Please note, there are many ways of modding an XBOX. I've decided to be opinionated, but I also want to give you all the information required to go your own path. The point of this guide is for you, and me, to understand how XBOX modding actually works.
The main focus is really to backup a relatively clean image and migrate the HDD.
I will assume that you're acquainted with using a terminal.
- Making a USB stick with a basic set of XBOX software for hacking and backup purposes
- Backing up the XBOX's EEPROM, which contains the disk password
- Connecting the XBOX HDD to a computer, unlocking it, and making a 1:1 backup of its contents
- A working XBOX. If your XBOX doesn't work due to a dead disk, then this will not work for you. I'm thinking about making a guide on how to recover from this.
- Torx screwdrivers in three different sizes. According to iFixit, a TR10, TR15 and TR20. Flatheads of the right size can also work. Philips don't work very well. For the case screws, which I believe are TR20, I recommend you use an electric screwdriver, as they require a lot of torque.
- USB stick that is 4GB or smaller. SD Card readers supposedly work good. I don't recommend using multi card readers.
- XBOX female USB adapter. It goes into one of your controller ports and exposes a standard USB connector for you to plug your stick in.
- Computer running Linux
- 2.5" SATA HDD/SSD that supports locking (most do) - I used an old Toshiba laptop HDD.
- A way to connect a SATA disk. If you have an internal SATA connector, use that. USB to SATA adapters should hopefully also work, but it has to support disk (un)locking.
- A way to connect an IDE disk. If you have an internal IDE slot, use that. USB to IDE adapters for 3.5 inch drives should hopefully also work, however, you have to be careful to get the right one. It has to support disk (un)locking.
- IDE to SATA adapter, the StarTech one works well but may be pricey. Have a look around. -- IDE to SD Card adapters will not work on softmodded consoles, because SD Cards don't support password protected locking.
- Recommended: 80 wire IDE cable (Ultra ATA) - 40 wire IDE cables, like the ones found in the vanilla XBOX, often have bad isolation. Due to the Ultra ATA speeds of modern adapters, whether your's will work with the 40 wire cable is a gamble. When buying a cable, of note is that the path from the DVD drive to the onboard IDE slot is a little long and involves a twist, and some length is required from the DVD to the HDD as well. Here is an image of a cable with the right dimensions.
The XBOX's original HDD is locked. This is done with a feature done on the harddrive itself, where it will refuse any read commands unless the correct vendor or user password is provided. This means, without unlocking the disk, we wont be able to make a backup.
The vendor password is part of the disk itself and cannot be changed. Some people reported success unlocking the disk with a set of default passwords, but I have not been able to. So I will ignore this avenue in this guide.
The user password is another password that can be used. It basically functions the same as the vendor one, with the difference that it can be changed. This is what the XBOX uses. This can be found inside the EEPROM, a small 256 byte chip on the XBOX. There are hardware dumpers for it, but we will be dumping it with software.
When a password is submitted to the disk, it is unlocked until it is powered off again. A disk can also be permanently unlocked or have its password changed, but you shouldn't do that.
Note that on HDDs, changing the password will not destroy the data. But it might on an SSD.
IMPORTANT: Never, ever permanently unlock the disk of your softmodded XBOX or change the password, unless you know what you're doing. There's little reason to do it. The XBOX will not boot unlocked disks or disks with a different password compared to what's in the EEPROM.
Should you end up permanently unlocking your disk, as long as you have your EEPROM dump, you should be able to recover from it.
To do anything interesting with the XBOX, we need to set up an exploited USB stick.
Note: The XBOX will format your stick without warning. Back up any important data.
Turn on your XBOX, plug the stick into the XBOX using your adapter. Go into the Memory menu. The XBOX should automatically detect your USB and tell you that it's been deleted. It should now show as a Memory Unit. Turn off your XBOX.
To mount your memory unit in Linux, we will need a FATX driver. Check out its git page (How to Build (Natively)) to see which prerequisites you need. Execute these commands to compile and install it:
git clone https://github.com/mborgerson/fatx
cd fatx
mkdir libfatx/build
cd libfatx/build
cmake ..
make
sudo make install
cd ../..
mkdir fatxfs/build
cd fatxfs/build
cmake ..
make
sudo make install
cd ../../..
If that is successful, plug in your USB. If you run lsblk, or alternatively blkid, you should see it. Usually, it shows as something similar to /dev/sdX. Take note of it.
Since the FATX driver is a userspace one and FATX has no permission system, it's advantageous for your user to own the device. Run: sudo chown $USER /dev/sdX -- The ownership will be reset if you unplug the drive.
Now mount it like this:
mkdir munit
fatxfs /dev/sdX munit --sector-size=4096 --offset=0 --size=$(sudo blockdev --getsize64 /dev/sdX)
Your memory unit should now be mounted inside the munit directory :)
ENDGAME is the exploit that allows us to start up third party software.
wget "https://github.com/XboxDev/endgame-exploit/releases/download/v1.0/ENDGAME-v1.zip"
unzip ENDGAME-v1.zip
mv ENDGAME/* munit
You may get some errors about being unable to set permissions or flags. You can safely ignore them; The FATX filesystem inherently only has a small feature set.
fusermount -u munit
sudo eject /dev/sdX
You may now unplug it.
We need the EEPROM to unlock the HDD.
Turn on your XBOX, plug in a LAN cable. Head into settings -> network settings. Make sure your settings fit your network. If you use automatic IP configuration, your XBOX will show you your current IP, if connected. If you go to advanced, you can also choose a static host name that you can reach the XBOX under.
Note down either your IP or host name.
Go back to the main menu. Plug your memory unit into the XBOX and head into the memory menu, and select your memory unit. It should blink some, and then boot into the lithiumx dashboard. It will tell you at first that no settings were found, press B to close the message.
There are a lot of tools here but we are just interested in dumping the EEPROM. Press START, then select Settings -> EEPROM Config -> Backup EEPROM to E: -- It should show you where your eeprom.bin has been dumped.
Now connect to your XBOX via FTP. You can use filezilla for example. The connection is unencrypted, and the default username and password are xbox. Download eeprom.bin onto your computer. You can shut your XBOX down now.
IMPORTANT: Keep the eeprom.bin somewhere safe, preferably in multiple locations. You can have one copy on your XBOX, one on your computer, you could put it on a CD and put that in the XBOX, etc...
Now that you have the EEPROM dump and by extension the HDD password, you can unlock your disk and back it up.
Get and extract xbhdm2's custom smartctl:
wget "https://downloads.sourceforge.net/project/xboxhdm2/smartctl/Version6.2/smartctl6.2.bin.7z"
7z x smartctl6.2.bin.7z
This contains two binaries, smartctl.bin/smartctl (64-bit) and smartctl.bin/smartctl.32 (32-bit). Connect the disk to your computer, and unlock it like so:
sudo smartctl.bin/smartctl -s security-eeprom-unlock,/path/to/eeprom.bin /dev/sdX
You should now be able to read the disk. Go ahead and back it up:
sudo chown $USER /dev/sdX
pv /dev/sdX > xbox.img
You may also use cat, but pv gives you a progress report. Anyways, you now have a full backup of your XBOX disk. Unplug it now.
You can now use the backup you've made to create a new XBOX disk. Connect your SATA disk to your computer and lock it using the password from your EEPROM:
sudo smartctl.bin/smartctl -s security-eeprom-setpass,/path/to/eeprom.bin /dev/sdX
Should you need to unlock it later, you can do so with the same method as before. A permanent unlock (CAUTION!) can be achieved with security-eeprom-disable.
Now you can put your backup on the new disk:
sudo chown $USER /dev/sdX
pv xbox.img > /dev/sdX
sudo eject /dev/sdX
When you insert it into your XBOX, it should boot up. Make sure the jumper on your adapter is set to either Cable Select or Master.
- Maybe you forgot to lock your new drive, or perhaps it doesn't support locking? - The drive should not be readable if you don't unlock it, i.e.
sudo cat /dev/sdX > /dev/nullshould fail. Try locking the drive again. On a HDD, you shouldn't need to clone the data again. On an SSD, you might need to, as setting the password could wipe it. - Make sure your new adapter has its jumper set to either Master or Cable Select. If you don't have a jumper, it's probably one of those already
- Try a different IDE cable, preferably of Ultra ATA variety -- When trying a different IDE cable, you may have to set your new disk to Master specifically (not all IDE cables have the Cable Select capability)
By default, the XBOX seems to use Cable Select, but I'd probably recommend using Master instead: to the XBOX, it will technically be the same thing, and it's compatible with all cables.
I'm not sure what the current procedure is to auto-boot a custom dashboard. What I do know, is that usually one replaces the fonts on the C drive to exploit the default dashboard, so it boots another dashboard. This is called "double dashboard", I believe.
It seems to me that Ndure 3.1 was the last standalone hack to do this. Xbox Softmodding Tool seemingly has its own hack for this (?), however, I'm not sure if it can be made to work as standalone. Compared to Ndure, it also doesn't seem to be able to boot the standard MS Dashboard?
I feel this should not be as shrouded in mystery as it is - The Xbox Softmodding Tool GitHub has no place to discuss the project or ask questions. It feels like the project does a lot, but only explains very little about how it's doing it.