xboxscene.org forums

OG Xbox Forums => Software Forums => Xbox Homebrew Software => Topic started by: delphaeus on September 22, 2003, 08:12:00 PM

Title: Barriers To The Homebrew Software Developer
Post by: delphaeus on September 22, 2003, 08:12:00 PM
You can sign it with any key, really, but a stock XBox will only load executables signed using MS's private key.

Secondly, the header contains a SHA-1 hash (checksum) of every section (code, bundled files, etc) in the XBE.  If any of these checksums don't match, the XBox won't load it.

Thirdly, the header also contains a set of flags that say what medium the XBE is allowed to run off of.  If it doesn't match, it won't run it.  There are flags in there for media types such as DVD-Rs, CD-RWs, the hard drive, network, USB dongles, etc. -- but, of course, all retail games have their flags set to only run off a commercially pressed single or double layer DVD.

(A quick diversion regarding your second question -- the DVD is mostly like a PC CD-ROM, it just won't read CD-Rs.  There are three models used -- nearly all will read DVD-R and CD-RW just fine, most will read DVD-RW, and one will read DVD+R if I remember correctly.)

So -- 2048-bit RSA signing is computationally infeasible to crack with present technology, so we can't reverse engineer MS's key with which to sign our own executables.  This also means we can't modify an existing XBE (such as one taken from a retail game), because modifying the code section would require updating the hash in the header, and updating the hash requires resigning the XBE.  (This is also how MS prevents "easy" piracy -- even if you made a perfect bit-for-bit copy of the Halo game files to DVD-R, the XBE is set to only allow running from a pressed DVD, and you can't change that flag without -- you guessed it -- resigning.)

In order to get around this, we take a copy of the stock XBox BIOS and reverse engineer it so that it ignores the digital signature.  (Regarding the legality of this, if a BIOS was made to only run _unsigned_ code, that'd be legal, as are BIOSes that act like a normal PC's BIOS for the purposes of booting Linux.  However, most hacked BIOSes out there are set to just ignore it entirely, thus allowing piracy, and therefore are in a gray area of the law thanks to the DMCA.)

The question then is, how do we get that BIOS onto the machine and get it to use it instead of the stock XBox BIOS?  There are two ways.

1) Open the XBox and install a modchip.  The modchips come in two forms: the early "29-wire" generation are actual EEPROMs/Flash ROMs that go in place of the old ROM chip, and the newer third-gen chips are more complex devices that sit on the LPC system bus used to talk to the ROM, emulating the chip.  Both are permanent installations.

But you'd more likely be interested in:

2) Use an exploit (a poorly written part of a retail game or the XBox Dashboard that's vulnerable to attack) to "crash" the XBox and hijack its CPU, allowing you to run your own code.  Use that code to write a new BIOS into RAM and warm reboot into it.  The XBox remains stock, and the new BIOS disappears as soon as you turn the power off.

This second option is called the savegame exploit, and there's two games that work with it: 007: Agent Under Fire and MechAssault.  (You'll hear them referred to as the Habibi and Free-X exploits, named after the people who found them.)  The code that's used to do the BIOS write and reboot is called the Phoenix BIOS Loader.

So, you can do it.  You'll need to create your recipe manager in XBE format.  You'll then take the files needed for Phoenix and for the Habibi or FreeX exploit, and add in a BIOS.  Put them together on your PC into a single savegame, and get it on your XBox using a PC-writable memory card such as a Mega-X-Key or an Action Replay.  Then just start up the game and load your hacked savegame, the XBox will "crash" and show the Phoenix logo, and then your recipe manager will start.  In this case, since you're using it as an alternate purpose for the XBox instead of a method for copyright infringement, it's perfectly legal...

... except for actually creating the XBE.  There's a difficulty here.  There's two ways to create an XBE.  The first is to use MS's XBox Development Kit (often shortened to XDK).  The problem is that MS will only sell the XDK to game developers, and they charge a considerable amount for it.  So, they likely wouldn't sell it for the purposes of making a recipe manager, and even if they did, you'd be looking at thousands of dollars.

Furthermore, although it may be legal to run unsigned XBEs (that don't in and of themselves break the law by bypassing copyright protection, of course), actually creating an XBE without a valid license for the XDK is illegal.  To this end, there's a group of dedicated coders creating the OpenXDK, which allows you to create perfectly legal XBEs.  However, they've only gotten the basics done, and to use OpenXDK requires a fairly in-depth knowledge of a PC's internals (i.e. how to use a VGA video buffer, etc.) -- and XBEs produced with the OpenXDK are very picky about how they're run and with what BIOS.  So, nearly all homebrew software out there is produced using pirated copies of the XDK and released anonymously through various channels, and no websites will put them up for download; they'll just tell you to get it through "the usual sources."

So, that's your situation.  If you want to make it absolutely legal, and completely non-invasive to the XBox, you'll need a copy of Phoenix BIOS Loader, a BIOS that allows running of unsigned XBEs, and a finished copy of your program developed using OpenXDK.  If you don't mind skirting the law a little, you can accelerate development and make it more widely usable by finding a pirated copy of the XDK (no, I won't help you) and just releasing the .XBE to the world -- that way, everyone with alternate dashboards like EvolutionX and Avalaunch can run your manager, and you can package it in a savegame for people who just want to swap recipes.  Both ways require considerable C/C++ programming experience, and the XDK in particular requires a lot of Win32 knowledge, so if you're new to coding this is probably a lot to swallow all at once.  Still, everyone has the capacity for it.

Best of luck!
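
The integrity chain delphaeus describes (per-section SHA-1 digests in the header, an RSA signature over the header, and media flags that live inside the signed region) can be shown end to end with a toy image format. This is an added example, not code from the post or from Microsoft: the layout, field offsets, flag values, PKCS#1-style padding and the 512-bit toy key are all assumptions chosen so the whole chain runs in pure Python 3.8+; the real XBE header, flag bits and 2048-bit key differ.

```python
"""Toy signed image modelled on the XBE checks described in the post above.
Assumptions (not the real XBE): field layout, flag bits, 512-bit RSA key,
PKCS#1-v1.5-style padding without DigestInfo, and the length prefix in the
signed hash (the post only says MS encodes the size somehow)."""
import hashlib
import random
import struct

MAGIC = b"TOYX"
SIG_LEN = 64                 # 512-bit toy key (real XBE: 2048-bit, 256 bytes)
SECT_LEN = 8 + 20            # section entry: offset, size, SHA-1 digest
MEDIA_HDD, MEDIA_DVDR, MEDIA_DVD = 0x1, 0x2, 0x4   # constructed flag bits


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin; fine for a toy key."""
    if n < 4:
        return n in (2, 3)
    d, r = n - 1, 0
    while d % 2 == 0:
        d, r = d // 2, r + 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def rsa_keygen(bits=SIG_LEN * 8):
    """Textbook RSA keypair: ((n, e), (n, d)). e is prime, so (p-1) % e != 0
    already guarantees gcd(e, phi) == 1."""
    e = 65537

    def prime(b):
        while True:
            c = random.getrandbits(b) | (1 << (b - 1)) | 1
            if _is_probable_prime(c) and (c - 1) % e:
                return c
    p, q = prime(bits // 2), prime(bits // 2)
    return (p * q, e), (p * q, pow(e, -1, (p - 1) * (q - 1)))


def _encode(header):
    """Signed quantity: 00 01 ff..ff 00 || SHA-1(len(header) || header)."""
    h = hashlib.sha1(struct.pack("<I", len(header)) + header).digest()
    return int.from_bytes(b"\x00\x01" + b"\xff" * (SIG_LEN - 23) + b"\x00" + h, "big")


def rsa_sign(priv, header):
    n, d = priv
    return pow(_encode(header), d, n).to_bytes(SIG_LEN, "big")


def rsa_verify(pub, header, sig):
    n, e = pub
    return pow(int.from_bytes(sig, "big"), e, n) == _encode(header)


def build_image(sections, media, priv):
    """[magic][signature][media][count][section table][section data...]."""
    off, table = 4 + SIG_LEN + 8 + len(sections) * SECT_LEN, b""
    for s in sections:
        table += struct.pack("<II", off, len(s)) + hashlib.sha1(s).digest()
        off += len(s)
    header = struct.pack("<II", media, len(sections)) + table
    return MAGIC + rsa_sign(priv, header) + header + b"".join(sections)


def load_image(image, pub, medium):
    """Stock-loader order: signature, then media flags, then section digests.
    Returns (True, 'ok') or (False, reason)."""
    if image[:4] != MAGIC:
        return False, "magic"
    media, count = struct.unpack_from("<II", image, 4 + SIG_LEN)
    table_at = 4 + SIG_LEN + 8
    if not rsa_verify(pub, image[4 + SIG_LEN:table_at + count * SECT_LEN], image[4:4 + SIG_LEN]):
        return False, "signature"
    if not media & medium:
        return False, "media"
    for at in range(table_at, table_at + count * SECT_LEN, SECT_LEN):
        off, size = struct.unpack_from("<II", image, at)
        if hashlib.sha1(image[off:off + size]).digest() != image[at + 8:at + SECT_LEN]:
            return False, "digest"
    return True, "ok"


def demo():
    """A genuine image plus the tampering attempts the post rules out."""
    pub, priv = rsa_keygen()                       # stands in for MS's keypair
    code = b"\x55\x8b\xec" + b"\x90" * 29          # constructed 'code' section
    genuine = build_image([code, b"recipes.dat\n"], MEDIA_DVD, priv)
    results = {"genuine from pressed DVD": load_image(genuine, pub, MEDIA_DVD),
               "genuine copied to HDD": load_image(genuine, pub, MEDIA_HDD)}
    patched = bytearray(genuine)                   # flip one code byte
    patched[4 + SIG_LEN + 8 + 2 * SECT_LEN + 3] ^= 0xFF
    results["code byte patched"] = load_image(bytes(patched), pub, MEDIA_DVD)
    flipped = bytearray(genuine)                   # allow DVD-R without re-signing
    struct.pack_into("<I", flipped, 4 + SIG_LEN, MEDIA_DVD | MEDIA_DVDR)
    results["media flag flipped"] = load_image(bytes(flipped), pub, MEDIA_DVDR)
    _, own_priv = rsa_keygen()                     # re-sign with a key that is not MS's
    resigned = build_image([code, b"recipes.dat\n"], MEDIA_DVD | MEDIA_DVDR, own_priv)
    results["re-signed with own key"] = load_image(resigned, pub, MEDIA_DVDR)
    return results


if __name__ == "__main__":
    for case, outcome in demo().items():
        print(f"{case:26s} -> {outcome}")
```

Note the order of checks: the loader verifies the signature over the header before it looks at the flags or digests, so flipping a media flag fails as "signature" even though the flag field itself is plain data, while patching a section leaves the header intact and fails as "digest". Re-signing with a key other than the one baked into the loader fails exactly like a forged signature.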
Title: Barriers To The Homebrew Software Developer
Post by: tandoGreer on September 23, 2003, 02:17:00 PM
Thank you so much for that post it was great.  At best I was hoping to get some links to more information.  Delphaeus you have exceeded all my expectations.

One further question do you know how many bits the SHA-1 hashing algorithm uses? (please ignore the typo --- Shamir Hashing Algorithm 1 hashing algorithm)

Alright, to be honest I really have no interest in making a recipe database. (Does anyone catch the reference or is it too obscure?)  

I was hoping the XBE ran in the way you describe.  Yes a 2048bit RSA is impossible for me to crack.  However RC4 is the basis of WiFi security, and is useless because of weak keys.  RC4 was developed by Rivest, who worked very closely with Shamir.  And there have been some inroads into 'cracking' the SHA-1.  If you take a large arbitrary file and wish to assign that file a specific SHA-1, it is possible to do so by changing a small number of 'weak' bits.  Then a programmer could use a header from another program.  If one were to take the program and embed it in a large buffer space, it may be possible to manipulate the buffer space so as to change the SHA-1 to the required value.

I'll do some work on manipulation of SHA-1 and keep you posted if there is any success.
Title: Barriers To The Homebrew Software Developer
Post by: tandoGreer on September 23, 2003, 02:32:00 PM
Small correction, SHA-1 doesn't stand for Shamir Hash Algorithm, instead it stands for Secure Hash Algorithm.  Guess I got confused
Title: Barriers To The Homebrew Software Developer
Post by: delphaeus on September 23, 2003, 04:40:00 PM

Caustik has a good overview of the layout of the XBE format (which is fairly close to the standard PE32 format -- in fact, both the XDK and OpenXDK work by letting existing compilers produce EXEs and then relinking them) here.

MS, in their wisdom, hasn't used textbook implementations of RSA nor SHA-1.  Notes on it:

* XBE Launch Process -- mentions that the RSA signature is padded
* XBox BIOS Layout and Boot Process -- describes the modified form of SHA-1

The message digests produced by textbook SHA-1 are 160 bits long -- it works in 512-bit blocks, like MD5, and has four rounds.  It's also immune to the den Boer collision attack against MD5.  MS goes a bit farther and encodes the file size into it, although unnecessarily so.
Title: Barriers To The Homebrew Software Developer
Post by: delphaeus on September 23, 2003, 04:45:00 PM
(double post, MySQL crashed)