Difference between revisions of "Exploits"

From xboxdevwiki
(TEA attack)
Line 18: Line 18:
 
Uses a legacy x86 feature.
 
Uses a legacy x86 feature.
  
=== TEA attack ===
+
=== TEA attack (MCPX 1.1 only) ===
  
TEA can not be used as a hash.
+
TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way.
 +
 
 +
The original attack uses the 5 bytes at 0xffffd4FC which are <code>E9 83 01 00 00</code>.
 +
This is <code>jmp 0xffffd588</code> (which is a jump within the flash region).
 +
 
 +
When flipping the highest bit of the operand DWORD (at 0xffffd400) this will become: <code>E9 83 01 00 80</code>.
 +
This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region).
 +
For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped.
 +
 
 +
The RAM can be controlled using the x-code command to write to RAM.
 +
So the idea is to copy a program from Flash to RAM using x-codes.
 +
Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above).
 +
The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken.
 +
 
 +
As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM.
 +
 
 +
When the attack happens, the MCPX ROM is still visible, making this a very powerful attack.
 +
 
 +
''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).''
  
 
== Dashboard ==
 
== Dashboard ==
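Review bot: the two flash addresses in the added TEA paragraphs do not agree with each other: the five bytes <code>E9 83 01 00 00</code> are placed at 0xffffd4FC, but the next paragraph puts the operand DWORD at 0xffffd400, and the stated target <code>jmp 0xffffd588</code> only follows if the instruction itself starts at 0xffffd400 (0xffffd400 + 5 + 0x183 = 0xffffd588); please settle on one address. With the top operand bit set, the same arithmetic gives 0xffffd405 + 0x80000183 = 0x7fffd588 after 32-bit wrap rather than 0x7fd588, so that value is worth double-checking too. Also "succssful" should read "successful" and "Bunnnies book" should read "bunnie's book", matching the spelling used in the MCPX section above.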

Revision as of 14:42, 6 June 2017

== MCPX ==

=== LDT (Hypertransport) bus tap ===

See bunnie's adventures hacking the Xbox.

=== Visor hack ===

Exploits incorrect rollover of memory address.

=== MIST hack ===

Exploits error in xcode interpreter security check. There are at least 2 variations of this hack.

=== A20# hack ===

Uses a legacy x86 feature.

=== TEA attack (MCPX 1.1 only) ===

TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [1][2]. And yet, Microsoft used it that way.

The original attack uses the 5 bytes at 0xffffd4FC which are <code>E9 83 01 00 00</code>. This is <code>jmp 0xffffd588</code> (which is a jump within the flash region).

When flipping the highest bit of the operand DWORD (at 0xffffd400) this will become: <code>E9 83 01 00 80</code>. This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region). For the attack to be successful, the highest bit in the DWORD at 0xffffd404 also has to be flipped.

The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken.

As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM.

When the attack happens, the MCPX ROM is still visible, making this a very powerful attack.

''The TEA algorithm and exploit are also described in more detail in bunnie's book (Page 109 and Page 142).''
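The reason two bit flips leave the hash untouched is the equivalent-key property of TEA described in the two papers cited above: in each round the key words enter as <code>((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1])</code>, and adding 0x80000000 to a 32-bit word flips only its top bit, so flipping bit 31 of k[0] and of k[1] together cancels out in the XOR (the same holds for k[2] and k[3]). In Davies-Meyer mode the 16-byte message block ''is'' the key, so a flash image and a copy with the top bit of two adjacent words of one block flipped hash to the same value. The program below is an added example written for this page, not code from the wiki, from bunnie's book, or from the MCPX ROM: it implements standard TEA, a Davies-Meyer chain over it, and checks which flip patterns collide. The IV, the little-endian word order and the absence of padding (input length a multiple of 16) are assumptions, and the 64-byte input is a constructed pattern standing in for an FBL image.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEA_DELTA  0x9E3779B9u
#define TEA_ROUNDS 32

/* Standard TEA block encryption (Wheeler/Needham): 64-bit block, 128-bit key. */
static void tea_encrypt(uint32_t v[2], const uint32_t k[4])
{
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < TEA_ROUNDS; i++) {
        sum += TEA_DELTA;
        /* Flipping bit 31 of k[0] and k[1] flips bit 31 of the first and third
         * term; the XOR cancels the change, so v0 is unaffected. */
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0;
    v[1] = v1;
}

/* Little-endian DWORD load; byte order is an assumption of this example. */
static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Davies-Meyer chain: H_i = E_{M_i}(H_{i-1}) XOR H_{i-1}, with each 16-byte
 * message block used as the TEA key. The IV is constructed for this example;
 * the real MCPX 1.1 parameters are not on the page. len must be a multiple
 * of 16 (no padding is applied). */
static void tea_dm_hash(const uint8_t *msg, size_t len, uint32_t out[2])
{
    uint32_t h[2] = { 0x01234567u, 0x89abcdefu };
    for (size_t off = 0; off + 16 <= len; off += 16) {
        uint32_t k[4], v[2] = { h[0], h[1] };
        for (int w = 0; w < 4; w++)
            k[w] = load_le32(msg + off + 4 * w);
        tea_encrypt(v, k);
        h[0] ^= v[0];
        h[1] ^= v[1];
    }
    out[0] = h[0];
    out[1] = h[1];
}

/* Flip bit 31 of the little-endian DWORD starting at byte offset off. */
static void flip_dword_msb(uint8_t *buf, size_t off)
{
    buf[off + 3] ^= 0x80;
}

static int hashes_equal(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint32_t ha[2], hb[2];
    tea_dm_hash(a, len, ha);
    tea_dm_hash(b, len, hb);
    return ha[0] == hb[0] && ha[1] == hb[1];
}

/* Hash a constructed 64-byte image, then the same image with the MSB of key
 * word word_a (and, if word_b >= 0, word_b) of block 1 flipped.
 * Returns 1 if the two hashes collide, 0 otherwise. */
int flips_collide(int word_a, int word_b)
{
    uint8_t orig[64], mod[64];
    for (int i = 0; i < 64; i++)          /* constructed sample contents */
        orig[i] = (uint8_t)(i * 37 + 11);
    memcpy(mod, orig, sizeof orig);
    flip_dword_msb(mod, 16 + 4 * (size_t)word_a);   /* block 1 starts at byte 16 */
    if (word_b >= 0)
        flip_dword_msb(mod, 16 + 4 * (size_t)word_b);
    return hashes_equal(orig, mod, sizeof orig);
}

int main(void)
{
    printf("words 0+1 flipped, hash unchanged: %d\n", flips_collide(0, 1));
    printf("words 2+3 flipped, hash unchanged: %d\n", flips_collide(2, 3));
    printf("words 1+2 flipped, hash unchanged: %d\n", flips_collide(1, 2));
    printf("word 0 alone flipped, hash unchanged: %d\n", flips_collide(0, -1));
    return 0;
}
```

Only the pairs (k0, k1) and (k2, k3) collide; a single flip or a flip spanning the two pairs changes the digest, which is why the attack needs exactly two flips in adjacent DWORDs of the same block. A block cipher whose key space contains such equivalent keys cannot serve as a Davies-Meyer compression function, since every message block then has a free collision; the usual mitigation is a purpose-built hash (or at least a cipher without equivalent keys) for boot-code verification.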

== Dashboard ==

=== Audio hacks ===

=== Font hacks ===

=== Easter-egg exploit ===

== Savegames ==

=== 007: Agent Under Fire ===

=== MechAssault ===

=== Tom Clancy's Splinter Cell ===

== Notes ==