xboxscene.org forums

Pages: 1 ... 3 4 [5] 6 7 ... 9

Author Topic: Ping Limit Bypass  (Read 1782 times)

NLA

  • Archived User
  • Full Member
  • *
  • Posts: 131
Ping Limit Bypass
« Reply #60 on: February 26, 2010, 02:11:00 PM »

Quote (x_redentor @ Feb 25 2010, 02:19 PM):

Bad Company 2

archive config.zz
http://www.megaupload.com/?d=PUWC1XM4

I am Spanish

Neat. I have some time later, when I won't be JTAG'ing a Falcon; I'll give this a look. I have... many games... I'll look for some ping-related information.

Also, from the picture someone posted earlier, those look like commands to be entered into MW's console to change server variables. I'll take a look at that as well.

Rubens87

  • Archived User
  • Newbie
  • *
  • Posts: 7
Ping Limit Bypass
« Reply #61 on: March 05, 2010, 07:09:00 PM »

If this were made, I would play Resident Evil VERSUS MODE all day. :D

henno88

  • Archived User
  • Newbie
  • *
  • Posts: 5
Ping Limit Bypass
« Reply #62 on: March 11, 2010, 01:17:00 PM »

I don't think the ping limit is in the game; it must be in the Xbox system somewhere in the NAND data.
I spent much time trying to find a way to bypass this limit, but in all games with system link there is nothing to find.

So I think it goes like this:

gametype set to system link
the Xbox itself manages the connection and knows: if gametype is system link, use pinglimit = true

Rubens87

  • Archived User
  • Newbie
  • *
  • Posts: 7
Ping Limit Bypass
« Reply #63 on: March 11, 2010, 05:43:00 PM »

Yeah, then it's because the question is in the game, so if the game says Yes, then it blocks the connection with a ping limit. We'd have to patch the game then. Is it easier than patching the NAND?

henno88

  • Archived User
  • Newbie
  • *
  • Posts: 5
Ping Limit Bypass
« Reply #64 on: March 12, 2010, 02:33:00 AM »

No, I think we can't patch the game!
Because you want to play system link, so you can't change it.
The Xbox manages the connection, so the Xbox must be patched.
Also, I think you want to play more than one game, so it is easier to patch the Xbox/NAND than 100 games.

Rubens87

  • Archived User
  • Newbie
  • *
  • Posts: 7
Ping Limit Bypass
« Reply #65 on: March 14, 2010, 07:18:00 PM »

Yeah, then... how can we crack the NAND protections?

SoLovely

  • Archived User
  • Newbie
  • *
  • Posts: 15
Ping Limit Bypass
« Reply #66 on: March 15, 2010, 06:33:00 PM »

Will provide a simple C++ software bridge and some information later in case anyone is looking to bypass the ping filter via packet manipulation. I wish someone knew a bit more about how exactly the ping is found; I've only heard speculation, and making a program to beat the ping filter is too much work to go to waste over speculation.

Do you lag out if your connection begins below the limit but spikes slightly above? Or is it only really a problem while finding and joining games?

ledjohnnyboy

  • Archived User
  • Newbie
  • *
  • Posts: 26
Ping Limit Bypass
« Reply #67 on: March 16, 2010, 03:01:00 PM »

The ping only has to be under 30 ms when joining; the ping can get as high as it wants after you're connected, so we would only have to set it under 30 for 10 seconds.

SoLovely

  • Archived User
  • Newbie
  • *
  • Posts: 15
Ping Limit Bypass
« Reply #68 on: March 16, 2010, 08:03:00 PM »

In that case a ping limit bypass via packet manipulation should be relatively easy to achieve (in theory).

The way I see it, the connection times out somewhere during the initial broadcast/exchange packets (if anyone could upload some captures from Netmon or Wireshark of both successful and unsuccessful joins, we could establish exactly when it happens). The best way to beat this is a man-in-the-middle program on both ends of a connection. Allow me to demonstrate...

Xbox1 = Computer1 = (internet) = Computer2 = Xbox2
(assume each computer is running our hypothetical program)

Bored User1 is sitting at home and decides he wants to play some games over the web. Unfortunately, he just lost his job, so no Xbox Live service, and consequently he had to downgrade his internet package to the point that his ping to nearly everyone makes him unable to connect. So he boots up his Xbox1 and Computer1, which is connected to his Xbox, and launches our software. The software is, in essence, a software bridge that receives data on one NIC, either leaves it untouched or edits it somehow, and forwards it out of the other.

After the program fires up and User1 has chosen his two NICs, he goes into the system link lobby and searches for games, which causes Xbox1 to begin sending out some broadcast packets seeking a game, and Computer1 forwards these packets as they come. Just as happens regularly, these packets go across the virtual LAN, all available hosts respond, etc., etc., up until the point that User1 decides to join one of the games now populating his screen.

As User1 joins User2's game (what a coincidence!), Xbox1 creates a key exchange packet and sends it out. The software on Computer1 receives this packet but does not forward it, instead creating a generic packet that requests a connection to Computer2. Quickly, the software on Computer1 creates a fake key exchange response and sends it to Xbox1, establishing the secret key between them (DH, the algorithm used in key generation, is extremely susceptible to MITM, which makes this possible). Upon receiving the generic connection request packet, Computer2 does the same for Xbox2. Each computer has established an encrypted and hashed connection between it and its respective Xbox, and in a time far faster than would be regularly possible by sending the exchange packets over the network, so the connection passes the ping limit.

Now to communicate, Xbox1 sends out a packet which is received by Computer1, stripped of its hash and decrypted using Xbox1's negotiated key, sent over the network to Computer2 where it is hashed and encrypted using Xbox2's negotiated key, and sent out to Xbox2 (this process is done both ways).

It's not perfect, and definitely just a simple outline, but it pans out conceptually and you get the idea. The hashing and encrypting seem like they would take a lot of time, but I'm predicting no more than 20 ms overhead. Still working on that bridge :) not very good at programming and didn't know C++ till this morning. Once that's set up we'll have a platform to manipulate packets from.

The only really glaring problem is that the exact way the broadcast and exchange packets work is somewhat blurry at this point; specifics are not mentioned in the Xbox or 360 SDK, there's not any particularly useful information in the winsockx.h file, and the Netmon parser can only tell us packet layouts and not implementation. Either someone reverse engineers... well, whatever controls the Xbox's network security, or we're left to do a lot of guess-and-check work based on what very little we know, and that is, in all honesty, extremely unlikely to succeed.

Anyways… just my perspective on the issue. Tell me if you see any other problems.

InvidiousDemise

  • Archived User
  • Full Member
  • *
  • Posts: 118
Ping Limit Bypass
« Reply #69 on: April 03, 2010, 05:34:00 AM »

The technicalities of this are beyond my means, but I do have something I think a lot of people don't have: I have the ability to test independently. If anyone wants to get with me and give me instructions on tests to run, please don't hesitate. 318-277-9343 is my Google number.

I have 2 separate internet connections in the same room with 2 separate computer/xbox setups.

1 of my consoles is jtagged, the other is not.

I just got Kai running on both computers and managed to get to a point where I could see the lobby for a game of Halo 3. I think my ping was too high to play, unfortunately (I'm trying to set up Kai for my university, but that's another topic).

Rubens87

  • Archived User
  • Newbie
  • *
  • Posts: 7
Ping Limit Bypass
« Reply #70 on: April 06, 2010, 05:04:00 AM »

It's nice how ideas are coming every day. I hope someday we all can play games without paying for Live or shit! :D

SoLovely

  • Archived User
  • Newbie
  • *
  • Posts: 15
Ping Limit Bypass
« Reply #71 on: April 11, 2010, 12:53:00 PM »

New developments, kind of.

QoS packets aren't really important, but they are actually hashed and encrypted with some preshared key that every Xbox must know, since there's no exchange preceding them. They contain state data for the available session (i.e. number of players, room status, gametype, map, etc.).

A comparison of key ex request packet payloads looks like this:

[image not archived: comparison of key exchange request packet payloads]

I'll post more later

10camaross

  • Archived User
  • Newbie
  • *
  • Posts: 17
Ping Limit Bypass
« Reply #72 on: April 13, 2010, 01:44:00 PM »

Any progress is good progress.

theninjaway

  • Archived User
  • Jr. Member
  • *
  • Posts: 54
Ping Limit Bypass
« Reply #73 on: April 17, 2010, 10:00:00 AM »

The new release of FreeBoot has memory editing; is that going to help efforts?

SoLovely

  • Archived User
  • Newbie
  • *
  • Posts: 15
Ping Limit Bypass
« Reply #74 on: April 20, 2010, 10:06:00 PM »

I have an English paper and a Government project due tomorrow, so procrastination dictates that I must now come and write up a lengthy paragraph detailing what we know thus far. Let's get into it.

The 360's SDK comes with a netmon parser for the Xbox's Secure Protocol (henceforth, XSP). This gives us a good bit of insight into how everything works, far deeper than the intentionally sheltered and cryptic 360 whitepapers and the outdated but more liberal original Xbox whitepapers (it looks like the person making the parser didn't get the don't-reveal-things-important-to-security memo).

I think I laid out the attack in an earlier post, so I won't go into it much here. Pretty much you're setting up a MITM between the client and the host on a local machine. This MITM acts as a bridge between the two connections, but spoofs two key exchanges on either side of the wire, so the exchange appears to have "traversed the network" in no time at all to your console. This is assuming the ping limitation is dependent on the DH exchange itself. Someone told me that. If they're wrong, blame them. Alternatively, someone could just check it: make a capture of a game that doesn't connect. If the data in the last packet after you try to join begins with 00 00 00, we're all good. But I think we're all good. So no worries.

So this key exchange, exactly what the fuck is in it, you ask? What do we need to do? Isn't DH mega exploitable to MITM? Shouldn't this be easy? Good questions. I don't really know the answers. What do we know so far? We know that from the exchange, at least two keys are decided upon: the DES key for encryption and the HMAC-SHA-1 key for authentication. We know that the exchange is Diffie-Hellman. We know what the exchange packets look like and the data fields they contain. We don't exactly know how the keys are decided. We think there is a universal key that all Xboxes already know when on LAN, which would explain encrypted state data sent during QoS probing on system link. We also think there may be some kind of per-title key (according to the SDK), though we're not sure why or its relevance in all of this. We know what a regular XSP packet looks like and, if we can obtain the keys, how to encrypt and hash the data (laid out in the original SDK article "Secure Sockets", I believe). We have a simple software platform ready for future development. It probably sucks pretty bad.

Oh well. With all of that said, all we need to do is figure out how to get keys out of the exchange to get this up and running.

The Exchange packet fields go about like this for anyone trying to figure this out (direct from parser):

Spi //presumably security parameter index, used to decide what the packet is

Key Ex V1 Request To Xbox Using System Link
>Type
>Size
>Version
>Retry
>Flags
>Key ID
>>Systemlink Xnkid //Xbox key ID, kind of gives a name to the session if I remember correctly
>SpiInit
>SpiResp
>NonceInit
>NonceResponse
>Time
>InitVector
>XnAddrInit: Encrypted Xnaddr //xbox address optimized for xbox I think. Pretty clearly laid out in whitepapers if you really want to know
>XnAddrResp: Encrypted Xnaddr

Diffie Hellman G^x Value
>Type
>Size
>GXValue

HMAC Sha Value
>Type
>Size
>HMACSha

So, if you have any insight as to how all of this should work given this data, feel free to share. Frankly, I don’t right now. Of course, I haven’t put very much time into it, so that’s not really surprising. I’ll do some research after APs I guess. If you need anything else, just say the word. Happy manipulating.
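As an added example, not code from this thread, from SoLovely's bridge, or from any Xbox SDK, the following Python models the two-sided exchange sketched in replies #68 and #74: each computer terminates its own Xbox's Diffie-Hellman exchange on the LAN, so the exchange never crosses the internet link, then relays traffic by checking the HMAC and decrypting with one negotiated key and re-encrypting and re-MACing with the other. Everything about the real XSP is assumed or substituted: the exchange is unauthenticated DH unless a pre-shared key is supplied (the real verification rule is not known to the thread), the session key is SHA-1 of the shared secret (a stand-in KDF), per-packet integrity is HMAC-SHA-1 as the poster describes, encryption is an HMAC-derived keystream XOR standing in for the DES the poster mentions (DES is not in the Python standard library), and the packet layout nonce || ciphertext || tag is invented for the demo.

```python
"""Toy model of Xbox1 = Computer1 = (internet) = Computer2 = Xbox2 with the
bridge terminating both key exchanges. Added example; the group, KDF, cipher
stand-in and packet layout are demo assumptions, not the real XSP design."""
import hashlib
import hmac
import os
import secrets

# 1024-bit MODP prime and generator from RFC 2409 (group 2); demo only.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF", 16)
G = 2
ELEM = 128  # bytes in a serialised group element


class Endpoint:
    """One party of the exchange: an Xbox, or the bridge's side facing it."""

    def __init__(self, psk=None):
        self.x = secrets.randbelow(P - 2) + 1   # private exponent
        self.gx = pow(G, self.x, P)             # public value g^x
        self.psk = psk                          # optional exchange-auth key (assumed)
        self.key = None                         # negotiated session key

    def offer(self):
        """'Diffie Hellman G^x Value' plus an 'HMAC Sha Value' over it.
        Without a psk the tag is empty: the exchange is unauthenticated."""
        gx = self.gx.to_bytes(ELEM, "big")
        tag = hmac.new(self.psk, gx, hashlib.sha1).digest() if self.psk is not None else b""
        return gx, tag

    def accept(self, peer_gx, peer_tag):
        """Verify the peer's offer if a psk is expected, then derive the key."""
        if self.psk is not None:
            want = hmac.new(self.psk, peer_gx, hashlib.sha1).digest()
            if not hmac.compare_digest(want, peer_tag):
                raise ValueError("key exchange HMAC check failed")
        shared = pow(int.from_bytes(peer_gx, "big"), self.x, P)
        self.key = hashlib.sha1(shared.to_bytes(ELEM, "big")).digest()  # toy KDF


def exchange(a, b):
    """Run one exchange; both endpoints end up with the same key."""
    ga, ta = a.offer()
    gb, tb = b.offer()
    a.accept(gb, tb)
    b.accept(ga, ta)
    return a.key == b.key


def _keystream(key, nonce, n):
    # HMAC-SHA-1 in counter mode as a stand-in for DES (not in the stdlib).
    blocks = (hmac.new(key, nonce + c.to_bytes(4, "big"), hashlib.sha1).digest()
              for c in range((n + 19) // 20))
    return b"".join(blocks)[:n]


def seal(key, plaintext):
    """Encrypt then MAC: nonce || ct || HMAC-SHA-1(nonce || ct)."""
    nonce = os.urandom(8)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha1).digest()


def open_packet(key, packet):
    """Check the MAC, then decrypt; raises on a bad tag."""
    nonce, ct, tag = packet[:8], packet[8:-20], packet[-20:]
    if not hmac.compare_digest(hmac.new(key, nonce + ct, hashlib.sha1).digest(), tag):
        raise ValueError("packet HMAC check failed")
    return bytes(c ^ k for c, k in zip(ct, _keystream(key, nonce, len(ct))))


def mitm_session(message, xbox_psk=None, bridge_psk=None):
    """Each computer terminates its Xbox's exchange locally, then relays
    re-keyed traffic. Returns (what Xbox2 decrypts, what the bridge saw in
    the clear, whether the two Xboxes share a key, which they should not)."""
    xbox1, xbox2 = Endpoint(xbox_psk), Endpoint(xbox_psk)
    comp1, comp2 = Endpoint(bridge_psk), Endpoint(bridge_psk)
    exchange(xbox1, comp1)   # raises if Xbox1 rejects the bridge's forged offer
    exchange(xbox2, comp2)
    # Xbox1 -> Computer1 (open with key 1) -> internet -> Computer2 (reseal, key 2) -> Xbox2
    in_clear = open_packet(comp1.key, seal(xbox1.key, message))
    delivered = open_packet(xbox2.key, seal(comp2.key, in_clear))
    return delivered, in_clear, xbox1.key == xbox2.key


if __name__ == "__main__":
    print(mitm_session(b"join request (constructed sample)"))
```

Three cases are worth running: with no authentication on the exchange the relay works and the bridge reads every packet in the clear; with a universal pre-shared key that every console knows (the "all Xboxes already know" hypothesis above) it still works, because the bridge knows the key too; with a key the bridge does not have (a per-title key) the Xbox rejects the forged offer and the whole scheme fails at the exchange, which is exactly the unknown the thread keeps coming back to.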