Print

[devz3ro]

QUOTE (PedrosPad @ May 21 2004, 10:32 PM)

Worked! Restored Pre-live Dashboard 4817 (in its entirety to C:\) Replaced C:\setting_adoc.xip, with the Live 1.0 Dashboard 4290 xboxdash.xbe Put the double-dash Bert & Ernie font files in C:\fonts. Booted to 4817, entered the Easter egg code, Dashboard 4290 booted momentarily, then jumped to the Evox menu.  I then ejected the DVD tray, and closed it repeatedly – Evox correctly reported the tray state in the corner of the screen, and absolutely no sign of Reset-On-Eject. A bit cumbersome to use, I admit, but it worked. This seems to verify rmenhal's understanding of the relationship of the "Allowed media types = 0x80000001" XBE header field to Reset-On-Eject, but also reveals that this bit doesn't need to be set for the boot Dashboard.

Booting it backwards, very clever indeed. But I agree it is very cumbersome and isn't robust.

I believe if people wanted ROE (I say ROE because I do not recall "eject" ever starting with a "J" ) that bad, they could use the audio exploit, and have the Easter-egg load a script to recover / replace a corrupt ST.DB. It would be less finger-mashing to achieve the same result (being that you are running old dashboards.)

Reset on Ject
HAH

I KID, I KID!!

I do admit though, this information (well, understanding) could be very useful in the near future.

The only dashboard exploit I have on my Xbox is the Easter-egg, only because of the Live 2.0 compatibility.

I know this is your baby Pedro, but I don't see much use for it other than that.

-devz3ro

http://sh0x.tk/

[PedrosPad]

hehe - I largely agree with your points - I'm just playing.  (I’m the guy who’s just invented the chocolate tea pot).

However, there was a slightly more serious point to me research.

1st – this seemed a simple way to verify rmenhal's understanding of the relationship of the "Allowed media types” flag, and ROE

2nd – There are a lot more XBE’s around with Allowed media types = 0x00000001 and XBE_MEDIA_HDD, than there are with Allowed media types = 0x80000001 and XBE_MEDIA_HDD.  The finding I was after was the fact that the Allowed media types =0x00000001 didn’t set ROJ on the first XBE the BIOS loaded.

This opens up the possibility of not actually booting a Dashboard at all, but  possibly booting another XBE all together. One that simply happens to have the necessary Allowed media types = 0x00000001 and XBE_MEDIA_HDD.  Right now, I playing with booting versions of real settings_adoc.xip easter egg XBE, and the xodash\update.xbe.  These programs don't give a hoot if the clock is set or not (they're not looking out for it - unlike the Dashboard's).  And I’ve a few ideas regarding these early, non-maintained programs

[devz3ro]

"Non-maintained"

HAH

Watch how that suddenly changes

-devz3ro

http://sh0x.tk/

[PedrosPad]

I've been playing, and thinking, some more.

Me thoughts are that the update.xbe that get’s installed into the xodash folder by the update to Live 1.0 Dashboard 4290 also reads it’s fonts via the wildcard “*.xtf”.  The time of it's creation, and this similarity-in-operation, leads me to suspect that it is likely to contain exactly the same font overflow bug the 4290 Dashboard has.

I’ve been running some tests with custom Bert and Ernie fonts, and, although I’ve not got it fully working yet, I believe the symptoms I’m seeing support my theory.
I can contribute that the update.xbe checks C:\fonts\ for the fonts first, followed by C:\ - which is a slight pity (I’d hoped it was the other way round).

The reason this interests me is that I suspect that the update.xbe program isn’t going to be checking the system clock, like the Dashboard’s do.  Thus if XBOX boots update.xbe (and it does appear to have all the necessary flags set), instead of a Dashboard, can be hijacked via it’s fonts, and it pays no heed to the clock argument packet the BIOS passes to a boot Dashboard, it’s operation should be very stable.  i.e. No clock loop.

If all this proves true (and I strongly suspect it is) it would produce an “update” exploit that would allow directing booting to Evox, etc. (It can’t get easier than that), with absolutely no risk of clock-loop.  The holy grail?

I'll continue playing, but I suspect rmenhal would have more success in determining the correct values for Bert.xtf.  (Please!)

Comment invited.

[PedrosPad]

QUOTE (devz3ro @ May 22 2004, 01:15 AM)

"Non-maintained" HAH Watch how that suddenly changes -devz3ro http://sh0x.tk/

Ah! They may tighten up with new XBOXs (such they’ve done with the new 5713 Kernel) but they can't change what's already out in the field.

[PedrosPad]

QUOTE (PedrosPad @ May 22 2004, 01:26 AM)

I suspect that the update.xbe program isn’t going to be checking the system clock, like the Dashboard’s do.

Ok, I've set me XBOX to boot a renamed update.xbe (with the standard retail fonts), and I'm now unplugging me XBOX until tomorrow morning.  Should be revealing.  

[Kthulu]

i have no personal interest in these exploits (i'm tsop-flashed) but i find reading about them very interesting.  with my ignorance professed, i will now comment

if you indeed get this 'update exploit' working, i'm thinking it would have a Pro to it that you haven't mentioned.  if the update.xbe is replaced or hijacked, m$ would not be able to upgrade or over-write your existing dashes.  am i right?

[Australian Rat]

QUOTE (Kthulu @ May 22 2004, 07:30 AM)

i have no personal interest in these exploits (i'm tsop-flashed) but i find reading about them very interesting.  with my ignorance professed, i will now comment if you indeed get this 'update exploit' working, i'm thinking it would have a Pro to it that you haven't mentioned.  if the update.xbe is replaced or hijacked, m$ would not be able to upgrade or over-write your existing dashes.  am i right?

Not necessarily, by connecting to xbox live but the game discs would still be able to update the dash.  Games like Splinter Cell and Rainbow Six 3 automatically update the dash using an xbe on the actual disc.  They do not access the update.xbe on the xbox.

Then again, I might be wrong, but I'm pretty sure I'm not.

[ldots]

These are very good findings Pedro - keep it up  

I actually thought there would be some check from the bios that the boot xbe had to be a dashboard, but sure enough you can boot to the update screen using the update.xbe. Just for the fun of it I also tried using the rmenhal fonts which didn't produce an error but a reboot. I also think it is very likely that this xbe can be exploited.

So when Pedro confirms that this xbe does not check for an unset clock on boot, we just need rmenhal to do a little magic on Bert. This scene has really produced some interresting result the last few weeks  

[Kthulu]

QUOTE (Australian Rat @ May 22 2004, 05:51 AM)

Not necessarily, by connecting to xbox live but the game discs would still be able to update the dash.  Games like Splinter Cell and Rainbow Six 3 automatically update the dash using an xbe on the actual disc.  They do not access the update.xbe on the xbox. Then again, I might be wrong, but I'm pretty sure I'm not.

yeah, i remembered the game disc after i posted.  i'm 100% sure you are right...that's how non-live dashes get upgraded to live ones.

[PedrosPad]

QUOTE (PedrosPad @ May 22 2004, 01:38 AM)

Ok, I've set me XBOX to boot a renamed update.xbe (with the standard retail fonts), and I'm now unplugging me XBOX until tomorrow morning.  Should be revealing.

Ok - Me XBOX has been without power now for 15 hours (a nights sleep, plus the wife dragging me around the shops today) - just got in, applied power to the XBOX, booted, and the update.xbe executed flawlessly - that is to say it booted to the "can't connect" screen - the desired result.  Absolutely no sign of a clock setting screen

I'm off to play with Bert

[rmenhal]

Here come the update fonts.

Standard requirements: dash 4920 and kernel version strictly less than 5713.

Runs HABIBI-signed executable E:\default.xbe. Consider this as work-in-progress and take appropriate precautions.

1. Copy your C:\xodash\update.xbe to C:\xboxdash.xbe
2. Rename your C:\fonts directory to C:\font5 (or whatever)
3. Create directory C:\fonts and copy bert_ate_ernie.xtf from the package below
4. Reboot and pray

I had to put the exploit payload into bert, because update.xbe didn't load ernie. So there's only one font file now. Works great on my box. No sign of clock-loop. I tested it by setting the clock to zero using NtSetSystemTime. I've previously caused clock-loops that way.

CODE

begin-base64 644 updatefonts.tar.bz2 QlpoOTFBWSZTWQ13m0cACW7///3//V1W////P///7v////r6KkAARhhRo2hC QYigTUyd4Afvq9V7u7jahl3WAdAAADAZJDU0U9Go8kNiTYRlNHontSNAxDQa aAAaDIaNA0A0GgBvSI9TTQ8ptTI9T9CiDAIaMTQGTTCZNMgAwjRpgEwBMIND IGJkAYAATEyYCYCaBog0mU8k01TxTR6Rp6gA0Gho0AAAAAAAAADQANAAAAAC VPSJNNSeCnqDTaamn6KeoA9TTQDI9QAAAAAAAAaGgAAAAaA0EGAQ0YmgMmmE yaZABhGjTAJgCYQaGQMTIAwAAmJkwEwE0CRIgRk0CaJ6IyegRkJ6J6m1J6mn qA9RtTamgDTTQDQAepoyPUeoAaGT1GgAA0orLNmvIx+zs4E4OPRJZUQK6yAw gGegczXWAToITIQA67QozkLZa/Z6P0SWm3teTrZAYu0aIW5TFgjXjy5Yxg5p qJPbtAo5SC4TLRbO0YHmghTvIpN0OMFPl+5idaZaD0yVEI4e0PvJtD8OpSB7 3gKG/TmggKhpTKBHgOTDKcnSOwHT0KaFyNf9eKhKRujE+ETzuJSDdgSEqPOe SMizNAGZh2zIWkiht0MY22DRm1lRAMeRMznTE6XQMPs7izds/Y1lfze7b0I7 h8RUmPZTyKlUYIBgrYbV84dFZGaKS6ceB4MFMiFgZZjmRXjwzCeEqpe9RKjU U7RRnSEJ3Uz3tDZSN4KqYfMalDDuorzrRHCh0Vr6fUfCTjQJuKMbVw1Na6Ut EQKDK7bJm3WLCjy7KHHVFXFYJVn3l9QxJk4XeIZwAAGF/sDgzLYzh05sih6H vD3wPK+9VF1NDpUkzaTAOYNo5jW9H8/Y6+CA6+5xTzoMxUqmUnIQShj7sGEE kWZQARpLLJtUUDmDRPB4vAcrtRQz0AHmRYCqQZsW29y19fXjc46FxGUrOFfW hYwebmFqQVVmWxUrLp4mp0xxbNqzshiia26fE2m1RrU5ddjGV44CnVHnVXGN q3JK2+62CxYcWSuMwxJLSsUrqaFjHDx9AM/worUBCEsa4qpST2mWxqe5Ue1P JhNDrTYNsGMhiYyHmE6rRptP0mDDIKIiuoQJbQ0jV60GhobYgPHj3Jkkkl5T gbZLhobCxUHO2RY1x5gosaVHPPNqdBSBtakDDtyA+14XNEi5+kVKUgJxEXEI 6zJ58VCHwkFC8zeeQ9LBhVRYfP2++Tb0EpW0mIxqRU++og2DKRJMTzUbsgma gyH9rCgZetaSqz0X4KjBmr5+tUYJplQoy1pJV9FIng8WJw6rKcIYcKdPQIo/ MsrCbP0gmEZSEQ8lrp8/gRDe6S2A57BXUYk0EZIxZtFCPptAKYZVLYNFRLx9 3p8fC9G/PNj+Bp46iviUKvB5COokNDYD1nAuugAKjWQAiYKSYgcl+OVhBN+L YNTxsLmTPietsTh0boP5UBdzVSwv5TKF5hs8xJWStHqI5tS4YjtQvjYMEVvq yDV7yRTidGPHauxmNt1KkMXAN2AtaIiP4UEuCEJokDTvBhj5iMlEQXxxnrn6 O4eev1r1VoLjs82B7Gx27/bDGNjXLEIYiMNWQ4D3fe41zUE5QE5OERIYdmfR x8oqhQmlYSNe8hLyEWwU3/FKRnWml7xPbPNrr+YHWSwHnesPbkUtba2LcCaM WE+NU3RiKr0LtZDPOqfuWNDM0ZjxChRLuHrGXKIOt73QrAKr1o4N9I1JZGff hsMCZm6hiBSaEcOBA5atc3N4pF524pFtJ3kWbcqaa0rSnLbVdSYSpAa1GjYi GSAMTaRHK6WN266NkMKJKmEEDTVRIWMff4oEYBKnAsmk6kPETxECruBWJajL 6E3OMqxvPBXBENk+y6GGAtvUw0ETWjTtCBgbUkhF0jcNsZvFCRAqUsNyTc0c 8WZBoPVjxJDU1AQJoyG9Imv1IgWO2CpNKyKE2SyUndvWWZoF2w2i1bObNJZ9 vukBeXF6VfT5PX6ovGMosoWGwa4Wgy4Uw3DyjkMa3aG+dAXjC6c3xIZGws29 r4nNa5FPARw1ImuL7HPXVaR2ezuj0UTO71IFGY45d2UjvcroWUouYoXXZmcn WigEyW3HSlt0DTbBsbaTJHCPQKcUBtePzSRvnGU1J3HRVKU+g15gyhmIjUYS o/L4bgpYGEyuwdufr+MqWZDPlQcFaLa7CzfLkulXug6OkseiLRWN+gRdiVGm fKMNfBJmt2Asp1iAtC8RPKhLGjmCyg2RlLJNDJEU1FqlS4hUylIKgmKqyoUC chlLiqUpCbTOn0q7zVjjuGfOwyF6Oiruw3k4Ma62nv2MiZppDCQuItObS+BI pmbwJovAzqVhKjSEIFewzZyEZzZITltShIp1OsJwsZjSnMumJWGa+1StU4an AsScxUJDIaqwxKtZxR4jAWkksmCBiVbgUEBabFRIDSTN/DXMaddUpOkVOAV1 nTGWIXRRFAlK9IpsBXFpKhaKBEypa1dTUi0iX9bwwlEvpapoJtu578c6J3W3 lRs2kCsSLpBG4kNVjQWDleGQuCkorQV1g6ggtpNJhNNarSkVNp4S48/hzewS 7lnsyqLDOGEyja5wcgXz8vn19AqDfLRL2FQb+v0NHJYgWofOGUM3R8BlUl7R pcRhtRoUDcRDrKJJkxshQOHMJSkSIbGOOUJKSLeFnV7GqcdngMoFQfv0yNdW oZCBgMoTZAG3vTJMgXPWCTMHmUb4RK9N3UqOxqf86WlYyqvh8upxRXpfWto0 cOo9a1dA5sve5mOivEqxwWaA5y/y8OIvEpj4fR/E+O2raoPtxwrNuXHZ7kUS kBJJJMOrsv89WmXtfO3M/OyNja+2VrAGhgqBGFkv929brd0WrH/F3JFOFCQD XebRwA== ====

[Angerwound]

Absolutely Amazing.......

[ldots]

Kernel 4034 here and ernie-eating font works great! Uhh - and of course no ROE.

[PedrosPad]

QUOTE (rmenhal @ May 22 2004, 07:13 PM)

Here come the update fonts.

Thanks for the help rmenhal.  (Beat me to it again )

Congrats. m8