xboxscene.org forums

Pages: 1 ... 4 5 [6] 7 8 ... 27

Author Topic: UDE/5713+  (Read 2433 times)

ldots

« Reply #75 on: July 13, 2004, 03:51:00 PM »

I could start to see if it's possible to strip MA to something like 300-400 MB though.

Back to the original topic.
I made the XBE media flag scanner, but again, as I'm not on XBOX!Live the result from my own scan was not that useful. Currently it locates every xbe in C: and E: and checks the media flag. If it's XBE_MEDIA_HDD flagged, the certificate will be printed. The log file with the first hit looks like this:
CODE
--------------------------------------------------
  Scanning HDD for xbe's with XBE_MEDIA_HDD flag
--------------------------------------------------



----------------
Entering /mnt/C:
----------------


***************************************************************************
Correct Media flag found in : /mnt/C/xodash/update.xbe
***************************************************************************

Certificate
~~~~~~~~~~~
Size of certificate                 : 0x000001EC
Certificate timestamp               : 0x409BCB24 Fri May  7 17:45:08 2004
Title ID                            : 0xFFFE0000
Title name                          : "Online Updater Application"
Alternate title ID's                :
       none
Allowed media types                 : 0x80000001
                                    : XBE_MEDIA_HDD
Allowed game regions                : 0x7FFFFFFF
                                    : XBE_REGION_US_CANADA
                                    : XBE_REGION_JAPAN
                                    : XBE_REGION_ELSEWHERE
Allowed game rating                 : 0xFFFFFFFF
Disk number                         : 0x00000000
Version                             : 0x185EAD00


So, what else would you guys like?
To check more file extensions : xip's ?
To check X,Y,Z drives ?

Let me know and I'll add the changes. Then other users with a (soft)modded xbox could run this to build up a database of HDD flagged xbe's.

Chicken Scratch Boy

« Reply #76 on: July 13, 2004, 03:55:00 PM »

yes so the second idea would be a no also.... (2 strikes, damn)

it appears that unless SC or AUF have hdd launchable variants, signed after the date specified, we (you?) need to find a new exploit (even if it is a boot strap for 4920's update.xbe).

afon

« Reply #77 on: July 13, 2004, 06:24:00 PM »

I was thinking, and what if we used some kind of file from the xboxlive update disc itself? The way it shifts from dashboard to update app to demo makes me suspicious. Anyone have a new xbox live update disc?

chimpanzee

« Reply #78 on: July 13, 2004, 06:30:00 PM »

QUOTE (afon @ Jul 14 2004, 03:24 AM)
I was thinking, and what if we used some kind of file from the xboxlive update disc itself? The way it shifts from dashboard to update app to demo makes me suspicious. Anyone have a new xbox live update disc?

But these are usually 'plugged' like the newer dashboard. The chances of an exploit for 5713+ still seem to be in older games MA/SC/007AUF.

afon

« Reply #79 on: July 13, 2004, 06:46:00 PM »

Pedro, did you check for any files that MA has that are unsigned?

Australian Rat

« Reply #80 on: July 13, 2004, 06:56:00 PM »


Aw well, making progress anyway.  You all will get it, just a matter of time.

mkjones

« Reply #81 on: July 13, 2004, 11:26:00 PM »

QUOTE (Australian Rat @ Jul 14 2004, 03:56 AM)
lol, reading pages 2 & 3 is such a killjoy.  First it looks like it's nearly there, with loads of hopeful stuff being posted, then finally coming to page 3 where everything hits a brick wall.

Aw well, making progress anyway.  You all will get it, just a matter of time.

Yawn, tell me about it. I was up all night trying to come up with any new ideas, but it seems it was all down to Qwix patching the file, which I didn't think it would do. What a bummer.

ANYWAY (trying to change the subject)

The MA thing sounds amazing, booting a game instead of the xbox dash from C has always been a cool idea, it would just mean:

a) finding a hackable game
b) finding a very small game
c) finding a universally available game

Of course it would need to be run from the HDD. So it's gonna have to be a game update or something from Live! or maybe even from a Magazine CD... But this is gonna take a while!

I hope ldots' tool comes up with something, I fear it would only be good for Live! users and possibly heavy duty ones at that. We need someone that has shit loads of live! games with downloadable content and all that...

I mean, lets try and list all the games that have downloadable content that we know of:

- Ninja Gaiden
- MechAssault
- Rainbow 6 3
- Splinter Cell (?)
- Prince of Persia (?)

Any others? I kinda lost the track of things by the end....



PedrosPad

« Reply #82 on: July 13, 2004, 11:28:00 PM »

QUOTE (ldots @ Jul 14 2004, 12:51 AM)
I made the XBE media flag scanner, but again, as I'm not on XBOX!Live the result from my own scan was not that useful. Currently it locates every xbe in C: and E: and checks the media flag. If it's XBE_MEDIA_HDD flagged, the certificate will be printed.
<snip/>
So, what else would you guys like?
To check more file extensions : xip's ?
To check X,Y,Z drives ?

Let me know and I'll add the changes. Then other users with a (soft)modded xbox could run this to build up a database of HDD flagged xbe's.

Hi ldots, good work,

Given the problems mkjones found, with DVD2XBOX (and other utils) ticking-all-the-boxes for media types, I think we'll need a way to discard this noise or nearly every XBE will be reported.  Can you discard xbedump outputs that contain the very odd media types (USB, etc)?

Also, the X, Y, Z drives are tiny, so there's no harm including them in the search.  I say this because titles like Shenmue II have an "Outrun" Easter egg, and I believe this is temporarily cached in X, Y, or Z.
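As an added example (not ldots' scanner or any code from this thread), the following Python reader does what ldots' post and the reply above call for: it locates the certificate through the XBE header, decodes the fields that the log prints, and discards entries where every media box is ticked. The header and certificate offsets follow the public XBE layout; the PHYSICAL_MEDIA_MASK heuristic, the build_xbe test-image builder and the two sample images are my own assumptions, not anything from the thread.

```python
import struct

XBE_MEDIA_HDD = 0x00000001        # bit 0 of "Allowed media types" (0x80000001 in the log above)
PHYSICAL_MEDIA_MASK = 0x000003FF  # assumed: HDD plus every DVD/CD/dongle/media-board bit

def parse_certificate(xbe: bytes) -> dict:
    """Decode the certificate fields xbedump prints from a raw XBE image (header at offset 0)."""
    if xbe[:4] != b"XBEH":
        raise ValueError("not an XBE image (missing XBEH magic)")
    base_addr = struct.unpack_from("<I", xbe, 0x104)[0]   # image base address
    cert_addr = struct.unpack_from("<I", xbe, 0x118)[0]   # certificate address (virtual)
    off = cert_addr - base_addr                            # the header is mapped at base_addr
    size, stamp, title_id = struct.unpack_from("<III", xbe, off)
    title = xbe[off + 0x0C:off + 0x5C].decode("utf-16-le").split("\0", 1)[0]  # 40 wide chars
    alt_ids = [i for i in struct.unpack_from("<16I", xbe, off + 0x5C) if i]    # 16 alternate IDs
    media, region, rating, disk, version = struct.unpack_from("<5I", xbe, off + 0x9C)
    return {"size": size, "timestamp": stamp, "title_id": title_id, "title": title,
            "alt_title_ids": alt_ids, "media": media, "region": region,
            "rating": rating, "disk": disk, "version": version}

def classify(cert: dict) -> str:
    """'hdd' = HDD bit set, worth recording; 'patched' = every media box ticked (assumed
    DVD2XBOX-style noise, discard); 'other' = no HDD bit at all."""
    media = cert["media"]
    if not (media & XBE_MEDIA_HDD):
        return "other"
    if (media & PHYSICAL_MEDIA_MASK) == PHYSICAL_MEDIA_MASK:
        return "patched"
    return "hdd"

def build_xbe(title: str, title_id: int, media: int, region: int) -> bytes:
    """Constructed test image: 0x1000-byte header at base 0x10000, certificate right after it."""
    base = 0x00010000
    cert = struct.pack("<III", 0x1EC, 0x409BCB24, title_id)       # size, timestamp, title ID
    cert += title.encode("utf-16-le").ljust(80, b"\0")            # title name
    cert += b"\0" * 64                                             # no alternate title IDs
    cert += struct.pack("<5I", media, region, 0xFFFFFFFF, 0, 0x185EAD00)
    hdr = bytearray(0x1000)
    hdr[:4] = b"XBEH"
    struct.pack_into("<I", hdr, 0x104, base)                       # base address
    struct.pack_into("<I", hdr, 0x118, base + 0x1000)              # certificate address
    return bytes(hdr) + cert.ljust(0x1EC, b"\0")

if __name__ == "__main__":  # constructed samples: the page's updater, and an all-boxes-ticked game
    samples = {"C/xodash/update.xbe": build_xbe("Online Updater Application", 0xFFFE0000, 0x80000001, 0x7FFFFFFF),
               "E/Games/x/default.xbe": build_xbe("Some Game", 0x4D530001, 0xFFFFFFFF, 0x00000007)}
    for path, data in samples.items():
        cert = parse_certificate(data)
        print(f"{path}: {classify(cert):7s} media=0x{cert['media']:08X} title={cert['title']!r}")
```

Running this over real files on a dump of C: and E: only needs a directory walk feeding each .xbe into parse_certificate; anything classified "patched" can be dropped from the database.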

PedrosPad

« Reply #83 on: July 13, 2004, 11:43:00 PM »

QUOTE (afon @ Jul 14 2004, 03:46 AM)
Pedro, did you check for any files that MA has that are unsigned?

Well that is an interesting question.

Had this thought as soon as I shut down last night....

When the original Linux guys were looking for exploits, they were limited to HDD and memory card files, as they knew they couldn't change any files on the DVD, not because of file signing issues, but solely because they knew they couldn't burn a DVD media that would boot on a retail XBOX!.

Now that I've got MA booting on a retail XBOX from the HDD, this opens up a whole load of support data files that could now be altered and possibly exploited - graphic files, font files, level files, etc.

The fact that I managed to get the retail MA engine to work with my MA demo content implies to me that the signatures of the support files aren't compiled into the XBE game engine (it's highly likely that demo files are different to the retail ones).  So even if the support files are runtime checksummed, it would be through the game engine at runtime (like GameSavs), meaning that they may be able to be altered and then the right checksum recalculated.  (Although I suspect that even this level of checksumming is not actually going on.)

I think this is a promising avenue, and I'll look into tampering with the MA demo support files next.

PedrosPad

« Reply #84 on: July 13, 2004, 11:53:00 PM »

QUOTE (V[]nm6687 @ Jul 14 2004, 07:24 AM)
good news guys, I just downloaded some levels from Xbox LIVE for Splinter Cell (the first one) and it too has its own default.xbe in TDATA that is HDD signed!  the only bad thing is that the timestamp is from 2002.

Since Splinter Cell 1 won't have the Dashboard's title ID, the date won't matter (and its age predates the SC GameSav exploit, so it may mean that the GameSav hasn't been fixed).  This could be another good candidate.

PedrosPad

« Reply #85 on: July 13, 2004, 11:53:00 PM »

unsure.gif

PedrosPad

« Reply #86 on: July 14, 2004, 12:06:00 AM »

QUOTE (ldots @ Jul 14 2004, 12:51 AM)
I could start to see if it's possible to strip MA to something like 300-400 MB though.

That'd be good - Angerwound is already looking into this too.

But I found that the MA Demo content appears to be significant to get the HDD MA engine to the point where a GameSav could be loaded.  Not sure how big that is - it may already be < 400MBs (or could be a better candidate to strip further).

If an exploit can be found in one of the early MA content files the engine loads, what's eventually needed could turn out to be a very small bootstrap indeed.

PedrosPad

« Reply #87 on: July 14, 2004, 12:09:00 AM »

QUOTE (Australian Rat @ Jul 14 2004, 03:56 AM)
lol, reading pages 2 & 3 is such a killjoy.  First it looks like it's nearly there, with loads of hopeful stuff being posted, then finally coming to page 3 where everything hits a brick wall.

Exciting, wasn't it?  hehe

PedrosPad

« Reply #88 on: July 14, 2004, 12:17:00 AM »

QUOTE (mkjones @ Jul 14 2004, 08:26 AM)
The MA thing sounds amazing, booting a game instead of the xbox dash from C has always been a cool idea, it would just mean:

a ) finding a hackable game
b ) finding a very small game
c ) finding a universally available game

Of course it would need to be run from the HDD. So it's gonna have to be a game update or something from Live! or maybe even from a Magazine CD... But this is gonna take a while!

Why "c) finding a universally available game"?  Didn't this only apply when original DVD media was required (like MA)?  If it can be FTPed onto the HDD, it could be, er, distributed universally.

Edit: 2nd thought - I guess we should keep an eye on the region codes.

chimpanzee

« Reply #89 on: July 14, 2004, 12:22:00 AM »

QUOTE (PedrosPad @ Jul 14 2004, 09:17 AM)
Why "c) finding a universally available game"?  Didn't this only apply when original DVD media was required (like MA)?  If it can be FTPed onto the HDD, it could be, er, distributed universally.

If I were a game developer, I would introduce a game that is 'not perfect' but still it will sell like hotcakes, regardless of whatever game critics say :-).