Crazy hacks #2 – Drill a hole in your chip and find out
Possibly one of the craziest console hacks ever (even for this series) was the Kamikaze Hack for the Xbox 360, which involved drilling a hole in the DVD Drive’s chip.
Crazy Hacks – What’s this all about?
In this series of articles, we’ll be discussing imaginative hacks for various consoles and devices. Some became instantly popular at the time of their release, others were a bit obscure or got forgotten with time, but all of them were really crazy in this writer’s humble opinion. From “It’s so dumb it can’t possibly work” to “wait, how did they even think of that?” and everything in between, we hope you’ll enjoy this series.
Physically drilling a hole in the chip. What’s the worst that could happen?
Most of the early days of XBox 360 hacking consisted of hacking the DVD drive firmware on the consoles. Our very own Acid_Snake had this to say about the original XBox 360 hacks:
For consoles with optical discs, the disc reader is an essential and important sector in preventing piracy and unlicensed games. It’s simple: the game disc has something special that no other disc has and the laser drive is customized to be able to tell this difference, essentially letting the underlying BIOS or OS know if the disc is legit or not. Hardware makers can use special and closed machinery to craft game discs in a way that allows the system to differentiate them from standard discs and drives, and since this information is usually closed and the hardware/process involved in creating the discs is strictly locked behind doors, it is almost impossible for outsiders to replicate the structure a legit game disc has to be able to bypass the protection.
So we are facing the problem that we cannot craft our own discs to be just like legit ones. We have two options at this point if we want to achieve disc-based hacks: either we hack the drive so that it ignores the disc protection and always tells the system that it’s booting a licensed game, or we hack the system itself so it ignores the disc drive telling it that the disc is not legit.
The Firmwares on the DVD Drives were encrypted with unique-per-device keys, but those were “fairly easy” to acquire, via a mix of software and hardware means. Microsoft regularly introduced new hardware revisions of their DVD drives, but hackers were usually able to provide key-acquisition methods quickly after each new revision. It was then only a matter of flashing back a custom firmware on the DVD Drive, to let it accept unofficial discs. (For more details on these “early days” Xbox 360 hacks, please read Acid_Snake’s excellent article.)
In 2010, with the release of the XBox 360 slim, Microsoft attempted to tighten that security mechanism and introduced a new DVD drive model, the Lite-on DG16D4S. The drive was physically locked into “read only” mode, meaning that even if its encryption keys were acquired, it would be impossible to write any custom firmware back to the drive. Adding insult to injury, the SoC was encased in epoxy resin to fend off hardware hacking attempts.
It was still possible to read the contents of the drive’s firmware (thanks to the work of hacker Geremia and his tool tarablinda), and clone it onto older drives, on which custom firmwares could then be installed. This “DVD Drive swapping” or spoofing technique was pretty useful for hacking purposes, but also for legitimate Xbox users with a broken DVD Drive who had to “remarry” their replacement DVD Drive with its motherboard, by copying the keys.
But DVD Drive swapping required a “donor” drive, which wasn’t necessarily practical for everyone.
The mystery remained for a while, as to how the DG16D4S was locked. But in August 2011, Geremia resurfaced, and revealed an impressive way to remove the “read only” status of the drive, by (you’ve guessed it by now) drilling a hole in the DVD drive’s flash chip.
What was initially named the Geremia Winbond Unlock quickly became known as the XBox 360 Kamikaze hack. A fitting name, given the risks involved: drill too much, or at the wrong position, and instead of unlocking your drive you would simply destroy it.
The drilling was used as a way to short-circuit some specific wires inside the chip (a technique most likely discovered by the hackers through decapping of the chip), which were responsible for the read-only state. Because the chip was multi-layered, drilling too far risked damaging other critical components within it. (That’s also why “simply” cutting the pins outside the chip wouldn’t have worked: cutting them would have impacted other layers of the chip as well.)
Drilling might be a strong word here (some folks said it was better to dig a tiny hole with a heated needle), and some people might have taken it a little bit too seriously. The hack wasn’t for the faint of heart, and a steady hand was required. Multiple people ended up damaging their chips, but a significantly higher number were just impressed at how the hack simply worked! Automated (hardware) tools were even made to help with the drilling process, telling people exactly when to drill and when to stop.
Xbox 360 Kamikaze Hack – Where are they now?
Soon after the Kamikaze hack was released, Microsoft started pushing new revisions of DVD Drives to the Xbox 360. The 16D5S brought a new set of complications for hackers, and the Kamikaze hack wasn’t useful on those.
More from the “Crazy Hacks” Series
If you enjoyed this article, please check all articles in the series:
- Crazy hacks #1 – What do you mean I have to die to hack my PSP? (PSP)
- Crazy hacks #2 – Drill a hole in your chip and find out (XBox 360)
- Crazy Hacks #3: How 3 of Nintendo’s consoles got defeated by everyday-life household items (Wii, 3DS, Nintendo Switch)
- Crazy Hacks #4: When the PS3 was so weak you could even hack it with a Ham and Cheese sandwich (PS3)
What other crazy hacks have you witnessed? Let us know in the comments!
This is definitely one of (if not) the craziest hardware mods out there. Second is probably cutting a particular trace of certain 360 DVD Drives to get the Key as you can still kill the drive if not careful but much less likely to do so.
definitely the craziest hack, the Kamikaze hack was insane and amazing at the same time
Not as crazy as this one: early back in the Wii days, when you needed to bridge two pins to set one high and expose full memory, by Team Twiizers.
I used to do this. Many times though my college days did I drill a Lite-on for someones 360. A steady hand and Ace Hardware Dremel.
I managed to get one done but the drive was tripping after – crazy fast ejects and all kinds of weird behavior. But it worked!
It reminds me of the old crazy days when I was just a kid and doing all this, risking an expensive Xbox, but I never failed one.
Now this is one hack that I would have never dared to do lol.
JUST put a bullet in dvd drive.
Jeeze! Did this soooo many times! Botched my first attempt for a customer and had to order a new board, threw him a few extra games for his trouble, ended up ordering a guide plate from Italy that sat over the chip with the point of entry exposed, had so many xboxs done, used to sell the games for £5 each! Still have all the equipment and the bones of over 10 360s stored away in the attic! Good Times! Enjoyed this article!
Back in the day, if you wanted to run Super Famicom cartridges on the SNES, you could open up the system and cut off some tabs on the cartridge slot so the games would fit properly. They eventually sold other things to make it easier but that was the OG way.
Also with cartridge-based games you could simply open up the game and swap out the chip. So you could go rent a game, take out the chip, swap it with a chip from a game you no longer wanted (or just broken garbage LOL) and return the game. It worked best if you returned the game immediately claiming it was defective. Of course you had to move around to different rental stores for that.