DobaMuffin Posted July 12, 2023 Posted July 12, 2023 (edited) Writeup of how I did it. - First step is to make the cromwell bios image. This is done by running make at the root of the source code. - Next step is to find cromwell.bin in the image folder. This is the newly built image, and needs to be hex edited. - Open cromwell.bin in a hex editor. Delete the bytes from 0x0 to 0xFFF so that the data at 0x1000 is now at the start of the binary file. - The next step is to jump to the FF padding after the Cromwell kernel and delete everything after the kernel. Save the new binary file. - If everything went well, you should end up with a binary file of about 175.6KiB. This is the new cromwell payload for mcpx-attack. - Now that Cromwell is prepped, the next step is to download mcpx-tools, and build mcpx-attack. - Following this, you should have your cromwell payload and the mcpx-attack tool. You now need to get a copy of your xbox's stock bios, and add it into a folder containing mcpx-attack and the cromwell payload. - the following command should now be run: ./mcpx-attack 1.# ./path_to_stock_bios.bin -i ./path_to_cromwell_payload.bin -o ./final_bios_image.bin where # = (0 or 1 depending on your MCPX rom version) - The resulting bios file can now be flashed onto a modchip (I used an aladdin clone with 256KB of flash) before being placed into your xbox and the xbox turned on. - If everything went well, you should now have the MCPX rom on your screen. You just need to copy it by hand (As a hint, the MCPX roms start with the Hex values 0x33 0xC0 and end with the hex values 0x02 0xEE What it does: RC4 patches a jump instruction to point to 0x1000, and TEA adds X-codes, patches jump instruction for fbl, and I think that was it. ok, so yeah that's all mcpx-attack does. Well apart from inserting whatever payload I wanted at 0x1000 with the -i parameter Links to my github repo for Cromwell is here: https://github.com/DobaMuffin/cromwell/tree/master Link to the MCPX-Tools repo is here: https://github.com/XboxDev/mcpx-tools MCPX MD5sums have been attached in an image to this post, as well as the cromwell payload I used for the exploits. This version of cromwell has the code to disable the mxpc rom removed so that it doesn't hide it after loading it. The need for the MCPX-Attack suite is due to the bootloader of cromwell using the visor hack which diasbles the MCPX secret rom in the process due to how the exploit works. By removing it and using the TEA or RC4 hacks instead, this issue is no longer present. Future plans for this is to save the MXPC rom to a file either on a storage unit plugged into the controller, or onto the hard drive. The other future plan is to have a qr code generated that links to a webpage hosted by the xbox where the file can be downloaded. If anyone has any issues with these isntructions, let me know and I'll try to figure out what the issue is. payload.bin Edited July 12, 2023 by DobaMuffin 2 Quote
DobaMuffin Posted July 13, 2023 Author Posted July 13, 2023 Did some changes to my branches and now the new branch with the correct version of cromwell is here: https://github.com/DobaMuffin/cromwell/tree/MCPX_Dump Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.