Xbox 360 executable designed to apply freedom-unlocking patches based on xeBuild to the kernel and hypervisor. (Mirrored from https://github.com/FreeMyXe/FreeMyXe)

liveblock, pingpatch, og xbox, poland

+215 -10
+24 -8
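--- a/README.md
+++ b/README.md
@@ -3,8 +3,9 @@
 by Emma / InvoxiPlayGames
 
 Xbox 360 executable designed to apply freedom-unlocking patches from xeBuild
-to the kernel and hypervisor at runtime. For use with
-[Xbox360BadUpdate](https://github.com/grimdoomer/Xbox360BadUpdate).
+to the kernel and hypervisor at runtime. For use with Grimdoomer's
+[Xbox360BadUpdate](https://github.com/grimdoomer/Xbox360BadUpdate) hypervisor
+exploit.
 
 Nowhere near finished or ready or stable or anything, but might be good enough
 for some.
@@ -33,14 +34,23 @@
 * Allows more homebrew be able to be launched without erroring back to
 dashboard.
 * Fixes the ring of light / controller syncing bug after using BadUpdate.
-* Allows launching XeLL if you have `xell-1f.bin` in the
-BadUpdatePayload folder.
+* Patches the <30ms ping check for System Link.
+* Allows launching XeLL if you have `xell-1f.bin`, `xell-2f.bin` or
+`xell-gggggg.bin` in the BadUpdatePayload folder.
 * Patches USB controller authentication check (a-la "UsbdSecPatch") to let
 certain compatible controllers and adapters work. That's for you, Mario.
+* (**beta4 and above only**) Disables connecting to Xbox Live. *You **MUST**
+still disconnect before you start running the exploit!*
+
+### Original Xbox support
+
+The patches made by FreeMyXe are not fully compatible with running Original Xbox
+games. Before starting any Original Xbox title, you **must** launch
+"OGXboxPrep.xex" first, and after you're done you must launch it again.
+This is included in FreeMyXe beta4 and above.
 
 ## TODO
 
-* Actual patch loader
 * Daaaashlaaaaaaunch?
 
 ## Credits
@@ -51,14 +61,20 @@
 https://www.xbins.org/nfo.php?file=xboxnfo2431.nfo)
 * RGLoader
 
+Greets to the Free60 project!
+
 (let me know if I got anything wrong!)
 
 ### Translations
+
+Thank you to everyone who helped translate FreeMyXe!
 
 * Spanish - by [lexd0g](https://github.com/lexd0g)
-* French (CA) - by [needsmorepaper](https://github.com/needsmorepaper)
-* Portuguese (PT) - by [Animadoria](https://github.com/Animadoria)
-* Portuguese (BR) - by [Xyozus](https://github.com/Xyozus)
+* French (Canadian) - by [needsmorepaper](https://github.com/needsmorepaper)
+* Portuguese (Portugal) - by [Animadoria](https://github.com/Animadoria)
+* Portuguese (Brazilian) - by [Xyozus](https://github.com/Xyozus)
 * German - by [tuxuser](https://github.com/tuxuser)
+* Polish - by [chackAJMCPE](https://github.com/chackAJMCPE) and [DoruDoLasu](https://github.com/DoruDoLasu)
 * Russian - by [eversiege](https://github.com/eversiege) and [veselcraft](https://github.com/veselcraft)
 * Korean - by [Helloyunho](https://github.com/Helloyunho)
+* Chinese (Simplified) - by [Mez0ne](https://github.com/Mez0ne)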
+67
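--- a/extras/OGXboxPrep/Makefile
+++ b/extras/OGXboxPrep/Makefile
@@ -0,0 +1,67 @@
+# OGXboxPrep Makefile
+
+# the source code files to compile from
+SRC_DIR := source
+SOURCES := $(wildcard $(SRC_DIR)/*.c)
+INC_DIR := include
+
+# output filename for final XEX file
+OUTNAME := OGXboxPrep
+
+# definitions for compilation
+DEFINES := NDEBUG
+
+# build directory
+BUILD := build
+# .obj object files
+OBJECTS := $(subst $(SRC_DIR),$(BUILD),$(patsubst %.c,%.obj,$(SOURCES)))
+# executable tool path
+TOOLPATH := $(XEDK)/bin/win32
+COMPILER := "$(TOOLPATH)/cl.exe"
+LINKER := "$(TOOLPATH)/link.exe"
+IMAGEXEX := "$(TOOLPATH)/imagexex.exe"
+XEXTOOL := $(XEXTOOL)/XexTool.exe
+# include directories
+INCLUDES := "$(XEDK)/include/xbox"
+# library directories
+LIBDIR := "$(XEDK)/lib/xbox"
+# library includes
+LIBS := xapilib.lib xboxkrnl.lib
+# compiler flags
+CFLAGS := -c -Zi -nologo -W3 -WX- -Ox -Os -D _XBOX -D RB3E_XBOX $(patsubst %,-D %,$(DEFINES)) \
+-GF -Gm- -MT -GS- -Gy -fp:fast -fp:except- -Zc:wchar_t -Zc:forScope \
+-GR- -openmp- -FI"$(XEDK)/include/xbox/xbox_intellisense_platform.h" \
+-Fd"$(BUILD)/" -I "$(INC_DIR)"
+# linker flags
+LFLAGS := -ERRORREPORT:PROMPT -INCREMENTAL:NO -NOLOGO $(LIBS) \
+-MANIFESTUAC:"level='asInvoker' uiAccess='false'" -DEBUG \
+-STACK:"262144","262144" -OPT:REF -OPT:ICF -TLBID:1 -RELEASE \
+-XEX:NO
+# xex generation flags
+XEXFLAGS := -nologo -config:"xex.xml"
+# xextool flags
+XEXTOOLFLAGS := -e e -c c -m r -r a
+# =================
+
+.PHONY: all
+all: $(OUTNAME).xex
+
+.PHONY: clean
+clean:
+@rm -rf $(wildcard $(BUILD) $(OUTPUT))
+@rm -f $(OUTNAME)
+
+$(OUTNAME).xex: $(BUILD)/$(OUTNAME).exe
+@echo "Creating XEX..."
+@mkdir -p $(@D)
+@$(WINDOWS_SHIM) $(IMAGEXEX) $(XEXFLAGS) -out:"$@" "$^"
+@$(WINDOWS_SHIM) $(XEXTOOL) $(XEXTOOLFLAGS) $@
+
+$(BUILD)/$(OUTNAME).exe: $(OBJECTS)
+@echo "Linking EXE..."
+@mkdir -p $(@D)
+@LIB=$(LIBDIR) $(WINDOWS_SHIM) $(LINKER) $(LFLAGS) -OUT:"$@" -PDB:"$(BUILD)/$(OUTNAME).pdb" -IMPLIB:"$(BUILD)/$(OUTNAME)" $^
+
+$(BUILD)/%.obj: $(SRC_DIR)/%.c
+@mkdir -p $(@D)
+@INCLUDE=$(INCLUDES) $(WINDOWS_SHIM) $(COMPILER) $(CFLAGS) -Fo"$@" -TC $<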
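Review bot: The `clean` target (new lines 50-52) does not remove what this Makefile builds: it deletes `$(OUTNAME)` with no extension and expands `$(OUTPUT)`, which is never defined in this file, so `OGXboxPrep.xex` survives a clean; `@rm -f $(OUTNAME).xex` would match the `all` target. `XEXTOOL := $(XEXTOOL)/XexTool.exe` redefines the variable from an environment value of the same name and, unlike the other tool paths, is unquoted, so an unset value or one containing spaces yields a broken command; a separate name for the directory variable plus quoting would be safer. `-D RB3E_XBOX` looks carried over from another project, and `-GS-` turns off the compiler's stack buffer checks; a one-line comment saying whether each is intentional would help the next reader.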
+2
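--- a/extras/OGXboxPrep/include/xboxkrnl.h
+++ b/extras/OGXboxPrep/include/xboxkrnl.h
@@ -0,0 +1,2 @@
+extern void DbgPrint(const char *s, ...);
+extern unsigned int MmGetPhysicalAddress(void *buffer);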
+61
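--- a/extras/OGXboxPrep/source/OGXboxPrep.c
+++ b/extras/OGXboxPrep/source/OGXboxPrep.c
@@ -0,0 +1,61 @@
+#include <xtl.h>
+#include <stdint.h>
+#include <string.h>
+#include "xboxkrnl.h"
+
+uint64_t __declspec(naked) HvxGetVersions(uint32_t magic, int op, uint64_t source, uint64_t dest, uint64_t length) {
+__asm
+{
+li r0, 0x0
+sc
+blr
+}
+}
+
+uint64_t GetHVTargetAddress(uint32_t address)
+{
+if (address >= 0x00000 && address < 0x10000)
+return 0x8000010000000000 | address;
+else if (address >= 0x10000 && address < 0x20000)
+return 0x8000010200000000 | address;
+else if (address >= 0x20000 && address < 0x30000)
+return 0x8000010400000000 | address;
+else if (address >= 0x30000 && address < 0x40000)
+return 0x8000010600000000 | address;
+else
+return 0x8000030000000000 | address;
+}
+
+void ReadHypervisor(void *userland_data, uint32_t hv_address, size_t length)
+{
+// get the hypervisor address to patch
+uint64_t hv_target = GetHVTargetAddress(hv_address);
+// allocate some physical memory for the memcpy to copy to
+uint8_t *data_buf = (uint8_t *)XPhysicalAlloc(0x1000, MAXULONG_PTR, 0, PAGE_READWRITE);
+uint64_t data_addr = 0x8000000000000000 | MmGetPhysicalAddress(data_buf);
+// decide which syscall to use
+HvxGetVersions(0x72627472, 5, hv_target, data_addr, length);
+memcpy(userland_data, data_buf, length);
+XPhysicalFree(data_buf);
+}
+
+void __cdecl main()
+{
+uint32_t test_inst = 0;
+
+ReadHypervisor(&test_inst, 0x154C, sizeof(uint32_t));
+DbgPrint("Instruction = %08x\n", test_inst);
+
+if (test_inst == 0x38800007)
+{
+DbgPrint("Disabling memory protections...\n");
+// disable memory protections
+HvxGetVersions(0x72627472, 3, 0, 0, 0);
+}
+else
+{
+DbgPrint("Re-enabling memory protections...\n");
+// re-enable memory protections
+HvxGetVersions(0x72627472, 2, 0, 0, 0);
+}
+}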
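Review bot: `main` chooses which way to flip the hypervisor's memory protections from a read whose failure it cannot see. In `ReadHypervisor` the `XPhysicalAlloc` result is used without a NULL check, `length` is never compared with the 0x1000-byte bounce buffer before the `memcpy`, and the `HvxGetVersions` return value is discarded, so if the call is not honoured `test_inst` receives whatever was in the freshly allocated page and the `else` branch still issues op 2. I would have `ReadHypervisor` return a status and have `main` leave the protections untouched when it fails, as sketched below. The magic `0x72627472`, ops 2/3/5, offset `0x154C` and opcode `0x38800007` deserve named constants with a comment stating which hypervisor build they were taken from, and the `// decide which syscall to use` comment no longer describes the line under it.

```c
// returns 0 on success, -1 if the bounce buffer cannot be used
int ReadHypervisor(void *userland_data, uint32_t hv_address, size_t length)
{
    uint64_t hv_target;
    uint64_t data_addr;
    uint8_t *data_buf;

    // the bounce buffer is a single 0x1000-byte allocation
    if (length > 0x1000)
        return -1;
    data_buf = (uint8_t *)XPhysicalAlloc(0x1000, MAXULONG_PTR, 0, PAGE_READWRITE);
    if (data_buf == NULL)
        return -1;
    // … unchanged: address translation, HvxGetVersions call, memcpy, XPhysicalFree …
    return 0;
}

// in main():
    if (ReadHypervisor(&test_inst, 0x154C, sizeof(uint32_t)) != 0)
    {
        DbgPrint("Hypervisor read failed, leaving protections unchanged\n");
        return;
    }
    // … unchanged: DbgPrint of the instruction and the op 3 / op 2 branches …
```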
+10
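--- a/extras/OGXboxPrep/xex.xml
+++ b/extras/OGXboxPrep/xex.xml
@@ -0,0 +1,10 @@
+<?xml version="1.0"?>
+<xex>
+<format>
+<compressed/>
+</format>
+<mediatypes>
+<allpackages/>
+</mediatypes>
+<titleid id="0xFFFE07D1"/>
+</xex>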
+1 -1
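--- a/include/version.h
+++ b/include/version.h
@@ -1 +1 @@
-#define FREEMYXE_VERSION L"beta-dev"
+#define FREEMYXE_VERSION L"beta4"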
+1
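--- a/include/xboxkrnl.h
+++ b/include/xboxkrnl.h
@@ -9,3 +9,4 @@
 extern unsigned int XexLoadImage(LPCSTR szXexName, DWORD dwModuleTypeFlags, DWORD dwMinimumVersion, PHANDLE pHandle);
 extern void HalSendSMCMessage(LPVOID pCommandBuffer, LPVOID pRecvBuffer);
 extern void KeSweepIcacheRange(PVOID Address, DWORD cbBytes);
+extern void KeFlushEntireTb();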
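Review bot: `extern void KeFlushEntireTb();` declares the function with an unspecified parameter list, which in C switches off argument checking for every call to it. If the kernel export takes no arguments, write `extern void KeFlushEntireTb(void);` so the compiler can reject a mistaken call. If it does take arguments, the call added in source/FreeMyXe.c passes none, so the signature is worth confirming against the kernel's export table before relying on it.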
+49 -1
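--- a/source/FreeMyXe.c
+++ b/source/FreeMyXe.c
@@ -37,6 +37,16 @@
 L"L'hyperviseur et le noyau sont corrig\u00E9s!\n\nVotre cl\u00E9 de l'unit\u00E9 centrale est :\n%S\n\nLe code source pour FreeMyXe :\ngithub.com/InvoxiPlayGames/FreeMyXe\n\n"
 };
 
+// translation provided by chackAJMCPE and DoruDoLasu
+LocalisationMessages_t polish = {
+L"Konsola gotowa na \u0142atanie HV i j\u0105dra...\n\nTw\u00f3j klucz CPU to:\n%S\n\nZapisz go gdzie\u015b i trzymaj w bezpiecznym miejscu!",
+L"OK",
+L"Jupii!!",
+L"Zamiast tego uruchom XeLL",
+L"XeLL nie wystartowa\u0142?! No trudno, w takim razie za\u0142atamy HV i j\u0105dro...",
+L"Hiperwizor i j\u0105dro zosta\u0142y za\u0142atane!\n\nTw\u00f3j klucz CPU to:\n%S\n\nKod \u017ar\u00f3d\u0142owy FreeMyXe:\ngithub.com/InvoxiPlayGames/FreeMyXe\n\nMi\u0142ej zabawy!"
+};
+
 // translation provided by Xyozus
 LocalisationMessages_t brazilian_portuguese = {
 L"Prestes a come\u00E7ar a aplicar patches no HV e no Kernel...\n\nSua chave de CPU \u00E9:\n%S\n\nEscreva isso e guarde em algum lugar seguro!",
@@ -85,6 +95,16 @@
 L"XeLL \uC2E4\uD589\uD558\uAE30",
 L"XeLL\uC744 \uC2E4\uD589\uD558\uB294\uB370 \uC2E4\uD328\uD588\uC2B5\uB2C8\uB2E4?! \uBB50, \uC81C\uAC00 \uC9C1\uC811 \uD558\uC774\uD37C\uBC14\uC774\uC800\uC640 \uCEE4\uB110\uC744 \uD328\uCE58\uD560\uAC8C\uC694...",
 L"\uD558\uC774\uD37C\uBC14\uC774\uC800\uC640 \uCEE4\uB110\uC774 \uD328\uCE58\uB418\uC5C8\uC2B5\uB2C8\uB2E4!\n\nCPU \uD0A4:\n%S\n\nFreeMyXe \uC18C\uC2A4 \uCF54\uB4DC:\ngithub.com/InvoxiPlayGames/FreeMyXe\n\n\uC88B\uC740 \uD558\uB8E8 \uB418\uC138\uC694!"
+};
+
+// translation provided by Mez0ne
+LocalisationMessages_t chinese_simplified = {
+L"\u5373\u5C06\u5F00\u59CB\u4FEE\u8865 Hypervisor \u548C\u5185\u6838...\n\n\u4F60\u7684 CPU \u5BC6\u94A5\u662F\uFF1A\n%S\n\n\u628A\u5B83\u8BB0\u4E0B\u6765\u5E76\u59A5\u5584\u4FDD\u7BA1\uFF01",
+L"OK",
+L"\u8036\uFF01",
+L"\u542F\u52A8 XeLL",
+L"\u672A\u80FD\u542F\u52A8 XeLL\uFF1F\uFF01\u597D\u5427\uFF0C\u4E0D\u7BA1\u600E\u6837\uFF0C\u6211\u90FD\u4F1A\u4FEE\u8865 Hypervisor \u548C\u5185\u6838...",
+L"Hypervisor \u548C\u5185\u6838\u5DF2\u88AB\u4FEE\u8865\uFF01\n\n\u4F60\u7684 CPU \u5BC6\u94A5\u662F\uFF1A\n%S\n\nFreeMyXe \u7684\u6E90\u4EE3\u7801\uFF1A\ngithub.com/InvoxiPlayGames/FreeMyXe\n\n\u73A9\u5F97\u5F00\u5FC3\uFF01"
 };
 
 LocalisationMessages_t *currentLocalisation = &english;
@@ -299,6 +319,9 @@
 case XC_LANGUAGE_FRENCH: // would be nice to get fr-FR ong
 currentLocalisation = &canadian_french;
 break;
+case XC_LANGUAGE_POLISH:
+currentLocalisation = &polish;
+break;
 case XC_LANGUAGE_RUSSIAN:
 currentLocalisation = &russian;
 break;
@@ -311,6 +334,9 @@
 else
 currentLocalisation = &portuguese;
 break;
+case XC_LANGUAGE_SCHINESE:
+currentLocalisation = &chinese_simplified;
+break;
 default:
 currentLocalisation = &english;
 break;
@@ -489,11 +515,33 @@
 HypervisorClearCache(MmGetPhysicalAddress(pdwFunction));
 }
 
+// flush the tlb so we can write to data segments now
+KeFlushEntireTb();
+
+DbgPrint("Applying XAM patches...\n");
+
+Sleep(50);
+
+// block xbox live by poking these domains to something that'll never be real
+strcpy((void *)(0x815ff238), "XEXDS.XBOX.INVALID");
+strcpy((void *)(0x815ff250), "XETGS.XBOX.INVALID");
+strcpy((void *)(0x815ff268), "XEAS.XBOX.INVALID");
+strcpy((void *)(0x815ff27c), "XEMACS.XBOX.INVALID");
+
+// patch calls to XexCheckExecutablePrivilege(6) to allow insecure sockets everywhere
+POKE_32(0x817450d4, LI(3, 1));
+POKE_32(0x8174c174, LI(3, 1));
+POKE_32(0x81774590, LI(3, 1));
+POKE_32(0x81810084, LI(3, 1));
+
+// syslink ping patch - 30ms check in CXnIp::IpRecvKeyExXbToXb
+POKE_32(0x81754230, NOP);
+
 //ApplyXeBuildPatches(xebuild_17559_hvkern_patchset);
 
 DbgPrint("Done\n");
 
-Sleep(500);
+Sleep(450);
 
 buttons[0] = currentLocalisation->yay;
 wsprintfW(dialog_text_buffer, currentLocalisation->patch_successful, cpu_key_string);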
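Review bot: The XAM patch block (new lines 518-539) writes to fixed kernel addresses with nothing visible in the hunk confirming that the running kernel is the build those addresses were taken from; the enclosing function starts and ends outside the hunk, so a version check may exist earlier, but it is not shown here. The four `strcpy` calls are unbounded writes into slots whose size is only implied by the address spacing (0x18, 0x18 and 0x14 bytes for the first three, unknown for `0x815ff27c`), so comparing the existing bytes with the expected original hostname before overwriting, and bounding each copy to its slot, would keep a build mismatch from corrupting unrelated kernel data. The `XexCheckExecutablePrivilege(6)` patches lift the secure-socket requirement for every title, which is a security-relevant behaviour change that the README feature list in this commit does not mention. I would add a comment such as `// addresses below are for kernel build <KERNEL_BUILD>; verify before poking` (placeholder, fill in the real build) and a short note on why `Sleep(50)` is needed.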