Retail XBEs signed for weird media types

Anyone seen any retail-signed XBEs that're signed for media types besides hard drive and DVD-X2 (Xbox disk)? I've only ever seen three such executables, the ones on the Xbox Live Arcade launcher disk, and I'm curious whether anyone's seen others.

The Xbox Live Arcade launcher was a CD rather than a DVD-X2, and it had Ms. Pac-Man on it. Ms. Pac-Man was installed to the hard drive as a hard drive-signed XBE. The disk's three executables signed for CD use were default.xbe, dashupdate.xbe, and update.xbe.

Yes, if you copy this disk to CD-RW, it works on an unmodded retail system. However, the XBEs were designed very carefully such that the three XBEs were the only files on the CD - all their data was embedded as sections, whose hash gets validated at load time, and the list of hashes is incorporated into the RSA signature. Ms. Pac-Man was embedded as one of the sections in default.xbe. This meant that all you could do is copy the disk -- you wouldn't get any benefit but a pirated Ms. Pac-Man I suppose. Another interesting tidbit is that the filesystem is UDF instead of GDFX. They could've used GDFX, but since the Xbox kernel accepted either filesystem for all purposes, it didn't matter.

Certificate Details
----------------------------------
Xbox Live Arcade
** Certificate size is unusual!
Certificate Size: 0x000001EC (492 bytes)
Title ID: 0x4D5300C8 (MS-00200)
Allowed Media: 0x00000008 (unknown)
Game Region: 0x00000007 (unknown)
Game Rating: 0x00000004 (Everyone)

Here's is caustik's media type list. Type 4 (DVD_CD) means basically "any of the below"; any CD or DVD format other than DVD-X2 will match that type. "Dongle" is what the pseudo-XBE header on the DVD video infrared receiver DLL uses as its media type, and I assume "media board" is for Chihiro games. "Nonsecure mode" means that the executable is allowed to run without forcing a reset to occur if the user ejects the disk. The nonsecure flag is set on the Dashboard and XOnlineDash; it's also set on at least one game, Xbox Music Mixer, to allow you to swap it out and insert music CDs.

"Nonsecure hard disk" means that the XBE is allowed to run on retail firmware even if the hard disk is not locked and the region code is not 0x80000000 (manufacturing). Kernel 3944 did not understand this flag, but later ones do. My educated guess is that the lack of this flag was causing problems for refurbishing, because if the hard drive had to be replaced when the EEPROM still had valid data, there was no way to boot anything. They would've had to clear the EEPROM first somehow. This new flag looks like Microsoft's solution to that problem for later kernels.

#define XBEIMAGE_MEDIA_TYPE_HARD_DISK 0x00000001
#define XBEIMAGE_MEDIA_TYPE_DVD_X2 0x00000002
#define XBEIMAGE_MEDIA_TYPE_DVD_CD 0x00000004
#define XBEIMAGE_MEDIA_TYPE_CD 0x00000008
#define XBEIMAGE_MEDIA_TYPE_DVD_5_RO 0x00000010
#define XBEIMAGE_MEDIA_TYPE_DVD_9_RO 0x00000020
#define XBEIMAGE_MEDIA_TYPE_DVD_5_RW 0x00000040
#define XBEIMAGE_MEDIA_TYPE_DVD_9_RW 0x00000080
#define XBEIMAGE_MEDIA_TYPE_DONGLE 0x00000100
#define XBEIMAGE_MEDIA_TYPE_MEDIA_BOARD 0x00000200
#define XBEIMAGE_MEDIA_TYPE_NONSECURE_HARD_DISK 0x40000000
#define XBEIMAGE_MEDIA_TYPE_NONSECURE_MODE 0x80000000
#define XBEIMAGE_MEDIA_TYPE_MEDIA_MASK 0x00FFFFFF

 

I found another one: Star Wars Battlefront demo DVD, which is signed as booting from DVD-ROM. A DVD+R disk burned by a burner supporting "bitsetting" will pass this check.

 

I believe the movie Robots had a demo on it as well.

 

I have a save file to that, I was puzzled when I saw it though...

 

The Battlefront demo is the one that gets passed around as being a "Beta." It is indeed an early demo though.

 

It's something to look out for, that's for sure. Some demos though are usually considered betas since a lot of them have early features, always pay to do research

 

Eh most demos will have something different in them just due to the fact that at some point in development, someone had to branch off and make it. I don't like calling a demo anything other than a demo, as it leads to confusion (not that I mind noting the differences in content), which has been seen with the Battlefront demo (omg beta, where is this from, why does it say demo, all that ). There are occasions where demos have different features on purpose, which still leads people to speculate without evidence that something is early content, rather than specially-designed content. Slippery slope and all that

 

The demo has saves? It would be funny if they were copyable saves. Find an exploit in the save file and you have an Agent Under Fire-like exploit that works without needing a commercial game.

I'd like to try it out, but my LG Blu-ray burner doesn't support DVD+R bitsetting (not even with the LG-specific command).

I remember being the first to discover that the Chrono Trigger prerelease demo had songs in it that weren't in the final version.

 

Well it's not really, it seems to create a block on the drive just like any other game.

 

Hulk had something like a demo on the movie DVD I believe. Too long ago to remember.

Back when games had updates on the original Xbox, which were HDD signed, I would the updated xbe to the C: partition and name it xboxdash.xbe. You would still have to have the disc, but it didn't have to be retail. Backup worked fine as long as the game had an update. I don't remember if this was patched but it was definitely detectable as those xbox's ended up banned on Live

 

It does

 

Eric Bana or Edward Norton?

That sounds like one of the motivations they had for adding the newer certificate field in the second half of the Xbox's life that has a flag that caused the XAPI libraries in the game XBE to validate that the inserted disk is a DVD-X2 with a matching title ID. That and breaking all existing pirate kernels of the time.

 

No, he is Bill Bixby

 

I found this interesting list of movie DVDs with embedded Xbox demos when searching around.

http://www.amazon.com/DVDs-with-Xbox-Demos/lm/1MHSND54KR8AO

 

My Hulk just came in the mail, and the bonus disk has a default.xbe "demoloader" as usual, but what's crazy is that it has a DVD+r-signed xboxdash.xbe. It's a longshot, but if that can load the fonts off the DVD, the font exploit could turn this into the holy grail of Xbox hacking...a decade too late.

 

Even if it's a decade too late, it's still a good breakthrough if you ask me.

 

If you can make that work that'd be absolutly crazy... Great find!
//Edit: They probably would have blacklisted that XBE very soon if you found this a decade earlier
But just think of the possibilities this would have had.. - Stuff like Bleemcast would probably have been around even more!

 

I took a look at a copy of the hulk DVD I acquired and the xboxdash.xbe on mine has media flags of XBEIMAGE_MEDIA_TYPE_DVD_5_RO | XBEIMAGE_MEDIA_TYPE_DVD_9_RO only. Perhaps there are different versions of the media floating around?

 

That's the same as mine. But...keep in mind that if you have a DVD+R burner out there that is capable of "bitsetting", burning a DVD+R (on most drives, must be +R not -R) with bitsetting as DVD-ROM ought to pass that check. My current Blu-ray drive doesn't support bitsetting, so I have no way to verify this at the moment, but reading the Xbox kernel disassembly, it ought to work.

If you'd like to try it, it's pretty simple. Use ImgBurn:

1. Use "Write files/folders to disc" easy picker mode.
2. Options tab: data type = MODE1/2048, filesystem = UDF, UDF revision = 1.02, no preserve, yes recurse.
3. Insert a DVD+R blank. Must be +R, or +RW, not -R or -RW.
4. On menu bar, Tools/Drive/Change Book Type.
5. Select the brand of drive - you might have to look up who actually makes your drive.
6. Select Change For: "Drive (for DVD+R media)" or whichever matches.
7. Select New Setting: "DVD-ROM".
8. Click the "Change" button.
9. If that succeeds, click OK.
10. Add whatever files, including default.xbe, to the Source area and click the burn icon (big icon in bottom left).

 

Interesting. I'll poke around at the DVD burners I have hanging around to see if any can do that.

I did check out the Doom, King Arthur, Robots, Van Helsing, and Riddick DVDs. They all seem to be set up identically with default.xbe (demoloader) and dashupdate.xbe on the disk both with the XBEIMAGE_MEDIA_TYPE_DVD_5_RO | XBEIMAGE_MEDIA_TYPE_DVD_9_RO media flags. Doom has an additional update.xbe ("Online Updater Application").