    Xbox One/Series Devkit System OS Escalation Walkthrough


    Xbox-Scene

    Getting Admin:

    1. Download Artifice.
    2. Extract it and copy only the publish directory to the desktop (~/desktop/publish/artifice.exe); otherwise, it will fail during run.
    3. Run artifice.exe.
    4. Press start, type IP address, then wait.
    5. Once complete, restart the console and SSH into it with PuTTY or the SSH command (e.g., ssh 192.168.0.10 -l admin).
      • Username: admin
      • Password: admin

    You now have systemOs admin access. To further elevate to a shell that can give you firmware/flash access, continue below.

    Getting Elevated Telnet
    Referencing: Xbox Research Wiki - DevMode Priv Escalation


    1. From the admin shell you SSH'd into earlier, run:

    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bootsh\Parameters\Commands /v Xrun /t REG_SZ /d "telnetd.exe cmd.exe 23" /f
    sc start bootsh


    2. Wait 10 seconds, then run the following to revert the registry:

    REG ADD HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bootsh\Parameters\Commands /v Xrun /t REG_SZ /d "xrun.exe SystemBootTasks" /f

    3. Now telnet to the console IP on port 23 (e.g., telnet 192.168.0.10 23).

    This shell has higher privileges in systemOs and can access the flash.
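Because step 2 only works if the Bootsh command really is put back, here is an added check (not part of the original post) that parses the output of `reg query HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bootsh\Parameters\Commands`, pasted from the admin shell, and reports whether Xrun is back to `xrun.exe SystemBootTasks` or still points at a telnet daemon. The two sample outputs are constructed, not captured from a console.

```python
import re

# Registry value the walkthrough edits and the default it restores (both from the page).
BOOTSH_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bootsh\Parameters\Commands"
EXPECTED_XRUN = "xrun.exe SystemBootTasks"

# Constructed samples of `reg query` output (not captured from a real console):
# one where the telnet line from step 1 is still in place, one after the revert.
SAMPLE_MODIFIED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bootsh\Parameters\Commands
    Xrun    REG_SZ    telnetd.exe cmd.exe 23
"""
SAMPLE_REVERTED = r"""
HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\Bootsh\Parameters\Commands
    Xrun    REG_SZ    xrun.exe SystemBootTasks
"""

# One `reg query` value line: name, type, data (key path lines have no spaces, so they skip).
_VALUE_RE = re.compile(r"^\s*(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def parse_reg_query(output):
    """Parse `reg query` text into {value_name: (type, data)}."""
    values = {}
    for line in output.splitlines():
        match = _VALUE_RE.match(line)
        if match:
            values[match.group(1)] = (match.group(2), match.group(3))
    return values


def check_bootsh_xrun(output):
    """Return (ok, reason): ok is True only when Xrun is back to the default command."""
    values = parse_reg_query(output)
    if "Xrun" not in values:
        return False, "Xrun value is missing, so Bootsh would not run SystemBootTasks"
    reg_type, data = values["Xrun"]
    if reg_type != "REG_SZ":
        return False, f"Xrun has unexpected type {reg_type}"
    if data == EXPECTED_XRUN:
        return True, "Xrun restored to the default command"
    if "telnetd" in data.lower():
        return False, f"Xrun still starts a telnet daemon at boot: {data!r}"
    return False, f"Xrun has an unexpected command: {data!r}"


if __name__ == "__main__":
    for label, sample in (("modified", SAMPLE_MODIFIED), ("reverted", SAMPLE_REVERTED)):
        print(label, check_bootsh_xrun(sample))
```

Run it against the real `reg query` output after the revert; anything other than the "restored" result means the console would keep opening an unauthenticated shell on port 23 every time Bootsh runs.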

    Common Tools
    Referencing: Xbox Research Wiki - Installing Compatible Software

    To deploy tools to the console, download the desired tools and SFTP them to D:/DevelopmentFiles/.

    If using FileZilla, switch to the D drive by typing /D: in the directory bar. Create the directories you want and copy the apps into their own directories.



    Dumping Flash
    Use QuantumTunnel (QuantumTunnel GitHub). You'll need to build it using .NET 7.

    1. Download .NET 7 installer from here.

    2. Also, download and extract the source code for QuantumTunnel.

    3. Once .NET 7 is installed, navigate to the QuantumTunnel folder and run dotnet build.

    4. Navigate to the build directory: QuantumTunnel-main\bin\Debug\net7.0\.

    5. SFTP all files in this build directory to the Xbox at D:/DevelopmentFiles/QuantumTunnel/.

    6. From the elevated telnet shell, navigate to the .NET directory:

    d:
    cd D:/DevelopmentFiles/dotnet/


    7. To dump a single file from flash such as certkeys.bin, run:

    dotnet D:/DevelopmentFiles/QuantumTunnel/QuantumTunnel.dll certkeys.bin

    8. To dump the entire flash to a bin file, run:

    dotnet D:/DevelopmentFiles/QuantumTunnel/QuantumTunnel.dll --rawdump -o dump.bin

    9. Use your SFTP client like FileZilla to navigate to the .NET directory and retrieve the files you dumped.


    Links and special mentions:
    Xbox Research Wiki: Xbox Research Wiki
    Artifice Dev Mode Escalation: Artifice GitHub

