designed by a committee who can't even agree on the value, winding up tossing pennies at the problem hoping someone in Malaysia salivates

  • whalesalad 12 hours ago

    at this point is there any reason to use xb360 hardware? emulation on modern hardware has gotta be substantially better

    • jcranmer 11 hours ago

      The Xbox 360/PS3 era of video game consoles is probably the hardest era to emulate. Subsequent generations of consoles are essentially the same hardware as regular computers, just with a custom OS (and known hardware profile, certainly a benefit over regular consumer PCs). But that era of video game consoles is the last gasp of the custom hardware design of earlier consoles, which is substantially harder to emulate because the hardware just doesn't look like what modern hardware looks like.

      Furthermore, said era is also right after Dennard scaling came to an end, which means that current hardware doesn't have that much better specs, at least in easy-to-use form, than the hardware of the time. If any game tried to take the hardware to its limits, it would be a real struggle to emulate it with regular computers.

      • trashface 7 hours ago

        PS3 was wacky, but the 360 wasn't that different from a PC at the time. There were some differences in rendering API, it had a few features not available on PC hardware. And the CPU cores were actually slower than an equivalent Intel, but you had 6 of them, rare for the time. If your game was relatively portable and already used an API relatively close to D3D, it wasn't too hard to bring it up on the 360. I worked on a 360 game FWIW.

      • tedunangst 8 hours ago

        xbox 360 is pretty close to modern graphics hardware; in fact it debuted modern shader arch a bit before it became the PC standard.

      • yieldcrv 10 hours ago

        so, the challenge is what’s interesting, or any specific title or application?

    • hot_gril 12 hours ago

      Xbox 360 and PS3 emulators are still borderline unusable on my new-ish PC. They're slow, glitchy, and/or hard to set up. Related to what the other commenter said, anyone who says these are good must have a lot of time to deal with it, whereas I just want the equivalent of sticking the disc into the console.

      GameCube is the newest thing I've had a decent experience emulating, and even that isn't 100% unless it's Melee with the Slippi optimizations (n.b. did not try DS or Switch).

      • com2kid 11 hours ago

        > Xbox 360 and PS3 emulators are still borderline unusable on my new-ish PC.

        This is unfortunate as a decade ago Microsoft had an internal emulator for Xbox 360 that ran at near native speed.

        I am curious if that emulator is what it used to play Xbox360 games on newer x64 based Xbox models, or if they are using a different code base.

        Either way, technically it is possible for the experience to be good!

        • vekatimest 9 hours ago

          I think the 360 backwards compatibility is a mix of emulation and certain parts being disassembled & recompiled for x86 with some black magic.

          edit: Here's an interview with platform lead Bill Stillwell that goes into a lot more detail https://www.eurogamer.net/digitalfoundry-2017-xbox-one-x-bac...

          • com2kid 8 hours ago

            Oh sweet, thanks for the link. It sounds like it was harder getting things running on the XB1's tiny CPU vs running an emulator on monster dev machines, no surprise there! :-D

        • matthewfcarlson 4 hours ago

          Hands down my favorite thing about my time at Microsoft as an intern was just a random brown bag lunch with the engineers who did the PowerPC emulator for Xbox 360 games on Xbox One. It was an incredible talk and they went deep and were happy to answer questions.

          • com2kid 2 hours ago

            Oh damn, I was probably there at the time, working in the building, and was completely unaware of the talk!

            That would've been awesome!

            By that time though my org had spun out of Xbox to become the Microsoft Band team, so we didn't get any of the cool invites anymore. :(

        • hot_gril 11 hours ago

          I wonder about that too. New console supports only a subset of 360 games somehow, and with different enhancements.

          The 360 could also play original Xbox games without much exception, but it was noticeably slower than the original. Halo 2 on 360 has a shorter render distance.

          • jamesfinlayson an hour ago

            > The 360 could also play original Xbox games without much exception

            I remember there being a list of what it could play but I was never too sure how comprehensive it was. I know it couldn't emulate Midtown Madness 3.

      • KeplerBoy 11 hours ago

        If you want to emulate a current console, try emulating the Switch. I haven't looked into it much, but apparently it works better on modern hardware than on the Switch itself. Not surprising given the Switch's aging hardware and power limit.

        • mschuster91 11 hours ago

          The Switch is a mainstream-ish ARM system. IIRC it maps really well to Apple's M system.

          • hot_gril 11 hours ago

            But the supposedly working Switch emulators only have experimental Mac support at best. Also idk if the CPU arch is really the hard part in general... we never got an Xbox 360 emulator for PPC Mac ;)

      • perching_aix 9 hours ago

        > Xbox 360 and PS3 emulators are still borderline unusable on my new-ish PC.

        How did you manage to achieve that? What specs are we talking?

        • hot_gril 9 hours ago

          10th gen i5(? might be another gen I forget, will check at home), 16GB RAM, RTX 2060ti, Win10

          • perching_aix 9 hours ago

            Could you be a bit more specific regarding that CPU? That's a very wide range.

            • hot_gril 2 hours ago

              i5-9400f, and I was wrong about GPU, it's 1660ti

    • mouse_ 12 hours ago

      Xbox 360 emulation is still really bad for most games, despite what some YouTubers would have you believe. But let's say in a few years it does become substantially better. There's still:

      • Nostalgia

      • Authenticity

      • Compatibility

      • Preservation

      • Cost of entry

      Even if 360 emulation does become practical, a 360 will still be cheaper than any gaming PC capable of playing those games.

      • reassembled 11 hours ago

        Just this week a PC port of the 360 version of Sonic Unleashed was released that was accomplished via static recompilation techniques. It plays flawlessly and is really quite an impressive release. If this is possible now then emulation of these consoles might not be the only avenue to preserving their history.

        • perching_aix 9 hours ago

          There's no meaningful technological difference between what that static recompilation tool can do for you vs. what hacking up Xenia can. I'd also hazard a guess that that port's GitHub repo will get DMCA'd eventually, and rightfully so.

          I really don't know why people keep doing this to themselves and to the communities they claim to love. This is about as far from a clean-room reimplementation and porting effort as humanly possible. It's not a forward-thinking, sustainable preservation effort at all.

        • gjsman-1000 11 hours ago

          Yes, but the graphics system for the game was completely reworked by people familiar with Sega's proprietary Hedgehog Engine. A straight recompile would have been unplayable.

          • reassembled 6 hours ago

            Interesting, I didn’t know that. I suspect many casual observers don’t either. So you’re suggesting they did this work with proprietary info they’d gained through work with Sega and thus broke their NDA?

            • csande17 4 hours ago

              Not necessarily -- a lot of external hobbyist work has gone into reverse-engineering Sonic Generations, which has an official PC port and is based on the same engine as Unleashed.

              Funnily enough, one of the most famous Generations mods is a project that ports over a bunch of levels from Unleashed. IIRC they changed the graphics pipeline to look and work more like the Unleashed one, too.

      • NegativeLatency 8 hours ago

        I also find it much less drama to sit down on the couch and fire up a console, than to have to:

        - startup PC

        - update PC

        - figure out why bluetooth controller won't pair to PC

        - finally get it working, and then have a game crash on you

    • eddiewithzato 7 hours ago

      It’s also the worst era to play natively. Bad textures and horrible frames per second.

14 13 hours ago

Very cool to see people still working on hacking the 360. I used the RGH on my 360 years ago. Was really fun back in the day going through all the cat and mouse that went on.

A soft mod would be cool as the RGH does require soldering some very tiny wires to some very tiny pads and I remember seeing posts of many people lifting pads trying to do this mod. But in the end I had a perfect install on my 360 and would boot almost every time on the first try.

  • hot_gril 12 hours ago

    Do the people who hack 360s also know how to prevent them from inevitably red-ringing? Cause that's the biggest thing discouraging me from buying another (my other 2 went red).

    • throwaway48476 12 hours ago

      The red ring is caused by underfill that is too soft that lets the solder bumps break. It's a BGA packaging problem and there's no fix.

      • mschuster91 11 hours ago

        It's the same issue that was behind NVDA's "soldergate" fuck-up that ended up permanently souring the relationship between them and Apple.

        The core is EU's regulation on lead free solder, which led to a number of people finding out that thermal cycling on the solder led to thermal stresses. Workarounds were identified and any solder formulations since then don't suffer from that issue, so the fix is a complete re-balling of affected chips... a work not for those faint of heart.

        • somat 10 hours ago

          Complicating the issue is that this was also an early generation of chiplet, so there are two levels of BGA: motherboard to processing unit, and processing unit to chip_actual. The latter are commonly referred to as "bumps" to distinguish them from the "BGA" which attaches the chip_structure to the motherboard. A lot of the problem was in the bumps for this chiplet-like sub assembly. And while reballing BGA is a tricky but well understood process, my understanding is that reballing bumps is nearly impossible.

          • throwaway48476 6 hours ago

            It's called FCBGA, flip chip ball grid array. The only other option for packaging is wire bonding but that doesn't scale well with pin count.

            Technically you could reball and repackage the dies but you'd need millions of dollars in equipment.

        • mulmen 11 hours ago

          Sounds like a R&D problem. Why the dig at the EU?

          • mschuster91 11 hours ago

            I'm European, I actually support RoHS - it was just the original cause because everyone up to it getting in force was accustomed to classic, decades-proven leaded solder.

            • hot_gril 10 hours ago

              Did they need to have a longer transition period? Looks like it went into enforcement only 2 or 3 years after it was approved.

              • throwaway48476 6 hours ago

                No, the issue didn't affect the IBM CPU in the 360 or Intel products because they did the R&D work. TSMC and their packaging partners were just lazy.

          • gjsman-1000 11 hours ago

            Why not blame the EU? It is just a well known fact that non-leaded solder has inferior properties to leaded solder, which require careful engineering to work around, and still remain somewhat unresolved.

            At this point, the directive may have caused more e-waste and environmental damage from part failures than the damage the original leaded solder would have caused.

            • mschuster91 7 hours ago

              > At this point, the directive may have caused more e-waste and environmental damage from part failures than the damage the original leaded solder would have caused.

              The problem is where the e-waste ends up - some ditch or desert in Africa. From there it ends up leaching into the environment due to corrosion or, worse, as widespread aerosols when the people there burn the waste to get to the copper.

            • mulmen 8 hours ago

              > At this point, the directive may have caused more e-waste and environmental damage from part failures than the damage the original leaded solder would have caused.

              “May” is doing a lot of work there. Can you substantiate the claim that the risk of lead is lower than the switching cost?

      • Novosell 12 hours ago

        Sure you're not thinking of the PS3 or did both of them actually suffer the same issue?

        • 6SixTy 12 hours ago

          Both of them experience the same issue. Though it's a yellow light instead of the ring on the Xbox.

          • perching_aix 9 hours ago

            IIRC the PS3 issues were a mix of the RSX die cracking and the NEC Tokin caps giving out, not a solder issue.

        • throwaway48476 11 hours ago

          It was an industry wide problem.

          • hot_gril 11 hours ago

            Somehow out of everyone I know with one or both consoles, 100% of 360s got red ring, 0% of PS3s got yellow light.

            • 6SixTy 10 hours ago

              Fat or slim PS3? Mine experienced a YLOD circa 2010 while the slim that replaced it still works to this day.

              • hot_gril 10 hours ago

                Mostly the fat PS3. And the fat 360 too.

    • pogue 12 hours ago

      Not every model of the 360 will inevitably red ring. Those were typically only the "fat" models and there are some fixes to prevent it from happening. It usually just involves changing to some better quality thermal paste & reflowing the board.

      https://www.ifixit.com/Guide/Xbox+360+Red+Ring+of+Death+Fix+...

      • hart_russell 12 hours ago

        This video does a deep dive on the subject:

        https://www.youtube.com/watch?v=24KbVf1AD1c

        He suggests that all of the fat models will eventually red ring due to being stress tested at the factory. Not sure how true that is.

        • throwaway48476 12 hours ago

          RIP Felix has a much better video that explains the cause of the failure.

          Factory stress isn't the cause. It was a bad design.

          • hart_russell 9 hours ago

            You misread, that's not what I wrote.

      • deaddodo 11 hours ago

        The problem is internal to the CPU packaging, there isn't a way to fix it externally. On the later 65nm units (both GPU/CPU) it's almost a non-issue, but any others will almost definitely red ring at some point, all you can do is delay the inevitable.

    • Salgat 12 hours ago

      I can't help but think that XBox 360 emulation is the only long term path that exists for the 360, which is concerning because only Xenia to my knowledge exists and it's still experimental.

    • rpcope1 12 hours ago

      I've not modded my 360E, and it was probably one of the very last 360s built, but I've never had any problems with it, still play on it, and my understanding is there are fewer and less dire problems with it than the prior 360 and S.

    • 14 6 hours ago

      The RROD was pretty well known for a long time. Video games are sold to kids so it had the requirement to not use lead solder in them even though lead solder is perfectly safe and no way a child would be exposed to it, unless they eat the Xbox.

      Lead solder is much softer so with the countless hot/cold cycles, when hot the solder expands and when cold it contracts, it will handle these cycles much, much better. Without the lead the solder joints are not as soft and the hot and cold cycles eventually result in the solder joints cracking and no longer making a solid connection = RROD.

      Some models were more prone to RROD but the biggest trick is to make sure you do regular cleaning and dusting to keep air flow working. Don't put the Xbox in a cabinet with no air flow where it will heat up. Put a fan on the Xbox if you can. It has been a long time since I followed the Xbox scene but there are tons of posts online about the entire problem and best practices to avoid it.

  • nolok 13 hours ago

    Ah, I remember I had one of the first series where they forgot to remove the JTAG pins

    • jsheard 12 hours ago

      Xbox security has certainly come a long way since the OG Xbox, which featured a pin header that may as well have had "insert modchip here" printed next to it.