XBOX OG Xbox Exploit Development

stuntpenguin

Donator
Registered
Joined
Dec 6, 2020
Donations
£735.48
Messages
33
Reaction score
33
Points
18
AG User Name
stuntpenguin
AG Join Date
2009
Is anyone interested in original Xbox exploit development?

I hacked together an Xbox kernel fuzzer a few years ago. It's pretty trash and I had no clue what I was doing. I still don't, but there are definitely improvements to be made.

Thanks to XQEMU, it should be possible to fuzz the Xbox kernel with kAFL. I'd like to target XBE loading, the network stack, or local Xbox Live services (since this can be partially replicated). The goal is for people to be able to easily get code running on their retail consoles. Most everyone has a router and two Ethernet cables. Blank CDs / DVDs and disc burners are becoming harder to find in the common household so XBE loading might be off the table. At some point, I had an idea of exploiting signed games (demos) capable of running off of CD / DVD but IIRC all resources were packed into the executable for games signed like that. Even so, a SHA1 collision would put us in business. Those have been getting cheaper and cheaper to obtain. I think the current computing power is around 100k USD for a reasonably timed collision.

Some version of the kernel sources is also "in the wild", although I'm not sure if we talk about those.

If anyone is interested, hit me up. I can probably do the kAFL porting. To use it you'd need some version of Ubuntu (planning on making this more generic Linux), and an Intel processor supporting "Processor Trace". Even if you don't have these things, you can still do binary analysis, come up with your own tactics, or just toss around ideas.

edit:

Can any mod give clarification on kernel source? Is talk permitted?
 
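On the XBE-loading target mentioned in the post above: an added example, not code from stuntpenguin or from the thread, showing the bounds checks a loader has to make on an XBE image header before it trusts the section table, which is exactly the class of defect a loader fuzzer hunts. The header layout is assumed from the publicly documented XBE format (magic, base address, header/image sizes, section count and table address, 56-byte section headers); every sample image is constructed inside the block.

```python
import struct

# Offsets follow the publicly documented original-Xbox XBE format (an assumption
# of this example, not something stated in the thread). Sample images are constructed.
XBE_MAGIC = b"XBEH"
SECTION_HEADER_SIZE = 0x38      # 56 bytes per section header
IMAGE_HEADER_MIN = 0x124        # far enough to read the section-table address field

def parse_xbe_headers(data: bytes) -> list:
    """Return [(virtual_addr, virtual_size, raw_off, raw_size), ...] for a
    well-formed XBE, or raise ValueError for a header a loader must reject."""
    if len(data) < IMAGE_HEADER_MIN or data[:4] != XBE_MAGIC:
        raise ValueError("not an XBE image")
    base, hdr_size, img_size = struct.unpack_from("<III", data, 0x104)
    n_sections, table_va = struct.unpack_from("<II", data, 0x11C)
    if hdr_size > len(data) or hdr_size > img_size:
        raise ValueError("header size exceeds image")
    table_off = table_va - base
    # Validate the whole table before trusting any entry: a 32-bit loader that
    # computes n_sections * 56 without this check can wrap and under-allocate.
    if table_off < 0 or table_off + n_sections * SECTION_HEADER_SIZE > hdr_size:
        raise ValueError("section table outside headers")
    sections = []
    for i in range(n_sections):
        off = table_off + i * SECTION_HEADER_SIZE
        _flags, va, vsize, raw_off, raw_size = struct.unpack_from("<IIIII", data, off)
        if va < base or va + vsize > base + img_size:
            raise ValueError(f"section {i}: virtual range outside image")
        if raw_off + raw_size > len(data) or raw_size > vsize:
            raise ValueError(f"section {i}: raw range outside file")
        sections.append((va, vsize, raw_off, raw_size))
    return sections

def xbe_load_error(data: bytes):
    """Convenience wrapper: None if the headers pass, else the rejection reason."""
    try:
        parse_xbe_headers(data)
    except ValueError as exc:
        return str(exc)
    return None

def build_xbe(base: int, sections: list, img_size: int = 0x10000) -> bytes:
    """Construct a minimal XBE: image header, section table, then raw section
    bytes. `sections` is a list of (virtual_addr, virtual_size, raw_size)."""
    table_off = 0x180
    hdr_size = table_off + len(sections) * SECTION_HEADER_SIZE
    hdr = bytearray(hdr_size)
    hdr[:4] = XBE_MAGIC
    struct.pack_into("<III", hdr, 0x104, base, hdr_size, img_size)
    struct.pack_into("<II", hdr, 0x11C, len(sections), base + table_off)
    body = bytearray()
    for i, (va, vsize, raw_size) in enumerate(sections):
        struct.pack_into("<IIIII", hdr, table_off + i * SECTION_HEADER_SIZE,
                         0, va, vsize, hdr_size + len(body), raw_size)
        body += b"\x90" * raw_size      # constructed filler for the raw section
    return bytes(hdr + body)
```

Truncating the image, inflating the section count, or pointing a section below the base address each produces a distinct rejection reason, which is the kind of check that turns a fuzzer-found crash into a concrete loader fix.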

stuntpenguin
This is actually coming along nicely. Something is fucked up though. Seeing the hypercalls in KVM. Can't tell if it's relaying back to QEMU. Driver program just runs through all hypercalls. Need to debug more :/

Update:

It lives!!! The crashes are coming from my sample program. It found both bugs in a relatively short time. Should be able to speed this up quite a bit by switching to my desktop, narrowing the trace range (using whole address space rn), and maybe even stripping off some bits of xqemu that aren't needed. I've got to get this cleaned up and documented -- hopefully this weekend. Going to start hammering down on the network stack.

[Attached screenshot: Screenshot from 2021-01-14 19-09-55.png]
 

stuntpenguin
I hate to triple post, but this works now. I've been staring at a lot of disassembly. I'd loooove to find something at the kernel level, but the fun DNS / DHCP stuff happens in "usermode"? I know everything runs in kernel mode. I can't seem to hook anything up there but I can find it.

A stock Xbox requires an attempt to connect to XBL in order to initialize the interface. Fortunately there's a DNS error you can sit on to keep the interface alive. Using the normal technique to send packets to the target isn't working. I'm trying to call the functions in question directly; it may involve loading actual binaries and going from there.
 