XboxHacker BBS
Author Topic: Project started: rebooting into an(y) unsigned kernel + hypervisor  (Read 49264 times)
klipseracer
Master Hacker
Posts: 377
« Reply #60 on: January 04, 2008, 02:10:39 AM »

OOooook.. Let's do a 180° turn here and get back on topic.

I'm sure that just 'booting' an unsigned XBE isn't so simple, but with the release of the new firmware that allows running xb1 games, maybe someone should look into this new part of the firmware a little and see how the files are laid out and what calls are loading them into memory. I'm sure they've added additional security in this area as well... Has anyone else thought to explore this new feature in this way? I do realize no matter how we TRY to load an xbe, there is still the underlying security preventing an unsigned xbe from running, but it's a different approach to consider, and I'm sure it would be easier to hitchhike off of the xbox's own design.

As far as 'Fully Rebooting' into a modified Dash/HV, I suppose we need to find this 'moving needle' that arnezami speaks of. Until then we're really at a standstill with all the XBE/XBMC crap. These ideas are coming from someone that's picturing the 'end user' end result, which really isn't contributing toward the goal here.

« Last Edit: January 04, 2008, 02:21:32 AM by klipseracer »
safety
Master Hacker
Posts: 296
« Reply #61 on: January 19, 2008, 07:20:21 PM »

Well, not the best place to post, but here it goes...
What's the mechanism in the xbox emulator to determine which disc is compatible and which is not?

Yeah, I know it's a shot at the moon with a water pistol, but isn't there some solution to disguise it (or whatever, I'm not English) so it boots up? (some code).

Those xbox1 games use the GPU too.
Is there any chance that an xbox1 version game can be patched and booted up by the emulator?

--nothing fancy, just would like to know if it has any possibilities or not--
Arakon
Administrator
Xbox Hacker
Posts: 6472
« Reply #62 on: January 19, 2008, 07:32:55 PM »

There are two theories: one is that the emulator actually contains a list of disc IDs, the other that it checks what libraries and functions are used by the game, and runs only if all are supported.
The problem with patching would be that the game would very likely crash, because MS usually does check if the games work or not, and if not, they don't get added to the list.

I do NOT give support by email, PM, ICQ or whatever. Anyone annoying me that way will have his balls removed. With a rusty butterknife. Slowly. And I'll enjoy doing it.
loser
Member
Posts: 43
« Reply #63 on: February 05, 2008, 10:54:08 AM »

* the xbox emulator consists of a frontend and a backend.
* the backend is the actual emulator which does all the work (there are multiple of these).
* the frontend just decides if it should let the game play, and which backend to use.

* each xbox game has a unique titleid (embedded in the xbe).
* the emu frontend (xbox.xex) contains a list of titleids for supported games; if the game isn't in this list, it won't try to play it.
* this list matches the titleid to the emulator version, as well as containing info such as whether to use xbox live and whether to apply patches to the xex.

* each emu backend (xefu.xex) is self contained and has a small xbox1 kernel inside it. this kernel does the signature, hash, region and media checks, and doesn't play a game if it doesn't pass these checks.

** so to summarise, the frontend decides whether to try to play the game or not, the backend enforces all restrictions. removing the frontend checks does indeed allow quite a few other games to play fine or almost fine, and removing the backend checks allows you to play any region game on any media such as your hdd.
safety
Master Hacker
Posts: 296
« Reply #64 on: February 16, 2008, 09:21:01 AM »

//** so to summarise, the frontend decides whether to try to play the game or not, the backend enforces all restrictions. removing the frontend checks does indeed allow quite a few other games to play fine or almost fine, and removing the backend checks allows you to play any region game on any media such as your hdd.///

That's more than interesting. So a well forged xbox1 xbe can be launched from any media.

Hmm.. can the emulator access the memory with the help of the gpu?

Also, I know that xbox1 games can call other xbes; if an xbe passes the checks and loads another xbe, are the checks applied again?
loser
Member
Posts: 43
« Reply #65 on: February 20, 2008, 09:29:01 AM »

a well "forged" xbe cannot be made as such, since every xbe has to be signed with the xbox1 private key, which no one has. as for loading of other xbe files, every time an xbe is loaded in-game the backend performs checks upon them.
MastaG
Master Hacker
Posts: 255

Badr Hari FTW!
« Reply #66 on: March 16, 2008, 06:16:40 PM »

wasn't the private key for signing xbe (xbox1) files cracked a while ago?

Anabolic steroids will make you feel real good about yourself:)
Sustanon 0wnz
Arakon
Administrator
Xbox Hacker
Posts: 6472
« Reply #67 on: March 17, 2008, 12:44:26 AM »

no, never. it's 1024-bit encryption; it won't be cracked for a long, long time.

I do NOT give support by email, PM, ICQ or whatever. Anyone annoying me that way will have his balls removed. With a rusty butterknife. Slowly. And I'll enjoy doing it.
safety
Master Hacker
Posts: 296
« Reply #68 on: May 10, 2008, 11:47:57 PM »

that's pretty bad..
I'm searching for bits of info, and PRAY that You are wrong.
But probably You are not...

Anyways, 1024 vs 2048 is a pretty nice catch, LOL
trying to cheer myself up a bit..

some sort of information about this emulator would also be nice.
Searching for it, but can not guarantee I'm going to find anything useful..
probably a waste of time.. like most of my "bright" ideas. Except the posts I made about overheating when the FIRST red light issues had seen daylight.. and the solution with a PROPER heatsink, LOL..
2 out of a thousand.. much better than 1024..)
dieselboy
Hacker
Posts: 56
« Reply #69 on: February 23, 2009, 04:08:56 AM »

keep up the good work all of you! this is fascinating stuff.
thanks!
.ISO
Xbox Hacker
Posts: 734
« Reply #70 on: March 01, 2009, 06:06:11 PM »

keep up the good work all of you! this is fascinating stuff.
thanks!
oi, check the date

you wish gigaturd, as if you even know how to tell the difference between a disassembler and your vagina
Gigabite: A fool who think he is always right, and talk about how useless others are when he is really addressing to himself.
Gigabite agreeing with the statement:
p.s nice comment in your sig
nickcas
Hacker
Posts: 73
« Reply #71 on: July 12, 2009, 12:53:06 AM »

Shouldn't this be unstuck? It's obvious that this project was completed and is not going to be released, so what's the point of having it here still? Absolutely no disrespect to anyone involved in this project, but it seems as though most of these types of topics start out pouring with information, and then abruptly end?

I really don't understand why something like this couldn't be released now, considering the 4532 kernel is over two years old, and exploitable boxes are becoming a rarity. Not to mention that the only real form of a hack to date is modified dvd drive firmware, and that allows for ONLY piracy.

Just my two cents on the situation. Again, no disrespect to anyone involved in these projects. Your work is greatly appreciated.
masterluke
Member
Posts: 19
« Reply #72 on: August 12, 2009, 03:56:08 AM »

<snip> It's obvious that this project was completed and is not going to be released<snip>

oh yes, the fact that no-one is posting on the thread is definitely conclusive proof that a complex technical hack was completed and then hidden in some kind of anti-linux pro-piracy conspiracy.

..that is definitely the most likely explanation..
SUDDEN73
Newbie
Posts: 4
« Reply #73 on: August 14, 2009, 04:15:35 PM »

Team, who do you listen to? There are a lot of people, as well as opinions.
Disrespect from the side of one does not yet mean disrespect from the side of others.
Few know about your work yet, but nevertheless you are already on the nosedive of popularity. It only takes the information to spread, and everyone will hear about your legendary work.

Ignore idiots! Aspire to the primary purpose! Enough dramatizing already!! You are the best!

Biggest respect from Russia!!

p.s: sorry for my bad english)
« Last Edit: August 14, 2009, 04:30:54 PM by SUDDEN73 »
nickcas
Hacker
Posts: 73
« Reply #74 on: August 14, 2009, 04:58:51 PM »

Both of you should look at the date that I posted that, which was before this new hack was announced.

@masterluke: tmbinc himself said that one or more rebooter projects were completed, so get your facts straight.

@SUDDEN73: I don't know if your response was to me, I can't really understand what you said, but I was not disrespecting anybody in my post, just asking a question.
judokan
Newbie
Posts: 3
« Reply #75 on: August 30, 2009, 04:33:24 PM »

Hi, I have an xbox360 with kernel 4532 and created the reboot with the following files "reboot-readcd.bin CB.1903.bin CD.1888.bin xboxkrnl.4532.exe xboxkrnl.4532.edit.exe @ reboot_and_patch", and the xbox360 is hanging on "* Re-booting ...". Can anyone help me?
arnezami
Master Hacker
Posts: 214
« Reply #76 on: August 30, 2009, 11:38:27 PM »

Hi, I have an xbox360 with kernel 4532 and created the reboot with the following files "reboot-readcd.bin CB.1903.bin CD.1888.bin xboxkrnl.4532.exe xboxkrnl.4532.edit.exe @ reboot_and_patch", and the xbox360 is hanging on "* Re-booting ...". Can anyone help me?
You can help by debugging the problem. Do you have an RS232 cable attached? Are you measuring the POST output? With an LA maybe? Do you have RE-ing skills? Do you have ways to use the jtag exploit with an external flasher?

Or do you want it to work (right now) and want a quick answer by double posting?

Regards,

arnezami

PS. I'm currently playing around with the rebooter again (using the jtag exploit as new base) and I'm making some progress...
« Last Edit: August 31, 2009, 12:52:36 AM by arnezami »
MastaG
Master Hacker
Posts: 255

Badr Hari FTW!
« Reply #77 on: August 31, 2009, 01:50:31 AM »

keep it up bro:D
We now have linux, libxenon, a snes emulator using libxenon and soon a rebooter thanks to you!:)

Anabolic steroids will make you feel real good about yourself:)
Sustanon 0wnz
arnezami
Master Hacker
Posts: 214
« Reply #78 on: August 31, 2009, 02:24:02 AM »

keep it up bro:D
We now have linux, libxenon, a snes emulator using libxenon and soon a rebooter thanks to you!:)
Soon (tm)
judokan
Newbie
Posts: 3
« Reply #79 on: August 31, 2009, 06:16:42 AM »

You can help by debugging the problem. Do you have an RS232 cable attached? Are you measuring the POST output? With an LA maybe? Do you have RE-ing skills? Do you have ways to use the jtag exploit with an external flasher?

Or do you want it to work (right now) and want a quick answer by double posting?

Regards,

arnezami

PS. I'm currently playing around with the rebooter again (using the jtag exploit as new base) and I'm making some progress...

And finally the juicy stuff. Go here to try out (and help testing/developing) the rebooter itself:

http://www.xboxhacker.net/index.php?topic=8737.0

Ok. That was it. I'm totally and utterly exhausted now. Going to get some sleep and/or vacation.

Regards,

arnezami

PS. Just to be clear: you can ask questions or post ideas or whatever you want in this thread.
Thank you for answering. I have welding skills, an LPT JTAG for testing it and an Infectus; I need the RS232 diagrams. The exploit works very well on my Xenon; I only want to test. Sorry for my English.
« Last Edit: August 31, 2009, 06:19:41 AM by judokan »