Full Report
It’s an impressive feat, over a decade after the box was released: Since reset glitching wasn’t possible, Gaasedelen thought some voltage glitching could do the trick. So, instead of tinkering with the system rest pin(s) the hacker targeted the momentary collapse of the CPU voltage rail. This was quite a feat, as Gaasedelen couldn’t ‘see’ into the Xbox One, so had to develop new hardware introspection tools. Eventually, the Bliss exploit was formulated, where two precise voltage glitches were made to land in succession. One skipped the loop where the ...
Analysis Summary
# Vulnerability: Bliss (Xbox One Hardware Root-of-Trust Compromise)
## CVE Details
- **CVE ID**: N/A (Hardware-level flaw in silicon; no CVE assigned at time of reporting)
- **CVSS Score**: 7.4 (High) - Estimated: CVSS:3.1/AV:P/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
- **CWE**: CWE-1301 (Insufficient Operational Side-Channel Resistance) / CWE-1247 (Improper Protection Against Voltage and Clock Glitches)
## Affected Systems
- **Products**: Microsoft Xbox One Gaming Console
- **Versions**: All retail hardware revisions (Original, S, and X models) dating back to 2013 launch.
- **Configurations**: Standard retail hardware; specifically targets the Boot ROM and ARM Cortex memory protection early in the boot sequence.
## Vulnerability Description
The "Bliss" exploit is a hardware-based Fault Injection (FI) attack. It targets the SoC (System on a Chip) by inducing a momentary collapse of the CPU voltage rail.
The attack utilizes two precise, successive voltage glitches:
1. **Glitch 1**: Targets and skips the loop responsible for initializing the ARM Cortex memory protection.
2. **Glitch 2**: Targets a `memcpy` operation during a header read, causing a buffer overflow or logic error that redirects execution flow to attacker-controlled data.
Because the flaw exists in the Boot ROM residing in the silicon, the vulnerability is inherent to the hardware's physical design.
## Exploitation
- **Status**: PoC available / Publicly demonstrated (Created by researcher Gaasedelen).
- **Complexity**: High (Requires custom hardware introspection tools and precise microsecond-level timing).
- **Attack Vector**: Physical (Requires direct access to the console motherboard and voltage rails).
## Impact
- **Confidentiality**: Total (Allows decryption of games, firmware, and security processor secrets).
- **Integrity**: Total (Loading of unsigned code at all levels, including the Hypervisor and OS).
- **Availability**: High (Ability to modify or brick system firmware).
## Remediation
### Patches
- **None**: This is a hardware-level vulnerability in the silicon Boot ROM. It is categorized as "unpatchable" via software or firmware updates for existing units.
### Workarounds
- There are no known software workarounds. Physical security and preventing unauthorized hardware modifications are the only deterrents.
## Detection
- **Indicators of compromise**: Presence of third-party hardware soldered to the CPU voltage rails or motherboard.
- **Detection methods and tools**: Hardware-level introspection is required to detect the voltage instability caused by the glitching apparatus.
## References
- hxxps://www[.]schneier[.]com/blog/archives/2026/03/microsoft-xbox-hacked[.]html
- hxxps://www[.]tomshardware[.]com/video-games/console-gaming/microsofts-unhackable-xbox-one-has-been-hacked-by-bliss-the-2013-console-finally-fell-to-voltage-glitching-allowing-the-loading-of-unsigned-code-at-every-level