Xbox Linux Made Possible Without a Modchip
An anonymous reader writes "Free-X have released an exploit for the Xbox that will let you get Linux on the machine without any hardware mods at all... Microsoft is already threatening them with legal action. Here's the Free-X statement. Free-X say they had been trying to contact MS for a month but were ignored, which is why they've released the exploit. Should be interesting to watch this one."
007 Agent Under Fire contains an exploit in the save-game loading routine which can lead to a local-root compromise on your X-box with a specially corrupted save game file.
This can be used, for example, to boot Linux, or flash the BIOS.
The reason that this didn't win Mike Robertson's 100 large is because you still need to rip the lid off the box and solder a pair of jumpers (or use conductive pen) in order to enable 'write' on the flash rom.
You're doing it wrong.
It's a base-64 encoded proof-of-concept font and loader program. Base-64 is sort of like uuencode -- it's just a reversible way to represent a binary file as ascii code. The line "begin-base64 644 dayX.tgz" is the header that includes the encoded filename (dayX.tgz). Ask google about it for more info. Google knows all.
everything in moderation
Underflow is the same, but opposite, making it so you wrap from near zero to a very big number... You say the font size is 0x0003, and the X-Box subtracts 0x0004, and ends up thinking it needs to read in 0xffff more data from the font file...
Both just involved wrapping around the maximum/minimum values a variable can hold.
You don't know when someone will lawyer their way into taking this thing offline. Make it as available as you can.
If the DMCA continues to be used to shut down what used to be considered fair use, we'll see more and more open source endeavors moving out of the US. Here's to fervently hoping the MPAA/RIAA doesn't manage to implement DMCA clones in all countries on this planet. They seem to be doing a pretty good job at it in Europe.
why their exploit would work (integer underflow..?)
It looks at the file. The first four bytes are how big the file is, including its own size. So if the file is 16 bytes long, that is 4 bytes of the header and 12 bytes of data. That first four bytes reads 16.
So the XBox reads in the first four bytes (16), takes 4 away and then knows to look for 12 more bytes (16-4).
Apparently it uses those first four bytes (16) to allocate the memory. It then takes 4 away from that value (4 from 16 is 12) and reads those bytes (next 12) into memory.
Well, if you feed it 0..3 instead of 16 in that example, you get an underflow. It sees those first 0..3, takes away 4, and gets a very large number (whatever the maximum is, assume 8^4). So it then writes large amounts of YOUR data to memory even when only 0..3 bytes are allocated (or it is smart and will only do 4). So now you have YOUR own code/data in memory that isn't for that file.
I think. Fuck if I really know.
-Eyston
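The underflow that the two comments above describe (a 4-byte total length that includes the header, minus 4, used as the copy length) is easy to see in code. The following is an added example written for this page, not Free-X's exploit, their font loader, or anything from the Xbox firmware; the function names and the sample files are assumed for illustration, and the header is taken to be little-endian as the comments' "first four bytes" phrasing suggests. The vulnerable routine only returns the length it would copy, so the out-of-bounds write itself is not performed; the hardened routine beside it shows the two checks that close the hole.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

/* Added example, not Free-X's exploit or the Xbox font loader. It models the
 * header layout described in the comments above: the first four bytes hold the
 * total file length, header included, little-endian (assumed). The function
 * names and sample files are illustrative. */

#define HEADER_LEN 4u

static uint32_t read_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Length computation as the comments describe it: total minus the 4-byte
 * header, with no check that total >= 4. Unsigned subtraction wraps, so a
 * header of 3 yields 0xFFFFFFFF and a header of 0 yields 0xFFFFFFFC; a loader
 * that sized its buffer from the small header value would then copy billions
 * of attacker-controlled bytes past it. Only the length is returned here; the
 * out-of-bounds copy is deliberately not performed. */
uint32_t vulnerable_copy_len(const uint8_t *file, size_t file_len)
{
    if (file_len < HEADER_LEN)
        return 0;
    uint32_t total = read_le32(file);
    return total - HEADER_LEN;   /* underflows when total < HEADER_LEN */
}

/* Hardened version: reject a total smaller than the header (the underflow
 * case) and a total larger than the bytes actually present (a truncated or
 * lying file). Returns the payload length, or -1 for a malformed header. */
int64_t safe_copy_len(const uint8_t *file, size_t file_len)
{
    if (file_len < HEADER_LEN)
        return -1;
    uint32_t total = read_le32(file);
    if (total < HEADER_LEN)
        return -1;                       /* would wrap */
    if ((size_t)total > file_len)
        return -1;                       /* claims more data than exists */
    return (int64_t)(total - HEADER_LEN);
}

/* Copy the payload into a heap buffer sized from the validated length.
 * Returns NULL for malformed input; the caller frees the buffer. */
uint8_t *safe_load_payload(const uint8_t *file, size_t file_len, size_t *out_len)
{
    int64_t n = safe_copy_len(file, file_len);
    if (n < 0)
        return NULL;
    uint8_t *buf = malloc((size_t)n + 1);   /* +1 so a zero-length payload still allocates */
    if (buf == NULL)
        return NULL;
    memcpy(buf, file + HEADER_LEN, (size_t)n);
    *out_len = (size_t)n;
    return buf;
}

/* Constructed sample files (not real Xbox font data). */
const uint8_t SAMPLE_GOOD[16] = { 16, 0, 0, 0,
    'A','B','C','D','E','F','G','H','I','J','K','L' };   /* header 16 -> 12 payload bytes */
const uint8_t SAMPLE_BAD[16]  = {  3, 0, 0, 0,
    'A','B','C','D','E','F','G','H','I','J','K','L' };   /* header 3 -> 3 - 4 wraps */

int main(void)
{
    size_t n = 0;
    uint8_t *p = safe_load_payload(SAMPLE_GOOD, sizeof SAMPLE_GOOD, &n);
    printf("good file: vulnerable len=%u, safe len=%lld, loaded %zu bytes\n",
           vulnerable_copy_len(SAMPLE_GOOD, sizeof SAMPLE_GOOD),
           (long long)safe_copy_len(SAMPLE_GOOD, sizeof SAMPLE_GOOD), n);
    free(p);
    printf("bad file:  vulnerable len=%u (wrapped), safe len=%lld (rejected)\n",
           vulnerable_copy_len(SAMPLE_BAD, sizeof SAMPLE_BAD),
           (long long)safe_copy_len(SAMPLE_BAD, sizeof SAMPLE_BAD));
    return 0;
}
```

The check against `file_len` matters as much as the `total < HEADER_LEN` check: a header that passes the underflow test can still claim more bytes than the file holds, and a loader that trusts it reads past the end of whatever it buffered. Both conditions are tested before any arithmetic on `total` is used as a size.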
It's too bad they probably won't get the 100k. In order to get the files onto the xbox, you need to use a prior exploit that DOES require something(007 save, swapping HDD etc)
Not at all. You do not need to make any modifications to the hardware to use the 007 hack. If you have a memory card with the savegame on it, then you can simply copy that to the HD and load the game. This boots linux with an ftp server. You do NOT need to open the box or solder the pins; you only need to do that if you want to flash the TSOP and effectively mod the bios. Once you use the 007 trick you have temporary ftp access to the box - you can ftp over and replace the font files. Now the box is as good as modded and no one will know the difference. In addition this is safer than flashing the TSOP because the BIOS is simply intercepted in hardware.
So in short - you can have a completely modded xbox without ever opening the cover.
Also from the DMCA:
(f) Reverse Engineering. -
(1)
Notwithstanding the provisions of subsection (a)(1)(A), a person who has lawfully obtained the right to use a copy of a computer program may circumvent a technological measure that effectively controls access to a particular portion of that program for the sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs, and that have not previously been readily available to the person engaging in the circumvention, to the extent any such acts of identification and analysis do not constitute infringement under this title.
Sadly this is not funny, it's true. There's the new Copyright Directive in the European Union and the USA is ''exporting'' the DMCA to other countries like Singapore.
Up the Mod of the parent since it is entirely correct.
They did not "blackmail" Microsoft, as the last Slashdot article ad-libbed in its summary, but gave them every opportunity to cooperate in creating a signed Linux loader.
As well the released code by X-Free does not allow you to pirate games. (Although by modifying their release and using their same technique it could be.)
As well it must be remembered that there is no EULA for hardware; we are freely able to use hardware we bought any way we choose to. As well, people are legally able to reverse engineer the hardware, much the same way that other game consoles (NES, SNES, N64, PSX) were reverse engineered to create emulators like BLEEM.
P.S. Remember that it is likely the computer you are using now (IBM-CLONE) would not be here without the work of people reverse engineering the original IBM desktop computers.