shaders used during bootup?

[Surrido]

TheSpecialist mentioned in a thread that the 360 dashboard might be accessing shaders...

I wonder if the Bootup animation does as well. if so, maybe that would be an option to inject the exploit code directly before the system completes boot. The animation has to be stored somewhere in the TSOP... maybe the new findings (keys) allow us to decrypt it and reencrypt it with some changes to shaders...

[Takires]

There are quite a number of shaders used but they are all stored inside xex files (xam.xex has 3 vertex and 12 pixel shaders).

[TheSpecialist]

There are quite a number of shaders used but they are all stored inside xex files (xam.xex has 3 vertex and 12 pixel shaders).

Yes, that's a bit disappointing ... Would be so nice if we could have just modded some shader that's used during bootup

Something else: I've not yet looked myself at the demo packages containers. Maybe it's possible to strip the files out of them and find a 'vulnerable' XEX that's tagged to boot from HDD ? I'm certain we can now 'unpack' them, with some analysis of the kernel. But then again, I'm not sure if such a XEX would even boot if it's stripped from its container package, it's just an idea It's very well possible that such file is tagged to run from within a container only and that the whole container is signed (I know that that's the way I would do it )

[Surrido]

There are quite a number of shaders used but they are all stored inside xex files (xam.xex has 3 vertex and 12 pixel shaders).

do we have a list of everything inside? are there only XEXs? is there any chance we can modify one of those shaders?

[Surrido]

garyopa posted this:

640K FIXED COMMON BIOS PART (1/2)
-----------------------------------------------------------
>000000 = 4K COPYRIGHT HEADER
>001000 = SMC encrypted code --- Southbridge code, always starts here.
>008000 = "CB" encrypted code --  Bootup cpu code, always starts here.
>00E5E0 = "CD" encrypted code --  Sometimes starts at this address: >0E1E0
>013CD0 = "CE" encrypted code --  Sometiems starts at this address: >138D0
>06C000 = "CF" kernal original    ---  Base x360 kernal, always starts here.
>0704C0 = "CG" kernal original   --- THIS four parts are still encrypted as same as the rest above.
>07C000 = "CF" kernal live ver   ---  JUST the two parts are the "BASE" shipped factory version.
>0804C0 = "CG" kernal live ver   --- And the bottom two are the same until updated by "LIVE"!!
 
15200K VARIABLE FILE STORAGE AREA
---------------------------------
(Always start at location :A0000)
(But can vary at anytime/updated)
(Think of like a 15MB Hard Drive)
>0A0000 = mfgbootlauncher.xex
>0AC000 = xam.xex
>1D8000 = bootanim.xex
>23C000 = hud.xex
>25C000 = signin.xex
>268000 = friends.xex
>284000 = vk.xex
>2A0000 = updater.xex
>2A8000 = feedback.xex
>2BC000 = deviceselector.xex
>2C4000 = voicemail.xex
>2DC000 = minimediaplayer.xex
>2E8000 = marketplace.xex
>30C000 = quickchat.xex
>314000 = gamerprofile.xex
>328000 = createprofile.xex
>5F8000 = ximedic.xex
>688000 = dash.xex
>904000 = hudiskin.xex
>924000 = (xex2 file)
>928000 = (xex2 file)
>930000 = (xex2 file)
>934000 = (xex2 file)
>A18000 = (xex2 file)
>A1C000 = (xex2 file)
>A20000 = (xex2 file)
>A2C000 = (xex2 file)
>A34000 = (xex2 file)
>A38000 = (xex2 file)
>A3C000 = (xex2 file)
>A48000 = (xex2 file)
>A4C000 = (xex2 file)
>A50000 = (xex2 file)
>A54000 = (xex2 file)
>A58000 = (xex2 file)
>A5C000 = (xex2 file)
>A64000 = (xex2 file)
>A68000 = (xex2 file)
>AB8000 = (xex2 file)
>AC8000 = (xex2 file)
>ACC000 = (xex2 file)
>AD4000 = (xex2 file)
>AD8000 = (xex2 file)
>BBC000 = (xex2 file)
>BC0000 = (xex2 file)
>BC4000 = (xex2 file)
>BD0000 = (xex2 file)
>BD4000 = (xex2 file)
>BDC000 = (xex2 file)
>BE0000 = (xex2 file)
>BEC000 = (xex2 file)
>BF0000 = (xex2 file)
>BF4000 = (xex2 file)
>BF8000 = (xex2 file)
>BFC000 = (xex2 file)
>C00000 = (xex2 file)
>C04000 = (xex2 file)
>C08000 = (xex2 file)
>C58000 = (xex2 file)
>C7C000 = (xex2 file)
>C84000 = (xex2 file)
>C8C000 = (xex2 file)
>C90000 = (xex2 file)
>E58000 = (xex2 file)
>E5C000 = (xex2 file)
>E64000 = (xex2 file)
>E74000 = (xex2 file)
>E7C000 = (xex2 file)
>E84000 = (xex2 file)
>E88000 = (xex2 file)
>E98000 = (xex2 file)
>E9C000 = (xex2 file)
>EA0000 = (xex2 file)
>EA8000 = (xex2 file)
>EB0000 = (xex2 file)
>EB4000 = (xex2 file)
>EBC000 = (xex2 file)
>EC8000 = (xex2 file)
>F38000 = (xex2 file)
>F3C000 = Flash   LAYOUT (1/4)
>F3C200 = Filename TABLE (1/4)
        - mfgbootlauncher.xex
        - xam.xex
        - bootanim.xex
        - hud.xex
        - signin.xex
        - friends.xex
        - vk.xex
        - updater.xex
        - feedback.xex
        - deviceselector.xex
        - voicemail.xex
        - minimediaplayer.xex
        - marketplace.xex
        - quickchat.xex
        - gamerprofile.xex
        - createprofile.xex
>F3C400 = Flash   LAYOUT (2/4)
>F3C600 = Filename TABLE (2/4)
        - xenonjklatin.xtt
        - xenonclatin.xtt
        - ximedic.xex
        - dash.xex
        - huduiskin.xex
        - sysupdate.xexp1
        - aac.xexp1
        - bootanim.xexp1
        - createprofile.xexp1
        - dash.xexp1
        - deviceselector.xexp1
        - feedback.xexp1
        - friends.xexp1
        - gamerprofile.xexp1
        - hud.xexp1
        - huduiskin.xexp1
>F3C800 = Flash   LAYOUT (3/4)
>F3CA00 = Filename TABLE (3/4)
        - marketplace.xexp1
        - mfgbootlauncher.xexp1
        - minimediaplayer.xexp1
        - quickchat.xexp1
        - signin.xexp1
        - updater.xexp1
        - vk.xexp1
        - voicemail.xexp1
        - xam.xexp1
        - XenonCLatin.xttp1
        - ximedic.xexp1
        - sysupdate.xexp2
        - acc.xexp2
        - bootanim.xexp2
        - createprofile.xexp2
        - dash.xexp2
>F3CC00 = Flash   LAYOUT (4/4)
>F3CE00 = Filename TABLE (4/4)
        - deviceselector.xexp2
        - feedback.xexp2
        - friends.xexp2
        - gamerprofile.xexp2
        - hud.xexp2
        - huduiskin.xexp2
        - marketplace.xexp2
        - mfgbootlauncher.xexp2
        - minimediaplayer.xexp2
        - quickchat.xexp2
        - signin.xexp2
        - updater.xexp2
        - vk.xexp2
        - voicemail.xexp2
        - xam.xexp2
        - XenonCLatin.xttp2
>F3D200 - ximedic.xexp2 (ENTRY)
 
544K FIXED COMMON BIOS AREA (2/2)
---------------------------------
>F78000 - SETTINGS
>F78600 - ZERO
>F7C000 - TABLE
>F7C200 - SETTINGS
>F7C600 - ZERO
>F80000 - 512K EMPTY SPACE

bootanim.xex would be the nice one... but i guess we are unlucky cause its an xex... 

[revolt]

is the hypervisor already checking every xex when the xbox is turned on ?

most of the time when you get some kind of error message on the boot the box first shows a little part of the bootup animation and then the flash on the screen followed by an error code so does it even check the boot animation xex ?

revolt

[revolt]

how about the the .xtt files ?? like
xenonjklatin.xtt

revolt

[uberfry]

I don't mean to crash the party but...
can the kiosk disc be run without a valid drive key?

[loser]

the kiosk disk will indeed run if u use a disc image on dual layer media in the "original disc" style format. (ie contains security sector etc). it is only blocked if it is booting from anything other than an original disc.

.xtt (font files) are signed, just like xex files.

in fact every file that gets accessed by the system is either an xex, and so signed, or inside a package file (which is signed). make it kinda tricky

if a shader is inside an xex or signed package, you might as well try to just change some game code inside such a package its just as hard.

[TheSpecialist]

the kiosk disk will indeed run if u use a disc image on dual layer media in the "original disc" style format. (ie contains security sector etc). it is only blocked if it is booting from anything other than an original disc.

.xtt (font files) are signed, just like xex files.

in fact every file that gets accessed by the system is either an xex, and so signed, or inside a package file (which is signed). make it kinda tricky

if a shader is inside an xex or signed package, you might as well try to just change some game code inside such a package its just as hard.

I haven't looked at this myself, but interesting to hear that the container is signed. Next thing to find out then would be: can the files inside the container boot outside of that container ? In other words, is there a flag in XEX'es that can be set to run ONLY from within a container ?

Probably that won't work, I guess there's no signature for the xex inside a container, only a signature for the container itself, but of course, it might be worth checking out

[Serie]

i think this says it all :

allowed media types: 0x08000605
    hard disk
    DVD/CD
    SMB filesystem
    direct-from-RAM
    Live-signed package

[TheSpecialist]

i think this says it all :

allowed media types: 0x08000605
    hard disk
    DVD/CD
    SMB filesystem
    direct-from-RAM
    Live-signed package

Yep, it does Too bad, but very understandable

[Serie]

after all this i was thinking about what flags a debug game has ...
so i tried xextool with a debug game and this is the result :
allowed media types: 0xFFFFFFFF
    hard disk
    DVD-X2
    DVD/CD
    DVD-5
    DVD-9
    system flash
    memory unit
    mass storage device
    SMB filesystem
    direct-from-RAM
    insecure package
    save game package
    locally signed package
    Live-signed package
    Xbox platform package

these should be all the allowed types of medium, x360 supports

[ben_stringer]

after all this i was thinking about what flags a debug game has ...
so i tried xextool with a debug game and this is the result :
allowed media types: 0xFFFFFFFF
    hard disk
    DVD-X2
    DVD/CD
    DVD-5
    DVD-9
    system flash
    memory unit
    mass storage device
    SMB filesystem
    direct-from-RAM
    insecure package
    save game package
    locally signed package
    Live-signed package
    Xbox platform package

these should be all the allowed types of medium, x360 supports

thats looks intresting

[Serie]

locally signed package AKA PIRS thats not really interesting

[roofus]

locally signed packages are CON, not PIRS.

Have had a keypair and have been resigning these for the past few months - if you find anything modifiable to a useful end, let me know.

[god-like-noob]

Now I apolgize if this is a stupid comment but I was thinking you might be able to use a saved game file (if they are signed they must be able to be altered by the game and resigned) to gain acess to a exploit ingame. I dunno if it is possible I have been reading this forum for the last 3 hours or so and no one seemed to post this point. Possibly because its been nullified already.. But it was worth a shot..

[fickdiach]

Now I apolgize if this is a stupid comment but I was thinking you might be able to use a saved game file (if they are signed they must be able to be altered by the game and resigned) to gain acess to a exploit ingame. I dunno if it is possible I have been reading this forum for the last 3 hours or so and no one seemed to post this point. Possibly because its been nullified already.. But it was worth a shot..

so what kind of error do you try to get ? you know that the hypervisor blocks overflows etc

[tmbinc]

well, it doesn't block overflows. It just don't let you escape usermode (except via the known exploit).

In theory, yes, this would work (of course restricted to 4532/4548, as usual). But there is not much of a gain, as you still need to boot a game each time then.

[Surrido]

we simply have to boot without the hypervisor or with OUR hypervisor :-p LOL