emma
Jun 10, 10 tweets, 3 min read
some info about the xbox hacking news that is starting to be shared bc i want to make sure everyone's expectations are set appropriately: my goal is to release (probably early next month) an exploit for xbox one/series consoles which will allow full kernel read/write in systemos.
this is NOT a "jailbreak". systemos is the virtual machine where apps run, it's the environment you get control over when you enable dev mode on your console. this exploit will allow full control over this vm: homebrew on retail consoles without dev mode. it will NOT allow piracy.
the exploit consists of two pieces: a user mode part which gains native code execution in the context of a uwp store app (). i've posted a proof-of-concept here which demos mapping and executing new code using this app's language apps.microsoft.com/detail/9pb1gw7…
gist.github.com/carrot-c4k3/10…
once user mode code exec has been achieved, the second part starts, which is to exploit the kernel. this part uses a kernel vulnerability to achieve arbitrary kernel read/write and elevate the process's privileges.
full transparency: this part isn't done yet 🙃 i have exploited this bug on standard windows from medium il, but the environment where we get user mode code exec here is a uwp app, which is more locked down. i have poc'd the kernel bug from uwp on xbox to verify it is accessible.
BUT the difficulty at the moment is... kaslr! my medium il exploit is reliant on the classic NtQuerySystemInformation leaks, which are not available to uwp apps 🥲 so i'm being forced to work around this.
loyal readers of exploits.forsale will recognize this as a difficulty i discussed in the last post () when attempting to exploit 24h2 insider preview and solved using a timing side channel.
exploits.forsale/24h2-nt-exploi…
my current plan is to do the same here, but xbox is amd and i only really got the side channel reliable on intel, so i have lots of timing and number crunching ahead of me 🫠
ANYWAY that's the status of things. hopefully soon i will have an exploit to share with everyone! if you'd like to play around with it using this then i recommend updating a console to the latest dash, downloading the game script app, running it, and taking the console OFFLINE :^]
(also if anyone has a uwp accessible kaslr bypass they wanna give me that would be greatly appreciated <3)