Slashdot Mirror

← Back to Stories (view on slashdot.org)

Xbox 360 Kiosk Demo Spurs Hackers

Posted by Zonk on from the i-wish-i-had-that-kind-of-free-time dept.

An anonymous reader writes "Those hackers from team PI have released the Xbox 360 experience kiosk demo disc as an ISO. They say this demo contains no media protection and therefore it will run on the Xbox 360 when burned to a DVD-R disc. The disc contains playable demo's on the disk such as Call of Duty 2, which could also be hackable, as PI speculates."

30 of 229 comments (clear)

  1. Not suprising... by Ruff_ilb · · Score: 5, Insightful

    But -

    Won't we have demo disks released soon enough? I doubt OXM, among other publications, will pass up on making demo disks.

    Besides, can't demos and media be downloaded from Xbox Live as is? I didn't get my hands on a 360, but this is what I've heard.

    --
    http://www.TheGamerNation.com/Forums
    1. Re:Not suprising... by pjh3000 · · Score: 3, Informative

      They're out now! The January 2006 issue of OXM has a demo disk that works on both the original Xbox and the new Xbox 360. Probably possible because they both use different file extentions for the default file.

    2. Re:Not suprising... by SScorpio · · Score: 5, Informative

      From what I saw on the magazine rack, OXM is already offering a disk with playable Xbox 360 demos. What is getting the hackers excitied is that the files on the demo disk are not encrypted, and they are signed to boot from seemingly any type of media. This disk can is going to be used by hackers to determine how the 360 authorizes a game to be booted and with what kind of media. They can know figure out what signals are different and produce a modchip that will allow backups to run. This is the second step in opening up the 360 to run any code. The first was figuring out the format files are laided out on the disk with, and this was cracked and reported on earlier.

    3. Re:Not suprising... by matth1jd · · Score: 5, Informative

      There have been demo disks circulating for sometime (also media check free). So while these demo discs may have no media checks that doesn't mean that the executables are not signed.
       
      As I understand it the media check basically lets the 360s hypervisor know what media the executable is allowed to run from. Demos do not have these media checks as they may be downloaded and run from the hard disk, or run from DVD.
       
      Obviously only signed code was intended to be run on the machine, the absence of a media check does not mean the executable isn't signed. In fact anyone would be incredibly naive to think that the executables were not unsigned.

      All in all I don't think we're any closer to modding the 360. This hacker group also released an Xbox 360 iso extraction tool which amounted to nothing. It turned out that any of the existing Xbox iso extraction tools could do the exact same thing. It's just alot of smoke and no fire.

    4. Re:Not suprising... by irc.goatse.cx+troll · · Score: 3, Interesting

      All you need is a buffer overflow in some signed code and you can jump to your unsigned-loader. There are ways around this of course, but gaming hardware cant really take that kind of speed hit on execution time.
      I think phantasy star online for the dreamcast was the first major buffer overflow, which persisted in the gamecube version. Then there were the memory card savegame buffer overflows, and many more.

      --
      Pain lasts, kid. Its how you know you're alive. Sometimes I think this growing up thing is just pain management-TheMaxx
    5. Re:Not suprising... by alienw · · Score: 4, Insightful

      Not to mention, if the disk is not signed or encrypted, it would be trivial to make the xbox run arbitrary code. It is then possible to do just about anything. Of course, it is most likely that Microsoft will fix this exploit with a software update/hardware revision.

    6. Re:Not suprising... by ianpatt · · Score: 4, Interesting

      Microsoft actually supports this method of running executables - the xbox emulator update for the 360 can be installed just by downloading a default.xex from their website and burning it to a DVD. Nothing special there.

      http://www.xbox.com/en-US/games/backwardscompatibi lity.htm

  2. And let the games begin by EvilGoodGuy · · Score: 5, Interesting

    Now they just have to figure out how the demo disk becomes playable, use it as a boot disk, and poof, free games for everyone. :) I might be buying a 360 sooner than I thought...

  3. Re:Lucky for Microsoft... by Ruff_ilb · · Score: 4, Interesting

    And this is where the online capabilities become a mixed blessing. Just as users can download media, MS may be able to sneak in a DRM-esque update without the users knowing it. I'd be suprised if that didn't happen, in fact.

    --
    http://www.TheGamerNation.com/Forums
  4. Quite an achievement... by Anonymous Coward · · Score: 5, Funny

    Quite an achievement making an ISO of an unprotected DVD.

    We all bow down to the superiority of the hacking skillz of said release group. I am composing some ASCII art of a very large penis in your honor that you can use in your nfo file.

    1. Re:Quite an achievement... by b1t+r0t · · Score: 4, Insightful
      The achievement is not the ripping of the ISO. The achievement is finding out that this disk will boot when burned to a plain DVD-R.

      The first step in breaking the Dreamcast was finding a loophole that let it boot from plain CD-R.

      --

      --
      "Open source is good." - Steve Jobs
      "Open source is evil." - Microsoft
    2. Re:Quite an achievement... by yottabite · · Score: 3, Funny

      You still have to hand it to them, they did, after all, commence dumping the discs to ISO's a lil while ago all on their lonesome. Also they had the kindness to let us all know of the slip-up, and publish the ISO for people to play with. That said, this isn't really a flame-war I'm trying to start. I don't even HAVE a penis :D

    3. Re:Quite an achievement... by lysergic.acid · · Score: 3, Funny

      No penis? Well, since there are no girls that read Slashdot, there's only one other possibility... you must be one of those eunuchs I've been hearing so much about.

    4. Re:Quite an achievement... by TeknoHog · · Score: 4, Funny
      you must be one of those eunuchs I've been hearing so much about.

      This is a eunuchs site after all, if you pardon the misspelling... and with the evil proprietary eunuchs systems, it's time someone started developing a free clone.. we could call it Girls Not Eunuchs or something.

      --
      Escher was the first MC and Giger invented the HR department.
    5. Re:Quite an achievement... by SyncNine · · Score: 5, Interesting

      Urban Legend. Gamecube discs do not default to being read from the outside in -- depending on the game and manufacturer/producer of said game, the game's bootstrap code or loader or whatever you want to call it can be as far as 3/4 of the way to the end of the disc. But it still doesn't read from the outside in. It pops the end of the disc on boot to get the game's boot code, then hits back to the center like any other CD/DVD reading device.

      To address the entire topic of this conversation, this 'achievement' doesn't mean crap. There is no *exploit* that allows this disc to boot. Whoever pressed it intentionally left off the media check -- thus allowing it to be played as downloaded from Live or on DVD. Not a big deal. It's still encrypted and signed -- the hypervisor still won't run it if a single bit has been altered.

      I don't know about you, but I don't think my computer has enough spare CPU cycles in the next 100 years to crack the digital signing.

      An exploit would be these people releasing the same DVD image that self-boots but has different content. But they can't. Because the 360 won't run it.

      Just think about what people are inferring here. Microsoft, tremendous software goliath, pioneers new Xbox360 system that they claim is 'unhackable'. They have learned from their mistake with the Xbox and have actually taken many steps to make sure the system is as hard to hack as possible. 20 days after its release, they accidentally post an un-protected ISO on their website, allow production facilities to produce un-protected DVDs, and allow hackers to have full reign over their console.

      Does this sound odd to anyone else? They wouldn't release these things if they didn't think (whether or not they're correct) that it had absolutely no gain to the hacker community. They're not going to help the hackers crack this system -- they have absolutely no gain from doing so. They lose money on each console, do you really think that's all they want you to buy? It doesn't work that way. This wouldn't have been released the way it was unless MS approved it -- there is a 99.95% chance that if they approved it, there is no way of hacking it.

      I'd like to be proved wrong here, but until someone makes a DVD iso for the Xbox360 that opens up to a picture of a horse's ass and an arrow pointing to it that says 'SyncNine', I'm going to have to think I'm correct.

      --
      To the darkened skies once more, and ever onward.
  5. Re:No DRM == license to copy freely? by CableModemSniper · · Score: 4, Informative

    The DMCA makes it illegal to circumvwent the protection. Copyright infringement is still illegal on top of that. Creating/using DeCSS violates the DMCA, but copying the DVD is copyright infringment. The DMCA is "evil", but just because people don't protect something technologically doesn't mean you should have the right to copy it willy nilly.

    --
    Why not fork?
  6. Re:No DRM == license to copy freely? by nwbvt · · Score: 4, Insightful

    Does the existence of hate crime laws means I am free to kill other white guys?

    --
    Mathematics is made of 50 percent formulas, 50 percent proofs, and 50 percent imagination.
  7. No exploit here... move along by rminsk · · Score: 5, Interesting

    The executables as still signed. It is common for supporting data files to be un-signed. The executable usually does a hash check on its datafiles to make sure they haven't been messed with. It seems like everyone jumps on every little thing about the inner workings of the XBox 360 as a major exploit. The sensationalism is just getting boring.

  8. Re:No DRM == license to copy freely? by taskforce · · Score: 5, Insightful
    No, it just allows you the fair use you were originally granted before the DMCA was put in. Copyright law still applies to everything you get, it's just that unlike making a backup of a CSS protected Video DVD, you can make a backup of this unprotected demo disk beucase you didn't have to break encryption.

    However, becuase of the very nature of this disk (restricted kiosk) it is unlikely that 99% of people will be able to make backup copies of it under fair use.

    --
    My 3D Texturing Skinning work (under construction)
  9. Re:No DRM == license to copy freely? by Rude+Turnip · · Score: 3, Funny

    Sure! Of course, IANAL.

    --
    Bill Clinton: Pimp we can believe in. - The Shirt!!!
  10. Does Microsoft fund these guys? by Animats · · Score: 4, Funny

    They're redistributing Microsoft marketing materials. Usually, you have to pay a PR firm to do that.

  11. You still dont get it do you guys? by AzraelKans · · Score: 3, Interesting

    MS doesnt make their money just out of selling games (and I seriously doubt they LOSE money on each Console sale as they claim) they make a lot of money out of selling XDK's and licenses to publishers, the more people owning the console, the more publishers will want to port their games to it. Piracy and hacking is a surefire way to make the console available to those who cant afford or are unwilling to buy the games at their current price (not just in America but worldwide) besides they CANT clone the console just the games themselves so they have to buy the console anyway and MS knows that, thats why they have never been too severe with piracy or hacking (contrary to sony who is basically sinking PSP by doing the oposite.. and not releasing too many games either), do you actually believe they havent noticed there are groups doing great dashes and even homebrew games on their console using warezed xdks? entire companies dedicated to mod chips?

    Do you think is just a big coincidence they released UNPROTECTED demos and games, which can easily be compared to PROTECTED ones by pro hackers?

    They are not stupid you know? (at least not that stupid)

    Yet IMO it would suck to own a modded or hacked xbox 360 since you wouldnt be able to log to xbox live which is a big part of the 360 deal.

    --
    Go ahead MOD my day!
    More opinions here
  12. Hey, y'know by FryingLizard · · Score: 5, Interesting

    Will someone here with a 360 and a spare half hour go get the aforementioned warez, and burn two copies - one with a single byte modified in one of the executable files?

    Actual results posted here would be oh so welcome.

    --
    [FrLz]
  13. No breakthrough here by Smarty2120 · · Score: 5, Insightful

    If you try the 360's demo downloading capability, you know that it can run downloaded content. I haven't sniffed the data stream myself, but encrypted connections slow servers down quite a bit and it's doubtful that xbox live servers even use them for content download on the order of a 500MB demo. Those binaries are signed just like the demos on the discs which can be burned. By signing the binaries, they don't need to worry about how the code got on the xbox. DVD-R, download, remove hard drive->write binary->reinstall hard drive, iPod, it doesn't matter a bit. If it doesn't execute binaries that aren't signed by microsoft's private key, it doesn't matter how you give it the binary, it won't run it. This is a non-story. Unless someone steals or or breaks microsoft's private key, this is gonna need a hardware hack at minimum.

  14. HEY MODS, mod up parent. by numbski · · Score: 4, Interesting

    This is a good question. Hex edit one of the binaries. Heck, run strings on it, change some text someplace and burn it.

    If it still runs, good things be ahead.

    --

    Karma: Chameleon (mostly due to the fact that you come and go).

  15. Pointless by evilgrug · · Score: 4, Insightful

    To reiterate what others have said, the executables are still signed AND demo discs with no media checks have been around for months. So that rules out modifying the executables.

    As far as gamesave exploits and the like...On the original Xbox, gamesaves were signed, but they used a key stored in plaintext in the executable. Meaning if you found a way to crash the game and run your code, it was trivial to get the game to accept it. I suspect on the Xbox 360 the key will be secret.

    Secondly, games on the Xbox run in kernel mode. I suspect this is NOT be the case on the Xbox 360.

    The Xbox 360 does not use an off-the-shelf CPU. Microsoft licensed it and built its own. The original Xbox was first hacked because it used an off-the-shelf Mobile Celeron and thus its secret information had to be built into the Xbox-specific southbridge and travel down the HyperTransport, which could be sniffed. Since the Xbox 360 used an MS-made CPU, I would wager that the key is on the CPU itself.

    If we presume that gamesaves are signed with a secret key in the CPU, and applications do not run in kernel mode, we can rule out gamesave exploits in addition to executable modifications.

    In short, this "news" is pointless. MS ship an executable with a few different bits allowing DVD-R playback and people suddenly think that we have a new Dreamcast on our hands. The disc will undoubtedly be subject to much scrutiny, but we're not really any closer to hacking the Xbox 360.

  16. Just tried it. No go. by THESuperShawn · · Score: 5, Informative

    I just changed one digit with a hex editor and re-burned the iso. The change was in Call of Duty. It no longer plays. The other demo's play just fine. No error message, it just locks up with a blank screen.

    I am going to try again to verify. I will know in about 20 minutes.

    --
    Repant. Thy end is sheer.
    1. Re:Just tried it. No go. by THESuperShawn · · Score: 4, Informative

      Same result with King Kong. It will not load the game, it just freezes. Everything else (non modified) still works.

      --
      Repant. Thy end is sheer.
    2. Re:Just tried it. No go. by THESuperShawn · · Score: 4, Informative

      Last one..getting tired...

      I was able to remove three files and everything still boots.

      Draw your own conclusions from these three tests. I guess the only other thing I left out was trying to replace a movie file. Maybe tomorrow, I have lost my enthusiasm tonight.

      In other news, I finally finished the war in Call of Duty 2.

      --
      Repant. Thy end is sheer.
  17. Cracking the executable is NOT the point here by Rolman · · Score: 4, Interesting

    People here talking about the executable still being signed and thus not hackable are terribly missing the point.

    Team Pi notes that the DATA FILES are not protected. That means that content can be changed and thus the signed executable could be hijacked into loading unsigned code.

    This is nothing new. It's exactly what happened in the old Xbox and the game 007: Agent Under Fire. Someone hacked a savefile, which exploited a buffer overrun on the PERFECTLY SIGNED executable from the game and enabled unsigned code (Linux, or a backup game if that's your intention) to run WITHOUT ANY MODCHIP.

    You just need a Memory Card to load the hacked savefile from, and the original, signed, protected game.

    Team Pi is suggesting that the same idea is possible here, and that's the reason why this ISO is being distributed.

    --
    - Otaku no naka no otaku, otaking da!!!