xbox-scene.com - your xbox news information source
18 Pages V < 1 2 3 4 5 > »   
> Double dashboard exploit
devz3ro
post May 5 2004, 01:43 AM
Post #31
Group: Moderator | Posts: 348 | Joined: 17-November 03 | Member No.: 74832 | Xbox Version: unk

Pinned as promised, hopefully this will be developed enough to replace all font hacks released to date. I would like to see this use 100% of its potential. Great idea, and great work.

Keep it up

-devz3ro

http://sh0x.tk/
Angerwound
post May 5 2004, 02:23 AM
Post #32
Group: Members | Posts: 1718 | Joined: 16-January 04 | From: Hell | Member No.: 92487 | Xbox Version: v1.0 | 360 version: none

QUOTE (devz3ro @ May 5 2004, 03:43 AM)
Pinned as promised, hopefully this will be developed enough to replace all font hacks released to date. I would like to see this use 100% of its potential. Great idea, and great work.

Keep it up

-devz3ro

http://sh0x.tk/

Awesome, thanks a lot devz3ro. Hopefully it will get a bit more attention/help now...
debeautar
post May 5 2004, 02:50 AM
Post #33
Group: Members | Posts: 109 | Joined: 13-March 03 | Member No.: 27182

I'm quite happy that this method is being explored as heavily as has been the case lately. Logic has been swimming in my brain throughout my entire day at work, and I've been trying to think of methods in which this would work...

a) The old, pre-live dash is a requirement... because it reads the font files from C, and not from C:\fonts ... okay, I got that. So does that mean that the newer, xlive xboxdash.xbe is hardcoded to search for ROOT:\fonts\*.* ... instead of, per se, *\fonts\*.*? (I hope that made sense... another way of saying it is, is the path defined, or is it left open? if it's left open, why couldn't a newer dash be used, and a font folder be placed in the live's folder?)

<ignore>b) Because we're signing the old dash with the habibi key anyway, wouldn't it be plausible to edit the heck out of that file, so that it reads the font files we want it to read?</ignore>

EDIT: GOD, I'm an idiot! Just read the part about putting the original dash back, and letting bert and ernie do their job. I'm sorry if you read my orig.

c) This seems like it's a great step forward... but if you have to actually warm up any particular xboxdash to make it work, would all of this effort in the end make it the clear alternative? Or are we only having to warm it up until someone packages the thing and stamps the X-S seal of approval on the thing?

Not a newb, just not normally a heavy-handed hacker. Don't flame me, I clearly admit I don't know what the hell I'm talking about.

Yeah.

edit: files and folders were interchangeable in my first draft. Stupid me.

This post has been edited by debeautar: May 5 2004, 02:58 AM
rmenhal
post May 5 2004, 05:10 AM
Post #34
Group: Members | Posts: 254 | Joined: 3-May 04 | Member No.: 117780 | Xbox Version: unk | 360 version: unknown

I've got the reset-on-eject issue as well. Dash 4920 has the nonsecure-mode media type flag. Dash 3944 doesn't. If I sign Dash 3944 with the habibi key using xbedump (it'll automatically set the nonsecure-mode flag 0x80000000), do the keypatching audio and then Live tab, the reset-on-eject goes away. This is interesting however:

1) at step 13 of readme.txt when the led blinks red, reset-on-eject is not enabled.

2) I put a test into the memory allocation function (look at the comment in bert.asm to figure out the memory location) to test when the overwrite of the SEH pointer happens, and when it happens go into an infinite loop. The reset-on-eject is now enabled.

Can anyone confirm this? If this is correct then there is a way to disable reset-on-eject and we're going to find it.

Update: I won't confirm it. Sorry about that one. Actually my comment in bert.asm is a bit incomplete. There's another pair of the same mov instructions nearby and execution can take that path as well. So I thought that in 2) I was spinning in an infinite loop while in reality execution was in ernie trying to find the key (a loop which I probably forgot to bypass that time). I don't think reset-on-eject was really enabled anymore. Observation 1) is not useful either. It's because the media type has flag 0x80000000 set, by xbedump.


This post has been edited by rmenhal: May 5 2004, 02:59 PM
krayzie
post May 5 2004, 06:09 AM
Post #35
Group: Head Moderator | Posts: 9334 | Joined: 3-January 04 | Member No.: 88318 | Xbox Version: unk | 360 version: unknown

Now this is awesome. So if there is a possibility to trigger the hack from any dashboard we won't ever have to downgrade again, and we can script, for instance, evox to restore to the original state so we can play Live all we want and later use some scripted evox gamesave to get back to our friends bert and ernie and get the hack working again. Or am I thinking too far ahead?
zorxd
post May 5 2004, 09:44 AM
Post #36
Group: Members | Posts: 154 | Joined: 10-March 04 | Member No.: 106036

QUOTE (krayzie @ May 5 2004, 08:09 AM)
  we can scrip for instance evox to restore to original state so we can play live all we want and later use some scripted evox gamesave to get back to our friends bert and ernie and get the hack working again

or use the audio exploit to turn on the double dash exploit again after playing on live

This post has been edited by zorxd: May 5 2004, 09:45 AM
mkjones
post May 5 2004, 09:53 AM
Post #37
Group: Members | Posts: 1427 | Joined: 7-April 03 | Member No.: 30843

QUOTE (zorxd @ May 5 2004, 11:44 AM)
or use the audio exploit to turn on the double dash exploit again after playing on live


But then you would lose all audio abilities such as in-game music and soundtracks while you were playing on Live games.

Running 2 exploits, although a great idea to get around the clock loop problem, shouldn't be any part of this exploit. I am sure people want just one exploit with no switching and still the ability to use audio.

Live! as ever is an issue with this exploit, just like it is with modchips.

I really hope the people in the know get this thing working.
I could use it now as I have all my games on my xbox HD anyway!

Only problem I can foresee is it seems to be "different" for every xbox so a package/installer would be hard to code.

For now, I'll stick with my package and the MA fonts; the font/audio switch is the 2nd safest option after this one.

Does anyone think there is a way to get this working with later Dash versions? Higher than 4920 I mean?

My thinking is it should work, because the latest dashboards are simply patched for the fonts and audio hacks, not this.

This post has been edited by mkjones: May 5 2004, 10:05 AM
krayzie
post May 5 2004, 10:10 AM
Post #38
Group: Head Moderator | Posts: 9334 | Joined: 3-January 04 | Member No.: 88318 | Xbox Version: unk | 360 version: unknown

QUOTE
or use the audio exploit to turn on the double dash exploit again after playing on live

Yeah, that was my understanding: it should work on all dashes until now, so if you have a Live 3.0 dashboard it still functions. Only an audio hack to get back to the modded state wouldn't be an option then.
I hope that in the near future when this is more developed it comes with a complete package including old msdash and stuff and working for every xbox the same.
xb0xb0y
post May 5 2004, 11:56 AM
Post #39
Group: Members | Posts: 300 | Joined: 19-March 04 | Member No.: 108320 | Xbox Version: unk

Can someone give me a hand and possibly point me to what I'm doing wrong? I have re-installed a backup of my old dash 4034 that came with my xbox; the kernel is the same 4034. I had upgraded my dash to 4920 to use a modified Morden Audio exploit (modified as in integrating it with the Splinter Cell exploit and Fat Finger Fix).

So installing the old dash and renaming the 4034 xboxdash to xonlinedash.xbe and placing it in the xodash directory works fine. I can launch the old dash from the new dash.

Now when I rename the two .xtf font files to .bak and upload the bert and ernie fonts (the new big bert font posted here), when I try to launch the old dash, I get a service error 21. It says in the instructions to test at this point. Am I supposed to tune the bert font first before this will work? At first I thought it was because I didn't have a habibi signed e:\default.xbe. So I signed and renamed evoxdash.xbe and placed it in e:, but I still get the service error 21.

I've only been using the audio exploit and never tried the font exploit, so please bear with me. Any help would be appreciated, thanks!
ldots
post May 5 2004, 12:49 PM
Post #40
Group: Members | Posts: 1496 | Joined: 2-March 04 | Member No.: 104181

Let's not drift too far off track speculating on future applications of this hack everybody. At the moment the "reset-on-eject" issue is the main concern. No point in making this another 40 page thread on the double-dash exploit.

I redid the test of rmenhal - running an xbedumped 4034 dash from the live-tab. No reset since xbedump sets the media flags in the 4034 header. Same when re-running an unmodified 4920 dash.
QUOTE (rmenhal @ May 5 2004, 07:10 AM)

1) at step 13 of readme.txt when the led blinks red, reset-on-eject is not enabled.

This is indeed interesting. Trying to understand this. The bytes you have us replace in the hexed xonlinedash.xbe (68 00 10 01 00 C3) for doing the probing. Do they make a jump to the probe.bin code we have embedded in xonlinedash? At the point where the led is blinking red the 'reset-on-eject' flag is not set, so it seems likely the xbe has to load successfully before the flag is set. This is good! However
QUOTE (rmenhal @ May 5 2004, 07:10 AM)

2) I put a test into the memory allocation function (look at the comment in bert.asm to figure out the memory location) to test when the overwrite of the SEH pointer happens, and when it happens go into infinite loop. The reset-on-eject is now enabled.

I don't see why this is so good? At the time bert overwrites the SEH pointer the reset-on-eject is enabled? But at this point we don't yet have any real control, do we? We still haven't made the jump to the exploit code of ernie - or? So if the reset-on-eject flag is already set at this point how could we prevent this? Please educate me. But I mean, don't you think we have to prevent this flag from being set - once it is set it cannot be reverted?

This post has been edited by ldots: May 5 2004, 12:51 PM
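What rmenhal and ldots keep tripping over in the two posts above is whether a given xboxdash/xonlinedash.xbe already carries the non-secure-mode bit (0x80000000) in the allowed-media-types field of its certificate: xbedump sets it when it re-signs, and that alone removes the reset-on-eject, which invalidates observation 1). As an added example, not code from the thread and not xbedump, here is a small C check that reads that field from an XBE image so the question can be answered from the file before booting it. The header offsets used (magic "XBEH" at 0x000, base address at 0x104, certificate address at 0x118, allowed media types at certificate + 0x9C) are taken from the publicly documented XBE layout and are an assumption of this example, not something the thread states; the sample image built in the block is constructed, not a real dashboard.

```c
/* Added example (editor's own; not xbedump, not code from the thread).
 * Reads the "allowed media types" dword of an XBE certificate and reports
 * whether the non-secure-mode bit (0x80000000) is set.
 * Offsets (assumed from the public XBE layout, not stated on the page):
 *   0x000 magic "XBEH"         0x104 base address
 *   0x118 certificate address  (virtual; file offset = addr - base)
 *   certificate + 0x9C: allowed media types (32-bit little-endian) */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define XBE_MAGIC            0x48454258u   /* "XBEH" read little-endian */
#define XBE_OFF_BASE_ADDR    0x104
#define XBE_OFF_CERT_ADDR    0x118
#define XBE_CERT_OFF_MEDIA   0x9C
#define XBE_CERT_MIN_SIZE    0xA0          /* enough to cover the media field */
#define MEDIA_NONSECURE_MODE 0x80000000u   /* the flag the thread refers to */

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void put_le32(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF;
    p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* Returns 1 and sets *media on success; 0 if the buffer is not a well-formed
 * XBE or the certificate does not lie fully inside it. The header's own
 * addresses are untrusted input, so every derived offset is bounds-checked. */
int xbe_allowed_media(const uint8_t *img, size_t len, uint32_t *media) {
    if (len < XBE_OFF_CERT_ADDR + 4) return 0;
    if (le32(img) != XBE_MAGIC) return 0;
    uint32_t base = le32(img + XBE_OFF_BASE_ADDR);
    uint32_t cert = le32(img + XBE_OFF_CERT_ADDR);
    if (cert < base) return 0;
    uint32_t off = cert - base;
    if (off > len || len - off < XBE_CERT_MIN_SIZE) return 0;
    *media = le32(img + off + XBE_CERT_OFF_MEDIA);
    return 1;
}

/* 1 if the non-secure-mode bit is set, 0 if clear or the image is invalid. */
int xbe_has_nonsecure_mode(const uint8_t *img, size_t len) {
    uint32_t m;
    return xbe_allowed_media(img, len, &m) && (m & MEDIA_NONSECURE_MODE) != 0;
}

/* Convenience for a file on disk: only the header region is read.
 * Returns -1 if the file cannot be opened. */
int xbe_file_has_nonsecure_mode(const char *path) {
    static uint8_t buf[65536];
    FILE *f = fopen(path, "rb");
    if (!f) return -1;
    size_t n = fread(buf, 1, sizeof buf, f);
    fclose(f);
    return xbe_has_nonsecure_mode(buf, n);
}

/* Constructed sample image (not a real dash): headers based at 0x10000 with
 * the certificate at 0x10200 and the given media flags. Returns bytes used. */
size_t build_sample_xbe(uint8_t *buf, size_t cap, uint32_t media) {
    const uint32_t base = 0x00010000u, cert = 0x00010200u;
    size_t need = (cert - base) + XBE_CERT_MIN_SIZE;
    if (cap < need) return 0;
    memset(buf, 0, need);
    put_le32(buf, XBE_MAGIC);
    put_le32(buf + XBE_OFF_BASE_ADDR, base);
    put_le32(buf + XBE_OFF_CERT_ADDR, cert);
    put_le32(buf + (cert - base) + XBE_CERT_OFF_MEDIA, media);
    return need;
}

int main(void) {
    uint8_t img[1024];
    uint32_t media;
    size_t n;

    /* Constructed "untouched" dash: flag clear. */
    n = build_sample_xbe(img, sizeof img, 0x00000001u);
    if (xbe_allowed_media(img, n, &media))
        printf("media 0x%08X nonsecure-mode: %s\n", media,
               xbe_has_nonsecure_mode(img, n) ? "yes" : "no");

    /* Constructed "xbedumped" dash: 0x80000000 ORed in. */
    n = build_sample_xbe(img, sizeof img, 0x80000001u);
    if (xbe_allowed_media(img, n, &media))
        printf("media 0x%08X nonsecure-mode: %s\n", media,
               xbe_has_nonsecure_mode(img, n) ? "yes" : "no");
    return 0;
}
```

Run it against both the freshly re-signed dash and the original one; if the bit differs between the two, a "no reset" result from the re-signed copy says nothing about the exploit chain itself, which is exactly the trap rmenhal describes in his update.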
YoshiKool
post May 5 2004, 03:15 PM
Post #41
Group: Members | Posts: 641 | Joined: 23-April 04 | From: Yoshi's Island | Member No.: 116006 | Xbox Version: v1.0

Besides the reset on eject thing, are there any other problems with the doubledash exploit? TIA...
rmenhal
post May 5 2004, 03:15 PM
Post #42
Group: Members | Posts: 254 | Joined: 3-May 04 | Member No.: 117780 | Xbox Version: unk | 360 version: unknown

QUOTE
This is indeed interesting. Trying to understand this. The bytes you have us replace in the hexed xonlinedash.xbe (68 00 10 01 00 C3) for doing the probing. Do they make a jump to the probe.bin code we have embedded in xonlinedash? At the point where the led is blinking red the 'reset-on-eject' flag is not set, so it seems likely the xbe has to load successfully before the flag is set.


I updated my previous posting. I think I made a mistake and used the xbedump that sets 0x80000000 instead of the newly compiled one. But yes, those bytes jump to address 0x11000 where the execution of probe.bin starts.

QUOTE
I don't see why this is so good? At the time bert overwrites the SEH pointer the reset-on-eject is enabled? But at this point we don't yet have any real control, do we? We still haven't made the jump to the exploit code of ernie - or? So if the reset-on-eject flag is already set at this point how could we prevent this? Please educate me :P. But I mean, don't you think we have to prevent this flag from being set - once it is set it cannot be reverted?


It would have been good, because at 1) the reset is disabled, at 2) it is enabled, and by what I said before ("This is interesting") the reset was disabled. So the Dashboard would have had to (for some odd reason) enable and then disable it. So just check how it disabled it. Unfortunately, it's not so easy. I will look into kernel export 365 next. That enables reset-on-eject.

This post has been edited by rmenhal: May 5 2004, 03:17 PM
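For readers who want to see what the six patch bytes ldots asked about and rmenhal just confirmed actually do: 68 00 10 01 00 C3 is x86 `push 0x00011000; ret`. The ret pops the pushed value into EIP, so control lands at 0x11000 no matter where in xonlinedash.xbe the six bytes are written. The block below is an added example by the editor, not code from the thread or from probe.bin, bert or ernie; it decodes and encodes that form and, going beyond the bytes on the page, contrasts it with `jmp rel32` (E9 xx xx xx xx), whose encoding depends on the patch address, which is why push/ret is the convenient choice for a blind hex-edit.

```c
/* Added example (editor's own, not code from the thread or the exploit).
 * Decodes the 6-byte patch "68 00 10 01 00 C3" as x86 "push imm32; ret" and
 * shows why that form suits a hex-edit patch: unlike "jmp rel32" its target
 * does not depend on where the bytes are placed. The jmp rel32 comparison
 * goes beyond what the thread shows. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define OP_PUSH_IMM32 0x68
#define OP_RET        0xC3
#define OP_JMP_REL32  0xE9

/* x86 immediates are little-endian. */
static uint32_t le32_read(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void le32_write(uint8_t *p, uint32_t v) {
    p[0] = v & 0xFF; p[1] = (v >> 8) & 0xFF;
    p[2] = (v >> 16) & 0xFF; p[3] = (v >> 24) & 0xFF;
}

/* Emit "push target; ret" (6 bytes). Position independent. */
size_t encode_push_ret(uint8_t *out, uint32_t target) {
    out[0] = OP_PUSH_IMM32;
    le32_write(out + 1, target);
    out[5] = OP_RET;
    return 6;
}

/* Emit "jmp rel32" (5 bytes) that must sit at patch_addr to reach target.
 * rel32 is relative to the end of the instruction, so the bytes change with
 * the patch location. */
size_t encode_jmp_rel32(uint8_t *out, uint32_t patch_addr, uint32_t target) {
    out[0] = OP_JMP_REL32;
    le32_write(out + 1, target - (patch_addr + 5));   /* wraps mod 2^32 */
    return 5;
}

/* Resolve where the bytes at `code` transfer control, given that they are
 * mapped at virtual address `code_addr`. Returns 1 and fills *target, or 0
 * if the bytes are neither push/ret nor jmp rel32. */
int resolve_target(const uint8_t *code, size_t len, uint32_t code_addr,
                   uint32_t *target) {
    if (len >= 6 && code[0] == OP_PUSH_IMM32 && code[5] == OP_RET) {
        *target = le32_read(code + 1);             /* address-independent */
        return 1;
    }
    if (len >= 5 && code[0] == OP_JMP_REL32) {
        *target = code_addr + 5 + le32_read(code + 1);
        return 1;
    }
    return 0;
}

int main(void) {
    /* The patch bytes quoted in the thread. */
    const uint8_t patch[6] = {0x68, 0x00, 0x10, 0x01, 0x00, 0xC3};
    uint32_t t = 0;
    /* Any code_addr gives the same answer for push/ret. */
    if (resolve_target(patch, sizeof patch, 0x00010C0Cu, &t))
        printf("push/ret target: 0x%08X\n", t);

    /* Same target as jmp rel32 from two different patch addresses: the
     * bytes differ, so a jmp cannot be dropped in without knowing where. */
    uint8_t j1[5], j2[5];
    encode_jmp_rel32(j1, 0x00010000u, 0x00011000u);
    encode_jmp_rel32(j2, 0x00020000u, 0x00011000u);
    printf("jmp at 0x10000: %02X %02X %02X %02X %02X\n",
           j1[0], j1[1], j1[2], j1[3], j1[4]);
    printf("jmp at 0x20000: %02X %02X %02X %02X %02X\n",
           j2[0], j2[1], j2[2], j2[3], j2[4]);
    return 0;
}
```

The one thing push/ret costs is four bytes of stack (the pushed dword is consumed by ret, so the stack is balanced afterwards), which is harmless at the point where probe.bin takes over.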
ldots
post May 5 2004, 04:22 PM
Post #43
Group: Members | Posts: 1496 | Joined: 2-March 04 | Member No.: 104181

QUOTE (rmenhal @ May 5 2004, 05:15 PM)
It would have been good, because at 1) the reset is disabled, at 2) it is enabled, and by what I said before "This is interesting" the reset was disabled. So Dashboard would have had to (for some odd reason) to enable and then disable it.

OK - see your point. Don't know how far in execution of xonlinedash we are when we reach the blinking led at 1). Are you sure the reset-on-eject has been enabled and then disabled? Before launching xonlinedash it was disabled so maybe it just stayed that way??? But I take it your conclusion was based on what you believed was an infinite loop in bert, which was before the blinking led at 1). I'm sure you are right. I just thought maybe 1) was before 2). Does that make any sense?
Angerwound
post May 5 2004, 05:16 PM
Post #44
Group: Members | Posts: 1718 | Joined: 16-January 04 | From: Hell | Member No.: 92487 | Xbox Version: v1.0 | 360 version: none

Based on some testing I've been doing, I think maybe this was caused by it being disabled before as well. I could be wrong but it does seem like the reasonable explanation for this odd occurrence.
debeautar
post May 5 2004, 09:29 PM
Post #45
Group: Members | Posts: 109 | Joined: 13-March 03 | Member No.: 27182

Wait... it might be possible for me to actually have an applicable, not-so-far-fetched, knowledgeable offering!

Check this action out.

Okay... so, once all of the kinks are worked out of this process, and the double-dash method indeed works with all features asked for (no reset-on-eject, easy-working-yay)... would it then be possible to pre-train different bert files for each separate version of pre-live dash? Or, does EVERY single dash have its own unique quirks, like an eeprom to an xbox hard drive?

this way, once we're in the packaging phase (cart before horse, I know)... most everyone would be covered.

I will be forced to wait for progress, as I apparently suck rocks with a hex editor... tried following instructions, and couldn't find the right offsets, NOR could I find particular values for editing.

I leave the fate of exploitation in all of your capable hands. I am but a yutz.

Yeah.