XBox modding

Fun for young and old!  Seriously, if you’ve got some time to kill (and potentially an XBox to kill as well!) you can take the opportunity to stick it to ol’ Bill Gates up in Redmond and hack his little console machine.

Depending on the application it can be a pretty cheap way to get the power you need: I can get a brand-new console for A$244 retail (without going to a real discount shop, or I could brave the second-hand and private sale market and save even more) and then sell the controller on eBay for a few bucks — for that money, I get a Celeron/Pentium (reports vary) 733MHz with 64MB of RAM, an 8-10GB hard disk, built-in 100MBps Ethernet, in a low-power moderately compact form-factor.

That’s right — the XBox is just a PC.  Sure, it has no keyboard or mouse, but it is made of standard PC components.  The only thing stopping anyone from running normal PC programs (such as Linux, or normal Windows) is the software protections that Microsoft designed into the XBox system to stop it — and it is these protections that XBox modding defeats.

There are quite a few people about building clusters of XBoxes for doing…  well, whatever someone who wants a cluster but can’t afford a real one would do with a cluster.

Anyway, back to my modding adventure.

Late in 2003, I was invited to present at the Darwin Linux User Group annual Install-Fest.  One of the presentations (not mine) was a cracker — basically, the presenter stopped at the local shopping centre on the way to the venue and bought a brand-new XBox, and proceeded to apply a software exploit and install Linux.  It was what I’d always wanted to do to the XBox I bought when I was working in Auckland, but never got around to.  Even after having seen it done, though, I didn’t get my finger out and do it myself.

The exploit that the presenter at DarLUG used is known as “MechInstaller”.  It was one of the early programs that exploited bugs in games.  The first game with an exploitable bug was “007: Agent Under Fire” by Electronic Arts, but soon afterwards Microsoft themselves released the game “Mech Assault” that contained a similar bug.  Basically, you “obtain” special files that look to the game like a “save-game” (a file containing saved progress through the game).  Instead of being real game progress data however, the file contains code that triggers the bug in the game and defeats the protection that Microsoft built into the XBox to prevent it from running unauthorised programs.

MechInstaller was the first exploit that I tried — but first I had to get a copy of the game.  Having heard that Microsoft had fixed the exploitable bug in later versions of the game, I figured that buying a “pre-played” copy of the game would increase my chances (and save me a few bucks on a game that I’d rarely play).  What I should have done is research if there was a way to determine if you had a patched copy of the game — because sure enough, I got home and found that the exploit didn’t work with my copy of MechAssault.  Boo hoo.  At this late stage I did the research and found that the DVD media of the original game had different identifying markings than the patched version, and what the markings were.

Susan joins the story at this point — she volunteered to go back to the game shop and play “Gamer’s Girlfriend” to try and get me the right version of the game.  Whatever she said to them worked, because she got it!  MechInstaller was GO, and before long I had a Linux system running on the XBox!

Now I had to choose which Linux to run.  Being a long time Gentoo user I was interested in Gentoo or Gentoox (a customised Gentoo specifically for XBox), but Xebian (or Ed’s Debian) has the best and longest track record in the XBox Linux scene so I pulled down the CD and went for it.  Before long I was booting the CD, installing, and rebooting off a real Linux system on the XBox.

Now what?  It was always my intention to use Linux on the XBox for media streaming.  Xebian comes with the Freevo package already installed, but I didn’t see that it would really suit the task.  I found the XBMP and XBMC projects (XBMC the descendant of the first, XBMP) which looked very attractive.  There was also an XBMC competitor that looked like a customised Gentoox build running MythTV, but again it did not seem to be exactly what I needed.  So, XBMC it was.

The folks that maintain XBMC do not build binaries of it.  Legally, XBMC can only be built using the Microsoft XDK — which is well beyond my price reach and far beyond the budget of this project (from what I understand the XDK is one of these “if you have to ask the price you can’t afford it” things).  There is a project to build a Free DK for the XBox, but XBMC will not build cleanly this way.  So how can you get it?  I cannot say — but if you poke around places like XBox-Linux and XBox-Scene for long enough you will find out.

Having found a way to get XBMC, I had to install it.  This is where things got interesting…  The MechInstaller was good only to perform a very basic modification to the XBox Dashboard (the program that provides the funky green blobby control panel on the XBox when it’s not running a game) that allows you to boot Linux.  Using MechInstaller, you always had to first boot up the XBox to the Dashboard, then select the “Linux” option that appeared, in order to run Linux.  Booting automatically to Linux, or running some other program (like XBMC) from the Dashboard, did not seem to be possible.  I started to face the possibility that the only way to proceed would be to replace the BIOS in my XBox with a BIOS that would allow other programs to run.  I set the project aside for a little while (during Christmas and New Year) while I contemplated doing possibly irreparable damage to my XBox…

When I came back to the XBox, I stumbled onto a new breed of software exploits: the UBE, and its descendant the UXE.  The original exploits like MechInstaller had a flaw — they were a two-part exploit.  The main bug they exploited was the buffer-overrun exposure in the game, but they also needed a gap in the way the Dashboard operates to make the needed Dashboard change.  Microsoft was busily patching this up, using updates to the XBox kernel and Dashboard in later builds of the XBox, but also using the “XBox Live” service to update the software on XBoxes without warning or permission from owners.  Some games also had updates to the XBox software that were automatically applied when the game ran.  Consequently, by the very latest versions of the XBox software it was getting very difficult to use the existing exploits.

Then came the UBE.  While it still relied on a game with the exploitable bug, the trick it did on the XBox was different.  I don’t know the details, but apparently by the time the second version of the UBE was released (called UBE2) only the very latest PAL XBoxes could not be modded out-of-the-box — and even those could be done with a small and reversible change before running the exploit.  The UXE takes this even a step further — apparently any XBox can be modded.  There is a utility called ltools that you can use to install an exploit (now it provides UXE) and install one of a variety of alternative Dashboards which run at bootup instead of the Microsoft one.

UXE provided my answer to running XBMC.  I used MechInstaller’s Emergency Linux system to get the ltools files over the network to the XBox, then I used the MechInstaller to restore the previous Dashboard (probably didn’t have to do this, but figured that the ltools installer might not handle a box that already had an exploit installed).  Then, I started MechAssault and loaded the ltools savegame.  What appears is one of the available alternative Dashboards for the XBox, and by pressing a couple of buttons I got the ltools installation script.  When it was time to run, a mini Linux system booted and did the work: first, it made a compressed copy of the XBox C: partition, then it did its real work (copying or modifying files, etc).  When I restarted, the XBox booted into my chosen Dashboard (MXM).

After that I installed XBMC by copying the files over the network using MXM’s built-in FTP service.  After selecting “Reset Menu Cache” in MXM and rebooting, XBMC was available in a new Applications menu of MXM.  My fun with XBMC was about to start!

About the only thing I’d like to do now is make the XBox boot up to XBMC.  Running via MXM only adds two button presses to the startup sequence, but if I’m going to be running XBMC all the time I might as well boot straight there (and if I need to run the M$ Dashboard or MXM I can do so from XBMC).
