Warning: Consoles Still Connect To Xbox Live Despite Family Settings


37 replies to this topic

#1 Kiewee123

Kiewee123

    X-S Young Member

  • Members
  • Pip
  • 54 posts
  • Location:UK
  • Interests:Hacking, cracking, breaking, fixing, modding, tweaking... etc.
  • Xbox Version:unk
  • 360 version:v3.0 (falcon)

Posted 29 July 2010 - 08:09 PM

I can confirm that only enabling restrictions 'Xbox LIVE Access' and 'Xbox Live Membership Creation' in 'Console Control' (in Family Settings) is NOT adequate protection for your Jtag flashed console.

I sniffed outgoing connections whilst running an Xbox1 game (this is in FSD if anyone is interested) because I was curious as to why I was greeted with 'you need to update' despite not being logged in to any profile, let alone on xbox live. This message would disappear if I removed the Ethernet cable (used to update FSD + FTP on LAN).

The console successfully connects to 65.55.42.183 using the Kerberos service (handshake?), then connects again afterward to 65.55.42.180 on UDP port 3074. The IP range 65.55.42.* is owned by Microsoft Corp, and is located in Bellevue in the US.

Evidently, despite the suggested precautions, our consoles are still capable of connecting online unbeknown to us. Microsoft could quite easily pull one off again and 'surprise us', as they did with the Ixtreme banning, with a forced update or such.

I highly suggest you either block all outgoing/incoming WAN traffic on your console's MAC address, or remove the ethernet cable entirely, particularly if your console's R3T6 resistor has not been removed/shorted.

Finally, exercise extreme caution in all future updates, 9199 onwards. Microsoft could quite easily not only impose a ban on your Xbox LIVE account and console, but could remove your console's exploitability, therefore rendering your jtag useless.

I thought I ought to share my findings with the community - please share your thoughts, I hope someone can prove me wrong.

Edited by Ranger72, 01 August 2010 - 09:33 PM.


#2 inspuration

inspuration

    X-S Member

  • Members
  • Pip
  • 131 posts

Posted 29 July 2010 - 08:27 PM

QUOTE(Kiewee123 @ Jul 29 2010, 08:09 PM)

I can confirm that only enabling restrictions 'Xbox LIVE Access' and 'Xbox Live Membership Creation' in 'Console Control' (in Family Settings) is NOT adequate protection for your Jtag flashed console.

I sniffed outgoing connections whilst running an Xbox1 game (this is in FSD if anyone is interested) because I was curious as to why I was greeted with 'you need to update' despite not being logged in to any profile, let alone on xbox live. This message would disappear if I removed the Ethernet cable (used to update FSD + FTP on LAN).

The console successfully connects to 65.55.42.183 using the Kerberos service (handshake?), then connects again afterward to 65.55.42.180 on UDP port 3074. The IP range 65.55.42.* is owned by Microsoft Corp, and is located in Bellevue in the US.

Evidently, despite the suggested precautions, our consoles are still capable of connecting online unbeknown to us. Microsoft could quite easily pull one off again and 'surprise us', as they did with the Ixtreme banning, with a forced update or such.

I highly suggest you either block all outgoing/incoming WAN traffic on your console's MAC address, or remove the ethernet cable entirely, particularly if your console's R3T6 resistor has not been removed/shorted.

Finally, exercise extreme caution in all future updates, 9199 onwards. Microsoft could quite easily not only impose a ban on your Xbox LIVE account and console, but could remove your console's exploitability, therefore rendering your jtag useless.

I thought I ought to share my findings with the community - please share your thoughts, I hope someone can prove me wrong.


Good job sniffing that out mate.

#3 Inuyasha152

Inuyasha152

    X-S X-perience

  • Members
  • PipPip
  • 419 posts
  • Location:Arizona
  • Interests:Xbox mods!
  • Xbox Version:v1.2
  • 360 version:v4.0 (jasper)

Posted 29 July 2010 - 09:00 PM

Interesting. If people still wanted to download certain things from their xbox (FSD updates, game art etc) cutting off all outgoing access is kind of overkill. I went ahead and added a custom rule to block port 3074 on my Linksys router for my JTAG 360. Wouldn't that accomplish the same thing?

#4 Maximize

Maximize

    X-S X-perience

  • Members
  • PipPip
  • 334 posts

Posted 29 July 2010 - 09:15 PM

Is 3074 the port the Xbox 360 uses? Is it possible it tries an alternate?


I am testing this out with my router

I am blocking 3074 and 88 tcp and udp

OK, I tested and it failed to connect to Live; what got me nervous is that there was a status bar moving

but it failed. Now I'm going to try some FTP, and test the FSD2 update


ok third edit, I tested again and it connected to live!!!

I googled port forwarding xbox 360 and was brought here

http://support.xbox..../...4&lcid=1033

It shows the 360 uses 53, 80, 88, and 3074. I blocked all these and it still connected to Live.

Edited by Maximize, 29 July 2010 - 09:43 PM.


#5 Kiewee123

Kiewee123

    X-S Young Member

  • Members
  • Pip
  • 54 posts
  • Location:UK
  • Interests:Hacking, cracking, breaking, fixing, modding, tweaking... etc.
  • Xbox Version:unk
  • 360 version:v3.0 (falcon)

Posted 30 July 2010 - 11:31 PM

I too tried blocking certain ports, but this is still not safe as Microsoft could easily just choose to use a different port. Not all Microsoft connections are on the 3074 Xbox LIVE port either; as Maximize said, port 80 is also one of the used ports, and blocking this would disable FSD updates too. This is unconfirmed by me, but Maximize also pointed out that despite blocking all these ports, it still connects anyway.

So I came to this conclusion - the best way to be 100% safe, is to block all servers but those that the teamfsd updates come from. So I sniffed out their update server, realized it was on the same server their homepage is hosted on, and came up with the idea of using these commands in my linux based router (dd-wrt) for my firewall.

CODE
iptables -I FORWARD 1 -m mac --mac-source 00:22:48:00:00:00 -d teamfsd.com -j logaccept
iptables -I FORWARD 2 -m mac --mac-source 00:22:48:00:00:00 -j logdrop


This will 'drop' (block) all outgoing and incoming connections from/to your console's MAC address (much safer than using only the LAN IP, which could for some reason change at any time whereas the MAC address will not) unless the server is teamfsd.com. It will also add the dropped/accepted results to your log so you can see just what is going on. This is quite advanced, though, and you need an iptables-compatible router (you'll need to ssh in). Bear in mind that FSD could start using a different server for its updates, but if this were to happen, I will re-sniff the new server and update you all here. Change your MAC accordingly.

I hope people understand the gravity of this issue.

K

Edited by Kiewee123, 30 July 2010 - 11:35 PM.
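An added example (not from the thread) for reading the log that the `logaccept`/`logdrop` rules in the post above write: it counts, per destination and port, what the console tried to reach, and flags any accepted flow whose destination is not on the allow-list. The log line layout, the `DROP `/`ACCEPT ` prefixes, the console address 192.168.1.50, the placeholder update-server address 203.0.113.10 and the function names are assumptions; the log lines are constructed.

```shell
#!/bin/sh
# Constructed sample: syslog lines in netfilter LOG layout with assumed
# "DROP "/"ACCEPT " prefixes. 192.168.1.50 stands in for the console and
# 203.0.113.10 is a placeholder for the allowed update server.
sample_log() {
cat <<'EOF'
Jul 30 23:40:01 router kernel: DROP IN=br0 OUT=vlan1 SRC=192.168.1.50 DST=65.55.42.183 LEN=96 TTL=63 PROTO=UDP SPT=1025 DPT=88 LEN=76
Jul 30 23:40:03 router kernel: DROP IN=br0 OUT=vlan1 SRC=192.168.1.50 DST=65.55.42.183 LEN=96 TTL=63 PROTO=UDP SPT=1025 DPT=88 LEN=76
Jul 30 23:40:05 router kernel: DROP IN=br0 OUT=vlan1 SRC=192.168.1.50 DST=65.55.42.180 LEN=56 TTL=63 PROTO=UDP SPT=3074 DPT=3074 LEN=36
Jul 30 23:41:10 router kernel: ACCEPT IN=br0 OUT=vlan1 SRC=192.168.1.50 DST=203.0.113.10 LEN=60 TTL=63 PROTO=TCP SPT=1030 DPT=80
Jul 30 23:41:12 router dnsmasq[312]: query[A] example.invalid from 192.168.1.77
EOF
}

# summarize SRC_IP: read syslog on stdin, print "VERDICT DST PROTO DPT COUNT"
# for every logged flow that originated from SRC_IP.
summarize() {
    awk -v src="$1" '
    {
        verdict = ""; s = ""; d = ""; p = ""; dpt = "-"
        for (i = 1; i <= NF; i++) {
            if ($i == "DROP" || $i == "ACCEPT") { if (verdict == "") verdict = $i }
            else if ($i ~ /^SRC=/)   s = substr($i, 5)
            else if ($i ~ /^DST=/)   d = substr($i, 5)
            else if ($i ~ /^PROTO=/) p = substr($i, 7)
            else if ($i ~ /^DPT=/)   dpt = substr($i, 5)
        }
        # Skip lines that are not firewall verdicts for the chosen host.
        if (verdict == "" || s != src || d == "") next
        count[verdict " " d " " p " " dpt]++
    }
    END { for (k in count) print k, count[k] }
    ' | sort
}

# off_list_accepts SRC_IP ALLOWED_IP...: print accepted flows whose
# destination is not one of the allowed addresses (stale DNS, rule order).
off_list_accepts() {
    src=$1; shift
    allow=" $* "
    summarize "$src" | while read -r verdict dst proto dpt n; do
        [ "$verdict" = "ACCEPT" ] || continue
        case "$allow" in *" $dst "*) ;; *) echo "$dst $proto/$dpt x$n" ;; esac
    done
}

sample_log | summarize 192.168.1.50
```

Pipe the router's real syslog into `summarize` in place of `sample_log`.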


#6 stevec25

stevec25

    X-S Enthusiast

  • Members
  • 13 posts

Posted 30 July 2010 - 11:37 PM

Thank you very much for taking the time to sniff all this stuff for us.

As per your last post, how would one go about applying such code to a router running Tomato?

#7 Maximize

Maximize

    X-S X-perience

  • Members
  • PipPip
  • 334 posts

Posted 31 July 2010 - 03:11 AM

Ok I did some more to try to disable my connection to live, and I got the ban notice from being connected to live less than 15 seconds yesterday.

does anybody know the implications for this on freebo 9199, I think nothing since f\/ck live, and 9199 has no hdd corruption. Is there anything I am not aware of?

#8 brandogg

brandogg

    X-S Messiah

  • Members
  • PipPipPipPipPipPipPip
  • 3,091 posts
  • Xbox Version:v1.6
  • 360 version:v4.0 (jasper)

Posted 31 July 2010 - 07:01 AM

Does this only happen if you launch the game from FSD? My guess is since FSD is connecting to the internet, it's disabling (or bypassing) the XBL blockage in the console settings.

#9 Spegs12

Spegs12

    X-S Senior Member

  • Members
  • PipPip
  • 197 posts
  • Location:Pennsylvania
  • Xbox Version:v1.6
  • 360 version:v4.0 (jasper)

Posted 31 July 2010 - 07:12 AM

I thought this was the case. Had an unbanned jtag with xbox live connection blocked and I commonly signed in with a Live profile. Turns out the KV got banned even though the sign-in process was never fully completed. I always just unplug the ethernet cable now unless I'm ftping something and if that is the case I don't sign in.

I think the consoles are still exchanging information with the M$ servers regardless of family settings. Think about it, family settings blocks you from signing in to Xbox Live, that does not mean it severs all communication with M$.

Edited by Spegs12, 31 July 2010 - 07:16 AM.


#10 Haygar

Haygar

    X-S X-perience

  • Members
  • PipPip
  • 471 posts
  • Location:Australia
  • Xbox Version:v1.1
  • 360 version:v3.0 (falcon)

Posted 31 July 2010 - 09:29 AM

That's exactly what I feared and stupidly removed the block on my router to update FSD. Even though Live has always been blocked it shows as if it's communicating with M$ and that's without signing in.

Anyways, what's the worst scenario if we're banned? It's not like we're ever gonna be able to use the service on a Jtag console.

Edit: I'm meaning for someone who never uses Live at all and would only want it for some desperate download.

Edited by Haygar, 31 July 2010 - 10:15 AM.


#11 Maximize

Maximize

    X-S X-perience

  • Members
  • PipPip
  • 334 posts

Posted 31 July 2010 - 05:49 PM

Yeah, I'm pretty sure they have consoles search for a connection trying any port, because it only failed to connect once; the second attempt connected quickly. I assume the dd-wrt code is the only way for kai xlink and fsd to connect without MicroDick connection

#12 Kiewee123

Kiewee123

    X-S Young Member

  • Members
  • Pip
  • 54 posts
  • Location:UK
  • Interests:Hacking, cracking, breaking, fixing, modding, tweaking... etc.
  • Xbox Version:unk
  • 360 version:v3.0 (falcon)

Posted 31 July 2010 - 09:51 PM

QUOTE(Haygar @ Jul 31 2010, 09:29 AM)

That's exactly what I feared and stupidly removed the block on my router to update FSD. Even though Live has always been blocked it shows as if it's communicating with M$ and that's without signing in.

Anyways, what's the worst scenario if we're banned? It's not like we're ever gonna be able to use the service on a Jtag console.

Edit: I'm meaning for someone who never uses Live at all and would only want it for some desperate download.


If the above mentioned resistor is removed, it would only ruin your flash, probably E79/E74, and you'd have to link the console up and reflash your NAND. If not, it could remove your jtagged console's exploitability entirely.

Microsoft might also be able to come up with some other way to ruin/patch the jtag hack too in the future and push that update, but who knows - this is all speculation.

QUOTE(stevec25 @ Jul 30 2010, 11:37 PM)

Thank you very much for taking the time to sniff all this stuff for us.

As per your last post, how would one go about applying such code to a router running Tomato?


I'm not sure. You'd have to browse the Tomato forums/wiki, or ask for help perhaps on their forums. You may be able to add the commands to the 'firewall' settings if you can find anything like that on your firmware, I don't know I'm afraid, I've never used Tomato.

QUOTE(Maximize @ Jul 31 2010, 03:11 AM)

Ok I did some more to try to disable my connection to live, and I got the ban notice from being connected to live less than 15 seconds yesterday.

does anybody know the implications for this on freebo 9199, I think nothing since f\/ck live, and 9199 has no hdd corruption. Is there anything I am not aware of?


The HDD corruption is indeed still present on 9199 - I can confirm this from my other console being banned (non jtag). I doubt there will be any problems for you now, unless you update (or microsoft find a way to force an update).

QUOTE(brandogg @ Jul 31 2010, 07:01 AM)

Does this only happen if you launch the game from FSD? My guess is since FSD is connecting to the internet, it's disabling (or bypassing) the XBL blockage in the console settings.


No, this is not the case I'm afraid. It's a direct handshake with the Microsoft servers, it's nothing to do with FSD. Plus FSD connects to its own servers and I believe (unconfirmed) microsoft's to fetch artwork - although I'm yet to sniff this. I'm away this weekend, I will when I'm back.

#13 Maximize

Maximize

    X-S X-perience

  • Members
  • PipPip
  • 334 posts

Posted 31 July 2010 - 11:51 PM

ok I can still copy games to hdd, can still play games from hdd god's and not god's, and my saves for borderlands and alan wake are still good, so I am going to say the ban did nothing to my console, and maybe that is because I have the bridged ut61 (or whatever its designation) so I wonder if you could get your hands on a banned xbox and see how the traffic compares

#14 brandogg

brandogg

    X-S Messiah

  • Members
  • PipPipPipPipPipPipPip
  • 3,091 posts
  • Xbox Version:v1.6
  • 360 version:v4.0 (jasper)

Posted 01 August 2010 - 07:19 AM

I've run FSD on my JTAG'ed Jasper, and XBL is blocked in the family settings. This console is connected to my home network 100% of the time - I can still install to NXE the regular way, my profile and HDD work fine on other consoles. I'm pretty sure it's just the dashboard saying, "Hey Xbox Live, are you awake?" and Xbox Live replying "Yep!" I don't think your console is sending any specific information to the service, especially if you don't have any XBL accounts on the HDD at all (I don't), since you have not agreed to the XBL TOS if you don't have a Live account.

#15 old engineer

old engineer

    X-S X-perience

  • Moderator
  • PipPip
  • 405 posts
  • Location:U.K
  • Interests:Xbox Development
  • Xbox Version:v1.0
  • 360 version:v1 (xenon)

Posted 01 August 2010 - 01:03 PM

This should be stickied.

Either way we need to build up a clear picture of what has happened and could happen.

@ Maximize: You say you got banned in 15 seconds. Do you know the entire history of your jtag? Did you mod it yourself/never used it online? ...It's strange that your ban doesn't corrupt saves/achievements between consoles, a 'normal' ban would corrupt data/not sign off trusted content.

...Have you redumped your NAND and checked the secdata to compare before and after?


What brandogg said makes sense, i.e. the 'yes I'm alive' handshake, but without any h/w or user specific console data going out/in.





