Difference between revisions of "Exploits"
(Update state of my proposals) |
(List my 2 most promising findings from the past week of exploit experiments) |
||
Line 82: | Line 82: | ||
{| class="wikitable" | {| class="wikitable" | ||
! Purpose || Author || Description || Status | ! Purpose || Author || Description || Status | ||
+ | |- | ||
+ | | Preserving memory across boot || JayFoxRox | ||
+ | | Confirm behaviour described in the coldboot paper (https://jhalderm.com/pub/papers/coldboot-cacm09.pdf). This can be used to transfer code / setups for other exploits across a boot (such as preparing memory for A20 attack). | ||
+ | | Success: We have marked memory and rebooted the Xbox (through SMC warm and cold, and manual reboot using power switch). At room temperature, and the Xbox pre-heated, hundreds of markers can still be found after 10 seconds. Within the first 5 seconds, no loss of data was measured at all (although not many bits have been marked to begin with). We have confirmed the memory persistence not only for the main RAM, but also MCPX APU DSP memory banks. Other memory or register banks were not tested yet. | ||
+ | |- | ||
+ | | Early boot control || JayFoxRox | ||
+ | | Xcodes allow writing PCI config space. This can be used to set PCI BARs to random page-aligned addresses. Some devices like the NV2A or MCPX APU contain large register banks which can be read and written like RAM. So effectively we can probably overlay the flash memory or MCPX ROM with a temporary PCI mapping. | ||
+ | This can be used to take control over code contained in RAM (FBL / 2BL), flash or possibly even the MCPX ROM during boot. This attack could be used to avoid unmapping the MCPX ROM and is therefore quite powerful. However, it requires knowledge of the Xcodes. | ||
+ | | This has not been tested during real-mode or early boot yet, but is assumed to work. It was tested from protected mode by mapping USB1 over the Flash and MCPX ROM region (main RAM has not been tested yet). Mapping the overlay pages without caching resulted in crashes. However, the PD was not reviewed at the time and might have been broken (through unconventional use of MmMapIoSpace). | ||
|- | |- | ||
| Dumping the MCPX ROM || JayFoxRox | | Dumping the MCPX ROM || JayFoxRox |
Revision as of 23:34, 1 September 2018
Contents
MCPX
LDT (Hypertransport) bus tap
See bunnie's adventures hacking the Xbox.
Visor hack
Exploits incorrect rollover of memory address.
MIST hack
Exploits error in xcode interpreter security check. There are at least 2 variations of this hack.
A20M# hack
Uses a legacy x86 feature.
RC4 attack (MCPX 1.0 only)
Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL. However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked. As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects.
This can be used to take over the 2BL entry point.
When the attack happens, the MCPX ROM is still visible, making this a very powerful attack.
This attack is described by Michael Steil in his Google talk.
TEA attack (MCPX 1.1 only)
TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [1][2]. And yet, Microsoft used it that way.
The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are E9 83 01 00 00
.
This is jmp 0xffffd588
(which is a jump within the flash region).
When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: E9 83 01 80 00
.
This is jmp 0x7fd588
(which is a jump into the RAM region).
For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped.
The RAM can be controlled using the x-code command to write to RAM. So the idea is to copy a program from Flash to RAM using x-codes. Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above). The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken.
As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM.
When the attack happens, the MCPX ROM is still visible, making this a very powerful attack.
The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).
Dashboard
Audio hacks
Font hacks
Analysis of "Bert & Ernie" font-exploit.
Easter-egg exploit
Savegames
Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames [citation needed] [3]
007: Agent Under Fire
Frogger Beyond
MechAssault
Tom Clancy's Splinter Cell
Tony Hawk's Pro Skater 4
Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer. a video demonstrating the game trigger (custom skatepark)
10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow - grimdoomer
another website talking about his exploit. xbmc4xbox.org.uk
Attack ideas
Purpose | Author | Description | Status |
---|---|---|---|
Preserving memory across boot | JayFoxRox | Confirm behaviour described in the coldboot paper (https://jhalderm.com/pub/papers/coldboot-cacm09.pdf). This can be used to transfer code / setups for other exploits across a boot (such as preparing memory for A20 attack). | Success: We have marked memory and rebooted the Xbox (through SMC warm and cold, and manual reboot using power switch). At room temperature, and the Xbox pre-heated, hundreds of markers can still be found after 10 seconds. Within the first 5 seconds, no loss of data was measured at all (although not many bits have been marked to begin with). We have confirmed the memory persistence not only for the main RAM, but also MCPX APU DSP memory banks. Other memory or register banks were not tested yet. |
Early boot control | JayFoxRox | Xcodes allow writing PCI config space. This can be used to set PCI BARs to random page-aligned addresses. Some devices like the NV2A or MCPX APU contain large register banks which can be read and written like RAM. So effectively we can probably overlay the flash memory or MCPX ROM with a temporary PCI mapping.
This can be used to take control over code contained in RAM (FBL / 2BL), flash or possibly even the MCPX ROM during boot. This attack could be used to avoid unmapping the MCPX ROM and is therefore quite powerful. However, it requires knowledge of the Xcodes. |
This has not been tested during real-mode or early boot yet, but is assumed to work. It was tested from protected mode by mapping USB1 over the Flash and MCPX ROM region (main RAM has not been tested yet). Mapping the overlay pages without caching resulted in crashes. However, the PD was not reviewed at the time and might have been broken (through unconventional use of MmMapIoSpace). |
Dumping the MCPX ROM | JayFoxRox | Trying to find problems with the SMC reset chain:
|
Failed: I've tried reading MCPX ROM memory for as long as possible using the CPU. I've tried resets using PM26 (assumed PWRBTN), SMC Soft (0x01) and SMC Hard (0x40).
Memory was read based on observing value changes (in PCI regions, signalling reset), and timing alone (X cycles after starting reset). The MCPX ROM region access always crashed. Shadowing the MCPX ROM with a PCI device does not help: The CPU never observed the PCI devices being remapped / lost. As MCPX and CPU are both reset by the SMC directly, this is not surprising. |
Dumping the MCPX ROM | JayFoxRox | Trying to find problems with the SMC reset chain:
|
Concept only: No interest in experimenting with NV2A DMA. |
Dumping the MCPX ROM | JayFoxRox | Trying to find problems with the SMC reset chain: On a warm boot, the x86 might do a bad boot (the following is a theory, someone please measure pins). Theroy: PWRGD is provided, but CPURST is still high from the previous run; CPURST might only go low once NV2A reboots:
|
Concept only: Someone should measure the pins and possibly look into the memory signals. This is too time consuming for me. |
Unknown | JayFoxRox | Partial system reset using 0xCF9 I/O register | Resetting through 0xCF9 lands us on a black screen and the LED flashes as if the DVD tray was being opened. It's currently assumed that 0xCF9 only resets peripherals and NV2A / CPU, but it does not seem to reset the MCPX itself (hence issues booting and PCI activity which causes LED to flash). This has not been tested yet. An idea to confirm this, might be to map a device at 0xFFFFFFF0 which places an x86 jump to a good memory page. If the MCPX really isn't reset, then the CPU would boot from the MMIO / known page. |
Dumping the MCPX ROM | JayFoxRox | Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot. | Failed: An attempt was made to use the APU GP DSP DMA to continuously store x86 code where 2BL would unpack. The system was then reset using the SMC. It booted normally. It is assumed that the DMA is probably long dead by the time that the 2BL is being unpacked / ran. |
Unknown | JayFoxRox | Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address. | Concept only: Needs more research |
Dumping the MCPX ROM | JayFoxRox | Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still. |
|
Dumping Kernel INIT | JayFoxRox | INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run. | Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost. |
Dumping Kernel INIT | DaveX | An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-explot, audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod. | WIP as of 2018-03-04 |
Homebrew entry point | Community | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-R[FIXME]. If we can find an exploit in one of them (loaded files), we could possibly take over the entire system and run homebrew from DVD-R. | |
Star Wars: Clone Wars - Volume Two
Untested | |||
Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)
Untested | |||
Star Wars Trilogy (Widescreen Edition with Bonus Disc)
Untested | |||
Star Wars Trilogy DVD with Demo
Untested | |||
Star Wars: Clone Wars - Volume One
Untested | |||
The Chronicles of Riddick (Widescreen Unrated Director's Cut)
Untested | |||
Doom (Unrated Widescreen Edition)
Untested | |||
Hulk (Special Edition)
Untested | |||
King Arthur - The Director's Cut (Widescreen Edition)
Untested | |||
Robots (Widescreen Edition)
Untested | |||
Van Helsing (Widescreen Edition)
Untested | |||
Clone Wars Volume 1
Untested |