Print

[atomiX]

(IMG:http://ca.geocities.com/[email protected]/files/Bootloader_Disc_small.jpg)
(IMG:http://ca.geocities.com/[email protected]/files/certificate.jpg)
some ppl here might already know about these disks. they are quite rare (i only know of another) so not much is known about them. I recently got my own copy to see if there was something interesting about it. My main goal would be to see if there would be a possible exploit. I've already talked with a few ppl on the subject and they pretty much all told me that I should post it here to get help from the community.

I don't know where to begin. Here are a few peculiar things about it:
-The XBE is signed with debug region (as you can see in the certificate above)
-The disk contains a few tools usually included with the XDK (dolphin, gamepad)
-There is only a single XBE (default.xbe) on the disk, which means that all utilities are contained in that XBE
-The whole disk contains about 491MB of data (mostly support media like textures and audio)
-The disk uses a TTF font file (tahoma.ttf) that MIGHT be exploitable. I know XTF fonts are cousins of TTF fonts so this is why i'm saying this. I have no idea on how this would be accomplished but it's my idea.
-I couldn't get it to boot with a retail bios (reported wrong region) and freezes on a hacked bios (IND-BIOS 5003) telling me that it couldn't get a proper IP address (even if it's connected to a router with DHCP server). I also tried with XDK files installed on the xbox with debug bios. This produced the same results.

I'd like to know if anyone has heard stuff on how to make it boot correctly.

This post has been edited by atomiX: Aug 21 2005, 07:30 PM

[kingroach]

eh. was looking for the disk.. you can PM him and get help from him.. Is there any other .xbe that supports all  media and retail signed?/ if its even exploitbale then how could you run this into a retail box...

[atomiX]

i already talked to eh about it. i was wondering that as well. if it's not easily bootable then it probably won't be a very good exploit but a new discovery wouldn't hurt now would it?

i'd like to figure how it boots first and then move on to other things after

[fghjj]

Too bad, hope you didn't pay mad $$ for it.

Why would MS repair service use this for retail xboxen, maybe they use another disc with PBL to load a debug bios

[triggernum5]

Is it possible that all boxes of its era with writable tsops were originally flashed with debug bioses for diagnostic reasons?  It would be a piece of cake to build a unit that temporarily jumpers the write points while it performs tests and finalizations..

[atomiX]

QUOTE(fghjj @ Feb 8 2005, 04:07 PM)

Too bad, hope you didn't pay mad $$ for it.

Why would MS repair service use this for retail xboxen, maybe they use another disc with PBL to load a debug bios

nah, i got it for free
plus, i didn't get it to make it work, i got it because it's a collectors item (very rare)
i was thinking something similar...
debug bioses can load a kernel from media (HD or cd/dvd) so maybe they have a similar setup.
who knows, they might have their own bios loader that they use for debugging...

QUOTE

Is it possible that all boxes of its era with writable tsops were originally flashed with debug bioses for diagnostic reasons? It would be a piece of cake to build a unit that temporarily jumpers the write points while it performs tests and finalizations..

seems like an unnecessary risk for MS to flash the TSOP for testing purposes. maybe they use this disk in conjuction with an LPC device



This post has been edited by atomiX: Feb 8 2005, 11:19 PM

[PedrosPad]

QUOTE(atomiX @ Feb 8 2005, 06:32 PM)

-The XBE is signed with debug region (as you can see in the certificate above)
<snip />
-I couldn't get it to boot with a retail bios (reported wrong region) and freezes on a hacked bios (IND-BIOS 5003) telling me that it couldn't get a proper IP address (even if it's connected to a router with DHCP server). I also tried with XDK files installed on the xbox with debug bios. This produced the same results.

I'd like to know if anyone has heard stuff on how to make it boot correctly.

Not tried this myself, but see here.
I suspect the new XBOX's EEPROM is  blank at the point on the production line where this disk is used.  Maybe for refurbishment, they remove/replace the EEPROM, or use  a clip to  hide it.

This post has been edited by PedrosPad: Feb 8 2005, 11:34 PM

[atomiX]

mmm, seems like a good idea. i'll have to break out nkpatcher again to try this.

even if i can get it to boot, i'll still get stuck on the IP screen.
maybe disassemby would help with this task...

[PedrosPad]

QUOTE(atomiX @ Feb 8 2005, 10:58 PM)

even if i can get it to boot, i'll still get stuck on the IP screen.
maybe disassemby would help with this task...

Some of this may be relevant.

[atomiX]

gee, can't believe i didn't try that
i'll get sniffing right away  (network sniffing that is)

[atomiX]

well, if people are following this, i tried a few things

i tried what pedro mentioned with a blank eeprom using nkpatcher10. it booted fine like i thought it would but got stuck on the IP screen again saying "LAN address is not correct". i should note that it requires DHCP to assign it an IP but i'm not sure if it's a specific IP or a range. I tried on 192.168.1.x and 192.168.0.x subnets. this is barely scratching the surface but with my setup, it's harder to go indepth.

also tried packet sniffing without good results. it did send out DHCP requests but refused  the IP when given one.

This post has been edited by atomiX: Feb 9 2005, 06:34 AM

[cmiz]

perhaps it's looking for a particular dns server? probably something named MS or whatever. i really don't know a lot about this topic, but i'm quite interested and will throw in my thoughts when necessary.... keep up the good work guys

[atomiX]

QUOTE(cmiz @ Feb 9 2005, 02:45 AM)

perhaps it's looking for a particular dns server? probably something named MS or whatever. i really don't know a lot about this topic, but i'm quite interested and will throw in my thoughts when necessary.... keep up the good work guys

quite possible.
i think this disk is used to prep new xboxes off the line. since they have blank eeproms, the disk gets loaded (if a blank eeprom does indeed cause it to go in debug mode) and it searches for a specific IP/server. it then connects via network and receives the eeprom info (serial #, region, MAC, HDD key,...) from that server and then writes it to the eeprom chip. however, i don't know if the bios in debug mode is able to boot with an unlocked drive. if so, it locks the drive after getting the eeprom info and installs the dash files via network. if it can't boot with an unlocked drive no matter what, then this theory goes down the flush.

keep in mind that it's only a theory of what might actually happen. i have no idea on how it actually goes on in the factories.

[The_Truth]

hmmm... well, If I were a betting person, and this disk is used on a "line" (assembly, refurbish, whatever the case). then there is a range of anywhere from 10~60 ip addresses... they will most likely be NON routeable... it WILL be an acceptable range of ip addresses(most likely). so, I think an asm check would be nice on this .xbe... if the range is specific it WILL be there somewhere..lol

[atomiX]

yeah, i'll be attempting this sometime today. i also gave the files to a select few to attempt the same thing.

to everyone: don't ask me for the files since i won't reply...sorry

This post has been edited by atomiX: Feb 9 2005, 06:14 PM