New "Secure" Xbox Cracked In Under A Week

ilsie writes "Numbnut says it all in his post at xboxhacker.net. To quote his post, 'On behalf of the Xbox Linux Team, I am proud to announce that at 10:45BST the 'v1.1' secure version of the Xbox was proven to be running arbitrary BIOS code in a normal 256KByte modchip - with no additional hardware required. In short, in under a week we were able to normalize the new box to enable it to interoperate with Linux properly.'"

This actually _is_ funny.

[TrueKonrads]

It brings me to this following tought: You can't protect anything that user has physical access to. Same situation is observable amongst CD 'copy (mis)protection' . Smart lads crack it in one week session. Maybe people should stop wasting money on copy proections and focus instead on actual product?

Re:This actually _is_ funny.

[Bishop]

You can't protect anything that user has physical access to

I think that the designers of the IBM 4758 cryptographic coprocessors might disagree. The IBM4732 is supposed to be tampre proof.

Ofcourse if you were to say that you can't protect anything that users have access to at a reasonable price. Then you would be correct. You would also be correct to say that security is hard and must be integrated into the system from the first design stages and not hacked on later.

Re:EULA changes?

AMD didn't reverse engineer Intel's CPUs. They used to work together on processors.

Re:This new xbox not really done for 'security'

[Troed]

Oh, so you mean the totally new chain of trust, hashing and public key crypto they put in between the MCPX and the BIOS wasn't a security upgrade?

Here's a thread you need to study.

Some Background

[warmcat]

Disclaimer: I am numbnut.

The 1.1 version of the Xbox is certainly designed to be Palladium Lite. The concept is that no code is executed unless it matches a one way hash signature. The only exception is the boot ROM (512 bytes) which lives in the nVidia-designed MCPX chip; this is used to validate the next code to execute, which validates the next code to execute and so on.

Unfortunately for MS (and perhaps nVidia), they chose a hashing algorithm which already had a known flaw. The hash, which works on QWORDS (64-bit quantities) is completely insensitive to b31 and b63 of a QWORD both being inverted.

Doubly unfortunately for MS, the VERY FIRST DWORD of the hashed region is the entry point, and contains a long relative jump. The effect of flipping b31 and b63 on this QWORD is to retarget the jump to RAM.

Triply unfortunately for MS, they have a small interpreter built into their ROM code, whose instruction set is capabel to to IO amd memory r/w before the bootrom is validated and executed. It was trivial to add some memory writes to the interpreted code stream to prep the memory targetted by the modified jump with a jump back into the flash.

The end result is perversion of the hashed region in a way invisible to the hashing algorithm, and execution flow jumping to arbitrary code in the flash.

I urge anyone interested in both the technical detail and the larger issues raised by this to read the threads on http://www.xboxhacker.net as this is a much larger issue than simply another Xbox crack.

Reverse engineering NOT a given

[m11533]

I would recommend you read up on the legal issue of reverse engineering because it is under attack and it is not at all obvious that it will survive. I believe the latest issue of ACM Communications has an excellent article on the topic. Recent US Government laws are very disconcerting.

Re:EULA changes?

[Jeremiah+Cornelius]

AMD didn't reverse engineer Intel's CPUs. They used to work together on processors

Well, I wouldn't say "work together"... :-P

AMD had some fantastic processes for -- at the time -- incredibly fine micron CMOS fabrication. Intel had dink to show in the fab department. In order to build a 386 faster than 16 MHz, that wouldn't require raised-floor equipment to keep cool, they needed a license on AMD's fabrication technology.

AMD exchanged this license, in exchange for a license on 286 and future technologies. The grounds for what these future technologies were comprised of were the grounds for the Intel/AMD legal battles of the '90's. The courts agreed this was inclusive of the i386 microcode, and the rest... is history

Re:The Xbox is Microsoft's test of Palladium

[cschieke]

While there is actually some logic to that position, there is some history that shows this is a bad approach for MS to take. Way back when, in 1997 Ian Goldberg presented a talk on (amoung other things) how in Europe incremental changes to the security of GSM networks lead to a whole "generation" of well trained hackers. I don't think MS is really looking to do that for the community.

Re:EULA changes?

[starling]

That was the BASIC, which was based on a listing of Dartmouth BASIC which they found in the trash. All MS did was port it to a different processor. They bought MSDOS from another company.

That's right, MS's original flagship products weren't written by MS. They started as they meant to continue.

ACM Communications

[BlueboyX]

It is in the latest issue. It says 'reverse engineering under siege,' It doesn't attempt to predict who will win the legal matters, but explains what the threat is and how it will cause extreme harm to the tech industry if reverse engineering is taken away. Most slashdotters probably know most of that, but it is an interesting read.