xboxscene.org forums


Author Topic: Wanted... "rmenhal-like" Skills For Development Of  (Read 388 times)

Ndure protagonist

« Reply #30 on: September 29, 2005, 09:10:00 AM »

PedrosPad, do you mean porting the HULK audio exploit's code to run with it (17cdc100) under normal boot conditions first?

{: I confirmed on my 3944 a long time ago that, as expected, a 4920 audio exploit works with it that way. :}

xman954

« Reply #31 on: October 02, 2005, 05:39:00 PM »

Some good news:
I have a working ST.DB for cold boot > uber4020 dash > st.db > habibi
(using a NDURE C:\ alongside it)
that is based on the "doublestdb" by rmenhal,
the one that uses "BUFF" instead of "RIFF" as HEAD0 (the one that cleans up the music dir).

So now we just need to find the offset of the 5960 dash from <<EggsBox>>.
I will try to do an xbe (settings_adoc.xip) that just writes this offset to a file.

Here it is in case someone wants to work on this.
CODE
;;;
;;; Compile: nasm -o ST.DB stdb.asm
;;;

  BITS 32

stdbmemofs   equ 1498BCh      ; < fixed by 4920 dash

D5960_offset    equ 00000000h  ; what is it ?  <<<<<<

mem_offset   equ 0D004B694h + D5960_offset     ; address when launched from 4920 only

bin_start:

.HEAD0  dd 'BUFF'
.HEAD1  dd (mem_offset-1498C8h)/4
.HEAD2  dd .start-.HEAD0+stdbmemofs

;;;
;;; Summary:
;;;   1) Remove the subdirectory 1498c8 (HEAD2) that Dashboard created.
;;;   2) Rewrite ST.DB to disk (because Dashboard gobbles it.)
;;;   3) Change the MS public key in kernel to habibi-key.
;;;   4) Load and run a habibi-signed XBE.
;;;

.start:
   call   .base
.base:   pop   ebp
   jmp   short .continuecode
;----------------
.xbestring   db 'default.xbe',0

.trnumstr   db 'T:\music\1498c8',0
.trnum  dw $-.trnumstr-1, $-.trnumstr-1
.ptrnumstr   dd .trnumstr-.HEAD0+stdbmemofs
.tmusicstdb   dw 14, 14
  dd 17E10h; "T:\MUSIC\ST.DB"
.dispose   db 1
;----------------
.continuecode:   

;   jmp   short $   ; make it hang <<<<<<<<<<<<<<<<

   dec   dword [ebp+.HEAD1-.base]
   dec   dword [ebp+.HEAD2-.base]
   push   dword [ebp+.HEAD0-.base-4]
   call   dword [12034h]; NtClose

   push   byte 26
   pop   ecx
   xor   eax,eax
   mov   edi,stdbmemofs+416
   rep   stosd
   inc   eax
   stosd
   mov   dword [edi-12],21371h

   push   eax
   mov   ebx,esp   ; File handle

   push   eax
   push   eax
   mov   esi,esp   ; IO status

   lea   eax,[ebp+.trnum-.base]
   push   byte 40h
   push   eax
   push   byte -3
   mov   edi,esp   ; Object attributes

   push   byte 1
   push   byte 4
   push   esi
   push   edi
   push   dword 10000h
   push   ebx
   call   dword [12040h]; NtOpenFile

   push   byte 13   ; 13 = FileDispositionInformation
   push   byte 1
   lea   eax,[ebp+.dispose-.base]
   push   eax
   push   esi
   push   dword [ebx]
   call   dword [120A0h]; NtSetInformationFile

   push   dword [ebx]
   call   dword [12034h]; NtClose


   lea   eax,[ebp+.tmusicstdb-.base]
   mov   [edi+4],eax

   push   byte 22h
   push   byte 3
   push   esi
   push   edi
   push   dword 40100000h
   push   ebx
   call   dword [12040h]; NtOpenFile

   mov   eax,512+12
   lea   edx,[ebp+.HEAD0-.base]
   call   .write

   push   byte 101
   pop   ecx
   mov   eax,512-12
.wl:   push   ecx
   mov   edx,10D70h; zeroes at 0x10D70
   call   .write
   mov   eax,512
   pop   ecx
   loop   .wl
   
   push   dword [ebx]
   mov   esi,dword [12034h]; NtClose
   call   esi

;  add   esp,byte 12+8+4
   

.patchpublickey:   
   mov   ebx,dword [121A8h]; XePublicKeyData
   test   ebx,ebx
   jz   short .badexport
   cmp   dword [ebx],31415352h
   jne   short .badexport
   cmp   dword [ebx+10h],10001h
   je   short .keyfound

.badexport:

   and   si,0F000h
.findkernel:
   mov   ax,[esi]
   cmp   ax,'ZM'
   je   short .check
   cmp   ax,'MZ'
   je   short .check
.retry:   sub   esi,1000h
   jmp   short .findkernel
.check:
   mov   eax,[esi+3Ch]
   cmp   eax,0FFFh
   ja   short .retry
   cmp   dword [esi+eax],'PE'
   jne   short .retry

   mov   ebx,esi
.searchkey:   
   inc   ebx
   cmp   dword [ebx],31415352h
   jne   short .searchkey
   cmp   dword [ebx+10h],10001h
   jne   short .searchkey
.keyfound:

.searchkeyend:   
   inc   ebx
   cmp   dword [ebx],0A44B1BBDh
   jne   short .searchkeyend

   cli
   mov   ecx,cr0
   push   ecx
   and   ecx,0FFFEFFFFh
   mov   cr0,ecx

   xor   dword [ebx],2DD78BD6h

   pop   ecx
   mov   cr0,ecx
   sti

.loadrunxbe:   
   push   byte 0
   push   esp
   push   byte 0
   push   byte 2
   push   127C8h   ; "\Device\Harddisk0\partition1"
   lea   eax,[ebp+.xbestring-.base]
   push   eax

   mov   esi,555A9h
   call   esi
.inf:   jmp   short .inf
;------------------------
.write:
   xor   ecx,ecx
   push   ecx
   push   eax
   push   edx
   push   esi
   push   ecx
   push   ecx
   push   ecx
   push   dword [ebx]
   call   dword [120D8h]; NtWriteFile
   ret
;
%if $-.HEAD0 > 416
   %error 416 bytes maximum!
%endif

   times 512-$+.HEAD0 db 0

   dd 21371h, 0, 1   ; An empty no-name track (for HD to HD copy)

   times 52224-$+bin_start.HEAD0 db 0


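The header that the stdb.asm above emits (HEAD0/HEAD1/HEAD2 at offset 0, payload within the first 512 bytes, kernel-key constants in the patch routine) gives a defender enough to recognise a crafted ST.DB on disk. The checker below is an added example, not code from this thread; the "track count is smaller than the file" heuristic is an assumption, and both sample files are constructed here rather than taken from a real console.

```python
import struct

# Constants taken from the stdb.asm source posted above.
RIFF_MAGIC = b"RIFF"            # HEAD0 of a dashboard-written ST.DB
KERNEL_KEY_CONSTANTS = {
    0x31415352: "RSA1 public-key blob marker",
    0xA44B1BBD: "MS public key search constant",
    0x2DD78BD6: "habibi key XOR patch constant",
}
HEADER_SIZE = 512               # payload must fit in the first 512 bytes (416 usable)

def scan_stdb(data: bytes) -> list[str]:
    """Return human-readable findings; an empty list means nothing suspicious."""
    findings = []
    if len(data) < 12:
        return ["file shorter than the 12-byte header"]
    head0, head1, head2 = struct.unpack_from("<4sII", data, 0)
    if head0 != RIFF_MAGIC:
        findings.append(f"HEAD0 is {head0!r}, expected b'RIFF'")
    # Assumption (heuristic): a genuine track count is far smaller than the file.
    if head1 > len(data):
        findings.append(f"HEAD1 = 0x{head1:08X} is implausible as a track count")
    # Immediate operands of the kernel-key patch routine found inside the header.
    header = data[:HEADER_SIZE]
    for off in range(0, len(header) - 3):
        val = struct.unpack_from("<I", header, off)[0]
        if val in KERNEL_KEY_CONSTANTS:
            findings.append(f"{KERNEL_KEY_CONSTANTS[val]} (0x{val:08X}) at offset 0x{off:X}")
    return findings

def benign_sample() -> bytes:
    # Constructed: 'RIFF', a single track, a small header word, zero padding.
    return struct.pack("<4sII", b"RIFF", 1, 0x1498C8) + bytes(500)

def crafted_sample() -> bytes:
    # Constructed to mirror the header stdb.asm emits, followed only by the
    # immediate operands of its key-patch instructions (no executable code).
    mem_offset = 0xD004B694
    stdbmemofs = 0x1498BC
    head = struct.pack("<4sII", b"BUFF", (mem_offset - 0x1498C8) // 4, stdbmemofs + 12)
    ops = struct.pack("<III", 0x31415352, 0xA44B1BBD, 0x2DD78BD6)
    return head + ops + bytes(HEADER_SIZE - len(head) - len(ops))

if __name__ == "__main__":
    for name, sample in (("benign", benign_sample()), ("crafted", crafted_sample())):
        print(name, scan_stdb(sample) or "clean")
```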

Ndure protagonist

« Reply #32 on: October 02, 2005, 09:57:00 PM »

Well done yet again xman954!

I've confirmed it works on my 3944; hopefully someone can test it on 5713/5838...

PedrosPad

« Reply #33 on: October 04, 2005, 03:26:00 AM »

QUOTE(xman954 @ Oct 3 2005, 01:50 AM)
some good news

dumdasme

« Reply #34 on: October 04, 2005, 07:25:00 PM »

Alright, I've been out of the scene for a while but was going to try this on my ntsc 5838 box.  I'm still pretty confused but this is what I've been able to put together (can't someone just put everything in one post instead of making us jump post to post, lol)

Using kingroach's ndure 2.1 I should have:

C\

Audio/
bios/
Fonts/
media/
shadowc/
xboxdashdata.17cdc100/ (with only? Default.xip, keyboard.xip, mainmenu5.xip, music_copy3.xip, music_playedit2.xip and music2.xip)
xboxdashdata.185ead00/ (with 4817 xboxdash.xbe renamed settings_adoc.xip)
xodash/ (with s1974272->s1994752 patched update.xbe)
msxboxdash.xbe
xboxdash.xbe
default.xip (from dash 4817)
mainmenu5.xip (from dash 4817)
bert.xtf and ernie.xtf (from here http://forums.xbox-s...post&p=1387970)

and

E\

Dash\
TDATA/fffe0000/music/ (with xman954’s st.db)

Ndure protagonist

« Reply #35 on: October 04, 2005, 08:36:00 PM »

{: dumdasme, that's similar to the setup I have on mine! :}

If you haven't yet, delete the 21 MB filler from shadowc (Ndure 2.1 preallocates that for easter-egging).

The 4817 stuff (incl. the bert and ernie in /C) won't work on a 5838, so delete those too.

The update.xbe in xodash should be the original one (the 185EAD00 version).
.
.
.
This test needs the Uber4920 xboxdash.xbe in C (the MS signed 17CDC100 version).

Also, copy /C/bios/bios.xbe to /E/default.xbe (as that's the habibi signed file this test's st.db launches).

If I haven't missed anything your Xbox should boot, look like "normal" (but only the Music tab will work) and the 10 button presses ("code" segment earlier in this thread) will hopefully trigger the audio exploit on your 5838...

xman954

« Reply #36 on: October 04, 2005, 10:44:00 PM »

Need some help here.
QUOTE
Cold boot->D:5960->"<<EggsBox>>"->ProbeEnabledUberDash
= REBOOT and no file write...(modchip ON, OFF = "not a xbox disk")
Could someone test this out also...

What I did find is, if you run a probe xbe that has a kernel thunk
table in it, all the "normal X86" regs are the same value no matter how it
booted, DVD or eggsbox or evox. I must be missing something.
Is it something to do with the CPU "protected mode"?
I can add code to the probe to find what we need, but I just don't know what to do,
then write it to a file (that part works good).

PedrosPad

« Reply #37 on: October 05, 2005, 01:57:00 AM »

QUOTE(xman954 @ Oct 5 2005, 06:55 AM)
need some help here

dumdasme

« Reply #38 on: October 05, 2005, 08:29:00 PM »

Worked perfectly on my ntsc 5838 using the generic fonts.

dumdasme

« Reply #39 on: October 05, 2005, 09:41:00 PM »

Sorry for the double post, but it wouldn't let me edit.  I also tested this on an ntsc 4920 with generic fonts and it works.  If anyone is interested in my final file setup look here

Cio

« Reply #40 on: October 05, 2005, 11:37:00 PM »

@dundasme

AFAIK, this bit is wrong:
msxboxdash.xbe (uber4920 [.17cdc100] one) needs to be the 185ead00 xboxdash.xbe
and
xboxdashdata.185ead00/
should note: 17cdc100 xboxdash.xbe as settings_adoc.xip


And I was wondering how I should save this PPF since I keep getting "this is not a valid ppf file" errors..

kingroach

« Reply #41 on: October 06, 2005, 06:49:00 AM »

QUOTE(Cio @ Oct 6 2005, 07:48 AM)
@dundasme

xman954

« Reply #42 on: October 06, 2005, 11:55:00 AM »

QUOTE(PedrosPad @ Oct 5 2005, 04:08 AM)
Obviously try
Cold boot->D:5960->"<<EggsBox>>"->UberDash
works first! - in order to verify that all the UberDash support files are in place.
That was the first thing I did and that works fine.
QUOTE
After injecting probe.bin into the UberDash, re-sign the ProbeEnabledUberDash with xbedump - as this recalcs the XBE section checksums!  If you haven't already, it would be a good idea to rename the 'output file' from "bert.xtf", as we don't actually want this mistakenly read as a font at this point.
Did that too, data.dat...
Also with bert.xtf and ernie.xtf in the root of C:\ (even though they're not used by NDURE).

I think the problem is:
the way it was intended to be booted was from the XBL tab of a newer
dash (not 5960), then you would do the audio hack using the doubleST.DB
that would, on its first pass
CODE
;;;   1) Remove the subdirectory 1498c8 (HEAD2) that Dashboard created.
;;;   2) Read a replacement hack from the end of ST.DB and write it to the
;;;    beginning.
;;;   3) Change the MS public key in kernel to habibi-key.
;;;   4) Return to Dashboard. <<<<<<<<<<
then the Return to Dashboard would trigger the probe in the 4920 dash...
but the (double)st.db still works coldboot>ProbeEnabledUberDash, just no file write.

As of yet, no file write...
Can someone try to get it to write a file (any setup)?


dumdasme

« Reply #43 on: October 06, 2005, 04:17:00 PM »

QUOTE
Sorry for the double post, but it wouldn't let me edit. I also tested this on an ntsc 4920 with generic fonts and it works. If anyone is interested in my final file setup look here

oops, I meant my ntsc 3944.

@cio- On the 5838 I can't use the settings_adoc.xip xbe because that has been fixed in this kernel.  So instead, on both xboxes, I used the st.db to trigger the default.xbe in E\.

I'm not sure if, with how I have it set up, I can access my live console or not; I don't use live so I can't really test it.  Since I have the dualboot setup, can I access the live console or do I need to boot straight into the uber4920 dash's xboxdash.xbe?

krayzie

« Reply #44 on: October 06, 2005, 10:28:00 PM »

QUOTE(dumdasme @ Oct 7 2005, 12:28 AM)
oops, I meant my ntsc 3944.