New "Secure" Xbox Cracked In Under A Week 337
ilsie writes "Numbnut says it all in his post at xboxhacker.net. To quote his post, 'On behalf of the Xbox Linux Team, I am proud to announce that at 10:45BST the 'v1.1' secure version of the Xbox was proven to be running arbitrary BIOS code in a normal 256KByte modchip - with no additional hardware required. In short, in under a week we were able to normalize the new box to enable it to interoperate with Linux properly.'"
This actually _is_ funny. (Score:5, Informative)
Re:This actually _is_ funny. (Score:0, Informative)
Banks should just focus on hiring prettier, more friendly tellers rather than ensuring their online banking systems and ATM transactions are secure.
And while they're at it they should replace those cheap little lollipops with Tootsie-Pops or something...
Re:EULA changes? (Score:2, Informative)
Re:EULA changes? (Score:4, Informative)
Re:This new xbox not really done for 'security' (Score:5, Informative)
Here's [xboxhacker.net] a thread you need to study.
Re:This actually _is_ funny. (Score:4, Informative)
I think that the designers of the IBM 4758 [ibm.com] cryptographic coprocessors might disagree. The IBM4732 is supposed to be tampre proof [rutgers.edu].
Ofcourse if you were to say that you can't protect anything that users have access to at a reasonable price. Then you would be correct. You would also be correct to say that security is hard and must be integrated into the system from the first design stages and not hacked on later.
Some Background (Score:5, Informative)
The 1.1 version of the Xbox is certainly designed to be Palladium Lite. The concept is that no code is executed unless it matches a one way hash signature. The only exception is the boot ROM (512 bytes) which lives in the nVidia-designed MCPX chip; this is used to validate the next code to execute, which validates the next code to execute and so on.
Unfortunately for MS (and perhaps nVidia), they chose a hashing algorithm which already had a known flaw. The hash, which works on QWORDS (64-bit quantities) is completely insensitive to b31 and b63 of a QWORD both being inverted.
Doubly unfortunately for MS, the VERY FIRST DWORD of the hashed region is the entry point, and contains a long relative jump. The effect of flipping b31 and b63 on this QWORD is to retarget the jump to RAM.
Triply unfortunately for MS, they have a small interpreter built into their ROM code, whose instruction set is capabel to to IO amd memory r/w before the bootrom is validated and executed. It was trivial to add some memory writes to the interpreted code stream to prep the memory targetted by the modified jump with a jump back into the flash.
The end result is perversion of the hashed region in a way invisible to the hashing algorithm, and execution flow jumping to arbitrary code in the flash.
I urge anyone interested in both the technical detail and the larger issues raised by this to read the threads on http://www.xboxhacker.net as this is a much larger issue than simply another Xbox crack.
Re:any chance? (Score:1, Informative)
Comment removed (Score:2, Informative)
Reverse engineering NOT a given (Score:5, Informative)
Re:All Right!! (Score:2, Informative)
640x480 = 480p
1280x720 = 720p
1920x1080 = 1080i
(I borrowed the 720p and 1080i from some site, so I'm not sure if they will work)
(and I can't remember any others, but there are)
On http://www.epanorama.net/ [epanorama.net] if you look you can find something like:
(From http://www.epanorama.net/links/videocircuits.html
You can also find links for going component to RGB if you want to run an Xbox (or PS2 or DVD player).
FWIW this is a starting reference, don't try something unless you are willing to take a chance that it might screw something up really bad.
Re:EULA changes? (Score:5, Informative)
AMD had some fantastic processes for -- at the time -- incredibly fine micron CMOS fabrication. Intel had dink to show in the fab department. In order to build a 386 faster than 16 MHz, that wouldn't require raised-floor equipment to keep cool, they needed a license on AMD's fabrication technology.
AMD exchanged this license, in exchange for a license on 286 and future technologies. The grounds for what these future technologies were comprised of were the grounds for the Intel/AMD legal battles of the '90's. The courts agreed this was inclusive of the i386 microcode, and the rest... is history
Mod Chips DO give access to protected content. (Score:2, Informative)
Re:The Xbox is Microsoft's test of Palladium (Score:5, Informative)
Re:EULA changes? (Score:5, Informative)
That's right, MS's original flagship products weren't written by MS. They started as they meant to continue.
ACM Communications (Score:3, Informative)