QUOTE(santium @ Oct 20 2005, 10:13 AM)
I was looking through my EEPROM. There are 2 keys. (Well, there are more, but I'm concentrating on these 2.) One is the LAN key, which syslink uses. (Games send the signature to the host box before signing packets.)
And the other is called a Live key. I intercepted Halo 2 packets. The first packet it sends is the key telling Xbox Live the Xbox's signature. After that, every other packet is signed using this key.
I hope this research helps.
Not quite.
The first packet sent by a client to a server in a syslink connection contains nothing more than a nonce (a random unique ID). The server (who receives the nonce) generates the public parameters for the DH authentication and sends that to the client. I have to look at this again, but I'm pretty sure that is the order.
Definitely true:
The key is generated using the Diffie-Hellman algorithm between the two Xboxes. It's different every session. If we could modify these packets, then we could set up a man-in-the-middle attack on system link. Live is a whole other story.
However, the first thing we need to do is figure out how every packet is authenticated. The last 10 bytes of every packet are the XHash of the packet, which is a cryptographically signed hash. Who knows what it is.
As well, when the client and server agree on a key with DH, they use it to generate a table of keys (not just one), and then the header of each packet gives an index into the table for which key to use for encrypting the packets. Who knows how they generate these keys; it might be something as simple as, given key1, key2 = des(key1), key3 = des(key2), etc.
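To make the session shape described above concrete, here is an added Python model (example code written for this page, not code from the thread and not the console's own implementation). It follows the steps the reply lays out: the client opens with a nonce, the server supplies DH values, both ends derive a table of keys from the shared secret, and every packet carries a key index in its header and a 10-byte tag at its end. Everything about how the keys and tag are computed is an assumption made for the example: the RFC 3526 2048-bit MODP group, HMAC-SHA256 for the key table and the tag, an 8-entry table and a 16-byte nonce. The post itself only guesses at those details.

```python
import hashlib
import hmac
import secrets

# Assumption for this example: the RFC 3526 2048-bit MODP group (group 14).
# The thread does not say which group the console uses.
P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE45B3DC2007CB8A163BF05"
    "98DA48361C55D39A69163FA8FD24CF5F83655D23DCA3AD961C62F356208552BB"
    "9ED529077096966D670C354E4ABC9804F1746C08CA18217C32905E462E36CE3B"
    "E39E772C180E86039B2783A2EC07A28FB5C55DF06F4C52C9DE2BCBF695581718"
    "3995497CEA956AE515D2261898FA051015728E5A8AACAA68FFFFFFFFFFFFFFFF",
    16,
)
G = 2

NONCE_LEN = 16       # assumed size of the client's opening nonce
KEY_TABLE_SIZE = 8   # assumed number of entries in the derived key table
TAG_LEN = 10         # mirrors the post's "last 10 bytes of every packet"


def client_hello():
    """Step 1, client -> server: nothing but a random nonce."""
    return secrets.token_bytes(NONCE_LEN)


def dh_keypair():
    """Generate a private exponent and the public value g^x mod p."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)


def dh_shared_secret(priv, peer_pub):
    """Compute peer_pub^priv mod p, refusing degenerate public values (0, 1, p-1)."""
    if not 2 <= peer_pub <= P - 2:
        raise ValueError("invalid DH public value")
    return pow(peer_pub, priv, P)


def derive_key_table(shared, nonce, n=KEY_TABLE_SIZE):
    """Expand the DH secret into n 16-byte keys.

    HMAC-SHA256 keyed by the nonce is an assumption made for this example; the
    post only speculates (des(key1), des(key2), ...) about what the console does.
    """
    secret_bytes = shared.to_bytes((P.bit_length() + 7) // 8, "big")
    prk = hmac.new(nonce, secret_bytes, hashlib.sha256).digest()
    return [
        hmac.new(prk, b"key" + bytes([i]), hashlib.sha256).digest()[:16]
        for i in range(n)
    ]


def seal_packet(table, key_index, payload):
    """Build header(index) || payload || tag.

    The tag covers the header as well, so a peer cannot silently re-point a
    packet at a different table entry without the tag failing.
    """
    header = bytes([key_index])
    body = header + payload
    tag = hmac.new(table[key_index], body, hashlib.sha256).digest()[:TAG_LEN]
    return body + tag


def open_packet(table, packet):
    """Return the payload if the trailing tag verifies under the header's key, else None."""
    if len(packet) < 1 + TAG_LEN:
        return None
    key_index = packet[0]
    if key_index >= len(table):
        return None
    body, tag = packet[:-TAG_LEN], packet[-TAG_LEN:]
    expected = hmac.new(table[key_index], body, hashlib.sha256).digest()[:TAG_LEN]
    if not hmac.compare_digest(tag, expected):
        return None
    return body[1:]


def run_session(payload=b"constructed game state update"):
    """Run one session on both sides and report what each end derived and accepted."""
    nonce = client_hello()                         # 1. client -> server: nonce
    s_priv, s_pub = dh_keypair()                   # 2. server picks DH values
    c_priv, c_pub = dh_keypair()                   #    client answers with its own
    client_table = derive_key_table(dh_shared_secret(c_priv, s_pub), nonce)
    server_table = derive_key_table(dh_shared_secret(s_priv, c_pub), nonce)
    pkt = seal_packet(client_table, 3, payload)    # 3. header names key #3
    return {
        "tables_match": client_table == server_table,
        "received": open_packet(server_table, pkt),
        # constructed tampering cases: swap the key index, or flip a payload byte
        "tampered_index_rejected": open_packet(server_table, bytes([5]) + pkt[1:]) is None,
        "tampered_body_rejected": open_packet(server_table, pkt[:1] + b"X" + pkt[2:]) is None,
    }


if __name__ == "__main__":
    print(run_session())
```

The model has the same gap the reply points at: nothing binds the DH values to either console, so the derived table is only as trustworthy as the exchange that produced it. A defender reviewing such a design would want the DH values signed with a per-device key (the quoted post mentions such keys in the EEPROM) and the key index authenticated along with the payload, which is why `seal_packet` includes the header under the tag.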