xboxscene.org forums

Pages: 1 ... 4 5 [6] 7 8 9

Author Topic: Ping Limit Bypass  (Read 1535 times)

thesonandheir

« Reply #75 on: April 21, 2010, 05:46:00 AM »

Hey, great work SoLovely!

I was perusing XBH when I came across this post by xxANTMANxx

http://www.xboxhacke...?topic=14581.20


typedef unsigned int DWORD; /* 32-bit unsigned, as on Win32 / Xbox 360 */

struct SystemFlags {
    DWORD   NoForceReboot                   : 1; //= 0x00000001
    DWORD   ForegroundTasks                 : 1; //= 0x00000002
    DWORD   NoOddMapping                    : 1; //= 0x00000004
    DWORD   HandleMceInput                  : 1; //= 0x00000008
    DWORD   RestrictHudFeatures             : 1; //= 0x00000010
    DWORD   HandleGamepadDisconnect         : 1; //= 0x00000020
    DWORD   InsecureSockets                 : 1; //= 0x00000040
    DWORD   Xbox1XspInterop                 : 1; //= 0x00000080
    DWORD   SetDashContext                  : 1; //= 0x00000100
    DWORD   TitleUsesGameVoiceChannel       : 1; //= 0x00000200
    DWORD   TitlePal50Incompatible          : 1; //= 0x00000400
    DWORD   TitleInsecureUtilitydrive       : 1; //= 0x00000800
    DWORD   TitleXamHooks                   : 1; //= 0x00001000
    DWORD   TitlePii                        : 1; //= 0x00002000
    DWORD   CrossplatformSystemLink         : 1; //= 0x00004000
    DWORD   MultidiscSwap                   : 1; //= 0x00008000
    DWORD   MultidiscInsecureMedia          : 1; //= 0x00010000
    DWORD   Ap25Media                       : 1; //= 0x00020000
    DWORD   NoConfirmExit                   : 1; //= 0x00040000
    DWORD   AllowBackgroundDownload         : 1; //= 0x00080000
    DWORD   CreatePersistableRamdrive       : 1; //= 0x00100000
    DWORD   InheritPersistedRamdrive        : 1; //= 0x00200000
    DWORD   AllowHudVibration               : 1; //= 0x00400000
    DWORD   TitleBothUtilityPartitions      : 1; //= 0x00800000
    DWORD   HandleIPTVInput                 : 1; //= 0x01000000
    DWORD   PreferBigbuttonInput            : 1; //= 0x02000000
    DWORD   Reserved26                      : 1; //= 0x04000000
    DWORD   MultidiscCrossTitle             : 1; //= 0x08000000
    DWORD   TitleInstallIncompatible        : 1; //= 0x10000000
    DWORD   AllowAvatarGetMetadataByXUID    : 1; //= 0x20000000
    DWORD   AllowControllerSwapping         : 1; //= 0x40000000
    DWORD   DashExtensibilityModule         : 1; //= 0x80000000
    /* These next ones don't even fit into a DWORD?
    DWORD   AllowNetworkReadCancel          : 1; //= 0x100000000
    DWORD   XexUninterruptableReads         : 1; //= 0x200000000
    DWORD   RequireExperienceFull           : 1; //= 0x400000000
    DWORD   GamevoiceRequiredUI             : 1; //= 0x800000000
    */
};


Does anyone know what the one in bold does?

Haruno

« Reply #76 on: April 28, 2010, 12:29:00 AM »

thesonandheir: maybe playing sys link with a 360 and an original Xbox? Or probably PC Live and 360 Live.

SoLovely

« Reply #77 on: April 29, 2010, 09:09:00 AM »

(Sorry if I butcher terminology) The ping limit may be part of the xNetConnect (I think that's the name) function call, and is probably defined in the nand. The library that defines that function is xOnline (I think) if you want to look, but I don't know if it's completely defined in there or just diverts it all to the nand. I don't really know much about this kind of thing though :3

On to business, I have a few questions. I remember reading quite some time ago that there is a "LAN Key" in the KV? Would anyone know anything about that? Are all LAN keys across all Xboxes the same? Is the location of a per-game key on the game disk well known (I know it exists, does anyone know where?)? Can anyone make me a capture of a failed connection so I can actually confirm exactly where the limit is implemented? Thanks.

I'm moving forward pretty fast, faster if I could just get some major kinks out of the way with your help. Let's hope for some solid products soon...

warwolf

« Reply #78 on: April 29, 2010, 11:25:00 PM »

Ughh, I couldn't make it fail, because it didn't find any games, although there should have been some because there were many players in the room. Anyway, I created a game (COD MW2) and 1 person joined and we moved around a little.
If you could tell me how I can make it fail I would gladly help.
Here's my capture:

Wireshark Capture File

warwolf

« Reply #79 on: April 30, 2010, 05:01:00 AM »

While looking for the ping function, I found these functions (I think) declared in xam.xex (from the nand.bin):

.rdata:81870750 __imp__XeCryptBnQwBeSigVerify:.long 0x166
.rdata:81870754 __imp__XeKeysGetKey:.long 0x244

along with other functions for encryption, like:

.rdata:818707C8 __imp__XeCryptRc4Ecb:.long 0x18C
.rdata:818707CC __imp__XeCryptRc4Key:.long 0x18B
.rdata:818707D0 __imp__XeCryptHmacShaFinal:.long 0x181
.rdata:818707D4 __imp__XeCryptHmacShaUpdate:.long 0x180
.rdata:818707D8 __imp__XeCryptHmacShaInit:.long 0x17F
.rdata:818707DC __imp__XeCryptBnDwLePkcs1Verify:.long 0x163
.rdata:818707E0 __imp__XeCryptBnQwNeRsaPubCrypt:.long 0x16D
.rdata:818707E4 __imp__XeCryptBnQw_SwapDwQwLeBe:.long 0x170

and since they are in the .section ".rdata", I believe they are defined in the same file.

I don't understand all the assembler stuff yet, but if someone is willing to explain or give some other hints, I'll gladly try to contribute. I will look more into this after I get home from my courses.

warwolf

« Reply #80 on: April 30, 2010, 12:38:00 PM »

There seems to be a problem...
There are 2 functions the hosts and clients call: XNetQosLookup and XNetQosListen.
These functions are used to probe the quality of service (QoS) between itself and specified remote hosts.
XNetQosLookup has a parameter ppxnqos which is a pointer to a pointer to an XNQOS structure that receives the results from the QoS probes.
The XNQOS structure contains data about the total number of remote hosts being probed and the number of remote hosts for which data has not yet been received. When this member is zero, all probes are complete.
The way the probes "know" when to stop probing a device is through the data in the XNetStartupParams structure, which looks like this:

typedef unsigned char BYTE; /* 8-bit unsigned, as in the XDK headers */

typedef struct {
    BYTE cfgSizeOfStruct;
    BYTE cfgFlags;
    BYTE cfgSockMaxDgramSockets;
    BYTE cfgSockMaxStreamSockets;
    BYTE cfgSockDefaultRecvBufsizeInK;
    BYTE cfgSockDefaultSendBufsizeInK;
    BYTE cfgKeyRegMax;
    BYTE cfgSecRegMax;
    BYTE cfgQosDataLimitDiv4;
    BYTE cfgQosProbeTimeoutInSeconds;       /* wait per QoS probe before resending or giving up; default 2 s */
    BYTE cfgQosProbeRetries;
    BYTE cfgQosSrvMaxSimultaneousResponses;
    BYTE cfgQosPairWaitTimeInSeconds;       /* listener wait for the second packet of a pair; default 2 s */
} XNetStartupParams;

From all this stuff I think we should concentrate on modifying the following:

cfgQosProbeTimeoutInSeconds (The amount of time to wait for a response after sending a QoS packet before sending it again (or giving up). This should be set to the same value on clients (XNetQosLookup callers) and servers (XNetQosListen callers). The default value is 2 seconds. )
and
cfgQosPairWaitTimeInSeconds (The maximum amount of time for QoS listeners to wait for the second packet in a packet pair. The default value is 2 seconds. )

Now the problem is that this data is in a structure, and I can't think of a permanent way of increasing the value from here...
This is where I'm momentarily stuck.
Any comments would be appreciated.

Garzahd

« Reply #81 on: May 08, 2010, 12:24:00 PM »

A pointer to a pointer, eh? Well, then that struct must be instantiated and those variables assigned before XNetQosLookup and XNetQosListen are ever called. You'd have to find the point at which that is done.

Sorry if that was too obvious.

Does anyone have an opcode / instruction format reference sheet for the Xbox 360 hardware?

Something similar to this but for PowerPC Xenon or whatever it is that the 360 uses.

I don't have a JTAGged Xbox yet, but I've got a BS in Comp. Sci, I've taken an assembly language class, and I've got some time on my hands, so I might be able to help you guys out.

tiderium

« Reply #82 on: May 10, 2010, 03:11:00 AM »

QUOTE(warwolf @ May 9 2010, 07:23 AM):

> Damn, you need a JTAGged Xbox even for this? In that case, I'm dropping the idea because not so many people have a JTAGged Xbox.
>
> Umm, as for the structure, I've heard it has some default values, but they are also set in the game code, so changing it here wouldn't be a good idea, unless the game developers were too lazy to put their own values.
>
> BTW, here you can find most of the instructions, but I find them a bit harder than the Intel ones.

Don't do that, we need people to keep the scene alive and moving forward. I'm sure people are still trying to figure out how 8995 upwards can be JTAGged, which would blow open the whole scene.

I have played someone in Germany at COD and I'm in Scotland, over XLink Kai, so it does work; just need to find that pesky ping limit and break it.

warwolf

« Reply #83 on: May 10, 2010, 09:08:00 AM »

I'm not dropping the "Try to increase the ping limit" idea, I'm just dropping the "Try to increase the ping limit by modifying the NAND" idea. There's also the "Try to increase the ping limit by modifying packets" idea, which would be more accessible to everyone, but harder to do.

Garzahd

« Reply #84 on: May 10, 2010, 11:05:00 AM »

It might be a good idea to keep exploring the NAND. I'm not exactly sure what information is kept in there, but if we can find the portion of code that encrypts the packets it would greatly aid us.

warwolf

« Reply #85 on: May 10, 2010, 12:43:00 PM »

Damn, my IDA is acting up... I can't open the xex for some reason I can't understand, but if you look at page 6, I posted some function names I found while browsing the xam.xex file, and there were some more about encryption, but I can't make anything out of them because I find PPC instructions a bit weird.
There's also the XNetConnect function which I read about in the XDK Documentation, and I remember seeing it in the xam.xex also.

XNetConnect

Establishes a secure connection with a specified Internet address (in_addr).

INT XNetConnect(
  const IN_ADDR ina
);

Returns zero if successful, an error code otherwise.

If the in_addr specified in ina is invalid, the function returns WSAEINVAL. For a valid in_addr that is in the PENDING or COMPLETED states, the function does nothing and returns zero (but see XNetGetConnectStatus). For an in_addr to an online server with which a security connection has been lost, the function will reinitiate the security connection and return zero. For an in_addr to an Xbox 360 peer with which a security connection has been lost, the function does not reinitiate a connection, and instead returns WSAEINVAL.

Secure connections are normally automatically created in the background the first time a packet is sent to a valid in_addr. A title can call XNetConnect to explicitly start that process before the first packet is sent, initiating the NAT traversal and key exchange required to establish a secure connection. Once a security connection has been lost, the connection is not automatically reestablished when packets are sent; to reestablish lost security connections, titles must either call XNetConnect (for connections to an online server), or XNetXnAddrToInAddr (for connections to another Xbox 360).

A secure connection can be lost when either side of the connection calls XNetUnregisterInAddr or XNetUnregisterKey, or when normal background keep-alive packets are not received for long enough that the connection is deemed broken. XNetGetConnectStatus will return XNET_CONNECT_STATUS_LOST for connections that are in the LOST state.

The process for creating a secure connection and for reestablishing a lost connection depends on the type of connection: Xbox 360-to-Xbox 360 (active), or Xbox 360-to-Xbox 360 (passive).

Xbox 360-to-Xbox 360 (Active Connect)
For a connection from one Xbox 360 to another Xbox 360, the title gets the in_addr to the other Xbox 360 by calling XNetXnAddrToInAddr. This security association starts out in the IDLE state. The state becomes PENDING if the title calls XNetConnect or if a packet is sent to the given in_addr. In the PENDING state all packets sent on the security association are queued for transmit until the key exchange completes successfully and the state changes to CONNECTED.

Should key exchange fail, or should the security association become disconnected (either because the other side sent an explicit disconnect request with a call to XNetUnregisterInAddr or XNetUnregisterKey, or because a packet has not been received from the other side for a while), the state of the security association becomes LOST. An Xbox 360-to-Xbox 360 in_addr in the LOST state is forever invalid, and any attempt to transmit a packet to that in_addr will return WSAEHOSTUNREACH.

Once a peer-to-peer security association becomes LOST the only way to reestablish connectivity to the peer is for the title to once again call XNetXnAddrToInAddr, which will return a different in_addr to the peer. A packet transmitted over this new security association, or an explicit call to XNetConnect, will initiate key exchange and a new security connection with the peer.

Xbox 360-to-Xbox 360 (Passive Connect)
A passive connection from Xbox 360 to Xbox 360 occurs when a host or peer that has registered a key pair (with a call to XNetRegisterKey) receives an incoming key exchange initiator from another peer. At that point, a security association is passively created. The title, upon receiving a packet from the peer, can determine the XNADDR of the peer by calling XNetInAddrToXnAddr.

The initial state of a passive security association is CONNECTED, because a packet cannot arrive until the security association has been established. The security association becomes LOST if the other side fails to send a packet for a while, or if the other side sends an explicit disconnect request with a call to XNetUnregisterInAddr or XNetUnregisterKey. An Xbox 360-to-Xbox 360 in_addr in the LOST state is forever invalid, and any attempt to transmit a packet to that in_addr will return WSAEHOSTUNREACH.

As for an active connection, once a passive peer-to-peer security association becomes LOST the only way to reestablish connectivity to the peer is for the title to once again call XNetXnAddrToInAddr, which will return a different in_addr to the peer. A packet transmitted over this new security association, or an explicit call to XNetConnect, will initiate key exchange and a new security connection with the peer.

Requirements
Header: Declared in Winsockx.h.

Library: Use Xnet.lib.


I'm sorry for posting this if you already know about it.
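The XDK text quoted above describes a state machine for a peer-to-peer security association; the following C model, added here and not part of warwolf's post or the XDK, walks one association through IDLE, PENDING, CONNECTED and LOST and shows why a LOST in_addr can only be replaced, never revived. The sec_assoc struct, the model_* functions and the handle counter are assumptions; only the state names, the API names in the comments and the two Winsock error codes come from the documentation.

```c
/* States of a peer-to-peer security association, per the XDK text quoted above. */
typedef enum { SA_IDLE, SA_PENDING, SA_CONNECTED, SA_LOST } sa_state;

/* Standard Winsock error values named in the documentation. */
#define WSAEINVAL       10022
#define WSAEHOSTUNREACH 10065

/* Constructed model of one security association (not the XDK's real layout). */
typedef struct {
    unsigned in_addr;  /* opaque handle the title holds for the peer */
    sa_state state;
} sec_assoc;

static unsigned next_handle = 1;  /* assumption: handles are just a counter */

/* Model of XNetXnAddrToInAddr: every call hands out a fresh in_addr, starting IDLE. */
static sec_assoc model_xnaddr_to_inaddr(void) {
    sec_assoc sa = { next_handle++, SA_IDLE };
    return sa;
}

/* Model of a passive accept: an incoming key exchange against a registered key
   creates the association already CONNECTED, since a packet has already arrived. */
static sec_assoc model_passive_accept(void) {
    sec_assoc sa = { next_handle++, SA_CONNECTED };
    return sa;
}

/* Model of XNetConnect on a peer in_addr: IDLE starts key exchange (PENDING);
   PENDING or CONNECTED is a no-op returning 0; a LOST peer handle is never revived. */
static int model_connect(sec_assoc *sa) {
    switch (sa->state) {
    case SA_IDLE:      sa->state = SA_PENDING; return 0;
    case SA_PENDING:
    case SA_CONNECTED: return 0;
    default:           return WSAEINVAL;
    }
}

/* Model of sending a packet: on IDLE it implicitly starts key exchange and the
   packet is queued; on CONNECTED it is delivered; on LOST it is rejected. */
static int model_send(sec_assoc *sa) {
    if (sa->state == SA_LOST) return WSAEHOSTUNREACH;
    if (sa->state == SA_IDLE) sa->state = SA_PENDING;
    return 0;
}

/* Key exchange outcome: success moves PENDING to CONNECTED, failure to LOST. */
static void model_key_exchange_done(sec_assoc *sa, int success) {
    if (sa->state == SA_PENDING) sa->state = success ? SA_CONNECTED : SA_LOST;
}

/* Loss event: keep-alives stop, or either side calls XNetUnregisterInAddr/XNetUnregisterKey. */
static void model_lose(sec_assoc *sa) { sa->state = SA_LOST; }
```

After a loss the only path back is a new handle from model_xnaddr_to_inaddr, which is exactly the XNetXnAddrToInAddr round trip the documentation requires.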

codfan21

« Reply #86 on: May 10, 2010, 06:46:00 PM »

My friend recently got a JTAG and we've been trying to figure out how to get me to join his lobby, since he lives in FL and I live in CT and my ping is around 75-82 and needs to be lower than 30. Thank you so much for trying to figure out this problem, because I for one am extremely grateful!

Garzahd

« Reply #87 on: May 10, 2010, 07:35:00 PM »

QUOTE(warwolf @ May 10 2010, 02:43 PM):

> Damn, my IDA is acting up... I can't open the xex for some reason I can't understand, but if you look at page 6, I posted some function names I found while browsing the xam.xex file, and there were some more about encryption, but I can't make anything out of them because I find PPC instructions a bit weird.
> There's also the XNetConnect function which I read about in the XDK Documentation, and I remember seeing it in the xam.xex also.
>
> *snip*
>
> I'm sorry for posting this if you already know about it.

No, I have not seen this before. Where did you get this documentation?

warwolf

« Reply #88 on: May 10, 2010, 11:58:00 PM »

It's the documentation from the Xbox SDK.
I uploaded it here.
Password: forums.xbox-scene.com

Garzahd

« Reply #89 on: May 11, 2010, 09:31:00 AM »

Excellent, thanks.