Hacking the Xbox
138 Hacking the Xbox: An Introduction to Reverse Engineering
A Commentary on Naming Conventions
Hacking communities often invent their own terminology for important concepts, and that terminology can vary from community to community and from industry-standard usage. The following is the list of terms accepted by the Xbox-Linux community. Any deviations from the terminology I use in this book are noted.
• X-code: Jam table opcodes; the opcodes used by the secret Southbridge (MCPX) boot ROM to initialize the Xbox hardware.
• 2BL: Second boot loader. This is the code that is decrypted by the secret boot ROM. It is called the second boot loader because its primary responsibility is to decrypt and decompress a kernel image.
• Flash Boot Loader (FBL): In version 1.1 security, this is an intermediate boot loader between the secret boot ROM and the 2BL. The FBL is verified by a lightweight hash against a hard-coded value within the secret boot ROM. As a result, the FBL cannot be changed without changing the MCPX silicon. The FBL is responsible for verifying the digital signature on all critical portions of the FLASH ROM.
• Kernel: The Xbox kernel code. It is stored compressed and encrypted in the FLASH ROM.
• Version 1.0 security: The original Xbox security system, which uses RC-4 encryption on the 2BL.
• Version 1.1 security: The second Xbox security system, which uses the TEA hash to verify regions of the FLASH ROM. The earliest manufacturing date seen on boxes with version 1.1 security is around August 2002.
The previous chapter described my eavesdropping attack on the Xbox security mechanism that eventually yielded the RC-4 key hidden in a block of secret code. This chapter describes a few of the other attacks available on the Xbox that were devised by my colleagues, as well as the attack that was mounted on the revised Xbox security scheme, herein referred to as security version 1.1.
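As an added example (not code from the book, from Microsoft, or from the Xbox-Linux project), the following C program models the version 1.0 arrangement in which the secret boot ROM decrypts the 2BL with RC-4 under a key baked into the ROM. The key bytes, the 2BL image and the loader routine (`bootrom_decrypt_2bl`) are constructed stand-ins for the demonstration, not the real Xbox values or code; the RC-4 routine itself is the standard KSA/PRGA and is checked against a public known-answer vector. What it shows is why recovering the key, as the previous chapter describes, is decisive: RC-4 is a stream cipher and provides no integrity, so the key lets an attacker encrypt an arbitrary replacement 2BL that the loader accepts, and even without the key a copy of the genuine plaintext lets bytes of the encrypted image be patched by XOR.

```c
/* Added example: RC-4 on a toy 2BL. Key, image and loader are constructed
 * stand-ins, not the Xbox's real values. Encryption alone gives no integrity. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

typedef struct { uint8_t s[256]; uint8_t i, j; } rc4_ctx;

/* Key-scheduling algorithm (KSA). */
static void rc4_init(rc4_ctx *ctx, const uint8_t *key, size_t keylen)
{
    uint8_t j = 0;
    for (int k = 0; k < 256; k++) ctx->s[k] = (uint8_t)k;
    for (int k = 0; k < 256; k++) {
        uint8_t t;
        j = (uint8_t)(j + ctx->s[k] + key[k % keylen]);
        t = ctx->s[k]; ctx->s[k] = ctx->s[j]; ctx->s[j] = t;
    }
    ctx->i = 0; ctx->j = 0;
}

/* PRGA: XOR the keystream into buf in place. The same call encrypts and decrypts. */
static void rc4_crypt(rc4_ctx *ctx, uint8_t *buf, size_t len)
{
    for (size_t n = 0; n < len; n++) {
        uint8_t t;
        ctx->i = (uint8_t)(ctx->i + 1);
        ctx->j = (uint8_t)(ctx->j + ctx->s[ctx->i]);
        t = ctx->s[ctx->i]; ctx->s[ctx->i] = ctx->s[ctx->j]; ctx->s[ctx->j] = t;
        buf[n] ^= ctx->s[(uint8_t)(ctx->s[ctx->i] + ctx->s[ctx->j])];
    }
}

/* Known-answer check: public RC4 vector key "Key", plaintext "Plaintext"
 * -> BB F3 16 E8 D9 40 AF 0A D3. Returns 1 on success. */
int rc4_selftest(void)
{
    static const uint8_t expect[9] = {0xBB,0xF3,0x16,0xE8,0xD9,0x40,0xAF,0x0A,0xD3};
    uint8_t buf[9];
    rc4_ctx ctx;
    memcpy(buf, "Plaintext", 9);
    rc4_init(&ctx, (const uint8_t *)"Key", 3);
    rc4_crypt(&ctx, buf, 9);
    return memcmp(buf, expect, 9) == 0;
}

/* Constructed stand-ins (assumption): a 16-byte "2BL key" baked into the
 * boot ROM and a 32-byte "2BL" image. Not the real Xbox values. */
static const uint8_t HARDCODED_2BL_KEY[16] = {
    0x10,0x32,0x54,0x76,0x98,0xBA,0xDC,0xFE,0x11,0x22,0x33,0x44,0x55,0x66,0x77,0x88 };
#define IMG_LEN 32
static const uint8_t GENUINE_2BL[IMG_LEN] = "GENUINE-2BL: decrypt the kernel";

/* Toy model of the v1.0 secret boot ROM step: decrypt the 2BL region of
 * flash with the key from the ROM. No integrity check: whatever the
 * keystream XOR produces is what runs next. */
void bootrom_decrypt_2bl(const uint8_t *flash_2bl, uint8_t *out)
{
    rc4_ctx ctx;
    memcpy(out, flash_2bl, IMG_LEN);
    rc4_init(&ctx, HARDCODED_2BL_KEY, sizeof HARDCODED_2BL_KEY);
    rc4_crypt(&ctx, out, IMG_LEN);
}

/* The legitimate build step: encrypt a 2BL image for flash under a key. */
static void encrypt_for_flash(const uint8_t *key, const uint8_t *plain, uint8_t *flash)
{
    rc4_ctx ctx;
    memcpy(flash, plain, IMG_LEN);
    rc4_init(&ctx, key, 16);
    rc4_crypt(&ctx, flash, IMG_LEN);
}

/* Attack 1: with the recovered key, encrypt an arbitrary replacement 2BL.
 * Returns 1 if the boot ROM model decrypts it to exactly the attacker's image. */
int attack_replace_2bl_with_key(void)
{
    static const uint8_t mine[IMG_LEN] = "MY-2BL: boot whatever I like!!!";
    uint8_t flash[IMG_LEN], loaded[IMG_LEN];
    encrypt_for_flash(HARDCODED_2BL_KEY, mine, flash);  /* attacker reuses the key */
    bootrom_decrypt_2bl(flash, loaded);
    return memcmp(loaded, mine, IMG_LEN) == 0;
}

/* Attack 2: no key needed. Holding the encrypted flash image and a copy of
 * the genuine plaintext, XOR the ciphertext so it decrypts to a chosen patch
 * (stream-cipher malleability: C' = C ^ P ^ P'). Returns 1 if the boot ROM
 * model decrypts the patched flash to the patched 2BL. */
int attack_patch_2bl_without_key(void)
{
    uint8_t flash[IMG_LEN], loaded[IMG_LEN], want[IMG_LEN];
    encrypt_for_flash(HARDCODED_2BL_KEY, GENUINE_2BL, flash); /* image as shipped */
    memcpy(want, GENUINE_2BL, IMG_LEN);
    memcpy(want + 13, "skip   ", 7);                          /* "decrypt" -> "skip   " */
    for (size_t n = 0; n < IMG_LEN; n++)
        flash[n] ^= GENUINE_2BL[n] ^ want[n];                 /* plaintexts only, no key */
    bootrom_decrypt_2bl(flash, loaded);
    return memcmp(loaded, want, IMG_LEN) == 0;
}

int main(void)
{
    printf("rc4 self-test:          %s\n", rc4_selftest() ? "ok" : "FAIL");
    printf("replace 2BL with key:   %s\n", attack_replace_2bl_with_key() ? "accepted" : "rejected");
    printf("patch 2BL without key:  %s\n", attack_patch_2bl_without_key() ? "accepted" : "rejected");
    return 0;
}
```

The second attack is the more general lesson: a stream cipher turns any known plaintext into a keystream oracle, so even a loader whose key is never leaked accepts bit-for-bit patches unless something downstream checks a signature or hash, which is exactly the gap the version 1.1 scheme's FBL verification was meant to close.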
Back Doors and Security Holes<br />
A class of back door attacks on the Xbox leverages a fundamental weakness in the way the hardware is initialized by the secret boot code.