Xbox One:Dumping Games with Durango Dumplings v2

From ConsoleMods Wiki
Ensure that your network is set up to prevent the Xbox from reaching the internet. It's recommended to block your Xbox's MAC addresses from accessing the WAN in your router settings, to turn off auto-updates, and to set the DNS setting on the Xbox to 127.0.0.1.


This page will walk you through dumping Xbox One/Series games on a compatible firmware device.

Credit to InvoxiPlayGames/Emma and XboxOneResearch for most of these tools, BirdonWheels for the original guide which was used as the basis for this page, and burninrubber0 from the Xbox Scene Discord for the dump_gamesaves.bat script. A video tutorial can be found on KsAmJ Gaming & Tech's YouTube channel, though it does not use the pre-packaged dumping pack.

Pre-requisites

  • Xbox One / Series firmware version 4478, 4908, or 4909.
  • A copy of Warhammer Vermintide 2:
    • Digital copy will allow you to dump a disc OR digital game
    • Disc copy will allow you to dump a digital game
  • The game you are dumping must be installed on your Internal Storage.
  • The game you are dumping must be able to be launched while offline.
    • "Check your connection" - This error will show if it successfully launched, but the game requires an internet connection. These games can be dumped.
    • "To start this game or app you need to be signed in to the Xbox network." - You do not have a valid license for the game. It either was purchased and never launched or an expired Game Pass game. You cannot dump these games.
    • "Use this Xbox regularly? Make it your home Xbox so you can play games you own, even offline." - Displayed when you attempt to launch a game licensed to an account that does not have this Xbox set as the home Xbox. You cannot dump these games.
  • Preferably connect your Xbox via ethernet, as Wi-Fi connections have been shown to drop files out of dumps.

PC Preparation

  1. Download the Xbox One Game Dumping Pack v2.0.zip and extract it to your PC. This contains everything you need to dump games except copyrighted files.
  2. Download the .NET 6.0.424 SDK x86_64 Binary for Windows and extract dotnet-sdk-6.0.424-win-x64.zip into the \Copy to Flash Drive\dotnet\ folder.
  3. Download PowerShell-7.2.3-win-x64.zip and extract the contents into the \Copy to Flash Drive\pwsh\ folder.
  4. Format a USB flash drive as NTFS and copy the contents of the Copy to Flash Drive folder to the root of your USB flash drive and safely eject the flash drive.
  5. Open the htdocs folder and edit gamescript_autosave_network.txt. Replace YOUR IP HERE with the IP address of the PC you are going to run the exploit from.
  6. Open the htdocs folder and edit gamescript_autosave.txt. Replace YOUR IP HERE with the IP address of the PC you are going to run the exploit from.
  7. Open the TwoDump folder and open stage2.lua and make the following changes and save:
    • Replace YOUR IP HERE with the IP of your PC.
    • Replace the characters in targetXvdPath with the content ID of the game (obtained in the "Finding your License File" section).

Game Script Reverse Shell (SystemOS)

A successful execution of Collateral Damage for Xbox One/Series, returning a reverse shell.

Perform the Collateral Damage Game Script exploit as detailed below to obtain a reverse shell.

  1. If you haven't already, launch Warhammer Vermintide 2, press A to start game, and choose "Use Offline". This will create a game save on your hard drive.
  2. Run miniweb.exe. If it asks for permissions to run, check both boxes and select "Allow Access". A command prompt window should open.
    • Note the IP address and port listed, e.g. 192.168.1.77:8000.
  3. On your Xbox, open Microsoft Edge and enter the full IP address and port into the address bar (e.g. 192.168.1.77:8000). It should list the files present in the htdocs folder on your PC.
  4. Select gamescript_autosave_network.txt. It should display the contents of the script. Hover your cursor before the very first character, then hold A and drag the left stick down to highlight all of the text. Let go of A and then select "Copy" from the small menu that opens up.
  5. Launch the Game Script app. Use the D-PAD to highlight "Paste code" and press A to paste the contents of the file you copied. Press B to close the keyboard.
  6. Double-click gamescript_reverse_shell_remote.bat. It will open a window for the server process with the last line being "Server listening..." and a second window running NetCat with the text "listening on [any] 7070 ...".
    • It may ask multiple times for permission to run on the network, check both boxes and select "Allow Access".
  7. On your Xbox, open the Game Script app if not already there. Hold X and press RB to select "Windows", then let go of X.
  8. Using the D-PAD, select "Show Code Run window" and press A. On the new window that pops up, highlight the "Run code once" button and press A.
    • After about 10-60 seconds, some traffic will appear on the payload and NetCat command windows, and if successful, you will have a reverse shell on the NetCat command window to be able to run commands against the Xbox.
    • If the Game Script app or the NetCat window closes, re-launch them and try again. If after multiple attempts it is still crashing, go to Settings > General > Power Options > Shutdown now, then turn your console back on and try again. It may take a few tries until it is successful, but the following optional steps will replace the entry method to make it successful every time.

Optional: Improve Exploit Success Rate

The following will permanently increase the success rate of running the Collateral Damage exploit. You will need a USB keyboard.

  1. In the reverse shell, enter the following command:
    copy D:\collateral_damage_v1\* Q:\Users\UserMgr0\AppData\Local\Packages\27878ConstantineTarasenko.458004FD2C47C_c8b3w9r5va522\LocalState\
    
  2. Press the Home button, highlight Game Script, press Start, choose "Quit", then relaunch Game Script.
  3. Plug in your USB keyboard.
  4. Navigate to the text field containing the code you had pasted and press A to select it. On your keyboard, press Ctrl+A to select all of the text, then press Backspace to erase it. You can now unplug your USB keyboard.
  5. Open Edge again and press the back button in the browser to go back to the file listing being served from your PC.
  6. Select gamescript_autosave.txt and copy all of the text in the document.
  7. In Game Script, select the "Paste code" option. From now on, you can obtain a reverse shell by running gamescript_reverse_shell.bat on your PC and executing the code in Game Script as you did before.

Modifying the Vermintide Game Save

These steps will guide you through modifying your Vermintide game save to be able to run the game dumper.

  1. In the reverse shell, enter the following commands:
     set DOTNET_CLI_TELEMETRY_OPTOUT=1
     D:\dotnet\dotnet.exe msbuild D:\mount_connectedstorage.xml
    
    • The previous command will output the Harddisk# where your saves are located (e.g. XVD Mounted to \\?\GLOBALROOT\Device\Harddisk16\Partition1 indicates it is on Harddisk16). The rest of this guide will use Harddisk16 as an example.
  2. In the reverse shell, enter the following commands, substituting your own Harddisk#, and your game saves and licenses will be dumped:
       mklink /j T:\connectedStorage "\\?\GLOBALROOT\Device\Harddisk16\Partition1\"
       T:
       cd connectedStorage
       D:\dump_gamesaves.bat
       mkdir D:\Licenses
       copy S:\Clip D:\Licenses
      
  3. When it completes, unplug your USB flash drive and plug it into your PC.
  4. On the flash drive, navigate to \xb1\saves\connectedStorage\u_################_C05F0100-EAC5-49EB-943F-1A0E3C108361\. This is your save for Warhammer Vermintide 2. Open the sole folder and there should be two files, one of them has a unique ID and the other is named "container". Open the unique ID file with notepad, delete all of the contents, and then paste the entire contents of LuaFFI-CE\stage1.lua into it and save.
  5. Write down the path to this game save for future use, e.g. \xb1\saves\connectedStorage\u_1111111111111111_C05F0100-EAC5-49EB-943F-1A0E3C108361\{AABBCCDD-EEFF-GGHH-IIJJ-KKLLMMNNOOPP}.
  6. Safely Eject your USB flash drive and plug it into your Xbox.
  7. In the reverse shell, enter the following command, substituting your own path, and type "All" when prompted to overwrite:
       copy D:\xb1\saves\connectedStorage\{AABBCCDD-EEFF-GGHH-IIJJ-KKLLMMNNOOPP}  T:\connectedStorage\u_1111111111111111_C05F0100-EAC5-49EB-943F-1A0E3C108361\{AABBCCDD-EEFF-GGHH-IIJJ-KKLLMMNNOOPP}
      

Finding your License File

Digital Game

Follow this process if the game you are dumping is a digital game.

  1. On your PC, copy the contents of the Licenses folder from the flash drive into the \LicenseClipFinder\Clips\ folder.
  2. Double click run_license_clip_finder.bat to start LicenseClipFinder. It will output a "Licenses.txt" file which will contain the content ID and license path associated with all of your games.
    • If you do not have a recent enough .NET version, it may prompt you with a link to download it from Microsoft. Install it and try again.

Xbox One/Series Disc Game

Follow this process if the game you are dumping is a disc-based Xbox One/Series game.

  1. In the reverse shell, enter the following command:
      type O:\MSXC\Metadata\catalog.js
      
    • The content ID of the game will be listed, e.g. 7049126b-609b-4d08-b5cb-0d407e8dfec1. It may be spaced out, so you will need to copy the value after "content ID" and remove the spaces. Note this information for later.
  2. In the reverse shell, enter the following command:
      dir O:\Licenses\
      
    • Note the name of the file it reports back, e.g. O:\Licenses\License0.xml. Note this license path for later.

Original Xbox or Xbox 360 Games

Follow this process if the game you are dumping is a disc-based original Xbox game.

  1. Insert your USB flash drive into the Xbox.
  2. In the reverse shell, enter the following commands:
      S:
      xbdiagcap
      D:\pwsh
      Copy-Item -Path "T:\Windows\Temp\xbdiag_capture\LicenseState.txt" -Destination "D:\" -Recurse
      
  3. Plug the flash drive into your PC and open the LicenseState.txt file and search for the game you want to dump. Note the EKB value and the content ID (CID) values for the game.
  4. Download this file and name it "DownloadedCatalog.diskcat".
  5. Open the file in Notepad++ and copy the contents to a new tab.
  6. Highlight all of the text in the new tab, and in the Notepad++ toolbar, select Plugins > MIME Tools > Base 64 Decode, then save the modified document as "DownloadedCatalog-2.diskcat".
  7. Create a new tab and repeat the process, copying the text generated in the previous step, pasting it in a new tab, and running Plugins > MIME Tools > Base 64 Decode. Save this file as "DownloadedCatalog-3.diskcat".
  8. In "DownloadedCatalog-3.diskcat":
    • Ctrl+F and search for the EKB value. Look for the nearest occurrence of <SignedLicense xmlns four lines up. Note the line number as 1st Line Number.
    • Ctrl+F, enter the 1st Line Number and click the "Find All in Current Document" button. Click inside the search results area at the bottom, press Ctrl+A to select all results, and Ctrl+C to copy it. Open a new tab and paste the results. Save this tab as SignedLicense.txt.
  9. In "SignedLicense.txt":
    • Press Ctrl+F and search for 1st Line Number. Note the actual line that this occurs on as 2nd Line Number.
  10. In "DownloadedCatalog-2.diskcat":
    • Ctrl+F and enter <LicenseRequestResponse xmlns and click "Find All in Current Document". Click inside the search results area at the bottom, press Ctrl+A to select all results, and Ctrl+C to copy it. Open a new tab and paste the results. Save this tab as LicenseRequestResponse.txt.
  11. In "LicenseRequestResponse.txt":
    • Press Ctrl+G, enter 2nd Line Number and press Go. Note the line that this occurs on as 3rd Line Number.
  12. In "DownloadedCatalog-2.diskcat"
    • Press Ctrl+G, enter 3rd Line Number and press Go. Press the Left arrow key until you reach the start of <?xml version="1.0"?>, then highlight it from there through the next instance of </LicenseRequestResponse>, and copy it to a new tab and save it as GameName-License.xml (replacing "GameName" with a nickname for the game).
  13. Copy the GameName-License.xml to your USB flash drive.
  14. In the reverse shell, enter the following commands:
      Add-Type -Path license.cs
      [LicenseManager]::LoadLicenseFile("D:\GameName-License.xml")
      

Dumping your Game

The next steps will walk you through setting up the server that will receive the game dump(s).

  1. Reboot your Xbox. This is required to unlink T:\connectedStorage.
  2. Double-click warhammer_dump_game.bat. It will open three command prompt windows.
    • It may ask multiple times for permission to run on the network, check both boxes and select "Allow Access".
  3. Launch Warhammer Vermintide 2 and press "A" on the title screen. If everything was done correctly, the game should freeze and you should see each command prompt window activate and files will start to be written to .\TwoDump\tx\.
    • If anything appears wrong, see the troubleshooting section below. You can always close Warhammer Vermintide 2 and re-open it, repeating this step.
  4. It's highly recommended to copy the contents of .\TwoDump\tx\ to another folder and dump the game again. Afterwards, check the file size of both folders to make sure they exactly match, verifying that you had a good dump.
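The folder-size comparison in step 4 catches dropped files but not a file that is the same length yet corrupted in transit. The following Python script is added here as an illustration and is not part of the dumping pack or the original guide: it compares two dump folders (for example TwoDump\tx and the copy you made) file by file on presence, size and SHA-256, and includes a constructed sample tree so it runs stand-alone.

```python
import hashlib
import tempfile
from pathlib import Path


def sha256_of(path, chunk=1 << 20):
    """Stream a file through SHA-256 so large dump files are never read whole into memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def index_tree(root):
    """Map each file's path relative to root (POSIX-style) to its Path object."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): p for p in root.rglob("*") if p.is_file()}


def compare_dumps(first, second, hash_files=True):
    """Return a list of (relative path, problem) tuples; an empty list means the dumps match."""
    a, b = index_tree(first), index_tree(second)
    problems = []
    for rel in sorted(set(a) | set(b)):
        if rel not in a:
            problems.append((rel, "missing from first dump"))
        elif rel not in b:
            problems.append((rel, "missing from second dump"))
        else:
            sa, sb = a[rel].stat().st_size, b[rel].stat().st_size
            if sa != sb:
                problems.append((rel, f"size mismatch: {sa} != {sb} bytes"))
            elif hash_files and sha256_of(a[rel]) != sha256_of(b[rel]):
                problems.append((rel, "same size but different SHA-256"))
    return problems


def build_demo():
    """Constructed sample (not real dump data): two small trees, the second missing one
    file and holding a same-size file with one corrupted byte, which a size check misses."""
    root = Path(tempfile.mkdtemp())
    files = {"a.xvd": b"A" * 1024, "sub/b.dat": b"B" * 512, "sub/c.dat": b"C" * 256}
    for name in ("tx_first", "tx_second"):
        for rel, data in files.items():
            p = root / name / rel
            p.parent.mkdir(parents=True, exist_ok=True)
            p.write_bytes(data)
    (root / "tx_second" / "sub" / "c.dat").unlink()
    (root / "tx_second" / "sub" / "b.dat").write_bytes(b"B" * 511 + b"X")
    return compare_dumps(root / "tx_first", root / "tx_second")


if __name__ == "__main__":
    for rel, problem in build_demo():
        print(f"{rel}: {problem}")
```

For a real check, call compare_dumps() with the paths of your two dump folders; any non-empty result means the game should be dumped again.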

Troubleshooting

  • The dumping process gets stuck after "XVD path conversion succeeded":
    • This occurs if you made a typo in the content ID in TwoDump\stage2.lua or do not have a proper license for a game.
  • The Xbox never connects to the PC:
    • If no connection is ever made from your Xbox, check your firewall rules. If you only select "Private network" when prompted to add exclusions for the programs, double check that your network is set to Private instead of Public. Also check that your PC's IP address has not changed from what you configured in the text files.
    • Check in your Xbox network settings to verify that it is set to "online" mode (i.e. you can see the "Go offline" button), as it will not communicate on your network otherwise.