[Theory] Xbox One Cold Boot Exploit

  • Thread starter KittenMilkshake
  • Start date
  • Views 23,473

KittenMilkshake

Enthusiast
Messages
56
Reaction score
6
I hate to make threads to ask questions or just propose topics but however here is my thought.

I have not seen anyone talk about cold boot attacks on the RAM of the Xbox One. In cryptography, a cold boot attack is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a running operating system after using a cold reboot to restart the machine. A cold reboot for a computer would be holding the power button off or unplugging the power cord. It is also known as a "hard reboot".
Now, this is a cryptography attack and, I may be mistaken, but the Xbox One NAND has already been dumped and we know what files to exploit, but we cannot decompile and read them.

I'm starting to research into hardware exploits and attacks and I have a good amount of experience in pen testing, hardware engineering and writing software exploits. I will buy an Xbox One X for x-mas so I will experiment on my current xbox one at the time. If anyone would like to team up I would be happy to put the effort into modding an Xbox one.

Back to the cold boot attack on the RAM. If done successfully, the contents on the DRAM could be read and keys could be found. However the DRAM is 16 individual components placed on the motherboard.

I am almost 100% there is a way to mod the console but I feel as if the community has lost ambition or progress has slowed down. With anything cyber related there will always be a backdoor.

What are y'alls takes on the RAM attack and does anyone have any thoughts or ideas they would like to add?

Thank you.
 
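Added example, not part of KittenMilkshake's post or of anything the thread links to: the "keys could be found" step, done the way the original cold boot paper (Halderman et al., "Lest We Remember: Cold Boot Attacks on Encryption Keys", USENIX Security 2008) does it for AES. A running AES implementation keeps the 176-byte expanded key schedule in RAM, and every byte past the first 16 is a deterministic function of the key, so a dump can be scanned for any 176-byte window whose tail is the expansion of its head. A Hamming-distance threshold instead of exact equality tolerates the bits that decay between power-off and imaging. The DRAM image, the planted key (the FIPS-197 test key), the offset 1000 and the decayed bit positions are all constructed here for the demonstration; nothing about the Xbox One's memory layout is assumed. Two caveats a practitioner would check first: the search only finds anything if the schedule sits in plain DRAM (a key that never leaves a security processor, or memory that is encrypted at the controller, gives nothing to match), and this simpler version does not correct errors inside the 16 key bytes themselves, which the paper handles using the redundancy between adjacent round keys.

```python
"""Scan a raw memory image for AES-128 keys via their expanded key schedule.

Added example (not from the thread). A 176-byte window whose last 160 bytes
equal the FIPS-197 expansion of its first 16 bytes is almost certainly a live
AES-128 key; comparing by Hamming distance lets a few decayed bits through.
"""
import random


def _rotl8(x: int, n: int) -> int:
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _build_sbox() -> list:
    """Generate the AES S-box from the GF(2^8) inverse plus the affine map,
    instead of typing in a 256-entry table."""
    sbox = [0] * 256
    p = q = 1                      # invariant: p * q == 1 in GF(2^8)
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF   # p *= 3
        q = (q ^ (q << 1)) & 0xFF                                # q /= 3
        q = (q ^ (q << 2)) & 0xFF
        q = (q ^ (q << 4)) & 0xFF
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63                 # 0 has no inverse; affine map of 0
    return sbox


SBOX = _build_sbox()
SCHEDULE_LEN = 176                 # 11 round keys * 16 bytes for AES-128


def aes128_key_schedule(key: bytes) -> bytes:
    """FIPS-197 key expansion: 16-byte key -> 176-byte schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = list(key)
    rcon = 0x01
    for i in range(4, 44):
        t = w[(i - 1) * 4:i * 4]
        if i % 4 == 0:
            t = [SBOX[b] for b in t[1:] + t[:1]]   # RotWord, then SubWord
            t[0] ^= rcon
            rcon = ((rcon << 1) ^ (0x1B if rcon & 0x80 else 0)) & 0xFF
        w.extend(w[(i - 4) * 4 + j] ^ t[j] for j in range(4))
    return bytes(w)


def _hamming(a: bytes, b: bytes) -> int:
    return sum(bin(x ^ y).count("1") for x, y in zip(a, b))


def find_aes128_keys(dump: bytes, max_bit_errors: int = 10) -> list:
    """Return (offset, key) pairs where dump[offset:offset+176] looks like an
    AES-128 key schedule. max_bit_errors bounds the decayed bits tolerated in
    the 160 derived bytes; an unrelated window differs in roughly 640 of the
    1280 bits, so a threshold of 10 yields no false positives in practice.
    Decay inside the 16 key bytes themselves is NOT corrected here."""
    hits = []
    for off in range(0, len(dump) - SCHEDULE_LEN + 1):
        candidate = dump[off:off + 16]
        expected = aes128_key_schedule(candidate)[16:]
        observed = dump[off + 16:off + SCHEDULE_LEN]
        if _hamming(expected, observed) <= max_bit_errors:
            hits.append((off, candidate))
    return hits


def make_sample_dump(key: bytes, offset: int, size: int = 4096,
                     decayed_bits=(), seed: int = 7) -> bytes:
    """Constructed stand-in for a DRAM image (not a real dump): seeded
    pseudo-random filler with one key schedule planted at `offset`, then the
    listed bit positions (counted from the start of the 160 derived bytes)
    flipped to imitate decay."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    buf[offset:offset + SCHEDULE_LEN] = aes128_key_schedule(key)
    for bit in decayed_bits:
        buf[offset + 16 + bit // 8] ^= 1 << (bit % 8)
    return bytes(buf)


if __name__ == "__main__":
    KEY = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")   # FIPS-197 A.1 key
    dump = make_sample_dump(KEY, offset=1000,
                            decayed_bits=(3, 77, 400, 901, 1200))
    for off, key in find_aes128_keys(dump):
        print(f"AES-128 key schedule at offset {off}: key={key.hex()}")
```

Run as a script, the block scans the 4 KiB constructed image and reports the single planted key at offset 1000 despite five flipped bits in its schedule; lowering max_bit_errors below five makes the hit disappear, which is the trade-off between decay tolerance and false positives. Against a multi-gigabyte image the same loop is correct but slow, since it does a full expansion at every byte offset; rejecting an offset as soon as the first derived round key mismatches is the obvious first optimization.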

Sketch

Enthusiast
Messages
526
Reaction score
478
I hate to make threads to ask questions or just propose topics but however here is my thought.

I have not seen anyone talk about cold boot attacks on the RAM of the Xbox One. In cryptography, a cold boot attack is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a running operating system after using a cold reboot to restart the machine. A cold reboot for a computer would be holding the power button off or unplugging the power cord. It is also known as a "hard reboot".
Now, this is a cryptography attack and, I may be mistaken, but the Xbox One NAND has already been dumped and we know what files to exploit, but we cannot decompile and read them.

I'm starting to research into hardware exploits and attacks and I have a good amount of experience in pen testing, hardware engineering and writing software exploits. I will buy an Xbox One X for x-mas so I will experiment on my current xbox one at the time. If anyone would like to team up I would be happy to put the effort into modding an Xbox one.

Back to the cold boot attack on the RAM. If done successfully, the contents on the DRAM could be read and keys could be found. However the DRAM is 16 individual components placed on the motherboard.

I am almost 100% there is a way to mod the console but I feel as if the community has lost ambition or progress has slowed down. With anything cyber related there will always be a backdoor.

What are y'alls takes on the RAM attack and does anyone have any thoughts or ideas they would like to add?

Thank you.
If I recall correctly, Microsoft already thought of this and worked on the security to circumvent many things. The keys aren't there either, technically.
 

schitzotm

Contributor
Messages
2,117
Reaction score
2,163
If I recall correctly, Microsoft already thought of this and worked on the security to circumvent many things. The keys aren't there either, technically.
https://www.google.com/amp/s/www.di...ng/cold-boot-attack-modern-pc-data-theft/amp/
This would require a chip to be overwritten to allow the RAM to not be written over.
I see where the OP is coming from but I don't know that it would be of any use. Overwriting the chip, however, could make for some other exploits to function. Could even give us the data collision we need. But I don't know if the system would even boot without another hack to ignore the RAM not being written over.
 

KittenMilkshake

Enthusiast
Messages
56
Reaction score
6
https://www.google.com/amp/s/www.di...ng/cold-boot-attack-modern-pc-data-theft/amp/
This would require a chip to be overwritten to allow the RAM to not be written over.
I see where the OP is coming from but I don't know that it would be of any use. Overwriting the chip, however, could make for some other exploits to function. Could even give us the data collision we need. But I don't know if the system would even boot without another hack to ignore the RAM not being written over.
I'm already working on this, well something similar, for the Xbox One. It's clearly do-able there are many vulnerabilities it just needs some effort.

EDIT:
The exploit will almost definitely be a hardware exploit. The software is too locked down.
 

Sketch

Enthusiast
Messages
526
Reaction score
478
I'm already working on this, well something similar, for the Xbox One. It's clearly do-able there are many vulnerabilities it just needs some effort.

EDIT:
The exploit will almost definitely be a hardware exploit. The software is too locked down.
The software isn't as locked down as many think. You can perform more than you know, even through Edge, surprisingly.
 

KittenMilkshake

Enthusiast
Messages
56
Reaction score
6
The software isn't as locked down as many think. You can perform more than you know, even through Edge, surprisingly.
Doesn't surprise me that Edge could be used for an attack. I don't think you could get SU through software privilege escalation exploits or any other exploit, and persistence might be a problem. I'm basing that assumption on my experience of doing remote and local exploits on Windows 10 x64.
 

Professional

Staff
Messages
6,050
Reaction score
4,845
Doing things through Edge kinda reminds me of the PS3 and PS4 issues going on.
 

schitzotm

Contributor
Messages
2,117
Reaction score
2,163
Browser exploits will always plague consoles. Would like to see Edge be the reason the Xbox One gets exploited.
 

POPINSMOKE

Ryzen Master ®
Messages
267
Reaction score
61
Unfortunately until we find a solution to Bug bounties someone will always cash out to the dark side.
 

ddrkingjb

Newbie
Messages
9
Reaction score
0
If I recall correctly, Microsoft already thought of this and worked on the security to circumvent many things. The keys aren't there either, technically.
What about a cold boot exploit on the Xbox 360? Because I formatted my USB and I made it so my computer does not have hidden files, and I saw data files. I used HxD, and one of them was e:\bt\547408\core\private\flash\xam\apps
 

AzzidReign

Man with the plan
Administrator
Messages
21,609
Reaction score
27,464
Browser exploits will always plague consoles. Would like to see Edge be the reason the Xbox One gets exploited.
I just saw this posted on another site:

Previously, I had posted some of the Xbox One Controller Protocols that were released by a reverse engineer named Quantus. This had a ton of offsets, hex, bin, and more code for your own purposes. If you haven't checked it out, you can view it here: Xbox One Controller Protocols. Today, major thanks to ZiL0G80 for sharing this with me. Here is an Edge exploit for the Xbox One that an unknown developer released under the name UnknownV2 (unknown v2). Credits are at the bottom on how he found this and got it to work.

GitHub Link: [Click here to view this link]


To quote from the README.md: ms-xb1-edge-exp

For Xbox-SystemOS version: 10.0.14393.2152 (rs1_xbox_rel_1610 161208-1218) fre, 12/14/2016

Other versions will most likely need modifications to the script.

Credits:

[Click here to view this link]

952 - Microsoft Edge: Info Leak in JSON.parse - project-zero - Monorail

https://bugs.chromium.org/p/project-zero/issues/detail?id=945
 

H Y X

RGH and CFW hoster
Messages
1,316
Reaction score
352
I just saw this posted on another site:

Previously, I had posted some of the Xbox One Controller Protocols that were released by a reverse engineer named Quantus. This had a ton of offsets, hex, bin, and more code for your own purposes. If you haven't checked it out, you can view it here: Xbox One Controller Protocols. Today, major thanks to ZiL0G80 for sharing this with me. Here is an Edge exploit for the Xbox One that an unknown developer released under the name UnknownV2 (unknown v2). Credits are at the bottom on how he found this and got it to work.

GitHub Link: [Click here to view this link]


To quote from the README.md: ms-xb1-edge-exp

For Xbox-SystemOS version: 10.0.14393.2152 (rs1_xbox_rel_1610 161208-1218) fre, 12/14/2016

Other versions will most likely need modifications to the script.

Credits:

[Click here to view this link]

952 - Microsoft Edge: Info Leak in JSON.parse - project-zero - Monorail

https://bugs.chromium.org/p/project-zero/issues/detail?id=945
That GitHub post looks to not be working, the MS XB1 Edge exploit.
 

Cam8528

Enthusiast
Messages
66
Reaction score
11
The XB1 mod scene begins with Quantus' Edge script for old-version Xbone dashboards still vulnerable to Edge scripts. By using scripts to call up protected code from M$ XBL servers into console memory, hardware exploits will have to simultaneously dump this from 16 different chips with 100 soldered pins each into an old printer cable connected to Arduino ICs that is plugged in to an operating system environment. The Xbone will not be modded solely by software exploits nor solely by hardware exploits. The software component and hardware component approach both sides of acquiring SU access, running unsigned code, and developing and deploying Xbone exploits that the community expects. 5 stars, kudos for cold boot. Best damn idea for an exploit I've seen to date.

Nobody can say $chitt to KittenMilkshake because, unlike 96% of all posts in the Xbox One modding section, this user actually soldered cables to the RAM chips and is producing data dumps so chumps like my little brother can get pissed off by Fortnite modders.
[Edit] HAIL AZZID! HAIL SE7ENSINS! LONG LIVE XBOX MODS!

 

afterjo

Enthusiast
Messages
728
Reaction score
102
The Xbox One is not really worth investing in for exploit research.

Most exclusive games are Windows compatible, and the exclusive games are kinda meh.
The base Xbox One is an inferior system.
And the Xbox One X is kinda pointless, since you can build a way more efficient PC system that is less restrictive.

This is my opinion.
 

AzzidReign

Man with the plan
Administrator
Messages
21,609
Reaction score
27,464
The Xbox One is not really worth investing in for exploit research.

Most exclusive games are Windows compatible, and the exclusive games are kinda meh.
The base Xbox One is an inferior system.
And the Xbox One X is kinda pointless, since you can build a way more efficient PC system that is less restrictive.

This is my opinion.
See, I disagree. I would love to see the One exploited. Could be the ultimate media center + gaming unit. Think about it... it already has the basics for it for the media center. Add in the ability to play emulators and ROMs on your One + 360 games + I'm not sure if you can play OG Xbox games on there, but being exploited, it likely can happen (Xbox emulation on the PC is coming along nicely, which would likely result in a port).

Add that with the Kinect, controlling everything with your voice is pretty cool. Kind of sucks it seems they have discarded the Kinect, had a lot of potential but I guess people would rather sit and game as opposed to moving their bodies to be the controller.
 

Lipton01

Enthusiast
Messages
92
Reaction score
18
Screw what everyone else is talking about, I'm down to reboot the scene. I'll also invest in whatever you need, about to shoot you a PM right now. And if the exploit was mostly hardware modifications, the bounty program would be useless; the only way M$ would patch it is to release newer consoles lol
 

Sketch

Enthusiast
Messages
526
Reaction score
478
Anyone got any idea what this is?

[Click here to view this link]

Also found this
[Click here to view this link]

I would assume it would grab your keys, dunno if it works, and I don't know Python, but someone take a look?

ALSO REPORT BACK TO ME IF IT ALLOWS YOU TO EXTRACT KEYS FROM A RETAIL!
Keys won't in any situation be dumped from a retail console unless you've got the expensive equipment to pull off the difficult work.
It's simply related to make working with developer mode easier and also the second link is a repository for working with files that are Xbox specific.
 

NoHacksAllowed

Enthusiast
Messages
75
Reaction score
9
Keys won't in any situation be dumped from a retail console unless you've got the expensive equipment to pull off the difficult work.
It's simply related to make working with developer mode easier and also the second link is a repository for working with files that are Xbox specific.
Thanks, now we all know what that is.
 