xboxscene.org forums


Author Topic: The Quick Skinny On Exploits.  (Read 214 times)

Chicken Scratch Boy

The Quick Skinny On Exploits.
« on: July 20, 2004, 11:06:00 PM »

Premise: This tutorial was made to teach the new exploit user what’s what and how it works, thus curbing user incompetence and moronic posts.

Security: The key to your stupid questions… Read up.

The Xbox has a whole slew of security features out to get you. Learn these, and you will be able to outsmart the box… or it won’t be able to outsmart you, at least.

Signatures: Why you can’t run homebrew code without kernel modifications.
Every xbe in any xbox game or dash file on the hard drive is signed with the MS Private Key. Every xbe has its own signature (as long as they are different xbes), since the signature is essentially a checksum of the xbe. If you change a single bit in the xbe, the signature will be invalid. If you attempt to run unsigned code (any xbe without a valid signature) you will most likely get an error 21 screen.

Media Checks: Why you can’t burn a game and just run it.
A media check is a small flag in the xbe header that says what types of media the xbe can be run on. If you want to run it on other media types, you need to patch that part of the header, invalidating the signature.

Hard Drive Locking: Why you can’t drop just any drive in that box.
The xbox has a small chip called the EEPROM. This chip holds 256 bytes which includes important non-box specific information. This includes the xbox live key, xbox region and, most importantly, the HDD unique master key (32 characters). Upon booting, this key goes through a mathematical equation which includes some drive-specific information; the result is the HDD key (40 characters). This key is used to unlock the hard drive, allowing the information to be accessed. If the drive cannot be unlocked you will get error 6 (for wrong key) and 5 (for not locked).
In-Depth: Check out the Xbox-Linux site for more technical info!

New Developments in 5713 Kernel: Why kernels past 5713 are a bit different.
In the 5713 kernel, a few new security features came out that threw a wrench in the softmodding works. Basically, if an xbe has a title ID equal to 0xFFFE0000 (the MS Dash title ID), and a date before Aug 5 2003, the kernel will not allow the xbe to load. This basically means that the 4920 dash cannot be launched with kernels after 5713.

Exploits: The key to softmodding.

How they work: The basics of exploits.
Merriam-Webster defines “Exploit” as “a notable or heroic act.”
Well frankly that doesn’t make any sense at all! So let me define it for you.
An exploit is a hole or vulnerability in a piece of software that can be taken advantage of. In the case of softmodding, this hole is used to patch the kernel in memory, usually the portion which contains the public key, replacing it with a public key for which we can easily create a private key to tack onto an xbe, allowing it to be launched, circumventing all of the security features mentioned in the Security section.

What they are: A rundown of the exploits out there.
Audio exploit: The audio exploit takes advantage of a hole in the cd ripping area of the MS Dashboard.
The exploit consists of a st.db file that replaces the one currently used by the MS dash. The exploit requires the user to attempt to rip a cd in order to launch the exploit. Newer “swapless” versions of the exploit do not require a cd to be inserted in the drive in order to execute the exploit.
Keys Used:
Audio or Habibi
Only for MS Dash version 4920!

Font exploit: The font exploit manipulates a vulnerability in the MS Dashboard on boot.
The exploit consists of 2 font files (bert.xtf and ernie.xtf) that replace the stock fonts (xbox.xtf and xbox book.xtf). There are many versions of this exploit including: bigfonts, bert and ernie reloaded, and bert is cheating on ernie. The exploit activates on boot and requires no monitoring or user input to execute.
Note: In order to launch the MS Dash from any font exploit, you need to have a second hex edited copy that changes the font references to point to where the original fonts reside.
Warning: Running this antiquated exploit puts you at risk for a clock loop.
Keys used:
Font
Only for MS Dash version 4920!

Mechfonts: An offshoot of the font exploit.
These fonts load an edited version of the MS Dash into memory which will launch an xbe when the (renamed) Live tab is launched. These fonts were originally made for launching Linux only but they were hacked to work with any xbe. Some people say these fonts are rid of the clock loop, but this may not be the truth, since there is no solid proof of this.
Keys Used:
Audio or Habibi
Only for MS Dash version 4920!

Savegame exploit: Uses a hole in various games.
The savegame exploit makes use of flaws in the savegame loading areas in 3 games (so far): Splinter Cell, Mech Assault, and 007: Agent Under Fire. The savegame exploits are a very important part of softmodding, since they can be loaded through a memory card, allowing you to avoid hotswapping, which can be a bit dangerous.
Keys Used:
Habibi

UDE (Ultimate Dashboard Exploit): Exploit that launches on boot with no risk of clock loop.
This exploit uses a hole in the 4920 dash’s update.xbe. Consists of a single font named “bert_ate_ernie.xtf.”
Keys Used:
Habibi

UDE2 (Ultimate Dashboard Exploit 2):
Exploit that launches on boot with no risk of clock loop.
Uses a NFL Fever 2003 update.xbe to side step the added security in kernels past 5713!
Keys Used:
Habibi
Only for NTSC boxes! (for now)

EEE (Easter Egg Exploit):
An Audio exploit spin off-ish exploit.
Compatible with kernels past 5713. Uses a hacked st.db like the audio exploit, but requires the user to type out “<<Eggsßox>>” with the MS Dash’s on screen keyboard.

DDE (Double Dash Exploit):
Replace the live tab.
Replace the live tab with a second dash. Previously allowed you to go on live.

Tip: Most, if not all, exploits have customizable boot paths, allowing you to change the xbe loaded after the exploit is executed. These can easily be found in the hex of the .xtf or st.db files.

End notes:
This tutorial is unfinished; I plan on adding sections for bios loaders/kernel patchers and smaller sections on dashes and bioses, as well as a key terms and definitions area.
I hope this tutorial helps you figure out all this “softmodding” nonsense. Good luck!
Questions? Comments? Compliments? Post!
Complaints? Shove it… you know where.

Credits: Since I wrote most of this from memory, using a few release posts for reference...
Me
People who like to make corrections (you know who you are)
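The signature check and the public-key swap this post describes, as an added toy model that is not code from the post or from any Xbox tool: textbook RSA over a SHA-1 digest with small constructed primes, a made-up Kernel class and made-up xbe bytes, purely to show the trust relationships and nothing about the real Xbox key, format or algorithm.

```python
import hashlib

# Constructed toy RSA primes; nothing here is a real Xbox key, format or algorithm.
P1, Q1 = 1000000007, 998244353      # stands in for the MS keypair
P2, Q2 = 1000000009, 999999937      # a homebrew keypair whose private half is known

def make_keypair(p, q, e=65537):
    """Textbook RSA keypair from two primes (toy sizes, illustration only)."""
    n = p * q
    return (n, e), (n, pow(e, -1, (p - 1) * (q - 1)))

def digest(xbe: bytes, n: int) -> int:
    # The "checksum" the post mentions: SHA-1 of the image, reduced mod n so the
    # toy modulus can hold it (a real scheme pads the full digest instead).
    return int.from_bytes(hashlib.sha1(xbe).digest(), "big") % n

def sign(xbe: bytes, priv) -> int:
    n, d = priv
    return pow(digest(xbe, n), d, n)

def verify(xbe: bytes, sig: int, pub) -> bool:
    n, e = pub
    return pow(sig, e, n) == digest(xbe, n)

class Kernel:
    """Loader whose only root of trust is the public key held in its memory."""
    def __init__(self, trusted_pub):
        self.trusted_pub = trusted_pub     # plain RAM, so an exploit can rewrite it
    def load(self, xbe: bytes, sig: int) -> str:
        return "runs" if verify(xbe, sig, self.trusted_pub) else "error 21"

def demo() -> dict:
    ms_pub, ms_priv = make_keypair(P1, Q1)
    kernel = Kernel(ms_pub)
    game = b"XBEH constructed xbe body, media flag=DVD"    # constructed image
    sig = sign(game, ms_priv)
    out = {"signed": kernel.load(game, sig)}
    # One flipped bit (think media-check patch) and the MS signature no longer matches.
    patched = game[:-1] + bytes([game[-1] ^ 0x01])
    out["patched"] = kernel.load(patched, sig)
    # What the exploits in the post do: swap the in-memory key for one whose private
    # half is known; the unchanged check now accepts homebrew signatures.
    home_pub, home_priv = make_keypair(P2, Q2)
    kernel.trusted_pub = home_pub
    out["key swapped"] = kernel.load(patched, sign(patched, home_priv))
    # Defender's view: the check itself was never broken, only its root of trust.
    # A key the loader cannot rewrite (anchored in hardware) is what closes this.
    return out
```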

EthanHunt_IMF

The Quick Skinny On Exploits.
« Reply #1 on: July 20, 2004, 10:27:00 PM »

Slight mistake in lock/unlock error codes.
they both aren't 6

5 - kernel - HDD not locked (retail bioses require the hd to be locked)

6 - kernel - Cannot unlock HDD

from http://www.xbox-scene.com/articles/errorcodes.php

Edit: Oh yeah... great job!!

This post has been edited by EthanHunt_IMF: Jul 21 2004, 05:28 AM
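The drive-bound derivation the opening post describes, together with the two lock-state error codes this reply lists, as an added example (not code from the thread or from any Xbox tool). The Xbox-Linux project documents the derivation as HMAC-SHA1 keyed with the 16-byte EEPROM HDD key over the drive's ATA model and serial strings; the space-padded string widths, the boot_check mapping and every key and drive value below are constructed assumptions of this example.

```python
import hashlib
import hmac

def hdd_password(eeprom_hdd_key: bytes, model: str, serial: str) -> str:
    """32 hex chars (16 bytes) of box secret plus the drive's identity give the
    40-hex-char password, so it is bound to this box AND this drive.
    Fixed-width, space-padded ATA strings are an assumption of this example."""
    if len(eeprom_hdd_key) != 16:
        raise ValueError("EEPROM HDD key must be 16 bytes (32 hex chars)")
    ident = model.ljust(40).encode() + serial.ljust(20).encode()
    return hmac.new(eeprom_hdd_key, ident, hashlib.sha1).hexdigest()

def boot_check(drive_locked: bool, drive_password: str, derived: str) -> str:
    """Map the boot outcome to the kernel error codes quoted in this reply."""
    if not drive_locked:
        return "error 5: HDD not locked"
    if not hmac.compare_digest(drive_password, derived):
        return "error 6: cannot unlock HDD"
    return "unlocked"

def demo() -> dict:
    # Constructed values: not a real EEPROM dump and not a real drive identity.
    this_box = bytes.fromhex("00112233445566778899aabbccddeeff")
    other_box = bytes.fromhex("ffeeddccbbaa99887766554433221100")
    drive = ("EXAMPLE-MODEL-8GB", "SN-CONSTRUCTED-01")
    other_drive = ("EXAMPLE-MODEL-40GB", "SN-CONSTRUCTED-02")
    derived = hdd_password(this_box, *drive)       # what this box computes at boot
    return {
        "password length": len(derived),
        "own drive": boot_check(True, hdd_password(this_box, *drive), derived),
        "drive locked by another box": boot_check(True, hdd_password(other_box, *drive), derived),
        "drive not locked": boot_check(False, hdd_password(this_box, *drive), derived),
        # Same box secret, different drive: a different password, which is why a
        # swapped-in drive must be locked with its own derived password first.
        "password differs per drive": hdd_password(this_box, *drive) != hdd_password(this_box, *other_drive),
    }
```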

chimpanzee

The Quick Skinny On Exploits.
« Reply #2 on: July 20, 2004, 10:50:00 PM »

Correction:

Easter Egg is not an audio exploit, but a font exploit. It is the same as double dash but uses a different path to launch the MS signed xbe (usually 4034 dash).

Chicken Scratch Boy

The Quick Skinny On Exploits.
« Reply #3 on: July 20, 2004, 11:05:00 PM »

doesn't it use a ST.DB?

that is part of the audio stuff?

so audio exploits are font exploits too?

dabbage

The Quick Skinny On Exploits.
« Reply #4 on: July 21, 2004, 12:34:00 AM »

QUOTE (Chicken Scratch Boy @ Jul 21 2004, 07:09 AM)
UDE (Ultimate Dashboard Exploit): Exploit that launches on boot with no risk of clock loop.
This exploit uses a hole in the 4920 dash’s update.xbe. Consists of a single font named “bert_ate_ernie.xtf.”

updatefonts7 has separate bert and ernie font files again, and an optional third font in addition.


nice work!

adil786

The Quick Skinny On Exploits.
« Reply #5 on: July 21, 2004, 03:18:00 AM »

needs a few minor corrections,

apart from that, one of the best tuts I've seen!

EDIT: yes, you are cool now..

ldots

The Quick Skinny On Exploits.
« Reply #6 on: July 21, 2004, 04:43:00 AM »

QUOTE (Chicken Scratch Boy @ Jul 21 2004, 08:02 AM)
doesn't it use a ST.DB?

that is part of the audio stuff?

so audio exploits are font exploits too?

Doesn't have to be a hacked ST.DB. The <<eggsßox>> text when entered as a soundtrack just triggers the easter egg which is launching setting_adoc.xip (an xbe). The EEE was just replacing setting_adoc.xip with a font-exploitable dashboard (pre-live dash).

PedrosPad

The Quick Skinny On Exploits.
« Reply #7 on: July 21, 2004, 04:48:00 AM »

QUOTE (ldots @ Jul 21 2004, 01:40 PM)
Doesn't have to be a hacked ST.DB. The <<eggsßox>> text when entered as a soundtrack just triggers the easter egg which is launching setting_adoc.xip (an xbe). The EEE was just replacing setting_adoc.xip with a font-exploitable dashboard (pre-live dash).

All true - but then you've got an audio CD in the DVD-tray. devz3ro produced an ST.DB with a track already in it - which means you could pop in a homebrew DVD, and simply do a HDD to HDD track copy to fire the EEE exploit (just like the swapless audio hack).

This post has been edited by PedrosPad: Jul 21 2004, 01:14 PM

ldots

The Quick Skinny On Exploits.
« Reply #8 on: July 21, 2004, 04:55:00 AM »

QUOTE (PedrosPad @ Jul 21 2004, 01:45 PM)
All true - but then you've got an audio CD in the DVD-tray. devz3ro produced an ST.DB with a track already in it - which means you could pop in a homebrew DVD, and simply do a HDD to HDD track copy to fire the EEE exploit (just like the swapless audio hack).

Exactly.
QUOTE
Doesn't have to be a hacked ST.DB

Just wanted to make it clear that the EEE is not an audio exploit as such.

Australian Rat

The Quick Skinny On Exploits.
« Reply #9 on: July 21, 2004, 06:38:00 AM »

Very nice!

Hopefully no more n00b questions in the forums

...ah who are we kidding, they're noobs

Deciphile

The Quick Skinny On Exploits.
« Reply #10 on: July 21, 2004, 06:45:00 AM »

Uh if you don't ask questions how are you supposed to learn anything. There are new people here that want to do more than just figure out how to play backups and then never come back to the site again.

krayzie

The Quick Skinny On Exploits.
« Reply #11 on: July 21, 2004, 07:39:00 AM »

definitely a great piece of work. just another small point:
QUOTE
Font exploit: The font exploit manipulates a vulnerability in the MS Dashboard on boot.
The exploit consists of 2 font files (bert.xtf and ernie.xtf) that replace the stock fonts (xbox.xtf and xbox book.xtf). There are many versions of this exploit including: bigfonts, bert and ernie reloaded, and bert is cheating on ernie. The exploit activates on boot and requires no monitoring or user input to execute.
Note: In order to launch the MS Dash from any font exploit, you need to have a second hex edited copy that changes the font references to point to where the original fonts reside.
Warning: Running this antiquated exploit puts you at risk for a clock loop.
Keys used:
Font
Only for MS Dash version 4920!

Don't all these regular fonts work on dashes prior to the 4920 also?

adil786

The Quick Skinny On Exploits.
« Reply #12 on: July 21, 2004, 07:41:00 AM »

QUOTE (Deciphile @ Jul 21 2004, 03:42 PM)
Uh if you don't ask questions how are you supposed to learn anything. There are new people here that want to do more than just figure out how to play backups and then never come back to the site again.

i know what you mean,

the whole idea is to share your thoughts and create better, newer things.

Deciphile

The Quick Skinny On Exploits.
« Reply #13 on: July 21, 2004, 07:51:00 AM »

QUOTE
QUOTE (Deciphile @ Jul 21 2004, 03:42 PM)
Uh if you don't ask questions how are you supposed to learn anything. There are new people here that want to do more than just figure out how to play backups and then never come back to the site again.

i know what you mean,

the whole idea is to share your thoughts and create better, newer things.
What I posted (I think) may have sounded a little sour now that I read it, but it was not at all intended that way.

And I agree with adil786. I want to contribute as much as possible and try different things because I want to be able to eventually import models and all that stuff into an xbox environment to see how they look and react vs a PC environment.

I think the guide is a good one and definitely worth the read.

PedrosPad

The Quick Skinny On Exploits.
« Reply #14 on: July 21, 2004, 09:15:00 AM »

QUOTE (adil786 @ Jul 21 2004, 04:38 PM)
the whole idea is to share your thoughts and create better, newer things.

I think it's fair to say that my WIP threads do that