
Security Attacks to Run Your Code on the Xbox


written by Michael Steil, 2 May 2002 (Updated 1 July 2002)

The Xbox designers took great care to prevent non-licensed and non-game software from running on the console, since Microsoft sells the machine for less than its components cost and can only make money by selling games. Of course they don't want people to buy Xboxes and run Linux on them. This document points out some possible attacks on Xbox security.

Of course it is not enough to find a security hole - the hole also has to be hard or impossible to fix, so that a hack keeps working on future versions of the Xbox, too.

Replace the ROM

The Xbox contains a 1 MB ROM chip, which can be replaced if you have very good soldering skills. The chip contains four identical copies of the 256 KB software: the startup animation and the Xbox kernel. Apparently the encrypted ROM contents are decrypted by hardware (although there is some plain-text decryption code in the ROM, which never gets run).

Chances: Replacing the kernel in ROM would make it possible to run anything, for instance by loading other software from the hard disk, but replacing the chip is a lot of work and the encryption still has to be worked out.

Possible fixes: Microsoft can change the ROM encryption in future versions and integrate the ROM into custom chips (as done on the GameCube).

Replace the Main Program on Hard Disk

After initialization, if there is no game in the DVD drive, the kernel loads xboxdash.xbe from the hard disk into memory; this program starts the audio player, the DVD player or, if there is no disc in the drive, the "Dashboard" main menu.

Chances: Modifying this program could make it possible to run our code, but xboxdash.xbe is signed with a 1024-bit key, so the kernel would need to have a bug somewhere for a modified copy to be accepted.

Possible fixes: Microsoft can start shipping new Xboxes with a fixed kernel.

Replace Components of the Main Program on Hard Disk

All x86 code outside xboxdash.xbe is in the file settings_adoc.xip, which (despite its name) is an XBE file, so only a faulty kernel would let us modify it. The other files on the hard disk are not signed, but they contain no x86 code.

Chances: If there is a bug in the kernel, both the main program and settings_adoc.xip can be modified, but it would make more sense to modify the main program.

Possible fixes: Fixed kernel.

Data Structures on Hard Disk

Most Internet server vulnerabilities are caused by string buffer overflows: the attacker sends over-long or malformed input to a program, which overwrites the program's own control data (such as a return address on the stack) and makes the CPU run code contained in the attacker's input.

Chances: We could either modify the FATX file system so that the kernel crashes, or modify some data in the *.xtf, *.xip and *.wav files to make xboxdash.xbe crash. Since all software on the Xbox runs in kernel mode (ring 0), a crash we control would immediately give us full control of the machine. Disassembling the kernel and xboxdash.xbe might help a lot.

Possible fixes: Microsoft could fix the kernel or xboxdash.xbe, and prevent the new kernel from accepting the old faulty xboxdash.xbe by changing the signing key the new kernel expects.

Create a Bootable Disk

Another possibility is to have our code run from a disc we supply via the DVD drive. The kernel can start software from DVDs and CDs (note that the DVD drive's laser cannot read most CD-Rs, but CD-RWs are okay).

Chances: Creating a bootable CD might be possible, but again we would need a signed executable. A faulty CD filesystem structure could make the kernel crash (putting the kernel into an infinite loop with a faulty CD has already been done).
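The two failure modes the last two sections count on (an unchecked length field from a data file that overruns a fixed buffer, and a directory structure whose "next" link never advances, so the loader spins forever) are shown below in one added example. This is demonstration code written for this page, not Xbox code and not from the article: the "DIR0" image format, the walker names, the result codes and the canary harness are all constructed for the demo and bear no relation to FATX, XIP, XTF or the Xbox CD filesystem, which the article does not describe.

```c
/*
 * Constructed directory image (hypothetical; NOT the FATX, XIP, XTF or Xbox CD
 * layout, which the article does not describe):
 *   image = "DIR0" | entry ...
 *   entry = u32 next_off (absolute offset of the next entry, 0 = last entry)
 *         | u32 name_len | name bytes          (all integers little-endian)
 */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define NAME_MAX  32     /* size of the caller's name buffer */
#define ENTRY_HDR 8
#define STEP_CAP  1000   /* demo only: lets walk_unsafe() return instead of spinning forever */

enum { WALK_OK = 0, WALK_BAD_IMAGE = -1, WALK_NAME_TOO_LONG = -2,
       WALK_NO_PROGRESS = -3, WALK_SPUN = -4 };

static uint32_t rd32(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void wr32(unsigned char *p, uint32_t v)
{
    p[0] = (unsigned char)v;         p[1] = (unsigned char)(v >> 8);
    p[2] = (unsigned char)(v >> 16); p[3] = (unsigned char)(v >> 24);
}

/* The kind of loader code the article hopes to find: name_len is trusted, so a long
 * name overruns the caller's NAME_MAX-byte buffer, and next_off is followed without
 * requiring forward progress, so an entry that links to itself never ends. */
int walk_unsafe(const unsigned char *img, size_t len, char *name, int *count)
{
    if (len < 4 || memcmp(img, "DIR0", 4) != 0) return WALK_BAD_IMAGE;
    *count = 0;
    uint32_t off = 4;
    for (int step = 0; step < STEP_CAP; step++) {
        if ((size_t)off + ENTRY_HDR > len) return WALK_BAD_IMAGE;
        uint32_t next = rd32(img + off), n = rd32(img + off + 4);
        if (n > len - off - ENTRY_HDR) return WALK_BAD_IMAGE;  /* source bounds only */
        for (uint32_t i = 0; i < n; i++)                        /* never compared to NAME_MAX */
            name[i] = (char)img[off + ENTRY_HDR + i];
        name[n] = '\0';
        (*count)++;
        if (next == 0) return WALK_OK;
        off = next;                                             /* may point backwards or at itself */
    }
    return WALK_SPUN;
}

/* Hardened version: bound the destination and insist that every link moves forward. */
int walk_safe(const unsigned char *img, size_t len, char *name, int *count)
{
    if (len < 4 || memcmp(img, "DIR0", 4) != 0) return WALK_BAD_IMAGE;
    *count = 0;
    uint32_t off = 4;
    for (;;) {
        if ((size_t)off + ENTRY_HDR > len) return WALK_BAD_IMAGE;  /* widened: no u32 wrap */
        uint32_t next = rd32(img + off), n = rd32(img + off + 4);
        if (n >= NAME_MAX) return WALK_NAME_TOO_LONG;             /* leave room for the NUL */
        if (n > len - off - ENTRY_HDR) return WALK_BAD_IMAGE;
        memcpy(name, img + off + ENTRY_HDR, n);
        name[n] = '\0';
        (*count)++;
        if (next == 0) return WALK_OK;
        if (next <= off) return WALK_NO_PROGRESS;  /* off strictly increases, so the walk terminates */
        off = next;
    }
}

/* ---- constructed image and canary harness (demo only) ---- */
typedef struct { unsigned char buf[256]; size_t len; } image_t;

/* "DIR0" followed by one entry with the given link and a name of name_len 'A's. */
static image_t make_image(uint32_t name_len, uint32_t next_off)
{
    image_t im;
    memset(&im, 0, sizeof im);
    memcpy(im.buf, "DIR0", 4);
    wr32(im.buf + 4, next_off);
    wr32(im.buf + 8, name_len);
    memset(im.buf + 12, 'A', name_len);
    im.len = 12 + name_len;
    return im;
}

typedef int (*walker_fn)(const unsigned char *, size_t, char *, int *);

/* Name buffer sits at the start of an oversized heap block with a 4-byte canary right
 * after NAME_MAX bytes, so the demo overflow stays inside the allocation and is visible. */
static int run(walker_fn walker, uint32_t name_len, uint32_t next_off, int *smashed)
{
    static const unsigned char canary[4] = { 0xde, 0xad, 0xbe, 0xef };
    image_t im = make_image(name_len, next_off);
    unsigned char *block = calloc(NAME_MAX + 4 + 128, 1);
    memcpy(block + NAME_MAX, canary, 4);
    int count = 0;
    int rc = walker(im.buf, im.len, (char *)block, &count);
    *smashed = memcmp(block + NAME_MAX, canary, 4) != 0;
    free(block);
    return rc;
}

int result_unsafe(uint32_t name_len, uint32_t next_off) { int s; return run(walk_unsafe, name_len, next_off, &s); }
int smashes_unsafe(uint32_t name_len, uint32_t next_off) { int s; run(walk_unsafe, name_len, next_off, &s); return s; }
int result_safe(uint32_t name_len, uint32_t next_off)   { int s; return run(walk_safe, name_len, next_off, &s); }
int smashes_safe(uint32_t name_len, uint32_t next_off)  { int s; run(walk_safe, name_len, next_off, &s); return s; }

int main(void)
{
    printf("unsafe, 48-byte name: rc=%d canary smashed=%d\n", result_unsafe(48, 0), smashes_unsafe(48, 0));
    printf("unsafe, self-linked:  rc=%d (WALK_SPUN)\n", result_unsafe(8, 4));
    printf("safe,   48-byte name: rc=%d canary smashed=%d\n", result_safe(48, 0), smashes_safe(48, 0));
    printf("safe,   self-linked:  rc=%d (WALK_NO_PROGRESS)\n", result_safe(8, 4));
    return 0;
}
```

On a real target the overwritten bytes past the name buffer would be a saved return address rather than a canary, and the self-linked entry would hang the kernel instead of returning WALK_SPUN; the hardened walker shows the two checks that close both holes, plus the widened arithmetic that keeps the offset checks from wrapping.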

Possible fixes: Fixed kernel and.

Replace Components of a Game

A game could store some executable code in unsigned external files, or crash on invalid data.

Chances: Although the copy protection would probably prevent us from running a signed game executable from a different CD, such an executable could become the key to starting our code as soon as it is known how to run a game binary from a different CD or from the hard disk. Using the game executable as a replacement for xboxdash.xbe is another idea. Perhaps we could change the game's cached data on the hard disk instead of creating a modified CD/DVD.

Possible fixes: Microsoft cannot change the Xbox software so that it refuses to run this game executable, because all media with this game would then have to be exchanged. But they could make the loader checksum parts of this specific game's DVD, so that the faulty game can only be executed from the unmodified DVD.

Network

Many games make use of the network connection. Faulty game software might crash on invalid data received from the network.

Chances: Just as with data on the hard disk or DVD, invalid data arriving over the network connection might let us transmit our code. Bugs found in the Windows 2000 TCP/IP stack might also be present in the Xbox software.

Possible fixes: Bugs in the kernel can be fixed, but bugs in game software are, as already said, hard to fix.

USB hardware

The infrared receiver of the DVD remote control kit, which plugs into one of the USB ports, contains some ROM.

Chances: Modifying the ROM of the infrared receiver might make it possible to execute our code. Building our own (faulty) USB device might crash xboxdash.xbe. Both approaches are complicated and expensive, though.

Possible fixes: Unclear, since it is not known how exactly the ROM works.

LPC Port

It is possible to connect LPC hardware to the 15 LPC pins on the board. Microsoft's internal version of the Xbox had a Super I/O chip with a serial port connected to it.

Chances: By connecting a device to the LPC port, we might be able to replace the ROM, or influence the Xbox kernel in some other way (the first (US) kernel version included detection routines for a Super I/O chip on the LPC bus, and routines to access the serial port, but these have since been removed).

Possible fixes: Microsoft might remove the debug pins or disable the corresponding kernel functions (they may already have).

Conclusion

There are many possible attacks. Most of them only work if there are bugs in the system software. Since Microsoft has had severe security problems with its software in the past, there might be a good chance of successfully hacking the Xbox.
