Tony Hawk's Pro Strcpy is a new RCE exploit that can hack several consoles, including the Xbox 360


Through the years those following the hacking scene have seen plenty of games exploited in order to run code and help softmod game consoles. Cubic Ninja's QR code reader was exploited to allow for the Homebrew Launcher to be installed on the Nintendo 3DS, and an edited save file of Tom Clancy's Splinter Cell for the original Xbox could execute a payload that would softmod the system. A member of the Xbox scene by the name of Grimdoomer wanted to test their skill, and see if they could discover a new exploit for older consoles. Choosing to see what potential exploits could be done in Tony Hawk's Pro Skater 4 for Xbox, Grimdoomer has managed to create and release an RCE exploit that can hack not just one console, but also the PlayStation 2, GameCube, and shockingly, the Xbox 360.



Named Tony Hawk's Pro Strcpy, the exploit exists across Tony Hawk's Pro Skater 3, Tony Hawk's Pro Skater 4, Tony Hawk's Underground 1, Tony Hawk's Underground 2, and Tony Hawk's American Wasteland. The hack is a pre-made save file that you can load for your console of choice, which utilizes the game's Create-A-Park level builder to allow remote code execution.

Fast forward to present day (2024) and I finally got around to cleaning up and releasing all these Tony Hawk exploits. However, since I’m most likely retiring from game console hacking after this I wanted to drop an absolute banger of a release so I ported the exploit to some other game consoles that are vulnerable to it. This bug exists in 5 different iterations of the Tony Hawk video game series across numerous game consoles and handhelds. No one is safe from Tony Hawk’s Pro Strcpy. Since you’re probably tired of me talking about the same strcpy bug over and over I’m only going to provide some brief details of which games for which platforms I ported the exploit to and how it may or may not make hacking those consoles easier.

Grimdoomer posted a highly detailed blog that goes in-depth on how the strcpy bug works and how to execute it. They also released the exploit, available on GitHub, with versions that support Tony Hawk's American Wasteland for the Xbox 360 and Tony Hawk's Pro Skater 4 for the GameCube, Xbox, and PlayStation 2. They also noted that the PC version of Tony Hawk's Underground, which has a community built around a fan-patch of the game and has network play, is also exploitable, and that players should be wary.

And there you have it, the first software only exploit for the Xbox 360. It’s kind of ironic that this worked out almost exactly the same as the save game exploits for the original Xbox: performing a stack buffer overflow from a strcpy call on data contained in a save game file you can copy to your console using a memory card. You can use the strcpy bug to get ROP execution on any Xbox 360 OS version, but you’ll only be able to get full hypervisor code execution on the 4548 kernel version. If a new hypervisor bug is discovered this can easily be paired with it to work on newer kernel versions. I still have some hope that there might be an exploitable bug that would get you hypervisor code execution on a new kernel version. But I highly suspect it would be some kind of CPU or MMU bug rather than a bug in the hypervisor code.

:arrow: Source
:download: GitHub Release
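The bug class Grimdoomer describes above, an unbounded strcpy of a field taken from a save file, is worth seeing next to its fix. The following is an added illustration written for this post, not code from the Tony Hawk games or from Grimdoomer's release; the record layout, the field name, the 32-byte buffer size and the function names are all assumptions. It shows why a copy that trusts the file's own terminator can run past a fixed-size stack buffer, and the hardened form that measures the field with a bound and rejects anything that does not fit.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the games or from the published exploit.
 * The record layout, the field name and PARK_NAME_MAX are assumptions. */

#define PARK_NAME_MAX 32  /* assumed fixed-size name buffer on the caller's stack */

/* Constructed stand-in for one save-file record: a name field whose
 * length (and terminator) is controlled by the file, not by the game. */
struct park_record {
    const char *name;
};

/* The pattern described in the article: strcpy trusts the terminator in the
 * file data. A name longer than PARK_NAME_MAX - 1 bytes writes past `dst`.
 * Kept only for comparison; it is never called on untrusted input here. */
void load_park_name_unsafe(char dst[PARK_NAME_MAX], const struct park_record *rec)
{
    strcpy(dst, rec->name);
}

/* Hardened form: look for the terminator only within the buffer bound,
 * reject a field that does not fit, and copy with an explicit length.
 * Returns 0 on success and -1 when the field is rejected; `dst` is always
 * left as a valid (possibly empty) string. */
int load_park_name_safe(char dst[PARK_NAME_MAX], const struct park_record *rec)
{
    /* memchr stops at the first NUL, so it never reads past a short field. */
    const char *end = memchr(rec->name, '\0', PARK_NAME_MAX);
    if (end == NULL) {            /* no terminator within the bound: too long */
        dst[0] = '\0';
        return -1;
    }
    size_t len = (size_t)(end - rec->name);   /* guaranteed < PARK_NAME_MAX */
    memcpy(dst, rec->name, len);
    dst[len] = '\0';
    return 0;
}

/* Convenience wrapper: builds a record around a constructed field and
 * returns the status the hardened loader gives it. */
int park_name_status(const char *field)
{
    char buf[PARK_NAME_MAX];
    struct park_record rec = { field };
    return load_park_name_safe(buf, &rec);
}

int main(void)
{
    char name[PARK_NAME_MAX];
    struct park_record ok = { "Warehouse Remix" };        /* constructed, fits */
    struct park_record bad = {                            /* constructed, 63 bytes */
        "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" };

    printf("fits:     %d (\"%s\")\n", load_park_name_safe(name, &ok), name);
    printf("too long: %d (\"%s\")\n", load_park_name_safe(name, &bad), name);
    return 0;
}
```

The defensive point is that the length check has to come from the destination's size, never from the file: a field of exactly PARK_NAME_MAX bytes without a terminator is rejected rather than silently truncated, so a loader built this way fails closed on a crafted save instead of corrupting its own stack.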
 

x65943

习近平万岁!新中国万岁!!
Supervisor
GBAtemp Patron
Joined
Jun 23, 2014
Messages
6,520
Trophies
6
Location
ΗΠΑ
XP
29,972
Country
United States
Very impressive, never heard of a cross platform exploit like this before

Brings me back to the days of the twilight hack on my Wii, poor Epona's name was sacrificed for a greater cause
 

raxadian

Well-Known Member
Member
Joined
Nov 10, 2018
Messages
4,604
Trophies
1
Age
41
XP
4,850
Country
Argentina
All hacks for videogame consoles that are dead online at least officially.

Let's see; my two PS2s are chipped, I don't have an Xbox 360, and my two GameCubes would need a fake memory stick ROM loader to make this useful, as I don't have a drive that can burn the mini discs the GameCube uses.

Edit: So neat, but not a game changer, save for hacking a 360 cause softmod.
 

AndorfRequissa

Well-Known Member
Member
Joined
Sep 8, 2019
Messages
252
Trophies
0
Age
40
XP
681
Country
United States
i wonder if the 360 exploit can take a cfw xbox 360 that was modded using disc juggler and update it to a newer version. The disc juggler stuff became a pain in the butt and i stopped updating it when max payne 3 came out. would be nice to be able to update it finally.
 

ItsAshleyFTW

Well-Known Member
Member
Joined
Sep 20, 2017
Messages
139
Trophies
0
Age
22
XP
680
Country
United States
So neat, but not a game changer, unless hacking a 360 was really hard?
There was pretty much no way to softmod an Xbox 360 until now. Microsoft basically designed the console in such a way that it is impossible to run unsigned code. To mod a 360 you would have to open up the console and solder in a modchip or wires to boot into a custom environment. Not everyone has soldering experience, and it's for these reasons that there isn't much in the way of homebrew, apps, and emulators designed for the 360. Everyone who has a modded 360 and wants these apps pretty much has to get the version for the original Xbox and run it through the xefu emulator. And that means you are not using the full potential of the 360. So this is a huge breakthrough for Xbox 360 modding and modding in general. Although I think this only works on very old dashboard versions (still cool to see nonetheless).
 

Robert Newbie

Well-Known Member
Member
Joined
May 10, 2014
Messages
477
Trophies
1
Age
44
XP
1,017
Country
United States
There was pretty much no way to softmod an Xbox 360 until now. Microsoft basically designed the console in such a way that it is impossible to run unsigned code. To mod a 360 you would have to open up the console and solder in a modchip or wires to boot into a custom environment. Not everyone has soldering experience, and it's for these reasons that there isn't much in the way of homebrew, apps, and emulators designed for the 360. Everyone who has a modded 360 and wants these apps pretty much has to get the version for the original Xbox and run it through the xefu emulator. And that means you are not using the full potential of the 360. So this is a huge breakthrough for Xbox 360 modding and modding in general. Although I think this only works on very old dashboard versions (still cool to see nonetheless).
Thanks for the write-up. It seems that later kernels will need one more breakthrough.
 

VinsCool

Persona Secretiva Felineus
Global Moderator
Joined
Jan 7, 2014
Messages
14,623
Trophies
5
Location
Another World
Website
www.gbatemp.net
XP
25,473
Country
Canada
Not only is this very impressive that there is support for multiple platforms and versions of the games, but the XBOX 360 also got its own version, I never thought this would ever happen since the short lived King Kong exploit.
Exploiting a very popular game series is also a very good thing, it will be incredibly easy to get ahold of a used copy of the game for cheap since so many of them were produced and sold worldwide.

Too bad this dropped just a little too late, the same thing released 10-12 years ago would have been a smashing hit that could have changed the course of history, especially when you consider how big this truly is in term of numbers for compatible versions.

Congratulations, this was most definitely a tremendous amount of work to get all of this figured out and exploited!
 

Ryab

Well-Known Member
Member
Joined
Aug 9, 2017
Messages
3,377
Trophies
1
XP
4,790
Country
United States
All hacks for videogame consoles that are dead online at least officially.

Let's see; my two PS2s are chipped, I don't have an Xbox 360, and my two GameCubes would need a fake memory stick ROM loader to make this useful, as I don't have a drive that can burn the mini discs the GameCube uses.

So neat, but not a game changer, unless hacking a 360 was really hard?
To this day the Xbox 360 exploits have all been hardmods. Whether that be a simple disc drive flash to play pirated games or full modchips. This is the first ever software exploit on the 360.
 

Armadillo

Well-Known Member
Member
Joined
Aug 28, 2003
Messages
4,322
Trophies
3
XP
5,500
Country
United Kingdom
Early drives + kingkong exploit was arguably a softmod. The early drives needed nothing special to flash them, plug them into a compatible chipset and away you go. Unless we are redefining softmods as not having to open the console, seems odd to exclude it.

I won't hold out hope for another hypervisor exploit though. It's been so long and in all that time, just the one existed.
 

KelSolaar

Well-Known Member
Member
Joined
May 19, 2023
Messages
202
Trophies
0
Age
41
XP
595
Country
Sweden
Omg. So this actually works?
Can any kind soul make a walkthrough on how to softmod an Xbox 360 Slim?
 

Ryab

Well-Known Member
Member
Joined
Aug 9, 2017
Messages
3,377
Trophies
1
XP
4,790
Country
United States
Early drives + kingkong exploit was arguably a softmod. The early drives needed nothing special to flash them, plug them into a compatible chipset and away you go. Unless we are redefining softmods as not having to open the console, seems odd to exclude it.

I won't hold out hope for another hypervisor exploit though. It's been so long and in all that time, just the one existed.
Well, many would consider a softmod to be entirely software and not require disassembly of the system. Plugging something into the system externally would, I'd say, still be softmodding.
 

Armadillo

Well-Known Member
Member
Joined
Aug 28, 2003
Messages
4,322
Trophies
3
XP
5,500
Country
United Kingdom
Omg. So this actually works?
Can any kind soul make a walkthrough on how to softmod an Xbox 360 Slim?

Yes, but only on 4548 (a software version released way back in 2006). No hypervisor exploit in anything past that, so no slim softmod.

Even Jtag and RGH rely on the same old hypervisor exploit to grab control before loading a later kernel.
 
