[HN Gopher] Exploring the Halo 1 System Link Protocol
___________________________________________________________________
Exploring the Halo 1 System Link Protocol
Author : nhellman
Score : 163 points
Date : 2023-09-18 17:53 UTC (2 days ago)
(HTM) web link (hllmn.net)
(TXT) w3m dump (hllmn.net)
| loeg wrote:
| "age in a bot" might be a truncated form of "message in a
| bottle."
|
| The PRNG exponentiation scheme is essentially Diffie-Hellman.
|
| > Modifying the fire duration does not seem to have any effect
|
| Including, e.g., plasma pistol?
|
| Very cool investigation and writeup.
| nhellman wrote:
| > "age in a bot" might be a truncated form of "message in a
| bottle."
|
| Yeah, that makes sense, it is a very odd sentence otherwise.
| Truncating on "bot" might be a play on words for game AI/NPC.
|
| > The PRNG exponentiation scheme is essentially Diffie-Hellman.
|
| Ah, of course, yes, I was thinking it reminded me of public-key
| cryptography.
|
| > Including, e.g., plasma pistol?
|
| Yeah, it seems so, that was the first weapon I was thinking it
| to be used for. I tried e.g. setting the duration to zero and
| charging the plasma pistol. It still shoots like normal and
| does not seem to affect visual effects, audio or damage for
| either host or guest. It is still possible that it is used
| for something else that I have not noticed. Modifying the
| host's fire duration does not cause a desync so it might not
| affect the game state.
|
| > Very cool investigation and writeup.
|
| Thanks!
| coldpie wrote:
| > Yeah, that makes sense, it is a very odd sentence
| otherwise. Truncating on "bot" might be a play on words for
| game AI/NPC.
|
| I wonder if you could dig into the game code and see where
| the string is coming from.
| monocasa wrote:
| Yeah, it's straight up Diffie-Hellman, even using the First
| Oakley Default Group as its prime.
|
| https://github.com/XombieOnline/xombie/blob/7a1ef08045271437...
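The exchange monocasa describes, as an added example (not code from the post, from the article, or from the xombie project): a plain Diffie-Hellman agreement over the First Oakley Default Group (RFC 2409 group 1, the 768-bit MODP prime with generator 2). The prime is the one published in RFC 2409 section 6.1. How the game turns the shared secret into session keys is not stated in the thread, so the SHA-256 derivation step is an assumption labelled as such.

```python
"""Toy Diffie-Hellman over RFC 2409 group 1 (First Oakley Default Group).
Added example; the key-derivation step is an assumption, not the game's."""
import hashlib
import secrets

# RFC 2409 section 6.1: 2^768 - 2^704 - 1 + 2^64 * { [2^638 pi] + 149686 }
OAKLEY_GROUP1_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A63A3620FFFFFFFFFFFFFFFF", 16)
OAKLEY_GROUP1_G = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin with random bases; a sanity check on the group prime."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = 2 + secrets.randbelow(n - 3)          # base in [2, n-2]
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        composite = True
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                composite = False
                break
        if composite:
            return False
    return True


class DHParty:
    """One side of the exchange: a private exponent and its public value g^x mod p."""

    def __init__(self, p=OAKLEY_GROUP1_P, g=OAKLEY_GROUP1_G, private=None):
        self.p, self.g = p, g
        self.private = private if private is not None else 1 + secrets.randbelow(p - 2)
        self.public = pow(g, self.private, p)

    def shared_secret(self, peer_public):
        # Reject degenerate peer values (0, 1, p-1): they force a trivial secret.
        if not 2 <= peer_public <= self.p - 2:
            raise ValueError("invalid peer public value")
        return pow(peer_public, self.private, self.p)


def derive_key(shared_secret):
    """ASSUMPTION for the demo: hash the big-endian secret with SHA-256.
    The real System Link derivation is not described in the thread."""
    nbytes = (shared_secret.bit_length() + 7) // 8
    return hashlib.sha256(shared_secret.to_bytes(nbytes, "big")).digest()


def run_exchange(host_private=None, guest_private=None):
    """Both consoles exchange public values and derive the same key."""
    host = DHParty(private=host_private)
    guest = DHParty(private=guest_private)
    k_host = derive_key(host.shared_secret(guest.public))
    k_guest = derive_key(guest.shared_secret(host.public))
    return k_host, k_guest


if __name__ == "__main__":
    kh, kg = run_exchange()
    print("prime ok:", is_probable_prime(OAKLEY_GROUP1_P), "keys match:", kh == kg)
```

Two defender-side observations fall out of this. Nothing in the exchange authenticates either public value, which is why the article's MITM could sit between host and guest: an active attacker on the LAN simply runs the exchange with each side separately. And a 768-bit MODP group is far below today's minimum (2048-bit or an elliptic-curve group); it was a reasonable size for 2001 hardware, not for anything designed now.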
| Sxubas wrote:
| Loved it, thanks for being so thorough and documenting the train
| of thought.
|
| I want to ask about one thing I could not understand completely
| on the final section: If there was a client that sent arbitrary
| values for selected weapon, forward, left, etc; would the host
| count them as valid? (I understood this is essentially what the
| MITM allowed to do)
|
| Also, a little feedback, my immersion broke when the video did
| not show Howard and Ghost anymore. Something like Howard1 and
| Ghost1 would've helped understand a little bit more.
| nhellman wrote:
| > Loved it, thanks for being so thorough and documenting the
| train of thought.
|
| Glad to hear! I was hoping to make the whole process easy to
| follow without any large skips or prior knowledge. It is more
| or less my process but with a lot of dead ends removed.
|
| > I want to ask about one thing I could not understand
| completely on the final section: If there was a client that
| sent arbitrary values for selected weapon, forward, left, etc;
| would the host count them as valid? (I understood this is
| essentially what the MITM allowed to do)
|
| Yes, it appears so. The host seems to accept more or less
| arbitrary values (at least for forward, left, actions) and also
| just re-broadcasts them to everyone. The guest client then also
| ignores what it sent and just uses what it receives from the
| host. This allows us to modify the inputs/speed of any guest
| client players without desyncing the clients.
|
| > Also, a little feedback, my immersion broke when the video
| did not show Howard and Ghost anymore. Something like Howard1
| and Ghost1 would've helped understand a little bit more.
|
| Good idea, I could have made it clearer which perspective the
| video was taken from (the guest client). Might be able to re-
| record or simply mention it in the text.
| monocasa wrote:
| So that's basically most of the lowest layers of the Xbox Live
| protocol as well. Simply game discovery happens over local
| broadcast instead of through the Live servers. There's some other
| specifics that change, such as logging into a host xbox doesn't
| diffie-hellman anymore but instead key sets are distributed by
| the server backends with the session information. Additionally
| the auth side is basically non-existent on system link.
|
| Great RE work!
|
| Disclaimer: I created a proof of concept implementation of the
| Xbox Live server infrastructure here:
| https://github.com/xombieonline/xombie
| nhellman wrote:
| > So that's basically most of the lowest layers of the Xbox
| Live protocol as well. Simply game discovery happens over local
| broadcast instead of through the Live servers. There's some
| other specifics that change, such as logging into a host xbox
| doesn't diffie-hellman anymore but instead key sets are
| distributed by the server backends with the session
| information. Additionally the auth side is basically
| non-existent on system link.
|
| Ah, cool, there has been some similar work done before! Are
| there any documented resources or write-ups of the Xbox Live
| protocol somewhere?
|
| > Great RE work!
|
| Thanks!
|
| > Disclaimer: I created a proof of concept implementation of
| the Xbox Live server infrastructure here:
| https://github.com/xombieonline
|
| That is a really cool project! How does one make sure the
| console connects to the server instead of the (now shutdown)
| Xbox Live servers? Does it e.g. have a hardcoded domain so one
| can simply add a DNS entry?
| monocasa wrote:
| > Ah, cool, there has been some similar work done before! Are
| there any documented resources or write-ups of the Xbox Live
| protocol somewhere?
|
| I talked at defcon a bit last year.
| https://www.youtube.com/watch?v=HLyZfZMu-5E Otherwise I've
| been a "source is documentation" kind of guy so far. Could
| definitely use a high level walkthrough as good as you've
| done here; I should probably get on that.
|
| > That is a really cool project! How does one make sure the
| console connects to the server instead of the (now shutdown)
| Xbox Live servers? Does it e.g. have a hardcoded domain so
| one can simply add a DNS entry?
|
| Yeah, they bootstrap off of a set of hardcoded domains. The
| config screens on the boxes let you specify a DNS server, so
| the project runs its own DNS server that's basically when
| obi-wan says "of course I know him, he's me". Then the
| relative lack of any public/private crypto lets us take over
| as long as we know the preshared key in the individual xbox's
| eeprom.
| reidjs wrote:
| This is a well written, in depth analysis of the system. Why do
| you think the packets are encrypted?
| zootboy wrote:
| Probably for the reason the author speculates about in the
| article:
|
| > For example, would it not be cool if there was a game with a
| stack buffer overflow bug that allowed us to run arbitrary code
| remotely? That could potentially enable us to softmod an Xbox
| over the network, without the need of any special hardware.
| nhellman wrote:
| Thanks, I was initially surprised that they were encrypted but
| I can speculate on a few potential reasons:
|
| - The Xbox was designed to be able to play online via Xbox Live
| (e.g. with Halo 2 that came out later in 2004), and they might
| have simply reused the network stack for System Link over LAN.
| I looked a little bit at Halo 2 system link; it uses the same
| system calls from the kernel but the protocol seems to be more
| complicated (e.g. the IV is never sent in plaintext, the two
| consoles derive it somehow). I haven't looked at Xbox Live, but
| Halo 2 could potentially use the same for System Link and Xbox
| Live.
|
| - The Xbox also really tried to lock down its security in order
| to prevent game piracy and homebrew games. This might have been
| another attempt to reduce the attack surface.
|
| - They also might have just wanted to keep their game protocols
| secret for trade secrets or simply avoiding scrutiny. In this
| case, we were able to create a kind of cheat, which they might
| have also wanted to avoid. Even though it is rarely an issue at
| LAN parties, it might have simply looked bad for the brand.
| monocasa wrote:
| From what I've heard from microsofties over beers, it was
| really the second one. They didn't expect developers to write
| network code in ~2001 that didn't have memory safety
| vulnerabilities and wanted a barrier there between simple
| overflows and system security.
| mywittyname wrote:
| Makes total sense, especially recalling the zeitgeist of
| the era. IIRC, this was during the height of worms which
| propagated via vulnerabilities in code that handles network
| traffic.
| willis936 wrote:
| The child in me from 20 years ago dreams of a software tool
| downloaded from a questionable website that jailbroke an
| xbox just by putting in the IP address.
| monocasa wrote:
| I hear that; I wish I was cool enough back in the day to
| release a tool on xbins. I'll have to settle for retro
| computing.
| rasz wrote:
| There are cheats for certain online games that just listen to
| traffic. Sometimes games use bad encryption (static key) and
| cheats decrypt on the fly.
| PawBer wrote:
| The LAN code is probably the same code as the online
| multiplayer.
| ClassyJacket wrote:
| Halo 1 on original Xbox does not have online multiplayer. It
| launched before Xbox Live did.
| monocasa wrote:
| As someone who's written replacement backend Xbox Live
| server infra, I can confirm that system link is very nearly
| the same base protocol set as is used by Live. They must
| have had that nailed down pretty close to launch, and were
| mainly working on support services that live needs but
| system link doesn't up until Live actually launched.
| msk-lywenn wrote:
| They were probably already working on it
| rafark wrote:
| The game was actually close to ship without multiplayer,
| it was an afterthought. Some devs have talked about this
| (iirc, Marty O'Donnell was one of them).
| thomastjeffery wrote:
| The game being an FPS was an afterthought, too.
| Originally, they were working on an _RTS_.
| monocasa wrote:
| I wouldn't call it an afterthought per se, more a pivot
| with a lot of work. It was already an FPS when it was
| shown off at MacWorld'99.
| notnaut wrote:
| I've heard this was also the case for Goldeneye on the
| N64
| ravenstine wrote:
| Goldeneye is one of the best case studies for why
| companies should give their engineers room to experiment.
| If I remember correctly, the multiplayer mode was
| originally a side project of one of the engineers and was
| added near the end of development.
|
| This isn't to say the campaign mode isn't good, but the
| ability for boys to play a shooter game against each
| other on the same console is what made that game.
| nmstoker wrote:
| I recall the game recording feature feeling pretty cutting edge
| at the time, as you could pause it and rotate/fly round the
| scene, it felt really fluid and responsive. I guess now it would
| be common place but back then it definitely seemed a little
| magical.
| nhellman wrote:
| Are you thinking of Theater mode that first appeared in Halo 3?
| Unfortunately it was slimmed down in later Halo games and it is
| rarely seen in other games at all, especially not console
| games.
| kmeisthax wrote:
| Tangential point: the weirdest part about the Xbox was the system
| name. As far as I'm aware that was never configurable by users,
| but certain games would set your system name as an easter egg.
| Any reason why it was built that way?
| dinartem wrote:
| Nice work! Always fun to see something I wrote long ago reverse
| engineered. The packet format was indeed inspired by ESP over
| UDP, and I named it XSP. After system link shipped with the
| original launch of the console, I also worked on Xbox Live
| networking, including the client/server interactions and the
| design and implementation of the front-end Security Gateways that
| all Xboxes would talk to, first to authenticate themselves to the
| service, and then to maintain a heartbeat connection to the
| service (to keep NAT ports open during idle time), and to
| facilitate NAT traversal.
| sosodev wrote:
| Very cool. Have you written a blog or anything about these
| experiences? I would love to read it.
| monocasa wrote:
| Nice! You did a great job on the protocol. Probably my only
| complaint on the XSP side of things is the fact that you have
| to do relatively complex parsing of the XSP packets before you
| can get to the point of verifying the signature of the packet.
| Seems like all of the corner cases were handled well in the
| implementation on the boxes, but as someone who does
| auth/cryptography in my day job, it kind of gives me the
| heebie-jeebies.
|
| Do you know if the auth side was carried into deeper parts of
| the backend? So like, did the SG decorate incoming connections
| with the auth information as they made their way to the
| different services? There seemed to be more auth information
| than I expected in headers on some of those HTTP calls into
| services like matchmaking.
| dinartem wrote:
| That's a valid point about complex parsing. I remember being
| very concerned about adding unnecessary overhead to each
| packet during encapsulation.
|
| As for the SG, it primarily authenticated the Xbox machine
| account using Kerberos and then maintained a security
| association, accepted heartbeats, authenticated and decrypted
| incoming ESP-UDP packets into IP packets that it forwarded to
| the backend servers. Responses from the backend would be
| encrypted, authenticated, and encapsulated before sending
| back to the Xbox. I don't think the SG had any knowledge of
| higher level connections running through it, such as TCP or
| HTTP, so it would not have manipulated HTTP headers as they
| passed through.
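Monocasa's concern above (parsing variable-length fields before the packet's authenticity is checked) and dinartem's reply, as an added example that is not code from either commenter, the article, or the real XSP: two constructed ESP-over-UDP-style framings that carry the same fields, one with the tag placed after a variable-length header (so its position depends on an unverified length byte) and one with the tag at a fixed tail offset (so the MAC can be checked over the raw bytes before any field is interpreted). The layout, key and packet contents are constructed for this demo.

```python
"""Parse-then-verify vs verify-then-parse on a constructed packet format.
Added example; layout A and layout B are hypothetical, not the Xbox's XSP."""
import hashlib
import hmac
import struct

KEY = b"constructed-demo-key"   # constructed for the demo, not a real key
TAG_LEN = 16                    # truncated HMAC-SHA256 tag
HDR_FIXED = 9                   # spi(4) + seq(4) + opt_len(1)


def _tag(data):
    return hmac.new(KEY, data, hashlib.sha256).digest()[:TAG_LEN]


# Layout A: spi(4) seq(4) opt_len(1) options[opt_len] tag(16) payload
# The tag's position depends on opt_len, which is not yet authenticated.
def build_a(spi, seq, options, payload):
    hdr = struct.pack(">IIB", spi, seq, len(options)) + options
    return hdr + _tag(hdr + payload) + payload


def receive_a(pkt):
    spi, seq, opt_len = struct.unpack(">IIB", pkt[:HDR_FIXED])
    options = pkt[HDR_FIXED:HDR_FIXED + opt_len]
    if len(options) != opt_len:
        # Reached with a forged length byte, before any MAC check. In C this
        # branch is where an out-of-bounds read would live.
        return ("parse-error", None)
    tag_at = HDR_FIXED + opt_len
    tag, payload = pkt[tag_at:tag_at + TAG_LEN], pkt[tag_at + TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(pkt[:tag_at] + payload)):
        return ("bad-tag", None)
    return ("ok", (spi, seq, options, payload))


# Layout B: spi(4) seq(4) opt_len(1) options[opt_len] payload tag(16)
# The tag sits at a fixed offset from the end, so it is checked over the raw
# bytes using only the total datagram length.
def build_b(spi, seq, options, payload):
    body = struct.pack(">IIB", spi, seq, len(options)) + options + payload
    return body + _tag(body)


def receive_b(pkt):
    if len(pkt) < HDR_FIXED + TAG_LEN:
        return ("bad-length", None)
    body, tag = pkt[:-TAG_LEN], pkt[-TAG_LEN:]
    if not hmac.compare_digest(tag, _tag(body)):
        return ("bad-tag", None)        # rejected before any field is interpreted
    spi, seq, opt_len = struct.unpack(">IIB", body[:HDR_FIXED])
    options = body[HDR_FIXED:HDR_FIXED + opt_len]
    if len(options) != opt_len:
        return ("parse-error", None)    # only reachable for packets that passed the MAC
    return ("ok", (spi, seq, options, body[HDR_FIXED + opt_len:]))


def corrupt_opt_len(pkt, value=0xFF):
    """Constructed corruption of the length byte at offset 8 (e.g. from a MITM)."""
    return pkt[:8] + bytes([value]) + pkt[9:]


def demo():
    """Outcome of each receiver on a good packet and on one with a corrupted length."""
    good_a = build_a(0x1234, 7, b"\x01\x02", b"hello")
    good_b = build_b(0x1234, 7, b"\x01\x02", b"hello")
    return {
        "a_good": receive_a(good_a)[0],
        "a_corrupted": receive_a(corrupt_opt_len(good_a))[0],
        "b_good": receive_b(good_b)[0],
        "b_corrupted": receive_b(corrupt_opt_len(good_b))[0],
    }


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

The difference shows up in the corrupted case: layout A's receiver reaches its parsing logic with untrusted lengths and only then would get to the tag, while layout B's receiver returns `bad-tag` without ever reading `opt_len`. Dinartem's overhead concern is real for a per-packet encapsulation, but a fixed-position tag costs nothing extra on the wire; what it buys is that every byte the parser interprets has already been authenticated.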
| nhellman wrote:
| Heh, what a coincidence!
|
| Does XSP stand for anything?
| dinartem wrote:
| Xbox Security Protocol. We liked to add X to things back
| then.
| cglong wrote:
| It's a shame it's proprietary, but there's a neat service[1]
| that's been around for over a decade that reverse engineered
| System Link and similar protocols to make them Internet-enabled.
|
| [1]: https://www.teamxlink.co.uk/
| nhellman wrote:
| I haven't tried this out, I wonder how well the Halo 1 net
| protocol works over a less reliable connection. I encounter
| issues as soon as I momentarily minimize the emulator and it
| does not recover without starting a new game.
|
| I wonder if it is enough for XLink to simply send the packets
| through a networked tunnel or if it actually needs to modify
| the packet payload somehow. The consoles might be able to
| handle everything as long as they are able to communicate with
| each other?
| paulryanrogers wrote:
| My friends tried it back in the day and it seemed pretty
| laggy, like 100ms, even with broadband cable. Hosts
| definitely had the advantage.
| monocasa wrote:
| They don't really need to reverse engineer the underlying
| protocol for that service. It's enough to simply bridge the
| networks in a way that local broadcast still gets through.
___________________________________________________________________
(page generated 2023-09-20 23:00 UTC)