
DobaMuffin

Members
  • Posts: 11
  • Joined
  • Last visited
  • Days Won: 2

DobaMuffin last won the day on August 8 2023

DobaMuffin had the most liked content!


  1. Disturbed - Down with the Sickness
  2. Limp Bizkit - Rollin' (Air Raid Vehicle); Evanescence - Going Under; Papa Roach - Last Resort; System Of A Down - Chop Suey!
  3. We probably should. It's hard to listen to just 1 song. Especially in a playlist.
  4. I figure instead of doing 4 posts, I'd just have 4 songs in 1 post instead. Everlast - What it's Like; Three Days Grace - I Am Machine; Evanescence - Bring Me To Life; Three Days Grace - Never Too Late
  5. Yeah, very much reminds me of the code written by bennydiamond/psykochewbacca. Simplistic in nature, though this code seems easier to read overall in comparison to benny's code. Edit: I hope to be able to build a few in the future. Seems like an interesting project overall.
  6. This seems interesting. Definitely not the first time I've heard of the Mangler project, but it's not what I thought it was either. This seems like it will be the start to a nice open source modchip.
  7. Did some changes to my branches and now the new branch with the correct version of cromwell is here: https://github.com/DobaMuffin/cromwell/tree/MCPX_Dump
  8. Writeup of how I did it.
     - First step is to make the cromwell bios image. This is done by running make at the root of the source code.
     - Next step is to find cromwell.bin in the image folder. This is the newly built image, and needs to be hex edited.
     - Open cromwell.bin in a hex editor. Delete the bytes from 0x0 to 0xFFF so that the data at 0x1000 is now at the start of the binary file.
     - The next step is to jump to the FF padding after the Cromwell kernel and delete everything after the kernel. Save the new binary file.
     - If everything went well, you should end up with a binary file of about 175.6KiB. This is the new cromwell payload for mcpx-attack.
     - Now that Cromwell is prepped, the next step is to download mcpx-tools, and build mcpx-attack.
     - Following this, you should have your cromwell payload and the mcpx-attack tool. You now need to get a copy of your xbox's stock bios, and add it into a folder containing mcpx-attack and the cromwell payload.
     - The following command should now be run: ./mcpx-attack 1.# ./path_to_stock_bios.bin -i ./path_to_cromwell_payload.bin -o ./final_bios_image.bin where # = (0 or 1 depending on your MCPX rom version)
     - The resulting bios file can now be flashed onto a modchip (I used an aladdin clone with 256KB of flash) before being placed into your xbox and the xbox turned on.
     - If everything went well, you should now have the MCPX rom on your screen. You just need to copy it by hand (As a hint, the MCPX roms start with the Hex values 0x33 0xC0 and end with the hex values 0x02 0xEE).
     What it does: RC4 patches a jump instruction to point to 0x1000, and TEA adds X-codes, patches jump instruction for fbl, and I think that was it. Ok, so yeah, that's all mcpx-attack does. Well, apart from inserting whatever payload I wanted at 0x1000 with the -i parameter.
     Link to my github repo for Cromwell is here: https://github.com/DobaMuffin/cromwell/tree/master
     Link to the MCPX-Tools repo is here: https://github.com/XboxDev/mcpx-tools
     MCPX MD5sums have been attached in an image to this post, as well as the cromwell payload I used for the exploits. This version of cromwell has the code to disable the MCPX rom removed so that it doesn't hide it after loading it. The need for the MCPX-Attack suite is due to the bootloader of cromwell using the visor hack, which disables the MCPX secret rom in the process due to how the exploit works. By removing it and using the TEA or RC4 hacks instead, this issue is no longer present. Future plans for this are to save the MCPX rom to a file either on a storage unit plugged into the controller, or onto the hard drive. The other future plan is to have a qr code generated that links to a webpage hosted by the xbox where the file can be downloaded. If anyone has any issues with these instructions, let me know and I'll try to figure out what the issue is.
     payload.bin
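The hex-editor steps in the post above (drop bytes 0x0 to 0xFFF, cut at the FF padding after the kernel, confirm the result is about 175.6KiB) and the "copy it by hand" hint (dump starts 0x33 0xC0, ends 0x02 0xEE) are easy to get subtly wrong by hand. The script below is an added example written for this page; it is not the poster's code and not part of Cromwell or mcpx-tools. The 0x1000 offset, the 0xFF fill byte, the expected size and the head/tail bytes come from the post; the padding-run length (`MIN_PAD_RUN`), the size tolerance, and the constructed sample image are assumptions for the sake of a self-contained run.

```python
# Added example (not the poster's code and not part of Cromwell or mcpx-tools):
# carve the Cromwell payload out of a built cromwell.bin the way the post
# describes, then sanity-check the result. Offsets and byte values come from
# the post; the padding-run length and size tolerance are assumptions.

HEADER_SKIP = 0x1000        # the post deletes bytes 0x0..0xFFF so 0x1000 becomes the new start
PAD_BYTE = 0xFF             # the post: the kernel is followed by FF padding
MIN_PAD_RUN = 256           # assumption: a run of this many 0xFF bytes marks the padding
EXPECTED_KIB = 175.6        # the post: the resulting payload is about 175.6 KiB
SIZE_TOLERANCE_KIB = 2.0    # assumption: how far from 175.6 KiB still counts as OK
MCPX_HEAD = bytes.fromhex("33c0")   # the post: MCPX roms start with 0x33 0xC0
MCPX_TAIL = bytes.fromhex("02ee")   # the post: ... and end with 0x02 0xEE


def carve_payload(image: bytes, min_pad_run: int = MIN_PAD_RUN) -> bytes:
    """Drop the first 0x1000 bytes, then cut at the first long 0xFF run (the padding after the kernel)."""
    if len(image) <= HEADER_SKIP:
        raise ValueError("image too small: nothing past offset 0x1000")
    body = image[HEADER_SKIP:]
    cut = body.find(bytes([PAD_BYTE]) * min_pad_run)
    if cut == -1:
        raise ValueError("no 0xFF padding run found after the kernel")
    return body[:cut]


def payload_size_kib(payload: bytes) -> float:
    """Size in KiB rounded to one decimal, so it can be compared with the post's 175.6KiB."""
    return round(len(payload) / 1024, 1)


def payload_size_ok(payload: bytes, expected_kib: float = EXPECTED_KIB,
                    tolerance_kib: float = SIZE_TOLERANCE_KIB) -> bool:
    """The post's 'if everything went well' size check, as a predicate."""
    return abs(len(payload) / 1024 - expected_kib) <= tolerance_kib


def looks_like_mcpx_dump(data: bytes) -> bool:
    """Check a hand-copied dump against the start and end bytes the post gives as a hint."""
    return len(data) >= 4 and data.startswith(MCPX_HEAD) and data.endswith(MCPX_TAIL)


def build_sample_image() -> tuple:
    """Constructed stand-in for cromwell.bin (not a real build): 0x1000 bytes of
    header, a 179814-byte (175.6 KiB) fake kernel with no long 0xFF runs, the 0xFF
    padding, and some trailing data that must be cut away. Returns (image, kernel)."""
    kernel = (bytes(range(256)) * 703)[:179814]
    header = b"\x00" * HEADER_SKIP
    padding = bytes([PAD_BYTE]) * 4096
    trailing = b"\x55" * 512
    return header + kernel + padding + trailing, kernel


SAMPLE_IMAGE, SAMPLE_KERNEL = build_sample_image()

if __name__ == "__main__":
    import sys
    # Usage: python carve.py cromwell.bin payload.bin   (no args: run on the constructed sample)
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_IMAGE
    payload = carve_payload(data)
    print(f"payload: {len(payload)} bytes = {payload_size_kib(payload)} KiB, "
          f"size ok: {payload_size_ok(payload)}")
    if len(sys.argv) > 2:
        with open(sys.argv[2], "wb") as out:
            out.write(payload)
```

Cutting at the first long run of 0xFF rather than stripping trailing 0xFF matters when the built image has data after the padding; if a real build ever contains a long 0xFF run inside the kernel itself, raise `MIN_PAD_RUN` and compare the carved size against the 175.6KiB figure from the post before using the file.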
  9. Yeah. I believe I was the one who mentioned it was possible tbh. I know I've done it on my personal consoles before. It's very simple. Take an lpc rebuild board, install it, and then cut a certain trace on the top of the motherboard near the xyclops chip to cut lframe going to it.
  10. No problem. It's all info I've gathered over the past few years, either through discussions with people, independent reading of old articles and books, or through research into the cpld code for open source modchips.
  11. The cheapmod works due to an address bug in the 49lf020 in which it will accept any address as a valid address and will happily send the data requested. This hardware bug was fixed on the 49lf020a/b variants and thus no longer worked with them. On 1.0 and 1.1 units, it was as simple as grounding d0 and wiring it up to the lpc interface. On 1.3-1.4, you had to reconnect the lframe signal from the mcpx to the lpc header since the lframe signal is only present on those board revisions for the 1.2 units, and those were development units only containing an mcpx x2 chip. Interest for the cheapmod grew again when the 1.6 came out since the xyclops used the lpc interface to boot the console, and thus all of the necessary signals for a cheapmod were present on the board. This required rebuilding the lpc interface on the 1.6 motherboard and cutting the lframe signal going to xyclops so that there would be no contention for the bus as the xyclops didn't see any valid memory read cycles. Of course, all of these issues were solved when basic modchips like the aladdin came out. They created their own lframe signals for the flash chip on board, and they also fixed the memory addresses so that it was also in a valid range for the flash chip. They also dealt with lframe or d0 by grounding them on boot to disable the onboard tsop flash, or to cancel the lframe cycle for the xyclops.