Slashdot Mirror


New "Secure" Xbox Cracked In Under A Week

ilsie writes "Numbnut says it all in his post at xboxhacker.net. To quote his post, 'On behalf of the Xbox Linux Team, I am proud to announce that at 10:45BST the 'v1.1' secure version of the Xbox was proven to be running arbitrary BIOS code in a normal 256KByte modchip - with no additional hardware required. In short, in under a week we were able to normalize the new box to enable it to interoperate with Linux properly.'"

7 of 331 comments

  1. This actually _is_ funny. by TrueKonrads · · Score: 5, Informative

    It brings me to the following thought: you can't protect anything that the user has physical access to. The same situation is observable with CD 'copy (mis)protection'. Smart lads crack it in a one-week session. Maybe people should stop wasting money on copy protections and focus instead on the actual product?

    --
    Lone Gunmen crew.
  2. Re:This new xbox not really done for 'security' by Troed · · Score: 5, Informative
    Oh, so you mean the totally new chain of trust, hashing and public key crypto they put in between the MCPX and the BIOS wasn't a security upgrade?


    Here's a thread you need to study.

  3. Some Background by warmcat · · Score: 5, Informative

    Disclaimer: I am numbnut.

    The 1.1 version of the Xbox is certainly designed to be Palladium Lite. The concept is that no code is executed unless it matches a one-way hash signature. The only exception is the boot ROM (512 bytes) which lives in the nVidia-designed MCPX chip; this is used to validate the next code to execute, which validates the next code to execute and so on.

    Unfortunately for MS (and perhaps nVidia), they chose a hashing algorithm which already had a known flaw. The hash, which works on QWORDS (64-bit quantities) is completely insensitive to b31 and b63 of a QWORD both being inverted.

    Doubly unfortunately for MS, the VERY FIRST DWORD of the hashed region is the entry point, and contains a long relative jump. The effect of flipping b31 and b63 on this QWORD is to retarget the jump to RAM.

    Triply unfortunately for MS, they have a small interpreter built into their ROM code, whose instruction set is capable of IO and memory r/w before the bootrom is validated and executed. It was trivial to add some memory writes to the interpreted code stream to prep the memory targeted by the modified jump with a jump back into the flash.

    The end result is perversion of the hashed region in a way invisible to the hashing algorithm, and execution flow jumping to arbitrary code in the flash.

    I urge anyone interested in both the technical detail and the larger issues raised by this to read the threads on http://www.xboxhacker.net as this is a much larger issue than simply another Xbox crack.
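    The hash flaw numbnut describes, reproduced below as an added worked example (not code from the post or from the Xbox Linux Team). The comment does not name the algorithm; the block uses TEA (Tiny Encryption Algorithm) with the image bytes fed in as the cipher key, which has exactly the stated property and is the cipher publicly identified with this revision's boot hash. The Davies-Meyer chaining, the IV and the 32-byte sample image are this example's own assumptions, and the sample bytes are constructed, not ROM contents.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Constructed sample "hashed region": an E9 rel32 long jump at the entry point
 * (displacement 0, i.e. to the next instruction) followed by NOP padding.
 * Not Xbox ROM contents; just bytes shaped like the layout the comment describes. */
#define SAMPLE_LEN 32
static const uint8_t sample_image[SAMPLE_LEN] = {
    0xE9, 0x00, 0x00, 0x00, 0x00, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
    0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90, 0x90,
};

static uint32_t le32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
           ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}

/* Standard TEA: encrypt the 64-bit block v[0],v[1] under the 128-bit key k[0..3]. */
static void tea_encrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < 32; i++) {
        sum += 0x9E3779B9u;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0; v[1] = v1;
}

/* Hash built from TEA: each 16-byte chunk of the image is the TEA key used to
 * encrypt the running 64-bit state, which is XORed with the result
 * (Davies-Meyer chaining; an assumption of this example). Because
 * (x + k0) ^ (y + k1) is unchanged when bit 31 of both k0 and k1 is inverted
 * (the carry out of bit 31 is discarded mod 2^32), every 8-byte-aligned QWORD
 * of the image has a twin with bits 31 and 63 inverted that hashes identically. */
static void tea_hash(const uint8_t *img, size_t len, uint32_t out[2]) {
    uint32_t h[2] = { 0x01234567u, 0x89ABCDEFu };  /* arbitrary fixed IV */
    for (size_t off = 0; off + 16 <= len; off += 16) {
        uint32_t k[4] = { le32(img + off), le32(img + off + 4),
                          le32(img + off + 8), le32(img + off + 12) };
        uint32_t v[2] = { h[0], h[1] };
        tea_encrypt(v, k);
        h[0] ^= v[0];
        h[1] ^= v[1];
    }
    out[0] = h[0];
    out[1] = h[1];
}

/* Hash the image, then hash a twin with bit 31 of the QWORD at byte offset off
 * inverted and, if pair is nonzero, bit 63 of that QWORD as well.
 * Returns 1 if the two hashes differ, 0 if they collide, -1 on a bad offset. */
int hash_changes(const uint8_t *img, size_t len, size_t off, int pair) {
    uint8_t twin[SAMPLE_LEN];
    uint32_t h0[2], h1[2];
    if (len > SAMPLE_LEN || off + 8 > len) return -1;
    memcpy(twin, img, len);
    twin[off + 3] ^= 0x80;            /* bit 31 of the little-endian QWORD */
    if (pair) twin[off + 7] ^= 0x80;  /* bit 63 */
    tea_hash(img, len, h0);
    tea_hash(twin, len, h1);
    return h0[0] != h1[0] || h0[1] != h1[1];
}

/* Target of an E9 rel32 jump at the start of the image when loaded at base;
 * 0 if the first byte is not E9. Bit 31 of the first QWORD is bit 7 of byte 3,
 * which lies inside the rel32 immediate (bytes 1..4), so the pair flip moves
 * the target by 0x800000 while the hash stays the same. Whether that lands in
 * RAM depends on the memory map; the comment says it does on the Xbox. */
uint32_t jump_target(const uint8_t *img, uint32_t base) {
    if (img[0] != 0xE9) return 0;
    return base + 5 + le32(img + 1);
}

uint32_t retargeted_jump(const uint8_t *img, uint32_t base) {
    uint8_t twin[8];
    memcpy(twin, img, 8);
    twin[3] ^= 0x80;
    twin[7] ^= 0x80;
    return jump_target(twin, base);
}

int main(void) {
    printf("pair flip changes hash:   %d\n", hash_changes(sample_image, SAMPLE_LEN, 0, 1));
    printf("single flip changes hash: %d\n", hash_changes(sample_image, SAMPLE_LEN, 0, 0));
    printf("jump target 0x%08x -> 0x%08x\n",
           jump_target(sample_image, 0), retargeted_jump(sample_image, 0));
    return 0;
}
```

    Compile with `cc -std=c99 tea_flip.c && ./a.out`. The single-bit flip is checked as well, to show the blindness is specific to the pair rather than a generally broken hash: the adder terms `(v1<<4)+k0` and `(v1>>5)+k1` each have bit 31 inverted and the XOR between them cancels the change, which is why any QWORD-aligned pair of words can be altered without detection.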

  4. Reverse engineering NOT a given by m11533 · · Score: 5, Informative

    I would recommend you read up on the legal issue of reverse engineering because it is under attack and it is not at all obvious that it will survive. I believe the latest issue of ACM Communications has an excellent article on the topic. Recent US Government laws are very disconcerting.

  5. Re:EULA changes? by Jeremiah+Cornelius · · Score: 5, Informative
    AMD didn't reverse engineer Intel's CPUs. They used to work together on processors
    Well, I wouldn't say "work together"... :-P

    AMD had some fantastic processes for -- at the time -- incredibly fine micron CMOS fabrication. Intel had dink to show in the fab department. In order to build a 386 faster than 16 MHz, that wouldn't require raised-floor equipment to keep cool, they needed a license on AMD's fabrication technology.

    AMD traded this license for a license on 286 and future technologies. What these future technologies comprised was the grounds for the Intel/AMD legal battles of the '90s. The courts agreed this was inclusive of the i386 microcode, and the rest... is history.

    --
    "Flyin' in just a sweet place,
    Never been known to fail..."
  6. Re:The Xbox is Microsoft's test of Palladium by cschieke · · Score: 5, Informative

    While there is actually some logic to that position, there is some history that shows this is a bad approach for MS to take. Way back in 1997, Ian Goldberg presented a talk on (among other things) how in Europe incremental changes to the security of GSM networks led to a whole "generation" of well-trained hackers. I don't think MS is really looking to do that for the community.

  7. Re:EULA changes? by starling · · Score: 5, Informative

    That was the BASIC, which was based on a listing of Dartmouth BASIC which they found in the trash. All MS did was port it to a different processor. They bought MSDOS from another company.

    That's right, MS's original flagship products weren't written by MS. They started as they meant to continue.