Some Xbox One Research Progress

Potato_of_Doom
I just wanted to share some of my recent findings in the Xbox One's dev mode:

First of all:
I actually achieved some sort of messy unsigned & unsandboxed user mode code execution.
But as of now I wasn't able to find any interesting entrypoints to elevate to admin or even change something in the hypervisor.
Therefore I am hereby publishing some of my findings (maybe you'll see something interesting).

My Research:

Most of it was about dumping files and processes to get an overview of how the OS works.
As of now it looks like it is very similar to the HoloLens/Windows 10 Mobile UWP-only Win10 versions.

Some things I found out:
  • There are two user accounts on the system: DefaultAccount and UserMgr0
  • All apps launched by the user are running as UserMgr0
  • The OS apparently has about 14 drives mounted (obviously virtual)
  • There are multiple of these mounted drives pointing to the same locations (for example Q and U are both pointing to the user directory)
  • System is obviously on C
  • Other things like Resources, Media and UWP apps are distributed among the other drives
  • UWP-only Win10 means: All executables have uncommon DLL imports (for example kernel32.dll doesn't exist on the Xbox One)
  • All of the tested executables are also running on any Windows PC (but not vice versa because of this^)
  • All of the interesting registry keys are in HKEY_LOCAL_MACHINE :( (Btw. you can explore the registry by yourself using Interop Tools)
Code:
https://mega.nz/#!pto3EAjI!64cpWnmmawhHQhh0748pl2Bc95PglOhKt0AzXZ5UjUs
Virus Scan cuz why not: https://www.virustotal.com/de/file/a0f980bdfa79cde0c013a6aca44b7e545cf2ef8459f8a8bc16811411bad1aac6/analysis/1498398689/
The list was too big for pastebin ¯\_(ツ)_/¯
Code:
SERVICE_NAME: ApplicationClipService
DISPLAY_NAME: ApplicationClip Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: AppServices
DISPLAY_NAME: AppServices
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: AudioEndpointBuilder
DISPLAY_NAME: Windows Audio Endpoint Builder
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: Audiosrv
DISPLAY_NAME: Windows Audio
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: BFE
DISPLAY_NAME: Base Filtering Engine
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: BrokerInfrastructure
DISPLAY_NAME: Background Tasks Infrastructure Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: CDPSvc
DISPLAY_NAME: Connected Devices Platform Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: Cloud Settings
DISPLAY_NAME: Cloud Settings
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: ConnectedStorage
DISPLAY_NAME: Connected Storage
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: CoreMessagingRegistrar
DISPLAY_NAME: CoreMessaging
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: CryptSvc
DISPLAY_NAME: Cryptographic Services
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: DataCacheService
DISPLAY_NAME: Data Cache Services
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: DcomLaunch
DISPLAY_NAME: DCOM Server Process Launcher
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: DeveloperToolsService
DISPLAY_NAME: Developer Tools Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: DeviceAssociationService
DISPLAY_NAME: Device Association Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: Dhcp
DISPLAY_NAME: DHCP Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: DiagTrack
DISPLAY_NAME: Connected User Experiences and Telemetry
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: Dnscache
DISPLAY_NAME: DNS Client
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: etwuploaderservice
DISPLAY_NAME: etwuploaderservice
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: FontCache
DISPLAY_NAME: Windows Font Cache Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: IKEEXT
DISPLAY_NAME: IKE and AuthIP IPsec Keying Modules
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: InputService
DISPLAY_NAME: InputService
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: iphlpsvc
DISPLAY_NAME: IP Helper
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: KeyIso
DISPLAY_NAME: CNG Key Isolation
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: LanmanServer
DISPLAY_NAME: Server
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: LanmanWorkstation
DISPLAY_NAME: Workstation
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: lfsvc
DISPLAY_NAME: Geolocation Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: LicenseManager
DISPLAY_NAME: Windows License Manager Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: lmhosts
DISPLAY_NAME: TCP/IP NetBIOS Helper
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: LtvDvr
DISPLAY_NAME: LtvDvr
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: MicrosoftXboxSecurityClip
DISPLAY_NAME: Microsoft Xbox Security Clip Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: MpsSvc
DISPLAY_NAME: Windows Firewall
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: NcbService
DISPLAY_NAME: Network Connection Broker
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: netprofm
DISPLAY_NAME: Network List Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: Network Statistics
DISPLAY_NAME: Network Statistics
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: Network Transfer Manager
DISPLAY_NAME: Network Transfer Manager
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: NlaSvc
DISPLAY_NAME: Network Location Awareness
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: NPSMSvc
DISPLAY_NAME: NPSMSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: nsi
DISPLAY_NAME: Network Store Interface Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: Power
DISPLAY_NAME: Power
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: ProfSvc
DISPLAY_NAME: User Profile Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: PRProvisioningService
DISPLAY_NAME: PRProvisioningService
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: RpcEptMapper
DISPLAY_NAME: RPC Endpoint Mapper
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: RpcSs
DISPLAY_NAME: Remote Procedure Call (RPC)
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: SamSs
DISPLAY_NAME: Security Accounts Manager
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: Schedule
DISPLAY_NAME: Task Scheduler
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: ShellCoreService
DISPLAY_NAME: ShellCoreService
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: ShellUiService
DISPLAY_NAME: Shell UI Services
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: SpcService
DISPLAY_NAME: Legacy SPC Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: SpeechService
DISPLAY_NAME: SpeechService
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: SSDPSRV
DISPLAY_NAME: SSDP Discovery
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: SshSvc
DISPLAY_NAME: SshSvc
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: StateRepository
DISPLAY_NAME: State Repository Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: SystemEventsBroker
DISPLAY_NAME: System Events Broker
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: tiledatamodelsvc
DISPLAY_NAME: Tile Data model server
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: TimeBrokerSvc
DISPLAY_NAME: Time Broker
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: TokenBroker
DISPLAY_NAME: TokenBroker
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: TVCommandControlService
DISPLAY_NAME: TVCommandControlService
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: upnphost
DISPLAY_NAME: UPnP Device Host
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: UserManager
DISPLAY_NAME: User Manager
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: Wcmsvc
DISPLAY_NAME: Windows Connection Manager
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: WebManagement
DISPLAY_NAME: Web Management
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: WinHttpAutoProxySvc
DISPLAY_NAME: WinHTTP Web Proxy Auto-Discovery Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: WlanSvc
DISPLAY_NAME: WLAN AutoConfig
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: WpcMonSvc
DISPLAY_NAME: WpcMonSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: WpnService
DISPLAY_NAME: Windows Push Notifications System Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: WSearch
DISPLAY_NAME: Windows Search
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: XBBlackbox
DISPLAY_NAME: XBBlackbox
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: XblAuthManager
DISPLAY_NAME: Xbox Live Auth Manager
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: XboxDevService
DISPLAY_NAME: Xbox Developer Tools Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: XboxNetApiSvc
DISPLAY_NAME: Xbox Live Networking Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: XboxPackageState
DISPLAY_NAME: XboxPackageState
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: XtfRtService
DISPLAY_NAME: Xtf Runtime Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: XUpdMgr
DISPLAY_NAME: XUpdMgr
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: XvdStreamSvc
DISPLAY_NAME: XvdStreamSvc
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: CDPUserSvc_10b776
DISPLAY_NAME: Connected Devices Platform User Service_10b776
        TYPE               : e0  USER_SHARE_PROCESS INSTANCE
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
SERVICE_NAME: WpnUserService_10b776
DISPLAY_NAME: Windows Push Notifications User Service_10b776
        TYPE               : e0  USER_SHARE_PROCESS INSTANCE
        STATE              : 4  RUNNING
                                (STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

PS: I won't publicly share my code exec method for obvious reasons.

Edit: Added a VirusTotal Scan for my txt file...
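
A defender-side use of a service listing like the one in the first post, as an added example that is not part of the original thread: the layout matches Windows `sc query` output, so it can be parsed into records and two snapshots of the same device can be diffed. The second snapshot, `ExampleSvc` and the `_2f41c9` suffix are constructed for illustration; the other values are copied from the listing above.

```python
import re

USER_INSTANCE = 0x80  # SERVICE_USERSERVICE_INSTANCE bit of the hex TYPE code

FIELD = re.compile(r"^\s*([A-Z0-9_]+)\s*:\s*(.*)$")
CONTROLS = re.compile(r"^\s*\(([A-Z_, ]+)\)\s*$")


def parse_sc_query(text):
    """Turn sc-query-style text into a list of service records."""
    services, cur = [], None
    for line in text.splitlines():
        m = CONTROLS.match(line)
        if m:  # "(STOPPABLE, NOT_PAUSABLE, ...)" belongs to the current record
            if cur is not None:
                cur["controls"] = frozenset(c.strip() for c in m.group(1).split(","))
            continue
        m = FIELD.match(line)
        if not m or not m.group(2).strip():
            continue  # blank separators, empty values, unrecognised lines
        key, value = m.group(1), m.group(2).strip()
        if key == "SERVICE_NAME":  # names may contain spaces
            cur = {"name": value, "display": "", "type": 0,
                   "type_name": "", "state": "", "controls": frozenset()}
            services.append(cur)
        elif cur is None:
            continue
        elif key == "DISPLAY_NAME":
            cur["display"] = value
        elif key == "TYPE":  # the code is hex, e.g. "e0  USER_SHARE_PROCESS INSTANCE"
            code, _, label = value.partition(" ")
            cur["type"], cur["type_name"] = int(code, 16), label.strip()
        elif key == "STATE":  # e.g. "4  RUNNING"
            cur["state"] = value.split()[-1]
    return services


def stable_name(svc):
    """Per-user service instances carry a per-session hex suffix; drop it
    so the same service compares equal across sessions."""
    if svc["type"] & USER_INSTANCE:
        return re.sub(r"_[0-9a-f]+$", "", svc["name"])
    return svc["name"]


def diff_inventory(baseline, current):
    """Report services added, removed or changed between two snapshots."""
    old = {stable_name(s): s for s in baseline}
    new = {stable_name(s): s for s in current}
    changed = {}
    for name in old.keys() & new.keys():
        delta = {f: (old[name][f], new[name][f])
                 for f in ("type", "state", "controls")
                 if old[name][f] != new[name][f]}
        if delta:
            changed[name] = delta
    return {"added": sorted(new.keys() - old.keys()),
            "removed": sorted(old.keys() - new.keys()),
            "changed": changed}


# Constructed sample text in the layout of the listing in the post.
TEMPLATE = """SERVICE_NAME: {0}
DISPLAY_NAME: {1}
        TYPE               : {2}
        STATE              : 4  RUNNING
                                ({3})
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
 
"""
SHARE, OWN = "20  WIN32_SHARE_PROCESS", "10  WIN32_OWN_PROCESS"
USER = "e0  USER_SHARE_PROCESS INSTANCE"
FIXED = "NOT_STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN"
STOP = "STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN"
STOP_SD = "STOPPABLE, NOT_PAUSABLE, ACCEPTS_SHUTDOWN"

# Baseline: four records with values taken from the post's listing.
BASELINE = "".join(TEMPLATE.format(*r) for r in [
    ("BrokerInfrastructure", "Background Tasks Infrastructure Service", SHARE, FIXED),
    ("Network Transfer Manager", "Network Transfer Manager", OWN, STOP_SD),
    ("SshSvc", "SshSvc", SHARE, STOP),
    ("CDPUserSvc_10b776", "Connected Devices Platform User Service_10b776", USER, STOP),
])
# Later snapshot: constructed (new suffix, one type change, one service
# missing, one hypothetical service added).
CURRENT = "".join(TEMPLATE.format(*r) for r in [
    ("BrokerInfrastructure", "Background Tasks Infrastructure Service", SHARE, FIXED),
    ("Network Transfer Manager", "Network Transfer Manager", SHARE, STOP_SD),
    ("CDPUserSvc_2f41c9", "Connected Devices Platform User Service_2f41c9", USER, STOP),
    ("ExampleSvc", "Example Service (hypothetical)", OWN, STOP),
])

if __name__ == "__main__":
    print(diff_inventory(parse_sc_query(BASELINE), parse_sc_query(CURRENT)))
```
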
Potato_of_Doom
Keep in mind that the OS you see is System or "SRA". It's booted by host and is used for apps.
X:\ = SystemAux (SystemAuxilary)
Y:\ = SystemAuxY (Contains main SysOS apps such as Home, etc)

Also: kernel32.dll does exist on the Xbox One. You might have missed it.
The registry keys don't really matter either.

DefaultAccount is the same as Windows 10 except it is used on the Xbox. UserMgrX is for whatever account you added to the Xbox.

O:\ = ODD (Disc Drive)
R:\ = SystemUpdate partition on the HDD.
S:\ = Settings.xvd
T:\ = Temp
U:\ = user.xvd
P:\ = pagefile (I think)

Keep in mind that SystemOS and GameOS use host paths for xvd/xvc mounting (thanks to Hex for pointing that out.)

We're currently working on releasing all OS's (maybe just two, not sure) and some more "documentation" for ya'll.
Thank you very much for your answer.
Regarding the kernel32.dll thing:
Yeah, I noticed that there is a kernel32legacy thing, but it's not quite the same.
The biggest difference is the fact that all executables/DLLs are only using imports from kernelbase.dll etc., unlike mainline Windows where every application depends on kernel32.dll... This makes developing your own programs harder.
 
Last edited by a moderator:
H

HexDecimal

Getting There
Messages
439
Reaction score
172
Removed.
 
Last edited:
D

Dirty Potato

Enthusiast
Messages
152
Reaction score
23
From my understanding of the Xbox One system, I don't think this is the right way to go about exploiting it. Currently it seems like you're trying to at least get kernel execution in the System OS which I don't think is worth the effort. Even if you do achieve that I don't think you'll be in any better situation to gain execution in the Host OS (called the nanovisor I believe?).

From what I understand neither the Game OS or the System OS should have any notion of the existence of the Host OS as it is a hypervisor. Therefore gaining execution in the kernel of the Game OS or System OS shouldn't really provide you with a much better way of interfacing with the Host OS or get you much closer to exploiting the Host OS.

From what I've seen on the Team Xecuter site, it seems like they've literally read the CPU key from the CPU and decrypted the NAND that way. So from there it's much easier to find an exploit via RE.

I think realistically the best method for most people to find a way to gain execution in the Host OS is through fuzzing. You can guarantee that anything that requires hardware interaction has to go through the Host OS therefore fuzzing any API calls that result in hardware interaction is a potential avenue for discovering a vulnerability in the Host OS. This can be done using UWP apps or games, the only advantage I can see to having kernel execution in the Game OS or System OS is by having access to more ways of interfacing with hardware and therefore increasing the attack surface as you aren't as limited by the UWP API, I'd assume. Obviously you could just end up finding a vulnerability in the Game or System OS because it has to go through those before an API call even reaches the Host OS.

The major problem is without a decrypted NAND I don't believe there is a way to get any information about the Host OS that's useful for exploiting it, even if you have kernel execution in the Game or System OS they shouldn't have any interface into the Host OS apart from indirectly through things like hardware interaction. Essentially we have to blindly find an exploit in the Host OS which outside of fuzzing I don't see how you can.

Just my 2 cents, not looking to **** on people's work.
 
S

Sketch

Enthusiast
Messages
525
Reaction score
478
REMOVED
 
Last edited:
D

Dirty Potato

Enthusiast
Messages
152
Reaction score
23
The HostOS is just HostOS, not nanovisor as far as we can tell. It's unlikely to get an attack point anyway too.
Team Xecuter also have not decrypted the NAND. Only a few files on the flash are actually encrypted (boot.bin for example, although the header isn't (might be mistaken)).

But I highly doubt that TX have dumped any keys to even begin decrypting, along with figuring out the additional obfuscation that MS did. Anyways, good news is that we have HostOS dumped along with GameOS which will be released whenever things get sorted. Having a lil' waiting game right now.
Yeah, just re-checked the Frank Savage talk on the Xbox One, the Host OS is almost certainly a hypervisor, not only because of how he describes what its functionality is but also the fact that he said that it used to run what were 2 hyper-v VMs. This alludes to the fact they used to use some version of hyper-v which is a hypervisor, source: ~21 mins in Frank Savage talk. Also this tweet and this news post, both respectable sources, refer to it as the nanovisor, so I think I got that right too. Also that name suggests it's a hypervisor.

Ah well I only assumed they had based on the vague information they put out, they just seemed to infer they probably had. Also based on what I had assumed, they didn't 'dump' the keys I thought they read it straight off the physical CPU using a laser microscope. I think you use a laser microscope (not 100% sure), but I do know you can physically read data embedded on chips if you de-lid them and use some special equipment which I think is a laser microscope.

Again I had assumed the whole NAND is encrypted, I don't have access to one myself so couldn't verify but yes you are correct the header isn't encrypted which is how the NAND tool can read it.

I'd be very surprised if you have dumped the Host OS, I mean that would be awesome because that is where code sign checks and stuff will happen, so you've almost won at this point. The reason I'd be surprised though is because you seem to have been talking like you're just breaking into the Windows OS running in the System OS, not sure how much you would really be able to do even with kernel execution in that area. Although that being said I guess you could probably make changes to the dashboard on the fly.
 
D

Dirty Potato

Enthusiast
Messages
152
Reaction score
23
There's a lot of information that isn't out yet obviously but the HostOS is just a lean and mean Win8 (pretty sure it was based on a Win8 tree). It uses its own VM tech as well that utilizes a binary image known as "VBI". That information will be in the wiki at some point.
Here is host:

They were simply referring to the hyper-v that is used. It uses a VBI for the main components of whatever VM you are creating (SRA/ERA).

Example of how the boot stages look from this:

-> SP binaries -> 2BL -> Host VBI -> Host OS -> System VBI

I'll need to check up on that again.
From what Frank states @24:55-25:20 in the video, he's saying that the ERA is a lean mean version of Windows, not the Host OS. He also says @21:30-22:00 that the SRA is running a full version of Windows. I don't think it would make any sense to have a 3rd Windows running in the Host OS, there just isn't a reason to. He also mentions at no point that the Host OS is running Windows (@20:40-21:40) which I'd be surprised if it was and he didn't mention it considering he mentioned the others did. Also I think it's Windows 10 now? I mean I would expect it to be.

Not sure what you mean by this comment: "They were simply referring to the hyper-v that is used". Frank was stating that they initially used Hyper-V VMs (said @21:30) but ended up making some modifications so that the ERA sometimes goes through the SRA (said @23:20-23:40) which as far as I'm aware is not typical behaviour for a VM to be able to see and talk to another VM in that way (and that appears to be what he's saying @23:55-24:05).

"2BL -> Host VBI" this boot stage doesn't make sense to me, I'm assuming "2BL" is the 2nd stage bootloader and from what I understand you were saying that a "VBI" is some kind of VM. If that is the case then the 2BL would have to load a hypervisor as VMs need to run on a hypervisor (as far as I'm aware - you can just boot into a VM without something running underneath the VM). Again as far as I'm aware you have to have a hypervisor to run the 2 VMs (SRA and ERA) to handle sharing hardware resources between the VMs and for security as well, so the Host OS has to be a hypervisor, it makes little sense for it to be Windows running some kind of VM manager or something, the performance implications of that would be huge and it would be unnecessary.

It seems like you are doing a lot of good research it's just this talk from a Microsoft employee about the architecture of the Xbox One seems to contradict some of the things you are saying. Don't get me wrong I'm not trying to just criticize for the sake of it I'm genuinely trying to understand how this thing works. Whether I'm right or wrong that picture shows you've done some pretty impressive work either way, looks like you have a full dump of Windows in either the SRA or ERA.
 
H

HexDecimal

Getting There
Messages
439
Reaction score
172
Removed.
 
Last edited:
D

Dirty Potato

Enthusiast
Messages
152
Reaction score
23
I am restricted with what I can say due to my relation with Microsoft, but what Sketch showed is in fact Host OS. GameOS (ERA), SystemOS, and Host are all VMs running under the hypervisor. They are all also different editions of Windows 10. SystemOS being close to Windows IoT, Host and GameOS both being very slimmed down client builds. You can think of VBIs as images, containing critical files needed to boot the OS as well as some of the reg hives. Host isn't a hypervisor, it's running under it. The same thing happens when you enable hyper-v on your PC. Host starts the hypervisor then the hypervisor "moves" Host. Host has the manager for SRA and ERA, using a special application and drivers to interact with the HyperVisor.


EDIT: Take whatever Microsoft says publicly with a grain of salt, they are careful what they say. It wouldn't make sense for them to reveal the deep technical stuff.
Okay, fair enough. Seems a needlessly complicated system for what they are trying to achieve, especially running 3 copies of Windows 10 cannot be good for performance even if they are very slimmed down
 
S

schitzotm

Contributor
Messages
2,178
Reaction score
2,222
Okay, fair enough. Seems a needlessly complicated system for what they are trying to achieve, especially running 3 copies of Windows 10 cannot be good for performance even if they are very slimmed down
They are very small OS builds.
About the same as running three small apps on one PC. Not really using many resources. And actually pretty efficient.
It's just running like vSphere.
And since they aren't all making calls to video cards and a bunch of other unneeded stuff they run as if they are simply a small applet running.

OP, this is fantastic. There is a good bit of movement on the breaking front.
Has anything as far as modified code been pushed on retail side or are you running strictly in dev mode?
And is/are the console/ consoles in question online or completely removed from internet?
(Are they live or totally offline)
I know the goal is to be offline only but I am curious if you are able to work online without being noticed.
(Feel free to not answer these questions as I wish you no failures)
 
K

KittenMilkshake

Enthusiast
Messages
56
Reaction score
6
Good progress. Anything is a step forward to figuring out how to exploit the Xbox One.

I'm not an expert of RE or anything of this sort but I had an idea reading this thread. It may have been thought of before and even posted about on this site but I will still share.

I think something that ought to be tried is looking at Windows before the XB1 OS. I may be mistaken on this but the XB1 OS is very similar to Win 10 and could be based on its framework, kernel, etc., and if possible we should find weaknesses, exploits, buffer overflows and so forth that could be potentially used on an Xbox One. I'm going to read up more on this topic but I have waited long enough for an exploit and I'm going to try and contribute myself.

Nothing is foolproof electronically. Anything can be hacked and exploited. It is just a matter of when and how. Remember that.
 
M

masan

Newbie
Messages
1
Reaction score
0
Can you run 2 commands and post the result somewhere? Maybe I can help with further digging.
1) reg export "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\ProductOptions" Xbox_PP.reg
2) [may fail] C:\Windows\System32\licensingdiag.exe and the resulting cab in %temp%. The filename will be like: %ComputerName%_%date%_diag.cab
 
H

Hassan abulla

Newbie
Messages
17
Reaction score
0
Okay, if you really got outside of the sandbox with system privilege, I would like you having a video injecting payloads inside a system process. You can also inject a RAT inside the system.
 