Discussion: Potential Xbox 360 softmod

AnonSec (Newbie):
What's going on, Se7ensins? Today I'm asking for the help of the OGs in the Xbox 360 hacking community.

I believe I have found two possible entry points to enable chain-loading a homebrew program.

The talk here, at 11:00, mentions: "if a game had a way to reload code into data areas and jump there, this alone would >kill< the system."

The talk here mentions at 14:00 that something like a return-to-libc attack could still be possible.

Inspired by this and the PS5 kernel exploit in the presence of a hypervisor, I looked into xam.xex (Xbox Application Manager) looking for a kernel exploit, however hard it may be and whatever hurdles may come next, and came across the function xamloaderlaunchtitleondvd. Theoretically, if a game has kernel privileges it should be able to call any function export, right? So basically, to call a function in XAM from a game you just store the address using mtctr r11 and then blr to the function.

So, if you branch to the address from a game on disc on an RGH console, then hot-swap in a disc two that contains a patched title ID just before you call it, with the same game assets except you swap the xex, it boots. Theoretically the hypervisor should allow some unsigned game somewhere, if nothing else, to invoke this function if kernel mode alone won't work, and if the xamloaderpriortitleid passes and the ISO appears in the correct format it will load any xex into memory at the same location on disc as the normal game.

It's also worth mentioning you can patch out whether a disc can be fully removed, and still run what's in memory without issues, to an extent obviously. So placing a disc two in the drive literally cannot be detected or be an issue.

I have a strong feeling that this very old function was designed for use in games, because it uses getpriortitleid and not getdashtitleid (I forget the actual name tbh, I think it's getdashtitleid), and it's also not a function import of the dash or HUD.

Tonight I looked at Terraria and found that the default.xex that loads the GOD file container does not appear to contain a method to check the signature of the GOD file containing the game, so I replaced it with XeX Menu's GOD file. Then I noticed you could use the HUD to reload the same Terraria game, so I did, and sure enough it booted XeX Menu. I figured there would obviously be more checks in this second method, but personally I found it hilarious.

Obviously these tests weren't performed in the presence of a hypervisor, but they were performed in the presence of a retail xam.xex, dash.xex and hud.xex for good measure.

My question is: what specifically can the hypervisor check on a game that doesn't do the HMAC-SHA or SHA-1 or RC4 or any of that? It should only check the title ID before loading it into memory and jumping there, in the presence of a flashed DVD drive, correct?

My second question is: does a game in kernel mode have access to this specific function that isn't imported by the dashboard or the HUD? Because if so, I should be able to chain-load an xex regardless of whether it's in the correct format?

My third question is to ask if someone has an IDC or something to label the function imports and exports in the 17559 xboxkrnl.exe so that I can actually make out what anything is. Surely there's a way, but it's buried under months of research.

My final question: can anyone create the machine code to load the address of xamloaderlaunchtitleondvd into r11? I haven't managed to do so yet.
 
xXBeefyDjXx (Administrator):
Hey, welcome to Se7ensins.

Good to see fresh minds looking to dabble in the 360 :biggrin:

Let's talk about these two points:

> The talk here, at 11:00, mentions: "if a game had a way to reload code into data areas and jump there, this alone would >kill< the system."
>
> The talk here mentions at 14:00 that something like a return-to-libc attack could still be possible.

These are commonplace techniques relating to a lack of code/data integrity checking; you won't get very far with these on a retail system because there's quite a bit of integrity and execution checking at the hardware and software level (hypervisor).

> Inspired by this and the PS5 kernel exploit in the presence of a hypervisor, I looked into xam.xex (Xbox Application Manager) looking for a kernel exploit, however hard it may be and whatever hurdles may come next, and came across the function xamloaderlaunchtitleondvd. Theoretically, if a game has kernel privileges it should be able to call any function export, right? So basically, to call a function in XAM from a game you just store the address using mtctr r11 and then blr to the function.
>
> So, if you branch to the address from a game on disc on an RGH console, then hot-swap in a disc two that contains a patched title ID just before you call it, with the same game assets except you swap the xex, it boots. Theoretically the hypervisor should allow some unsigned game somewhere, if nothing else, to invoke this function if kernel mode alone won't work, and if the xamloaderpriortitleid passes and the ISO appears in the correct format it will load any xex into memory at the same location on disc as the normal game.
>
> It's also worth mentioning you can patch out whether a disc can be fully removed, and still run what's in memory without issues, to an extent obviously. So placing a disc two in the drive literally cannot be detected or be an issue.
>
> I have a strong feeling that this very old function was designed for use in games, because it uses getpriortitleid and not getdashtitleid (I forget the actual name tbh, I think it's getdashtitleid), and it's also not a function import of the dash or HUD.

You're kinda on the right track with XAM, but there's very little headroom for any title running in userland to actually break free of the limitations and call restricted functionality on retail. I'll cover this in the next point...

You mention hot-swapping and using multi-disc:
Some of the earliest modifications for games came from hot-swapping, because games were NOT checking the integrity of items (a simple CRC check, for example), and because of the way the games loaded assets, XAM just trusted that the game's contents were good in userland at that point, so the mods would run.
Both the hot-swapping and USB save modding methods use this kind of exploit, and over time games got patched to call CRC and other integrity checks on data, as well as removing more lenient functions and features, which rendered a lot of modifications void. (I'm talking about the Call of Duty W@W, MW2 and Black Ops ISO and USB mods, and things like GTA IV's ISO mods, where they eventually added CRC checking on the containers to prevent tampering with core MP files that allowed mod menus to execute.)

If you take a game like GTA V or Forza Motorsport 4, for example, both of these games have multi-disc support, in the sense that XAM allows Disc 1 to boot as trusted, and then the title calls for the swap. My memory is vague on this and I don't think it's XAMLoaderLaunchTitleOnDVD; I think there's a specific hot-swap function call, but it works by checking the TitleID of the new disc in the tray and also stops XAM resetting back to the dashboard when Eject is pressed (another security method to prevent hot-swapping, and also game crashing, thus blocking timed exploitation).
As long as the XEX of Disc 2 is retail-signed and matches the TID of the previous game, it will run. If Disc 2 is an installer, you can use this method to push custom content to the console, BUT the content has to be retail-signed and licensed or the console won't open it.

> Tonight I looked at Terraria and found that the default.xex that loads the GOD file container does not appear to contain a method to check the signature of the GOD file containing the game, so I replaced it with XeX Menu's GOD file. Then I noticed you could use the HUD to reload the same Terraria game, so I did, and sure enough it booted XeX Menu. I figured there would obviously be more checks in this second method, but personally I found it hilarious.
>
> Obviously these tests weren't performed in the presence of a hypervisor, but they were performed in the presence of a retail xam.xex, dash.xex and hud.xex for good measure.

Nice find with Terraria; however, was that performed on a retail or an RGH?
To put it simply, RGH/JTAG images contain a patched XAM that reimplements the debug functionality and unlocks the hypervisor: there is no license checking, no tamper protection, no signature protection. The console will run just about any XBE or XEX that is thrown at it, provided the executable is not a hot pile of garbage.
The hypervisor doesn't specifically do checksumming.

> My question is: what specifically can the hypervisor check on a game that doesn't do the HMAC-SHA or SHA-1 or RC4 or any of that? It should only check the title ID before loading it into memory and jumping there, in the presence of a flashed DVD drive, correct?
>
> My second question is: does a game in kernel mode have access to this specific function that isn't imported by the dashboard or the HUD? Because if so, I should be able to chain-load an xex regardless of whether it's in the correct format?

The core principles are as follows:
TitleID doesn't matter. It's only the identifier of the title.
Every XBE is signed. They can be retail, debug or unsigned builds. Retail HV/XAM will throw an error and refuse to boot anything not signed by Microsoft. Debug consoles will only run debug or unsigned builds unless you patch them to run retail, and JTAG/RGH-patched consoles will run anything, signed or unsigned.
The other important part of this puzzle is that XAM has a permission set on functionality. There's kernel level and user level. Any game will be in user level and as such cannot call any functions defined as sensitive.
Containers are also supposed to be signed, and are rejected if they're tampered with without re-signing, or not signed using the correct keys. These can be correlated with licensing, and both work on either a console or user basis, or may be universal depending on the context.
In retail mode, NO applications except those signed and explicitly trusted by Microsoft can run in kernel mode. Everything else gets user mode, and even in user mode your applications have to be MS-signed or it's a no-go.

Flashing the DVD drive will only defeat the copy protection/lockouts; this is needed because a legitimate Xbox DVD is burned backwards. Again, memory fades, but IIRC the patched FW will just treat a detected burnt game as legitimate by bypassing the check.

> My third question is to ask if someone has an IDC or something to label the function imports and exports in the 17559 xboxkrnl.exe so that I can actually make out what anything is. Surely there's a way, but it's buried under months of research.
>
> My final question: can anyone create the machine code to load the address of xamloaderlaunchtitleondvd into r11? I haven't managed to do so yet.

There are some instances of reverse engineering work for xboxkrnl.exe, but they're private, I'm afraid. It doesn't take too much to find one of the older revisions' work, though, and update the memory maps accordingly. Ultimately the function structs are similar, but some may have been updated to reflect changes to Xbox Live and various under-the-hood security updates, which of course, in the context of "jailbreaking" the 360 offline, doesn't matter too much.

As for your final question about using machine code to load addresses of functions into r11: that method simply will not work, especially on retail. The HV will not hesitate to kill the application if it detects funky behavior like that going on.
You have to call XAM to call the function. XAM will then either approve or deny the request depending on your title's permissions.
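Editor's added example (not code from either poster): the "final question" above asks for the machine code that puts an address in r11 and branches through it. On the 360's PowerPC core that stub is lis/ori (build a 32-bit address in r11), mtctr r11 (move it into the count register; the "move to special purpose register" seen in the game's import thunks) and bctrl (branch on count, saving the return address). The script below hand-encodes those instructions and packs them big-endian as Xenon executes them. The target address 0x8202ABCD is a made-up placeholder; the real address of xamloaderlaunchtitleondvd is not on this page and differs between XAM builds. The encoding is the easy part: as the reply says, on a retail console the call still goes through XAM's permission checks regardless of how the branch is emitted.

```python
import struct

# Hand encoders for the few 32-bit PowerPC instructions needed for an indirect call.
# Primary opcode sits in the top 6 bits, rD/rS in value bits 21-25, rA in bits 16-20,
# 16-bit immediates in the low half.

def _gpr(n: int) -> int:
    if not 0 <= n <= 31:
        raise ValueError(f"no such GPR: r{n}")
    return n

def lis(rd: int, imm16: int) -> int:
    """lis rD, imm  (== addis rD, 0, imm; D-form, primary opcode 15)."""
    return (15 << 26) | (_gpr(rd) << 21) | (imm16 & 0xFFFF)

def ori(ra: int, rs: int, imm16: int) -> int:
    """ori rA, rS, imm  (D-form, primary opcode 24): rA = rS | zero-extended imm."""
    return (24 << 26) | (_gpr(rs) << 21) | (_gpr(ra) << 16) | (imm16 & 0xFFFF)

def mtspr(spr: int, rs: int) -> int:
    """mtspr SPR, rS  (XFX-form, primary opcode 31, extended opcode 467).
    The 10-bit SPR number is stored with its two 5-bit halves swapped."""
    spr_field = ((spr & 0x1F) << 5) | ((spr >> 5) & 0x1F)
    return (31 << 26) | (_gpr(rs) << 21) | (spr_field << 11) | (467 << 1)

CTR = 9  # SPR number of the count register

def mtctr(rs: int) -> int:
    """mtctr rS is simply mtspr 9, rS."""
    return mtspr(CTR, rs)

def bctrl() -> int:
    """bctrl: branch to CTR unconditionally (BO=0b10100) and set LR
    (XL-form, primary opcode 19, extended opcode 528, LK=1)."""
    return (19 << 26) | (0b10100 << 21) | (528 << 1) | 1

def bctr() -> int:
    """bctr: same branch without the link bit (a tail jump; no return address saved)."""
    return bctrl() & ~1

def blr() -> int:
    """blr: return through the link register (opcode 19, extended opcode 16). Included for
    contrast: it does NOT use CTR, so 'mtctr r11; blr' returns to the caller instead of
    calling the address in r11."""
    return (19 << 26) | (0b10100 << 21) | (16 << 1)

def call_via_r11(target: int) -> list:
    """Four-instruction stub: materialise a 32-bit address in r11, move it to CTR, call it."""
    if not 0 <= target <= 0xFFFFFFFF:
        raise ValueError("target must be a 32-bit address")
    return [lis(11, target >> 16), ori(11, 11, target & 0xFFFF), mtctr(11), bctrl()]

def assemble(words: list) -> bytes:
    """Xenon executes big-endian code, so each instruction word is packed '>I'."""
    return b"".join(struct.pack(">I", w) for w in words)

if __name__ == "__main__":
    # Placeholder target (assumption): the real export address is not known here.
    target = 0x8202ABCD
    mnemonics = [f"lis r11,0x{target >> 16:04X}", f"ori r11,r11,0x{target & 0xFFFF:04X}",
                 "mtctr r11", "bctrl"]
    for word, text in zip(call_via_r11(target), mnemonics):
        print(f"{word:08X}  {text}")
    print(assemble(call_via_r11(target)).hex())
```

The lis/ori pair is used rather than addis/addi because ori zero-extends its immediate, so the stub is correct even when the low 16 bits of the address have bit 15 set; addi would sign-extend and subtract 0x10000 from the high half. Swapping bctrl for bctr gives a tail jump that never comes back, which is what you want if the called XAM routine is expected to terminate or relaunch the title anyway.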
 
AnonSec (Newbie):
> Nice find with Terraria; however, was that performed on a retail or an RGH?
> To put it simply, RGH/JTAG images contain a patched XAM that reimplements the debug functionality and unlocks the hypervisor: there is no license checking, no tamper protection, no signature protection. The console will run just about any XBE or XEX that is thrown at it, provided the executable is not a hot pile of garbage.
> The hypervisor doesn't specifically do checksumming.

The CD attempts to boot but crashes to dash with no message. I had a feeling it may need to be compressed and encrypted. Does it matter that it's signed for all and not just retail? It detects it as Terraria, but I'm using the Live GOD file of the XeX Menu v1.1 release. I'm not sure what the difference in the GOD format is, but I kinda already figured iso2god wouldn't work to make an equal image. I swapped the GOD files in Minecraft and Terraria and both games boot the opposite GOD files on an RGH lol, but I'm out of CDs to try it. Does the hypervisor do a check on the GOD file when the loader loads it, or no? I thought games made at or before 2011 weren't signed by Microsoft?

> As for your final question about using machine code to load addresses of functions into r11: that method simply will not work, especially on retail. The HV will not hesitate to kill the application if it detects funky behavior like that going on.
> You have to call XAM to call the function. XAM will then either approve or deny the request depending on your title's permissions.

So, for my reference, to call a function in XAM from a default.xex, this is how?
This is where it's imported by the game:

[image: Screenshot-49.png]

This is a call to the function, which contains the address:

[image: Screenshot-50.png]

[image: Screenshot-51.png]

So you're saying you couldn't just jump to it like this, with it in r11?

> To put it simply, RGH/JTAG images contain a patched XAM that reimplements the debug functionality and unlocks the hypervisor: there is no license checking, no tamper protection, no signature protection. The console will run just about any XBE or XEX that is thrown at it, provided the executable is not a hot pile of garbage.

I know the hypervisor and kernel are patched; I replaced the mentioned 3 files in my RGH flash with retail copies, but I have a flashed triple NAND also.

Sorry, my messages got jumbled. Greatly appreciate you taking the time to reply! This info is really hard to find.
 
AnonSec (Newbie):
> If you take a game like GTA V or Forza Motorsport 4, for example, both of these games have multi-disc support, in the sense that XAM allows Disc 1 to boot as trusted, and then the title calls for the swap. My memory is vague on this and I don't think it's XAMLoaderLaunchTitleOnDVD; I think there's a specific hot-swap function call, but it works by checking the TitleID of the new disc in the tray and also stops XAM resetting back to the dashboard when Eject is pressed (another security method to prevent hot-swapping, and also game crashing, thus blocking timed exploitation).
> As long as the XEX of Disc 2 is retail-signed and matches the TID of the previous game, it will run. If Disc 2 is an installer, you can use this method to push custom content to the console, BUT the content has to be retail-signed and licensed or the console won't open it.

What do you mean by licensed and signed? I was using NASCAR Unleashed, published in late 2011; the xex does not appear signed and it doesn't implement an update feature at all, so this means I could swap out the xex if the title ID matches? I noticed I could patch the title ID myself by finding the instances in a hex editor, but after I patched it, it wouldn't even run on an RGH. Can I fix this?
 
xXBeefyDjXx (Administrator):
> This is where it's imported by the game:
>
> [image: Screenshot-49.png]
>
> This is a call to the function, which contains the address:
>
> [image: Screenshot-50.png]
>
> [image: Screenshot-51.png]
>
> So you're saying you couldn't just jump to it like this, with it in r11?
>
> Sorry, my messages got jumbled. Greatly appreciate you taking the time to reply! This info is really hard to find.

No problem dude.

You can try jumping, but at those particular points it's "Move To Special Purpose Register", which usually moves a general-purpose register (data from the game, or in-memory XAM in this instance) to a special-purpose register; then the jump reference is "Branch on Count", which will move to the address contained within the count register.

So, in that instance, you'd be looking to try modifying the address pointer in the register to achieve a proper jump to what you want XAM to trigger, instead of what the game or XAM set. In these instances, Terminate Title goes back to the dashboard, or if it's a halt it will shut down the console. I don't know if the halt is conditionally called by another function in XAM, though, or if that's something deeper.

That will likely work on an RGH or such, but it most likely won't work on a retail, because there's no way to run modified titles, and even if you managed to do so, you'd trigger the hypervisor, since that instance is called by the game, which would mean the call is coming from something in userland, which has limited permissions.

> What do you mean by licensed and signed? I was using NASCAR Unleashed, published in late 2011; the xex does not appear signed and it doesn't implement an update feature at all, so this means I could swap out the xex if the title ID matches? I noticed I could patch the title ID myself by finding the instances in a hex editor, but after I patched it, it wouldn't even run on an RGH. Can I fix this?

For the sake of simplicity: licenses are assigned to all digital content on the console. The exception is disc-based media, I believe. Signed = the content has been signed by a trusted party to run on X type of console. Again, unsigned and debug-signed will run only on a debug kit or a JTAG/RGH console. Retail-signed only runs on retail consoles or JTAG/RGH (since they're more of a "hybrid").

Games don't implement update features. XAM does. Whenever a title runs and the console is connected to Xbox Live, the console will call Live to check the TitleID and verify whether there are any title updates available.
TitleID is only an identifier; it is pretty much never used for security purposes. Hex-editing an XEX will break it. They're checksum-verified!

Don't let this stop you, though. Trial by fire is a great way to learn; just be sure to have a good read around the internet. There are plenty of discussions, new and old, around the subject, and lots of it is still relevant if you apply it properly.
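Editor's added example (not code from the thread) to make the "TitleID is only an identifier" and "they're checksum-verified" points concrete. It parses the XEX2 header layout as documented by the Free60/xenia community: the magic, module flags, PE offset, security-info offset and optional-header table, then the execution-info optional header (key 0x00040006) where the title ID, disc number and disc count live, and the security info that carries a 256-byte RSA signature and SHA-1 digests. The sample image is constructed inside the script with a made-up title ID, a fake signature, a placeholder load address and a dummy PE body. Nothing here verifies the signature against Microsoft's key, and the exact byte ranges the retail loader hashes are not modelled; header_sha1 only illustrates that any digest over the headers stops matching once the title ID bytes are changed, which is why a hex-edited copy is rejected on retail and why the RGH patches that skip those checks are what let it run there.

```python
import hashlib
import struct
from dataclasses import dataclass

XEX2_MAGIC = b"XEX2"
XEX_MODULE_TITLE = 0x00000001            # module_flags bit: this XEX is a title, not a DLL
XEX_HEADER_EXECUTION_INFO = 0x00040006   # optional-header key; low byte 0x06 = six dwords of data
SECURITY_INFO_SIZE = 0x180               # header_size .. media_flags, incl. the 256-byte RSA signature

@dataclass
class ExecutionInfo:
    media_id: int
    version: int
    base_version: int
    title_id: int
    platform: int
    executable_table: int
    disc_number: int
    disc_count: int
    savegame_id: int
    offset: int        # file offset of this struct; title_id lives at offset + 12

@dataclass
class SecuritySummary:
    header_size: int
    image_size: int
    rsa_signature: bytes   # 256 bytes; verifying it needs Microsoft's public key (not done here)
    load_address: int
    header_digest: bytes   # 20-byte SHA-1 the loader compares against the header bytes

def parse_opt_headers(data: bytes):
    """Return (module_flags, pe_offset, security_offset, {key: (kind, value_or_offset, size)}).
    Key low byte: 0 = value inline, 0xFF = offset to a length-prefixed blob,
    anything else = offset to (low byte * 4) bytes of data."""
    magic, module_flags, pe_offset, _reserved, sec_offset, count = struct.unpack_from(">4sIIIII", data, 0)
    if magic != XEX2_MAGIC:
        raise ValueError("not an XEX2 image")
    headers = {}
    for i in range(count):
        key, value = struct.unpack_from(">II", data, 0x18 + 8 * i)
        size_field = key & 0xFF
        if size_field == 0:
            headers[key] = ("inline", value, 4)
        elif size_field == 0xFF:
            (length,) = struct.unpack_from(">I", data, value)
            headers[key] = ("blob", value, length)
        else:
            headers[key] = ("fixed", value, size_field * 4)
    return module_flags, pe_offset, sec_offset, headers

def parse_execution_info(data: bytes) -> ExecutionInfo:
    _, _, _, headers = parse_opt_headers(data)
    kind, off, size = headers[XEX_HEADER_EXECUTION_INFO]
    if kind != "fixed" or size != 24:
        raise ValueError("malformed execution info header")
    return ExecutionInfo(*struct.unpack_from(">IIIIBBBBI", data, off), offset=off)

def parse_security(data: bytes) -> SecuritySummary:
    _, _, sec, _ = parse_opt_headers(data)
    header_size, image_size = struct.unpack_from(">II", data, sec)
    signature = data[sec + 8 : sec + 8 + 256]
    # After the signature: unknown(4), image_flags(4), load_address(4), section_digest(20),
    # import_table_count(4), import_table_digest(20), xgd2_media_id(16), file_key(16),
    # export_table(4), header_digest(20), game_regions(4), media_flags(4).
    (load_address,) = struct.unpack_from(">I", data, sec + 8 + 256 + 8)
    digest_off = sec + 8 + 256 + 4 + 4 + 4 + 20 + 4 + 20 + 16 + 16 + 4
    return SecuritySummary(header_size, image_size, signature, load_address,
                           data[digest_off : digest_off + 20])

def header_sha1(data: bytes) -> str:
    """Illustrative only: digest over the region covered by header_size. The real loader's
    exact hashed ranges are not modelled, but any header digest changes with the title ID."""
    return hashlib.sha1(data[: parse_security(data).header_size]).hexdigest()

def patch_title_id(data: bytes, new_title_id: int) -> bytes:
    """What a hex editor does: overwrite the four big-endian title ID bytes in place."""
    out = bytearray(data)
    struct.pack_into(">I", out, parse_execution_info(data).offset + 12, new_title_id)
    return bytes(out)

def build_sample_xex2(title_id: int, disc_number: int = 1, disc_count: int = 1) -> bytes:
    """Constructed sample: valid XEX2 header layout, made-up IDs, fake signature, dummy PE body."""
    count = 1
    exec_off = 0x18 + 8 * count                 # execution info right after the header table
    sec_off = exec_off + 24                     # then the security info
    pe_off = sec_off + SECURITY_INFO_SIZE       # then the (dummy) PE image
    hdr = struct.pack(">4sIIIII", XEX2_MAGIC, XEX_MODULE_TITLE, pe_off, 0, sec_off, count)
    hdr += struct.pack(">II", XEX_HEADER_EXECUTION_INFO, exec_off)
    hdr += struct.pack(">IIIIBBBBI", 0xDEADBEEF, 1, 1, title_id, 0, 0, disc_number, disc_count, 0)
    sec = struct.pack(">II", pe_off, 0x10000) + b"\xAA" * 256     # header_size, image_size, fake RSA sig
    sec += struct.pack(">III", 0, 0, 0x82000000)                    # unknown, image_flags, load_address
    sec += b"\x00" * 20 + struct.pack(">I", 1) + b"\x00" * 20       # section digest, import count, import digest
    sec += b"\x00" * 16 + b"\x00" * 16 + struct.pack(">I", 0)       # media id, file key, export table
    sec += b"\xBB" * 20 + struct.pack(">II", 0xFFFFFFFF, 0)         # header digest, game regions, media flags
    assert len(sec) == SECURITY_INFO_SIZE
    return hdr + sec + b"\x00" * 64

if __name__ == "__main__":
    original = build_sample_xex2(0x12345678, disc_number=2, disc_count=2)
    info = parse_execution_info(original)
    print(f"title_id=0x{info.title_id:08X} disc {info.disc_number}/{info.disc_count} "
          f"at file offset 0x{info.offset + 12:X}")
    patched = patch_title_id(original, 0x0BADF00D)
    print("header sha1 before:", header_sha1(original))
    print("header sha1 after: ", header_sha1(patched))
    print("signature bytes present:", len(parse_security(patched).rsa_signature))
```

Run against a real default.xex the parser will report the title ID and disc number the loader reads, which is useful for the multi-disc swap discussion above: the disc_number/disc_count pair in the execution info is separate from the title ID, so two discs of one title share the title ID but differ here. Note that many retail XEX files are also compressed and/or encrypted past the header, so anything beyond the security info needs decryption before it can be inspected.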
 
AnonSec (Newbie):
What about NASCAR Unleashed and Fast & Furious: Showdown? They both contain an unsigned vfs.bin file, which is a kernel-level driver that manages all the assets that are located in the vfs.pak file in the ISO.
The vfs.dat supposedly contains the signature of the vfs.pak file, and that doesn't affect the vfs.bin, which can be heavily modified without the default.xex doing anything.
The problem is the decompiled vfs.bin looks like this:
https://raw.githubusercontent.com/IcyModz420/Xbox-360/main/VFS.bin

So you can't really make out what the functions are doing without major disassembly work. I thought about just dumping it from memory but haven't yet.

Would this driver being modified go unnoticed? And couldn't you load any assets with this file correctly modified?

The signature check for this game was defeated 10 years ago, btw, and supposedly it uses a custom compression method for assets in the vfs.pak container.
The PC version uses the same format also.

It's also worth noting you can run demo assets with the latest xex on an RGH online.

Seriously thinking about an X360Dock or XKey. Do X360Docks still work on the latest dash?
 
AnonSec (Newbie):
The GOD file container of Terraria is not signed. You can pull it off a disc and edit it, then install it with Horizon, and it will run the game until you hit your edit and crash, on a retail.
 