Xbox One:Dumping Games with Durango Dumplings v1: Difference between revisions
No edit summary |
|||
Line 60: | Line 60: | ||
#* Note that most anti-viruses will flag NetCat as a virus. | #* Note that most anti-viruses will flag NetCat as a virus. | ||
# Double-click `start_exploit_server.bat`. It will open a window for the server process with the last line being "Server listening..." and a second window running NetCat with the text "listening on [any] 7070 ...". | # Double-click `start_exploit_server.bat`. It will open a window for the server process with the last line being "Server listening..." and a second window running NetCat with the text "listening on [any] 7070 ...". | ||
#* It may ask multiple times for permission to run on the network, check both boxes and select "Allow Access" | #* It may ask multiple times for permission to run on the network, check both boxes and select "Allow Access". | ||
# On your Xbox, open the Game Script app if not already there. Hold X and press RB to select "Windows", then let go of X. | # On your Xbox, open the Game Script app if not already there. Hold X and press RB to select "Windows", then let go of X. | ||
# Using the D-PAD, select "Show Code Run window" and press A. On the new window that pops up, highlight the "Run code once" button and press A. | # Using the D-PAD, select "Show Code Run window" and press A. On the new window that pops up, highlight the "Run code once" button and press A. | ||
#* After about 10-60 seconds, some traffic will appear on the payload and NetCat command windows, and if successful, you will have a reverse shell on the NetCat command window to be able to run commands against the Xbox. | #* After about 10-60 seconds, some traffic will appear on the payload and NetCat command windows, and if successful, you will have a reverse shell on the NetCat command window to be able to run commands against the Xbox. | ||
#* If the Game Script app | #* If the Game Script app or the NetCat window closes, re-launch them and try again. If after multiple attempts it is still crashing, go to Settings > General > Power Options > Shutdown now, then turn your console back on and try again. | ||
== Modifying the Vermintide Game Save == | == Modifying the Vermintide Game Save == |
Revision as of 20:58, 10 August 2024
This guide is very WIP. Please do not touch it, as I (Derf) am planning on packaging it up to be simpler for end users. |
A great video tutorial can be found on KsAmJ Gaming & Tech's YouTube channel.
Credit to BirdonWheels for the original guide, adapted here with permission.
Credit to burninrubber0 from the Xbox Scene Discord for the dump.bat script.
Pre-requisites
- Works on Xbox One / Series firmware version 4478.
- Not working on firmware 4908 or 4909, as the Temp Drive is 0 bytes
- Edit this if it works for you on other firmware!
- A copy of Warhammer Vermintide 2:
- Digital copy will allow you to dump a disc OR digital game
- Disc copy will allow you to dump a digital game
- The game you are dumping must be installed on your Internal Storage.
- Back up the game you want to dump. Copy the game to a USB flash drive via the Xbox dashboard.
- Games that are less than 2GB, or larger than 39GB might not be able to be dumped via this method.
- Certain games can't be dumped using this method. The known issue games are:
- Minecraft
- Undertale
Later, back up your license files in S:\Clip to a USB flash drive!
PC Preparation
- Download the .NET 6.0 SDK x86_64 Binary for Windows.
- Format a USB flash drive as NTFS.
- Extract dotnet-sdk-6.0.424-win-x64.zip to a new folder named dotnet. Copy the dotnet folder to the root of your USB flash drive. For example, if your flash drive is E:, move it so it displays as E:\dotnet.
- Download the following three XML files and copy them to the root of the USB flash drive:
- Open Notepad and paste the below code. Save the file as dump.bat, making sure to set "Save as Type" to "All Files" when saving. Copy dump.bat to the root of your USB flash drive:
    for /R /D %%d in (.\*) do (
        mkdir D:\xb1\saves%%~pnxd
    )
    for /R %%f in (.\*) do (
        copy %%f D:\xb1\saves%%~pnxf
    )
- Safely Eject the USB flash drive.
Obtaining a Reverse Shell
Perform the Collateral Damage Game Script exploit as detailed below to obtain a reverse shell.
- If you haven't already, launch Warhammer Vermintide 2, press A to start game, and choose "Use Offline". This will create a game save on your hard drive.
- Download and extract miniweb to your PC.
- Download the latest Collateral Damage zip file and extract it into miniweb/htdocs.
- Open the collateral_damage_v1_remote folder and edit gamescript_autosave.txt. Replace YOUR IP HERE with the IP of the PC you are going to run the exploit from.
- Run miniweb.exe. If it asks for permissions to run, check both boxes and select "Allow Access". A command prompt window should open.
  - Note the IP address and port listed, e.g. 192.168.1.77:8000.
- On your Xbox, open Microsoft Edge and enter the full IP address and port into the address bar (e.g. 192.168.1.77:8000). It should list all of the files present in the htdocs folder on your PC.
- Select the collateral_damage_v1_remote folder and then gamescript_autosave.txt. It should display the contents of the script. Hover your cursor before the very first character, then hold A and drag the left stick down to highlight all of the text. Let go of A and then select "Copy" from the small menu that opens up.
- Launch the Game Script app. Use the D-PAD to highlight "Paste code" and press A to paste the contents of the file you copied. Press B to close the keyboard.
- Download NetCat (nc.exe) and place it in the collateral_damage_v1_remote folder.
  - Note that most anti-viruses will flag NetCat as a virus.
- Double-click start_exploit_server.bat. It will open a window for the server process with the last line being "Server listening..." and a second window running NetCat with the text "listening on [any] 7070 ...".
  - It may ask multiple times for permission to run on the network, check both boxes and select "Allow Access".
- On your Xbox, open the Game Script app if not already there. Hold X and press RB to select "Windows", then let go of X.
- Using the D-PAD, select "Show Code Run window" and press A. On the new window that pops up, highlight the "Run code once" button and press A.
  - After about 10-60 seconds, some traffic will appear on the payload and NetCat command windows, and if successful, you will have a reverse shell on the NetCat command window to be able to run commands against the Xbox.
  - If the Game Script app or the NetCat window closes, re-launch them and try again. If after multiple attempts it is still crashing, go to Settings > General > Power Options > Shutdown now, then turn your console back on and try again.
Modifying the Vermintide Game Save
- In the reverse shell, enter the following commands:
    set DOTNET_CLI_TELEMETRY_OPTOUT=1
    D:\dotnet\dotnet.exe msbuild D:\mount_connectedstorage.xml
  - The previous command will output the Harddisk# where your saves are located (e.g. XVD Mounted to \\?\GLOBALROOT\Device\Harddisk16\Partition1 indicates it is on Harddisk16). The rest of this guide will use Harddisk16 as an example.
- In the reverse shell, enter the following command, substituting your own Harddisk#, and your game saves and licenses will be dumped:
    mklink /j T:\connectedStorage "\\?\GLOBALROOT\Device\Harddisk16\Partition1\"
    T:
    cd connectedStorage
    D:\dump.bat
    mkdir D:\Licenses
    copy S:\Clip D:\Licenses
- When it completes, unplug your USB flash drive and plug it into your PC.
- Download LuaFFI-CE. Edit stage1.lua and replace the IP address in local serverIp = "192.168.123.1" with your PC's IP address.
- On the flash drive, navigate to \xb1\saves\connectedStorage\u_################_C05F0100-EAC5-49EB-943F-1A0E3C108361\. This is your save for Warhammer Vermintide 2. Open the sole folder and there should be two files, one of them has a unique ID and the other is named "container". Open the unique ID file with notepad, delete all of the contents, and then paste the entire contents of stage1.lua into it and save.
- Write down the path to this game save for future use, e.g. \xb1\saves\connectedStorage\u_1111111111111111_C05F0100-EAC5-49EB-943F-1A0E3C108361\{AABBCCDD-EEFF-GGHH-IIJJ-KKLLMMNNOOPP}.
- Safely Eject your USB flash drive and plug it into your Xbox.
- In the reverse shell, enter the following command, substituting your own path, and type "All" when prompted to overwrite:
    copy D:\xb1\saves\connectedStorage\{AABBCCDD-EEFF-GGHH-IIJJ-KKLLMMNNOOPP} T:\connectedStorage\u_1111111111111111_C05F0100-EAC5-49EB-943F-1A0E3C108361\{AABBCCDD-EEFF-GGHH-IIJJ-KKLLMMNNOOPP}
- Reboot your Xbox. This is required to unlink T:\connectedStorage.
Dumping your Game
The next steps will walk you through setting up the server that will receive the game dump(s). /////// and OneDumpGame (source) by Invoxiplaygames/Emma.
- Copy the contents of the Licenses folder on the flash drive into the \License Clip Finder\Clips\ folder on your PC.
- Double click run_license_clip_finder.bat to start LicenseClipFinder (source). It will output a "Licenses.txt" file which will contain the content ID and license file associated with all of your games.
  - If you do not have a recent enough .NET version, it may prompt you with a link to download it from Microsoft. Install it and try again.
- Copy the game you wish to dump to a USB flash drive, as the dumping process can go wrong and it will be useful to have a backup. //////////////////////////////////////////////////////////////
- Start Warhammer Vermintide 2. Press the Xbox (home) button, then on the Warhammer icon press Start and choose "Quit".
- Plug your flash drive into the Xbox.
- On your PC, run start_exploit_server.bat again.
- Open the Game Script app and run the exploit again by holding X and pressing RB to select window, selecting "Show Code Run window", and clicking "Run code once" to obtain a reverse shell again.
- In the reverse shell, enter:
D:\dotnet\dotnet.exe msbuild D:\get_tempxvd_owners.xml
- Temporary XVD(s) will be listed. Note the value listed for "Vermintide2", e.g. 00. Avoid launching any games on your system from this point onward, as it will change this value.
- Plug your flash drive into your PC and edit prepare_gamedump.xml. Search for /* EDIT ME */ and you will find a marked section toward the bottom with three lines that you will need to edit:
  - Replace the 00 in temp00 with the value found in the last step (if it's not 00)
  - Replace PUT-CONTENT-ID-OF-GAME-HERE with the content ID for the game you want to dump listed in your Licenses.txt file
  - Replace PUT-LICENSE-FILE-NAME-HERE with the name of the file of the game you want to dump listed in your Licenses.txt file (numbers and letters following .\Clips\)
- Plug your USB flash drive back into your Xbox.
- In the reverse shell, enter:
D:\dotnet\dotnet.exe msbuild D:\prepare_gamedump.xml
- If successful, it will stream the files into the temp XVD for Warhammer Vermintide 2 and constantly update the status. When complete, it will show "License file loaded".
- If the game is >39GB, it may fail out and show the error "There is not enough space on the disk". //////////////////////////////////////////////
- On your PC, open the OneDumpgame folder and open dumpgame.lua in Notepad. Replace the IP address near the top with the IP of your PC and save.
- Double-click dump_game.bat. It will open another NetCat instance and a second window showing "Waiting for connection...".
  - It may ask multiple times for permission to run on the network, check both boxes and select "Allow Access".
  - If you compiled OneDumpgame manually, make a folder named tx in the same folder as DumpgameServer.exe. This is where the games will dump to, and the program won't dump if the folder is missing.
- Launch Warhammer Vermintide 2 and press "A" on the title screen. If everything was done correctly, the game should freeze and you should see traffic in one of the command prompt windows and files being written to .\OneDumpgame\tx\.
  - If the DumpgameServer.exe exits with no files transferred, then your game may not be compatible.
////////////////////// WIP Derf (talk) 05:40, 9 August 2024 (UTC)
Restoring Games after Dumping
You may notice that your game might not start after successfully running prepare_gamedump.xml, and it will be stuck in an updating state.
1. Uninstall the game from the internal storage. The Xbox may appear to be stuck when attempting to uninstall the game, but be patient and, if needed, reboot until the game is gone from Internal Storage.
2. Copy the game over from USB External Storage to the Internal Storage via the Storage Devices option in Settings.
3. Perform the Collateral Damage/Game Script exploit, then copy the license for the game from the USB flash drive to S:\Clip.
4. Reboot Xbox, then start the game. It will get the game ready and then launch.
Troubleshooting
🛠️ Cannot find the file specified error:
    The "PrepareGameDump" task failed unexpectedly
    System.IO.FileNotFoundException: The system cannot find the file specified (0x80070002)
I. Make sure the game is installed on the Xbox's Internal Storage.
II. In prepare_gamedump.xml, check if the content id of the game matches the XVC file.
To verify, copy game to USB drive via the dash.
Then on a PC use Xbox One External Storage Device Converter (https://digiex.net/threads/xbox-one-external-usb-storage-device-converter-xbox-one-formatted-usb-drives-on-pc.13583/)
Convert drive to PC format. The games will be named after the content ID. If you have multiple games on the drive, you can use the file size to determine which is the XVC of the game you want (won't have a file extension but it's a XVC).
III. Check that you're using the right license for the game.
🛠️ There is not enough disk space error:
    D:\prepare_gamedump.xml(529,7): error MSB4018: The "PrepareGamedump" task failed unexpectedly.
    D:\prepare_gamedump.xml(529,7): error MSB4018: System.Runtime.InteropServices.COMException (0x80070070): There is not enough space on the disk. (0x80070070)
This means that the Temp Content Partition on your Xbox is too small, it must be resized.
Edited Thursday at 01:20 AM by BirdonWheels
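Both error codes in the Troubleshooting section are HRESULTs in the Win32 facility, so the hex value alone identifies which failure occurred. The following is an added example (not part of the original guide or its tools) that parses the two error outputs quoted above, embedded as a constructed sample, and decodes each code; the function and variable names are illustrative.

```python
import re

# Win32 error codes behind the two troubleshooting entries on this page.
WIN32_NAMES = {2: "ERROR_FILE_NOT_FOUND", 112: "ERROR_DISK_FULL"}
FACILITY_WIN32 = 7

# Constructed sample: the two error outputs quoted in the Troubleshooting section.
SAMPLE_LOG = r'''The "PrepareGameDump" task failed unexpectedly
System.IO.FileNotFoundException: The system cannot find the file specified (0x80070002)
D:\prepare_gamedump.xml(529,7): error MSB4018: The "PrepareGamedump" task failed unexpectedly.
D:\prepare_gamedump.xml(529,7): error MSB4018: System.Runtime.InteropServices.COMException (0x80070070): There is not enough space on the disk. (0x80070070)
'''

# MSBuild prefix: <file>(<line>,<col>): error <MSBxxxx>:
LOCATION = re.compile(r'^(?P<file>.+?)\((?P<line>\d+),(?P<col>\d+)\): error (?P<code>MSB\d+):')
HRESULT = re.compile(r'\((0x[0-9A-Fa-f]{8})\)')

def decode_hresult(value):
    """Split a 32-bit HRESULT into its severity, facility and code fields."""
    return {
        "failure": bool((value >> 31) & 1),   # bit 31: severity
        "facility": (value >> 16) & 0x7FF,    # bits 16-26: facility
        "code": value & 0xFFFF,               # bits 0-15: error code
    }

def diagnose(log):
    """Return one finding per distinct HRESULT in the log, in order of appearance."""
    findings, seen = [], set()
    for raw in log.splitlines():
        loc = LOCATION.match(raw)
        for text in HRESULT.findall(raw):
            value = int(text, 16)
            if value in seen:
                continue  # MSBuild repeats the code on the same line
            seen.add(value)
            fields = decode_hresult(value)
            name = None
            if fields["facility"] == FACILITY_WIN32:
                name = WIN32_NAMES.get(fields["code"], "unmapped Win32 code %d" % fields["code"])
            findings.append({
                "hresult": text,
                "win32": name,
                "msbuild": loc.group("code") if loc else None,
                "position": (int(loc.group("line")), int(loc.group("col"))) if loc else None,
                **fields,
            })
    return findings

if __name__ == "__main__":
    for finding in diagnose(SAMPLE_LOG):
        print(finding)
```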