[Hacking] Possible entrypoints and current roadblocks

TwoNs (OP)
Heya. I'm TwoNs. I'm sort of new to this, but I've been around lurking for a long time. I was wondering if someone could summarise what's going on with the state of the system.
From what I can tell, we are attempting to use dev mode to escalate privileges, but to what end, and have we been successful?
Avenues of attack: I'm assuming that the CD drive is protected in some way, either encrypted or won't execute unsigned code. USB ports similarly. Has IP spoofing of some form been tried for software or firmware updates in order to get a dump of the OS?
What about controller inputs? Microsoft's adaptive controller system might leave wireless controller inputs vulnerable in some way.
Does the One system have a hypervisor? What are the main roadblocks we have here, and where should I start to investigate?
 

carizard
You are able to dump updates, but they are encrypted.
You can dump games, but they are encrypted.
You can run Win32 apps.
You can escalate permissions to SYSTEM.
You can run PowerShell Core.
You can run Python.
You can add a root user.
You can use apps in dev mode such as emulators.
You can use some PC apps in dev mode.
The system does have a hypervisor and multiple OSs (GameCore, SystemOS and Host OS).
 

kingtut
> You are able to dump updates, but they are encrypted.
> You can dump games, but they are encrypted.
> You can run Win32 apps.
> You can escalate permissions to SYSTEM.
> You can run PowerShell Core.
> You can run Python.
> You can add a root user.
> You can use apps in dev mode such as emulators.
> You can use some PC apps in dev mode.
> The system does have a hypervisor and multiple OSs (GameCore, SystemOS and Host OS).

You can run Win32 apps?
 

TwoNs (OP)
> You are able to dump updates, but they are encrypted.
> You can dump games, but they are encrypted.
> You can run Win32 apps.
> You can escalate permissions to SYSTEM.
> You can run PowerShell Core.
> You can run Python.
> You can add a root user.
> You can use apps in dev mode such as emulators.
> You can use some PC apps in dev mode.
> The system does have a hypervisor and multiple OSs (GameCore, SystemOS and Host OS).
Hmm, okay. I'm assuming that an end goal here is to have the stuff running from the dashboard and/or have an easier way to use these things. Does anybody know where I can find a tutorial about dumping updates? I'd like to have a look at the encryption.
 

carizard
> You can run Win32 apps?

Yes, but only console Win32 apps at the moment (you can get visual output, but it would take some work).

> Hmm, okay. I'm assuming that an end goal here is to have the stuff running from the dashboard and/or have an easier way to use these things. Does anybody know where I can find a tutorial about dumping updates? I'd like to have a look at the encryption.

https://support.xbox.com/en-US/xbox-one/console/system-updates-solution
 
Deleted User
The Xbox One currently runs on three operating systems:
- Host
- System
- Game OS (ERA)

(Each OS is stored inside an encrypted and signed XVD, similar to VHD in a sense but completely rewritten for Xbox One)

The XVD format is shared for the OS data, apps and games. All encrypted.

The Host operating system is a very minimal version of Windows, known as MinWin, which the Game OS is also built from. It mainly manages the VM resources, does additional monitoring and performs the primary security operations, from verifying, mounting and unmounting Xbox Virtual Disks/Drives (XVD) to handling licenses. However, these are most likely passed down to the security processor, evidently by what is present on both System OS and Host, to avoid handling sensitive data at that level.

To touch on the updates, there is an updater.xvd that contains the new bootloaders (encrypted) and other firmware, and also contains hash files for validation by the XUpdMgr service. These updater.xvd files also contain two update DLLs (update.dll and update2.dll; only update2.dll seems to be used so far, but both seemed to be the same last time I checked).

The System OS will mount the Updater (XUpdMgr.exe does this) and then load the update2.dll. From there, it will verify the incoming files and begin preparing any user data that will be migrated over.
Simplified with a little extra detail. Still need to write more on this... but I'm just back from a trip.

Example of what an updater.xvd typically contains (ignore patches, separate):
[Image: 5fVZbRY.png]

In regards to the encryption of XVDs, you should check out the xvdtool source (written by emoose, with updates from tuxuser) at https://github.com/xboxoneresearch/xvdtool

It should help you understand a little bit. I'm always free to answer questions to the best of my ability.
 

Carltrek
Are XVD files encrypted with BitLocker technology? Also, is the decryption key stored in the Xbox One hardware itself, or provided externally, e.g. on disc or over the network?

These two scenes may not have much intersection, but for those who have hacked and dumped the SEGA Nu arcade machine system, the first thing to do is to get BitLocker busted. It's not clear how they got this done and they don't want to provide the method, but according to how they hacked the SEGA RingEdge arcade system (whose main HDD is TrueCrypt encrypted), what they do is grab the decryption key out of the detachable security chip on the machine.

We just don't know if there is such a part on the Xbox that handles the key, and whether it's vulnerable to some kind of exploit.
 
Deleted User
> Are XVD files encrypted with BitLocker technology? Also, is the decryption key stored in the Xbox One hardware itself, or provided externally, e.g. on disc or over the network?
>
> These two scenes may not have much intersection, but for those who have hacked and dumped the SEGA Nu arcade machine system, the first thing to do is to get BitLocker busted. It's not clear how they got this done and they don't want to provide the method, but according to how they hacked the SEGA RingEdge arcade system (whose main HDD is TrueCrypt encrypted), what they do is grab the decryption key out of the detachable security chip on the machine.
>
> We just don't know if there is such a part on the Xbox that handles the key, and whether it's vulnerable to some kind of exploit.
No, it's using its own implementation. The hardware security processor performs the crypto operations. When you have a disc-based game, the console will verify the license file that comes with it, but that license contains the encrypted key and other data it needs, and will then install the encrypted XVC onto the console hard drive. After the game is installed and you hit Launch, the console will check if there is a digital license that you own for it or if there is a disc inserted. It will check the disc (or pull the license from the Microsoft Store) and then validate the license and send it to the security processor. I haven't looked into that stage enough to go any further, but as far as I am aware once a license is loaded in then you can mount the target accordingly. But yes, the main key is on the hardware and other keys are encrypted into the bootloaders (similar to the 360). So if you manage to somehow get the key that's in the SP fuses, then you can decrypt everything.

> How is the security enforced, how does the console build a secure chain of trust? How is revision locking done? iirc isn't security enforced using dedicated hardware separate from the actual system?
Correct, the security is enforced by using the AMD Platform Security Processor, but as far as I am aware it uses a completely custom firmware (obvious from the updater and drivers). Anything that would be considered sensitive is unlikely to be exposed at any OS level. Although in regards to the ODD there is something that may intrigue people, it's something I won't go into, as after looking at the responsible DLL... you could probably do something with it.
 

Deleted member 668561
So ultimately one would need to be able to exploit the security processor to gain true/full system access, though I would assume even an exploit within the Game OS would be sufficient, since you'd have more resources available vs. dev mode. It probably would get patched very quickly, though, and you still wouldn't have full system access, so there would still be limitations.
 

djinc91
I am interested to see where we can get with the ODD. I see a log like this:
Code:
ODDFW update sequence: 0.
FOUND DeviceInstance AHCI\Port\0
Got PDO: \Device\00000017
Drive type detected: Monterey.
Drive is Locked!
Nvkey is Programmed!
Expected firmare version:014R
Running firmware version:014R
Already running expected firmware, skipping ODD update
Update is not neccessary.
Not Elk drive, no lock down is needed.
Got drive auth status : 2
ODDFW update finished, hr = 00000000

And I have to ask, do we know all the hardware revisions/codenames of the ODDs? Clearly Elk seems to have a vulnerability from this readout.
 
Deleted User
> I am interested to see where we can get with the ODD. I see a log like this:
> Code:
> ODDFW update sequence: 0.
> FOUND DeviceInstance AHCI\Port\0
> Got PDO: \Device\00000017
> Drive type detected: Monterey.
> Drive is Locked!
> Nvkey is Programmed!
> Expected firmare version:014R
> Running firmware version:014R
> Already running expected firmware, skipping ODD update
> Update is not neccessary.
> Not Elk drive, no lock down is needed.
> Got drive auth status : 2
> ODDFW update finished, hr = 00000000
>
> And I have to ask, do we know all the hardware revisions/codenames of the ODDs? Clearly Elk seems to have a vulnerability from this readout.
I believe we might but it wouldn't be hard to get. Also, the Elk thing might be something else if I remember correctly. If anyone wants to risk messing with their ODD... first step is to look inside C:\Program Data\ on your console.
 

djinc91
> If anyone wants to risk messing with their ODD... first step is to look inside C:\Program Data\ on your console.
I have a couple spare consoles sitting around and can follow instructions. If anyone wants to experiment they can be the guinea pigs.
 

SolidSnakeUk89
Hi all, I came across this because I'm having one of those E100 errors on Verify update.

I got this Xbox One S that had one of the power rail MOSFETs smashed, and after a successful replacement I managed to get it running. I went to do a factory reset and now it's coming up with the E100 error...

This is the log I found:

ODDFW update sequence: 7.
FOUND DeviceInstance AHCI\Port\0
Got PDO: \Device\00000017
Drive type detected: Monterey.
Drive is Locked!
Nvkey is Programmed!
Expected firmare version:014R
Running firmware version:014R
Already running expected firmware, skipping ODD update
Update is not neccessary.
Not Elk drive, no lock down is needed.
Auth IOCTL 000240C4 failed, error = e0e80085
IOddDriverApi::DriveAuthPowerOn failed
ODDFW update failed, hr = 80910008, retry again in two seconds.
Expected firmare version:014R
Running firmware version:014R
Already running expected firmware, skipping ODD update
Update is not neccessary.
Not Elk drive, no lock down is needed.
Auth IOCTL 000240C4 failed, error = e0e80085
IOddDriverApi::DriveAuthPowerOn failed
ODDFW update failed, hr = 80910008, retry again in two seconds.
Expected firmare version:014R
Running firmware version:014R
Already running expected firmware, skipping ODD update
Update is not neccessary.
Not Elk drive, no lock down is needed.
Auth IOCTL 000240C4 failed, error = e0e80085
IOddDriverApi::DriveAuthPowerOn failed
ODDFW update failed, hr = 80910008, retry again in two seconds.
ODDFW update finished, hr = 80910008

Anybody know what it means? If it's a complete brick, I would be happy to test stuff if you tell me what to do :D
May as well use it for something if it will never get back to work..
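The two ODDFW logs in this thread (djinc91's, which ends with "Got drive auth status : 2" and hr = 00000000, and SolidSnakeUk89's, which ends with hr = 80910008) run through the same sequence and diverge only at the drive-authentication step. The script below is an added example, not code from the thread, from Microsoft or from xvdtool: it reads those exact lines (copied from the two posts and embedded so it runs offline), reduces each log to a small summary, and names the step that went wrong. The summary field names, the outcome labels and the HRESULT field split are my own choices; the patterns only match text that appears in the posted logs.

```python
"""Summarise the ODDFW (optical drive firmware) update logs quoted in this thread.
Added example, not code from the thread, Microsoft or xvdtool; the logs are copied
from djinc91's and SolidSnakeUk89's posts, the summary field names are my own.
"""
import re

# djinc91's log: firmware matches, drive auth reports status 2, final hr = 0.
HEALTHY_LOG = r"""
ODDFW update sequence: 0.
FOUND DeviceInstance AHCI\Port\0
Got PDO: \Device\00000017
Drive type detected: Monterey.
Drive is Locked!
Nvkey is Programmed!
Expected firmare version:014R
Running firmware version:014R
Already running expected firmware, skipping ODD update
Update is not neccessary.
Not Elk drive, no lock down is needed.
Got drive auth status : 2
ODDFW update finished, hr = 00000000
"""

# SolidSnakeUk89's log, abbreviated: the original repeats the firmware-check block
# before each of the three failed DriveAuthPowerOn attempts; parsing is unaffected.
FAILED_LOG = r"""
ODDFW update sequence: 7.
Drive type detected: Monterey.
Drive is Locked!
Nvkey is Programmed!
Expected firmare version:014R
Running firmware version:014R
Not Elk drive, no lock down is needed.
Auth IOCTL 000240C4 failed, error = e0e80085
IOddDriverApi::DriveAuthPowerOn failed
ODDFW update failed, hr = 80910008, retry again in two seconds.
Auth IOCTL 000240C4 failed, error = e0e80085
IOddDriverApi::DriveAuthPowerOn failed
ODDFW update failed, hr = 80910008, retry again in two seconds.
Auth IOCTL 000240C4 failed, error = e0e80085
IOddDriverApi::DriveAuthPowerOn failed
ODDFW update failed, hr = 80910008, retry again in two seconds.
ODDFW update finished, hr = 80910008
"""

# "firm\w*are" also matches the "firmare" spelling the log actually prints.
PATTERNS = {
    "drive_type":       re.compile(r"Drive type detected: (\w+)"),
    "locked":           re.compile(r"Drive is Locked!"),
    "nvkey_programmed": re.compile(r"Nvkey is Programmed!"),
    "expected_fw":      re.compile(r"Expected firm\w*are version:\s*(\S+)"),
    "running_fw":       re.compile(r"Running firm\w*are version:\s*(\S+)"),
    "auth_status":      re.compile(r"Got drive auth status\s*:\s*(\d+)"),
    "auth_failure":     re.compile(r"Auth IOCTL ([0-9A-Fa-f]+) failed, error = ([0-9A-Fa-f]+)"),
    "retry":            re.compile(r"ODDFW update failed, hr = ([0-9A-Fa-f]+)"),
    "finished":         re.compile(r"ODDFW update finished, hr = ([0-9A-Fa-f]+)"),
}


def decode_hresult(hr):
    """Split a Windows HRESULT into its severity bit (S), 11-bit facility and 16-bit code."""
    return {"failed": bool(hr >> 31 & 1), "facility": (hr >> 16) & 0x7FF, "code": hr & 0xFFFF}


def parse_oddfw_log(text):
    """Reduce one ODDFW log to the facts a troubleshooter wants at a glance."""
    s = {"drive_type": None, "locked": False, "nvkey_programmed": False,
         "expected_fw": None, "running_fw": None,
         "auth_status": None,   # N from "Got drive auth status : N", if reached
         "auth_failures": [],   # (ioctl, error) per failed Auth IOCTL line
         "retries": 0,          # "ODDFW update failed ... retry" lines seen
         "final_hr": None}      # HRESULT from the "finished" line, as an int
    for line in (raw.strip() for raw in text.splitlines()):
        for key, pat in PATTERNS.items():
            m = pat.match(line)
            if not m:
                continue
            if key in ("locked", "nvkey_programmed"):
                s[key] = True
            elif key == "auth_failure":
                s["auth_failures"].append((m.group(1), m.group(2)))
            elif key == "retry":
                s["retries"] += 1
            elif key == "finished":
                s["final_hr"] = int(m.group(1), 16)
            elif key == "auth_status":
                s["auth_status"] = int(m.group(1))
            else:
                s[key] = m.group(1)
    return s


def classify(s):
    """Name the outcome by the step the log says went wrong, if any."""
    if s["auth_failures"]:
        return "drive-auth-failed"       # firmware check passed, drive auth did not
    if s["final_hr"] is None or decode_hresult(s["final_hr"])["failed"]:
        return "update-failed"
    if s["auth_status"] is None:
        return "incomplete"
    return "ok"
```

Calling `parse_oddfw_log(FAILED_LOG)` shows why the E100 console is not a firmware-version problem: expected and running firmware are both 014R, the drive is "Not Elk", and the only step that fails is the DriveAuthPowerOn IOCTL, three times, before the sequence gives up with 0x80910008 (severity bit set, facility 0x91, code 8; the thread does not say what that facility means, so the script does not guess). That is the same reading TwoNs gives below, that the repair rather than the firmware is what tripped the drive authentication.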
 

TwoNs (OP)
> Anybody know what it means? If it's a complete brick, I would be happy to test stuff if you tell me what to do :D
> May as well use it for something if it will never get back to work..

From the looks of it, your hardware repair was wack.
First restart the console. Make sure your hardware looks alright, because my suspicion is that you haven't got an official part or it's broken and you've tripped some sort of lockout. (I'm not too sure, might be best to get a second opinion or start your own thread if you really want to fix it)
If you can, take it back to whoever repaired it. If not, try doing an offline system update from the Xbox website.
If you have a backup of the NAND, or you can find one, flashing that is a last resort.
 

TwoNs (OP)
> I believe we might but it wouldn't be hard to get. Also, the Elk thing might be something else if I remember correctly.

Do we have any idea what Elk is? If it is something to do with the drive, it may be that a certain generation may have a hardware vulnerability.
Speaking of Elk, does anyone have any idea of how we find our console generations? I'd be up for trying to categorise them if we have certain hardware markers to look for.
 
Deleted User
> Do we have any idea what Elk is? If it is something to do with the drive, it may be that a certain generation may have a hardware vulnerability.
> Speaking of Elk, does anyone have any idea of how we find our console generations? I'd be up for trying to categorise them if we have certain hardware markers to look for.
ELK is the firmware of the ODD, I believe. It may be something to do with a couple of the ODDs, but I can't recall.
 

Dominator211
> Do we have any idea what Elk is? If it is something to do with the drive, it may be that a certain generation may have a hardware vulnerability.
> Speaking of Elk, does anyone have any idea of how we find our console generations? I'd be up for trying to categorise them if we have certain hardware markers to look for.
They would have to be bound by some numbers maybe, like the Switch is; there has to be an identifier.
 
