Print

[The_Truth]

if it helps, here are the ranges for non routeable ip addresses


     10.0.0.0        -   10.255.255.255  (10/8 prefix)
     172.16.0.0      -   172.31.255.255  (172.16/12 prefix)
     192.168.0.0     -   192.168.255.255 (192.168/16 prefix)

good luck

[The_Truth]

yeah, almost positive that very few make a reference to that .xbe... atleast I dont recall a reference to that after dissasembling music mixer.

[The_Truth]

QUOTE

A new Xbox still contains the file XMTAXBOX.XBE on the first cache partition, as well as some temporary files on the third one.

ok, what's on the 3rd one? lol... hmmm... seems like this puts us back to pedro's work...
Edit: seems like shooting in the dark again

[PedrosPad]

QUOTE(The_Truth @ Feb 9 2005, 06:28 PM)

ok, what's on the 3rd one?

[cmiz]

hmmm....let me get this straight....with that last part (about fixing broken hard disks), would there be potential of running unlocked hard drives on unmodded xboxes, formatting them, then locking them? (through the use of the utility disc?) that would be a useful ability

[The_Truth]

i dont think that would work, because (the way i see it) the eeprom has to be zeroed before use of the disk. it may be able to be modified, but it would only work for anyone with a kernel 4043+ (i.e. not me, 3944)

[cmiz]

didn't it say that this would happen if the eeprom passed? i thought that meant that it had a valid eeprom seeing as they then talked about swapping hard drives without having to rewrite eeproms. i would assume that an xbox coming in for service would have an eeprom to begin with.

and yes, there's the kernel limit....but most xboxes are 4034+ (sorry about your dinosaur, err....i mean xbox)  

[atomiX]

nope, didn't work
tried with both unlocked xbox HD and unlocked blank  HD with same results...error 5

the next step is to completely blank out my physical eeprom to make sure it boots that way. i'm only gonna do this after i'm 100% sure i can recover.

[PedrosPad]

QUOTE(atomiX @ Feb 9 2005, 05:34 PM)

just a small tidbit:

[The_Truth]

QUOTE

@cmiz
i would assume that an xbox coming in for service would have an eeprom to begin with.

 but that also means it's at MS

QUOTE

@cmiz
and yes, there's the kernel limit....but most xboxes are 4034+ (sorry about your dinosaur, err....i mean xbox)   

and it's not dinosaur... it's dinosaurS.. yeah... I got another 3944 about 3 weeks ago.(got a bad thomson, so saving up to replace the drive).

QUOTE

@atomiX
i guess we won't be able to continue until we can get past that screen

which screen is this? i suppose you "successfully" reflashed your eeprom?

[PedrosPad]

atomiX I've done the same tests and can verify your results.
1) Ethereal reported that defaut.xbe on the DVD does use DHCP to obtain an IP address.
2) APILogger only lists up to the font being opened.

I've disassembled the default.xbe, and investigated the tests that lead up to the error message "BL: LAN Address is not correct" being output.

1st, bytes 3 & 4 of the IP address returned from DHCP are compared with 0x8E8E
2nd, the 2nd byte is compared to 0x50.
If any of these checks fail, the error message is displayed.
Finally the code sets byte 1 to 0x01

Thus I believe it's either expecting an IP address of 1.80.142.142, or 142.142.80.1 (depending on byte ordering)  from DCHP.

Hexing the default.xbe thus
Offset 0x40E1, change byte from 0x74 to 0xEB
Offset 0x4108, change byte 0x76 to 0xEB
forces both these tests true and allows the XBE to continue.

It then attempts to create a socket to an IP address, and stops there - due to non-response.  

BTW - fyi IP address 255.64.192.192 is also hardcoded in the vicinity.  Maybe this is a gateway, or DNS server.

[DaddyJ]

QUOTE(PedrosPad)

Thus I believe it's either expecting an IP address of 1.80.142.142, or 142.142.80.1 (depending on byte ordering)  from DCHP.

Have we tried to spoof this address, as I believe the IP would be 1.80.. as it allows for more combinations of and is usually true of Mainframe Cysco 118 80 Routers. Dont know if its related or not

QUOTE(PedrosPad)

BTW - fyi IP address 255.64.192.192 is also hardcoded in the vicinity.  Maybe this is a gateway, or DNS server.

It might be an internal DNS, as I couldnt find any related whois lookups. My best guess would be an internal gateway thou.

[The_Truth]

pedro... did you find any remote directories hard coded in the .xbe? like an automated ftp client... might give some clue as to what to send to spoof...
and that address has GOT to be gateway. They wouldnt really have a need in a dns server to setup an xbox...

[PedrosPad]

QUOTE(PedrosPad)

Thus I believe it's either expecting an IP address of 1.80.142.142, or 142.142.80.1 (depending on byte ordering)  from DCHP.

atomiX has found clear evidence of M$ using a static IP address of 142.142.1.1 in other XBOX apps, so this looks like the appropriate byte ordering.

Which means the other IP address observed is now also likely to be 192.192.64.255.

Why use DHCP then check the result against a static IP address?  I'm beginning to suspect that these are network submasks rather then IP addresses.

[Angerwound]

Excellent job Pedros. Your getting good with that disassembler.
I will have some free time tonight, I will also begin looking into this little project.