Looking for testers for potential xbox one vulnerabilities

[XboxModder2]

Hello there, It has been confirmed that the BD-JB Blu-ray Disc Java Sandbox Escape by TheFlow can be used on the xbox one family and potentially xbox series x/s, even on the current firmware of each of the consoles, so the tech is available on the Xbox One. We would need to dump the interpreter's binary and look for vulnerabilities. As for reversing & exploiting the interpreter: it's very easy to obtain the binaries from a dev-mode console nowadays, so it isn't a far-fetched idea to maybe look up for vulns.


How? (quoted from torus)

"You'll likely need to do static reverse engineering of that application, using tools like Ghidra, IDA Pro, or radare2.
To do that, you first also need to find the application itself in your devmode console, and extract it to your PC. Where can you find the binary in charge of executing BD-J in the xbox one? Honestly no idea. I took a quick look at the drivers in C:\Windows\System32 in the Xb1 to see if I could quickly identify something related to ODD, BD, BluRay but I saw nothing. I'll let you know if I stumble upon it, or, if someone knows where to look into, don't hesitate to share w/ all of us "

Post automatically merged: Nov 29, 2022

 

[Kopimist]

If I had a blu-ray burner I'd be a tester but alas I do not. I do have Durango ftp installed on retail mode on my Xbox one, not sure if that's of any help at all for poking around inside the system files.

If I can be of assistance in anyway please let me know

 

[XboxModder2]

Post automatically merged: Dec 2, 2022

If I had a blu-ray burner I'd be a tester but alas I do not. I do have Durango ftp installed on retail mode on my Xbox one, not sure if that's of any help at all for poking around inside the system files.

If I can be of assistance in anyway please let me know

will do!

 

[Kopimist]

Post automatically merged: Dec 2, 2022

will do!

Just to clarify, I don't have access to dev mode nor can I afford it at this point in time. I wish Microsoft was still doing free dev accounts for students, I'd be all set. Oh well, I missed that boat on that offer

 

[XboxModder2]

Just to clarify, I don't have access to dev mode nor can I afford it at this point in time. I wish Microsoft was still doing free dev accounts for students, I'd be all set. Oh well, I missed that boat on that offer

Ah i see..., alright

 

[MrQQ]

This isnt going to lead to anything sadly based on my own research. No sandbox escape or hyperv escape. ODD key is stored in NVram on the ODD and cannot be read as registers for the flash arent known. You may be able to achieve some sort of userland exploit but the ryzen co processor will be watching. Much more research needed sadly.

 

[XboxModder2]

This isnt going to lead to anything sadly based on my own research. No sandbox escape or hyperv escape. ODD key is stored in NVram on the ODD and cannot be read as registers for the flash arent known. You may be able to achieve some sort of userland exploit but the ryzen co processor will be watching. Much more research needed sadly.

Oh alright, thank you for the information, but can this be considered as some sort of escape from the sandbox?

 

[TomChaai]

Oh alright, thank you for the information, but can this be considered as some sort of escape from the sandbox?

He said the escalation happened on dev consoles, so it won't work on retail.
Escaping the BD app probably does nothing as the administrator privilege only happens in appOS, it can't reach down into the hostOS, it probably isn't able to see the real hardware, only the virtual ones presented to the appOS by the hostOS.
You can mess with the appOS all you want, still nothing gets to the hostOS to alter the gameOS from what I know.
And the fact that this is dev mode only probably means you have zero insight into the retail side of things, which uses totally different key trees enforced by the hostOS and the security processor on the SoC, can't even get to the files in this situation.

 

[fringle]

He said the escalation happened on dev consoles, so it won't work on retail.
Escaping the BD app probably does nothing as the administrator privilege only happens in appOS, it can't reach down into the hostOS, it probably isn't able to see the real hardware, only the virtual ones presented to the appOS by the hostOS.
You can mess with the appOS all you want, still nothing gets to the hostOS to alter the gameOS from what I know.
And the fact that this is dev mode only probably means you have zero insight into the retail side of things, which uses totally different key trees enforced by the hostOS and the security processor on the SoC, can't even get to the files in this situation.

He said Dev mode not Dev console. If you are not aware Dev mode is an option available on retail consoles. It use to be free but MS started charging for access to it.

 

[XboxModder2]

He said the escalation happened on dev consoles, so it won't work on retail.
Escaping the BD app probably does nothing as the administrator privilege only happens in appOS, it can't reach down into the hostOS, it probably isn't able to see the real hardware, only the virtual ones presented to the appOS by the hostOS.
You can mess with the appOS all you want, still nothing gets to the hostOS to alter the gameOS from what I know.
And the fact that this is dev mode only probably means you have zero insight into the retail side of things, which uses totally different key trees enforced by the hostOS and the security processor on the SoC, can't even get to the files in this situation.

it is dev mode

 

[MrQQ]

it is dev mode

Precisely so nothing will work sadly. Retail keys are not known sadly.

 

[XboxModder2]

Precisely so nothing will work sadly. Retail keys are not known sadly.

okay thanks

 

[lolki]

Is there something we can do? If yes, how? Otherwise, let's wait for news, one day there will be for sure, and it's a matter of time.

 

[lolki]

Are the keys in dev the same keys in retail mode? asking another way: if I get the keys in dev mode, I believe that dev mode is superior to retail mode and provides the basis for this or because it has more privileges than retail mode: so should it work or are the systems completely different? thanks for the patience

 

[MrQQ]

Are the keys in dev the same keys in retail mode? asking another way: if I get the keys in dev mode, I believe that dev mode is superior to retail mode and provides the basis for this or because it has more privileges than retail mode: so should it work or are the systems completely different? thanks for the patience

No they are not. Retails keys are not known as I said earlier

 

[Kopimist]

Are the keys in dev the same keys in retail mode? asking another way: if I get the keys in dev mode, I believe that dev mode is superior to retail mode and provides the basis for this or because it has more privileges than retail mode: so should it work or are the systems completely different? thanks for the patience

Dev mode runs in a sandbox so it's limited in comparison to retail mode. Major difference is it lets you run unsigned homebrew etc though. I mean theoretically if someone could write an exploit to break out of said sandbox that would be another option. Much easier said than done though I'm afraid. The Xbox One is pretty damn locked down against software exploits. I wonder if attacking via hardware might be a better option. Perhaps some sort of hardware mod to enable a coldboot exploit or something. Of course I'm just brainstorming here. Retail keys may still need to be dumped for even that to work but I'm honestly not sure

 

[TomChaai]

He said Dev mode not Dev console. If you are not aware Dev mode is an option available on retail consoles. It use to be free but MS started charging for access to it.

Doesn't change anything, dev mode is the same on retail or dev consoles, as long as it is the "same" dev mode, SRA/UWA or ERA. We have retail consoles activated as ERA just fine, not the free/cheap SRA stuff MS gives out to the general public.
Dev mode runs on seperate keychains entirely, anyting done dev mode can't be decrypted by retail keychains.
If there is no hostOS exploit, any dev mode changes are useless.

Post automatically merged: Dec 18, 2022

it is dev mode

Doesn't change anything. A retail console in dev mode is an entirely separate instance, reaching sideways from appOS into gameOS isn't possible, you need to reach down into hostOS, hypervisor or even SP then reach up into gameOS for any useful exploit to happen.