Exploitable files in Xbox Live


underthebridge
08-19-2003, 02:10 PM
Hi. I was trying some things to try and get unsigned code to run once you push the Xbox Live button. This is much better because, as you know, there is no dreaded clock problem like with the font hack, and it is tons easier than the audio hack. There would also be no risks involved with its installation.

What if we tried to exploit files loaded by xonlinedash.xbe and update.xbe, found in C:\xodash? For one thing, live.xmv and liveloop.xmv in \xodash\media are not hash-checked and thus are exploitable files. The files in \xodash\media\xbg, \xodash\media\xbx or \xodash\media\content may also be manipulated. Ideally, we want to take advantage of a file that is loaded VERY first by xonlinedash.xbe and use it to run unsigned code.

My attempt at running unsigned code through Xbox Live:

UPDATE: Read my post at the bottom (I ALMOST DID IT!)

In C:\xodash, if you replace xonlinedash.xbe with any other MS-signed xbe named the same, then pressing "Xbox Live" will run it. I've succeeded in re-running the MS dashboard named as xonlinedash.xbe. Then what I tried to do was to ONLY run bert+ernie once this second dash copy is loaded, but it wouldn't work, since the font files are stored as absolute paths pointing to the "fonts" folder. So changing the fonts there affects ALL dashes spawned.

Thoughts :)

catfish
08-19-2003, 04:45 PM
Could you maybe change the path of the loaded xbe?
Place all the C: files on the DVD and load from there.
If M$ uses relative paths as opposed to fixed paths, you could place all the exploits on removable media and never have to change the files on your HD (except maybe 1 file).

underthebridge
08-19-2003, 09:00 PM
Unfortunately, it does not use relative paths. The location of the font files in xboxdash.xbe is hardcoded, pointing to Partition2 (C:). I tried surrounding it with the xploit, but it still requests those on the root and the [fonts] folder.

Now, if I had an old dashboard version, perhaps I could take advantage of the fact that it does not use a [fonts] folder... I would love to experiment!

AlcoholFuelled
08-19-2003, 09:19 PM
underthebridge, you are thinking along the exact lines that I have been for the last few days. I have been fiddling around attempting to get it to look elsewhere (to no avail yet).

catfish
08-19-2003, 09:20 PM
Ahhhh.
Have you tried running the duplicate dash from E:?

Maybe you can clarify this for me...
I've seen the font hack and can't understand how it works if the font location is fixed, as all the tutorials say that renaming ernie and bert is not needed. That leads me to believe that M$ is using a relative path, i.e. ../fonts/*.xtf

underthebridge
08-19-2003, 09:34 PM
Originally posted by catfish
Ahhhh.
Have you tried running the duplicate dash from E:?

Maybe you can clarify this for me...
I've seen the font hack and can't understand how it works if the font location is fixed, as all the tutorials say that renaming ernie and bert is not needed. That leads me to believe that M$ is using a relative path, i.e. ../fonts/*.xtf

Xboxdash.xbe first looks for Xbox.xtf and Xbox Book.xtf in \fonts; if it does not find these, then it tries \fonts\*.xtf.

The reason I know this is:
(1) xboxdash.xbe contains the font filenames
(2) If you put bert+ernie in but don't rename the original fonts, the xploit will not be applied

But anyway, knowing this does not help much. We need to find a way to change the font path if a second instance of msdash is spawned, thereby applying the exploit. An old version of msdash might be the way out, as it doesn't look in [fonts].

AlcoholFuelled
08-19-2003, 09:41 PM
I personally believe that it would be easier to change in the Live dash because it looks to the /fonts/ dir. This could mean that it is easier to manipulate.

underthebridge
08-19-2003, 09:47 PM
Yeah, manipulating is easy; I changed it so that it worked with a /fontz folder (yes, with a "z"). But this unsigns the dash, so I can't run it from Xbox Live anymore...

catfish
08-19-2003, 09:56 PM
How about using the audio exploit to load the hacked dash?

This would be for testing purposes, as using an exploit to load another exploit is redundant, but you can test the relative path theory with it.

underthebridge
08-19-2003, 10:19 PM
Well, I could do that, catfish (you mean see if the font exploit runs off E:), but I doubt it will work, and if it did there would be no way to run it using the Xbox Live button.

catfish
08-19-2003, 10:23 PM
Yeah, but I mean to have the audio exploit load the dash that you hacked from E:, instead of linux.xbe from C:.

underthebridge
08-20-2003, 05:44 PM
UPDATE: I got hold of old msdashes (ver. 4817). These look for fonts on C:\ and in no other place. New msdashes (ver. 4920), as you know, look in C:\fonts.

First, I made it so that when you push Xbox Live from dash 4920, dash 4817 loads up. This works perfectly; no exploit has been utilized at all up till now.

Then all I would have to do is replace the fonts of 4817 with bert+ernie on the root, and the exploit should run whenever I wish by pushing Xbox Live.

Well, I did that, turned on the box, and it booted 4920. I then pushed the Xbox Live button, got a bit excited it was gonna work, but there was a problem: the box crashes when running the font exploit in any other way than on bootup. I don't know why, it just does.

The 4817 dash is fully capable of running the exploit on bootup; I verified this. But for some reason, when the xboxdash.xbe is called in any other way, through Xbox Live or from EvoX, the box crashes.
I have reason to believe the font exploit was written with ONLY bootup in mind; it doesn't work if you run it any other way. I would like to ask Phoenix to please see if they can help me or modify bert+ernie for this purpose. I (and I'm sure others as well) would REALLY like this method of running the xploit.
I'm ALMOST there: I solved the path-changing problem for the font files, but now if only that xploit would work properly.

This is killin me I tell ya. Thx :)

catfish
08-20-2003, 08:07 PM
That's great news, keep up the good work!
Here are some thoughts that may help:
How does the original dash handle an audio CD?
Does the original dash run from only C:, or can you place it on any partition, perhaps mem cards too?
If you rename bert and ernie to the names the original dash looks for, does it affect anything differently?
Could you use the original dash to launch the new one? I thought the font exploit only worked with the Live-enabled dash???

underthebridge
08-20-2003, 10:29 PM
Originally posted by catfish
That's great news, keep up the good work!
Here are some thoughts that may help:
How does the original dash handle an audio CD?
Does the original dash run from only C:, or can you place it on any partition, perhaps mem cards too?
If you rename bert and ernie to the names the original dash looks for, does it affect anything differently?
Could you use the original dash to launch the new one? I thought the font exploit only worked with the Live-enabled dash???
Thanks for the thoughts. To answer your questions:

I haven't tried it, since I don't know what it would accomplish, but I'm pretty sure if you put the msdash on a CD and pop it in, it will run, granted that it has all the files it needs on C:\.

Here's how font lookup goes:
The OLD (pre-Live) xboxdash.xbe first looks for Xbox.xtf and Xbox Book.xtf on C:\; if it doesn't find these, then it tries C:\*.xtf. The exploit works perfectly on pre-Live dashboards; the ONLY difference is that the fonts are located on the root.

Right now my only problem is the fact that bert+ernie only do their thing on bootup. When I try to run the same xboxdash.xbe from EvoX or Xbox Live, it doesn't work :confused:
Maybe it's because they need their privacy :p

underthebridge
08-22-2003, 09:10 PM
OK, it appears this is the problem:

Normally, when the BIOS loads xboxdash.xbe, the RAM is empty, so B&E know where the overflow address is.

When trying to load a child dashboard from a parent one, the RAM has been altered. Now the address is different, and so the exploit doesn't perform as it should.

Can anybody from phoenix team please step in? :)
I would love to hear something from the experts

RiceCake
08-23-2003, 10:51 PM
Why not just put a copy of the old dash on a DVD? The Xbox automatically loads default.xbe off the DVD, right? Well, if it's signed it should work fine, and because the links are hardcoded it would have the same effect as loading it off the HD, besides having the parent-child issue.

You'd need to cold-boot though...

Just a thought.

underthebridge
08-23-2003, 11:14 PM
Originally posted by RiceCake
Why not just put a copy of the old dash on a DVD? The Xbox automatically loads default.xbe off the DVD, right? Well, if it's signed it should work fine, and because the links are hardcoded it would have the same effect as loading it off the HD, besides having the parent-child issue.

You'd need to cold-boot though...

Just a thought.
Nice idea! Will get to it right now (crosses fingers).

RiceCake
08-23-2003, 11:39 PM
I thought of it a few days ago and forgot it, but today I remembered it and thought about it for a while... why wouldn't it run off the CD? It's signed, it's standard media, and I don't think it's checked for any special runtime flags or anything, so it could work!

:D If it does I want some credit!

underthebridge
08-24-2003, 02:20 AM
No go...
The HD just keeps on thinking when I try to boot 4817 off CD, and this is with my modchip turned on.
When I turn my mod off, the Xbox doesn't recognize it. True, it is MS-signed, but the signature for something run off the HD is different than the one for media.

It's too bad..
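Two questions recur in this thread: where a given signed dashboard looks for its .xtf fonts (partition root versus a \fonts subdirectory, per underthebridge's notes on 4817 vs 4920), and whether a signed XBE will even launch from CD or DVD. Both can be answered by reading the image itself. The script below is an added example, not code from the thread or from any Microsoft dashboard: it parses the XBE header and certificate (offsets follow the publicly documented XBE layout: magic at 0, base address at 0x104, certificate pointer at 0x118; in the certificate, title ID at 0x08, UTF-16LE title name at 0x0C, allowed-media-types bitmask at 0x9C) and then scans the image for embedded .xtf path strings, both ASCII and UTF-16LE, classifying each as root, \fonts subdirectory or relative. The media-type bit names are assumptions taken from that same public documentation; the sample image, title name and title ID are constructed placeholders, not a real dashboard. Nothing here verifies the RSA signature; it only reads fields.

```python
"""Inspect an XBE image: allowed boot media from its certificate, plus every
embedded .xtf font path and where it points.  Added example; offsets follow the
publicly documented XBE layout and the sample image below is constructed."""
import re
import struct

# Certificate AllowedMediaTypes bits (assumed from public XBE documentation).
MEDIA_TYPES = {
    0x00000001: "HARD_DISK", 0x00000002: "DVD_X2", 0x00000004: "DVD_CD",
    0x00000008: "CD", 0x00000010: "DVD_5_RO", 0x00000020: "DVD_9_RO",
    0x00000040: "DVD_5_RW", 0x00000080: "DVD_9_RW", 0x00000100: "DONGLE",
    0x00000200: "MEDIA_BOARD", 0x40000000: "NONSECURE_HARD_DISK",
    0x80000000: "NONSECURE_MODE",
}

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")              # printable ASCII runs
WIDE_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")       # printable UTF-16LE runs
# Optional drive letter, optional "\dir" components, file name ending in .xtf.
FONT_PATH = re.compile(r"(?:[A-Za-z]:)?(?:\\[\w .*-]+)*\\?[\w .*-]+\.xtf", re.I)


def allowed_media(mask):
    """Decode the AllowedMediaTypes bitmask into a set of names."""
    return {name for bit, name in MEDIA_TYPES.items() if mask & bit}


def parse_xbe(data):
    """Read the header and certificate fields relevant to this thread."""
    if data[:4] != b"XBEH":
        raise ValueError("not an XBE image (bad magic)")
    base_addr, = struct.unpack_from("<I", data, 0x104)   # virtual base address
    cert_addr, = struct.unpack_from("<I", data, 0x118)   # certificate (virtual)
    cert = cert_addr - base_addr                          # file offset of certificate
    if not 0 <= cert <= len(data) - 0xA0:
        raise ValueError("certificate lies outside the image")
    title_id, = struct.unpack_from("<I", data, cert + 0x08)
    raw_name = data[cert + 0x0C:cert + 0x0C + 80]         # 40 UTF-16LE code units
    media, = struct.unpack_from("<I", data, cert + 0x9C)
    return {"base_addr": base_addr, "title_id": title_id,
            "title_name": raw_name.decode("utf-16-le").split("\0", 1)[0],
            "allowed_media": allowed_media(media)}


def embedded_strings(data):
    """Yield (offset, text) for ASCII and UTF-16LE printable runs in the image."""
    for m in ASCII_RUN.finditer(data):
        yield m.start(), m.group().decode("ascii")
    for m in WIDE_RUN.finditer(data):
        yield m.start(), m.group().decode("utf-16-le")


def classify(path):
    """Partition root, a \\fonts subdirectory, or a relative/other path?"""
    p = path.lower()
    if "\\fonts\\" in p:
        return "fonts-subdir"
    absolute = re.match(r"[a-z]:\\|\\", p) is not None
    if absolute and p.count("\\") == 1:
        return "root"
    return "absolute-other" if absolute else "relative"


def find_font_paths(data):
    """Return [(offset, path, classification)] for every .xtf reference found."""
    return [(off, m.group(), classify(m.group()))
            for off, text in embedded_strings(data)
            for m in FONT_PATH.finditer(text)]


def build_sample_image():
    """Constructed stand-in for an XBE (NOT a real dashboard): minimal header and
    certificate, HARD_DISK-only media mask, and three embedded font paths."""
    base, cert = 0x00010000, 0x200
    img = bytearray(0x1000)
    img[0:4] = b"XBEH"
    struct.pack_into("<I", img, 0x104, base)
    struct.pack_into("<I", img, 0x118, base + cert)
    struct.pack_into("<I", img, cert + 0x08, 0x12345678)  # placeholder title ID
    name = "Xbox Dashboard".encode("utf-16-le")            # placeholder title
    img[cert + 0x0C:cert + 0x0C + len(name)] = name
    struct.pack_into("<I", img, cert + 0x9C, 0x00000001)  # HARD_DISK only, no CD/DVD
    for off, blob in [
        (0x400, b"C:\\fonts\\Xbox Book.xtf\0"),                 # absolute, \fonts
        (0x440, "C:\\Xbox.xtf".encode("utf-16-le") + b"\0\0"),  # absolute, root
        (0x480, b"\\fonts\\*.xtf\0"),                           # wildcard fallback
    ]:
        img[off:off + len(blob)] = blob
    return bytes(img)


def report(data):
    """Human-readable summary of parse_xbe() and find_font_paths()."""
    info = parse_xbe(data)
    lines = [f"title: {info['title_name']} (id 0x{info['title_id']:08X})",
             f"allowed media: {', '.join(sorted(info['allowed_media'])) or 'none'}"]
    for off, path, kind in find_font_paths(data):
        lines.append(f"  0x{off:06X}  {kind:13s} {path}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(build_sample_image()))
```

On the constructed image the certificate allows HARD_DISK only, so the script reports that no CD or DVD type is permitted; the three font strings come back as one root path and two \fonts paths. Two caveats for real images: the path regex allows spaces so that "Xbox Book.xtf" survives, which means a path embedded in a longer sentence may pick up leading words, and reading the media mask tells you what the certificate claims, not whether the kernel's signature check on that certificate passes.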

RiceCake
08-24-2003, 01:58 PM
Dammit... that sucks...

Hmm, I wonder if the Xbox Live update disk or anything uses fonts or something that can be exploited.

Either way, it looks like a new font hack would have to be created for this...

oblox
09-06-2003, 08:54 PM
How come no one is looking at the game save Live makes on partition1????

If you're going to kill the Live option anyway, why not just alter it?