Post by: Chicken Scratch Boy on July 20, 2004, 11:06:00 PM
Security: The key to your stupid questions Read up.
The Xbox a whole slew of security features out to get you. Learn these, and you will be able to out smart the box or it wont be able to out smart you at least.
Signatures: Why you cant run homebrew code without kernel modifications.
Every xbe in any xbox game or dash files on the hard drive is signed with the MS Private Key. Every xbe has its own signature, (as long as they are different xbes) since the signature is essentially a checksum of the xbe. If you change a single bit in the xbe, the signature will be invalid. If you attempt to run unsigned code (any xbe without a valid signature) you will most likely get an error 21 screen.
Media Checks: Why you cant burn a game and just run it.
A media check is a small flag in the xbe header that says what types of media the xbe can be run on. If you want to run it on other media types, you need to patch that part of the header, invalidating the signature.
Hard Drive Locking: Why you cant drop just any drive in that box.
The xbox has a small chip called the EEPROM this chip holds 256 bytes which includes important non-box specific information. This includes the xbox live key, xbox region and, most importantly, the HDD unique master key (32 characters). Upon booting, this key goes through a mathematical equation which includes some drive-specific information; the result is the HDD key (40 characters). This key is used to unlock the hard drive, allowing the information to be accessed. If the drive cannot be unlocked you will get error 6(for wrong key) and 5 (for not locked).
In-Depth: Check you the Xbox-Linux site for more technical info!
New Developments in 5713 Kernel Why kernels past 5713 are a bit different.
In the 5713 kernel, a few new security features came out that threw a wrench in the softmodding works. Basicly, if a xbe has a title ID equal to 0xFFFE0000(the MS Dash title ID), and a date before Aug 5 2003, he kernal will not allow the xbe to load. This basicly means thatthe 4920 dash cannot be launched with kernels after 5713.
Exploits: The key to softmodding.
How they work: The basics of exploits.
Merriam-Webster defines Exploit as a notable or heroic act.
Well frankly that doesnt make any sense at all! So let me define it for you.
An exploit is a hole or vulnerability in a piece of software that can be taken advantage of. In the case of softmodding, this hole is used to patch the kernel in memory, usually the portion which contains the public key, replacing it with a public key for which we can easily create a private key to tack onto the an xbe, allowing it to be launched, circumventing all of the security features mentioned in the Security section.
What they are: A rundown of the exploits out there.
Audio exploit: The audio exploit takes advantage a hole in the cd ripping area of the MS Dashboard.
The exploit consists of a st.db file that replaces the one currently used by the MS dash. The exploit requires the user to attempt to rip a cd in order launch the exploit. Newer swapless versions of the exploit do not require a cd to be inserted to the drive in order to execute the exploit.
Keys Used:
Audio or Habibi
Only for MS Dash version 4920!
Font exploit: The font exploit manipulates vulnerability in the MS Dashboard on boot.
The exploit consists of 2 font files (bert.xtf and ernie.xtf) that replace the stock fonts (xbox.xtf and xbox book.xtf). There are many version of this exploit including: bigfonts, bert and ernie reloaded, and bert is cheating on ernie. The exploit activates on boot and requires no monitoring or user input to execute.
Note: In order to launch the MS Dash from any font exploit, you need to have a second hex edited copy that changes the font references to point to the original fonts reside.
Warning: Running this antiquated exploit puts you at risk for a clock loop.
Keys used:
Font
Only for MS Dash version 4920!
Mechfonts: An offshoot of the font exploit.
These fonts load a edited version of the MS Dash into memory which will launch an xbe when the (renamed) Live tab his launched. These fonts were originally made for launching Linux only but they were hacked to work with any xbe. Some people say these fonts are rid of the clock loop, but this may not be the truth, since there is no solid proof to this.
Keys Used:
Audio or Habibi
Only for MS Dash version 4920!
Savegame exploit: Uses a hole in various games.
The savegame exploit takes use of flaws in the savegame loading areas in 3 games (so far) Splinter Cell, Mech Assault, and 007: Agent Under Fire. The savegame exploits are a very important part of softmodding, since they can be loaded on through a memory card, allowing you to avoid hotswapping, which can be a bit dangerous.
Keys Used:
Habibi
UDE (Ultimate Dashboard Exploit): Exploit that launches on boot with no risk of clock loop.
This exploit uses a hole in the 4920 dashs update.xbe. Consists of a single font named bert_ate_ernie.xtf.
Keys Used:
Habibi
UDE2 (Ultimate Dashboard Exploit 2):
Exploit that launches on boot with no risk of clock loop.
Uses a NFL Fever 2003 update.xbe to side step the added security in kernels past 5713!
Keys Used:
Habibi
Only for NTSC boxes! (for now)
EEE (Easter Egg Exploit):
An Audio exploit spin off-ish exploit.
Compatible with kernels past 5713. Uses a hacked st.db like the audio exploit, but requires the user to type out <<Eggsßox>> with the MS Dashs on screen keyboard.
DDE (Double Dash Exploit):
Replace the live tab.
Replace the live tab with a second dash. Previously allowed you to go on live.
Tip: Most, if not all, exploits have customizable boot paths, allowing you do change the xbe loaded after the exploit is executed. These can easily be found in the hex of the .xft or st.db files.
End notes:
This tutorial is unfinished; I plan on added sections for bios loaders/kernel patchers and smaller sections on dashesand bioses as well as a key terms and definitions area.
I hope this tutorial helps you figure all this softmodding nonsense. Good luck!
Questions? Comments? Compliments? Post!
Complaints? Shove it you know where.
Credits: Since I wrote most of this from memory, using a few release posts for referance...
Me
People who like to make corrections (you know who you are)
Post by: EthanHunt_IMF on July 20, 2004, 10:27:00 PM
they both aren't 6
5 - kernel - HDD not locked (retail bioses require the hd to be locked)
6 - kernel - Cannot unlock HDD
from http://www.xbox-scene.com/articles/errorcodes.php
Edit: Oh yeah... great job!!
This post has been edited by EthanHunt_IMF: Jul 21 2004, 05:28 AM
Post by: chimpanzee on July 20, 2004, 10:50:00 PM
Easter Egg is not an audio exploit, but a font exploit. It is the same as double dash but use a different path to launch the MS signed xbe(usually 4034 dash).
Post by: Chicken Scratch Boy on July 20, 2004, 11:05:00 PM
that is part of the audio stuff?
so audio exploits are font exploits too?
Post by: dabbage on July 21, 2004, 12:34:00 AM
| QUOTE (Chicken Scratch Boy @ Jul 21 2004, 07:09 AM) |
| UDE (Ultimate Dashboard Exploit): Exploit that launches on boot with no risk of clock loop. This exploit uses a hole in the 4920 dashs update.xbe. Consists of a single font named bert_ate_ernie.xtf. |
updatefonts7 has separate bert and ernie font files again, and an optional third font in addition.
nice work!
Post by: adil786 on July 21, 2004, 03:18:00 AM
apart from that, one of the best tuts ive seen!
EDIT: yes, you are cool now..
Post by: ldots on July 21, 2004, 04:43:00 AM
| QUOTE (Chicken Scratch Boy @ Jul 21 2004, 08:02 AM) |
| doesnt it use a ST.DB? that is part of the audio stuff? so audio exploits are font exploits too? |
Doesn't have to be a hacked ST.DB. The <<eggsßox>> text when entered as a soundtrack just trickers the easter egg wich is launching setting_adoc.xip (an xbe). The EEE was just replacing setting_adoc.xip with a font-exploitable dashboard (pre-live dash).
Post by: PedrosPad on July 21, 2004, 04:48:00 AM
| QUOTE (ldots @ Jul 21 2004, 01:40 PM) |
| Doesn't have to be a hacked ST.DB. The <<eggsßox>> text when entered as a soundtrack just trickers the easter egg wich is launching setting_adoc.xip (an xbe). The EEE was just replacing setting_adoc.xip with a font-exploitable dashboard (pre-live dash). |
All true - but then you've got an audio CD in the DVD-tray. devz3ro produced an ST.DB with a track already in it - which means you could pop in a homebrew DVD, and simply to a HDD to HDD track copy to fire the EEE exploit (just like the swapless audio hack).
This post has been edited by PedrosPad: Jul 21 2004, 01:14 PM
Post by: ldots on July 21, 2004, 04:55:00 AM
| QUOTE (PedrosPad @ Jul 21 2004, 01:45 PM) |
| All true - but then you've got an audio CD in the DVD-tray. devz3ero produced an ST.DB with a track already in it - which means you could pop in a homebrew DVD, and simply to a HDD to HDD track copy to fire the EEE exploit (just like the swapless audio hack). |
Exactly.
| QUOTE |
| Doesn't have to be a hacked ST.DB |
Just wanted to make it clear that the EEE is not an audio exploit as such.
Post by: Australian Rat on July 21, 2004, 06:38:00 AM
Hopefully no more n00b questions in the forums
...ah who are we kidding, they're noobs
Post by: Deciphile on July 21, 2004, 06:45:00 AM
Post by: krayzie on July 21, 2004, 07:39:00 AM
| QUOTE |
| Font exploit: The font exploit manipulates vulnerability in the MS Dashboard on boot. The exploit consists of 2 font files (bert.xtf and ernie.xtf) that replace the stock fonts (xbox.xtf and xbox book.xtf). There are many version of this exploit including: bigfonts, bert and ernie reloaded, and bert is cheating on ernie. The exploit activates on boot and requires no monitoring or user input to execute. Note: In order to launch the MS Dash from any font exploit, you need to have a second hex edited copy that changes the font references to point to the original fonts reside. Warning: Running this antiquated exploit puts you at risk for a clock loop. Keys used: Font Only for MS Dash version 4920! |
Don't all these regular fonts work on dashes prior to the 4920 also?
Post by: adil786 on July 21, 2004, 07:41:00 AM
| QUOTE (Deciphile @ Jul 21 2004, 03:42 PM) |
| Uh if you dont ask questions how are you supposed to learn anything. There are new people here that want to do more than just figure out how to play back ups and then never come back to the site again. |
i know what you mean,
the whole idea is to share your thoughts and create better, newer things.
Post by: Deciphile on July 21, 2004, 07:51:00 AM
| QUOTE |
| QUOTE (Deciphile @ Jul 21 2004, 03:42 PM) Uh if you dont ask questions how are you supposed to learn anything. There are new people here that want to do more than just figure out how to play back ups and then never come back to the site again. i know what you mean, the whole idea is to share your thoughts and create better, newer things. |
What I posted ( I think) may have souded a little sour now that I read it, but it was not at all intended that way.
And I agree with adil786. I want to contribute as much as possible and try different things becasue I want to be able to eventually import models and all that stuff into an xbox enviorment to see how they look and react vs a PC enviorment.
I think the guide is a good one and defienently worth the read.
Post by: PedrosPad on July 21, 2004, 09:15:00 AM
| QUOTE (adil786 @ Jul 21 2004, 04:38 PM) |
| the whole idea is to share your thoughts and create better, newer things. |
I think it's fair to that my WIP threads do that
Post by: adil786 on July 21, 2004, 09:36:00 AM
| QUOTE (PedrosPad @ Jul 21 2004, 05:18 PM) |
| I think it's fair to that my WIP threads do that |
no doubt about that.
you and your....rambling threads lol, its funny that they always comes to something good so far lol
Post by: Chicken Scratch Boy on July 21, 2004, 11:04:00 AM
i remember that when i had no idea at all. i wish there was a tutorial that didn't just explained how to do things, but how things work
now i get how EEE works, time to rewrite that...
Post by: YoshiKool on July 21, 2004, 12:53:00 PM
Post by: psm on July 21, 2004, 02:07:00 PM
However, I have a couple of questions:
1. Are their any softmods/exploits that allow me play on live if I end up getting 1.6 version box?
2. Does the EEE allow me to go one live as long as I do not "activate" it?
3. Is the bios written to the Hd, and if so, could I simply buy another hard drive and switch between the two to get onto live?
Post by: Chicken Scratch Boy on July 21, 2004, 02:40:00 PM
@psm in order to get on live, you need to deactivate the exploit and restore it so you can boot to an unmodified dash with no changes in the kernel
to be safe, you can keep your old HDD stock and upgrade to a new one, so you can switch the hdds
Post by: Chicken Scratch Boy on July 21, 2004, 03:13:00 PM