xboxscene.org forums


Author Topic: Ping Limit Bypass  (Read 1535 times)

kevinlekiller

  • Archived User
  • Full Member
  • *
  • Posts: 140
Ping Limit Bypass
« Reply #90 on: May 11, 2010, 12:44:00 PM »

I have a jtag'd 360 if you guys need someone to try to connect to for testing ( if it helps ).

SoLovely

  • Archived User
  • Newbie
  • *
  • Posts: 15
Ping Limit Bypass
« Reply #91 on: May 12, 2010, 06:13:00 PM »

Forgot to post :3

Anyways, yeah, probably doable through nand modification and it'd be good to get that up and running even if everyone can't do it; packet manipulation method will inflict some lag, more so if your computer isn't that fast or you're arp cache poisoning to get packets.

But back to packet manipulation. Happened upon some information as I had said. Outdated but probably still applicable. All I need to COMPLETE the program is two keys. The first key is in the nand, perhaps going by something like LAN key, should be the same across every xbox console, not really sure about length. The second key is on whichever game disk that we decide to use (Oh, and for testing's sake, what game should we use? Any preference? PGR3 is like five bucks used at most gamestops but I think most everyone owns a copy of halo 3).

So...
uh...
yeah...

Get me those keys and I could probably have a working prototype for people with two nics up in about two weeks with source for improvements seeing as I'm not really a programmer.

kevinlekiller

  • Archived User
  • Full Member
  • *
  • Posts: 140
Ping Limit Bypass
« Reply #92 on: May 12, 2010, 07:12:00 PM »

I've got halo 3 , but can buy pgr3 if testing both would help.

SoLovely

  • Archived User
  • Newbie
  • *
  • Posts: 15
Ping Limit Bypass
« Reply #93 on: May 12, 2010, 07:24:00 PM »

Eh, h3 is good. Doesn't really matter, we'll have to have some kind of list of every key for every game at some point anyways.

warwolf

  • Archived User
  • Newbie
  • *
  • Posts: 9
Ping Limit Bypass
« Reply #94 on: May 12, 2010, 11:35:00 PM »

I don't think the keys are all the same m8...LAN encryption uses the Diffie-Hellman key exchange, which isn't sent through the network, it's calculated given some numbers, and I can't think of a better way of finding the key other than bruteforcing the hell out of it, by giving it values from 1 to p (which is pretty big), or you can think about it a little more and see what values it can take and lower the number of options, but I think bruteforcing should only be used in a one in a lifetime experimental use :)

SoLovely

  • Archived User
  • Newbie
  • *
  • Posts: 15
Ping Limit Bypass
« Reply #95 on: May 13, 2010, 06:49:00 AM »

Read back a few pages. DH is susceptible to MITM attacks, and there's no way for the xbox to authenticate to another because, on system link, the two consoles are only able to see each other. To counteract this, the xbox generates a key based off of a universal xbox key and a per game title key. Every xbox playing the same game will generate the same symmetric key. This key is used to encrypt and authenticate the DH exchange packets, which makes MITMing, which would otherwise be pretty easy, impossible without knowing those shared keys.
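
Added illustration (not code from the thread) of the authenticated exchange SoLovely describes: a symmetric key derived from the LAN key and the title key authenticates each DH packet, so a request whose g^x was swapped in transit fails verification and is dropped, while two consoles holding the same keys end up with the same session key. The group parameters, the KDF, the packet layout and the HMAC choice are assumptions made for the demo, not the console's real ones.

```python
import hashlib
import hmac
import os

# Toy group for the demo; constructed, NOT the console's real parameters.
P = 2**127 - 1
G = 3
TAG_LEN = 32

def exchange_key(lan_key, title_key):
    """Symmetric key shared by every console running the same title
    (assumed KDF; the post only says both keys feed into it)."""
    return hashlib.sha256(b"lan|" + lan_key + b"|title|" + title_key).digest()

def make_packet(k_auth, priv, nonce):
    """g^priv mod P plus a nonce, authenticated with an HMAC under k_auth."""
    body = pow(G, priv, P).to_bytes(16, "big") + nonce
    return body + hmac.new(k_auth, body, hashlib.sha256).digest()

def open_packet(k_auth, pkt):
    """Return (pub, nonce) if the tag verifies, else None (packet dropped)."""
    body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
    expect = hmac.new(k_auth, body, hashlib.sha256).digest()
    if not hmac.compare_digest(expect, tag):
        return None
    return int.from_bytes(body[:16], "big"), body[16:]

def session_key(priv, peer_pub, nonce_a, nonce_b):
    """Session key from the DH shared secret and both nonces (assumed KDF)."""
    shared = pow(peer_pub, priv, P).to_bytes(16, "big")
    return hashlib.sha256(shared + nonce_a + nonce_b).digest()

def run_exchange(lan_key, title_key, substitute=False):
    """Client -> host request, host -> client response. With substitute=True
    the client's g^x is replaced in transit while the old tag is kept.
    Returns (client_key, host_key), or None when the host rejects the request."""
    k = exchange_key(lan_key, title_key)
    rnd = lambda: int.from_bytes(os.urandom(15), "big") + 2
    x, y, n_a, n_b = rnd(), rnd(), os.urandom(8), os.urandom(8)
    req = make_packet(k, x, n_a)
    if substitute:
        req = pow(G, rnd(), P).to_bytes(16, "big") + req[16:]
    opened = open_packet(k, req)
    if opened is None:
        return None
    x_pub, n_a_seen = opened
    resp = make_packet(k, y, n_b)
    host_key = session_key(y, x_pub, n_a_seen, n_b)
    y_pub, n_b_seen = open_packet(k, resp)
    return session_key(x, y_pub, n_a, n_b_seen), host_key
```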

InvidiousDemise

  • Archived User
  • Full Member
  • *
  • Posts: 118
Ping Limit Bypass
« Reply #96 on: May 14, 2010, 10:40:00 PM »

so basically we need to find what mechanism creates these keys and circumvent it?

thesonandheir

  • Archived User
  • Full Member
  • *
  • Posts: 165
Ping Limit Bypass
« Reply #97 on: May 15, 2010, 04:47:00 AM »

QUOTE(SoLovely @ May 15 2010, 06:15 AM)

I'll break it down mad simplified for you.

Xbox sends message to host Xbox. Message contains g^x mod p value for DH and some other information needed for the connection (nonces, addresses, nothing you need to worry about). This packet is authenticated with a key created from another key located locally on the xbox (henceforth LAN key) and a per-game title key. Every xbox game console running the same xbox game will generate the same key.

The host Xbox receives and validates the request packet using the aforementioned key, generates its g^y mod p value and derives the secret key for the session from the DH value sent. It then creates and authenticates its own (similar) response and sends it back to the other xbox.

The other xbox receives and checks the validity of the response, and then derives the secret key from the DH value sent.

I was going to explain how the attack was going to work, but I believe I wrote all of that on another page and it's pointless to expand upon that area now because all I need is the LAN key and I can finish this whole thing by my lonesome. So, could anyone work on getting me that key?

Please?

:3


Can I just refer you to this thread on XBH?

http://www.xboxhacke...?topic=14581.20


Post by xxANTMANxx
QUOTE

enum IMAGEKEYS {
    ResourceInfo                = 0x000002FF,
    BaseFileFormat              = 0x000003FF,
    BaseReference               = 0x00000405,
    DeltaPatchDescriptor        = 0x000005FF,
    BoundingPath                = 0x000080FF,
    DeviceId                    = 0x00008105,
    OriginalBaseAddress         = 0x00010001,
    EntryPoint                  = 0x00010100,
    ImageBaseAddress            = 0x00010201,
    ImportLibraries             = 0x000103FF,
    ChecksumTimestamp           = 0x00018002,
    EnabledForCallcap           = 0x00018102,
    EnabledForFastcap           = 0x00018200,
    OriginalPEName              = 0x000183FF,
    StaticLibraries             = 0x000200FF,
    TLSInfo                     = 0x00020104,
    DefaultStackSize            = 0x00020200,
    DefaultFilesystemCacheSize  = 0x00020301,
    DefaultHeapSize             = 0x00020401,
    PageHeapSizeAndflags        = 0x00028002,
    SystemFlags                 = 0x00030000,
    ExecutionID                 = 0x00040006,
    ServiceIdList               = 0x000401FF,
    TitleWorkspaceSize          = 0x00040201,
    GameRatings                 = 0x00040310,
    LANKey                      = 0x00040404,
    Xbox360Logo                 = 0x000405FF,
    MultidiscMediaIDs           = 0x000406FF,
    AlternateTitleIDs           = 0x000407FF,
    AdditionalTitleMemory       = 0x00040801,
    ExportsByName               = 0x00E10402
};

struct OptionalHeaderEntry {
    IMAGEKEYS ID;
    DWORD     Data; // Data or Offset to Data
};

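
Added example (not code from the thread, from xxANTMANxx's post, or from any xex tool): walking a table of OptionalHeaderEntry records keyed by the IDs above to pull the LANKey blob out of an image. The header blob here is a constructed sample rather than a real XEX, the key bytes are placeholders, and the rule for the low byte of the ID (0x01 = value stored inline in the entry, 0xFF = length-prefixed data at the offset, otherwise a count of DWORDs at the offset) is an assumption drawn from the "Data or Offset to Data" comment.

```python
import struct

# Key IDs copied from the enum posted above (subset)
LANKEY = 0x00040404
TITLE_WORKSPACE_SIZE = 0x00040201
ORIGINAL_PE_NAME = 0x000183FF

def entry_kind(key):
    """Assumed decoding of the ID's low byte: ('inline', 4), ('prefixed', None)
    or ('fixed', byte_count). LANKey has low byte 0x04, i.e. 4 DWORDs = 16 bytes."""
    low = key & 0xFF
    if low == 0x01:
        return "inline", 4
    if low == 0xFF:
        return "prefixed", None
    return "fixed", low * 4

def parse_optional_headers(blob, count, table_off):
    """Read `count` big-endian {ID, Data} pairs at table_off (the 360 is
    big-endian). Returns {key: (kind, value_or_bytes)}."""
    out = {}
    for i in range(count):
        key, data = struct.unpack_from(">II", blob, table_off + 8 * i)
        kind, size = entry_kind(key)
        if kind == "inline":
            out[key] = (kind, data)
        elif kind == "fixed":
            out[key] = (kind, blob[data:data + size])
        else:  # first DWORD at the offset is the total length, itself included
            (length,) = struct.unpack_from(">I", blob, data)
            out[key] = (kind, blob[data + 4:data + length])
    return out

def build_sample():
    """Constructed sample: 3 entries, table at offset 0, data right after it."""
    lan_key = bytes(range(0x10, 0x20))        # placeholder key bytes, constructed
    pe_name = b"sample.exe\0"
    lan_off = 8 * 3
    name_off = lan_off + len(lan_key)
    table = struct.pack(">II", LANKEY, lan_off)
    table += struct.pack(">II", TITLE_WORKSPACE_SIZE, 0x00400000)
    table += struct.pack(">II", ORIGINAL_PE_NAME, name_off)
    name_blob = struct.pack(">I", 4 + len(pe_name)) + pe_name
    return table + lan_key + name_blob, 3

def find_lan_key(blob, count, table_off=0):
    """Hex of the per-title LANKey blob, or None if the image carries none."""
    entry = parse_optional_headers(blob, count, table_off).get(LANKEY)
    return entry[1].hex() if entry else None
```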

SoLovely

  • Archived User
  • Newbie
  • *
  • Posts: 15
Ping Limit Bypass
« Reply #98 on: May 15, 2010, 07:50:00 PM »

Sorry about being so lazy guys. I'll get started on making the program; even without the needed keys, I have enough to get well over ninety percent of it done :P and hey, APs are done with, so I have about four periods a day to work on it on paper.

@kevin: Nope, I'm actually good at this point. I really do appreciate the enthusiasm though

@thesonandheir: I don't really know what all of that means :P I started this project (well, a general online manipulation project) about a year back with absolutely no knowledge on the subject, and I've just read up on C++ over spring break so not very good on the programming side of things. But Anthony said that those are optional headers for xex files, so maybe that's the per title lan key?

twinillusion

  • Archived User
  • Newbie
  • *
  • Posts: 3
Ping Limit Bypass
« Reply #99 on: May 15, 2010, 08:04:00 PM »

QUOTE(SoLovely @ May 15 2010, 09:50 PM)

Sorry about being so lazy guys. I'll get started on making the program; even without the needed keys, I have enough to get well over ninety percent of it done :P and hey, APs are done with, so I have about four periods a day to work on it on paper.

@kevin: Nope, I'm actually good at this point. I really do appreciate the enthusiasm though

@thesonandheir: I don't really know what all of that means :P I started this project (well, a general online manipulation project) about a year back with absolutely no knowledge on the subject, and I've just read up on C++ over spring break so not very good on the programming side of things. But Anthony said that those are optional headers for xex files, so maybe that's the per title lan key?



So I spent today learning about xkai and lanning xboxes online and whatnot and ran into the 30ms problem and then came here to read the 8 pages before us. I created an account on here just to say thanks and I'm looking forward to seeing the end result of your endeavor.

twinillusion

  • Archived User
  • Newbie
  • *
  • Posts: 3
Ping Limit Bypass
« Reply #100 on: May 19, 2010, 04:29:00 PM »

SoLovely,

You still working on this?  Any way I can help?

theninjaway

  • Archived User
  • Jr. Member
  • *
  • Posts: 54
Ping Limit Bypass
« Reply #101 on: May 19, 2010, 08:59:00 PM »

You guys are moving along nicely, you're doing a good job, keep it up!

BrooksyX

  • Archived User
  • Sr. Member
  • *
  • Posts: 252
Ping Limit Bypass
« Reply #102 on: May 19, 2010, 11:36:00 PM »

QUOTE(theninjaway @ May 19 2010, 07:59 PM)

You guys are moving along nicely, you're doing a good job, keep it up!


Yeah this is some interesting stuff. Looking forward to see how this project turns out.

ssneeky

  • Archived User
  • Newbie
  • *
  • Posts: 9
Ping Limit Bypass
« Reply #103 on: May 20, 2010, 02:25:00 PM »

umm xex tool should show you the LAN key for each title

SoLovely

  • Archived User
  • Newbie
  • *
  • Posts: 15
Ping Limit Bypass
« Reply #104 on: May 21, 2010, 03:34:00 PM »

Checking in.

Right now I'm making a sort of... well, dichotomous key I guess for the packets based on the Netmon parser that comes with releases of the 360 SDK and the packet layouts given in the original xbox SDK. Essentially, this breaks down packets and decides what to do with them, discerning between the actions to execute on an exchange packet versus a basic UDP packet. Simple as it sounds really, but kind of required some planning to get started right. I need to get everything ready for the final product now, which I really should have been doing months ago since I've known most of this part of the program for ages. It's kind of up to me to get this done at this point. And we'll see if my hypothesis on the keys is right or wrong (and, if it's wrong, we can still reuse most of the program anyways).

Still need that console key though :P I found this on XH, and I guess what I'm looking for would probably be in the KV, one of the three keys common to all boxes? I'm really terrible at any inside-of-the-xbox stuff; if I knew PPC assembly, I could have just reverse engineered the key exchange process without doing tons of abstract research and speculation. Thanks for your support and any help guys. Off to work on the program, be back with any progress and feel free to ask questions about anything.