-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Subject : Another Project B solution involving dashboard!


Ladies and Gentlemen,

Earlier today the team known as "free-x" released a dashboard exploit allowing
people to run Linux without a modchip, using an integer overflow in the dashboard
font files.

A trick using the dashboard is way better than the usual 007 trick, because
you don't need a game (only once, for installation), and you can eject the
CD without resetting the system.

Luckily, the XBOX Dashboard is quite buggy, and the free-x bug is not the only one
:-) I will present here another dashboard bug, found and exploited independently.

Using the dashboard, people can rip audio tracks from their favorite CDs and
put them on the XBOX HD. They can then listen to their favorite tracks while
playing some games. The dashboard stores a database of the songs in a file
named "ST.DB". There are serious bugs when handling this file, that can
be used to run unsigned code on the XBOX.

When handling this file, an "array[index] = value" instruction is executed,
with both "index" and "value" being 32-bit values taken from the ST.DB file.
There is no bounds check on "index", and this is the bug exploited here.
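As an added illustration (not the proof of concept from the ZIP, and not the real
ST.DB layout, which this message does not describe), the C below shows the shape
of the check that is missing: a loader that reads (index, value) pairs from a
constructed record format and refuses any index outside the table. The index is
compared as an unsigned 32-bit quantity, so a file value of 0xFFFFFFFF is rejected
like any other out-of-range index instead of slipping past a signed "index < size"
test as -1. The record format, TABLE_ENTRIES, the sample bytes and all function
names are assumptions made for this example.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* Assumed layout for this example, NOT the real ST.DB format: a sequence of
   8-byte little-endian records, each a 32-bit index followed by a 32-bit value. */
#define TABLE_ENTRIES 16

typedef struct {
    uint32_t entries[TABLE_ENTRIES];
    size_t rejected;   /* records refused by the bounds check */
} track_table;

static uint32_t read_le32(const unsigned char *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Apply one (index, value) record to the table.
   Returns 1 if the value was written, 0 if the record was rejected.
   Because index is unsigned, the single comparison below covers both
   "too large" and "negative" indices from the file. */
int apply_record(track_table *t, uint32_t index, uint32_t value) {
    if (index >= TABLE_ENTRIES) {
        t->rejected++;
        return 0;
    }
    t->entries[index] = value;
    return 1;
}

/* Parse a whole buffer of records into a freshly zeroed table.
   Returns the number of records written, or -1 if the buffer length is
   not a whole number of records (a truncated or corrupt file). */
int load_table(track_table *t, const unsigned char *buf, size_t len) {
    if (len % 8 != 0) return -1;
    memset(t, 0, sizeof *t);
    int written = 0;
    for (size_t off = 0; off < len; off += 8) {
        uint32_t index = read_le32(buf + off);
        uint32_t value = read_le32(buf + off + 4);
        written += apply_record(t, index, value);
    }
    return written;
}

/* Constructed sample "file": two in-range records, one index just past the
   end of the table, and one 0xFFFFFFFF index that a signed check would
   have treated as -1 and written in front of the array. */
static const unsigned char sample_db[] = {
    0x02,0x00,0x00,0x00, 0xEF,0xBE,0xAD,0xDE,   /* entries[2]  = 0xDEADBEEF */
    0x0F,0x00,0x00,0x00, 0x01,0x00,0x00,0x00,   /* entries[15] = 1          */
    0x10,0x00,0x00,0x00, 0x02,0x00,0x00,0x00,   /* index 16: out of range   */
    0xFF,0xFF,0xFF,0xFF, 0x03,0x00,0x00,0x00,   /* index -1 as unsigned: out of range */
};

/* Convenience entry point that loads the constructed sample above. */
int load_sample(track_table *t) {
    return load_table(t, sample_db, sizeof sample_db);
}

int main(void) {
    track_table t;
    int n = load_sample(&t);
    printf("written=%d rejected=%zu entries[2]=0x%08x entries[15]=%u\n",
           n, t.rejected, t.entries[2], t.entries[15]);
    return 0;
}
```

Running it reports two records written and two rejected; the two bad records
never touch memory outside the table, which is exactly the property the
dashboard's loader lacks.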

The included ZIP file contains a proof of concept. It was tested on two 
different unmodded XBOXes (using 3944 and 4034 bios) running dashboard 4920.
Note that for this proof of concept, only the dashboard 4920 is supported. It's
the one that is installed by games using XBOX Live (it has the "XBOX LIVE" 
option). As for supported bioses, all ORIGINAL bioses *should* work, but the
trick doesn't work if you're using a modified bios.


Installation
- ------------
 * Use the 007 or Mechassault trick to log onto your XBOX 
 * Copy the file ST.DB into E:\TDATA\fffe0000\music\
 * Copy the file linux.xbe into E:\
 * Done!
 
Usage
- -----
 * You can use your XBOX as usual, but don't play too much with the "custom
   music playlist" options in games, as the bug is located here.  
 
 * When you want to run Linux, just boot the XBOX with an AUDIO CD inserted,
   and once the CD plays, slowly press the following 8 keys:
                      B, Down, A, Right, Right, A, A, A
   (or go into the "audio cd" menu, choose "copy", then "copy" again and
    then "new soundtrack", then "ok")
    
 * Linux should be running! :-)  
    

Q: Can I run backup games using this trick?
A: No, only Linux can run.

Q: I followed the instructions but when I start the "audio copy" the XBOX
   restarts, or just rips the audio from the CD instead of running linux, why?
A: Be sure you're using dashboard 4920 (provided with every game supporting
   XBOX Live); for now it's the only dashboard version supported.

Q: Are there more bugs in the dashboard?
A: Who knows :-)

Q: What's the difference between this thing and the "free-x" proof of concept?
A: The bugs are totally different, even if they're both located in the dashboard.
   Using the free-x bug the dashboard can't be loaded (for now), but Linux is
   run every time the XBOX is started without a game CD. Using mine, the dashboard
   is loaded as usual, but when you want to run Linux you have to put an audio
   CD inside and press some keys before Linux is started from the dashboard.
   So each one has its own pros/cons.


Alex


-----BEGIN PGP SIGNATURE-----
Version: PGP 8.0

iQA/AwUBPwZK3wE0fM5Dz6PbEQI8ywCeOaKgUhn4nbqQmU89yFc8HSy4sEwAn3Mt
9Zj1TAwFZqceiotv7ztGzzXg
=qec1
-----END PGP SIGNATURE-----