xboxscene.org forums


Author Topic: Xbox 360 Has A Tsop?  (Read 1090 times)

haze420

  • Archived User
  • Newbie
  • *
  • Posts: 6
Xbox 360 Has A Tsop?
« Reply #30 on: November 24, 2005, 09:58:00 AM »

Indeed. Not only are the graphics 100 times better, I can assure you that the security is too. But it's all a matter of time before there is some kind of mod chip for the 360, but not any time soon.
Logged

pcsxdc

  • Archived User
  • Newbie
  • *
  • Posts: 4
Xbox 360 Has A Tsop?
« Reply #31 on: November 25, 2005, 01:53:00 PM »

In theory, even if the copy protection is built into the hardware, it could still be defeated.  The thing which sucks is that you would have to create a jump instruction for every time a security check is put in. That would be VERY time consuming.
Logged

steblublu

  • Archived User
  • Jr. Member
  • *
  • Posts: 55
Xbox 360 Has A Tsop?
« Reply #32 on: November 25, 2005, 02:16:00 PM »

QUOTE(Shadowlaw @ Nov 24 2005, 05:40 PM)
... Who cares about writing the TSOP if the box will not execute the code anyway. (And believe me, it won't)...


If/when the TSOP flash encrypt key is found (reports have it placed directly inside the CPU), I could only see 2 reasons why any changes we make to the TSOP flash code would not run:

1) because code is signed, and the system expects it to be so.
2) because there is a checksum on the data.

Now, if there is a checksum for code contained on the TSOP flash, then that checksum value must also be stored in writable non-volatile memory somewhere.   This would be the only way that Dashboard updates received over Xbox Live could work.
...unless the checksum IS a fixed value and any data stored in the TSOP flash is padded.
 
Either way, if the code on the TSOP is checked by the CPU against a checksum, then I would expect the checksum value to be traceable and updatable.

Logged

TheSpecialist

  • Archived User
  • Full Member
  • *
  • Posts: 215
Xbox 360 Has A Tsop?
« Reply #33 on: November 25, 2005, 03:01:00 PM »

QUOTE(steblublu @ Nov 25 2005, 10:23 PM)

If/when the TSOP flash encrypt key is found (reports have it placed directly inside the CPU), I could only see 2 reasons why any changes we make to the TSOP flash code would not run:

1) because code is signed, and the system expects it to be so.
2) because there is a checksum on the data.

Now, if there is a checksum for code contained on the TSOP flash, then that checksum value must also be stored in writable non-volatile memory somewhere.   This would be the only way that Dashboard updates received over Xbox Live could work.
...unless the checksum IS a fixed value and any data stored in the TSOP flash is padded.
 
Either way, if the code on the TSOP is checked by the CPU against a checksum, then I would expect the checksum value to be traceable and updatable.


I'd be REALLY surprised if M$ didn't sign the TSOP contents ...
Logged

Sleeve

  • Archived User
  • Newbie
  • *
  • Posts: 11
Xbox 360 Has A Tsop?
« Reply #34 on: November 26, 2005, 07:24:00 PM »

There are topics on this thread that cross into my day job, so while I don't know a Southbridge from a NAND, I have thoughts about the security.  Smartcard chips that are cropping up on US credit cards and have been on European ones for years contain several secured and unsecured containers.  They also contain all the logic to perform all the necessary (typically RSA) algorithms for decryption.  Because the private key and the decryption code are on the same chip, the decrypted private key never travels off the smartcard.  People on this thread have said that it is possible that the key is on the CPU.  If that's possible, it's also just as possible that the RSA logic is also on the CPU, forcing all crypto operations to route directly through the CPU, including the decryption of the encrypted parts of the BIOS on the NAND that are accessed once the CPU and its crypto are POSTed by cleartext BIOS code.

It is feasible that each 360 has a public and private key pair, with the public key wrapped by a digital certificate that is accessible by MS's manufacturing partners in real time during the assembly process with a secure LDAP connection.  RSA algorithms provide that when content is encrypted using a device's public key, only that device's private key can decrypt the data.  The final box assembly manufacturers would be able to use the public key to encrypt the BIOS without ever knowing or handling the private key.

I hate to oversimplify in such a technically competent audience, but this is the fundamental security behind SSL and every secure transaction on the internet on which the world's economy relies.

So MS has a copy of every Xbox's digital certificate in an Active Directory.  Buying premium content over Xbox Live means the content has to be signed with your unique digital certificate so you can't share it with your friends who haven't paid.  Same with BIOS updates, if any.  They have to be signed with your public key so that the private key on your CPU can decrypt the encrypted parts of the BIOS during the last stages of the POST.

Great, rock solid concept if everyone has XBox Live.  Falls to crap as soon as MS has a critical patch they must release to all customers including those with no internet access.  It would be logistically unreasonable to ship each customer a unique update DVD.  It would also make no sense to put the device's public key on the box because modders could simply use it to create legitimately signed alternate BIOS code.  

However, if now and forever security will trump field upgrades for people without internet, all of this works and it is as easy to defeat without hardware mods as the security that keeps our economy intact.  Including hardware mods, it's as easy as replacing the PowerPC and whatever miscellaneous baggage and clothing it happens to be carrying and wearing.

There are as many other ways to do this as people that post on this thread, so while MS has proven they are public key crypto aware in their operating systems, this is all a load of uselessness until someone proves MS used mainstream RSA crypto and CPU-based hardware security.
Logged
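
As an added illustration of the two cases steblublu lists above (a checksum versus signed code) and the public-key scheme Sleeve describes, the sketch below compares an unkeyed checksum with a signature check. It is not code from the thread or from any console; the toy RSA key, the sample image bytes and all function names are assumptions constructed for the example.

```python
import hashlib
import zlib

# Toy RSA key, constructed for this example; far too small for real use.
P, Q = 2**127 - 1, 2**89 - 1        # two known Mersenne primes
N, E = P * Q, 65537                 # public half: all a verifying device needs
D = pow(E, -1, (P - 1) * (Q - 1))   # private half: stays with the signer

def digest(image: bytes) -> int:
    """SHA-256 of the image, reduced into the toy modulus."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % N

def sign(image: bytes) -> int:
    """Signer side: needs the private exponent D."""
    return pow(digest(image), D, N)

def verify_signature(image: bytes, sig: int) -> bool:
    """Device side: needs only the public values (N, E)."""
    return pow(sig, E, N) == digest(image)

def verify_checksum(image: bytes, stored: int) -> bool:
    """Unkeyed integrity check: no secret is involved at all."""
    return zlib.crc32(image) == stored

def demo() -> dict:
    original = b"DASH v1: constructed sample flash image"
    changed = b"DASH v1: constructed sample flash imagE"
    stored_crc, stored_sig = zlib.crc32(original), sign(original)
    return {
        "crc_original": verify_checksum(original, stored_crc),
        "crc_changed_old_value": verify_checksum(changed, stored_crc),
        "crc_changed_recomputed": verify_checksum(changed, zlib.crc32(changed)),
        "sig_original": verify_signature(original, stored_sig),
        "sig_changed_old_value": verify_signature(changed, stored_sig),
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The checksum passes again as soon as its stored value is recomputed, which needs no secret, while a valid signature over the changed image requires `D`, which the verifying side never holds.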

lordvader129

  • Archived User
  • Hero Member
  • *
  • Posts: 5860
Xbox 360 Has A Tsop?
« Reply #35 on: November 27, 2005, 11:30:00 AM »

QUOTE
So MS has a copy of every Xbox's digital certificate in an Active Directory. Buying premium content over Xbox Live means the content has to be signed with your unique digital certificate so you can't share it with your friends who haven't paid. Same with BIOS updates, if any. They have to be signed with your public key so that the private key on your CPU can decrypt the encrypted parts of the BIOS during the last stages of the POST.

similar to the way Xbox content was signed to the EEPROM serial, but I think all that was done locally, so upgrades could be issued without having to connect to Live, I'm sure that's the same concept used in 360, stuff gets signed locally in the CPU, and probably locked to the hard drive it gets installed to
Logged

BCfosheezy

  • Archived User
  • Hero Member
  • *
  • Posts: 966
Xbox 360 Has A Tsop?
« Reply #36 on: November 28, 2005, 09:28:00 AM »

QUOTE(Shadowlaw @ Nov 28 2005, 03:32 AM)

Well then you already admit we're defeated at this point... if the TSOP flash key is really in the CPU maybe 5 skilled people can extract it, but it will be useless to anybody else. And even for those 5, after decrypting it will probably still be signed with MS' private key and you can forget about changing it. This is what I would have done myself anyway, and I imagine the security engineers at MS must be smarter than me. Our only hope is that those 5 people who do get to see the decrypted flash contents will be able to understand what's inside and find other potential security leaks.


Bottom line is we're all speculating on something we know very little to nothing about. We have little data given to us by some reputable people who specialize in reverse engineering but nothing concrete. I agree that all of the things discussed are in place but we don't really know. Until someone does some investigative work on the bootup process we won't know any more. The first step is understanding what we're dealing with. Then we can start figuring out ways to circumvent protection. I know I don't have these capabilities to probe the hardware and even if I did I don't have the necessary knowledge but someone is going to have to do this before anything is done. We can speculate until we're blue in the faceplate because that's the only modding we're going to be doing if someone with the equipment and knowledge doesn't step up to the challenge.
Logged

lordvader129

  • Archived User
  • Hero Member
  • *
  • Posts: 5860
Xbox 360 Has A Tsop?
« Reply #37 on: November 28, 2005, 11:40:00 AM »

the installer xex can run on any xbox, but the files it installs to the HD might be signed to work only on that specific HD, supporting my theory of local signing

all of this is pure speculation though, until we can rip the contents of an HD and write it to another HD
Logged

lordvader129

  • Archived User
  • Hero Member
  • *
  • Posts: 5860
Xbox 360 Has A Tsop?
« Reply #38 on: November 28, 2005, 10:51:00 PM »

QUOTE(globe_guyx @ Nov 28 2005, 11:51 PM)

This probably falls into the "duh" category for those contributing to this thread, but either the key which we assume to be in the cpu is common to all 360's, or it is transmitted across open tappable lines, albeit in an encrypted state..  I'm hoping for the former..
This idea dismisses the possibility that M$ actually stores the individual key for each 360 in an open directory as stated earlier..   Thereby allowing them to sign individually at update time by merely transmitting an ID rather than the actual key..  Partially because this would seriously tax servers at upgrade time, and also because it would SUCK REALLY BAD!!!!
I also find it laughable that they intend to force 16MB flash updates..  There would inevitably be enough bricks to build a subdivision..  I wouldn't care during the first 90 days, but I'm wondering what legalities they'd face forcing ppl to risk their box instantaneously..  I'd risk playing on Live during a thunder-storm, but if it wanted to reflash at that moment I'd be shitting my pants..  There is no other chip that could work as a backup as far as I know, and ram defeats the purpose..  Any of us who have flashed our 1MB tsops realize that roughly 16x that duration leaves a lot of room for BS..
Now, does the dash dumbfound anybody else?  Granted machine code is more efficient than C++, but xbox dashes are > 100MB..  Wouldn't surprise me if there was a well disguised larger flash memory onboard somewhere..

the 16MB chip isn't a flashrom, it's flash memory, it can be written partially, more like a memory card, I've been told the 360 dashboard only takes about 3MB on the chip
Logged

Gobelet

  • Archived User
  • Jr. Member
  • *
  • Posts: 87
Xbox 360 Has A Tsop?
« Reply #39 on: November 30, 2005, 10:12:00 AM »

Well if you can check your K: and D: numbers (I don't know where they are, stupid stores told me they didn't know when they'll have one for me (I'm in Europe btw)), you'll see a value called BK:, which means Backup Kernel. I think that this backup is somewhere on a non-writable chip. This way, you still can boot your console with a fucked TSOP.

This is only pure speculation (BK:, K: and D: apart).
Logged

lordvader129

  • Archived User
  • Hero Member
  • *
  • Posts: 5860
Xbox 360 Has A Tsop?
« Reply #40 on: November 30, 2005, 04:27:00 PM »

QUOTE(globe_guyx @ Nov 30 2005, 02:52 PM)

I recently discovered the backup kernel, but what about backup dash assuming they plan to update that..  I suppose a repair cd could easily be mailed out..

I'm certain the 360 doesn't have the clock setting issue Xbox had, so I would think it can function indefinitely without a dashboard, until it can be repaired from a game, or sent out through Live (there might even be enough code in the kernel to connect to Live and restore the dash)
Logged

zX_Storm

  • Archived User
  • Full Member
  • *
  • Posts: 186
Xbox 360 Has A Tsop?
« Reply #41 on: December 01, 2005, 02:41:00 PM »

QUOTE(BCfosheezy @ Nov 19 2005, 04:43 PM)

I know we're all speculating which is stupid to begin with... but here's my speculation. I don't think the bios/kernel exists on the tsop. There is no need to upgrade for future hardware revisions since they have proven that they are willing to change during production in the past. I'm asking you to remember the 1.6 for two reasons. One to prove my last point in that they change the bios for a hardware change (different video encoder) and they also use the xyclops chip instead of a tsop. If you read a little about the r520 (I think that's the name of the ati northbridge/gpu) it has built-in video encoding on-chip. There is no need for a video encoder. Also, if you look you will see a chip that says xbox360 on it that looks strikingly like the xyclops chip from the original xbox but it is located in a place that might make observers think it is the video encoder.  I believe most, some or all of the bios is stored on that rom. Again this is only speculation but I think it is very logical. Again please remember when the bios WAS stored on the tsop in the original xbox its write-enabled points were disabled. Since the tsop is significantly larger in xbox360 and there's no other place to store the dash and they NEED to be able to upgrade the dash for live or possibly other things it HAS to be write-enabled. They would not put the bios on this chip. It is in another location and a likely location is the xbox360 chip.


I just would like to point out that the TSOP does NOT have to be write-enabled. The dashboard on the TSOP could very well look to see if the dashboard update (which is more than likely downloaded to the harddrive), just executes it from there. So really, the TSOP never changes. Again, a speculation, but a possibility. (MS did say that you have to have XBL to get updates, or am I wrong?)

P.S. Sorry if somebody else stated this, I only looked at the first page, no time to read it all
Logged

lordvader129

  • Archived User
  • Hero Member
  • *
  • Posts: 5860
Xbox 360 Has A Tsop?
« Reply #42 on: December 01, 2005, 05:38:00 PM »

QUOTE(zX_Storm @ Dec 1 2005, 03:48 PM)

I just would like to point out that the TSOP does NOT have to be write-enabled. The dashboard on the TSOP could very well look to see if the dashboard update (which is more than likely downloaded to the harddrive), just executes it from there. So really, the TSOP never changes. Again, a speculation, but a possibility. (MS did say that you have to have XBL to get updates, or am I wrong?)

P.S. Sorry if somebody else stated this, I only looked at the first page, no time to read it all

not everyone has the hard drive though

it's been determined the bootloader/kernel is not on the TSOP, only the dashboard and maybe some other system software, MS has nothing to lose by leaving it write enabled, there's no critical component on the flash

if someone has gotten a dash update from Live they should check the versions with and without the HD, then we will know for sure if the dash is updated on the flash or just the HD (I'm 99.9999% sure it's updated on the flash)
Logged

mandrake001

  • Archived User
  • Newbie
  • *
  • Posts: 39
Xbox 360 Has A Tsop?
« Reply #43 on: December 05, 2005, 11:44:00 AM »

True, the K and D and BK are the same when I remove the HD, also video settings are not stored on the HD .. looks like the HD just holds the accounts and savegames
Logged