New dev mode privilege escalation exploit published

Discussion in 'Xbox One - Hacking & Homebrew' started by carizard, Jun 12, 2019.

  1. Rintron

    Rintron Newbie

    Newcomer
    2
    Jun 16, 2019
    Poland
New guy here, hello. This whole thing is neat. I was playing with it the other day and, after doing symlinks using a different tutorial in this section of the site, I found myself in J:\ (keep in mind this refers to drives on the Xbox One), where there are two applications and also a folder "tools". In the tools folder there's a bunch of .dll's and .exe's. Among the more interesting ones are the ones called wdapp, wdrun, wdconfig, etc. wdapp handles installing and running apps, registering/reregistering and some other functions. I decided to use the "install" command on the .xvc package from the game disc that's in my console. It worked? It started installing, showing both a percentage in the cmd as well as a progress bar on the console. It even showed the usual "ready to play" before finishing the install; however, because the devmode we have access to blocks all games from running and only allows UWP apps, you can't actually run this. It installed the game on my external drive, and I did check to see how it's installed: unlike the usual filename (which after install is a bunch of letters and numbers), it also had "-devkit" added at the end. So the number/letter string was correct for the game in question, just that the "-devkit" part was added to its end.
Oh, and while installing in devmode, it doesn't even show the name or icon for the game. As I said, this is most likely known to people who research the xbone, but even though it doesn't work for games, can it maybe properly work for apps? Alternate means of installing them and all? I believe you could also supply (instead of the optical disc) the location of a non-Xbox-formatted pen/hdd drive. Wonder if this is even useful at all.
Oh, and wdconfig.exe can be used to change some options on the system, including forcing the change of sandbox id (I was able to change it to retail, because usually it stops you... well, not like it changes much as far as I can see).

    Oh and I myself don't care for piracy. I'm just screwing around because I want to get into the filesystem of a certain game. Just to clarify.
     
    Last edited by Rintron, Jun 16, 2019
    Subtle Demise likes this.
  2. Carltrek

    Carltrek Newbie

    Newcomer
    1
    Jun 15, 2019
    China
May not be very related to the topic, but is Xbox One device region information stored in the Xbox One OS or in the security processor (kinda like the Sony PS Vita)? Since Chinese Xbox Ones have some strange features/behavior/perks(?) that ordinary Xboxes don't.
     
    Last edited by Carltrek, Jun 16, 2019
  3. XVMM

    XVMM Advanced Member

    Newcomer
    4
    Sep 9, 2018
    Afghanistan
    United Kingdom
    While it's a thing, the images are usually fetched from Xbox Live or if it's a disc then the images are actually available, raw, from there. It has been useful for making the opposite work in retail but it's not been working too well.

    Also the wdconfig modifies the XConfig, it's a writable registry hive that is used to determine what to use, start, etc. Retail & dev mode have their separate settings though.

    — Posts automatically merged - Please don't double post! —

    Yes, the SP has a couple things, as far as I'm aware and as far as what the OS names/indicates them, that determines device region. The security processor handles anything related to security, licensing and all that. That's why it's a pain.
     
  4. wakabayashy

    wakabayashy GBAtemp Advanced Fan

    Member
    6
    Dec 25, 2014
    France
    France
    @XVMM will you work on a cfw?
     
  5. Rintron

    Rintron Newbie

    Newcomer
    2
    Jun 16, 2019
    Poland
    Ah, I see. As for the wdconfig stuff... I guess that's why I couldn't change 'consolemode' value to "Xbox One X Devkit with 44 CUs" or even just "Xbox One X Devkit". The only ones available to me were "Default (which is what I have it set to), Xbox One and Xbox One S". Still, this was an interesting experience. Might come in handy one day, or so I hope.

    EDIT:
Worth noting for reference: I got these two values for consolemode from the 'Toggle_ConsoleMode.xboxunattend' script in J:\QuickActions.
     
    Last edited by Rintron, Jun 16, 2019
  6. XVMM

    XVMM Advanced Member

    Newcomer
    4
    Sep 9, 2018
    Afghanistan
    United Kingdom
    Yep, lots of interesting things around. There's a lot I'd need to write about I suppose.

    Sure but it's gonna be limited. Might work on a custom service and also a universal app to set as the default; handles any scripts/plugins/starts the service on boot essentially (obviously specific to System OS).
     
    wakabayashy likes this.
  7. wakabayashy

    wakabayashy GBAtemp Advanced Fan

    Member
    6
    Dec 25, 2014
    France
    France
Thanks, can't wait, good luck!

Maybe the start of the rebirth of the Xbox One.
     
  8. XVMM

    XVMM Advanced Member

    Newcomer
    4
    Sep 9, 2018
    Afghanistan
    United Kingdom
    Meh, unless something hardware wise comes out of it then it's gonna suck. Unless there's something that pops up again.
     
    vitality34 and wakabayashy like this.
  9. wakabayashy

    wakabayashy GBAtemp Advanced Fan

    Member
    6
    Dec 25, 2014
    France
    France
You're right, but your work will be a good start for other devs (I hope).
     
  10. lisreal2401

    lisreal2401 GBAtemp Advanced Fan

    Member
    7
    Jun 4, 2013
    United States
    You know I use my retail Xbox One more than any other console.

I don't get the multiple posts here saying all of this is good only for piracy, despite the same company giving away Game Pass on the regular. The only thing I really want out of XBO hacking is the ability to boot into a different OS; dev mode facilitates mostly everything else you'd do, except maybe save hacking, if those aren't locked like installed titles.

    That and, isn't dev mode only bootable while online? I guess if you had your console set to boot into it you might get away with keeping it there?
     
    Last edited by lisreal2401, Jun 16, 2019
  11. XVMM

    XVMM Advanced Member

    Newcomer
    4
    Sep 9, 2018
    Afghanistan
    United Kingdom
    Technically yes but it's possible to keep it offline. And the posts here don't indicate it's good for piracy, some seem to want that.
     
  12. lisreal2401

    lisreal2401 GBAtemp Advanced Fan

    Member
    7
    Jun 4, 2013
    United States
    How would you get past the check? Don't answer if I'm pushing too much but I take it you found a bug in stock mode that will ignore connectivity checking on app start.
     
    Last edited by lisreal2401, Jun 16, 2019
  13. wakabayashy

    wakabayashy GBAtemp Advanced Fan

    Member
    6
    Dec 25, 2014
    France
    France
I've got dev mode activated, but I can't say no to a cfw.
     
  14. XVMM

    XVMM Advanced Member

    Newcomer
    4
    Sep 9, 2018
    Afghanistan
    United Kingdom
    The console relies on another certificate, stored in flash, to determine if your console can convert to a kit, etc. It's possible to grab a cert, depending on console token, and store it and reboot.
     
    jammybudga777 likes this.
  15. NathanBrown

    NathanBrown GBAtemp Regular

    Member
    4
    Jun 19, 2018
    India
    I just want this thing to fully run CFW.
     
  16. Dominator211

    Dominator211 JFK's Jelly Donut

    Member
    9
    Oct 15, 2016
    United States
Agreed.

    — Posts automatically merged - Please don't double post! —

What does this do exactly?
     
  17. carizard
    OP

    carizard Member

    Newcomer
    2
    Dec 4, 2018
    Antarctica
    I'm gonna guess the console has to be an original launch console Durango
     
  18. lisreal2401

    lisreal2401 GBAtemp Advanced Fan

    Member
    7
    Jun 4, 2013
    United States
    Launch firmware doesn't even have the dev feature - it's not included as a default application anyway...

For all I know the dev mode partition was at least there, but for retail I'm almost sure it's not even accessible if you didn't launch into it normally at least once, as I believe it doesn't keep the files for dev mode if you don't use it.
     
    Last edited by lisreal2401, Jun 17, 2019
  19. coffinbirth

    coffinbirth GBAtemp Regular

    Member
    4
    Jun 15, 2009
    United States
    Speaking of Durango, did anyone ever manage to pull the 360 emulator out of that dev kit dump? I recall superDAE saying that it wasn't locked down. I'm sure it will be useful eventually.
    Honestly, what interests me most in having a hacked XBO would be in having the ability to inject OG XBOX and 360 games into their respective emulators, and tweak the settings.
    Also curious what the structure of those games looks like. I'm assuming close to G.O.D. format on 360?
     
  20. lisreal2401

    lisreal2401 GBAtemp Advanced Fan

    Member
    7
    Jun 4, 2013
    United States
The emulators aren't a part of the dashboard; each game contains a configured emulator specific to it. The only portion of code that is there from the factory might be the 360 kernel/dashboard, but I'm inclined to say this also is specific to each game and is contained in every emulated game. Not to mention, that dump would predate any of the software portion of the emulation, so it's not really helpful in terms of modifying anything BC. Though I also think injection is the biggest retail-end hack I want, for the 4K scaling and the apparent compatibility the OG emulator has, which may not be specific for each game.
     