xboxscene.org forums

Pages: 1 2 3 [4] 5 6 ... 9

Author Topic: Ping Limit Bypass  (Read 1556 times)

ledjohnnyboy

  • Archived User
  • Newbie
  • *
  • Posts: 26
Ping Limit Bypass
« Reply #45 on: January 20, 2010, 11:50:00 AM »

Nice pic, it reveals a lot about the info sent out and received. If you want, you can sniff the packets from us. I have a feeling that the arrival time means something, and it might say something like an end time on the connecting part. Add me as a friend on x-link: ledjohnny
Logged

neo8222

  • Archived User
  • Newbie
  • *
  • Posts: 6
Ping Limit Bypass
« Reply #46 on: January 20, 2010, 12:43:00 PM »

OK, I took an even bigger reading, getting almost 100 packets. Since it's so big I just saved the file in a generic .cap format that Windows NetMon or Wireshark can open and read. Destination 255.255.255.255 seems to be only sent when looking for games, while destination 0.0.0.1 is sent when attempting connection. Here's the link for the DL! Packet.cap

Also, one thing to note is each packet sent has a checksum and an identification hex code that are different each time, so I'm thinking it's the "key" for de-encrypting the code. I'd hope that the relation could be found between them. Once that's done it should be easy to script/write a program to intercept the packets on port 3074 (the only one the 360 uses for connection) and "spoof" the proper reply in under 30ms. If it can be done it'd be a major step in the right direction, true?

Oh, and the "frame xx" area is from Wireshark; it stamps the capture or arrival time for that packet and some header data.

This post has been edited by neo8222: Jan 20 2010, 08:51 PM
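
As an added example (not code from the thread or from Wireshark/XLink): a small Python reader for the classic .cap/pcap format the post above describes. It pulls out the UDP datagrams, keeps those on port 3074, and tallies them by the two destinations the post distinguishes; the sample capture is constructed inline, and the "broadcast means game search" split is the post's own observation, taken here as an assumption rather than a documented protocol fact.

```python
import struct
import ipaddress
XBOX_PORT = 3074               # UDP port the post above names for 360 traffic
BROADCAST = "255.255.255.255"  # destination the post associates with game search

def udp_frame(src, dst, sport, dport, payload):
    # Ethernet/IPv4/UDP frame with zeroed checksums (a reader does not verify them).
    udp = struct.pack("!HHHH", sport, dport, 8 + len(payload), 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(udp), 0, 0, 64, 17, 0,
                     ipaddress.ip_address(src).packed, ipaddress.ip_address(dst).packed)
    return b"\xff" * 6 + b"\x02" * 6 + b"\x08\x00" + ip + udp

def make_pcap(records):
    # Classic little-endian pcap, link type 1 (Ethernet), the format Wireshark saves.
    out = struct.pack("<IHHiIII", 0xA1B2C3D4, 2, 4, 0, 0, 65535, 1)
    for ts, frame in records:
        sec = int(ts)
        out += struct.pack("<IIII", sec, round((ts - sec) * 1e6), len(frame), len(frame)) + frame
    return out

def iter_udp(pcap):
    # Yield (timestamp, src, dst, sport, dport, payload) for every IPv4/UDP datagram.
    end = {0xA1B2C3D4: "<", 0xD4C3B2A1: ">"}[struct.unpack_from("<I", pcap)[0]]
    off = 24                               # skip the 24-byte global header
    while off + 16 <= len(pcap):
        sec, usec, incl, _ = struct.unpack_from(end + "IIII", pcap, off)
        frame, off = pcap[off + 16:off + 16 + incl], off + 16 + incl
        if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[23] != 17:
            continue                       # not IPv4/UDP (e.g. ARP), skip it
        udp = frame[14 + (frame[14] & 0x0F) * 4:]
        sport, dport, ulen, _ = struct.unpack("!HHHH", udp[:8])
        yield (sec + usec / 1e6, str(ipaddress.ip_address(frame[26:30])),
               str(ipaddress.ip_address(frame[30:34])), sport, dport, udp[8:ulen])

def classify(pcap):
    # Tally port-3074 datagrams by the post's two categories and the largest gap between them.
    counts, last, gap = {"discovery-broadcast": 0, "unicast": 0}, None, 0.0
    for ts, _src, dst, sport, dport, _payload in iter_udp(pcap):
        if XBOX_PORT not in (sport, dport):
            continue                       # unrelated traffic, e.g. DNS
        counts["discovery-broadcast" if dst == BROADCAST else "unicast"] += 1
        gap, last = (gap if last is None else max(gap, ts - last)), ts
    return {**counts, "max_gap_ms": round(gap * 1000, 1)}

SAMPLE = make_pcap([  # constructed sample, not the thread's Packet.cap
    (100.000, udp_frame("192.168.1.10", BROADCAST, 3074, 3074, b"\x01search")),
    (100.250, udp_frame("192.168.1.10", BROADCAST, 3074, 3074, b"\x01search")),
    (100.280, udp_frame("192.168.1.10", "192.168.1.20", 3074, 3074, b"\x02join")),
    (100.300, udp_frame("192.168.1.10", "192.168.1.1", 5353, 53, b"dns")),
])
```

To run it on a real capture, replace SAMPLE with the bytes of a .cap saved by Wireshark in the classic (non-pcapng) format.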

ledjohnnyboy

  • Archived User
  • Newbie
  • *
  • Posts: 26
Ping Limit Bypass
« Reply #47 on: January 21, 2010, 10:03:00 PM »

Yeah, if we can find out the encryption method we just have to spoof a reply with the same encryption used. I'm currently looking at the download.

neo8222

  • Archived User
  • Newbie
  • *
  • Posts: 6
Ping Limit Bypass
« Reply #48 on: January 22, 2010, 05:55:00 AM »

I would assume it's one of the more common encryptions; I don't think Microsoft would have a team put together just to make a new encryption protocol for an Xbox... It's possible the checksum is the key to it, and tells the other Xbox how to decrypt the data. I'm no expert, but judging by checksum length, if it is the key it should be a fairly small bit level and easy for a program to intercept, read and repackage a response in the time limit. My guess would be it uses a Merkle–Damgård system because it works with hash codes and checksums, which if that's the case would have a standard block cipher and could be loaded into a separate program.

Edit: now that I think about it, the block cipher should be contained in the NAND chip; someone that can get in and dump the NAND should start looking for a block cipher. I would do it but I've got an 8955 kernel and can't get in.

This post has been edited by neo8222: Jan 22 2010, 02:13 PM

Mr-Woo

  • Archived User
  • Newbie
  • *
  • Posts: 1
Ping Limit Bypass
« Reply #49 on: January 22, 2010, 07:04:00 AM »

This should give you an insight into how local game play is done on an Xbox 360:

http://v3.espacenet.com/publicationDetails...DB=&locale=

Please read it fully. It is directed at the Xbox 360 because of the wireless connection, and it explains the 3 stages of key exchange:

Phase I: Generate Shared Secret Keys

Phase II: Session Discovery

Phase III: Key Exchange

[0054] The hash digest is placed in the "Hash" field of the key exchange packet. The response packet now has the following contents:

KeyExResp: [NonceInit, NonceResp, g<Y>, NKID, NADDR, Time, HashResp].

This post has been edited by Mr-Woo: Jan 22 2010, 03:07 PM

ledjohnnyboy

  • Archived User
  • Newbie
  • *
  • Posts: 26
Ping Limit Bypass
« Reply #50 on: January 22, 2010, 07:06:00 AM »

Yeah, I can't dump my NAND either thanks to the latest update, but danked can, so I'll PM him and get a bin if possible.
ledjohnny

neo8222

  • Archived User
  • Newbie
  • *
  • Posts: 6
Ping Limit Bypass
« Reply #51 on: January 22, 2010, 10:15:00 AM »

OK, well, I've been talking to a professor at my college and he's telling me the next step he would do is create a rainbow table for the encryption ciphers and use trial and error. I guess my next course of action will be to create a rainbow key, or attempt to create a rainbow table for the Merkle–Damgård system, run it and see what happens. If it becomes workable data then good; if not, well then... on to the next cipher key.

danked

  • Archived User
  • Full Member
  • *
  • Posts: 161
Ping Limit Bypass
« Reply #52 on: January 22, 2010, 10:26:00 AM »

ygpm's. Yeah, I have a few NAND dumps.

InvidiousDemise

  • Archived User
  • Full Member
  • *
  • Posts: 118
Ping Limit Bypass
« Reply #53 on: January 22, 2010, 05:27:00 PM »

If anyone needs me to, I am available to set up my box for Kai if you want to have me sniff packets or something. I have a JTAGged box and am willing to perform guinea pig tests. I don't know much about deciphering the packets or anything, but I have played around with packet sniffing a few times.

I am also willing to set up a constantly running server/test box for while I'm away if necessary.

vb_encryption_vb

  • Archived User
  • Hero Member
  • *
  • Posts: 1082
Ping Limit Bypass
« Reply #54 on: January 22, 2010, 06:13:00 PM »

QUOTE(tactical @ Dec 6 2009, 09:19 AM)

Unless we get xbox-scene and xlink to do a HARD PUSH by putting it on the front page and talking it up, we will not get the masses to play on xlink.

This room is practically DEAD. Now if a ping bypass was found, that really could change everything, because more people would be on xlink, 1,000's playing CoD MW2 just like they used to play Halo on Xbox 1.

To hell with xlink, too many mods going on in that garbage ass shit

danked

  • Archived User
  • Full Member
  • *
  • Posts: 161
Ping Limit Bypass
« Reply #55 on: January 22, 2010, 08:51:00 PM »

QUOTE(vb_encryption_vb @ Jan 22 2010, 07:13 PM)

To hell with xlink, too many mods going on in that garbage ass shit

Wow, that was very insightful.

iPryoR

  • Archived User
  • Newbie
  • *
  • Posts: 4
Ping Limit Bypass
« Reply #56 on: February 08, 2010, 03:18:00 PM »

Any new info on this? Keep going!!

toybox

  • Archived User
  • Newbie
  • *
  • Posts: 5
Ping Limit Bypass
« Reply #57 on: February 23, 2010, 08:45:00 PM »

Wouldn't it help to monitor a running game with something like text chat, to search for it to brute-force the encryption?

toybox

  • Archived User
  • Newbie
  • *
  • Posts: 5
Ping Limit Bypass
« Reply #58 on: February 23, 2010, 11:28:00 PM »

I also took a look into the transferred data. To test it I opened the game search in MW2 and I saw the name of the running server, so we can get known values for decryption. I am not good at coding, so that's all I can do for now. I strongly believe that's enough data to get around the encryption.

x_redentor

  • Archived User
  • Newbie
  • *
  • Posts: 2
Ping Limit Bypass
« Reply #59 on: February 25, 2010, 12:19:00 PM »

QUOTE
game.cfg - example

// Internet simulation (only active in multiplayer)
Server.IsInternetSimulationEnabled true
Server.MinLatency                 0.025
Server.MaxLatency                 0.100
Server.PacketDrops                0.005
Server.DropSpikeChance            0.001
Server.MinDropDuration            0.100
Server.MaxDropDuration            0.300
Server.ReorderingChance           0.005
Server.DuplicationChance          0.005
Server.CorruptionChance           0.001
Server.UnrestrictedUnlocks        false

http://www.megaupload.com/?d=PUWC1XM4

I am Spanish.