The Hidden Boot Code of the Xbox

Device666 writes "In order to lock out both copied games as well as homebrew software, including the GNU/Linux operating system, Microsoft built a chain of trust on the Xbox reaching from the hardware to the execution of game code, in order to avoid the infiltration of code that has not been authorized by Microsoft. The link between hardware and software in this chain of trust is the hidden "MCPX" boot ROM. The principles, the implementations and the security vulnerabilities of this 512 bytes ROM will be discussed in this wikipedia article entitled How to fit three bugs in 512 bytes of security code."

Dupe

[dkf]

Thanks for not reading your own site, CmdrTaco

Re:Dupe

[nitio]

Posted by CmdrTaco on Friday August 12, @10:32AM
from the stuff-to-read dept.

Oh the irony...

Re:Dupe

[dr_dank]

These stories aren't the same you see: one is a crazy modern teenager while the one is the sophisticated identical cousin from England.

What a crazy pair, two of a kind!

We'll call it the Patty Dupe Show!

Re:Dupe

[b1t r0t]

That's the fourth bug in 512 bytes of code.

Re:Dupe

[ari_j]

I suspect that they spend most of their time finding all the non-duplicate, insightful articles that have been submitted so that they can reject them.

Re:Dupe

[Momoru]

I've noticed a decent amount of code changes that appear to be implemented, and then rolled back. (Testing in production i suppose?) One I noticed a month or two ago that was gone a day or two later was an "Alter Relationship" link instead of seeing the friend/foe bubbles. Another change they rollout and rollback seems to be allowing Anonymous cowards posting from proxies...sometimes i can post as anonymous at work, sometimes not (mostly not...with the "Slowdown cowboy, Its been 15 minutes since you last

Re:Dupe

[Metasquares]

"Alter Relationship" is the alt text for those buttons. The image might not have loaded :)

Re:Dupe

[Skye16]

http://www.google.com/search?hl=en&lr=&q=site%3Asl ashdot.org+dupe&filter=0 [google.com]

Re:Dupe

[Deagol]

Shouldn't that be "site:slashdot.org intitle:xbox intitle:boot"?

Sounds like....

[wgray8231]

The title of a seminar held on the Redmond, WA campus.

Not Wikipedia

[c0l0]

Just because some text is available on a Wiki, it's not automatically so on Wikipedia, y'know?

Re:Not Wikipedia

[Zeinfeld]

The article is completely wrong when it says that the article is on Wikipedia, it is in a Wiki. Which is probably why a lot of people will do what I did and visit the site thinking 'massive NPVO violation'.

Of course what is really going on here is a massive competence violation on the part of Commander Buritto

Re:Not Wikipedia

[ari_j]

Not to mention that the article itself sucks. It's informative, yes, but I really can't imagine anyone but Mort or Neil Goldman (from Family Guy) writing it.

Re:Not Wikipedia

[maxwell demon]

I guess he just got confused because the Wiki is a MediaWiki, which is the Wiki developed and used for Wikipedia (and all other Wikimedia Wikis), and it's obviously also using the default stylesheets (or an only slightly modified version of them), and therefore has the same look and feel as Wikipedia (which is clearly different from the look and feel of most other Wikis).

Deja Vu is just...

[SynapseLapse]

the slashdotrix adjusting itself... Pay no attention to that cat.

Re:Deja Vu is just...

[Dr.Opveter]

Well at least your post in this topic helped me remember the title of a game i used to play on the Apple, Deja vu! Thanks :-)

Wikipedia

[mnemonic_]

The principles, the implementations and the security vulnerabilities of this 512 bytes ROM will be discussed in this wikipedia article entitled How to fit three bugs in 512 bytes of security code.

So it seems someone doesn't know the difference between a page with wiki technology and Wikipedia [wikipedia.org].

This is not a wikipedia article...

[afabbro]

...otherwise, the domain would be wikipedia.org. Not every site that runs MediaWiki is the Wikipedia.

You'd expect "editing" to catch something like that...

Re:This is not a wikipedia article...

[Philmeeh]

Ahh yes but I wouldn't expect editing to occur on Slashdot

*frwooomp*

[Akardam]

Neeeeeeoooooobody expects the Slashdot editors! Our chief weapons are laziness, laziness and corporate shilling, our *two* weapons are laziness and corporate shilling...

oh, I give up.

Re:This is not a wikipedia article...

[doublem]

"editing" on slashdot????

Are we reading the same site?

What is this "editing" of which you speak. I see it elsewhere, but I thought it was banned here or something.

Shouldn't the editors at least RTFA?

[hunterx11]

Not only is this a dupe, but the summary claims that the link is a Wikipedia article. Guess what--not every site running MediaWiki is WIkipedia. In fact, I'm pretty sure that only Wikipedia is Wikipedia.

Re:Shouldn't the editors at least RTFA?

[someonewhois]

You know the irony? Browsing at +3 threshold right now shows two posts in a row:

1. http://hardware.slashdot.org/comments.pl?sid=15882 1&cid=13303204 [slashdot.org]
2. http://hardware.slashdot.org/comments.pl?sid=15882 1&cid=13303209 [slashdot.org]

I love how they have the EXACT same sentence of "not every site running mediawki is wikipedia".

Howto fit 2 stories in the same

[bigdady92]

512b of space. NExT ON SLASHDOT!

Ah, slashdot

[EvilMonkeySlayer]

The thing everyone needs to remember is that slashdot is akin to Norman Bates, a lot of them are confused, a lot of them crossdress and are very often psychotic.

So, the next time you see a dupe.. remember, be quiet.. or you could be murdered by a crossdressing psychopath.

Re:Ah, slashdot

[doublem]

You say that like it's unusual in IT. Do you mean to say you never interviewed a job candidate named Phred, whose gender could not be determined, and was a source of debate office for weeks afterwards?

(Note, despite the fact that I wanted to hire him/her, the company owner tossed the resume when he saw that he/she had listed web sites for Gay and Lesbian groups among those she/he had designed, and was giving as resume examples.)

Re:Ah, slashdot

[yamla]

I'm curious, is that legal in the U.S.? That is, tossing out a resume because the applicant designed sites for gay and lesbian groups? It certainly isn't in Canada.

Re:Ah, slashdot

[Gordonjcp]

I can't see why it *would* be illegal. You're not under any obligation to hire someone.

Re:Ah, slashdot

[yamla]

You are under an obligation not to discriminate against certain protected groups. Having a policy of never hiring black people would be illegal, for example.

Re:Ah, slashdot

[Gordonjcp]

And? You're discriminating because you don't like the work someone has done. What's the problem?

Re:Ah, slashdot

[yamla]

Oh, I'm sorry, I misunderstood. I thought your boss was discriminating against them not because of their work but because the work was done for gay and lesbian groups. In any case, we are pretty far off-topic here, so I'll drop it.

Re:Ah, slashdot

[Gordonjcp]

Well for one thing, it's not *my* boss. For another, you are (as I already said) under no obligation to hire someone. If I don't hire you because I just plain don't like you, tough shit.

Re:Ah, slashdot

[Cerv]

Equal oppertunity laws perhaps.

Re:Ah, slashdot

[Simon Brooke]

I can't see why it [not hiring someone because of their age, gender, race or sexual orientation] *would* be illegal. You're not under any obligation to hire someone.

In Europe, while you're under no obligation to hire someone, you cannot legally use considerations of e.g. race or sexual orientation in deciding not to hire them, and if they can prove you did decide not to hire them on such grounds you're in serious shit. This seems to me, on the whole, fairly reasonable.

Re:Ah, slashdot

[MysteriousPreacher]

Even if it is illegal in the US, the difficult thing though would be proving it unless the recruiter were stupid enough to say something like "We don't really want any of your people here."

Re:Ah, slashdot

[doublem]

It depends on the state. It's discrimination of the first order, but sexual orientation isn't consistently protected across the board. The company's habit of tossing resumes based on "foreign sounding names" was highly illegal, but doing so because the applicant was gay, bisexual or androgynous may not have been.

Re:Ah, slashdot

[jericho4.0]

Sexual orientation is not protected in the US, and it's quite a recent addition here in Canada, also.

On a side note, I did some work years ago with a web design firm that had a lot of lefty gigs. Greenpeace, David Suzuki Foundation, etc. This fact undeniably lost me (and the company) other work.

Re:Ah, slashdot

[doublem]

You know, I hadn't thought of that. That guy was so over the top homophobic, that it wouldn't surprise me if he was repressing a burning need for some man love.

BTW: This was at a previous job. The company that routinely discarded resumes because of "foreign sounding names" or implied sexual orientation has since been bought out by a larger firm. The owner who tossed the applicant's resume got a few million in the buyout, and most of the rest of the staff got pink slips.

I changed jobs before getting a pi

Wait, isn't that a Fark cliche'?

[larsoncc]

Everytime you masturbate, a Slashdot dupe is posted.

So, basically, A LOT.

Re:Wait, isn't that a Fark cliche'?

[Fulcrum of Evil]

Everytime you masturbate, a Slashdot dupe is posted.

Nah, there'd a whole lot more dupes then.

But one editor...

[doublem]

I don't know. From what I've been told, one editor named after a mexican dish looks smashing in a cocktail dress and red garters.

Re:Ah, slashdot

[mmkkbb]

A taff? Google says: The plain of Karbilá in which vicinity Imám Husayn was martyred.

So that's six bugs per kilobyte?

[mikeophile]

Is that over or under Microsoft's par?

Re:

[account_deleted]

Comment removed based on user account deletion

Curses, foiled again.

[doublem]

Well, there goes my plan of using a fleet of Xbox2s as a render farm to compete with Wetta.

I guess I'll have to go back to scrounging parts from the MIT Flea.

Re:So that's six bugs per kilobyte?

[MrHanky]

Neither, really. 3840 bugs should be enough for everyone.

Slashdotted or what?

[lofoforabr]

Anyone able to RTFA? Fatal error: Call to a member function on a non-object in /home/groups/x/xb/xbox-linux/htdocs/w/includes/Obj ectCache.php on line 409

How to fit 3 bugs in 512 bytes of security code

[CSHARP123]

Easy. Just put one bug in every 170.666666666666667 bytes and you will be done.

What about hardware?

[AltGrendel]

I haven't finished RTFA yet, but I wonder if this will work with that "MS Appproved Hardware" initiative that I've read about.

Microsoft Consistency

[Blindman]

At least Microsoft provides the same level of security to it own hardware as its does yours. You can't accuse Microsoft of playing favorites.

Sensationalist trash.

[AceJohnny]

Wow. Was it something in the coffee this morning?

First of all, it a dupe with another article [slashdot.org] in the games section.

Then it's wrong. The article isn't from wikipedia.

Finally, nice sensationalist terms:
- Oh noes, this code locked out GNU/Linux! Bad Microsoft!
- Hah, Microsoft can't even write 512 bytes of code without bugs!

Oh, and that last part was only the subtitle of the article, not the real title. But no thanks for pointing it out.

Read the interesting linked article, or the comments on the original post on games.slashdot, but this article here is exactly what I don't like seeing on Slashdot.

Interesting Read

[Shads]

That was really interesting, and while it's a dupe it's the first time I've come across it.

I hadn't really tinkered in my x-box's internals just due to lack of time (I had previous tinkered with my ps1 and n64 a bit.)

I'm an amateur when it comes to assembly but the way that was presented made it pretty much easily readable for anyone. Kudos to the peeps who made it available.

Re:Interesting Read

[jandrese]

The original was in the games section, it never made it to the front page. That's probably why you have never read it.

Re:Interesting Read

[interiot]

And yes, quadruple kudos to the author for taking the time to make all the technical details very accessible for a first-time reader.

Nice to read...

[AchilleTalon]

Microsoft has managed to include only three bugs, after all, they had a whole 512 bytes to include much more.

I wonder

[bornyesterday]

how many times slashdotters can say both "dupe" and "just because it's wiki doesn't mean it's wikipedia" for the same article.

Re:I wonder

[jpetts]

Meta-whining: coming soon to a Slashlog near you...

Re:I wonder

[Idarubicin]

how many times slashdotters can say both "dupe" and "just because it's wiki doesn't mean it's wikipedia" for the same article.

At least once more, apparently....

Re:I wonder

[lawpoop]

I wonder how much metacommentary there will be about these issues...

For best results...

[raehl]

Use small bugs, like gnats.

Internal ROM is cheap!!

[mrm677]

The article explains how having lots of internal ROM in an IC is expensive.

The is absolutely false. I worked on a cellphone product in which the main IC (DSP, MCU, etc) had 4k of internal ROM. The cost of the entire part was less than $15 and remember, this included _all_ of the digital circuitry.

You can easily have more than 512 bytes of internal ROM.

An actual on-topic comment

[kurtkilgor]

So, I have a question actually relevant to this article. The article says that the CPU was supposed to jump to address FFFF_FFFF, turn off the ROM, then roll over to 0000_0000, where the CPU would throw an exception thus halting the CPU. However, says the article, the CPU does not in fact throw an exception in this case.

So my question is, how did the hackers who reverse engineered this code conclude that it was supposed to trigger an exception? It seems hard for me to believe that the MS engineers would base their entire security mechanism on a feature of the CPU that didn't actually exist.

Re:An actual on-topic comment

[Geoffreyerffoeg]

Just a theory...IIRC, the Xbox processor is slightly customized, right? It's not the generic off-the-shelf Celeron? So I suppose that when MS was asking Intel to make Xbox processors, Intel asked the MS guys, "Do you need it to throw an exception when the instructioon pointer overflows? We can make the chip slightly cheaper by removing that feature." MS thought for a second and said, "We're putting security on all the code that goes in, so we can watch for that feature. Besides, the users can't do anything if the CPU halts in a commercial game; it may as well overflow and crash that way. So no, we don't need that feature." And they forgot to ask their security team itself, who was relying on that feature, which was present in the development systems only.

From the article:
Apparently the i386 CPU family throws no exception in this case, Microsoft's engineers only assumed it or misread the documentation and never tested it.

Does anyone know which CPUs actually throw exceptions? I have a feeling the security team tested their code on one that did.

Why?

[Locke2005]

512 bytes is a very small amount of code (it fits on a single sheet of paper!), compared to the megabytes of code contained in software like Windows, Internet Explorer or Internet Information Server. Three bugs within these 512 bytes compromised the security completely - a bunch of hackers found them within days after first looking at the code. Why hasn't Microsoft Corp. been able to do the same? Why? Uh, maybe because they simply don't give a shit?

Re:dupe

[moonbender]

Not only that, it's also certainly not a Wikipedia article. Not every Wiki is Wikipedia, for crying out loud.

Re:dupe

[RealityMogul]

Challenge to Perl geeks -

Write a dupe checker in 512 characters.

Re:Hey now...

[FireFlie]

It would seem that this article has nothing to do with wikipedia either (except mentioning the name). Correct me if I'm wrong, but wiki != wikipedia.

Re:Hey now...

[1u3hr]

In all fairness, the previous posting of this had NOTHING about Wikipedia in it. Perhaps that was the intended news to spread?

Duplicate story, duplicate link.

The previous article [slashdot.org] linked to the same page on xbox-linux.org, which is a wiki; not part of "The" wikipedia. [wikipedia.org] Taco is asleep at the switch again.

Re:chain of trust?

[WhatAmIDoingHere]

Maybe the chain of Anti-Trust?

Re:chain of trust?

[MCraigW]

Actually, "distrust".

Re:Why?!

[Agret]

Spoken like a true person who hasn't seen a modded xbox.

MOD PARENT UP INSIGHTFUL

[th0mas.sixbit.org]

If I had the points, I would. Precisely what I thought when I read the GP's comments.

Until you see xbox media center play media off a remote samba share, or you sit down and enjoy playing all your old console games in similiar environment (tv/couch).. you would say things like the GP. Afterwards you would shut your mouth and learn to mod your xbox.

Re:Why?!

[brokenarmsgordon]

What is morally wrong about doing whatever you want with something you paid for and own?

What's morally wrong is anyone arbitrarily dictating what you can and cannot do with your personal property.

Re:Why?!

[Have Blue]

The Xbox lockdown was always about pirated games. MS knows that only a small fraction of the audience cares about homebrew or Linux.

Re:Why?!

[jedrek]

I dunno... My XBox is modded to hell and back and I can't remember the last time I actually played a game on it, not to mention I own all the games I've played. All 15 titles are on my hard drive, along with a bunch of movies and TV shows. See, the main thing I used it for is viewing media. XBMC is the first position on my EVOX dashboard.

Re:Why?!

[mprinkey]

Maybe you should just boot XBMC as your dashboard instead of EVOX. It works pretty well.

Re:Why?!

[HD Webdev]

What is morally wrong about doing whatever you want with something you paid for and own?

What's morally wrong is anyone arbitrarily dictating what you can and cannot do with your personal property.

I'm pretty sure that sheep wouldn't agree with you.

Re:Why?!

[Hoplite3]

I see no philosophical problem with Microsoft locking their BIOS down, using trusted computing to prevent unauthorized code.

What I have a problem with is the law that says I can't try to break the lock on something I own. I have a problem with the law that says I can't talk about this activity.

Now, I prefer to buy robust, user-modifiable devices. I will spend my dollars on my preference. I worry about the marketplace being dominated by TCPA devices, but I don't have a philosophical objection to those things existing.

The DMCA is just beginning to effect our lives. Give it another ten years to poison "intellectual property". If people own ideas, enforcement can only come in the form of thought control.

Re:Why?!

[AnalogDiehard]

The Xbox is the loss leader for M$, they get their profit back on the games you play on the box.

If you just want an Xbox for a cheap linux box and you don't buy games, M$ loses. This move is just to protect their return on investment. I'm not a fan of M$ but this is a legitimate business decision.

Sort of like Macrovision filing patents on circumvention methods of their own systems, that way if a third party sells a circumvention box then Macrovision can put them out of business citing patent infringem

Re:Why?!

[MCraigW]

What is morally wrong about doing whatever you want with something you paid for and own?

What's morally wrong is anyone arbitrarily dictating what you can and cannot do with your personal property.

Lets see, I bought this nice music CD, I paid for it, so I own it, or do I? Can I share it with a few friends?

Re:Why?!

[TCM]

Lets see, I bought this nice music CD, I paid for it, so I own it, or do I? Can I share it with a few friends?

I dunno about you, but I still remember a time where it was perfectly legal to give a copy to your friends.

Re:Why?!

[TorKlingberg]

Killing people is wrong. If you do it with a gun or not doesn't matter.

Playing with electronics is not wrong. And as long as it is your there is no problem.

Re:Why?!

[rindeee]

Are you serious? Put down the kool-aid for a sec and consider this. If I buy something (a physical something), I own it. It's mine. If I buy and X-Box and am of the ilk that likes to know what makes things tick, it's my prerogative (and certainly within the bounds of morality) to tear it apart and put it back together. If I can make my X-Box boot Linux (which, contrary to your implication can have a very significant and useful purpose) then more power to me. I will certainly share my knowledge with others who wish to do the same. When it comes to stealing games (copyrighted works of "art"), you are dealing with an entirely different issue. That is akin to me being able to throw my buddy's X-Box into a replicator, push a few buttons and voi lah! 2 X-Boxen. Don't confuse the two concepts. Now, commence kool-aid drinking.

Re:Why?!

[LWATCDR]

"But damn can't we at least brand the people who are breaking the EULA's and such for these "hacks." "
What EULA? When I bought my XBox I did not sign anything?

"At least I am not the unscrupulous individual who is taking the time and effort into doing something that is morally wrong."

Okay why is it unscrupulous to hack a product I own to do what I want to do with it? If I guy a house is it immoral to add on a room or to tile the floor? If I buy a book is it wrong for me to make notes in the margin? If I buy a CD is it wrong to skip the tracks I really do not like? If I buy a model kit and us those parts to make a different model is that evil? If I buy a car and then put in a new stereo system and better shocks am I dammed to hell? Just how is any of this unscrupulous or immoral?
If their is a bug in that boot code that has security issues then how bringing it to light any more immoral than reporting that flaw in a car publicly?

Your concept of what is moral and what is not is odd at best. If you just want to play games on your XBox then to play some games.

Re:Why?!

[FurryFeet]

If I guy a house is it immoral to add on a room or to tile the floor?

Dude, I don't know what "guying a house" is, but I'm quite sure it should be immoral.

Re:Why?!

[Lumpy]

Why cant people cook over fire like ogg instead of hacking it?

I build fire, I cook over fire. But Ugg over there has to mess up fire by changing it and adding stone cover over fire and slate door in front of fire to make fire do things it was not intended to.

now Ugg is spreading this evil change to fire and giving away this really evil "bread" he cooks in his "oven" that is against the EULA of fire.

Cooking over fire is quite simple and those chaging fire are only making it more difficult for others wanting

Re:Why?!

[Not_Wiggins]

Dude... don't pick on ogg; it's having a hard enough time trying to kick mp3's ass to worry about how to improve fire.

Re:Why?!

[interiot]

Well, EULAs are contracts, and in a country that follows the rule of law, following contracts is one of the keys to a stable society.

On the other hand, what manufacturers seem to be doing is clearly somewhat abusive, and even though they're not cooperating with each other, most EULAs will probably contain abusive language, so consumers aren't likely to have a choice about which contract they enter into.

On the other hand, quotes like this [cbronline.com] give me a little hope that more and more people are seeing the val

Re:Why?!

[Eivind Eklund]

Why can't people just play the XBox instead of hacking it? I mean seriously, you don't see me hacking my XBox. I buy a game, I play a game. It is quite simple. [...] If they had three freaking bugs, whoopy do. At least I am not the unscrupulous individual who is taking the time and effort into doing something that is morally wrong.

That's debatable. By buying XBox games, you're giving financial support a convicted monopolist. To me, there are some moral issues with that. I resolve them by using neither

Re:Why?!

[Eivind Eklund]

Yeah, it does, or at least did. The normal cycle for consoles is subsidy for the first year or so and then very slight profit per console, making the rest up in games.

However, knowing myself and my friends: Without the hardware it's much easier to avoid the temptation of buying, being given as gifts, or pirating those games ;)

Eivind.

Re:Why?!

[Locke2005]

WTF? It's "morally wrong" to try to figure out how things actually work, then tell other people? So science is morally wrong then, we should just beleive what are leaders tell us, and never question anything? Well, at least you and Al Queda agree on something! Man, people making assinine statements like that about things being "morally wrong" is the best argument I've seen yet why creationism should NOT be taught in the schools... you've got it backwards; intentionally remaining ignorant is the most morally

Re:Why?!

[Intron]

That's why I always rub bacon on the shrink-wrap and let my dog open it. Then he's bound by the EULA, not me.

Re:Why?!

[b1t r0t]

Or you could just rub Beggin' Strips on the shrink wrap, and your dog would still open it because he can't tell it isn't bacon!

Re:Why?!

[mfrank]

What, you don't have (or know anybody that has) a child? Or just have a neighbor do it.

I bet you drawer full of CDs smells...interesting.

Re:Why?!

[justforaday]

Your homework had an EULA? *confused*

Re:Why?!

[mrRay720]

Well you may have a valid point about your ability to turn the XBox into a better media player, but your describing this this as "hacking out of necessity" is completely laughable. You need a media modded XBox to live or something?

Re:Why?!

[FinestLittleSpace]

Please send me torrent links for hardware as I require a new GFX card.

K kewl thx omg!!!!!!1111ONEONE!

Re:Why?!

[xs650]

It's a long tradition. Children have been getting more enjoyment playing with the boxes their Xmas gifts came in than the gifts themselves for decades.

That's because the boxes are often more interesting and allow more use of their minds.

Re:3 bugs?

[chrismcdirty]

Please show me where they trounced Nintendo in the market place. And when I say market place, I consider the entire world where Nintendo and Microsoft have basically been neck and neck in hardware sales since their respective releases. Sure, Microsoft is doing surprisingly well in NA, but Japan is a different story.

Re:Pointless

[Nightspirit]

What are you talking about? The security stops everyone who does not have a modded xbox from playing copied games. Infact, the security is decent enough that you can't copy Xbox DVDs on your computer, you have to ftp from the DVD drive on the Xbox (which you can only do on a modded xbox). Sure, with a modchip you can bypass the protection, but what percent of xbox owners have a modchip or softmod? Likely the number is low enough to be insignificant. So it accomplishes exactly what they want it to do: stop