diergray

Has anyone been watching the screensavers lately. They have been doing a lot of console mods. I decided to post a poll to see who has modded their systems. I am thinking about modding my xbox so I can have a media system. Still haven't decided which chip to use.

__________________
"Behold the turtle. He makes progress only when he sticks his neck out.” ~ James Bryant Conant

stazen

You don't even need to use a chip anymore...

Thanks to the free-x exploit
<a href="http://forums.xbox-scene.com/index.php?act=ST&f=45&t=73499&">Xbox Scene</a>

Here's the official release from the person who discovered the exploit.
XBOX Security

-= Security Advisory =-



Advisory: XBOX Dashboard local vulnerability
Release Date: 2003/07/04
Last Modified: 2003/07/04
Author: Stefan Esser [se@nopiracy.de]

Application: Microsoft XBOX Dashboard (up to today)
Severity: A vulnerability within the XBOX Dashboard allows to
totally compromise the security features of the XBOX.
Risk: Critical
Vendor Status: Vendor is not willing to talk about XBOX vulnerabilities.


Overview:

The XBOX Dashboard is what appears when you turn the XBOX on without a
disc in the DVD drive. It will let you adjust system settings, manage
your save games, play and rip audio CDs and configure your XBOX Live
account. It is the heart of the XBOX and its most vulnerable point,
because it lacks several security restrictions which are enforced on
games. This includes the lack of the reboot-on-eject-button "feature",
which is obligatory for all games.

The existance of an exploitable vulnerability within the dashboard could
totally compromises the XBOX security system. It will make the box
independent from Microsoft signed code and therefore this information is
released to the public now on the 4th of July 2003, the day of the XBOX
Independence.


Details:

Microsoft knows that a vulnerability within the XBOX dashboard could
have serious impact. This is underlined by the fact that the dashboard
checks most of its files against an internal stored SHA1 hash value
before it uses them.

For an unknown reason this check is not performed on the audio (.wav)
and font (.xtf) files. Unfourtunately for Microsoft there exists an
exploitable integer underflow vulnerabilitiy within the font file loader
which can be exploited with a malformed font file. When the XTF header
is processed the dashboards reads a 4 byte blocksize field from the font
file. This is expected to represent the size of some datablock including
the 4 bytes of the size field itself. The blocksize is then allocated
and the sizefield is copied into the beginning of the buffer. This is
already a possible overflow bug when the field contains the values 0..3.
Due to memory alignment this is not exploitable. But then the blocksize
is decreased by 4 because the dashboard wants to read the rest of the
block into memory. Obviously values of 0..3 will underflow when
decreased by 4 and this results in the dashboard wanting to read up to
~4 gigabytes of data from the font file in a f.e. 3 bytes buffer.

Because the XBOX malloc()/free() implementation is also storing control
information inbound and is similiar to the Windows 2000/XP heap
allocators this bug is exploitable and allows execution of arbitrary
code. The attached proof of concept code shows that exploiting is
possible with offsets that are equal on all dashboards and XBOX versions
known.

BTW: the dashboard loads its font files directly after the XBOX start
animation. This means the exploit does not need any user
interaction and when the code is executed only part of the
dashboard background is on screen.


Proof of Concept:

Attached you will find a proof of concept exploit which will start
linux. To install it you have to rename the 2 XBOX font files within the
font directory of the dashboard partition and then copy ernie.xtf and
bert.xtf into this directory. (If you have an XBOX with an older
dashboard the font directory does not exist and you must do the renaming
and file adding work in the main directory). Once the new fonts are in
place you copy the default.xbe (which is a copy of xbeboot) into the
main directory and add your favourite linux to it.


Trustworthy Computing:

Trustworthy Computing at its best. Nearly 2 Years ago I reported an SSL
vulnerability within IE to Microsoft. 1 month later I released
information about this bug to the public because MS did absolutely
nothing. The vulnerability was nearly forgotten, it only exists on the
list of 19 unpatched IE vulnerabilities anymore. But this is wrong, the
vulnerability was indeed fixed with one of the many IE patches in the
middle of last year. Well is secretly fixing bugs without an official
advisory trustworthy?


Anticipated Questions:

Q1: How do I get the files onto the harddisk?

A1: There are several ways. You could f.e. install the files with the
Mechassault or 007 hacks. This requires one of the games and the
files on a memorycard. The other way is to open the box and do the
harddisk swap trick which is described all over the net.


Q2: This vulnerability is in the dashboard, isn't it? So Microsoft can
simply update the dashboard with XBOX Live or with the help of new
games.

A2: Yes Microsoft could try to upgrade the dashboard and fix the
vulnerability with such an update, but keep in mind that this
vulnerability is like a "local root" hole. You can do nearly
everything with it and this includes redirecting reads and writes to
the xboxdash.xbe file. Additionally people who do not play games on
their box will not be reachable with such updates. And groups who
pirate games can always disable the update feature.


Q3: Well but MS can make the kernel block the vulnerable dashboard.

A3: Indeed they can. But until boxes with new kernels reach the market
we will have the end of this year (You can still get 1.0 boxes in
shops over here) and they can only fix the bugs they know about.


Q4: Is it possible to play "backed-up" games with this?

A4: Yes it is possible to play pirated games by using this vulnerability
but my proof of concept code will not allow this. You have to change
the exploit to patch the kernel in memory. This is not very hard and
I am not going to help you with this.


Q5: Can I go "Live" with this hack?

A5: You have full control over the box with this vulnerability. You can
modify the exploit to allow XBOX Live playing but this will only
start a cat & mouse game with Microsoft.


Q6: I have read that I can solder my mainboard with this hack...

A6: This exploit has nothing to do with soldering, It will just run
everything you want on unmodded (and even unopened) XBOXes. Infact
when this hack is installed you do not need to solder anything to
get your homebrew or whatever applications to run.


Copyright 2003 Stefan Esser. All rights reserved.

Ganguro

I would only buy an xbox TO mod, but i would love a modded gamecube but cant get one.. know why?
because other than a region modifier.. you cant mod the sucker!
It's kinda a pain, but i love Nintendo for thinking ahead.

2 years and only 1 non critical hack? That's unheard of these days

TerresqueÜ

I've equipped a PS2 with a mod-chip to play import games. Does that count?

__________________
Say yes to the 'Tilted Roleplaying' Forum

http://www.tfproject.org/tfp/showthread.php?s=&threadid=1932&highlight=petition

BAMF

I wouldnt say Nintendo thinks to far ahead.
Proof:
Playstation
Nintendo 64

Playstation 2
Gamecube

Remember that nintendo could have owned it all. That and the recent statement that nintendo doesnt believe in the future of online gaming, so it wont be included on the next system.

Manw/0pants

if i had a console to mod i would but i dont have one thats worth modding so o well

LNCPapa

I have 2 modded PS1a and a modded PS2. Does a Z64 for my N64 count as a mod? I doubt it, but I have one of those too. I haven't modded my XBox yet - since I never really play it.

__________________
No mercy for the bandwidth impaired

oscar0308

i have a PS1 that i modded a long time ago, but havent done my PS2 and not sure that i will. my buddy says that his modded PS1 (we did the mod together) wont play any of the newer games and can 'see' the mod chip.

that said.. can this happen with this xbox 'mod'? why couldnt they just write a check into a game and refuse to allow the game to progress in a modded unit like the PS1 problems my buddy has. i may be totally off here cause i cant say i totally understand this xbox hack. sounds very promising though... and if it works, i may be going out and purchasing one myself.

LNCPapa

I believe that was the reason they released the stealth mod chip for the PS1. I have that version installed in one of my PS1s (the one I actually use) and I've never had a problem with any PS1 game. Not sure if the XBox mods out there already are or need to be stealth.

__________________
No mercy for the bandwidth impaired

guthmund

I've modded two x-box systems.

I helped a friend install his mod chip, install a new dashboard, and slap in a bigger hard drive.

I've installed a "solder-less" chip in mine and installed a new dashboard. I'm fixing to install the bigger hard drive.

My friend didn't bother "locking" his drive (it's a security feature for x-box live) so he can't play his online, but I plan to lock mine so when I jump on x-box live there will be no problems.

__________________
No signature. None. Seriously.

rockzilla

I modded my PS1 by myself back in the day, as did one of my friends. Between us, we must have about 250 or so PS1 games.
Shortly after the PS2 came out, my buddy bought one, and ordered a chip off the net. He tried to install it himself but ended up blowing the power source. He still managed to sell it on Ebay for something like $180 US, which he put towards another PS2. This time he paid someone to install the chip for him.
I was rather amused when Sony was claiming that the PS2 was unhackable, and some kid in Hong Kong came up with a hack within minutes of getting one of the first run of PS2's home.