Skip to content
Branch: master
Find file Copy path
2 contributors

Users who have contributed to this file

@tuxuser @davidgumberg
255 lines (197 sloc) 9.84 KB


From Free60

This page was created when knowlage was low, everything on here is impossible, due to the 360s hypervisor The only exploit there is and ever will be is the king kong/jtag(smc)/whatever hypervisor bug found in kernel 4532 -slasherking823

Actually, upon further examination, this page was created by someone with no knowlage even when public knowlage existed

Bade Ideas are as follows:

Please reply and comment each attack and tell us if such attacks are possible or not

Please do not erase wrong things but reply instead

Some basic knowledge


No void warranty


  • Old XBOX games
    • Known bugs on the old games
    • Maybe it works (small probability that it has not been fixed)
    • Its been noted that few of the XBOX1 games whose GameSavs were exploitable appear on the X360 backwards list. However it's also worth knowing that games in addition to 007AUF, MA, and SC1 contain similar flaws - but their exploitation was not felt necessary.
    • This probably does not work, since the XBOX360 emulates the old XBOX (with an emulator that is customized for each game). Using a bug in an old game would just "break out" into the emulated old XBOX. Of course, if the emulator design is sufficiently sloppy, it might be possible to have a second step that then compromises the actual XBOX360 security.
  • Patched games
    • Patching (French)
    • (early versions?) king kong will need a patch in order to be playable under some screens
    • The patch needs a hdd
  • Manipulated media files
    • Images, Music Files, Video
      • Windows Media Center, after authenticating with the server, uses a client compiled for the 360 to access all Media Center functionality. the software is very buggy. would be a prime target for attack.
    • Start by trying out some exploits that are already known and see how the XBox360 reacts to them
      • There is potential to use a .tiff overflow(?) Certainly if the Hypervisor behaves as suggested, it will catch the buffer overflow, but it might provide insight as to how it works.
        • I emailed the team that did the .tiff overflow with the PSP (for anyone who knows about their work), and asked for info regarding how they went about .tiff exploit. They had some interesting things to say (I can email anyone their response if they want), and recommended this. I'm sure its old business for alot of people, but its oer my head; I'm not able enough to get alot of it. If someone wants to work in conjunction with me to try this exploit out, my email is
      • Maybe the recent WMF bug (escape function) will work too.
        • WMF Files don't play on the 360.
  • Save game attack
    • Will require another hack first to be able to hijack a game's save game signing
  • Network compromise
    • Fuzzing services/network connections
  • File system drivers
  • Decompression routines
    • Cause a buffer overflow


  • DMA attack
    • Someone has developed an exploit for Firewire DMA FireWire - all your memory belongs to us
    • Firewire can copy data between two firewire hdd without using the cpu at all (no irq gestion ...)
    • Maybe retrieve some data that can't be retrieved
    • USB and IDE that have DMA
      • Maybe it doesn't work with non-Firewire devices
    • Video: [2] for linux
  • Manipulated USB device
    • Webcam
    • IPod

Torx and Solder

  • Boot suggests various CPU parameters including Hypervisor mode and boot vector are set by I2C/SPI bus on start up. If the I2C/SPI bus is accessible and modifiable then security features could be disabled allowing another vector to succeed.
  • Theories are floating around some forums as to the validity of hacking DVD drive firmware to authenticate all discs as OK. Firmware has some basic bitswapping and xor-ing which was defeated quickly, maybe potential to change it?
    • Good technical thread here at Unfortunately, it starts in the name of backups, but it contains large amounts of insight as to how the DVD system functions. Signing code would still be a problem, but bypassing mediachecks could help at least.
      • (Offtopic) If it is possible to modify the firmware, would it then not also be possible to read the 'hidden' security areas on (for example) audio-dvd?
  • Buses
    • If some bus are accessible but at too much high speed(don't remember well the design of the 360 i must re-read the documentation and websites) maybe use of highspeed DAC or professionals osciloscope for electronic design or aviation(maybe some people have access to such devices) or home-made ones (using some dac of some cards(video-cards,tv-cards))
    • Easiest way to do DAQ is to use an NI DAQ system of allmost any kind (w/ fast enough DAC, something like FLASH-DAC) [3]
    • Develop program for a snatching data from the bus. with high input impendances, megaohm range. If somebody is able to get those DAQ systems, i'm going to write a program for snatching data.

Failed Vectors

To save people revisiting old ground please list any attempts that have failed here


Page design

this is a stub or whatever you call this kind of page...

it's as a "brouillon(french)"

this page has not been reviewed by skilled persons...(mabe they haven't got the time) this page could be reviewed by someone that is not a developer(precious time) but is a press expert and know what is possible and what isn't

so put evrything on the main page and discuss it on the main page it's ment for this

and if something cleen and verified can be produced we will make another "stable" page that developers should read


Xbox 360's OS has its root in the OS of the original Xbox (which is derivate from Windows 2000). I think that some bug and exploit in Xbox 1 (or even 2000) still work on the 360, we have to try every bug/fuzzing/hole knowed to find exploits.

Ideas :

- file format fuzzing (there are some tools in sourceforge), example : image format like wmf (recent exploit in Win 2000 and XP plateform due to implementation of the fct escape() and not a BO!!!!!)

XMA is a very good way to find some holes, and Sounds aren't signed (Demo DVD) Someone has Doc about XMAÂ ? maybe in XACTÂ ?

- by network UPnP (use XML), it's seems that the norm think about security like not permit to send XML break char, or limit ACL hack, but if there are an XML implementation (lib XML) there are chance to find an exploit.

We all know Microsoft's security in their implementation of norms (like IP stack or other).

- by DMA, using USB (security hole in Win 2000&XP ohcpi) other way : IDE (sata), we can try to access to DMA with a PC connected to the SATA ;-) the idea is to use the PC like an IDE device for the Xbox 360. i'm reading the DMA-API and IDE doc for linux (if you have linux, interessting stuffs are in /include/Documentation/DMA-API.txt & DMA-mapping.txt and in /include/Drivers/ide/ )

- by threads, if we can use the GPU to access to RAM and acces to the same area as the CPU we can do some buggy things (in fact thread is not necessary)

ressources :

- metasploit, a huge DB for exloits and shellcodes

- milw0rm, exploits

- fuzzing file and network

XEX executables

What security problems are known about the XEX files. They can be burned to DVD/CD and used to install the backwards compatability emulator, so attacking them would be a good idea. Since the OS for the 360 is based on Windows, is the .xex file in any way related to .exe? .xex files renamed to end in .exe do not do anything in Windows. I would like further documentation on what happens when the emulation software is executed via CD/DVD. --Monsuco 19:29, 9 Mar 2006 (CET)

The XBOX360 CPU is based on the PowerPC architecture, not on Intel like PC CPUs. For that simple reason, an XBOX360 executable will never run under a PC version of Windows.--Silence 10:59, 10 Mar 2006 (CET)

First guy is absolutly retarded >_> -Thilo


- The XNA libraries are .Net wrappers around various DirectX libraries (XACT, XInput, Direct3D, etc), and runs on the .NET Compact Framework. Both frameworks are fairly large and complex and it could be a possible candy store for exploits.

After all that

No No No and btw No

Personal tools


You can’t perform that action at this time.