Slashdot Mirror


Xbox 360 Kiosk Demo Spurs Hackers

An anonymous reader writes "Those hackers from team PI have released the Xbox 360 experience kiosk demo disc as an ISO. They say this demo contains no media protection and therefore it will run on the Xbox 360 when burned to a DVD-R disc. The disc contains playable demos such as Call of Duty 2, which could also be hackable, as PI speculates."

47 of 229 comments

  1. Not surprising... by Ruff_ilb · · Score: 5, Insightful

    But -

    Won't we have demo disks released soon enough? I doubt OXM, among other publications, will pass up on making demo disks.

    Besides, can't demos and media be downloaded from Xbox Live as is? I didn't get my hands on a 360, but this is what I've heard.

    --
    http://www.TheGamerNation.com/Forums
    1. Re:Not surprising... by pjh3000 · · Score: 3, Informative

      They're out now! The January 2006 issue of OXM has a demo disk that works on both the original Xbox and the new Xbox 360. Probably possible because they both use different file extensions for the default file.

    2. Re:Not surprising... by SScorpio · · Score: 5, Informative

      From what I saw on the magazine rack, OXM is already offering a disk with playable Xbox 360 demos. What is getting the hackers excited is that the files on the demo disk are not encrypted, and they are signed to boot from seemingly any type of media. This disk is going to be used by hackers to determine how the 360 authorizes a game to be booted and with what kind of media. They can now figure out what signals are different and produce a modchip that will allow backups to run. This is the second step in opening up the 360 to run any code. The first was figuring out the format files are laid out on the disk with, and this was cracked and reported on earlier.

    3. Re:Not surprising... by matth1jd · · Score: 5, Informative

      There have been demo disks circulating for some time (also media check free). So while these demo discs may have no media checks, that doesn't mean that the executables are not signed.
       
      As I understand it the media check basically lets the 360s hypervisor know what media the executable is allowed to run from. Demos do not have these media checks as they may be downloaded and run from the hard disk, or run from DVD.
       
      Obviously only signed code was intended to be run on the machine, the absence of a media check does not mean the executable isn't signed. In fact anyone would be incredibly naive to think that the executables were not unsigned.

      All in all I don't think we're any closer to modding the 360. This hacker group also released an Xbox 360 iso extraction tool which amounted to nothing. It turned out that any of the existing Xbox iso extraction tools could do the exact same thing. It's just a lot of smoke and no fire.

    4. Re:Not surprising... by matth1jd · · Score: 2, Informative

      Obviously only signed code was intended to be run on the machine, the absence of a media check does not mean the executable isn't signed. In fact anyone would be incredibly naive to think that the executables were not unsigned. That should read : In fact anyone would be incredibly naive to think that the executables were not signed.

    5. Re:Not surprising... by apoc06 · · Score: 2, Interesting

      Yes, the executables were probably signed, but in making copies you still have a copy of the signed exe; what stops media from directly running is the media check. Normally, if it's not the official format, if the dummy sectors are absent and the filesystem is correct, or if it's not the official media of MS, it still doesn't run the code. It's traditionally a three-way check. That's not the case here though. Here two parts of that are missing.

      What's really important here is to know that games can be run from different sources; it's not limited to a certain form of media. Therefore you can run from a backup copy of your disk, or possibly even a hard drive. Microsoft probably enabled the drive to accept any form of media disk [at least for certain titles like this] just in case they DO decide to move ahead with the HD-DVD drive. By the time they started manufacturing x360s the HD-DVD spec wasn't even done; thus they probably enabled this to future-proof the console, if they ever decided to change their minds and release HD-DVD versions of games or interactive media.

    6. Re:Not surprising... by irc.goatse.cx+troll · · Score: 3, Interesting

      All you need is a buffer overflow in some signed code and you can jump to your unsigned loader. There are ways around this of course, but gaming hardware can't really take that kind of speed hit on execution time.
      I think Phantasy Star Online for the Dreamcast was the first major buffer overflow, which persisted in the GameCube version. Then there were the memory card savegame buffer overflows, and many more.

      --
      Pain lasts, kid. It's how you know you're alive. Sometimes I think this growing up thing is just pain management. -TheMaxx
    7. Re:Not surprising... by Ruff_ilb · · Score: 2, Insightful

      They probably thought someone ELSE was trolling by correcting the parent's post.

      --
      http://www.TheGamerNation.com/Forums
    8. Re:Not surprising... by alienw · · Score: 4, Insightful

      Not to mention, if the disk is not signed or encrypted, it would be trivial to make the xbox run arbitrary code. It is then possible to do just about anything. Of course, it is most likely that Microsoft will fix this exploit with a software update/hardware revision.

    9. Re:Not surprising... by ianpatt · · Score: 4, Interesting

      Microsoft actually supports this method of running executables - the xbox emulator update for the 360 can be installed just by downloading a default.xex from their website and burning it to a DVD. Nothing special there.

      http://www.xbox.com/en-US/games/backwardscompatibility.htm

    10. Re:Not surprising... by Myria · · Score: 2, Informative

      Actually, Phantasy Star Online had a back door, not a buffer overflow. A packet that Sega called RcvProgramPatch could be sent to the client containing assembly code that the game would then execute. This allowed Sega to patch holes in the game and check for cheats, but it eventually led to the downfall of the Gamecube security system. (Dreamcast PSO had this feature as well, but Dreamcast had other security problems =) )

      Melissa

      --
      "Screw Sun, cross-platform will never work. Let's move on and steal the Java language." - Visual J++ Product Manager
  2. And let the games begin by EvilGoodGuy · · Score: 5, Interesting

    Now they just have to figure out how the demo disk becomes playable, use it as a boot disk, and poof, free games for everyone. :) I might be buying a 360 sooner than I thought...

  3. Re:Lucky for Microsoft... by Ruff_ilb · · Score: 4, Interesting

    And this is where the online capabilities become a mixed blessing. Just as users can download media, MS may be able to sneak in a DRM-esque update without the users knowing it. I'd be surprised if that didn't happen, in fact.

    --
    http://www.TheGamerNation.com/Forums
  4. HDLoader! by gcnaddict · · Score: 2, Insightful

    Well, with the successes the hacking community has had lately, I wouldn't be surprised if we see an HD loader for the 360...

    I want HDLoader!

    --
    Viable Slashdot alternatives: https://pipedot.org/ and http://soylentnews.org/
  5. Quite an achievement... by Anonymous Coward · · Score: 5, Funny

    Quite an achievement making an ISO of an unprotected DVD.

    We all bow down to the superiority of the hacking skillz of said release group. I am composing some ASCII art of a very large penis in your honor that you can use in your nfo file.

    1. Re:Quite an achievement... by b1t+r0t · · Score: 4, Insightful
      The achievement is not the ripping of the ISO. The achievement is finding out that this disk will boot when burned to a plain DVD-R.

      The first step in breaking the Dreamcast was finding a loophole that let it boot from plain CD-R.

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
    2. Re:Quite an achievement... by yottabite · · Score: 3, Funny

      You still have to hand it to them, they did, after all, commence dumping the discs to ISOs a lil while ago all on their lonesome. Also they had the kindness to let us all know of the slip-up, and publish the ISO for people to play with. That said, this isn't really a flame-war I'm trying to start. I don't even HAVE a penis :D

    3. Re:Quite an achievement... by pswayze · · Score: 2, Funny

      Perhaps you're thinking of the gamecube. The Xbox spun the normal way (unless maybe you lived in Australia?) and didn't require any custom dvd firmware.

    4. Re:Quite an achievement... by lysergic.acid · · Score: 3, Funny

      No penis? Well, since there are no girls that read Slashdot, there's only one other possibility... you must be one of those eunuchs I've been hearing so much about.

    5. Re:Quite an achievement... by jcnnghm · · Score: 2, Informative

      What software are you using to perform the backup? Last time I checked (well over a year ago) it still was not possible to read and copy disks without downloading files from the Xbox, then using GDFIMAGE to create the ISO. You could use UDF, but the end result could be any number of bad things. If you are doing direct copies, how are you dealing with the media checks?

      As I recall, it has always been possible to create a backup of a backup.

      --
      You don't make the poor richer by making the rich poorer. - Winston Churchill
    6. Re:Quite an achievement... by TeknoHog · · Score: 4, Funny
      you must be one of those eunuchs I've been hearing so much about.

      This is a eunuchs site after all, if you pardon the misspelling... and with the evil proprietary eunuchs systems, it's time someone started developing a free clone.. we could call it Girls Not Eunuchs or something.

      --
      Escher was the first MC and Giger invented the HR department.
    7. Re:Quite an achievement... by SyncNine · · Score: 5, Interesting

      Urban Legend. Gamecube discs do not default to being read from the outside in -- depending on the game and manufacturer/producer of said game, the game's bootstrap code or loader or whatever you want to call it can be as far as 3/4 of the way to the end of the disc. But it still doesn't read from the outside in. It pops the end of the disc on boot to get the game's boot code, then hits back to the center like any other CD/DVD reading device.

      To address the entire topic of this conversation, this 'achievement' doesn't mean crap. There is no *exploit* that allows this disc to boot. Whoever pressed it intentionally left off the media check -- thus allowing it to be played as downloaded from Live or on DVD. Not a big deal. It's still encrypted and signed -- the hypervisor still won't run it if a single bit has been altered.

      I don't know about you, but I don't think my computer has enough spare CPU cycles in the next 100 years to crack the digital signing.

      An exploit would be these people releasing the same DVD image that self-boots but has different content. But they can't. Because the 360 won't run it.

      Just think about what people are inferring here. Microsoft, tremendous software goliath, pioneers new Xbox360 system that they claim is 'unhackable'. They have learned from their mistake with the Xbox and have actually taken many steps to make sure the system is as hard to hack as possible. 20 days after its release, they accidentally post an un-protected ISO on their website, allow production facilities to produce un-protected DVDs, and allow hackers to have full reign over their console.

      Does this sound odd to anyone else? They wouldn't release these things if they didn't think (whether or not they're correct) that it had absolutely no gain to the hacker community. They're not going to help the hackers crack this system -- they have absolutely no gain from doing so. They lose money on each console, do you really think that's all they want you to buy? It doesn't work that way. This wouldn't have been released the way it was unless MS approved it -- there is a 99.95% chance that if they approved it, there is no way of hacking it.

      I'd like to be proved wrong here, but until someone makes a DVD iso for the Xbox360 that opens up to a picture of a horse's ass and an arrow pointing to it that says 'SyncNine', I'm going to have to think I'm correct.

      --
      To the darkened skies once more, and ever onward.
  6. Re:No DRM == license to copy freely? by CableModemSniper · · Score: 4, Informative

    The DMCA makes it illegal to circumvent the protection. Copyright infringement is still illegal on top of that. Creating/using DeCSS violates the DMCA, but copying the DVD is copyright infringement. The DMCA is "evil", but just because people don't protect something technologically doesn't mean you should have the right to copy it willy-nilly.

    --
    Why not fork?
  7. Re:No DRM == license to copy freely? by nwbvt · · Score: 4, Insightful

    Does the existence of hate crime laws mean I am free to kill other white guys?

    --
    Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination.
  8. No exploit here... move along by rminsk · · Score: 5, Interesting

    The executables are still signed. It is common for supporting data files to be unsigned. The executable usually does a hash check on its data files to make sure they haven't been messed with. It seems like everyone jumps on every little thing about the inner workings of the Xbox 360 as a major exploit. The sensationalism is just getting boring.

    1. Re:No exploit here... move along by b1t+r0t · · Score: 2, Insightful
      The executables are still signed. It is common for supporting data files to be unsigned. The executable usually does a hash check on its data files to make sure they haven't been messed with.

      All it takes is one buffer overflow in an executable reading a corrupted data file (which will probably be verified with something less than MD5), and this could be turned into a "boot key" allowing the loading of arbitrary code... at least until Microsoft uploads a patch to everybody locking out the executable if you don't have a demo unit. Since this is a demo disc, that means a lot less people can complain if it stops working. Only the few who never hook their 360 up to the network, and never run games which force an upgrade, may have a chance of running hacks in the future.

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
    2. Re:No exploit here... move along by matth1jd · · Score: 2, Insightful

      That would cause the executable to no longer be signed, and the system would not allow it to run.

  9. Re:Lucky for Microsoft... by pjh3000 · · Score: 2, Interesting

    Yeah, just wait 'til Sony puts an Xbox compatible rootkit on the latest crap-rock CD.

    Of course they'd probably get sued out of existence...

  10. Re:No DRM == license to copy freely? by taskforce · · Score: 5, Insightful
    No, it just allows you the fair use you were originally granted before the DMCA was put in. Copyright law still applies to everything you get; it's just that, unlike making a backup of a CSS-protected video DVD, you can make a backup of this unprotected demo disk because you didn't have to break encryption.

    However, because of the very nature of this disk (restricted kiosk) it is unlikely that 99% of people will be able to make backup copies of it under fair use.

    --
    My 3D Texturing Skinning work (under construction)
  11. Re:Lucky for Microsoft... by Ruff_ilb · · Score: 2, Interesting

    Sony V. Microsoft: DRM rootkits on a MS console. Would be an interesting clash.

    Of course, that's if they WEREN'T working together.

    --
    http://www.TheGamerNation.com/Forums
  12. Re:No DRM == license to copy freely? by Rude+Turnip · · Score: 3, Funny

    Sure! Of course, IANAL.

  13. Does Microsoft fund these guys? by Animats · · Score: 4, Funny

    They're redistributing Microsoft marketing materials. Usually, you have to pay a PR firm to do that.

  14. Not that exciting by lord_sarpedon · · Score: 2, Insightful

    The media protection and signing are very different things. The executables are still signed and therefore cannot be modified. However, they can be played on a variety of media, burnable media included. The files themselves, to my knowledge, are not signed or checked. That would open the door for simple map mods or similar as seen with the Halo series. As for code execution, not likely. The hypervisor as well as other checks are in place to prevent the most common forms of attack. It would take some clever doing to get the good old fashioned gamesave exploits of yesteryear on this new platform ;) Realize also that there isn't much of anything preventing authors of demo discs from setting the media flags... this was more likely than not a mishap.

    --
    "Strangers have the best candy" -Me
  15. Re:Here's the video... by Predius · · Score: 2, Interesting

    They don't show the xbox booting that DVD, but reading from it after a hot swap while the system is running...

  16. You still dont get it do you guys? by AzraelKans · · Score: 3, Interesting

    MS doesn't make their money just out of selling games (and I seriously doubt they LOSE money on each Console sale as they claim); they make a lot of money out of selling XDKs and licenses to publishers: the more people owning the console, the more publishers will want to port their games to it. Piracy and hacking is a surefire way to make the console available to those who can't afford or are unwilling to buy the games at their current price (not just in America but worldwide). Besides, they CAN'T clone the console, just the games themselves, so they have to buy the console anyway and MS knows that; that's why they have never been too severe with piracy or hacking (contrary to Sony, who is basically sinking the PSP by doing the opposite... and not releasing too many games either). Do you actually believe they haven't noticed there are groups doing great dashes and even homebrew games on their console using warezed XDKs? Entire companies dedicated to mod chips?

    Do you think it's just a big coincidence they released UNPROTECTED demos and games, which can easily be compared to PROTECTED ones by pro hackers?

    They are not stupid you know? (at least not that stupid)

    Yet IMO it would suck to own a modded or hacked Xbox 360 since you wouldn't be able to log on to Xbox Live, which is a big part of the 360 deal.

    --
    Go ahead MOD my day!
    More opinions here
    1. Re:You still dont get it do you guys? by ClamIAm · · Score: 2, Insightful
      MS doesn't make their money just out of selling games

      Bullshit. This is how every console manufacturer makes money. Sure, they make some money by licensing developers, but the amount of money the games industry makes is not being paid for by SDKs and such. Even if it was, the developers would have to offset this by the income they make from games. This would mean that the console makers would, transitively, be making money from selling games, not developer kits. And if your groundless assertion was correct, why did Atari and Nintendo sue unlicensed game makers?

      and I seriously doubt they LOSE money on each Console sale as they claim

      Then why do we have two different 360 consoles available? And never mind all the analysis we've seen that concludes MS is losing money right now on their systems.

    2. Re:You still dont get it do you guys? by Anthony+Liguori · · Score: 2

      MS doesn't make their money just out of selling games (and I seriously doubt they LOSE money on each Console sale as they claim)

      People really don't understand this well at all. Developing the Xbox required a very large up front investment. To justify the investment, Microsoft will analyze how much they expect to sell, and amortize that cost over the consoles and games.

      Clearly, their business model is such that if they only sold consoles, and not games, they would not recoup their costs. This makes sense because the relative profit margins on games are going to be much higher than on the consoles. This is how they "lose" money on the Xbox. The sum of the components, however, is not worth more than what they sell it for. Otherwise, people would just buy a bunch and sell them for scrap. If you buy Xboxes, Microsoft does not lose money. It's quite the opposite: every Xbox and game they sell gets them closer to recouping the original investment and eventually making quite a profit.

  17. Re:Lucky for Microsoft... by TommydCat · · Score: 2, Interesting
    How's that any less significant than Sony rootkitting a business-class operating system? Liability to consumers versus liability to Big Business would be much less, plus on a controlled environment such as console, MS could update and wipe it clean.

    I think the big question is why hasn't MS done as much as make a statement about Sony's ploy and how it affects security of machines that have access to "secure" information...

    --
    This comment does not necessarily represent the views and opinions of the author.
  18. Hey, y'know by FryingLizard · · Score: 5, Interesting

    Will someone here with a 360 and a spare half hour go get the aforementioned warez, and burn two copies - one with a single byte modified in one of the executable files?

    Actual results posted here would be oh so welcome.

    --
    [FrLz]
  19. No breakthrough here by Smarty2120 · · Score: 5, Insightful

    If you try the 360's demo downloading capability, you know that it can run downloaded content. I haven't sniffed the data stream myself, but encrypted connections slow servers down quite a bit and it's doubtful that Xbox Live servers even use them for content download on the order of a 500MB demo. Those binaries are signed just like the demos on the discs which can be burned. By signing the binaries, they don't need to worry about how the code got on the Xbox. DVD-R, download, remove hard drive->write binary->reinstall hard drive, iPod, it doesn't matter a bit. If it doesn't execute binaries that aren't signed by Microsoft's private key, it doesn't matter how you give it the binary, it won't run it. This is a non-story. Unless someone steals or breaks Microsoft's private key, this is gonna need a hardware hack at minimum.

  20. HEY MODS, mod up parent. by numbski · · Score: 4, Interesting

    This is a good question. Hex edit one of the binaries. Heck, run strings on it, change some text someplace and burn it.

    If it still runs, good things be ahead.

    --

    Karma: Chameleon (mostly due to the fact that you come and go).

  21. Pointless by evilgrug · · Score: 4, Insightful

    To reiterate what others have said, the executables are still signed AND demo discs with no media checks have been around for months. So that rules out modifying the executables.

    As far as gamesave exploits and the like...On the original Xbox, gamesaves were signed, but they used a key stored in plaintext in the executable. Meaning if you found a way to crash the game and run your code, it was trivial to get the game to accept it. I suspect on the Xbox 360 the key will be secret.

    Secondly, games on the Xbox run in kernel mode. I suspect this is NOT the case on the Xbox 360.

    The Xbox 360 does not use an off-the-shelf CPU. Microsoft licensed it and built its own. The original Xbox was first hacked because it used an off-the-shelf Mobile Celeron and thus its secret information had to be built into the Xbox-specific southbridge and travel down the HyperTransport, which could be sniffed. Since the Xbox 360 used an MS-made CPU, I would wager that the key is on the CPU itself.

    If we presume that gamesaves are signed with a secret key in the CPU, and applications do not run in kernel mode, we can rule out gamesave exploits in addition to executable modifications.

    In short, this "news" is pointless. MS ship an executable with a few different bits allowing DVD-R playback and people suddenly think that we have a new Dreamcast on our hands. The disc will undoubtedly be subject to much scrutiny, but we're not really any closer to hacking the Xbox 360.

  22. Just tried it. No go. by THESuperShawn · · Score: 5, Informative

    I just changed one digit with a hex editor and re-burned the ISO. The change was in Call of Duty. It no longer plays. The other demos play just fine. No error message, it just locks up with a blank screen.

    I am going to try again to verify. I will know in about 20 minutes.

    --
    Repant. Thy end is sheer.
    1. Re:Just tried it. No go. by THESuperShawn · · Score: 4, Informative

      Same result with King Kong. It will not load the game, it just freezes. Everything else (non modified) still works.

      --
      Repant. Thy end is sheer.
    2. Re:Just tried it. No go. by THESuperShawn · · Score: 4, Informative

      Last one..getting tired...

      I was able to remove three files and everything still boots.

      Draw your own conclusions from these three tests. I guess the only other thing I left out was trying to replace a movie file. Maybe tomorrow, I have lost my enthusiasm tonight.

      In other news, I finally finished the war in Call of Duty 2.

      --
      Repant. Thy end is sheer.
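The thread's model of how the console decides what to run (rminsk: the executable is signed and hash-checks its own data files; Smarty2120: if it isn't signed by the vendor's private key it does not run, however it arrived) matches THESuperShawn's results above: one changed byte in an executable stops that demo, while deleting files the executables never reference changes nothing. The following Python is an added illustration of that model, not code from Team PI, from Microsoft, or from the original page. The Xbox 360's real key sizes, signature format, padding and file layout are not on the page, so everything here is an assumption: a textbook RSA signature over a truncated SHA-256 digest, a key built from two Mersenne primes so it is reproducible offline, a hypothetical `loader()` that returns a refusal reason instead of the blank screen the console shows, and constructed sample files.

```python
"""Toy model of a console loader that runs only vendor-signed executables.

Added example (not the page's or any vendor's code). Key material, file names
and the manifest format are illustrative assumptions; textbook RSA with no
padding is used only so the whole example runs from the standard library.
"""
import hashlib
import json

# --- Publisher side: hypothetical signing key --------------------------------
# 2**89-1 and 2**127-1 are Mersenne primes, chosen so the key is reproducible
# offline. A real signing key would be much larger and randomly generated.
P = 2**89 - 1
Q = 2**127 - 1
N = P * Q                       # public modulus, about 216 bits
E = 65537                       # public exponent, shipped in the console
D = pow(E, -1, (P - 1) * (Q - 1))   # private exponent, never leaves the vendor


def digest_int(data: bytes) -> int:
    # Truncate SHA-256 to 24 bytes (192 bits) so the integer is smaller than N.
    return int.from_bytes(hashlib.sha256(data).digest()[:24], "big")


def signed_image(executable: bytes, manifest: dict) -> bytes:
    """The bytes the signature covers: the code plus its data-file hash list.
    Folding the manifest into the signed image means the hashes of the data
    files cannot be edited without breaking the executable's signature."""
    return executable + b"\n" + json.dumps(manifest, sort_keys=True).encode()


def sign(data: bytes) -> int:
    """Publisher side: textbook RSA signature (illustration only, no padding)."""
    return pow(digest_int(data), D, N)


# --- Console side: holds only (N, E) -----------------------------------------
def verify(data: bytes, signature: int) -> bool:
    return pow(signature, E, N) == digest_int(data)


def build_manifest(data_files: dict) -> dict:
    """SHA-256 of each data file the executable will refuse to load if altered."""
    return {name: hashlib.sha256(blob).hexdigest() for name, blob in data_files.items()}


def loader(executable: bytes, signature: int, manifest: dict, data_files: dict) -> str:
    """Hypothetical boot decision: returns "boot" or a refusal reason."""
    if not verify(signed_image(executable, manifest), signature):
        return "refused: executable signature invalid"
    # Only files named in the manifest are checked; unreferenced files are
    # ignored, which is why deleting them does not stop the boot.
    for name, expected in manifest.items():
        blob = data_files.get(name)
        if blob is None:
            return f"refused: required data file {name} missing"
        if hashlib.sha256(blob).hexdigest() != expected:
            return f"refused: data file {name} altered"
    return "boot"


def flip_one_bit(blob: bytes, index: int = 0) -> bytes:
    """The hex-editor experiment from the thread: change a single bit."""
    edited = bytearray(blob)
    edited[index] ^= 0x01
    return bytes(edited)


# --- Constructed sample disc (not real Xbox 360 content) ---------------------
EXECUTABLE = b"constructed-sample-demo-executable"
DATA_FILES = {
    "level1.map": b"constructed map data",
    "intro.mov": b"constructed video data",      # never referenced by the manifest
}
MANIFEST = build_manifest({"level1.map": DATA_FILES["level1.map"]})
SIGNATURE = sign(signed_image(EXECUTABLE, MANIFEST))


def run_experiments() -> dict:
    """Replays the thread's three experiments plus a checked-data-file edit."""
    results = {"pristine": loader(EXECUTABLE, SIGNATURE, MANIFEST, DATA_FILES)}
    # One bit changed in the executable: signature no longer matches.
    results["one_bit_in_exe"] = loader(flip_one_bit(EXECUTABLE, 5), SIGNATURE, MANIFEST, DATA_FILES)
    # One bit changed in a data file the executable hash-checks.
    tampered = dict(DATA_FILES, **{"level1.map": flip_one_bit(DATA_FILES["level1.map"])})
    results["one_bit_in_checked_data"] = loader(EXECUTABLE, SIGNATURE, MANIFEST, tampered)
    # A file nobody references is removed: nothing checks it, so it still boots.
    pruned = {k: v for k, v in DATA_FILES.items() if k != "intro.mov"}
    results["unreferenced_file_removed"] = loader(EXECUTABLE, SIGNATURE, MANIFEST, pruned)
    return results


if __name__ == "__main__":
    for name, outcome in run_experiments().items():
        print(f"{name:26} -> {outcome}")
```

The design point worth taking from the model is the one lord_sarpedon and rminsk make: a signature over the executable (and, here, over its manifest) settles what code runs regardless of the media it came from, but any data file the executable reads without a hash in that manifest is outside the trust boundary and is exactly where the parser has to be written defensively.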
  23. Cracking the executable is NOT the point here by Rolman · · Score: 4, Interesting

    People here talking about the executable still being signed and thus not hackable are terribly missing the point.

    Team Pi notes that the DATA FILES are not protected. That means that content can be changed and thus the signed executable could be hijacked into loading unsigned code.

    This is nothing new. It's exactly what happened in the old Xbox and the game 007: Agent Under Fire. Someone hacked a savefile, which exploited a buffer overrun on the PERFECTLY SIGNED executable from the game and enabled unsigned code (Linux, or a backup game if that's your intention) to run WITHOUT ANY MODCHIP.

    You just need a Memory Card to load the hacked savefile from, and the original, signed, protected game.

    Team Pi is suggesting that the same idea is possible here, and that's the reason why this ISO is being distributed.

    --
    - Otaku no naka no otaku, otaking da!!!
  24. Running unsigned code by PaladinAlpha · · Score: 2, Insightful

    Given that the data files are unsigned, freely modifiable, and given MS's history of exploits in pure data (and MS-made code-data hybrid) formats, it seems likely a buffer exploit will be relatively easy to insert into the datastream. Heck, given the Windows-autolaunch mentality it wouldn't surprise me if you could just replace the video file with an executable by the same name. *grin*