Named Tony Hawk's Pro Strcpy, the exploit exists across Tony Hawk's Pro Skater 3, Tony Hawk's Pro Skater 4, Tony Hawk's Underground 1, Tony Hawk's Underground 2, and Tony Hawk's American Wasteland. The hack is a pre-made save file that you can load for your console of choice, which utilizes the game's Create-A-Park level builder to allow remote code execution.
Fast forward to present day (2024) and I finally got around to cleaning up and releasing all these Tony Hawk exploits. However, since I'm most likely retiring from game console hacking after this I wanted to drop an absolute banger of a release so I ported the exploit to some other game consoles that are vulnerable to it. This bug exists in 5 different iterations of the Tony Hawk video game series across numerous game consoles and handhelds. No one is safe from Tony Hawk's Pro Strcpy. Since you're probably tired of me talking about the same strcpy bug over and over I'm only going to provide some brief details of which games for which platforms I ported the exploit to and how it may or may not make hacking those consoles easier.
Grimdoomer posted a highly-detailed blog that goes in-depth on how the strcpy bug works, and how to execute it. They also released the exploit, available on GitHub, with versions that support Tony Hawk's American Wasteland for the Xbox 360, Tony Hawk Pro Skater 4 for the GameCube, Xbox, and PlayStation 2. He also noted that the PC version of Tony Hawk's Underground, which has a community built around a fan-patch of the game and has network play, is also exploitable, and that players should be wary.
And there you have it, the first software only exploit for the Xbox 360. It's kind of ironic that this worked out almost exactly the same as the save game exploits for the original Xbox: performing a stack buffer overflow from a strcpy call on data contained in a save game file you can copy to your console using a memory card. You can use the strcpy bug to get ROP execution on any Xbox 360 OS version, but you'll only be able to get full hypervisor code execution on the 4548 kernel version. If a new hypervisor bug is discovered this can easily be paired with it to work on newer kernel versions. I still have some hope that there might be an exploitable bug that would get you hypervisor code execution on a new kernel version. But I highly suspect it would be some kind of CPU or MMU bug rather than a bug in the hypervisor code.
Source
GitHub Release