How the Original Xbox Security was Defeated | MVG

*We'd certainly like to have you remove that if you could...*

"Ran out of time" -- We aren't afraid of 20min videos!

Is it worth mentioning that Microsoft tried to hide the fact that the game ports were electrically USB, they just changed the shape? That was something that annoyed me on the original design, thankfully they included standard USB ports on the 360!

The original XBOX UI is still beautiful to look at. Has that Matrix, late 90s, early 2000s look, but doesn't look cheesy, just looks futuristic. While you really can't have a modern UI this simple, I do wish we had the option of different looks that aren't just cheaply made amateur nonsense. Give the XBOX4 a modern UI built on this original look with all the animations, etc, and they'll sell an extra 10million units.

*Corrections and notes:*
- 5:18 The sniff was done between MCPX and NV2A (target being the CPU further down) [correct in voice-over, but broken visualization].
- 5:59 bunnies method wasn't too relevant itself; just that the MCPX dumps allowed for analysis and finding various exploits in the early boot process. This allowed circumventing checks of the flash ROM validity by exploiting MCPX bugs. It was almost entirely irrelevant to the kernel patching itself (it just made the installation of patched kernels easily possible).
- 5:59 What did allow for easier kernel patching was Microsofts internal struggle with its employees, who kept leaking code and internal details.
- 7:33 The expensive part is not a motherboard redesign (MS kept redesigning it anyway). The expensive part would probably be a change of the intel CPU design, which would significantly raise costs. The MCPX/MCPD on the other hand was developed specifically for Xbox and nForce motherboards and was cheaper to fabricate with the built-in ROM from the start.
- 8:10 The MCPX 1.1 basically moves code from the MCPX into the flash (FBL) and verifies it using TEA; I believe the FBL still uses RC4.
- 8:10 TEA itself is not insecure, however, the way MS used it was known to be insecure.
- 8:10 There were other known exploits in the MCPX 1.1 (inherited from MCPX 1.0; such as visor and mist, mentioned in the outro); and A20 was also already possible with MCPX 1.0 (as a software-only solution instead of bunnies attack).
- 8:34 The 1.6 Xcyclops (chip with Xbox Logo to the left) contains the ROM and SMC; Xcalibur (chip with Xbox Logo to the right) is only a video encoder. At least this is currently believed to be the case.
- 9:05 There *was* security for savegames, but savegame encryption keys were dumped from the kernel, so another machine could modify savegames. Without the MCPX dumps (and kernel dumps), this might have taken a bit longer.
I also believe the bunnie-phone-call was about the still-encrypted flash contents, hence: *ROM image* (which also contains the plaintext copyright message, shown on his website).
There was a back-and-forth with MS about his actual MCPX research being published, so it would be weird for MS to give him a call afterwards (as the legal situation was settled; quote: "I got a grudging thumbs up, so to speak, from Microsoft on my Xbox reverse engineering work").
*All to the best of my knowledge, for updated information, check **xboxdevwiki.net/*
- JayFoxRox

To be fair Microsoft representatives did eventually compliment the efforts of the modding community.

When it comes to these extremely detailed videos about how security was defeated in the gaming world, I wouldnt mind if these videos were an hour long to be honest.
They are very detailed, extremely accurate, and you sure did all of the research anyone could possibly do on the subject. That shows true passion for what you do, and you do a great service for the community. Thank you.

Hmm, yes interesting. I know some of these words.

This Xbox on the video is absolutely *gorgeous*

Being that I have always enjoyed embedded electronics and hardware hacking (and plan on double majoring in CS and EE), I enjoyed this video covering security flaws in consumer electronics. Please make more of these!!!

Forgot reason 4, to play games from other regions on region locked hardware. That's why I got work-arounds for my Gamecube, and my PS2.

Looking forward to the 360 video. Thanks

Dat voicemail... first time I hear that, it is gold! I find it really fascinating to learn how exactly security got breached on all the different consoles, wether via hardware or software or a mix of the two. That was told in great detail yet succint and moving at a fast pace, and with your usual flair. Very well done, MVG! that was one really enjoyable vid yet again!

A great video! You've managed to capture the history nicely there! I have a lot of fond memories of the old XBOX =D

This guy really deserves millions of views for the amount of work he goes through for each video.

Imagine someone watching this on their OG Xbox through Linux

Thank you so much for this video! I love seeing this kind of content on the game systems from my childhood, especially now that many of the original sources on forums and the like are long since gone. Thanks again and looking forward to more!

(In bill lumberg voice) I'm gonna have to go ahead and ask you to remove that. Mmm kay!

How glad I am that they messed up the security :) The OG XBox is one of the best go-to machines for emulation, it's great!

Fun fact: one of the things you can do with a modded xbox is install Windows. There’s something called 98Lite which is basically a modified version of Windows 98 that’s meant to work on an xbox with xbox controls.

Playing backups si so handy. Just dug out my old xbox and it's easy to just play games from hard drive. No need to have the discs moved out of storage. Easier to enjoy old systems

Remembering the old school days while reading xbox-scene website everyday waiting for news, always wondered who was Lantus, now seeing you explaining details about it, must say thank you for all the hard work done in the hacking scene, making an entertaining time of our lives. P.S. In 2023 I still have my treasure with XDSL working just like then.

9:21 I remember seeing an old photo circulated around, where one of the save files had a Debian logo on it, so that could be one of the hacked save files.

Hope you do one on the Saturn, the story behind how it was done and just how long it took always fascinated me

Nothing is better than a new MVG video with a cup of coffee in the morning.

So glad you mentioned Andrew's work on this.
I vividly recall reading that blog about how he went about tapping into the bus, soldering his own custom PCB to the tiny traces. Fantastic work.
(I think this was around 2004?)
That did lead to people finding the other embarrassing security flaws, too. I still have a copy of 007: Agent Under Fire - the ONLY original Xbox disk I own. lol
I mainly used my Xbox for watching movies via XBMC, and a modded Xbox RGB SCART cable, so I could run Component to a projector.
Good times, and all thanks to the modders, hardware hackers, and coders. ;)

this channel is one of the only reasons I'm excited for Mondays.

Great video, brings back some good memories for me. I bought my first Xbox after following the progress of the exploits. Softmodded it on day one and not long after I was getting a second unit and mod chips. My main use of the machine was for Xbox Media Center which was revolutionary HTPC software at the time, and getting our gimped PAL units to output HD resolutions via component :)

Please do how the original Wii was hacked

This channel has the best content, and it's the icing on the cake that this man designed the emulator I used for my first SM64 120 stars(Surreal 64) It was a really great idea to combine the three best emulators into one program, as there were many situations where if Pj64 couldn't run something, 1964 could or vice-versa. I never got much use out of UltraHLE or whatever the third one was.

This isn't the story of topic I'd usually be fascinated by, but this video was fantastically made and drew me right in. Thank you for the really interesting and well made content.

Can I just say MVG, thank you for your videos. I love that you make content on these older system that I have or can get easily cheap! Keep up the awesome work man :)

There's an insane book called by Bunnei about this. I was able to snag a limited edition first run and it explains everything very well. It's called hacking the Xbox.

I would love to see videos like this for all the major console and handheld releases. This was really great to watch.

You are a very good teacher. Thanks for all your contributions you’ve made in your lifetime. You are a genius and a humble man at that.

I knew most of this but, it's been years... Thanks for the refresher... I remember when I did mine, I went with a mod chip and dropped a 200gb drive into my Xbox... Plenty of space. I popped it out about a month ago and must of been playing games for like 12 hours... oh the fun I had with this system when it came out...

i love videos that discuss the exploits and explains them on a technical level keep up the good work!

I remember doing a hard mod of my OG Xbox where I soldered wires to different points on the motherboard. I upgraded the hard drive and borrowed every game I could find from friends and saved them to the larger hard drive. Then put the Xbox in the senior lounge at my high school so we could all play whatever games we wanted to during study hall and lunch, without having to worry about the other people scratching discs.

I loved that they called the bloke who uploaded the rom file and ask nicely if they could remove the exploit lmao. Should've given him a job imo

I read bunnies book "Hacking the xbox" back in the day. It was quite enjoyable. Modded a bunch of the original xboxes with different types of modchips, first a bunch or wires, and then pogo pins, and finally the softmod. Still have the copy of splinter cell and the accompanying memory card with the save game exploit lying around somewhere.

7:41 haha “Xbox 2”. Like they thought that Microsoft knows how to count

As always, really interesting. It is so exiting to know, that I used your software back in the day on my v1.1. It is also hilarious to see how the Aladdin modchip looks when properly soldered in. I remember doing this with my father with solid copper wires, a non regulatable soldering iron an not understanding the manual as to how to solder the chip directly on to the pins. It looks terribly slaughtered in there, with the chip hanging loose, but works until this day.

I didnt realize you do your own music. That´s awesome!

I was only a young teenager but exploiting the original Xbox taught me so much, I even learned to solder and that is a skill I have had so much use for hacking other hardware. I miss the days of the Xbox and often get nostalgic thinking about it, it's where it all started for me and it was just so cool to me, so rewarding.

I'm a simple man, I see MVG upload, insta like.

This is awesome how in-detail and the depth you go into the console. If you could do like a comparison to modern day consoles, like the Switch, or Xbox One or PS4, and how their security is now, that would be sick!

Is it weird that I used to get scared by turning on my Xbox. I would either think that it would break, or the intro video would give me nightmares.

I *love* coming back and binge watching this series. The OG Xbox was my first time hacking a console, and o-boy was it an adventure.

Now that i know this version of the xbox exists. I need one

Really detailed man, i though i knew something. gees newer knew how more complicated it really is. Thanks

You know when the thumbnail says "Mistakes Were Made" you're in for a great video.

To be fair to the Xbox, it was basically a PC without the “scary bits” to normal users. So it’s forgiven that it’d also be the easiest to bust wide open, especially when it’s based off of something that is wide open from the start.

LOL I love how sony just released Linux, "here you go, that will save you/buy us time"

Your channel is fantastic, man. You always make the information very palatable for everyone and I always look forward to your videos.

"We'd certainly like to have you remove that if you could." If he could hahaha Aw shucks I'd like to but I just can't!

What a great video it brings back the memories I was part of team xtender the journey started with me getting hold of a developer box great times we showcased the chip at the Barras market in Glasgow and the bowlers market in Manchester the same day.

Fascinating! What a great video! :) Thanks MVG!

This was an awesome blast from the past. The og xbox was the first system I ever modded. I didn't have an Action Reply, so I cut the end off an xbox controller and a USB multitap and spliced those together to load the game save. Good times

I really like your channel and the information about hardware, little bit of history about Xbox, Modding and Softmod.
Still love these Xbox Classic machines, awesome seeing the 3 crystal versions at the back of your video.

I hot swapped mine back in 2009-2010 then installed a 160 gb ide and xbmc. Watching these makes me want to go back and play with the hard ware besides just using it to watch all my pirates movies and play Xbox games

And now Microsoft has Azure's security.

these old episodes are always fun to rewatch

Monday mornings at work go something like this: drop things off at my desk, make a coffee, close the office door and watch MVG. E-mails and other nonsense can wait.

Just found this channel a couple days ago. Awesome content and please continue with such high quality content!

The PSVITA is now FULLY exploited with a firmware downgrader now. You should do a video about that

The softmod that I used was the hdd hot swap. Where you boot up the Xbox, then unplug it from its ide and plug it into your personal computer. You gain full access to bypass its hdd password. Then all to install the original xbmc... Man those were the days

Not a PIII, it's a Celeron variant (from SSpec).
Disk wasn't a "swap" thing, it was password locked.
The trick was: you turn on the XBox (with XBox HDD powered by a PC), wait for XBox to "unlock" your hard disk, "unplug" the IDE disk and plug it on a PC (keeping it powered for the whole time).

Nice video as always. I always like to take a look at the architectures of old systems as a means to learn things about how we ended up, where we are right now, but I don't have the Time to research myself, so I very much appreciate Videos like these. Nicely researched, comprehensive but still to the point.

I still remember soft modding my xbox crystal with the “mech assault” exploit . 😅

I have to say, I really enjoy your videos detailing the cracking history and anti-piracy methods companies have used. Keep up the good work.

Why is your Xbox lookin' like a Limited Edition.

I remember when I soft modded my Xbox. I bought a copy of 007: Agent Under Fire on eBay to use a game save exploit. The seller left a note in the game case that read: “Enjoy the new Xbox experience, friend.” This was almost 13 years ago, and I will always contribute modding my console to my love of technology. Original Xbox was so much fun to mess with.

It would be interesting to talk about how they now have the “real unhackable console” aka Xbox One.

I can’t wait to see the video on the security of the Xbox 360. I was part of a community that contributed heavily to the resigning of game save data (before modding via JTAG).

Thank you MVG, very cool!

sick as hell video man. well done editing and amazing coverage along all branches of this story. BTW excellent shirt

I'm pretty sure your intro music plays when people are traveling to heaven. That's how good your TH-cam channel is haha

Really fun video! A little of the jargon at 8:30 lost me (about the removal of the LPC header and Flash memory chip), but not for very long. I'm looking forward to the 360 video! :)

For the people who are laughing at Microsoft for these mistakes: Remember that Nintendo's first console had *zero* protection and the NES's could be bypassed by cutting one wire.

A superb video.
Such an amazing amount of detailed research, it's exquisite.

More please. Love these videos. Very interesting.

Dude I remember, being 14-15 school night 2-3 am, Xbox fully opened , and you had me trying to sync my xbox and pc boot sequence with the IDE cable... those were the years...

Can you see yourself covering homebrew and installation on the 3DS? I'd love to see it.

I appreciate the level of complexity in your videos. I'd love to see anything more about the saturn, dreamcast and ps1.

Og Xbox has the best lineup of games!

Damn! Just found this channel. I love the in-depth technical analysis / explanations. I want MORE!
Great work!

To some Linux meens freedom...
For me Linux means frustration!

This channel is a mine of knowledge about old tech. Thank you.

Another top informative vid!
BTW, I always thought it was pronounced RetroArk (short for "Retro Archive"), not RetroArch.

I remember the times when my dad got broken xbox (software issue if I remember correctly) and made it into our local server (local network was still at it's basics, 10mbps and such)

where can we find the infamous voicemail recording at?

Oh man, that Blue Xbox is absolutely beautiful. It reminds me of the white clear one that I got when Fable first came out, but way better looking.
Sadly the disc drive in mine is shot so it can't read discs anymore, and I already have a modded one that isn't limited edition so the clear one is just sitting around collecting dust.

9.01, Green xbox has a moth moving around in it

Thank you for the very informative video.
I find the history behind these hacks very interesting.
Xbox was the first consol i modded and it got me into the scene and peaked my Interest into home media due to XBMC.
Now I‘m and AV installer making it for a living in Bali Indonesia 😎

No mention of the IDE Hotswap method? I am kind of disappointed :D

I got all excited thinking someone finally cracked the live security and was gonna put it back online. Darn.

that background music you use. where do you get it? it's amazing! wanna listen to it all day.

I want to look into these softmods... It would be nice if I could just burn and run replacement copies of destroyed or overly-scratched discs without having to crack the console open.
On the other hand, it needs that anyway to have the controller ports and disk drive looked at...

Surprised you didn't mention the epic crypto fail. They encrypted the ROM using RC5, which has a cascading effect where if you change one byte, it will affect all following bytes. So to verify it wasn't tampered with, they just check the last few bytes are correct. Then they switched to RC4 which *doesn't* have the cascading effect, rendering that check useless.
Similarly, their program relies on a feature of the CPU they used. If the ROM were tampered with, it jumps to an instruction at the very last memory address, which turns off the ROM; then, because the next address is out of bounds, the CPU throws an error and locks up. But then they switched to a different CPU which doesn't throw an error and instead just loops back to the first memory address, where you could place some of your own code and simply turn the ROM back on and copy it. So their clever "something's wrong, lock everything down" routine just gives you control instead.
Also, you touched on it briefly, but the A20 hack. Basically by shorting a pin you could put the CPU in a legacy MS-DOS compatibility mode, and it would skip the ROM entirely, instead booting into a memory region you could control. That mode isn't used by the Xbox at all, but I guess would have been too expensive to remove since they used off the shelf CPUs, but it's pretty silly that they seemingly forgot it exists. They could have accounted for it in the design by rearranging memory a bit, so that even in this mode it would use the ROM instead of something you control.
There's also an exploit in the ROM itself, where it reads some commands from the hard drive (?) to set up the system, and you could alter those to hijack it.

OG Xboxes seem to be having a new resurgence in popularity. I've been picking them up from thrift stores at $10 each for a while now.