Keeping Secrets in Hardware: Xbox Case Study 317
BS405397 writes "Here is the just released MIT whitepaper on the security holes in the MS X-Box, and for those who are interested, opens up the X-Box pretty nicely." Update: 06/04 17:13 GMT by M : The server appears to be down at the moment. There is a copy of the paper mirrored here. Reuters and other news outlets have now picked up the story, two days after Slashdot.
DMCA... (Score:2, Interesting)
Re:DMCA... (Score:5, Funny)
Doesn't everything?
Re:DMCA... (Score:2)
Doesn't everything?
No. Chewing bubblegum doesn't.
Ummm, I don't think.
Uhhhh...
Crap. I'll check with my lawyer and get back to you...
-
Re:DMCA... (Score:1)
No, it's legal (Score:5, Informative)
Reverse engineering is legal under most circumstances. Prohibiting it would create a new form of intellectual property, which, unlike patents, would not have to be disclosed. Trade secrets are limited in scope; trade secret law is mostly about disclosure by people authorized to know the trade secret.
Re:No, it's legal (Score:3, Insightful)
Re:DMCA... (Score:4, Insightful)
Updates? (Score:2)
Slashdotted (Score:1)
Mirror and guys website (Score:5, Informative)
He also has an alternative link [mit.edu] to the paper.
Security holes? In a Microsoft product? (Score:5, Funny)
Re:Security holes? In a Microsoft product? (Score:5, Funny)
Re:You'd like to THINK that, wouldn't you? (Score:2)
Re:Security holes? In a Microsoft product? (Score:2)
well (Score:3, Insightful)
it's just his take on where the security could have been improved. all in all MS looks to have relied on the security through obscurity approach (hiding the true boot loader behind a dummy boot loader), just that their obscurity fails when you monitor traffic over a bus with a simple card.
PS: dreamcasts and playstations have always been hackable, as is the xbox, no real surprise there.
Re:well (Score:2)
Is that what MS uses to load its software? So you get a boat load of bloat... But this is hardly a secret.
Re:well (Score:5, Funny)
This was obviously a typo. I think he meant to say: secret bloat loader.
Re:Security holes? In a Microsoft product? (Score:2)
With Microsoft's permission (Score:5, Informative)
I quote from a posting [siliconice.net] to XBOXHACKER [xboxhacker.net] that quotes "I did the work in february, but it took about three months to get it positioned and cleared with both MIT and Microsoft."
I guess that means the DMCA was not violated although the posting mentions that Microsoft intend on addressing these 'holes' in future revisions of XBOX hardware.
More from author on MSFT (Score:4, Informative)
"To answer some specific questions:
no, I will not publish the encryption key or the boot block. That's Microsoft copyright material, and I respect their copyright.
Microsoft is not particularly happy about the paper, but they seemed to concede that well, reverse engineering is protected by law, so there's nothing they can do about it. Let's hope they don't change their opinion...they've been known to go back on their word before. "
also, from his website [mit.edu]...
"You are actually allowed by law to reverse engineer copyrighted code so long as it is necessary to discover the ideas or functional elements behind the code (still, I'm not allowed to post copyrighted code for free distribution). Hey, microsoft...what are the ideas and functional elements behind your BIOS ROM?
Re:More from author on MSFT (Score:3, Interesting)
Re:More from author on MSFT (Score:2)
Huh? Where'd you get this from? If you can generate a key automatically then you can generate a book like Jurassic Park automatically, so that doesn't sound right to me.
(Besides, it should be short enough for fair use, anyway.)
Length is only one of the considerations to apply when deciding if something falls under fair use. Other factors might tip the scale one way or the other. Besides, I think it's more the percentage of the excerpt that matters, not the absolute length. If you publish the whole key, that's 100%, so fair use probably doesn't apply.
Re:More from author on MSFT (Score:2)
Re:More from author on MSFT (Score:2)
duh!
Intermission (Score:2, Funny)
Let's all go to the lobby,
Let's all got to the lobby,
Let's all go to the lobby...
To get ourselves a drink!
Re:Intermission (Score:2)
A lesson to be learned (Score:1, Insightful)
Re:A lesson to be learned (Score:2)
They sell that protection, along with the engine. If they said someone had figured out how to beat it, it wouldn't be worth much.
But, people have beaten it. There's a patch that makes a server not request checks from connecting clients. It was written to let anyone play but it has the side benefit of reducing that annoying lag that everyone notices when someone connects to a server.
I don't know if anyone has defeated the whole system yet, in such a way as to allow for the creation of a new serial number that is valid, or appears valid. It's fairly likely though, because you could either generate the rest of the numbers (possible if they weren't careful to hash them after generation and used a less than wonderful PRNG) or crack the key server and grab the master list. Or likely one of a few other ways.
Would id even be able to detect this, if it was used by a small (1000-5000) number of people. They get a duplicate-key message all the time, when someone connects to a server, disconnects, and joins another. And I know people who succesfully use one key on multiple computers. As long as they join a server a few minutes apart they're fine, supposedly even on the same server.
But in the end, the system is weak in the worst way. It's VERY easy to DoS it out of service and when the server isn't reachable they servers prevent anyone, anywhere, from playing, instead of allowing everyone. Would you buy a game that would refuse to let you play based on something a master server said? I wouldn't. I've played Q3 a few times at LANs, but I'll never spend money on, or even install, a game that I don't have control over.
Better Ways to Hack it?! (Score:3, Interesting)
And I don't meant the usual Playstation-like hacking. I couldn't care less about not having to pay for games...
What I can't wait for are things like a DiVX player (DivX movies on TV!), Linux -> and with it all those wonderful applications, DVD Movies without the hardware adapter, etc. and all of this for only 200 bucks!
Many Dreamcasts were sold because of their hacking potential...just imagine what an X-Box is capable of! This, more than any reason, is why I'm hoping the X-Box pulls through and "makes it" among the video game platforms...
Re:Better Ways to Hack it?! (Score:2)
Re:Better Ways to Hack it?! (Score:2)
Your computer can already play Divx 3, 4, and 5, as well as play mp3s and MAME roms.
Its just wasteful to go and buy a whole other set for mere convenience.
Besides, you know the software on your computer will work, and I doubt you would want to have to apply numerous M$ 'patches' to get a simple Divx player to work right.
This is what I do;
$200? Heh.
More like $20.
Too bad about the GameCube though, that thing is SO tiny it is amazing, I thought the carrying handle was just for kicks but nope, it is definitely fully functional! Ah, definitely not hackable though, unless somebody finds some way to get it to read minicds or such. ^_^
Re:A little ironic, but... (Score:2)
Well, for $400, you can get a Playstation 2 with hard drive, mouse, keyboard, ethernet, and an adapter to work with SOME vga monitors, and a copy of ps2linux. http://www.playstation2-linux.com/
Mirror (Score:1, Funny)
XBOX probing... (Score:1, Interesting)
It is about searching for magic numbers
Very intresting read!
Bye!
Did somebody say "trustworthy computing"? (Score:1)
Re:Did somebody say "trustworthy computing"? (Score:2)
MIT slashdotted? (Score:2)
Mirror: (Score:4, Informative)
Just in case the guy's web server goes down too...
for those that cant read PDF... (Score:2)
here is a link to convert the paper to HTML
http://access.adobe.com/simple_form.html [adobe.com]
Plenty of people. (Score:2)
The real question to ask, I think, is "who can't read HTML?" Why do people use bloated formats like PDF anyway, to publish things on the WEB? There are those who say HTML doesn't give you as much control over the resulting look & feel of a paper. Thats simply not true, although it may be true that the HTML creation code in MS Word or Frontpage has such limitations.
Re:Plenty of people. (Score:3, Informative)
So, if you don't like the new version of Acrobat Reader, use an old version. If you don't like that, use a different app. I'm not sure what's available on Windows, but Preview on Mac OS X can read PDFs, and I know I've got something other than Acrobat Reader on Linux that can (I have Acrobat Reader too).
The real question to ask, I think, is "who can't read HTML?" Why do people use bloated formats like PDF anyway, to publish things on the WEB? There are those who say HTML doesn't give you as much control over the resulting look & feel of a paper. Thats simply not true, although it may be true that the HTML creation code in MS Word or Frontpage has such limitations.
Of course it's true - HTML was never intended to give ANY control over the resulting look and feel, and all attempts to do so are hacks that may or may not work depending on the browser. Sure, HTML is great, but on this point you're mistaken. HTML generated by Word or Frontpage is crap, though.
Note that PDF is an open , documented, standard file format [adobe.com] that anyone can use. Adobe does have some patents on it, but read their royalty-free licenses [adobe.com].
Re:Plenty of people. (Score:3, Informative)
I do not boycott individual products, but the companies who prove their non-trustworthiness by practicing such machinations. As for the file format itself, I could use xpdf or gnome-gv or something like that, but its still inconvenient, and contrary to the philosophy of the web itself.
Of course it's true - HTML was never intended to give ANY control over the resulting look and feel, and all attempts to do so are hacks that may or may not work depending on the browser. Sure, HTML is great, but on this point you're mistaken. HTML generated by Word or Frontpage is crap, though.
The point of HTML is to "mark up" the content such that a user's browser can make it look good in their environment. It places fewer hard restrictions on graphic capabilities, screen/font size and such. So, in that respect, I can see your point - with PDF files, you know exactly what you're getting. Thats why I wouldn't mind printing documents from PDF, because paper sizes and printer fonts are also fairly standard. (for particular target audiences, that is - printing a "letter" PDF on A4 paper (or vice-versa) is less efficient.)
The whole point of HTML runs contrary to this - it allows you to specify loose rules and have your page look good regardless of what browser is being rendered on. If you set hard limits like column width in pixels, sure you can generate a page that looks crappy on any monitor than yours. But why would you? I submit HTML is a more powerful publication medium, due to the fact that its dynamic. You can't take the same PDF file and have the text rejustified to fit in a column with other content, but with HTML, such things are trivially easy. This is the kind of control HTML gives you, and how I feel it should be wielded. TeX has similarly desirable features, more so in fact, but is rather less deployed.
Because of this, any bad-looking HTML page is either suboptimal HTML or a buggy browser, or both. Though I think some people with buggy browsers may take offense at this =)
The point of my post was (perhaps suboptimally stated) that for web publishing, one should use the standard web markup language. I felt it needed to be stated due to the tone of the original AC post I replied to.
Modularity and excessive code... (Score:2, Funny)
The speaker at this talk also indicated that the kernel on the Xbox is a much-stripped-down Win2k derivative (from 12 MB to around 23kB).
(from their website [mit.edu])
Re:Modularity and excessive code... (Score:5, Funny)
What'd they do, remove IE?
Re:Modularity and excessive code... (Score:2)
This means... (Score:3, Funny)
Some XBox Hacking Links (Score:5, Informative)
Thumbs up? (Score:5, Funny)
I think I'd much rather he post what must've been a very entertaining conversation with a Microsoft spokesperson than the bios to the XBox.
Re:Thumbs up? (Score:4, Funny)
They're building an army of clones. You hadn't heard?
Abstract (Score:4, Insightful)
So no need to worry about DDoS or lost savegames. This is about playing unauthorized games, making a DiVX player etc.
Re:Abstract (Score:2)
Correct. And when did this become a "security hole" - oh, it makes people bash MS. Nevermind, carry on.
Re:Abstract (Score:2)
Re:Abstract (Score:2)
Naturally stuff like this will undoubtedly pave the way for "X-Box" demo's within the demo scene. That would rock! (Because those guys can really do some neat stuff.)
And from his (The guy who wrote the paper.) website it's clear that he has contacted Microsoft and he has been given a go ahead on publishing the paper. So it's unlikely that it will be "foxed" at least at this stage.
very interesting (Score:5, Insightful)
I read that article and found it very interesting. It seems there's always a weakness in any security system, and a clever person with time on their hands can find it.
But then it hits me: this "security" is to keep THE OWNER, the PAYING CUSTOMER, out of the product he bought. This "security" doesn't protect my family, me, or my possessions from absolutely anything. It serves no purpose except to make work for somebody at Microsoft and then somebody at MIT. If they left it out, they'd save both parties a lot of effort. I'm sure someone will build on this article and figure out how to easily run arbitrary code on the Xbox, and so the security will be a total waste. So why is it there?
not quite (Score:5, Interesting)
and to keep developers from building their own executables without real dev kits (and depriving ms of royalties)
and it keeps game hack systems out - like the gameshark and the codebreaker like devices from running.
And before you bitch and moan about MS being a bunch of bastards - almost every game system that ever came along has had some system to keep developers, hackers, and users from explointing the technology inside. Even Atari was that way - mostly through Atari not releasing all the specs for programming it so their games could look better in comparision - and they sued the first company who dared defy them (I think it was sierra).
Site back up (Score:2, Informative)
Not there yet (Score:5, Interesting)
He now understands the boot process, and can mess with it via hardware mods. But he has only the decryption key, which is the public key of the pair. To make a bootable disc, you need the encrypting (private) key, which is nowhere in the XBox. That key probably exists only in a vault in Redmond.
I don't really care all that much about the XBox, but if the RIAA and MPAA have their way, all audio and video equipment will be protected like this.
Re:Not there yet (Score:3, Insightful)
1. The bootloader and kernel are stored in flash.
2. The bootloader is RC-4 encrypted (symmetric, not public/private keypair)
3. The flash can be reprogrammed either by desoldering the flash, like bunny did, or by using what he calls a "bed-of-nails" jig. (I assume this is merely contact points to connect the test points on the board).
The RC-4 key is now known, so it appears to me that a custom bootloader (and kernel) can be flashed on the box that will allow unsigned code to run without soldering or expensive equipment.
Probably the path that will be taken is that a booting linux kernel will be developed using the mod chips that are reported to be on the way, then, once drivers and an xbox kernel are developed, a bootloader will be written to boot it directly off CD-R/RW or HDD. Supposedly the xbox is kinda flakey about reading CR-R's, but DVD+RW won't present a problem.
I wouldn't be surprised to see a bootloader that would either boot into the xbox or off an untrusted CD or DVD.
I expect to see a cheap and easy kit for booting linux on xbox in less than six months. Console DivX/MP3/Mame player, here we come!
Re:Not there yet (Score:2)
You have it backwards. The private key decrypts.. the public key encrypts. He has the private key. And you can derive the public key from the private key.
It is NOT public key (Score:2, Insightful)
You have it backwards.
No, you have it all wrong. The Xbox encrypts the flash with RSA's RC4 symmetric cipher (i.e. not a public key cipher). The remainder of this post is (strictly) off-topic because the Xbox boot process does not use public-key encryption.
The private key decrypts.. the public key encrypts.
In a public-key secrecy scheme, you're correct. But in a public-key authentication scheme, the private key encrypts the hash into a signature, and the public key decrypts the signature for comparison with the hash.
He has the private key. And you can derive the public key from the private key.
No, you can't do that in (for example) RSA.
Why the security on a game console? (Score:3, Interesting)
I used to believe the old saw that compared game consoles to razors; lose money on the console, make up for it on the games. But I read something recently which seemed (to me) to prove that everyone except M$ was making money on consoles too. So although it might make sense for M$ to prevent hacking for use as other than a game console, why would others do so?
Is it to prevent people from playing ill-gotten copies of games?
Is it to prevent cheating while playing a game?
Is it to prevent reverse engineering of a game?
I guess I just don't get it!
None of the above... (Score:2)
Actually, while you're right... everyone (besides MS) does make money off their consoles... they also make a lot of money off something else: licensing. In fact, while you can make a pretty penny off your console, the main draw is that you get an even larger percentage from the license royalties off every game your console sells. You only sell one console per person. You sell lots of games.
Naturally, if everyone could write code for a console and burn their own CDs or DVDs, large game houses would have little reason to buy licensed development kits and publishing contracts with their respective console manufacturer, and thus you lose a lot of your revenue.
Interestingly enough, though, in the old days, unlicensed games happened every so often. I recall that Taito reverse-engineered the NES cartridge and put out their own games...
Re:Why the security on a game console? (Score:2)
1- To prevent piracy
2- To stop you using the system in legal ways but which do not follow their "targeted use".
#2 basically means that they sell at a loss and compensate with overpriced games. But if you want to use it as a web server, their entire "sell hardware at a loss" doesn't work anymore and they have to start charging what the equipment really costs. And then they cannot sell enough consoles and cannot dominate the market (and thus, no good games produced and never a profit).
Re:Why the security on a game console? (Score:2)
More like $450-$475 from everything I've read. Microsoft wasn't even close to breaking even when Xboxes cost $300. At $200, they're losing even more. Amortized development costs and falling hardware costs may have made the consoles a bit cheaper to make, but probably not much. The XBox console itself will never be a profit center for MS.
He's almost correct... (Score:2, Funny)
From the paper:
"...it is an error to assume that a secret, distributed along with the information it guards, is never revealed."I don't know about that. It seems to have worked for the Word file format.
Oh no! (Score:3, Funny)
Booting CDR/DVDR (Score:2, Informative)
That's why Nintendo stuck with cartridges and why they now have a non-standard format for Gamecube games. I am really surprised other console developers haven't done this.... the slight increase in costs to slow piracy is a good trade-off.
Anyone know if it would be possible to burn those mini-dvd's that Nintendo uses?
Re:Booting CDR/DVDR (Score:2, Insightful)
Sometimes, it is just easier (and arguably better) to use the standard equipment rather than have to create something totally new.
-CPM
Read this guy's project list (Score:2)
Re:Read this guy's project list (Score:3, Funny)
Re:Slashdoted already (Score:1)
Really wanted to read this. sigh.
Re:Security holes in a gaming console? (Score:1, Redundant)
Re:Security holes in a gaming console? (Score:3, Interesting)
I have two answers to this.
1) Sure. Would you want some script kiddie to delete a saved game you've spent many hours working on? While it wouldn't be the worst thing in the world, it would be frustrating.
2) Microsoft intends the XBox to be the first of a larger presence in the family home. Imagine when everything in your house runs through the XBox (or similiar device) as MS ultimately envisions. Would you want B1FF to be able to get control over your home security system? Your climate control? Banking info? I wouldn't.
Re:Security holes in a gaming console? (Score:2)
Re:Security holes in a gaming console? (Score:2)
This entire article is a troll! (in a way...) (Score:4, Interesting)
Meanwhile I'm reading posts from people who are nearly soiling themselves afraid to plug their XBox into a network for fear of being r00ted. What a joke. I bet when michael saw the words "XBox" and 'security hole' in the same sentence, he became so excited and nervous that he could hardly move his finger to click the button on the mouse. Sheesh.
In other news, ... (Score:3, Funny)
Re:Security holes in a gaming console? (Score:2, Insightful)
It never has been, because:
a) Most systems only kept data related to the game in a very limited space. (On a memory card say or a cartridge its self in the past) - the X-Box is fitted with a hard drive, so there is access to alot of data beyond the scope of individual games since all the data is likely to be in one place.
b) Once you hook something up to the internet, (Which the X-Box plans to do, or at least a network of some kind) then it opens the door to the data stored on your system. This also means that as well as game data, users are likely to at the very least have emails stored on their systems.
Re:Security holes in a gaming console? (Score:2)
A lot of the security features talk about rom encryption, flashing it with a new bios, accessing the hard drives, etc. All of these thing make it more difficult to turn it into a cheap PC, and supports my theory as stated above.
X-Box unit loss not major (Score:2)
It might not be as much as you think.Microsoft recently told shareholders that the X-Box was just only losing 20% of what Sony was initially losing on the PS2. A friend put that to end up somewhere in the $20-$30 range. ...And the SEC tends to get a bit grumpy with companies that mislead investors...
Re:X-Box unit loss not major (Score:2)
Well, my friends are usually very up on their gaming info, take going to E3 very seriously, have PS2, X-Box, GameCube, PS2 Linux kit, etc. They were doing all their stats carefully, etc. Part of it is probably due to Microsoft planing things, leveraging component manufacturers against each other, and moving production from Mexico to China [flextronics.com] (Aside from having to move their plants to China, Flextronics is getting squezed out of being the exclusive manufacturer).
Of course, there's always the Microsoft mastery of double-speak wich might involve several linguists and legal experts poring over the actual MS statements just to be sure...
Re:Security holes in a gaming console? (Score:2, Insightful)
Security is a huge issue in gaming consoles, particularly as they become similar in capability and more competitve with each other.
It's widely agreed that the making or breaking point for any console is the software library available for it. Console makers therefore spend a lot of time, money and effort attempting to win over software developers to their platform.
And regardless of how enticing an offer the developer receives, developers need to sell software to stay in business. The main advantage of the console market (as opposed to the PC gaming market) is that the platforms are closed and proprietary, and (ideally) make piracy virtually impossible without modifying the hardware. The main problem with the security holes isn't that malicious users can compromise a user's data; the problem is that even casual users will be able to pirate games.
This prospect scares the living hell out of developers, and rightfully so. Witness the demise of the Sega Dreamcast, which occurred a surprisingly short time after someone figured out how to boot CD-R's on the console.
The bottom line is that developers won't produce for a platform that facilitates piracy. That is very bad news for Microsoft, particularly in light of their bleeding money out of each console they sell.
Re:Security holes in a gaming console? (Score:2)
This prospect scares the living hell out of developers, and rightfully so. Witness the demise of the Sega Dreamcast, which occurred a surprisingly short time after someone figured out how to boot CD-R's on the console.
Unrelated. Think of, say, the mod chip for PSX. Sega had other problems.
Re:Security holes in a gaming console? (Score:2)
Gimme a break. You can get it done on a street corner for 20 bucks cash. I don't know a single person with a Playstation who hasn't gotten a mod chip.
Re:Security holes in a gaming console? (Score:2, Insightful)
> issue in gaming consoles.
Security has it's place in THIS gaming console
a) it's intended to be connected to the internet
b) it has a HDD
imagine someone writes a nice virus/worm with evil intentions (e.g. download a tiny linux distro, and then take over your XBox , store child pronography on you HDD or start a DOS on www.microsoft.com
Re:Security holes in a gaming console? (Score:2)
Re:it's a console (Score:2, Insightful)
Second, it should be obvious to anyone with 2 working braincells that the security problem facing the XBox is not network security but instead security against the local user. Particularlly, preventing them from booting non-approved software.
Re:it's a console (Score:2)
XBox != console. XBox == hobbled PC (Score:2)
Basically it's a PC with these specs:
733MHz Celeron
64MB PC100 RAM
GeForce 2.5...halfway between GeForce 2MX and 3.
8GB HD.
cheap 10/100 base T NIC
non-standard USB (based on 1.1 spec) connections for controllers.
However, for all the efforts to try to hax0r the XBox...and I wish them all well...they are going to have to find a way to make a keyboard work with it. With the tweaked non-standard USB it's not gonna be easy.
XBox keyboard: pigs do fly, apparently. (Score:2)
http://www.xbox-scene.com/xbox1data/news-archive-1 7-3-2002.php [xbox-scene.com]
Interact is putting this out. News bite is buried almost at the bottom of the page.
Re:Lame and Dumb (Score:5, Informative)
It's not a gaming system. It's a computer that's been artificially limited to gaming. People want to break into it to remove those limitations, so they can have a very cheap, fairly powerful and flexible computer system.
The article -- the whole console hacking phenomenon -- is not about people breaking into your Xbox of ther internet. If you had read the article, you would have seen that it's about hacking the box to be able to boot custom code. There's no question of "reinstalling a few games" unless someone breaks into your house, reprograms the flash ROM in your Xbox, and turns it into a Linux machine.
-b
Re:Lame and Dumb (Score:2)
Let's face it, who could resist the idea of getting a cool computer while at the same time losing Microsoft money? It's a fab idea!
Re:Lame and Dumb (Score:2)
Yeah, but microsoft only makes money on the games / online service. Mircosoft may hype the sales, but gaming companies are still going to notice that the software isn't selling.
-
Re:Lame and Dumb (Score:2)
I disagree, I expect that if every slashdotter and their dog boycotted it still wouldn't make a dent in the sales figures. Most people couldn't give a shit about whether MS has a monopoly or not, these pwople will buy the xbox if they see it can run shiny new games.
Game producers will jump on the xbox bandwagon when they see the sales figures for the current games, not the sales figures for the xbox. Personally I'd pick up a few xboxes if they could run linux, turn them into a dvd/divx/mp3 player, whatever I felt like at the time. Come to think of it my dad needs a new PC, he's still got a P100
Re:Cool (Score:5, Informative)
Does this mean I can hack into .. and upload a patch to display ... characters as completely nude, full-figured women?
No, but it does mean you can fabricate a little circuit board and solder it to tiny wires on the xbox, connect that to a FPGA and custom-program the FPGA to implement data collecting hardware (including a lot of hand-layout effort to make the FPGA able to collect at 200 MHz). It means you can implement a little state machine also in the FPGA to begin collecting at the right time, ignore a false reset pulse, and tag all collected data with sequence numbers of how many clock cycles elapsed between each data transfer and the CPU reset.
It also means you can spend a lot of time to do statistical analysis on the data and compare to patterns from the flash rom (which you presumably already extracted and read with your EPROM programmer). It means that once you've at least figured out which wires were which bits, you can begin wading through millions of data transfers and try to reconstruct an image of the code the CPU executed.
It means you can disassemble that code (remember, found from analyzing millions of bus transfers) and recognize that it implements RC-4 decryption. It means you can write a "brute force" attack to guess all possible 16-byte patters from the image you extracted and see if any of them decrypts the flash rom data to something other than white noise.
It means that, after all that, you have the algorithm and key used to decrypt the bootloader in the flash rom... and then you can write your own bootloader (by extracting the flash rom chip and changing its contents with an EPROM programmer) and make the xbox run your own code.
The author did mention that Microsoft put test points on the board to access the flash rom, so instead of physically removing the flash rom, you could build a "bed-of-nails" test fixture that you'd just place the xbox circuit board into to reprogram the flash rom (don't forget to design your own EPROM programmer in this process).
But as others have pointed out, the author has been in contact with Microsoft and they are aware of the problem, and they intend to fix it in future revisions to the xbox hardware.
So if you wanna pop up nudie pictures in the middle of someone's game, you'd better get started soldering now. Even after you do all this, you'd barely have your foot in the door. You'll need to do a massive reverse engineering job on the bootloader, and then the rest of the flash rom (which is presumably part of the win2k closed-source kernel). Somewhere along the way, you'll learn about the xbox hardware and MAYBE find a game-independent way to overlay some graphics on the screen. Maybe you'll even find some exploits in the kernel itself, maybe?
But to start, you MUST pull the flash rom chip and reprogram it with your own code. Better hurry before Microsoft changes the secret bootloader or even the hardware itself, now that they know of the weakness.
Re:Cool (Score:2, Funny)
You kinda miss the point. (Score:2)
Hopefully, you are a long way from wanting to do such a thing. For $100 or so, you can have a nice Athlon mobo with a 700MHz processor. Buying a used system would be even cheaper. Of course, any other option would be much less encumbered by silly things M$ likes to put on junk, like the serial number he found.
The point is that stupid M$ and others are working to make hardware that the user has no control over but fail. It's just another proof that Senator Holling's wet dream of control of all digital devices can only be implimented by foolish laws. Inailienable rights are those which require vast expendatures to violate.
Re: (Score:3, Interesting)
Re:This is great... (Score:2)
Why? Because Microsoft looses money on each sale.
I am confident that there will be a mod-chip for the
X-Box long before they are worth less than the $200
I paid for them.
Re:Fluffi Bunni? (Score:2)