Xbox 360: Potential Xbox 360 softmod

#1. Posted:
IcyModzXeX
  • New Member
Status: Offline
Joined: Sep 26, 2014 (9-Year Member)
Posts: 2
Reputation Power: 0
What's going on TTG, today I'm asking for the help of the OGs in the Xbox 360 hacking community.

I believe I have found two possible entry points to enable chain-loading a homebrew program.

The talk here

[Minimum post requirement for links]

at 11:00 mentions "if a game had a way to reload code into data areas and jump there, this alone would >kill< the system".

The talk here

[Minimum post requirement for links]

mentions at 14:00 that something like a return-to-libc attack could still be possible.

Inspired by this and the PS5 kernel exploit in the presence of a hypervisor, I looked into xam.xex (Xbox application manager) looking for a kernel exploit, however hard it may be and whatever hurdles may come next, and came across the function xamloaderlaunchtitleondvd. Theoretically, if a game has kernel privileges it should be able to call any function export, right? So basically, to call a function from a game in the xam you just store the address using mtctr r11 and then blr to the function.

So, if you branch to the address from a game on disc in an RGH console, then hot-swap in a disc two that contains a patched title ID just before you call it, with the same game assets except you swap the xex, it boots. Theoretically the hypervisor should allow some unsigned game somewhere, if nothing else, to invoke this function if kernel mode alone won't work, and if the xamloaderpriortitleid passes and the ISO appears in the correct format it will load any xex into memory at the same location on disc as the normal game.

It's also worth mentioning you can patch out whether a disc can be fully removed and still run what's in memory without issues, to an extent obviously. So placing a disc two in the drive literally cannot be detected or be an issue.

I have a strong feeling that this very old function was designed for use in games because it uses getpriortitleid and not getdashtitleid (I forget the actual name tbh, I think it's getdashtitleid), and it's also not a function import of the dash or HUD.

Tonight I looked at Terraria and found that the default.xex that loads the GoD file container does not appear to contain a method to check the signature of the GoD file containing the game, so I replaced it with the XeX Menu's GoD file. Then I noticed you could use the HUD to reload the same Terraria game, so I did, and sure enough it booted XeX Menu. I figured there would obviously be more checks in this second method, but personally found it hilarious.

Obviously these tests weren't performed in the presence of a hypervisor, but they were performed in the presence of a retail xam.xex, dash.xex and HUD.xex for good measure.

My question is: what specifically can the hypervisor check on a game that doesn't do the HMAC-SHA, SHA1, RC4 or any of that? It should only check the title ID before loading it into memory and jumping there in the presence of a flashed DVD drive, correct?

My second question is: does a game in kernel mode have access to this specific function that isn't imported by the dashboard or the HUD? Because if so, I should be able to chain-load an xex regardless of whether it's in the correct format?

My third question is to ask if someone has an IDC or something to label the function imports and exports in the 17559 xboxkrnl.exe so that I can actually make out what anything is. Surely there's a way, but it's buried under months of research.

My final question: can anyone create the machine code to load the address of xamloaderlaunchtitleondvd into r11? I haven't managed to do so yet.
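The weakness the post describes in the Terraria loader is a container whose payload is handed to the runtime without its signature ever being checked, so swapping the payload inside the container goes unnoticed. The following is an added example, not code from the thread or from any Xbox 360 component, showing that unchecked pattern beside the check a loader should perform (a keyed MAC over the payload, compared in constant time). The container layout, the key and the payload bytes are all constructed for illustration and are not the Xbox 360 GoD/XEX formats or keys.

```python
import hashlib
import hmac
from typing import Optional

# Constructed container layout for this example only: <payload><HMAC-SHA1 tag>.
# Nothing here reflects the real Xbox 360 container format or signing scheme.
TAG_LEN = hashlib.sha1().digest_size  # 20 bytes


def sign_container(key: bytes, payload: bytes) -> bytes:
    """Build a container: the payload followed by an HMAC-SHA1 tag over it."""
    tag = hmac.new(key, payload, hashlib.sha1).digest()
    return payload + tag


def verify_container(key: bytes, container: bytes) -> Optional[bytes]:
    """Return the payload only if its tag verifies; otherwise return None.

    The comparison is constant-time so a forged tag cannot be matched byte by byte
    through timing differences.
    """
    if len(container) < TAG_LEN:
        return None
    payload, tag = container[:-TAG_LEN], container[-TAG_LEN:]
    expected = hmac.new(key, payload, hashlib.sha1).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    return payload


def unchecked_loader(container: bytes) -> bytes:
    """The weak pattern: strip the trailer and run whatever payload is present."""
    return container[:-TAG_LEN]


def checked_loader(key: bytes, container: bytes) -> Optional[bytes]:
    """The hardened pattern: a payload is only returned for execution once verified."""
    return verify_container(key, container)


def demo() -> dict:
    """Show both loaders against a genuine container and one whose payload was swapped."""
    key = b"constructed-demo-key"          # constructed, not a real key
    original = b"GAME_PAYLOAD"             # constructed stand-in for the game binary
    container = sign_container(key, original)
    # Simulate replacing the payload while keeping the original trailer in place.
    swapped = b"MENU_PAYLOAD" + container[-TAG_LEN:]
    return {
        "unchecked_accepts_swapped": unchecked_loader(swapped) == b"MENU_PAYLOAD",
        "checked_accepts_original": checked_loader(key, container) == original,
        "checked_rejects_swapped": checked_loader(key, swapped) is None,
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point of the hardened path is that the decision to execute is made only after the MAC verifies; a loader that reads the payload first and checks later, or that checks a header field such as a title ID but not the payload itself, gives the same outcome as `unchecked_loader`.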
#2. Posted:
Neoteam1
  • Resident Elite
Status: Offline
Joined: Oct 13, 2009 (14-Year Member)
Posts: 218
Reputation Power: 7
If a softmod to the 360 can be done, I would love to see this, as I want to get online achievements and DLC for games that have closed or been delisted.
#3. Posted:
OPUS
  • Winter 2021
Status: Offline
Joined: Dec 14, 2014 (9-Year Member)
Posts: 1,114
Reputation Power: 7493
Motto: The Simplest Things Can Cause The Biggest Problems | Nfinite Live Lifetime | 5000 REP - 20/04/2021
The only way you will find out is by testing on a retail system. But I highly doubt it will work.