Xbox:ENDGAME: Difference between revisions

From ConsoleMods Wiki
(12 intermediate revisions by 3 users not shown)
Previous revision:

'''ENDGAME''' - A Dashboard Exploit for the Original Xbox

== Overview ==
ENDGAME is a universal dashboard exploit for the original Microsoft Xbox. This exploit has been carefully engineered to be compatible across all retail kernel and dashboard versions released for the original Xbox. It does not require a game, or even a working DVD drive -- only a memory card.

Special credit belongs to @shutterbug2000 for the initial discovery of this vector within the dash and for being the first to demonstrate code execution against it. With further research, ENDGAME was developed by @gaasedelen leveraging an adjacent vulnerability that offered greater control and facilitated a more ubiquitous exploitation strategy.

== Disclaimer ==
This project does NOT use any copyrighted code, or help circumvent security mechanisms of an Xbox console. Upon success, ENDGAME will launch a habibi-signed XBE from the root of the memory card. It does not patch kernel code or allow you to launch retail-signed executables.

By using this software, you accept the risk of experiencing total loss or destruction of data on the console in question.

== Building ==
The exploit files can be generated from scratch using Python 3 + NASM on Windows.

Example usage is provided below:
<pre>
python main.py
</pre>
Successful output should look something like the following:

<pre>
[*] Generating ENDGAME v1.0 exploit files -- by Markus Gaasedelen & shutterbug2000
[*] Assembling shellcode...            done
[*] Un-swizzling payload...            done
[*] Compressing payload...            done
[*] Saving helper files...            done
[*] Saving trigger files...            done
[+] Success, exploit files available in ENDGAME/ directory
</pre>

A pre-built zip of the exploit and sample payload XBE is available on the releases page of this repository.

== Usage ==
Copy the contents of the generated ENDGAME/ directory to an Xbox memory card such that the root directory of the memory card has the following structure, where payload.xbe can be any habibi-signed XBE of your choosing:

<pre>
/helper/
/trigger/
/payload.xbe
</pre>

To trigger the exploit, plug the memory card into a controller and navigate to it while in the dashboard.

After a few seconds, the system should begin cycling the front LED to green/orange/red to indicate success. This is followed by it launching the payload.xbe placed on the memory card.

== FAQ ==
<pre>
Q: Is this a softmod?
A: No, by itself, ENDGAME is not a softmod. But it will make softmodding significantly more accessible as the community integrates it into existing softmod solutions.

Q: What is new about this exploit?
A: This exploit will enable people to softmod any revision of the original Xbox without needing a specific game. It will also allow people to easily launch a homebrew XBE (such as the Insignia setup assistant, or content scanning tools) by simply inserting a memory card into an unmodded Xbox.

Q: I don't have a memory card, can I use something else?
A: Yes, any FATX-formatted compatible USB device and controller port dongle should work.

Q: Why am I getting Error 21 after placing my own XBE on the memory card?
A: Your XBE must be signed using the habibi key. Several tools can do this, xbedump being the most popular.

Q: Why does my habibi-signed XBE result in a black screen with ENDGAME but not on a modded Xbox?
A: The most common explanation is that your XBE may be using the Debug/XDK kernel thunk & entry point XOR keys rather than the retail ones, resulting in a crash.

Q: I triggered ENDGAME but my system quickly rebooted to the dash rather than my XBE...
A: While this should be uncommon, it means the exploit probably crashed. It's recommended to navigate straight to the memory card on a cold boot for successful exploitation.

Q: My XBE requires multiple files and external assets to run, will it work with ENDGAME?
A: No. Currently, ENDGAME is only structured to copy & execute a standalone XBE.

Q: How does this exploit work?
A: The exploit targets an integer overflow in the dashboard's handling of savegame images. When the dash attempts to parse the specially crafted images on the memory card, ENDGAME obtains arbitrary code execution.
</pre>
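The FAQ answer above names the bug class (an integer overflow in image-size handling) without detail. The following is an added illustration written for this page, not code from ENDGAME or from the Xbox dashboard: it uses an assumed header of width, height and bytes per pixel (not the real savegame image format) to show how a 32-bit size product wraps, and the overflow-checked computation a parser should use instead.

```c
#include <stdint.h>
#include <stdio.h>

/* Constructed illustration of the bug class the FAQ names: an image-size
 * computation whose 32-bit product wraps. The fields (width, height, bytes
 * per pixel) are ASSUMED for this example and are not the Xbox dashboard's
 * real savegame image format. */

/* Naive pattern: the product is computed in 32 bits and trusted. For
 * 0x10000 x 0x10000 x 4 it wraps to 0, so a caller would allocate a tiny
 * (or zero-length) buffer and then copy the real pixel data into it. */
uint32_t naive_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp) {
    return width * height * bpp;             /* wraps modulo 2^32 */
}

/* Hardened pattern: validate each operand, check every multiplication for
 * overflow before using its result, and cap the total at a policy maximum.
 * Returns the byte count, or -1 if the header must be rejected. */
#define MAX_IMAGE_BYTES (64LL * 1024 * 1024)  /* assumed policy limit */

int64_t checked_pixel_bytes(uint32_t width, uint32_t height, uint32_t bpp) {
    if (width == 0 || height == 0 || bpp == 0 || bpp > 4)
        return -1;                           /* nonsense header */
    if (width > UINT32_MAX / height)
        return -1;                           /* width * height would wrap */
    uint32_t area = width * height;
    if (area > UINT32_MAX / bpp)
        return -1;                           /* area * bpp would wrap */
    uint32_t total = area * bpp;
    if (total > MAX_IMAGE_BYTES)
        return -1;                           /* exceeds policy limit */
    return (int64_t)total;
}

int main(void) {
    /* Constructed header whose size wraps: 65536 x 65536 x 4 */
    printf("naive:   %u\n", naive_pixel_bytes(0x10000, 0x10000, 4));
    printf("checked: %lld\n", (long long)checked_pixel_bytes(0x10000, 0x10000, 4));
    /* Ordinary header accepted by both */
    printf("640x480x4: %lld\n", (long long)checked_pixel_bytes(640, 480, 4));
    return 0;
}
```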
 
 
== Authors ==
* shutterbug (@shutterbug2000), discovery and initial exploitation efforts
* Markus Gaasedelen (@gaasedelen), root-cause-analysis & ENDGAME development
* xbox7887 (@xbox7887), minor contributions and assistance with testing

Latest revision as of 01:35, 5 June 2024

ENDGAME

[Image: Endgame.png]

Information
Author: gaasedelen
Type: Dashboard Exploit
Version: v1.0
License: MIT License

Links
Website: GitHub Repo
Source: GitHub Repo (https://github.com/XboxDev/endgame-exploit)
Download(s): GitHub Repo (https://github.com/XboxDev/endgame-exploit)

[https://github.com/XboxDev/endgame-exploit ENDGAME] is a dashboard exploit for the Original Xbox that allows you to copy habibi-signed XBE payloads from a memory card and execute them automatically. This exploit is compatible with all retail kernel and dashboard versions and, unlike other softmod methods, does not require a game or even a working DVD drive — only a memory card.

ENDGAME was developed by Markus Gaasedelen (gaasedelen) with credit to shutterbug2000 for the initial discovery of the exploit vector and first proof of concept and to xbox7887 for minor contributions. The Xbox Softmodding Tool by Rocky5 utilizes this exploit to run the softmod installer. A video of this process can be found on [https://www.youtube.com/watch?v=FqgQWe_r5I4 MrMario2011's channel].

== Softmodding your Xbox ==

=== Materials Needed ===
* A Female USB to Xbox controller port adapter such as [https://www.amazon.com/gp/product/B07FCFGG8Y/ this one from Amazon] OR an Xbox memory card with another modded Xbox or GameShark/Action Replay to load the softmod installer onto the card.
* A USB flash drive that is 4GB or smaller ([[Xbox:USB Device Compatibility List|USB Compatibility List]]) or an Android device using [[Xbox:DriveDroid|DriveDroid]]. You do not need either if you are using a memory card.

=== Running the Exploit ===
# Download the [https://drive.google.com/drive/folders/1Gs_yYVotDxAxtHZeHUVr_ts7KeMgqEmQ Xbox Softmodding Tool.zip], open it, open the Softmod Package folder, and extract the contents of Endgame.zip. It should be a folder named `helper`, a folder named `trigger`, and a file called `payload.xbe`.
# Copy the helper folder, trigger folder, and `payload.xbe` to the root of your flash drive or memory unit.
# Plug the memory device into your controller and turn on the Xbox. Select "Memory", then click your memory device. It will freeze for a minute and then the LED ring on the front of your Xbox should cycle colors before booting into the softmod installer.
#* If it does not boot into the softmod installer within a minute after cycling the LED ring colors, turn off your Xbox and try again.
# Press A to install the softmod. Read the prompts that come up and press A to acknowledge them. Your Xbox will reboot.
# The tool will finish setting up. You will be left on the Xbox Softmodding Tool dashboard, which is just a skinned UnleashX dashboard. You can change the skin under System → Skins.

=== (Optional) Standardising your HDD Key ===
One of Microsoft's techniques for tamper-proofing each Xbox console involved the placement of an [[Xbox:Drive Locking|ATA security lock]] on the internal HDD. The password used for each lock is partially based upon a special HDD key, uniquely encoded into the [[Xbox:EEPROM|EEPROM]] chip on each system's motherboard. The use of unique keys prevents Xbox HDDs from being swapped between game consoles, and also makes it difficult to access the contents through other devices (e.g. PCs).

After softmodding your Xbox you may easily "uno" its HDD key, setting it to a ''non-''unique string of thirty-two 1's. Secured Xbox HDDs can be readily switched between consoles which are set to use the same key, and if your actual EEPROM backup is ever lost, then accessing or replacing your HDD will be much easier with a key so readily remembered. The convention may also benefit a potential new owner if the console later passes from your hands, as it's well known throughout the Xbox modding scene.

<u>'''Be aware'''</u> that if an Xbox has already been registered for use with [[Xbox:Online Play|Insignia]], then changing its HDD key afterwards will break that registration (there's no problem registering after your key has been changed). Any pre-installed DLCs / [[Xbox:Games with Non-Roamable (EEPROM-Locked) Saves|EEPROM-locked saves]] will also need to be resigned with FeudalNate's [https://github.com/feudalnate/Content-Recovery-Tool Content Recovery Tool] before they can be loaded again (there's no problem creating new saves or installing DLCs after your key has been changed). If the console is later hardmodded (for example, by [[Xbox:TSOP Flashing|TSOP flashing]] it), then the HDD can subsequently have its ATA security lock disabled entirely, making a HDD key change quite pointless: secured HDDs are only required when using stock Xbox firmware.

If you wish to change your Xbox's HDD key, launch NKPatcher Settings from the Applications menu and then go to EEPROM > Advanced Features > Hard Drive > Change EEPROM HDD Key.

* If you softmodded with an installer other than Rocky5's Xbox Softmodding Tool, make sure you [https://drive.google.com/file/d/1ftNJiU7SLT7t9Aq-ddxgd0Ka3aFcBlNw/view upgrade to the Xbox Softmodding Tool] before you attempt to change your HDD key. Some alternate installers configure a "virtual" EEPROM which may prevent changes to the actual chip's contents, potentially leading to a softbrick with [[Xbox:Error Codes#Error Code 06|error code 06]].
* Previous versions of the Softmodding Tool "nulled" the HDD key instead of "uno'ing" it, by setting it to thirty-two zeros instead of ones. This behaviour changed in September 2020 with v1.1.8, as it was found that nulled keys would not be compatible with [[Xbox:Online Play|Insignia]]. Anything other than a totally nulled key will work - e.g. your original key is also fine for online play - but "all ones" is the current recommendation.
* If a console has already had its key nulled to zeroes in the past, it's still possible to change it to all ones later.
* Your Xbox [[Xbox:EEPROM|EEPROM]] chip also contains other important configuration data specific to your system, including its serial number. Although the key is the only component required for building a new HDD, it's still strongly recommended to copy the complete EEPROM dump saved by the Xbox Softmodding Tool from your Xbox HDD over to your PC - using [[Xbox:FTP|FTP]], for example. The dump, along with other relevant files, can be found in `E:\Backups`.

[[Category:Xbox]]
[[Category:Softmods]]