Double dashboard exploit


267 replies to this topic

#1 Angerwound


Posted 04 May 2004 - 02:02 AM

The Double-Dash Font Exploit:
*M$'s Newest Dash UPDATE was an attempt at killing this exploit. (An update just for us, don't we feel special.) Don't run Live with this exploit unless you want a pretty ERROR 21 on boot.*

OVERVIEW:

Up till now all font exploits suffered from the clock-loop problem. In short, the font hacks try to take control of the xbox on boot by having the dashboard load hacked fonts. Problem comes if the xbox has lost power and therefore lost the time. The xbox will see this on boot and try to reach the clock-setting screen. This requires the fonts to be loaded -> these have been hacked to not let xboxdash load normally -> this will in some cases cause a reboot -> clock loop! See the official clock loop thread for more information.

The audio exploit doesn't have this problem since it boots to an unmodded state and therefore can access the clock setting screen if needed. The double-dash fonts exploit tries to do the same - boot to an unmodded state. This exploit takes advantage of the fact that live-enabled xbox dashes have the 'live tab', which when pressed will launch xonlinedash.xbe from C:\xodash. Moreover, it exploits the fact that live-enabled dashboards load their fonts from the C:\fonts folder while older dash versions loaded the fonts from the root of C:. Thanks MS!

By replacing xonlinedash.xbe with an old 'pre-live' dashboard's xboxdash.xbe we can therefore boot to an unmodded state by having the original fonts in C:\fonts. We then launch the font exploit by launching the old dashboard via the 'live-tab' and having hacked fonts in the root of C. If the clock needs setting we will reach the clock-setting screen, just like with the audio exploit.

The hacked fonts needed are not the same as the usual hacked fonts, since those were designed to work on boot. New fonts were needed for this new scenario, and such fonts have now cleverly been designed by rmenhal. On occasion, some users have reported that around 1 out of 10 tries they will have their xbox reboot. This is caused by their individual kernel/dash setups and can easily be solved by following the readme file included in the package below. The tuning of the bert/ernie files is not necessary if you do not experience this, however.

For those of you having trouble extracting:

1. Copy the code into a .txt file.
2. Rename to "doubledash.b64".
3. Install ICEOWS.
4. Open "doubledash.b64" within ICEOWS.
5. You should see "Unknown.001".
6. Open this file with WinRar.
7. You should now see a file named "Unknown".
8. Once again, open this file with WinRar, just as before.
9. You should now see your files.

Complete Package Available in Usual Places thanks to devz3ro!

================================================

INSTALL INSTRUCTIONS:
(Please Read Above before attempting to Install)
(All Files Needed for Install Are Located Within devz3ro's Package)

WORKING KERNEL AND DASHBOARDS.

K: This exploit will not work if your kernel version is higher than 5713. This is because that kernel will not allow your old dash to be booted.

D: 4920 is recommended for this exploit; it MAY work with your current dash as long as it supports the 'Live Tab' and is not the newest dash supplied by MS. The very newest Dash versions will not work. If you are having problems or are unsure if your dash is compatible please downgrade to 4920. (Tons of downgrading information throughout the forums, use the Search Button.)


You are going to need a way to access your XBOX's HD. Use your preferred method or just boot a gamesave exploit of your liking. I recommend leaving it saved to your HD for future use in case you screw something up.

1. First off, when you click on the live tab it will boot xonlinedash.xbe within the c:\xodash\ directory. So let's replace it with the default.xbe from a Pre-Live dash. (already named xonlinedash within the package.) Just delete or rename the current xonlinedash.xbe and copy over your new one.

2. Next, in order for this dash to boot when the 'Live Tab' is selected it's gonna need a few support files; mainly, default.xip and mainmenu5.xip. These are needed from a pre-live dash. Again, look in the 'c' folder within the package or grab from your pre-live dash backup. Place them within c:\ on your XBOX. (NOTE: These files will only allow the dash to load far enough to boot the font files. Do not try and load the dash currently for it will give you an error 21. )

3. Enough of the dash has been copied to your HD now to boot far enough in that it will load the hacked font files. (NOTE: Pre-live dashes boot font files from c:\ - All others boot from c:\fonts ) Your hacked font files will need to be placed within the c:\ directory on your XBOX. They are called bert.xtf and ernie.xtf. Original font hack files will not work for this. You must get them from the above mentioned package or CODE below. If XBOX.xtf and XBOX BOOK.xtf currently exist in c:\ on your XBOX, remove them or rename them to something else for backup purposes.

4. Okay, the files copied so far will boot the old dash and load the hacked fonts, which will in turn try and boot default.xbe from e:\. The default.xbe needs to be signed with the HABIBI Key, so you may sign whatever .xbe you like and have it launched, or use the PBL Files within the package (Already Signed). Just copy over the files, double checking they have the correct signature and are named accordingly. The ones you are looking for are located within the E\ Directory in the package. If you have a newer XBOX that incorporates the Focus chip you must use PBL 1.4.1, located in the directory of the package of the same name. Ensure you have a folder named 'Bioses' in the same DIR as your PBL files (E:\) and that it has a file named xboxrom.bin within. (BFM Bios of your choice.)

5. Now, if you have used PBL before you know that it boots whichever file your bios is pointing towards. In the package's case, it boots a file within 'c:\'. (evoxdash.xbe, mxmdash.xbe, xboxdash.xbe etc....) Ensure the XBE is named something of this nature. Don't forget to include the support files for whatever you are launching after PBL. (XML's, INI's, SKINS etc....). This is not included in the package, for it's your choice which dash you would like to run.

6. You are finished copying the necessary hack files to your XBOX. You may power down your XBOX and turn it back on. When you boot up you should see the 'LIVE' tab just waiting to be clicked. Go ahead and select it. You should now see PBL booting, then the dash of your choice. If you do not see any of this and just receive an error screen or blank screen, review the steps and ensure you copied all the necessary files to your XBOX. If it does work correctly, congratulations, exploit style without the clock loop or corrupted ST.DB. Don't forget the Reset-On-Eject is still enabled, so if you want to play a game or use your DVD drive at all: open the drive at the original xbox dash screen, select the 'Live' tab and after the hack boots place your disc into the drive and then play away.

Thanks to RMENHAL once again for his excellent files and devz3ro for the package!

=============================================

RMENHAL's Original POST:
QUOTE
The code section below contains a working/workable solution to the "double dash" exploit. It's basically a rehash of the known font and audio exploits and as such I make no claim of originality on my part. Audio used only in tuning Bert. Look at the included readme.txt for instructions.

Here's a brief description of my understanding of how the font exploit works (to expand on and correct some of the statements made about it in this thread):

Ernie loads first. No overflow there. Bert loads next and because of the less than 4 data field size, Dash tries reading 4 GB - 1 bytes (stops at the end of Bert, though) into a 16 byte space. Hence, it overflows into the heap arena of the next memory block. The memory allocation functions subsequently cause the overwrite of an address with a value, both of which are provided by Bert at offset 0x40.

The .rar file below contains a working Bert for Dashboard 3944. The dword at offset 0x40 of Bert is the value that gets written into address given by dword at offset 0x44. If you follow the instructions in readme.txt and get a working Bert for your version of Dash, please, post these 2 dwords here with Dashboard version information. The second dword is an address to a pointer to an SEH (the pointer is located in the stack). The first value is the address where the execution goes to once the corresponding thread causes an exception.

The provided ernie.xtf is 390 bytes with a few bytes to shave off. Making Ernie bigger may help getting the exploit working even when an audio CD is inserted (currently, you mustn't have an audio CD in the tray when pushing "XBOX LIVE".) I'd rather have a really small Ernie than fix that and have megabytes of Ernie.

Hope it works for you.
CODE

begin-base64 644 doubledash.tgz


Edited by Angerwound, 19 May 2004 - 05:57 PM.
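As an added illustration of the bug class rmenhal's quoted description attributes to Bert (this is not code from the dashboard, from rmenhal or from the package): a loader that computes the bytes to read as the data-length field minus 4 wraps to 4 GB - 1 when that field is below 4, so a copy bounded by that count runs far past its 16-byte buffer. The header layout (`DATALEN_OFFSET`, `DEST_SIZE`) is assumed and is not the real XTF format; the hardened check is what one would want the loader to do, the scanner flags files with the underflowing field, and the sample files are constructed here, reusing the 8 bytes the thread reports at offset 0x40 for Dash 3944.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed header layout (not the real XTF format): a little-endian 32-bit
 * data-length field at DATALEN_OFFSET, read into a DEST_SIZE-byte buffer.
 * Only the "length below 4" behaviour quoted in the thread is modelled. */
#define DATALEN_OFFSET 0x08
#define DEST_SIZE      16

static uint32_t rd32(const uint8_t *p) {          /* little-endian dword */
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Bug class from the quoted description: the loader subtracts 4 from the
 * data length before reading.  For datalen < 4 the unsigned subtraction
 * wraps to 0xFFFFFFFF ("4 GB - 1"), so a copy bounded by this value runs
 * far past the 16-byte destination and into the following heap block. */
uint32_t vulnerable_read_len(uint32_t datalen) {
    return datalen - 4u;
}

/* Hardened form: refuse a length shorter than the 4-byte prefix, and cap
 * the copy at both the destination size and the bytes left in the file.
 * Returns the byte count to read, or -1 if the header is rejected. */
long long hardened_read_len(uint32_t datalen, size_t remaining) {
    if (datalen < 4u) return -1;                   /* would underflow */
    uint32_t n = datalen - 4u;
    if (n > DEST_SIZE || n > remaining) return -1; /* would overflow  */
    return n;
}

/* Scanner for the fonts on C:\ : 1 if the length field would make the
 * vulnerable loader underflow, 0 if sane, -1 if the file is too short. */
int font_triggers_underflow(const uint8_t *buf, size_t len) {
    if (len < DATALEN_OFFSET + 4) return -1;
    return rd32(buf + DATALEN_OFFSET) < 4u ? 1 : 0;
}

/* The two dwords the thread asks people to report: the value at 0x40 is
 * written to the address at 0x44 (a stack slot holding an SEH pointer). */
struct bert_info { int ok; uint32_t value; uint32_t address; };
struct bert_info bert_dwords(const uint8_t *buf, size_t len) {
    struct bert_info b = { 0, 0, 0 };
    if (len < 0x48) return b;
    b.ok = 1; b.value = rd32(buf + 0x40); b.address = rd32(buf + 0x44);
    return b;
}

/* Constructed samples: a Bert-like file with length field 2 (trigger) and
 * the 8 bytes "48 00 5A 00 40 1D 03 D0" reported for Dash 3944 at 0x40,
 * and a sane file whose length field is 16. */
const uint8_t SAMPLE_BERT[0x48] = { [DATALEN_OFFSET] = 0x02,
    [0x40] = 0x48, 0x00, 0x5A, 0x00, 0x40, 0x1D, 0x03, 0xD0 };
const uint8_t SAMPLE_OK[0x48]   = { [DATALEN_OFFSET] = 0x10 };

int main(void) {
    struct bert_info b = bert_dwords(SAMPLE_BERT, sizeof SAMPLE_BERT);
    printf("datalen 2 -> vulnerable read length 0x%08X\n", vulnerable_read_len(2));
    printf("sample bert: underflow=%d value=0x%08X address=0x%08X\n",
           font_triggers_underflow(SAMPLE_BERT, sizeof SAMPLE_BERT), b.value, b.address);
    return 0;
}
```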


#2 rmenhal


Posted 04 May 2004 - 03:46 AM

Some people reported stability issues on Dashboard 4034, but the bert.xtf included in doubledash.tgz worked otherwise right away. Updating bert using steps 4-14 in readme.txt won't fix it. Instead you need to make the "landingzone" in ernie bigger or play around with header.data1len or such and try to stabilize the location of the allocated memory block.

The code section below includes an ernie with a huge "landingzone". You could trim it down by running steps 4-14 several times. Keep two berts: the one with the smallest dword at offset 0x40 and the one with the highest dword. Then you need to make the "landingzone" big enough so that it touches both of these. Optimal would be to put the higher value to bert at offset 0x40 and then make NUMJUMPS in ernie.asm equal to (highvalue-lowvalue+2)/2, but you will probably want just a bit larger on both ends. In case the dwords at offset 0x44 are different from the others in some of the berts you saved, then you can't make it work stably.

Ok, on my setup: I now trimmed down the Dash 3944 install and ended up needing only the files default.xip and mainmenu5.xip in C:\ with xboxdash.xbe copied to C:\xodash\xonlinedash.xbe. The value in bert at offset 0x40 changed a bit, though. The 8 bytes are now 48 00 5A 00 40 1D 03 D0. Thus, the location of Ernie's memory block got a bit lower, which is reasonable.

CODE

begin-base64 644 bigdd.tar.bz2


#3 mkjones


Posted 04 May 2004 - 08:56 AM

I love it when something like this happens in the scene.

Well done everyone involved!

#4 evil clone


Posted 04 May 2004 - 09:07 AM

this is awesome.... now i just need to come back home and figure out how to extract it... i must be doing something wrong


peace

EC

#5 mkjones


Posted 04 May 2004 - 10:12 AM

OK, wanna try this when I get home, I think I can get 4034 from Slayers 2.4 (confirm?) but what is the LEAST amount of system files I need in my C root?

I have 490 so most of the system files are in the xboxdashxxx folder. I believe it's well known that I can just copy the needed files from this folder, therefore all I will need is the xboxdash.xbe from 4034 in my xodash folder...

Any help would be jester.gif

#6 ldots


Posted 04 May 2004 - 11:45 AM

QUOTE (mkjones @ May 4 2004, 12:12 PM)
I think I can get 4034 from Slayers 2.4 (confirm?) but what is the LEAST amount of system files I need in my C root?

I think what you need for an older (pre-live) dash to run depends on the old dash version. For 4034 I found that I needed to have the following in C: for this double-dash exploit to run:
CODE

Audio
Message.xip
default.xip
fonts
xboxdash.xbe
xodash
Keyboard.xip
bert.xtf
ernie.xtf
mainmenu5.xip
xboxdashdata.1012a700

This will let the old dash boot (which is all we need), but will not allow you to enter any menus with this dash (which we don't need).

#7 ldots


Posted 04 May 2004 - 12:03 PM

OK - some more test results, and unfortunately not as positive as yesterday's results.

Yesterday I did some testing on an old 4034 kernel xbox, using dash 4034 as the xonlinedash.xbe replacement. The double-dash exploit worked fine using the font from the original post from rmenhal. I did get a few reboots however. As rmenhal suggested, one should play with the size of the "landingzone" of ernie (the big block of jumps). Just using the big ernie from the post above did however work for this xbox. No reboots from 15 tests.

Just now, I tried the exploit on a 5101 kernel xbox. Same dash-files were used as on the old xbox. Using the original (small) ernie the exploit did work occasionally, but wasn't as stable as on the old xbox. Did the probing/tuning of bert as explained in the readme. Had no effect on bert. Tried using the huge ernie from the post above. This seemed to make the exploit more stable; execution time is slower than on the old xbox (also using big ernie). The green web becomes visible before the hack executes PBL. What is the problem though is that every time the exploit does work, and loads a hacked bios using PBL and reaches my dash (xbmc in my case), the xbox resets on eject! This is not due to the hacked bios not being configured correctly, because launching the audio exploit, using the same PBL and bios, the xbox doesn't reset on eject. I can only think of two explanations:
1) MS has foreseen the possibility of hackers using the xonlinedash for exploits, and have made these newer kernels set the "reset of eject" flag not only when launching games from DVD but also when launching xonlinedash.
2) Ernie is causing this and should be modified.

I don't see how 2) could be the explanation though???

Please, anyone else with a 5101 kernel try this exploit and report back.

rmenhal, any idea if this exploit will only work on pre 5101 kernels ?

Edit: Just tried skipping the PBL step and loading evox directly from the double-dash exploit. It still reboots on eject???
Also retried this on the old xbox (kernel 4034). Same thing - reboot on eject!!!
Please try ejecting when you have this exploit running somebody! If it's not just my setups, this would be a blow to this exploit!!!

Edited by ldots, 04 May 2004 - 04:56 PM.


#8 Chicken Scratch Boy


Posted 04 May 2004 - 01:34 PM

uh...did i miss something?

anyway why not 4920 dash?

edit: read some of the other thread, can you maybe explain the theory, and operation of said exploit?

Edited by Chicken Scratch Boy, 04 May 2004 - 01:37 PM.


#9 {later}


Posted 04 May 2004 - 01:42 PM

sounds nice, but I dunno what to do after I get the file called unknown.001

I unpack that file with winrar and then I get a file called 'UNKNOWN'. Without any extension.

What I think what happens:

Xbox starts with 4920 dashboard, so with the xbox live button.
When you choose xbox live, it will load the 4034 dashboard with the bert and ernie fonts, and so it will load phoenix+evox.

This way you will never have any clock loop again, cuz you load an original dashboard.


Edited by {later}, 04 May 2004 - 01:44 PM.


#10 Angerwound


Posted 04 May 2004 - 02:05 PM

Once again open that file with winrar and you should see the files.

#11 Code-X


Posted 04 May 2004 - 02:37 PM

Amazing, works like a charm.

My Xbox Details
v1.4 - PBL 1.4
K:5101
D:4920

Exploit Dash is 4817, Had to do the config thing to reset ernie for it but it works.
Great work to those who made this.

Edited by Code-X, 04 May 2004 - 02:41 PM.


#12 zorxd


Posted 04 May 2004 - 03:54 PM

What I have:
1.3 Xbox
k:5101
d:4920
d2:4817
pbl 1.4.1
audio exploit that loads another pbl (for security reasons)

pbl 1.4.1 as e:\default.xbe habibi signed

After I load PBL with the audio exploit and then launch the MS dash 4920, the exploit seems to work (but the kernel is modded)

But when I click on "xbox live" BEFORE loading pbl with the audio exploit, it reboots
I've tried both big and small ernie.xtf

I did the trick to modify bert.xtf (but was modded when I did it)

Maybe my bert.xtf doesn't work?

edit: Dash 4817 loads if I disable bert and ernie on C (so it's MS signed)

Edited by zorxd, 04 May 2004 - 04:24 PM.


#13 Grospolina


Posted 04 May 2004 - 06:50 PM

I'm glad someone was able to get the double-dash idea working. It's nice to see progress. However...

QUOTE (ldots @ May 4 2004, 08:03 AM)
What is the problem though is that every time the exploit does work, and loads a hacked bios using PBL and reaches my dash (xbmc in my case), the xbox resets on eject!

Edit: Just tried skipping the PBL step and loading evox directly from the double-dash exploit. It still reboots on eject???
Also retried this on the old xbox (kernel 4034). Same thing - reboot on eject!!!
Please try ejecting when you have this exploit running somebody! If it's not just my setups, this would be a blow to this exploit!!!


And that brings us full circle to August, when this first began:

QUOTE (Grospolina @ Aug 27 2003, 12:54 AM)
One thing I noticed was that without the exploit fonts, D 4817 loads fine, except that reset-on-eject is enabled. If you eject the tray, the Xbox reboots to D 4920. Even if we get this working, I suspect that we might run into the gamesaves' reset-on-eject problem.


Yup. Even loading the dashboard without any exploits causes it to reset on eject. I wonder what happens if you execute the "disable reset-on-eject" command? It could easily be incorporated into ernie.xtf. I know that for the gamesave hack, it doesn't work, so I have a feeling it won't work here either. It had some weird behavior though.

I can't remember if it ejects halfway and then resets, or if it immediately resets when you push the eject button. Which one is it again?


#14 ldots


Posted 04 May 2004 - 07:17 PM

Oh boy! So indeed the "reset on eject" flag is set when launching xonlinedash. I expected that, but am glad you can confirm this Grospolina.

This is still major progress though, and maybe it can be perfected by adding code to ernie as you suggest.

I would expect a reset when the tray is halfway out, like you get when running PBL from xonlinedash. When running evox directly, without PBL, the xbox resets immediately when pressing the eject button.

Though not perfect, this exploit can still be used for running backups, as the exploit can be executed with the tray left open before hitting the 'live-tab'.

Also, as I suggested on the original double-dash thread, someone with a 5713 kernel should check if an older dash can be executed from the live-tab (just with original fonts initially). It's not entirely impossible that this new kernel only checks for the right dash-version on bootup, but not on a subsequent launch of xonlinedash.

#15 Code-X


Posted 04 May 2004 - 07:20 PM

Halfway then reset.
Nice that the Author included the ASM Source to bert, ernie, st.db and the offset finder, should be much more simple to edit and fix reset on eject.
