Hacking [Info] Xbox One - Getting somewhat started

Thread starter: Deleted User

FR0ZN

> I have done RGH on my Xbox 360 slim and flashed the drive on a Zephyr. I made my own probe by following a tutorial. I tried to activate Dev mode on my console; I used my school email and still didn't get to activate it. Not sure why.

That's not what I meant.
You used finished products and followed tutorials, but you probably don't know what exactly you did there and why you had to do it to achieve a certain goal.

If you really want to start attacking devices you need to understand the way they work and what exactly they are doing.
Try to reimplement them in your own way from scratch and start with the easier hacks.

Only so you can learn what it really takes to hack these things.
You will not find points on the XBO drives where it basically says "solder your wires here to dump the drive" - trust me :D
After all that happened to the 360, this won't be the way to do it ;)
 

Max4life

> That's not what I meant.
> You used finished products and followed tutorials, but you probably don't know what exactly you did there and why you had to do it to achieve a certain goal.
>
> If you really want to start attacking devices you need to understand the way they work and what exactly they are doing.
> Try to reimplement them in your own way from scratch and start with the easier hacks.
>
> Only so you can learn what it really takes to hack these things.
> You will not find points on the XBO drives where it basically says "solder your wires here to dump the drive" - trust me :D
> After all that happened to the 360, this won't be the way to do it ;)

You said there is a dump of the drive firmware. Do you have a copy of it or can you get a copy of it?
 

Joom

> The extent of "Win32" would allow people to eventually write their own services and command-line applications, of course for services it would require an exploit of sorts (mainly priv-esc) but would be useful. Nothing graphical will happen with Win32 without patching some critical parts. I could be wrong.

Cool, so something basic could be possible. I might look into getting something to execute. I don't need anything graphical, and I can compile COM binaries.
 

Deleted User (OP)
> I only registered to say THANK YOU, because in 2016 I uploaded a video about the S: Path but people did not believe me and replied with comments that the video was fake and blah blah blah. I'm really happy that now in 2018 someone has shown that I was telling the truth. Thank you, and BTW it's just the start; there is much more to come to show as proof.
> So thank you very much.

That's been known for a very long time. Those paths are useless though. Many things happening but it takes time. Those also aren't the absolute real paths of any apps. The console uses them for other reasons. Not really a secret either, but I can see why many would be curious.
 

Max4life

> That's been known for a very long time. Those paths are useless though. Many things happening but it takes time. Those also aren't the absolute real paths of any apps. The console uses them for other reasons. Not really a secret either, but I can see why many would be curious.

Good morning everyone.
One path leads to another, right. It's based on Windows.
Can someone modify an emulator to make it overload the memory? I am thinking something like Spectre/Meltdown. Or maybe have the console spit out something.

FR0ZN


Emulators are running in isolated RAM areas; you won't touch the host RAM.
Also, why modify an emulator? Just write an app that "overloads" the RAM :P
 

Max4life

> Emulators are running in isolated RAM areas; you won't touch the host RAM.
> Also, why modify an emulator? Just write an app that "overloads" the RAM :P

I found a flaw with the drive, doing some more testing; nothing is 100% secure.
Never say never. Anything is possible.
 

Max4life

> The game discs? You should be able to read them just fine with a standard BD drive, including the PIC area!

Wow, backing up all my games. No security on the disc, really Microsoft?
This is too easy now. I am waiting for my chips to arrive.
 

FR0ZN

> Wow, backing up all my games. No security on the disc, really Microsoft?
> This is too easy now. I am waiting for my chips to arrive.

Can't be 100% certain here; there might be something like security sectors or anything hidden somewhere that no standard PC drive picks up.
But that's how the preservation community does it for now, until (maybe) a proper method shows up.
 

IwearHelmet4Bed

It's definitely not going to be that simple, especially playing online. Look at how you had to patch the 360 ISOs. Also, when the later games came out, you had to buy an iHAS burner because of the way the games were burnt to disc.
 

Shadow LAG

Metasploit is useless because it requires a payload to be run on the target machine. Most of the system is so incredibly alien to what the payload expects that most of them would have to be rewritten or heavily modified.

I've been using deep file access within the standard account to attempt to find an exploitable service / COM. I've hit it with every exploit known to man (and a few not so known) in an attempt to break out / elevate privileges.

The largest issue I'm running into is that the XVD containers are intentionally deployed without an existing administrative account, and the internal administrative / default accounts are strategically disabled. I've dumped the majority of the registry and SIDs are linked to either missing profiles or NT AUTHORITY services. I do see administrative groups; however, they are entirely empty.

The only way forward I can see at this point in time is to either build and sign our own XVDs or write our own zero-day exploit. Microsoft has done a very good job at keeping the filesystem contained and sandboxed.

Now, to create our own XVD we would need to first decrypt the existing XVD generated by the "retail devkit" and deploy a new one using the Dev keys. The problem I can see with this method is that I'm doubting very highly that Retail Devkits have the ability to run dev-signed XVDs; however, I have yet to remove my HDD and try it for myself.

The second way would be to find a security exploit that could chainload CMD over Telnet/SSH under NT AUTHORITY\SYSTEM.

I'm open to any ideas brought to the table; however, as it stands, I'm no longer confident this level of file access within such compartmentalized virtual disk containers is the way forward.

Anyone else have better luck?
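The post above describes auditing a dumped registry for admin group membership, disabled built-in accounts and SIDs that resolve to missing profiles or NT AUTHORITY services. The script below is an added example, not code from this thread or from any of its posters, that performs the same three checks on a normal Windows host from an auditor's stance: it reports privileged local group membership, the enabled state of the built-in accounts (identified by RID rather than by their renamable names), and every ProfileList SID that no longer translates to an account. It assumes Windows PowerShell 5.1 or later with the built-in LocalAccounts module and touches nothing Xbox-specific; the default group list is an assumption.

```powershell
# Added audit example (not from the thread). Assumes Windows PowerShell 5.1+ with the
# Microsoft.PowerShell.LocalAccounts module; run elevated so HKLM and group membership
# are fully readable. Nothing here is Xbox-specific.

function Get-PrivilegedGroupReport {
    [CmdletBinding()]
    param(
        # Local groups worth auditing; this default list is an assumption, adjust as needed
        [string[]]$Groups = @('Administrators', 'Remote Desktop Users', 'Backup Operators')
    )
    foreach ($g in $Groups) {
        try {
            $members = @(Get-LocalGroupMember -Group $g -ErrorAction Stop)
        } catch {
            Write-Warning "Group '$g' not found: $($_.Exception.Message)"
            continue
        }
        [pscustomobject]@{
            Group       = $g
            MemberCount = $members.Count
            Members     = ($members | ForEach-Object { $_.Name }) -join '; '
            # An empty Administrators group is unusual on a workstation and worth explaining
            Empty       = ($members.Count -eq 0)
        }
    }
}

function Get-BuiltinAccountState {
    # Built-in accounts are matched by well-known RID, not by name, since names can be changed:
    # 500 = Administrator, 501 = Guest, 503 = DefaultAccount, 504 = WDAGUtilityAccount
    Get-LocalUser | Where-Object { $_.SID.Value -match '-(500|501|503|504)$' } |
        Select-Object Name, Enabled, LastLogon,
            @{ Name = 'RID'; Expression = { $_.SID.Value.Split('-')[-1] } }
}

function Get-OrphanedProfileSid {
    # ProfileList maps every SID that has ever logged on to its profile directory.
    # Service SIDs (S-1-5-18/19/20) translate to NT AUTHORITY\SYSTEM, LOCAL SERVICE and
    # NETWORK SERVICE; a SID that cannot be translated at all is orphaned (deleted account,
    # or a profile carried over from another image) and should be accounted for.
    $key = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList'
    foreach ($sub in Get-ChildItem -Path $key) {
        $sid  = $sub.PSChildName
        $path = (Get-ItemProperty -Path $sub.PSPath -Name ProfileImagePath -ErrorAction SilentlyContinue).ProfileImagePath
        $account = $null
        try {
            $account = ([System.Security.Principal.SecurityIdentifier]$sid).Translate(
                [System.Security.Principal.NTAccount]).Value
        } catch {
            # Translate throws IdentityNotMappedException for SIDs with no matching account
        }
        [pscustomobject]@{
            SID           = $sid
            Account       = $account
            ProfilePath   = $path
            ProfileExists = [bool]($path -and (Test-Path -LiteralPath $path))
            Orphaned      = ($null -eq $account)
        }
    }
}

# Usage: print the three reports; the last one is filtered to the entries that need a decision.
Get-PrivilegedGroupReport | Format-Table -AutoSize
Get-BuiltinAccountState   | Format-Table -AutoSize
Get-OrphanedProfileSid    | Where-Object { $_.Orphaned -or -not $_.ProfileExists } | Format-Table -AutoSize
```

The point of splitting the work into three functions is that each answers a different question an auditor asks of a hardened image: who can currently elevate, which default accounts are live, and which historical logons no longer map to anything. Orphaned SIDs are not a vulnerability by themselves, but on a sandboxed system they are the first thing to explain, because they usually mean a profile was restored or copied rather than created on the box.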
 
Deleted User (OP)
> Metasploit is useless because it requires a payload to be run on the target machine. Most of the system is so incredibly alien to what the payload expects that most of them would have to be rewritten or heavily modified.
>
> I've been using deep file access within the standard account to attempt to find an exploitable service / COM. I've hit it with every exploit known to man (and a few not so known) in an attempt to break out / elevate privileges.
>
> The largest issue I'm running into is that the XVD containers are intentionally deployed without an existing administrative account, and the internal administrative / default accounts are strategically disabled. I've dumped the majority of the registry and SIDs are linked to either missing profiles or NT AUTHORITY services. I do see administrative groups; however, they are entirely empty.
>
> The only way forward I can see at this point in time is to either build and sign our own XVDs or write our own zero-day exploit. Microsoft has done a very good job at keeping the filesystem contained and sandboxed.
>
> Now, to create our own XVD we would need to first decrypt the existing XVD generated by the "retail devkit" and deploy a new one using the Dev keys. The problem I can see with this method is that I'm doubting very highly that Retail Devkits have the ability to run dev-signed XVDs; however, I have yet to remove my HDD and try it for myself.
>
> The second way would be to find a security exploit that could chainload CMD over Telnet/SSH under NT AUTHORITY\SYSTEM.
>
> I'm open to any ideas brought to the table; however, as it stands, I'm no longer confident this level of file access within such compartmentalized virtual disk containers is the way forward.
>
> Anyone else have better luck?

There are exploitable services and even drivers. I can't go into details and I would expect people to handle those things responsibly. I personally have achieved and persisted privilege escalation, but I can't really share that; it's possible though. Also, there's no way to deploy our own "OS"-based virtual drives, as they use a specific key that we'll never have unless there's a security processor exploit.

Also, retail devkits can in fact use red-signed XVDs, from what I've noticed, but it really depends. Still trying to determine a few things.
 

Shadow LAG

> There are exploitable services and even drivers. I can't go into details and I would expect people to handle those things responsibly. I personally have achieved and persisted privilege escalation, but I can't really share that; it's possible though. Also, there's no way to deploy our own "OS"-based virtual drives, as they use a specific key that we'll never have unless there's a security processor exploit.
>
> Also, retail devkits can in fact use red-signed XVDs, from what I've noticed, but it really depends. Still trying to determine a few things.

Well, to clarify, I figured there were exploitable services; in fact I'll be running a scan for open quotations and insecure entry points tonight, but so far none of the Metasploit payloads have worked out of the box.

Thanks for the heads up. I'll look more into XVD when I have time to test.

The reason I am doing this is purely on the basis of research and development.
 
Deleted User (OP)
> Well, to clarify, I figured there were exploitable services; in fact I'll be running a scan for open quotations and insecure entry points tonight, but so far none of the Metasploit payloads have worked out of the box.
>
> Thanks for the heads up. I'll look more into XVD when I have time to test.
>
> The reason I am doing this is purely on the basis of research and development.

All good. We have started to get things running and decided to start a wiki; although we're very busy, we will try to get things going there. If you need any heads up, we usually help and provide on our Discord, since that's hip.
 

Shadow LAG

> All good. We have started to get things running and decided to start a wiki; although we're very busy, we will try to get things going there. If you need any heads up, we usually help and provide on our Discord, since that's hip.

Sounds good, feel free to DM me the Discord group when you have time. Thanks again.
 
