Xbox Linux Made Possible Without a Modchip
An anonymous reader writes "Free-X have released an exploit for the Xbox that will let you get Linux on the machine without any hardware mods at all... Microsoft is already threatening them with legal action. Here's the Free-X statement. Free-X say they had been trying to contact MS for a month but were ignored, which is why they've released the exploit. Should be interesting to watch this one."
007 Agent Under Fire contains an exploit in the save-game loading routine which can lead to a local-root compromise on your X-box with a specially corrupted save game file.
This can be used, for example, to boot Linux, or flash the BIOS.
The reason that this didn't win Mike Robertson's 100 large is because you still need to rip the lid off the box and solder a pair of jumpers (or use conductive pen) in order to enable 'write' on the flash rom.
You're doing it wrong.
It's a base-64 encoded proof-of-concept font and loader program. Base-64 is sort of like uuencode -- it's just a reversible way to represent a binary file as ascii code. The line "begin-base64 644 dayX.tgz" is the header that includes the encoded filename (dayX.tgz). Ask google about it for more info. Google knows all.
everything in moderation
Underflow is the same, but opposite, making it so you wrap from near zero to a very big number... You say the font size is 0x0003, and the X-Box subtracts 0x0004, and ends up thinking it needs to read in 0xffff more data from the font file...
Both just involved wrapping around the maximum/minimum values a variable can hold.
The DMCA. Circumventing a copyright protection system is illegal.
You don't know when someone will lawyer their way into taking this thing offline. Make it as available as you can.
If the DMCA continues to be used to shut down what used to be considered fair use, we'll see more and more open source endeavors moving out of the US. Here's to fervently hoping the MPAA/RIAA doesn't manage to implement DMCA clones in all countries on this planet. They seem to be doing a pretty good job at it in Europe.
why their exploit would work (integer underflow..?)
It looks at the file. The first four bytes are how big the file is, including its own size. So if the file is 16 bytes long, that is 4 bytes of the header and 12 bytes of data. That first four bytes reads 16.
So the XBox reads in the first four bytes (16), takes 4 away and then knows to look for 12 more bytes (16-4).
Apparently it uses those first four bytes (16) to allocate the memory. It then takes 4 away from that value (4 from 16 is 12) and reads those bytes (next 12) into memory.
Well, if you feed it 0..3 instead of 16 in that example, you get an underflow. It sees those first 0..3, takes away 4, and gets a very large number (whatever the maximum is, assume 8^4). So it then writes large amounts of YOUR data to memory even when only 0..3 bytes are allocated (or it is smart and will only do 4). So now you have YOUR own code/data in memory that isn't for that file.
I think. Fuck if I really know.
-Eyston
It's too bad they probably won't get the 100k. In order to get the files onto the xbox, you need to use a prior exploit that DOES require something(007 save, swapping HDD etc)
Not at all. You do not need to make any modifications to the hardware to use the 007 hack. If you have a memory card with the savegame on it, then you can simply copy that to the HD and load the game. This boots Linux with an ftp server. You do NOT need to open the box or solder the pins; you only need to do that if you want to flash the TSOP and effectively mod the bios. Once you use the 007 trick you have temporary ftp access to the box - you can ftp over and replace the font files. Now the box is as good as modded and no one will know the difference. In addition this is safer than flashing the TSOP because the BIOS is simply intercepted in hardware.
So in short - you can have a completely modded xbox without ever opening the cover.
As seen before microsoft does not like people who publish exploits. So I have made an off-US mirror in a country where releasing exploits to the public is still legal...
Also from the DMCA:
(f) Reverse Engineering. -
(1)
Notwithstanding the provisions of subsection (a)(1)(A), a person who has lawfully obtained the right to use a copy of a computer program may circumvent a technological measure that effectively controls access to a particular portion of that program for the sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs, and that have not previously been readily available to the person engaging in the circumvention, to the extent any such acts of identification and analysis do not constitute infringement under this title.
integer underflow..?
Here's a completely non-technical explanation:
Think of it like a clock. The XBOX loads a number expecting it to be something like 10 minutes. It then subtracts 5 minutes and uses the number. But instead of giving it a number like 10 minutes you give it a number like 2 minutes. Then when the XBOX subtracts 5 from 2 it gets an underflow. It doesn't know about negative numbers. So what it does is it wraps around like a clock. If you look at the 2 minute mark on a clock, then count backwards 5 minutes where do you end up? You end up 3 minutes before the 12. That's 11 hours and 57 minutes. So XBOX thinks that 2 minus 5 equals 11 hours and 57 minutes.
So by giving the XBOX a smaller number than it expects, and letting the XBOX make the number even smaller, it underflows - wraps around - to a really big number. That really big number tells the XBOX to load a HUGE amount of information. More than it's supposed to load. That means you can feed the XBOX any program you want and the XBOX will suck it up and run it.
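As an added illustration that is not from the original thread or Free-X's release, the following C models the length-field logic described in the two explanations above (Eyston's byte-count walkthrough and the clock analogy): a header that counts itself, an unchecked subtraction that wraps, and the check a hardened loader would make. It assumes a 4-byte little-endian length field and constructed sample buffers; the real Xbox font or save-game format is not on the page.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <inttypes.h>

#define HEADER_SIZE 4u   /* the 4-byte length field counts itself */

/* Constructed sample files (not real Xbox font or save-game data): a
 * little-endian total-length field followed by 12 bytes of padding. */
const uint8_t SAMPLE_GOOD[16]      = {16, 0, 0, 0};   /* total 16 -> 12 data bytes */
const uint8_t SAMPLE_UNDERFLOW[16] = { 2, 0, 0, 0};   /* total 2  -> 2 - 4 wraps */
const uint8_t SAMPLE_OVERSIZED[16] = {64, 0, 0, 0};   /* claims more than present */

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* The logic as the thread describes it: trust the header and subtract the
 * header size. With an unsigned 32-bit field, 2 - 4 becomes 0xFFFFFFFE, the
 * same wrap-around as the 16-bit 0x0003 - 0x0004 = 0xFFFF example above. */
uint32_t data_len_unchecked(const uint8_t *file, size_t file_len)
{
    if (file_len < HEADER_SIZE)
        return 0;
    return read_le32(file) - HEADER_SIZE;
}

/* Hardened version: the total must at least cover its own header and must
 * not exceed the bytes actually available. Returns -1 on a bad header. */
int64_t data_len_checked(const uint8_t *file, size_t file_len)
{
    if (file_len < HEADER_SIZE)
        return -1;
    uint32_t total = read_le32(file);
    if (total < HEADER_SIZE || total > file_len)
        return -1;
    return (int64_t)(total - HEADER_SIZE);
}

int main(void)
{
    const uint8_t *samples[3] = {SAMPLE_GOOD, SAMPLE_UNDERFLOW, SAMPLE_OVERSIZED};
    const char *names[3] = {"good", "underflow", "oversized"};
    for (int i = 0; i < 3; i++)
        printf("%-9s unchecked=%" PRIu32 " checked=%" PRId64 "\n", names[i],
               data_len_unchecked(samples[i], 16), data_len_checked(samples[i], 16));
    return 0;
}
```

The unchecked value for the underflow sample is the "really big number" the clock analogy describes; the checked version rejects it before any read is sized by it.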
- - You can't take something off the Internet! That's like trying to take pee out of a swimming pool.
Sadly this is not funny, it's true. There's the new Copyright Directive in the European Union and the USA is ''exporting'' the DMCA to other countries like Singapore.
That's a lie they love to tell. The US negotiates with terrorists all the time. Right now the Bush administration is engaged in intensive negotiations with several Palestinian terrorist groups. (And I'm not calling them terrorists because it's the US-Israeli line, but rather because they detonate bombs in places crowded with civilians.) We negotiate hostage exchanges, "disarmament" (cease fire) agreements, and much more. It all depends on how much we want the terrorists to cooperate. The US (and most other countries) have never had serious policies against negotiating with terrorists, no matter what their propaganda campaigns would like you to believe.
Gates' Law: Every 18 months, the speed of software halves.
In many countries, and I believe in the USA too, you don't have to accept a license you haven't signed. If you don't sign the license, you only have the rights copyright provides you, which for closed source software for home use usually is better than what the license provides you. These rights include installing the software on every computer in your home, but not every one in your company. This means you're "owning" your copy of the product. I attended the trial against Jon Johansen (co-author and distributor of DeCSS), where he explained they had used an uncompression program rather than the installation program to install the Xing DVD tool, in order to avoid accepting the click-through license. The prosecutor accepted this reasoning. The defender later stated that restrictions printed on the outside of DVD covers were invalid as long as the buyer didn't sign an agreement in the store. This was also undisputed by the prosecutor.
The world will end in 5 minutes. Please log out.
See here. ZDNet is also running a story here.
Up the Mod of the parent since it is entirely correct.
They did not "blackmail", as the last Slashdot article ad-libbed in its summary, Microsoft but gave them every opportunity to cooperate in creating a signed Linux loader.
As well the released code by X-Free does not allow you to pirate games. (Although by modifying their release and using their same technique it could be.)
As well it must be remembered that there is no EULA for hardware; we are freely able to use hardware we bought any way we choose to. As well, people are legally able to reverse engineer the hardware, much the same way that other game consoles (NES, SNES, N64, PSX) were reverse engineered to create emulators like BLEEM.
P.S. Remember that it is likely the computer you are using now (IBM-CLONE) would not be here without the work of people reverse engineering the original IBM desktop computers.