diff --git a/.gitignore b/.gitignore index b3dd06a..b501f6a 100644 --- a/.gitignore +++ b/.gitignore @@ -6,6 +6,7 @@ Thumbs.db # mkdocs build dir +.cache/ site/ # Python venv diff --git a/docs/NAVIGATION.md b/docs/NAVIGATION.md index f7c4ba9..f117fdf 100644 --- a/docs/NAVIGATION.md +++ b/docs/NAVIGATION.md @@ -1,5 +1,6 @@ - [Home](index.md) - Hardware + - [SKU List](retail-xone-skus.md) - [Codenames](codenames.md) - [Console revisions](console-revisions.md) - [CPU](cpu.md) diff --git a/docs/codenames.md b/docs/codenames.md index 2ebc50d..d5e1a30 100644 --- a/docs/codenames.md +++ b/docs/codenames.md 
@@ -4,10 +4,20 @@ This page contains a list of known internal codenames for hardware, software, ac | Codename | Product / App Name | Category | Description or Comments | |----------|-------------|------|------| +| Arden/Sparkman | Codename(s)? for the Xbox Series S/X secure AMD enclave | Hardware | N/A | +| Keystone | Unreleased Xbox Streaming platform / hardware device | Hardware | N/A | +| Cordova | Codename for one of the Xbox One ODD hardware revisions | Hardware | N/A | +| Lancaster | Codename for one of the Xbox One ODD hardware revisions | Hardware | N/A | +| Monterey | Codename for one of the Xbox One ODD hardware revisions | Hardware | N/A | +| Argos | Codename for the [Zebra prototype controller](https://x.com/TorusHyperV/status/1690416005564993536?s=20) hardware | Hardware | N/A | +| Geneva | Presumably, codename for some uncertain controller prototype hardware | Hardware | N/A | | Nui / nuisensor | Kinect | Hardware | Internal name for Kinect, still used in official APIs and drivers | | Petra | Presumably, a codename of an earlier Kinect prototype hardware version | Hardware | N/A | | Nazca | Presumably, a codename of an earlier Kinect prototype hardware version | Hardware | N/A | | Ameri | Presumably, a codename of an earlier Kinect prototype hardware version | Hardware | N/A | +| Graybull | Codename for the retail Xbox One PHAT day One mainboard revision | Hardware | N/A | +| Silverton | Codename for a retail Xbox One PHAT mainboard revision | Hardware | N/A | | Zurich | [Xbox One Digital Tv Tuner Adapter](https://www.amazon.de/Xbox-One-Digital-TV-Tuner/dp/B00E97HVJI) | Hardware | N/A | | Brittlebush | [XDK Transfer Device](xdk_transfer.md) | Hardware | N/A | +| Xiphos | Codename for the GIP (Gamepad Input Provider) service in SystemOS | Software | N/A | diff --git a/docs/exploits.md b/docs/exploits.md index 479b9ed..39c9571 100644 --- a/docs/exploits.md +++ b/docs/exploits.md 
@@ -11,6 +11,7 @@ - [Browser access while offline](exploits/browser-access-while-offline.md) ### Development mode +- [SystemOS Elevation of privileges via Artifice (automation tool) using vulnerability in OpenSSH service](exploits/artifice-devmode-elevation.md) (10.09.2023) - [SystemOS Read/Write overlay for System.xvd](exploits/devmode-systemxvd-read-write.md) (31.07.2019) - [SystemOS Elevation of privileges via UnattendedUtilities](exploits/devmode-unattended-utilities.md) (11.06.2019) - [SystemOS Elevation of privileges via VSProfiling account](exploits/devmode-priv-escalation-vsprofiling.md) (09.09.2018) diff --git a/docs/exploits/artifice-devmode-elevation.md b/docs/exploits/artifice-devmode-elevation.md new file mode 100644 index 0000000..e1fea71 --- /dev/null +++ b/docs/exploits/artifice-devmode-elevation.md @@ -0,0 +1,24 @@ +# Name / description of vulnerability + +## Metadata +| | | +|-----------------------------|-----------------------------------------------------| +|Release date | 10.09.2023 | +|Author | Kudayasu | +|Classification | Devmode SystemOS privilege escalation | +|Patched | No (as of October 1st 2023) | +|Patch date | - | +|First patched system version | - | +|Source | https://kudayasu.github.io/an-autopsy-of-artifice/ | +|Download | https://github.com/Kudayasu/Artifice/releases/tag/v.1.1.0 | + +## Info +A completely privilege escalation exploit for Devmode, granting an admin account in SystemOS. + +## Prerequisites +- Windows host computer +- Console in devmode (UWP devkit or superior) + +## Instructions +Download the artifice release, make sure your console is reachable from the host computer, run the program and type the console IP. Then launch the exploit. +If it succeeds, an account called `admin` with password `admin` will be created in SystemOS. You can ssh to this account. 
diff --git a/docs/hardware/X887998-010/back.jpeg b/docs/hardware/X887998-010/back.jpeg new file mode 100644 index 0000000..0d93123 Binary files /dev/null and b/docs/hardware/X887998-010/back.jpeg differ diff --git a/docs/hardware/X887998-010/front.jpeg b/docs/hardware/X887998-010/front.jpeg new file mode 100644 index 0000000..29f00cb Binary files /dev/null and b/docs/hardware/X887998-010/front.jpeg differ diff --git a/docs/hardware/X902472-006/back.jpeg b/docs/hardware/X902472-006/back.jpeg new file mode 100644 index 0000000..33e897b Binary files /dev/null and b/docs/hardware/X902472-006/back.jpeg differ diff --git a/docs/hardware/X902472-006/front.jpeg b/docs/hardware/X902472-006/front.jpeg new file mode 100644 index 0000000..256bb96 Binary files /dev/null and b/docs/hardware/X902472-006/front.jpeg differ diff --git a/docs/retail-xone-skus.md b/docs/retail-xone-skus.md new file mode 100644 index 0000000..1112632 --- /dev/null +++ b/docs/retail-xone-skus.md 
@@ -0,0 +1,92 @@ +# Retail Xbox One Motherboard SKU listing + +This page aims to become an exhaustive list of every different motherboard models / SKUs out there. **It is currently Work In Progress.** + +At the moment, the following identificators are collected, and where to find them: + +For Xbox One Phat: + +- PCB Label Number: This is the number, starting with X, that appears on the motherboard's label, in the front layer. + +- PCB Soldermask Number: This is the number, starting with X, that appears on the bottom right corner, in the front layer. + +- Hardware description / differences: relevant changes in components, etc. + +- Owned by / Contributed by: who discovered the board revision. + +- Pictures. + +For Xbox One S/X: + +- Same as above. Update this page with where to find the identificators on the boards. + +## Contributing models and pictures + +Upload your PCB pictures to the directory */docs/hardware/*. + +Use the following guidelines: + +* Create a subdirectory with the name of the soldermask SKU (The one on the front side of the motherboard, in the bottom right corner, starting with X. NOT THE ONE ON THE LABEL) + +* Upload at least two pictures: front and back + +* Make sure they are high resolution, such that the SKUs are visible when zooming in. + +* Update the SKUs page accordingly. + +## Xbox One Phat + +### Durango Revisions + + +* **PCB Label Number**: +* **PCB Soldermask Number**: +* **Hardware description / differences**: +* **Owned by / Contributed by**: public domain +* **Pictures**: + +Not available yet + + +### Silverton Revisions + + +* **PCB Label Number**: X933919 - 001 Rev. C +* **PCB Soldermask Number**: - +* **Hardware description / differences**: Reduced eMMC/Southbridge voltage regulator with unknown voltage divider. +* **Owned by / Contributed by**: Anonymous +* **Pictures**: + +Not available yet + + +--- +* **PCB Label Number**: X900499 - 001 Rev. 
C +* **PCB Soldermask Number**: X887998-010 +* **Hardware description / differences**: Reduced eMMC/Southbridge voltage regulator with unknown voltage divider. Does not contain data lines on the bottom layer of the PCB, under the HDMI ports. +* **Owned by / Contributed by**: TorusHyperV +* **Pictures**: + +![X887998-010 Front](hardware/X887998-010/front.jpeg) +![X887998-010 Back](hardware/X887998-010/back.jpeg) + + +--- +* **PCB Label Number**: X940636 - 001 Rev. A +* **PCB Soldermask Number**: X902472-006 +* **Hardware description / differences**: Reduced eMMC/Southbridge voltage regulator with known voltage divider. Dark green soldermask, instead of light green. +* **Owned by / Contributed by**: TorusHyperV +* **Pictures**: + +![X902472-006 Front](hardware/X902472-006/front.jpeg) +![X902472-006 Back](hardware/X902472-006/back.jpeg) + + +## Xbox One S +_Your help is needed to complete this page! Fork this repo and make a Pull Request to contribute_ + +## Xbox One S - all digital +_Your help is needed to complete this page! Fork this repo and make a Pull Request to contribute_ + +## Xbox One X +_Your help is needed to complete this page! Fork this repo and make a Pull Request to contribute_ diff --git a/docs/xcrdutil.md b/docs/xcrdutil.md index b796215..c5b4787 100644 --- a/docs/xcrdutil.md +++ b/docs/xcrdutil.md 
@@ -138,4 +138,7 @@ xcrdutil -delete_blob [XUC:]\targetPackage.xvd |0x80070002 | File/path not found | This error appears whenever an invalid path to a file is used (either XCRD, native \\??\\ path, or SystemOS path). | ```xcrdutil -m [XUC:]\idontexist.xvd``` |0x80070570 | Possible permission error |This error appears when an operation is denied due to insufficient permissions. Examples include trying to mount host.xvd. | ```xcrdutil -m \??\F:\host.xvd``` or ```xcrdutil -QueryInfo \??\F:\host.xvd 3``` |0x8007048F | Path not found |This error appears when trying to create/access a file in a XCRD path that does not exist. | ```xcrdutil -c [XE0:]\someinvalidpath``` -|0x80070032 | Unknown | Possibly meaning the passed XVD does not have region information | ```xcrdutil -Specifiers [XUC:]\someXvdYouveMounted``` +|0x80070032 | Unknown | Possibly meaning the passed XVD does not have region information | ```xcrdutil -Specifiers [XUC:]\someXvdYouveMounted``` +|0x80070005 | Unknown | Unknown | ```xcrdutil -read_blob \??\F:\host.xvd D:\DevelopmentFiles\host.xvd.dmp``` (as elevated admin account) + +NOTE: It is possible that error codes have changed over time with newer xcrdutil versions, and the table might not be completely accurate.
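
Review bot: In docs/codenames.md, the three new ODD rows (Cordova, Lancaster, Monterey) carry the identical text "Codename for one of the Xbox One ODD hardware revisions" with `N/A` as the comment, so the table gives no way to tell which revision each name refers to. If the mapping is not known, say so in the Description or Comments column instead of `N/A`. The same applies to `Codename(s)?` in the Arden/Sparkman row, which does not say whether these are two names for one enclave or two separate things. The Argos link can also drop its `?s=20` query parameter, and "PHAT day One" in the Graybull row has inconsistent capitalisation.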
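
Review bot: The new docs/exploits/artifice-devmode-elevation.md still has the template heading `# Name / description of vulnerability`, and the Info line "A completely privilege escalation exploit for Devmode" is missing a word. Replace the heading with the actual name. The index entry added to docs/exploits.md attributes the escalation to a vulnerability in the OpenSSH service, but the page itself never mentions OpenSSH, so the Info section should state that in one sentence or the index entry should be shortened to match. Since the Instructions say the result is an `admin` account with password `admin` that accepts ssh logins, the page should also say whether that account persists across reboots and tell the reader to change its password or remove it once done.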
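
Review bot: In docs/retail-xone-skus.md, the third Silverton entry (X940636 - 001 Rev. A) says "known voltage divider" while the two entries before it say "unknown voltage divider"; please confirm whether this is a real difference between the boards or a typo, and if the divider is known, state its values. The contribution guidelines ask for a subdirectory named after the soldermask SKU, yet the first Silverton entry lists its soldermask number as `-`, so say what a contributor should do when only the label number is available. The Durango block is committed with every field empty apart from "public domain"; it could be left out until there is data. "identificators" should read "identifiers", and "every different motherboard models" should read "every different motherboard model".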
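
Review bot: In docs/xcrdutil.md, the new `0x80070005` row is entered as Unknown / Unknown, but this value is the standard Windows access-denied HRESULT (E_ACCESSDENIED), which fits the example of reading `host.xvd`. Name it as such and use the description column to record the observation that the read is refused even from an elevated admin account, since that is the useful finding here. The `0x80070032` row is removed and re-added with no visible change, which looks like a whitespace or line-ending edit; drop it from the diff if it is unintentional.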