xboxscene.org forums


Author Topic: Softmod Bios Chain Loading From Tsop - No Exploit.  (Read 277 times)

Movax
« Reply #15 on: June 21, 2011, 01:10:00 PM »

You could just FTP over the softmod with a Kingroach ndure setup, but it wouldn't solve most of the things you were saying. Some variation of creating a flashable bios from a softmod, or loading and patching in one shot, should be possible.

xman954
« Reply #16 on: June 21, 2011, 02:41:00 PM »

QUOTE
Yes I am not sure if it is possible to skip the exploit part since you have a retail bios at that point.. but it should be possible to create a tool if one doesn't exist to load a retail bios and patch it at once, or load the bios, then load and run the patcher without calling the bios.. just ideas


here is the code to patch the public key (to run Habibi signed xbe)

CODE
patchpublickey:
 ; ebx = cached pointer to the kernel's XePublicKeyData, 0 on first run
 mov ebx,[ebp+XePublicKeyData-base]
 test ebx,ebx
 jnz .chk

.searchkey:
 ; byte-wise scan of the kernel for the key header magic
 ; ("RSA1" = 31415352h when read as a little-endian dword)
 mov ebx,esi
 inc esi
.chk: cmp dword [ebx],31415352h
 jne .searchkey
 ; sanity check: public exponent 65537 (10001h) sits at +10h
 cmp dword [ebx+10h],10001h
 jne .searchkey

.searchkeyend:
 ; scan forward for the modulus dword to be swapped (found at key+110h)
 inc ebx
 cmp dword [ebx],0A44B1BBDh
 jne .searchkeyend

 ; clear CR0.WP (bit 16) so the read-only kernel page can be written
 pushf
 cli
 mov ecx,cr0
 push ecx
 and ecx,0FFFEFFFFh
 mov cr0,ecx

 ; A44B1BBDh xor 2DD78BD6h = 899C906Bh (MS modulus dword -> Habibi modulus dword)
 xor dword [ebx],2DD78BD6h

 ; restore CR0 and interrupt state
 pop ecx
 mov cr0,ecx
 popf


decrypt the stock bios

find 31415352h ( 52534131 bytes reversed lo to hi)

verify found location + 10h = 00010001 (01000100)

find A44B1BBD ( BD1B4BA4 ) should be next string

replace with 899C906B ( 6B909C89 )

if the bios editor lets you change the boot dash then change it to nkpatcher (default.xbe)

or change all occurrences of xboxdash.xbe and/or xboxdash to nboxdash (nkpatcher.xbe)


Movax
« Reply #17 on: June 22, 2011, 10:27:00 AM »

I think I get it.

1)Flash TSOP
2)set up ROM BIOS to Boot PBL + BFM retail BIOS
  - Retail bios was patched to allow it to boot nkpatcher (Habibi public key rather than MS public key)
3) Point retail bios to nkpatcher file in some manner - hex edit retail bios or rename files on disk.

So I just patch those four bytes in the retail kernel to allow nkpatcher to boot?

What about unlocked harddrives, or no DVD roms?

This post has been edited by Movax: Jun 22 2011, 05:27 PM

xman954
« Reply #18 on: June 22, 2011, 11:43:00 AM »

1 to 3 yes
QUOTE

So I just patch those four bytes in the retail kernel to allow nkpatcher to boot
yes, it should work

QUOTE
What about unlocked harddrives, or no DVD roms
i have no info on that
but im sure it could be done
there is a windows program that will help, IDA Pro Disassembler (bios must be decrypted first)
you could look at a stock bios and a very old hacked bios to get some idea
if you're brave or have a bank switch you could flash the non BFM version once you know it works
also any other Habibi signed xbe, i.e. evox as a BFM bios selector / nkpatcher


i have an old Xecuter 1 chip (non flash) that nkpatcher works with but has LBA problems
could dump the kernel as a starting point
you should be able to remove/jump over the flubber code and nkpatcher will still work


This post has been edited by xman954: Jun 22 2011, 07:13 PM

xman954
« Reply #19 on: February 02, 2020, 09:44:00 PM »

found this nkpatcher.asm

CODE

;;; --------------------------------------------------------------------------
;;; Helper macros for patchers
;;; --------------------------------------------------------------------------

;; Entry: save all registers, stash the caller's arguments and work out
;; where the kernel was actually loaded. After pushad, [esp+32] is the
;; return address and the three dword arguments follow it.
%macro patcherinit 0
pushad
mov eax,[esp+32+12]        ; third argument
mov [caller_param],eax
mov edx,[esp+32+8]         ; second argument, kept on the stack
push edx
mov ecx,[esp+36+4]         ; first argument (esp moved by the push above)
call init_patcher_vars
%endmacro

;; Exit: wipe scratch data, restore registers, pop the three arguments
%macro patcherfinish 0
pop edx
call erasescrap
popad
ret 12
%endmacro


CODE_SECTION

;; memdiff = actual kernel base - 80010000h, the base the patch tables assume;
;; every patch address is relocated by adding memdiff
init_patcher_vars:
push ecx
sub ecx,80010000h
mov [memdiff],ecx




then

CODE
;; %1 = address of the HD lock check, %2 = address of the DVD drive check
%macro m7extra 2
%ifdef INIT_SEC_PATCHES

mov eax,[memdiff]
;; HD locking check bypass (?). No importance for nkpatcher and
;; cannot be enabled anyway because inside INIT section.

mov word [eax+%1],9090h    ; two NOPs (90h) over the check's jump

;; DVD drive check bypass (?). No importance for nkpatcher and
;; cannot be enabled anyway because inside INIT section.

mov byte [eax+%2],0EBh     ; 0EBh = jmp rel8, makes the jump unconditional

%endif; INIT_SEC_PATCHES
%endmacro



also at the end of nkpatcher.asm it lists all kernel versions
CODE

patcher_4034:
    m7extra 800551E6h,8005558Dh


looks easy if you can find the right place in the INIT section (if you want to flash a modded stock bios)

NOTE that a BFM skips the init section so a stock bios chained should work with a unlocked HDD, i think...


edit:

QUOTE
find A44B1BBD ( BD1B4BA4 ) should be next string
it's not the next string, it's found location + 110h




This post has been edited by xman954: Yesterday, 06:34 AM
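The two patches xman954 posted in this thread (the public key swap from reply #16, using the +110h offset from the edit above, and the m7extra HD/DVD check bypass from nkpatcher.asm quoted above), as one added example that is not code from the thread or from nkpatcher. It is a small Python patcher that works on an already-decrypted kernel image; the decrypt/re-encrypt step with XBtool discussed later in the thread is not shown. The sample image, the bytes placed at the 4034 check sites, and the assumption that the decrypted kernel image starts at 80010000h (so nkpatcher's addresses map to file offsets by subtracting the base) are constructed for this example.

```python
import struct

RSA1_MAGIC = b"RSA1"            # 31415352h when read as a little-endian dword
RSA_EXPONENT = 0x10001          # public exponent 65537 at key+10h
MS_MODULUS_DWORD = 0xA44B1BBD   # dword of the MS modulus that gets swapped (at key+110h)
HABIBI_XOR = 0x2DD78BD6         # MS dword ^ this = 899C906Bh (Habibi modulus dword)
KERNEL_BASE = 0x80010000        # assumed load address of byte 0 of the decrypted image


def find_public_key(img, start=0):
    """Offset of XePublicKeyData: 'RSA1' magic with exponent 10001h at +10h.
    Like the asm, an 'RSA1' without the exponent is skipped and the scan continues."""
    pos = start
    while True:
        pos = img.find(RSA1_MAGIC, pos)
        if pos < 0:
            raise ValueError("no RSA1 key header with exponent 10001h found")
        if pos + 0x14 <= len(img) and struct.unpack_from("<I", img, pos + 0x10)[0] == RSA_EXPONENT:
            return pos
        pos += 1


def patch_public_key(img):
    """Swap the MS modulus dword for the Habibi one; returns the patched offset.
    Refuses to patch if the dword is not where the thread says (key+110h) or is already gone."""
    key = find_public_key(img)
    found = img.find(struct.pack("<I", MS_MODULUS_DWORD), key + 1)  # same forward scan as .searchkeyend
    if found < 0:
        raise ValueError("MS modulus dword not found after key header (already patched?)")
    if found != key + 0x110:
        raise ValueError(f"modulus dword at key+{found - key:#x}, expected key+0x110")
    old = struct.unpack_from("<I", img, found)[0]
    struct.pack_into("<I", img, found, old ^ HABIBI_XOR)
    return found


def va_to_offset(va, img_len, base=KERNEL_BASE):
    """Kernel virtual address -> file offset, bounds-checked against the image."""
    off = va - base
    if not 0 <= off < img_len:
        raise ValueError(f"VA {va:#x} outside image (base {base:#x}, len {img_len:#x})")
    return off


def apply_init_patches(img, hd_check_va, dvd_check_va, base=KERNEL_BASE):
    """File-level equivalent of nkpatcher's m7extra: NOP the HD-lock check jump,
    turn the DVD check jump into an unconditional jmp rel8."""
    hd = va_to_offset(hd_check_va, len(img), base)
    dvd = va_to_offset(dvd_check_va, len(img), base)
    img[hd:hd + 2] = b"\x90\x90"   # mov word [eax+%1],9090h
    img[dvd] = 0xEB                # mov byte [eax+%2],0EBh
    return hd, dvd


def build_sample_kernel(key_off=0x12340, size=0x50000):
    """Constructed stand-in for a decrypted kernel image (not real kernel bytes)."""
    img = bytearray(size)
    img[0x1000:0x1004] = RSA1_MAGIC                      # decoy header lacking the exponent
    img[key_off:key_off + 4] = RSA1_MAGIC
    struct.pack_into("<I", img, key_off + 0x10, RSA_EXPONENT)
    struct.pack_into("<I", img, key_off + 0x110, MS_MODULUS_DWORD)
    # made-up conditional jumps at the 4034 check sites listed in nkpatcher.asm
    hd = 0x800551E6 - KERNEL_BASE
    img[hd:hd + 2] = b"\x75\x05"
    img[0x8005558D - KERNEL_BASE] = 0x74
    return img


if __name__ == "__main__":
    kernel = build_sample_kernel()
    off = patch_public_key(kernel)
    print(f"public key dword at {off:#x}: {kernel[off:off + 4].hex()}")
    hd, dvd = apply_init_patches(kernel, 0x800551E6, 0x8005558D)
    print(f"HD check @ {hd:#x} -> {kernel[hd:hd + 2].hex()}, DVD check @ {dvd:#x} -> {kernel[dvd]:#x}")
```

Running the patcher a second time on the same image raises, because the MS dword is no longer there to find; that is the situation ldotsfan describes later in the thread for nkpatcher running on top of an already patched BFM.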

Movax
« Reply #20 on: February 03, 2020, 10:50:00 AM »

Awesome! Thanks for the help/knowledge. Now I just have to learn how to encrypt and decrypt bioses and I can give it a try.

Movax
« Reply #21 on: February 03, 2020, 01:18:00 PM »

Error 5 - HD not locked..
Locked the HD.. it works! Pretty cool.. got to patch the no DVD, locked HD check and it's perfect!

All I installed was PBL with retail bios, bios.xbe from Kingroach ndure setup and my dash in E:\dash\default.xbe where nkpatcher likes it. (no exploit files).

Edit.. Strange - it seems to load unleashX fine.. I can browse files, but any attempt to launch an xbe creates a lockup..IGR seems to do that same thing...?

This post has been edited by Movax: Yesterday, 09:33 PM

xman954
« Reply #22 on: June 23, 2011, 02:43:00 PM »

http://www.xbox-scen...kFpppFyUAcKwoNZ

XBtool


so you decrypted the stock bios, hex edited the 4 bytes and encrypted it with BFM set?


Movax
« Reply #23 on: February 03, 2020, 01:51:00 PM »

Yes.. v1.1 ..4817.. I patched it, it was easy to find the string.. I think I encrypted it correctly. I used xbtool to decrypt it, I may have not encrypted it back correctly? It does boot though. And it does check the hard drive.

I have to go, I'll try encrypting it again tomorrow.

Movax
« Reply #24 on: June 24, 2011, 07:18:00 AM »

Still can't get it to work. Can anyone walk me through how to encrypt a BFM bios to make sure I am doing it correctly?
Are there other files nkpatcher needs to function correctly?
I added e:\NKP11\eeprom_off.bin and shadowc_off.bin
I also installed the ndure toolset (which freezes like other xbes)

I deleted unleashx from  e:\dash and added TEAM XBMC shortcut - XBMC boots, but I still can't launch anything, which is odd considering the shortcut launches XBMC.

Why would it be happy to boot the dash and not anything else?

xboxmods2977
« Reply #25 on: June 24, 2011, 08:06:00 AM »

There may be nothing wrong with your encryption.

Keep in mind that upon loading an XBE from a dash, the bios image stored in ram is "checked", or re-verified before said XBE is launched so, refresh my memory on how you have it set up. Maybe I can come up with an idea on what is going on.
 
So far, I got that you've modified the retail kernel a little and flashed it back to the TSOP, right? What does this bios (on the TSOP) load first?

Movax
« Reply #26 on: June 24, 2011, 08:37:00 AM »

Right now, My boot process is
1)X2 4981 (TSOP),
2)PBLmetoo+BFM 4817 patched as described, (C:\evoxdash.xbe, 4817_retail.bin)
3)nkpatcher, (C:\xboxdash.xbe)
4)XBMCshortcut, (e:\dash\default.xbe)
5)XBMC (e:\apps\xbmc\default.xbe)

XBMC works fine, shows xbox info fine, can't launch xbes. BTW I have also tried PBLite (and it seems faster). Actually it boots extremely fast with PBLite.

xboxmods2977
« Reply #27 on: June 24, 2011, 09:28:00 AM »

Yep. PBLlite is fast. That is what I used.
I have a suspicion that what is happening is redundant patching.

In your step 2, you have loaded your custom retail, which has the signature modification done, but in step 3, NKP loads the softmod bios which attempts to also patch the same section of the bios (in memory) that you've already modified (in the BFM). It should crash before it even loads the dash, but it doesn't, and for some reason, the effect of this "redundant patching" doesn't occur until you try to load an xbe after the xbox has fully booted to the dash.

Here is an idea. (I think I have this thing licked)
Try this. Take another fresh copy of retail 4817 and ONLY remove the HD check and DVD-Rom check, BFM it, and then use that in your step 2. From there, you will be "ever-so-slightly" modified retail, and should be able to install, and boot a softmod.

The reason this should work is because in theory, it isn't possible for a softmod bios to patch out the HD and DVD checks, because these checks are done before the BFM loads, therefore, it is safe to assume that BFM's don't touch the regions of memory where these checks are contained. If this is indeed the case, we should be able to remove the checks without repercussion, while still allowing NKPatcher to do its thing.

Movax
« Reply #28 on: June 24, 2011, 09:38:00 AM »

I thought about redundant patching, but my understanding is that the code contained in the font exploit patches the four bytes I have patched (that is all I have patched thus far). Therefore nkpatcher should be getting the same kernel it would have gotten from retail+exploit.

ldotsfan
« Reply #29 on: June 24, 2011, 09:51:00 AM »

My theory to be confirmed by xman954/Movax:

1. BFM bios was patched to execute Habibi signed XBE, ie the dash, or first XBE.
2. When nkpatcher loads, it no longer finds the byte sequence hence no more patching of public key.

By the way, good work guys. It's incredible that the xbox 1 scene is capable of doing stuff like this so late in its life cycle thanks to the collective experience/knowledge of all of you who contributed in the thread.