I'm gonna be honest, I thought the story was over when they started talking about "oh hey here's this hypervisor code that loads extensions", because obviously extensions are going to be a massive increase in attack surface. But even then, the system wasn't actually broken by the extension being badly designed; the extension was just the most useful target to use the actual attack on.
How the hell has the Xbox 360 hypervisor remained basically impenetrable? You'd think at some point, someone would write and sign a hypervisor extension with a cripplingly bad memory safety bug. Hell, Apple's PPL[0] has better hardware isolation than Xenon's hypervisor mode[1] and it still gets 0wned more often.
[0] Page Protection Layer. On Apple processors, every ARM exception level has a corresponding guarded exception level that has privileges over the regular one; chiefly corresponding to memory management.
[1] On Xenon, the hypervisor runs in "real mode" plus HRMOR; Apple PPL's GL1/2 still have virtual memory and page table permissions.
- If you hack a console, you can make fair money by selling your exploit as a packaged piece of software, much like modchip vendors do. In fact, there have been a few software exploits that were sold with ties to a specific console. Funny if you think about it.
- If you hack an iPhone, you can sell your exploit to many governments and government agencies for millions of dollars
If I were a profit-motivated attacker, I know which I'd focus on.
That is true today, but back in 2005 when the Xbox 360 launched we didn't have every government buying up security vulnerabilities by the truckload. The market for zero-days didn't really get established until the early 2010s when the 360 was on its way out. Every contemporary competitor to the Xbox 360 got hacked within its commercial lifespan, due to having comically awful security practices. Microsoft certainly was, at the time, 'better' than Sony or Nintendo; but the task they were doing was just plain impossible.
A game console is, effectively, a Point of Presence[0] for a DRM vendor. Its job is to tie the owner's hands so that they don't copy games, and so that they don't buy games from competing companies. This is an incredibly difficult, if not impossible, task. In contrast, while the iPhone's security also does DRM and developer lockout, their main concern is keeping you from getting hacked by nation states. Those are certainly more sophisticated and well-financed attackers; but they (usually) don't have physical access to or ownership over what you're trying to protect.
[0] In telecom, a PoP is the dividing line between your systems and someone else's. If that sounds really arbitrary, it's because that's how they untangled the Bell monopoly.
> How the hell has the Xbox 360 hypervisor remained basically impenetrable?
The conspiracy theorist in me thinks that since it was a games console, the NSA didn't mandate backdoors, so MS software and hardware security guys could just make the toughest hardware and software they could dream of. Sprinkled with a decent serving of luck.
So the Xbox 360 was essentially a playground for the MS hypervisor team, without needing to worry about national security or interference.
A perfect breeding ground for developing an actually secure product they could potentially use in the future, if they were allowed.
> You'd think at some point, someone would write and sign a hypervisor extension with a cripplingly bad memory safety bug.
I'd hazard a guess that the Apple hardware is easier to work on than a video game console. You're already sitting in front of a general purpose computer running programming tools. A video game console is the antithesis of that.
It sounds like the hypervisor extensions are more like one-shot payloads, which probably have much less attack surface than normal kernel modules that are exposing new functionality to userspace.
Very cool to see people still working on hacking the 360. I used the RGH on my 360 years ago. Was really fun back in the day going through all the cat and mouse that went on.
A soft mod would be cool as the RGH does require soldering some very tiny wires to some very tiny pads and I remember seeing posts of many people lifting pads trying to do this mod. But in the end I had a perfect install on my 360 and would boot almost every time on the first try.
Do the people who hack 360s also know how to prevent them from inevitably red-ringing? Cause that's the biggest thing discouraging me from buying another (my other 2 went red).
It's the same issue that was behind NVDA's "soldergate" fuck-up that ended up permanently souring the relationship between them and Apple.
The core is the EU's regulation on lead-free solder, which led to a number of people finding out that thermal cycling on the solder led to thermal stresses. Workarounds were identified and any solder formulations since then don't suffer from that issue, so the fix is a complete re-balling of affected chips... work not for the faint of heart.
Complicating the issue is that this was also an early generation of chiplet, so there are two levels of BGA: motherboard to processing unit, and processing unit to the actual chip. The latter are commonly referred to as "bumps" to distinguish them from the "BGA" which attaches the chip structure to the motherboard. A lot of the problem was in the bumps for this chiplet-like sub-assembly. And while reballing BGA is a tricky but well understood process, my understanding is that reballing bumps is nearly impossible.
I'm European, I actually support RoHS - it was just the original cause, because everyone, up until it came into force, was accustomed to classic, decades-proven leaded solder.
It was not so much a "not enough time to transition" and more like "there are no consequences yet so why bother OH DAMN WE NEED TO MAKE IT TODAY IT GOES INTO FORCE".
Many had no issues, but a few companies didn't bother to do their homework; the problem would have been the same if the period were twice as long.
Why not blame the EU? It is just a well known fact that non-leaded solder has inferior properties to leaded solder, which requires careful engineering to work around, and still remains somewhat unresolved.
At this point, the directive may have caused more e-waste and environmental damage from part failures than the damage the original leaded solder would have caused.
> At this point, the directive may have caused more e-waste and environmental damage from part failures than the damage the original leaded solder would have caused.
The problem is where the e-waste ends up - some ditch or desert in Africa. From there it ends up leaching into the environment due to corrosion or, worse, as widespread aerosols when the people there burn the waste to get to the copper.
> At this point, the directive may have caused more e-waste and environmental damage from part failures than the damage the original leaded solder would have caused.
“May” is doing a lot of work there. Can you substantiate the claim that the risk of lead is lower than the switching cost?
Not every model of the 360 will inevitably red ring. Those were typically only the "fat" models and there are some fixes to prevent it from happening. It usually just involves changing to some better quality thermal paste & reflowing the board.
You wrote "He suggests that all of the fat models will eventually red ring due to being stress tested at the factory" - it directly states that stress testing at the factory is the claimed reason that the fat models will red ring. Or was the video host somehow stress tested at a factory?
The problem is internal to the CPU packaging; there isn't a way to fix it externally. On the later 65nm (both GPU/CPU) it's almost a non-issue, but any others will almost definitely red ring at some point; all you can do is delay the inevitable.
I can't help but think that XBox 360 emulation is the only long term path that exists for the 360, which is concerning because only Xenia to my knowledge exists and it's still experimental.
The RRoD was pretty well known for a long time. Video games are sold to kids, so it had the requirement to not use lead solder in them, even though lead solder is perfectly safe and there's no way a child would be exposed to it, unless they eat the Xbox.
Lead solder is much softer, so with the countless hot/cold cycles (when hot the solder expands and when cold it contracts) it will handle these cycles much, much better. Without the lead the solder joints are not as soft, and the hot and cold cycles eventually result in the solder joints cracking and no longer making a solid connection = RRoD.
Some models were more prone to RRoD, but the biggest trick is to make sure you do regular cleaning and dusting to keep air flow working. Don't put the Xbox in a cabinet with no air flow where it will heat up. Put a fan on the Xbox if you can. It has been a long time since I followed the Xbox scene, but there are tons of posts online about the entire problem and best practices to avoid it.
I've not modded my 360E, and it was probably one of the very last 360s built, but I've never had any problems with it, still play on it, and my understanding is there are fewer and less dire problems with it than the prior 360 and S.
Xbox security has certainly come a long way since the OG Xbox, which featured a pin header that may as well have had "insert modchip here" printed next to it.
Assigning dollar values to this kind of work gets messy, fast.
Imagine if someone iterated on the exploit presented in the article so that it became a persistent "softmod" - who gets the funds?
Bounties also discourage open collaboration. For example, if person A has the first half of an exploit chain and person B has the second, they're each incentivised to keep the information to themselves and try to get a full chain on their own to claim the bounty. Of course, this assumes they're financially motivated - but if they're not, there's no point in the bounty in the first place.
Bounties are free work contests for any potential beneficiary
And the benefactor is designed by a committee who can't even agree on the value, winding up tossing pennies at the problem hoping someone in Malaysia salivates.
The Xbox 360/PS3 era of video game consoles is probably the hardest era to emulate. Subsequent generations of consoles are essentially the same hardware as regular computers, just with a custom OS (and known hardware profile, certainly a benefit over regular consumer PCs). But that era of video game consoles is the last gasp of the custom hardware design of earlier consoles, which is substantially harder to emulate because the hardware just doesn't look like what modern hardware looks like.
Furthermore, said era is also right after Dennard scaling came to an end, which means that current hardware doesn't have that much better specs, at least in easy-to-use form, than the hardware of the time. If any game tried to take the hardware to its limits, it would be a real struggle to emulate it with regular computers.
PS3 was wacky, but the 360 wasn't that different from a PC at the time. There were some differences in rendering API; it had a few features not available on PC hardware. And the CPU cores were actually slower than an equivalent Intel, but you had 6 of them, rare for the time. If your game was relatively portable and already used an API relatively close to D3D, it wasn't too hard to bring it up on the 360. I worked on a 360 game FWIW.
Regardless of the D3D-like API-layer (which helped Microsoft compensate for the peculiarities of PowerPC), they're both PowerPC architectures.
You apparently don't know the story of how Sony spent big R&D money with IBM to transition from MIPS to the custom PowerPC Cell architecture, while IBM was already selling parts of this development to Microsoft for the Xbox 360, and Microsoft ultimately beat Sony to market launch with a chipset Sony partially financed...[0]
There's a nice book about it from two of the IBM chip designers called "The Race for a New Game Machine" by David Shippy and Mickie Phipps.
The PS3 system design was radically different. We considered porting the same PC game we (relatively) easily ported to 360 to that platform, but rejected it because it would be months of work, at least. Didn't matter that it was a similar CPU (technically) to the 360.
Microsoft was helped by the PS3 being a pain to program, given the Cell architecture, a mistake that Sony didn't repeat, and hence why the 360 was the only Xbox that had an upper hand against Sony.
Xbox 360 is also a PowerPC architecture, which on its own makes it quite a bit different from normal PC hardware, and even if that's a target that's more common to emulate there's still heavy performance losses in doing so.
It might have been easier to port to because of good OS design, but running games for it will still be inefficient compared to running on actual hardware.
Even that is a bit of a stretch, as it got released one year after DirectX 8 was made available, and was powered by GeForce 3 class hardware, which naturally came first on PC.
> The GeForce 3 was unveiled during the 2001 Macworld Conference & Expo/Tokyo 2001 in Makuhari Messe and powered realtime demos of Pixar's Junior Lamp and id Software's Doom 3. Apple would later announce launch rights for its new line of computers.
Naturally, outside the PC there was other stuff predating programmable graphics; however, if we stick to the PC, the Xbox follows the PC, not the other way around, especially since the first one wasn't that great versus the PlayStation 2 in market share, even if there were some great games like Halo and Fable.
Xbox 360 and PS3 emulators are still borderline unusable on my new-ish PC. They're slow, glitchy, and/or hard to set up. Related to what the other commenter said, anyone who says these are good must have a lot of time to deal with it, whereas I just want the equivalent of sticking the disc into the console.
GameCube is the newest thing I've had a decent experience emulating, and even that isn't 100% unless it's Melee with the Slippi optimizations (n.b. did not try DS or Switch).
Oh sweet, thanks for the link. It sounds like it was harder getting things running on the XB1's tiny CPU vs running an emulator on monster dev machines, no surprise there! :-D
Hands down my favorite thing about my time at Microsoft as an intern was just a random brown bag lunch with the engineers who did the PowerPC emulator for Xbox 360 games on Xbox One. It was an incredible talk and they went deep and were happy to answer questions.
I wonder about that too. New console supports only a subset of 360 games somehow, and with different enhancements.
The 360 could also play original Xbox games without much exception, but it was noticeably slower than the original. Halo 2 on 360 has a shorter render distance.
If you want to emulate a current console, try emulating the Switch. I haven't looked into it much, but apparently it works better on modern hardware than on the Switch itself. Not surprising given the Switch's aging hardware and power limit.
But the supposedly working Switch emulators only have experimental Mac support at best. Also idk if the CPU arch is really the hard part in general... we never got an Xbox 360 emulator for PPC Mac ;)
It's really surprising then that you had such a bad experience with PS3 emulation specifically at least, the i5 9400F was a go-to recommendation there for a very long time, basically ever since that processor's release (6 years ago).
It was last August that they bumped their system requirements to the i5 10400F. Nearly all of the games marked "Playable" in their compatibility list should be plug-and-play territory, with mint performance.
What were the games you tested with classified as? Did you try to seek help on their community space(s)?
I didn't try reaching out, I just wanted to play Shrek Forever After (for a very random reason) and gave up after 5 minutes of choppiness. Like I said, there's probably a fix, and I appreciate that there's community support, but I simply didn't have time. Especially because on the PS3 side, this was after waiting a while for RPCS3 to do its pre-run caching.
Given that the game was marked "Playable" years before your CPU saw its initial release, and that there are no notes on its Wiki page, I'd expect it to run essentially perfectly out-of-the-box, short of some regression causing issues.
You should give it a retry sometime if you can / want to. That said, I should probably let you know that the community can be slightly hostile, and they will ask you to do the legwork if it's not a misconfig but a suspected regression (they'll want you to bisect the build where the choppiness appeared). You'll also want to run the topic by the volunteers in the #help channel on their Discord before opening an issue ticket on GitHub, as their GitHub issue tickets are not for support, only for actual issue / feature request tracking.
Xbox 360 emulation is still really bad for most games, despite what some YouTubers would have you believe. But let's say in a few years it does become substantially better. There's still:
• Nostalgia
• Authenticity
• Compatibility
• Preservation
• Cost of entry
Even if 360 emulation does become practical, a 360 will still be cheaper than any gaming PC capable of playing those games.
Just this week a PC port of the 360 version of Sonic Unleashed was released that was accomplished via static recompilation techniques. It plays flawlessly and is really quite an impressive release. If this is possible now then emulation of these consoles might not be the only avenue to preserving their history.
There's no meaningful technological difference between what that static recompilation tool can do for you vs. what hacking up Xenia can. I'd also hazard a guess that that port's GitHub repo will get DMCA'd eventually, and rightfully so.
I really don't know why people keep doing this to themselves and to the communities they claim to love. This is about as far from a clean-room reimplementation and porting effort as humanly possible. It's not a forward-thinking, sustainable preservation effort at all.
Yes, but the graphics system for the game was completely reworked by people familiar with Sega's proprietary Hedgehog Engine. A straight recompile would have been unplayable.
Interesting, I didn’t know that. I suspect many casual observers don’t either. So you’re suggesting they did this work with proprietary info they’d gained through work with Sega and thus broke their NDA?
Not necessarily -- a lot of external hobbyist work has gone into reverse-engineering Sonic Generations, which has an official PC port and is based on the same engine as Unleashed.
Funnily enough, one of the most famous Generations mods is a project that ports over a bunch of levels from Unleashed. IIRC they changed the graphics pipeline to look and work more like the Unleashed one, too.
Considering that the constant stream of system software and game updates became a thing exactly in the 7th console generation (x360 era), updates are a pretty funny thing to bring up in a comparison like this.
I went to fire up my old Xbox 360 to play dance central with my kids and of course it had developed RRoD while sitting on a shelf in my basement. It seems emulation is a no go for kinect games as well.