App Horizon

[Community Research] Xbox One & Modding


#1

This will require intelligence, or at least it will require people to use their brains and actually research things for themselves, but since it’s gaming-oriented I think the mods will allow it.

So far, there are a few things I’ve found out about the xboxONE and its security relating to its file system. Perhaps a huge research thread (this thread) could help members and the developers out in the long run. Post anything you find that’s factual about the xboxONE’s file system and the security that comes with it.

The xboxONE’s Operating Systems

  • Tiny Host OS, boots the machine and loads two other hard-partitioned OS’s.

  • The Shared Partition, which runs an environment for apps (Skype, Live TV, Netflix, etc), and helps to provide processing power for the kinect sensor and its gesture and voice controls.

  • The Exclusive Partition, this is where games run, because of the way memory is apportioned in the shared partition, you can switch between apps with little to no load times, and even snap them into another app or game to use both at the same time.

Paul Thurrott has said that the xboxONE was built on top of the Windows 8 core. I’d guess that the shared partition is based on the Windows NT kernel.

The NT “core” is what’s shared across Windows 8, Windows RT, Windows Server 2012 and Windows Phone 8. It includes a shared file system (NTFS), networking stack, security elements, graphics engine (DirectX), device driver framework and hardware abstraction layer (HAL).

In an under-the-hood architecture panel following the Xbox One reveal, Boyd Multerer, Director of Development for Xbox, confirmed that the team started with Microsoft’s Hyper-V hypervisor in building the Xbox One operating system. Multerer said the team stripped out all the general-purpose “goop” to create an OS that allowed two virtual machines to run in side-by-side partitions. One of the partitions runs apps; the other runs games.

So far this is all I’m able to discover relating to the file system of the xboxONE. However, I did find this interesting quote made by Albert Penello:

“Save game files (and Upload Clips) are not user manageable. In order to prevent save-game collision across different consoles and different states, we manage the sync between the local save game and the cloud. A copy of your save game is stored locally and synced to the cloud automatically in the background. If you lose internet connectivity, you can play offline and keep saving no problem. Once you reconnect everything syncs again.”

You can read the full article here. He does mention that external storage is something they will implement in the future, but that isn’t going to stop your save from syncing back with the cloud, this COULD cause problems with save game modding but it could also (maybe) be easy to get around.

He claims that if you play offline, when you reconnect, your save games are re-synced with the cloud, but no mention of any security checks, so there is the possibility that when external storage is made available, that offline save game modding will be a possibility, it all just depends on what happens when you reconnect your xboxONE to the internet and the data re-syncs with the cloud, if security is in place to check for obvious modifications to the files then it won’t be difficult for their enforcement team to start banning people who’ve been modding.


For anyone wanting to brush up on the older standard for the 360, I suggest reading through this, I found it a great read and very informative. It goes through the different file specifications for the 360 such as: XFAT, STFS, XDF and more.

http://www.arkem.org/xbox360-file-reference.pdf


xboxONE DevKit Mode

  1. Go to the “Settings Menu”
  2. Go to “System”
  3. Enter the following button combination:
LB - RB - LT - RT


#2

Good info, this is my post from the other thread:

The Xbox One uses regular NTFS for the Hard Drives. It is a SATA II drive and can be connected to your computer, from there you can access the Xbox’s partitions which have all of the files stored on it. However, the files are mostly XVD’s (Xbox Virtual Disk) which is the format we are looking into. This format is the successor to STFS packages from the 360, is much more complex and is also more protected. That’s the hurdle we have to jump before we can mod save files.

Also, the save syncing feature is just something they implement for the Xbox One so if you sign into another console you will have access to your saves, like the Cloud saving on the 360. If you do not connect to Xbox Live, your save data will still be stored locally and you can access it there. This means that the feature will not interfere with save modding since it still stores the data locally. At worst, it might mean that before you can mod a save, you would have to first play and save while disconnected from Xbox Live.


#3

From the offline update they provided, I’ve also found these files:

18/11/2013  22.17             2.334 args.txt
18/11/2013  19.07        41.496.576 host.xvd
18/11/2013  19.03        38.035.456 SettingsTemplate.xvd
18/11/2013  19.07        24.784.896 sosinit.xvd
18/11/2013  19.01        65.040.384 sostmpl.xvd
18/11/2013  19.14       891.490.304 system.xvd
18/11/2013  19.04       280.449.024 systemaux.xvd
18/11/2013  19.28        35.926.016 updater.xvd

The dates are in Italian format; the month and day are inverted.

Opened a few up in Hex Workshop, and I found this string multiple times: “msft-xvd”

With all the hardware I’ve seen inside the xboxONE, basically it seems like a PC dressed up as a console, and from the Call of Duty Ghosts dump that someone posted not so long ago, there was this file: package1.xvc so it seems as though .xvd/.xvc are packages, if it was possible to extract those packages (obviously there will be security) then I think we’ll find most likely a normal windows OS (normal but ARM windows).

Maybe .XVD is the new .XBE? I tried changing the file extension and using an XBE extractor, but that didn’t work (I didn’t expect it to as there is no mention of XBEH in the .XVD’s hex)

updater.xvd has major differences and args.txt has slight differences.

The rest of the xvd files are byte-wise identical.

After further research (I’ve been looking into this since the launch of that offline update), my theory is that xvd is a modified wim or esd.
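
Added example (not part of any post in this thread): the two checks described in post #3, a search for the “msft-xvd” string and a byte-wise comparison of two update sets, written as a small Python script. The sample files are constructed placeholders that reuse file names from the listing above; the offsets at which the string sits in them are arbitrary.

```python
import hashlib, mmap, os, tempfile
MAGIC = b"msft-xvd"  # string reported in post #3; its real offset is not stated there

def magic_offsets(path, magic=MAGIC):
    """Return every offset at which `magic` occurs in the file."""
    if os.path.getsize(path) == 0:  # mmap cannot map an empty file
        return []
    with open(path, "rb") as f, mmap.mmap(f.fileno(), 0, access=mmap.ACCESS_READ) as m:
        hits, pos = [], m.find(magic)
        while pos != -1:
            hits.append(pos)
            pos = m.find(magic, pos + 1)
        return hits

def sha256_file(path, chunk=1 << 20):
    h = hashlib.sha256()  # fed in 1 MiB chunks so large images never sit in memory
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()

def compare_dirs(old_dir, new_dir):
    """Classify each file name as identical, changed, added or removed."""
    report = {}
    for name in sorted(set(os.listdir(old_dir)) | set(os.listdir(new_dir))):
        a, b = os.path.join(old_dir, name), os.path.join(new_dir, name)
        if os.path.isfile(a) and os.path.isfile(b):
            report[name] = "identical" if sha256_file(a) == sha256_file(b) else "changed"
        else:
            report[name] = "removed" if os.path.isfile(a) else "added"
    return report

def build_sample(root):
    """Write two tiny constructed update sets (placeholder bytes, not real XVD data)."""
    host = b"\x00" * 16 + MAGIC + b"A" * 32 + MAGIC
    sets = {"old": {"host.xvd": host, "updater.xvd": MAGIC + b"v1", "args.txt": b"build=1\n"},
            "new": {"host.xvd": host, "updater.xvd": MAGIC + b"v2", "args.txt": b"build=2\n"}}
    for sub, files in sets.items():
        os.makedirs(os.path.join(root, sub), exist_ok=True)
        for name, data in files.items():
            with open(os.path.join(root, sub, name), "wb") as f:
                f.write(data)
    return os.path.join(root, "old"), os.path.join(root, "new")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        old, new = build_sample(root)
        for name, status in compare_dirs(old, new).items():
            print(f"{name:12} {status:9} magic at {magic_offsets(os.path.join(new, name))}")
```

Pointing compare_dirs at two real directories gives the same identical/changed report for files of any size.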


#4

The console is Windows 8-based so the operating system would look like your regular Windows, although not ARM, but x64.

XVD is not an executable format (like XBE for Xbox1 or XEX for the 360), it is a container/package format, the successor to STFS (CON, PIRS, LIVE) packages.


#5

Ahhhhhh, that makes sense (x64 not ARM). And yeah I think I said that, I believe the xvd is a package, any light on my theory that XVD’s are a modified version of wim/esd? Or am I completely wrong in that area?


#6

Wow nice research guys

Let’s hope XboxMb can be the first site to mod the Xbox One.


#7

For the last section of your post, I guess that can be trialed and errored through the creation of multiple profiles/accounts on your xboxONE? I’m guessing you’re able to create more than one account like the 360, and each account will have its different SP save games that are stored locally (and to the cloud) so it wouldn’t be too difficult to see if modding was mandatory before playing the game and connecting to xbox live? (when modding is actually a reality and not just research).


#8

It’s more than likely a brand-new, custom format. Microsoft likes to make things from scratch so we have zero references to go off.


#9

I’ve considered that possibility but wouldn’t that be too much work? Surely a modified version of wim/esd with some thrown in encryption would be the easier and yet still effective route?


#10

When do you think the first save mods will be done?


#11

When decryption is figured out and signing keys are discovered for the XVD packages.
It is likely the signing keys are heavily protected and will require a full exploit to obtain, much like the CPU key on the Xbox 360. It might be easier to obtain, but it’s still too early to say.

On another note, you guys should be aware that they deprecated SHA1 on Xbox One due to security concerns, so get used to looking for SHA2 hashes in file formats.


#12

This is actually really exciting. I wasn’t around when the 360 was first modded.


#13

Again it was expected of them to change their encryption method, being “next gen” and all that jazz.

Something I’d like to ask (as I’m incapable of testing myself due to not having an xboxONE yet) is, like unknown v2 said, the xboxONE HDD is a SATA II drive with an NTFS file system which you can connect to your PC and browse through the file system, won’t it be easier to find a full exploit for the OS/Kernel considering you can literally just link it straight up to your PC as if it was an external hard drive? (Again, I may be completely in the wrong, I’m speculating as I haven’t got the console myself yet.)

For anyone interested, SHA-2 has quite a few changes from its predecessor SHA-1. SHA-2 consists of a set of four hash functions with digests that are 224, 256, 384 or 512 bits.

Example of an SHA-2 hash:

e674be32d4e5b921f4135052f959c6bbde388a856a9263925a830da4369df675

#14

The full OS is not on the hard-drive, there is an 8 GB NAND chip on the motherboard that likely contains the bootloaders and possibly the kernel/hypervisor.

If the HDD is removed from the console, the console will hang on the boot animation, so the bootanim.xex equivalent probably resides on that chip with more boot-related/secure components.


#15

That’s my theory of developing a kernel exploit out of the window. I guess, like the old 360 kernel exploit, it will involve the requirement of a chip modification. I think the guy who did it first on the 360 was a Frenchman under the handle of “GliGli”.


#16

Be careful not to assume too many similarities to the 360.
It could be designed so that what was one item on the 360 is now 2-3, or one main item requiring constant referencing to others.

The security is most likely designed into this tri-OS with cloud syncing system.

No matter how similar it may appear to a PC… it is designed to perform as a medium whereby you can use all Xbox-related services but lacks the freedom of a PC, and Microsoft are not stupid… the modding community may have learnt a lot about how M$ approach console security but that works both ways… M$ won’t have underestimated modders… not after being slapped repeatedly by people like c4eva.

That said… good luck Xboxmb modders… we await whatever you may conjure up :thumbsup:


#17

In other news, the Xbox One NAND (size 4.9 GB) has been successfully dumped.


#18

The NAND of the Xbox One is 4.9 GB in size and can, as on the 360, be dumped with an SD card reader. J-Runner cannot be used for dumping because it reads out a maximum of 3.5 GB, as on the Corona. The quartz must be disabled, as on the Corona V2.

C4eva has confirmed that the first Xbox One games have already been read successfully. This is certainly a first step in the right direction, but it does not mean much at this time. If the Xbox One is protected with similar protections to the Xbox 360, then the reading in itself does not achieve much. There will certainly not be a firmware-flash-like solution this time, as Blu-rays are relatively secure. This is already clear on the PS3, where there is no solution for playing games on BD-R media to this day. If most games really need about 40 GB of space, the 500 GB could quickly run out.

My own two cents, the NAND being dumped isn’t a “big breakthrough” because it’s still fully encrypted, and so far, nobody has been able to bypass or crack it.


#19

Also an xboxONE HDD dump in case anyone wants to just have a look through, doubt you’ll find anything interesting though.

https://mega.co.nz/#!AQdHAZ6b!W0ED2Gk4YiE2wjLJlJAK8jw9ev8LMZc9W2KwiMJ71Wc


#20

HDD dump? It’s just a file with literally nothing.