xboxscene.org forums

Pages: [1] 2 3 ... 7

Author Topic: Unique 16 bytes in Xbox 360 DVD Firmware  (Read 1039 times)

Xbox-Scene

  • Archived User
  • Hero Member
  • *
  • Posts: 4299
Unique 16 bytes in Xbox 360 DVD Firmware
« on: January 18, 2006, 02:02:00 AM »

Unique 16 bytes in Xbox 360 DVD Firmware -- Posted by XanTium on January 18 03:26 EST
From MacDennis on xboxhacker.net:

Quote

Some new firmware facts! A little birdie told me some information about a second dump of a Toshiba/Samsung TS-H943 DVD-ROM drive. In comparison with the dump made by darkfly, only 16 bytes are different. The difference is at offset 0x401A - 0x4029. Thanks, little birdie, for your great effort! A 16-byte difference was also the case with the GDR-3120 dumps.

All clues indicate that each Xbox 360 DVD-ROM firmware contains a unique key. I couldn't match the key to a console ID / serial or drive serial. It's probably a unique key used in the AES routine to encrypt/decrypt communication between console and drive. Something which is new for the Xbox 360.


Hack_Bird

  • Archived User
  • Jr. Member
  • *
  • Posts: 71
Unique 16 bytes in Xbox 360 DVD Firmware
« Reply #1 on: January 18, 2006, 01:57:00 AM »

Another backup plan from MS ... Hope it's only for production-line purposes and not for the Xbox 360 to check if the original DVD drive is inside.

Note: has someone already swapped the DVD drives between Premium and Core?

PedrosPad

  • Archived User
  • Hero Member
  • *
  • Posts: 1277
Unique 16 bytes in Xbox 360 DVD Firmware
« Reply #2 on: January 18, 2006, 02:26:00 AM »

QUOTE(Xbox-Scene @ Jan 18 2006, 10:33 AM)

From MacDennis on xboxhacker.net:
All clues indicate that each Xbox 360 DVD-ROM firmware contains a unique key. I couldn't match the key to a console ID / serial or drive serial. It's probably a unique key used in the AES routine to encrypt/decrypt communication between console and drive. Something which is new for the Xbox 360.

So the 30-second test of exchanging same-manufacturer DVD-ROM drives between two X360s would appear to be all that's necessary to prove/disprove the per-box encryption theory!
Oh, the irony – M$ stock shortages so far have been its greatest defense.

This speculation sounds unlikely to me as it'd make provision/control of spare parts a bitch.

Whether it matches the stickered serial number or not, if unique on every drive, it sounds like a serial number to me.

It may contribute to an X360-console-unique machine/configuration hash/digest (which, in turn, may be a component of some XBOX!Live authentication procedure – like the old XBOX1 HDD key), but “drive-to-console encryption”? I think that very unlikely.

Antioch

  • Archived User
  • Newbie
  • *
  • Posts: 13
Unique 16 bytes in Xbox 360 DVD Firmware
« Reply #3 on: January 18, 2006, 03:04:00 AM »

Well, I guess this puts a damper on the custom firmware idea to get around the media check. However, I suppose it is still possible; it just takes more work on the end-user's side. Perhaps you would need to dump your own drive's info, find the code, patch a custom firmware with the code, and flash. I'm sure someone could make a tool to do all of that, but I'm not experienced with firmware so I don't know if that's a viable solution.

Anyway, there's always the modchip-for-the-drive idea to fall back on...

MacDennis

  • Archived User
  • Newbie
  • *
  • Posts: 49
Unique 16 bytes in Xbox 360 DVD Firmware
« Reply #4 on: January 18, 2006, 03:20:00 AM »

QUOTE(PedrosPad @ Jan 18 2006, 10:33 AM)

So the 30-second test of exchanging same-manufacturer DVD-ROM drives between two X360s would appear to be all that's necessary to prove/disprove the per-box encryption theory!

Read the firmware hacking thread. This has actually been tried already and it simply does not work.

QUOTE(PedrosPad @ Jan 18 2006, 10:33 AM)

Whether it matches the stickered serial number or not, if unique on every drive, it sounds like a serial number to me.

The drive firmware contains an AES encryption routine, which uses this 'key'. It also looks like a (256-bit) key and not like a simple serial number. The firmware also contains routines which can write to the region which contains this 'key'. These facts are also mentioned in the firmware hacking thread and were discovered by others. The 'key' is probably written to the drive when an X360 is set up for the first time by using a setup disc or something similar. The same 'key' is probably also written to the firmware of the console kernel.

QUOTE(PedrosPad @ Jan 18 2006, 10:33 AM)

It may contribute to an X360-console-unique machine/configuration hash/digest (which, in turn, may be a component of some XBOX!Live authentication procedure – like the old XBOX1 HDD key), but “drive-to-console encryption”? I think that very unlikely.

Unlikely? Well, all clues/facts seem to tell a different story ..
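The comparison behind the original post and Reply #4 (two dumps of the same drive model that differ only in one 16-byte block at 0x401A-0x4029, which reads like key material rather than a serial) is the standard way to locate a per-unit secret in firmware. The script below is an added example, not a tool from the thread or from any of its posters. It constructs two synthetic dumps, merges differing offsets into ranges, and applies a rough key-versus-serial heuristic: an all-ASCII block looks like a stickered serial, while a random-looking 16-byte block is the size of an AES-128 key (16 bytes is 128 bits). The dump contents, the dump size, and the entropy threshold are assumptions; only the offsets and the 16-byte length come from the thread.

```python
"""Find per-unit secrets by diffing two firmware dumps of the same drive model.

Added example for this thread, not code from the original posts. The two
dumps are constructed here; the only facts taken from the thread are the
reported differing range 0x401A-0x4029 and the 16-byte length of that block.
"""
from __future__ import annotations

import math
import string

KEY_START = 0x401A          # first differing offset reported in the thread
KEY_END = 0x4029            # last differing offset, inclusive
DUMP_SIZE = 0x6000          # constructed; real dumps are larger


def diff_ranges(a: bytes, b: bytes) -> list[tuple[int, int]]:
    """Inclusive (start, end) offset ranges where two equal-length dumps differ.

    Adjacent differing bytes are merged, so a 16-byte key block shows up as one
    entry rather than sixteen.
    """
    if len(a) != len(b):
        raise ValueError("dumps differ in length; compare like with like")
    ranges: list[tuple[int, int]] = []
    start = None
    for i, (x, y) in enumerate(zip(a, b)):
        if x != y:
            if start is None:
                start = i
        elif start is not None:
            ranges.append((start, i - 1))
            start = None
    if start is not None:
        ranges.append((start, len(a) - 1))
    return ranges


def shannon_entropy(buf: bytes) -> float:
    """Bits of entropy per byte: 0.0 for a constant block, up to 8.0."""
    if not buf:
        return 0.0
    counts = [0] * 256
    for c in buf:
        counts[c] += 1
    n = len(buf)
    return -sum((k / n) * math.log2(k / n) for k in counts if k)


def looks_like_ascii_serial(buf: bytes) -> bool:
    """Letters, digits and dashes throughout is what a stickered serial looks like."""
    allowed = set((string.ascii_letters + string.digits + "-").encode())
    return bool(buf) and all(c in allowed for c in buf)


def classify_region(buf: bytes) -> str:
    """Heuristic only: a random-looking 16-byte block is the size of an AES-128 key."""
    if looks_like_ascii_serial(buf):
        return "ascii-serial"
    if len(buf) == 16 and shannon_entropy(buf) >= 3.0:   # threshold is an assumption
        return "possible-128-bit-key"
    return "unknown"


def make_synthetic_dumps() -> tuple[bytes, bytes]:
    """Constructed sample: one shared code image, two distinct 16-byte key blocks."""
    body = bytes((i * 7 + 3) & 0xFF for i in range(DUMP_SIZE))
    key_a = bytes.fromhex("00112233445566778899aabbccddeeff")
    key_b = bytes.fromhex("f0e1d2c3b4a5968778695a4b3c2d1e0f")
    dump_a = body[:KEY_START] + key_a + body[KEY_END + 1:]
    dump_b = body[:KEY_START] + key_b + body[KEY_END + 1:]
    return dump_a, dump_b


def analyze(dump_a: bytes, dump_b: bytes) -> list[tuple[int, int, int, str]]:
    """(start, end, length, classification) for every differing region."""
    return [
        (s, e, e - s + 1, classify_region(dump_a[s:e + 1]))
        for s, e in diff_ranges(dump_a, dump_b)
    ]


if __name__ == "__main__":
    a, b = make_synthetic_dumps()
    for start, end, length, kind in analyze(a, b):
        print(f"0x{start:04X}-0x{end:04X} ({length} bytes): {kind}")
        print("  dump A:", a[start:end + 1].hex())
        print("  dump B:", b[start:end + 1].hex())
```

On real dumps, feed `analyze()` the two files read in binary mode; if more than one range comes back, the extra ones are usually checksums or counters that depend on the key bytes, which is itself a useful hint about where the firmware's integrity check lives.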

PedrosPad

  • Archived User
  • Hero Member
  • *
  • Posts: 1277
Unique 16 bytes in Xbox 360 DVD Firmware
« Reply #5 on: January 18, 2006, 03:40:00 AM »

Wow! A response from the source. I’m very happy to be corrected.

But I still wonder about the spare-parts distribution. OK, the X360 may only be repaired at M$-authorized repair shops, and they may have access to specialised/X360-unique equipment/utilities, but the administration of what would be required if your conclusions are true doesn't sound cost-effective. Remember that the X360 is a comparatively low-cost consumer item; there's not a lot of margin in the price for a complicated spare-part control and administration system.

Just thinking of the logistics/practicalities.

MacDennis

  • Archived User
  • Newbie
  • *
  • Posts: 49
Unique 16 bytes in Xbox 360 DVD Firmware
« Reply #6 on: January 18, 2006, 04:27:00 AM »

QUOTE(PedrosPad @ Jan 18 2006, 11:47 AM)

Wow! A response from the source. I’m very happy to be corrected.

Well, I didn't make any dumps; I simply drew some conclusions based on several facts. All credit goes to the little birdie.

QUOTE(PedrosPad @ Jan 18 2006, 11:47 AM)

But I still wonder about the spare-parts distribution. OK, the X360 may only be repaired at M$-authorized repair shops, and they may have access to specialised/X360-unique equipment/utilities, but the administration of what would be required if your conclusions are true doesn't sound cost-effective.

Remember the HDD in the XBOX1? It was also locked to the console. So, an authorized repair shop needs a utility or something to set up the new HDD. And this time around, the drive seems to be locked to the console. In theory, the console could detect a new drive without a key and write a new key to the drive, which then basically locks the drive to the console ..

PedrosPad

  • Archived User
  • Hero Member
  • *
  • Posts: 1277
Unique 16 bytes in Xbox 360 DVD Firmware
« Reply #7 on: January 18, 2006, 04:41:00 AM »

The X360 game dumps are plain text. Is that because the data is plain text on the media, or is it because it's ripped using an X360 drive?

IIRC any PC DVD-ROM drive can be used (using the no-eject swap trick), which leads me to believe the data on the media is plain text.

With encryption/decryption routines built into the X360 DVD-ROM drive firmware, why print the media in plain text?

This post has been edited by PedrosPad: Jan 18 2006, 12:44 PM

MacDennis

  • Archived User
  • Newbie
  • *
  • Posts: 49
Unique 16 bytes in Xbox 360 DVD Firmware
« Reply #8 on: January 18, 2006, 05:04:00 AM »

QUOTE(PedrosPad @ Jan 18 2006, 12:12 PM)

With encryption/decryption routines built into the X360 DVD-ROM drive firmware, why print the media in plain text?

Well, the content of a disc isn't, and probably doesn't need to be, encrypted. That's up to the developer. It's also not very practical. Let's say you have a 500 MB encrypted data file: where are you going to store and use the decrypted version?

Only the communication (data transfer) between console and drive seems to be encrypted. This prevents anyone eavesdropping on the communication.


bourke

  • Archived User
  • Full Member
  • *
  • Posts: 195
Unique 16 bytes in Xbox 360 DVD Firmware
« Reply #9 on: January 18, 2006, 04:54:00 AM »

Exactly, but why would they care about the communication being intercepted en route to the console?

Surely this means we can still patch the media type flag before it gets encrypted? Or do you think there is code that hashes the drive firmware? Maybe we could patch any routine like that as well.


Cheers,
Bourkie


QUOTE(MacDennis @ Jan 18 2006, 12:35 PM)

Well, the content of a disc isn't and probably doesn't need to be encrypted. That's up to the developer. It's also not very practical. Let's say you have a 500meg encrypted data file, where are you going to store and use the decrypted version?

Only the communication (data transfer) between console and drive seems to be encrypted. This prevents anyone eavesdropping on the communication.

MacDennis

  • Archived User
  • Newbie
  • *
  • Posts: 49
Unique 16 bytes in Xbox 360 DVD Firmware
« Reply #10 on: January 18, 2006, 05:51:00 AM »

QUOTE(bourke @ Jan 18 2006, 01:01 PM)

Exactly, but why would they care about the communication being intercepted en route to the console?

Surely this means we can still patch the media type flag before it gets encrypted? Or do you think there is code that hashes the drive firmware? Maybe we could patch any routine like that as well.
Cheers,
Bourkie

The whole talk about a media type flag is only relevant for XBE/XEX files. And we all know that we can't change those files. The media flag is in the XBE/XEX file itself. The whole drive authentication procedure is much, much more complicated than a simple 'flag'. The complete XBOX1 authentication procedure is explained in the firmware hacking thread. It isn't a matter of simply patching a few bytes in the firmware. The drive is 'locked' and needs to be unlocked by using a challenge/response procedure between console and drive. The data involved is different for each drive / disc.

Why encrypt communication? Simple. Authentication seems to be based on the XBOX1. A simple but effective way to hide this fact is to encrypt the communication this time around. Security through obscurity ..

And about the hashing of the drive firmware. Some drives / manufacturers use (simple) checksums. Some use scrambling techniques. Same story as the XBOX1 drives.

This post has been edited by MacDennis: Jan 18 2006, 01:58 PM
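Replies #6 and #10 together describe a hypothesis: the console and drive share a per-drive key, the console can write that key into a blank drive on first use, and the drive is then unlocked only by a challenge/response exchange whose data differs per drive and per disc. The model below is an added example, written for this thread; it is not Microsoft's protocol and not code from any poster. It uses HMAC-SHA256 from the Python standard library as a stand-in for the AES routine the posts mention, because what it demonstrates is key binding rather than the cipher. The console-side key, the all-zero "blank" key convention, the per-session nonce, and the disc identifier are all assumptions of the model. It shows why the drive-swap test from Replies #2 and #4 fails when each drive is keyed to one console, how Reply #6's first-use provisioning would lock a replacement drive, and, answering Bourke's question about bus sniffing, why a recorded response does not unlock the drive in a later session.

```python
"""Model of the per-drive-key challenge/response hypothesis in this thread.

Added example; not Microsoft's protocol and not code from any post. The
console-side key, the blank-key convention, the per-session nonce and the use
of HMAC-SHA256 (standard library) as a stand-in for the AES routine the posts
mention are all assumptions of this model.
"""
from __future__ import annotations

import hashlib
import hmac
import os

KEY_LEN = 16                 # size of the differing block reported in the thread
BLANK_KEY = bytes(KEY_LEN)   # assumption: an unprovisioned drive holds zeros


class Drive:
    """Drive firmware with a writable key region and a locked/unlocked state."""

    def __init__(self, key: bytes = BLANK_KEY):
        self.key = key
        self.unlocked = False

    def write_key(self, key: bytes) -> None:
        """Reply #4 notes the firmware can write the key region; model it as write-once."""
        if self.key != BLANK_KEY:
            raise PermissionError("key region already provisioned")
        self.key = key

    def respond(self, nonce: bytes, disc_id: bytes) -> bytes:
        """Answer a challenge; only a drive holding the matching key can do this."""
        mac = hmac.new(self.key, nonce + disc_id, hashlib.sha256).digest()
        return mac[:KEY_LEN]


class Console:
    """Console holding its own copy of the key (the thread's 'console kernel' copy)."""

    def __init__(self, key: bytes | None = None):
        self.key = key if key is not None else os.urandom(KEY_LEN)

    def pair(self, drive: Drive) -> None:
        """Reply #6's scenario: a keyless drive is keyed by the console on first use."""
        if drive.key == BLANK_KEY:
            drive.write_key(self.key)

    def authenticate(self, drive: Drive, disc_id: bytes,
                     nonce: bytes | None = None) -> bool:
        """Challenge/response; the challenge is fresh per session (assumption)."""
        nonce = nonce if nonce is not None else os.urandom(16)
        expected = hmac.new(self.key, nonce + disc_id, hashlib.sha256).digest()[:KEY_LEN]
        ok = hmac.compare_digest(expected, drive.respond(nonce, disc_id))
        drive.unlocked = ok
        return ok


class ReplayDrive(Drive):
    """Attacker model: a keyless drive that replays a response sniffed off the bus."""

    def __init__(self, captured: bytes):
        super().__init__()
        self.captured = captured

    def respond(self, nonce: bytes, disc_id: bytes) -> bytes:
        return self.captured


def swap_test() -> tuple[bool, bool]:
    """The '30-second test' of Replies #2 and #4: move a drive between two consoles."""
    disc = b"GAME-0001"                     # constructed disc identifier
    console_a, console_b = Console(), Console()
    drive_a, drive_b = Drive(), Drive()
    console_a.pair(drive_a)
    console_b.pair(drive_b)
    own = console_a.authenticate(drive_a, disc)       # paired drive unlocks
    swapped = console_a.authenticate(drive_b, disc)   # drive keyed to console B fails
    return own, swapped


def replay_test() -> bool:
    """Bourke's question: a recorded exchange is useless once the nonce changes."""
    disc = b"GAME-0001"
    console, drive = Console(), Drive()
    console.pair(drive)
    sniffed_nonce = os.urandom(16)
    captured = drive.respond(sniffed_nonce, disc)   # what a bus sniffer records
    return console.authenticate(ReplayDrive(captured), disc)


if __name__ == "__main__":
    print("own drive / swapped drive unlocked:", swap_test())
    print("replayed response accepted:", replay_test())
```

The model deliberately leaves out everything the thread says is unknown (the real challenge format, how the disc data enters the exchange, whether the firmware is hashed), so the only claim it makes is the one the posts make: with a key that lives in both the drive and the console, moving the drive alone cannot work, and capturing one exchange does not yield the key.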

SharkUW

  • Archived User
  • Jr. Member
  • *
  • Posts: 65
Unique 16 bytes in Xbox 360 DVD Firmware
« Reply #11 on: January 18, 2006, 06:38:00 AM »

QUOTE(MacDennis @ Jan 18 2006, 06:22 AM)

A simple but effective way to hide this fact is to encrypt the communication this time around. Security through obscurity ..


Here's to hoping they thought obscurity is actual security again.

Odb718

  • Archived User
  • Hero Member
  • *
  • Posts: 925
Unique 16 bytes in Xbox 360 DVD Firmware
« Reply #12 on: January 18, 2006, 06:47:00 AM »

Sounds like good ol' fashioned capitalism to me. I think M$ got jealous of all the eBaying of DVD drives.
Hopefully it's not locked to each individual 360, because I know a couple of people who already need replacements. I'm surprised no one with two 360s has tested this yet.


PedrosPad

  • Archived User
  • Hero Member
  • *
  • Posts: 1277
Unique 16 bytes in Xbox 360 DVD Firmware
« Reply #13 on: January 18, 2006, 07:06:00 AM »

QUOTE(Odb718 @ Jan 18 2006, 03:54 PM)

Sounds like good ol' fashioned capitalism to me. I think M$ got jealous of all the eBaying of DVD drives.
Hopefully it's not locked to each individual 360, because I know a couple of people who already need replacements. I'm surprised no one with two 360s has tested this yet.

From above:
QUOTE(MacDennis @ Jan 18 2006, 12:27 PM)
This has actually been tried already and it simply does not work.


I agree with you, Odb718: with the current generation of X360 DVD-ROM drives reputedly scratching the media discs, I can foresee a lot of replacement drives being required. (The XBOX1 PSU replacement program all over again?)

MacDennis

  • Archived User
  • Newbie
  • *
  • Posts: 49
Unique 16 bytes in Xbox 360 DVD Firmware
« Reply #14 on: January 18, 2006, 07:07:00 AM »

QUOTE(Odb718 @ Jan 18 2006, 02:54 PM)

Sounds like good ol' fashioned capitalism to me. I think M$ got jealous of all the eBaying of DVD drives.
Hopefully it's not locked to each individual 360, because I know a couple of people who already need replacements. I'm surprised no one with two 360s has tested this yet.

Did you actually read my replies? A swap has already been tested and does NOT work.
And what I was trying to say is that each drive IS actually locked to an individual console. That's why a swap does not work.