xboxscene.org forums

Pages: [1] 2 3 ... 27

Author Topic: UDE/5713+

PedrosPad
UDE/5713+
« on: July 12, 2004, 07:51:00 AM »

I'm feeling a bit left out here, not having my own PBL flavor to post ;) so I thought I'd start one of me infamous rambling development threads (I've heard some people like to read them). As always, do feel free to join in and post your own thoughts; even if they're not workable in themselves, they often inspire other ideas.

I've been focusing on finding an exploitable XBE for use as a new K:5713+ compatible UDE bootstrap.

Problem definition:
The existing UDE uses an XBE from the 4920 Dashboard family of XBEs (xodash\update.xbe - in fact).

xbedump reports the header of the update.xbe as:
CODE
Certificate
~~~~~~~~~~~
Size of certificate                 : 0x000001EC
Certificate timestamp               : 0x3E306D50 Thu Jan 23 22:31:44 2003
Title ID                            : 0xFFFE0000
Title name                          : "Online Updater Application"
Alternate title ID's                :
   none
Allowed media types                 : 0x00000001
                                   : XBE_MEDIA_HDD
Allowed game regions                : 0x7FFFFFFF
                                   : XBE_REGION_US_CANADA
                                   : XBE_REGION_JAPAN
                                   : XBE_REGION_ELSEWHERE

It's the XBE_MEDIA_HDD that means it can be executed from the hard disk, thus can be used as the bootstrap for UDE.

The problem with the new kernels >=5713 is
QUOTE (rmenhal @ May 19 2004, 09:17 AM)
We know that kernels 5713 or higher won't allow dash downgrades.

Actually - while I didn't bother to trace out the logic exactly - there's a new check in 5713's XBE loader. It checks the XBE certificate structure. If the title ID is 0xFFFE0000 (dash's ID), the kernel then checks the time and date field and anything prior to about Aug 5 2003 causes it to bail out. So dash 4920 and prior versions are out.


So the search is on for an XBE that
  • Doesn't check the clock! (we don't want any clock loops back ;)) - thus excludes all Dashboard XBEs. :(
  • has a title ID equal to 0xFFFE0000, and a date after Aug 5 2003, and is exploitable! (of course all the new Dashboards' support files (such as 5960's xodash\update.xbe) meet this criteria, but these are unlikely to be exploitable (M$ learns from its mistakes) :()
  • has Allowed media types = XBE_MEDIA_HDD, and a title ID not equal to 0xFFFE0000 :D
The last point looks the most likely source of a UDE/5713 bootstrap. Even files that meet these criteria are then only possible candidates. There is a lot of work to do after a candidate has been identified to see if it can be usefully exploited.

So far, the known candidates are:
XMTAXBOX.xbe
plus 2 MA utility XBEs devz3ro spotted in his cache.

Please feel free to post others. The hunt is on. :D

PedrosPad
UDE/5713+
« Reply #1 on: July 12, 2004, 07:52:00 AM »

Candidate analysis.

(for completeness) 5960's xodash\update.xbe:
CODE
Certificate
~~~~~~~~~~~
Size of certificate                 : 0x000001EC
Certificate timestamp               : 0x409BCB24 Fri May 07 18:45:08 2004
Title ID                            : 0xFFFE0000
Title name                          : "Online Updater Application"
Alternate title ID's                :
   none
Allowed media types                 : 0x80000001
                                   : XBE_MEDIA_HDD
Allowed game regions                : 0x7FFFFFFF
                                   : XBE_REGION_US_CANADA
                                   : XBE_REGION_JAPAN
                                   : XBE_REGION_ELSEWHERE

Title ID = Dashboard family's 0xFFFE0000, and date > 05 Aug 2003, so :)
Allowed media types = XBE_MEDIA_HDD :)
(but all known holes closed :()

XMTAXBOX.xbe:
CODE
Certificate
~~~~~~~~~~~
Size of certificate                 : 0x000001EC
Certificate timestamp               : 0x3E67B7E8 Thu Mar 06 21:04:40 2003
Title ID                            : 0xFFFD0001
Title name                          : "XMTAXBOX"
Alternate title ID's                :
   none
Allowed media types                 : 0x00000001
                                   : XBE_MEDIA_HDD
Allowed game regions                : 0x80000000
                                   : XBE_REGION_DEBUG
Date old, but Title ID not equal to the Dashboard family's 0xFFFE0000, so :)
Allowed media types = XBE_MEDIA_HDD :)
Allowed game regions = XBE_REGION_DEBUG :( (Not too promising, but see here)

From MechAssault's downloaded content....
MA's /E/TDATA/4d530017/$u/default.xbe:
CODE
Certificate
~~~~~~~~~~~
Size of certificate                 : 0x000001EC
Certificate timestamp               : 0x3F57CBAA Fri Sep 05 00:32:58 2003
Title ID                            : 0x4D530017
Title name                          : "MechAssault"
Alternate title ID's                :
   none
Allowed media types                 : 0x00000001
                                   : XBE_MEDIA_HDD
Allowed game regions                : 0x00000005
                                   : XBE_REGION_US_CANADA
                                   : XBE_REGION_ELSEWHERE

So far, so good :)

MA's /E/TDATA/4d530017/$u/downloader.xbe:
CODE
Certificate
~~~~~~~~~~~
Size of certificate                 : 0x000001EC
Certificate timestamp               : 0x3F57CBB8 Fri Sep 05 00:33:12 2003
Title ID                            : 0x4D530017
Title name                          : "Downloader"
Alternate title ID's                :
   none
Allowed media types                 : 0x00000001
                                   : XBE_MEDIA_HDD
Allowed game regions                : 0x00000005
                                   : XBE_REGION_US_CANADA
                                   : XBE_REGION_ELSEWHERE

So far, so good :)
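The header screen PedrosPad lays out in the opening post, run over the certificate values quoted in the candidate analysis above, as an added Python example: this is not code from this thread, from xbedump, or from any of the posters. It assumes the usual XBE layout (base address at header offset 0x104, certificate pointer at 0x118, certificate fields at the offsets shown in the code), takes rmenhal's "about Aug 5 2003" as exactly midnight UTC on that date, and builds the sample images in memory from the dumped values rather than reading real files. Bits that the thread's xbedump does not name (the 0x80000000 in 5960's 0x80000001) are kept visible as UNKNOWN instead of being silently dropped.

```python
"""XBE certificate screen for the 5713+ UDE bootstrap hunt (added example).

Builds minimal in-memory XBE images carrying the certificate values quoted
in this thread, parses them back the way xbedump prints them, and applies
PedrosPad's candidate filter. Layout offsets and the cutoff are assumptions.
"""
import struct
from datetime import datetime, timezone

XBE_MAGIC = b"XBEH"
XBE_CERT_SIZE = 0x1EC            # "Size of certificate" in every dump in the thread
DASH_TITLE_ID = 0xFFFE0000       # dashboard family title ID
XBE_MEDIA_HDD = 0x00000001
XBE_REGION_DEBUG = 0x80000000
# rmenhal wrote "about Aug 5 2003"; the exact second is an assumption here.
DASH_TIMESTAMP_CUTOFF = int(datetime(2003, 8, 5, tzinfo=timezone.utc).timestamp())

# Flag names as xbedump prints them; unnamed bits are reported, not hidden.
MEDIA_NAMES = {0x1: "XBE_MEDIA_HDD", 0x2: "XBE_MEDIA_DVD_X2", 0x4: "XBE_MEDIA_DVD_CD",
               0x8: "XBE_MEDIA_CD", 0x10: "XBE_MEDIA_DVD_5_RO", 0x20: "XBE_MEDIA_DVD_9_RO",
               0x40: "XBE_MEDIA_DVD_5_RW", 0x80: "XBE_MEDIA_DVD_9_RW"}
REGION_NAMES = {0x1: "XBE_REGION_US_CANADA", 0x2: "XBE_REGION_JAPAN",
                0x4: "XBE_REGION_ELSEWHERE", XBE_REGION_DEBUG: "XBE_REGION_DEBUG"}


def decode_flags(value, names):
    """Name each set bit of a 32-bit flag word; unknown bits stay visible."""
    out = []
    for bit in range(32):
        mask = 1 << bit
        if value & mask:
            out.append(names.get(mask, "UNKNOWN_0x%08X" % mask))
    return out


def build_xbe(timestamp, title_id, title_name, media, region,
              base_addr=0x10000, cert_off=0x1000):
    """Construct a minimal XBE: header with base address and certificate
    pointer, then the certificate. Only fields xbedump prints are filled."""
    cert = bytearray(XBE_CERT_SIZE)
    struct.pack_into("<III", cert, 0x00, XBE_CERT_SIZE, timestamp, title_id)
    name = title_name.encode("utf-16-le")[:78]        # 40 wchars, NUL-terminated
    cert[0x0C:0x0C + len(name)] = name
    # the 16 alternate title IDs at 0x5C stay zero, which xbedump shows as "none"
    struct.pack_into("<II", cert, 0x9C, media, region)
    hdr = bytearray(cert_off)
    hdr[0:4] = XBE_MAGIC
    struct.pack_into("<I", hdr, 0x104, base_addr)               # base address
    struct.pack_into("<I", hdr, 0x118, base_addr + cert_off)    # certificate VA
    return bytes(hdr) + bytes(cert)


def parse_certificate(image):
    """Locate and decode the certificate. The pointer is bounds-checked
    first: a crafted header can point anywhere, including outside the file."""
    if image[:4] != XBE_MAGIC:
        raise ValueError("not an XBE image")
    base_addr, = struct.unpack_from("<I", image, 0x104)
    cert_addr, = struct.unpack_from("<I", image, 0x118)
    off = cert_addr - base_addr
    if off < 0 or off + XBE_CERT_SIZE > len(image):
        raise ValueError("certificate pointer outside image")
    size, ts, tid = struct.unpack_from("<III", image, off)
    raw_name = image[off + 0x0C:off + 0x0C + 80]
    name = raw_name.decode("utf-16-le", "replace").split("\x00", 1)[0]
    alt = struct.unpack_from("<16I", image, off + 0x5C)
    media, region = struct.unpack_from("<II", image, off + 0x9C)
    return {"size": size, "timestamp": ts, "title_id": tid, "title_name": name,
            "alt_title_ids": [a for a in alt if a],
            "allowed_media": media, "game_region": region}


def format_timestamp(ts):
    """Render like xbedump: 'Thu Jan 23 22:31:44 2003' (UTC)."""
    return datetime.fromtimestamp(ts, timezone.utc).strftime("%a %b %d %H:%M:%S %Y")


def screen_candidate(cert):
    """PedrosPad's header screen. Passing only makes a file a candidate;
    whether it is exploitable is a separate question."""
    if not cert["allowed_media"] & XBE_MEDIA_HDD:
        return False, "no XBE_MEDIA_HDD: cannot be launched from the hard disk"
    if cert["title_id"] == DASH_TITLE_ID and cert["timestamp"] < DASH_TIMESTAMP_CUTOFF:
        return False, "dashboard title ID with pre-cutoff timestamp: 5713+ loader bails"
    if cert["game_region"] == XBE_REGION_DEBUG:
        return True, "candidate, but debug region only"
    return True, "candidate"


# Values copied from the dumps in this thread; the images are constructed, not real files.
SAMPLES = {
    "4920 xodash/update.xbe": build_xbe(0x3E306D50, 0xFFFE0000, "Online Updater Application", 0x00000001, 0x7FFFFFFF),
    "5960 xodash/update.xbe": build_xbe(0x409BCB24, 0xFFFE0000, "Online Updater Application", 0x80000001, 0x7FFFFFFF),
    "XMTAXBOX.xbe":           build_xbe(0x3E67B7E8, 0xFFFD0001, "XMTAXBOX", 0x00000001, 0x80000000),
    "MA $u/default.xbe":      build_xbe(0x3F57CBAA, 0x4D530017, "MechAssault", 0x00000001, 0x00000005),
}

if __name__ == "__main__":
    for label, image in SAMPLES.items():
        c = parse_certificate(image)
        ok, why = screen_candidate(c)
        print("%-24s %s  title %08X  media %s  region %s -> %s (%s)" % (
            label, format_timestamp(c["timestamp"]), c["title_id"],
            "|".join(decode_flags(c["allowed_media"], MEDIA_NAMES)),
            "|".join(decode_flags(c["game_region"], REGION_NAMES)),
            "PASS" if ok else "FAIL", why))
```

Run it and the 4920 updater fails on the title ID plus timestamp rule while the 5960 updater, XMTAXBOX and the MechAssault utilities all pass the header screen, which is exactly the split the two posts above arrive at by hand. The region decode of 0x7FFFFFFF also shows why xbedump lists only three regions for a value with 31 bits set: it names the bits it knows and ignores the rest.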

adil786

UDE/5713+
« Reply #2 on: July 12, 2004, 08:17:00 AM »

W.I.P. is good, I'll try to help as well.

Pity I don't have a 5713+ Xbox... only 5101 :(

Angerwound

UDE/5713+
« Reply #3 on: July 12, 2004, 11:40:00 AM »

What timestamp is located on the update.xbe that comes with a brand new (5713) box. It would have to have the XBE_MEDIA_HDD flag if it is located within /xodash/. I really need a 5713 box. I might be interested in someone swapping my virgin 1.0 box that I use for LiVE with a 5713.. Offers?

EDIT: Pedro, if you could post the xbedumps of the MA .xbe's. I don't have them readily available atm.


krayzie

UDE/5713+
« Reply #4 on: July 12, 2004, 10:43:00 AM »

Yeah, the 5713 (5659) update.xbe would have the right timestamp, I guess, but it might not be exploitable (at least not the way we are used to).

Angerwound

UDE/5713+
« Reply #5 on: July 12, 2004, 10:51:00 AM »

Anyone with a 5713 dash that wants to post up the xbedump of the 5713 update.xbe?

ripcurl

UDE/5713+
« Reply #6 on: July 12, 2004, 11:56:00 AM »

QUOTE (Angerwound @ Jul 12 2004, 06:37 PM)
What timestamp is located on the update.xbe that comes with a brand new (5713) box. It would have to have the XBE_MEDIA_HDD flag if it is located within /xodash/. I really need a 5713 box. I might be interested in someone swapping my virgin 1.0 box that I use for LiVE with a 5713.. Offers?

EDIT: Pedro, if you could post the xbedumps of the MA .xbe's. I don't have them readily available atm.

I have a brand spanking new untouched Xbox 5713 which I would trade for a 1.0 any day!! Let's do it up.

MFG 03-03-2004
K 5713
D 5969... I think

Flame2k

UDE/5713+
« Reply #7 on: July 12, 2004, 12:17:00 PM »

You know the Live tab; this might sound a bit lame at first 'cos I don't know anything! lol (and it's probably already been suggested), but has anyone thought about hexing xboxdash.xbe or something, so that the Live tab will execute another XBE? Is that possible?

EDIT: just realised it would probably have to be MS signed....

Angerwound

UDE/5713+
« Reply #8 on: July 12, 2004, 12:20:00 PM »

QUOTE (Flame2k @ Jul 12 2004, 03:14 PM)
You know the Live tab; this might sound a bit lame at first 'cos I don't know anything! lol (and it's probably already been suggested), but has anyone thought about hexing xboxdash.xbe or something, so that the Live tab will execute another XBE? Is that possible?

EDIT: just realised it would probably have to be MS signed....

This in general was the purpose of the double dashboard exploit. Search for the thread somewhere around if you would like to read up on it.

krayzie

UDE/5713+
« Reply #9 on: July 12, 2004, 11:28:00 AM »

Are XBE files the only type of files that can be exploited? Couldn't there be vulnerabilities (or however you write it) in other types of Xbox files?

adil786

UDE/5713+
« Reply #10 on: July 12, 2004, 12:38:00 PM »

QUOTE (Flame2k @ Jul 12 2004, 08:14 PM)
You know the Live tab; this might sound a bit lame at first 'cos I don't know anything! lol (and it's probably already been suggested), but has anyone thought about hexing xboxdash.xbe or something, so that the Live tab will execute another XBE? Is that possible?

EDIT: just realised it would probably have to be MS signed....

Yes, but not on new kernels; M$ learns from their mistakes.

mkjones

UDE/5713+
« Reply #11 on: July 12, 2004, 12:52:00 PM »

QUOTE (krayzie @ Jul 12 2004, 08:28 PM)
Are XBE files the only type of files that can be exploited? Couldn't there be vulnerabilities (or however you write it) in other types of Xbox files?

You mean like audio? I too have wondered; there must be something they missed, this is M$ after all :)

How about (looks in some xbox folders)

The credit card files in "\xodash\media\Content" (creditcard.csv): I have no idea how they are used, but they are very simple text files:

QUOTE
VISA,0
MASTERCARD,1
AMERICAN_EXPRESS,2


Is an example of the content. Maybe some data can be "pushed" into such a file to cause an overflow? This is pure bull I'm speaking right now, but you have to get ideas from somewhere :)

The same files are used in the Content folder's subfolders too? But I have no idea when they are loaded; they are something to do with the Live! dash, but as I have never used it...

May be worth asking the tHc guys? I mean, they have decompiled and recompiled the whole Xbox dash and remade it; maybe they saw something??
Another idea? Maybe the screensaver/visualisation file that runs when you play music?? I believe it's the right thumbstick press that launches it. tHc has a replacement for it? Just an idea...

Hmm.... One last one before I give up.

The WAV files in the Audio directory?? Has anyone looked at modding these? Surely they are not "signed" in any way, as they are basic WAVs (surprisingly NOT WMAs). Again, they are launched when certain buttons are pressed.. If the main "beep" that appears when A is pressed could be hacked, then a single button style exploit could be made up??

I have no idea if these ideas will help, but I remember the old Live! exploit thread was a LOT of brainstorming and that led to something! :)

See ya.....

Spectracide

UDE/5713+
« Reply #12 on: July 12, 2004, 02:18:00 PM »

I can't wait to test when something solid comes out.

Chicken Scratch Boy

UDE/5713+
« Reply #13 on: July 12, 2004, 03:34:00 PM »

Maybe the dash has an anti speaker blow-out thingy; if we put a really really loud WAV in there.... or not? That's the only thing I can think we would be able to do with a WAV.

Unless we can exploit the execution process to make it read an error and load a backup file, which can be changed (but then we need an exploitable XBE candidate, because the kernel would check the flags still).

Australian Rat

UDE/5713+
« Reply #14 on: July 12, 2004, 11:30:00 PM »

QUOTE (Chicken Scratch Boy @ Jul 13 2004, 06:31 AM)
Maybe the dash has an anti speaker blow-out thingy; if we put a really really loud WAV in there.... or not? That's the only thing I can think we would be able to do with a WAV.

Unless we can exploit the execution process to make it read an error and load a backup file, which can be changed (but then we need an exploitable XBE candidate, because the kernel would check the flags still).

 I doubt it.  If MS didn't put a really loud WAV in there, they certainly wouldn't put in protection to blow out the speakers.

The only thing would be with CDs being copied.  But then again, I'm pretty sure all tracks are normalised when ripped.