Slashdot Mirror


New "Secure" Xbox Cracked In Under A Week

ilsie writes "Numbnut says it all in his post at xboxhacker.net. To quote his post, 'On behalf of the Xbox Linux Team, I am proud to announce that at 10:45BST the 'v1.1' secure version of the Xbox was proven to be running arbitrary BIOS code in a normal 256KByte modchip - with no additional hardware required. In short, in under a week we were able to normalize the new box to enable it to interoperate with Linux properly.'"

32 of 331 comments

  1. EULA changes? by KernelHappy · · Score: 5, Insightful

    By any chance, has anyone checked to see if Microsoft modified the EULA when they released the new version of the Xbox? It would be interesting if they stuck anything in there that would strengthen their ability to prosecute and/or seek damages for circumvention of the protection scheme.

    --
    -- Button up, your ignorance is showing
    1. Re:EULA changes? by afidel · · Score: 5, Interesting

      Sorry but reverse engineering is pretty well established; if it wasn't then modern PCs wouldn't exist, as Compaq would not have been able to reverse engineer the IBM BIOS and AMD would not have been able to reverse engineer the Intel CPU. Now they could try to come after them with the DMCA, but AFAIK these mod chips do not allow access to any protected content, but rather allow you to run arbitrary software on the hardware.

      --
      There are 4 boxes to use in the defense of liberty: soap, ballot, jury, ammo. Use in that order. Starting now.
    2. Re:EULA changes? by Shelled · · Score: 5, Interesting

      It never occurred to me until reading the last sentence of your post, doesn't this in essence give Microsoft (and others) the power to create law? By standing behind EULAs it could be argued that governments give corporations a blank cheque to create legislation. "Put it in your EULA and we'll enforce it." (My EULA: IANAL)

    3. Re:EULA changes? by interiot · · Score: 5, Interesting

      Yes, that's definitely a desired attribute of contract law. Since laws that are on the books won't ever be able to cover everything or be able to keep up with the variety of private interactions that can occur that would need legal coverage, private parties can both agree to specific terms that go beyond what's explicitly on the books. There is a limit to how extreme contracts can get (e.g. you can't say that if you don't hold up your end of the agreement, the other person gets to kill you), but there's a wide area there for "creating law".

    4. Re:EULA changes? by alienw · · Score: 5, Interesting

      The reason modchips don't fall under the DMCA is because they don't bypass access controls. The DMCA defines protection devices as something that "effectively controls access to a work". Since you can't access data on a game CD any better with a modchip, it doesn't bypass anything. IANAL, though, so I might be wrong.

    5. Re:EULA changes? by dattaway · · Score: 5, Interesting

      If I remember right, Mr. Gates himself related the story of reverse engineering MSDOS by dumpster diving for source code. There was also the incident of disk compression technology that was lifted from another company. To say that common people cannot raise the hood of their own car to see how it works or put in a new engine might be called hypocritical.

    6. Re:EULA changes? by Jeremiah+Cornelius · · Score: 5, Informative
      AMD didn't reverse engineer Intel's CPUs. They used to work together on processors
      Well, I wouldn't say "work together"... :-P

      AMD had some fantastic processes for -- at the time -- incredibly fine micron CMOS fabrication. Intel had dink to show in the fab department. In order to build a 386 faster than 16 MHz, that wouldn't require raised-floor equipment to keep cool, they needed a license on AMD's fabrication technology.

      AMD exchanged this license for a license on 286 and future technologies. What these future technologies comprised was the grounds for the Intel/AMD legal battles of the '90s. The courts agreed this was inclusive of the i386 microcode, and the rest... is history.

      --
      "Flyin' in just a sweet place,
      Never been known to fail..."
    7. Re:EULA changes? by mbogosian · · Score: 5, Insightful

      Sorry but reverse engineering is pretty well established....

      Hear, hear! (Of course it's not legal anymore, but that's splitting hairs....)

      Whatever happened to legitimate forms of deterrence? If I crack open my TiVo, I void the warranty. I can dick around all I want, but if I screw something up, I have to pay to have it fixed. This is enough to deter most of the technology-ignorant public from screwing with their hardware, and it's a method which has been around for years. Has everyone forgotten about this?

    8. Re:EULA changes? by Galvatron · · Score: 5, Insightful

      I think the reason Shelled is trying to draw a distinction is that arguably, EULAs are not contracts. There is no meeting between the two parties, no chance for negotiation, no signature, the EULA is perpetual, and a price is paid for a physical good (making it look very much like a sale, covered by first sale doctrine rather than contract law). Of course, IANAL, but from the articles that get on Slashdot every now and again, it sounds like the courts haven't quite settled on an answer as to whether EULAs are legitimate contracts or not.

      --
      "The question of whether a computer can think is no more interesting than that of whether a submarine can swim" -EWD
    9. Re:EULA changes? by DragonMagic · · Score: 5, Insightful

      Problems I find with your argument:

      1) You assume a person reads an EULA. Even though a contract can still hold up if you don't read it, you're still required to sign it. If you never read an EULA or agree to it through a click, then how are you agreeing to it? Simply because they say "By using this product, you agree to our terms"?

      2) Another problem with EULAs are many of the corporate ones are too one-sided. They're not responsible for anything, but you're fully responsible to follow all their rules. Some even say you can't even talk about the product or take pictures of it or anything without permission, but that they can use your information for their company's marketing research without your permission to do so. (that is, they can use it to market you magazines whether or not you asked for them)

      3) You don't need to be 18 to buy many EULA products, and to have a contract valid, either a person 18 or older must agree to it, or the parent or guardian of that under-18 person must agree to have that person agree. When a 17 year old purchases an Xbox and takes it home, goes through the licensing agreements on his own, then starts playing, how can Microsoft say the EULA can still affect him?

      4) There are many people who play video games who cannot read, or cannot read English. So EULAs written in English are still valid even though the other party cannot understand them? I do believe that contracts have to be signed by parties that understand them, and if it's in another language, the translator must sign off on them. I could be wrong, of course.

      But again, EULAs are hardly contracts in the sense of contracts, but more of agreements that you won't do bad things to the company issuing the product. I can't wait until EULAs are struck down and normal copyright laws apply to the products (or patents to hardware).

      --

      Human nature is the same everywhere; the modes only are different. -- Earl of Chesterfield
    10. Re:EULA changes? by starling · · Score: 5, Informative

      That was the BASIC, which was based on a listing of Dartmouth BASIC which they found in the trash. All MS did was port it to a different processor. They bought MSDOS from another company.

      That's right, MS's original flagship products weren't written by MS. They started as they meant to continue.

  2. If you secure it, they will come... by LowAmmoWarning · · Score: 5, Funny

    and crack it.

    --
    We could all benefit from my education.
  3. This actually _is_ funny. by TrueKonrads · · Score: 5, Informative

    It brings me to the following thought: you can't protect anything that the user has physical access to. The same situation is observable amongst CD 'copy (mis)protection'. Smart lads crack it in a one-week session. Maybe people should stop wasting money on copy protections and focus instead on the actual product?

    --
    Lone Gunmen crew.
    1. Re:This actually _is_ funny. by lars_stefan_axelsson · · Score: 5, Interesting
      I think that the designers of the IBM 4758 [ibm.com] cryptographic coprocessors might disagree. The IBM4732 is supposed to be tamper proof [rutgers.edu].

      And yet, an application on the IBM4732 was hacked a little under a year ago. Granted it wasn't the processor as such, but a very important application that is delivered with the processor. Getting the whole system right is hard.

      If you want more material on why tamper proofing is difficult, Ross Anderson's team at Cambridge is a good resource. (And they have performed a number of nice hacks: Markus Kuhn's optical eavesdropping, for example.)

      --
      Stefan Axelsson
    2. Re:This actually _is_ funny. by Henry+V+.009 · · Score: 5, Interesting

      It is not tamper proof. The vulnerability is the environment sensors, which can be neutralized. The worst design flaw is that the IBM4732 doesn't have a block of thermite sitting on top that destroys the hardware in case of tampering. That wouldn't be fool-proof, but would mean that your lab would destroy a number of them in the initial 'figuring out how it works' stage. (Even better than thermite is a larger bomb that kills your scientists along with destroying the device. But scientists are replaceable, so all you are really doing is raising costs.) Without the thermite, your lab only needs to procure one extra, take it apart, find all the tamper sensors and figure out a method to neutralize them. After that, you can take apart all the ICs with impunity. And really at this point your work is done. You duplicate the RAM contents, figure out the private keys (they have to be stored somewhere), and you have all the information. Very expensive process, but doable.

      A very interesting historical parallel is the British bomb defusers, who worked on defusing failed German bombs. At first it was dangerous, but still relatively easy. Afterwards the Germans started figuring out ways to booby-trap the bombs just in case they didn't go off right away. This was defeated. And finally they engineered bombs specifically to kill bomb defusal teams. Even this was defeated. A very interesting history that includes many of the greatest acts of bravery during the war.

    3. Re:This actually _is_ funny. by Bishop · · Score: 5, Insightful

      Very expensive process, but doable.

      Cost is always part of the doability [sic]. When designing a secure system, part of the equation is how hard it would be to crack the system. It is possible to brute force RSA, but that does not make RSA any less secure. The same concept applies here. If it would cost more to crack the system than it would to buy an insider, then the system is, for most purposes, secure.

  4. This new xbox not really done for 'security' by falzbro · · Score: 5, Interesting

    It seems that everyone is considering this new Xbox revision to be a security upgrade, which it really doesn't seem to be. A few things on the PCB have changed, such as the USB header now being integrated on the main mobo, and a few other things.

    It seems to me (and others) that MS did a slight revision to cut costs. While they were at it, they did a few (very minor) changes to the BIOS to deter hackers. It's kind of gotten out of hand how people are calling this the 'new version that MS created just to not be hackable'.

    --falz

    1. Re:This new xbox not really done for 'security' by Troed · · Score: 5, Informative
      Oh, so you mean the totally new chain of trust, hashing and public key crypto they put in between the MCPX and the BIOS wasn't a security upgrade?

      Here's a thread you need to study.

  5. Betcha Nvidia's Pissed by Jason+Earl · · Score: 5, Interesting

    Didn't Nvidia have to write off a bunch of hardware that became obsolete when Microsoft changed the XBox?

  6. The Xbox is Microsoft's test of Palladium by jjh37997 · · Score: 5, Funny

    Don't you get it? The Xbox is Microsoft's test case for Palladium. They try their best to secure the Xbox and wait for the hackers to bust it. They keep on doing this until they find a way to lock it down to the point where nobody can hack it. Then they roll out Palladium with all the safeguards in place and hacker tested. You Xbox hackers are just a tool of Microsoft!

    1. Re:The Xbox is Microsoft's test of Palladium by Anonymous Coward · · Score: 5, Funny

      Ah - Microsoft's agents are modding the parent funny.

    2. Re:The Xbox is Microsoft's test of Palladium by cschieke · · Score: 5, Informative

      While there is actually some logic to that position, there is some history that shows this is a bad approach for MS to take. Way back when, in 1997, Ian Goldberg presented a talk on (among other things) how in Europe incremental changes to the security of GSM networks led to a whole "generation" of well trained hackers. I don't think MS is really looking to do that for the community.

  7. Some Background by warmcat · · Score: 5, Informative

    Disclaimer: I am numbnut.

    The 1.1 version of the Xbox is certainly designed to be Palladium Lite. The concept is that no code is executed unless it matches a one way hash signature. The only exception is the boot ROM (512 bytes) which lives in the nVidia-designed MCPX chip; this is used to validate the next code to execute, which validates the next code to execute and so on.

    Unfortunately for MS (and perhaps nVidia), they chose a hashing algorithm which already had a known flaw. The hash, which works on QWORDS (64-bit quantities) is completely insensitive to b31 and b63 of a QWORD both being inverted.

    Doubly unfortunately for MS, the VERY FIRST DWORD of the hashed region is the entry point, and contains a long relative jump. The effect of flipping b31 and b63 on this QWORD is to retarget the jump to RAM.

    Triply unfortunately for MS, they have a small interpreter built into their ROM code, whose instruction set is capable of I/O and memory r/w before the bootrom is validated and executed. It was trivial to add some memory writes to the interpreted code stream to prep the memory targeted by the modified jump with a jump back into the flash.

    The end result is perversion of the hashed region in a way invisible to the hashing algorithm, and execution flow jumping to arbitrary code in the flash.

    I urge anyone interested in both the technical detail and the larger issues raised by this to read the threads on http://www.xboxhacker.net as this is a much larger issue than simply another Xbox crack.
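    The hash weakness described in the post above, as an added illustration that is neither the Xbox Linux Team's code nor the Xbox's actual hash: a constructed QWORD hash that folds each 64-bit word as lo ^ hi shows why inverting bits 31 and 63 together is invisible to such a digest, while a collision-resistant hash (SHA-256 here) flags the change; the jump decoding assumes an x86 `E9 rel32` at the entry point and uses made-up addresses rather than the Xbox memory map.

    ```python
    import hashlib
    import struct

    # Constructed stand-in for a QWORD-oriented hash (not the Xbox's real
    # algorithm): each 64-bit word is folded as lo ^ hi before mixing, so
    # inverting bit 31 (MSB of lo) together with bit 63 (MSB of hi) cancels
    # out and the digest never changes.
    def weak_qword_hash(data: bytes) -> int:
        assert len(data) % 8 == 0, "hash works on whole QWORDs"
        h = 0x9E3779B9
        for lo, hi in struct.iter_unpack("<II", data):
            h = ((h << 5) | (h >> 27)) & 0xFFFFFFFF   # rotate-left by 5
            h ^= lo ^ hi
        return h

    def strong_hash(data: bytes) -> bytes:
        """What a verified boot stage should use: a collision-resistant hash."""
        return hashlib.sha256(data).digest()

    def flip_b31_b63(data: bytes, qword_index: int = 0) -> bytes:
        """Copy of data with bits 31 and 63 of one QWORD inverted."""
        buf = bytearray(data)
        off = qword_index * 8
        q = struct.unpack_from("<Q", buf, off)[0] ^ ((1 << 31) | (1 << 63))
        struct.pack_into("<Q", buf, off, q)
        return bytes(buf)

    def jmp_rel32_target(code: bytes, base: int) -> int:
        """Decode an x86 'E9 rel32' at offset 0 and return its 32-bit target."""
        assert code[0] == 0xE9, "expected a long relative jump"
        rel = struct.unpack_from("<i", code, 1)[0]
        return (base + 5 + rel) & 0xFFFFFFFF

    # Constructed hashed region: a jmp to base+0x15 followed by NOP padding.
    # The base address is made up for the illustration.
    FLASH_BASE = 0xFFFFFE00
    REGION = bytes([0xE9, 0x10, 0x00, 0x00, 0x00, 0x90, 0x90, 0x90]) + b"\x90" * 8

    def compare() -> dict:
        """Flip b31/b63 of the entry-point QWORD and see what each check notices."""
        patched = flip_b31_b63(REGION)
        return {
            "weak_collides": weak_qword_hash(REGION) == weak_qword_hash(patched),
            "strong_detects": strong_hash(REGION) != strong_hash(patched),
            "target_before": jmp_rel32_target(REGION, FLASH_BASE),
            "target_after": jmp_rel32_target(patched, FLASH_BASE),
        }

    if __name__ == "__main__":
        r = compare()
        print(f"weak hash collides: {r['weak_collides']}, SHA-256 detects: {r['strong_detects']}")
        print(f"jump target {r['target_before']:#010x} -> {r['target_after']:#010x}")
    ```

    Bit 31 of the first QWORD lands inside the rel32 displacement, so the flipped word keeps the same weak digest while the jump now wraps to a low address that the weak check would happily accept.
    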

    1. Re:Some Background by Ektanoor · · Score: 5, Interesting

      This reminds me of one program supposedly protected by a well known hardware key. The thing was roughly this:

      IF (there is key on parallel port) AND (The key is working) {FORGET THE ... KEY AND RUN PROGRAM}

      A few NOPs and some correction on the jump point and the program was running without the key. For an Assembler old timer, it took nearly 15 seconds to Veni Vidi Vici (Julius Caesar's phrase - I came, I saw and I won).

      Considering that these hacks are slightly similar and that the hack I described is more than ten years old, then one can take an estimation on the level of security in XBox...

  8. Re:If they cant secure an Xbox. by vinyl1 · · Score: 5, Funny

    Actually, the paddalium is what Bill Gates will shortly be applying to the bottoms of these naughty hackers.

  9. Reverse engineering NOT a given by m11533 · · Score: 5, Informative

    I would recommend you read up on the legal issue of reverse engineering because it is under attack and it is not at all obvious that it will survive. I believe the latest issue of ACM Communications has an excellent article on the topic. Recent US Government laws are very disconcerting.

  10. Re:Question for you. by handsomepete · · Score: 5, Interesting

    Please show me the $199 PC that has a DVD drive, onboard NIC, decent video and sound that I can run into my TV and, while on, is pretty much noiseless that also plays Xbox games. Provide links, if possible, and I'll go buy one instead of the Xbox I was planning on buying (refurb on sale for $159.99 at Electronics Boutique!) today. If you could, please hurry as the sale ends this weekend.

    I'm not being entirely sarcastic (if there really is a place that sells comparable $200 PCs, I would buy one), but I am tired of this whole "you can get PCs for the price of an Xbox" argument. My motherboard cost almost that much by itself. My video card cost more than that. Just because I can get a crappy Microtel or whatever at Wal-Mart for $200 bucks doesn't mean it's just as good.

    Anyways, all of this hacking stuff is over my head, but I would assume that the challenge is kind of interesting and being part of the group that is a watchdog to the predecessor to Palladium must be at least part of the intrigue. But what do I know. *shrug*

  11. What contract did I sign? by Inoshiro · · Score: 5, Insightful

    I don't recall the EB guys hounding me to sign some sort of contract when I bought my Xbox. In fact, I don't recall any sort of contract in the box with it that I signed.

    The closest thing I could find was the ABOUT XBOX in the dashboard, which talks about how the software on the Xbox is protected by copyright law. Since I have no intention of pirating the Xbox dashboard, I think I'm legal.

    Plus, once I own something, it's mine. As I've said before, I could rip off the top of my Xbox, put all my night soil in there, and grow flowers from the rich loam. Microsoft can't say anything to me about the use of it, because I own it.

    --
    --
    Internet Explorer (n): Another bug -- that is, a feature that can't be turned off -- in Windows.
  12. Some damn idea by Ektanoor · · Score: 5, Interesting

    I know this is a little bit unscientific, and rather illusory but...

    Xbox is small, nifty and costs only $200. It possesses a 3D chip, a not so bad 733MHz processor, ethernet connection and a hard drive. Frankly it is not so bad for a cheap cluster... Sincerely, I have seen a few clusters for which the cluster units were a little worse than Xbox...

    Maybe the chance for M$ to reach the Top 500? Imagine, a horde of penguins helping Redmond to reach the heights of the computer industry...

    1. Re:Some damn idea by MyHair · · Score: 5, Funny

      Um, did he just say "imagine a beowulf cluster of these" (albeit with different wording) and get modded to +4 interesting?

  13. Re:We need to bring back Guilds.. by Windcatcher · · Score: 5, Interesting

    The fact that we're being called "consumers" instead of "customers" sadly illustrates the cynical attitude of many corporate types. "Shut up and buy our stuff, you nose-picking, beer-guzzling sheep!"

    To paraphrase someone else, most people, according to them, "are a bunch of pathetic hamsters who only know to press the pellet bar and chitter excitedly to one another about the size of the pellet they received."

    I'm a customer, Mr. Gates, and as far as I'm concerned, entropy will claim the universe before I pay one red cent for another of your products.

  14. Re:You should be ashamed of yourselves. by JungleBoy · · Score: 5, Funny

    No. I think he means these

    --
    "You never know when some crazed rodent with cold feet might be running loose in your pants."
    -Calvin