So I decided to pick up an Xbox cheap from GameStop this week. (I couldn’t resist, they priced them at $129 and even included the Mechwarrior game with the saved game buffer overflow vulnerability). Having read one too many poorly written documents on how to install Linux on an Xbox, I decided to document a bit of what I did here to save someone else the trouble.
The hard part is really getting the Xbox prepared having nothing else but a Linux desktop and an Xbox. I’d originally intended on soldering a USB extension cable into an Xbox controller, because the controllers actually have a USB 1.1 hub inside. Memory cards are just regular storage with a funny connector. My original thought was that it would be pretty easy to solder the connector onto the controller, but I managed to destroy at least one controller doing that.
At this point, I was a bit stuck because I didn’t have the USB image I needed for the buffer overflow vulnerability, but I wasn’t ready to give up just yet. I spent some time reading about how they keep you from getting code on the hard drive itself and learned the following about it:
- The Xbox uses standard ATA locking to keep you from fiddling with the drive
- Some hard drives have a master override, but Microsoft disabled this feature (“maximum security mode”)
- The password is generated by taking a SHA1 hash of a value in an EEPROM and some other intrinsics, like the MAC address of the Ethernet adapter, the drive model and the drive serial number
- The other intrinsics are pretty easy to get, but dumping the EEPROM is difficult, though not impossible
The trick to getting something on the hard drive then (since the contents are not encrypted) is to get the Xbox to unlock the drive and then detach it without the reset command getting sent over to it. If the drive gets powered down, it locks.
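The lock behaviour described above, modelled as an added example (not code from the original post): a simplified Python state model of the ATA Security feature set, replaying the unlock, swap and power-loss sequence. The class, function and password values are constructed for illustration, and the five-attempt limit comes from the ATA specification rather than from the post.

```python
from dataclasses import dataclass
import hmac

HIGH, MAXIMUM = "high", "maximum"
MAX_ATTEMPTS = 5  # failed SECURITY UNLOCK tries allowed per power cycle


@dataclass
class AtaDrive:
    """Simplified model of a drive with the ATA Security feature set enabled."""
    user_pw: bytes
    master_pw: bytes
    level: str = MAXIMUM          # the level the post says the Xbox uses
    locked: bool = True           # an enabled drive comes up locked
    attempts_left: int = MAX_ATTEMPTS

    def power_cycle(self) -> None:
        """Power loss or hardware reset: the drive relocks, counter resets."""
        self.locked = True
        self.attempts_left = MAX_ATTEMPTS

    def security_unlock(self, password: bytes, master: bool = False) -> bool:
        """Model of SECURITY UNLOCK; returns True if the drive is unlocked."""
        if not self.locked:
            return True
        if self.attempts_left == 0:
            return False          # attempt counter expired until power cycle
        if master and self.level == MAXIMUM:
            return False          # master password cannot unlock at this level
        expected = self.master_pw if master else self.user_pw
        if hmac.compare_digest(password, expected):
            self.locked = False
            return True
        self.attempts_left -= 1
        return False

    def read_sector(self, lba: int) -> bytes:
        """Media access is refused while the drive is locked."""
        if self.locked:
            raise PermissionError("command aborted: drive locked")
        return bytes(512)         # constructed placeholder sector


def hot_swap_walkthrough() -> dict:
    """Replay the sequence from the post against the model."""
    user, master = b"constructed-user-pw", b"constructed-master-pw"
    drive = AtaDrive(user_pw=user, master_pw=master)
    out = {"master_unlock": drive.security_unlock(master, master=True)}
    out["console_unlock"] = drive.security_unlock(user)   # console at boot
    out["readable_after_swap"] = len(drive.read_sector(0)) == 512
    drive.power_cycle()                                   # drive loses power
    out["locked_after_power_loss"] = drive.locked
    return out
```
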
After a few tries of swapping over the IDE cables to my desktop without turning off the drive, I did manage to get it mounted using a livecd called Xlinux. Microsoft used a fork of the FAT filesystem called xfat, so the livecd was needed to mount the filesystem. You can build the xfat patches, but I couldn’t get them to compile with gcc 3.3 or gcc 2.95 on Debian, so I just used the livecd.
I copied over the install files for Xebian onto the box, but I was so excited that I forgot to copy over the specially crafted MechAssault game that lets you boot into the Linux installer (MechInstaller). I did the hard drive song and dance again and got the save files needed for that on the hard drive. In retrospect, it would have been easier just to order the right USB adapter from the start.
With the MechAssault game started up, I hopped over to “Campaigns” and there was the emergency Linux boot game, which actually worked as advertised. The rest of the install is an exercise in installing Xebian or Gentoo, which I probably won’t actually do for a little bit since my new project is getting StepMania to run on here :).
Speaking of which, running StepMania requires installing a dashboard replacement binary, which is fairly trivial to do once you have emergency Linux on your hard drive. It’s only necessary to pick up a copy of “Bert is cheating on Ernie.rar” and “snufflelopagus” (no, I didn’t make up these names) and do a couple of things. I’m not certain about the legality of it, but since it’s my hardware, I don’t see why not.
To replace the dashboard, open up Rescue Linux and cd into /mnt/C, ftp the xbe file and the ini into the root directory, rename the .xtf files to placeholder names, and move the two files from the RAR into the fonts directory, renaming bert to “Xbox book.xtf” and snuffle-boy to “Xbox.xtf”. Stick the skin.ini file into /mnt/C/Skins and the two JPEGs into a subdirectory of that named PheoniX. That should be about it, though it needs the version of the dashboard that comes with any Xbox Live game for it to work. Also note that while the network link has to be up to upgrade the dashboard, the machine should not be given a route to the internet, because the replacement dashboard depends on behavior that is patched in later versions.