Print

[rmenhal]

QUOTE ({later} @ May 23 2004, 12:59 PM)

And still this does not work   Every other exploit worked perfect for me...

It just freezes in the xbox-logo screen? What happens if you eject the tray at that point? If your box reboots, then the kernel has crashed - possibly because the exploit didn't work.

Can you try the bert_ate_ernie.xtf below? Led will blink red if execution ever gets to the exploit. I also increased the landingzone a bit. Trouble here is that it cannot be made very large. First of all, in general, it's good to keep memory corruption as minimal as possible. Second, there's going to be a page-fault if bert overflows into a non-mapped page.

Here's the md5sum and crc-32 of my update.xbe so you can check you have the correct file. Remove the first 8192 bytes of the file - in unix-type systems you can do this with "dd if=update.xbe of=noheader bs=8192 skip=1".

md5sum: 571de69aaf0a32a59f843b50cc922521
crc-32: b8fa9c6e

CODE

begin-base64 644 uftest.tar.bz2 QlpoOTFBWSZTWcdPLS0AIRf///3//d1YY/+vP+v+Zv99n0r6KkAARhhRo2hC QYigTUydsAGZozWiIjRRptR6gNNAaAaGjT9U0A0aGgAGgBkGg9RoaaeRB6jI 9TQxk0g1U/SJP1TYkMTQ0aNDRo0AMAjTQDQGBGQAAAaaaaAZAAASSRoinqeK Y1GT0QMmTE2hNG1AaNAxDBAwIwJoYmRpiaZMg0DJp9p8MMyLy4NbJ3udZVZA gX+eKxaFkanuoaWm9CXyZLlskU7Ak6cOVSy18TFIJ/EonFCjxnHKhjSMcljl bbrhJY1IDBYRwQsC2yOjcoDcLnx555mKDKJHLiRbpzUFJiKCulMqAAAAA3+D I7kUklGHIktDrQQFixtPNSClazJ2kRHw7OPUDjvU9z+KSgxLsA6RNMRgmiYK mgEGK2C8RaXHd04h9qxGwYZ+XzTh+Zwxry5FvVTo4xPG1vZwiQ9mJhADDnyj aZyFbZQIgII4TC/idFdNxkjQVlsA8+X1gmFIpkinmpDTK4QIUhgjAjKSIT2E jRqvniqpNumIgcaEcdPdg0S8pT2iajPRSfwzQ7IMmUiY2G2nMe9UxBImBx6D 5W0FAoQWNA0TVv4KRrKg3SMFp6hdT9gzE4IJALEqkMIjK3h/flt9yZmRv0Ne dvS5hQL7sx5/oo7xWK6bIF2q3DviXGZAdwdCHRLiL575RiyP6ZO9JnZ1vYEo j6f6mSObVQ388q2EkkkkhCqZrqcuxdPGUsfB6dpy3TtagRwPjAEAn7LRwxZn xfNqB9D/F3JFOFCQx08tLQ== ====

[Nailed]

Absolutely brilliant work, PedrosPad & rmenhal.  To quote the Merovingian... "Okay, you have some skill."    

[wivenhoe123]

anyone know how i can get my xbox up to dashboard 4920 cause trying to update it using splinter cell fails and i don't know another way!

cheers
mark

[diablohtr]

I would like to do this exploit but I was wondering if it will work with my xbox. k:5101
d:5659

Thanks

[arel]

sorry guys,
sometimes things don´t work....trouble in paradies...

in this case....here is my bad and sad "story".

---------------
configuration:
Xbox: Kernel 4817 (stated after 007 hack, in evo-x settings display)
Dash: 4920 (exactly copied from slayers 2.5 .../all/C directory)...by the way there are more than one "versions" which called 4920 dashboard...mine has a directory named "xboxdashdate.1012a700"
-----------------

after I´ve copied the files to C from Slayer I´ve tried to start the "refreshed" raw Xbox....what I´ve got was error 21  

therefore I don´t expected to get the exploit running as described...
so I´ve connected my pc and the box again by using 007 hack (evox)
and I´ve copied the "update.xbe" on C:\ and renamed it to xboxdash.xbe. afterthat ive copied the bert_ate_ernie.xtf to c:\. Last but not least I´ve renamed the fonts directory to F0nts (yes it´s a zero).
After booting the box shows the green "blubber" and after that the box was frozen (during the X screen, where you can read "MS")

I thought it could be, that I´ve signed the default.xbe (located on e:\) wrong ?

therefore I´ve copied the evo-x version which i usually use with the 007 hack to e:\default.xbe (this have to be a habibi signed XBE, because it runs perfect after starting it through 007 savegame...)
the result was the same....screen frozen....

Maybe we have to admit, that "earlier" Kernels (e.g. 4817 ?) will not run the 4920 Dash

any hints ??

So it could be that this (former) unbeatable exploit know is a solution for Xboxes which have a kernel "younger" than 4817 and older than 57xx ?

Sad, but a possible "restriction".

greets
Arel

[CooperS]

Fantastic work guys!
K:5101 D:4920

BTW. I never could get PBL 1.41 to work with ANY exploit on my box, if you're having trouble maybe use 1.4 like I do.

[X_n00b]

QUOTE (rmenhal @ May 23 2004, 02:40 PM)

Here's the md5sum and crc-32 of my update.xbe so you can check you have the correct file. Remove the first 8192 bytes of the file - in unix-type systems you can do this with "dd if=update.xbe of=noheader bs=8192 skip=1". md5sum: 571de69aaf0a32a59f843b50cc922521 crc-32: b8fa9c6e

Hmmm, I get a different MD5Sum (haven't tried CRC32) - Looks like I have the wrong update.xbe...  

EDIT: Also CRC'd now, and it's also different. Tried both the stripped and unstripped version (just incase) and I definately get a different result.

[{later}]

okay, here's what happens (with the first and your new xtf file)

xbox boots up, I see xbox screen and MS letters, then it just stays there with a green led.

when I press eject my xbox resets, and then it all starts over.

so i really think that my kernel crashes :S

also, I'm using windows xp, and I dunno how to remove the first 8192 bytes from a file so i cannot check my crc, could you upload your update.xbe file to that ftp server? would be of great help.

[PedrosPad]

QUOTE (PedrosPad @ May 23 2004, 12:59 AM)

I don't want to take this thread to far off topic, but... I named the exploit the "Ultimate Dashboard Exploit" because I think I've already devised a solution to: Cons: No Dashboard access to the XBOX!Live console. (Rendering the remaining "No XBOX!Live game access to the XBOX!Live console." irrelevant.) And if it works out, there'll no longer be any reason to manually toggle the exploits.  (My idea is restricted to accessing the XBOX!Live console in a safe state - XBOX!Live games will still need to be played from original media!) I get broadband in 10 days - So I'll know a lot more then.

Regarding restoring Dashboard access to the XBOX!Live console…

I’m a great believer in K.I.S.S. (Keep-It-Simple-and-Straightforward), and try to avoid getting ‘prematurely complicated’.  I’ve many ideas for restoring Dashboard access to the XBOX!Live console when using the “Ultimate Dashboard Exploit” (so don’t get disappointed by the simplicity of this first suggestion).

Let’s leave PBL out of the picture initially.

It’s a given that we need to be in an unexploited, safe, system state before launching the xonlinedash.xbe.  What this actually means is at-the-point xonlinedash.xbe is launched, the BIOS must be unmodified (because it’s known that XBOX!Live checksums it).  The unmodified BIOS can only launch M$ signed XBEs – Now that’s convenient as xonlinedash.xbe happens to already be M$ signed.  It’s also known that xonlinedash.xbe doesn’t use the C:\fonts\ folder – so no issue there.

Thus, how about:
Boot->update.xbe->bert_ate_ernie.xtf->Evox->restore.xbe->xodash\xonlinedash.xbe

Key:
Blue = M$ signature in effect.
Red = Habibi signature in effect.

Update.xbe is M$ signed.Bert_ate_ernie patches the BIOS signature to the habibi signature (i.e. pokes a few bytes), and launches Evox.
An Evox menu launches restore.xbe.
restore.xbe itself is habibi signed, but simply patches back the original M$ key (pokes a few bytes) in the BIOS, then launches xonlinedash.xbe.

I think this has a chance because xonlinedash.xbe is already M$ signed, and already has the XBE_MEDIA_HDD media type (unlike XBOX!Live games that have the DVD_MEDIA_TYPE, which can’t be changed without breaking the signature, or the BIOS modified to work around – due to the BIOS checksum).

Anyone see any issues with this?  It all sounds too easy.

PS. PBL could also be launched as an app from this boot-Evox menu, removing the need to for every XBE to be re-signed.

This post has been edited by PedrosPad: May 23 2004, 06:56 PM

[PedrosPad]

QUOTE (arel @ May 23 2004, 03:43 PM)

sorry guys, sometimes things don´t work....trouble in paradies... in this case....here is my bad and sad "story". --------------- configuration: Xbox: Kernel 4817 (stated after 007 hack, in evo-x settings display) Dash: 4920 (exactly copied from slayers 2.5 .../all/C directory)...by the way there are more than one "versions" which called 4920 dashboard...mine has a directory named "xboxdashdate.1012a700" ----------------- Maybe we have to admit, that "earlier" Kernels (e.g. 4817 ?) will not run the 4920 Dash So it could be that this (former) unbeatable exploit know is a solution for Xboxes which have a kernel "younger" than 4817 and older than 57xx ?

My only XBOX has K:4817.  Nuff said.

This post has been edited by PedrosPad: May 23 2004, 03:14 PM

[{later}]

okay I'v uploaded my update.xbe file (that doesnt seem to work with the exploit) to digisatman's ftp server. Could someone with a working exploit please compare his update.xbe with mine? I really think the problem is in the update.xbe file.

[devz3ro]

Maybe this should have been an official help thread. I knew there was going to be problems with this because of:

1. The way it has to be installed
2. Not all Xboxs are the same (different regions)
3. Its nature, since xboxdash (the real one) isn't being booted first

Another note, please do not post any ftps / links that could contain M$ copyright code, they will be removed (such as full dashboards etc.)

-devz3ro

http://sh0x.tk/

[afon]

Fell asleep last night waiting the ftp transfer, and just woke up. I can not get this to work. My settings are as follows:
Xbox: Kernel 4817
Dash: 4920

Ive got bert_ate_ernie.xtf of my C drive, along with: Update.xbe (xboxdash.xbe), xodash, xboxdata, skins (for unleashx), evoxdash.xbe (unleashx), MODxboxdash.xbe (Retail 4920).

On my E drive i have a habibi signed default.xbe (PBL 1.4.1 by Guex)

I obtained the update.xbe by: Downgrading dashs, unplugging ethernet, and entering xbox live option in unreal.

Symptoms;

QUOTE

It just freezes in the xbox-logo screen? What happens if you eject the tray at that point? If your box reboots, then the kernel has crashed - possibly because the exploit didn't work.

This post has been edited by afon: May 23 2004, 04:53 PM

[rmenhal]

I checked the update.xbe included in SlaYer's v2.1 and it does NOT work with the current bert_ate_ernie on my box. The file size is 1914880 bytes and has md5sum (without removing the first 8192 bytes) 73402a42463766842e56e82b839d5669. I don't know what update.xbe is included in other SlaYer's discs.

There's probably nothing else wrong with these other versions of update.xbe except that they just require a specially "tuned" version of bert_ate_ernie. Here's the md5sum of my update.xbe - again, but now without removing the first 8192 bytes:

8ab653c39f555758fb65d9014928c4cd

The file size is 1974272 bytes.

[PedrosPad]

update.xbe

QUOTE (rmenhal @ May 23 2004, 06:48 PM)

The file size is 1974272 bytes.

Snap here! - I know I used PAL Splinter Cell to update my pre-live 4817 to Live 1.0 Dashboard 4290.