
New "Secure" Xbox Cracked In Under A Week

ilsie writes "Numbnut says it all in his post at xboxhacker.net. To quote his post, 'On behalf of the Xbox Linux Team, I am proud to announce that at 10:45BST the 'v1.1' secure version of the Xbox was proven to be running arbitrary BIOS code in a normal 256KByte modchip - with no additional hardware required. In short, in under a week we were able to normalize the new box to enable it to interoperate with Linux properly.'"

  • by TrueKonrads ( 580974 ) on Saturday October 12, 2002 @02:38PM (#4437651)
    It brings me to the following thought: You can't protect anything that the user has physical access to. The same situation is observable amongst CD 'copy (mis)protection'. Smart lads crack it in a one-week session. Maybe people should stop wasting money on copy protections and focus instead on the actual product?
  • by ekrout ( 139379 ) on Saturday October 12, 2002 @02:41PM (#4437666) Journal
    Yeah, security's pointless.

    Banks should just focus on hiring prettier, more friendly tellers rather than ensuring their online banking systems and ATM transactions are secure.

    And while they're at it they should replace those cheap little lollipops with Tootsie-Pops or something...
  • Re:EULA changes? (Score:2, Informative)

    by Anonymous Coward on Saturday October 12, 2002 @02:42PM (#4437670)
    Stop being anal with EULAs. If you violate an EULA, you're just voiding the warranty.
  • Re:EULA changes? (Score:4, Informative)

    by Anonymous Coward on Saturday October 12, 2002 @02:46PM (#4437693)
    AMD didn't reverse engineer Intel's CPUs. They used to work together on processors.
  • by Troed ( 102527 ) on Saturday October 12, 2002 @02:53PM (#4437724) Homepage Journal
    Oh, so you mean the totally new chain of trust, hashing and public key crypto they put in between the MCPX and the BIOS wasn't a security upgrade?


    Here's [xboxhacker.net] a thread you need to study.

  • by Bishop ( 4500 ) on Saturday October 12, 2002 @03:00PM (#4437752)
    You can't protect anything that user has physical access to

    I think that the designers of the IBM 4758 [ibm.com] cryptographic coprocessors might disagree. The IBM4732 is supposed to be tamper proof [rutgers.edu].

    Of course, if you were to say that you can't protect anything that users have access to at a reasonable price, then you would be correct. You would also be correct to say that security is hard and must be integrated into the system from the first design stages and not hacked on later.
  • Some Background (Score:5, Informative)

    by warmcat ( 3545 ) on Saturday October 12, 2002 @03:02PM (#4437768)
    Disclaimer: I am numbnut.

    The 1.1 version of the Xbox is certainly designed to be Palladium Lite. The concept is that no code is executed unless it matches a one way hash signature. The only exception is the boot ROM (512 bytes) which lives in the nVidia-designed MCPX chip; this is used to validate the next code to execute, which validates the next code to execute and so on.

    Unfortunately for MS (and perhaps nVidia), they chose a hashing algorithm which already had a known flaw. The hash, which works on QWORDS (64-bit quantities), is completely insensitive to b31 and b63 of a QWORD both being inverted.

    Doubly unfortunately for MS, the VERY FIRST DWORD of the hashed region is the entry point, and contains a long relative jump. The effect of flipping b31 and b63 on this QWORD is to retarget the jump to RAM.

    Triply unfortunately for MS, they have a small interpreter built into their ROM code, whose instruction set is capable of IO and memory r/w before the bootrom is validated and executed. It was trivial to add some memory writes to the interpreted code stream to prep the memory targeted by the modified jump with a jump back into the flash.

    The end result is perversion of the hashed region in a way invisible to the hashing algorithm, and execution flow jumping to arbitrary code in the flash.

    I urge anyone interested in both the technical detail and the larger issues raised by this to read the threads on http://www.xboxhacker.net as this is a much larger issue than simply another Xbox crack.
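    An added illustration (not part of this thread, and not code from the Xbox or from the Xbox Linux Team) of the class of flaw warmcat describes above: a block cipher that has equivalent keys, pressed into service as the compression step of a hash with the message bytes used as the key, yields identical digests for two messages that differ in exactly the bit pair the cipher ignores. The post does not name the algorithm; TEA is used here because it is compact and has precisely this documented property: flipping bit 31 of two adjacent 32-bit key words cancels out in its round function, so within each 16-byte chunk the QWORD formed by k[0],k[1] and the one formed by k[2],k[3] are each insensitive to having bits 31 and 63 inverted together. The Davies-Meyer-style chaining, the IV, the little-endian word layout and the sample bytes are constructed for the example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TEA_DELTA  0x9E3779B9u
#define TEA_ROUNDS 32

/* Standard TEA encryption of one 64-bit block under a 128-bit key. */
static void tea_encrypt(uint32_t v[2], const uint32_t k[4])
{
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < TEA_ROUNDS; i++) {
        sum += TEA_DELTA;
        /* k[0] and k[1] enter only through two additions that are XORed
           together: flipping bit 31 of both keys flips bit 31 of both
           addends (mod 2^32), and the XOR cancels the change. The same
           argument applies to k[2] and k[3] on the next line. */
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0;
    v[1] = v1;
}

/* Constructed Davies-Meyer-style hash: each 16-byte chunk of the message is
   used as a TEA key to encrypt the running 64-bit state, which is then XORed
   back. Short final chunks are zero-padded. The IV is arbitrary. */
static void toy_hash(const uint8_t *msg, size_t len, uint32_t out[2])
{
    uint32_t h[2] = { 0x01234567u, 0x89ABCDEFu };
    for (size_t off = 0; off < len; off += 16) {
        uint8_t  chunk[16] = { 0 };
        uint32_t k[4];
        size_t   n = (len - off < 16) ? len - off : 16;
        memcpy(chunk, msg + off, n);
        for (int i = 0; i < 4; i++)            /* little-endian key words */
            k[i] = (uint32_t)chunk[4 * i]
                 | ((uint32_t)chunk[4 * i + 1] << 8)
                 | ((uint32_t)chunk[4 * i + 2] << 16)
                 | ((uint32_t)chunk[4 * i + 3] << 24);
        uint32_t v[2] = { h[0], h[1] };
        tea_encrypt(v, k);
        h[0] ^= v[0];
        h[1] ^= v[1];
    }
    out[0] = h[0];
    out[1] = h[1];
}

/* Invert bit 31 and bit 63 of the little-endian QWORD at byte offset `off`. */
static void flip_b31_b63(uint8_t *buf, size_t off)
{
    buf[off + 3] ^= 0x80;   /* bit 31 = MSB of byte 3 */
    buf[off + 7] ^= 0x80;   /* bit 63 = MSB of byte 7 */
}

#define SAMPLE_LEN 32

static void fill_sample(uint8_t *buf)
{
    for (int i = 0; i < SAMPLE_LEN; i++)      /* constructed sample bytes */
        buf[i] = (uint8_t)(i * 37 + 11);
}

/* Returns 1 if two distinct messages, differing only in the b31/b63 pair of
   two QWORDs, hash to the same digest: the collision the post describes. */
int collides_on_b31_b63_flip(void)
{
    uint8_t a[SAMPLE_LEN], b[SAMPLE_LEN];
    uint32_t ha[2], hb[2];
    fill_sample(a);
    memcpy(b, a, SAMPLE_LEN);
    flip_b31_b63(b, 0);    /* first QWORD of chunk 0  -> k[0], k[1] */
    flip_b31_b63(b, 24);   /* second QWORD of chunk 1 -> k[2], k[3] */
    toy_hash(a, SAMPLE_LEN, ha);
    toy_hash(b, SAMPLE_LEN, hb);
    return memcmp(a, b, SAMPLE_LEN) != 0 && ha[0] == hb[0] && ha[1] == hb[1];
}

/* Returns 1 if flipping bit 31 alone (without its partner bit 63) changes
   the digest, showing the hash is not simply ignoring those bit positions;
   only the paired flip is invisible to it. */
int detects_lone_b31_flip(void)
{
    uint8_t a[SAMPLE_LEN], b[SAMPLE_LEN];
    uint32_t ha[2], hb[2];
    fill_sample(a);
    memcpy(b, a, SAMPLE_LEN);
    b[3] ^= 0x80;
    toy_hash(a, SAMPLE_LEN, ha);
    toy_hash(b, SAMPLE_LEN, hb);
    return ha[0] != hb[0] || ha[1] != hb[1];
}

int main(void)
{
    printf("b31+b63 pair flip collides: %d\n", collides_on_b31_b63_flip());
    printf("lone b31 flip detected:     %d\n", detects_lone_b31_flip());
    return 0;
}
```

    The point for anyone building a boot-time chain of trust: a cipher with equivalent keys is unusable as a hash, because the integrity check then cannot distinguish two images that differ in precisely the positions the cipher discards. A purpose-built hash (SHA-2 family) under a signature does not have this property, and a candidate construction can be screened for it with exactly this kind of paired-bit test before it is burned into ROM.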
  • Re:any chance? (Score:1, Informative)

    by Anonymous Coward on Saturday October 12, 2002 @03:02PM (#4437771)
    Just do a custom install and choose the right package so it is on your hard drive.
  • Comment removed (Score:2, Informative)

    by account_deleted ( 4530225 ) on Saturday October 12, 2002 @03:13PM (#4437814)
    Comment removed based on user account deletion
  • by m11533 ( 263900 ) on Saturday October 12, 2002 @03:20PM (#4437839)
    I would recommend you read up on the legal issue of reverse engineering because it is under attack and it is not at all obvious that it will survive. I believe the latest issue of ACM Communications has an excellent article on the topic. Recent US Government laws are very disconcerting.
  • Re:All Right!! (Score:2, Informative)

    by Student_Tech ( 66719 ) on Saturday October 12, 2002 @03:22PM (#4437846) Journal
    Most every modern PC already does component out, in the form of an RGB signal. For reference (some of it from what people were doing to run VGA monitors off of the XBox...)
    640x480 = 480p
    1280x720 = 720p
    1920x1080 = 1080i
    (I borrowed the 720p and 1080i from some site, so I'm not sure if they will work)

    (and I can't remember any others, but there are)
    On http://www.epanorama.net/ [epanorama.net] if you look you can find something like:
    (From http://www.epanorama.net/links/videocircuits.html)

    Do-it-Yourself VGA to PPrPb Cable - This circuit is designed to convert 60Hz VGA (480p) from a computer's VGA port and drive progressive-component outputs to an HDTV (or similar display device).


    You can also find links for going component to RGB if you want to run an Xbox (or PS2 or DVD player).

    FWIW this is a starting reference, don't try something unless you are willing to take a chance that it might screw something up really bad.
  • Re:EULA changes? (Score:5, Informative)

    by Jeremiah Cornelius ( 137 ) on Saturday October 12, 2002 @03:25PM (#4437862) Homepage Journal
    AMD didn't reverse engineer Intel's CPUs. They used to work together on processors
    Well, I wouldn't say "work together"... :-P

    AMD had some fantastic processes for -- at the time -- incredibly fine micron CMOS fabrication. Intel had dink to show in the fab department. In order to build a 386 faster than 16 MHz, that wouldn't require raised-floor equipment to keep cool, they needed a license on AMD's fabrication technology.

    AMD exchanged this license, in exchange for a license on 286 and future technologies. The grounds for what these future technologies were comprised of were the grounds for the Intel/AMD legal battles of the '90s. The courts agreed this was inclusive of the i386 microcode, and the rest... is history.

  • by Kelmenson ( 592104 ) <kelmenson@nospaM.yahoo.com> on Saturday October 12, 2002 @03:36PM (#4437899)
    Pretty much every mod chip out has always made the systems skip their "authentic CD/DVD" check, so a backup (or illegal copy...) of a game will work. Now, with XBox Linux, there are definitely legitimate and legal uses for a modded XBox, which in a reasonable legal system would mean that DMCA wouldn't have an effect here. But we all know that DMCA and reasonable don't belong in a sentence together...
  • by cschieke ( 308178 ) on Saturday October 12, 2002 @04:05PM (#4438005)
    While there is actually some logic to that position, there is some history that shows this is a bad approach for MS to take. Way back when, in 1997, Ian Goldberg presented a talk on (among other things) how in Europe incremental changes to the security of GSM networks led to a whole "generation" of well-trained hackers. I don't think MS is really looking to do that for the community.
  • Re:EULA changes? (Score:5, Informative)

    by starling ( 26204 ) <strayling20@gmail.com> on Saturday October 12, 2002 @06:55PM (#4438509)
    That was the BASIC, which was based on a listing of Dartmouth BASIC which they found in the trash. All MS did was port it to a different processor. They bought MSDOS from another company.

    That's right, MS's original flagship products weren't written by MS. They started as they meant to continue.

  • ACM Communications (Score:3, Informative)

    by BlueboyX ( 322884 ) on Saturday October 12, 2002 @09:55PM (#4438970)
    It is in the latest issue. It says 'reverse engineering under siege'; it doesn't attempt to predict who will win the legal matters, but explains what the threat is and how it will cause extreme harm to the tech industry if reverse engineering is taken away. Most slashdotters probably know most of that, but it is an interesting read.
