The XBOX "MechAssault" exploit

vbimport

#1

The complete documentation can be obtained here.

Requirements

XBOX
MechAssault game
USB Key that’s compatible with your xbox.
USB Adapter cable

The General Procedure

The MechInstaller will modify the Xbox’s system software on hard disk so that the Xbox accepts Linux. The problem is that this installer itself would be rejected by an unmodified Xbox, that’s why we have to apply a trick to run it. It can be wrapped in a savegame, so if you select “Load Game” in the game MechAssault, the MechInstaller will be launched.

Now the hard part about this is to get this savegame onto your Xbox. If you have the MechInstaller on an Xbox memory unit already or know someone who has, you can skip the following section, else you have to use a Linux, BSD or Mac OS X computer, a USB stick and an Xbox USB adaptor cable to get the savegame onto your Xbox.

Creating the MechInstaller USB Stick
Back up all data on the USB stick because it will be overwritten.
Format the USB stick: When the Xbox is in the Dashboard, connect the memory stick to the Xbox using the USB adaptor cable, and wait some seconds. Then enter the memory menu. You will see a notice that the USB stick has been formatted. If the USB stick is not detected, try again, wait longer before entering the memory menu, or try another USB stick.
Find out the formatted size of your USB stick: The Xbox will tell you the amount of free blocks on the USB stick, some number around 500 (8 MB), 1000 (16 MB), 2000 (32 MB), 4000 (64 MB), 8000 (128 MB) or 16000 (256 MB).
Connect the USB stick to your Linux, BSD or Mac OS X computer, Windows users can skip most of this. (Mac OS X users: The computer will say “Disk contains volumes that Mac OS X cannot read” - just click “Ignore”)
Find out the device name of the memory stick: Copy and paste the following text into your text editor (Mac OS X users: don’t forget "Format->Make Plain Text" in TextEdit), and save it as findfatx.sh in your home directory
# Print every disk whose first four bytes are the FATX signature
for i in /dev/sd? /dev/disk?; do
    test FATX = "$(dd if="$i" bs=4 count=1 2> /dev/null)" 2> /dev/null && echo "$i"
done

On the command line (Mac OS X users: Applications/Utilities/Terminal), type sh findfatx.sh - the script will tell you the device name of the USB stick, probably something like /dev/sda or /dev/disk2. If there is no output, you have no Xbox-formatted USB stick connected.
Download the MechInstaller images here and extract the ZIP file, MechInstaller-1.0-FATX-Images.zip. It contains three images.
Copy the savegame data to the USB stick: If you are certain that the device name is correct, write the MechInstaller image of the correct size to the USB stick, by entering the following onto the command line:
cp -f MechInstaller-1.0-FATX-<yoursize>.img $(sh findfatx.sh)

If you have a less than 2000 blocks USB stick, use the image “MechInstaller-1.0-FATX-8MB-to-32MB.img”.
If you have a memory stick with at least 2000, but less than 4000 blocks, use “MechInstaller-1.0-FATX-64MB.img”.
If you have a memory stick with at least 4000, but less than 8000, use “MechInstaller-1.0-FATX-128MB.img”.
If you have a memory stick with at least 8000, but less than 16000, use “MechInstaller-1.0-FATX-256MB.img”.
If the correct image didn’t work, please try all other images one by one.

Windows 95/98/SE/ME/NT/2000/XP

For Windows users there is a great program called OzXMemory Stick Explorer (can be found at http://www.ozxchip.com/downloads_content.htm) which can write the MechInstaller FATX image files to your memory stick. The program has a GUI so it’s quite easy to use.

Connect the USB stick to your PC and launch the program.
Press Open 32MB image button and locate the required FATX image file
Press Write to xxx MB Stick button and the program should write the image file to the USB stick (you should choose the button corresponding to your USB stick size).
Now you have a USB stick that looks like an Xbox memory unit to the Xbox and contains the savegame that starts the MechInstaller.

Preparing your Xbox
Now you need to copy all savegames from the USB stick to the Xbox hard disk, so you can load them from MechAssault without the USB stick being connected.

Connect the USB stick or Xbox memory unit containing the MechInstaller savegame to the Xbox and run the Dashboard
Select “MEMORY”
Select your memory unit
Select the savegame “Install Linux” - if the memory unit does not contain any savegames, then the image you have written had the wrong size. Try again using another image (Linux, BSD, Mac OS X) or press another button to write the image (Windows).
Select “COPY”
Select “XBOX HARD DISK”
Copy the uninstaller and the emergency system: Repeat the same with the savegames named “Restore Dashboard” and “Emergency Linux”.

Backing up your Xbox Hard Disk Key
In case of problems, it is important that you have your Xbox hard disk key.

Insert the MechAssault game
Select “CAMPAIGN”
Select “Emergency Linux”
Get the key: Using a telnet connection to 192.168.0.3 (a USB keyboard will not work in the Emergency Linux)
telnet 192.168.0.3

log in as root, password xbox, and type
xbox_tool -a
Then write down the hard disk key.

Making the Xbox Linux-compatible
Insert the MechAssault game
Select “CAMPAIGN”
Select “Install Linux”

Your Xbox will now be prepared. This will take some seconds. Afterwards, your Xbox is fully Linux-compatible, and there is an item “LINUX” in the Dashboard main menu which boots a minimal Linux system. Use an installation CD from http://xbox-linux.org to install a full Linux system.

Undoing the changes
You can always fully undo the changes by selecting “Restore Dashboard” in the “CAMPAIGN” menu of MechAssault.

Removing the Savegames
You can delete the “Install Linux” savegame from hard disk, if you wish, it is not needed any more. If you don’t plan to undo the changes, or if you can have the MechInstaller memory unit again when you wish to undo them, you can also delete the “Restore Dashboard” savegame.

Using your Modified Xbox
You can use the Xbox as before, you can play games and video DVDs (if you have the dongle), and you can run Linux. But you have to be cautious with the following:

Video DVDs will not work if they are already in the DVD drive when you turn on the Xbox. Instead, insert them when the Dashboard is running.
If you select “LINUX” on the Dashboard, a minimal Linux system with text mode only will start. After you install a full Linux system to E:, this will be booted if you select “LINUX”.
You can install a full Linux system by inserting an Xbox Linux installation CD, such as Ed’s Debian. As with video DVDs, only insert them when the Dashboard is running.

Creating a MechInstaller Xbox Memory Unit
With the savegames on your Xbox hard disk, you can easily copy them to a standard Xbox Memory Unit using the Dashboard, which you can give to your friends, so that they don’t need a USB stick and the USB adaptor cable to prepare their Xboxes.

Troubleshooting

Flickering Screen

If your screen starts flickering after you select “Emergency Linux” and you can’t see anything on the screen, then you have an Xbox manufactured since August 2003 (version 1.4+ Xbox). There is nothing wrong with that, a full Linux system such as Xebian will work without any problems, just the Emergency Linux shipped with MechInstaller does not support the new video encoders yet.

Error Message

Also, some users noticed that Emergency Linux prints the line “sh: can’t access tty: job control turned off” at the end. Just ignore this message.

USB Keyboard

No, USB keyboards cannot be used with MechInstaller 1.0 Emergency Linux yet. Just telnet connections work. A full Linux supports keyboards.

Black Screen

If you get a black screen when selecting “Install Linux”, your Xbox is very new. Try this workaround:

Notice: If your Dashboard version is >= 1.00.5659.0, you need to downgrade the Dashboard first (see below)!

start MechAssault
plug in Ethernet cable
“Multiplayer” -> “Xbox Live” -> A button -> “MechWarrior” -> A button (upgrade Dashboard)
start MechAssault again
“Campaign” -> “Emergency Linux”
upload fonts-2004-01-15.tar.gz to ftp://192.168.0.3/mnt/E
telnet 192.168.0.3 (user: root, pass: xbox)
type
cd /mnt/C/fonts
tar xzf /mnt/E/fonts*.tar.gz
mv XBox\ Book.xtf XBox\ Book.bak
mv Xbox.xtf Xbox.bak
mkdir /mnt/C/Linux
cd /mnt/E/UDATA/4d530017/E8FF68C9193B; cp -p default.xbe linuxboot.cfg vmlinuz initrd /mnt/C/Linux
umount /mnt/C
reboot and remove the game
This is the equivalent to “Install Linux”. Your Dashboard will now include the menu item “LINUX”.

‘Install Linux’ fails

If your Dashboard version is >= 1.00.5659.0, you need to downgrade the Dashboard first. Get the 500 MB image of a pre-5659 C: drive (/dev/hda51; this is legal if you have possessed an old version before, if not, we can’t tell and it is up to you), upload it to ftp://192.168.0.3/mnt/E, telnet 192.168.0.3 (user: root, pass: xbox) and type:

umount /mnt/C
cat /dev/discs/disc0/part51 > /mnt/E/backup-C.raw
cat /mnt/E/Xbox_Dashboard_pre_Live_C_FATX_image.raw > /dev/discs/disc0/part51

In case anything goes wrong, you can restore the old version:

umount /mnt/C
cat /mnt/E/backup-C.raw > /dev/discs/disc0/part51

=================

If you find another LEGAL exploit, feel free to add it to this topic.
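
Added example, not part of the original post or of the MechInstaller documentation: the image-writing step above (findfatx.sh plus cp) overwrites whatever device the script prints, so this sketch picks the image from the Dashboard block count using the post's size ranges and refuses to write unless exactly one candidate carries the FATX signature. The function names and the use of dd in place of cp are assumptions of this example.

```shell
#!/bin/sh
# Added example; function names are hypothetical, not from MechInstaller.

# True if the first 4 bytes of $1 are the FATX signature (NULs dropped
# so the shell does not warn about them on non-FATX disks).
is_fatx() {
    [ "$(dd if="$1" bs=4 count=1 2>/dev/null | tr -d '\000')" = "FATX" ]
}

# Print each candidate that carries the signature, one per line.
find_fatx() {
    for dev in "$@"; do
        if is_fatx "$dev"; then echo "$dev"; fi
    done
}

# Map the free-block count shown by the Dashboard to an image name,
# using the ranges given in the post. Fails for sizes it does not list.
pick_image() {
    case $1 in ''|*[!0-9]*) return 2 ;; esac
    if   [ "$1" -lt 2000 ];  then echo "MechInstaller-1.0-FATX-8MB-to-32MB.img"
    elif [ "$1" -lt 4000 ];  then echo "MechInstaller-1.0-FATX-64MB.img"
    elif [ "$1" -lt 8000 ];  then echo "MechInstaller-1.0-FATX-128MB.img"
    elif [ "$1" -lt 16000 ]; then echo "MechInstaller-1.0-FATX-256MB.img"
    else return 1
    fi
}

# Usage: safe_write BLOCKS CANDIDATE_DEVICE...
# Writes only when exactly one candidate is FATX-formatted.
safe_write() {
    img=$(pick_image "$1") || { echo "no image listed for '$1' blocks" >&2; return 1; }
    shift
    targets=$(find_fatx "$@")
    count=$(printf '%s\n' "$targets" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        echo "expected exactly 1 FATX device, found $count" >&2
        return 1
    fi
    [ -r "$img" ] || { echo "image $img not found" >&2; return 1; }
    echo "writing $img to $targets" >&2
    dd if="$img" of="$targets" conv=notrunc 2>/dev/null
}

# Example call: safe_write 2000 /dev/sd? /dev/disk?
```

Run it from the directory that holds the extracted images; with zero or several FATX devices attached it exits without touching any disk.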


#2

thanks for the softmod tutorial but i'm having a problem with running the MechAssault save exploit. when i go to campaign in MechAssault and click run linux it comes up with an error message saying that it's unable to run linux etc… i know i have the correct gamesaves loaded and the correct MechAssault game and i have no idea what's wrong or what i did wrong. please reply to this, or email me at extreme29@gmail.com. thanks


#3

my brother in-law has recently asked me to mod his original XBOX. :doh:

i guess since i am a CD/DVD and Wii Freak, he seems to think i can easily mod the XBOX. however, as of this posting, i know nothing about it. :disagree:

is this the easiest method? do you have any updates?

i'm sure there have been a few developments since 04-05-2004 at 09:00. :bigsmile:


#4

i realize this post is pretty old but what i use is basically pretty modern methods and basically free too so i thought i would post some info for those looking into modding their original XBox’s as they are still nice for SD playback of video files…

Well using XBoxHDM along with nDure v3.1 installer for XBoxHDM is what i used to softmod my systems but that is potentially risky as it requires hotswapping IDE cables with the power on but i used an old PC and did it quite a few times without problems. this is completely free too as it runs from a bootable CD that runs on the PC whereas the exploit from memory card requires you to have an exploitable game disc and a way to get the exploits on the memory card etc which to me i never bothered with as i prefer the XBoxHDM hotswap method.

just recently i TSOP’ed 3 of my XBox 1 consoles (i have 5 total, 2 have a modchip in them as i recently fixed a v1.6 XBox by removing a modchip from my working one (which i TSOPed) and rebuilt the LPC (which was not fun) so the chip would work as it was the only way to fix that as the hard drive was dead when i got it and without EEPROM info you can’t swap in another hard drive to softmod it either) as now they function just like a modchip is in them and it’s basically free if you can solder which the solder points are pretty easy to do even though very small as all you have to do is bridge a couple of points together on the motherboard and then it will allow write access to the chip on the board. it takes very little solder to do it too.

TSOP Sizes…

v1.0-1.1 consoles = 1MB
v1.2-1.5 consoles = 256KB

all of my XBox’s are a v1.0 so i flashed x2.5035 bios to them as it’s a 512KB file so it’s only possible to use that bios file on v1.0-1.1 XBox’s since they got a 1MB TSOP.

but after all of that crap is sorted out i install XBMC on them which you can get the latest builds from… www.xbmc4xbox.org (these are the guys who took it over after the official guys dumped support of it a while back now), those play SD h264 video on them without too much FPS issues as h264 does tax the CPU noticeably harder than XviD does but files play fine mostly as every now and then a scene is complex and it stutters in frame rate.

X2.5035… comes with a config file (x2config.ini, which you put on E partition) which it loads from hard drive at boot up which you can adjust the boot order of your files along with the XBox logo colors etc.

also i use ‘Heimdalls XBox Engineering Disc’ (which you need to burn on a DVD-R @ 4x (it’s a bootable disc for the XBox1 itself (requires XBox to be softmodded or TSOP flashed in order to boot))) as that will give you FTP access to the hard drive (it’s basically using UnleashX) and allow for flashing different firmware etc. using a DVD-R disc is crucial especially if you got a Thomson drive in your XBox as those are total crap as i was using a CD-RW disc and 3 out of the 4 Thomson drives i got would refuse to boot from it but with a DVD-R disc (i burned mine @ 8x, but according to people i talked to 4x seems to be guaranteed to work) it loads up first try.

to flash mine i actually used Evox 3935 but it depends on what RAM chip etc you got but if yours is like mine it’s pretty damn easy to flash a bios to the system. but for those who want to make it simple that Heimdall boot disc simplifies most of it for you as it’s fairly automatic i just prefer a more manual way myself in terms of how my XBox is setup as i have my x2config.ini file setup to boot to E:\XBMC\default.xbe first and then C:\unleashx.xbe 2nd, and then avalaunch.xbe 3rd and so on.

but if your XBox hard drive died for example but your TSOP has already been flashed you can simply pop in another hard drive of your choice and boot right to that Heimdall boot disc and setup everything nice and simply as a softmod won’t be as easy to recover if your hard drive were to die etc.

p.s. TSOP flashing only works on v1.0-1.5 consoles as a v1.6 and v1.6b consoles can’t be flashed. note: in order to flash TSOP it still requires you to softmod your XBox first. but i prefer TSOP since it’s more of a proper modding method and can be easier to fix problems down the road if say your hard drive dies as with a TSOP on your XBox it does not require your hard drive to be locked like a softmod which does so with a TSOP’ed XBox you can put in any IDE hard drive you want and it will just work unlike if yours is softmodded which will require you to lock the hard drive to the console etc.

it takes around 30 seconds to flash my XBox v1.0 consoles TSOP’s as it erases the flash chip first and then writes the new bios to it. after it finishes, the XBox will power itself off.

WARNING: if you attempt a TSOP and the BIOS flashing process goes bad your XBox 1 is pretty much going to be dead (without installing a modchip to it as that would revive it) (but i did it on three of my XBox1’s and it went as smooth as possible i even reflashed them a few times too without issues)


#5

hi
Really nice and enchanting posts