App Horizon

[Community Research] Xbox One & Modding


Isn’t mine, found it while researching, haven’t looked at it myself just posted it.


I’ve been sniffing through the network traffic and all the traffic goes through https :confused: Need a way to decrypt it with Wireshark. So I’m mostly going through the API traffic of SmartGlass which also goes through https but that isn’t a problem with Fiddler.

They use XML & JSON for the API which is difference per item requested. The platform of the Xbox One is still called Durango :laughing:

Through SmartGlass you can get allot of details of the user. Most requests except for a few require authorization. The Authorization is made using OAuth and Microsoft’s Account system after initial authorization it’s changed to use their own XBL3.0 Authorization Scheme.

When going through the json for the achievements I’ve noticed that all the urls are pretty long and all start with the same string. Which means that there is information in it referencing to the game it belongs to. Here is a JSON dump of Achievement stuff.

In each Achievement it’s listed what the reward is which can be Gamescore, Art and Clothing. Gamerscore is only given for Persistent achievements and not Challenges. Each game can now also track additional information like the amount of kills made, gold earned.

mediaAssets contain information about the achievement icon. Containing a name and url. I don’t know what is used to generate the image url. The URL is static and doesn’t change.

When looking at the game details of the store you notice that it’s XML instead of JSON (Dump). I have a feeling that the long urls of the achievements are actually resize urls because they are similar to the resize urls in the image list of the details. The beginning of them doesn’t match up, even if they are the same game. I think they are generated with the multitude of ID’s that get send with them.

You can go through the source of SmartGlass using any .NET Reflector because almost all DLLs use .NET.
AchievementV2 is for the Xbox One. The X360 and X1 both have different formats for the achievements which is the reason why the X1 achievements are displayed as 1 game on the X360.

Here is a list of environments, there are much more than the X360

  • [S]Storax[/S]
  • [S]TestNet[/S]
  • [S]INT2[/S]
  • [S]StressNet[/S]
  • [S]PartnerNet[/S]
  • Production
  • [S]Dev[/S]
  • [S]CertNet[/S]
  • [S]VINT[/S]
  • DNET

EDIT: The environments with a strike through are old X360 Environments (Thanks @Eaton)

The SmartGlass files also contain a file called which is in XDBF format: (Link)

Edit: Anyone has a full dump of the HDD & NAND which they can send me? (PM if not allowed on forums)


Excellent research frankie.


After looking through the image url’s again I noticed that the resizeUrl of the Game Details is a bit longer than the achievement urls. Both urls have the same starting string length (106 chars).



I also found this Imgur link in the source code (dem creative skills)

Open Me

Here is a list of different API Endpoints. There are more endpoints.

ProfileServiceBatchEndpointFormat = "https://profile{0}";
ProfileServiceEndpointFormat = "https://profile{0}{1}/profile/settings?settings=GameDisplayPicRaw,Gamerscore,Gamertag,AccountTier,XboxOneRep,PreferredColor";
PeopleFollowingServiceEndpointFormat = "https://social{0}{1}/people";
PeopleFollowingEditServiceEndpointFormat = "https://social{0}{1}/people/{2}";
PeopleFollowerServiceEndpointFormat = "https://social{0}{1}/followers";
PeopleSummaryServiceEndpointFormat = "https://social{0}{1}/summary";
PeopleFavoriteServiceEndpointFormat = "https://social{0}{1}/people/favorites/xuids?method={2}";
MessageSummaryServiceEndpointFormat = "https://msg{0}{1}/inbox?maxItems=100&continuationToken={2}";
MessageDetailServiceEndpointFormat = "https://msg{0}{1}/inbox/{2}";
MessageSendServiceEndpointFormat = "https://msg{0}{1}/outbox";
TrendingEndpointFormat = "https://socialdiscovery{0}{1}/{2}/popularitems/current/community/{3}?channellineupid={4}&channellineupcountry={5}&maxitems={6}";
ActivityFeedEndpointFormat = "https://avty{0}{1}/Activity/history?platform=XboxOne";
PeopleActivityFeedEndpointFormat = "https://avty{0}{1}/Activity/People/People/Feed?pollingToken={2}&numItems={3}";
PresenceServiceBatchEndpointFormat = "https://userpresence{0}";
BlockedListServiceEndpointFormat = "https://privacy{0}{1}/people/never";
TitleHistoryV1ServiceEndpointFormat = "https://achievements{0}{1}/history/titles?platforms=1,2,15,16,17&types=1,3&maxItems={2}&continuationToken={3}&orderBy=unlockTime";
TitleHistoryV1ForTitlesServiceEndpointFormat = "https://achievements{0}{1}/history/titles?maxItems={2}&titleId={3}&orderBy=unlockTime";
TitleHistoryV2ServiceEndpointFormat = "https://achievements{0}{1}/history/titles?maxItems={2}&continuationToken={3}&orderBy=unlockTime";
TitleHistoryV2ForTitlesServiceEndpointFormat = "https://achievements{0}{1}/history/titles?maxItems={2}&titleId={3}&orderBy=unlockTime";
FullAchievementsForTitleEndpointFormat = "https://achievements{0}{1}/titleachievements?titleId={2}&maxItems={3}&continuationToken={4}";
EarnedAchievementsForTitleEndpointFormat = "https://achievements{0}{1}/achievements?titleId={2}&maxItems={3}&continuationToken={4}";
AchievementV2ForTitleEndpointFormat = "https://achievements{0}{1}/achievements?titleId={2}&maxItems={3}&orderBy=EndingSoon&continuationToken={4}";
BatchStatsEndpointFormat = "https://userstats{0}";
FeaturedChallengeEndpointFormat = "https://achievements{0}{1}/featured?maxItems={2}&orderBy=EndingSoon";
AchievementV2DetailEndpointFormat = "https://achievements{0}{1}/achievements/{2}/{3}";
UserGameClipServiceEndpointFormat = "https://gameclipsmetadata{0}{1}/clips?maxItems={2}&continuationToken={3}";
TitleUserGameClipServiceEndpointFormat = "https://gameclipsmetadata{0}{1}/titles/{2}/clips?maxItems={3}&continuationToken={4}";
TitlePublicGameClipServiceEndpointFormat = "https://gameclipsmetadata{0}{1}/clips?maxItems={2}&qualifier=created&continuationToken={3}";


They’re using imgur to host stuff?!


No. The imgur url was just a test from a developer and he/she forgot to take it out.


Are you sure? Pretty sure it is just Production and DNet.:wink:
Those others are 360 environments, and might have remained in the place you are looking for compatibility with 360 code.


I just took them out of a enum I found in the source. I also think you are correct with it only being Production and DNet because I never saw any of the other environments show up in the code unlike those two.

The D in DNET, DApp, DGame, etc seems to stand for Durango. DApp & DGame can be found in certain API responses.


Nice, someone whos already looking into the “Xbox One Smartglass” App :slight_smile:
I was already looking at the smali-code
Really nice work @sgt frankiebox


Can anyone upload and post/PM me some XVD files?



Thanks. I had looked online but only seen two other links that they took down.


Could you (or someone else) possibly upload a XVD file, with as much information as possible. I want to look into some Xbox One stuff, but unfortunately cannot fund it.

EDIT: I’m an idiot, didn’t read the whole thread. Thanks, Eaton.

For those who don’t want to download over a gigabit of data, here are a couple smaller ones (unmodified, 55 MB):


Eaton just posted a link to download the files.


What a disapointment. They seem to be fully encrypted. This is no good without a homebrew-enabled console.


Yup, this is like an encrypted version of STFS. Probably going to take a long time to figure out the decryption, and to figure out where the keys actually are.


Also doesn’t help that they’ve changed to SHA-2 encryption, which is very different to SHA-1.


You downloaded both files when they first released the Offline Updates ?

I downloaded both files from here:
They both dont have the “args.txt” file and nearly all files from both packages are identical, except the “updater.xvd”.


SHA2 isn’t an encryption, it’s a hashing algorithm. Hashes are easy to fix, but are almost-always signed by an RSA signature.
There appear to be multiple SHA2 hashes in the header, not sure what they hash exactly.
And, if you look at the format, the first 0x200 bytes before “msft-xvd” look like an RSA signature to me, so it’s probably signing this hash table.


I believe the value found at 0x34C is a SHA-2 hash(if what you say is true, that they moved on), and 0x3AC being a key encryption.