Discussion: Xbox One Windows exploit

Thread starter: Lipton01 | Views: 13,447 | Status: Not open for further replies.
Lipton01:
I'm on an iPad so bear with me.

From what I'm hearing, you can allow your Xbox to run Win32 applications. If this is the case I can basically port my Xbox 360 backdoor to support the One, to force the user out of the sandbox and decompile the XVD files. I probably didn't make any sense; I'll explain more as this topic goes on.
 
Sketch:
> Basically a RAT for Xbox One which forces admin privileges by making changes to the registry, or is that too far-fetched?

You require a way to elevate privileges on a retail console. You can't modify the registry at the current privilege level that apps run in. And yes, you can run Win32 programs freely in Developer Mode, but not on retail (unless executing a signed executable within your own app container).
 
Lipton01:
Okay, going to hit your PM.
 
schitzotm:
First you need to know how the app processes on the console.
Once you know that you can utilize an exploit from the remote user. This can be done many different ways. There were some runc exploits about earlier this year that almost seemed promising.
I have a feeling that at the rate vulns are patched on Xbox, the only thing to do is utilize dev mode. If you are looking for an exploited console in terms of online hacking, move on.
Anyone with knowledge of getting to that point is not planning on sharing.

I will however give a little advice.
So you need a valid execute that isn't so nice.
So let's think about our 360 saves. So let's move instruction on these saves. Now we have to treat the Xbox One as an Xbox One running in compatibility mode for the 360. So just because we can push on the 360 does not mean an escape on the One.
So what we need are lists of known executes on the Xbone for backwards-compatible games.
For this matter we need the full list on the Xbox 360 to know what the game is loading and when.
So our save needs to be legit in terms of signature, but needs to push the game out and not just cause an error. We need a pop in an elevated command. So what is going to execute from this game that is loading elevated? (I know of at least two and am not arguing that out.)
You need that save to push that into the game's space. Remember we are using everything within this app container, so currently if it doesn't exist here then we can't use it. Also keep in mind these have to show as not corrupt on a retail 360.

Ok, so if you figured out what to push open and hold open, what to do with it?
Now we can point to a textbox.
(Oh boy, you should know the process running elevated now.)
Now we can enter a series of commands into our text box.

Now like I said, nobody is going to share.
So have fun guessing the how and what and where.
 
Lipton01:
You completely went off topic.
 
schitzotm:
> You completely went off topic.

Oh hey, we haven't met yet. Lol
I tend to stray way off topic.
But this is the only thing I know that has the juice to even come close to working in terms of executing anything coming from the Xbox 360.

Within the backwards compat app there are two elevated function executables for sure.
You can in fact make a save execute them again.

Really long explanation for something totally different from the asked question. Mostly because the RAT idea has never worked for this console, and has been asked about many times before.
So instead of leaving the same answer that is always given for why it will not work, I decided to share little bits of a functional permissions escalation.
The hope would be that someone else will figure it out and the rest of us can stay out of the lawsuit battles.
That and, since it's all software, there is no money in it.
 
Lipton01:
I wouldn't doubt using permission escalation, but seeing how things have upgraded now... Even with the original Xbox, an exploit was found in the King Kong game. I wasn't around for the saves, but I heard about it. Care to fill me in more?
 
XBLToothPik:
Admin privileges don't grant this kind of power on the X1. Also, I'm not sure how you could port something to X1 from 360, seeing as they are running an entirely different OS, 10x more secure, and an entirely different instruction set.

Also, having kernel privileges hasn't gotten me too far yet either; there are more layers above that are harder to get into, tbh.
 
Lipton01:
So since it's Windows, basically, can anyone list what the console does on boot? I think everyone is looking in the wrong direction with this.
 
Sketch:
The Xbox One runs a modified operating system and makes use of the AMD Platform Security Processor. OS data is stored inside an encrypted virtual disk, written from scratch, known as an XVD (Xbox Virtual Drive/Disk). These are signed, encrypted, and contain flags in the header which determine if they can be written to or are read-only, as well as unique identifiers. The primary XVDs are stored in the console's flash (eMMC). This is obviously where the bootloaders are stored too.

When you start the console, it'll begin by loading the boot.bin located in flash, verify, decrypt, and move on to each stage. Once it reaches the last stage, 2BL, it'll boot the Host operating system, which is responsible for creating and monitoring the Xbox VMs (SRA, ERA).
After Host is booted it'll straight up boot into System (pretty much the OS we use and see) and will load Home.

Keys are stored in said Security Processor and there is no way of obtaining them so far. Probably expensive, but mind you that not many at all, pretty much no one as far as I am aware, has looked much into it.
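Sketch's description of the boot chain (each stage verified and decrypted before the next one runs, headers that carry flags and identifiers, a root key held in the security processor) is what the rest of the thread keeps running into, so here is a small model of that structure as an added example. It is not code from the thread, from Sketch, or from Microsoft. Everything in it is constructed: the 48-byte header layout, the stage names, the root key, and the use of HMAC-SHA256 as a stand-in for the RSA signature check on the first stage; the real XVD and bootloader formats are not this. Decryption is left out. What it shows is why flipping a single byte in any stage, including a header flag, halts the chain at that stage and nowhere later.

```python
"""Model of a staged verified boot chain (constructed example, not the real Xbox format).

Stage 0 is authenticated by a root-of-trust key. Every stage header embeds the
SHA-256 of the next stage, so a change anywhere in a later image (payload or
header flags) breaks the hash its predecessor vouched for.
"""
import hashlib
import hmac
import struct
from typing import List, NamedTuple, Tuple

# Constructed constants for this illustration only.
MAGIC = b"VBI0"
FLAG_READ_ONLY = 0x1
HDR_FMT = "<4sI8s32s"                # magic, flags, stage name, SHA-256 of next stage
HDR_LEN = struct.calcsize(HDR_FMT)   # 48 bytes
ROOT_KEY = b"constructed-root-of-trust-key-00"   # stands in for a key fused into the security processor

# Constructed stage contents; names follow the thread's boot.bin -> 2BL -> Host order.
DEMO_STAGES = [
    ("boot.bin", b"first-stage loader code"),
    ("2BL", b"last bootloader stage"),
    ("Host", b"hypervisor / host OS image"),
]


class Header(NamedTuple):
    flags: int
    name: str
    next_hash: bytes


def build_stage(name: str, payload: bytes, next_hash: bytes, flags: int = FLAG_READ_ONLY) -> bytes:
    raw_name = name.encode()
    if len(raw_name) > 8:
        raise ValueError("stage name longer than 8 bytes")
    hdr = struct.pack(HDR_FMT, MAGIC, flags, raw_name.ljust(8, b"\0"), next_hash)
    return hdr + payload


def parse_header(stage: bytes) -> Header:
    magic, flags, name, next_hash = struct.unpack(HDR_FMT, stage[:HDR_LEN])
    if magic != MAGIC:
        raise ValueError("bad magic")
    return Header(flags, name.rstrip(b"\0").decode(), next_hash)


def is_read_only(stage: bytes) -> bool:
    return bool(parse_header(stage).flags & FLAG_READ_ONLY)


def sign_root_stage(stage: bytes, key: bytes = ROOT_KEY) -> bytes:
    # HMAC-SHA256 stands in for the asymmetric signature a real root of trust checks.
    return hmac.new(key, stage, hashlib.sha256).digest()


def build_chain(stages: List[Tuple[str, bytes]]) -> Tuple[List[bytes], bytes]:
    """Link stages back to front so each header carries the hash of its successor."""
    images: List[bytes] = []
    next_hash = bytes(32)            # final stage points at nothing
    for name, payload in reversed(stages):
        img = build_stage(name, payload, next_hash)
        images.insert(0, img)
        next_hash = hashlib.sha256(img).digest()
    return images, sign_root_stage(images[0])


def verify_chain(images: List[bytes], root_sig: bytes, key: bytes = ROOT_KEY) -> Tuple[bool, str]:
    """Walk the chain the way a boot ROM would: stop at the first stage that fails."""
    if not images:
        return False, "empty chain"
    if not hmac.compare_digest(sign_root_stage(images[0], key), root_sig):
        return False, "stage 0: root signature mismatch"
    booted: List[str] = []
    expected = None
    for i, img in enumerate(images):
        if expected is not None and not hmac.compare_digest(hashlib.sha256(img).digest(), expected):
            return False, f"stage {i}: hash does not match previous stage header"
        try:
            hdr = parse_header(img)
        except ValueError as exc:
            return False, f"stage {i}: {exc}"
        booted.append(hdr.name)
        expected = hdr.next_hash
    return True, " -> ".join(booted)


def flip_byte(img: bytes, offset: int) -> bytes:
    """Simulate a one-byte modification to an image at the given offset."""
    buf = bytearray(img)
    buf[offset] ^= 0x01
    return bytes(buf)


if __name__ == "__main__":
    imgs, sig = build_chain(DEMO_STAGES)
    print("clean chain:", verify_chain(imgs, sig))
    tampered = list(imgs)
    tampered[1] = flip_byte(tampered[1], 4)      # flip the read-only flag in the 2BL header
    print("flag flipped:", verify_chain(tampered, sig))
```

Offset 4 is the flags field in the constructed header, so the second run in the usage block shows that a header flag is covered by the previous stage's hash just as the payload is; modifying it fails the check at stage 1 rather than being honoured as a writable image.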
 
schitzotm:
> So since it's Windows, basically, can anyone list what the console does on boot? I think everyone is looking in the wrong direction with this.

Sketch is a wealth of knowledge.

To add, it is a custom OS but has many characteristics of the Win10 RT OS, in that it is locked to the XBL store only. Much like RT being locked to store-only items.
 
Lipton01:
If we can get Linux to run on Xbox One, there are scripts that will force the user to root. I have knowledge of running scripts on Linux computers that force root, basically a shell. Since the Xbox One has basically no virus protection whatsoever and uses Java, what if I were to create a shell, basically going on the Xbox web browser and visiting an infected site? I would like to see what user agent the Xbox uses while web browsing; there could be a possible vuln in gaining root, and once you have root you can literally attach dbgprint to anything that outputs data. This would be just for gathering more info on the boot process and what we can touch or can't.

I saw the Xbox has something similar called an RCE exploit or anything. I can't seem to find anything worth remembering, as everyone is just putting in their two cents and not giving actual research.

We could be able to exploit the box via Linux via Apache, or by glitching the console, but if I remember correctly at E3 backstage someone had asked the devs about glitching and they said something about the processor being too new for flaws. I wouldn't knock the glitching method entirely, but it would be a lot of trial and error and a lot of Xboxes to even get somewhere worth posting about.
 
Sketch:
Can't run Linux without a way to break the boot chain, modify the bootloaders (VBI) and actually get it going.
You're overlooking too much. Glitching is a possibility, yes; there's only one place that I personally know of that had interest on the board, but it probably results in nothing.

Quite a bit has been looked into. Also, the Xbox One does enforce security dramatically. It's locked down, will only run signed executables, and will kill the console on any instance of possible bugs present in the Host or System VM. Again, without a way to tamper with the Host kernel memory, or with some point in the boot chain, it will not yield interesting results.

Overlooking far too much. You need to understand a little bit more of how it works.
 
Lipton01:
Honestly, my college has a quantum computer. What are you trying to do?
 
schitzotm:
> If we can get Linux to run on Xbox One, there are scripts that will force the user to root. [...]
> We could be able to exploit the box via Linux via Apache, or by glitching the console [...]

Whoa... slow it down a bit.
Edge had and still has multiple flaws to exploit it. But what are you going to do once you get there? Are you trying to exploit by simply entering a root command in userspace?
It does not work that way.
So you want to use a Linux shell to exploit the console to root?
How are you going to boot Linux while preserving the original operating system?
Now on the web attack vector, this can and has already happened. To my knowledge they never escaped Edge.
I don't know if Sketch ever got around to his write-up on the operating system of the Xbox One or not. If so you can learn much from there. There are also multiple other avenues to look up this info. You need a deeper understanding of how the system operates and the differences between it and Windows 10.
This is not the Windows 10 operating system. It is based on the Windows 10 kernel. (Not the OS, and it is not the Windows 10 kernel like your PC.)
It is custom made for the Xbox One. Many exploit vectors on Windows 10 are not shared on Xbox One. Many Edge exploits that gain permissions on Windows 10 simply will never gain anything on Xbox One.

> Honestly, my college has a quantum computer. What are you trying to do?

Ok, if you have access to a "quantum computer" then brute force the hard drive.
Should only take you about 30 minutes.
Then I will dump the MMC data and send it to you.
I need two keys and a signature key.
 
Sketch:
I don't think I've even seen anything in regards to quantum computing being able to even begin to have a chance at breaking RSA-2048. We're far off... and a lot of articles sensationalize the technology.

> Ok, if you have access to a "quantum computer" then brute force the hard drive. [...]

Just a little heads up; the hard drive is useless to touch since it's all readable, except for the contents, so yeah. eMMC is kinda mapped out; it seems to be only the bootloader, a few OS XVDs and a couple of files that are encrypted, but the rest is readable content. Just slow to map out since System OS doesn't deal much with them directly. Assuming Host OS does it, ofc.

One key to rule them all though.
 
Lipton01:
> Whoa... slow it down a bit. Edge had and still has multiple flaws to exploit it. But what are you going to do once you get there? [...]
> Ok, if you have access to a "quantum computer" then brute force the hard drive. [...]

Basically going on Edge and visiting a Java drive-by site which can execute scripts once the user visits the page.

If you need more information I suggest checking this link out.

With a shell exploit you can escalate privileges easily.

> I don't think I've even seen anything in regards to quantum computing being able to even begin to have a chance at breaking RSA-2048. [...]
> One key to rule them all though.

Interesting. I would like to see the System OS, and seeing that the Xbox has a task manager I'm almost positive a shell exploit could work, but from what I'm reading it seems a lot depends on privileges and the BIOS sequence.
 