Hacking the Xbox
132 Hacking the Xbox: An Introduction to Reverse Engineering
seems like a fine idea; however, I originally (and incorrectly) assumed that the HyperTransport bus is reset only once, upon the application of power. In reality, the HyperTransport bus is reset a second time, following the jam table initialization step. Thus, when I first started looking at traces, all I saw was the encrypted data plus a smattering of code, none of which could really be lined up in any logical fashion with a boot vector.

Imagine how disappointing that was! I took a step back and observed the HyperTransport bus events on an oscilloscope with the time scale set to milliseconds per division. I observed that there was an earlier reset pulse, and after adjusting the trigger mechanism to catch only the first pulse, the boot instruction was easy to identify. The sixteen bytes at 0xFFFF.FFF0 in the secret ROM happened to be identical to the same sixteen bytes in the FLASH ROM. From that point, I tracked the current value of the program counter by performing a lot of grungy tracing and disassembling with bookkeeping, so that I could place each instruction block at the correct location in memory. Every cache line fetch consisted of 16 or 32 consecutive bytes of memory, resulting in a distinctive data logger time stamp pattern which aided the reverse engineering process. After a few hours of sifting through traces looking for cache lines, I had
More Tools of the Trade: Software Analysis Tools

Inevitably, at some point in your hacking experiences, you will come across a need to disassemble some assembly language code. I was introduced to an excellent tool for this job by some fellow software hackers in January 2002, while I was reverse engineering the Xbox security. The tool is called “IDA Pro” by Ilfak Guilfanov, sold by DataRescue Corporation (http://www.datarescue.com/idabase/). IDA Pro is capable of disassembling not only x86 code, but a huge variety of embedded processors’ code as well. The quality of IDA Pro’s output is also very high: code segments are automatically annotated and organized for readability. IDA Pro also features a vast array of useful and fun tools. Some of my favorites include the ability to automatically pattern match code library signatures to function calls, and the ability to follow jumps at the press of a key.

Another tool that was quite handy during the code analysis was HackMan. HackMan is freeware from TechnoLogismiki Corporation (http://www.technologismiki.com/hackman/). It is nominally a “hex editor,” i.e., a file editor that allows you to manipulate binary data directly, but it has a lot of unique capabilities that go far beyond simple editing. For example, HackMan has a built-in disassembler. The disassembler is not as powerful as IDA Pro, but it is interactive with the hex editor. This allowed me to rapidly test candidate cache lines for valid code while tracing through the data logs, while assembling the final binary image of the secret ROM.
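As an added illustration of the trace bookkeeping described on this page (example code written for this edition, not code from the book or its author), here is a small Python reassembler that places logged cache-line fetches at their addresses and uses refetches of the boot vector to separate the first reset from the second. The logger record format, the 256-byte window base, and the sample bytes are assumptions made for the example; the only details taken from the text are the 16- or 32-byte cache-line fetches, the double reset, and the boot vector at 0xFFFFFFF0.

```python
BOOT_VECTOR = 0xFFFFFFF0  # x86 reset vector: the first line fetched after a reset
WINDOW_BASE = 0xFFFFFF00  # top 256 bytes of the address space (assumed window)

def parse_fetch(line):
    """Parse one record: '<timestamp> <address_hex> <data_hex>' (constructed format)."""
    ts, addr, data = line.split()
    blob = bytes.fromhex(data)
    if len(blob) not in (16, 32):  # a cache-line fetch is 16 or 32 consecutive bytes
        raise ValueError(f"unexpected fetch length {len(blob)} at {addr}")
    return int(ts), int(addr, 16), blob

def split_by_reset(fetches):
    """Each fetch of the boot vector marks a reset pulse; group fetches into epochs."""
    epochs = []
    for fetch in fetches:
        if fetch[1] == BOOT_VECTOR or not epochs:
            epochs.append([])
        epochs[-1].append(fetch)
    return epochs

def assemble_image(fetches, base=WINDOW_BASE, size=0x100):
    """Place every fetched line at its address; bytes never observed stay None."""
    image = [None] * size
    for _, addr, blob in fetches:
        off = addr - base
        if off < 0 or off + len(blob) > size:
            continue  # fetch lies outside the window being reconstructed
        for i, b in enumerate(blob):
            if image[off + i] not in (None, b):
                raise ValueError(f"conflicting bytes at {addr + i:#x}")
            image[off + i] = b
    return image

def reconstruct_first_epoch(lines):
    """Image of what was fetched between the first reset pulse and the second."""
    return assemble_image(split_by_reset([parse_fetch(l) for l in lines])[0])

def boot_block_matches(image, reference, base=WINDOW_BASE):
    """True if all 16 bytes at the boot vector were observed and equal `reference`."""
    block = image[BOOT_VECTOR - base:BOOT_VECTOR - base + 16]
    return None not in block and bytes(block) == reference
# Constructed sample log: first reset, two more cache lines, then a second reset pulse.
FLASH_BOOT_BLOCK = bytes.fromhex("ea5af0ffff" + "00" * 11)  # constructed 16-byte block
SAMPLE_LOG = [
    "100 FFFFFFF0 " + FLASH_BOOT_BLOCK.hex(),
    "102 FFFFFF00 " + "90" * 16,
    "104 FFFFFF10 " + "cc" * 32,
    "900 FFFFFFF0 " + FLASH_BOOT_BLOCK.hex(),  # second reset: boot vector refetched
    "902 FFFFFF40 " + "5a" * 16,
]
```

Fetches after the second reset are deliberately left out of the image, since the text notes that the traffic following it is the encrypted data rather than the secret ROM.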