xboxscene.org forums

Pages: 1 2 [3] 4

Topic: The Ultimate Exploit

Pocki

The Ultimate Exploit
« Reply #30 on: September 25, 2003, 04:00:00 AM »

Hmm, so you are able to create a sector image of an Xbox DVD by using IE's FTP folder view?

evil_inside

The Ultimate Exploit
« Reply #31 on: September 26, 2003, 10:05:00 AM »

A few ideas (discard if irrelevant):

Correct me if I'm wrong, but isn't a DVD's menu system in essence an application that lets the user navigate the DVD disc to jump to sectors (chapter select) or set up the language/subtitles?

If the main menu allows this type of interaction, then wouldn't it be possible to place a file on the DVD that could be run from the DVD's main menu?

Now how to test this theory:

We know (from previous posts) that DVD-R copies of DVDs will work on an unmodded Xbox. They play as any other DVD would. I think it's safe to assume that these copies are simply exact duplicates of DVDs made using a DVD copying application. (I might be wrong though.)

My question is: has anyone tried to author a DVD using something such as iDVD (Apple's DVD authoring tool) or a Windows-based DVD authoring app?

SKoT

The Ultimate Exploit
« Reply #32 on: September 26, 2003, 11:25:00 AM »


Xboxhakur

The Ultimate Exploit
« Reply #33 on: October 04, 2003, 02:35:00 PM »

later...

stanneh

The Ultimate Exploit
« Reply #34 on: October 06, 2003, 05:52:00 PM »

kickass

Reno_000

The Ultimate Exploit
« Reply #35 on: October 09, 2003, 12:35:00 AM »

Bump

Keep it up

Xboxhakur

The Ultimate Exploit
« Reply #36 on: October 09, 2003, 01:46:00 AM »

later...

Reno_000

The Ultimate Exploit
« Reply #37 on: October 09, 2003, 05:53:00 AM »

What will you call your exploit?

Elmo?

Yoshiofthewire

The Ultimate Exploit
« Reply #38 on: October 09, 2003, 06:49:00 AM »


XanTium

The Ultimate Exploit
« Reply #39 on: October 09, 2003, 05:53:00 PM »

The ISO crashed the xbox ...

Here's the nfo:
QUOTE

Retail Xbox Crasher Disk
------------------------

Burn this disk to a CD-RW or DVD-RW.  When you stick it in a retail Xbox,
it will crash =)  (Reboot without the disk and it'll be fine.)


Q. How is this disk useful?

A. It isn't.  It has only a symbolic meaning: the Xbox doesn't have perfect
   error checking.  This was made to demonstrate that buffer overflowing the
   kernel should be looked into, since at least 1 bug was found so easily.


Q. Can variations on this disk be used to buffer overflow?

A. Probably not.  The kernel just loops forever.


Q. How does this disk work?

A. The answer lies in the GDFS file system structure.  In GDFS, the list of
   files in a directory is a binary search tree keyed on the filename.  If
   a filename is smaller than the current file, it looks to the left.  If
   it's bigger, it looks to the right.  This disk was made by making a file
   whose name was less than default.xbe have its right child point to
   itself.  When the Xbox GDFS file system driver tries to find default.xbe,
   it gets into an infinite loop continually looking for the right child.

   Note that the file can't be the first file (root of the tree), because
   the value 0000 in a child pointer is reserved for meaning "none".


Q. How does this disk get read at all?  I thought the Xbox didn't read any
   disks but the special DVD-ROMs.

A. Not true.  The Xbox actually will mount GDFS disks on any medium that the
   laser can read.  They even will load default.xbe.  (If the media type
   field in the XBE header actually said both HDD and DVD, and the XBE were
   signed by MS's private key, it would even boot it.)

by anonymous.



Dunno if it can be useful for your research.

You can download the ISO here: http://dwl.xbox-scen...s/crashxbox.zip (yes, it's legal).
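An added example, not code from the post or from the crasher ISO: a small Python model of the directory tree the NFO describes, with a naive walk that behaves the way the NFO says the kernel does and a hardened walk that refuses to visit a record twice. The record layout, the case-insensitive name comparison and the sample file names are assumptions, not facts from the page.

```python
import struct

# Assumed record layout (the NFO states only the tree rules): left and right child (u16 each, in
# 4-byte units, 0 = none), start sector (u32), size (u32), attributes (u8), name length (u8), then
# the name padded to 4 bytes. Names compare case-insensitively (also an assumption).
HDR = struct.Struct("<HHIIBB")
def entry(left, right, name, sector=0, size=0):
    raw = HDR.pack(left, right, sector, size, 0, len(name)) + name.encode("ascii")
    return raw + b"\x00" * (-len(raw) % 4)

def build_table(records):
    """records: (name, left_name, right_name, sector, size); the first record is the root."""
    offsets, pos = {}, 0
    for name, *_ in records:                      # first pass: where each record lands
        offsets[name], pos = pos, pos + len(entry(0, 0, name)) // 4
    return b"".join(entry(offsets.get(l, 0), offsets.get(r, 0), n, sec, sz)
                    for n, l, r, sec, sz in records)

def read_entry(table, off):
    if off + HDR.size > len(table): raise ValueError(f"pointer at byte {off} runs past the directory")
    left, right, sector, size, _attr, nlen = HDR.unpack_from(table, off)
    return left, right, sector, size, table[off + HDR.size:off + HDR.size + nlen].decode()

def lookup(table, target, hardened=True, max_steps=1000):
    """Walk as the NFO describes: smaller name goes left, bigger goes right, 0 ends the search.
    Naive mode follows pointers blindly (max_steps only keeps the demo finite); hardened mode
    visits each record at most once, so a child pointing back at itself is rejected, not looped on."""
    seen, off, steps = set(), 0, 0
    while steps < max_steps:
        if hardened and off in seen:
            raise ValueError(f"cycle: record at byte {off} reached twice")
        seen.add(off)
        left, right, sector, size, name = read_entry(table, off)
        if target.upper() == name.upper():
            return sector, size
        nxt = left if target.upper() < name.upper() else right
        if nxt == 0:                              # 0 is reserved for "no child"
            return None
        off, steps = nxt * 4, steps + 1
    raise RuntimeError("naive walk did not terminate")

def probe(table, target, hardened=True):
    try:
        return "found" if lookup(table, target, hardened) else "absent"
    except (RuntimeError, ValueError):
        return "rejected" if hardened else "hung"
# Constructed samples (not the post's ISO): a sane tree, and one where a file sorting before
# DEFAULT.XBE has its right child pointing at itself, as the NFO describes.
GOOD = build_table([("README.TXT", "AAA.BIN", None, 33, 100), ("AAA.BIN", None, "DEFAULT.XBE", 40, 512),
                    ("DEFAULT.XBE", None, None, 41, 65536)])
CRASHER = build_table([("README.TXT", "AAA.BIN", None, 33, 100), ("AAA.BIN", None, "AAA.BIN", 40, 512)])
```

Running `probe(CRASHER, "default.xbe", hardened=False)` reports "hung" while the hardened walk reports "rejected"; the naive walk only stops because of the demo's step bound.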

LEDHaywire

The Ultimate Exploit
« Reply #40 on: October 09, 2003, 08:42:00 PM »

Here is a copy of what DVDinfopro had to say about my copy of Halo on my Optorite DD0203 drive:
-----------------------------------------------------------------------------------------------------------------
Disc Regions are                                          1,2,3,4,5,6,7,8
Media code/Manufacturer ID                                N/A Pressed DVD
Format Type                                                      UDF 1.02
Volume Name                                                SEP13011042072
Application id                                                          
Implementation id                                     Smart Storage, Inc.
Recording Date/Time (mm/dd/yyyy)                       9/13/2001 10:42:55
Format Capacity                                            0.01GB(0.01GB)
Book Type                                                         DVD-ROM
Media Type                                                        DVD-ROM
Data area starting sector                                          30000h
Data area end sector                                                1B4Fh
Layer 0 end sector                                                 31AAFh
Linear Density                                                0.293um/bit
Track Density                                                0.74um/track
Number of Layers                                                        2
Layer Track Path direction                      (OTP) Opposite track path
Layer Type                                                     Recordable
--------------------------------------------------------------------------------------------------------------

Could someone shed light on this "Opposite Track Path"... it's listing the Layer Type as "Recordable" as well... could this mean that the second layer is not finalized, or is there something hidden? Someone please school me on this.

Secondly, you can see that this disc has 2 layers... this was purchased the same day I bought my first Xbox (release day). Note that Halo is a 3.3GB game... on a dual-layer disc?

Now for another Game...Moto GP 2
----------------------------------------------------------------------------------------------------------------
Disc Regions are                                          1,2,3,4,5,6,7,8
Media code/Manufacturer ID                                N/A Pressed DVD
Format Type                                                      UDF 1.02
Volume Name                                                SEP13011042072
Application id                                                          
Implementation id                                     Smart Storage, Inc.
Recording Date/Time (mm/dd/yyyy)                       9/13/2001 10:42:55
Format Capacity                                            0.01GB(0.01GB)
Book Type                                                         DVD-ROM
Media Type                                                        DVD-ROM
Data area starting sector                                          30000h
Data area end sector                                                1B4Fh
Layer 0 end sector                                                 31AAFh
Linear Density                                                0.293um/bit
Track Density                                                0.74um/track
Number of Layers                                                        2
Layer Track Path direction                      (OTP) Opposite track path
Layer Type                                                     Recordable
-----------------------------------------------------------------------------------------------------------------
Despite the fact that all Xbox discs are copy protected, the data read and end sectors are always going to be the same when reading info via PC.

Moto GP2 clocks in at 2.7GB

Let's see Brute Force's information...
---------------------------------------------------------------------------------------------------------------
Disc Regions are                                          1,2,3,4,5,6,7,8
Media code/Manufacturer ID                                N/A Pressed DVD
Format Type                                                      UDF 1.02
Volume Name                                                SEP13011042072
Application id                                                          
Implementation id                                     Smart Storage, Inc.
Recording Date/Time (mm/dd/yyyy)                       9/13/2001 10:42:55
Format Capacity                                            0.01GB(0.01GB)
Book Type                                                         DVD-ROM
Media Type                                                        DVD-ROM
Data area starting sector                                          30000h
Data area end sector                                                1B4Fh
Layer 0 end sector                                                 31AAFh
Linear Density                                                0.293um/bit
Track Density                                                0.74um/track
Number of Layers                                                        2
Layer Track Path direction                      (OTP) Opposite track path
Layer Type                                                     Recordable
-----------------------------------------------------------------------------------------------------------------
Not only are all three media info reads the same... all games have 2 layers (I couldn't post all of them)... In this case Brute Force legitimately needs both layers because of its 5.1GB size.


Check this link out: Smart Storage Inc.

To sum this all up in a nutshell (after you have read the link): Smart Storage Inc. is really tight with MS. MS used their software to compile GDFS images, then to be burned onto disc (along with copy protection). Perhaps one of their data recovery software packages involving "Media Cloning" can help us learn about this 2048-bit key...

"Smart Storage Inc." is written on every single media ID of every Xbox game released... I would suppose that breaking the key within the privacy of our own home is not too far off... is anyone listening?


LEDHaywire

The Ultimate Exploit
« Reply #41 on: October 10, 2003, 06:25:00 AM »

That 13 megs of "true data" happens to be a VOB file of the Xbox logo; try putting an Xbox game in your home DVD drive and you'll see what I'm talking about. When you put an Xbox game in your PC you can only see the Video_TS folder. It's a cool animation that I have yet to include in my MXM skinning (after a WMV conversion). The VOB is unencrypted, BTW.

What someone needs to do is figure out a way to emulate the Xbox disc strategy by installing an Xbox drive in a regular PC. While this may not be new, it is quite possible to emulate disc activity. Perhaps there is already something out there that can do it but has not been addressed.

Remember that dual-layered discs operate just like a single-layer disc, and just because one layer is not finalized does not mean that it doesn't have data on it. Hidden files in the XISO format... very possible.

Maybe there is a way to change the implementation ID on standard media to reflect that of a genuine disc...

Disc creation dates are set to September 13th.....

Xbox discs are a hybrid format, having both UDF and XDFS. Kind of reminiscent of those AOL discs that work in both Macs and PCs.

Even though the data-in and data-out tracks only point to the UDF portion of the disc, there is a possible way to read the entire disc in raw format (forced sector copy).

Here is a funny read on this topic we are all talking about:
Click Here

LEDHaywire

The Ultimate Exploit
« Reply #42 on: October 10, 2003, 06:28:00 AM »


derived

The Ultimate Exploit
« Reply #43 on: October 10, 2003, 10:22:00 PM »

CODE

open DVD filesystem...
(The Xbox will never execute any bootstrap or bootblock code from the DVD)

if its a movie DVD, then,
   verify DVD
   call the dashboard and ask it to play the DVD, streaming DVD data to the player

or else, if its a XISO, then,
   open file default.xbe
   hash default.xbe
   verify media flag with what DVD-drive says
   if the hash & media flag are correct, then and only then
       copy XBE into RAM
       jump to start of XBE code

Once the dashboard is launched, it will run code like

if its a CD-DA disc
   open CD-DA audio player, streaming CD data to the player


These are the only times the Xbox will read the disc. Since with CD-DA and DVD movies it is merely streaming data, it will never perform the two operations required to boot any code whatsoever from the DVD: copying it to RAM and jumping to it.

You may be able to get it to copy XBE data into RAM, but it will only copy it into temporary RAM, and this will not be run unless the kernel or dash is programmed to jump to it. Thus it will not boot just any data loaded.

Your only chance is to have it load data engineered such that when the kernel or dash processes it, it overflows from its allocated part of memory into the program code section, overwriting the program code the Xbox is running. This avoids the necessity for a jump. Accordingly, this is called a "buffer overflow" attack.

How do you do this data engineering? You must first do a lot of reverse engineering to find out exactly how it is processing loaded data, to find a possible weakness. Otherwise you don't stand a chance.

Of course, you may think it's possible to fool the Xbox into thinking it's a pressed DVD. However, with the DVD drive's built-in check for the media type, this is impossible.

LEDHaywire

The Ultimate Exploit
« Reply #44 on: October 13, 2003, 01:45:00 PM »

Xboxhakur, one thing you can't rule out: we know that MS uses UDF and GDFS for their file system on a DVD disc. What if they are using a different format as well on the disc that we are not aware of?

Look at the Halo disk for the Xbox under a strong 100-watt light bulb. You'll notice 2 sets of rings in the middle sections of the disk. You don't get this same effect by copying the disk via FTP and compiling/burning it. These rings are random on just about every other Xbox game. I think the protection scheme on the disks has something to do with multisessions.

In theory I think that the Xbox carries an encrypted lead-in/lead-out track that recognizes these "partitions" on the Xbox game disk, thus if this lead-in/lead-out cannot be found on a DVD-R the Xbox will not recognize it as authentic.

What someone needs to do is create an Xbox program that can rip the contents of the DVD raw to an ISO file, keeping the file system and any abnormalities on the DVD intact. Upon obtaining this "compatible" image it would then be possible to upload it to your PC and burn it to a DVD-RW or DVD-R for testing.

Note as well that the linear density on Xbox DVDs is .293, while the linear density of DVD-Rs is .267. Track density is the same for blank DVDs and Xbox games at .74. The Xbox probably reads the ATIP info as well, and if they don't meet these parameters that could be a 1st level of defense for the Xbox against playing copied games.

BTW, I have not tried this yet, but is there a way to hotwire the actual Xbox DVD drive to your regular PC? I have searched through various posts, but if this is successful, why not rip the image that way...