I'm gonna be honest, I thought the story was over when they started talking about "oh hey here's this hypervisor code that loads extensions", because obviously extensions are going to be a massive increase in attack surface. But even then, the system wasn't actually broken by the extension being badly designed; the extension was just the most useful target to use the actual attack on.
How the hell has the Xbox 360 hypervisor remained basically impenetrable? You'd think at some point, someone would write and sign a hypervisor extension with a cripplingly bad memory safety bug. Hell, Apple's PPL[0] has better hardware isolation than Xenon's hypervisor mode[1] and it still gets 0wned more often.
[0] Page Protection Layer. On Apple processors, every ARM exception level has a corresponding guarded exception level that has privileges over the regular one; chiefly corresponding to memory management.
[1] On Xenon, the hypervisor runs in "real mode" plus HRMOR; Apple PPL's GL1/2 still have virtual memory and page table permissions.
It sounds like the hypervisor extensions are more like one-shot payloads, which probably have much less attack surface than normal kernel modules that are exposing new functionality to userspace.
> You'd think at some point, someone would write and sign a hypervisor extension with a cripplingly bad memory safety bug.
I'd hazard a guess that the Apple hardware is easier to work on than a video game console. You're already sitting in front of a general purpose computer running programming tools. A video game console is the antithesis of that.
Assigning dollar values to this kind of work gets messy, fast.
Imagine if someone iterated on the exploit presented in the article so that it became a persistent "softmod" - who gets the funds?
Bounties also discourage open collaboration. For example, if person A has the first half of an exploit chain and person B has the second, they're each incentivised to keep the information to themselves and try to get a full chain on their own to claim the bounty. Of course, this assumes they're financially motivated - but if they're not there's no point in the bounty in the first place.
Bounties are free work contests for any potential beneficiary
And the benefactor is designed by a committee who can't even agree on the value, winding up tossing pennies at the problem hoping someone in Malaysia salivates.
The Xbox 360/PS3 era of video game consoles is probably the hardest era to emulate. Subsequent generations of consoles are essentially the same hardware as regular computers, just with a custom OS (and known hardware profile, certainly a benefit over regular consumer PCs). But that era of video game consoles is the last gasp of the custom hardware design of earlier consoles, which is substantially harder to emulate because the hardware just doesn't look like what modern hardware looks like.
Furthermore, said era is also right after Dennard scaling came to an end, which means that current hardware doesn't have that much better specs, at least in easy-to-use form, than the hardware of the time. If any game tried to take the hardware to its limits, it would be a real struggle to emulate it with regular computers.
Xbox 360 and PS3 emulators are still borderline unusable on my new-ish PC. They're slow, glitchy, and/or hard to set up. Related to what the other commenter said, anyone who says these are good must have a lot of time to deal with it, whereas I just want the equivalent of sticking the disc into the console.
GameCube is the newest thing I've had a decent experience emulating, and even that isn't 100% unless it's Melee with the Slippi optimizations (n.b. did not try DS or Switch).
Oh sweet, thanks for the link. It sounds like it was harder getting things running on the XB1's tiny CPU vs running an emulator on monster dev machines, no surprise there! :-D
I wonder about that too. New console supports only a subset of 360 games somehow, and with different enhancements.
The 360 could also play original Xbox games without much exception, but it was noticeably slower than the original. Halo 2 on 360 has a shorter render distance.
If you want to emulate a current console, try emulating the Switch. I haven't looked into it much, but apparently it works better on modern hardware than on the Switch itself. Not surprising given the Switch's aging hardware and power limit.
But the supposedly working Switch emulators only have experimental Mac support at best. Also idk if the CPU arch is really the hard part in general... we never got an Xbox 360 emulator for PPC Mac ;)
Xbox 360 emulation is still really bad for most games, despite what some YouTubers would have you believe. But let's say in a few years it does become substantially better. There's still:
• Nostalgia
• Authenticity
• Compatibility
• Preservation
• Cost of entry
Even if 360 emulation does become practical, a 360 will still be cheaper than any gaming PC capable of playing those games.
Just this week a PC port of the 360 version of Sonic Unleashed was released that was accomplished via static recompilation techniques. It plays flawlessly and is really quite an impressive release. If this is possible now then emulation of these consoles might not be the only avenue to preserving their history.
There's no meaningful technological difference between what that static recompilation tool can do for you vs. what hacking up Xenia can. I'd also hazard a guess that that port's GitHub repo will get DMCA'd eventually, and rightfully so.
I really don't know why people keep doing this to themselves and to the communities they claim to love. This is about as far from a clean-room reimplementation and porting effort as humanly possible. It's not a forward-thinking, sustainable preservation effort at all.
Yes, but the graphics system for the game was completely reworked by people familiar with Sega's proprietary Hedgehog Engine. A straight recompile would have been unplayable.
Very cool to see people still working on hacking the 360. I used the RGH on my 360 years ago. Was really fun back in the day going through all the cat and mouse that went on.
A soft mod would be cool as the RGH does require soldering some very tiny wires to some very tiny pads and I remember seeing posts of many people lifting pads trying to do this mod. But in the end I had a perfect install on my 360 and would boot almost every time on the first try.
Do the people who hack 360s also know how to prevent them from inevitably red-ringing? Cause that's the biggest thing discouraging me from buying another (my other 2 went red).
It's the same issue that was behind NVDA's "soldergate" fuck-up that ended up permanently souring the relationship between them and Apple.
The core is the EU's regulation on lead-free solder, which led to a number of people finding out that thermal cycling on the solder led to thermal stresses. Workarounds were identified and any solder formulations since then don't suffer from that issue, so the fix is a complete re-balling of affected chips... a job not for the faint of heart.
Complicating the issue is that this was also an early generation of chiplet, so there are two levels of BGA: motherboard to processing unit, and processing unit to chip_actual. The latter are commonly referred to as "bumps" to distinguish them from the "BGA" which attaches the chip_structure to the motherboard. A lot of the problem was in the bumps for this chiplet-like subassembly. And while reballing BGA is a tricky but well-understood process, my understanding is that reballing bumps is nearly impossible.
I'm European, I actually support RoHS - it was just the original cause because everyone, up until it came into force, was accustomed to classic, decades-proven leaded solder.
Why not blame the EU? It is just a well known fact that non-leaded solder has inferior properties to leaded solder, which require careful engineering to work around, and still remain somewhat unresolved.
At this point, the directive may have caused more e-waste and environmental damage from part failures than the damage the original leaded solder would have caused.
> At this point, the directive may have caused more e-waste and environmental damage from part failures than the damage the original leaded solder would have caused.
The problem is where the e-waste ends up - some ditch or desert in Africa. From there it ends up leaching into the environment due to corrosion or, worse, as widespread aerosols when the people there burn the waste to get to the copper.
> At this point, the directive may have caused more e-waste and environmental damage from part failures than the damage the original leaded solder would have caused.
“May” is doing a lot of work there. Can you substantiate the claim that the risk of lead is lower than the switching cost?
Not every model of the 360 will inevitably red ring. Those were typically only the "fat" models and there are some fixes to prevent it from happening. It usually just involves changing to some better quality thermal paste & reflowing the board.
The problem is internal to the CPU packaging, there isn't a way to fix it externally. On later 65nm models (both GPU/CPU) it's almost a non-issue, but any others will almost definitely red ring at some point, all you can do is delay the inevitable.
I can't help but think that Xbox 360 emulation is the only long term path that exists for the 360, which is concerning because only Xenia to my knowledge exists and it's still experimental.
I've not modded my 360E, and it was probably one of the very last 360s built, but I've never had any problems with it, still play on it, and my understanding is there are fewer and less dire problems with it than the prior 360 and S.
Xbox security has certainly come a long way since the OG Xbox, which featured a pin header that may as well have had "insert modchip here" printed next to it.