xboxscene.org forums

Xbox360 Forums => Xbox360 Online Gaming and other Services => Other Online Services that Support Xbox360 => Topic started by: ledjohnnyboy on December 04, 2009, 03:50:00 PM

Title: Ping Limit Bypass
Post by: ledjohnnyboy on December 04, 2009, 03:50:00 PM
The ping limit is probably fairly easy to modify once we find the file that contains it and modify it. I know one thing: the ping limit is stored in the game itself, because when you boot an original Xbox game you can use XLink without a limit. If anyone is interested, please reply!
Title: Ping Limit Bypass
Post by: xrkahn76 on December 05, 2009, 12:14:00 AM
Do you have the money to pay someone to spend countless hours going through the code of each game?

IT'S NOT GOING TO HAPPEN!
Title: Ping Limit Bypass
Post by: tactical on December 05, 2009, 08:27:00 AM
QUOTE(xrkahn76 @ Dec 4 2009, 10:14 PM)

Do you have the money to pay someone to spend countless hours going through the code of each game?

IT'S NOT GOING TO HAPPEN!



Some of us have been around here for long enough to avoid saying "it's not going to happen!"

This post has been edited by tactical: Dec 5 2009, 04:28 PM
Title: Ping Limit Bypass
Post by: halleluia on December 05, 2009, 09:13:00 AM
As some guy said in another thread (I think it's boxxdr):

If it's possible to make some kind of software or a proxy site that can report a fake ping, it will be much easier.
Title: Ping Limit Bypass
Post by: legssmit on December 05, 2009, 10:12:00 AM
I think it's a lot harder than all of you think. You really think that ping gets "reported"? Of course not, it gets measured... so using a proxy will only increase the ping.
Title: Ping Limit Bypass
Post by: xrkahn76 on December 05, 2009, 07:33:00 PM
Unless someone finds the code in a few games and can determine that it is located in the same spot in every game, so that a patcher can be created, it's going to be a lot of work to do on every game. Ping is measured, and the only way it can be fixed or lowered is to get a faster upload speed, a better ISP, or be able to bypass ISP barriers and filters that restrict your bandwidth, which are pretty much the same thing.

The ping limit could easily be avoided if we had more users. Problem is, we don't! People are still too busy trying to unban, uncripple and whining about the same to realize we are trying to get some games going. Games they could easily be playing if they got on XLink.
Title: Ping Limit Bypass
Post by: tactical on December 06, 2009, 07:19:00 AM
Unless we get xbox-scene and XLink to do a HARD PUSH by putting it on the front page and talking it up, we will not get the masses to play on XLink.

This room is practically DEAD. Now if a ping bypass was found, that really could change everything, because more people would be on XLink: thousands playing COD MW2 just like they used to play Halo on Xbox 1.
Title: Ping Limit Bypass
Post by: ledjohnnyboy on December 06, 2009, 10:39:00 AM
Yeah, the ping limit bypass was really a wish, but really the only way around it is if we push it: make the mass of readers who are banned discover XLink and figure out how to port forward.
Title: Ping Limit Bypass
Post by: InvidiousDemise on December 07, 2009, 09:27:00 PM
I would gladly make a donation to the first person to get this working. You guys think we could get a large enough initiative going to make this work? I think we could; it's all about advertisement, to get someone with the knowledge to do it. I don't have much time right now to start that initiative, but I might work day by day and see what we can do. I think the first best thing to do would be to make this thread bigger by going on XLink's forums and getting this thread some exposure.
Title: Ping Limit Bypass
Post by: majinsoftware on December 08, 2009, 01:15:00 AM
I've spent quite a bit of time today messing around with Halo 3. It looks like I've been able to remove the ping limit in the game, but it appears there is also another limit in the console. It's a bit more relaxed, as I can play with my friend in Australia, to whom I have a ping of 120ms. But I still can't get the game with my mate in the UK to show up. My ping to him is 305ms.

Also, you need XBR or Freeboot because the game has been modified, so it's running in dev mode.
I'll investigate it more before doing a tutorial.
Title: Ping Limit Bypass
Post by: Filthy512 on December 08, 2009, 09:20:00 AM
I have an idea that has been thrown around a bit but never really fully explored. Now that we can run homebrew on Xbox 360 and patch xex files, couldn't someone create a custom dashboard that tricks the Xbox into thinking it is signed into Xbox Live, but it will actually be signed into a private server? With something like this you could emulate Xbox Live, even allowing downloadable content if you could somehow trick the box into thinking that the server is the actual Xbox Live: you could download free XBLA games and map packs and whatnot. I'm sure if a bunch of the right people get together this could work. We could call it XBOX ALIVE. Make it free and it would bypass any ping limits. I mean, for the games we play on Xbox there is always a host, so the hosting would still be done the same way, but this would give you access to content and cool dashboard apps and hacks. It could be done; it would just take a massive amount of time. But I've seen some of the things that the scene has come up with and I think this is 100% within the realm of possibility. Stay tuned, it's gonna happen.
Title: Ping Limit Bypass
Post by: danked on December 08, 2009, 10:34:00 AM
QUOTE(majinsoftware @ Dec 8 2009, 12:15 AM)

I've spent quite a bit of time today messing around with Halo 3. It looks like I've been able to remove the ping limit in the game, but it appears there is also another limit in the console. It's a bit more relaxed, as I can play with my friend in Australia, to whom I have a ping of 120ms. But I still can't get the game with my mate in the UK to show up. My ping to him is 305ms.

Also, you need XBR or Freeboot because the game has been modified, so it's running in dev mode.
I'll investigate it more before doing a tutorial.


Good news. I would love to help out as well if I had any idea of where to look.
Title: Ping Limit Bypass
Post by: ledjohnnyboy on December 08, 2009, 06:46:00 PM
Nice progress with your friend in Australia, keep up the good work. I knew it was just a process of deletion or some sort. If you don't mind posting information on which file you edited, if any, I will look into it, as I would love to get XLink moving! The idea of Xbox Alive is very valid as homebrew approaches! I love this feeling!
Title: Ping Limit Bypass
Post by: InvidiousDemise on December 09, 2009, 04:45:00 PM
Sweet! I look forward to a tutorial and seeing more progress made.
Title: Ping Limit Bypass
Post by: ledjohnnyboy on December 12, 2009, 02:58:00 PM
Hi, I'm trying to do this on MW2 and need help on which value to edit. I found one that says "maximum ping for the client" but it's hard to tell if they're talking about system link or Xbox Live.
Thanks, please help!
Title: Ping Limit Bypass
Post by: ledjohnnyboy on December 13, 2009, 12:35:00 AM
OK, after searching for localhost I think I found the line of code that sends the packet. Now I need to figure out how to use it. Here's a picture of it: http://rapidshare.co...ng_pic.jpg.html Please help me in disabling this command.
Title: Ping Limit Bypass
Post by: kotix on December 13, 2009, 07:15:00 AM
Can you upload the pic on ImageShack or any other host that is not RapidShare?
Thanks
Title: Ping Limit Bypass
Post by: Need Help Now! on December 13, 2009, 08:31:00 AM
http://img94.imagesh.../pingpicjpg.jpg

Rehosted the "rapidshare" picture to maintain forum sanity.

-NHN!
Title: Ping Limit Bypass
Post by: ledjohnnyboy on December 13, 2009, 09:05:00 AM
Did anyone know what that coding meant? Lol, so many lines of code! And if someone
could explain repacking the xex, that would help a lot! Then if someone wants
to test it I could send it. One last question: what does the output xex have to be? Devkit, unencrypted, uncompressed? Thanks for all your help!
Title: Ping Limit Bypass
Post by: kotix on December 13, 2009, 09:28:00 AM
The xex file contains the same exe file you extracted with xextool, so if you make a modification to the exe file, to repack the xex you need to paste the default.exe file into the default-hack.xex you previously created, using a hex editor.
If you are looking at default_mp.xex from MW2, the default_mp.exe baseline starts at addr 0x4000 (see the "MZ").
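The paste-the-exe-back-at-0x4000 step described above, as an added example in Python (not code from kotix, xextool or the thread). It assumes the xex is already decrypted and uncompressed so that the PE image sits in the clear at 0x4000, and it does not touch the xex header's hash or signature fields, which is why the earlier posts say such a repack only boots under XBR/Freeboot. The fake xex, the fake PE and the `MAXPING=30` marker string are constructed placeholders for the demo; the post above itself says no such plain string exists in the real binary. The PE is located by validating `MZ` -> `e_lfanew` -> `PE\0\0` rather than trusting the first `MZ` pair, which is the check a practitioner wants before overwriting anything.

```python
import struct

PE_BASE = 0x4000  # where the post says the PE image starts in default_mp.xex


def build_fake_pe(size=0x1000, marker=b"MAXPING=30"):
    """Constructed stand-in for default_mp.exe: MZ stub, e_lfanew -> 'PE\\0\\0', and a
    placeholder string to patch. The marker is an invented placeholder; the post
    itself says no such plain 'maxping=30' string exists in the real binary."""
    image = bytearray(size)
    image[0:2] = b"MZ"
    struct.pack_into("<I", image, 0x3C, 0x80)      # e_lfanew
    image[0x80:0x84] = b"PE\0\0"
    image[0x200:0x200 + len(marker)] = marker
    return bytes(image)


def build_fake_xex(pe, base=PE_BASE):
    """Constructed stand-in for a decrypted, uncompressed xex: header then the PE."""
    header = bytearray(base)
    header[0:4] = b"XEX2"
    return bytes(header) + pe


def find_pe_offset(xex):
    """Locate the embedded PE by validating MZ -> e_lfanew -> 'PE\\0\\0' rather than
    trusting the first 'MZ' byte pair, which can occur by chance inside the header."""
    pos = xex.find(b"MZ")
    while pos != -1:
        if pos + 0x40 <= len(xex):
            e_lfanew, = struct.unpack_from("<I", xex, pos + 0x3C)
            sig = pos + e_lfanew
            if 0x40 <= e_lfanew and sig + 4 <= len(xex) and xex[sig:sig + 4] == b"PE\0\0":
                return pos
        pos = xex.find(b"MZ", pos + 1)
    raise ValueError("no PE image found in xex")


def extract_exe(xex):
    """Return (offset, exe bytes): the part xextool would hand you as default_mp.exe."""
    off = find_pe_offset(xex)
    return off, xex[off:]


def patch_bytes(blob, old, new):
    """Hex-editor style patch: same length, unique match, fails loudly otherwise."""
    if len(old) != len(new):
        raise ValueError("replacement must keep the same length")
    idx = blob.find(old)
    if idx == -1:
        raise ValueError("pattern not found")
    if blob.find(old, idx + 1) != -1:
        raise ValueError("pattern is not unique; refusing to guess")
    return blob[:idx] + new + blob[idx + len(old):]


def repack_xex(xex, patched_exe):
    """The paste step from the post, done programmatically: overwrite the PE region
    at its original offset with a patched exe of identical length."""
    off, original = extract_exe(xex)
    if len(patched_exe) != len(original):
        raise ValueError("patched exe must be exactly %d bytes" % len(original))
    return xex[:off] + patched_exe
```

Keeping the patched image exactly the same length is what makes the hex-editor paste safe: any size change shifts every offset the xex header records for the image.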
Title: Ping Limit Bypass
Post by: ledjohnnyboy on December 13, 2009, 09:46:00 AM
So I paste default_mp.exe into default-hack.xex, starting with default_mp.exe at 0x4000? One last question: what do you think I should change in that last pic? Maybe I'll try FFing out the sending-packet part. Thanks for the quick reply!
Title: Ping Limit Bypass
Post by: ramaa on December 13, 2009, 10:03:00 AM
QUOTE(ledjohnnyboy @ Dec 13 2009, 05:46 PM)

So I paste default_mp.exe into default-hack.xex, starting with default_mp.exe at 0x4000? One last question: what do you think I should change in that last pic? Maybe I'll try FFing out the sending-packet part. Thanks for the quick reply!


ledjohnny, are you close to bypassing it? I really want to play on XLink!
Anyways, good luck.
Title: Ping Limit Bypass
Post by: ledjohnnyboy on December 13, 2009, 10:09:00 AM
Well, hopefully this value works, but I cannot test this as I have an 8955 Xbox. My theory is only the people joining the host need it. My XTag is ledjohnny.
Title: Ping Limit Bypass
Post by: kotix on December 13, 2009, 10:18:00 AM
QUOTE(ledjohnnyboy @ Dec 13 2009, 05:46 PM)

So I paste default_mp.exe into default-hack.xex, starting with default_mp.exe at 0x4000? One last question: what do you think I should change in that last pic? Maybe I'll try FFing out the sending-packet part. Thanks for the quick reply!

Man, I have no idea what you should change. I've tried searching too for something to change in it, but there is nothing like "maxping=30".

Title: Ping Limit Bypass
Post by: ledjohnnyboy on December 13, 2009, 10:39:00 AM
Yeah, I'm unable to tell the difference between Xbox Live ping limits and system link limits, so I think localhost means system link.

Almost done with my homework, then I'm gonna take a serious look at the code. Also, if I haven't got it, I'll have more than enough time over winter break!
Title: Ping Limit Bypass
Post by: ledjohnnyboy on December 13, 2009, 10:58:00 AM
This is what I mean by being unable to tell the difference:

I've found "max ping" and "maximum ping allowed by the server".
Title: Ping Limit Bypass
Post by: ramaa on December 13, 2009, 11:11:00 AM
LMAO, it says what percentage of clients need to have ping higher than happypingtime.
Title: Ping Limit Bypass
Post by: ledjohnnyboy on December 13, 2009, 11:24:00 AM
On my default_mp.exe it doesn't have MZ at 0x4000; MZ starts at the very first line.
Title: Ping Limit Bypass
Post by: kotix on December 13, 2009, 12:22:00 PM
QUOTE(ledjohnnyboy @ Dec 13 2009, 07:24 PM)

On my default_mp.exe it doesn't have MZ at 0x4000; MZ starts at the very first line.

Look at offset 0x4000 of default_mp.xex, not the "exe".
IDA Pro already has support for PPC.
Title: Ping Limit Bypass
Post by: ledjohnnyboy on December 13, 2009, 12:32:00 PM
You just downloaded yours from Hex-Rays, right? Because when I try to load the idc I am unable to load it. Or do I have to install the xextool plugin?
Title: Ping Limit Bypass
Post by: birdy57 on December 20, 2009, 08:08:00 AM
I have just been looking, and it appears that all frames follow the same structure.
The first 34 bytes are the system link header:
- 4 bytes: CMD
- 2 bytes: option, .....
We can see a sequence number, an answer number...

The CMD for ping is 00:00:00:00 00:58 and the answer 00:00:00:00 01:58.

But all bytes after 0x34 are encrypted; if we can find out how these bytes are encrypted, we can fake an echo-reply.
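A parser for the frame layout birdy57 describes, as an added example in Python (not code from the post or from the console). Only what the post states is decoded: a 4-byte CMD, a 2-byte option, and a tail after the header that is treated as opaque. The header length is taken as 0x34 = 52 bytes, which is an assumption since the post writes both "34" and "0x34"; the CMD/option words are assumed big-endian; the sequence and answer numbers are left undecoded because the post gives no offsets for them. The sample frames are constructed, with a SHA-256 chain standing in for the encrypted tail. The entropy check is the quick test a practitioner runs to back up "looks encrypted" before spending time on the cipher: protocol fields, ASCII and padding sit far below 7 bits per byte, ciphertext near 8.

```python
import hashlib
import math
import struct

# Layout as the post describes it. Everything past the 4-byte CMD and 2-byte option
# is opaque here because the post gives no further offsets. 0x34 is taken to be the
# header length in bytes (assumption; the post also writes "34").
HEADER_LEN = 0x34
CMD_PING = (0x00000000, 0x0058)         # "00:00:00:00 00:58"
CMD_PING_ANSWER = (0x00000000, 0x0158)  # "00:00:00:00 01:58"
KINDS = {CMD_PING: "ping", CMD_PING_ANSWER: "ping-answer"}


def parse_frame(frame):
    """Split a system link frame into the CMD/option words, the rest of the header
    (sequence/answer numbers, layout unknown) and the tail after the header."""
    if len(frame) < HEADER_LEN:
        raise ValueError("frame shorter than the %d-byte header" % HEADER_LEN)
    cmd, option = struct.unpack_from(">IH", frame, 0)
    return {
        "cmd": cmd,
        "option": option,
        "kind": KINDS.get((cmd, option), "other"),
        "header_rest": frame[6:HEADER_LEN],
        "payload": frame[HEADER_LEN:],
    }


def make_frame(cmd, option, header_rest, payload):
    """Build a frame in the same layout (used here only to construct samples)."""
    rest = header_rest.ljust(HEADER_LEN - 6, b"\0")[: HEADER_LEN - 6]
    return struct.pack(">IH", cmd, option) + rest + payload


def shannon_entropy(data):
    """Bits of entropy per byte (0..8) of a byte string."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def looks_encrypted(payload, threshold=7.0, min_len=256):
    """Heuristic: ciphertext (or compressed data) sits near 8 bits/byte, while
    protocol fields, ASCII and zero padding score much lower. Short samples cannot
    reach the threshold at all, so they are reported as inconclusive (False)."""
    return len(payload) >= min_len and shannon_entropy(payload) >= threshold


def stand_in_ciphertext(n, label=b"constructed"):
    """Deterministic high-entropy bytes (SHA-256 chain) used as a stand-in for an
    encrypted tail. This is NOT the console's cipher."""
    out, i = b"", 0
    while len(out) < n:
        out += hashlib.sha256(label + i.to_bytes(4, "big")).digest()
        i += 1
    return out[:n]


def triage(frames):
    """Classify frames and flag which ones carry an opaque (likely encrypted) tail."""
    return [(p["kind"], looks_encrypted(p["payload"])) for p in map(parse_frame, frames)]


# Constructed sample frames, not captured traffic: a ping with an opaque tail and a
# ping answer whose tail is plain ASCII, so the two heuristics can be compared.
SAMPLE_PING = make_frame(*CMD_PING, b"\x00\x01\x00\x00", stand_in_ciphertext(1024))
SAMPLE_ANSWER = make_frame(*CMD_PING_ANSWER, b"\x00\x01\x00\x01", b"plain text ack " * 20)
```

Run `triage` over frames pulled from a capture on the system link port; frames that classify as `ping` or `ping-answer` and score near 8 bits per byte after the header are the ones birdy57 is describing.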
Title: Ping Limit Bypass
Post by: ledjohnnyboy on December 21, 2009, 11:37:00 PM
So when you are talking about the line of code you found, is this in the xex or in the packets the Xbox sends out? Thx
Title: Ping Limit Bypass
Post by: birdy57 on December 22, 2009, 03:59:00 AM
Hi,

this CMD comes out of the packets the Xbox sends out.
All system link games use the same, and they are generated by the M$ API.

Not exactly ALL, because some old games don't have this "ping limit", but they use the same API.

I see now two possible solutions:
- Find in the NAND the key used to encrypt the data after 0x34 and then fake an echo-reply (the best, because there's no need to have a hacked Xbox).

- Compare the API call in this old game and a new one. Then modify the XEX to disable this "ping test".

Ledjohnnyboy, you have done a good search; if you now find the call to this API, for sure you can disable this limit.
Title: Ping Limit Bypass
Post by: ledjohnnyboy on December 22, 2009, 04:13:00 PM
Your idea of modifying the NAND sounds great; that way we can just flash with a modified NAND and never worry about changing each XEX. Hopefully the key that has to be decrypted and sent back is exactly the same for all Xboxes (I think it is). By the way, what method are you using to read the NAND data?
Thanks for your help, guys!
Title: Ping Limit Bypass
Post by: d0ct0r46 on December 28, 2009, 12:35:00 PM
This is great stuff.

I've said for ages someone needs to crack this ping limit in system link. It would be like the old days: Xbox, XLink & Halo 2... rock on.

I would love to help but don't know enough, but you guys rule. Keep up the good work, I'm sure you'll crack it.

Full support given.
Title: Ping Limit Bypass
Post by: maximilian0017 on December 28, 2009, 01:00:00 PM
QUOTE(d0ct0r46 @ Dec 28 2009, 08:35 PM)

This is great stuff.


Looking at these kinds of threads always makes me smile.
Title: Ping Limit Bypass
Post by: ramaa on December 29, 2009, 05:18:00 PM
YESSS guys, keep going.
I've got no frigging idea what you are saying, but I think you are close.
You have my support.

Can't wait to play with those European guys.
Title: Ping Limit Bypass
Post by: zrs_guy on December 30, 2009, 11:56:00 PM
Hi, is it just possible to intercept the packets that the 360 game sends so we can fake replies to those packets? Why make it so hard? It seems that it would be possible to just intercept and send reply packets so the 360 thinks it's getting a good connection under 30ms. Anyhow, that is just a general idea, as I know there is a lot involved. A good example of this can be found in Hak5 episode: http://www.hak5.org/...des/episode-405.

By the way, the episode basically shows how a device responds to Windows computers that send a request out for their particular network. I was thinking it might be possible to use a device such as that, or simply a computer, to sort of do the same concept. Basically the Xbox game sends a packet with certain data to a host, and we just intercept the packet and send a reply packet that shows we are that particular host.
Title: Ping Limit Bypass
Post by: ledjohnnyboy on December 31, 2009, 05:50:00 PM
Yes, this is also another idea that could work, although this packet that is sent out may or may not be encrypted. I'll look at it; if it is encrypted, the encryption may be a simple data scramble.
Title: Ping Limit Bypass
Post by: zrs_guy on December 31, 2009, 09:50:00 PM

http://img109.images...454/maxping.jpg

Take a look at the data in that blue selection; obviously those are variables for determining or storing the host name. Now maybe by analyzing other files we might be able to find some examples of these hosts. In my opinion, if we can figure out what the packets being sent contain and what the packets being received contain, then we can send a reply packet that duplicates the reply packets being sent by an actual Xbox server.
Title: Ping Limit Bypass
Post by: henno88 on January 12, 2010, 12:33:00 PM
anything new to bypass ping limit?
Title: Ping Limit Bypass
Post by: Cincinnatus on January 13, 2010, 08:24:00 PM
QUOTE(zrs_guy @ Dec 31 2009, 01:56 AM)

Hi, is it just possible to intercept the packets that the 360 game sends so we can fake replies to those packets? Why make it so hard? It seems that it would be possible to just intercept and send reply packets so the 360 thinks it's getting a good connection under 30ms.


I was just going to suggest this as I was reading this thread. This has to be the easiest thing to do. Just have the PC intercept ICMP packets, find out the source information, drop the packet, spoof the reply; you're done.
http://diablohorn.wo.../06/icmp-spoof/

Am I missing something more complicated?

I feel this would be much easier than targeting each game.


Title: Ping Limit Bypass
Post by: xboxbman on January 15, 2010, 02:30:00 PM
QUOTE(Cincinnatus @ Jan 13 2010, 10:24 PM)

I was just going to suggest this as I was reading this thread. This has to be the easiest thing to do. Just have the PC intercept ICMP packets, find out the source information, drop the packet, spoof the reply; you're done.
http://diablohorn.wordpress.com/2008/12/06/icmp-spoof/

Am I missing something more complicated?

I feel this would be much easier than targeting each game.


Last I checked, all the network traffic to and from the 360 is encrypted. Ever try pinging a 360? They don't ping back, because your ping is not encrypted.

Good luck though. This thread had me laughing. There are more people saying "I don't know what is going on, but I support this" than any relevant information.

I am hoping someone will recommend brute-forcing the encryption. That always makes me laugh.
Title: Ping Limit Bypass
Post by: Cincinnatus on January 16, 2010, 04:48:00 PM
QUOTE(xboxbman @ Jan 15 2010, 04:30 PM)

Last I checked, all the network traffic to and from the 360 is encrypted. Ever try pinging a 360? They don't ping back, because your ping is not encrypted.

Good luck though. This thread had me laughing. There are more people saying "I don't know what is going on, but I support this" than any relevant information.

I am hoping someone will recommend brute-forcing the encryption. That always makes me laugh.

Judging by your response, it sounds like it is not sending out traditional ICMP packets. The console could have a simple firewall rule to block ICMP traffic; that doesn't mean the console's 'PING' requests are encrypted, though. Although it could be encrypting TCP/UDP packets at L4, and the console is just timing the other console's response (or sending it out unencrypted). I'm curious how the boxes do key agreement, and whether or not it's built into the individual games, or the consoles.

I can't imagine typical gameplay traffic being encrypted and decrypted at a software layer. Best way to see what's going on is to sniff the traffic, I guess.
Title: Ping Limit Bypass
Post by: neo8222 on January 19, 2010, 05:34:00 PM
I'm not sure if it will help, but I sniffed the packet sent when searching for a system link game.
PIK-A-TURE!
Next time someone's online for the games I have, I'll sniff the packets sent when attempting a connection.
Title: Ping Limit Bypass
Post by: ledjohnnyboy on January 20, 2010, 11:50:00 AM
Nice pic, it reveals a lot about the info sent out and received. If you want, you can sniff the packets from us. I have a feeling that the arrival time means something, and it might say something like end time on the connecting part. Add me as a friend on XLink: ledjohnny.
Title: Ping Limit Bypass
Post by: neo8222 on January 20, 2010, 12:43:00 PM
OK, I took an even bigger reading, getting almost 100 packets. Since it's so big I just saved the file in a generic .cap format that Windows NetMon or Wireshark can open and read. Destination 255.255.255.255 seems to be only sent when looking for games, while destination 0.0.0.1 is sent when attempting a connection. Here's the link for the DL! Packet.cap

Also, one thing to note is each packet sent has a checksum and an identification hex code that are different each time, so I'm thinking it's the "key" for decrypting the code. I'd hope that the relation could be found between them. Once that's done it should be easy to script/write a program to intercept the packets on port 3074 (the only one the 360 uses for connection) and "spoof" the proper reply in under 30ms. If it can be done it'd be a major step in the right direction, true?

Oh, and the "frame xx" area is from Wireshark; it stamps the capture or arrival time for that packet and some header data.

This post has been edited by neo8222: Jan 20 2010, 08:51 PM
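A first pass over a capture like the one neo8222 describes, as an added example in Python (not neo8222's Packet.cap, nor a tool from the thread): a dependency-free pcap reader that keeps only IPv4/UDP frames touching port 3074, classifies them by destination the way the post does (255.255.255.255 for game searches, 0.0.0.1 for join attempts), and reports any IP identification values that repeat. That last check is the one to run before treating the per-packet identification as a "key": a field that is merely an incrementing IP ID is not key material. Assumptions: Ethernet link type, little-endian microsecond pcap, no IP options beyond what IHL says; the capture embedded below is constructed, including the MAC addresses.

```python
import struct

PORT = 3074                      # the port the post identifies as the one the 360 uses
SEARCH_DST = "255.255.255.255"   # destination the post associates with game searches
CONNECT_DST = "0.0.0.1"          # destination the post associates with join attempts
PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1


def ip_bytes(s):
    return bytes(int(x) for x in s.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_frame(src_ip, dst_ip, ident, payload, sport=PORT, dport=PORT):
    """Constructed Ethernet/IPv4/UDP frame for the sample capture. MAC addresses are
    made up (locally administered); IPv4 and UDP checksums are left 0."""
    eth = b"\xff" * 6 + b"\x02\x00\x00\x00\x00\x01" + b"\x08\x00"
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), ident, 0, 64, 17, 0,
                     ip_bytes(src_ip), ip_bytes(dst_ip))
    return eth + ip + udp


def build_pcap(frames):
    """Little-endian pcap with one record per frame (timestamps are just the index)."""
    head = struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = b"".join(struct.pack("<IIII", i, 0, len(f), len(f)) + f
                    for i, f in enumerate(frames))
    return head + recs


def parse_frame(frame):
    """Return src/dst/ident/payload for an IPv4/UDP frame touching PORT, else None."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ihl = (frame[14] & 0x0F) * 4
    _, _, _, ident, _, _, proto, _, src, dst = struct.unpack_from("!BBHHHBBH4s4s", frame, 14)
    if proto != 17 or len(frame) < 14 + ihl + 8:
        return None
    sport, dport, ulen, _ = struct.unpack_from("!HHHH", frame, 14 + ihl)
    if PORT not in (sport, dport):
        return None
    start = 14 + ihl + 8
    return {"src": ip_str(src), "dst": ip_str(dst), "ident": ident,
            "payload": frame[start:start + ulen - 8]}


def read_pcap(data):
    """Walk the pcap records and keep the frames parse_frame accepts."""
    magic, = struct.unpack_from("<I", data, 0)
    if magic != PCAP_MAGIC:
        raise ValueError("only little-endian microsecond pcap handled here")
    linktype, = struct.unpack_from("<I", data, 20)
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("not an Ethernet capture")
    off, out = 24, []
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, _ = struct.unpack_from("<IIII", data, off)
        pkt = parse_frame(data[off + 16: off + 16 + incl])
        off += 16 + incl
        if pkt:
            pkt["ts"] = ts_sec + ts_usec / 1e6
            out.append(pkt)
    return out


def classify(pkt):
    if pkt["dst"] == SEARCH_DST:
        return "search-broadcast"
    if pkt["dst"] == CONNECT_DST:
        return "connect-attempt"
    return "other"


def summarize(data):
    """Count packet kinds on PORT and list IP identification values that repeat."""
    pkts = read_pcap(data)
    counts, seen, reused = {}, set(), set()
    for p in pkts:
        k = classify(p)
        counts[k] = counts.get(k, 0) + 1
        if p["ident"] in seen:
            reused.add(p["ident"])
        seen.add(p["ident"])
    return {"packets": len(pkts), "counts": counts, "reused_idents": sorted(reused)}


# Constructed sample capture: two searches, one join attempt, and one unrelated DNS
# query that the PORT filter must drop. Payloads are opaque filler.
SAMPLE_PCAP = build_pcap([
    build_frame("192.168.1.20", SEARCH_DST, 0x1A01, b"\0" * 52),
    build_frame("192.168.1.20", CONNECT_DST, 0x1A02, b"\0" * 52),
    build_frame("192.168.1.20", "192.168.1.1", 0x1A03, b"dns", sport=5353, dport=53),
    build_frame("192.168.1.20", SEARCH_DST, 0x1A04, b"\0" * 52),
])
```

Feed a real `.cap` to `summarize(open(path, "rb").read())`; a non-empty `reused_idents` means the identification field is not unique per packet, and the `payload` field of each record is what the frame-level parsing in this thread then applies to.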
Title: Ping Limit Bypass
Post by: ledjohnnyboy on January 21, 2010, 10:03:00 PM
Yeah, if we can find out the encryption method we just have to spoof a reply with the same encryption used. I'm currently looking at the download.
Title: Ping Limit Bypass
Post by: neo8222 on January 22, 2010, 05:55:00 AM
I would assume it's one of the more common encryptions; I don't think Microsoft would have a team put together just to make a new encryption protocol for an Xbox... It's possible the checksum is the key to it, telling the other Xbox how to decrypt the data. I'm no expert, but judging by the checksum length, if it is the key it should be a fairly small bit level and easy for a program to intercept, read and repackage a response in the time limit. My guess would be it uses a Merkle–Damgård system because it works with hash codes and checksums, which if the case would have a standard block cipher and could be loaded into a separate program.

Edit: now that I think about it, the block cipher should be contained in the NAND chip; someone that can get in and dump the NAND should start looking for a block cipher. I would do it, but I've got an 8955 kernel and can't get in.

This post has been edited by neo8222: Jan 22 2010, 02:13 PM
Title: Ping Limit Bypass
Post by: Mr-Woo on January 22, 2010, 07:04:00 AM
This should give you an insight into how local game play is done on an Xbox 360:

http://v3.espacenet.com/publicationDetails...DB=&locale=

Please read it fully; it is directed to the Xbox 360 because of the wireless connection,
and it explains the 3 stages of key exchange:

Phase I: Generate Shared Secret Keys

Phase II: Session Discovery

Phase III: Key Exchange


[0054] The hash digest is placed in the "Hash" field of the key exchange packet. The response packet now has the following contents:

KeyExResp: [NonceInit, NonceResp, g<Y>, NKID, NADDR, Time, HashResp].




This post has been edited by Mr-Woo: Jan 22 2010, 03:07 PM
Title: Ping Limit Bypass
Post by: ledjohnnyboy on January 22, 2010, 07:06:00 AM
Yeah, I can't dump my NAND either, thanks to the latest update, but danked can, so I'll PM him and get a bin if possible.
ledjohnny
Title: Ping Limit Bypass
Post by: neo8222 on January 22, 2010, 10:15:00 AM
OK, well, I've been talking to a professor at my college and he's telling me the next step he would do is create a rainbow table for the encryption ciphers and use trial and error. I guess my next course of action will be to create a rainbow key, or attempt to create a rainbow table for the Merkle–Damgård system, run it and see what happens. If it becomes workable data then good; if not, well then... on to the next cipher key.
Title: Ping Limit Bypass
Post by: danked on January 22, 2010, 10:26:00 AM
YGPM. Yeah, I have a few NAND dumps.
Title: Ping Limit Bypass
Post by: InvidiousDemise on January 22, 2010, 05:27:00 PM
If anyone needs me to, I am available to set up my box for Kai if you want to have me sniff packets or something. I have a JTAGged box and am willing to perform guinea pig tests. I don't know much about deciphering the packets or anything, but I have played around with packet sniffing a few times.

I am willing to setup a constantly running server/ test box for while I'm away if necessary also.
Title: Ping Limit Bypass
Post by: vb_encryption_vb on January 22, 2010, 06:13:00 PM
QUOTE(tactical @ Dec 6 2009, 09:19 AM)

Unless we get xbox-scene and XLink to do a HARD PUSH by putting it on the front page and talking it up, we will not get the masses to play on XLink.

This room is practically DEAD. Now if a ping bypass was found, that really could change everything, because more people would be on XLink: thousands playing COD MW2 just like they used to play Halo on Xbox 1.



To hell with XLink, too many mods going on in that garbage-ass shit.
Title: Ping Limit Bypass
Post by: danked on January 22, 2010, 08:51:00 PM
QUOTE(vb_encryption_vb @ Jan 22 2010, 07:13 PM)

To hell with XLink, too many mods going on in that garbage-ass shit.



Wow, that was very insightful.
Title: Ping Limit Bypass
Post by: iPryoR on February 08, 2010, 03:18:00 PM
Any new info on this? Keep going!!
Title: Ping Limit Bypass
Post by: toybox on February 23, 2010, 08:45:00 PM
Wouldn't it help to monitor a running game with something like text chat, to search for it to brute-force the encryption?
Title: Ping Limit Bypass
Post by: toybox on February 23, 2010, 11:28:00 PM
I also took a look into the transferred data. To test it, I opened the game search in MW2 and I saw the name of
the running server, so we can get known values for decryption. I am not good at coding, so that's all I can do
for now. I strongly believe that's enough data to get around the encryption.
Title: Ping Limit Bypass
Post by: x_redentor on February 25, 2010, 12:19:00 PM
QUOTE
game.cfg - example

// Internet simulation (only active in multiplayer)

Server.IsInternetSimulationEnabled true

Server.MinLatency                 0.025

Server.MaxLatency                 0.100

Server.PacketDrops                0.005

Server.DropSpikeChance            0.001

Server.MinDropDuration            0.100

Server.MaxDropDuration            0.300

Server.ReorderingChance           0.005

Server.DuplicationChance          0.005

Server.CorruptionChance           0.001

Server.UnrestrictedUnlocks        false


http://www.megaupload.com/?d=PUWC1XM4

I am Spanish.
Title: Ping Limit Bypass
Post by: NLA on February 26, 2010, 02:11:00 PM
QUOTE(x_redentor @ Feb 25 2010, 02:19 PM)

bad company 2

archive config.zz
http://www.megaupload.com/?d=PUWC1XM4

I am Spanish.

Neat. I have some time later when I won't be JTAG'ing a Falcon; I'll give this a look. I have... many games... I'll look for some ping-related information.

Also, from the picture someone posted earlier, those look like commands to be entered into MW's console to change server variables. I'll take a look at that as well.
Title: Ping Limit Bypass
Post by: Rubens87 on March 05, 2010, 07:09:00 PM
If this were made, I would play Resident Evil VERSUS MODE all day.
Title: Ping Limit Bypass
Post by: henno88 on March 11, 2010, 01:17:00 PM
I don't think the ping limit is in the game; it must be in the Xbox system, somewhere in the NAND's data.
I spent much time finding a way to bypass this limit, but in all games with syslink there is nothing to find.

So I think it goes like:

gametype set to system link
Xbox itself manages the connection and knows: if gametype is systemlink, use pinglimit true
Title: Ping Limit Bypass
Post by: Rubens87 on March 11, 2010, 05:43:00 PM
Yeah, then it's because the question is in the game, so if the game says Yes, then it blocks the connection with a ping limit; we have to patch the game then. Is it easier than patching the NAND?
Title: Ping Limit Bypass
Post by: henno88 on March 12, 2010, 02:33:00 AM
No, I think we can't patch the game!
Because you want to play system link, so you can't change it.
Xbox manages the connection, so Xbox must be patched.
Also, I think you want to play more than one game, so it is easier to patch the Xbox/NAND than 100 games.
Title: Ping Limit Bypass
Post by: Rubens87 on March 14, 2010, 07:18:00 PM
Yeah, then... how can we crack the NAND protections?
Title: Ping Limit Bypass
Post by: SoLovely on March 15, 2010, 06:33:00 PM
I will provide a simple C++ software bridge and some information later, in case anyone is looking to bypass the ping filter via packet manipulation. I wish someone knew a bit more about how exactly the ping is found; I've only heard speculation, and making a program to beat the ping filter is too much work to go to waste over speculation.

Do you lag out if your connection begins below the limit but spikes slightly above? Or is it only really a problem while finding and joining games?
Title: Ping Limit Bypass
Post by: ledjohnnyboy on March 16, 2010, 03:01:00 PM
The ping only has to be under 30 ms when joining; the ping can get as high as it wants after connecting, so we would only have to set it under 30 for 10 seconds.
Title: Ping Limit Bypass
Post by: SoLovely on March 16, 2010, 08:03:00 PM
In that case a ping limit bypass via packet manipulation should be relatively easy to achieve (in theory).

The way I see it, the connection times out somewhere during the initial broadcast/exchange packets (if anyone could upload some captures from netmon or wireshark of both successful and unsuccessful joins we could establish exactly when it happens). The best way to beat this is a man in the middle program on both ends of a connection. Allow me to demonstrate…

Xbox1 = Computer1 = (internet) = Computer2 = Xbox2
(assume each computer is running our hypothetical program)
Bored User1 is sitting at home and decides he wants to play some games over the web. Unfortunately, he just lost his job, so no xbox Live service, and consequently he had to downgrade his internet package to the point that his ping between nearly everyone makes him unable to connect. So he boots up his Xbox1 and the Computer1 which is connected to his xbox and launches our software. The software is, in essence, a software bridge that receives data on one nic, either leaves it untouched or edits it somehow, and forwards it out of the other. After the program fires up and User1 has chosen his two nics, he goes into the system link lobby and searches games, which causes Xbox1 to begin sending out some boadcast packets seeking a game and Computer1 forwards these packets as they come. Just as it happens regularly, these packets go across the virtual lan network and all available hosts respond, ect, ect up until the point that User1 decides to join one of the games now populating his screen. As User1 joins User2’s game (what a coincidence!), Xbox1 creates a key exchange packet and sends it out. The software on Computer1 receives this packet but does not forward it, instead creating a generic packet that requests a connection to Computer2. Quickly, the software on Computer1 creates a fake key exchange response and sends it to Xbox1, establishing the secret key between them (DH, the algorithm used in key generation, is extremely susceptible to MITM which makes this possible). Upon receiving the generic connection request packet, Computer 2 does the same for Xbox 2. Each computer has established an encrypted and hashed connection between it and its respective xbox, and in a time far faster than would be regularly possible by sending the exchange packets over the network, so the connection passes the ping limit. 
Now to communicate, Xbox1 sends out a packet which is received by Computer1, stripped of its hash  and decrypted using Xbox1’s negotiated key, sent over the network to Computer2 where it is hashed and encrypted using Xboxs2’s negotiated key, and sent out to Xbox2 (this process is done both ways).

It’s not perfect, and definitely just a simple outline, but it pans out conceptually and you get the idea. The hashing and encrypting seem like they would take a lot of time but I’m predicting no more than 20 m/s overhead. Still working on that bridge smile.gif not very good at programming and didn't know C++ till this morning. Once that's set up we'll have a platform to manipulate packets from.

The only really glaring problem is that the exact way the broadcast and exchange packets work is somewhat blurry at this point; specifics are not mentioned in the Xbox or 360 SDK, there's not any particularly useful information in the winsockx.h file, and the netmon parser can only tell us packet layouts and not implementation. Either someone reverse engineers... well, whatever controls the Xbox's network security, or we're left to do a lot of guess-and-check work based on what very little we know, and that is, in all honesty, extremely unlikely to succeed.

Anyways… just my perspective on the issue. Tell me if you see any other problems.
Title: Ping Limit Bypass
Post by: InvidiousDemise on April 03, 2010, 05:34:00 AM
The technicalities of this are beyond my means but I do have something I think a lot of people don't have. I have the ability to test independently.  If anyone wants to get with me and give me instructions on tests to run, please don't hesitate. 318-277-9343 is my google number.

I have 2 separate internet connections in the same room with 2 separate computer/xbox setups.

1 of my consoles is jtagged, the other is not.

I just got Kai running on both computers and managed to get to a point where I could see the lobby for a game of Halo 3. I think my ping was too high to play, unfortunately (I'm trying to set up Kai for my university, but that's another topic).
Title: Ping Limit Bypass
Post by: Rubens87 on April 06, 2010, 05:04:00 AM
its nice how ideas are coming everyday, i hope someday we all can play  games without paying live of shit!:D
Title: Ping Limit Bypass
Post by: SoLovely on April 11, 2010, 12:53:00 PM
New developments kind of.

QoS packets aren't really important, but are actually hashed and encrypted with some preshared key that every xbox must know, since there's no exchange preceding it. They contain state data for the available session (IE: number of players, room status, gametype, map, etc).

A comparison of key exchange request packet payloads looks like this:

[image: comparison of key exchange request packet payloads]

I'll post more later
Title: Ping Limit Bypass
Post by: 10camaross on April 13, 2010, 01:44:00 PM
any progress is good progress.
Title: Ping Limit Bypass
Post by: theninjaway on April 17, 2010, 10:00:00 AM
new release of freeboot has memory editing, is that going to help efforts?
Title: Ping Limit Bypass
Post by: SoLovely on April 20, 2010, 10:06:00 PM
I have an English paper and a Government project due tomorrow, so procrastination dictates that I must now come and write up a lengthy paragraph detailing what we know thus far. Let's get into it.

The 360's SDK comes with a netmon parser for the Xbox's Secure Protocol (henceforth, XSP). This gives us a good bit of insight into how everything works, far deeper than the intentionally sheltered and cryptic 360 whitepapers and the outdated but more liberal original Xbox whitepapers (it looks like the person making the parser didn't get the don't-reveal-things-important-to-security memo).

I think I laid out the attack in an earlier post so I won't go into it much here. Pretty much you're setting up a MITM between the client and the host on a local machine. This MITM acts as a bridge between the two connections, but spoofs two key exchanges on either side of the wire, so the exchange appears to have "traversed the network" in no time at all to your console. This is assuming the ping limitation is dependent on the DH exchange itself. Someone told me that. If they're wrong, blame them. Alternatively, someone could just check it; make a capture of a game that doesn't connect. If the data in the last packet after you try and join begins with 00 00 00, we're all good. But I think we're all good. So no worries.

So this key exchange, exactly what the fuck is in it you ask? What do we need to do? Isn't DH mega exploitable to MITM? Shouldn't this be easy? Good questions. I don't really know the answers. What do we know so far? We know that from the exchange, at least two keys are decided upon: the DES key for encryption and the HMAC-SHA-1 key for authentication. We know that the exchange is Diffie-Hellman. We know what the exchange packets look like and the data fields they contain. We don't exactly know how the keys are decided. We think there is a universal key that all Xboxes already know when on LAN, which would explain encrypted state data sent during QoS probing on system link. We also think there may be some kind of per-title key (according to the SDK), though we're not sure why or its relevance in all of this. We know what a regular XSP packet looks like and, if we can obtain the keys, how to encrypt and hash the data (laid out in the original SDK article "Secure Sockets", I believe). We have a simple software platform ready for future development. It probably sucks pretty bad.

Oh well. With all of that said, all we need to do is figure out how to get keys out of the exchange to get this up and running.

The Exchange packet fields go about like this for anyone trying to figure this out (direct from parser):

Spi //presumably security parameter index, used to decide what the packet is

Key Ex V1 Request To Xbox Using System Link
>Type
>Size
>Version
>Retry
>Flags
>Key ID
>>Systemlink Xnkid //Xbox key ID, kind of gives a name to the session if I remember correctly
>SpiInit
>SpiResp
>NonceInit
>NonceResponse
>Time
>InitVector
>XnAddrInit: Encrypted Xnaddr //xbox address optimized for xbox I think. Pretty clearly laid out in whitepapers if you really want to know
>XnAddrResp: Encrypted Xnaddr

Diffie Hellman G^x Value
>Type
>Size
>GXValue

HMAC Sha Value
>Type
>Size
>HMACSha

So, if you have any insight as to how all of this should work given this data, feel free to share. Frankly, I don’t right now. Of course, I haven’t put very much time into it, so that’s not really surprising. I’ll do some research after APs I guess. If you need anything else, just say the word. Happy manipulating.
Title: Ping Limit Bypass
Post by: thesonandheir on April 21, 2010, 05:46:00 AM
Hey, great work SoLovely!

I was perusing XBH when I came across this post by xxANTMANxx

http://www.xboxhacke...?topic=14581.20



struct SystemFlags {
    DWORD   NoForceReboot                   : 1; //= 0x00000001
    DWORD   ForegroundTasks                 : 1; //= 0x00000002
    DWORD   NoOddMapping                    : 1; //= 0x00000004
    DWORD   HandleMceInput                  : 1; //= 0x00000008
    DWORD   RestrictHudFeatures             : 1; //= 0x00000010
    DWORD   HandleGamepadDisconnect         : 1; //= 0x00000020
    DWORD   InsecureSockets                 : 1; //= 0x00000040
    DWORD   Xbox1XspInterop                 : 1; //= 0x00000080
    DWORD   SetDashContext                  : 1; //= 0x00000100
    DWORD   TitleUsesGameVoiceChannel       : 1; //= 0x00000200
    DWORD   TitlePal50Incompatible          : 1; //= 0x00000400
    DWORD   TitleInsecureUtilitydrive       : 1; //= 0x00000800
    DWORD   TitleXamHooks                   : 1; //= 0x00001000
    DWORD   TitlePii                        : 1; //= 0x00002000
    DWORD   CrossplatformSystemLink         : 1; //= 0x00004000
    DWORD   MultidiscSwap                   : 1; //= 0x00008000
    DWORD   MultidiscInsecureMedia          : 1; //= 0x00010000
    DWORD   Ap25Media                       : 1; //= 0x00020000
    DWORD   NoConfirmExit                   : 1; //= 0x00040000
    DWORD   AllowBackgroundDownload         : 1; //= 0x00080000
    DWORD   CreatePersistableRamdrive       : 1; //= 0x00100000
    DWORD   InheritPersistedRamdrive        : 1; //= 0x00200000
    DWORD   AllowHudVibration               : 1; //= 0x00400000
    DWORD   TitleBothUtilityPartitions      : 1; //= 0x00800000
    DWORD   HandleIPTVInput                 : 1; //= 0x01000000
    DWORD   PreferBigbuttonInput            : 1; //= 0x02000000
    DWORD   Reserved26                      : 1; //= 0x04000000
    DWORD   MultidiscCrossTitle             : 1; //= 0x08000000
    DWORD   TitleInstallIncompatible        : 1; //= 0x10000000
    DWORD   AllowAvatarGetMetadataByXUID    : 1; //= 0x20000000
    DWORD   AllowControllerSwapping         : 1; //= 0x40000000
    DWORD   DashExtensibilityModule         : 1; //= 0x80000000
    /* These next ones don't even fit into a DWORD?
    DWORD   AllowNetworkReadCancel          : 1; //= 0x100000000
    DWORD   XexUninterruptableReads         : 1; //= 0x200000000
    DWORD   RequireExperienceFull           : 1; //= 0x400000000
    DWORD   GamevoiceRequiredUI             : 1; //= 0x800000000
    */
};


Does anyone know what the one in bold does?
Title: Ping Limit Bypass
Post by: Haruno on April 28, 2010, 12:29:00 AM
thesonandheir maybe playing sys link with 360 and origxbox? or probably pc live and 360 live
Title: Ping Limit Bypass
Post by: SoLovely on April 29, 2010, 09:09:00 AM
(Sorry if I butcher terminology) The ping limit may be part of the xNetConnect (I think that's the name) function call, and is probably defined in the nand. The library that defines that function is xOnline (I think) if you want to look, but I don't know if it's completely defined in there or just diverts it all to the nand. I don't really know much about this kind of thing though :3

On to business, I have a few questions. I remember reading quite some time ago that there is a "LAN Key" in the KV? Would anyone know anything about that? Are all LAN keys across all xboxs the same? Is the location of a per-game key on the game disk well known (I know it exists, does anyone know where?)? Can anyone make me a capture of a failed connection so I can actually confirm exactly where the limit is implemented? Thanks.

I'm moving forward pretty fast, faster if I could just get some major kinks out of the way with your help. Lets hope for some solid products soon...
Title: Ping Limit Bypass
Post by: warwolf on April 29, 2010, 11:25:00 PM
Ugh, I couldn't make it fail, because it didn't find any games, although there should have been some because there were many players in the room. Anyway, I created a game (COD MW2) and 1 person joined and we moved around a little.
If you could tell me how I can make it fail I would gladly help.
Here's my capture:

Wireshark Capture File
Title: Ping Limit Bypass
Post by: warwolf on April 30, 2010, 05:01:00 AM
While looking for the ping function, I found these functions (I think) declared in xam.xex (from the nand.bin):

.rdata:81870750 __imp__XeCryptBnQwBeSigVerify:.long 0x166
.rdata:81870754 __imp__XeKeysGetKey:.long 0x244

along with other functions for encryption, like:

.rdata:818707C8 __imp__XeCryptRc4Ecb:.long 0x18C
.rdata:818707CC __imp__XeCryptRc4Key:.long 0x18B
.rdata:818707D0 __imp__XeCryptHmacShaFinal:.long 0x181
.rdata:818707D4 __imp__XeCryptHmacShaUpdate:.long 0x180
.rdata:818707D8 __imp__XeCryptHmacShaInit:.long 0x17F
.rdata:818707DC __imp__XeCryptBnDwLePkcs1Verify:.long 0x163
.rdata:818707E0 __imp__XeCryptBnQwNeRsaPubCrypt:.long 0x16D
.rdata:818707E4 __imp__XeCryptBnQw_SwapDwQwLeBe:.long 0x170

and since they are in the .section ".rdata", I believe they are defined in the same file.

I don't understand all the assembler stuff yet, but if someone is willing to explain or give some other hints, I'll gladly try to contribute. I will look more into this after I get home from my courses.
Title: Ping Limit Bypass
Post by: warwolf on April 30, 2010, 12:38:00 PM
There seems to be a problem...
There are 2 functions the hosts and clients call: XNetQosLookup and XNetQosListen.
These functions are used to probe the quality of service (QoS) between itself and specified remote hosts.
XNetQosLookup has a parameter ppxnqos which is a pointer to a pointer to an XNQOS structure that receives the results from the QoS probes.
The XNQOS structure contains data about the total number of remote hosts being probed and the number of remote hosts for which data has not yet been received. When this member is zero, all probes are complete.
The way the probes "know" when to stop probing a device is through the data in the XNetStartupParams structure, which looks like this:

typedef struct {
    BYTE cfgSizeOfStruct;
    BYTE cfgFlags;
    BYTE cfgSockMaxDgramSockets;
    BYTE cfgSockMaxStreamSockets;
    BYTE cfgSockDefaultRecvBufsizeInK;
    BYTE cfgSockDefaultSendBufsizeInK;
    BYTE cfgKeyRegMax;
    BYTE cfgSecRegMax;
    BYTE cfgQosDataLimitDiv4;
    BYTE cfgQosProbeTimeoutInSeconds;
    BYTE cfgQosProbeRetries;
    BYTE cfgQosSrvMaxSimultaneousResponses;
    BYTE cfgQosPairWaitTimeInSeconds;
} XNetStartupParams;

From all this stuff I think we should concentrate on modifying the following:

cfgQosProbeTimeoutInSeconds (The amount of time to wait for a response after sending a QoS packet before sending it again (or giving up). This should be set to the same value on clients (XNetQosLookup callers) and servers (XNetQosListen callers). The default value is 2 seconds. )
and
cfgQosPairWaitTimeInSeconds (The maximum amount of time for QoS listeners to wait for the second packet in a packet pair. The default value is 2 seconds. )

Now the problem is that this data is in a structure, and I can't think of a permanent way of increasing the value from here...
This is where I'm momentarily stuck.
Any comments would be appreciated
Title: Ping Limit Bypass
Post by: Garzahd on May 08, 2010, 12:24:00 PM
A pointer to a pointer eh?  Well, then that struct must be instantiated and those variables assigned before XNetQosLookup and XNetQosListen are ever called.  You'd have to find the point at which that is done.

Sorry if that was too obvious.

Does anyone have an opcode / instruction format reference sheet for the Xbox 360 hardware?

Something similar to this, but for the PowerPC Xenon or whatever it is that the 360 uses.

I don't have a jtagged Xbox yet, but I've got a BS in Comp. Sci, I've taken an assembly language class, and I've got some time on my hands so I might be able to help you guys out.
Title: Ping Limit Bypass
Post by: tiderium on May 10, 2010, 03:11:00 AM
QUOTE(warwolf @ May 9 2010, 07:23 AM) View Post

Damn, you need a Jtagged Xbox even for this  ? In that case, I'm droppin the idea because not so many ppl have a jtagged xbox.

Umm, as for the structure, I've heard it has some default values, but they are also set in the game code, so changing it here wouldn't be a good idea, unless the game developers were too lazy to put their own values.

BTW, here you can find most of the instructions, but I find them a bit harder than the Intel ones.


Don't do that, we need people to keep the scene alive and moving forward. I'm sure people are still trying to figure out how 8995 upwards can be jtagged, which would blow open the whole scene.


I have played someone in Germany at COD, and I'm in Scotland, over XLink Kai, so it does work; just need to find that pesky ping limit and break it.
Title: Ping Limit Bypass
Post by: warwolf on May 10, 2010, 09:08:00 AM
I'm not dropping the "try to increase the ping limit" idea, I'm just dropping the "try to increase the ping limit by modifying the NAND" idea. There's the "try to increase the ping limit by modifying packets" idea also, which would be more accessible to everyone, but harder to do.
Title: Ping Limit Bypass
Post by: Garzahd on May 10, 2010, 11:05:00 AM
It might be a good idea to keep exploring the NAND, I'm not exactly sure what information is kept in there but if we can find the portion of code that encrypts the packets it would greatly aid us.
Title: Ping Limit Bypass
Post by: warwolf on May 10, 2010, 12:43:00 PM
Damn, my IDA is acting up... I can't open the xex for some reason I can't understand, but if you look at page 6, I posted some function names I found while browsing the xam.xex file, and there were some more about encryption, but I can't make anything out of them because I find PPC instructions a bit weird.
There's also the XNetConnect function which I read about in the XDK Documentation, and I remember seeing it in the xam.xex also.

XNetConnect

Establishes a secure connection with a specified Internet address (in_addr).

INT XNetConnect(
  const IN_ADDR ina
);

Returns zero if successful, an error code otherwise.

If the in_addr specified in ina is invalid, the function returns WSAEINVAL. For a valid in_addr that is in the PENDING or COMPLETED states, the function does nothing and returns zero (but see XNetGetConnectStatus). For an in_addr to an online server with which a security connection has been lost, the function will reinitiate the security connection and return zero. For an in_addr to an Xbox 360 peer with which a security connection has been lost, the function does not reinitiate a connection, and instead returns WSAEINVAL.

Secure connections are normally automatically created in the background the first time a packet is sent to a valid in_addr. A title can call XNetConnect to explicitly start that process before the first packet is sent, initiating the NAT traversal and key exchange required to establish a secure connection. Once a security connection has been lost, the connection is not automatically reestablished when packets are sent; to reestablish lost security connections, titles must either call XNetConnect (for connections to an online server), or XNetXnAddrToInAddr (for connections to another Xbox 360).

A secure connection can be lost when either side of the connection calls XNetUnregisterInAddr or XNetUnregisterKey, or when normal background keep-alive packets are not received for long enough that the connection is deemed broken. XNetGetConnectStatus will return XNET_CONNECT_STATUS_LOST for connections that are in the LOST state.

The process for creating a secure connection and for reestablishing a lost connection depends on the type of connection: Xbox 360-to-Xbox 360 (active), or Xbox 360-to-Xbox 360 (passive).

Xbox 360-to-Xbox 360 (Active Connect)
For a connection from one Xbox 360 to another Xbox 360, the title gets the in_addr to the other Xbox 360 by calling XNetXnAddrToInAddr. This security association starts out in the IDLE state. The state becomes PENDING if the title calls XNetConnect or if a packet is sent to the given in_addr. In the PENDING state all packets sent on the security association are queued for transmit until the key exchange completes successfully and the state changes to CONNECTED.

Should key exchange fail, or should the security association become disconnected (either because the other side sent an explicit disconnect request with a call to XNetUnregisterInAddr or XNetUnregisterKey, or because a packet has not been received from the other side for a while), the state of the security association becomes LOST. An Xbox 360-to-Xbox 360 in_addr in the LOST state is forever invalid, and any attempt to transmit a packet to that in_addr will return WSAEHOSTUNREACH.

Once a peer-to-peer security association becomes LOST the only way to reestablish connectivity to the peer is for the title to once again call XNetXnAddrToInAddr, which will return a different in_addr to the peer. A packet transmitted over this new security association, or an explicit call to XNetConnect, will initiate key exchange and a new security connection with the peer.

Xbox 360-to-Xbox 360 (Passive Connect)
A passive connection from Xbox 360 to Xbox 360 occurs when a host or peer that has registered a key pair (with a call to XNetRegisterKey) receives an incoming key exchange initiator from another peer. At that point, a security association is passively created. The title, upon receiving a packet from the peer, can determine the XNADDR of the peer by calling XNetInAddrToXnAddr.

The initial state of a passive security association is CONNECTED, because a packet cannot arrive until the security association has been established. The security association becomes LOST if the other side fails to send a packet for a while, or if the other side sends an explicit disconnect request with a call to XNetUnregisterInAddr or XNetUnregisterKey. An Xbox 360-to-Xbox 360 in_addr in the LOST state is forever invalid, and any attempt to transmit a packet to that in_addr will return WSAEHOSTUNREACH.

As for an active connection, once a passive peer-to-peer security association becomes LOST the only way to reestablish connectivity to the peer is for the title to once again call XNetXnAddrToInAddr, which will return a different in_addr to the peer. A packet transmitted over this new security association, or an explicit call to XNetConnect, will initiate key exchange and a new security connection with the peer.

Requirements
Header: Declared in Winsockx.h.

Library: Use Xnet.lib.


I'm sorry for posting this if you already know about it.
Title: Ping Limit Bypass
Post by: codfan21 on May 10, 2010, 06:46:00 PM
My friend recently got a jtag and we've been trying to figure out how to get me to join his lobby since he lives in FL and I live in CT and my ping is around 75-82 and needs to be lower than 30. Thank you so much for tryin to figure out this problem because I for one am extremely grateful!
Title: Ping Limit Bypass
Post by: Garzahd on May 10, 2010, 07:35:00 PM
QUOTE(warwolf @ May 10 2010, 02:43 PM) View Post

Damn, my IDA is acting up... I can't open the xex for some reason I can't understand, but if you look at page 6, I posted some function names I found while browsing the xam.xex file, and there were some more about encryption, but I can't make anything out of them because I find PPC instructions a bit weird.
There's also the XNetConnect function which I read about in the XDK Documentation, and I remember seeing it in the xam.xex also.

*snip*

I'm sorry for posting this if you already know about it.


No, I have not seen this before.  Where did you get this documentation?
Title: Ping Limit Bypass
Post by: warwolf on May 10, 2010, 11:58:00 PM
It's the documentation from the Xbox SDK.
I uploaded it here.
Password: forums.xbox-scene.com
Title: Ping Limit Bypass
Post by: Garzahd on May 11, 2010, 09:31:00 AM
Excellent, thanks.
Title: Ping Limit Bypass
Post by: kevinlekiller on May 11, 2010, 12:44:00 PM
I have a jtag'd 360 if you guys need someone to try to connect to for testing ( if it helps ).
Title: Ping Limit Bypass
Post by: SoLovely on May 12, 2010, 06:13:00 PM
Forgot to post :3

Anyways, yeah, probably doable through nand modification and it'd be good to get that up and running even if everyone can't do it; packet manipulation method will inflict some lag, more so if your computer isn't that fast or you're arp cache poisoning to get packets.

But back to packet manipulation. Happened upon some information as I had said. Outdated but probably still applicable. All I need to COMPLETE the program is two keys. The first key is in the nand, perhaps going by something like LAN key, should be the same across every xbox console, not really sure about length. The second key is on whichever game disk that we decide to use (Oh, and for testing's sake, what game should we use? Any preference? PGR3 is like five bucks used at most gamestops but I think most everyone owns a copy of halo 3).

So...
uh...
yeah...

 Get me those keys and I could probably have a working prototype for people with two nics up in about two weeks with source for improvements seeing as I'm not really a programmer.
Title: Ping Limit Bypass
Post by: kevinlekiller on May 12, 2010, 07:12:00 PM
I've got halo 3 , but can buy pgr3 if testing both would help.
Title: Ping Limit Bypass
Post by: SoLovely on May 12, 2010, 07:24:00 PM
Eh, h3 is good. Doesn't really matter, we'll have to have some kind of list of every key for every game at some point anyways.
Title: Ping Limit Bypass
Post by: warwolf on May 12, 2010, 11:35:00 PM
I don't think the keys are all the same, m8... LAN encryption uses the Diffie-Hellman key exchange, where the key isn't sent through the network; it's calculated given some numbers, and I can't think of a better way of finding the key other than bruteforcing the hell out of it, by giving it values from 1 to p (which is pretty big), or you can think about it a little more and see what values it can take and lower the number of options, but I think bruteforcing should only be used in a once-in-a-lifetime experimental use.
Title: Ping Limit Bypass
Post by: SoLovely on May 13, 2010, 06:49:00 AM
Read back a few pages. DH is susceptible to MITM attacks, and there's no way for the xbox to authenticate to another because, on system link, the two consoles are only able to see each other. To counteract this, the xbox generates a key based off of a universal xbox key and a per game title key. Every xbox playing the same game will generate the same symmetric key. This key is used to encrypt and authenticate the DH exchange packets, which makes MITMing, which would otherwise be pretty easy, impossible without knowing those shared keys.
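Added example, written for this edit and not code from any poster in the thread: a Python model of the two things described above, the local MITM bridge from the "Bored User1" post (each computer answers its own console's DH request without forwarding it, then strips, decrypts, re-encrypts and re-hashes traffic in the middle) and the authenticated exchange SoLovely describes in the post just above, where the exchange packet carries an HMAC under a key shared by every console running the same title. Everything concrete here is an assumption for the demo: the DH group is RFC 2409 group 2 rather than whatever the console uses, a SHA-1 counter keystream stands in for DES because the standard library has none, and the LAN key and title key are constructed values combined by a hash that the page never specifies.

```python
"""Model of the bridge/MITM and of an authenticated DH exchange (added example)."""
import hashlib
import hmac
import secrets

# RFC 2409 group 2 (1024-bit MODP). Demo group only; the console's real DH
# parameters are not given anywhere on this page.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
PLEN = (P.bit_length() + 7) // 8


def dh_keypair():
    """Private exponent x and public value g^x mod p."""
    x = secrets.randbelow(P - 2) + 1
    return x, pow(G, x, P)


def dh_derive(priv, peer_pub):
    """Shared secret -> (encryption key, HMAC-SHA1 key). Derivation is an assumption."""
    s = pow(peer_pub, priv, P).to_bytes(PLEN, "big")
    return hashlib.sha1(b"enc" + s).digest(), hashlib.sha1(b"mac" + s).digest()


def _keystream_xor(key, data):
    """Stand-in for DES: SHA-1 counter-mode keystream XOR. Demo only, not a real cipher."""
    out = bytearray()
    for i in range(0, len(data), 20):
        block = hashlib.sha1(key + i.to_bytes(4, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 20], block))
    return bytes(out)


def seal(keys, plaintext):
    """Encrypt, then append HMAC-SHA1 over the ciphertext (a 'regular XSP packet')."""
    enc_key, mac_key = keys
    ct = _keystream_xor(enc_key, plaintext)
    return ct + hmac.new(mac_key, ct, hashlib.sha1).digest()


def open_packet(keys, packet):
    """Verify the HMAC first, then decrypt; rejects anything with a bad tag."""
    enc_key, mac_key = keys
    ct, tag = packet[:-20], packet[-20:]
    if not hmac.compare_digest(hmac.new(mac_key, ct, hashlib.sha1).digest(), tag):
        raise ValueError("bad HMAC")
    return _keystream_xor(enc_key, ct)


def bridge_unauthenticated():
    """The bridge from the 'Bored User1' post: each computer completes DH locally with
    its own console (the request is never forwarded), so the exchange finishes in LAN
    time; data is then re-keyed in the middle. Works because nothing authenticates g^x."""
    x1, gx1 = dh_keypair()          # Xbox1
    b1, gb1 = dh_keypair()          # Computer1, answering Xbox1 as if it were the host
    x2, gx2 = dh_keypair()          # Xbox2
    b2, gb2 = dh_keypair()          # Computer2, talking to Xbox2 as if it were the client
    k_xbox1, k_comp1 = dh_derive(x1, gb1), dh_derive(b1, gx1)   # Xbox1 <-> Computer1
    k_comp2, k_xbox2 = dh_derive(b2, gx2), dh_derive(x2, gb2)   # Computer2 <-> Xbox2
    msg = b"join request from Xbox1"
    on_wire = seal(k_xbox1, msg)
    relayed = seal(k_comp2, open_packet(k_comp1, on_wire))      # strip/decrypt, re-encrypt/re-hash
    return open_packet(k_xbox2, relayed) == msg


def exchange_request(pub, auth_key):
    """Key exchange packet: g^x value plus HMAC-SHA1 under the LAN-key/title-key derived key."""
    body = pub.to_bytes(PLEN, "big")
    return body + hmac.new(auth_key, body, hashlib.sha1).digest()


def accept_exchange(packet, auth_key):
    body, tag = packet[:-20], packet[-20:]
    return hmac.compare_digest(hmac.new(auth_key, body, hashlib.sha1).digest(), tag)


def bridge_authenticated(bridge_knows_keys):
    """With the exchange authenticated as SoLovely describes, the bridge's forged g^x is
    accepted only if it holds the same LAN key and title key the consoles use."""
    lan_key, title_key = b"\x11" * 16, b"\x22" * 16          # constructed values
    console_auth = hashlib.sha1(lan_key + title_key).digest()  # combination is an assumption
    bridge_auth = console_auth if bridge_knows_keys else hashlib.sha1(b"guess").digest()
    _, gb = dh_keypair()
    return accept_exchange(exchange_request(gb, bridge_auth), console_auth)
```

bridge_unauthenticated() returns True: the relayed message arrives intact at Xbox2 even though no key was ever exchanged end to end. bridge_authenticated(False) returns False and bridge_authenticated(True) returns True, which is the whole reason the thread is hunting for the LAN key and the per-title key rather than just splicing the exchange.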
Title: Ping Limit Bypass
Post by: InvidiousDemise on May 14, 2010, 10:40:00 PM
so basically we need to find what mechanism creates these keys and circumvent it?
Title: Ping Limit Bypass
Post by: thesonandheir on May 15, 2010, 04:47:00 AM
QUOTE(SoLovely @ May 15 2010, 06:15 AM) View Post

I'll break it down mad simplified for you.

Xbox sends message to host Xbox. Message contains g^x mod p value for DH and some other information needed for the connection (nonces, addresses, nothing you need to worry about). This packet is authenticated with a key created from another key located locally on the xbox (henceforth LAN key) and a per-game title key. Every xbox game console running the same xbox game will generate the same key.

The host Xbox receives and validates the request packet using the aforementioned key, generates its g^y mod p value and derives the secret key for the session from the DH value sent. It then creates and authenticates its own (similar) response and sends it back to the other Xbox.

The other xbox receives and checks the validity of the response, and then derives the secret key from the DH value sent.

I was going to explain how the attack was going to work, but I believe I wrote all of that on another page and it's pointless to expand upon that area now because all I need is the LAN key and I can finish this whole thing by my lonesome. So, could anyone work on getting me that key?

Please?

:3


Can I just refer you to this thread on XBH?

http://www.xboxhacke...?topic=14581.20


Post by xxANTMANxx
QUOTE

enum IMAGEKEYS {
    ResourceInfo                = 0x000002FF,
    BaseFileFormat              = 0x000003FF,
    BaseReference               = 0x00000405,
    DeltaPatchDescriptor        = 0x000005FF,
    BoundingPath                = 0x000080FF,
    DeviceId                    = 0x00008105,
    OriginalBaseAddress         = 0x00010001,
    EntryPoint                  = 0x00010100,
    ImageBaseAddress            = 0x00010201,
    ImportLibraries             = 0x000103FF,
    ChecksumTimestamp           = 0x00018002,
    EnabledForCallcap           = 0x00018102,
    EnabledForFastcap           = 0x00018200,
    OriginalPEName              = 0x000183FF,
    StaticLibraries             = 0x000200FF,
    TLSInfo                     = 0x00020104,
    DefaultStackSize            = 0x00020200,
    DefaultFilesystemCacheSize  = 0x00020301,
    DefaultHeapSize             = 0x00020401,
    PageHeapSizeAndflags        = 0x00028002,
    SystemFlags                 = 0x00030000,
    ExecutionID                 = 0x00040006,
    ServiceIdList               = 0x000401FF,
    TitleWorkspaceSize          = 0x00040201,
    GameRatings                 = 0x00040310,
    LANKey                      = 0x00040404,
    Xbox360Logo                 = 0x000405FF,
    MultidiscMediaIDs           = 0x000406FF,
    AlternateTitleIDs           = 0x000407FF,
    AdditionalTitleMemory       = 0x00040801,
    ExportsByName               = 0x00E10402
};

struct OptionalHeaderEntry {
    IMAGEKEYS ID;
    DWORD     Data; // Data or Offset to Data
};

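Added example, not from the thread and not xextool's code: a small Python parser that walks a XEX2 optional header table and pulls out the LANKey entry (0x00040404 in the enum above). The layout it assumes is the commonly published one: a 24-byte XEX2 header (magic, module flags, PE data offset, reserved, security info offset, entry count) followed by big-endian (key, value) pairs, where the low byte of the key gives the size of the referenced data in dwords, 0x00/0x01 meaning the value is stored in the table itself and 0xFF meaning a length-prefixed blob. Those encoding rules and the sample image built in the block are assumptions for the demo, not verified against a real title.

```python
"""Locate the per-title LANKey in a XEX2 optional header table (added example)."""
import struct

# Key IDs taken from the IMAGEKEYS enum posted above
ENTRY_POINT = 0x00010100
LANKEY = 0x00040404

XEX2_HEADER_LEN = 24  # assumption: "XEX2" magic plus five big-endian dwords


def parse_optional_headers(xex):
    """Return {key: value-or-bytes} for every optional header entry in the image."""
    if xex[:4] != b"XEX2":
        raise ValueError("not a XEX2 image")
    count = struct.unpack_from(">I", xex, 20)[0]
    entries = {}
    for i in range(count):
        key, value = struct.unpack_from(">II", xex, XEX2_HEADER_LEN + 8 * i)
        size_dwords = key & 0xFF
        if size_dwords <= 0x01:
            # Plain dword keys in the enum (EntryPoint, ImageBaseAddress, ...) end in
            # 00 or 01: the value sits in the table itself (assumption).
            entries[key] = value
        elif size_dwords == 0xFF:
            # Variable-length blob; first dword is its length including the prefix (assumption).
            length = struct.unpack_from(">I", xex, value)[0]
            entries[key] = xex[value + 4:value + length]
        else:
            end = value + 4 * size_dwords
            if end > len(xex):
                raise ValueError("optional header 0x%08X points past end of image" % key)
            entries[key] = xex[value:end]
    return entries


def lan_key(xex):
    """The LANKey blob, or None if the title carries no such header."""
    key = parse_optional_headers(xex).get(LANKEY)
    # 0x...04 = four dwords, so a well-formed entry is exactly 16 bytes
    if key is not None and len(key) != 16:
        raise ValueError("LANKey entry is %d bytes, expected 16" % len(key))
    return key


def build_sample_xex(lan_key_bytes):
    """Constructed minimal XEX2 image for the demo; not a real title."""
    headers = [(ENTRY_POINT, 0x82000000, None), (LANKEY, None, lan_key_bytes)]
    table_end = XEX2_HEADER_LEN + 8 * len(headers)
    table, blob = b"", b""
    for key, inline, data in headers:
        if data is None:
            table += struct.pack(">II", key, inline)
        else:
            table += struct.pack(">II", key, table_end + len(blob))
            blob += data
    # module flags, PE data offset, reserved, security info offset, header count
    fixed = struct.pack(">IIIII", 0, table_end + len(blob), 0, 0, len(headers))
    return b"XEX2" + fixed + table + blob
```

Usage: lan_key(open("default.xex", "rb").read()) on a decrypted, decompressed xex. On a retail image the file is still encrypted and compressed, so the table will not be readable until xextool or similar has unpacked it; the parser only handles the plain header layout.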
Title: Ping Limit Bypass
Post by: SoLovely on May 15, 2010, 07:50:00 PM
Sorry about being so lazy guys. I'll get started on making the program; even without the needed keys, I have enough to get well over ninety percent of it done, and hey, APs are done with, so I have about four periods a day to work on it on paper.

@kevin: Nope, I'm actually good at this point. I really do appreciate the enthusiasm though

@thesonandheir: I don't really know what all of that means. I started this project (well, a general online manipulation project) about a year back with absolutely no knowledge on the subject, and I've just read up on C++ over spring break, so not very good on the programming side of things. But Anthony said that those are optional headers for xex files, so maybe that's the per-title LAN key?
Title: Ping Limit Bypass
Post by: twinillusion on May 15, 2010, 08:04:00 PM
QUOTE(SoLovely @ May 15 2010, 09:50 PM) View Post

Sorry about being so lazy guys. I'll get started on making the program; even without the needed keys, I have enough to get well over ninety percent of it done, and hey, APs are done with, so I have about four periods a day to work on it on paper.

@kevin: Nope, I'm actually good at this point. I really do appreciate the enthusiasm though

@thesonandheir: I don't really know what all of that means. I started this project (well, a general online manipulation project) about a year back with absolutely no knowledge on the subject, and I've just read up on C++ over spring break, so not very good on the programming side of things. But Anthony said that those are optional headers for xex files, so maybe that's the per-title LAN key?



So I spent today learning about XKai and LANing Xboxes online and whatnot and ran into the 30 ms problem, and then came here to read the 8 pages before us. I created an account on here just to say thanks, and I'm looking forward to seeing the end result of your endeavor.
Title: Ping Limit Bypass
Post by: twinillusion on May 19, 2010, 04:29:00 PM
SoLovely,

You still working on this?  Any way I can help?
Title: Ping Limit Bypass
Post by: theninjaway on May 19, 2010, 08:59:00 PM
You guys are moving along nicely, you're doing a good job, keep it up!
Title: Ping Limit Bypass
Post by: BrooksyX on May 19, 2010, 11:36:00 PM
QUOTE(theninjaway @ May 19 2010, 07:59 PM) View Post

You guys are moving along nicely, you're doing a good job, keep it up!


Yeah this is some interesting stuff. Looking forward to see how this project turns out.
Title: Ping Limit Bypass
Post by: ssneeky on May 20, 2010, 02:25:00 PM
umm xex tool should show you the LAN key for each title
Title: Ping Limit Bypass
Post by: SoLovely on May 21, 2010, 03:34:00 PM
Checking in.

Right now I'm making a sort of... well, dichotomous key I guess for the packets, based on the Netmon parser that comes with releases of the 360 SDK and the packet layouts given in the original Xbox SDK. Essentially, this breaks down packets and decides what to do with them, discerning between the actions to execute on an exchange packet versus a basic UDP packet. Simple as it sounds really, but it kind of required some planning to get started right. I need to get everything ready for the final product now, which I really should have been doing months ago since I've known most of this part of the program for ages. It's kind of up to me to get this done at this point. And we'll see if my hypothesis on the keys is right or wrong (and, if it's wrong, we can still reuse most of the program anyway).

Still need that console key though. I found this on XH, and I guess what I'm looking for would probably be in the KV, one of the three keys common to all boxes? I'm really terrible at any inside-of-the-Xbox stuff; if I knew PPC assembly, I could have just reverse engineered the key exchange process without doing tons of abstract research and speculation. Thanks for your support and any help guys. Off to work on the program; I'll be back with any progress, and feel free to ask questions about anything.
Title: Ping Limit Bypass
Post by: codfan21 on May 21, 2010, 05:49:00 PM
Just wanna say thanks, Lovely, for working on this man. Would be so awesome if you found out how to bypass it!
Title: Ping Limit Bypass
Post by: Michael_T on May 22, 2010, 02:26:00 PM
Did anyone see this YouTube video?

They bypassed the ping limit with a .dll for Hamachi.
Maybe this is something we can do with a JTAG Xbox 360?
Title: Ping Limit Bypass
Post by: twinillusion on May 22, 2010, 02:31:00 PM
QUOTE(Michael_T @ May 22 2010, 04:26 PM)

Did anyone see this YouTube video?

They bypassed the ping limit with a .dll for Hamachi.
Maybe this is something we can do with a JTAG Xbox 360?



That's the PC version of GTA 4.
Title: Ping Limit Bypass
Post by: danked on May 22, 2010, 04:28:00 PM
Maybe he meant this one?

http://www.youtube.com/watch?v=ZSjpz44bi6I...feature=related

But again, that may still be the PC version.

This post has been edited by danked: May 22 2010, 11:48 PM
Title: Ping Limit Bypass
Post by: Michael_T on May 22, 2010, 05:36:00 PM
QUOTE(twinillusion @ May 22 2010, 10:31 PM)

That's the PC version of GTA 4.


I know, but making a .dll file that can bypass the ping limit.
Title: Ping Limit Bypass
Post by: danked on May 22, 2010, 06:52:00 PM
http://teknogods.com....php?f=11&t=272

It is possible they could help.
Title: Ping Limit Bypass
Post by: Kaonashi on May 26, 2010, 10:25:00 AM
Hello there. I've just registered to say thanks to all the people that are working to bypass this limit, as this could really get my console back into use, since offline play has become boring after some time.

Is there any news about the working status from SoLovely?


And I have a question that could be really stupid, but I'm no programmer and know nothing about security and all the other stuff around this issue, so sorry for the question.

If I'm understanding right what is going on here, to bypass the ping limit it will be necessary to break the security of the Xbox net traffic. Doing this, what's the chance of understanding the information exchanged between the Live server and the Xbox, which could be used to create a Live emulator? I know this is an old topic, but now it looks like there is some chance to do it, as decrypting Xbox packets is going to be done...
With a Live emulator and a gateway to redirect the Xbox to the PC running it, there would be no need to use a MITM anymore, as the console would allow online play without the ping limitation, thinking that it is really connected to a Live server...

Anyway, sorry if this is a stupid question, and for my really bad English...

Thanks again, and keep up the great work!
Title: Ping Limit Bypass
Post by: warwolf on May 26, 2010, 02:29:00 PM
The Xbox Live service uses a different encryption method and different protocols than the System Link service, thus making the communication between 2 connected consoles an almost totally different thing than the communication between a console and Live, and the thing the guys are working on is pretty hard to start with.
Title: Ping Limit Bypass
Post by: SoLovely on May 26, 2010, 02:55:00 PM
Sorry, last week of senior year, somewhat preoccupied with having fun at the moment, but I'll pick up work again shortly.

As for the private Live server thing, apart from being very complex to implement (you'd have to run a KDC that knows every console's private Live key and every account's private key, a very complex SG, all of the service servers for specific games and matchmaking and state data and friends and statistics + much more), illegal (I know Blizzard has won court cases against people running private servers and I wouldn't dare tempt MS) and requiring your own KV to even play on, I don't plan on releasing anything Live related any time soon, for the sake of the sanctity of Xbox Live. Sorry. Too many people looking for a way to exploit.
Title: Ping Limit Bypass
Post by: theninjaway on June 08, 2010, 10:18:00 PM
Any progress guys?
Title: Ping Limit Bypass
Post by: warwolf on June 18, 2010, 11:37:00 AM
Ok...I'm finally done with my exams. If there's anything on the programming side that I can help with, pls let me know. I don't have that much exp in networking, but if you give me some leads, I'll figure it out.
Title: Ping Limit Bypass
Post by: thesonandheir on June 20, 2010, 03:07:00 PM
QUOTE(warwolf @ Jun 18 2010, 06:37 PM)

Ok...I'm finally done with my exams. If there's anything on the programming side that I can help with, pls let me know. I don't have that much exp in networking, but if you give me some leads, I'll figure it out.



Basically, all the juicy stuff is contained in xam.xex. MS wanted to make the networking for the 360 safe and secure, so instead of having numerous devs create their own networking stuff they did it all for them. The game xexes then call into it if they use system link.

This would be excellent for the scene if pulled off.

Maybe these guys could help?

http://xedev.xbins.o...p...p;t=11&p=18
Title: Ping Limit Bypass
Post by: vitorbiouerj on June 29, 2010, 04:53:00 PM
Great news for those who have a JTAGged Xbox.
BTW, does anyone know how this patch works? Or have the source code? Maybe, by understanding how it works, it will be possible to make some kind of software, or a patch to be applied to the game disc, for anyone to play online off Live.

Sorry for my bad English (I'm Brazilian).
Title: Ping Limit Bypass
Post by: vitorbiouerj on July 10, 2010, 05:07:00 PM
Any news for people like me, who are banned and have kernel 8XXX or later?
Title: Ping Limit Bypass
Post by: vitorbiouerj on July 20, 2010, 12:00:00 PM
Does no one know how this really works? I know that it removes the ping check from the client side, but I wonder how it works, to get at least some ideas for making an app, to run on a PC, to bypass this limit... I downloaded the patch, but I don't know the program to open it; can anyone help me?

Any other ideas for this problem? I really don't wanna see this topic dead...
Title: Ping Limit Bypass
Post by: soulwarrior on July 20, 2010, 03:05:00 PM
QUOTE(vitorbiouerj @ Jul 20 2010, 02:00 PM)

Does no one know how this really works? I know that it removes the ping check from the client side, but I wonder how it works, to get at least some ideas for making an app, to run on a PC, to bypass this limit... I downloaded the patch, but I don't know the program to open it; can anyone help me?

Any other ideas for this problem? I really don't wanna see this topic dead...


1. Considering the ping limit is built into the 360, a PC program will not be able to do anything about it (hence why the patch goes onto the 360 and is not simply a program on the PC).
2. If any program was able to run on non-JTAGged/non-dev kit 360s it would be front page news.
3. Once you updated, you've screwed yourself over. It sucks, but that's your reality unfortunately.
4. Get a JTAGgable system and JTAG it yourself and/or have someone JTAG a system for you and be done with it.
Title: Ping Limit Bypass
Post by: vitorbiouerj on July 20, 2010, 10:29:00 PM
1- Actually, in theory, it's possible to make a man-in-the-middle attack to bypass this limit; it isn't easy, but it is one of the ideas.
2- People said it's nearly impossible to hack 1024-bit encryption in OpenSSL, but in May an article produced by some MIT students demonstrated this was wrong. They underclocked the server, generated a minimum of corrupt bits in the private key, and after 100h they hacked the key. They also explain this method works on EVERY public/private key encryption system, so it isn't impossible either, just very hard to get the M$ private key... I only agree with you on the question of the front page news...
3- Yes, I know I'm stupid for updating my system, just like a thousand others. I'm just trying to get the knowledge to undo this, and maybe work with some friends (who also have updated their consoles) to resolve at least this problem... We don't wanna run emulators or other things, just play online without Live...
4- In my country, this console is very expensive; in a store they sell for about R$800-900 for the old one (Arcade), and R$1200-1500 for the Slim. And the majority of the population earns something between R$500-2000/month. And a JTAG console sells for the same price as the Slim version, and they are rare AND I can't find even one with a second NAND for running FreeBoot... And it was more difficult to find someone capable of JTAGging than to find a JTAG console for sale. And recently I had to buy another console, because my old one fried, and it came from the store with kernel 8499 and, in the internal memory, the update for 9199... And talking with the vendors, no one sells the console with dash 7XXX, or even one console produced before 06/2009.

5- Knowing how this works, it's easier to understand how/what:
     a) an Xbox finds another on the intranet;
     b) the Xbox makes the connection;
     c) the connection stays alive;
     d) are the elements contained in the key exchange, and their functions.

6- I have a strange sensation that you think I'm crying like a little child about my non-JTAGgable Xbox, and how I wanna play online, but I'm not. I'm just trying to find help/ideas/information to at least try something, and make something useful for the growing number of players unable to play on Live OR without a JTAGgable console AND without the knowledge or the capacity to do something about it...
Title: Ping Limit Bypass
Post by: soulwarrior on July 20, 2010, 11:12:00 PM
QUOTE(vitorbiouerj @ Jul 21 2010, 12:29 AM)

1- Actually, in theory, it's possible to make a man-in-the-middle attack to bypass this limit; it isn't easy, but it is one of the ideas.
2- People said it's nearly impossible to hack 1024-bit encryption in OpenSSL, but in May an article produced by some MIT students demonstrated this was wrong. They underclocked the server, generated a minimum of corrupt bits in the private key, and after 100h they hacked the key. They also explain this method works on EVERY public/private key encryption system, so it isn't impossible either, just very hard to get the M$ private key... I only agree with you on the question of the front page news...
3- Yes, I know I'm stupid for updating my system, just like a thousand others. I'm just trying to get the knowledge to undo this, and maybe work with some friends (who also have updated their consoles) to resolve at least this problem... We don't wanna run emulators or other things, just play online without Live...
4- In my country, this console is very expensive; in a store they sell for about R$800-900 for the old one (Arcade), and R$1200-1500 for the Slim. And the majority of the population earns something between R$500-2000/month. And a JTAG console sells for the same price as the Slim version, and they are rare AND I can't find even one with a second NAND for running FreeBoot... And it was more difficult to find someone capable of JTAGging than to find a JTAG console for sale. And recently I had to buy another console, because my old one fried, and it came from the store with kernel 8499 and, in the internal memory, the update for 9199... And talking with the vendors, no one sells the console with dash 7XXX, or even one console produced before 06/2009.

5- Knowing how this works, it's easier to understand how/what:
     a) an Xbox finds another on the intranet;
     b) the Xbox makes the connection;
     c) the connection stays alive;
     d) are the elements contained in the key exchange, and their functions.

6- I have a strange sensation that you think I'm crying like a little child about my non-JTAGgable Xbox, and how I wanna play online, but I'm not. I'm just trying to find help/ideas/information to at least try something, and make something useful for the growing number of players unable to play on Live OR without a JTAGgable console AND without the knowledge or the capacity to do something about it...


1. So what's your theory of how an unmodded 360 would be able to communicate with a PC program that can manipulate the 360's ping function (without breaking signatures on the files that would be manipulated on the 360) with no type of modification? If this was ever possible, don't you think someone would have mentioned it by now?
2. Even if someone found a way to get CPU keys from updated systems (which hackers that are involved with the 360 say can't be done), how do you suppose you get around the fact that efuses have been physically destroyed and there is no realistic way of accessing/repairing them?
3. You don't need a JTAGged system/ping patch to host a game on XLink.
4. That's unfortunate.
5. I'm not calling you a child or anything, I'm just saying you are waiting on a pipe dream. There's been 1 hack/exploit discovered in all of this time and now all ways to access that exploit have been closed.
6. Many people on many threads post the same "it must be possible" type stuff and it just gets a little old. If the Xbox gods find a way to do the type of thing you are asking, they will reveal how to do it.

PS. A word of advice: don't hijack threads asking how to get things to work on your non-JTAGged/non-dev kit 360 when the post is clearly aimed at those with JTAGged/dev kit 360s. It's just a waste of thread space.
Title: Ping Limit Bypass
Post by: vitorbiouerj on July 21, 2010, 08:28:00 AM
1- It was commented on earlier in this topic. And Google man-in-the-middle attack. And no, the package must be decrypted; something like this may occur:

system link 1 ==> encrypted package ==> pc ==> decrypted and ping limit removed ==> package re-encrypted ==> system link 2
system link 1 <== fake package <== pc <== ... <== ... <== system link 2

2- I'm not talking about the CPU keys, I'm talking about the M$-assigned key, so no efuses are involved; that would make any homebrew work on any console (but I don't intend to retrieve this, it was just an example). But I believe the CPU key is used in the encryption of the package; knowing it, it will be less difficult to decrypt the package.

3- I know this, but I need to have a very low ping to join games hosted by others, and vice versa (except for those who have JTAGged consoles).

4- No, it's very unfortunate.

5- Sorry for my bad interpretation. Yes, I know this fact, and it is because of it that I ask questions about how exactly the system link works, and try to find a way to forge the ping on a PC. I don't wanna find a second exploit in the Xbox, just make an "exploit" in the weakest part of the system link, the network.

6- I know a lot of people say "it's possible", but a lot of them don't do anything about their questions. I'm not one of them. I really wanna do something. That's why I keep asking questions about how the package used in system link is made, and how it works on the non-dev/JTAG Xbox...

7- This topic was started before the patch, to try to find a way to bypass the ping limit, AND understanding how this patch works is a way to reach the objective of this topic: bypass the ping limit, with or without JTAG consoles. So I don't think it's time and space used for nothing...