17 Mistakes Microsoft made in the Xbox Security System

Burger

Member
http://www.xbox-linux.org/wiki/17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System

A fascinating, if quite technical read.

It describes basically how hackers penetrated the Xbox security, and the failures Microsoft made in securing their console properly.

Some things I did not know:

Decrypting flash memory contents into RAM is a challenge if we are living inside the first few hundred bytes of code after the machine has started up: At this point, RAM might not be stable yet. The reason for this is that Microsoft bought cheap RAM chips; they just took everything Samsung could give them to lower the price, even faulty ones, i.e. chips that will be unstable when clocked at the highest frequencies specified.

The Xbox is supposed to find out the highest clock speed the RAM chips can go and run them at this frequency - this is the reason why some games don't run as smoothly on some Xboxes as on others. So the startup code in the secret ROM has to do a memory test, and if it fails, clock down the RAM, do another memory test, and if it fails again, clock down again, and so on, until the test succeeds or the RAM cannot be clocked down any further.

Modchips appeared: Some of them had a complete replacement flash memory chip on them, others only patched a few bytes and passed most reads down to the original flash chip. All these modchips had to be soldered in parallel to the original flash chip, using 31 wires.

Now other people found out that, if the flash chip is completely missing, the Xbox wants to read from a (non-existent) ROM chip connected to the (serial) LPC bus. This is of course because of the manufacturing process: As it has been explained before, the flash chip gets programmed in-system, the first time they are turned on, using an external LPC ROM chip. Modchip makers soon developed chips that only needed 9 wires and connected to the LPC bus. It was enough to ground the data line D0 to make the Xbox think that flash memory is empty.

Lots of these "cheapermods" appeared, as they only consisted of a single serial flash memory chip. They could be installed within minutes, especially after some companies started shipping chips that used pogo pins, so that no soldering was required.

I knew about D0, but had no idea what it actually did.

The Xbox being a PC, it should be trivial to install Linux on it in order to have a cheap and, for that time, powerful PC. Even today, a small and silent 733 MHz PC with TV connectivity for 149 USD/EUR is still attractive. But this is not the only thing Microsoft wanted to prevent. There are three uses that should not have been possible:

* Linux: The hardware is subsidized and money is gained with the games, therefore people should not be able to buy an Xbox without the intent to buy any games. Microsoft apparently feels that allowing the Xbox to be used as a (Linux) computer would be too expensive for them.
* Homebrew/Unlicensed: Microsoft wants the software monopoly on the Xbox platform. Nobody should be able to publish unlicensed software, because Microsoft wants to gain money with the games to amortize the hardware losses, and because they do not want anyone to release non-Internet Explorer browsers and non-Windows Media Player multimedia software.
* Copies: Obviously it is important to Microsoft that it is not possible to run copied games on the Xbox.

Microsoft decided to design a single security system that was supposed to make Linux, homebrew/unlicensed software and copies impossible. The idea to accomplish this was by simply locking out all software that is either not on the intended (original) medium or not by Microsoft.

On the one hand, this idea makes the security system easier and there are less possible points of attack. But on the other hand, 3 times more attackers have a single security system to hack: Although Open Source and Linux people, homebrew developers, game companies as well as crackers have little common interests, they could unite in this case and jointly hack the Xbox security system.

Of the three consoles of its generation, Xbox, Playstation 2 and GameCube, the Xbox is the one whose security system has been compromised first, the one that is now easiest to modify for a hobbyist, the one with the most security system workarounds, and the one with the most powerful hacks. This may be, because the Xbox security is the weakest one of the three, but also because Open Source people, homebrew people and crackers attacked the Xbox, while the Open Source people did not attack the Playstation 2, as Linux had been officially supported by Sony, so the total number of hackers was lower, buying them time.

Of course, Microsoft are not about to release a Linux kit for the Xbox anytime soon...
 
i've been looking into building a new computer just to be a linux fileserver. but getting a used xbox and throwing in a bigger hard drive is something i may also consider...
 
this is hilarious. A+ comedy reading, guys. seriously, this shit is more ridiculous than the fiasco that is WEP.

coincidentally, it also involves rc4! why is ron so popular with these industry dolts anyways?
 
The Xbox is supposed to find out the highest clock speed the RAM chips can go and run them at this frequency - this is the reason why some games don't run as smoothly on some Xboxes as on others. So the startup code in the secret ROM has to do a memory test, and if it fails, clock down the RAM, do another memory test, and if it fails again, clock down again, and so on, until the test succeeds or the RAM cannot be clocked down any further.

This would absolutely break some games (those locked at 60fps for example). This would only work if xbox had all variable framerate games. This is a load of bullshit.
 
Of the three consoles of its generation, Xbox, Playstation 2 and GameCube, the Xbox is the one whose security system has been compromised first, the one that is now easiest to modify for a hobbyist, the one with the most security system workarounds, and the one with the most powerful hacks.

YES LET'S FORGET ABOUT THE PS2 BEING OUT BEFORE THE XBOX AND FLIPTOPS WITH SWAP MAGIC. :lol
 
atomsk said:
i've been looking into building a new computer just to be a linux fileserver. but getting a used xbox and throwing in a bigger hard drive is something i may also consider...

Would it be safe for the console to leave it on all the time? Or is there some type of standby feature that still allows you to access the files on the HDD?
 
In order to find out what was wrong, bunnie rewrote the top of flash with his own code, and later even completely erased the upper 512 bytes, but the Xbox still booted! So it was obvious to him that this region gets overridden by some internal code. As it turned out later, the code in the upper 512 bytes of the flash image was a very old version of the secret ROM code, which had been unintentionally linked to the image by the build tools. It seems like nobody had looked at the resulting image at the end, before they shipped the consoles. This mistake was very close to a fatal one, and Microsoft was lucky that they didn't link the actual version of the secret ROM.
That's so funny :lol

It turned out that the cypher used in the old version of the secret ROM as found in flash memory used the RC5 cypher. In contrast to RC4, RC5 does feed the decrypted stream back into the key stream. So they seem to have replaced RC5 with RC4 without understanding that RC4 cannot be used as a hash. Bunnie's theory why they abandoned RC5 is that RC5 was still a work in progress, and that Microsoft wasn't supposed to have it, so they went for the closest relative - RC4.
omg...

Now other people found out that, if the flash chip is completely missing, the Xbox wants to read from a (non-existent) ROM chip connected to the (serial) LPC bus. This is of course because of the manufacturing process: As it has been explained before, the flash chip gets programmed in-system, the first time they are turned on, using an external LPC ROM chip. Modchip makers soon developed chips that only needed 9 wires and connected to the LPC bus. It was enough to ground the data line D0 to make the Xbox think that flash memory is empty.
This is getting better and better..

So when Microsoft switched from AMD to Intel, they apparently forgot to test their security code again with the new hardware, or to read the Intel datasheets.
I'm at a loss for words here....

After reading Bruce Schneier's book on crypto, we learned that TEA was a really bad choice as a hash. The book says that TEA must never be used as a hash, because it is insecure if used this way. If you flip both bit 16 and 31 of a 32 bit word, the hash will be the same. We could easily patch a jump in the second bootloader so that it would not be recognized. This modified jump led us directly into flash memory.

But why did they make this mistake? Obviously the designers knew nothing about crypto - again! - and just added code without understanding it and without even reading the most basic books on the topic. A possible explanation why they chose TEA would be that they might have searched the internet for a "tiny" encryption algorithm - and got TEA.
Go microsoft.

Loving the A20 bit. Thanks for posting this!
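
Added example (not part of the post above or of the linked article): the reason TEA fails as a hash is its equivalent-key property. Flipping bit 31 of both `k[0]` and `k[1]` (or both `k[2]` and `k[3]`) leaves the cipher output unchanged, so any hash that feeds message data in as the TEA key collides trivially. The Davies-Meyer-style `toy_tea_hash`, its IV, the helper `hash_after_flip` and the `SAMPLE` words are constructed for illustration and are not the Xbox bootloader's construction.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Reference TEA: 64-bit block v, 128-bit key k, 32 cycles. */
static void tea_encrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < 32; i++) {
        sum += 0x9E3779B9u;
        /* k[0] and k[1] only enter via additions that are then XORed together,
           so flipping bit 31 of both flips bit 31 of two terms and cancels. */
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Constructed Davies-Meyer-style hash (assumption, not the Xbox code):
   every 4 message words are used as the TEA key for the running state. */
uint64_t toy_tea_hash(const uint32_t *msg, size_t nwords) {
    uint32_t h[2] = {0x01234567u, 0x89ABCDEFu};   /* constructed IV */
    for (size_t i = 0; i + 4 <= nwords; i += 4) {
        uint32_t p0 = h[0], p1 = h[1];
        tea_encrypt(h, msg + i);
        h[0] ^= p0; h[1] ^= p1;
    }
    return ((uint64_t)h[0] << 32) | h[1];
}

/* Hash of a copy of msg (max 8 words) with `mask` XORed into `count`
   consecutive words starting at index `first`. */
uint64_t hash_after_flip(const uint32_t *msg, size_t nwords,
                         size_t first, size_t count, uint32_t mask) {
    uint32_t copy[8] = {0};
    if (nwords > 8) nwords = 8;
    for (size_t i = 0; i < nwords; i++) copy[i] = msg[i];
    for (size_t i = first; i < first + count && i < nwords; i++) copy[i] ^= mask;
    return toy_tea_hash(copy, nwords);
}

/* Constructed sample "image": two 16-byte blocks. */
const uint32_t SAMPLE[8] = {0xDEADBEEFu, 0x00C0FFEEu, 0x12345678u, 0x9ABCDEF0u,
                            0x0BADF00Du, 0xFEEDFACEu, 0x13579BDFu, 0x2468ACE0u};

int main(void) {
    uint64_t ref = toy_tea_hash(SAMPLE, 8);
    printf("pair bit31 flip collides:   %d\n", hash_after_flip(SAMPLE, 8, 0, 2, 0x80000000u) == ref);
    printf("single bit31 flip collides: %d\n", hash_after_flip(SAMPLE, 8, 0, 1, 0x80000000u) == ref);
    return 0;
}
```

A hash built on a block cipher is only as collision-resistant as the cipher is free of related or equivalent keys, which is why a verifier should use a function designed as a hash.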
 
of course with the article talking about how they called MS about this stuff, i've got to post:

20030630h.gif
 
How's the Xbox 360's security? Should we expect a way of modding it within the next 1-2 years?
 
this is an extremely good article. there are just a couple points in the analysis that i disagree with:

1. it's not clear that successfully fending off piracy (ie, properly securing a game console) is really the best choice in the game industry. the record has actually shown that, in a crowded market, a certain level of piracy actually helps build critical mass for a console/brand. it's arguable that too much piracy will still kill you (dreamcast), but it's not clear that perfect security is guaranteed to be your best choice in the long run. this is a semantic, non-engineering issue, however.

2. the first lesson in either real-world or theoretical modern security is that perfect security is neither practical, nor possible, for the most part. as butler lampson says "the best is the enemy of the good", and as any theorist will tell you, modern notions of security are based on the relative hardness of breaking a scheme given some assumptions on the resources afforded to an adversary. again, though, this is a semantic point. the radio-edit is just that the article advocates security that is "impossible to break" when it means to advocate security that is provably secure against all reasonable adversaries (the text versus the meaning), and not just kindergarteners and invalids.
 
Chairman Yang said:
How's the Xbox 360's security? Should we expect a way of modding it within the next 1-2 years?
What's known:

* The flash is encrypted with a per-box key
* The key is stored inside the CPU
* The boot ROM is stored inside the CPU
* Also inside the CPU is a hypervisor that verifies the running state of the kernel, making sure there is no modification (RAM checksums), else the Xbox360 panics and blows up!
* The CPU contains RAM inside of it to store the checksums
* All interrupt/exception handling is done by the hypervisor
* All code runs in kernel mode
* The emulator for first generation games can be updated via an official Microsoft download burned to CD by the user, though the CDs' content will be encrypted and signed with public key cryptography.
The Xbox 360's Hard Disk appears to connect to the Xbox 360 via 7-pin SATA, internally the drive connects to the external connector through standard SATA data and power connectors. This should be of some help.
 