Xbox Hypervisor Security Protection Hacked

ACTRAiSER writes "A recent Post on Bugtraq claims the hack of the Xbox 360 Security Protection Hypervisor. It includes sample code as well." From Bugtraq "We have discovered a vulnerability in the Xbox 360 hypervisor that allows privilege escalation into hypervisor mode. Together with a method to inject data into non-privileged memory areas, this vulnerability allows an attacker with physical access to an Xbox 360 to run arbitrary code such as alternative operating systems with full privileges and full hardware access."

Yes.

[TJ_Phazerhacki]

All well and good, but....

Will it run DOOM?

huh?

[User+956]

A recent Post on Bugtraq claims the hack of the Xbox 360 Security Protection Hypervisor.

Is that like some primitive version of what Geordi Laforge wears?

Attacker??

this vulnerability allows an attacker with physical access to an Xbox 360 to run arbitrary code such as alternative operating systems with full privileges and full hardware access.

Wait. Don't you mean this allows an Xbox 360 user to run arbitrary code such as alternative operating systems with full privileges and full hardware access on the machine they rightfully own ?

How is this an attack, except in the eyes of MS?

Re:Attacker??

[Overly+Critical+Guy]

It's just security flaw terminology. You're taking something personally that's not meant to be read that way.

Re:Attacker??

[TheRealMindChild]

See my comment here

You might think you own it, but SUPRISE, you are licensing it. You probably could have found the completely abiguous statement on that little postcard you threw away.

Re:Attacker??

You are hacking your own system - cancel or allow?

Re:Attacker??

[karmatic]

Quoth the parent: See my comment here.

You might think you own it, but SUPRISE, you are licensing it.

The fact you keep repeating the same wrong information doesn't make it any less wrong.

Adobe made that same claim you are making. It didn't go over well in court. It didn't go over too well for Microsoft either (Microsoft Corp. v. DAK Indus). Novell tried that argument, and got shot down too (Novell, Inc. v. CPU Distrib., Inc., 2000 ).

"...the Ninth Circuit held that the economic realities of the agreement indicated that it was a sale, not a license to use."

"... Like Adobe, CPU argued that it purchased the software from an authorized source, and was entitled to resell it under the first sale doctrine. Novell claimed that it did not sell software but merely licensed it to distribution partners. The court held that these transactions constituted sales and not a license, and therefore that the first sale doctrine applied. 2000 U.S. Dist. Lexis 9975 at *18."

"...The Court finds that the circumstances surrounding the transaction strongly suggests that the transaction is in fact a sale rather than a license. For example, the purchaser commonly obtains a single copy of the software, with documentation, for a single price, which the purchaser pays at the time of the transaction, and which constitutes the entire payment for the "license." The license runs for an indefinite term without provisions for renewal. In light of these indicia, many courts and commentators conclude that a "shrinkwrap license" transaction is a sale of goods rather than a license."

"...Ownership of a copy should be determined based on the actual character, rather than the label, of the transaction by which the user obtained possession. Merely labeling a transaction as a lease or license does not control. If a transaction involves a single payment giving the buyer an unlimited period in which it has a right to possession, the transaction is a sale."

"Raymond Nimmer, The Law of Computer Technology 1.18[1] p. 1-103 (1992). The Court agrees that a single payment for a perpetual transfer of possession is, in reality, a sale of personal proper and therefore transfers ownership of that property, the copy of the software. "

So, at least in the US, a one-time payment for a perpetual use of software is a SALE, regardless of what you call it, and rightfully so. They can't change that with a EULA any more than a car dealership could claim you had a one-time lease payment, with a lifetime use period and the right to transfer the lease for free (thus avoiding legal regulations with regards to sale of vehicles). Any reasonable court would rule that such was a sale, not a lease. What you call it doesn't matter.

Re:Attacker??

[drinkypoo]

the Xbox360 will only use hard drives that have a Microsoft PNG logo stored in a certain location on them. For someone trying to boot Linux off the hard drive, in addition to the technical hurdles of hacking the OS they also have to wrestle with trademark infringement.

Negative. Courts have already ruled this is OK. IIRC it was a case dealing with the Sega Genesis, which had to have a sega copyright notice in the ROM to play the game. They ruled that you could put that notice in there legally because it was required for interoperability.

Re:That's Because...

[TubeSteak]

Oct 31, 2006 - release of 4532 kernel, which is the first version
containing the bug
Nov 16, 2006 - proof of concept completed; unsigned code running in
hypervisor context
Nov 30, 2006 - release of 4548 kernel, bug still not fixed
Dec 15, 2006 - first attempt to contact vendor to report bug
Dec 30, 2006 - public demonstration
Jan 03, 2007 - vendor contact established, full details disclosed
Jan 09, 2007 - vendor releases patch
Feb 28, 2007 - full public release
Patch Development Time (In Days): 6

Does MS force updates for things like this?

Ironically, I might buy one now

[sdo1]

I've been looking to upgrade my media streamer capabilities and the original XBOX can run Xbox Media Center (http://www.xboxmediacenter.com/). I wonder if this means that a 360 version with HD streaming might be forthcoming? I hope so. I've been avoiding getting one because how locked down it is.

-S

Re:Ironically, I might buy one now

[Osty]

I've been looking to upgrade my media streamer capabilities and the original XBOX can run Xbox Media Center (http://www.xboxmediacenter.com/). I wonder if this means that a 360 version with HD streaming might be forthcoming? I hope so. I've been avoiding getting one because how locked down it is.

You do realize that the 360 can act as a Media Center Extender for Windows XP Media Center 2005 and Vista, right? Also, the 360 can stream music and (with the Fall 06 patch) videos from any "compatible" UPnP media server (technically only Windows Media Connect and WMP11 are supported, but there are apps to do the same on OS X and Linux since all the MSFT apps are really doing is acting as a UPnP media server). Yes, there are codec limitations, but you can transcode on the fly easily enough if you have a powerful enough server.

It just seems weird to me that your killer app is media streaming, but you won't buy a 360 that does that out of the box (or close enough, with the Update). Similarly, if you wanted to develop homebrew games the 360 can already do that with XNA. It has some growing to do still, but expect big things from XNA in the coming months/years. Why would you wait until there's a hack to do that when you could build supported homebrew games already?

Re:Sweet

[JebusIsLord]

Weird... i'm using mine for exactly that, and without any hacks! (Yes, it does have to work as an extender, but anyone who isn't impressed by Windows Media Center hasn't used it yet. No I'm not an astroturfer).

The 360 is easily the most exciting console I've owned since the PSX, given all it can do. I don't even have cable hooked up to my 1080p TV - its basically just a monitor for my 360.

No, I guess this wasn't a very informative post... i mostly just wanted to give MS props for doing at least something right. You know; compliment before you criticize.

Re:That's Because...

[Kalriath]

Does MS force updates for things like this? Yes. As soon as your XB360 attempts to connect to Live (which even without you paying, it will do if you signed up for it) it will demand you update or it will disconnect you (which with Live-connected dashboard accounts signs you out of your local XB360 profile too)

How Useless.

[Rdickinson]

"Bug was fixed in version 4552 (released Jan 09, 2007 - not a
Patch Tuesday)."

Fixed already for most people , anyone who's connected to xbox live.

I'm not sure why there still protecting the system like they are though, 'backup' games are already rife due to hacked DVD rom firmware (which they seem to be unable to back fix), so why not let it run arbitary code, didnt hurt the xbox 1?

Re:How Useless.

They need content providers to trust the platform.

Re:How Useless.

[Sycraft-fu]

While I'm sure there are also more draconian reasons, a simple one is cheat prevention. Cheating is always a big problem with online games since you end up having to trust the client to some degree to get reasonable performance. It's a nice idea that everything would e done server side, but you find that the latency and bandwidth of normal Internet connections make such a thing unworkable.

Well, one thing that sure as hell makes cheating hard is requiring signed code and not allowing it to be modified. Have a hell of a time getting around that.

I have a couple friends who are both PC and console gamers and one thing they say they really like about shooters on their 360 is the absence of cheaters. On the PC it seems to be a game of cat and mouse. The cheaters find a way to screw with things, the anti-cheat software is updated, they find a way around that, etc. I remember back in the Quake 2 days it was just continuous. You'd get jerks with the latest, greatest aimbot, then the servers would update the anti-cheat, they'd all disappear, until the next one came out.

Re:How Useless.

[Osty]

Yes they make money on sales - 360 costs about what it sells for now, xbox1 was always a looser(financialy also..:P) - sales they make money on are games, add ons (controlers etc) and live stuff.

That's "loser". And the original Xbox was expected to lose money. It was a mostly-off-the-shelf console built quite quickly (approximately a year from initial design to ship, compared to the 360 that was in design for 3+ years before shipping) in an attempt to break into the market following the Sony-style loss-leader method.

The 360, on the other hand, was designed as a purpose-built console, with contracts in place to allow Microsoft to own the IP of the chips, thus allowing them the opportunity to farm out chip manufacture to lower cost partners, or even consolidate chips at a later date. While it's unclear whether or not the 360 is currently breaking even or making a profit on console sales, it's safe to say that this will happen eventually, and probably sooner than later.

The 360 is [i]already[/i] compromised in its chief money making area, new games, you can play illigal copies with hacked DVD roms, this should have been the primary area of security, but as normal what security is left only hurts the law abiding people (no multie region dvd player, no linux, no arbitary homebrew etc).

Except that hacked consoles are detectable on Live and can be blocked from participating in online gameplay as well as access to the Marketplace (no updates for games, no demos or trailers, no XBLA access, etc). Xbox 360's biggest draw is the pervasive support of Xbox Live. Halo 2 is still selling very well today, over two years later, due to its Live support. Games like Gears of War or Crackdown are fun in single player but are even better when you can team up with a friend and play co-op. Some small percentage of people may be willing to trade off Live support in order to get free games. The bread-and-butter core market isn't going to go there.

From the article...

[non0score]

Sadly, unless you haven't updated your machine in the last two months, this wouldn't matter as MS has already patched it. As for those of you with an "unpatched" kernel, let's just say this is like v1.5 PSPs.

Timelines for Vulnerability Fixes

[lmnfrs]

Timeline:
..
Jan 03, 2007 - vendor contact established, full details disclosed
Jan 09, 2007 - vendor releases patch
..
Patch Development Time (In Days): 6

Interesting to compare timelines affecting Microsoft's users to timelines affecting Microsoft's control schemes.

Re:Timelines for Vulnerability Fixes

[Ent]

I imagine the quick response had more to do with a smaller test/compatibility matrix than anything else.

Re:Sweet

[SP33doh]

under $400?

you have to pay extra for the HD dvd drive...

It's a joke. LAUGH!

[Ungrounded+Lightning]

Wait. Don't you mean this allows an Xbox 360 user to run arbitrary code such as alternative operating systems with full privileges and full hardware access on the machine they rightfully own ?

It's a joke!

The guy who caught the bug is using techie humor in perfect hacker tradition. He's pretending to take things utterly literally and following them to a redicuilous extreme.

In this case he's doing it by publishing a report of how to crack an Xbox and run an arbitrary OS on it - with complete details on how to replicate it - as a bug report. And he went through the entire procedure:
  - Identify and diagnose the problem.
  - Build a proof-of-concept test.
  - Check it against the latest release (and find the bug still there).
  - Notify the vendor (who ignores the report, as usual).
  - Give him time to respond (which he doesn't).
  - Give a public demonstration.
  - Respond in friendly fashion to the vendor-initiated contact (after the public demo lights a fire), giving him the details of the proof-of-concept.
  - Give the vendor some time to generate and publish a patch.
  - Publish the complete details of the exploit.
He did this just as if it were a bug, rather than a "feature".

Now there is "improved" firmware that fixes the hole. And the complete details are out there. If anybody who actually owns an Xbox who doesn't want to "fix" the "bug" and leaves his firmware backdated, so he can "be exploited by himself" by loading Linux, *BSD, or whatever on his own Xbox, well, that's what he gets for not staying up to date on patch levels.

ROTFLMAO!

Meanwhile the "anonymous hacker" has published (on Bugtraq no less) complete details of how to crack the Xbox (with a backdated firmware load) and run an arbitrary OS on it with full privileges. Yet when it comes to the DMCA he's squeaky-clean. The MAFIAAs and Microsoft have absolutely no claim against him if anybody out there happens to "exploit himself" and use this "bug" to break their "trusted" computing platform.

But there's one thing I don't understand:

Why didn't samzenpus use "The Foot" when he approved this article? B-)

Now the MS console

[blahpony]

will run Linux? Man, the Sony PR people just can't seem to get a break. ;)

Blue Pill time.

[Ungrounded+Lightning]

Does MS force updates for things like this?

Yes. As soon as your XB360 attempts to connect to Live (which even without you paying, it will do if you signed up for it) it will demand you update or it will disconnect you (which with Live-connected dashboard accounts signs you out of your local XB360 profile too)

Any bets on whether code running in hypervisor mode can create a virtual machine environment where the updated Microsoft code can think it's running the show when it's actually king of a sandbox?

Re:Blue Pill time.

You realize you can get Linux for the PS3 right? So if you just wanted a Cell processor to play with you don't have to go the MSFT route. Huh? You *can't* go the MSFT route, the Xbox 360 processor *isn't* a Cell.

Re:Blue Pill time.

[hjf]

you don't have to go the MSFT route.

So you don't like to buy products from a monopoly, but you do like to support a corporation that install rootkits, abuses copyright, etc? You, sir, are an idiot.

Re:now i've got a reason too buy a 360

[tlhIngan]

No. The PS3 also uses a hypervisor to keep Linux out of things Sony doesn't want you to touch. They allow basic framebuffer access, including direct YUV video modes at all of the popular HD resolutions. But 3D is reserved for PS3 games who pay their percentage to Sony. Hard drive access is also regulated to keep Linux inside the portion of the drive reserved for it.

Yes, we really need a crack for the PS3's hypervisor. I believe it's similar to VMWare - Linux on the PS3 runs under a highly virtualized environment - not only can Linux not access the RSX, but it can only touch the stuff Sony wants touched (e.g., no wifi). The Linux partitioning is transparent to Linux (i.e., you can't access the "Game OS Partition" - Linux just sees its partition as a blank disk), and the hypervisor presents incomplete SCSI emulation of the 6 storage devices (hard disk, 4MB of flash memory, blu-ray drive, SD, CF and memory stick slots).

The emulation is so incomplete, if you have a bad block somewhere, the hypervisor returns an I/O error without reporting a media error. Makes for interesting times when your filesystem suddenly goes read-only for no apparent reason (you don't get anything logged other than "I/O Error" and "Filesystem is read-only", no media sense errors...). I think this is testing codepaths in Linux that really couldn't be tested since the errors they handled would be caught earlier...

The things that the hypervisor doesn't let you do:
* RSX access, obviously
* WiFi adapter
* Full access to Blu-Ray drive
* Full hard drive access
* Full configuration flash access
* Access to the EE/GS hardware

If you want fun, you can boot into Linux without formatting the hard drive - the hard drive doesn't appear at all.

Re:Modchips?

[romland]

Yes, absolutely. But there are some things that need to be dealt with first, one being how to prevent the efuse from being blown (prevents kernel from being downgraded).

Isn't it all a bit self defeating?

[cliffski]

Forgive my ignorance, but as I understand it, consoles have all this security stuff on them to stop this, because they do not *want* to be used as general purpose computers, partly because the things are subsidised on sale, and the shortfall recouped by games sales?
If that's true, then an all-out war to hack the things will eventually ,lead to console maufacturers giving up.
At which point the price of the next gen of consoles will probably double, as they will be sold at true cost.
Who wants that?

Re:It's a joke. LAUGH!

[Captain+Zep]

> mine is slim and almost impossible to see

I'm sorry to hear that.

Have you tried attaching a flag to aid visibility?

Z.

Re:Yet another reason for better prog languages

[Cheesey]

Actually the system call handler was probably written in PPC assembly. The system call handler is an interrupt service routine: it does the following jobs -

1. Save user mode registers (context switch).
2. Manipulate special purpose registers, e.g. re-enable interrupts.
3. Jump to system call service routine, based on the system call number passed as a parameter. This is where the bug was found - the jump destination was being computed incorrectly.
4. Restore registers.
5. Return to user code.

Even C is too high-level to do most of these operations. Standard C does not allow you to manipulate low-level registers. So assembly is used.

If you are interested, you can find the Linux system call handler for x86 systems in arch/i386/entry.S.

Audio is transcoded automatically

[Kerre]

Even though the 360 only plays WMV and MPEG2 video, audio gets transcoded automatically if you use the 360 an extender. Most of my music is stored as LAME encoded 192/256 kb VBR MP3's and the 360 in the living room plays them just fine. I don't know what the media extender software does internally - you probably do lose some quality as the XP or MCE pc transcodes your music on-the-fly. Video can be transcoded using other apps like Transcode360: http://www.runtime360.com/ I haven't tried this myself though.

Re:oblig

[jedidiah]

This thing is small, quiet and not-ugly. This is something you won't get in a $400 that you just slapped together. Every component in a PC is priced such that you get quickly diminishing returns for any component that doesn't need to be state of the art. So, you end up wasting money on parts that are bigger or more powerful than you may need.

Then you're stuck cooling it all and trying to keep the result quiet.

Then there's the whole "ugly" thing.