----------------------------------------------------------------------------
1. General
----------------------------------------------------------------------------
1.1 I want to softmod my X-Box. Where do I start?
Read this FAQ. Read the various tutorials on the forum. Come back to
this FAQ if you need some pointers to more information. Also, check
out our IRC channel (#softmods on Efnet).
In a nutshell, you need to find out your X-Box's version, your BIOS
version and dashboard version (instructions are in this FAQ),
obtain the necessary software and items (conversion cables etc,
X-Box memory card etc), and/or perform a hotswap if necessary. Don't
worry, it's easier than it sounds, as long as you're willing to do a
little reading and follow instructions properly.
Here's a video clip of a softmod (using a game exploit) in action to
show you how easy it can be:
http://www.smdepot.net/forum/index.php?topic=164.0
1.2 What is a softmod? How does a softmod work?
A softmod is a way of modding the X-Box purely using software,
without adding additional chips or altering the X-Box hardware.
It works by taking advantage of programming flaws in various retail
software (ie games or the dashboard) which allow externally injected
program code to be run. You'll need some background knowledge of
cryptographic concepts, how the X-Box security system works, and
computer security systems in general to understand the next few
paragraphs. Some good primers on these subjects can be found here:
http://en.wikipedia.org/wiki/Buffer_overflow
http://en.wikipedia.org/wiki/Cryptography
http://www.xbox-linux.org/wiki/17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System
Note: Knowing this stuff is not required to actually PERFORM the
softmod, but it does help immensely.
What most contemporary softmod installers do is replace the dashboard
(c:\xboxdash.xbe) in the hard disk with an exploitable version, along
with the exploits embedded into data files that the dashboard loads
(usually fonts).
So when the vulnerable dash loads, it runs the exploit code. The
exploit code replaces the in-memory retail RSA
(http://en.wikipedia.org/wiki/RSA) public key with one whose private
key is publicly known. The most commonly used of such replacement
keys is Habibi, named after the guy who pioneered the technique.
The exploit code then launches a habibi-signed XBE, which the X-Box
will happily authenticate and execute, since the Habibi key is in
place. This XBE can be anything, but in practice, it is either a
BIOS loader or patcher.
This BIOS loader/patcher will convert the running retail BIOS into a
hacked version with the security mechanisms disabled, allowing any
non-retail XBE to run. The BIOS loader/patcher then loads another
XBE. As above, this XBE can be anything, but in practice, a non-
retail dashboard program is run. To summarise, the control flow
is...
X-Box boots up -> runs vulnerable c:\xboxdash.xbe, loads data
(fonts), triggers exploit, replaces in-memory key with Habibi ->
runs Habibi-signed BIOS loader/patcher, removes security
mechanisms -> runs non-retail dashboard.
However, you can't simply load the exploits and vulnerable dashboard
into the hard disk through the retail dashboard. So this is where
either hotswapping or game save exploits enter the picture.
A game save exploit works almost exactly the same way as a dashboard
exploit, except it is triggered by game save data loaded by an
exploitable game. When executed, it replaces the in-memory key with
Habibi, runs the BIOS loader/patcher, followed by an installer
program to install the vulnerable dashboard and dashboard exploits
into the hard disk.
Because game saves can be transferred from/to the X-Box using a
memory card or USB storage, we are able to load the exploits into
the X-Box hard disk through them. So the entire control flow for a
softmod installation using a gamesave is...
Transfer softmod installer package to hard disk using mem card ->
run exploitable game, game loads the exploit disguised as a save
file, triggers exploit, replaces in-memory key with Habibi -> runs
Habibi-signed BIOS loader/patcher, removes security mechanisms ->
runs installer program, replaces c:\xboxdash.xbe with vulnerable
dash, and installs exploit data (fonts).
So, now when X-Box powers up...
runs vulnerable c:\xboxdash.xbe, loads data (fonts), triggers
exploit, replaces in-memory key with Habibi -> runs Habibi-signed
BIOS loader/patcher, removes security mechanisms -> runs non-retail
dashboard.
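The two control flows above hinge on one idea: the exploit never breaks
RSA, it only overwrites the public key the console checks XBE signatures
against, so anything signed with the matching (known) private key is
accepted. The toy model below is an added example, not code from this FAQ
or from any softmod package. It uses textbook RSA built from known
Mersenne primes in place of the real X-Box key, and the names Console,
Xbe, RETAIL and HABIBI are illustrative stand-ins for the real BIOS
loader and keys.

```python
"""Toy model of the in-memory key swap that a softmod relies on.

Added example, not code from the FAQ or from any real softmod. Textbook
RSA (no padding) over SHA-256, with keys built from well-known Mersenne
primes, stands in for the X-Box's real signature check. Class and key
names are illustrative assumptions, not the console's real internals.
"""
import hashlib
from dataclasses import dataclass

E = 65537


def make_keypair(p, q):
    """Textbook RSA from two known primes: returns ((n, e), (n, d))."""
    n = p * q
    d = pow(E, -1, (p - 1) * (q - 1))  # ValueError if E is not invertible
    return (n, E), (n, d)


def digest(payload):
    """SHA-256 of the XBE image, as an integer."""
    return int.from_bytes(hashlib.sha256(payload).digest(), "big")


def sign(payload, priv):
    n, d = priv
    return pow(digest(payload) % n, d, n)


def verify(payload, sig, pub):
    n, e = pub
    return pow(sig, e, n) == digest(payload) % n


# "Retail" stands in for Microsoft's key (whose private half nobody has),
# "Habibi" for the replacement key whose private half is public knowledge.
RETAIL_PUB, RETAIL_PRIV = make_keypair(2**31 - 1, 2**61 - 1)
HABIBI_PUB, HABIBI_PRIV = make_keypair(2**89 - 1, 2**107 - 1)


@dataclass
class Xbe:
    name: str
    code: bytes
    sig: int


def build_xbe(name, code, priv):
    return Xbe(name, code, sign(code, priv))


class Console:
    """Models the BIOS copying its trusted public key into RAM at boot."""

    def __init__(self):
        self.trusted_pub = RETAIL_PUB

    def load_xbe(self, xbe):
        """True (i.e. the XBE runs) only if the signature checks against
        whatever key currently sits in memory."""
        return verify(xbe.code, xbe.sig, self.trusted_pub)


def exploit_swaps_key(console):
    """What the font/gamesave exploit does once it has code execution:
    it overwrites the verification key rather than attacking RSA."""
    console.trusted_pub = HABIBI_PUB


def demo():
    """Returns ((retail ok, habibi ok) before swap, same pair after swap)."""
    console = Console()
    retail_dash = build_xbe("xboxdash.xbe", b"retail dashboard", RETAIL_PRIV)
    patcher = build_xbe("patcher.xbe", b"bios loader/patcher", HABIBI_PRIV)
    before = (console.load_xbe(retail_dash), console.load_xbe(patcher))
    exploit_swaps_key(console)
    after = (console.load_xbe(retail_dash), console.load_xbe(patcher))
    return before, after


if __name__ == "__main__":
    print(demo())  # ((True, False), (False, True))
```

Before the swap the Habibi-signed patcher is rejected and only the
retail-signed dashboard runs; after the swap it is the other way round.
That is also why the swap must be redone on every boot: the key lives in
RAM, not on disk, which is exactly what the vulnerable xboxdash.xbe plus
its font files are there to do.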
Hotswapping eliminates the need for game save exploits and the
exploitable games (which can be difficult to obtain). See section on
"Hotswapping" for more details.
1.3 Can all X-Boxes (regardless of region code or version) be softmodded?
Yes. Although not all softmods will work on all X-Boxes. As of this
writing, NDURE is the only softmod you should concern yourself with,
as it works with all X-Boxes.
1.4 What is the difference between UXE, NDURE, UDE, Krayzie, WaffleTools,
Kingroach and all those other names?
UXE (Uber XBE Exploit), NDURE (Next-Dimension Uber Rmenhal [this is
the guy who created the exploit] Exploit), UDE (Ultimate Dashboard
Exploit) are dashboard exploit methods. Krayzie, WaffleTools and
Kingroach are softmod installer packages which make use of these
exploit methods, and bundle in a BIOS loader/patcher and a non-retail
dashboard into a single, easy-to-use installer.
Quite often, the exploit methods are used to refer to the
softmod installer packages (eg. referring to Krayzie's NDURE
installer simply as NDURE). This is technically incorrect, which can
lead to some confusion over which softmod package is the "real"
thing (eg. "Is Krayzie the real NDURE or Kingroach?")
Anyway, as mentioned above, as far as exploit methods go,
NDURE is the only one you should concern yourself with, as it is the
most recent, and it fixes some issues with the older ones. Here is
a forum discussion comparing NDURE and UXE:
http://forums.xbox-scene.com/index.php?showtopic=263586&st=495&p=2740295&#entry2740295
As for UDE, don't bother, it is rather old and will not work on
newer X-Boxes.
For softmod installer packages, Krayzie's NDURE installers are
largely considered the "gold standard" for installing a softmod
through a game-save.
Kingroach's (the Kingroach PC NDURE installer), on the other hand, is
a softmod installer for upgrading an existing softmod, upgrading a
hard disk, or softmodding via hotswapping. It is a Windows
executable for generating the dashboard exploit files on a PC, which
can then be transferred into the X-Box hard disk.
1.5 How do I determine what version my X-Box is?
See http://www.xbox-linux.org/wiki/Xbox_Versions_HOWTO.
1.6 How do I determine my X-Box serial number?
If you have a backup of your EEPROM, see the section titled "EEPROM".
Otherwise, look at your X-Box box packaging or under your X-Box,
there should be a label with numbers in the format of NNNNNNN NNNNN
(where N is a digit). That's the serial number.
1.7 What is dual-booting?
It is when your X-Box is set up to boot to either a "modded" or
"unmodded" (aka retail) state. Think of it as a software equivalent
to modchips that have a switch that can turn off the chip. You'll get
the "unmodded" state when the X-Box is powered on with the DVD tray
open.
1.8 How can I enable dual-boot?
An NDURE based softmod package is required. Krayzie's NDURE softmod
installers enable it by default. Kingroach's installer has an option
called "Retail Files" on the installer menu which must be checked to
enable dual-booting.