Slashdot Mirror

← Back to Stories (view on slashdot.org)

Behind the Xbox Boot Code

Posted by Zonk on from the bowels-of-the-machine dept.

NiteStar writes "The Xbox-Linux team has up a new article about The Hidden Boot Code of the Xbox. The Xbox console contains a 'chain of trust' to allow only legit Microsoft signed code to run on the Xbox. The hidden 'MCP' boot ROM (just 512bytes) is the link between hardware and software in this chain of trust." From the wiki article: "The Xbox, having an external (reprogrammable) 1 MB Flash ROM chip (models since 2003 have only 256 KB), would normally start running code there as well, since this megabyte is also mapped into the uppermost area of the address space. But this would make it too easy for someone who wants to either replace the ROM image with a self-written one or patch it to break the chain of trust ("modchips"). The ROM image could be fully accessed, it would be easy to reverse-engineer the code; encryption and obfuscation would only slow down the hacking process a bit."

52 comments

  1. Excellent read... by Scorpion_1169 · · Score: 1, Insightful

    best tech. description of the XBOX startup process I have ever seen.

  2. v-chip by Dreamwalkerofyore · · Score: 0

    The code will also include an automatic call to the local SWAT team if any pirate-related activity is detected.

    --
    I am a viral sig. Please copy me and help me spread. Thank you.
  3. remember slashdot, that site that got taken down? by Khyron · · Score: 0, Flamebait

    OH NOES! This article contains a description of how one might circumvent a copyright protection mechanism. WHOOP WHOOP WHOOP! DANGER WILL ROBINSON! DANGER!

    It's funny, I've seen patently illegal topics discussed on Slashdot before but I'm not sure I've seen federal law violated within an article's content. Even the times I've seen DeCSS implementations posted (like the famous one in PERL) it was in comments.

    This really raises the bar in audacity. :)

  4. A guess by interiot · · Score: 4, Insightful
    Three bugs within these 512 bytes compromised the security completely - a bunch of hackers found them within days after first looking at the code. Why hasn't been Microsoft Corp. been able to do the same? Why?
    I can make a guess. I've worked near a similar security feature implemented in hardware, and they wouldn't let anyone ANYWHERE near any documentation that described how it actually worked. My impression was that no matter how much you know about security, the less the employees know about the implementation, the better, to minimize the possibility for internal leaks. I'm sure they got the minimum 4 people together to inspect the code, per our coding standards, but how experienced were those four?

    In Microsoft's case, their 512 bytes are incredibly high-profile. And based on the extensive nature of the hacks, they had to find a couple of VERY experienced security people to inspect their code, and who they trusted 100% to not disclose inside information. My bet is they didn't choose the right people to inspect their code, and after the inspection, any other employees who showed an interest in making sure the code was secure were treated more with suspicion than anything.

    1. Re:A guess by whathappenedtomonday · · Score: 1
      My bet is they didn't choose the right people

      FTFA: After they had learnt their lesson, they designed a pretty good system with the second version of the MCPX - but the implementation still contained at least three security holes

      so, my bet is they just aren't clever enough.

      --
      I hope I didn't brain my damage.
    2. Re:A guess by interiot · · Score: 4, Insightful
      FTFA: After they had learnt their lesson, they designed a pretty good system with the second version of the MCPX - but the implementation still contained at least three security holes

      so, my bet is they just aren't clever enough.

      *shrug* Not necessarily.

      The first shuttle accident was caused by... institutional problems. The engineering issues had already been discovered and discussed, but there were institutional issues that prevented the engineering discoveries to be fully investigated.

      The second shuttle accident was caused by... institutional problems again. Again, the engineering issues had already been discovered and explored as much as the engineers could. Certainly NASA tried to fix their issues the first time, but apparently institutional issues aren't as easy to fix as engineering problems are.

      My bet is that there WERE at least 4 people at Microsoft who were clever enough, they just weren't involved in the code inspections. Even if those four people knew that it was absolutely critical that they be involved in the inspections, they were specifically not permitted to look at the code, because four other people had already inspected the code, and involving more people (especially people who are "eager" to "help") would simply increase the chance of internal leaks. And that's not an engineering problem.

      (on a personal note, at the company I work at, there have been several cases of problems being solved that have well-known solutions, but management puts inexperienced people in charge of the project, and then surround them with many more inexperienced people, ensuring that they never come in contact with someone who can steer them in the right direction. If management doesn't have a process in place to put people with the right knowledge on the problems that really require their expertise (even in an advisory role), then the organization isn't going to perform as well as it otherwise could. (this relates more to the XBox problem... the Shuttle problem is obviously more complex))

    3. Re:A guess by Monkelectric · · Score: 4, Interesting
      Yep. Let me describe the situation at a place I work, posting anonymously because there are only 4 or 5 companies in this industry. We make devices used in the semi-conductor manufacturing industry ... so when theres a problem, it ruins very expensive batches of chips.

      Me: "The software that validates that units are configured correctly is 8000 lines of unauditable if statements. There is no definition of the policy it implements. This madness is going to cause an accident. We must rewrite the software and have lots of very boring meetings."
      Management: "Hmmm...interesting...continue patching the software as issues come up."
      Legal Department, "We're being sued because a configuration error ruined a batch of very expensive chemicals."
      Me: "We must rewrite the software."
      Legal: "We must rewrite the software."
      Management: "hmm...interesting...continue patching the software as issues come up."

      --

      Religion is a gateway psychosis. -- Dave Foley

    4. Re:A guess by Anonymous Coward · · Score: 1, Funny

      Pssst. Check the anonymous box if you want to stay anonymous.

    5. Re:A guess by cornface · · Score: 3, Funny

      Management: Hey, stop posting our dirty laundry to slashdot!
      Monkelectric from monkelectric.com: Don't worry, I posted anonymously.
      Management: We trust you to write software?
      Legal Department: AIIIIIIEEEEEE!
      Management: AIIIIIEEEEEE!
      Monkelectric from monkelectric.com: ...

    6. Re:A guess by brkello · · Score: 5, Funny

      Soo, ummm....I take it there is a position in monk electric that will be opening soon. Should I send my resume?

      --
      Support a great indie game: http://www.abaddon360.com
    7. Re:A guess by Anonymous Coward · · Score: 0

      Hmmm. Good to know you're no longer unemployed due to the Bush recession. Hopefully this won't change that...

    8. Re:A guess by LadyLucky · · Score: 1

      Not likely. Go to the website.

      --
      dominionrd.blogspot.com - Restaurants on
  5. MCP, eh? by Anonymous Coward · · Score: 0

    Does this mean I have to start at my X-Box?

  6. Re:remember slashdot, that site that got taken dow by Anonymous Coward · · Score: 0

    My god, man! You've been here more or less since the beginning and have only posted 41 times? And one of those is something as absurdly moronic as the one above?

  7. Be sure to RTFA...... by HotNeedleOfInquiry · · Score: 2, Insightful

    A brilliant, brilliant piece of stand-up hacking. Perhaps the best that has *ever* appeared in /. I stand in awe...

    --
    "Eve of Destruction", it's not just for old hippies anymore...
    1. Re:Be sure to RTFA...... by HotNeedleOfInquiry · · Score: 1

      And I predict a plethera of clinched sphincters at Microsoft. A perversely amusing mental image.

      --
      "Eve of Destruction", it's not just for old hippies anymore...
    2. Re:Be sure to RTFA...... by rossifer · · Score: 2, Funny

      El Guapo: Would you say I have a plethora of piñatas?
      -long, confused pause-
      Jefe: Yes, El Guapo. You have a plethora.
      El Guapo: Jefe, what is a plethora?
      Jefe: Why El Guapo?
      El Guapo: Well, I would just like to know if you know what a plethora is because you believe I have a plethora
      Jefe: Sorry El Guapo, I, Jefe, do not have your superior intellect or education. Could it be you are angry about something and are looking to take it out on me?
      El Guapo: Like what Jefe?
      Jefe: Maybe it's because you are turning 40 today?

      *sigh* Good times :)

  8. They had some by pnice · · Score: 1

    chink in their chain (of trust)

    --
    My Xbox Live Gamer Card
    1. Re:They had some by CDLewis · · Score: 4, Funny
      chink in their chain (of trust)

      Andrew "Bunnie" Huang, specifically.

    2. Re:They had some by mix_MasterMix · · Score: 1

      Should have called it the "circle of trust"

      --
      http://www.animatednoise.com/ | Free Games
    3. Re:They had some by Krusty+Da+Klown · · Score: 1

      Sad that a joke like this got posted, let alone modded up.

  9. Summary by acaspis · · Score: 5, Informative

    • Due to technical constraints, the Xbox designers had to implement a secure virtual machine in 175 bytes of x86 code, and failed (there are at least two execution paths leading out of the sandbox). But congratulations for trying.

    • They also used a non-cryptographically-secure hash function for authentication (or maybe they didn't have enough space left).

    Nice attempt at a TCPA-like architecture, though. And cheers to the xbox-linux guys for their amazing achievements and enlightening write-up.

    1. Re:Summary by kill-1 · · Score: 1
      They also used a non-cryptographically-secure hash function for authentication (or maybe they didn't have enough space left).

      Even worse:

      • In ther first implementation they didn't even bother to produce a hash over the complete ROM.
      • They made wrong assumptions about the i386 architecture and apparently never tested that case.
  10. How they did it.. by OmgTEHMATRICKS · · Score: 2, Funny

    All they did was digitize themselves into the XBox and destroy the MCP with a Data Disc.

  11. Absolutely stunning... by Anonymous Coward · · Score: 0

    ....write up. Two years ago.
    Y'know, when the first Xbox modchips were coming out and the code had already been hacked. What next? "Sony Playstation able to run unofficial code via use of incredibly complex 'swap trick'! Exclusive!"

  12. OT: Shuttle Failures by cant_get_a_good_nick · · Score: 4, Informative

    Richard Feynman was one of the people who investigated the first shuttle disaster, and as a pain in the ass cantankerous old coot, really didn't care about standard Washington procedures and really got to the core of the matter. He cronicles a lot of it in What Do You Care What Other People Think?, ISBN: 0393320928 (get it from wherever, no Amazon kickbacks here). A very interesting read, I ended up reading it right after the second shuttle disaster, and thought that a lot of the human problems that caused the first blow up could be fingered in the second.

    If you haven't read Feynman before, you'll probably like him. Funny guy, pretty damn smart, and managed with luck, brains, skill and stubbornness to get in the middle of some of the biggest science in the last century.

    1. Re:OT: Shuttle Failures by TheMysteriousFuture · · Score: 1

      It really pisses me off when people complain about referral links.

      As long as you aren't spamming, and I'm interested enough in the book to click the link, why the HELL shouldn't you get a kickback if I purchase the book?

      It doesn't make the book any more expensive for me, and it gives less money to the MAN, so go for it! kthxbye

      --
      .sig
    2. Re:OT: Shuttle Failures by Grym · · Score: 1

      I see your point, and yet, I still don't like referral links or the related Slashdot/Roland debacle.

      Why? Because it makes me question the intentions of the poster. And that makes me question the integrity of his statements. Is he truly being informative--or just trying to make a book description fit the topic at hand (even if only remotely related) in order to make some money?

      I take advertising with a grain of salt. Having watched more than a few infomercials in my lifetime, I've come to regard the vast majority of advertisers as shysters. Fake interview programs, false investment opportunities, "donation" telemarketing calls, and so on have left me bitter. I have no reason to doubt that misleading internet posts are not below them.

      -Grym

    3. Re:OT: Shuttle Failures by Anonymous Coward · · Score: 0

      I really hope you don't buy into that whole "church" thing too then.

    4. Re:OT: Shuttle Failures by bailey34 · · Score: 1

      I see your point, but check out the book(s)! They're excellent...

  13. Re:remember slashdot, that site that got taken dow by thegrassyknowl · · Score: 3, Insightful

    His point is absurd, but it is a point. As much as we all value freedom of speech, there have been cases here when ISPs and Children (yes, children) have lost in court cases becase a web page belonging to said children contains links to pages (belonging to someone else) that linked to a few copyrighted MP3s.

    The GACs (Greedy-Ass Cu..s) are making legitimite technology harder to develop, deploy and use; write a program that can easily share files and someone will load his entire CD collection into it for all to download... then the GACs will come along and take you to court for "developing software with the specific intent to violate copyright" or somesuch.

    The world is in a sad state of affairs when it comes to matters like this. The (in the US and all countries that entered into free trade agreements with it) DMCA makes it illegal to circumvent any form of encryption, copy protection, etc.

    Slashdot linking to an article that clearly describes the flaws in a copy protection implementation and how to get around it is becoming shaky ground. Gone are the days of free information... the GACs that run the world are making sure of that.

    Be afraid, be very afraid.

    --
    I drink to make other people interesting!
  14. Testing PC overflow by Eric604 · · Score: 1
    fta:
    Execution just happily continues at 0000_0000 - in RAM! Apparently the i386 CPU family throws no exception in this case, Microsoft's engineers only assumed it or misread the documentation and never tested it.

    The article says that they assumed or misread the documentation . This is so easy to test I find it hard to believe they wouldn't knew about this. I think they knew it and just accepted it. Too bad the article doesn't mention what code there is at address 0000, if there's an halt or illegal instruction then they knew it.

    1. Re:Testing PC overflow by Anonymous Coward · · Score: 0

      Too bad the article doesn't mention what code there is at address 0000, if there's an halt or illegal instruction then they knew it.

      At address 0 was just the uninitialized RAM. So it would run whatever code was there before, or alternatively you could feed values into the hardware initialization routine (which didn't checksum its data) and it would initialize the RAM with those values - in this way you could load your own code into memory and have it run.

    2. Re:Testing PC overflow by Eric604 · · Score: 1

      Ah yes it appears so. If address 0 would be initilized with a halt instruction, it would ofcourse be done just before the program counter wraps around.

    3. Re:Testing PC overflow by Anonymous Coward · · Score: 0

      Ah yes it appears so. If address 0 would be initilized with a halt instruction, it would ofcourse be done just before the program counter wraps around.

      Yep, that's what Microsoft should have done if they were smart. But they didn't.

  15. N64 had something similar by Anonymous Coward · · Score: 0

    The Nintendo 64 had something similar. There was a 4K boot ROM hidden in the periperal I/O chip. It would checksum the boot code in the cartridge and compare it with a few bytes from the lockout chip. If it matched then it would run it. Like the Xbox, the N64 would disable its boot rom after boot, so you couldn't just run a program to read the data.

    However Nintendo didn't use a cryptographically-strong signature so it got hacked pretty easily.

  16. A history by rocketman768 · · Score: 2, Insightful

    Despite some of the smart-aleck replies, this wiki article is a very good history of how the xbox was hacked. I remember when Bunnie was keeping us up-to-date on a day to day basis back in the heyday of xboxhacker.net. When he pulled the bios off the board and posted it on his website, he immediately got a phone call from Macroshaft which he recorded and put on his site. Funny stuff.

    But, the whole point of the article is to prove that you can never lock anything completely down, from cd's to xboxen--they have to be used somehow don't they? And hey, DMCA, you're a menace to the greatest minds of the US (and no, not the minds at Macroshaft).

    1. Re:A history by Anonymous Coward · · Score: 0

      Dude, where you used "Macroshaft" instead of Microsoft--that's like, funny. You, my main man, are the smartest motherfucker in the world.

    2. Re:A history by Anonymous Coward · · Score: 0

      god i wish i had a Macroshaft. it'd be hyoooge!

    3. Re:A history by TopherC · · Score: 1

      The only thing that bothered me about the wiki is the line: "There are two more approaches for attacks that we do not want to disclose yet, as Microsoft may still offer updated Xboxes in the future."

      How well does this represent our culture of openness? Is this consistent with how we want others to disclose security flaws? Obviously the authors have pegged themselves here as not pro-freedom, but simply anti-Microsoft.

      The text is well-written, but the tone of it all is: "Haha, see how much more clever we are than this evil Microsoft dude!"

      Well, while I'm a little bothered by the smugness of the article, I'll admit that there is no reason Microsoft should have tried to secure the xbox in the first place. I honestly wonder why they did?

      Is it possible that the obvious security flaws are there intentionally? Certainly the hackability of the Xbox has done nothing but improve sales by opening up more uses of it, such as running Linux on it! There's the GTA debacle, but that's not the fault of a hackable xbox. I guess there's also the issue of game cheats, which is a legitimate concern. But probably the security measures in the xbox were just enough (looked good on paper) for M$ to get game developers on board with them.

      I liked the article because I didn't know much about security on a hardware level but I knew just enough about computer architecture to follow it. A worthwhile read even if the tone of it was annoying.

    4. Re:A history by 10101001+10101001 · · Score: 1

      How well does this represent our culture of openness? Is this consistent with how we want others to disclose security flaws? Obviously the authors have pegged themselves here as not pro-freedom, but simply anti-Microsoft.

      I'd say that the XBox is by design anti-freedom. The "security flaws" as you put it are for a security system put in place so that the owner cannot do with their property what they wish. An analogy would be like not pointing out to a dictatorship the various ways their fortress is flawed, such that one can use it later to attack said dictatorship and "free" the country/system. The truth is, I assume that the author isn't interested in helping to make it harder for hisself/herself to write code for their platform of choice; and their decision for platform of choice is of course for the challenge, but not to make it impossible.

      --
      Eurohacker European paranoia, gun rights, and h
  17. This is bad news... by Lemental · · Score: 0

    Just when Bungie managed to kick the majority of the cheaters off Halo 2, this comes around and makes it almost impossible to catch them using a modded Xbox.

    I give it about a month before the modders ruin it for everyone again.

    1. Re:This is bad news... by KillShill · · Score: 2, Insightful

      you mean before CHEATERS ruin it for everyone again.

      having control over your hardware is not a crime and not immoral in any way. but the future is going to be a real nightmare. education is the answer... tell everyone you know about the evils of TCPA/DRM/Insidiuous Computing/region codes/etc and all the other bullshit that they've been foisting on us.

      education is the answer!

      --
      Science : Proprietary , Knowledge : Open Source
    2. Re:This is bad news... by Lemental · · Score: 2, Interesting

      Sorry, I didnt clarify in my post. In the Halo 2 community, a slang word for Cheater, is Modder. Someone who is modifying their console in a way to give them an advantage in the game. I dont mind modifying your Xbox to make it a cheap PC, put in a big HD to store your legally purchased games, or, a media center. I just dont like people who use it for chating a service you pay for. The next iteration of Halo will have built-in modding, I assume. Already Pariah, and a few others have map building software on this generation.

      I just like to lose fairly, the way the game was designed to play without having to resort to modding my Xbox to get that edge. Its a moral question that has been debated before, and, will probably be debated into oblivion. I dont want to get into it now.

    3. Re:This is bad news... by Anonymous Coward · · Score: 1, Funny

      I just like to lose fairly, the way the game was designed to play without having to resort to modding my Xbox to get that edge.

      You need to mod your Xbox to get an edge just to lose fairly? Jeez, you REALLY suck at Halo.

  18. Did I miss that part? by Corngood · · Score: 1

    What does this have to do with Live? Isn't everything in the article stuff that has been in use for ages?

    1. Re:Did I miss that part? by Lemental · · Score: 1

      Well, After reading about it. This would give mod chip makers the ammunition they need to make an undetectable mod chip. Cheaters would be able to modify in game files and gain unfair advantages on Live with the downloaded maps.

      I dont care about people modding Xbox, just the cheates on live who will use this information to ruin a game I enjoy playing. It happened to AA early in its career, a game I enjoyed playing, and, after the cheating became widespread, I hated. Hope that clears things up.

    2. Re:Did I miss that part? by Spy+Hunter · · Score: 1
      What are you talking about? This is ancient stuff. This is how the modchips have already been working for years! And none of it is helpful in making "undetectable" modchips, only in making modchips work in the first place. Making mods undetectable is a whole different problem. The hackers will never be able to create a mod for any game or system that is completely undetectable to an online service; at best they can keep working around the online service's fixes. OTOH the online service can never completely eliminate cheating, but they can make it arbitrarily hard by doing more research into cheating methods and coming out with fixes faster.

      So if you want to blame anyone for cheating in your game, you should really look to the game company which is probably spending very little on combating online cheating, especially when you consider the full budget for creating the game. Blaming the cheaters and hackers might sound nice but it won't get you anywhere; your complaints aren't going to stop people from hacking and you're not going to stop lamers from using the hacks to cheat. The only real fix to online cheating is constant vigilance by the online service and a commitment to regular anti-cheat updates.

      --
      main(c,r){for(r=32;r;) printf(++c>31?c=!r--,"\n":c<r?" ":~c&r?" `":" #");}
  19. Also... by Corngood · · Score: 1

    Modified data files are only a vulnerability if the game doesn't attempt to verify them. When running on live, the executable code is still verified, so the chain of trust is in place. Extending that chain of trust beyond the executable is the developer's responsibility, and really not that difficult.

  20. and a killer by Anonymous Coward · · Score: 0

    read the book about how he blew up a guys engine and killed someone

  21. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion