Discussion [Theory] Xbox One Cold Boot Exploit

  • Thread starter KittenMilkshake
Chr0m3 x MoDz
Interesting to see what little progress is being made. If anyone ever wants to test anything, I have a very old system that is console banned (it's still on the Windows 8 OS), yes, it's that old.

A few notes: I'm not interested in working with people who will be releasing/selling what's found, I've been in enough lawsuits, thanks.

But if anyone serious ever needs a console that old to test on, PM me. It goes without saying that I won't be sharing anything that comes out of it, and I'd hope you don't either.

I'd even be happy to just give the console to someone (if they pay shipping) if they are actually going to make use of it and get somewhere.

Don't bother messaging me just for a free Xbox; as I said, you'd have to actually be able to prove you can put it to good use.

I also have an Ex-ERA Xbox One devkit if that'd be of use (doubt it). Important to note the "Ex": I use it as a retail now, lol.
schitzotm
Here is an interesting article. The Wi-Fi card for the Xbox One is, I guess, exploitable: https://www.google.com/amp/s/www.zd...s-laptops-smartphones-routers-gaming-devices/
The card itself isn't the exploitable part. The console's code for seeking Wi-Fi, however, is.
One of the biggest problems with this is that there is nothing released to go off of. The person that found this bug refuses to share it with the public. It would be building from scratch, and very short lived; I would expect a patch soon. And since nobody was working on this for the Xbox One, it just remains a theory. The console could very well protect itself against this kind of intrusion.
I would bet not, though.
Bigger question would be: what access would you have after entry?
Sketch
> The card itself isn't the exploitable part. The console's code for seeking Wi-Fi, however, is.
> One of the biggest problems with this is that there is nothing released to go off of. The person that found this bug refuses to share it with the public. It would be building from scratch, and very short lived; I would expect a patch soon. And since nobody was working on this for the Xbox One, it just remains a theory. The console could very well protect itself against this kind of intrusion.
> I would bet not, though.
> Bigger question would be: what access would you have after entry?

It'd most likely end up with Host OS kernel execution. From there you could pull off an alright amount, but it comes down to the implementation.
Sycc
If you could do this on an Xbox One, the Xbox One engineers would have already been fired.
KittenMilkshake
> If you could do this on an Xbox One, the Xbox One engineers would have already been fired.

Don't be so skeptical. Developers cannot know of every exploit they missed and couldn't patch. There is a vulnerability in the Xbone, as with every other single piece of tech. The issue is we do not know that exploit.

Thing about exploits is they like to hide. You do not know they are there until you push the system beyond what it can do. Developers know this, but they are not perfect. You should study penetration testing, buddy.

Note: I never thought I would get 8k views; I was just spitballing here.
schitzotm
> Don't be so skeptical. Developers cannot know of every exploit they missed and couldn't patch. There is a vulnerability in the Xbone, as with every other single piece of tech. The issue is we do not know that exploit.
>
> Thing about exploits is they like to hide. You do not know they are there until you push the system beyond what it can do. Developers know this, but they are not perfect. You should study penetration testing, buddy.
>
> Note: I never thought I would get 8k views; I was just spitballing here.

Did you ever get anything from cold booting?
I have dumped something from the security processor. Not sure if I have it all, though; seems a bit small. Now waiting on a blank chip and gonna try to image it to the blank, then I'm going to cap it.
 
Skudge

Skudge

Getting There
Messages
460
Reaction score
350
Points
190
Sin$
0
> Did you ever get anything from cold booting?
> I have dumped something from the security processor. Not sure if I have it all, though; seems a bit small. Now waiting on a blank chip and gonna try to image it to the blank, then I'm going to cap it.

You ever get anywhere with this?
schitzotm
> You ever get anywhere with this?

I did. I learned I should stick to building games within a game engine.
I have spent a ton of money to get basically nowhere. I dumped the security processor. I wrote it back to a blank chip. I used a very expensive machine and installed the copy chip on the console. It functions completely.
So yay, successful dump.
Best I can see is the two processors work as a shared logical process.
I had no luck with capping (likely because I really didn't know what I was doing there).
The more I look at the flash, the more it appears to almost be its own OS. Not much of one, but enough to process signed headers.
This is where I stopped (basically no further).
Work has gotten in the way of fun for now.
NIGHTDEAMON
... what if we just build another console that runs XB1 games but allows CFW? Much like the N64, but more advanced. Is it even possible?
schitzotm
> ... what if we just build another console that runs XB1 games but allows CFW? Much like the N64, but more advanced. Is it even possible?

Not needed.
Don't listen to Sketch. He doesn't know what he's talking about.... lol
All anyone has to do is ask Cortana to run custom firmware on the Xbox One and she will. It's simple, but nobody ever thought to just ask Cortana.
I asked her to give me godmode on the new CoD, and just as fast as I asked I was in Call of Duty with godmode.
Then I asked her to hack the console and she did. Then I asked her to pirate some games, and now I have every game out for Xbox.
 
AzzidReign

AzzidReign

Teabaggin in 2024
Administrator
Platinum Record A Milli Tutorial Creator
Messages
21,696
Solutions
3
Reaction score
28,306
Points
2,755
Sin$
0
> Don't listen to Sketch. He doesn't know what he's talking about.... lol
> All anyone has to do is ask Cortana to run custom firmware on the Xbox One and she will. It's simple, but nobody ever thought to just ask Cortana.
> I asked her to give me godmode on the new CoD, and just as fast as I asked I was in Call of Duty with godmode.
> Then I asked her to hack the console and she did. Then I asked her to pirate some games, and now I have every game out for Xbox.

That's incredible. Care to write up a tutorial on the process? I want Godmode on Pokémon Go... so all I gotta do is ask Cortana and she can mod my Android phone?! This is next level ****.
schitzotm
> That's incredible. Care to write up a tutorial on the process? I want Godmode on Pokémon Go... so all I gotta do is ask Cortana and she can mod my Android phone?! This is next level ****.

Lol, truth be told, on Windows at least Cortana has full access. On Xbox One I do not know if this is the case. I would assume the same permissions are granted. And actually, it is likely Cortana was not written custom for the Xbox, so there would be a slim chance the AI could be key. Hehe.
(Even Siri on iPhone is given low-level access.)
Tyguy13455
> Lol, truth be told, on Windows at least Cortana has full access. On Xbox One I do not know if this is the case. I would assume the same permissions are granted. And actually, it is likely Cortana was not written custom for the Xbox, so there would be a slim chance the AI could be key. Hehe.
> (Even Siri on iPhone is given low-level access.)

Interesting stuff, buddy. I think the whole reason everyone is struggling with any XB1 exploitation so far is that #1 it's running basically its own OS (yes, kind of a sub-version of Win 10), but every time I think of it as a "Windows" type OS it throws me a curve ball. If you want my opinion, the TrustZone exploit was and may be the only way to get past this console's sandbox.
 
CycloneXCry

CycloneXCry

Newbie
Messages
12
Reaction score
0
Points
45
Sin$
0
> Don't be so skeptical. Developers cannot know of every exploit they missed and couldn't patch. There is a vulnerability in the Xbone, as with every other single piece of tech. The issue is we do not know that exploit.
>
> Thing about exploits is they like to hide. You do not know they are there until you push the system beyond what it can do. Developers know this, but they are not perfect. You should study penetration testing, buddy.
>
> Note: I never thought I would get 8k views; I was just spitballing here.

Still down to link up? Because I'm ready for this thing to get a crack.
 
dr NHA

dr NHA

Enthusiast
Messages
85
Solutions
1
Reaction score
16
Points
65
Sin$
7
> Still down to link up? Because I'm ready for this thing to get a crack.

I'm down too; sick of thinking, might as well get to work. Even if we can't hide from XBL and can't go online, a retail console with full permissions is all I ask for.
 
Tanksrforchumps

Tanksrforchumps

Enthusiast
Messages
70
Solutions
1
Reaction score
10
Points
55
Sin$
0
I'm down to try; seems the PS4 scene is dying and they've gone politically insane with their WebKit BS.
roy w gibson
What about modding a game save from the Xbox console or using USB media?
KittenMilkshake
Sorry for the hiatus, guys. I was working on securing a job and getting things in order. Now that I have, my interest in console modding has been piqued again. Recently bought 2 Trinitys and a Jasper, JProgs, CR4s, 0603 SMD LEDs for ROL and controller, and a few XMODE chips. Despite that being 360 related, I'm still very much interested in working with Xbox One.

> Interesting to see what little progress is being made. If anyone ever wants to test anything, I have a very old system that is console banned (it's still on the Windows 8 OS), yes, it's that old.
>
> A few notes: I'm not interested in working with people who will be releasing/selling what's found, I've been in enough lawsuits, thanks.
>
> But if anyone serious ever needs a console that old to test on, PM me. It goes without saying that I won't be sharing anything that comes out of it, and I'd hope you don't either.
>
> I'd even be happy to just give the console to someone (if they pay shipping) if they are actually going to make use of it and get somewhere.
>
> Don't bother messaging me just for a free Xbox; as I said, you'd have to actually be able to prove you can put it to good use.
>
> I also have an Ex-ERA Xbox One devkit if that'd be of use (doubt it). Important to note the "Ex": I use it as a retail now, lol.

I'm going to PM you; I am very interested in purchasing them.

> Still down to link up? Because I'm ready for this thing to get a crack.

If you're still around, sure. Two brains are better than one at solving something.

> Not needed.
>
> Don't listen to Sketch. He doesn't know what he's talking about.... lol
> All anyone has to do is ask Cortana to run custom firmware on the Xbox One and she will. It's simple, but nobody ever thought to just ask Cortana.
> I asked her to give me godmode on the new CoD, and just as fast as I asked I was in Call of Duty with godmode.
> Then I asked her to hack the console and she did. Then I asked her to pirate some games, and now I have every game out for Xbox.

Have you ever even flashed firmware before? Xbox will only run signed code. That's why you have to flash the NAND with ECC, then the firmware.

> What about modding a game save from the Xbox console or using USB media?

Signed code.

I have not read much into the leaked SDK, but that looks very interesting and could lead somewhere. That in combination with an Xbox One with Dev Mode activated might be able to get something to work. I believe you can wrap .exes with a UWP Windows wrapper and run it on an Xbox One with Dev Mode activated. The only problem is we would need to find essentially a 0-day sandbox/hypervisor escape exploit. I do cyber security for a career, but I'm not even close to having my certs to do security analysis and exploit discovery. I would like to explore the idea of breaking out of a sandbox, maybe via a segmentation fault or faulty permissions. The more "stuff" there is and the more complicated an OS is, the greater the number of exploits present. There are tons for Windows 10, which is basically Xbox OS.
schitzotm
Without getting into some heavy hardware hacking, it would appear the web browser is just about the best entry. It appears some games have a game-to-browser connection. I do not know if that is a two-way street or not. It would seem one could set up a site with the payload and use an entire-network browser redirect using whatever site the game directs you to. As far as payloads and websploits go, I have not made any attempts. Been quite busy lately.
This may be the only real way to start.