xboxscene.org forums


Topic: Xbox 1 Emulation

Angerwound

Xbox 1 Emulation
« on: November 20, 2005, 05:45:00 AM »

Seeing as the xbox1 is open to any changes we can throw at it - perhaps we might be able to use our old friend as a tunnel into the x360 system.

1st Possibility: Many gamesaves, live content, and other materials that xbox1 will be sharing with the 360 are open to vulnerabilities such as the way Forza uses Zlib to compress and uncompress the skins you use online for your cars. I'm sure zlib has its vulnerabilities and since a few of us around here know how to find the XBOX Cert Key and sign gamesave data to be valid, why not attempt this route? Any sort of data our xbox1 titles are sharing with a 360 could potentially be compromisable.

DaBiscuit

« Reply #1 on: November 20, 2005, 07:44:00 AM »

Surely even if you could execute some kind of an exploit, it would be entirely contained within the X-Box 1 virtual machine. I like your idea, but I can't see how it would allow access to the architecture of the 360. It would seem to simply lead to an exploit running on the emulation layer, while the 360 remained unexploited.

Maybe I'm not quite clever enough to see the possibilities though.

deadparrot

« Reply #2 on: November 20, 2005, 07:52:00 AM »

Well, if you can run it under an emulator, it is a start at least.  It is very possible to gain access to the surrounding environment from a program running in an emulator.

I definitely see this as exploitable.

deadparrot

« Reply #3 on: November 20, 2005, 09:38:00 AM »

Yeah.  We'd have to find new games to exploit, seeing as AUF, SC, and MA are not listed as having backwards compatibility.  Perhaps this means that the emulator is still prone to the buffer overflow?

mkjones

« Reply #4 on: November 20, 2005, 09:45:00 AM »

Nice ideas

But this would be especially hard seeing as you can't transfer xbox 1 gamesaves to the 360. It was on Major Nelson's blog that they decided against this purely because of exploits, poop

Also I would bet the reason MA, 007 and SC aren't on the BC list is because of this, probably "just in case" more than anything.

d0wnlab

« Reply #5 on: November 20, 2005, 11:28:00 AM »

I'm betting you the line drawn between the xbox1 "virtual machine" and the xbox360 is very spotty at best.  It's not a proper emulator.

- you need a different "emulator" for every game - I'm guessing this is so that critical sections are recoded to exploit the xbox360's speed (and possibly, use the full RAM, etc..)  If this is the case then there is probably an easy way to jump between native and emulation mode inside the emulator.

krackheadbill

« Reply #6 on: November 20, 2005, 12:29:00 PM »

QUOTE(mkjones @ Nov 20 2005, 05:52 PM)
Nice ideas

Australian Rat

« Reply #7 on: November 20, 2005, 08:07:00 PM »

I think one of the more interesting options available is the actual use of the emulation files that can be burned onto CD-Rs.

Very likely that they will be signed and safeguarded by ms to no end, but seeing as they are releasing loads of them, potential to slip up somewhere.

But I guess we'll have to wait and see how the actual emulation files work

lordvader129

« Reply #8 on: November 21, 2005, 12:01:00 AM »

QUOTE(Australian Rat @ Nov 20 2005, 08:14 PM)
I think one of the more interesting options available is the actual use of the emulation files that can be burned onto CD-Rs.

rasmithuk

« Reply #9 on: November 21, 2005, 07:34:00 AM »

From what I've heard the 'emulation profiles' are just recompiles of the game binaries for the PowerPC, with any additional patches required applied.
If this is correct then expect any well known backdoor to be closed, and if they've used the bounding pages option then don't expect buffer overflows to be easily exploited.

TheSpecialist

« Reply #10 on: November 21, 2005, 09:49:00 AM »

Like said before in this thread, a buffer overflow in emulation mode will most likely just crash the emulator and not overflow the 'real' stack.

And about the emulation files loaded from CD: At first, this also looked promising to me, but if you think of it: all these emulation files will be signed and I'm quite sure they won't load if the signature is missing. I also liked the idea, but, unfortunately, I don't think there will be some kind of weakness here ...
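The two defensive ideas raised in this thread, checking a signature before anything is parsed (TheSpecialist) and treating zlib-compressed save content as untrusted even when it carries a valid signature because the signing key is assumed known (Angerwound's first post), as an added example that is not from the original thread. The blob layout, the HMAC key and the `MAX_INFLATED` cap are constructed for the demo and are not the real Xbox save or skin format.

```python
import hashlib
import hmac
import struct
import zlib

# Constructed demo layout, not the real Xbox save or skin format:
#   32-byte HMAC-SHA256 tag || 4-byte LE declared inflated length || zlib stream
TAG_LEN = 32
MAX_INFLATED = 64 * 1024  # hard cap on how much inflated data the loader will buffer


def pack_save(key, payload, declared=None):
    """Build a signed blob. `declared` can be overridden to mimic a save that
    is validly signed (the thread assumes the signing key is known) but lies
    about its inflated size."""
    if declared is None:
        declared = len(payload)
    body = struct.pack("<I", declared) + zlib.compress(payload)
    return hmac.new(key, body, hashlib.sha256).digest() + body


def load_save(key, blob):
    """Verify before parsing, then inflate with a bound and cross-check the size."""
    if len(blob) < TAG_LEN + 4:
        raise ValueError("blob too short")
    tag, body = blob[:TAG_LEN], blob[TAG_LEN:]
    if not hmac.compare_digest(tag, hmac.new(key, body, hashlib.sha256).digest()):
        raise ValueError("bad signature: untrusted bytes never reach zlib")
    (declared,) = struct.unpack("<I", body[:4])
    if declared > MAX_INFLATED:
        raise ValueError("declared size exceeds cap")
    d = zlib.decompressobj()
    # Bounded inflate: zlib stops producing output at the limit instead of
    # growing the buffer to whatever the stream actually expands to.
    out = d.decompress(body[4:], MAX_INFLATED + 1)
    if d.unconsumed_tail or not d.eof or d.unused_data:
        raise ValueError("stream larger than cap or has trailing data")
    if len(out) != declared:
        raise ValueError("inflated size does not match declared size")
    return out
```

A signature check alone would accept the oversized and lying-length blobs in the test, since they are signed with the same key; the size cap and the declared-versus-actual cross-check are what reject them.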

heinrich

« Reply #11 on: November 21, 2005, 04:32:00 PM »

QUOTE(rasmithuk @ Nov 21 2005, 11:41 AM)
From what I've heard the 'emulation profiles' are just recompiles of the game binaries for the PowerPC, with any additional patches required applied.

cheztir

« Reply #12 on: November 21, 2005, 08:51:00 PM »

What I wonder, correct me if I am wrong here, is if they might be recompiling the games from the source from x86 to PowerPC. This might be wrong, but since Halo 2 is getting a big HD boost I don't see how you can suddenly emulate that.

I think they might take the approach like so:
The Xbox HD stores loads of just XBEs (or whatever executables). When you insert an xbox 1 game it loads the x86 XBE into memory, reads the XBE header to identify it, from there tries to match it to an equivalent PPC XBE, then launches that PPC XBE. The PPC XBE then loads all of the game information off the disc. Since the game data (images, music, and such) are not compiled to x86 or anything, this could work. This is much like moving Windows games to Linux, only the exec changes.

I think it's more logical to recompile, have the app run natively, and just load the data from the disc. This could also explain why most games don't run yet. They simply haven't tweaked the source to compile on Xbox 360's arch. yet. Also, if this were true they could patch 007:AUF and other games with holes to no longer be vulnerable. Emulation would just be too slow for even 3 3.2GHz G5 equivalents to handle, think Halo 2, and think about it, how can you emulate an HD performance boost?

Like I said, correct me if I am wrong somewhere. But it just seems like recompiling to PPC is a better choice.

My 2 cents.

DrNecessiter

« Reply #13 on: November 21, 2005, 09:12:00 PM »

I personally doubt they are "recompiling" old apps for PPC.  Companies just aren't that good at keeping buildable versions of a 4 year-old game lying around like that.

My guess is that there is a generic emulator that requires application specific patches or "workarounds" for apps that used the hardware in a goofy way.  Not positive, but that'd be my guess.

Or, they may have some sort of binary translator that somehow pre-translates the X86 code into PPC code, and then they check for problems and make patches accordingly.  I just wouldn't use the word "recompile" for this type of process.  "recompile" implies rebuilding from the C/C++/whatever source code, which I think is very unlikely.

deadparrot

« Reply #14 on: November 22, 2005, 02:08:00 AM »

Could these emulator files be encrypted PPF-type patches that patch the x86 xbe in memory?