Post by: PedrosPad on July 12, 2004, 07:51:00 AM
so I thought I'd start one of me infamous rambling development threads (I've heard some people like to read them). As always do feel free to join in and post your own thoughts - even if their not workable in themselves, they often inspire other ideas.I've been focusing on finding an exploitable XBE for use as a new K:5713+ compatible UDE bootstrap.
Problem definition:
The existing UDE uses an XBE from the 4920 Dashboard family of XBEs (xodash\update.xbe - in fact).
xbedump reports the header of the update.xbe as:
| CODE |
| Certificate ~~~~~~~~~~~ Size of certificate : 0x000001EC Certificate timestamp : 0x3E306D50 Thu Jan 23 22:31:44 2003 Title ID : 0xFFFE0000 Title name : "Online Updater Application" Alternate title ID's : none Allowed media types : 0x00000001 : XBE_MEDIA_HDD Allowed game regions : 0x7FFFFFFF : XBE_REGION_US_CANADA : XBE_REGION_JAPAN : XBE_REGION_ELSEWHERE |
It's the XBE_MEDIA_HDD that means it can be executed from the hard disk, thus can be used as the bootstrap for UDE.
The problem with the new kernels >=5713 is
| QUOTE (rmenhal @ May 19 2004, 09:17 AM) |
| We know that kernels 5713 or higher won't allow dash downgrades. Actually - while I didn't bother to trace out the logic exactly - there's a new check in 5713's XBE loader. It checks the XBE certificate structure. If the title ID is 0xFFFE0000 (dash's ID), the kernel then checks the time and date field and anything prior to about Aug 5 2003 causes it to bail out. So dash 4920 and prior versions are out. |
So the search is on for an XBE that
- Doesn't check the clock! (we don't want any clock loops back ) - thus excludes all Dashboard XBEs.
- has a title ID equal to 0xFFFE0000, and a date after Aug 5 2003 that is exploitable! (of course all the new Dashboard's support files (such as 5960's xodash\update.xbe) meet this criteria, but these are unlikely to be exploitable (M$ learns from its mistakes) )
- has Allowed media types = XBE_MEDIA_HDD, and a titleID not equal to 0xFFFE0000
So far, the known candidates are:
XTMAXBOX.xbe
plus 2 MA utility XBEs devz3ro spotted in his cache.
Please feel free to post others. The hunt is on.
Post by: PedrosPad on July 12, 2004, 07:52:00 AM
(for completeness) 5960's xodash\update.xbe:
| CODE |
| Certificate ~~~~~~~~~~~ Size of certificate : 0x000001EC Certificate timestamp : 0x409BCB24 Fri May 07 18:45:08 2004 Title ID : 0xFFFE0000 Title name : "Online Updater Application" Alternate title ID's : none Allowed media types : 0x80000001 : XBE_MEDIA_HDD Allowed game regions : 0x7FFFFFFF : XBE_REGION_US_CANADA : XBE_REGION_JAPAN : XBE_REGION_ELSEWHERE |
Title ID = Dashboard families 0xFFFE0000, and date > 05 Aug 2003, so
Allowed media types = XBE_MEDIA_HDD
(but all known holes closed
)XMTAXBOX.xbe:
| CODE |
| Certificate ~~~~~~~~~~~ Size of certificate : 0x000001EC Certificate timestamp : 0x3E67B7E8 Thu Mar 06 21:04:40 2003 Title ID : 0xFFFD0001 Title name : "XMTAXBOX" Alternate title ID's : none Allowed media types : 0x00000001 : XBE_MEDIA_HDD Allowed game regions : 0x80000000 : XBE_REGION_DEBUG |
Date old but Title ID <> to the Dashboard families 0xFFFE0000, so
Allowed media types = XBE_MEDIA_HDD
Allowed game regions = XBE_REGION_DEBUG (Not too promising, but see here)
From MechAssault's downloaded content....
MA's /E/TDATA/4d530017/$u/default.xbe:
Allowed media types = XBE_MEDIA_HDD
Allowed game regions = XBE_REGION_DEBUG
(Not too promising, but see here)From MechAssault's downloaded content....
MA's /E/TDATA/4d530017/$u/default.xbe:
| CODE |
| Certificate ~~~~~~~~~~~ Size of certificate : 0x000001EC Certificate timestamp : 0x3F57CBAA Fri Sep 05 00:32:58 2003 Title ID : 0x4D530017 Title name : "MechAssault" Alternate title ID's : none Allowed media types : 0x00000001 : XBE_MEDIA_HDD Allowed game regions : 0x00000005 : XBE_REGION_US_CANADA : XBE_REGION_ELSEWHERE |
So far, so good
MA's /E/TDATA/4d530017/$u/downloader.xbe:
| CODE |
| Certificate ~~~~~~~~~~~ Size of certificate : 0x000001EC Certificate timestamp : 0x3F57CBB8 Fri Sep 05 00:33:12 2003 Title ID : 0x4D530017 Title name : "Downloader" Alternate title ID's : none Allowed media types : 0x00000001 : XBE_MEDIA_HDD Allowed game regions : 0x00000005 : XBE_REGION_US_CANADA : XBE_REGION_ELSEWHERE |
So far, so good
Post by: adil786 on July 12, 2004, 08:17:00 AM
pity i dont have a 5713+ xbox... only 5101
Post by: Angerwound on July 12, 2004, 11:40:00 AM
EDIT: pedro if you could post the xbedumps of the MA .xbe's. I don't have them readily available atm.
This post has been edited by Angerwound on Jul 12 2004, 06:42 PM
Post by: krayzie on July 12, 2004, 10:43:00 AM
Post by: Angerwound on July 12, 2004, 10:51:00 AM
Post by: ripcurl on July 12, 2004, 11:56:00 AM
| QUOTE (Angerwound @ Jul 12 2004, 06:37 PM) |
| What timestamp is located on the update.xbe that comes with a brand new (5713) box. It would have to have the XBE_MEDIA_HDD flag if it is located within /xodash/. I really need a 5713 box. I might be interested in someone swapping my virgin 1.0 box that I use for LiVE with a 5713.. Offers? EDIT: pedro if you could post the xbedumps of the MA .xbe's. I don't have them readily available atm. |
i have a brand spanking new untouched xbox 5713 which i would trade for a 1.0 anyday!! Lets do it up.
MFG 03-03-2004
k 5713
d 5969..i think
Post by: Flame2k on July 12, 2004, 12:17:00 PM
EDIT: just realised it wud prob have 2 be ms signed....
This post has been edited by Flame2k on Jul 12 2004, 07:18 PM
Post by: Angerwound on July 12, 2004, 12:20:00 PM
| QUOTE (Flame2k @ Jul 12 2004, 03:14 PM) |
| You know the live tab, this might sound abit lame at first cos i dont know anything! lol (and its prob already been suggested). but has anyone thought about hexing xboxdash.xbe or something, so that live tab will execute another xbe? is that possible? EDIT: just realised it wud prob have 2 be ms signed.... |
This in general was the purpose of the double dashboard exploit. Search for the thread somewhere around if you would like to read up on it.
Post by: krayzie on July 12, 2004, 11:28:00 AM
Post by: adil786 on July 12, 2004, 12:38:00 PM
| QUOTE (Flame2k @ Jul 12 2004, 08:14 PM) |
| You know the live tab, this might sound abit lame at first cos i dont know anything! lol (and its prob already been suggested). but has anyone thought about hexing xboxdash.xbe or something, so that live tab will execute another xbe? is that possible? EDIT: just realised it wud prob have 2 be ms signed.... |
yes but not on new kernels, m$ learn from their mistakes.
Post by: mkjones on July 12, 2004, 12:52:00 PM
| QUOTE (krayzie @ Jul 12 2004, 08:28 PM) |
| are xbe files the only type of files that can be exploited? Couldn't there be vulnarubilities (or however you write it) in other type of xbox files? |
You mean like Audio? I too have wonderd, there must be something they missed, this is M$ after all
How about (looks in some xbox folders)
The creditcard files in "\xodash\media\Content" (creditcard.csv) I have no idea how they are used but they are very simple text files:
| QUOTE |
| VISA,0 MASTERCARD,1 AMERICAN_EXPRESS,2 |
Is an example of the content? Maybe some data can be "pushed" into such a file to cause an overflow? This is pure bull im speaking right now but you have to get ideas from somewhere
The same files are used in the Content folders sub folders too? But I have no idea when they are loaded, they are something to do with the Live! Dash but as I have never used it...
May be worth asking the tHc guys? I mean, they have decompiled and recompiled the whole xbox dash and remade it, maybe they saw something??
Another idea? Maybe the screensaver/visualisation file that runs when you play music?? I belive its the right thumbstick press that launches it. tHc has a replacement for it? Just an idea...
Hmm.... One last one before I give up
The WAV files in the Audio directory?? Has anyone looked at modding these? Surely they are not "signed" in anyway, as they are basic WAVs (surprisingly NOT WMAs) again, they are launched when certain buttons are pressed.. If the main "beep" that appers when A is press could be hacked then a single button style exploit could be made up??
I have no idea if these ideas will help, but I remember the old Live! exploit thread was a LOT of brainstorming and that led to something!
See ya.....
Post by: Spectracide on July 12, 2004, 02:18:00 PM
I can't wait to test when something solid comes out.
Post by: Chicken Scratch Boy on July 12, 2004, 03:34:00 PM
unless we can exploit the execution process to make it read an error and load a back up file, which can be changed (or but then we need an exploit able xbe candidate, because the kernal would check the flags still)
Post by: Australian Rat on July 12, 2004, 11:30:00 PM
| QUOTE (Chicken Scratch Boy @ Jul 13 2004, 06:31 AM) |
| maybe the dash has an anti speaker blow out thingy, if we put a really really loud wav in there.... or not? thats the only thig i can think we would be able to do with a wav unless we can exploit the execution process to make it read an error and load a back up file, which can be changed (or but then we need an exploit able xbe candidate, because the kernal would check the flags still) |
I doubt it. If MS didn't put a really loud WAV in there, they certainly wouldn't put in protection to blow out the speakers.
The only thing would be with CDs being copied. But then again, I'm pretty sure all tracks are normalised when ripped.
Post by: PedrosPad on July 13, 2004, 12:36:00 AM
| QUOTE (krayzie @ Jul 12 2004, 08:28 PM) |
| are xbe files the only type of files that can be exploited? Couldn't there be vulnarubilities (or however you write it) in other type of xbox files? |
This is a big question.
Some excellent links to read are Project B (Hacking) Overview and the 6.5MB PDF XBOX Software Hacking (all interesting but page 37 onwards covers Dashboard exploits
).Post by: PedrosPad on July 13, 2004, 12:40:00 AM
| QUOTE (mkjones @ Jul 12 2004, 09:52 PM) |
| You mean like Audio? How about (looks in some xbox folders) The creditcard files in "\xodash\media\Content" (creditcard.csv) The WAV files in the Audio directory?? Has anyone looked at modding these? I have no idea if these ideas will help, but I remember the old Live! exploit thread was a LOT of brainstorming and that led to something! |
Indeed it did
This is just the brainstorming I'm hoping for
Post by: adil786 on July 13, 2004, 12:59:00 AM
| QUOTE (PedrosPad @ Jul 13 2004, 09:36 AM) |
| This is a big question. Some excellent links to read are Project B (Hacking) Overview and the 6.5MB PDF XBOX Software Hacking (all interesting but page 37 onwards covers Dashboard exploits ). |
i highly reccomend those 2 links, excellent pdf, well done xbox-linux, very very nice and intresting!
they should update it with ude etc etc aswell..
regards
Post by: mkjones on July 13, 2004, 01:36:00 AM
| QUOTE (PedrosPad @ Jul 13 2004, 09:40 AM) |
| Heavily snipped quote: Indeed it did This is just the brainstorming I'm hoping for |
Thats good then Ped.. at least it wasnt a waste of my time
Im really interested in finding a new exploit in the dash, I mean were talking M$ here.. I belive the chances are high..
Post by: PedrosPad on July 13, 2004, 02:33:00 AM
| QUOTE (PedrosPad @ Jul 12 2004, 04:52 PM) |
| From MechAssault's downloaded content.... |
This downloaded content sounds like it could be good place to search for suitable UDE/5713 XBE's (those with the XBE_MEDIA_HDD flag
).What we need is a homebrew utility XBE that'll search the XBOX hard disk drives, walking the directory trees, looking for any XBE's that meet the necessary criteria to be used an an UDE bootstrap, and drop their paths and filenames into a log file on C:\ (for FTPing off
).That sounds like it could speed up the search. A nice little project, should anyone wish to contribute
. (I'll have a go at putting something together myself if no one beats me to it and time allows).
Post by: Australian Rat on July 13, 2004, 04:47:00 AM
| QUOTE (mkjones @ Jul 13 2004, 06:36 PM) |
| Thats good then Ped.. at least it wasnt a waste of my time Im really interested in finding a new exploit in the dash, I mean were talking M$ here.. I belive the chances are high.. |
Yeah there will always be flaws in m$ code
Just a matter of finding them. I mean, the UDE was available essentially as early as many of the original fonts. It was just never explored before.Wonder what else is lieing around we haven't prodded yet?
Post by: adil786 on July 13, 2004, 04:48:00 AM
| QUOTE (PedrosPad @ Jul 13 2004, 11:33 AM) |
| This downloaded content sounds like it could be good place to search for suitable UDE/5713 XBE's (those with the XBE_MEDIA_HDD flag ). What we need is a homebrew utility XBE that'll search the XBOX hard disk drives, walking the directory trees, looking for any XBE's that meet the necessary criteria to be used an an UDE bootstrap, and drop their paths and filenames into a log file on C:\ (for FTPing off ).That sounds like it could speed up the search. A nice little project, should anyone wish to contribute . (I'll have a go at putting something together myself if no one beats me to it and time allows). |
nice, i think ldots could make this kinda program cause he's good at these things...
Post by: mkjones on July 13, 2004, 05:14:00 AM
| QUOTE (adil786 @ Jul 13 2004, 01:48 PM) |
| nice, i think ldots could make this kinda program cause he's good at these things... |
True, maybe a little linux distro could do this, but dont pressure the penguin!
Im sure hes busy enuf
I mean, he did turn down the Mod possition for the same reasons as me, no bloody time these days
I would love to find some time just to PLAY a little more on my xbox not just develop new softmod tools for it
Post by: ldots on July 13, 2004, 05:24:00 AM
I dont have a 5713, but I guess a freshly Live upgraded xbox would do?
Would every file need searching or could the file extension be narrowed down? (xbe, xip,...?).
Post by: adil786 on July 13, 2004, 05:45:00 AM
| QUOTE (ldots @ Jul 13 2004, 02:24 PM) |
| True, I'm a little short on time at the moment, but I think I could easily cook up a a little package to do this search. It would be linux based of course I dont have a 5713, but I guess a freshly Live upgraded xbox would do? Would every file need searching or could the file extension be narrowed down? (xbe, xip,...?). |
i would say that all files should be searched, just to add the chance of finding a vunerability...
Post by: PedrosPad on July 13, 2004, 05:58:00 AM
| QUOTE (ldots @ Jul 13 2004, 02:24 PM) |
| very file need searching or could the file extension be narrowed down? (xbe, xip,...?). |
I was thinking of simply scanning for *.xbe, and checking the media type for XBE_MEDIA_HDD
, but I guess crafty software houses may have renamed their XBEs...
Post by: mkjones on July 13, 2004, 06:14:00 AM
| QUOTE (PedrosPad @ Jul 13 2004, 02:58 PM) |
| I was thinking of simply scanning for *.xbe, and checking the media type for XBE_MEDIA_HDD , but I guess crafty software houses may have renamed their XBEs... |
Hmm, do you think there are any games around or maybe even game demos (lots of MS ones on certain CDs like Halo/Links2004) that use the exploitable fonts?
I mean, you would need an origional game CD, as before but has anyone tried ever just copying a game default.xbe and folders to C and renaming the file to xboxdash?
Would it load? Or does DVD2Xbox and other such tools patch the XBE_MEDIA string??
Post by: PedrosPad on July 13, 2004, 06:31:00 AM
| QUOTE (mkjones @ Jul 13 2004, 03:14 PM) |
| Or does DVD2Xbox and other such tools patch the XBE_MEDIA string?? |
Yes, it does (breaking the signature). XBEs from DVDs have the XBE_MEDIA_XBOX_DVD media type, and wouldn't be able to be launched from the HDD of an XBOX with a retail BIOS
.I've every OXM cover disk - just in case a demo XBE has both MEDIA types set
. (and I'll search all again if Ldots produces an XBE searcher )Please, do keep on thinking...
Post by: PedrosPad on July 13, 2004, 06:45:00 AM
| QUOTE (PedrosPad @ Jul 13 2004, 03:31 PM) |
| I've every OXM cover disk - just in case a demo XBE has both MEDIA types set . |
Which reminds me, Ldots, it'll be the lower significant bit of the media type flag that needs to be checked - not simply the whole flag (XBE media flag ANDed with 0x00000001). It's possible to set the media flag to support multiple medias. The LSB is the HDD bit.
Post by: ldots on July 13, 2004, 07:11:00 AM
Post by: PedrosPad on July 13, 2004, 07:28:00 AM
| QUOTE (ldots @ Jul 13 2004, 04:11 PM) |
| I simply thought of doing a simple linux script using xbedump to search all xbe's for the XBE_MEDIA_HDD flag. Would still be automatic - as in run the default.xbe (bootloader) and afterwards ftp out the log-file. |
That'd be ace.
Post by: PedrosPad on July 13, 2004, 07:35:00 AM
Having backup up everything and taken every precaution, I have actually executed XTMAXBOX.xbe on my modded XBOX, networked to my PC with Ethereal (a Network Protocol Analyzer) running.
All that appeared to happened was that I was returned to the Evox Dashboard.
I was hoping that ethereal would catch a DNS lookup or IP address but no,
ethereal did actually catch a network ARC broadcast message that was sent - so I believe the XBE did run
. I'm working on the limits of my knowledge here, but the network ARC broadcast message appears to be a "Hey! I'm here"/network enrolment message. The regular Dashboard's send these too.I theorized that this quick-exit behavior was caused by the XBE failing to find a configuration file, and exiting. And since it didn't try to contact any kind of server, I suspected that the DNS server/server IP address would be in that file.
I've now disassembled the file and started looking in to it. From my interpretation of the disassembly, it appears that the program first checks the Kernel version - to ensure that it's one supported by the XTMA program (the XTMAXBOX.xbe I've got only appears to support up to K:5101
), then does indeed go on to look for a configuration file, one named XTMA.INI. What's particularly interesting is that it appears to not look for this file on the HDD, but on a memory card!. I can speculate why this might be. I can imagine the manufacturing line operators plugging in different memcards into different XBOXs to ensure that localized copies of the operating software are sucked down from appropriate servers, etc.Obviously we don't have a copy of this XTMA.INI file, but I'm currently trying to rebuild one from looking at how the XBE processes it. It appears to be a text based name/value pair INI file - like a traditional Windows one.
What's potentially neat about this is, if my speculation above is correct, the XTMA.INI file can't be a signed file, and therefore the first candidate for modification and overflow investigation.
More news as it breaks...
Post by: []V[]nm6687 on July 13, 2004, 09:22:00 AM
Post by: Tomilius on July 13, 2004, 09:35:00 AM
And hold on.
... Okay, I still don't know what TDATA folder you're talking about. I thought maybe you meant on the DVD itself but nope.
If you mean the gamesave (which is in the UDATA folder) that default.xbe isn't MechAssault ...
Post by: krayzie on July 13, 2004, 09:44:00 AM
Post by: []V[]nm6687 on July 13, 2004, 10:00:00 AM
Post by: krayzie on July 13, 2004, 10:06:00 AM
Post by: PedrosPad on July 13, 2004, 10:06:00 AM
Interesting idea []V[]nm6687. I don't know that the default.xbe is a updated MA game engine - the xbe title may simply mean it's from MA suite of files - and I haven't had a chance to look into it yet. But if it is, that's a very interesting idea - you could boot into MA, load the save game, and end up at Evox with no ROE! (since ROE isn't set for the boot xbe)
- If I had MA I'd try it. I'll take a peek into the default.xbe when time allows to find out more.Edit: Ok the /E/TDATA/4d530017/$u/default.xbe is 3,727,360 bytes - certainly big enough to be an updated game engine I'd have thought - although this updated game engine may have MA's savegame bug fixed
.
Post by: Tomilius on July 13, 2004, 10:14:00 AM
Post by: Chicken Scratch Boy on July 13, 2004, 10:14:00 AM
but replaceing it with the one from the disc would probaly cause err21 (due to media flags)
Post by: PedrosPad on July 13, 2004, 10:16:00 AM
| QUOTE (Tomilius @ Jul 13 2004, 07:14 PM) |
| What's the file size? In bytes? Even better, MD5 it. |
/E/TDATA/4d530017/$u/default.xbe is 3,727,360 bytes - certainly big enough to be an updated game engine I'd have thought.
Post by: Chicken Scratch Boy on July 13, 2004, 10:17:00 AM
Post by: PedrosPad on July 13, 2004, 10:19:00 AM
| QUOTE (Chicken Scratch Boy @ Jul 13 2004, 07:14 PM) |
| it may be a n upgraded version but replaceing it with the one from the disc would probaly cause err21 (due to media flags) |
True, but copying MA's DVD content onto the HDD wouldn't.
(Obviously we'd not need all the DVD contents - later levels, etc. could be left out)
Post by: Tomilius on July 13, 2004, 10:19:00 AM
| QUOTE (PedrosPad @ Jul 13 2004, 12:16 PM) |
| /E/TDATA/4d530017/$u/default.xbe is 3,727,360 bytes - certainly big enough to be an updated game engine I'd have thought. |
For some reason I missed your huge post, PedrosPad. Hmm.
Post by: PedrosPad on July 13, 2004, 10:28:00 AM
Also if someone want to PM me the "xbedump d:\default.xbe -da >MAretail.txt" - that'd be good.
Post by: PedrosPad on July 13, 2004, 10:49:00 AM
.Also, info req: can you still save games on downloaded MA levels?
Post by: mkjones on July 13, 2004, 10:56:00 AM
| QUOTE |
Allowed media types : 0x00000002 : XBE_MEDIA_XBOX_DVD |
Info
the files are:FuzionFrenzyDemo.xbe
MunchFinal.xbe
XDemos.xbe
Worth a shot I suppose
Post by: adil786 on July 13, 2004, 11:08:00 AM
I just found out that the game "Frogger Beyond" is also exploitable, ie, gamesave wise.
You can buy it for a few pounds here in UK.
The game was made by a cheap-ass company who messed up a few files and therefore the game did not get distributed massively.
But the game still runs from original, untouched xbox. There may be a vunerable file here... if any1 has it.?
hope something comes outta this.
Post by: Angerwound on July 13, 2004, 11:10:00 AM
Post by: mkjones on July 13, 2004, 11:10:00 AM
I have something:This is the xbedump header info from the Update.xbe file taken from the game Shadow Ops: Red Mercury more info about the game: http://www.xbox.com/en-gb/shadowops/
| QUOTE |
| Certificate ~~~~~~~~~~~ Size of certificate : 0x000001EC Certificate timestamp : 0x40AA006D Tue May 18 13:24:13 2004 Title ID : 0x49470041 Title name : "Online Updater Application" Alternate title ID's : none Allowed media types : 0xC00001FF : XBE_MEDIA_HDD : XBE_MEDIA_XBOX_DVD : XBE_MEDIA_ANY_CD_OR_DVD : XBE_MEDIA_CD : XBE_MEDIA_1LAYER_DVDROM : XBE_MEDIA_2LAYER_DVDROM : XBE_MEDIA_1LAYER_DVDR : XBE_MEDIA_2LAYER_DVDR : XBE_MEDIA_USB : XBE_MEDIA_ALLOW_UNLOCKED_HDD Allowed game regions : 0x00000004 : XBE_REGION_ELSEWHERE Allowed game rating : 0x00000000 Disk number : 0x00000000 Version : 0x00000001 |
What I wanna know is, what the HELL do:
| QUOTE |
| : XBE_MEDIA_USB and : XBE_MEDIA_ALLOW_UNLOCKED_HDD |
Mean
I REALLY hope this helps, if you need any more info PED then PM me
Post by: adil786 on July 13, 2004, 11:15:00 AM
| QUOTE |
| XBE_MEDIA_ALLOW_UNLOCKED_HDD? |
HUH??? what????
Post by: mkjones on July 13, 2004, 11:16:00 AM
| QUOTE (adil786 @ Jul 13 2004, 08:15 PM) |
| HUH??? what???? |
tell me about it
When I saw that I just though "HOLY SHIT"
And just look at the rest of em:
| QUOTE |
| : XBE_MEDIA_HDD : XBE_MEDIA_XBOX_DVD : XBE_MEDIA_ANY_CD_OR_DVD : XBE_MEDIA_CD : XBE_MEDIA_1LAYER_DVDROM : XBE_MEDIA_2LAYER_DVDROM : XBE_MEDIA_1LAYER_DVDR : XBE_MEDIA_2LAYER_DVDR : XBE_MEDIA_USB : XBE_MEDIA_ALLOW_UNLOCKED_HDD |
Its like ALL the types you could ever dream off
AND this is a BRAND new game, only been out since e3
so its bound to run on new Kernals, well some of them maybe? Dont wanna get too excited, see what Ped has to say..
Post by: YoshiKool on July 13, 2004, 11:26:00 AM
Post by: adil786 on July 13, 2004, 11:31:00 AM
| QUOTE (YoshiKool @ Jul 13 2004, 08:26 PM) |
| i'm pretty sure that won't be exploitable, dream broken basically - it's a newer update.xbe so the font exploits won't be there, unless some other exploit comes into being... |
let the guy have his 2 mins m8...
Post by: Tomilius on July 13, 2004, 11:32:00 AM
| QUOTE (YoshiKool @ Jul 13 2004, 01:26 PM) |
| i'm pretty sure that won't be exploitable, dream broken basically - it's a newer update.xbe so the font exploits won't be there, unless some other exploit comes into being... |
We're looking for new exploits. That's kind of the point.
I think?
Post by: mkjones on July 13, 2004, 11:37:00 AM
| QUOTE (YoshiKool @ Jul 13 2004, 08:26 PM) |
| i'm pretty sure that won't be exploitable, dream broken basically - it's a newer update.xbe so the font exploits won't be there, unless some other exploit comes into being... |
Yeh but that doesnt mean it cant be exploited using something else, I mean it can be run from the HD, by the looks of it anyway.. So that means it can hopefully be run as a replacement for xboxdash.xbe much like UDE is run now with the OLD update file..
All that needs to be done is find a flaw in this file and it could at very least be another update.xbe to add to the list if you are finding it hard to find another..
I have no idea if anything will come of it, but we do have some kind of recent exploits in the form of the EEE so you never know!
If not, it was still nice to see all those strange media flags in an XBE, I mean, USB? and Unlocked HD?
Either M$ really have there system locked and these are in for a reason or it could be of use to someone...
Also, its a decent game
and works with Kai ;P
Post by: YoshiKool on July 13, 2004, 11:42:00 AM
Post by: mkjones on July 13, 2004, 11:43:00 AM
| QUOTE (Tomilius @ Jul 13 2004, 08:32 PM) |
| We're looking for new exploits. That's kind of the point. I think? |
I hope its the point anyway
I was sure M$ had us all screwd with the dash updates etc a few months ago, a few clever new members later and here we are with a new PBL an updated NKPatcher and the UDE and EEE exploits, its been a non stop few weeks!
Hopefully we can all ride the wave to another exploit of some kind, something that runs on the latest kernels and will re-open the exploits as a real option other than getting a chip..
Its a shame the Linux guys dont seem to be working on anything anymore, maybe we pissed them off hacking the MA fonts
Post by: mkjones on July 13, 2004, 11:44:00 AM
| QUOTE (Dark Master Sephiroth @ Jul 13 2004, 08:41 PM) |
| : XBE_MEDIA_ALLOW_UNLOCKED_HDD but why in the world would this be there it makes no since |
Who knows? My 120gb is locked up so I cant test it but like Yoshi says, someone give it a try
Any idea what the USB thing could be? I assume memory card support but why?
Post by: YoshiKool on July 13, 2004, 11:51:00 AM
Post by: mkjones on July 13, 2004, 11:53:00 AM
| QUOTE (YoshiKool @ Jul 13 2004, 08:51 PM) |
| that update.xbe is taunting us imo, i can understand most of the tags but dual layer and stuff like that? the fuck? |
True, its a very evil little file full of false hope and cruelness
Pedro PMed me, seems very interested
hope he can work his magic..
Post by: cyberplague on July 13, 2004, 11:56:00 AM
Just a thought...hopefully this works out, running out of local stores with old versions to mod for friends and family.
CP
Post by: mkjones on July 13, 2004, 11:59:00 AM
| QUOTE (cyberplague @ Jul 13 2004, 08:56 PM) |
| Only thing I can think as far as all the new media flags is... xbox 2(next) whatever... Just a thought...hopefully this works out, running out of local stores with old versions to mod for friends and family. CP |
Xbox 2 eh? well yes, I suppose? That would help back up the idea of backwards compatibility
Wish I had some more files with interesting headers, but nope, the rest are very boring
I urge anyone out there to start looking now
Post by: mkjones on July 13, 2004, 12:18:00 PM
Tested 3 more games....
| QUOTE |
Full Spectrum Warriar: Good news Allowed media types : 0x400001FF : XBE_MEDIA_HDD : XBE_MEDIA_XBOX_DVD : XBE_MEDIA_ANY_CD_OR_DVD : XBE_MEDIA_CD : XBE_MEDIA_1LAYER_DVDROM : XBE_MEDIA_2LAYER_DVDROM : XBE_MEDIA_1LAYER_DVDR : XBE_MEDIA_2LAYER_DVDR : XBE_MEDIA_USB : XBE_MEDIA_ALLOW_UNLOCKED_HDD |
| QUOTE |
Rainbow 6 3: More Good news Allowed media types : 0x400001FF : XBE_MEDIA_HDD : XBE_MEDIA_XBOX_DVD : XBE_MEDIA_ANY_CD_OR_DVD : XBE_MEDIA_CD : XBE_MEDIA_1LAYER_DVDROM : XBE_MEDIA_2LAYER_DVDROM : XBE_MEDIA_1LAYER_DVDR : XBE_MEDIA_2LAYER_DVDR : XBE_MEDIA_USB : XBE_MEDIA_ALLOW_UNLOCKED_HDD |
BUT:
| QUOTE |
Driv3r: Not so good Allowed media types : 0x00000202 : XBE_MEDIA_XBOX_DVD |
ALL these tests are on the udate.xbe found on the ROOT of the DVDs
If anyone needs info, PM me... or check your game collection
Post by: mkjones on July 13, 2004, 12:30:00 PM
Sorry for jumping to conclusions!
Its also worth mensioning I used Quix to extract the Update.xbe from the Special Ops DVD? I am not sure if that does patching on-the-fly??
Oh dear! Im starting to doubt this "finding"
I knew it seemed too good to be true...
------------------------------------------------------------
EDIT:
------------------------------------------------------------
A quick google has shown me the error of my ways
FROM: http://dvd2xbox.xbox.../changelog.html
| QUOTE |
| v0.4.3 Changed set media type from 0x000000FF to 0x400001FF to enable start of app even from unlocked hdd. |
AHH!
bugger, looks like I may have been duped!Does anyone know if Quix patches files it takes from DVDs in the SAME way? if so, the Specual Ops file is useless!
Ohh well, at least I tried..
If this has shown one thing it will at least help ldots produce his searching app so he doesnt fall for the same mistake..
I do however hold a hope that the Special Ops file is for real, it was taken from a real DVD not my HD unlike the rest of the files....
feell kinda foolish now, guess I got caught up in the excitement!!!Hope I dont put people off looking
I will go and stick my head in a door for a moment, see if I can knock some scence back in
Post by: devz3ro on July 13, 2004, 12:41:00 PM
| CODE |
Certificate ~~~~~~~~~~~ Size of certificate : 0x000001EC Certificate timestamp : 0x3E306D50 Thu Jan 23 17:31:44 2003 Title ID : 0xFFFE0000 Title name : "Online Updater Application" Alternate title ID's : none Allowed media types : 0x00000001 : XBE_MEDIA_HDD Allowed game regions : 0x7FFFFFFF : XBE_REGION_US_CANADA : XBE_REGION_JAPAN : XBE_REGION_ELSEWHERE Allowed game rating : 0xFFFFFFFF Disk number : 0x00000000 Version : 0x1012A700 |
&
s1914880:
| CODE |
Certificate ~~~~~~~~~~~ Size of certificate : 0x000001EC Certificate timestamp : 0x3D5D3C09 Fri Aug 16 13:53:13 2002 Title ID : 0xFFFE0000 Title name : "Online Updater Application" Alternate title ID's : none Allowed media types : 0x00000001 : XBE_MEDIA_HDD Allowed game regions : 0x7FFFFFFF : XBE_REGION_US_CANADA : XBE_REGION_JAPAN : XBE_REGION_ELSEWHERE Allowed game rating : 0xFFFFFFFF Disk number : 0x00000000 Version : 0x10027100 |
as rmenhal stated before K:5713+ first checks the Title ID which must be 0xFFFE0000, if true it then checks the timestamp (thanks to PedrosPad for pointing out) which has to be later than around august 2003. If either of the two aren't true, it isn't going to boot (unless you're a eeprom hacker
).-devz3ro
http://sh0x.tk/
Post by: PedrosPad on July 13, 2004, 12:42:00 PM
Post by: mkjones on July 13, 2004, 12:46:00 PM
| QUOTE (devz3ro @ Jul 13 2004, 09:41 PM) |
| as rmenhal stated before K:5713+ first checks the Title ID which must be 0xFFFE0000, if true it then checks the timestamp (thanks to PedrosPad for pointing out) which has to be later than around august 2003. If either of the two aren't true, it isn't going to boot (unless you're a eeprom hacker ). -devz3ro http://sh0x.tk/ |
Yeh, I noticed the 0xFFFE0000 seemed ok, but this may again be either DVD2XBOX or Quix, I am guessing you missed my last post above
Im kinda pissed off now
I should have reserched before posting, but I was SURE the Special Ops file wouldnt be un-hacked? Now im pretty sure Qwix has messed with it.. Sorry guys!
Hopefully I havent put us behind
Post by: mkjones on July 13, 2004, 12:49:00 PM
| QUOTE (PedrosPad @ Jul 13 2004, 09:42 PM) |
| mkjones, pity - but well spotted - want me to zap your posts to tidy the thread up? |
Could be worth it man
Or it could serve as a lesson for others
Up to you
its your thread!
Post by: PedrosPad on July 13, 2004, 02:12:00 PM
. - doesn't let me load a savegame , but that's normal for the demo content.Moved E:\MA to C:\. Renamed HDD MA's default.xbe to xboxdash.xbe, and booted. Doesn't work - (interesting symptoms through - blue screen and the HDD sounds like it is trying to locate a missing file). same symptom with mod chip on or off.
Moved E:\MA to E:\ - doesnt work. Hmmmm. It seems the HDD MA engine wont run from the root folder on any drive, but works fine in a folder. Hmmmm.
I know where a folder is on C:\ - the C:\xodash folder!. Popped the E:\MA contents into C:\xodash folder, renamed default.xbe xboxonline.xbe and rebooted.
Got Error21 on boot odd. Hadnt even pressed the XBOX Live Dashboard option. it seems that Dash 5960 must have the CRC of the C:\xodash\xonlinedash.xbe in C:\xboxdash.xbe, or C:\xboxdash.xbe checksums the C:\xodash\xonlinedash.xbe on launch. Errrr.
Downgraded to 5659 (thatll still work on K:5713 Im sure). Booted fine and now when I press the XBOX Live option, the MA demo runs mod chip off
This is looking good. I powered on the XBOX using the DVD-tray eject, and popped in a backup DVD-RW. Left the tray open while the Dashboard 5659 booted. Closed the tray and the same time I pressed the XBOX Live option. Upshot? I was running the MA demo on a retail XBOX, with a backup DVD-RW in the closed DVD-tray!.
Unfortunately, the demo MA wont let me load a gamesav, but if the retail MA can be stripped down to fit in C:\xodash, with just enough to load the gamesav I think weve got it cracked. Not quite as pretty as UDE, but it would give K:5713+ owners a way to play backup DVD-RWs.
PS. And because were hijacking C:\xodash\xonlinedash.xbe, theres no chance of it updating to Dashboard 5960
[]V[]nm6687, your contribution may just have cracked this
Edit: Hey! what da you know - deleting the MA demos "LiveDemo.mgf" get's you the load game options back
Edit2: Bugger - I selected the "Run Linux" save game, and MA pops up a dialog saying it can't load that save game
. Looks like they have fixed this hole in the new XBE.
Post by: Mate98 on July 13, 2004, 02:33:00 PM
| QUOTE (PedrosPad @ Jul 13 2004, 11:12 PM) |
| []V[]nm6687, your contribution may just have cracked this |
well done the both of u i wish i could help in some way but im a n00b when it comes to the tech stuff i mean i can get it all to work no probs but i just dont know where to go to find leaks in the xbes and stuff =(
Post by: PedrosPad on July 13, 2004, 02:56:00 PM
| QUOTE ([) |
| V[]nm6687,Jul 13 2004, 11:31 PM] hey pedrospad look at my post above yours about the splinter cell 2 xbe's |
Is there a GameSav exploit for SC2? If so, go for it - some of the ideas voiced above may be helpful.
PS. You do know that 4920's update.xbe won't work on K:5713+?
Post by: []V[]nm6687 on July 13, 2004, 03:11:00 PM
| QUOTE (PedrosPad @ Jul 13 2004, 06:56 PM) |
| PS. You do know that 4920's update.xbe won't work on K:5713+? |
i thought that 5713+ would still launch the gamesave hack for 007 wouldn't it? so you're saying that any xbe that has a timestamp prior to Aug 3, 2003 will never boot on a 5713+ K?? fuck
Post by: PedrosPad on July 13, 2004, 03:18:00 PM
| QUOTE ([) |
| V[]nm6687,Jul 14 2004, 12:11 AM]i thought that 5713+ would still launch the gamesave hack for 007 wouldn't it? so you're saying that any xbe that has a timestamp prior to Aug 3, 2003 will never boot on a 5713+ K?? fuck |
007 GameSav should work fine. It uses 007 AUF, not 4290's update.xbe.
and
No, only XBEs that have the Dashboard's title ID, AND a date < Aug 3, 2003 won't boot on K:5713+. Other early XBEs will.
Post by: Angerwound on July 13, 2004, 03:23:00 PM
Post by: ldots on July 13, 2004, 03:51:00 PM
I could start to see if it's possible to strip MA to something like 300-400 MB though.
Back to the original topic
I made the XBE media flag scanner, but again, as I'm not on XBOX!Live the result from my own scan was not that useful. Currently it locates every xbe in C: and E: and checks the media flag. If its XBE_MEDIA_HDD flagged the certificate will be printed. The log file with first hit looks like this :
| CODE |
| -------------------------------------------------- Scanning HDD for xbe's with XBE_MEDIA_HDD flag -------------------------------------------------- ---------------- Entering /mnt/C: ---------------- *************************************************************************** Correct Media flag found in : /mnt/C/xodash/update.xbe *************************************************************************** Certificate ~~~~~~~~~~~ Size of certificate : 0x000001EC Certificate timestamp : 0x409BCB24 Fri May 7 17:45:08 2004 Title ID : 0xFFFE0000 Title name : "Online Updater Application" Alternate title ID's : none Allowed media types : 0x80000001 : XBE_MEDIA_HDD Allowed game regions : 0x7FFFFFFF : XBE_REGION_US_CANADA : XBE_REGION_JAPAN : XBE_REGION_ELSEWHERE Allowed game rating : 0xFFFFFFFF Disk number : 0x00000000 Version : 0x185EAD00 |
So, what else would you guys like?
To check more file extensions : xip's ?
To check X,Y,Z drives ?
Let me know and I'll add the changes. Then other users with a (soft)modded xbox could run this to build up a database of HDD flaggged xbe's.
Post by: Chicken Scratch Boy on July 13, 2004, 03:55:00 PM
it appears that unless SC or AUF have hdd launchable variants, signed after the date specified, we(you?) need to find a new exploit (even if is a boot strap for 4920's update.xbe
Post by: afon on July 13, 2004, 06:24:00 PM
Post by: chimpanzee on July 13, 2004, 06:30:00 PM
| QUOTE (afon @ Jul 14 2004, 03:24 AM) |
| I was thinking, and what if we used some kind of file from the xboxlive update disc itself? The way it shifts from dashboard to update app to demo makes me suscpicious. Anyone have a new xbox live update disc? |
But these are usually 'plugged' like newer dashboard. The chances of exploit for 5713+ still seems to be in older games MA/SC/007AUF.
Post by: afon on July 13, 2004, 06:46:00 PM
Post by: Australian Rat on July 13, 2004, 06:56:00 PM
Aw well, making progress anyway. You all will get it, just a matter of time.
Post by: mkjones on July 13, 2004, 11:26:00 PM
| QUOTE (Australian Rat @ Jul 14 2004, 03:56 AM) |
| lol, reading pages 2 & 3 is such a killjoy. First it looks like it's nearly there, with loads of hopeful stuff being posted, then finally coming to page 3 where everything hits a brick wall Aw well, making progress anyway. You all will get it, just a matter of time. |
Yawn
tell me about it, I was up all nite trying to come up with any new ideas but it seems it was all down to Qwix patching the file which I didnt think it would do what a bummer ANYWAY (trying to change the subject
)The MA thing sounds amazing, booting a game insted of the xbox dash from C has always been a cool idea, it would just mean:
a) finding a hackable game
finding a very small gamec) finding a universaly availiable game
Of course it would need to be run from the HDD. So its gonna have to be a game update or something from Live! or maybe even from a Magazine CD... But this is gonna take a while!
I hope ldots tool comes up with something, I fear it would only be good for Live! users and possibly heavy duty ones at that. We need someone that has shit loads of live! games with downloadable content and all that...
I mean, lets try and list all the games that have downloadable content that we know of:
- Ninja Gaiden
- MechAssault
- Rainbow 6 3
- Spinter Cell (?)
- Prince of Persia (?)
Any others? I kinda lost the track of things by the end....
Post by: PedrosPad on July 13, 2004, 11:28:00 PM
| QUOTE (ldots @ Jul 14 2004, 12:51 AM) |
| I made the XBE media flag scanner, but again, as I'm not on XBOX!Live the result from my own scan was not that useful. Currently it locates every xbe in C: and E: and checks the media flag. If its XBE_MEDIA_HDD flagged the certificate will be printed. <snip/> So, what else would you guys like? To check more file extensions : xip's ? To check X,Y,Z drives ? Let me know and I'll add the changes. Then other users with a (soft)modded xbox could run this to build up a database of HDD flaggged xbe's. |
Hi ldots, good work
,Given the problems mkjones found, with DVD2XBOX (and other utils) ticking-all-the-boxes for media types, I think we'll need a way to discard this noise or nearly every XBE will be reported. Can you discard xbedump outputs that contain the very odd media types (USB, etc)?
Also, The X,Y,Z drives are tiny, so there's no harm including them in the search. I say this because titles like Shemue II has an "Outrun" Easter egg, and I believe this is temporarily cached in X,Y, or Z.
Post by: PedrosPad on July 13, 2004, 11:43:00 PM
| QUOTE (afon @ Jul 14 2004, 03:46 AM) |
| Pedro, did you check for any files that MA has that are unsigned? |
Well that is an interesting question.
Had this thought as soon as I shutdown last night....
When the original Linux guys were looking for exploits, they were limited to HDD and memory card files, as they knew they couldn't change any files on the DVD, not because of file signing issues, but solely because they knew they couldn't burn a DVD media that would boot on a retail XBOX!.
Now that I've got MA booting on a retail XBOX from the HDD, this opens up a whole load of support data files that could now be altered and possibly exploited - graphic files, font files, level files, etc.
The fact that I managed to get the retail MA engine to work with my MA demo content, implies to me that the signatures of the support files aren't compiled into the XBE game engine (It's highly likely that demo files are different to the retail ones). So even if the support files are runtime checksum'ed, it would be through the game engine at runtime (like GameSavs) - meaning that they may be able to be altered and then the right checksum recalculated
. (Although I suspect that even this level of checksuming is not actually going on ).I think this is a promising avenue, and I'll look into tampering with the MA demo support files next.
Post by: PedrosPad on July 13, 2004, 11:53:00 PM
| QUOTE ([) |
| V[]nm6687,Jul 14 2004, 07:24 AM]good news guys, i just downloaded some levels from Xbox LIVE for Splinter Cell (the first one) and it too has its own default.xbe in TDATA that is HDD signed! the only bad thing is that the timestamp is from 2002. |
Since Splinter Cell 1 won't have the Dashboard's title ID, the date won't matter (and it's age predates the SC GameSav exploit so it may mean that the GameSav hasn't been fixed
). This could be another good candidate .Post by: PedrosPad on July 13, 2004, 11:53:00 PM
Post by: PedrosPad on July 14, 2004, 12:06:00 AM
| QUOTE (ldots @ Jul 14 2004, 12:51 AM) |
| I could start to see if it's possible to strip MA to something like 300-400 MB though. |
That'd be good - Angerwound is already is looking into this too.
But I found that the MA Demo content appears to be significant get the HDD MA engine to the point where a GameSav could be loaded. Not sure how big that is - may already be < 400MBs (or could be a better candidate to strip further)
.If an exploit can be found in one of the early MA content files the engine loads, what's eventually needed could turn out to be a very small bootstrap indeed.
Post by: PedrosPad on July 14, 2004, 12:09:00 AM
| QUOTE (Australian Rat @ Jul 14 2004, 03:56 AM) |
| lol, reading pages 2 & 3 is such a killjoy. First it looks like it's nearly there, with loads of hopeful stuff being posted, then finally coming to page 3 where everything hits a brick wall |
Exciting, wasn't it? hehe
Post by: PedrosPad on July 14, 2004, 12:17:00 AM
| QUOTE (mkjones @ Jul 14 2004, 08:26 AM) |
| The MA thing sounds amazing, booting a game insted of the xbox dash from C has always been a cool idea, it would just mean: a ) finding a hackable game b ) finding a very small game c ) finding a universaly availiable game Of course it would need to be run from the HDD. So its gonna have to be a game update or something from Live! or maybe even from a Magazine CD... But this is gonna take a while! |
Why "c) finding a universaly availiable game"? Didn't this only apply when original DVD media was required (like MA)? If it can be FTPed onto the HDD, it could be, er, distributed universally
.Edit: 2nd thought - I guess we should keep an eye on the region codes.
Post by: chimpanzee on July 14, 2004, 12:22:00 AM
| QUOTE (PedrosPad @ Jul 14 2004, 09:17 AM) |
| Why "c) finding a universaly availiable game"? Didn't this only apply when original DVD media was required (like MA)? If it can be FTPed onto the HDD, it could be, er, distributed universally . |
If I were a game developer, I would introduce a game that is 'not perfect' but still it will sell like hotcake, regardless of whatever game critics say :-).
Post by: PedrosPad on July 14, 2004, 12:27:00 AM
| QUOTE ([) |
| V[]nm6687,Jul 14 2004, 09:00 AM] Ok everyone I think I may have solved this, but I don't have a newer box so I cannot test it. Like i said before, the downloadable content from Splinter Cell (first one) gives you an XBE that is HDD-signed, but unlike the MA HDD-signed XBE, it has not been fixed by MS so you cannot load the hacked savegame. This means that we can do exactly what PedrosPad did with MA, but instead we can use the first Splinter Cell and still be able to load a hacked game! I've cut the original Splinter Cell down to about 200 MB or so, so it fits on the C partition no problem running with only the bare essential files. This file also does not boot directly from the C drive so it has to be put in the xodash folder and renamed xonlinedash.xbe like PedrosPad did. I'm just wondering though, PedrosPad, will this file work even tho it's timestamp is in 2002? |
| QUOTE (PedrosPad @ Jul 14 2004, 08:53 AM) |
| Since Splinter Cell 1 won't have the Dashboard's title ID, the date won't matter (and it's age predates the SC GameSav exploit so it may mean that the GameSav hasn't been fixed ). This could be another good candidate . |
Does it work on your BIOS? - Does the the GameSav get you into Evox?
If it doesn't work on your BIOS, it won't work on a later one.
If it does work on your BIOS, it has a good chance of working on a later one.
PS. I bet 200MB compresses down really well
Post by: Dan Wysocki on July 14, 2004, 12:36:00 AM
| QUOTE (ldots @ Jul 14 2004, 12:51 AM) | ||
| This all sounds very interresting, but of course if the HDD flagged xbe is the non-exploitable one it's a no go. I have MA but I'm not on XBOX!Live so I dont have the HDD engine to test I could start to see if it's possible to strip MA to something like 300-400 MB though. Back to the original topic I made the XBE media flag scanner, but again, as I'm not on XBOX!Live the result from my own scan was not that useful. Currently it locates every xbe in C: and E: and checks the media flag. If its XBE_MEDIA_HDD flagged the certificate will be printed. The log file with first hit looks like this :
So, what else would you guys like? To check more file extensions : xip's ? To check X,Y,Z drives ? Let me know and I'll add the changes. Then other users with a (soft)modded xbox could run this to build up a database of HDD flaggged xbe's. |
This seems like a really cool app, is there any way of developing a PC version cause I have numerous backups of my whole xbox hdd on my pc and it may be nice to be able to run an app to search within folders in windows...
Post by: Australian Rat on July 14, 2004, 12:49:00 AM
Post by: PedrosPad on July 14, 2004, 12:50:00 AM
| QUOTE (mcjules @ Jul 14 2004, 09:43 AM) |
| The only files necessary to get to the menu screen are movies.mgf, text.mgf and of course default.xbe. Without those 2 mgf files I get a blue screen. This would be quite a nice solution if the save game hack still worked cos it loads quick with no movies. Is it possible to exploit those mgf files maybe? |
[]V[]nm6687, may have this cracked with SC1.
But if not, your information will help me when I come to look at the MA content. cheers.
Post by: chimpanzee on July 14, 2004, 12:53:00 AM
| QUOTE (Australian Rat @ Jul 14 2004, 09:49 AM) |
| lol, I bet whoever is responsible for all the bugs in MA is smacking themself in head about now... Or Bill's smacking him in the head...? |
May be Bill himself is, after all he still codes according to some report
Post by: Raebis on July 14, 2004, 01:02:00 AM
wouldn't the downloaded content xbe look for support files on the cd rather than in the local dir?
meaning if you ran the hdd default.xbe wouldn't it look for the dvd with movies and other support files? what happens if it doesn't find these files on the dvd drive?
Post by: PedrosPad on July 14, 2004, 01:08:00 AM
| QUOTE (Raebis @ Jul 14 2004, 10:02 AM) |
| wouldn't the downloaded content xbe look for support files on the cd rather than in the local dir? |
Understandable conclusion, but one already disproved in the posts above.
Post by: Raebis on July 14, 2004, 01:36:00 AM
| QUOTE (Angerwound @ Jul 13 2004, 09:15 PM) |
| I have launched the MA .xbe that is HDD Signed with the game files along side it on the HDD. The game does launch however, the true test would be to launch it from a retail bios. This would be impossible at the moment for the entire game will not fit on the c partition. |
musta missed it.
is this true for other games to? namely sc?
Post by: ldots on July 14, 2004, 01:39:00 AM
| QUOTE (PedrosPad @ Jul 14 2004, 08:28 AM) |
| Hi ldots, good work , Given the problems mkjones found, with DVD2XBOX (and other utils) ticking-all-the-boxes for media types, I think we'll need a way to discard this noise or nearly every XBE will be reported. Can you discard xbedump outputs that contain the very odd media types (USB, etc)? Also, The X,Y,Z drives are tiny, so there's no harm including them in the search. I say this because titles like Shemue II has an "Outrun" Easter egg, and I believe this is temporarily cached in X,Y, or Z. |
Will try to make these changes. Then some volunteers should try and run this scan.
Post by: PedrosPad on July 14, 2004, 01:56:00 AM
| QUOTE (Raebis @ Jul 14 2004, 10:36 AM) |
| is this true for other games to? namely sc? |
| QUOTE (Vnm6687 @ Jul 14 2004, 09:00 AM) |
| I've cut the original Splinter Cell down to about 200 MB or so, so it fits on the C partition no problem running with only the bare essential files. |
Raebis, are you reading the same thread as the rest of us?
Post by: Raebis on July 14, 2004, 02:05:00 AM
lordy i must be tired, neurons aren't firing like they should be...noobie out.
Post by: ldots on July 14, 2004, 03:14:00 AM
Will scan C,E,X,Y,Z for xbe and xip files.
Will check if they are xbe executables (relevant for xip's)
Will check for the XBE_MEDIA_HDD flag but filter those with the XBE_MEDIA_USB or XBE_MEDIA_ALLOW_UNLOCKED_HDD flag (or both).
Will dump the certificate for those hits to E:\XBE_SCAN.LOG
Procedure for running this would be upload the scan dir. to your modded xbox and run the scan\default.xbe from your dash or filemanager. When it's done reboot and ftp out the E:\XBE_SCAN.LOG files.
PM me if you want to run this scan. It's linux based (open-source) so there shouldn't be any copyright issues.
Did the scan myself but nothing interresting turned up. I havent been on Live though!
Post by: mkjones on July 14, 2004, 04:00:00 AM
| QUOTE (ldots @ Jul 14 2004, 12:14 PM) | ||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||||
| OK - make some changes to the xbe scanner. Post by: ldots on July 14, 2004, 04:42:00 AM It's linux based so it includes a linux kernel. I could probably strip it down, but dont see the point in spending time on that for this purpose. Post by: PedrosPad on July 14, 2004, 04:46:00 AM
It's a 2MB RAR - Can anyone host this for ldots? Post by: BluhDeBluh on July 14, 2004, 05:36:00 AM
Assuming there is nothing made with the Xbox SDK (so it's legal), couldn't you just start a new Sourceforge project? Another thing I've got to mention is the hard-disk drive limits that people have mentioned - does it matter what size each partition is? Couldn't you rebuild another HDD with different sized partitions (resulting in a larger C drive that you could fit more game data on)?
I have another question based on this - would LiveDemo.mgf from MechAssault be exploitable? Post by: chimpanzee on July 14, 2004, 06:12:00 AM
The xbedump used is already on xbox-linux cvs, ldots may have written some shell scripts for that which doesn't honour a sourceforge project. Having the xbox-linux cvs to host it is an option but there may be more admin job than needed. may be better to just put them on the usual place. For the HD limit, not everyone would buy a new larger HD so not practical. Post by: chimpanzee on July 14, 2004, 06:15:00 AM
since most people is going to use your package to install UDE, why not just add them to it ? All one need is telnet into it and run it. Post by: PedrosPad on July 14, 2004, 06:24:00 AM
The HDD partition table is hardcoded into the BIOS, unlike PCs. Post by: eh. on July 14, 2004, 06:42:00 AM
This earlier version might then be of interest too:
Post by: PedrosPad on July 14, 2004, 06:47:00 AM
Very! - it may predate the GameSav fix - and since me HDD is still currently set up to test it
Post by: PedrosPad on July 14, 2004, 07:05:00 AM
Now that's the feedback we've been waiting for .Now you need to get ya 200MB package to someone with a K:5713, Dash <5960 and who is confident they can recover (but since you leave the boot dashboard process alone, this is actually fairly safe to test. )I've no doubt brave some volunteers will present themselves
Post by: chimpanzee on July 14, 2004, 07:10:00 AM
I see this as an enhanced game save exploit but see a number of issues : 1. ROE - better than starting from DVD as we can have one more chance to use a different DVD/CD whatever. 2. copyright - this still means a legal copy of SC1(?) Post by: ldots on July 14, 2004, 07:12:00 AM
That is just what it is. A script that finds, and checks for executables and Media flags and dumps the certificate with xbedump to a log file. No point in making a sourceforge project or even to setup a new host. If someone can host a 2MB file that would be great - otherwise the usual places could probably host it. But if it's just a few persons who want to scan their HDD's even that is kind of pointless. Edit : I dont want to update 4 UDE installer packages just to add this scanner
Post by: PedrosPad on July 14, 2004, 07:22:00 AM
I'm sure it'll work fine - it's just legacy Dashboards that won't run on K:5713+, not all old XBEs - otherwise legacy games wouldn't work.
Post by: cyberplague on July 14, 2004, 07:24:00 AM Keep up the great work guys, I wouldn't mind testing it out, I have a box sitting at home just waiting to be used and abused. Won't be able to test it for 10 hrs as I am still at work. Pmsg me the instructions or whatever I need. CP Post by: chimpanzee on July 14, 2004, 07:29:00 AM
MS is plugging this hole too as it was mentioned that newer dash check for xondash So it is 5713+ kernel and some not so new dash would work. Post by: PedrosPad on July 14, 2004, 07:38:00 AM
Correct - the C:\xodash\xonlinedash.xbe check only came in with Dash 5960!. Post by: Chicken Scratch Boy on July 14, 2004, 07:47:00 AM you think it can be stripped down further (200mb doesnt seem to appealing) Post by: Chicken Scratch Boy on July 14, 2004, 08:11:00 AM i bet it'll be like 6mb or osomthing like that i hope, rather Post by: Chicken Scratch Boy on July 14, 2004, 08:25:00 AM Post by: Angerwound on July 14, 2004, 08:28:00 AM Excellant job.
Post by: Chicken Scratch Boy on July 14, 2004, 08:30:00 AM Post by: Angerwound on July 14, 2004, 08:53:00 AM Post by: Angerwound on July 14, 2004, 09:09:00 AM
sounds great, contact []V[]nm6687. Post by: Chicken Scratch Boy on July 14, 2004, 09:20:00 AM why not just do the straight exploit to evox? less chance of error, thats for sure Post by: BeMoreOpenXBox on July 14, 2004, 09:33:00 AM Secondly what is in the SC1 package to run on the hard drive? Can I get all the content from MY original SC1 DVD? What is the location on C: I put the pcakage? Thanks for the superb work. Enjoy, every one. Post by: Chicken Scratch Boy on July 14, 2004, 09:44:00 AM Post by: devz3ro on July 14, 2004, 10:15:00 AM
Post by: PedrosPad on July 14, 2004, 10:31:00 AM
I'd had you in mind since the off . (Wondered where you'd been.)
Post by: devz3ro on July 14, 2004, 10:37:00 AM .-devz3ro http://sh0x.tk/ Post by: afon on July 14, 2004, 10:43:00 AM Post by: PedrosPad on July 14, 2004, 10:58:00 AM
Been thinking about this too. Got a few ideas brewing (as always ).
Post by: Angerwound on July 14, 2004, 11:05:00 AM
Post by: PedrosPad on July 14, 2004, 11:19:00 AM
That was one of them - accompanied by a DOS batch file to delete unwanted files, rename and move others. Surly that'd pass inspection?
Post by: Angerwound on July 14, 2004, 11:32:00 AM
Sounds good here. BTW, changed the pinned folders around a bit. Better Look? or should we stick with the one pinned 'Pinned Topics' thread. EDIT: LOL, dumbass free hosting company decided to not let me link to my sig anymore. Off to either make new sig or sign up for new web hosting. Post by: Angerwound on July 14, 2004, 12:11:00 PM Post by: PedrosPad on July 14, 2004, 12:22:00 PM
Not if the ppf patch also patched the signature back to what was required - after all it's only bytes as well. MA DVD ->PPFGen<- MA HDD = ppf file. Everyone has MA DVD, applies PPF, gets MA HDD. (However I suspect the ppf file would turn out to be almost as big as MA HDD though )
Post by: PedrosPad on July 14, 2004, 01:07:00 PM
ldots XBE candidate scanner can now be downloaded from here (all Linux, all legal) (Many thanks to cyberplague for the hosting )Post by: Musashi on July 14, 2004, 07:28:00 PM I would just need the HD signed xbes and info on what files can be deleted from the complete game to reap it. PM me to test this. Post by: []V[]nm6687 on July 14, 2004, 07:57:00 PM ) we'll see how it goes. this is still a WIP! ;
Post by: chimpanzee on July 16, 2004, 02:28:00 AM
the question left is, is this an updater that only share the same name or it is the same updater appears in the dashboard. I believe if there is some reference to the "Xbox Book" fonts in the file, there is a 90% probability that it is exploitable. Post by: SargeZT on July 16, 2004, 02:36:00 AM Post by: chimpanzee on July 16, 2004, 02:41:00 AM
A WAG: The XDK has some sample codes for the updater(as they have live in mind and need to help the developer on how to do it) which every live game vendor would use(and modify) to suite its need. So there could be more than one game having this probably exploitable xbe. just dreaming. Post by: chimpanzee on July 16, 2004, 02:44:00 AM
May be we can ask ldots to do us one more favour and add a bit more functionality to the scanner to scan for the reference of "Xbox Book" or whatever fonts in the file as that is still the most prabable exploitable route. EDIT: I just tried ldots' patcher on the update.xbe found in my MA retail DVD(that is not exploitable as it is a 'run from DVD' one) but it did find the font reference. So whoever found this updater, you can do a easy test to see if it does refer to the fonts by running the patcher against it. Post by: adil786 on July 16, 2004, 04:32:00 AM
great work , your awesome, When you click xbox live tab, does xbox need to be connected to net for exploit to work? regards Post by: Flame2k on July 16, 2004, 06:17:00 AM you can also hex the xboxdash.xbe and get the xbox live tab to say something other than xbox live. You can modify it to say something else. i think its around offset 00143474 or just below that... you could change it to say evo x or whatever. Post by: Infamous_One on July 16, 2004, 07:10:00 AM Post by: Australian Rat on July 16, 2004, 07:27:00 AM
Nope, the updated MA xbe is patched so it doesn't work with the GameSave Post by: eh. on July 16, 2004, 07:59:00 AM
Hope you're not offended but I wanted Pedro to have it first; UDE's his baby eh. (BTW: It ref's the fonts etc.  )
Post by: chimpanzee on July 16, 2004, 08:17:00 AM
rmenhal is the man to have it then. If it really looks for Xbox fonts, I believe the solution has been found. Post by: eh. on July 16, 2004, 08:26:00 AM Post by: PedrosPad on July 16, 2004, 08:47:00 AM Post by: krayzie on July 16, 2004, 08:52:00 AM
yeah please share. Us lonely PAL users want candy too.
Post by: eh. on July 16, 2004, 09:11:00 AM
I guess my box has an unusual past and thanks to ldots scan it's (hopefully) presently contributing to the future too eh.
Post by: chimpanzee on July 16, 2004, 09:14:00 AM EDIT: And why the update.xbe is there ? Because it is yet another MS game, too bad MechAssault doesn't have this HDD runnable update.xbe :-) http://www.xbox.com/...003/default.htm check who wrote it. So may be we can focus our search on those MS titles that is live enabled to look for pontential update.xbe Post by: adil786 on July 16, 2004, 09:23:00 AM
this is a breaktrhough, Post by: SSJ4Gohan on July 16, 2004, 09:59:00 AM Post by: krayzie on July 16, 2004, 10:03:00 AM Post by: SSJ4Gohan on July 16, 2004, 10:56:00 AM Post by: SSJ4Gohan on July 16, 2004, 11:19:00 AM Post by: chimpanzee on July 16, 2004, 11:22:00 AM Post by: Chicken Scratch Boy on July 16, 2004, 11:25:00 AM
Post by: -=MiNuS=- on July 16, 2004, 11:40:00 AM
I don't have any acces to XboxLive. Than i can't download PAL level. I can see 2 files "/E/TDATA/5553000c/" directory on my Xbox : -> /E/TDATA/5553000c/audiovideo.par -> /E/TDATA/5553000c/contentimage.xbx I can give you more details if you need informations. Post by: []V[]nm6687 on July 16, 2004, 12:05:00 PM
Post by: EthanHunt_IMF on July 16, 2004, 03:54:00 PM Post by: EthanHunt_IMF on July 16, 2004, 05:09:00 PM
That's the reason i was asking, I got this working, but I didn't want to replace it before i knew, I hate hotswapping. I don't think anyone has posted about it, or if it even matters, this works on K:5838 also, seems like everyone else is using 5713 Post by: krayzie on July 16, 2004, 05:13:00 PM Post by: EthanHunt_IMF on July 16, 2004, 05:21:00 PM
D 5659.03
ok, but if you replace the install.xbe with one that is un-signed, what do you think will happen? Post by: []V[]nm6687 on July 16, 2004, 05:38:00 PM
No that won't happen. Clicking the LIVE tab will just launch splinter cell and then when you perform the gamesave it will shoot out an error because install.xbe is activated when you launch the gamesave within SC Post by: EthanHunt_IMF on July 16, 2004, 05:47:00 PM EDIT:Just some spelling mistakes Post by: PedrosPad on July 16, 2004, 06:01:00 PM Were getting closer to UDE, but not quite there yet. []V[]nm6687 has put together a Splinter Cell 1 double-dash package, that allows homebrew programs on DVD-RW media to the played. However, currently this is limited to USA XBOXs only, and suffers from ROE (so the exploit has to be re-triggered to change games). Were still hoping a PAL XBOX!Live user will have a PAL HDD flagged SC1 game engine on their XBOXs HDD. Yell if you find one .(btw - It is possible to use ConfigMagic to modify the EEPROM and change a PAL XBOX into a US XBOX Ive done this in order to help with testing but then PAL originals no longer play ).Working has also been progressing on a Mech Assault based solution. rmenhal adjusted the GameSav, and now this can also be launched via double-dash. It also suffers from ROE, but works on both US and PAL XBOXs . This work has progressed and it is now possible to boot directly into MA, which gets you into Evox with ROE off! However the way this is achieved is involved!.Most promising is the HDD update.xbe that eh. discovered with the odd xbe non-dashboard titleID. Ive verified that the font hole still exists , but memory layout is slightly different, meaning that the existing UDE fonts dont work. Hopefully rmenhal will be able to perform his magic here. This would make an ideal UDE/5713 bootstrap. But note that eh.s update xbe is only flagged for the USA, so we still need a PAL one.So there's K:5713+ solutions for all - they're just being refined! Edit: Soz. not sure on the JAPAN status. Will need to check. Post by: devz3ro on July 16, 2004, 10:29:00 PM -devz3ro http://sh0x.tk/ Post by: EthanHunt_IMF on July 16, 2004, 10:53:00 PM Post by: xman954 on July 16, 2004, 10:58:00 PM Post by: chimpanzee on July 16, 2004, 11:02:00 PM
yet another MS title game that has the update.xbe. But this one has a late 2003 date. Since it is after the July 4 date, the font hole may have been plugged. Beside, it is still a NTSC one, we are in need of a PAL one. Post by: krayzie on July 16, 2004, 11:24:00 PM
So you are saying that if you mess up it wouldn't be possible to delete the gamesave and put in another gamesave to grant you acces back to your evox dash. I didn't mean to offend you on the 5838 kernel part I was just spitting out a theory. I'm happy it works for you. Post by: EthanHunt_IMF on July 16, 2004, 11:34:00 PM
No offense taken, just saying since that was my only way of putting the gamesave on there to begin with, if i screwed up putting an install.xbe that wasn't signed or wrong signature in the game save directory, the only way for me to fix it would be hotswapping since i don't have a memory card/mod chip etc... hopefully the super geniuses we have here (no that's not sarcasm, I'm dead serious) will get this thing cracked soon (again). Makes me laugh that M$ has some of the brightest ppl in the USA(or at least they should) and they still can't make the xbox unmoddable (via software for crying out loud). Sometimes I wonder why they even bother. 7 revisions to the hardware and they still can't get it right. Anyway, i'm rambling how... Post by: krayzie on July 16, 2004, 11:42:00 PM Post by: EthanHunt_IMF on July 17, 2004, 12:11:00 AM didn't mean to crap on the thread, so if anyone has any idea's pm me, don't want to fill this thread with my useless dribble. Post by: adil786 on July 17, 2004, 02:19:00 AM
i think it is possible with the new sc exploit, read back a few pages. Post by: PedrosPad on July 17, 2004, 03:24:00 AM
Ah! but has got HDD, a non-Dashboard titleID, US and the JAPAN region flag. This is an improvement! We need this, for our eastern friends . Although chimpanzee may be right about the known font hole being closed
Post by: gronne on July 17, 2004, 03:46:00 AM Couldn't someone ask for this on the front page or something also? Post by: adil786 on July 17, 2004, 04:59:00 AM
i dont see why live users would want to do it, probally to scared to get banned or summat. ya cant force em... Post by: krayzie on July 17, 2004, 05:56:00 AM Post by: PedrosPad on July 17, 2004, 07:12:00 AM
Hi m8, got friend with SC1 or a blockbuster nearby? Post by: chimpanzee on July 17, 2004, 08:50:00 AM
I hope anyone have games(live enabled) in this page http://www.MS.com/ga...ox/default.aspx and live access to scan for the occurence of update.xbe in their game download areas. Post by: adil786 on July 17, 2004, 09:21:00 AM
since you asked nicely, ill try and get my friend to do it, been on live for over 1 year. Post by: eh. on July 17, 2004, 11:03:00 AM
That sounds like ground-breaking stuff yet again; awesome work guys! Presuming that's based on the "v401" (per page 9 and below) then my box sure had some hidden treasures in it eh. (Let me know if you're interested in its "Downloader" too, but it doesn't seem to have the font feature.)
Edit: it's "C" not "E/TDATA" as I'd saved it there (before installing mech-fonts) eh. Post by: BluhDeBluh on July 17, 2004, 12:26:00 PM Unfortunately, I don't have the original version to make a comparison patch at the moment. From XBEDump.exe:
Post by: BluhDeBluh on July 17, 2004, 01:06:00 PM
Post by: BluhDeBluh on July 17, 2004, 01:21:00 PM Copy/paste the below into scpaldvd2hdd.uue then decode with Iceows, then uncompress the rar, then apply with PPF-O-Matic 3.
Post by: krayzie on July 17, 2004, 01:25:00 PM Post by: adil786 on July 17, 2004, 02:07:00 PM
nice work! Post by: anu|b|iss on July 17, 2004, 05:16:00 PM Post by: PedrosPad on July 17, 2004, 08:21:00 PM Excellent news! Using eh.s HDD based, USA flagged, update.xbe from the US NFL Fever 2003, rmenhal has performed the necessary font adjustment, and we now have a true UDE/USA package that works on all US XBOXs (v1.0-to-v1.6) and Kernels (tested all the way up to K:5838) devz3ro has built on rmenhals work (adding NKPatcher, etc.) and produced a distribution this will be made available very soon. This kinda supersedes []V[]nm6687s Splinter Cell 1 double-dash package, however some may still prefer this method of invocation.Since no one has found a PAL flagged update.xbe like the US NFL Fever 2003 one (anyone got a PAL copy of this and !Live? yell if you find one!) For PAL users
Using BluhDeBluhs PAL HDD Splinter Cell 1 game engine, and PAL SC1 content, Ive managed to duplicate []V[]nm6687s Splinter Cell 1 double-dash packages functionality for PAL owners . And now put together the equivalent PAL distribution . Like []V[]nm6687s original, it allows homebrew programs on DVD-RW media to the played. However, it suffers from ROE - so the exploit has to be re-triggered to change games.Since the launch of UDE/USA, booting into Mech Assault is no longer of any interest to our US friends, but investigation into this is continuing for PAL users as this technique gets you into Evox with ROE off! However the way this is currently achieved is involved!.
Post by: anu|b|iss on July 17, 2004, 08:28:00 PM Ok, this is the part where everyone gets a the cheat and starts breakdancing. Here guys, have a trophy! No.. better, a pizza trophy! Well done guys. Post by: devz3ro on July 17, 2004, 08:35:00 PM Enjoy -devz3ro http://sh0x.tk/ Post by: db-ie on July 17, 2004, 08:45:00 PM Post by: devz3ro on July 17, 2004, 08:57:00 PM  . The hint states "Not the usual places, but the 'other' usual places" .-devz3ro http://sh0x.tk/ Post by: PedrosPad on July 17, 2004, 08:57:00 PM
devz3ro, since this is really a WIP thread, I think you should start a new thread with the announcement of UDE/USA, or Ultimate Dashboard Exploit 2, (or whatever you finally christen it) .
Post by: chimpanzee on July 17, 2004, 08:58:00 PM
I assume usual place. However, I wish the root post of UDE can be updated to include the latest version of fonts so people want DIY can get from there. Further, it would be great to have a ppf diff of the update.xbe with a known update.xbe as well. Post by: Dolfhin on July 17, 2004, 09:07:00 PM Post by: BluhDeBluh on July 17, 2004, 09:08:00 PM * The "impossible" is overcome with PBL: Metoo Edition * Hope over XTMAXBOX.xbe that seems to be fruitless * Potentially a file is found that is signed for everything, but it turned out to be patched by the ripping app * Release of ldot's XBE finder * Hope over a MechAssault binary but it turns out MS have already patched it * Turns out you can still do it with the HDD-signed Live! Splinter Cell, making the newer NTSC Xboxes finally exploitable * Discovery of the US NTSC updater.xbe that may work for the UDE * HDD-signed Live! Splinter Cell for PAL boxes found, making newer PAL 'boxes finally exploitable * Release of the new version of the UDE for NTSC boxes. Absolutely amazing everybody. Well done to everybody involved The race is now on to find someone to get the PAL NFL Fever 2003 update.xbe... Anybody who has a modded PAL box, and Live! please go and buy/rent this game to obtain the file. Post by: BluhDeBluh on July 17, 2004, 09:09:00 PM
Now that's a good idea A PPF patch means you can post it anywhere as it's legal. Post by: Deciphile on July 17, 2004, 09:14:00 PM Post by: chimpanzee on July 17, 2004, 09:22:00 PM
Actually, my ideal situation is to find a ppf equivalent in linux so ldots can make his stuff better by including most possible combinations of diffs in his package and patch up a machine like that. Post by: BluhDeBluh on July 17, 2004, 09:26:00 PM
You could use an IPS patcher. http://www.zophar.ne.../patchutil.html has one (uIPS) with its source written in C. I've just noticed on the PPF website there is the sources for ApplyPPF and MakePPF which will work in Linux. Post by: chimpanzee on July 17, 2004, 09:30:00 PM
thanks. Do I use the same program to produce the diff ? Will grab it and have a look anyway. EDIT: got the ppf sources, thanks. Post by: Angerwound on July 17, 2004, 09:34:00 PM Post by: Deciphile on July 17, 2004, 09:36:00 PM Post by: SargeZT on July 17, 2004, 10:01:00 PM I feel left out. However, this is truly extraordinary. I had NO doubt that Pedro and the others would find this. I went to work today at 4:00'ish, and I was telling myself that it would be figured out by now.Hip-Hip Hooray! Post by: krayzie on July 18, 2004, 12:25:00 AM Post by: chimpanzee on July 18, 2004, 12:30:00 AM
there is country north to it and I love it very much, share everything except the president :-) Post by: Chicken Scratch Boy on July 18, 2004, 12:33:00 AM i wonder if they would import it to europe since football isnt that popular. then again EA whould do anything for a little money Post by: krayzie on July 18, 2004, 12:33:00 AM
I'm packin right now
Post by: krayzie on July 18, 2004, 12:36:00 AM
Please don't kill my dreams. Anyway I saw other nfl games in stores here. Post by: chimpanzee on July 18, 2004, 12:37:00 AM
It has to be a MS title as the update.xbe is from them, sharing the same bug :-) Post by: BluhDeBluh on July 18, 2004, 12:38:00 AM I don't have any money, nor Live! though. Post by: chimpanzee on July 18, 2004, 12:45:00 AM
could someone just grab a copy of it and applies for one or two months of live to get the update.xbe ? Post by: krayzie on July 18, 2004, 12:45:00 AM Post by: BluhDeBluh on July 18, 2004, 12:52:00 AM
Yes. They'd have to: Subscribe to Live! Run the game in Live! Use the gamesave exploit to FTP the file over Post by: krayzie on July 18, 2004, 01:00:00 AM Post by: chimpanzee on July 18, 2004, 01:07:00 AM
I have posted a link that shows MS titles which has potential to contain this update.xbe Post by: chimpanzee on July 18, 2004, 03:15:00 AM
try MechAssault, that has an update.xbe on the DVD. So we can check to see if there is also a downloadable update.xbe that can run from HDD. The only problem is, the game has been fixed before so may be the font hole(even in update.xbe) may have also been fixed. Basically all those 4d53xxxx has pontential. Post by: gronne on July 18, 2004, 04:33:00 AM EDIT: isn't it possible, as I said earlier, that M$ have updated the files that could be exploitable now? I mean they're definitely reading all these posts, so they might've just updated them now. Guess we'll see that if the files have a very new date. Post by: chimpanzee on July 18, 2004, 04:48:00 AM
That is why the quicker, the better. Well, at least I believe the MechAssault double dash style has been cracked, just not as elegant as UDE. Post by: krayzie on July 18, 2004, 05:45:00 AM
would you be willing to sacrifice a few bucks and go to the store and buy a copy of nfl fever 2003 and go live with it. You could save the pal users out there before it's too late. The game will not cost more than 15 since it's old anyway. Small price for a big acomplishment. Post by: PedrosPad on July 18, 2004, 08:14:00 AM
It's got the non-dash titleID , but I think the recent date of the xbe means that the font hole would be closed in this version.
Post by: Spectracide on July 18, 2004, 09:00:00 AM Ignore me...
Post by: chimpanzee on July 18, 2004, 09:40:00 AM Post by: YoshiKool on July 18, 2004, 09:40:00 AM they need a nfl update.xbe that is non-US
Post by: krayzie on July 18, 2004, 09:58:00 AM
That's what we were askin the whole day allready Post by: YoshiKool on July 18, 2004, 10:05:00 AM
Post by: krayzie on July 18, 2004, 10:13:00 AM Post by: eh. on July 18, 2004, 11:55:00 AM
Awesome! You (Pedro), rmenhal and ldots have put a huge amount of effort into UDE et al for the benefit of others - thank you, tHaNk yOu, THANK YOU eh. 
Post by: YoshiKool on July 18, 2004, 12:30:00 PM Post by: Chicken Scratch Boy on July 18, 2004, 12:33:00 PM i guess it's too bad for our european friends they always seem to be getting shafted
Post by: YoshiKool on July 18, 2004, 12:34:00 PM are there any differences between PAL/NTSC boxes besides the eeprom and PSU?
Post by: krayzie on July 18, 2004, 12:36:00 PM Post by: YoshiKool on July 18, 2004, 12:42:00 PM Post by: YoshiKool on July 18, 2004, 01:15:00 PM Post by: PedrosPad on July 18, 2004, 01:19:00 PM
Own up - You're just worried that then I'd inflict another long, boring, thread on you in order to find another exploit - lol .
Post by: YoshiKool on July 18, 2004, 01:22:00 PM Post by: chimpanzee on July 18, 2004, 04:37:00 PM
Devicing a fix for this is a bit more difficult than before. They cannot blindly disable 4d53xxxx title id or game won't run. There will be quite some ugly patches in the kernel to disable this. Post by: []V[]nm6687 on July 18, 2004, 05:29:00 PM
i guess i'll post the X-S legal version of the SC1 PAL release by PedrosPad. here it is for all you PAL users, read the readme.
Post by: gronne on July 18, 2004, 06:27:00 PM Post by: ThE MaSTeR 3 on July 18, 2004, 09:11:00 PM So its now possible 2 soft mod any NTSC Xbox with UDE2? Will there be a all in one package with all the needed files like the first UDE? Why isnt this a headline on Xbox-Scene Main page? Ive modded 10 Xboxs with the original UDE but I cant make sence of what UDE2 is about due 2 all this talk about Pal compatability?? Post by: RiceCake on July 18, 2004, 09:52:00 PM This is because MS included some code to prevent say, PAL (European, Japanese, etc.) Xboxes from running NTSC Xbox executables, to prevent you from using import CD's. UDE2 only works with NTSC Xboxes because the flag in the file thats being exploited is set to only run on NTSC Xboxes. It would cause an error if you run it on a PAL Xbox. However the fix is to edit the EEPROM to turn your PAL (Or other) Xbox into an NTSC Xbox so the file runs fine. The problem with this is it changes the way that the Xbox works, and now your Xbox will only run NTSC executables! Meaning your Xbox games probably won't work right. Post by: as1986 on July 18, 2004, 10:01:00 PM I think it's a sub-standard of NTSC, but I'm not pretty sure... The J stands for"Japan" AFAIK. However I've heard that in Japan they use PAL...weird. Post by: RiceCake on July 18, 2004, 10:19:00 PM
^ Not everyone... And NTSC-J won't work, because it has a different region code. Post by: krayzie on July 18, 2004, 10:55:00 PM Post by: ThE MaSTeR 3 on July 19, 2004, 01:06:00 AM and I would just use the replace the update.xbe and the fonts and it would work thats it? Post by: PedrosPad on July 19, 2004, 02:43:00 AM
along with NKPatcher, since only this works on K:5317+, but, basically, yes. (The use of the very specific M$ copyright update.xbe is hampering the distribution. Unlike UDE1 most people won't have this file already.) Post by: gronne on July 19, 2004, 05:16:00 AM Post by: m.e on July 19, 2004, 05:48:00 AM link 1 Post by: YoshiKool on July 19, 2004, 09:31:00 AM Post by: BluhDeBluh on July 19, 2004, 09:37:00 AM
As I stated earlier shop.game.net are selling it for £10 + postage. Post by: krayzie on July 19, 2004, 09:42:00 AM Post by: YoshiKool on July 19, 2004, 09:42:00 AM Post by: krayzie on July 19, 2004, 09:43:00 AM Post by: YoshiKool on July 19, 2004, 09:47:00 AM Post by: krayzie on July 19, 2004, 09:48:00 AM Post by: YoshiKool on July 19, 2004, 09:50:00 AM hehehe
Post by: PedrosPad on July 19, 2004, 10:10:00 AM
Please! ssssh! Post by: Chicken Scratch Boy on July 19, 2004, 12:45:00 PM
yes, so we better get that pal xbe fast, hope it still has the exploit (if it ever did, but it's almost 100% that it did) Post by: YoshiKool on July 19, 2004, 12:48:00 PM Post by: krayzie on July 19, 2004, 12:48:00 PM Post by: krayzie on July 19, 2004, 01:25:00 PM Post by: Angerwound on July 19, 2004, 01:29:00 PM Post by: krayzie on July 19, 2004, 01:37:00 PM
Post by: krayzie on July 19, 2004, 01:48:00 PM Post by: YoshiKool on July 19, 2004, 01:49:00 PM Post by: krayzie on July 19, 2004, 01:53:00 PM Post by: PedrosPad on July 20, 2004, 12:49:00 AM Because here in Europe we get everything months after our US (and Japanese) cousins, the XBL service was stable by this point, and they felt confident enough to commit a DVD flagged update.xbe to the DVD media (there is a DVD flagged one on the media). To progress this speculation, I'd be intrested is seeing a list of the xbe's from the US NFL Fever 2003 DVD media, and their lengths. Post by: ThE MaSTeR 3 on July 20, 2004, 01:07:00 AM Post by: gronne on July 20, 2004, 05:59:00 AM Post by: PedrosPad on July 20, 2004, 06:12:00 AM
Early PAL XBOX!Live games would now look to be the next best hunting ground. Although M$'s XBL servers probably no longer send out the update.xbe's we're looking for. So they now may only exist on peoples HDDs. (I suspect that this now may also be true for the US NFL Fever 2003. If someone in the US has the US NFL Fever 2003 and XBL, I'd be interested to know if the update.xbe is still being sent out.) Post by: gronne on July 20, 2004, 06:24:00 AM Post by: Slrpgeit on July 20, 2004, 06:54:00 AM
Don't know if its still needed, but i don't file like reading through alot of pages but i might be able to host the 2mb rar. Post by: m.e on July 20, 2004, 06:58:00 AM
Post by: mkjones on July 20, 2004, 07:32:00 AM
Its also a very old game.. So it wont have what we are looking for, probably
Post by: Slrpgeit on July 20, 2004, 08:01:00 AM Post by: chimpanzee on July 20, 2004, 08:05:00 AM
needs or not, please back up the files ASAP, just in case it would be 'updated' again if you go live. Post by: Slrpgeit on July 20, 2004, 08:06:00 AM
Post by: chimpanzee on July 20, 2004, 08:10:00 AM
there is a scanner written by ldots which will give us more info for the given file. Can't find the link off-hand. Or if you know how to run unix or know about the xbedump program, you can also run : xbedump <your file> -dc Post by: Slrpgeit on July 20, 2004, 08:14:00 AM
|
