xboxscene.org forums

Xbox360 Forums => Xbox 360 Hacking Forums => Technical DVD-ROM and Modified DVD Firmware Forum => Topic started by: calloused labia on September 06, 2008, 10:00:00 PM

Title: Possible Spoof Detection?
Post by: calloused labia on September 06, 2008, 10:00:00 PM
It has been mentioned on xboxhacker.net that spoofing Samsungs as BenQs is "detectable".
The member who posted it was asked to elaborate but never did.

After spoofing BenQs as Samsungs and Samsungs as BenQs using Firmtool 1.2, I ran across something that indicated a Samsung spoofed to a BenQ is detectable. At least by Firmware Toolbox.

After spoofing a BenQ to appear as a Samsung using Firmtool 1.2, I opened the spoofed firmware in Firmware Toolbox. Firmware Toolbox lists the "ROM version" of a "Samsung Spoofed" BenQ exactly how the original Samsung firmware is seen. This is good.

=====================================================================
This is the original TS 25 firmware as seen by Firmware Toolbox

(IMG:http://i443.photobucket.com/albums/qq159/callousedlabia/360/orig25.jpg)

=========================================================================

This is the BenQ iXtreme firmware spoofed as a Samsung TS 25 using Firmtool 1.2. Firmware Toolbox sees the ROM version as the same.


(IMG:http://i443.photobucket.com/albums/qq159/callousedlabia/360/ftoolbox.jpg)

The Rom version is identical!

============================================================================
============================================================================


But when I use Firmtool 1.2 to make a Samsung appear like a BenQ, Firmware Toolbox lists the ROM version with strange characters in it. (I have been able to duplicate it several times.)

=============================================================================
=============================================================================
Original BenQ Firmware

(IMG:http://i443.photobucket.com/albums/qq159/callousedlabia/360/stock.jpg)

===========================================================================

Samsung iXtreme firmware spoofed as BenQ using Firmtool 1.2. Firmware Toolbox has an issue with the ROM version.

(IMG:http://i443.photobucket.com/albums/qq159/callousedlabia/360/wierd.jpg)

Weird characters
==========================================================================

If Firmware Toolbox can see this difference then could MS?

( Scuba where is Firmtool version 1.3? You told me last month on a separate but another spoofing related scenario that I should use that)

This post has been edited by calloused labia: Sep 7 2008, 05:01 AM
Title: Possible Spoof Detection?
Post by: darkshadow2k8 on September 06, 2008, 10:58:00 PM
See, that could be possible, but it's too hard to tell. That's why I don't spoof drives, unless it was the new Lite-On, at least until it's hacked.
Title: Possible Spoof Detection?
Post by: CasioNo15 on September 07, 2008, 04:52:00 AM
No, it has nothing to do with these wrongly displayed characters.
If you open up an iXtreme firmware with Toolbox, for example a BenQ firmware, it will detect it as iXtreme and go to a specific offset to look up which iXtreme version this firmware is.
For BenQ this could be 0x5FE0. I don't know if it's the same offset for all BenQs.
Now when you take an MS25 firmware and spoof it as BenQ, the Toolbox thinks it is a BenQ firmware and goes to offset 0x5FE0 and reads out the iXtreme version, but it's written at a different offset on an MS25 firmware.

As written on xboxhacker, the detection has to do with the SS generation.

Casio

This post has been edited by CasioNo15: Sep 7 2008, 11:53 AM
Title: Possible Spoof Detection?
Post by: calloused labia on September 07, 2008, 05:09:00 AM
QUOTE(CasioNo15 @ Sep 7 2008, 06:52 AM)
No, it has nothing to do with these wrongly displayed characters.
If you open up an iXtreme firmware with Toolbox, for example a BenQ firmware, it will detect it as iXtreme and go to a specific offset to look up which iXtreme version this firmware is.
For BenQ this could be 0x5FE0. I don't know if it's the same offset for all BenQs.
Now when you take an MS25 firmware and spoof it as BenQ, the Toolbox thinks it is a BenQ firmware and goes to offset 0x5FE0 and reads out the iXtreme version, but it's written at a different offset on an MS25 firmware.

As written on xboxhacker, the detection has to do with the SS generation.

Casio


Thanks. I knew about the SS, but I did not know where Firmware Toolbox got the ROM version from. That makes sense.



Title: Possible Spoof Detection?
Post by: calloused labia on September 07, 2008, 07:03:00 AM
QUOTE(CasioNo15 @ Sep 7 2008, 06:52 AM)


As written on xboxhacker, the detection has to do with the SS generation.

Casio


Wait! I just re-read your post. At first I thought you were saying the only way of any type of detection was bad SS on games. But after re-reading it, I realize you mean something completely different.

So spoofing a Samsung as a BenQ is detectable? Is there anybody working on this? Is there any way to work on it?
Title: Possible Spoof Detection?
Post by: podger on September 07, 2008, 10:20:00 AM
5 bytes of the ss are drive specific. So a Sammy spoofed as benq will return a different ss to a benq... I believe this is the case even with originals.... Cross-spoofing has never been considered safe...

Title: Possible Spoof Detection?
Post by: calloused labia on September 07, 2008, 12:03:00 PM
QUOTE(podger @ Sep 7 2008, 12:20 PM)
5 bytes of the ss are drive specific. So a Sammy spoofed as benq will return a different ss to a benq... I believe this is the case even with originals.... Cross-spoofing has never been considered safe...

ouch. I am just going to put the drives back in their original 360s then. I guess since the hard drive install update will be released soon, any problems with the Benq load times will be irrelevant.
Title: Possible Spoof Detection?
Post by: podger on September 07, 2008, 02:11:00 PM
Of course you could produce f/w for say a Sammy that is optimal for spoofing as Benq/Lite-On.... but you would need to know what you are doing.... As far as I know C4 is working on this....

But it gets very complicated when it comes to Hitachi, coz there are so many of them... 64 or so variants..... only 4 for Samsung

This post has been edited by podger: Sep 7 2008, 09:13 PM
Title: Possible Spoof Detection?
Post by: calloused labia on September 07, 2008, 07:29:00 PM
QUOTE(podger @ Sep 7 2008, 04:11 PM)
Of course you could produce f/w for say a Sammy that is optimal for spoofing as Benq/Lite-On.... but you would need to know what you are doing.... As far as I know C4 is working on this....

But it gets very complicated when it comes to Hitachi, coz there are so many of them... 64 or so variants..... only 4 for Samsung


Cool.. then maybe I will wait. What about the other way around? What about a BenQ drive spoofed as a Samsung? Is it also detectable? Does it also send back a different response?
Title: Possible Spoof Detection?
Post by: calloused labia on September 09, 2008, 11:50:00 PM
I put both drives back in the original 360s with the latest iX stealth. No more spoofing.
Title: Possible Spoof Detection?
Post by: Ranger72 on September 10, 2008, 10:43:00 AM
How is Microsoft going to determine what is a spoofed drive from their repair centers and what is a spoofed drive from a hacker? I have received more than a few refurbished 360s that have a different drive in the console than the one that was originally there.

So if Microsoft is spoofing drives themselves when they replace them then how could they use that as a determination of a Live banning without also banning their legit customers?
Title: Possible Spoof Detection?
Post by: Traviss63 on September 10, 2008, 11:33:00 AM
QUOTE(Ranger72 @ Sep 10 2008, 05:43 PM)

How is Microsoft going to determine what is a spoofed drive from their repair centers and what is a spoofed drive from a hacker? I have received more than a few refurbished 360s that have a different drive in the console than the one that was originally there.

So if Microsoft is spoofing drives themselves when they replace them then how could they use that as a determination of a Live banning without also banning their legit customers?



Yes, I had two..."friends" who both claim to have just got back their console (when they brought them to me) from a M$ repair center. When I read/dumped the firmware with iprep it said it was spoofed, I think it was a Samsung spoofed as a Hitachi for one and I can't recall the other, anyhow this was a first for me. I had never even heard of spoofing until then.

I always assumed M$ didn't need to spoof the drive. I thought they could just reset that shit how they saw fit, but unless my custome... I mean "friends", were BOTH lying about their consoles coming from M$ (why lie?) then this suggests exactly what Ranger says...

How would they tell the difference between drives spoofed at a M$ RC or Hacker spoofed drives?
Title: Possible Spoof Detection?
Post by: calloused labia on September 11, 2008, 02:05:00 AM
QUOTE(Traviss63 @ Sep 10 2008, 01:33 PM)



Yes, I had two..."friends" who both claim to have just got back their console (when they brought them to me) from a M$ repair center. When I read/dumped the firmware with iprep it said it was spoofed, I think it was a Samsung spoofed as a Hitachi for one and I can't recall the other, anyhow this was a first for me. I had never even heard of spoofing until then.

I always assumed M$ didn't need to spoof the drive. I thought they could just reset that shit how they saw fit, but unless my custome... I mean "friends", were BOTH lying about their consoles coming from M$ (why lie?) then this suggests exactly what Ranger says...

How would they tell the difference between drives spoofed at a M$ RC or Hacker spoofed drives?


I also thought MS could "reset" anything how they wanted. Has anybody dumped the firmware they got back from MS service to see if there are differences? Perhaps their method of spoofing the drives is a little different and when they spoof, the drive returns the right SS responses?




Title: Possible Spoof Detection?
Post by: calloused labia on September 11, 2008, 10:11:00 AM
ERR EDIT

QUOTE(calloused labia @ Sep 11 2008, 04:41 AM)


I also thought MS could "reset" anything how they wanted. Has anybody dumped the firmware from an MS spoofed drive? Perhaps their method of spoofing the drives is a little different and when they spoof, the drive returns the right SS responses?




Title: Possible Spoof Detection?
Post by: ghaladream on October 09, 2008, 04:31:00 PM
I would like to know this as well. I just spoofed my old BenQ drive as a Samsung because of the poor BenQ backup load times, and because of another issue I've been having with my BenQ:

http://forums.xbox-scene.com/lofiversion/i...hp/t658021.html

http://forums.maxconsole.net/showthread.php?p=1029558

Also.. about that 5 bytes of the SS being different when cross-spoofing.. Have there been any reports of bannings due to people who have done this?

This post has been edited by ghaladream: Oct 9 2008, 11:36 PM
Title: Possible Spoof Detection?
Post by: caster420 on October 09, 2008, 04:51:00 PM
QUOTE(calloused labia @ Sep 7 2008, 12:00 AM)


If Firmware Toolbox can see this difference then could MS?


This isn't Firmware Toolbox seeing the difference, it is a bug in Firmware Toolbox. Firmtool changes both the inquiry and identify string and 360 Firmware Toolbox does not. Compare the two files you created in hex and you'll see exactly what I'm talking about...

Caster.
Title: Possible Spoof Detection?
Post by: caster420 on October 09, 2008, 04:41:00 PM
Here is your example...

1) Firmware created with Firmtool

2) Firmtool-created firmware opened with 360 Firmware Toolbox (same error you noted above, plus the key is incorrect, as I would assume yours was as well!!!)

3) 360 Firmware Toolbox v4.7 spoofing the same type of firmware...

4) Hex comparison of the two generated firmwares...


Notice that 360 Firmware Toolbox does not spoof the identify string (the one on top). This is how it 'detects' spoofed firmware. Since Firmtool changes both strings, 360 Firmware Toolbox does not detect it properly and does not find the key properly. There is nothing wrong with the firmware Firmtool created but rather with 360 Firmware Toolbox.

Regards,

Caster.
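To make the mechanism in caster420's post concrete, here is an added toy model, not code from the thread and not Firmware Toolbox's or Firmtool's own logic. The image layout is entirely constructed: two 16-byte identity strings near the start of a 32 KiB buffer and an 8-byte version string at a vendor-specific offset, where 0x5FE0 is the BenQ offset CasioNo15 mentions and the Samsung offset is made up for the example. The naive reader trusts the identify string and jumps to that vendor's offset, which is what the thread says Toolbox does; the checked reader cross-checks both strings and accepts a layout only when the version field at its offset is printable, so it reports the inconsistency instead of showing garbage characters.

```python
# Constructed toy layout (an assumption for illustration, not a real drive image).
INQUIRY_OFF = 0x0000      # 16-byte "inquiry" identity string
IDENTIFY_OFF = 0x0010     # 16-byte "identify" identity string
FIELD_LEN = 16
VERSION_LEN = 8
IMAGE_SIZE = 0x8000
# 0x5FE0 is the BenQ offset named in the thread; the Samsung value is invented here.
VERSION_OFF = {"BENQ": 0x5FE0, "SAMSUNG": 0x6FE0}


def _tag(text):
    """Encode a vendor label as a NUL-padded fixed-width field."""
    return text.encode("ascii").ljust(FIELD_LEN, b"\x00")


def build_image(vendor, version):
    """Constructed stock image: both identity strings name the same vendor and the
    version string sits at that vendor's offset. Everything else is 0xFF filler."""
    img = bytearray(b"\xff" * IMAGE_SIZE)
    img[INQUIRY_OFF:INQUIRY_OFF + FIELD_LEN] = _tag(vendor)
    img[IDENTIFY_OFF:IDENTIFY_OFF + FIELD_LEN] = _tag(vendor)
    off = VERSION_OFF[vendor]
    img[off:off + VERSION_LEN] = version.encode("ascii").ljust(VERSION_LEN, b"\x00")
    return img


def rewrite_identity(img, new_vendor, both_strings):
    """Relabel the image as another vendor without moving anything else.
    Models the difference caster420 describes: one tool rewrites only the inquiry
    string, the other rewrites both. The version string stays at the original
    vendor's offset either way."""
    out = bytearray(img)
    out[INQUIRY_OFF:INQUIRY_OFF + FIELD_LEN] = _tag(new_vendor)
    if both_strings:
        out[IDENTIFY_OFF:IDENTIFY_OFF + FIELD_LEN] = _tag(new_vendor)
    return out


def read_text(img, off, length):
    """Read a NUL-padded field; undecodable bytes become U+FFFD, i.e. 'weird characters'."""
    raw = bytes(img[off:off + length]).rstrip(b"\x00")
    return raw.decode("ascii", errors="replace")


def is_clean(text):
    """A plausible version string: non-empty and printable ASCII only."""
    return len(text) > 0 and all(32 <= ord(c) < 127 for c in text)


def naive_read(img):
    """Trust the identify string, jump to that vendor's offset, read whatever is there."""
    vendor = read_text(img, IDENTIFY_OFF, FIELD_LEN)
    off = VERSION_OFF.get(vendor)
    return vendor, (read_text(img, off, VERSION_LEN) if off is not None else None)


def checked_read(img):
    """Defensive reader: compare both identity strings, then find the layout by
    validation rather than by trusting a label that a tool may have rewritten."""
    inquiry = read_text(img, INQUIRY_OFF, FIELD_LEN)
    identify = read_text(img, IDENTIFY_OFF, FIELD_LEN)
    findings = []
    if inquiry != identify:
        findings.append(f"inquiry says {inquiry}, identify says {identify}")
    layout, version = None, None
    for vendor, off in VERSION_OFF.items():
        candidate = read_text(img, off, VERSION_LEN)
        if is_clean(candidate):
            layout, version = vendor, candidate
            break
    if layout is None:
        findings.append("no known layout yields a readable version string")
    elif layout != identify:
        findings.append(f"identify says {identify} but layout is {layout}")
    return {"inquiry": inquiry, "identify": identify, "layout": layout,
            "version": version, "findings": findings}


if __name__ == "__main__":
    stock = build_image("SAMSUNG", "v1.4")                       # constructed sample
    one_string = rewrite_identity(stock, "BENQ", both_strings=False)
    both_strings = rewrite_identity(stock, "BENQ", both_strings=True)
    for name, img in (("stock", stock), ("inquiry only", one_string), ("both", both_strings)):
        print(f"{name:13s} naive={naive_read(img)!r} checked={checked_read(img)['findings']}")
```

Run as a script, the stock image and the inquiry-only relabel both read cleanly with the naive reader (the identify string still points at the right layout), while the relabel of both strings sends the naive reader to 0x5FE0 and returns eight replacement characters. The checked reader flags the inquiry-only case as an inquiry/identify mismatch and the both-strings case as a label that does not match the layout where the version string actually parses.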
Title: Possible Spoof Detection?
Post by: ghaladream on October 09, 2008, 05:28:00 PM
Thanks for the info caster
Title: Possible Spoof Detection?
Post by: calloused labia on October 09, 2008, 05:45:00 PM
Thanks for clearing that up Caster.

I didn't notice any discrepancy with the key when I was testing, so I decided to go back and open the Samsung-spoofed BenQ firmware with FWTB and Firmtool.

Sure enough.. the key in FWTB is wrong!!

(IMG:http://i443.photobucket.com/albums/qq159/callousedlabia/360/WTF.jpg)
Title: Possible Spoof Detection?
Post by: caster420 on October 09, 2008, 08:06:00 PM
No problem. It appears as though he has fixed my above example (spoofed Samsung firmware) with v4.8 but not spoofed BenQ firmware, as you noted.

Regards,

Caster.
Title: Possible Spoof Detection?
Post by: ghaladream on October 09, 2008, 08:21:00 PM
QUOTE(podger @ Sep 7 2008, 01:20 PM)

5 bytes of the ss are drive specific. So a Sammy spoofed as benq will return a different ss to a benq... I believe this is the case even with originals.... Cross-spoofing has never been considered safe...


So, should I be worried about this?
Title: Possible Spoof Detection?
Post by: test123123 on October 10, 2008, 04:24:00 AM
If I purely used Firmware Toolbox 4.8 to flash a Hitachi drive and did NOT use the spoof function, is it OK?
Title: Possible Spoof Detection?
Post by: calloused labia on October 10, 2008, 10:16:00 AM
QUOTE(test123123 @ Oct 10 2008, 06:24 AM)
If I purely used Firmware Toolbox 4.8 to flash a Hitachi drive and did NOT use the spoof function, is it OK?


Yes, it should be fine.


QUOTE(ghaladream @ Oct 9 2008, 10:57 PM)


So, should I be worried about this?


I was. I removed the spoofed Samsung from my 360 and put back the BenQ.