Xbox 360 Kiosk Demo Spurs Hackers
An anonymous reader writes "Those hackers from team PI have released the Xbox 360 experience kiosk demo disc as an ISO. They say this demo contains no media protection and therefore it will run on the Xbox 360 when burned to a DVD-R disc. The disc contains playable demos on the disk such as Call of Duty 2, which could also be hackable, as PI speculates."
But -
Won't we have demo disks released soon enough? I doubt OXM, among other publications, will pass up on making demo disks.
Besides, can't demos and media be downloaded from Xbox Live as is? I didn't get my hands on a 360, but this is what I've heard.
http://www.TheGamerNation.com/Forums
Well, with the successes the hacking community has had lately, I wouldn't be surprised if we see an HD loader for the 360...
I want HDLoader!
Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
Although this is interesting news, the lack of a media check certainly doesn't mean the code isn't signed.
Does the existence of hate crime laws means I am free to kill other white guys?
Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination.
However, because of the very nature of this disk (restricted kiosk) it is unlikely that 99% of people will be able to make backup copies of it under fair use.
My 3D Texturing Skinning work (under construction)
The first step in breaking the Dreamcast was finding a loophole that let it boot from plain CD-R.
--
"Open source is good." - Steve Jobs
"Open source is evil." - Microsoft
All it takes is one buffer overflow in an executable reading a corrupted data file (which will probably be verified with something less than MD5), and this could be turned into a "boot key" allowing the loading of arbitrary code... at least until Microsoft uploads a patch to everybody locking out the executable if you don't have a demo unit. Since this is a demo disc, that means a lot less people can complain if it stops working. Only the few who never hook their 360 up to the network, and never run games which force an upgrade, may have a chance of running hacks in the future.
That would cause the executable to no longer be signed, and the system would not allow it to run.
The media protection and signing are very different things. The executables are still signed and from that cannot be modified. However, they can be played on a variety of media, burnable media included. The files themselves, to my knowledge, are not signed or checked. That would open the door for simple map mods or similar as seen with the Halo series. As for code execution, not likely. The hypervisor as well as other checks are in place to prevent the most common forms of attack. It would take some clever doing to get the good old fashioned gamesave exploits of yesteryear on this new platform ;) Realize also that there isn't much of anything preventing authors of demo discs from setting the media flags... this was more likely than not a mishap.
"Strangers have the best candy" -Me
Microsoft loses money on the consoles. Ergo, there is no reason for them to care about console sales in situations that are less likely to generate game sales, i.e. homebrew uses.
Bullshit. This is how every console manufacturer makes money. Sure, they make some money by licensing developers, but the amount of money the games industry makes is not being paid for by SDKs and such. Even if it was, the developers would have to offset this by the income they make from games. This would mean that the console makers would, transitively, be making money from selling games, not developer kits. And if your groundless assertion was correct, why did Atari and Nintendo sue unlicensed game makers?
and I seriously doubt they LOSE money on each Console sale as they claim
Then why do we have two different 360 consoles available? And never mind all the analysis we've seen that concludes MS is losing money right now on their systems.
If you try the 360's demo downloading capability, you know that it can run downloaded content. I haven't sniffed the data stream myself, but encrypted connections slow servers down quite a bit and it's doubtful that Xbox Live servers even use them for content download on the order of a 500MB demo. Those binaries are signed just like the demos on the discs which can be burned. By signing the binaries, they don't need to worry about how the code got on the Xbox. DVD-R, download, remove hard drive->write binary->reinstall hard drive, iPod, it doesn't matter a bit. If it doesn't execute binaries that aren't signed by Microsoft's private key, it doesn't matter how you give it the binary, it won't run it. This is a non-story. Unless someone steals or breaks Microsoft's private key, this is gonna need a hardware hack at minimum.
To reiterate what others have said, the executables are still signed AND demo discs with no media checks have been around for months. So that rules out modifying the executables.
As far as gamesave exploits and the like... On the original Xbox, gamesaves were signed, but they used a key stored in plaintext in the executable. Meaning if you found a way to crash the game and run your code, it was trivial to get the game to accept it. I suspect on the Xbox 360 the key will be secret.
Secondly, games on the Xbox run in kernel mode. I suspect this is NOT the case on the Xbox 360.
The Xbox 360 does not use an off-the-shelf CPU. Microsoft licensed it and built its own. The original Xbox was first hacked because it used an off-the-shelf Mobile Celeron and thus its secret information had to be built into the Xbox-specific southbridge and travel down the HyperTransport, which could be sniffed. Since the Xbox 360 used an MS-made CPU, I would wager that the key is on the CPU itself.
If we presume that gamesaves are signed with a secret key in the CPU, and applications do not run in kernel mode, we can rule out gamesave exploits in addition to executable modifications.
In short, this "news" is pointless. MS ship an executable with a few different bits allowing DVD-R playback and people suddenly think that we have a new Dreamcast on our hands. The disc will undoubtedly be subject to much scrutiny, but we're not really any closer to hacking the Xbox 360.
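An added example (not code from any poster in this thread) in Go, using ed25519 and HMAC-SHA256 from the standard library, modelling the two points argued above: a loader that accepts an executable only on a vendor signature, whatever medium it arrived on, and a gamesave MAC whose key is recoverable from the shipped binary. The vendor seed, MAC key and image bytes are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/hmac"
	"crypto/sha256"
	"fmt"
)

// Constructed demo material: a fixed vendor signing seed (publisher side only)
// and a gamesave MAC key. Real keys are random; these are fixed for repeatability.
var (
	vendorSeed = bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	vendorPub  = ed25519.NewKeyFromSeed(vendorSeed).Public().(ed25519.PublicKey)
	saveMACKey = []byte("constructed-save-mac-key")
)

// Publisher side: the private key signs the executable image and never ships.
func signExecutable(image []byte) []byte {
	return ed25519.Sign(ed25519.NewKeyFromSeed(vendorSeed), image)
}

// Console loader: only vendorPub lives on the device, and how the image arrived
// (DVD-R, download, hard drive) never enters the decision; one patched byte fails.
func loaderAccepts(image, sig []byte) bool {
	return ed25519.Verify(vendorPub, image, sig)
}

// Gamesave integrity tag: HMAC-SHA256 over the save bytes under key.
func saveTag(key, save []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write(save)
	return m.Sum(nil)
}

func saveAccepted(key, save, tag []byte) bool {
	return hmac.Equal(saveTag(key, save), tag)
}

// Audit check for the original-Xbox mistake: if the MAC key is readable in the
// shipped image, anyone holding the image can compute saveTag for any save.
func keyExposedInImage(image, key []byte) bool {
	return bytes.Contains(image, key)
}

func main() {
	image := []byte("GAME.XEX constructed code bytes")
	sig := signExecutable(image)
	patched := append([]byte{}, image...)
	patched[0] ^= 0xff
	fmt.Println("clean image loads:", loaderAccepts(image, sig))     // true
	fmt.Println("patched image loads:", loaderAccepts(patched, sig)) // false
	leaky := append(append([]byte{}, image...), saveMACKey...)       // key in plaintext
	fmt.Println("MAC key exposed in image:", keyExposedInImage(leaky, saveMACKey)) // true
}
```

Keeping the MAC key out of the image (or replacing the MAC with a public-key signature, as the loader does) is what removes the trivial forgery path.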
Given that the data files are unsigned, freely modifiable, and given MS's history of exploits in pure data (and MS-made code-data hybrid) formats, it seems likely a buffer exploit will be relatively easy to insert into the datastream. Heck, given the Windows-autolaunch mentality it wouldn't surprise me if you could just replace the video file with an executable by the same name. *grin*