Dr.Gonzo 396 Posted June 10, 2017 Xenomega released an exploit that allows us to get access (browse/read/write) to encrypted, mounted virtual hard disk Xbox One partitions, in conjunction with symlinks. Quote: Xbox One Symbolic Link Exploit. Access restricted/encrypted volumes using the Xbox File Explorer. Patched as of 5/5/2017: 10.0.15063.2022 (RS2_RELEASE_XBOX_1704.170501-1052). Thus in accordance with responsible disclosure. The Xbox One File Explorer does not check if a path is a symbolic link elsewhere, allowing an attacker to browse/read/write mounted volumes which are normally restricted. This includes any encrypted virtual hard disk partitions (XVD files) which the console mounts for content such as game saves, etc. Prerequisites: Download the Windows Server 2003 Resource Kit Tools, from which you'll need the "linkd" utility, as the program relies on it to create links, since mklink does not link to paths that do not exist, and the paths we intend to link to are likely non-existent on your computer. Instructions: Change the drive letter to your USB drive letter in Program.cs. Run it. Plug it into the Xbox and use the File Browser to browse through the symlinks, which will link to other parts of the system. Source: Github.com
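A defensive check for the bug the release describes, added here as an example (it is not Xenomega's Program.cs and not code from anyone in the thread): a file browser confined to a removable volume should inspect each entry with lstat instead of following it, and refuse any link whose resolved target leaves the volume root. The fake USB root, the file names and the dangling `../nonexistent_target` link are constructed for the demonstration.

```python
import os
import stat
import tempfile

FILE_ATTRIBUTE_REPARSE_POINT = 0x0400  # Windows flag for junctions/symlinks


def is_link_entry(path):
    """True if the entry itself is a symlink or Windows reparse point.
    lstat inspects the link without following it."""
    st = os.lstat(path)
    if stat.S_ISLNK(st.st_mode):
        return True
    attrs = getattr(st, "st_file_attributes", 0)  # only present on Windows
    return bool(attrs & FILE_ATTRIBUTE_REPARSE_POINT)


def escapes_root(path, root):
    """True if following the entry would land outside the volume root.
    realpath resolves links as far as possible, so dangling targets count too."""
    real_root = os.path.realpath(root)
    real_path = os.path.realpath(path)
    return os.path.commonpath([real_root, real_path]) != real_root


def audit_volume(root):
    """Walk a mounted volume without following links and classify every entry.
    Returns {relative_path: "ok" | "link-inside" | "link-escapes-volume"}."""
    verdicts = {}
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root)
            if not is_link_entry(full):
                verdicts[rel] = "ok"
            elif escapes_root(full, root):
                verdicts[rel] = "link-escapes-volume"  # a browser must not follow this
            else:
                verdicts[rel] = "link-inside"
    return verdicts


def build_constructed_volume():
    """Constructed sample: a fake USB root holding one plain file, one link that
    stays inside the root, and one link to a path that does not exist."""
    root = tempfile.mkdtemp(prefix="fake_usb_")
    with open(os.path.join(root, "readme.txt"), "w") as f:
        f.write("plain file\n")
    os.symlink("readme.txt", os.path.join(root, "inside_link"))
    os.symlink(os.path.join("..", "nonexistent_target"), os.path.join(root, "outside_link"))
    return root


if __name__ == "__main__":
    for entry, verdict in sorted(audit_volume(build_constructed_volume()).items()):
        print(f"{entry}: {verdict}")
```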
Hexmaniac 0 Posted June 12, 2017 Hi, this news is incredible, but I don't understand what this means: "Patched as of 5/5/2017: 10.0.15063.2022 (RS2_RELEASE_XBOX_1704.170501-1052). Thus in accordance with responsible disclosure". Maybe it means that this exploit is patched with the update of 5/5/2017? In this case it would be useless, and why make the exploit public once Microsoft has patched it? Can anyone help me understand? Thanks in advance.
Swizzy 2085 Posted June 13, 2017 6 hours ago, Hexmaniac said: Hi, this news is incredible, but I don't understand what this means: "Patched as of 5/5/2017: 10.0.15063.2022 (RS2_RELEASE_XBOX_1704.170501-1052). Thus in accordance with responsible disclosure". Maybe it means that this exploit is patched with the update of 5/5/2017? In this case it would be useless, and why make the exploit public once Microsoft has patched it? Can anyone help me understand? Thanks in advance. That's exactly what it means, and it's a way for hackers to stay "safe": disclosing information about exploits to the public before the company has been notified and given a chance to fix it means the hacker that found the exploit can be held responsible for damage caused by the exploit...
Hexmaniac 0 Posted June 13, 2017 As I thought, this news is doubly useless.
Dr.Gonzo 396 Posted June 13, 2017 For users/warez kiddies it's unnecessary, lol. But the possibility for the scene to get access to encrypted virtual hard disk containers should not be underestimated. It can provide an important insight into the Xbox One system/file architecture. There are a lot of people in the scene who have never updated their Xbox Ones.
Hexmaniac 0 Posted June 13, 2017 Of course, getting access to an XVC is everyone's dream, and it's almost impossible to do that on a PC with an XVC file. Unfortunately, even if you have an Xbox One with an old OS like 10.0.15063.2019 (exploitable pre-patch OS), you can't run the UWP app offline. The OS mandatorily asks you to connect to the internet to get access to your profile, and it obliges you to update the Xbox (Microsoft security system). So as of now the Program.cs posted by David Pokora aka Xenomega is doubly useless. Maybe if he had posted his discovery earlier, somebody else could have contributed to the study of the file system or how these damn XVCs work. Just for the record and obviously OT, how many of you have ever tried to dump the NAND of an Xbox One?
Dr.Gonzo 396 Posted June 13, 2017 A lot of scene members are getting in touch and getting their hands on the Xbox One. The main problem is that for XVD decryption you need a CIK. If you have downloaded a game, the CIK is stored in your XVD container in encrypted form. For decryption you need your own 256-bit Origin Decryption Key, which is stored in your KeyVault (sp_s.cfg). All encryption and decryption of the KeyVault is monitored by a fixed unit in your Xbox One SoC, called the Platform Security Processor. If you don't find a way to attack the PSP directly (hardware attack) or the main OS, you have no chance to get the needed keys. I know enough users who have dumped their Xbox One NAND. It remains to be seen what happens in the future.
Hexmaniac 0 Posted June 13, 2017 Since the UWP app was available, the first thing I thought of was just to edit it to access the restricted area of the Xbox. Unfortunately, not having enough time and sufficient knowledge in the field of computer science, I could not realize my idea. Of course with the ODK we can do everything we want, but if people like Xenomega don't post their exploits in time, the future of a CFW on XB1 is very far away.
Chrishockey55 129 Posted June 13, 2017 Damn, Dave posting some Xbox One stuff, interesting.
Swizzy 2085 Posted June 14, 2017 7 hours ago, Hexmaniac said: Since the UWP app was available, the first thing I thought of was just to edit it to access the restricted area of the Xbox. Unfortunately, not having enough time and sufficient knowledge in the field of computer science, I could not realize my idea. Of course with the ODK we can do everything we want, but if people like Xenomega don't post their exploits in time, the future of a CFW on XB1 is very far away. Just because it wasn't published for everyone to see doesn't mean he didn't share it with his friends in the scene. For example, I already knew about this before this post was made, and I don't know Dave; a friend of mine mentioned how I could get hold of my savegames... Originally the file manager wasn't even available without a hack itself... Besides, with news coming out that there are exploits that don't require you to be a rocket scientist, even if already patched, those that feel like they have nothing to contribute might try stupid ideas they have, which in the end may prove to be exactly what we need...
Dr.Gonzo 396 Posted June 14, 2017 14 hours ago, Hexmaniac said: Of course with the ODK we can do everything we want, but if people like Xenomega don't post their exploits in time, the future of a CFW on XB1 is very far away. There is a lot of work going on in the background of the Xbox One hacking scene. A lot of known and unknown scene guys are working on several different projects at the same time. Like Swizzy said, most of the stuff is kept in the background. Sometimes little bits come to daylight.
UndeadZombie II 0 Posted March 18, 2018 So I know this is an old exploit now, but I thought I'd see what exploits my old Xbox One, which hasn't been updated in a while, is vulnerable to, and it turns out that mine is barely vulnerable to this one, and I don't think it is to that other Chakra exploit. On the Xbox One I have not updated, the firmware is OS version 10.0.15063.2019 (rs2_release_xbox_1074.170407-2038). So I was wondering if there's any way I can use this one. Edit: I have attempted the exploit and the file manager does see the files, but none are recognized as something the Xbox can execute. I think I just don't know how to use it though. Edit 2: I got it all working great; this exploit is very interesting and really cool.