Print

[gprime]

I was sniffing around and noticed that everything downloaded from xbox live arcade is done as a .xcp file (xbox control panel ? *shrug*). It's done so over an HTTP (unencrypted) protocol on port 3074. I was excited when I first saw this, but after taking a look at a bunch of example files, it looks as if they are all encrypted.. d'oh.

Here are some example packages if anyone is interested

Call of Duty 2 Avatar (really small file)
http://65.59.234.165:3074/content/415607d1...ac14f6934de.xcp

Bejewled 2 (game):
http://65.59.234.165:3074/content/584107d2...fa865426d52.xcp

A video trailer: (huge download)
http://68.142.127.15:3074/content/fffe07c4...1d1b0534f87.xcp

Zuma (game):
http://65.59.234.165:3074/content/584107ef...3fbe4df716d.xcp


It could end up to be a popularing packaging scheme, but probably not.

This post has been edited by gprime: Nov 24 2005, 09:45 PM

[tjfontaine]

what is know so far about these xcp files can be found at free60's xcp page (free60.org)

[gprime]

QUOTE(tjfontaine @ Nov 25 2005, 08:33 PM)

what is know so far about these xcp files can be found at free60's xcp page (free60.org)

awesome, thanks

[gprime]

This is probably useless to you guys, but I noticed in your IRC room it says you're looking for tcp dumps. I dug up the originals. They are just http requests though, nothing exciting:

Avatar:
Sent:

QUOTE

GET /content/415607d1/1dda96f83713102a0e063a1b3a7bdac14f6934de.xcp HTTP/1.0
User-Agent: Xbox Live Client/2.0.2241.0
Host:65.59.234.165

Received:

QUOTE

HTTP/1.1 200 OK
Content-Length: 37775
Content-Type: application/octet-stream
Last-Modified: Thu, 17 Nov 2005 23:20:09 GMT
Accept-Ranges: bytes
ETag: "5847e273cdebc51:26f"
Server: MS-IIS/6.0
X-Powered-By: ASP.NET
Date: Thu, 24 Nov 2005 20:22:15 GMT
Connection: close

Bejeweled:
Sent:

QUOTE

GET /content/584107d2/c708eca18922addc4737061d8e6fcfa865426d52.xcp HTTP/1.0
User-Agent: Xbox Live Client/2.0.2241.0
Host:65.59.234.165

Received:

QUOTE

HTTP/1.1 200 OK
Content-Length: 23012699
Content-Type: application/octet-stream
Last-Modified: Sat, 19 Nov 2005 02:29:50 GMT
Accept-Ranges: bytes
ETag: "2984c21db1ecc51:26f"
Server: MS-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 22 Nov 2005 08:43:19 GMT
Connection: close

Video:

Sent:

QUOTE

GET /content/fffe07c4/61a3d817bde2caf405dfcde581a7a1d1b0534f87.xcp HTTP/1.0
User-Agent: Xbox Live Client/2.0.2241.0
Host:68.142.127.15

Received:

QUOTE

HTTP/1.0 200 OK
Content-Length: 142690838
Content-Type: application/octet-stream
Accept-Ranges: bytes
ETag: "146093dbaefc51:26e"
Server: MS-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 22 Nov 2005 05:27:18 GMT
Last-Modified: Tue, 22 Nov 2005 02:17:16 GMT
Connection: close

Zuma (file resume):

Sent:

QUOTE

GET /content/584107ef/90226b760a840a3afc759094668da3fbe4df716d.xcp HTTP/1.0
User-Agent: Xbox Live Client/2.0.2241.0
Host:65.59.234.165
IF-UNMODIFIED-SINCE: Tue, 22 Nov 2005 00:36:50 GMT
RANGE: bytes=3543579-

Received:

QUOTE

HTTP/1.1 206 Partial Content
Content-Length: 22067188
Content-Type: application/octet-stream
Content-Range: bytes 3543579-25610766/25610767
Last-Modified: Tue, 22 Nov 2005 00:36:50 GMT
Accept-Ranges: bytes
ETag: "9f70d7d3fceec51:26f"
Server: MS-IIS/6.0
X-Powered-By: ASP.NET
Date: Tue, 22 Nov 2005 07:39:02 GMT
Connection: close

---------------

And something else I tried was forwarding the IP that the xbox was requesting to a local IP of my webserver  (apache running on 3074). I downloaded the zuma .xcp file and renamed it to the bejeweled file / location. Then on the xbox I went to download  "Bejeweled" (what was actually Zuma..), and it actually fetched the file off my webserver. Cool. But after it finished downloading, it said that something had gone wrong and I should try to redownload the file. So even if it downloads a proper .xcp file, it seems that it has a checksum somewhere of what it's expecting. If it doesn't match, it won't run it.

Just to test that my webserver was sending the file properly, I downlaoded the originally zuma file, and placed it in the same path on my server. It then went into marketplace and tried to download Zuma. It fetched it from my server... and it ran just fine.

So now the question is.. where is that checksum coming from?

[stanneh]

i done a lil searching for ibm xcp files and came accross this article from back in 2003 hope it explains how xcp is used to you guys its no good for me :S

QUOTE

April 7, 2003
IBM's xCP Puts a Twist on Content Protection
By Ryan Naraine
IBM Corp. (Quote, Chart) on Monday lifted the veil of secrecy surrounding xCP (eXtensible Content Protection), the digital rights protection architecture that promises to solve the riddle of portability for content creators.

Big Blue used the spotlight of the National Association of Broadcasters (NAB) annual conference to showcase the goodies from its Digital Media Factory and finally unveiled the xCP initiative which puts a twist on content protection by allowing access to DRM-protected media on and off the PC.

The new technology, which builds on Big Blue's existing CPRM and CPPM digital rights management technologies, requires little or no Internet connectivity and works by allowing all of the devices within a "home" network to establish common media keys. The unique IDs distinguish each device in the network from other devices, preventing use (viewing or listening) of the content by devices outside the network, the company explained.

For content producers, xCP releases the noose on media content beyond the PC and extends content to network devices. It allows "fair use" mobility within a household network and, at the same time, prevents unauthorized digital content distribution from one household to another.

The xCP technology, based on IBM's Cluster Protocol, works by assigning a key within each household that's embedded into devices like MP3 players, DVD players, cell phones, PDAs, televisions and entertainment systems in vehicles. They key then unlocks copy-protected content on all the devices.

Big Blue said xCP can be linked with IBM Web Services technology to provide a platform to physical media and the necessary network architectures to enable commerce on any platform. xCP supports plug-n-play functionality for a limited number of devices. For example, the company said, a user might play content seamlessly on his home theater in one room of a house. When a wireless audio player, for example, is purchased for use in another room in the house, this new device automatically joins the domain and has access to the existing content.

Even as it unlocks DRM beyond the PC, the protection technology lets content owners retain control over the distribution of content. "If a user's friend were to download some of the user's files, the content would not work on the friend's player without first acquiring an additional license," an IBM spokesperson explained.

http://www.internetn...cle.php/2176781

[stanneh]

Also just found this great PDF some whitepaper released by IBM i think that explains everything about the Xcp system
http://www.the-conne..._Whitepaper.pdf

[tjfontaine]

Thanks everyone for the updates and finding more info, this is exactly what we need. the more data we mine the better picture we can have of what really makes the Xbox360. One of my personal goals is to help keep the info learned about the 360 as transparent as possible

I updated the page with more info folks have sent me

gprime when you're in the irc channel make sure to drop me a note, as for the tcpdumps I'm interested in finding the transaction of the backward compat update, for a comparison of the two .xex's. Careful that any tcpdumps don't leak any information

[xcollection]

isn't .xcp 'XBOX Content Package'
that's what they are on the original xbox anyways.

[Angerwound]

I just wanted to note here that these .xcp files are the same format as the ones used on the XBOX1 Content System. Basically, they are an encrypted .cab file. XBOX1 downloads these from MS to the cache partitions and then extracts/installs the content. The reason yours failed could be because it was requesting to install an application with TitleID: 4d530001 and the package it recieved was an application containing a different TitleID. Thus, complaining to you to redownload the application.

There are a few SDK applications that create these archives such as 'BuildOffer' or 'XLast'. I'm sure some research into those applications would result in how to extract these little packages.

[dalezer]

Is there any way of loading these .xcp file onto your xbox360?

[gprime]

QUOTE(Angerwound @ Nov 26 2005, 02:29 AM)

I just wanted to note here that these .xcp files are the same format as the ones used on the XBOX1 Content System. Basically, they are an encrypted .cab file. XBOX1 downloads these from MS to the cache partitions and then extracts/installs the content. The reason yours failed could be because it was requesting to install an application with TitleID: 4d530001 and the package it recieved was an application containing a different TitleID. Thus, complaining to you to redownload the application.

There are a few SDK applications that create these archives such as 'BuildOffer' or 'XLast'. I'm sure some research into those applications would result in how to extract these little packages.

Wow, thanks.

See.. I havne't been following any of the earlier "scene" stuff. I was just bored and starting snooping around out of curiosity. Somehow this made front page... cool.

QUOTE(dalezer @ Nov 26 2005, 02:43 AM)

Is there any way of loading these .xcp file onto your xbox360?

If you have something between your xbox360 and your modem, such as a router that you can play with (preferably a *nix box) you can do anything with the requested / received packets that you like.

As said in an earlier post, I sent my own .xcp file to the xbox360 (the "zuma" package, pretending to be be "bejeweled") but it was rejected by the downloader. If Angerwound is right and you  just need to change the title of the package to have the download verified.. then that's at least a start (meaning we could put any xcp package we like onto the hard drive).

This post has been edited by gprime: Nov 26 2005, 02:49 AM

[chinmas]

There's also something else to consider however.  If what the wiki says is true about the processor (it does it's own internal checksum at the core) then there will be a major problem getting any old .xcp file to run.  The problem lies in that each file's checksum will vary, and as far as I know (and that's not really that much), there's no way to spoof an MD5 check.  You would have to be able to match everything from the hex code fingerprint, filesize, etc...  It wouldn't be easy.

What could be happening is that when the file is requested from the Live server, it matches the MD5 code from the M$ servers at the processor level, before ever executing the code itself.  If there's no way to spoof the MD5 check, there's no way to run the file in question.  The program will be killed there.

Plus, we don't know how much of the actual OS itself is residing in the memory at any given moment, let alone where any part of it resides in the memory on the processor itself (which is why this is going to be a lot trickier to uncover).  If there was a way to trick the processor to think that a portion of the OS is somewhere else in the memory (different hex location), it might provide a hole in the security of the system...   However, based on the assumption that not one processor is the same as another - and that the rumors stating "even if someone is able to crack the xbox360, the same method won't work on a different machine," it leads me to believe that somehow there is a checksum at the hardware level itself, matching something with the processor to the firmware or even hardware of the motherboard.  (which may be a problem if you ever wanted to swap out a dead processor from another xbox360)...

That could also help find a clue as to where the check occurs, and how/if it's possible to bypass or manipulate the machine in any way.

The kind of knowledge required to understand the electronic, and logistical aspects of a virtually unknown or barely studied piece of hardware could take years to reverse engineer, and that's if you know what you're doing.

This post has been edited by chinmas: Nov 26 2005, 05:23 AM

[tjfontaine]

Finding MD5 collisions is well documented, and likely why most things use SHA1 see Wikipedia

Also it's more likely that the checksum/hash of the downloaded file is in the description of the content before you download it, so I doubt the check is in the 'cpu' but that's only speculation on my part, the same as it is on yours.

I'm not particularly fond of posts or comments regarding the doubt of onlookers as to the likelyhood of an exploit for the 360. Such comments are only a waste of my bw everytime I want to see what's new in a thread.

[biosehnsucht]

It would be interesting if it is possible to add support for Divx/Xvid codecs etc via some sort of marketplace spoofing, but this would pretty much require devkit access and who knows what all else. I noticed there was an update to add support for AAC files from the iPod "provided by Nellymoser" on live..

if there was some sort of way to add codecs to the media center extender's abilities, then I would be very happy..

[Dameon]

The hashes/checksums have to come from somewhere and are not known before the package is released. Therefore, we must determine from where the package hash/checksum is determined and merely replace that with the actual hash/checksum of the different/modified file. According to Free60, the packages are symetrically signed...I find that odd, because by definition that would mean that the key used by the Xbox to decrypt the package could be used to make our own.

This post has been edited by Dameon: Nov 27 2005, 02:16 AM