xboxscene.org forums

Pages: [1] 2

Author Topic: The 360 Id Is Not Crypted  (Read 98 times)

SoZi_TvsX

  • Archived User
  • Newbie
  • *
  • Posts: 1
The 360 Id Is Not Crypted
« on: May 25, 2007, 02:58:00 PM »

Hi all (sorry for my bad English)

The 360 ID is not encrypted.

Me, Team TvsX and Gx-Mod have discovered that the Xbox 360 ID is not encrypted, so it may be possible to change this ID in real time.

(I have voluntarily changed the last 4 digits of my ID because this ID comes from my unopened 360 (so not banned).)
The verification of this ID is done at every connection or connection test; this is the proof that the IDs are blacklisted on the M$ server and that the 360 does not keep any trace of the ban in the NAND flash: the M$ server just stops the Live access and sends the ban error code back to the 360. If we modify the ID in real time, the 360 will theoretically be unbanned.
It remains to be seen whether 2 identical non-banned IDs can be connected at the same time, or whether the modification of the ID cannot be detected, ...


This test has been made with the tool WireShark (freeware) and is at the level of the answers given to the TGS-REQ; the response contains the unencrypted ID:

TGS-REP:

0000   00 12 5a 97 f6 58 00 15 f2 67 b2 bc 08 00 45 00  ..Z..X...g....E.
0010   04 f0 86 67 00 00 6f 11 d3 46 41 3b ea a3 c0 a8  ...g..o..FA;....
0020   00 c8 00 58 04 e9 04 dc 40 11 6d 82 04 d0 30 82  ...X....@.m...0.
0030   04 cc a0 03 02 01 05 a1 03 02 01 0d a2 82 01 a6  ................
0040   30 82 01 a2 30 82 01 9e a1 04 02 02 00 d3 a2 82  0...0...........
0050   01 94 04 82 01 90 30 82 01 8c a0 03 02 01 17 a1  ......0.........
0060   03 02 01 01 a2 82 01 7e 04 82 01 7a a7 d0 91 57  .......~...z...W
0070   54 a0 b3 fb 3c e9 61 ca 5a f2 dc cd 5e 07 ec 5c  T...<.a.Z...^..\
0080   b5 fb 9e 5b f3 0a 2b 4a af 98 eb 18 8b 24 d9 56  ...[..+J.....$.V
0090   f0 34 6e 52 1a 5a 48 3e e4 60 81 0d 2c b6 10 dd  .4nR.ZH>.`..,...
00a0   f4 30 5b 06 3f 29 bc bf d0 fc 20 ae 55 35 73 65  .0[.?).... .U5se
00b0   84 8c 40 0e f1 77 6f 75 a1 33 24 27 b3 aa 6e 90  ..@..wou.3$'..n.
00c0   19 21 29 8b d5 d0 ca 6c 0e 5e ee 8f 6d 78 e6 4b  .!)....l.^..mx.K
00d0   15 a4 46 8d c6 ad 7e bd 99 6a 39 cc 95 05 a8 53  ..F...~..j9....S
00e0   c3 6f e4 c4 51 30 6f 35 bd d2 8a db 3b 63 dd 71  .o..Q0o5....;c.q
00f0   c4 79 de cb d0 3a e1 d6 df 99 e9 c7 9c cd 27 86  .y...:........'.
0100   55 d0 43 e5 85 fd b9 c7 25 ff e4 29 a9 e7 17 bb  U.C.....%..)....
0110   d4 2f a2 aa 5a e3 c3 07 2e ad 88 e0 fc 1c 45 80  ./..Z.........E.
0120   dc 2a 2b 59 cb 56 3e 7e eb bd 2e 66 05 93 eb 05  .*+Y.V>~...f....
0130   0b c0 d2 28 75 20 a5 d8 c6 2c 55 90 02 d8 84 ce  ...(u ...,U.....
0140   d2 f1 85 a0 e2 68 a2 b4 23 7c bc 91 e5 d9 10 e3  .....h..#|......
0150   6a e6 97 55 5f 44 af 6b 84 0c 96 f9 9c e3 d1 80  j..U_D.k........
0160   09 31 7f 9b 17 65 00 7b a2 5b d6 a2 68 4f 95 06  .1...e.{.[..hO..
0170   80 9e 77 e8 55 1a b7 39 12 0c d0 a1 02 38 73 07  ..w.U..9.....8s.
0180   30 0a f8 cc 9a a4 13 22 dc 9d 76 ca 67 0c 47 94  0......"..v.g.G.
0190   60 16 1a 7a 8d 8f 09 2f 07 92 8b 7d c7 d2 e2 aa  `..z.../...}....
01a0   43 58 75 fb 41 f1 24 cb 57 3d e9 34 77 68 54 1f  CXu.A.$.W=.4whT.
01b0   8b b0 22 ba 0e 6c 78 8f 48 28 27 82 4c 6a f3 40  .."..lx.H('.Lj.@
01c0   e5 84 d6 54 dd 69 e1 29 ba 15 6e aa 62 a3 69 b9  ...T.i.)..n.b.i.
01d0   92 b5 3a fe a5 97 8d 48 7a 30 d7 3e 93 13 87 d9  ..:....Hz0.>....
01e0   15 6b 08 22 66 a3 a3 0e 1b 0c 50 41 53 53 50 4f  .k."f.....PASSPO
01f0   52 54 2e 4e 45 54 a4 2a 30 28 a0 03 02 01 02 a1  RT.NET.*0(......
0200   21 30 1f 1b 0f 58 45 2e 30 30 35 36 33 36 30 37  !0...XE.00563607     <--- ID of mother
0210   31 32 38 38 1b 0c 50 41 53 53 50 4f 52 54 2e 4e  1234..PASSPORT.N      <--- board.
0220   45 54 a5 82 01 fd 61 82 01 f9 30 82 01 f5 a0 03  ET....a...0.....
0230   02 01 05 a1 0a 1b 08 58 42 4f 58 2e 43 4f 4d a2  .......XBOX.COM.
0240   19 30 17 a0 03 02 01 02 a1 10 30 0e 1b 02 73 67  .0........0...sg
0250   1b 08 73 69 74 65 39 39 39 39 a3 82 01 c5 30 82  ..site9999....0.
0260   01 c1 a0 03 02 01 17 a1 03 02 01 01 a2 82 01 b3  ................
0270   04 82 01 af 4f b1 e5 67 d6 d8 27 1f 14 9f e9 1b  ....O..g..'.....
0280   50 03 8e 26 ef 3d 89 38 4f d4 bf 17 25 05 c9 2e  P..&.=.8O...%...
0290   79 ea 99 b4 46 8d ab 5e 97 6d b8 4d f9 ca 43 b3  y...F..^.m.M..C.
02a0   dc af 49 f7 4f eb 68 cf f1 10 04 c1 cd 29 ea 8a  ..I.O.h......)..
02b0   ac 4a 13 72 6a 12 a3 3f 76 9c cd 6b 4e 82 2c dc  .J.rj..?v..kN.,.
02c0   a0 45 28 62 84 29 40 63 ae fa f9 ed cc ae 00 60  .E(b.)@c.......`
02d0   32 22 18 2b e1 c2 c5 58 6b 4e 6a dc aa 17 96 7f  2".+...XkNj.....
02e0   17 26 42 c6 49 99 47 8d 2a 42 bb 10 8c ac 7f 1c  .&B.I.G.*B......
02f0   72 57 10 ef 37 84 70 fd c4 eb 9f 73 46 25 b9 1f  rW..7.p....sF%..
0300   98 f8 6a c1 d5 33 b2 68 16 e2 59 f5 c4 44 bb 57  ..j..3.h..Y..D.W
0310   1c f1 f5 6f 0d 7e 56 cf f8 1a 01 e0 7d 2b dc 31  ...o.~V.....}+.1
0320   c0 ed 1f 7a 85 f8 eb 8d bc 9c 08 de e5 31 af fe  ...z.........1..
0330   de fa ec ab 34 95 22 a8 2e d4 eb 79 c7 cf b3 a7  ....4."....y....
0340   20 76 fb 6e 02 cd f8 c5 46 bf 92 65 7f 37 20 4b   v.n....F..e.7 K
0350   f6 bc 31 c4 c2 f7 b1 e2 43 0d 3f 60 f2 bf 4e 4f  ..1.....C.?`..NO
0360   b7 d4 a8 5a b3 ff a3 e3 52 b6 0b 3b a6 81 a5 18  ...Z....R..;....
0370   75 d8 b4 19 2e ed 5c 77 99 6c f9 b3 92 e7 04 39  u.....\w.l.....9
0380   e2 ca 84 74 90 57 6a 77 d2 c6 96 1a 7f c5 72 80  ...t.Wjw......r.
0390   25 12 f6 1a 67 32 fe b0 dc 37 bd 45 d2 13 bd 74  %...g2...7.E...t
03a0   bf 90 97 13 bb 34 df f6 45 9b 4e 4f b1 0e 85 0c  .....4..E.NO....
03b0   12 6f 4f 14 a4 10 4f 35 f5 3e 2a 1a 6d 0d fa 60  .oO...O5.>*.m..`
03c0   4c 7a 84 46 b2 e6 02 d4 42 f8 fd e8 4a 8b 5d a7  Lz.F....B...J.].
03d0   89 eb df ef 66 16 a6 20 52 bb 1c cc 59 0b 35 1b  ....f.. R...Y.5.
03e0   b1 98 e0 11 bf 04 f2 a2 cb b1 b9 b2 f4 57 67 35  .............Wg5
03f0   0b a3 da d8 4f 82 b8 d2 03 8b e5 c3 30 14 0b 16  ....O.......0...
0400   22 3f 63 ed ac 13 d7 2c 9e 3a 91 4d 35 62 a5 7f  "?c....,.:.M5b..
0410   0e 67 0c d0 93 5f 62 ac 33 9e e6 e9 00 4c 00 aa  .g..._b.3....L..
0420   7d fe 53 a6 81 d8 30 81 d5 a0 03 02 01 17 a2 81  }.S...0.........
0430   cd 04 81 ca ac 0c c4 f2 59 2a 36 4a bc 52 be d9  ........Y*6J.R..
0440   41 70 e5 a2 a3 e1 f9 e3 92 f8 79 12 08 a6 c7 27  Ap........y....'
0450   cd 0c 07 70 aa d2 89 c2 25 b7 d3 dc ed 2e 33 21  ...p....%.....3!
0460   22 22 91 ff a0 6e 90 9a 12 f1 04 9c 85 e1 fe e9  ""...n..........
0470   ed 51 c1 4c 92 eb ab b8 5e 8f bc ef 87 75 ed 43  .Q.L....^....u.C
0480   a0 44 fd c3 cb 4e ce 50 b0 3d 7e 13 eb ca b4 93  .D...N.P.=~.....
0490   50 ce 71 75 6d 51 05 62 7a 98 b5 61 74 bd 1e ac  P.qumQ.bz..at...
04a0   70 72 75 40 38 8a 20 57 cc a1 02 da f8 d6 4b ac  pru@8. W......K.
04b0   e1 c1 3f e4 c2 87 86 b0 d0 4c b6 af 0b 02 70 2e  ..?......L....p.
04c0   2f af 6d 59 67 fb 37 ac af 4e d6 c6 d7 c1 0c 28  /.mYg.7..N.....(
04d0   66 91 03 4a a5 e0 96 65 51 8d 25 55 4b 47 d7 e1  f..J...eQ.%UKG..
04e0   67 27 c9 85 70 8c 61 20 fa a8 63 69 d3 d9 68 5f  g'..p.a ..ci..h_
04f0   14 b9 a6 c0 15 fc 12 ff a9 de b8 f1 6c 54        ............lT

I hope that you will have understood me in spite of my bad translation. Here is my original post:

http://gueux-forum.net/index.php?s=&sh...t&p=1088392

That's all, and thanks to all the people that contribute to the scene, ...
Logged

YxxRavenxxY

  • Archived User
  • Newbie
  • *
  • Posts: 1
The 360 Id Is Not Crypted
« Reply #1 on: May 25, 2007, 11:30:00 PM »

This is very interesting, yet 2 questions need to be answered besides how it is done: the 1st being, does it have to be a valid system ID once changed to be able to access Live, and secondly, if it does, can two 360's have the same ID and be on Live at the same time? I hope we have answers to this soon.
Logged

zouzzz

  • Archived User
  • Jr. Member
  • *
  • Posts: 81
The 360 Id Is Not Crypted
« Reply #2 on: May 26, 2007, 04:48:00 AM »

Hi SoZi_TvsX,
very interesting. I don't think Gary, TS and the others are unaware of this, but it's nice of you to have told us, the spectators.

The Infectus allows reflashing the NAND, but it's a lot of work:
- fit an Infectus on a non-banned machine (with ROD, for example)
- dump the NAND
- modify the NAND
- fit the Infectus on the machine to be "unbanned"
- reflash that machine's NAND.

That's still more than 40 solder points to do (and tough ones).

Otherwise, maybe there is also another solution, via an on-the-fly "flash"... if writing is permitted.


Anyway: thanks for the info.

QUOTE
Hello SoZi_TvsX,
very interressant. I do not think that Gary, TS and the others are not with the juice but they is cool to have said it to us to us the spectators.
Infectus will allow allows reflasher Nand, but it is much of job:
- posed Infectus on a not banished bike (with ROD for example)
- to recover the NAND - to modify the NAND
- to pose Infectus on the bike "to be débannir"
- reflasher Nand of the latter.
All the same more than 40 point of welding make (and of the strapping men).
If not, can be also another soluce, while passing by a "flash" with stolen... if the écriure is allowed.
thank you for information.  


Logged

KaMbiOkIkA

  • Archived User
  • Newbie
  • *
  • Posts: 24
The 360 Id Is Not Crypted
« Reply #3 on: May 26, 2007, 05:49:00 AM »

Hi all,

You'll probably hate me after my post, but are you really thinking M$ is so stupid as to paste this kind of information unencrypted?
Otherwise, if that's the case, aren't you asking yourself whether they (M$) don't paste an encrypted ID in the bytes around this unencrypted ID, and of course use that one instead?
It would have 1 chance in 1,000,000 or certainly more that this works by this method.
So now, it's not very difficult to test this possibility. Simply save a hex dump of the network card traffic to Xbox Live, change the banned ID number to an ID not already banned, and write a simple program that opens a socket to the Xbox Live server, sends the modified hex network traffic into this socket, and simply gets the response from the Xbox Live server.
If it results in what you think it will, then play the national lottery, you'll certainly win, but don't expect this to work.
There are too many points that aren't clarified in the Xbox Live server/client exchange for it to be as simple as that. And of course, no one knows exactly atm in which manner M$ bans modified X360s.

So, don't expect this to work, but continue to do good work on this subject.

In my opinion, this way isn't the best to investigate. It would be more interesting to find out how your X360 tells the Xbox Live server that it's modified, and then modify the network packets on the fly to always tell Xbox Live that your console isn't modified.

Thanks.

++
Logged

The Prankster

  • Archived User
  • Full Member
  • *
  • Posts: 127
The 360 Id Is Not Crypted
« Reply #4 on: May 26, 2007, 09:32:00 AM »

1.  M$ isn't stupid, that's just a packet, yes. I was in a thread a few days ago on almost the exact same theory; I logged some packets coming to & from the Xbox 360. The fact is that M$ has logs of all the console IDs, and why would you want to do that anyway, if indeed you're going to change the console ID to one that is unbanned... which, in fact, like the above poster said, has a VERY MINIMAL chance of working. I'm going to go with it and say it won't work, because this is just too farfetched. If all the stars and planets happened to line up just right, with the sun at peak 12 noon on the other side of the earth with an eclipse from the earth's 2nd moon lol, and while all the wolves were howling at the moon outside your house/apartment, and George Bush also somehow admitted to being a buffoon, then just maybe... just MAYBE, this might work.

And if you did get an unbanned ID, what would be the point? Either you have another 360, play on that you bimbo, or you are being a faggot and looked at and wrote down a friends. Though this won't work and has no sustinance for the future.

2.  And that specific packet doesn't get sent until at least 100-200 packets have gone to/from the live server already which are almost ALL encrypted.

3.  And also on a sidenote, just because you found the console ID doesn't mean that is the only time it is reported to Live. I'm betting they actually encrypt it when they need to. Also in that same packet notice how it says passport.net and xbox.com; that's probably just signing into your .NET Passport at xbox.com and sending your console ID with it just for verification with Xbox Live. A banned ID report is probably done encrypted and you wouldn't even know it is being sent to Xbox Live.

4.  Is it possible to stop all this ridiculous 'spoof Xbox Live' or 'fake Xbox Live into thinking I'm unbanned' crap? Once you're banned you're banned; deal with it, that's just another crappy aspect of your life that you're going to have to get used to.

This post has been edited by The Prankster: May 26 2007, 04:41 PM
Logged

toshtiger

  • Archived User
  • Newbie
  • *
  • Posts: 2
The 360 Id Is Not Crypted
« Reply #5 on: May 27, 2007, 04:26:00 PM »

Hi All,

Had my modded Xbox banned just like the rest of the world, which has led me into doing a bit of research into the network traffic between Microsoft's servers and my 360.
Using the network monitoring software from the ms.com site (http://www.microsoft.com/downloads/details.aspx?familyid=AA8BE06D-4A6A-4B69-B861-2043B665CB53&displaylang=en) you can clearly see the packets of data and their contents. I have checked this data with another 360 logging into Xbox Live with the same results. I am no network expert, but looking through the data you can basically see the data handshake pattern:

(IMG:http://finditwinit.com/upimage/capture_2.jpg)

(IMG:http://finditwinit.com/upimage/capture.jpg)

An initial start-up from my box to Microsoft
A membership report back from Microsoft

My 360 then sends my Xbox 360 serial number (in the image: USN: uuid: 52255276-****, which matches the serial number on the 360 dashboard under 'system info') to Microsoft along with what I think is a reference to my gamertag. Also in here is a reference to my current dashboard version (in the image: 2.0.5759.0).

A few more packets are transferred
My login is finally rejected (modded box)

From these tests, it is clear that Microsoft are using the serial number of my machine to decide whether the 360 is banned or not, probably in the last forced 360 update adding to the 360 a firmware test on the DVD drive which Microsoft can test at their will. There doesn't seem to be any reference to the 360 console's ID, just the serial number of the machine.

Would it not be possible to use a PC on my network to receive data (buffered from a fixed Xbox 360 IP address) from my Xbox 360, and modify the serial number being sent to Microsoft (http:/1.1..HOST:239.255.255.250:1900), sending a non-banned serial number, and hence give a false login to Xbox Live?

Also, would it be possible to detect the dashboard version test from the Microsoft server and stop any future updates of the Xbox 360 dashboard?

The only problem I can see would be the extra lag time in data transfer with a PC doing the transfers between the two. I don't think Microsoft are using any rocket science to log my Xbox in to Xbox Live and I am sure someone with the right programming skills could write the PC software which acts as a 'go between' with the server and the 360.

Logged

Xplic1T

  • Archived User
  • Newbie
  • *
  • Posts: 19
The 360 Id Is Not Crypted
« Reply #6 on: May 28, 2007, 02:00:00 AM »

Very interesting, so I guess the ultimate test would be to revert back to the original firmware and try to pull off this console ID switch. If you are still banned, that will show that the console is really keeping tabs on your modified firmware and remembers and bans you again on your new console ID; if you don't, then this will be very interesting indeed.
Logged

toshtiger

  • Archived User
  • Newbie
  • *
  • Posts: 2
The 360 Id Is Not Crypted
« Reply #7 on: May 28, 2007, 04:39:00 AM »

Hi,

One of my theories is that in the last update to the console M$ have added the facility to probe the firmware of various parts of the 360 and report back the checksum values of the hardware, e.g. DVD drive, HD etc. M$ know what these values should be as they have only released about 20 different firmwares for the DVD and HD. A simple check when the 360 powers up and M$ could collect this data from the 360, compare the values with a database of checksums on their server and decide whether to ban a 360 (banning just the serial number and not the gamertag). They could in theory also put this check on a game disc (stopping the game from working if firmware changes were detected), which would mean patching game discs. M$ using a method like this would mean that no matter what hackers tried to modify in the firmware of the DVD/HD, the modified firmware checksums would always be different from what they should be and could be detected.

Cheers Tosh
Logged

rss112

  • Archived User
  • Newbie
  • *
  • Posts: 4
The 360 Id Is Not Crypted
« Reply #8 on: May 28, 2007, 07:32:00 AM »

To be truthful, people, not everyone is going to get hold of an Xbox with a working serial to replace their old one; we all need to work together and make firmware that could get past this ban, and maybe build a step by step guide to help people do this at home..... If this cannot be passed, everyone will have to use Xbox Connect!
Logged

36dee

  • Archived User
  • Newbie
  • *
  • Posts: 3
The 360 Id Is Not Crypted
« Reply #9 on: May 28, 2007, 09:59:00 PM »

QUOTE(rss112 @ May 28 2007, 03:08 PM)

To be truthful, people, not everyone is going to get hold of an Xbox with a working serial to replace their old one; we all need to work together and make firmware that could get past this ban, and maybe build a step by step guide to help people do this at home..... If this cannot be passed, everyone will have to use Xbox Connect!


That'd be helpful but not the easiest solution.
Logged

foogrrr

  • Archived User
  • Newbie
  • *
  • Posts: 19
The 360 Id Is Not Crypted
« Reply #10 on: May 29, 2007, 04:20:00 AM »

QUOTE(toshtiger @ May 27 2007, 11:26 PM)

Hi All,

Had my modded Xbox banned just like the rest of the world, which has led me into doing a bit of research into the network traffic between Microsoft's servers and my 360.
Using the network monitoring software from the ms.com site (http://www.microsoft.com/downloads/details.aspx?familyid=AA8BE06D-4A6A-4B69-B861-2043B665CB53&displaylang=en) you can clearly see the packets of data and their contents. I have checked this data with another 360 logging into Xbox Live with the same results. I am no network expert, but looking through the data you can basically see the data handshake pattern:

(image)

(image)

An initial start-up from my box to Microsoft
A membership report back from Microsoft

My 360 then sends my Xbox 360 serial number (in the image: USN: uuid: 52255276-****, which matches the serial number on the 360 dashboard under 'system info') to Microsoft along with what I think is a reference to my gamertag. Also in here is a reference to my current dashboard version (in the image: 2.0.5759.0).

A few more packets are transferred
My login is finally rejected (modded box)

From these tests, it is clear that Microsoft are using the serial number of my machine to decide whether the 360 is banned or not, probably in the last forced 360 update adding to the 360 a firmware test on the DVD drive which Microsoft can test at their will. There doesn't seem to be any reference to the 360 console's ID, just the serial number of the machine.

Would it not be possible to use a PC on my network to receive data (buffered from a fixed Xbox 360 IP address) from my Xbox 360, and modify the serial number being sent to Microsoft (http:/1.1..HOST:239.255.255.250:1900), sending a non-banned serial number, and hence give a false login to Xbox Live?

Also, would it be possible to detect the dashboard version test from the Microsoft server and stop any future updates of the Xbox 360 dashboard?

The only problem I can see would be the extra lag time in data transfer with a PC doing the transfers between the two. I don't think Microsoft are using any rocket science to log my Xbox in to Xbox Live and I am sure someone with the right programming skills could write the PC software which acts as a 'go between' with the server and the 360.



Hi toshtiger,
   I have done packet captures and analysis for the XBL service.  The packets you have posted are multicast requests for UPnP devices, i.e. media players, computers.
239.255.255.250 = multicast subnet address space.

These packets are in no way related to the XBL service.

The reason you see your serial number in the packets above is so your computer (media service) can connect and authenticate with your Xbox (i.e. if you have 2 Xboxes using media on the same computer, you would need different UUIDs (unique universal identifiers) to distribute media to specific Xboxes).


The packets you are interested in (the actual serial number transfer to XBL) are in 2 Kerberos sessions:
KRB-TGS (REQ) and KRB-TGS (REP) x2

Your UUID/serial is sent to authenticate against the Kerberos authenticating server, and is sent in plain text, although the private key is encrypted using a hash of the user's password etc.

It's actually a two-step encryption process, which you can find more info on if you Google "kerberos authentication".

Hopefully that points you in the right direction a bit.
Logged
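The Kerberos layout foogrrr describes, and the cleartext realm and principal that the first post's TGS-REP dump annotates, can be checked with a small DER walker. This is an added example, not code from the thread or from any of its authors: it builds a constructed TGS-REP with the same structure as the dump (placeholder principal "XE.0000EXAMPLE", constructed cipher bytes) and reports which fields a passive observer can read with no key at all, and which are EncryptedData (etype 23 = RC4-HMAC) that only the right key opens.

```python
# Added example: minimal DER walker for a Kerberos TGS-REP (RFC 4120 KDC-REP).
# Everything below is constructed; "XE.0000EXAMPLE" is a placeholder principal.

def der_len(n):                     # DER length: short form or 1-2 byte long form
    if n < 0x80:
        return bytes([n])
    return bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
def tlv(tag, body):                 # one DER element
    return bytes([tag]) + der_len(len(body)) + body
def ctx(i, body):                   # [i] EXPLICIT context tag, as Kerberos uses
    return tlv(0xA0 | i, body)
def integer(v):                     # INTEGER, small non-negative values only
    return tlv(0x02, bytes([v]))
def kstring(s):                     # KerberosString (GeneralString, tag 0x1B)
    return tlv(0x1B, s.encode())
def seq(*items):
    return tlv(0x30, b"".join(items))
def principal(name_type, *names):   # PrincipalName ::= name-type [0], name-string [1]
    return seq(ctx(0, integer(name_type)), ctx(1, seq(*map(kstring, names))))
def encrypted_data(etype, cipher, kvno=None):   # EncryptedData ::= etype, [kvno], cipher
    kv = [] if kvno is None else [ctx(1, integer(kvno))]
    return seq(ctx(0, integer(etype)), *kv, ctx(2, tlv(0x04, cipher)))

def build_sample_tgs_rep():
    """Constructed reply with the same shape as the dump in the first post."""
    ticket = tlv(0x61, seq(                      # APPLICATION 1 = Ticket
        ctx(0, integer(5)),                      # tkt-vno
        ctx(1, kstring("XBOX.COM")),             # realm (cleartext)
        ctx(2, principal(2, "sg", "site9999")),  # sname (cleartext)
        ctx(3, encrypted_data(23, b"\xaa" * 431, kvno=1)),  # 23 = RC4-HMAC
    ))
    return tlv(0x6D, seq(                        # APPLICATION 13 = TGS-REP
        ctx(0, integer(5)),                      # pvno
        ctx(1, integer(13)),                     # msg-type TGS-REP
        ctx(3, kstring("PASSPORT.NET")),         # crealm, cleartext
        ctx(4, principal(2, "XE.0000EXAMPLE", "PASSPORT.NET")),  # cname, cleartext
        ctx(5, ticket),
        ctx(6, encrypted_data(23, b"\xbb" * 202)),  # enc-part: only the client key opens it
    ))

def read_tlv(buf, pos=0):
    """Decode the DER element at pos -> (tag, value, position after it)."""
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:                                # long form: next n bytes hold the length
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln

def elements(buf):                               # iterate the elements of a SEQUENCE body
    pos = 0
    while pos < len(buf):
        tag, val, pos = read_tlv(buf, pos)
        yield tag, val

def fields(buf):                                 # context tag number -> inner value
    return {tag & 0x1F: read_tlv(val)[1] for tag, val in elements(buf)}

def names(pbody):                                # PrincipalName -> (name-type, [strings])
    f = fields(pbody)
    return f[0][0], [v.decode() for _, v in elements(f[1])]

def enc_summary(ebody):                          # EncryptedData: all an observer learns
    f = fields(ebody)
    return {"etype": f[0][0], "cipher_len": len(f[2])}

def parse_tgs_rep(raw):
    """Split a TGS-REP into what is readable on the wire and what is ciphertext."""
    tag, body, _ = read_tlv(raw)
    if tag != 0x6D:
        raise ValueError("not a TGS-REP (APPLICATION 13)")
    f = fields(read_tlv(body)[1])
    tkt = fields(read_tlv(f[5])[1])              # Ticket is APPLICATION 1 around a SEQUENCE
    return {"pvno": f[0][0], "msg_type": f[1][0],
            "crealm": f[3].decode(), "cname": names(f[4]),
            "ticket_realm": tkt[1].decode(), "ticket_sname": names(tkt[2]),
            "ticket_enc_part": enc_summary(tkt[3]), "enc_part": enc_summary(f[6])}
```

In the post's dump the TGS-REP starts at offset 0x2a (bytes 6d 82 04 d0), after the 14-byte Ethernet, 20-byte IPv4 and 8-byte UDP headers; fed to parse_tgs_rep, that payload would return the crealm and cname the annotation points at, while the ticket and enc-part stay opaque. A name in cname identifies the client but proves nothing by itself; it is the encrypted parts, keyed to that client, that carry the authentication.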

Amnitrix

  • Archived User
  • Newbie
  • *
  • Posts: 38
The 360 Id Is Not Crypted
« Reply #11 on: May 29, 2007, 01:22:00 PM »

Wow, this blows my mind, I swear.  I'm only 16 so don't flame me for asking, but when the console ID is sent to the server it is verified, and then a response as to whether it is true or false depends on if you are banned or not? This is highly over my head.  The ID is then checked for true or false, and when I say true or false I mean retail ID or fake ID; after this is pulled from the ID the response is sent as to whether the console will be claimed banned or not banned from Live.  As such, a banned console currently can be added to the database as a fake ID, therefore making it false.

This post has been edited by Amnitrix: May 29 2007, 08:24 PM
Logged

foogrrr

  • Archived User
  • Newbie
  • *
  • Posts: 19
The 360 Id Is Not Crypted
« Reply #12 on: May 29, 2007, 02:13:00 PM »

That's pretty much it.

In a Kerberos authentication session the KDC (Key Distribution Center) holds all valid logins/passwords,
the login being the console ID and the password being unknown.  I would assume that after the manufacturing of the console, the console ID (login) is added to the KDC, therefore making it an XBL-accessible console.
This remains true until the console ID (login) is removed/disabled from the KDC for whatever reason (ban).

The KDC will not respond to any non-valid login; if I'm not mistaken it drops the session rather than waiting for it to time out.  My assumption is, if M$ manufactured a console and didn't add it to the KDC, it would react the same way as a banned console (prolly without the error code), and the session would be dropped.

Hope this helps.
Logged

telo{+}

  • Archived User
  • Sr. Member
  • *
  • Posts: 316
The 360 Id Is Not Crypted
« Reply #13 on: May 30, 2007, 05:51:00 PM »

QUOTE
(prolly without the error code)


Give MS a little credit, I bet they have at least a few error codes for that



I have an 'idea', we simply 'hack' into the KDC and 'change' all the 'passwords' to 1234........


Not really, I was just saving some noob the trouble of posting that as a new thread.
Logged

Wilhelm_I

  • Archived User
  • Hero Member
  • *
  • Posts: 937
The 360 Id Is Not Crypted
« Reply #14 on: May 31, 2007, 01:21:00 AM »

I changed my console ID using Ettercap and I am now getting a weird error code I have never seen before...
Probably it is because I have just randomly edited some of the numbers...
I will get a new 360 in a few weeks and I will change it to this ID then, so it will probably work then..
Your Emperor
Wilhelm I
Logged