TSOP flashing: reflashing the onboard BIOS chip with a hacked BIOS to circumvent the security mechanisms.Modchip: installing a modchip inside the Xbox that bypasses the original BIOS, with a hacked BIOS to circumvent the security mechanisms.Softmods can be disabled by "coldbooting" a game (having the game in the DVD drive before turning the console on, so the softmod is not loaded) or by using a multiboot configuration. Having a modified Xbox may also disallow it from accessing Xbox Live, if detected by Microsoft, as it contravenes the Xbox Live Terms of Use, but most modchips can be disabled, allowing the Xbox to boot in a "stock" configuration. Modding an Xbox in any manner will void its warranty, as it may require disassembly of the console.
The code reloads the Dashboard with the original fonts, hacks it, and runs it. Now every time the Xbox is turned on, the Dashboard crashes because of the fonts and runs code embedded in these files. Coupled with the savegame exploit, this made 'cracking' a console as easy as transferring a modified savegame and loading it, running a script to modify the font files.
An integer vulnerability allowed for unsigned code to be run. The Dashboard and its dependencies were RSA-2048 signed, apart from two files: the fonts. The Dashboard loads its files from hard disk, and with savegame exploits modifying hard disk content was possible. But after a buffer exploit, we would expect only to be in user mode - but not on the Xbox, as all Xbox games run in kernel mode. The procedure for the user was then to simply copy a hacked savegame from a USB stick onto the Xbox hard disk, run the game and load the save-game. It was often as easy as extending the length of strings like the name of the player, and the game would overwrite its stack with data and eventually jump to the code embedded in the savegame. It is possible to use most USB sticks with the Xbox, and just store hacked savegames on them. Plenty of Xbox games had buffer vulnerabilities in their savegame handlers. Another flaw exposed poor decisions around sandboxing games and savegame data. The Secret ROM then 'falls down' to Flash memory where it can be captured. visor used XCodes to write the assembly instruction for “jmp 0xFFFF0000” to the memory location 00000000 in RAM, and changed the last four bytes in 2bl, in order to make the secret ROM run the panic code. Hackers from the Xbox Linux team checked with AMD employees and explained that AMD chips throw an exception in the case of EIP overflows, but Intel CPU's do not. All of Microsoft's Xbox prototypes were, in fact, AMD. The 'visor' bug, found by a hacker who never revealed his real name, was a critical flaw found in the console, due in part to Microsoft's decisions around suppliers for the microchips for use in the console. A flaw in the RC4 encryption algorithm implemented by Microsoft, used to encrypt the Secret ROM, gave attackers means to use brute-force attacks effectively, giving access to the console's secret RC4 key, the second part of the bootloader, '2bl', and the kernel. This was possible due to a number of critical flaws. Once this information was available, the code was soon modified so that it would skip digital signature checks and media flags, allowing unsigned code, Xbox game backups, etc., to be run. Within a few months of its release the initial layer of security on the Xbox BIOS (which relied heavily on obfuscation) was broken by MIT student Andrew Huang and the contents of the "hidden" boot ROM embedded on the MCPx chip were extracted using some custom built hardware.
The popularity of the Xbox, as well as (in the United States) its comparatively short 90-day warranty, inspired efforts to circumvent the built-in hardware and software security mechanisms, a practice known as "cracking".