I've been spending quite a bit of time trying to find out exactly what makes the font exploits tick. I've read the explanation at Phoenix's (Pheonix's?) site (Technical analyses of Free-X's "Bert & Ernie" exploit), and it's helped a lot. I'd like to go further than that and explain the differences between the different font hacks we have available now.
For the most part, BERT.XTF remains the same. It is the file that takes advantage of the buffer underrun and causes an exception that jumps to the code in the other font file.
Note that the name of the font is stored in the XTF file itself. Apparently, this is the name that the Xbox looks at; it doesn't care whether it matches the actual filename, which it ignores.
Also note that the actual exploit code is very small (around 500 bytes); the bulk of the big file is the exception catcher, which is the same jump instruction repeated over and over. That's why it compresses so easily.
Free-X's original dayX
Features:
- Loads C:\default.xbe
- XBE must be font-signed
- Makes LED flash red
Bert.xtf
The exploit jumps to location 0xC04141.
Ernie.xtf
This is the original hack that is covered by the Phoenix article above. For reference, the program order is as follows:
1. Exception net. This large section of code (several megs) catches the exception and does multiple jumps in order to reach the exploit code. It is designed such that it will work whether the program jumps to an even or an odd address (since each jump is two bytes long). It jumps down 16 bytes at a time.
2. End of net. There are a bunch of increment and decrement operations that effectively do nothing. They are placed there so that the exception net jumps to the right place.
3. Grab the address of INT2 from the interrupt descriptor table.
4. Search backwards from this address to find the start of the kernel.
5. Search forward to find the export table.
6. Get the base pointer for our data area.
7. Find the exports for HalWriteSMBusValue and XePublicKeyData and store them in our data area.
8. Check the code at the address of XePublicKeyData. If it matches, we're good. If not, search the entire kernel to find it.
9. Modify the public key to make it easily factorable.
10. Modify the user exponent.
11. Change the LED color using HalWriteSMBusValue.
12. Find the code in the dashboard that runs a new program.
13. Execute it using the path and filename stored in our data area.
--
Bert is Cheating on Ernie
Features:
- Loads C:\default.xbe
- XBE must be font-signed
- Makes LED flash red (I think)
- Patches kernel 4034 to enable F:, patch media checks, and turn off ROE
Bert.xtf
The exploit jumps to location 0xC04141. This is identical to the dayX version.
Snuffleupagus.xtf
This is almost the same as Ernie.xtf, except that it does a few code modifications beforehand (right after the exception net). I've only taken a cursory look at this one, but from the NFO, it's apparent that it patches the kernel in order to enable the F: drive, patch media checks, and turn off reset-on-eject. This will only work on the kernel it was designed for (4034), since it uses known memory locations instead of searching. It also skips the patching of the public key and user exponent that dayX does, because that is already done by the kernel patch.
These kernel patches aren't needed if you're using the Phoenix BIOS Loader.
--
Ernie and Bert Reloaded
Features:
- Loads C:\default.xbe
- XBE must be font-signed
- Makes LED flash red
- Always sets date/time to 6:00am, July 4, 2003
Bert.xtf
The exploit jumps to location 0xC02020. Otherwise, it is identical to the dayX version.
Ernie.xtf
Ernie is based on dayX and only has one change. At the beginning of the code (after the exception net), it manually sets the date to July 4 in an effort to fix the clock reset problem. Nothing else is changed, except that the exception net has grown by about 2 megs.
--
Bigfonts 07-25
Features:
- Loads C:\default.xbe
- XBE must be font-signed
- Does not make LED flash red
- If the clock has been reset, sets date/time to 12:00am, January 1, 2001
Bert.xtf
The exploit jumps to location 0xF02020. The extraneous bytes EBFE 4141 4141 4141 have also been removed.
Ernie.xtf
This one has more changes than Reloaded. The exception net has been blown up to 15 megs. Also, instead of jumping downwards by 16 bytes, it jumps upwards by 4 bytes. When it reaches the top, it jumps down to the exploit code. I assume that this is an effort to speed up the jumping, since the exception seems to land close to the top (under normal circumstances).
At the beginning of the exception code, it first modifies the instruction before it to cause an infinite loop. That way, if another exception is generated, the Xbox will hang instead of trying to run the exploit again.
After step 6 (above), it checks a flag in the data area. If the flag is set, it hangs the Xbox. If not (default), it sets the flag and then proceeds. I'm not sure what use this has.
When it searches for the exports, it searches for three more. I think these are: KeQuerySystemTime, KeDelayExecutionThread, and KeEnterCriticalRegion. After finding the exports, it immediately calls the third one (KeEnterCriticalRegion?). All instructions to set interrupts hereafter are removed.
The two calls to HalWriteSMBusValue have been removed. This prevents the LED color from being changed. However, they have left in the stack pushing of the parameters for these calls. Messy!
After step 11, there is a new snippet of code. Here's what it does: It calls KeQuerySystemTime to check the clock. If the clock is within a certain range, skip down to step 12. If not, it finds a subroutine in the dashboard and calls it. This sets the clock to 12:00am, January 1, 2001 (I think that's the right time). It then calls KeDelayExecutionThread.
From then on, the code is the same.
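The two jump chains described above (the 16-bytes-down net of dayX and Reloaded, steps 1 and 2, and the 4-bytes-up net of Bigfonts) as an added simulation in C. This is example code written for this page, not bytes taken from any of the fonts: the post only gives the hop sizes, so the exact encodings are an assumption. A two-byte `jmp rel8` (EB xx) whose displacement byte is itself a harmless one-byte instruction is what gives the even/odd property: EB 0E hops 16 bytes down, and an odd landing executes 0E (push cs) first; EB FA hops 4 bytes up, and an odd landing executes FA (cli) first. The "end of net" inc/dec filler is the 40/48 sled, and a single CC byte stands in for the payload. The simulator decodes only those opcodes and checks that every landing offset in the net body ends at the payload.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example: simulates the exception nets described in the post. The opcode
   choices are assumptions consistent with the hop sizes given there; the real
   font bytes are not shown. x86 (32-bit) encodings used:
   EB cb = jmp rel8, E9 cd = jmp rel32, 0E = push cs, FA = cli,
   40/48 = inc/dec eax, 90 = nop. CC (int3) stands in for the payload. */
#define PAYLOAD_MARK 0xCC
#define HEAD 16   /* header of the upward net: the one jump down past the net */

/* Downward net (dayX / Reloaded style): [pairs x "EB 0E"][16-byte inc/dec sled][payload].
   Landing on EB: jmp +14 past the 2-byte instruction, i.e. 16 bytes down.
   Landing on 0E: 'push cs' (1 byte), then that same jmp, so odd landings work.
   The last hop can land anywhere in the 16 bytes after the net, which is why the
   "do nothing" inc/dec sled is exactly 16 bytes. Returns the payload offset. */
static size_t build_down_net(uint8_t *buf, size_t pairs)
{
    size_t i, off = 0;
    for (i = 0; i < pairs; i++) { buf[off++] = 0xEB; buf[off++] = 0x0E; }
    for (i = 0; i < 8; i++)     { buf[off++] = 0x40; buf[off++] = 0x48; }
    buf[off] = PAYLOAD_MARK;
    return off;
}

/* Upward net (Bigfonts style): [E9 rel32 -> payload][nop pad][EB F0][pairs x "EB FA"][payload].
   Landing on EB: jmp -6 from the end of the instruction, i.e. 4 bytes up.
   Landing on FA: 'cli' (1 byte), then the jmp; an odd landing realigns after one hop.
   The climb ends at offset HEAD-4 or HEAD-2; "EB F0" at HEAD-2 jumps back to the
   E9 at offset 0, which jumps down past the whole net. Returns the payload offset. */
static size_t build_up_net(uint8_t *buf, size_t pairs)
{
    size_t i, off = HEAD + 2 * pairs;
    uint32_t rel = (uint32_t)(off - 5);        /* rel32 is measured from the end of E9 */
    buf[0] = 0xE9;
    for (i = 0; i < 4; i++) buf[1 + i] = (uint8_t)(rel >> (8 * i));
    for (i = 5; i < HEAD - 2; i++) buf[i] = 0x90;
    buf[HEAD - 2] = 0xEB; buf[HEAD - 1] = 0xF0;   /* jmp -16: back to offset 0 */
    for (i = 0; i < pairs; i++) { buf[HEAD + 2 * i] = 0xEB; buf[HEAD + 2 * i + 1] = 0xFA; }
    buf[off] = PAYLOAD_MARK;
    return off;
}

/* Executes from 'entry', decoding only the opcodes the nets use. Returns the offset
   where PAYLOAD_MARK was reached, or (size_t)-1 on an unmodelled opcode, a jump
   outside the buffer, or an exhausted step budget (i.e. a loop). */
static size_t run_net(const uint8_t *buf, size_t len, size_t entry, size_t max_steps)
{
    long ip = (long)entry, next;
    uint32_t d;
    while (max_steps-- > 0) {
        if (ip < 0 || (size_t)ip >= len) return (size_t)-1;
        switch (buf[ip]) {
        case PAYLOAD_MARK:
            return (size_t)ip;
        case 0xEB:                                   /* jmp rel8 */
            if ((size_t)ip + 1 >= len) return (size_t)-1;
            next = ip + 2 + (int8_t)buf[ip + 1];
            break;
        case 0xE9:                                   /* jmp rel32 */
            if ((size_t)ip + 4 >= len) return (size_t)-1;
            d = (uint32_t)buf[ip + 1] | (uint32_t)buf[ip + 2] << 8 |
                (uint32_t)buf[ip + 3] << 16 | (uint32_t)buf[ip + 4] << 24;
            next = ip + 5 + (int32_t)d;
            break;
        case 0x0E: case 0xFA: case 0x40: case 0x48: case 0x90:   /* 1-byte fillers */
            next = ip + 1;
            break;
        default:
            return (size_t)-1;
        }
        ip = next;
    }
    return (size_t)-1;
}

/* Tries every landing offset in [first, last); returns 1 if all reach 'payload'. */
static int all_landings_reach(const uint8_t *buf, size_t len, size_t first, size_t last, size_t payload)
{
    size_t e;
    for (e = first; e < last; e++)
        if (run_net(buf, len, e, len) != payload) return 0;
    return 1;
}

int main(void)
{
    static uint8_t buf[8192];
    size_t p = build_down_net(buf, 2000);
    printf("down net: payload at %zu, every landing in 0..%zu reaches it: %s\n",
           p, p - 1, all_landings_reach(buf, p + 1, 0, p, p) ? "yes" : "no");
    p = build_up_net(buf, 2000);
    printf("up net:   payload at %zu, every landing in %d..%zu reaches it: %s\n",
           p, HEAD, p - 1, all_landings_reach(buf, p + 1, HEAD, p, p) ? "yes" : "no");
    /* Landing inside the header's rel32 bytes is not a modelled instruction stream:
       the net body, not the header, is what has to catch the exception. */
    printf("up net:   landing at offset 1 -> %s\n",
           run_net(buf, p + 1, 1, 64) == (size_t)-1 ? "fails" : "reaches payload");
    return 0;
}
```

The point of the walk is the alignment argument: in the downward net an odd landing costs one extra one-byte instruction and then follows the same 16-byte stride, so every offset in the body converges on the 16-byte sled; in the upward net an odd landing is realigned after a single hop and the climb ends at one of only two header offsets, which is why a fixed two-byte jump back to a single rel32 suffices. The 4-byte stride needs four times as many hops per byte of net as the 16-byte stride, so it only pays off if the landing point really is near the top, as the post assumes.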
--
MechInstaller 1.0 - MechAssault Linux Installer
Features:
- Loads XBE from one of several locations (I'm not sure what they are)
- XBE must be habibi-signed
- Checks that the XBE has the string "TUX!" in the header
- Checks that linux files (vmlinuz, linuxboot.cfg) exist
- Brings up dashboard with "Linux" in place of "Xbox Live" tab
- Brings up dashboard clock-setting screen if the clock has been reset
- Requires original fonts to be renamed to C:\fonts\Xbox.bak and C:\fonts\XBox Book.bak
Bert.xtf
The exploit jumps to location 0xD02020. There is one other byte changed (0x03 to 0x0D), but I don't know what it does. It's some kind of field, and if it's set too big, the exploit doesn't work.
Ernie.xtf
Yes, MechInstaller comes with a font hack that gets installed on your hard drive. Since the original font is so huge that it wouldn't fit on a memory card, they've reduced it to 6 KB (yes, kilobytes).
The installer program expands and decrypts Ernie.xtf to 15 MB. The exception net looks like the one from Bigfonts. The exploit code itself is about 6 KB, as opposed to all the other font exploits, which are below 1 KB. The code is obfuscated to guard against potential pirates. They claim that the clock looping issue is fixed.
The code has been de-obfuscated and now we know how it works. Basically, it modifies the public key, then edits the dashboard in RAM and reloads it. The dashboard is edited to use the .BAK files instead of the .XTF files, to replace the "Xbox Live" tab with "Linux", and to load Linux itself. I believe that it can load Linux from several different locations.
I think that it will also boot from the DVD-ROM drive if a disc is inserted, without going to the dashboard.
--
Hacked MechInstaller fonts (various)
Features:
- Loads XBE from one of several locations (I'm not sure what they are)
- XBE must be habibi-signed
- Brings up dashboard with "Phoenix" or "EvoX" in place of "Xbox Live" tab
- Brings up dashboard clock-setting screen if the clock has been reset
- Requires original fonts to be renamed to C:\fonts\Xbox.bak and C:\fonts\XBox Book.bak
Bert.xtf
Same as MechInstaller fonts (I assume).
Ernie.xtf
The MechInstaller fonts have been hacked so that Linux files are no longer needed, and so that it displays something else besides "Linux" in place of the "Xbox Live" tab. Also, the boot locations may have been changed. The one that I have lists the following locations (must be habibi-signed):
D:\default.xbe
E:\Debian\default.xbe
E:\default.xbe
C:\evox.xbe
The "catfish fonts" are hacked MechInstaller fonts and use the following boot locations instead:
D:\catfish.xbe
E:\Hakurs\default.xbe
E:\default.xbe
E:\Phoenix\default.xbe
--
So there you have it. Personally, I've done a little experimenting in order to try to speed up the code and clean it up a bit. I haven't tried it on the clock problem yet, but I don't think it would fix it. I noticed that dayX has a little piece of redundant code that could be fixed to make the code a little nicer, but it doesn't have much effect either way (the code space saved is trivial compared to the size of the exception net).
v1.1: Small addition about the flag in Bigfonts.
v1.2: Added more info on MechInstaller, as well as jump locations for all Bert files.
v1.3: "Features" part added. More definite info about clock resetting.
v1.4: Added another check that the MI fonts do, and added info about catfish fonts.
This post has been edited by Grospolina: Apr 12 2004, 01:39 PM