
Discussion [Theory] Xbox One Cold Boot Exploit

  • Thread starter KittenMilkshake
  • Views 45,297

KittenMilkshake
I hate to make threads to ask questions or just propose topics but however here is my thought.

I have not seen anyone talk about Cold Boot attacks on the RAM of the Xbox One. In cryptography, a cold boot attack is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a running operating system after using a cold reboot to restart the machine. A cold reboot for a computer would be holding the power button off or unplugging the power cord. It is also known as a "hard reboot".
Now, this is a cryptography attack and, I may be mistaken, but the Xbox One NAND has already been dumped and we know what files to exploit but we cannot decompile and read them.

I'm starting to research into hardware exploits and attacks and I have a good amount of experience in pen testing, hardware engineering and writing software exploits. I will buy an Xbox One X for x-mas so I will experiment on my current xbox one at the time. If anyone would like to team up I would be happy to put the effort into modding an Xbox one.

Back to the cold boot attack on the RAM. If done successfully, the contents on the DRAM could be read and keys could be found. However the DRAM is 16 individual components placed on the motherboard.

I am almost 100% sure there is a way to mod the console but I feel as if the community has lost ambition or progress has slowed down. With anything cyber related there will always be a backdoor.

What are y'alls takes on the RAM attack and does anyone have any thoughts or ideas they would like to add?

Thank you.
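As an added illustration of the mechanism the post above describes (not code from this thread, and not a model of any console's real hardware), here is a small Python simulation of DRAM remanence: after power is cut, cells drift toward a ground state rather than going random, so for a short window most key bits still read correctly, and the standard defence is to scrub key material before power is removed. The ground state, the decay probabilities and the sample key are assumptions chosen for the demonstration.

```python
import random

# Constructed simulation of DRAM remanence after a hard reboot. It models the
# effect the post describes (contents of RAM surviving a power cut for a short
# time) and the standard mitigation (scrubbing key material before power is
# removed). The ground state, the decay model and the sample key are all
# assumptions chosen for illustration; nothing here is measured from a console.

GROUND_STATE = 0x00  # assumed: unpowered cells drift toward all-zero
SAMPLE_KEY = bytes.fromhex("0f" * 16)  # constructed 128-bit key, 64 bits set


def decayed_image(image: bytes, decay_prob: float, seed: int = 0) -> bytes:
    """Return a copy of `image` after remanence decay.

    Each bit that differs from the ground state flips to it independently with
    probability `decay_prob`; bits already at ground state never change. A
    fixed seed keeps runs reproducible, and because one draw is made per
    non-ground bit regardless of `decay_prob`, a higher probability always
    flips a superset of the bits flipped by a lower one (same seed).
    """
    rng = random.Random(seed)
    out = bytearray(image)
    for i, byte in enumerate(out):
        for bit in range(8):
            mask = 1 << bit
            if (byte & mask) != (GROUND_STATE & mask) and rng.random() < decay_prob:
                byte ^= mask
        out[i] = byte
    return bytes(out)


def matching_bits(a: bytes, b: bytes) -> int:
    """Number of bit positions on which two equal-length buffers agree."""
    return sum(8 - bin(x ^ y).count("1") for x, y in zip(a, b))


def recoverable_fraction(secret: bytes, decay_prob: float, seed: int = 0) -> float:
    """Fraction of the secret's bits that still read correctly after decay."""
    image = decayed_image(secret, decay_prob, seed)
    return matching_bits(secret, image) / (8 * len(secret))


def scrub(buf: bytearray) -> None:
    """Overwrite key material in place; what firmware should do before power-off."""
    for i in range(len(buf)):
        buf[i] = GROUND_STATE


def scrubbed_then_dumped(secret: bytes, decay_prob: float, seed: int = 0) -> bytes:
    """Image left behind if the key was scrubbed before the cold reboot."""
    buf = bytearray(secret)
    scrub(buf)
    return decayed_image(bytes(buf), decay_prob, seed)


if __name__ == "__main__":
    for p in (0.0, 0.1, 0.5, 0.9, 1.0):
        frac = recoverable_fraction(SAMPLE_KEY, p, seed=1)
        print(f"decay {p:.1f}: {frac:.3f} of key bits readable")
    print("after scrub:", scrubbed_then_dumped(SAMPLE_KEY, 0.1, seed=1).hex())
```

With no decay every bit of the sample key reads back; with total decay the image is just the ground state, and the reported 0.5 is only the key's own zero bits coinciding with it, so it carries no information. The scrubbed case shows why the window matters: once the key has been overwritten before power loss, the decayed image is the same ground state whatever the decay probability.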
 
Sketch
I hate to make threads to ask questions or just propose topics but however here is my thought.

I have not seen anyone talk about Cold Boot attacks on the RAM of the Xbox One. In cryptography, a cold boot attack is a type of side channel attack in which an attacker with physical access to a computer is able to retrieve encryption keys from a running operating system after using a cold reboot to restart the machine. A cold reboot for a computer would be holding the power button off or unplugging the power cord. It is also known as a "hard reboot".
Now, this is a cryptography attack and, I may be mistaken, but the Xbox One NAND has already been dumped and we know what files to exploit but we cannot decompile and read them.

I'm starting to research into hardware exploits and attacks and I have a good amount of experience in pen testing, hardware engineering and writing software exploits. I will buy an Xbox One X for x-mas so I will experiment on my current xbox one at the time. If anyone would like to team up I would be happy to put the effort into modding an Xbox one.

Back to the cold boot attack on the RAM. If done successfully, the contents on the DRAM could be read and keys could be found. However the DRAM is 16 individual components placed on the motherboard.

I am almost 100% sure there is a way to mod the console but I feel as if the community has lost ambition or progress has slowed down. With anything cyber related there will always be a backdoor.

What are y'alls takes on the RAM attack and does anyone have any thoughts or ideas they would like to add?

Thank you.
If I recall correctly, Microsoft already thought of this and worked on the security to circumvent many things. The keys aren't there either, technically.
 
schitzotm
If I recall correctly, Microsoft already thought of this and worked on the security to circumvent many things. The keys aren't there either, technically.
https://www.google.com/amp/s/www.di...ng/cold-boot-attack-modern-pc-data-theft/amp/
This would require a chip to be overwritten to allow the RAM to not be written over.
I see where the OP is coming from, but I don't know if it would be of any use. Overwriting the chip, however, could make for some other exploits to function. Could even give us the data collision we need. But I don't know if the system would even boot without another hack to ignore the RAM not being written over.
 
KittenMilkshake
https://www.google.com/amp/s/www.di...ng/cold-boot-attack-modern-pc-data-theft/amp/
This would require a chip to be overwritten to allow the RAM to not be written over.
I see where the OP is coming from, but I don't know if it would be of any use. Overwriting the chip, however, could make for some other exploits to function. Could even give us the data collision we need. But I don't know if the system would even boot without another hack to ignore the RAM not being written over.

I'm already working on this, well, something similar, for the Xbox One. It's clearly doable; there are many vulnerabilities, it just needs some effort.

EDIT:
The exploit will almost definitely be a hardware exploit. The software is too locked down.
 
Sketch
I'm already working on this, well, something similar, for the Xbox One. It's clearly doable; there are many vulnerabilities, it just needs some effort.

EDIT:
The exploit will almost definitely be a hardware exploit. The software is too locked down.
The software isn't as locked down as many think. You can perform more than you know, even through Edge, surprisingly.
 
KittenMilkshake
The software isn't as locked down as many think. You can perform more than you know, even through Edge, surprisingly.

Doesn't surprise me that Edge could be used for an attack. I don't think you could get SU through software privilege escalation exploits or any other exploit, and persistence might be a problem. Basing that assumption on my experience of doing remote and local exploits on Windows 10 x64.
 
Professional
Doing things through Edge kinda reminds me of the PS3 and PS4 issues going on :whistle:
 
schitzotm
Browser exploits will always plague consoles. Would like to see Edge be the reason the Xbox One gets sploited.
 
POPINSMOKE
Unfortunately until we find a solution to Bug bounties someone will always cash out to the dark side.
 
ddrkingjb
If I recall correctly, Microsoft already thought of this and worked on the security to circumvent many things. The keys aren't there either, technically.
What about a cold boot exploit on the Xbox 360? Because I formatted my USB and I made it so my computer does not have hidden files, and I saw data files and I used HxD; one of them was e:\bt\547408\core\private\flash\xam\apps
 
AzzidReign
Browser exploits will always plague consoles. Would like to see Edge be the reason the Xbox One gets sploited.
I just saw this posted on another site:

Previously, I had posted some of the Xbox One Controller Protocols that were released by a reverse engineer named Quantus. This had a ton of offsets, hex, bin, and more code for your own purpose. If you haven't checked it out, you can view it here: Xbox One Controller Protocols. Today, major thanks to ZiL0G80 for sharing this out for me. Here is an Edge exploit for Xbox One that an unknown developer released by the name UnknownV2 (unknown v2). Credits are at the bottom on how he found this and got it working.

GitHub Link: [Click here to view this link]

To quote from the README.md: ms-xb1-edge-exp

For Xbox-SystemOS version: 10.0.14393.2152 (rs1_xbox_rel_1610 161208-1218) fre, 12/14/2016

Other versions will most likely need modifications to the script.

Credits:

[Click here to view this link]

952 - Microsoft Edge: Info Leak in JSON.parse - project-zero - Monorail

https://bugs.chromium.org/p/project-zero/issues/detail?id=945
 
HYX
I just saw this posted on another site:

Previously, I had posted some of the Xbox One Controller Protocols that were released by a reverse engineer named Quantus. This had a ton of offsets, hex, bin, and more code for your own purpose. If you haven't checked it out, you can view it here: Xbox One Controller Protocols. Today, major thanks to ZiL0G80 for sharing this out for me. Here is an Edge exploit for Xbox One that an unknown developer released by the name UnknownV2 (unknown v2). Credits are at the bottom on how he found this and got it working.

GitHub Link: [Click here to view this link]

To quote from the README.md: ms-xb1-edge-exp

For Xbox-SystemOS version: 10.0.14393.2152 (rs1_xbox_rel_1610 161208-1218) fre, 12/14/2016

Other versions will most likely need modifications to the script.

Credits:

[Click here to view this link]

952 - Microsoft Edge: Info Leak in JSON.parse - project-zero - Monorail

https://bugs.chromium.org/p/project-zero/issues/detail?id=945

That GitHub post (the MS XB1 Edge Xploit) looks to not be working.
 
Cam8528
The XB1 mod scene begins with Quantus' Edge script for old-version Xbone dashboards still vulnerable to Edge scripts. By using scripts to call up protected code from M$ XBL servers into console memory, hardware exploits will have to simultaneously dump this from 16 different chips with 100 soldered pins each into an old printer cable connected to Arduino ICs that is plugged in to an operating system environment. The Xbone will not be modded solely by software exploits nor solely by hardware exploits. The software component and hardware component approach both sides of acquiring SU access, running unsigned code and developing and deploying Xbone exploits that the community expects. 5 stars, kudos for cold boot. Best damn idea for an exploit I've seen to date.

Nobody can say $chitt to KittenMilkshake because, unlike 96% of all posts in the Xbox One modding section, this user actually soldered cables to the RAM chips and is producing data dumps so chumps like my little brother can get pissed off by Fortnite modders.
[Edit] HAIL AZZID! HAIL SE7ENSINS! LONG LIVE XBOX MODS!

 
afterjo
The Xbox One is not so worth investing in for exploit research.

Most exclusive games are Windows compatible. And the exclusive games are kinda meh.
The base Xbox One is an inferior system.
And the Xbox One X is kinda pointless, since you can build a way more efficient and less restrictive PC system.

This is my opinion.
 
AzzidReign
The Xbox One is not so worth investing in for exploit research.

Most exclusive games are Windows compatible. And the exclusive games are kinda meh.
The base Xbox One is an inferior system.
And the Xbox One X is kinda pointless, since you can build a way more efficient and less restrictive PC system.

This is my opinion.
See, I disagree. I would love to see the One exploited. Could be the ultimate media center + gaming unit. Think about it... it already has the basics for the media center. Add in the ability to play emulators and ROMs on your One + 360 games + I'm not sure if you can play OG Xbox on there, but being exploited, it likely can happen (Xbox emulation on the PC is coming along nicely, likely resulting in a port).

Add that with the Kinect, controlling everything with your voice is pretty cool. Kind of sucks it seems they have discarded the Kinect, had a lot of potential but I guess people would rather sit and game as opposed to moving their bodies to be the controller.
 
Lipton01
Screw what everyone else is talking about, I'm down to reboot the scene. I'll also invest in whatever you need, about to shoot you a PM right now. And if the exploit was mostly hardware modifications the bounty program would be useless; the only way M$ would patch it is to release newer consoles lol
 
Sketch
Anyone got any idea what this is?

[Click here to view this link]

Also found this
[Click here to view this link]

I would assume it would grab your keys; dunno if it works and I don't know Python, but someone take a look?

ALSO REPORT BACK TO ME IF IT ALLOWS YOU TO EXTRACT KEYS FROM A RETAIL!
Keys won't in any situation be dumped from a retail console unless you've got the expensive equipment to pull off the difficult work.
It's simply related to making working with developer mode easier, and the second link is a repository for working with files that are Xbox specific.
 
dr NHA

Keys won't in any situation be dumped from a retail console unless you've got the expensive equipment to pull off the difficult work.
It's simply related to making working with developer mode easier, and the second link is a repository for working with files that are Xbox specific.
Thanks now we all know what that is :smile:
 