xboxscene.org forums

Author Topic: Font Hacks - Loop Problem  (Read 165 times)

jsrlepage

« on: February 29, 2004, 11:49:00 AM »

Just a little thought on how to end this problem...

Could the coders make something in the hack that, on power-on, loads the time from a file if the clock has been reset?

Or anything... Shoot your ideas! More heads on this problem could very well mean some crazy-ass but working solutions... Go ahead! Make that useless gray matter work for a change! :P

edit: we COULD as well hack the xip/xbx/xbe loaded when the clock wants to be set and load a "default time and date". That way, no loop! (Bios calls for a clock set -> intercepted by the hack -> set time and date to preset -> reboot -> loop T.E.R.M.I.N.A.T.E.D.)

This post has been edited by jsrlepage: Feb 29 2004, 07:55 PM

shodanjr_gr

« Reply #1 on: March 01, 2004, 02:14:00 AM »

I think that in order to do what u are suggesting you have to alter the msdashboard xbe.

That is not possible for two reasons:
a) It's illegal (but who cares :P )

b) The xbox will detect an altered, unsigned xbe and won't load it.

Jesper64

« Reply #2 on: March 01, 2004, 03:19:00 AM »

As the poster above said, this wouldn't work because it would be unsigned code.

QUOTE
Or anything... Shoot your ideas! More heads on this problem could very well mean some crazy-ass but working solutions... Go ahead! Make that useless gray matter work for a change!


The font exploits have been out for a while now, not to mention a couple of revisions; if a solution were to be found it would probably have been done by now...

joeyjermiah

« Reply #3 on: March 02, 2004, 05:57:00 AM »

QUOTE
b)The xbox will detect an altered unsigned xbe and wont load it.


I just got to thinking: to launch the msdash we alter the xtf extension in the xbe without signing, so why would this be any different?

QUOTE
The font exploits have been out for a while now, not to mention a couple of revisions, if a solution was to be found it would probably have been done by now


If everyone thought like this the exploits would never have been thought of in the first place.

This post has been edited by joeyjermiah: Mar 2 2004, 01:58 PM

shodanjr_gr

« Reply #4 on: March 02, 2004, 07:13:00 AM »

QUOTE (joeyjermiah @ Mar 2 2004, 03:21 PM)
QUOTE
b)The xbox will detect an altered unsigned xbe and wont load it.


I just got to thinking: to launch the msdash we alter the xtf extension in the xbe without signing, so why would this be any different?

QUOTE
The font exploits have been out for a while now, not to mention a couple of revisions, if a solution was to be found it would probably have been done by now


If everyone thought like this the exploits would never have been thought of in the first place.

Because when u do the fonts exploit you do not change the MS Dash xbe, you just downgrade it to 4920. The exploit works this way:
1. XBOX opens
2. XBOX Bios detects a valid MS Dashboard file
3. XBOX loads the MS Dash (which results in the dash trying to load the font files)
4. Font exploit (modified font files) kicks in
5. Default.xbe is loaded from c:

As you see, the font part is after the dashboard loading part.


ldots

« Reply #5 on: March 02, 2004, 07:17:00 AM »

QUOTE
I just got to thinking: to launch the msdash we alter the xtf extension in the xbe without signing, so why would this be any different?

When do you do that? If you mean changing the font extension in the msdash in order to load it from evox, xbmp, whatever... you either re-sign the modified msdash.xbe with the appropriate public key (oh yes you do) or you have invoked PBL to load a hacked bios which disables the signature check.

To your other suggestion about making the exploit either set a default time or check a flag to see whether the time needs setting or not: this is kind of what the Reloaded and Bigfonts do (please correct me if I am wrong!), or at least are trying to do. The catch here is that there is a "time-issue", or a race going on if you like. In order to have real control of the xbox, the actual exploit code of the hacked fonts needs to be reached before the bios finds that the clock is not set. It is my understanding that the loop occurs if the exploit code of Ernie (any version) is not reached (and executed). Why is it not reached? Check out: http://forums.xbox-scene.com/index.php?showtopic=95297&st=0
Ernie has a big exception net that is supposed to catch an exception generated by the hacked fonts (by their alteration of the memory). After this exception is caught, multiple jumps are made to reach the exploit code. If we don't get there in time, the clock-setting code in the msdash could be called - it needs the (real) fonts to work - it tries to load the hacked ones -> loop

I guess it is a bit random which thread generates an exception and is caught by Ernie's exception net, so after a number of loops we could be lucky that we hit the net in such a place that the exploit code is reached in time, so that whatever clock-rescue code is included (Reloaded, Bigfonts, Mech fonts) can do its magic. Maybe this is also the reason why some people have success in escaping the loop by stalling the xbox in various ways (network cable, scratched audio CD etc.). If no such code is included (original free-X fonts) the xbox will loop forever.

Anyway. This is just my picture of what could be going on. Someone with more insight is welcome to correct me... But the bottom line is that before coming up with ways to check or set the clock via the exploit, we need to find a way to increase the probability of actually reaching the exploit code of Ernie.

Xboxhakur_band

« Reply #6 on: March 02, 2004, 07:29:00 AM »

I like the idea. It would require more payload to be added to the exploit code; it would most likely be easiest to change the xboxdashdata dir.
The whole boot sequence can be manipulated with the xips, as can the menus and a lot of other things.

The main problem here is most of these guys do not understand the mechinstaller fonts, let alone even know they exist...

Here's how I believe ionic's fonts work...
Kernel loads xboxdash.xbe and then that loads the fonts causing the overflow (underflow?).
They dump their payload, which waits for certain events to happen. The fonts then do a warm reboot and modify *.xtf in RAM to *.bak. They also search for the Live tab and modify that. The whole time they are waiting for a DVD to be inserted so that they can then switch between the original M$ key and the habibi key depending on what type of disk is inserted. (The hacked ones use habibi; the original Linux version used their own private key.)

The only part I can't figure out is how to get these fonts to load a hexed dash instead of the original, unless it is also possible to modify the dash's signature in RAM at that point too. Loading the original with modified xips will cause an error.

ldots

« Reply #7 on: March 02, 2004, 10:31:00 AM »

The Mech fonts truly are a piece of beauty. They don't include code to try and prevent the clock from being set, but instead quickly reload the dash while watching certain memory locations in order to patch the font extensions (as xboxhakur_band says). That way, if the clock-setting code needs to be called, it will look for the original fonts (*.bak). However, if this doesn't happen before the clock code is called - loop away!
So yes. Changing the boot sequence might help the fonts in succeeding, but we can't change any xips before the first boot (-> error), and doing any patching requires control of the xbox, i.e. an initial first successful exploit.
So again. How do we increase the chance of reaching the main exploit code of Ernie? As I understand from Grospolina's analysis of Bigfonts, they don't jump down towards the exploit code (like the other versions) but instead up. When the top is reached, a jump down to the actual code is done (the exact memory location must be known). I wonder what the Mech fonts do? Jump up or down? If down, maybe up could be tried. Another idea: could one put checkpoints in this jumping code, so that we only had to jump to the nearest checkpoint and then do a big jump to the actual code? Just throwing out ideas  B)

This post has been edited by ldots: Mar 2 2004, 07:00 PM

Grospolina

« Reply #8 on: March 02, 2004, 11:39:00 AM »

You mean someone actually understands my article? Seems like it! :P

QUOTE (ldots)
As I understand from Grospolina's analysis of Bigfonts, they don't jump down towards the exploit code (like the other versions) but instead up. When the top is reached, a jump down to the actual code is done (the exact memory location must be known). I wonder what the Mech fonts do? Jump up or down?


I thought I had updated the article for MI fonts, but I guess not. I believe they jump up. However, I later found another, more important reason that the exception net was changed: no matter where it jumps in the net, the first instruction executed will always be to clear interrupts. It's very slick.

QUOTE (ldots)
Another idea: could one put checkpoints in this jumping code, so that we only had to jump to the nearest checkpoint and then do a big jump to the actual code?


I'm afraid you can't do that (or shouldn't). A checkpoint would have to be around 10-12 bytes or so, and there's a chance that the code will jump from Bert into the middle of those bytes and die. It might work for some, but it wouldn't be as robust.

QUOTE (Xboxhakur_band)
The only part I can't figure out is how to get these fonts to load a hexed dash instead of the original, unless it is also possible to modify the dash's signature in RAM at that point too.


That wouldn't be possible. It checks xboxdash.xbe before running it, and it loads the fonts after running it. The only ways are to launch a hexed copy after exploiting (which we can already do), or to modify the dashboard in RAM (like MI fonts).

joeyjermiah

« Reply #9 on: March 02, 2004, 03:14:00 PM »

QUOTE
QUOTE 
I just got to thinking: to launch the msdash we alter the xtf extension in the xbe without signing, so why would this be any different?


When do you do that? If you mean changing the font extension in the msdash in order to load it from evox, xbmp, whatever... you either re-sign the modified msdash.xbe with the appropriate public key (oh yes you do) or you have invoked PBL to load a hacked bios which disables the signature check.


Yes, you are right, I am sorry. I was thinking of linking msdash from evox after PBL has loaded; not sure what I was thinking there.

jsrlepage

« Reply #10 on: March 05, 2004, 08:01:00 AM »

I just read your posts and this is what I think (sorry, I'm not in this as well as you are):

When the xboxdash.xbe tries to set the clock and loops because of the font, there MUST be a special command issued for the loading of the fonts. They MUST be called in some special way (was this already covered? I'm not sure) and MUST try to load the font files directly from some precise address. What we (excluding the orator - me) COULD do is put in a command-net that catches the "special" load call and jumps to the loading hack normally, or put in a "check" routine that sees if the clock config was called.

I'm just throwing ideas here.

ldots

« Reply #11 on: March 05, 2004, 09:48:00 AM »

My whole point was exactly that at the time xboxdash.xbe tries to set the clock we do not yet have real control of the xbox. We could "be" somewhere in the exception net. Therefore we cannot "listen" for this call. That was the "time-issue" I referred to.

You are of course right Grospolina. Checkpointing would be a bad idea for that reason exactly.

I guess the Mech fonts are almost as good as they get. However, their success seems to depend very much on which particular xbox version/which environment they run on - isn't that so? Maybe the size of the exception net could be optimized on the versions that seem to have trouble (catfish did a bit of experimenting with that, I think). Personally I have never had any serious looping with either Reloaded, Bigfonts or Mech fonts on my v1.0. That of course would produce Mech fonts for v1.0, v1.1 ... which would mean even more ways for uncareful font-exploiters to end up in the loop  :unsure:

jsrlepage

« Reply #12 on: March 05, 2004, 07:54:00 PM »

We do not have control of the box? So be it.

But the clock still tries to load fonts. How can we catch that load? And yes, it could be a very good idea to make specialized hacks for each of the versions. Impractical, yes, but great alternatives nonetheless. Still, we can keep the old hacks for newcomers, who will then install the generics and dig a little so they can understand the hacks completely, and then they'll pick the specialized ones when they know enough.

Specialized hacks could be a VERY good alternative. That way, the Xbox will be truly hijacked ;-).