Linux Running on Xbox Without Modchip!

NiteStar writes "It looks like people on xbox-scene.com and xboxhacker.net managed to run Xbox-Linux on a non-modded Xbox console. It requires no soldering at all - you don't even have to open up the Xbox. They are using an exploit in the saved game handling of the EA xbox game '007 Agent Under Fire'. It requires the original version of the 007 game and a memorycard you can connect to PC like the mega-X-key or datel's action replay. Apparently you can even build this memorycard yourself using a standard USB memstick." Frankly it seems like just soldering in the modchip would be easy, but big points for being clever!

Perhaps a link to the source would be in order

[Call Me Black Cloud]

Here's the announcement [xboxhacker.net] in a forum...

A bufferoverflow

[rveno1]

ok all this is, is a buffer overflow exploit.

a link to the code is:
http://www.xbox-scene.com/007linux.txt
it is uuencoded

enjoy!

It's slashdotted.

[anonymous coword]

Here is the article text (don't forget to remove the spaces from the uuencoded file)
Subject : Project B Solved !
Ladies and Gentlemen,
I'm happy to present the first solution found for the Xbox Linux Project B:
Here is a way to run Xbox Linux on an unmodded, unopened Xbox !
Inlcuded is a uuencoded zip file containing all the necessary files. Here is
what you need:
- - You need an unmodded XBOX (not sure it works with modded bios)
- - You need the game 007 Agent Under Fire (*NOT* NIGHTFIRE, those are two
different games!)
- - You need a way to transfer a save to a memory card (that is, xbox-save.com's
hardware, or usb<>xbox cable + usb stick + xbox-save software, or you can
use a standard memory card too if you can put files on it (with EvoX for
instance).
- - You need to get the "Xbox Linux Live" small distro.
Got all this? Let's party!
- - Unzip 007linux.zip
- - Extract the Xbox Linux Live ISO with a STANDARD ISO extractor (ie WinISO)
- - Copy the Xbox Linux Live files into the UDATA41000d<!--POST BOX-->00000000000\
directory (including "boot" subdirectory) (don't copy the file "plugin.img"
or it won't fit on a standard memory card).
- - Now, replace the first 0x380 bytes of the default.xbe with the 0x380 bytes
contained in the "default.patch" from the included zip file
- - Copy the whole 4541000d directory to your memory card (starting from 4541000d,
not UDATA. UDATA directory is here so it works with xbox-save.com's software)
- - Use the Xbox Dashboard to copy the 007 save from the memorycard to the HD
- - Run 007 on the Xbox
- - In main menu choose "Load Mission", then "Xbox Hard Disk"
- - Et Voila ;-) If things went well you should get a Black Screen, and Xbox LED
turning to orange (this is done when linux kernel is loaded), and after a
couple of seconds you should heard the Xbox Live Linux "loading sounds"
Just take this as a "proof of concept", there won't be anything on screen
because video has to be initialised in Linux like it is in Xromwell, but as
there is no "official version" of Xromwell I found, I prefer to use Xbox
Linux Live as example as everybody can find it.
Basically there is a bug in the save handling, which has been found in several
games, I just took 007 because only one save is needed for both US and PAL
game version - for other games you usually need two (or even more).
More explanations on how it works, how to make other linux distro work
and GPL sourcecode will follow!
I'm already anticipating some questions:
Q: Will it run my backup games without a modchip ?
A: No, it won't. This trick works for running Xbox Linux ONLY.
Q: Is it real?
A: YES.
Q: What if MS removes 007 Agent Under Fire from the shelves now ?
A: 007 Agent Under Fire is just one of the several games with this bug, so
don't worry :-)
Enjoy!
Will.
Use uudecode to extract the following file,

begin-base64 644 linux007.txt
KiBnIG8gYSB0IHMgZSB4ICogZyBvIGEgdCBz IGUgeCAqIGcgbyBhIHQgcyBl
IHggKiAKZyAgICAgICAgICAg ICAgICAgICAgICAgICAgICAgICAgICAgICAg
ICAgICAgICAg ZyAgCm8gLyAgICAgXCAgICAgICAgICAgICBcICAgICAgICAg
ICAgLyAgICBcICAgICAgIG8gIAphfCAgICAgICB8ICAgICAgIC AgICAgIFwg
ICAgICAgICAgfCAgICAgIHwgICAgICBhICAKdH wgICAgICAgYC4gICAgICAg
ICAgICAgfCAgICAgICAgIHwgIC AgICAgOiAgICAgdCAgCnNgICAgICAgICB8
ICAgICAgICAgIC AgIHwgICAgICAgIFx8ICAgICAgIHwgICAgIHMgIAplIFwg
IC AgICAgfCAvICAgICAgIC8gIFxcXCAgIC0tX18gXFwgICAgICAg OiAgICBl
ICAKeCAgXCAgICAgIFwvICAgXy0tfn4gICAgICAg ICAgfi0tX198IFwgICAg
IHwgICAgeCAgCiogICBcICAgICAg XF8tfiAgICAgICAgICAgICAgICAgICAg
fi1fXCAgICB8ICAg ICogIApnICAgIFxfICAgICBcICAgICAgICBfLi0tLS0t
LS0t Ll9fX19fX1x8ICAgfCAgICBnICAKbyAgICAgIF

Everything you need for running linux unmodded

[FristPr0st]

Here is the website which has the 007 saved games, a movie file, and instructions. http://kotisivu.mtv3.fi/vilz/unmod/ [mtv3.fi]

Re:Hmm...

[Anonymous Coward]

im no expert or anything so im just going to shoot in the dark. they modify a save game and when the game starts to load the savegame there is a bufferoverflow. then they know where the programmpointer is and they load some bootloader code in that memmory area.

Re:clueless or troll?

[Anonymous Coward]

Do you think that an average app is going to deal with /dev/psaux and /dev/input/mouse0 when the two use entirely different protocols?

No, I would expect them to use X events, gpm or at a pinch, /dev/mouse (Which although the driver which drives /dev/mouse may change, does not mean that the software interface to the device node changes)

The number of people who people who don't understand the basic premise of device abstraction is scary.

Re:I Predicted This

[Anonymous Coward]

Teasing what key out? The only key stored on the xbox is the public key, and that key is well known IIRC. What we need is the private key that is used to sign the code of games.

Mega X-Key

[savvy]

http://www.xbox-saves.com/ [xbox-saves.com] is where you can find more info on the Mega X-Key mentioned in the article, and they also have the save needed to get linux going in their saves archive.

Re:And now I has linux...

[janda]

The exploit uses a buffer overflow to insert new code after the game has been verified as "being good". If you want to play something else, all you'd need to do is remove 007 game, insert new game, press "reset".

Not quite...

[boola-boola]

"Frankly it seems like just soldering in the modchip would be easy, but big points for being clever!"

This depends on whether or not you are actually good at soldering. I for one have destroyed many PSX's in the past due to my clumsiness. Regardless, CT forgot one important fact: if you mod your XboX, you will _permanently_ (well, without some creative hacking and another Xbox, which, in having one already defeats the purpose) lose the ability to use Xbox Live, as the Xbox's unique,internal serial number will become banned.