Microsoft patched the SMC-based “JTAG” exploit for the Xbox 360 with dashboard update 2.0.8498; consoles still on 2.0.7371 or lower remained exploitable. The JTAG hack used the console’s SMC (System Management Controller) together with the GPU’s JTAG port to run unsigned code at boot, bypassing the hypervisor’s checks by way of modified SMC firmware. Once it was patched, no alternative method was found for some time, and DVD drive firmware modding was the only option left. The patched hypervisor was not the only obstacle, either: the CPU itself carries embedded checks (a boot ROM and fused keys that verify each bootloader stage before it runs) to ensure that only Microsoft-signed executables can run on the console.
Then the first iteration of the Reset Glitch Hack (RGH) was born. It works like this: the CPU’s clock is slowed dramatically by asserting the PLL bypass point (PLL being the phase-locked loop that generates the CPU clock), and a very short pulse is then sent to the CPU_RST (CPU reset) line at a precise moment during boot. If the pulse lands at the right instant, the CPU mis-executes the bootloader’s hash comparison and carries on as though the check had passed, so unsigned code runs as if it were signed. The first iteration only worked on phat motherboards, and both the success rate and the boot time varied drastically from console to console.
Eventually the design was revised and RGH2 was born. It opened up modification of slim consoles (the Trinity and Corona motherboard variants), still using a third-party glitch chip. The design targeted slims specifically but was later ported to the phat variants (Xenon, Opus, Jasper, etc.). On the slims no consistent, reliable PLL bypass point had been found, so the I2C bus was used instead to slow the CPU. This bus connects a multitude of components across the board, including the chip that generates the CPU’s clock. The method is otherwise similar: with the CPU slowed, a timed reset pulse makes it skip the signature check, so a patched bootloader chain and modified hypervisor load and allow unsigned code execution.
Then came RGH1.2, a very reliable method that consistently instaboots consoles. It introduced variable timing files: several timing files are tried in turn and the most effective one is saved to the chip. The method is controversial within the Xbox modding scene because it does not give the end user control over the timing file. The X360 ACE V5 is a good example of a chip used for RGH1.2.
Now we have RGH3, a complete overhaul of the RGH scene that requires no third-party glitch chip at all (such as Team Xecuter’s Coolrunner 3): the glitch is generated by modified SMC firmware instead. It is by far the easiest to install, needing only two wires, a diode and a resistor. User xXBeefyDJXx on Se7ensins has a phenomenal guide on getting a console running the exploit, but the wiring works like this: the POST_1 and SMC_POST points are joined by a wire with a 1N4148 diode in series, so the SMC can watch the CPU’s POST output and know exactly where in the boot process it is. A 22k resistor is then placed on the PLL point; the SMC uses it to slow the CPU once POST reports the right stage, then issues the reset pulse itself.
All of these methods first flash a purpose-built NAND image (an .ecc file, so named because it carries the error-correcting-code bytes stored alongside each NAND page) that boots XeLL (Xenon Linux Loader), a small bootloader originally written to load Linux on the Xbox 360. XeLL prints the information needed to build a modified image, most importantly the CPU key and the DVD key. It also brings up the network interface and serves that data over HTTP, so the keys can be pulled from the console over the network rather than read back through a flasher or from the attached HDD. Once the keys are in hand they are entered into J-Runner, which builds a patched NAND image (via xeBuild) containing the glitchable bootloader chain, the patched hypervisor and kernel, and the dashboard; that image is then flashed to the console with a tool such as the xFlasher 360 or the NAND-X.
That’s it! A brief history of the Xbox 360 modding scene that hopefully helps you better understand what is actually happening inside a glitched console at the hardware and software level. If you have any questions, please feel free to contact us so we can revise this article.