ledjohnnyboy
Dec 4 2009, 11:50 PM
The ping limit is probably fairly easy to modify once we find the file that contains it and modify it. I know one thing: the ping limit is stored in the game itself, because when you boot an original Xbox game you can use XLink without a limit. If anyone is interested, reply please!
xrkahn76
Dec 5 2009, 08:14 AM
Do you have the money to pay someone to spend countless hours going through the code of each game?
IT'S NOT GOING TO HAPPEN!
tactical
Dec 5 2009, 04:27 PM
QUOTE(xrkahn76 @ Dec 4 2009, 10:14 PM)

Do you have the money to pay someone to spend countless hours going through the code of each game?
IT'S NOT GOING TO HAPPEN!
Some of us have been around here long enough to avoid saying "it's not going to happen!"
halleluia
Dec 5 2009, 05:13 PM
As some guy said in another thread (I think it's boxxdr):
If it's possible to make some kind of software or a proxy site that can report a fake ping, it will be much easier.
legssmit
Dec 5 2009, 06:12 PM
I think it's a lot harder than all of you think. You really think that ping gets "reported"? Of course not, it gets measured... so using a proxy will only increase the ping.
xrkahn76
Dec 6 2009, 03:33 AM
Unless someone finds the code in a few games and can determine that it is located in the same spot in every game, so that a patcher can be created, it's going to be a lot of work to do on every game. Ping is measured, and the only way it can be fixed or lowered is to get a faster up speed, a better ISP, or be able to bypass ISP barriers and filters that restrict your bandwidth, which are pretty much the same thing.
The ping limit could easily be avoided if we had more users. Problem is, we don't! People are still too busy trying to unban, uncripple and whining about the same to realize we are trying to get some games going. Games they could easily be playing if they got on XLink.
tactical
Dec 6 2009, 03:19 PM
Unless we get xbox-scene and XLink to do a HARD PUSH by putting it on the front page and talking it up, we will not get the masses to play on XLink.
This room is practically DEAD. Now if a ping bypass was found, that really could change everything, because more people would be on XLink, 1,000's playing CoD MW2 just like they used to play Halo on Xbox 1.
ledjohnnyboy
Dec 6 2009, 06:39 PM
Yea, the ping limit bypass was really a wish, but really the only way around it is if we push it and make the mass of readers who are banned discover XLink and figure out how to port forward.
InvidiousDemise
Dec 8 2009, 05:27 AM
I would gladly make a donation to the first person to get this working. You guys think we could get a large enough initiative going to make this work? I think we could; it's all about advertisement to get someone with the knowledge to do it. I don't have much time right now to start that initiative, but I might work day by day and see what we can do. I think the first best thing to do would be to make this thread bigger by going on XLink's forums and getting this thread some exposure.
majinsoftware
Dec 8 2009, 09:15 AM
I've spent quite a bit of time today messing around with Halo 3. It looks like I've been able to remove the ping limit in the game, but it appears there is also another limit in the console. It's a bit more relaxed, as I can play with my friend in Australia, to whom I have a ping of 120ms. But I still can't get the game with my mate in the UK to show up. My ping to him is 305ms.
Also you need XBR or Freeboot, because the game has been modified so it's running in dev mode.
I'll investigate it more before doing a tutorial.
Filthy512
Dec 8 2009, 05:20 PM
I have an idea that has been thrown around a bit but never really fully explored... Now that we can run homebrew on Xbox 360 and patch XEX files, couldn't someone create a custom dashboard that tricks the Xbox into thinking it is signed into Xbox Live, when it will actually be signed into a private server? With something like this you could emulate Xbox Live... even allowing downloadable content if you could somehow trick the box into thinking that the server is the actual Xbox Live... you could download free XBLA games and map packs and whatnot... I'm sure if a bunch of the right people get together this could work... We could call it XBOX ALIVE... make it free and it would bypass any ping limits... I mean, for the games we play on Xbox there is always a host, so the hosting would still be done the same way... but this would give you access to content and cool dashboard apps and hacks. It could be done, it would just take a massive amount of time... but I've seen some of the things that the scene has come up with and I think this is 100% within the realm of possibility... stay tuned, it's gonna happen.
danked
Dec 8 2009, 06:34 PM
QUOTE(majinsoftware @ Dec 8 2009, 12:15 AM)

I've spent quite a bit of time today messing around with Halo 3. It looks like I've been able to remove the ping limit in the game, but it appears there is also another limit in the console. It's a bit more relaxed, as I can play with my friend in Australia, to whom I have a ping of 120ms. But I still can't get the game with my mate in the UK to show up. My ping to him is 305ms.
Also you need XBR or Freeboot, because the game has been modified so it's running in dev mode.
I'll investigate it more before doing a tutorial.
Good news, I would love to help out as well if I had any idea of where to look.
ledjohnnyboy
Dec 9 2009, 02:46 AM
Nice progress with your friend in Australia, keep up the good work. I knew it was just a process of deletion or some sort. If you don't mind posting information on which file you edited, if any, I will look into it, as I would love to get XLink moving! The idea with Xbox Alive is very valid as homebrew approaches! I love this feeling!
InvidiousDemise
Dec 10 2009, 12:45 AM
Sweet! I look forward to a tutorial and seeing more progress made.
ledjohnnyboy
Dec 12 2009, 10:58 PM
Hi, I'm trying to do this on MW2 and need help on which value to edit. I found one that says maximum ping for the client, but it's hard to tell if they're talking about system link or Xbox Live.
Thanks, please help!
ledjohnnyboy
Dec 13 2009, 08:04 AM
OK, I have compiled many XEXs, none have worked with two testers, and I was wondering if someone could clear this up:
"Now open default-hack.xex in a hex editor and find where the basefile starts.
You can search for the "MZ" present in the exe header to find this.
(Often it's around the 0x2000 byte offset mark.)
Now copy the contents of default.exe into default-hack.xex over the top of
the basefile that is inside default.xex. It should exactly fill the rest of
the default-hack.xex file from where you start inserting default.exe."
I don't fully understand; all I need to do is compile and have it run correctly.
Thanks
ledjohnnyboy
Dec 13 2009, 08:35 AM
OK, after searching for localhost I think I found the line of code that sends the packet, now I need to figure out how to use it. Here's a picture of it:
http://rapidshare.com/files/320167420/ping_pic.jpg.html
Please help me in disabling this command.
kotix
Dec 13 2009, 03:15 PM
Can you upload the pic on ImageShack or any other host that is not RapidShare?
Thx
Need Help Now!
Dec 13 2009, 04:31 PM
http://img94.imageshack.us/img94/2290/pingpicjpg.jpg
Rehosted the "rapidshare" picture to maintain forum sanity.
-NHN!
ramaa
Dec 13 2009, 04:38 PM
QUOTE(Need Help Now! @ Dec 13 2009, 04:31 PM)

http://img94.imageshack.us/img94/2290/pingpicjpg.jpg
Rehosted the "rapidshare" picture to maintain forum sanity.
-NHN!
HAHA thanks
ledjohnnyboy
Dec 13 2009, 05:05 PM
Did anyone know what that code meant? Lol, so many lines of code! And if someone could explain repacking the XEX that would help a lot! Then if someone wants to test it I could send it. One last question: what does the output XEX have to be? Devkit, unencrypted, uncompressed? Thanks for all your help!
kotix
Dec 13 2009, 05:28 PM
The XEX file contains the same exe file you have extracted with xextool, so if you make a modification to the exe file, to repack the XEX you need to paste the default.exe file into the default-hack.xex you have previously created, using a hex editor.
If you are looking at default_mp.xex from MW2, the default_mp.exe basefile starts at addr 0x4000 (see the "MZ").
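One way to carry out the two checks these posts describe by hand (find the "MZ" stub where the basefile starts, then confirm the replacement exe exactly fills the rest of the container), as an added Python example that is not code from the thread or from xextool. The XEX header and PE blobs are constructed samples, and the scan only works on an image that is already unencrypted and uncompressed.

```python
"""Locate and size-check the embedded PE basefile in a plain XEX image.

Added example, not code from the thread. A bare "MZ" search can hit
unrelated bytes, so each candidate is validated through the DOS header
field e_lfanew (offset 0x3C), which must point at the "PE" signature.
"""
import struct

PE_SIG = b"PE\0\0"


def find_basefile_offset(xex: bytes, start: int = 0) -> int:
    """Return the offset of the first "MZ" whose e_lfanew points at the PE
    signature, or -1 if none is found (e.g. the image is still encrypted
    or compressed, in which case there is no plain PE to find)."""
    pos = xex.find(b"MZ", start)
    while pos != -1:
        if pos + 0x40 <= len(xex):  # need the full 0x40-byte DOS header
            (e_lfanew,) = struct.unpack_from("<I", xex, pos + 0x3C)
            sig_at = pos + e_lfanew
            if e_lfanew >= 0x40 and xex[sig_at:sig_at + 4] == PE_SIG:
                return pos
        pos = xex.find(b"MZ", pos + 1)
    return -1


def check_exact_fit(xex: bytes, exe: bytes, offset: int) -> bool:
    """True if writing `exe` at `offset` would exactly fill the rest of the
    container, the condition the quoted repacking note requires."""
    return offset >= 0 and len(xex) - offset == len(exe)


def repack(xex: bytes, exe: bytes) -> bytes:
    """Return a new image with the basefile replaced; refuse a size mismatch
    instead of silently producing a truncated or oversized file."""
    off = find_basefile_offset(xex)
    if off == -1:
        raise ValueError("no plain PE basefile found; image may be encrypted or compressed")
    if not check_exact_fit(xex, exe, off):
        raise ValueError(f"exe is {len(exe)} bytes but the basefile slot is {len(xex) - off}")
    return xex[:off] + exe


def make_fake_pe(size: int, marker: bytes) -> bytes:
    """Constructed minimal PE-looking blob: MZ stub, e_lfanew=0x80, PE signature."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x80))
    hdr += b"\0" * (0x80 - len(hdr)) + PE_SIG
    return bytes(hdr) + marker.ljust(size - len(hdr), b"\0")


# Constructed sample: 0x4000 bytes of filler header containing a decoy "MZ",
# followed by a small PE image, mirroring the 0x4000 layout named in the post.
SAMPLE_HEADER = b"XEX2" + b"\0" * 0x10 + b"MZ" + b"\0" * (0x4000 - 0x16)
SAMPLE_XEX = SAMPLE_HEADER + make_fake_pe(0x200, b"original")
PATCHED_EXE = make_fake_pe(0x200, b"patched")
```

The decoy "MZ" at offset 0x14 is rejected because its e_lfanew reads as zero, so only the real stub at 0x4000 is reported.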
ledjohnnyboy
Dec 13 2009, 05:46 PM
So I paste the default_mp.exe into the default-hack.xex, starting with default_mp.exe at 0x4000? One last question: what do you think I should change in that last pic? Maybe I'll try FFing out the sending-packet part. Thanks for the quick reply!
ramaa
Dec 13 2009, 06:03 PM
QUOTE(ledjohnnyboy @ Dec 13 2009, 05:46 PM)

So I paste the default_mp.exe into the default-hack.xex, starting with default_mp.exe at 0x4000? One last question: what do you think I should change in that last pic? Maybe I'll try FFing out the sending-packet part. Thanks for the quick reply!
ledjohnny, are you close to bypassing it? I really want to play on XLink!
Anyways, good luck.
ledjohnnyboy
Dec 13 2009, 06:09 PM
Well, hopefully this value works, but I cannot test this as I have an 8955 Xbox. My theory is only the people joining the host need it. My XTag is ledjohnny.
kotix
Dec 13 2009, 06:18 PM
QUOTE(ledjohnnyboy @ Dec 13 2009, 05:46 PM)

So I paste the default_mp.exe into the default-hack.xex, starting with default_mp.exe at 0x4000? One last question: what do you think I should change in that last pic? Maybe I'll try FFing out the sending-packet part. Thanks for the quick reply!
Man, I have no idea what you should change. I've tried searching too for something to change in it, but there isn't anything like "maxping=30".
ledjohnnyboy
Dec 13 2009, 06:39 PM
Yea, I'm unable to tell the difference between Xbox Live ping limits and system link limits, so I think localhost means system link.
Almost done with my homework, then I'm gonna take a serious look at the code. Also, if I haven't got it, I'll have more than enough time over winter break!
ledjohnnyboy
Dec 13 2009, 06:58 PM
This is what I mean by unable to tell the difference:
I've found max ping and maximum ping allowed by the server.
ramaa
Dec 13 2009, 07:11 PM
LMAO, it says what percentage of clients need to have ping higher than happypingtime.
ledjohnnyboy
Dec 13 2009, 07:24 PM
On my default_mp.exe it doesn't have MZ at 0x4000; MZ starts at the very first line.
ledjohnnyboy
Dec 13 2009, 08:10 PM
Can someone explain how I add PPC support to IDA?
kotix
Dec 13 2009, 08:22 PM
QUOTE(ledjohnnyboy @ Dec 13 2009, 07:24 PM)

On my default_mp.exe it doesn't have MZ at 0x4000; MZ starts at the very first line.
Look at offset 0x4000 of default_mp.xex, not the "exe".
IDA Pro already has support for PPC.
ledjohnnyboy
Dec 13 2009, 08:32 PM
You just downloaded yours from Hex-Rays, right? Because when I try to load the IDC I am unable to load it. Or do I have to install the xex tool plugin?
birdy57
Dec 20 2009, 04:08 PM
I have just been looking at it, and it appears that all frames follow the same structure.
The first 34 bytes are the system link header:
- 4 bytes: CMD
- 2 bytes: option, .....
We can see a sequence number, an answer number...
The CMD for ping is 00:00:00:00 00:58 and the answer is 00:00:00:00 01:58.
But all bytes after 0x34 are encrypted; if we can find out how these bytes are encrypted, we can fake an echo-reply.
ledjohnnyboy
Dec 22 2009, 07:37 AM
So when you are talking about the line of code you found, is this in the XEX or in the packets the Xbox sends out? Thx
birdy57
Dec 22 2009, 11:59 AM
Hi,
this CMD comes out of the packets the Xbox sends out.
All system link uses the same, and they are generated by the M$ API.
Not exactly ALL, because some old games don't have this "ping limit", but they use the same API.
I see now two possible solutions:
- Find in the NAND the key used to encrypt the data after 0x34 and then fake an echo-reply (the best, because there is no need to have a hacked Xbox).
- Compare the API call in this old game and a new one. Then modify the XEX to disable this "ping test".
Ledjohnnyboy, you have done a good search; if you now find the call to this API, for sure you can disable this limit.
ledjohnnyboy
Dec 23 2009, 12:13 AM
Your idea of modifying the NAND sounds great; that way we can just flash with a modified NAND and never worry about changing each XEX. Hopefully the key that has to be decrypted and sent back is exactly the same for all Xboxes (I think it is). By the way, what method are you using to read the NAND data?
Thanks for your help guys!
d0ct0r46
Dec 28 2009, 08:35 PM
This is great stuff.
I've said for ages someone needs to crack this ping limit in system link. It would be like the old days: Xbox, XLink & Halo 2...... rock on.
I would love to help but don't know enough, but you guys rule, keep up the good work, I'm sure you'll crack it.
Full support given.
maximilian0017
Dec 28 2009, 09:00 PM
QUOTE(d0ct0r46 @ Dec 28 2009, 08:35 PM)

This is great stuff.

Looking at these kind of threads always makes me smile
ramaa
Dec 30 2009, 01:18 AM
YESSS guys, keep going.
I've got no frigging idea what you are saying, but I think you are close.
You have my support.
Can't wait to play with those European guys.
zrs_guy
Dec 31 2009, 07:56 AM
Hi, is it just possible to intercept the packets that the 360 game sends so we can fake replies to those packets? Why make it so hard? It seems that it would be possible to just intercept, and send reply packets so the 360 thinks it's getting a good connection under 30ms. Anyhow, that is just a general idea, as I know there is a lot involved. A good example of this can be found in this Hak5 episode:
http://www.hak5.org/episodes/episode-405
By the way, the episode basically shows how a device responds to Windows computers that send a request out for their particular network. I was thinking if it was possible to use a device such as that, or simply a computer, to sorta do the same concept. Basically the Xbox game sends a packet with certain data to a host, and we just intercept the packet and send a reply packet that shows we are that particular host.
ledjohnnyboy
Jan 1 2010, 01:50 AM
Yes, this is also another idea that could work, although the packet that is sent out may or may not be encrypted. I'll look at it; if it is encrypted, the encryption may be a simple data scramble.
zrs_guy
Jan 1 2010, 05:50 AM
http://img109.imageshack.us/img109/9454/maxping.jpg
Take a look at the data in that blue selection; obviously those are variables for determining or storing the host name. Now maybe by analyzing other files we might be able to find some examples of these hosts. In my opinion, if we can figure out what the packets being sent contain and what the packets being received contain, then we can send a reply packet that duplicates the reply packets being sent by an actual Xbox server.
henno88
Jan 12 2010, 08:33 PM
Anything new to bypass the ping limit?
Cincinnatus
Jan 14 2010, 04:24 AM
QUOTE(zrs_guy @ Dec 31 2009, 01:56 AM)

Hi, is it just possible to intercept the packets that the 360 game sends so we can fake replies to those packets? Why make it so hard? It seems that it would be possible to just intercept, and send reply packets so the 360 thinks it's getting a good connection under 30ms.
I was just going to suggest this as I was reading this thread. This has to be the easiest thing to do. Just have the PC intercept ICMP packets, find out the source information, drop the packet, spoof the reply; you're done.
http://diablohorn.wordpress.com/2008/12/06/icmp-spoof/
Am I missing something more complicated?
I feel this would be much easier than targeting each game.
xboxbman
Jan 15 2010, 10:30 PM
QUOTE(Cincinnatus @ Jan 13 2010, 10:24 PM)

I was just going to suggest this as I was reading this thread. This has to be the easiest thing to do. Just have the PC intercept ICMP packets, find out the source information, drop the packet, spoof the reply; you're done.
http://diablohorn.wordpress.com/2008/12/06/icmp-spoof/
Am I missing something more complicated?
I feel this would be much easier than targeting each game.
Last I checked, all the network traffic to and from the 360 is encrypted. Ever try pinging a 360? They don't ping back. Because your ping is not encrypted.
Good luck though. This thread had me laughing. There are more people saying "I don't know what is going on, but I support this" than any relevant information.
I am hoping someone will recommend bruteforcing the encryption. That always makes me laugh.
Cincinnatus
Jan 17 2010, 12:48 AM
QUOTE(xboxbman @ Jan 15 2010, 04:30 PM)

Last I checked, all the network traffic to and from the 360 is encrypted. Ever try pinging a 360? They don't ping back. Because your ping is not encrypted.
Good luck though. This thread had me laughing. There are more people saying "I don't know what is going on, but I support this" than any relevant information.
I am hoping someone will recommend bruteforcing the encryption. That always makes me laugh.
Judging by your response, it sounds like it is not sending out traditional ICMP packets. The console could have a simple firewall rule to block ICMP traffic; that doesn't mean the console's 'PING' requests are encrypted though. Although it could be encrypting TCP/UDP packets at L4 and the console is just timing the other console's response (or sending it out unencrypted). I'm curious how the boxes do key agreement, and whether or not it's built into the individual games, or the consoles.
I can't imagine typical gameplay traffic being encrypted and decrypted at a software layer. The best way to see what's going on is to sniff the traffic, I guess.
neo8222
Jan 20 2010, 01:34 AM
I'm not sure if it will help, but I sniffed the packet sent when searching for a system link game.
Next time someone's online for the games I have, I'll sniff the packets sent when attempting connection.
ledjohnnyboy
Jan 20 2010, 07:50 PM
Nice pic, it reveals a lot about the info sent out and received. If you want you can sniff the packets from us. I have a feeling that the arrival time means something, and it might say something like end time on the connecting part. Add me as a friend on XLink: ledjohnny.
neo8222
Jan 20 2010, 08:43 PM
OK, I took an even bigger reading, getting almost 100 packets. Since it's so big I just saved the file in a generic .cap format that Windows NetMon or Wireshark can open and read. Destination 255.255.255.255 seems to be only sent when looking for games, while destination 0.0.0.1 is sent when attempting connection. Here's the link for the DL!
Packet.cap
Also, one thing to note is each packet sent has a checksum and an identification hex code that are different each time, so I'm thinking it's the "key" for decrypting the code. I'd hope that the relation between them could be found. Once that's done it should be easy to script/write a program to intercept the packets on port 3074 (the only one the 360 uses for connection) and "spoof" the proper reply in under 30ms. If it can be done, it'd be a major step in the right direction, true?
Oh, and the "frame xx" area is from Wireshark; it stamps the capture or arrival time for that packet and some header data.