Tony Hawk's Pro Strcpy is a new RCE exploit that can hack several consoles, including the Xbox 360


Through the years those following the hacking scene have seen plenty of games exploited in order to run code and help softmod game consoles. Cubic Ninja's QR code reader was exploited to allow the Homebrew Launcher to be installed on the Nintendo 3DS, and an edited save file of Tom Clancy's Splinter Cell for the original Xbox could execute a payload that would softmod the system. A member of the Xbox scene by the name of Grimdoomer wanted to test their skill and see if they could discover a new exploit for older consoles. Choosing to see what potential exploits could be found in Tony Hawk's Pro Skater 4 for Xbox, Grimdoomer has managed to create and release an RCE exploit that can hack not just the original Xbox, but also the PlayStation 2, GameCube, and, shockingly, the Xbox 360.

Named Tony Hawk's Pro Strcpy, the exploit exists across Tony Hawk's Pro Skater 3, Tony Hawk's Pro Skater 4, Tony Hawk's Underground 1, Tony Hawk's Underground 2, and Tony Hawk's American Wasteland. The hack is a pre-made save file that you can load for your console of choice, which utilizes the game's Create-A-Park level builder to allow remote code execution.

Fast forward to present day (2024) and I finally got around to cleaning up and releasing all these Tony Hawk exploits. However, since I’m most likely retiring from game console hacking after this I wanted to drop an absolute banger of a release so I ported the exploit to some other game consoles that are vulnerable to it. This bug exists in 5 different iterations of the Tony Hawk video game series across numerous game consoles and handhelds. No one is safe from Tony Hawk’s Pro Strcpy. Since you’re probably tired of me talking about the same strcpy bug over and over I’m only going to provide some brief details of which games for which platforms I ported the exploit to and how it may or may not make hacking those consoles easier.

Grimdoomer posted a highly detailed blog that goes in-depth on how the strcpy bug works and how to execute it. They also released the exploit on GitHub, with versions that support Tony Hawk's American Wasteland for the Xbox 360 and Tony Hawk's Pro Skater 4 for the GameCube, Xbox, and PlayStation 2. They also noted that the PC version of Tony Hawk's Underground, which has a community built around a fan patch of the game and has network play, is also exploitable, and that players should be wary.

And there you have it, the first software only exploit for the Xbox 360. It’s kind of ironic that this worked out almost exactly the same as the save game exploits for the original Xbox: performing a stack buffer overflow from a strcpy call on data contained in a save game file you can copy to your console using a memory card. You can use the strcpy bug to get ROP execution on any Xbox 360 OS version, but you’ll only be able to get full hypervisor code execution on the 4548 kernel version. If a new hypervisor bug is discovered this can easily be paired with it to work on newer kernel versions. I still have some hope that there might be an exploitable bug that would get you hypervisor code execution on a new kernel version. But I highly suspect it would be some kind of CPU or MMU bug rather than a bug in the hypervisor code.

Source
GitHub Release
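The bug class the quoted write-up describes, as an added example that is not Grimdoomer's code and not taken from the exploit repository: a hypothetical park-record layout with a fixed 32-byte name buffer (the record size, field name and limits are assumptions, not the games' real format), showing the strcpy pattern beside a bounded copy that rejects oversized names, plus an offline check a defender can run over a dumped save.

```c
#include <stdio.h>
#include <string.h>
#include <stdint.h>
#define PARK_NAME_MAX 32   /* assumed size of the fixed stack buffer */
#define REC_SIZE      64   /* assumed fixed size of one park record */

/* Pattern the write-up describes: strcpy from save data into a fixed stack
 * buffer; a name of 32+ bytes before its NUL overruns dest. Shown only as
 * the thing being replaced; never call it on untrusted data. */
void load_park_name_unsafe(char dest[PARK_NAME_MAX], const uint8_t *rec)
{
    strcpy(dest, (const char *)rec);
}

/* Hardened: search for the terminator only within what fits, refuse names
 * that do not fit, always NUL-terminate. Returns 0, or -1 on a bad name. */
int load_park_name_safe(char dest[PARK_NAME_MAX], const uint8_t *rec, size_t rec_len)
{
    size_t limit = rec_len < PARK_NAME_MAX ? rec_len : PARK_NAME_MAX;
    const uint8_t *nul = memchr(rec, '\0', limit);
    if (nul == NULL) { dest[0] = '\0'; return -1; }
    memcpy(dest, rec, (size_t)(nul - rec) + 1);   /* name plus its NUL */
    return 0;
}

/* Offline check over a dumped save: count records whose name the original
 * strcpy would have overflowed on. */
int count_oversized_names(const uint8_t *save, size_t save_len)
{
    int bad = 0;
    for (size_t off = 0; off + REC_SIZE <= save_len; off += REC_SIZE) {
        char tmp[PARK_NAME_MAX];
        bad += load_park_name_safe(tmp, save + off, REC_SIZE) != 0;
    }
    return bad;
}

/* Constructed sample (not a real save): record 0 holds a normal name,
 * record 1 a 63-byte name with no NUL in its first 32 bytes. */
void build_sample_save(uint8_t save[2 * REC_SIZE])
{
    memset(save, 'A', 2 * REC_SIZE);
    memcpy(save, "Warehouse", 10);
    save[2 * REC_SIZE - 1] = '\0';
}

int main(void)
{
    uint8_t save[2 * REC_SIZE];
    build_sample_save(save);
    return printf("oversized names: %d\n", count_oversized_names(save, sizeof save)) < 0;
}
```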

SergeantConagher

Ok I have had a thought about softmodding.
The Xbox 360 supports the ability to update the system via USB. Has been for a long time.
Check Google for the support page straight from Microsoft.
The file it gives on this page contains a bunch of XEX files, which from what little I've seen, can be opened up and dug through.
Has no one tried to make a modified version of the update files to run a custom dashboard, for example? Or were people afraid that if it was used it would be disabled?

Naendow

The problem is that the 360 checks every file it loads. Downgrading or changing files in any way won't work. That is the reason why RGH is the best way right now.

Marc_LFD

Ok I have had a thought about softmodding.
The Xbox 360 supports the ability to update the system via USB. Has been for a long time.
Check Google for the support page straight from Microsoft.
The file it gives on this page contains a bunch of XEX files, which from what little I've seen, can be opened up and dug through.
Has no one tried to make a modified version of the update files to run a custom dashboard, for example? Or were people afraid that if it was used it would be disabled?
It can also load games/demos transferred from PC to the console, and modded saves, but can it be used to softmod the console? Only the experts would know if there's a way to go through it.

Reecey

Well damn I have another xbox360 with a flashed DVD drive to play burned games. With this hack it will be a complete hacked console. Welp time to look for this Tony Hawk game.
It did become very difficult to burn backups as newer Xbox 360 titles were released. You needed a special disc drive that also needed flashing so it would burn a dual layer disc above the 8.5GB point, and then when you had done it you had to test that the burn was below certain testing levels for it to run properly on the 360. I can't remember now what everything was called, it was so long ago. Luckily I do still have all my burned backups, all in green boxes I used to buy, stacked in boxes put away. But yes, you had to exploit the 360 disc drive, though I found in the end actually burning a backup was nearly impossible. I wasted/binned god knows how many dual layer discs back in the day trying.

pustal

Are you sure? Because Modern Vintage Gamer seems to think otherwise.
The X360 Homebrew community was much bigger than the PS3 ever was, even though the barrier of entry was higher (although technically you could hardmod most consoles, while PS3s were restricted in hacking until very late).

raxadian

The X360 Homebrew community was much bigger than the PS3 ever was, even though the barrier of entry was higher (although technically you could hardmod most consoles, while PS3s were restricted in hacking until very late).

Yet PS3 = RetroArch, hence why the default RetroArch menu looked like a PS3.

I guess having RetroArch for PS3 makes it less interesting for homebrew. By the way, both RetroArch for Vita and PS3 have been dead for years. But Vita at least has a core loader that works.

pustal

Yet PS3 = RetroArch, hence why the default RetroArch menu looked like a PS3.

I guess having RetroArch for PS3 makes it less interesting for homebrew. By the way, both RetroArch for Vita and PS3 have been dead for years. But Vita at least has a core loader that works.
There is also RetroArch for the 360, although it has also been dead for over a decade now.

https://archive.org/details/retro-arch.-360.v-1.0.0.2
https://digiex.net/threads/retroarch-xbox-360-1-0-0-2-download.16416/

duwen

Yet PS3 = RetroArch, hence why the default RetroArch menu looked like a PS3.

I guess having RetroArch for PS3 makes it less interesting for homebrew. By the way, both RetroArch for Vita and PS3 have been dead for years. But Vita at least has a core loader that works.
Bespoke emulators were always the way to go on Vita anyway... although I firmly believe that bespoke emulators are always the way to go on any platform - Retroarch has never been my preference, but I can see how the "all-in-one" approach is convenient to the masses.

raxadian

Bespoke emulators were always the way to go on Vita anyway... although I firmly believe that bespoke emulators are always the way to go on any platform - Retroarch has never been my preference, but I can see how the "all-in-one" approach is convenient to the masses.

The core loader for Vita works okay even if a standalone emulator will probably get better performance.

Talking about Vita, I wish they updated the Dreamcast emulator for it. Sure, you are unlikely to get more than 20 fps at best, but it is still cool.

americandadsonic

Yes, but only on 4548 (a software version released way back in 2006). No hypervisor exploit in anything past that, so no slim softmod.

Even Jtag and RGH rely on the same old hypervisor exploit to grab control before loading a later kernel.
All 360 consoles can use this hack (as well as all OS's) but only this kernel has been exploited for now. For now it's useless for most but in the near future or maybe even sooner we could get an exploit for newer kernels. It's not if but when.

Armadillo

All 360 consoles can use this hack (as well as all OS's) but only this kernel has been exploited for now. For now it's useless for most but in the near future or maybe even sooner we could get an exploit for newer kernels. It's not if but when.

Without a hypervisor exploit for other kernels, it's not really working on all consoles, is it? (which is what the person I replied to asked). The entry point works, the "softmod" does not. So it "works" once we have another piece that doesn't exist yet and may never exist, which is not helpful for someone asking for a slim softmod.

It's not if but when.

Yeah, any moment now. It's been nearly 20 years and there has only been a single hypervisor exploit to run unsigned code, even JTAG still relies on it, but now we have a savegame hack, suddenly one will just pop up.

gbadl

You might want to update the title/article for the 360, as it's effectively useless for most people, as of now at least.

Not saying the exploit isn't impressive, just don't want to get people's hope up.
I agree. This is pretty much the same as the King Kong exploit. Useless if you don't have a 2006 firmware running on your console.

americandadsonic

Yeah any moment now. Been nearly 20 years and there has only been a single hypervisor exploit to run unsigned code, even jtag and rgh still rely on it, but now we have a savegame hack, suddenly one will just pop up.
The Xbox 360 isn't getting any more updates, which is why hackers didn't want to touch softmodding. Softmodding an Xbox 360 was believed to be impossible until now.

Armadillo

The Xbox 360 isn't getting anymore updates which is why hackers didn't want to touch softmodding. Softmodding an Xbox 360 was believed to be impossible until now.

The King Kong exploit is arguably a softmod (depending on whether you want to draw the line at undoing a couple of screws). It used modified shaders in a game to get unsigned code running, using the same hypervisor exploit this uses on 4548.

So we are on to blind hope now. It's not that the hypervisor is just that secure, it's that no one could be bothered because it was still getting updates.