Just thought I'd give everyone an update on what I believe is a big part of 2013 and 360 modding. Ben Vanik has begun work on an Xbox 360 Emulator. Currently, it does nothing but some XEX print outs, but the immense amount of time and research put into this project is amazing and shows that 2013 will be the year for 360 Modding.

If you have a GitHub account, you can star this REPO and watch as development progresses. Its open source, as you probably guessed. Whats even more interesting is that Ben's previous jobs include working at Google and Microsoft.

https://github.com/benvanik/xenia -> @benvanik

http://i46.tinypic.com/24yweac.jpg

Looks like Skyrim to me.

<!--url{0}-->

<!--url{0}-->

<!--url{1}-->

Halo 4 is the next blockbuster installment in the iconic franchise that's shaped entertainment history and defined a decade of gaming. Set in the aftermath of Halo 3, Master Chief returns to confront his own destiny and face an ancient evil that threatens the fate of the entire universe. Halo 4 marks the start of a new trilogy that begins with its release in 2012

The scheduled Horde Command Pack release for Gears of War 3 is temporarily delayed due to a technical issue. We apologize to those of you who are anxiously awaiting to play. We know this is disappointing news as we’ve seen a lot of posts today showing excitement for this content. We have folks working around the clock to resolve this issue ASAP so you can all play and enjoy the Command Pack.

 

The Epic Games Community team will stick around and keep you posted with any further information. Stay tuned for updates!

What a joke. They promise the 1st, and now this.

Microsoft and Epic Games announced “RAAM’s Shadow,” the new campaign experience for the award-winning blockbuster, "Gears of War 3", Starring a cast of characters both new and eerily familiar to the series, “RAAM’s Shadow” will deliver more than three hours of gameplay set in a storyline that precedes the events of the first “Gears of War,” as well as six new multiplayer characters, the Chocolate Weapon Set and an additional 250 Gamerscore. “RAAM’s Shadow” will launch Dec. 13 for 1,200 Microsoft Points on Xbox LIVE Marketplace, marking the second major game add-on for this year’s critically-acclaimed blockbuster, “Gears of War 3.”

RAAM’s Shadow drops players into the events of Sera post-Emergence Day, as Zeta Squad is enlisted to evacuate Ilima City and protect the citizens against a Locust Kryll storm. Taking on the infamous Locust leader from Gears 1, General RAAM, Zeta is led by Michael Barrick (from Gears comics fame) and comprised of familiar faces such as Lt. Minh Young Kim (Gears 1) and Tai Kaliso (Gears 2), and also includes a new female comrade, Alicia Valera.

Yes, if you have the Season Pass you are fine.

New characters:

• RAAM - General RAAM was a silent and savage Locust general. Once a Theron Guard, the cunning and ambitious RAAM usurped the military leadership of the Locust Horde through skill and intellect. When using him in campaign, it has been confirmed you are able to use the Kryll as a shield.
  
• Minh Young Kim - Lieutenant Minh Young Kim was a Gear officer who served in the Coalition of Ordered Governments army during the Locust War, most notably during the Lightmass Offensive. A firm, honorable soldier with a "by-the-book" leadership style. If you remember, he got sliced by RAAM.
  
• Michael Barrick- Corporal Michael Barrick was a former Stranded who enlisted with the Coalition of Ordered Governments army using Operation Lifeboat, becoming a Gear soldier.
  
• Tai Kaliso - Corporal Tai Kaliso was a Gear soldier who hailed from Irohma Island in the South Islands. He joined the Coalition of Ordered Governments army after his hometown was wiped out by Union of Independent Republics forces during the Pendulum Wars. A boulder of a man, Tai's muscular appearance stands in contrast to his quiet, meditative personality. If you remember, he killed himself after being tortured by locust.
  
• Alicia Valera - No information given, except she is voiced by Aisha Tyler.
  

360 owners are going to want to clear some space on their hard-drive ahead of next week's Battlefield 3 launch.

 

As previously reported, the 360 version of Battlefield 3 will ship with an additional DVD containing a texture pack for optional installation to the 360's hard-drive. These high-definition textures will be streamed from the hard-drive during the game to enhance DICE's visual representation of its own take on modern warfare.

 

The original story raised a number of questions concerning a possible disparity between the different versions of Battlefield 3 and so at this week's EA showcase in London, Gamerzines asked executive producer, Patrick Bach, to clarify the purpose of the optional texture pack.

 

"There's nothing magic about it," explained Bach. "It's the same thing we do for PC and PS3, so there's nothing extra."

"I think the controversy about this is that we actually let you do it on 360 for once. So what it does is it gives you the same abilities, kind of, as the PC and PS3. You can actually stream information from the hard drive.

Whats this? I don't have extra GBs laying around my harddrive. I only have the stupid internal 4gb. If they pack a 500mb texture file onto my hdd. I'm gonna be pissed.

Three new maps:

• Blood Drive – The Jacinto Medical Plaza was overwhelmed by evacuated citizens after the government-sanctioned Hammer Strikes, and the ensuing riots quickly turned this safe haven into a dangerous inferno. An abundance of high ground and funneled choke points make this map a returning favorite to Horde
  
• Rustlung – Once the pride of the Royal Tyran Navy, the foredecks of this decommissioned battleship are now riddled with bullet holes. Any team with the fortitude to hold the exposed central torpedo bay will find that the ship’s Loader has been replaced with a battle-ready Silverback mech suit.
  
• Azura – This island resort was once the exclusive domain of Sera’s educated elite, but the tranquil water gardens and lush foliage have become a hotly contested combat zone. Dual snipers overlook a powerful explosive weapon, while the defensive central platform may be your last resort of retreat.
  

New fortification upgrades:

• Command Center – A brand new type of fortification that allows you to call in fire support from sniper teams, mortar strikes and even multiple Hammers of Dawn.
  
• Decoy Upgrade – A new fortification level that turns your decoy into an Onyx Guard bot that will fight in your defense.
  
• Sentry Upgrade – This upgrade adds a fire bolt sentry that deals much more damage and is very effective against Berserkers.
  
• Silverback Upgrade – This advancement allows you to upgrade your Silverback exo-suit with devastating rockets and extra levels of repair cost reduction.
  

New characters:

• Onyx Guard
  
• Big Rig Dizzy
  
• Bernie
  

New weapon skins:

• Team Plasma
  
• Jungle Camo
  

This is also playable in Beast Mode and private Versus matches, which means the Gears of War 3 Horde Command Pack is a snip at 800 Microsoft Points or at a 33% discount as part of a Season Pass purchase. You'll be able to grab it from November 1st. Check out four new screens from the add-on right here.

NEW CHARACTERS

http://i52.tinypic.com/dq6sg8.jpg

RUSTLUNG

http://i55.tinypic.com/3313h1w.jpg

BLOOD DRIVE

http://i56.tinypic.com/2mwuslh.jpg

AZURA

]http://i56.tinypic.com/16746lk.jpg

343i has revealed the gameplay footage for the pre-order exclusive skull, Grunt Funeral.

http://www.youtube.com/watch?v=UYfNBCHYHFE

GliGli & Tiros are proving the opposite! They developed a Hack which glitches all recent Xbox360 Kernels to run unsigned Code on:

ZEPHYR, JASPER .......and...... TRINITY (aka SLIM!).

(no matter which Dashboard/Kernel they are running)

http://www.youtube.com/watch?v=JyYdL4L6vwE

**********************************
* The Xbox 360 reset glitch hack *
**********************************

Introduction / some important facts
===================================

tmbinc said it himself, software based approaches of running unsigned code on the 360 mostly don't work, it was designed to be secure from a software point of view.

The processor starts running code from ROM (1bl) , which then starts loading a RSA signed and RC4 crypted piece of code from NAND (CB).

CB then initialises the processor security engine, its task will be to do real time encryption and hash check of physical DRAM memory. From what we found, it's using AES128 for crypto and strong (Toeplitz ?) hashing. The crypto is different each boot because it is seeded at least from:
 - A hash of the entire fuseset.
 - The timebase counter value.
 - A truly random value that comes from the hardware random number generator the processor embeds. on fats, that RNG could be electronically deactivated, but there's a check for "apparent randomness" (merely a count of 1 bits) in CB, it just waits for a seemingly proper random number.

CB can then run some kind of simple bytecode based software engine whose task will mainly be to initialise DRAM, CB can then load the next bootloader (CD) from NAND into it, and run it.

Basically, CD will load a base kernel from NAND, patch it and run it.

That kernel contains a small privileged piece of code (hypervisor), when the console runs, this is the only code that would have enough rights to run unsigned code.
In kernel versions 4532/4548, a critical flaw in it appeared, and all known 360 hacks needed to run one of those kernels and exploit that flaw to run unsigned code.
On current 360s, CD contains a hash of those 2 kernels and will stop the boot process if you try to load them.
The hypervisor is a relatively small piece of code to check for flaws and apparently no newer ones has any flaws that could allow running unsigned code.

On the other hand, tmbinc said the 360 wasn't designed to withstand certain hardware attacks such as the timing attack and "glitching".

Glitching here is basically the process of triggering processor bugs by electronical means.

This is the way we used to be able to run unsigned code.

The reset glitch in a few words
===============================

We found that by sending a tiny reset pulse to the processor while it is slowed down does not reset it but instead changes the way the code runs, it seems it's very efficient at making bootloaders memcmp functions always return "no differences". memcmp is often used to check the next bootloader SHA hash against a stored one, allowing it to run if they are the same. So we can put a bootloader that would fail hash check in NAND, glitch the previous one and that bootloader will run, allowing almost any code to run.

Details for the fat hack
========================

On fats, the bootloader we glitch is CB, so we can run the CD we want.

cjak found that by asserting the CPU_PLL_BYPASS signal, the CPU clock is slowed down a lot, there's a test point on the motherboard that's a fraction of CPU speed, it's 200Mhz when the dash runs, 66.6Mhz when the console boots, and 520Khz when that signal is asserted.

So it goes like that:
- We assert CPU_PLL_BYPASS around POST code 36 (hex).
- We wait for POST 39 start (POST 39 is the memcmp between stored hash and image hash), and start a counter.
- When that counter has reached a precise value (it's often around 62% of entire POST 39 length), we send a 100ns pulse on CPU_RESET.
- We wait some time and then we deassert CPU_PLL_BYPASS.
- The cpu speed goes back to normal, and with a bit of luck, instead of getting POST error AD, the boot process continues and CB runs our custom CD.

The NAND contains a zero-paired CB, our payload in a custom CD, and a modified SMC image.
A glitch being unreliable by nature, we use a modified SMC image that reboots infinitely (ie stock images reboot 5 times and then go RROD) until the console has booted properly.
In most cases, the glitch succeeds in less than 30 seconds from power on that way.

Details for the slim hack
=========================

The bootloader we glitch is CB_A, so we can run the CB_B we want.

On slims, we weren't able to find a motherboard track for CPU_PLL_BYPASS.
Our first idea was to remove the 27Mhz master 360 crystal and generate our own clock instead but it was a difficult modification and it didn't yield good results.
We then looked for other ways to slow the CPU clock down and found that the HANA chip had configurable PLL registers for the 100Mhz clock that feeds CPU and GPU differential pairs.
Apparently those registers are written by the SMC through an I2C bus.
I2C bus can be freely accessed, it's even available on a header (J2C3).
So the HANA chip will now become our weapon of choice to slow the CPU down (sorry tmbinc, you can't always be right, it isn't boring and it does sit on an interesting bus 

So it goes like that:
- We send an i2c command to the HANA to slow down the CPU at POST code D8 .
- We wait for POST DA start (POST DA is the memcmp between stored hash and image hash), and start a counter.
- When that counter has reached a precise value, we send a 20ns pulse on CPU_RESET.
- We wait some time and then we send an i2c command to the HANA to restore regular CPU clock.
- The cpu speed goes back to normal, and with a bit of luck, instead of getting POST error F2, the boot process continues and CB_A runs our custom CB_B.

When CB_B starts, DRAM isn't initialised so we chose to only apply a few patches to it so that it can run any CD, the patches are:
- Always activate zero-paired mode, so that we can use a modified SMC image.
- Don't decrypt CD, instead expect a plaintext CD in NAND.
- Don't stop the boot process if CD hash isn't good.

CB_B is RC4 crypted, the key comes from the CPU key, so how do we patch CB_B without knowing the CPU key?
RC4 is basically:
 crypted = plaintext xor pseudo-random-keystream
So if we know plaintext and crypted, we can get the keystream, and with the keystream, we can encrypt our own code. It goes like that:
 guessed-pseudo-random-keystream = crypted xor plaintext
 new-crypted = guessed-pseudo-random-keystream xor plaintext-patch
You could think there's a chicken and egg problem, how did we get plaintext in the first place?
Easy: we had plaintext CBs from fat consoles, and we thought the first few bytes of code would be the same as the new CB_B, so we could encrypt a tiny piece of code to dump the CPU key and decrypt CB_B!

The NAND contains CB_A, a patched CB_B, our payload in a custom plaintext CD, and a modified SMC image.
The SMC image is modified to have infinite reboot, and to prevent it from periodically sending I2C commands while we send ours.

Now, maybe you haven't realised yet, but CB_A contains no checks on revocation fuses, so it's an unpatchable hack !

Caveats
=======

Nothing is ever perfect, so there are a few caveats to that hack:
- Even in the glitch we found is pretty reliable (25% success rate per try on average), it can take up to a few minutes to boot to unsigned code.
- That success rate seems to depend on something like the hash of the modified bootloader we want to run (CD for fats and CB_B for slims).
- It requires precise and fast hardware to be able to send the reset pulse.

Our current implementation
==========================

We used a Xilinx CoolRunner II CPLD (xc2c64a) board, because it's fast, precise, updatable, cheap and can work with 2 different voltage levels at the same time.
We use the 48Mhz standby clock from the 360 for the glitch counter. For the slim hack, the counter even runs at 96Mhz (incremented on rising and falling edges of clock)
The cpld code is written in VHDL.
We need it to be aware of the current POST code, our first implementations used the whole 8 bits POST port for this, but we are now able to detect the changes of only 1 POST bit, making wiring easier.

Conclusion
==========

We tried not to include any MS copyrighted code in the released hack tools.
The purpose of this hack is to run Xell and other free software, I (GliGli) did NOT do it to promote piracy or anything related, I just want to be able to do whatever I want with the hardware I bought, including running my own native code on it.

Credits
=======

GliGli, Tiros: Reverse engineering and hack development.
cOz: Reverse engineering, beta testing.
Razkar, tuxuser: beta testing.
cjak, Redline99, SeventhSon, tmbinc, anyone I forgot... : Prior reverse engineering and/or hacking work on the 360.

Master Chief Avatar Armor– Heroes Never Die, and to honor the 10th anniversary of John 117, you will finally be able to transform your Xbox LIVE Avatar into the iconic hero by outfitting it with Master Chief’s signature MJOLNIR Powered Assault Armor.

 

“Grunt Funeral†Skull – An exclusive, game-modifying skull that changes the rules of the game for an explosively humorous experience, “Grunt Funeral†sends Halo’s most lowly and lovable enemy out in a blaze of glory. And plasma. And then more glory. Once the skull has been activated, every Grunt’s methane tank will explode like a plasma grenade when killed. Watch out for the Grunt chain reaction!

The grunts burn in their final blaze of glory Nov. 15, 2011.

After videos and copies of the highly anticipated Gears of War 3 appeared on the web, Epic did not hesitate in realeasing an official statement.

Dana Cowley, head of PR for Epic Games has taken the time to release an official statement regarding the Gears of War 3 leak, despite her being on vacation. Yesterday, reports of an early build of Gears 3 had been leaked onto the web. This early build contains the full campaign as well as all the game’s multiplayer modes. We were just emailed a joint statement from Microsoft and Epic via Dana Cowley:

 

We have seen the reports of Gears of War 3 content being propped on the Web and working closely with our security teams and law enforcement to address the situation. This content is not from a final build and is not representative of what fans will enjoy when the game launches worldwide on September 20, 2011.

 

We hope to see this resolved. There has still been no word on whether or not anything will be added to the retail version of the game that was not included in the leaked version.

 

Justin McFarland

Save & Quit

It seems that old man Bungie has been holding the community back, as many players have been demanding a title update for months. Some of the most prominent demands include a more classic halo feel in matchmaking, as well as more custom game options to be available. 343i has been listening, and has announced that they are working on a patch that will be released soon after Bungie officially hand over control of reach to them.

We’re pleased to confirm that we’re planning a Title Update (a small download which will add some interesting functionality) for Halo: Reach in preparation for the multiplayer aspect of Halo: Anniversary.

 

If your heart suddenly sped up, fret not, Reach fan. This is something that will not only sit side-by-side with Reach’s existing gameplay and will be accessible by both Reach and Anniversary players, but will allow us to make fairly significant changes to multiplayer gameplay within the confines of Matchmaking. We’ve talked about this as a way to better recreate the classic Halo: CE feel for the new classic maps, and it will let us do some things in gameplay that simply aren’t possible now. I don’t want to give too much away until we get through gameplay and bug-testing, but an example scenario would be allowing you to play, say, [REDACTED] with zero fall damage. Now that’s a limited and simplistic example, but it does speak to the way we’re approaching the changes philosophically. There are some bigger ticket “classic†Halo gameplay elements which people are clamoring for and which we intend to do our best to deliver on. More news about specific changes and the timing of the Title Update will be forthcoming. But I can say that, having tried a few of the more significant tweaks, certain “classic†elements are already working with beautiful and deadly efficiency.

Heres hoping we get access to all the options that Bungie left out of the menu (and chooses to tease us with, making thier own gametypes that use options we cannot access.)

"In one of the biggest gaming leaks ever, Modern Warfare 3 has been leaked" ~Jack from Rooster Teeth

Call of Duty: Modern Warfare 3 is coming Nov. 8, 2011, Kotaku has learned, delivering with it mammoth battles that engulf a dozen cities around the world including New York, Paris and London.

 

Multiple sources have shared details of the game's story, art, sounds and game modes with Kotaku, noting that the game will reshape the landscape of the Call of Duty franchise, bringing an impressive number of eclectic settings, deep multiplayer gaming and a story that ties up nearly all loose ends from previous titles, including the final moments of key figures in the series' history.

While we haven't seen the game in action ourselves, we've gone to great lengths to nail down as much as possible the veracity of our sources. We believe that the imagery and chief details are accurate. That doesn't mean things can't change before release, but this appears to be a full run down of where Infinity Ward, Sledgehammer Games and Raven Software is on Modern Warfare 3 as they add the final polishing touches.

Game modes, characters, locations, tons of stuff has been leaked...

Full article <-- SPOILER ALERT

The legal action between Sony and George Hotz has come to a close, with both sides seemingly happy with the results. Sony has Hotz agreeing not to do bad things to its hardware, and Hotz gets to be left alone and continue with his life. Neither side has admitted any liability in the matter, and things seemed to have worked out... for the best?

Quote from geohot's website:

As promised, all left over legal defense money, plus a little to bump it to a nice number, has been sent to the EFF. Thank you all so much for your support, without it, things could have been much worse.

 

This money goes to the EFF in hopes that America can one day again be a shining example of freedom, free of the DMCA and ACTA, and that private interest will never trump the ideas laid out in the constitution of privacy, ownership, and free speech.

 

At the end of the day, something I take comfort in. The PS3 got OWNED.

"Once the code works they'll never be able to take it away from us."

Will you be continuing your work on Sony products anonymously?

Nah. As much as I don't respect the goons at Sony, I do respect the court.

Will future research on Sony products be chilled?

Nah. If you piss them off enough for them to pull out the legal team and their million dollar checkbook, worst thing that happens is you have to super swear to never do it again.

 

Will Sony do a better job with security next time?

LOL, I think they'll do a lot worse. It wouldn't surprise me if the people who did PS3 security were fired. And I'm curious as to who Sony is hiring for NGP security. Lawyers? Get the code to sign a contract that it won't have exploits? You shouldn't piss off the community of people who are actually talented at this stuff. Hell, maybe you even pissed off your engineering employees enough to leave some nice backdoors?

Remember april fools last year? When bungie claimed they were making a chess game mode for reach?

Bungie does, which is why they released an official chess variant to the community.

You can play Chess on any map that contains the necessary Forge objects. That means Tempest is in, and oddly enough Anchor 9 also makes the grade, making Space Chess a certified Space Reality. That’s one small step for a man, one giant leap for…well, you know the rest.

It appears that it utilizes bump possession, and does not have a checkmate thus forcing players to rely on the honor system for certain aspects of the game.

Get your fix here: http://www.bungie.net/Stats/Reach/FileDetails.aspx?fid=15992988

Heres a video from rooster teeth explaining how to play:

http://www.youtube.com/watch?v=M2FrLwkgLZk&feature=player_embedded