While the Xbox One and its successors have been out for a while, until recently there were no softmods (software modifications that make a system behave differently from what the manufacturer intended) available for users. That has seemingly changed: an individual has revealed the existence of a kernel-level exploit along with a limited proof of concept.
The method uses an easily-available app called ‘Game Script’, which is published on the Microsoft Store.
‘Game Script’ Xbox Console Kernel-Level Exploit
carrot_c4k3, the individual behind the discovery, disclosed on X that the exploit, which is not a jailbreak, works against the System OS that runs on newer Xbox consoles such as the Xbox One. System OS is the virtualized environment the consoles use to run a wide variety of applications; applications downloaded from the Microsoft Store run on this layer.
Xbox users can typically gain access to this environment by enabling developer mode on their consoles. However, carrot_c4k3 stated that while the exploit gives full control over homebrew running inside the System OS virtual machine on a retail Xbox, it does not enable the use of pirated software. The method currently relies on the Game Script UWA application available on the Microsoft Store, which lets users write and run scripts in a custom scripting language on the device.
The exploit consists of two components:
User mode: the initial stage, in which the user gains native code execution in the context of a UWP (Microsoft Store) application.
Kernel exploit: the second stage, in which the user exploits a kernel vulnerability to gain arbitrary kernel read/write, which can then be used to elevate the privileges of a chosen running process.
The proof-of-concept exploit shared on GitHub is currently limited to the context of UWP apps, which are more ‘locked down.’ However, carrot_c4k3 shared their intent to release another exploit for Xbox One and Xbox Series consoles by next month that would provide full kernel read/write within the System OS environment.
The full exploit is stated to rely on kernel address leaks obtained through ‘NtQuerySystemInformation’, which are not available to UWP apps. Hence, the user is developing an alternative exploit that does not depend on those leaks.
The exploit allows users to bypass the fee required to enable developer mode on Xbox consoles and gives them the ability to modify game save data on the device, but it does not allow modding of the games themselves. The modder also discussed the possibility of using the exploit to run ‘simple emulators’ for older platforms.
carrot_c4k3 acknowledged that use of the exploit could potentially be detected by Microsoft, and recommended running it on a dedicated offline console.
Exploit Might Have Been Patched In Newer Xbox Firmware Versions
A set of steps for performing the hack was shared on the Xbox One Research GitHub page:
Ensure your Xbox Live account Login-Type is configured as “No barriers” aka. auto-login with no password prompt
Set your console as “Home Console” for this account
Download the App Game Script
Start the app (to ensure license is downloaded/cached)
Take your console offline! To make extra sure it cannot reach the internet, set a manual primary DNS address of 127.0.0.1
Get a device/microcontroller that can simulate a Keyboard (rubber ducky or similar) – otherwise you have to type a lot manually 😀
The page states that the exploit is “likely to be patched soon (in next System Update).” A thread on GBAtemp.net, a forum for discussing various video game platforms, reported that the latest firmware update for the Xbox One has already patched the exploit, making firmware 10.0.25398.4478 the last exploitable version.
While the full consequences of this exploit, and of the one still to be shared, are unknown, it highlights the continued interest console players have in bypassing manufacturer-imposed device limits.
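Because the exploit window is defined by a dotted build number, the check a practitioner wants is whether a given console build is at or below the last exploitable one. The snippet below is an added example, not code from the article, from carrot_c4k3 or from the Xbox One Research project; it assumes only the article's claim that 10.0.25398.4478 is the last exploitable build, and every other build string in it is constructed for illustration. Its one lesson beyond the text is that build numbers must be compared numerically, since a plain string comparison would rank a hypothetical "10.0.25398.10000" below "10.0.25398.4478".

```python
"""Firmware-build check for the Game Script exploit window.

Added example, not code from the original article or from the
Xbox One Research project. It assumes the article's claim that
10.0.25398.4478 is the last exploitable System OS build.
"""
from typing import Tuple

# Last build reported as still exploitable (stated in the article).
LAST_EXPLOITABLE = "10.0.25398.4478"


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted build string into a tuple of ints.

    Numeric comparison matters: as strings, "10.0.25398.10000" sorts
    before "10.0.25398.4478" because "1" < "4", which would wrongly
    mark a newer (patched) build as exploitable.
    """
    parts = version.strip().split(".")
    if not parts or not all(p.isdigit() for p in parts):
        raise ValueError(f"malformed build string: {version!r}")
    return tuple(int(p) for p in parts)


def is_exploitable(version: str, last_good: str = LAST_EXPLOITABLE) -> bool:
    """True when the build is at or below the last exploitable build."""
    return parse_version(version) <= parse_version(last_good)


def classify(version: str) -> str:
    """'exploitable', 'patched', or 'unknown' for a malformed string."""
    try:
        return "exploitable" if is_exploitable(version) else "patched"
    except ValueError:
        return "unknown"


if __name__ == "__main__":
    # Constructed sample builds; only the first one is taken from the article.
    for build in ["10.0.25398.4478", "10.0.25398.10000",
                  "10.0.22621.2864", "not-a-build"]:
        print(build, classify(build))
```

The default threshold is the article's figure; if a later report moves the cut-off, pass the new build string as `last_good` rather than editing the constant.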
Media Disclaimer: This report is based on internal and external research obtained through various means. The information provided is for reference purposes only, and users bear full responsibility for their reliance on it. The Cyber Express assumes no liability for the accuracy or consequences of using this information.