Jump to content
RealModScene
Dr.Gonzo

Xbox One Dev Mode - Shell and Win32 code execution

Recommended Posts

Emoose, gligli, tuxuser and xvmm, provide us new stuff for gambling on Xbox One (Dev Mode). With these project, we are able to execute code in the SystemOS VM. The intention behind the idea is, to find a way to get access to a deeper stage  to the HostOS, that is the lowest area of Xbox One system OS, which gives you the full control of the complete Xbox One Hardware.

_____________________________________________________________________________________________________________________________________________________

With the following information you can get a shell (cmd.exe) and win32 code execution on Xbox One in UWP Devkit mode.
Normally you can only deploy "sandboxed" UWP containers with very limited access rights, hence this writeup.

Preamble
This is not an exploit or breakthrough of any sort. It's simply taking advantage of provided debugging features in developer mode! This is for any one who may be curious and want to reverse engineer the Xbox One.
This is also mainly provided for anyone who wants to just have a go at reversing the system. There's a lot to utilize with the public features anyway.

Prerequisites

  • Must be in developer-mode (obviously)
  • Have some form of SSH/telnet client. (PuTTy, etc)
  • At least have Visual Studio 2015 or 2017


To get started without putting up with developing UWP applications we can instead utilize the open SSH connection provided by the console. This is only available in developer mode, just in case you get any ideas.

If you're using Windows and will be using standard command prompt for telnet then make sure you enable it first!

  • Control Panel -> Programs -> Turn Windows features on or off"
  • Tick "Telnet client"
  • Done



Howto
* First open up whatever client you have for SSH, in this instance PuTTy, and connect using your console IP and default port. There'll be a pop-up. Just hit yes.
* Now it will ask for login details. Make sure you have Dev Home opened and hit Show Visual Studio Pin. Keep note of this pin but also remember it will change after a small period of time!

Use the following credentials:

 

1.Username: DevToolsUser
2.Password: The Visual Studio pin provided in Dev Home

* If all goes successfully then you can either stick with it or intialise telnet. Run the following command in order to do so:

1. devtoolslauncher LaunchForProfiling telnetd "cmd.exe 24"

* Open command prompt on Windows and run:

1.telnet [consoleip] 24
2.# (Example: telnet 192.168.1.5 24)

 

The telnet session will be running under the VSProfilingAccount privileges which is the same as what the VS debugger runs under when building UWP apps.
Keep in mind that there is not too much of a difference at this stage. It just allows a tiny bit more flexability.

Basic file system exploration
You can do this by accessing the Xbox Device Portal on your computer and going to File Explorer tab. There will
be an option near the top right that is called Browse. Using this will show you credentials that can be used
to access the developer scratch. We can use the developer scratch to store our junctions to navigate throughout the mounted drives.

Using telnet or SSH, go to "D:\DevelopmentFiles".

1.>D:
2.>cd DevelopmentFiles
3.>mkdir Links
4.
5.# And run the following:
6.>mklink /J "Links\System" C:\
7.
8.# If the result is successful then double check:
9.>cd links\system
10.>dir

 

If it gives you a directory listing then there you go!

You can get easier access by opening File Explorer on Windows and typing the following into the file path bar:

 

1. \\<console ip>

 

It will prompt for login details. If you open the device portal and go to File Explorer tab then on right side hit browse; you will be given details to use. Once in then you can access most but not all volumes.

(Refer to "Mount points" to find out more)

Next steps
So what now? Well, I'm going to provide a small "template" which you can use in order to write a standard "Win32" application. The only difference is that it will run on the Xbox One.
(Requires Windows 10 SDK compatible with Xbox One and probably Visual Studio 2017, at least 2015.)
XRF: Attached below.
Place anywhere on the console and run

1. xrf cinfo

 

for a basic spit of console info.

Additional information
Basic introduction
The Xbox One currently runs 3 separate operating systems with each prioritised with their own purpose.

These are known as:

  • Host OS
  • System OS
  • Game OS



System and Game OS both reside in their own partition:

  • Shared Resource Access - Runs apps and renders the UI experience.
  • Exclusive Resource Access - Runs games and has more priority with resources.


These operations are stored in an Xbox Virtual Disk (XVD) with a small bootloader, currently assumed based on previous data dumps, that contains the kernel, HAL and other important system files. These get stored in the
User Data section of each.

  • host.xvd | ExtHost.xvd
  • System.xvd
  • era.xvd



System and Host are stored in both the flash and on the console hard drive. The Game OS XVD is stored with each
packaged game that is released for the Xbox One. Although this requires another look; it appears that when a user
launches a game, System then initiates a call that mounts the package to the ERA partition which then boots into the Game OS before finally mounting and starting the game.

Mount points

Within the SRA Partition, the following are mounted to each drive letter

1.\\.\C:\ -> System.xvd
2.\\.\D:\ -> USB (typically for retail) (Development scratch for dev-mode)
3.\\.\J:\ -> SystemTools.xvd (dev-mode only)
4.\\.\L:\ -> en-%s (languages)
5.\\.\M:\ -> SystemMisc.xvd
6.\\.\P:\ -> Page file
7.\\.\S:\ -> Settings.xvd | Settings-devkit.xvd
8.\\.\T:\ -> Temp.xvd (or whatever)
9.\\.\U:\ -> user.xvd / user-devkit.xvd
10.\\.\X:\ -> SystemAux.xvd
11.\\.\Y:\ -> SystemAuxF.xvd

 

Update 22.06.2019

Privilege escalation, Python 3.7, Powershell and so on.

With the new Update, you can leave the UWP Sandbox and get access to System OS. on Xbox One phat consoles. 😀

 

Quote

* USB Stick format to NTFS
* Unzip the Archiv "SystemOS Utilities.zip" and move it to your Usb Stick
* Connect your Usb Stick to your Xbox One
* Get in connection to your DevMode-Xbox with your SSH Client, User: "DevToolsUser", Password: <VS Pairing Pin from Dev Home>
* Run E:\superfun.exe 
* Wait briefly
* Connect to your Xbox One over telnet (port23)
* Profit (SYSTEM privileges)

For Helpers:


#########################
## Install powershell  ##
#########################

* Download: https://github.com/PowerShell/PowerShell/releases/download/v6.2.0/PowerShell-6.2.0-win-x64.zip
* Unzip
* Copy over to console
* Execute pwsh.exe
* Profit

#########################
## Powershell Helpers  ##
#########################

# Download stuff

# Usage: Wget https://url/file.zip D:\target.zip
function Wget([String] $Url, [String] $DestPath){
  [Net.ServicePointManager]::SecurityProtocol = "tls12, tls11, tls";
  $WebClient=(New-Object System.Net.WebClient);
  $WebClient.Proxy=[System.Net.WebRequest]::GetSystemWebProxy();
  $WebClient.Proxy.Credentials=[System.Net.CredentialCache]::DefaultNetworkCredentials;
  $WebClient.DownloadFile($Url,$DestPath)
}

// Argument: D:\ <-- notice tailing backslash
function Enumerate-Symlinks([String] $Path)
{
  dir $Path -recurse -force | ?{$_.LinkType} | select FullName,LinkType,Target
}

# Unzip stuff
Expand-Archive D:\filepath.zip

###################
# Install python  #
###################
* Download https://www.python.org/ftp/python/3.7.3/python-3.7.3-embed-amd64.zip
* Unzip
* Uncomment "import site" in file python37._pth
* Download get-pip.py (https://bootstrap.pypa.io/get-pip.py) and stuff it inside extracted python folder
* Copy to console
* Execute:
set PATH="%PATH%;D:\DevelopmentFiles\Python"
 set PYTHONPATH="D:\DevelopmentFiles\Python"
* Execute "python.exe get-pip.py"
* Profit

###############################
# Add secondary admin account #
###############################
# NOTE: Use net1.exe from SystemOS Utilities, provided by @XVMM
# User "root", Password "toor"

# Max password age
net1.exe accounts /maxpwage:unlimited

# Add user
net1.exe user root toor /add

# Add user to groups
net1.exe localgroup "Administrators" root /add
net1.exe localgroup "Ssh Users" root /add

###########################
# Win32 VS Debug monitor  #
###########################
# Starts a standard Win32 Remote Debugger on port 4020.
# Read the following to get it going: https://docs.microsoft.com/en-us/visualstudio/debugger/remote-debugging-cpp?view=vs-2019#remote_cplusplus
D:\DevelopmentFiles\VSRemoteTools\x64\msvsmon.exe /noauth /anyuser /silent /port 4020

 

Source: gbatemp.net, 

Source: Xboxhacks.de

XRF-Templ.zip

SystemOS_Utilities.zip

  • Like 2

Share this post


Link to post
Share on other sites

GliGli? wasnt GliGli one of the people who originally hacked the 360? This is very good news, my Xbox One was feeling abit neglected recently :P Hopefully this goes somewhere. I'll definitely be keeping up with developments :)

Share this post


Link to post
Share on other sites
6 minutes ago, Ploggy said:

GliGli? wasnt GliGli one of the people who originally hacked the 360? 

 

Yes exactly the same guy.

Share this post


Link to post
Share on other sites
47 minutes ago, Dr.Gonzo said:

 

Yes exactly the same guy.

Great!. I know this isn't an "Exploit" but still.. With Gligli on the team I know it's in good hands. Man, I hope something comes from this, Dev mode is fine I suppose but it's still very limited right now, the Xbox One scene could be so much more. It's lagged way behind the others of this Gen, which is sad because Xbox tends to be the more active usually. So here's hoping this is the start of something good :) 

Share this post


Link to post
Share on other sites

You should not forget, its a team Performance. A lot of people are working in the backround around these project.

 

Share this post


Link to post
Share on other sites
6 minutes ago, Dr.Gonzo said:

You should not forget, its a team Performance. A lot of people are working in the backround around these project.

 

Of course :P I didnt mean to single out Gligli as the only dev working on this.. Good luck and thanks to ALL involved ;) 

  • Thanks 1

Share this post


Link to post
Share on other sites
On 9/15/2018 at 8:39 PM, Ploggy said:

GliGli? wasnt GliGli one of the people who originally hacked the 360? This is very good news, my Xbox One was feeling abit neglected recently :P Hopefully this goes somewhere. I'll definitely be keeping up with developments :)

Gligli is the guy behind RGH, i don't believe he originally hacked the xbox 360 (JTAG and kingkong shader hack etc.)

Share this post


Link to post
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

Loading...

×
×
  • Create New...