Xbox ONE: Gaining win32 code execution in UWP DevMode
By Gary Bowser (garyopa)

Earlier today, @XVMM posted some key info on 'getting started' on your path of enlightenment when using the 'dev mode' that is available on all Xbox One consoles. Normally this UWP is sandboxed, but thanks to the anonymous creators of this unique exploit you can now get a shell (cmd.exe) and win32 code execution on Xbox One in UWP Devkit mode.

Normally, you can only deploy "sandboxed" UWP containers with very limited access rights, hence this write-up, which is very technical, but it is aimed at those who want to explore more of the inner workings and power of the XB1 console itself, and hopefully now with this information out to the public, more developers will get on board and help expand the scene of greatness in the Xbox landscape.
 

ddrkingjb

I don't have a way to get Visual Studio to create it; I'm on Linux. Is there an alternative for Linux?
 

Mattkocmut

I am an expert in Microsoft and Unix operating systems. CMD in Windows is equivalent to term/bash in Unix.

You can't just launch binaries that may or may not exist; as well, they are likely bound using attributes, policies, sandboxing, etc.

You need to dump the Xbox drive contents first in order to know its file structure. If there is a CMD.com and/or it is used by the system, it is easy to go about.

No need to hop from one OS to the next. Stay in Linux. Modify system files so they can autoexec a terminal at boot. I believe the Xbox is sensitive to unauthorized file modifications; I can presume they validate the integrity of the system often.

Why not go to the post above this and try "run telnet server"? This would give you a way to access the command prompt without compromising your system.
 

Sketch

This is more than the standard running of cmd. Due to the great nature of the Xbox One running on a variant of Windows Core, building and deploying your own Win32-based applications is smooth. All within developer mode.
 

0x329847

UWP itself is the ISIL (UWP isn't DRM, it's a rebuilt .NET runtime with Store integration) engine running in AppContainer instances under the Xone OS, which is a managed HyperV snapshot....

Best case scenario you can fuzz the Zen TEE interface through some wrapper API... This forum is packed with people who think the SDK has some overlooked access..
 

Sketch

I haven't seen anyone claim UWP itself as DRM, but not going to go into that as it's pretty meh. Also, the console operating system is designed with state separation in mind and isn't necessarily a "Hyper-V Snapshot".

And unless you're a time traveler, the current generation of Xbox One consoles don't utilise the Zen CPU. Never mind that instead of the standard TPM/TEE interaction, it's different and done through psp.sys (pspsra for the proxy in sra) which provides its limited subset of privileged calls.
 