xboxscene.org forums

Author Topic: Could The Exploit Be Modified Like This?

Mordenkainen

  • Archived User
  • Sr. Member
  • Posts: 447
Could The Exploit Be Modified Like This?
« on: July 08, 2003, 09:50:00 PM »

My understanding of what is going on with the exploit is:

The xbox boots, and shadows the BIOS into memory. Then, the MSDashboard loads and loads the font files. Through a magical combination of buffer errors, some arbitrary code gets executed.

This code patches the kernel to change a few things (like the sig checking) and invokes Evox.

Now to my question:
If the code can patch the kernel in memory, can it patch the BIOS? Just have it load one of the modchip BIOSes into memory, then go about its business?

Morden

Troed

  • Archived User
  • Full Member
  • Posts: 204
Could The Exploit Be Modified Like This?
« Reply #1 on: July 08, 2003, 11:32:00 PM »

It's amazing to see the amount of people interested in this hack, and how few of them know enough about programming to actually make something out of it.

I mean - the first thing people should react to is the fact that a lot of these hacks need signatures on files they can execute. Have you thought about what that might mean they've done to the bios-shadow?

(Some people usually respond to my posts and say "why don't you .. ". The answer is: This is what I want to do - make people think for themselves instead of just using ready-made solutions)

So, can anyone answer my question above? Come on - show off a bit :)

Troed

  • Archived User
  • Full Member
  • Posts: 204
Could The Exploit Be Modified Like This?
« Reply #2 on: July 09, 2003, 06:34:00 AM »

Damnit.

Read through my post above again. There are way too many useless threads (the latest about getting signed things working on 3944) here.

THINK people. THINK about what the exploits are doing - THEN try to change them towards working as you want. Remember that Free-X are _proof of concept_ exploits. They WILL do what you want if you only ...

*sigh*

Troed

  • Archived User
  • Full Member
  • Posts: 204
Could The Exploit Be Modified Like This?
« Reply #3 on: July 09, 2003, 09:58:00 AM »

*lol*

I didn't get a response here, but over at Xbox-Linux someone had done all the hard work already ;) Read this - then you'll understand a lot more. (Only the part where the real code is executed and its description at the end is important).

http://xbox-linux.so...d=2003189065649

So, do you NOW understand why you have to sign everything you want to run when using these hacks?

Do you also understand what should be modified in a new 007/MechAssault exploit to get rid of having to sign everything .. ?

CabaretVoltaire

  • Archived User
  • Newbie
  • Posts: 13
Could The Exploit Be Modified Like This?
« Reply #4 on: July 09, 2003, 10:52:00 AM »

That's an interesting read, Troed.  But I don't think it's all that relevant to the question asked.

Basically it's just changing the key to something known, right?  So then you can sign things with this known key and they will run (does this mean legitimate software won't run??).  This hack just changes the key, it doesn't remove the need for it.

The fake hack stuff hints at removing the need for the key as it's patching the kernel memory, which is what Mordenkainen is asking about.  Although rather than patching kernel memory we'd want to completely replace its contents with a hacked BIOS image.  Which seems plausible to me.  The existing hack (bert cheating on ernie) is writing bits to kernel memory, why not completely replace what's there instead?  Seems like the only universal way of doing a softmod to me.  

Until then the only way I can think of getting this to work on v1.1 and up is to change the memory addresses that the hack is patching.  I don't know nearly enough about the Xbox (or x86 asm!) to do this though :(

Troed

  • Archived User
  • Full Member
  • Posts: 204
Could The Exploit Be Modified Like This?
« Reply #5 on: July 09, 2003, 11:28:00 AM »

You're correct.

Change the 007 hack to instead of patching 4 bytes of the public key, change the code where the signature is verified. The modbioses do this already - just diff them against an original bios (or look at !Loader for 4034). This will create a 007/MechAssault exploit that when having loaded EvoX will also load all backups, homebrew, originals etc.

Regarding patching the kernel in ram vs replacing it with a modbios - that's the same thing. It's all a matter of how many bytes you want to write to ram, and whether you want to have a list of different positions to patch for different kernels or just brute force overwrite it all (caveat: that's a bit more difficult) with a complete already-patched image.

I hope this thread will be pointed to when people ask why they have to sign stuff they want to boot using the habibi and Free-X hacks.

CabaretVoltaire

  • Archived User
  • Newbie
  • Posts: 13
Could The Exploit Be Modified Like This?
« Reply #6 on: July 09, 2003, 11:38:00 AM »

Is documentation and disassemblies of the various BIOSs available?  I'm tempted to have a poke around and have a go at getting this stuff running on my v1.1..  Probably won't get anywhere but it's better to try than to sit around moaning until someone else does it ;)


I'm sure that FreeX mentioned it's possible to cause a buffer overflow with wav files (not the playlist database thing)  in the same way as the font files..  Do you think it's possible to make a music cd with a "bad" wav track on that does the same thing as the 007 hack?

eug2k

  • Archived User
  • Full Member
  • Posts: 172
Could The Exploit Be Modified Like This?
« Reply #7 on: July 09, 2003, 01:29:00 PM »

That's what I was thinking.

CabaretVoltaire

  • Archived User
  • Newbie
  • Posts: 13
Could The Exploit Be Modified Like This?
« Reply #8 on: July 09, 2003, 01:48:00 PM »

QUOTE
!loader does these things. But a few bugs with the font hack need to be worked out like the clock error.


!Loader only works on one kernel version though, doesn't it?

Cherry

  • Archived User
  • Jr. Member
  • Posts: 79
Could The Exploit Be Modified Like This?
« Reply #9 on: July 09, 2003, 05:43:00 PM »

QUOTE (Troed @ Jul 9 2003, 08:32 AM)
I mean - the first thing people should react to is the fact that a lot of these hacks need signatures on files they can execute.

Well, that wasn't my first reaction. It's clever, true, but I would have just gone straight for the kernel hack, and removed the need for it completely ;)

NeoKast

  • Archived User
  • Full Member
  • Posts: 128
Could The Exploit Be Modified Like This?
« Reply #10 on: July 09, 2003, 07:19:00 PM »

QUOTE (CabaretVoltaire @ Jul 9 2003, 07:38 PM)
Do you think it's possible to make a music cd with a "bad" wav track on that does the same thing as the 007 hack?

No.

The .wav exploit would have to be invoked from a .wav file related to the MS dash on the hard drive, not the disc.

So, you'd still have to get the .wav file on the HDD somehow.

Don't confuse this with the audio hack since that uses the database file and not a .wav file.

Think font exploit when you think .wav exploit. It would happen the same way.

Artifex

  • Archived User
  • Full Member
  • Posts: 231
Could The Exploit Be Modified Like This?
« Reply #11 on: July 09, 2003, 07:48:00 PM »

Ok, yes these exploits modify the bios (/kernel) to do fun things.  In the original proof of concept free-x exploit, it simply replaced the key in memory with something that was very easy to factor.  "Bert is cheating on ernie" expanded upon this, and put simple additions in to make it run even things with no signature, assuming you had a bios that was easily patchable towards such an end.

However, just 'replacing the whole bios' is another sort of cookie altogether.  Since the bios is really the kernel, and the kernel is the "O.S." so to speak, replacing your bios by just writing the new one to memory would be like trying to take a computer running windows 98 and "replace the os in memory" with windows xp, and expecting doom 3 to not skip a frame.  It's theoretically possible, but in practice it's very close to the 'not realistically possible.'

--Artifex
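The two approaches the thread contrasts (Troed's reply #5: swap the public key versus patch the code where the signature is verified; Artifex's reply #11: the original proof of concept replaced the key in memory, "bert cheating on ernie" went further) both rest on the same weakness: the key and the verifier live in ordinary writable RAM once the BIOS is shadowed. The toy model below is an added example written for this thread, not code from any post, from Free-X, or from any Xbox BIOS. It uses textbook RSA with tiny constructed primes (no padding, illustration only) and a dict standing in for the shadowed kernel. It shows why a key swap stops vendor-signed software from running (CabaretVoltaire's question in reply #4) while a patched verifier runs anything, and why the usual mitigation is to have something immutable measure the key and verifier before trusting them; that measurement step is a generic hardware-root-of-trust design, not a description of what the Xbox did.

```python
import hashlib

# --- Toy RSA: textbook, tiny primes, no padding. Constructed values only. ---
def make_keypair(p, q, e=65537):
    """Return (n, e, d). p and q are assumed prime; 65537 must not divide phi."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)
    return n, e, d

def digest_mod_n(blob, n):
    """SHA-256 of the blob reduced into the RSA group (textbook hash-then-sign)."""
    return int.from_bytes(hashlib.sha256(blob).digest(), "big") % n

def sign(blob, n, d):
    return pow(digest_mod_n(blob, n), d, n)

# --- Model of the kernel's signature check living in writable RAM ---
class KernelImage:
    """A mutable dict stands in for the shadowed kernel. The public key and the
    verifier's enforce flag are plain memory, which is what the thread's
    'patch 4 bytes of the key' versus 'patch the verifier' discussion is about."""
    def __init__(self, n, e):
        self.mem = {"pubkey_n": n, "pubkey_e": e, "enforce_sig": True}

    def verify(self, blob, sig):
        if not self.mem["enforce_sig"]:
            return True  # models a verifier whose check has been patched out
        n, e = self.mem["pubkey_n"], self.mem["pubkey_e"]
        return pow(sig, e, n) == digest_mod_n(blob, n)

# --- Mitigation: measure the trust-relevant state against a pinned value ---
def measure(kernel):
    """Hash of key + verifier flag. In a real design this would be computed by
    immutable boot code and compared with a value it holds, not by the kernel."""
    m = hashlib.sha256()
    for key in sorted(kernel.mem):
        m.update(f"{key}={kernel.mem[key]};".encode())
    return m.hexdigest()

def boot_check(kernel, pinned_measurement):
    """True only if neither the key nor the verifier flag has been altered."""
    return measure(kernel) == pinned_measurement

def demo():
    """Walk through the three states the thread talks about; returns a dict."""
    vendor_n, vendor_e, vendor_d = make_keypair(1000003, 1000033)  # constructed
    kernel = KernelImage(vendor_n, vendor_e)
    pinned = measure(kernel)  # the value immutable boot code would hold
    app = b"vendor-signed dashboard (constructed sample blob)"
    vendor_sig = sign(app, vendor_n, vendor_d)
    out = {
        "pristine_vendor_app_ok": kernel.verify(app, vendor_sig),
        "pristine_boot_check": boot_check(kernel, pinned),
    }

    # State 1: public key in RAM replaced by one whose private half is known.
    other_n, other_e, other_d = make_keypair(1000037, 1000039)  # constructed
    kernel.mem["pubkey_n"], kernel.mem["pubkey_e"] = other_n, other_e
    out["swapped_key_vendor_app_ok"] = kernel.verify(app, vendor_sig)  # originals fail
    out["swapped_key_resigned_ok"] = kernel.verify(app, sign(app, other_n, other_d))
    out["swapped_key_boot_check"] = boot_check(kernel, pinned)  # swap is detected

    # State 2: the verifier itself patched, so nothing needs a signature at all.
    kernel = KernelImage(vendor_n, vendor_e)
    kernel.mem["enforce_sig"] = False
    out["patched_verifier_unsigned_ok"] = kernel.verify(app, 0)
    out["patched_verifier_boot_check"] = boot_check(kernel, pinned)  # detected
    return out

if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The lesson for anyone designing a signed-boot chain is in the last column of each state: a check that reads its key and its enforce flag from memory the verified code can write gives no integrity guarantee by itself, and the only thing that restores one is a measurement taken by code and data the running system cannot modify.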

luther349

  • Archived User
  • Hero Member
  • Posts: 842
Could The Exploit Be Modified Like This?
« Reply #12 on: July 09, 2003, 08:29:00 PM »

A fake .wma file would work even better hehehe. Then ya can just select it right from the music menu.

NeoKast

  • Archived User
  • Full Member
  • Posts: 128
Could The Exploit Be Modified Like This?
« Reply #13 on: July 09, 2003, 08:33:00 PM »

Won't work.

The audio hack resides in the database file, not in any audio file.

The .wav file exploit would be kicked off on boot by MS dash, just like the font hack.