[HN Gopher] Hardware Security Exploit Research - Xbox 360
___________________________________________________________________
Hardware Security Exploit Research - Xbox 360
Author : nazgulsenpai
Score : 60 points
Date : 2024-12-19 20:26 UTC (2 hours ago)
(HTM) web link (github.com)
(TXT) w3m dump (github.com)
| Lammy wrote:
| > So - here is a hopefully informative write-up of my journey to
| figuring out how these guys were running unsigned code in 2011 on
| an XBOX 360
|
| > XBOX 360 Security defeated - 2011
|
| I realize this post is more about hardware security than software
| security, but if the benchmark is unsigned code execution then
| the author should at least mention the 2007 (King Kong shader
| exploit) and 2009 (SMC hack -- same root flaw but executed
| automatically at boot) methods of achieving the same:
|
| - https://github.com/Free60Project/wiki/blob/master/docs/Hacks...
|
| - https://github.com/Free60Project/wiki/blob/master/docs/Hacks...
| PaulHoule wrote:
| Back in the day I really liked my 360 whereas my ONE seems like
| a mistake.
| dinartem wrote:
| Good times. I was the developer at Microsoft who designed the
| Xbox 360 hardware security, wrote all the boot loaders, and the
| hypervisor code.
|
| Note to self: you should have added random delays before and
| after making the POST code visible on the external pins.
| spencerflem wrote:
| Congratulations. I haven't had a reason to mess with it myself,
| but I've heard it described online as the most secure piece of
| consumer hardware before or since.
| SteveNuts wrote:
| I'm curious how it fares against a modern iPhone or similar;
| has that ever been compared?
| liamwire wrote:
| I have a hard time believing the 'since' part of that
| description. Intuition suggests the latest iPhone would take
| that crown each year.
| jsheard wrote:
| I think you might be mixing up the Xbox 360 with the Xbox
| One; the former was ultimately compromised in several ways,
| but the latter's security has held up _extremely_ well for 11
| years and counting. The Xbox One and its successor are easily
| the most secure consoles ever made.
|
| Obligatory: https://www.youtube.com/watch?v=U7VwtOrwceo
| notavalleyman wrote:
| What are the reasons for why Microsoft wanted to lock down
| consoles to only run signed code? As a games console
| manufacturer, what are the business reasons for doing so?
| Thanks
| treyd wrote:
| They sell the consoles at a loss, so if you could port your
| own games to the consoles instead of buying the games that
| they could take a royalty from then they lose money. It
| doesn't have to be an _effective_ circumvention to trigger
| the DMCA making it illegal.
| Lammy wrote:
| A games console provided a platform where they could more
| effectively argue that "their" works """needed""" to be
| protected so they could farm us (people who want to run their
| own code on hardware they purchased) for digital-jail
| technologies which would never otherwise have reason to
| exist. Then those technologies can metastasize fully-formed
| over to general-purpose computing in a way that's harder to
| argue against. They learned with Clipper and Palladium that
| trying to develop jail tech on PC would be vehemently
| opposed.
| nemothekid wrote:
| Limiting piracy is the ongoing reason, but there is also the
| historical reason of the video game crash of 1983, which led
| to Nintendo's Seal of Quality.
|
| Essentially as the platform owner, you want to ensure games
| sold for the platform "just work", and if you have a bunch of
| third parties running bad software, consumers would lose
| faith in the platform altogether.
| brokenmachine wrote:
| They are rent seekers.
| vlovich123 wrote:
| I feel like random delays would make the glitch attack harder,
| but it would still be possible given enough attempts. Seems
| like the bigger issue is that you can glitch the CPU reset line
| in a way that corrupts the processing rather than having no
| effect or resetting the CPU.
| kaoD wrote:
| I assume those are probably very hard to fix since (again, I
| assume, I'm just a hobbyist in the hardware space) that sort
| of glitch relies on propagation delays (e.g. a short burst
| triggering some latches but not others, or triggering the
| latches in some specific synchrony).
|
| Can anyone confirm if I'm on the right track with my guess?
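The two comments above (random delays raising the cost of a fixed-timing glitch, and a glitch depending on fine timing) can be put in numbers with a small Monte Carlo model. This is an added example, not code from the linked write-up, from any commenter, or from Microsoft. POST_TO_CHECK, VULN_WINDOW and every cycle count are constructed values, not Xbox 360 figures, and the model is deliberately coarse: it treats "the pulse lands inside the vulnerable window" as the whole story and ignores the propagation-delay effects kaoD describes.

```python
"""Monte Carlo model of timing jitter as a glitch mitigation.

Added illustration; all numbers are constructed and not real hardware values.
The defender emits an observable POST code, then performs a sensitive compare
some cycles later. Without jitter that offset is fixed and learnable; with a
random delay inserted after the POST code it is not.
"""
import random

# Constructed parameters (not Xbox 360 values).
POST_TO_CHECK = 1000   # minimum cycles from the POST code to the sensitive compare
VULN_WINDOW = 4        # cycles during which a pulse would corrupt the compare


def check_cycle(jitter_cycles, rng):
    """Cycle at which the sensitive compare executes, relative to the POST code.

    A uniform random delay in [0, jitter_cycles] is added after the POST code.
    jitter_cycles == 0 models firmware with no mitigation.
    """
    return POST_TO_CHECK + rng.randint(0, jitter_cycles)


def pulse_hits(pulse_cycle, jitter_cycles, rng):
    """True if a pulse at a fixed cycle lands inside the vulnerable window."""
    target = check_cycle(jitter_cycles, rng)
    return target <= pulse_cycle < target + VULN_WINDOW


def hit_rate(jitter_cycles, trials=50000, seed=1):
    """Empirical per-attempt hit rate for a pulse aimed at the mean offset."""
    rng = random.Random(seed)
    aim = POST_TO_CHECK + jitter_cycles // 2
    hits = sum(pulse_hits(aim, jitter_cycles, rng) for _ in range(trials))
    return hits / trials


def _winning_positions(jitter_cycles):
    """Number of delay values for which the compare lands inside the window
    when the pulse is aimed at the mean offset (exact count for this model)."""
    hi = jitter_cycles // 2
    lo = max(0, hi - (VULN_WINDOW - 1))
    return hi - lo + 1


def expected_hit_rate(jitter_cycles):
    """Closed form: winning delay values out of jitter_cycles + 1 equally likely ones."""
    return _winning_positions(jitter_cycles) / (jitter_cycles + 1)


def expected_attempts(jitter_cycles):
    """Mean attempts until a hit (geometric distribution): grows linearly with jitter."""
    return (jitter_cycles + 1) / _winning_positions(jitter_cycles)


if __name__ == "__main__":
    print(f"{'jitter':>8} {'empirical':>10} {'closed form':>12} {'mean attempts':>14}")
    for j in (0, 10, 100, 1000, 10000):
        print(f"{j:>8} {hit_rate(j):>10.4f} {expected_hit_rate(j):>12.4f} "
              f"{expected_attempts(j):>14.1f}")
```

The table the script prints makes vlovich123's point concrete: the per-attempt hit rate falls as VULN_WINDOW / (jitter + 1), so the mean number of attempts grows linearly with the jitter range rather than becoming impossible. The mitigation buys cost, not immunity, and only to the extent the delay itself is unobservable from the outside; if the external pins reveal when the delay ended, the model collapses back to the jitter == 0 row.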
| liamwire wrote:
| Can you speak to some of the harder or more interesting
| challenges you faced during that time?
| dinartem wrote:
| One challenge was that while I started working on the Xbox
| 360 about three years before it would ship, we knew that the
| custom CPU would not be available until early 2005 (first
| chips arrived in early February). And there was only supposed
| to be one hardware spin before final release.
|
| So I had no real hardware to test any of the software I was
| writing, and no other chips (like the Apple G5 we used as
| alpha kits) had the custom security hardware or boot sequence
| like the custom chip would have. But I still needed to
| provide the first stage boot loader which is stored in ROM
| inside the CPU weeks before first manufacture.
|
| I ended up writing a simulator of the CPU (instruction
| level), to make progress on writing the boot code. Obviously
| my boot code and hypervisor would run perfectly on my
| simulator since I wrote both!
|
| IBM also had a hardware-accelerated cycle-accurate simulator
| that I got to use. I was required to boot the entire Xbox 360
| kernel in their simulator before I could release the boot ROM.
| What takes a few seconds on hardware to boot took over 3 hours
| in simulation. The POST codes would be displayed every so
| often to let me know that progress was still being made.
|
| The first CPU arrived on a Friday; by Saturday the electrical
| engineers flew to Austin to help get the chip on the
| motherboard and make sure the FSB and other buses were all
| working. I arrived on Monday evening with a laptop containing
| the source code to the kernel; on Tuesday I compiled and
| flashed various versions, working through the typical
| bring-up issues. By Wednesday afternoon the kernel was running
| Quake, including sound output and controller input.
|
| Three years of preparation to make my contribution to
| hardware bring-up as short as possible, since I would
| bottleneck everyone else in the development team until the
| CPU booted the kernel.
| fragmede wrote:
| Damn, that's badass. Did that simulator run on a Windows
| system or was it something more esoteric?
| bananaboy wrote:
| Amazing! Thanks for sharing! What sort of things are you
| working on now?
| kridsdale1 wrote:
| This is the coolest HN post I've read in months.
|
| Cheers.
| kaoD wrote:
| > Note - Newer revisions of XBOX 360 have no access to CLK and you
| must use Matrix oscillator
|
| If there's no CLK line on the mobo, does this mean newer X360s
| have everything that might be clocked (I assume at least CPU, GPU
| and V/RAM?) in a single chip, SoC-like?
___________________________________________________________________
(page generated 2024-12-19 23:00 UTC)