# Looking for testers for potential xbox one vulnerabilities



## XboxModder2 (Nov 29, 2022)

Hello there, It has been confirmed that the *BD-JB Blu-ray Disc Java Sandbox Escape by TheFlow can be used on the xbox one family and potentially xbox series x/s, even on the current firmware of each of the consoles, *so the tech is available on the Xbox One. We would need to dump the interpreter's binary and look for vulnerabilities. As for reversing & exploiting the interpreter: it's very easy to obtain the binaries from a dev-mode console nowadays, so it isn't a far-fetched idea to maybe look up for vulns.


How? (quoted from torus)

"You'll likely need to do static reverse engineering of that application, using tools like Ghidra, IDA Pro, or radare2.
To do that, you first also need to find the application itself in your devmode console, and extract it to your PC. *Where can you find the binary in charge of executing BD-J in the xbox one?* Honestly no idea. I took a quick look at the drivers in C:\Windows\System32 in the Xb1 to see if I could quickly identify something related to ODD, BD, BluRay but I saw nothing. I'll let you know if I stumble upon it, or, if someone knows where to look into, don't hesitate to share w/ all of us "


	Post automatically merged: Nov 29, 2022


----------



## Kopimist (Dec 2, 2022)

If I had a blu-ray burner I'd be a tester but alas I do not. I do have Durango ftp installed on retail mode on my Xbox one, not sure if that's of any help at all for poking around inside the system files.

If I can be of assistance in anyway please let me know


----------



## XboxModder2 (Dec 2, 2022)

Post automatically merged: Dec 2, 2022



Kopimist said:


> If I had a blu-ray burner I'd be a tester but alas I do not. I do have Durango ftp installed on retail mode on my Xbox one, not sure if that's of any help at all for poking around inside the system files.
> 
> If I can be of assistance in anyway please let me know


will do!


----------



## Kopimist (Dec 2, 2022)

brouh said:


> Post automatically merged: Dec 2, 2022
> 
> 
> will do!


Just to clarify, I don't have access to dev mode nor can I afford it at this point in time. I wish Microsoft was still doing free dev accounts for students, I'd be all set. Oh well, I missed that boat on that offer


----------



## XboxModder2 (Dec 2, 2022)

Kopimist said:


> Just to clarify, I don't have access to dev mode nor can I afford it at this point in time. I wish Microsoft was still doing free dev accounts for students, I'd be all set. Oh well, I missed that boat on that offer


Ah i see..., alright


----------



## MrQQ (Dec 4, 2022)

This isnt going to lead to anything sadly based on my own research. No sandbox escape or hyperv escape. ODD key is stored in NVram on the ODD and cannot be read as registers for the flash arent known. You may be able to achieve some sort of userland exploit but the ryzen co processor will be watching. Much more research needed sadly.


----------



## XboxModder2 (Dec 4, 2022)

MrQQ said:


> This isnt going to lead to anything sadly based on my own research. No sandbox escape or hyperv escape. ODD key is stored in NVram on the ODD and cannot be read as registers for the flash arent known. You may be able to achieve some sort of userland exploit but the ryzen co processor will be watching. Much more research needed sadly.


Oh alright, thank you for the information, but can this be considered as some sort of escape from the sandbox?


----------



## TomChaai (Dec 4, 2022)

XboxModder2 said:


> Oh alright, thank you for the information, but can this be considered as some sort of escape from the sandbox?



He said the escalation happened on dev consoles, so it won't work on retail.
Escaping the BD app probably does nothing as the administrator privilege only happens in appOS, it can't reach down into the hostOS, it probably isn't able to see the real hardware, only the virtual ones presented to the appOS by the hostOS.
You can mess with the appOS all you want, still nothing gets to the hostOS to alter the gameOS from what I know.
And the fact that this is dev mode only probably means you have zero insight into the retail side of things, which uses totally different key trees enforced by the hostOS and the security processor on the SoC, can't even get to the files in this situation.


----------



## fringle (Dec 4, 2022)

TomChaai said:


> He said the escalation happened on dev consoles, so it won't work on retail.
> Escaping the BD app probably does nothing as the administrator privilege only happens in appOS, it can't reach down into the hostOS, it probably isn't able to see the real hardware, only the virtual ones presented to the appOS by the hostOS.
> You can mess with the appOS all you want, still nothing gets to the hostOS to alter the gameOS from what I know.
> And the fact that this is dev mode only probably means you have zero insight into the retail side of things, which uses totally different key trees enforced by the hostOS and the security processor on the SoC, can't even get to the files in this situation.


He said Dev mode not Dev console.  If you are not aware Dev mode is an option available on retail consoles.  It use to be free but MS started charging for access to it.


----------



## XboxModder2 (Dec 4, 2022)

TomChaai said:


> He said the escalation happened on dev consoles, so it won't work on retail.
> Escaping the BD app probably does nothing as the administrator privilege only happens in appOS, it can't reach down into the hostOS, it probably isn't able to see the real hardware, only the virtual ones presented to the appOS by the hostOS.
> You can mess with the appOS all you want, still nothing gets to the hostOS to alter the gameOS from what I know.
> And the fact that this is dev mode only probably means you have zero insight into the retail side of things, which uses totally different key trees enforced by the hostOS and the security processor on the SoC, can't even get to the files in this situation.





it is dev mode


----------



## MrQQ (Dec 5, 2022)

XboxModder2 said:


> it is dev mode



Precisely so nothing will work sadly. Retail keys are not known sadly.


----------



## XboxModder2 (Dec 5, 2022)

MrQQ said:


> Precisely so nothing will work sadly. Retail keys are not known sadly.


okay thanks


----------



## lolki (Dec 6, 2022)

Is there something we can do? If yes, how? Otherwise, let's wait for news, one day there will be for sure, and it's a matter of time.


----------



## lolki (Dec 6, 2022)

Are the keys in dev the same keys in retail mode? asking another way: if I get the keys in dev mode, I believe that dev mode is superior to retail mode and provides the basis for this or because it has more privileges than retail mode: so should it work or are the systems completely different? thanks for the patience


----------



## MrQQ (Dec 7, 2022)

lolki said:


> Are the keys in dev the same keys in retail mode? asking another way: if I get the keys in dev mode, I believe that dev mode is superior to retail mode and provides the basis for this or because it has more privileges than retail mode: so should it work or are the systems completely different? thanks for the patience


No they are not. Retails keys are not known as I said earlier


----------



## Kopimist (Dec 10, 2022)

lolki said:


> Are the keys in dev the same keys in retail mode? asking another way: if I get the keys in dev mode, I believe that dev mode is superior to retail mode and provides the basis for this or because it has more privileges than retail mode: so should it work or are the systems completely different? thanks for the patience


Dev mode runs in a sandbox so it's limited in comparison to retail mode. Major difference is it lets you run unsigned homebrew etc though. I mean theoretically if someone could write an exploit to break out of said sandbox that would be another option. Much easier said than done though I'm afraid. The Xbox One is pretty damn locked down against software exploits. I wonder if attacking via hardware might be a better option. Perhaps some sort of hardware mod to enable a coldboot exploit or something. Of course I'm just brainstorming here. Retail keys may still need to be dumped for even that to work but I'm honestly not sure


----------



## TomChaai (Dec 18, 2022)

fringle said:


> He said Dev mode not Dev console.  If you are not aware Dev mode is an option available on retail consoles.  It use to be free but MS started charging for access to it.


Doesn't change anything, dev mode is the same on retail or dev consoles, as long as it is the "same" dev mode, SRA/UWA or ERA. We have retail consoles activated as ERA just fine, not the free/cheap SRA stuff MS gives out to the general public.
Dev mode runs on seperate keychains entirely, anyting done dev mode can't be decrypted by retail keychains.
If there is no hostOS exploit, any dev mode changes are useless.

	Post automatically merged: Dec 18, 2022



XboxModder2 said:


> it is dev mode



Doesn't change anything. A retail console in dev mode is an entirely separate instance, reaching sideways from appOS into gameOS isn't possible, you need to reach down into hostOS, hypervisor or even SP then reach up into gameOS for any useful exploit to happen.


----------

