Tony Hawk's Pro Strcpy is a new RCE exploit that can hack several consoles, including the Xbox 360


Through the years, those following the hacking scene have seen plenty of games exploited in order to run code and help softmod game consoles. Cubic Ninja's QR code reader was exploited to allow the Homebrew Launcher to be installed on the Nintendo 3DS, and an edited save file of Tom Clancy's Splinter Cell for the original Xbox could execute a payload that would softmod the system. A member of the Xbox scene by the name of Grimdoomer wanted to test their skill and see if they could discover a new exploit for older consoles. Choosing to see what potential exploits could be found in Tony Hawk's Pro Skater 4 for the Xbox, Grimdoomer has managed to create and release an RCE exploit that can hack not just that console, but also the PlayStation 2, the GameCube and, shockingly, the Xbox 360.



Named Tony Hawk's Pro Strcpy, the exploit exists across Tony Hawk's Pro Skater 3, Tony Hawk's Pro Skater 4, Tony Hawk's Underground 1, Tony Hawk's Underground 2, and Tony Hawk's American Wasteland. The hack is a pre-made save file that you can load for your console of choice, which utilizes the game's Create-A-Park level builder to allow remote code execution.

Fast forward to present day (2024) and I finally got around to cleaning up and releasing all these Tony Hawk exploits. However, since I’m most likely retiring from game console hacking after this I wanted to drop an absolute banger of a release so I ported the exploit to some other game consoles that are vulnerable to it. This bug exists in 5 different iterations of the Tony Hawk video game series across numerous game consoles and handhelds. No one is safe from Tony Hawk’s Pro Strcpy. Since you’re probably tired of me talking about the same strcpy bug over and over I’m only going to provide some brief details of which games for which platforms I ported the exploit to and how it may or may not make hacking those consoles easier.

Grimdoomer posted a highly detailed blog that goes in depth on how the strcpy bug works and how to execute it. They also released the exploit, available on GitHub, with versions that support Tony Hawk's American Wasteland for the Xbox 360 and Tony Hawk's Pro Skater 4 for the GameCube, Xbox and PlayStation 2. They also noted that the PC version of Tony Hawk's Underground, which has a community built around a fan patch of the game and has network play, is also exploitable, and that players should be wary.

And there you have it, the first software only exploit for the Xbox 360. It’s kind of ironic that this worked out almost exactly the same as the save game exploits for the original Xbox: performing a stack buffer overflow from a strcpy call on data contained in a save game file you can copy to your console using a memory card. You can use the strcpy bug to get ROP execution on any Xbox 360 OS version, but you’ll only be able to get full hypervisor code execution on the 4548 kernel version. If a new hypervisor bug is discovered this can easily be paired with it to work on newer kernel versions. I still have some hope that there might be an exploitable bug that would get you hypervisor code execution on a new kernel version. But I highly suspect it would be some kind of CPU or MMU bug rather than a bug in the hypervisor code.
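As an added illustration (not Grimdoomer's code and not taken from any of the games), the bug class the quoted passage describes: an unbounded strcpy of a string read from save data into a fixed stack buffer, shown beside a bounded loader that rejects oversized or unterminated records. The buffer size, the record layout and the function names are assumptions made for the example.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Assumed size of the loader's on-stack name buffer (illustrative, not the games' real value). */
#define PARK_NAME_MAX 32

/* Vulnerable pattern described above: the save blob's string is copied with
 * strcpy into a fixed stack buffer, so the length of attacker-controlled save
 * data decides how far past 'name' the copy writes. Shown for contrast only. */
static void load_park_name_unsafe(const char *save_blob)
{
    char name[PARK_NAME_MAX];
    strcpy(name, save_blob);        /* no bound: overflows when strlen(save_blob) >= PARK_NAME_MAX */
    printf("loaded park (unsafe): %s\n", name);
}

/* Hardened loader: locate the terminator inside the blob's known length,
 * reject an unterminated record, reject a name that cannot fit together
 * with its NUL, and only then copy exactly that many bytes. */
static bool load_park_name_safe(const char *save_blob, size_t blob_len,
                                char *out, size_t out_len)
{
    const char *nul = memchr(save_blob, '\0', blob_len);
    if (nul == NULL)
        return false;               /* record runs off the end of the save data */
    size_t name_len = (size_t)(nul - save_blob);
    if (name_len >= out_len)
        return false;               /* name plus terminator would exceed the buffer */
    memcpy(out, save_blob, name_len + 1);
    return true;
}

int main(void)
{
    char out[PARK_NAME_MAX];
    /* Constructed save records for the demo: a benign name and an oversized one. */
    const char benign[] = "Half Pipe";
    char oversized[2 * PARK_NAME_MAX];
    memset(oversized, 'A', sizeof oversized - 1);
    oversized[sizeof oversized - 1] = '\0';

    load_park_name_unsafe(benign);  /* fine for benign input, which is why the bug hides in normal play */
    printf("safe benign:    %d\n", load_park_name_safe(benign, sizeof benign, out, sizeof out));
    printf("safe oversized: %d\n", load_park_name_safe(oversized, sizeof oversized, out, sizeof out));
    return 0;
}
```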

Source
GitHub Release
 

Chris2055

The King Kong exploit is arguably a softmod (depending on whether you want to draw the line at undoing a couple of screws). It modified shaders in a game into unsigned code using the same hypervisor exploit this uses on 4548.

So we are on to blind hope now. It's not that the hypervisor is just that secure, it's that no one could be bothered because it was still getting updates.
So does this mean anything of substance for softmodding prospects or is it likely to be impractical and only usable on very old firmware?
 

master801

Ok I have had a thought about softmodding.
The Xbox 360 supports the ability to update the system via USB. Has been for a long time.
Check Google for the support page straight from Microsoft.
The file it gives on this page contains a bunch of XEX files, which from what little I've seen, can be opened up and dug through.
Has no one tried to make a modified version of the update files to run a custom dashboard, for example? Or were people afraid that if it was used it would be disabled?
Not how it works.

The private keys for signing executables would have to be cracked (and not from a leak - because you're liable to being sued to hell) for them to run on unmodified consoles.

This is why signed homebrew can run on the PSP and certain PS3 firmwares (3.55 OFW and below).
 

alexfree

Not only is it very impressive that there is support for multiple platforms and versions of the games, but the Xbox 360 also got its own version; I never thought this would ever happen since the short-lived King Kong exploit.
Exploiting a very popular game series is also a very good thing; it will be incredibly easy to get ahold of a used copy of the game for cheap since so many of them were produced and sold worldwide.

Too bad this dropped just a little too late; the same thing released 10-12 years ago would have been a smashing hit that could have changed the course of history, especially when you consider how big this truly is in terms of numbers for compatible versions.

Congratulations, this was most definitely a tremendous amount of work to get all of this figured out and exploited!

This didn’t drop too late at all. This guy is a genius. He waited for EOL of the 360 and dropped a save game exploit that has very little risk of ever being patched. If he dropped this 12 years ago, you wouldn’t be able to use it today because it would have been patched 11 years and 364 days ago in a game update. Now there is basically zero chance that this will ever get fixed. I really hope so anyway.

I can’t believe how many Tony Hawk games have the same type of exploit related to strcpy. Tonyhax is literally the same exploit type but on a PS1.
 

MasterJ360

It did become very difficult to burn backups as newer Xbox 360 titles were released. You needed a special disc drive that also needed flashing so it would burn a dual-layer disc above the 8.5GB point, and then when you had done it you had to test that the burn was below certain testing levels for it to run properly on the 360. I can’t remember now what everything was called, it was so long ago. Luckily I do still have all my burned backups in the green boxes I used to buy, stacked in boxes and put away. But yes, you had to exploit the 360 disc drive, and I found in the end that actually burning a backup was nearly impossible; I wasted/binned god knows how many dual-layer discs back in the day trying.
Yeah, I'm in the same boat. I still have my collection of burned games; I even extracted the game files from them to play on my RGH slim Trinity. Unfortunately I didn't burn any Tony Hawk game lol, and plus I don't have all the software for the burning process besides ImgBurn. So I'll just have to buy a used game to try this. I'm not sure what year that version of the dash was released, but if it was around 2012 then I can do it. That Xbox hasn't been powered on since then.
 

VinsCool

This didn’t drop too late at all. This guy is a genius. He waited for EOL of the 360 and dropped a save game exploit that has very little risk of ever being patched. If he dropped this 12 years ago, you wouldn’t be able to use it today because it would have been patched 11 years and 364 days ago in a game update. Now there is basically zero chance that this will ever get fixed. I really hope so anyway.

I can’t believe how many Tony Hawk games have the same type of exploit related to strcpy. Tonyhax is literally the same exploit type but on a PS1.
I did not think of this that way, good point indeed!
 

InsaneNutter

This didn’t drop too late at all. This guy is a genius. He waited for EOL of the 360 and dropped a save game exploit that has very little risk of ever being patched. If he dropped this 12 years ago, you wouldn’t be able to use it today because it would have been patched 11 years and 364 days ago in a game update. Now there is basically zero chance that this will ever get fixed. I really hope so anyway.

I can’t believe how many Tony Hawk games have the same type of exploit related to strcpy. Tonyhax is literally the same exploit type but on a PS1.

Indeed, very smart move. It might well be another 12 years until there's a hypervisor exploit discovered on 17559. However, if/when that happens, exploiting the console totally through software should hopefully be an option indefinitely.

Who knows, this might even rejuvenate interest in hacking the 360 hypervisor. Discussions around Tony Hawk's Pro Strcpy show there's a fair bit of interest in a totally software-only hack for the 360, despite RGH consoles not really being scarce.
 

americandadsonic

Indeed, very smart move. It might well be another 12 years until there's a hypervisor exploit discovered on 17559. However, if/when that happens, exploiting the console totally through software should hopefully be an option indefinitely.

Who knows, this might even rejuvenate interest in hacking the 360 hypervisor. Discussions around Tony Hawk's Pro Strcpy show there's a fair bit of interest in a totally software-only hack for the 360, despite RGH consoles not really being scarce.
My hope is that this exploit could be hidden in future firmwares/kernels, just not in the same place/location. The King Kong exploit was patched immediately as it was released, since it was announced before it was released. This exploit, even though it's on an old kernel, may still be present since Microsoft might not have found it yet. The Xbox One hack was probably even more useless since you had to download an app from the store (which was immediately removed) that can't be sideloaded, and you can't use game backups at all. Still good news, but it felt wasted, and it will definitely be a decade until the Xbox One is fully hacked.

I remember when you had to flash the PS3's firmware before installing CFW, and eventually we got a homebrew hack that eliminated taking your PS3 apart. This hack feels like it could be a similar situation, but it's too early to tell. I enjoyed using my PS3 CFW console, but the later 360 models were built so much quieter and more solid than the PS3 that that's why a softmod is something a lot of people want.
 

thekarter104

My disc drive died a few months ago.
Thought I had red ring. When I took the disc out, my Xbox 360 started working again and is still working. So no soft mod for me.

Still have to get a premodded one somewhere...
 

urbanman2004

Any adventurous scene hackers have a long way to go to perfect this exploit before they can repurpose it for softmodding consoles in order to forgo the need for mod chips especially for the Xbox 360.
 

AkikoKumagara

Something with these THPS games just keeps exploiting consoles, rofl! It was on the PS1 and now this..
Though a softmod for the 360 would be a game-changer.. Fingers crossed for this working on new kernels!
I think they're being targeted because of their multiplatform availability increasing the likelihood that an exploit like this would come around. That, and they are basically always available in a seemingly endless supply for $5 on the used market, which certainly doesn't hurt. I would guess there are a lot of games which could be exploited in similar ways with the right amount of effort and dedication, kind of like how TonyHax was leading the charge for a bunch of other games exploits being discovered on PS1.
 

Sonic3320

Ok I have had a thought about softmodding.
The Xbox 360 supports the ability to update the system via USB. Has been for a long time.
Check Google for the support page straight from Microsoft.
The file it gives on this page contains a bunch of XEX files, which from what little I've seen, can be opened up and dug through.
Has no one tried to make a modified version of the update files to run a custom dashboard, for example? Or were people afraid that if it was used it would be disabled?
As said, it is impossible because the system checks everything before applying the update.
On the PS3, HEN only works doing this because they carefully change the internal web browser to a version that is exploitable.

One thing I said before was to use a game that loads things externally like how Super Smash Bros Brawl on the Wii does. It has a stage builder that loads stages saved on the SD Card. The Xbox 360 has another game that does this: Lips. It has a feature to play songs on a USB drive or iPod. I wonder if it would be possible to insert a modified MP3 file that triggers code execution.
Post automatically merged:

Yet PS3 = RetroArch hence why the default Retroarch menu looked like a PS3.

I guess having RetroArch for PS3 makes it less interesting for homebrew. By the way, both RetroArch for Vita and PS3 have been dead for years. But Vita at least has a core loader that works.
The RetroArch menu doesn't have any relation to how easy or not, or how it is intended to run; it is only an aesthetic choice. Actually, even if hacking the PS3 is considerably easier now, RetroArch on PS3 is extremely limited and in some cases it even runs better on Wii.
 

_47iscool

This didn’t drop too late at all. This guy is a genius. He waited for EOL of the 360 and dropped a save game exploit that has very little risk of ever being patched. If he dropped this 12 years ago, you wouldn’t be able to use it today because it would have been patched 11 years and 364 days ago in a game update. Now there is basically zero chance that this will ever get fixed. I really hope so anyway.

I can’t believe how many Tony Hawk games have the same type of exploit related to strcpy. Tonyhax is literally the same exploit type but on a PS1.

IIRC, in the video he mentions that he found the exploit years ago but only recently decided to release it.

But on the upside, he released the source code.
 