xboxscene.org forums

Author Topic: Xbox Live Exploit  (Read 2978 times)

Cio

  • Archived User
  • Sr. Member
  • *
  • Posts: 332
Xbox Live Exploit
« Reply #75 on: May 04, 2005, 09:47:00 AM »

Or maybe it was this:
Lindows CEO rant

Get simple way to run linux (and anything else from there)
Get $200,000
Get publicity for (what then was) Lindows

Everyone wants an M$ linux box! (a brand new user friendly PC for only $200!)
Billy G. wouldn't sleep very well knowing what might happen to his monopoly...

underthebridge

  • Archived User
  • Full Member
  • *
  • Posts: 186
Xbox Live Exploit
« Reply #76 on: August 20, 2003, 11:17:00 PM »

Here is my attempt at applying the exploit through Xblive (no clock or dvd remote problem, very convenient, no risks involved in installation):

The latest dash (4920) has an "Xbox Live" tab which when pressed loads C:\xodash\xonlinedash.xbe . This can be ANY xbe, as long as it is MS-signed. If I put a copy of the original ms dashboard and run it through xbox live, it works.

I wanted this second instance of the dash (xonlinedash.xbe) to load the font exploit independently of the first dash (xboxdash.xbe). The solution was to use an old (4817) msdash that looks only on the root (C:) for fonts, instead of in [fonts] folder. 4817 is a pre-live dashboard and is fully exploitable if bert+ernie are placed on the root, I checked this.

A recap of what happens:

4920 dash boots --> Press "Xbox Live" --> 4817 dash loads --> sees bert.xtf +ernie.xtf on root --> default.xbe loads

Unfortunately, there was a problem. Bert+ernie ONLY work on bootup. If you run them in any other way, they crash. I tried running them through evox and through this xblive method, but they just crash. I don't know why they ONLY do their thing on bootup. This should've worked I tell ya, I can't believe this stupid problem... Help :)

mnm6687

  • Archived User
  • Jr. Member
  • *
  • Posts: 94
Xbox Live Exploit
« Reply #77 on: August 21, 2003, 01:10:00 AM »

hey underthebridge, did you put bert and ernie in xodash? or in the c:\ root ? if you tried putting it in the xodash folder, then i think that's ur problem.  also, what version of B&E did u use? this is sweet, i've been trying to figure out another way of loading unsigned code from the dash, but have been unsuccessful.  also, if you are looking for another xbe signed by MS (for the dash, not for a game) then rename your file settings_adoc.xip to settings_adoc.xbe.  this file is the 'easter egg' that was hidden by MS.  i don't know if that will prove useful at all, but we need all the input we can get!

skiz

  • Archived User
  • Newbie
  • *
  • Posts: 2
Xbox Live Exploit
« Reply #78 on: August 21, 2003, 04:47:00 AM »

you can't execute font files... that's why it doesn't work by executing through evox  ;)

if u don't believe me, try to execute a windows font file.. it just brings up a font viewer

This post has been edited by skiz: Aug 21 2003, 11:47 AM

wmadoss

  • Archived User
  • Newbie
  • *
  • Posts: 45
Xbox Live Exploit
« Reply #79 on: August 21, 2003, 04:56:00 AM »

Who said anything about executing font files?

He is trying to execute an xbe file which then uses the font files.

PedrosPad

  • Archived User
  • Hero Member
  • *
  • Posts: 1277
Xbox Live Exploit
« Reply #80 on: August 21, 2003, 05:15:00 AM »

underthebridge, Bert & Ernie are an 'overflow' exploit, and exploits of this nature typically rely on code being in a known location in memory.  On boot up, the RAM is empty, the BIOS executes the dashboard, and thus this address is calculable.

When you execute the second dashboard from the first:
1. The child is probably executed by a library routine compiled into the parent dashboard, and not the BIOS loader.  This may not do quite the same thing.

2. The RAM isn't in a predictable state (after all you may have just ripped a CD and consumed additional buffer/caches, etc.), and the child process will consequently end up somewhere different in memory.

Consequently, when Bert & Ernie 'overflow', the address they jump to doesn't hold what is expected.

Pedro.

wimpie007

  • Archived User
  • Newbie
  • *
  • Posts: 16
Xbox Live Exploit
« Reply #81 on: August 21, 2003, 07:17:00 AM »

the font exploit doesn't know exactly where the instruction pointer will be after the loading of the fonts, that's why the font files are so big... almost all instructions just say 'advance a few steps' ...

underthebridge

  • Archived User
  • Full Member
  • *
  • Posts: 186
Xbox Live Exploit
« Reply #82 on: August 21, 2003, 10:23:00 AM »

QUOTE (mnm6687 @ Aug 21 2003, 08:59 AM)
hey underthebridge, did you put bert and ernie in xodash? or in the c:\ root ? if you tried putting it in the xodash folder, then i think that's ur problem.  also, what version of B&E did u use? this is sweet, i've been trying to figure out another way of loading unsigned code from the dash, but have been unsuccessful.  also, if you are looking for another xbe signed by MS (for the dash, not for a game) then rename your file settings_adoc.xip to settings_adoc.xbe.  this file is the 'easter egg' that was hidden by MS.  i don't know if that will prove useful at all, but we need all the input we can get!

I tried all versions of B&E - DayX, reloaded, BiCoE, bigfonts - all to no avail.

I KNOW that 4817 is seeing the fonts because I successfully loaded 4817 normally with xblive using its original fonts. Then I just replaced them with bert+ernie, I even gave them the names Xbox.xtf and Xbox Book.xtf to make sure. B&E are loading, just crashing...

Another idea I had was to use an xbox live starter kit CD and see if I can replace the files it's supposed to update with other ones - essentially to get the xbe to do something else.

This post has been edited by underthebridge: Aug 21 2003, 05:30 PM

underthebridge

  • Archived User
  • Full Member
  • *
  • Posts: 186
Xbox Live Exploit
« Reply #83 on: August 21, 2003, 09:18:00 AM »

QUOTE (PedrosPad @ Aug 21 2003, 01:04 PM)
underthebridge, Bert & Ernie are an 'overflow' exploit, and exploits of this nature typically rely on code being in a known location in memory.  On boot up, the RAM is empty, the BIOS executes the dashboard, and thus this address is calculable.

When you execute the second dashboard from the first:
1. The child is probably executed by a library routine compiled into the parent dashboard, and not the BIOS loader.  This may not do quite the same thing.

2. The RAM isn't in a predictable state (after all you may have just ripped a CD and consumed additional buffer/caches, etc.), and the child process will consequently end up somewhere different in memory.

Consequently, when Bert & Ernie 'overflow', the address they jump to doesn't hold what is expected.

Pedro.

Can we make a fix to bert and ernie in this way? It shouldn't be too hard. The source code is documented here http://phoenix.maxco...rternie.inc.php . If anyone can do this, then we'll be able to get out an xblive exploit pack, the third and BEST method for the exploit (only con is that you can't access your live account thru dash, but I'm sure we can find workarounds for that).

PedrosPad

  • Archived User
  • Hero Member
  • *
  • Posts: 1277
Xbox Live Exploit
« Reply #84 on: August 22, 2003, 06:58:00 AM »

QUOTE
Can we make a fix to bert and ernie in this way? It shouldn't be too hard


I agreed.

The Technical Analysis of 007: Agent Under Fire save game hack (http://xbox-linux.sourceforge.net/articles.php?aid=2003189065649) contains source code to find out where you are in memory during execution.

This all sounds very plausible to me, and would solve the clock issue completely.

Pedro.

Sykotek

  • Archived User
  • Jr. Member
  • *
  • Posts: 60
Xbox Live Exploit
« Reply #85 on: August 22, 2003, 07:13:00 AM »

Sounds like you're all on to something here.  Keep it going!  Good find!

Anusko

  • Archived User
  • Newbie
  • *
  • Posts: 32
Xbox Live Exploit
« Reply #86 on: August 22, 2003, 08:08:00 AM »

mechinstaller1.0 uses a custom font hack that is only 5kB. 5kB won't blow xbox memory :P but we can't use that font hack :(

underthebridge

  • Archived User
  • Full Member
  • *
  • Posts: 186
Xbox Live Exploit
« Reply #87 on: August 22, 2003, 02:35:00 PM »

QUOTE (Anusko @ Aug 22 2003, 05:08 PM)
mechinstaller1.0 uses a custom font hack that is only 5kB. 5kB won't blow xbox memory :P but we can't use that font hack :(

I haven't tried MechInstaller, but just now I tried their custom fonts, and yep they don't work.

They say your "Xbox Live" option is replaced with "Linux", and I wanted to see how this was done. So I watched the mechinstaller video and noticed that they just use B&E to run a hacked MS dashboard on bootup.
So the clock and dvd remote bug must still be there.... unless they fixed it? Can anyone who tried mechinstaller let us know if these bugs are still there?

nonzero

  • Archived User
  • Newbie
  • *
  • Posts: 21
Xbox Live Exploit
« Reply #88 on: August 22, 2003, 03:51:00 PM »

Why do people use the font exploit with all of its potential drawbacks when the audio exploit seems so much more stable and hassle free?

underthebridge

  • Archived User
  • Full Member
  • *
  • Posts: 186
Xbox Live Exploit
« Reply #89 on: August 22, 2003, 04:05:00 PM »

QUOTE (nonzero @ Aug 22 2003, 11:40 PM)
Why do people use the font exploit with all of its potential drawbacks when the audio exploit seems so much more stable and hassle free?

that is why we are trying to get this XBLive exploit working, which ALSO has none of the drawbacks of the font exploit since you can run it voluntarily

This post has been edited by underthebridge: Aug 22 2003, 11:06 PM