Information request about security on xbox 360

Discussion in 'Xbox 360 - Hacking & Homebrew' started by monkeyman4412, Apr 19, 2018.

  1. monkeyman4412
    OP

    monkeyman4412 Gbatemp's moronic trash

    Member
    8
    Jun 16, 2016
    United States
    Darn, I can't come up with something edgy
    So there are a few things that I would like to know. Such as how the hypervisor works, and detailed, up to date documentation if possible (dump maybe? if we are going to talk about that, direct message me) And how microsoft signs their applications/games. That's all I would like to know, I'm primarily interested in how the hypervisor works as of the latest version.
     
    Last edited by monkeyman4412, Apr 19, 2018
  2. FAST6191

    FAST6191 Techromancer

    pip Reporter
    24
    Nov 21, 2005
    United Kingdom

    Old but mostly how it still works. The offhand comment about SMC not being useful (it being the thing that eventually gave us JTAG and RGH, as indeed the earlier announcements of things in that world made light of) being the main thing of note there.
    You can have a bit more http://free60.org/wiki/SMC_Hack#Technical_details and http://free60.org/wiki/Hypervisor

    Signing wise I don't know the algos offhand and most are more concerned with the types of format LIVE (XBLA, DLC and such), CON (saves/profiles/user stuff basically) and PIRS (kind of like LIVE but freely installable on all 360s), all of which fall under the banner of STFS http://free60.org/wiki/STFS .

    The only other real differences were in the DVD arena where the boards were made harder to flash and retrieve keys, drive firmwares for all revisions (certainly all the desirable ones) got updated by MS at one point to handle slightly larger discs, a few move-counter move things went on (see AP2.5) and a few times the DVD firmwares were caught short/needed updates to tweak their own security.

    If you are looking for the really hardcore and up to date technical stuff I am not even sure where to point you these days -- a lot of the old forums for such things have long since gone and things were never especially centralised. Equally people here might be able to tell you how to hack your system and what approaches certain goals will require but the number that are down with the kernel/hypervisor/whatever to the levels you seek are a bit thin on the ground around here.
     
    brickmii82 and DinohScene like this.
  3. DinohScene

    DinohScene Feed Dino to the Sharks

    Moderator
    23
    GBAtemp Patron
    Oct 11, 2011
    Antarctica
    Delight
    brickmii82 likes this.
  4. monkeyman4412
    OP

    monkeyman4412 Gbatemp's moronic trash

    Member
    8
    Jun 16, 2016
    United States
    Darn, I can't come up with something edgy
    I'm surprised that not all the utility functions have been listed. It says within the table 0x00000000 add more later...
     
  5. DinohScene

    DinohScene Feed Dino to the Sharks

    Moderator
    23
    GBAtemp Patron
    Oct 11, 2011
    Antarctica
    Delight
    Free60 hasn't been updated for a long time, mostly due to the Xbone.
     
  6. brickmii82

    brickmii82 GBAtemp Maniac

    Member
    9
    Feb 21, 2015
    United States
    I saw this reply yesterday and watched that video. After some thought, I wonder how the Switch will measure up to the 360 in terms of HW security aside from Nvidia missing the Tegra flaws that’ve been found. Once the new patched version comes out, I suppose that other entry points will be explored and a definitive answer to that question will be found. You’ve been in this scene for a very long time, what’s your take on that Fast?
     
  7. FAST6191

    FAST6191 Techromancer

    pip Reporter
    24
    Nov 21, 2005
    United Kingdom
    I have yet to see that C3 presentation on the Switch and thus don't have the greatest knowledge base to draw from here. Leaving aside the Tegra stuff it seems where MS will presumably allow you to flash back if the efuses are wrong then Nintendo seems to set a brick flag which caught my attention.
    I will get around to watching that presentation, however I keep finding stuff like https://www.youtube.com/channel/UC22BdTgxefuvUivrjesETjg which takes up my fun video watching time.
     
    brickmii82 likes this.
  8. Peluki

    Peluki Member

    Newcomer
    1
    Jul 8, 2018
    United Kingdom
    Hi ...

    Don't know whether or not you are still interested? as I don't frequent the Forum very often, and came across your posting from April. I did quite a lot of work on the XB360 including writing a number of articles and programs especially concerning the STFS, regarding Rehashing and Resigning game saves etc, and although I still have my original 360, I did in fact buy one of the last production runs of the 360, although it just sits on top of my PS4 and I have probably not switched it on more than a couple of times since I unpacked it! I never actually thought anybody would still be interested in the 360 after all this time!

    I have possibly 10-12TB of archives of old computer related information from my days of Assembler for the Zilog Z80, Motorola 6502, 6800 and 68000 CPUs and the Old Xbox, and even kept my exploit disks such as Splinter Cell and Agent Under Fire etc which enabled Linux Loading etc. Unfortunately all this information sits somewhere amongst these archives, but, in the main was just generally dumped into archive from Floppy Disks, Tape Streamers, Zip Disks, SyJet Cartridges, HDDs, CDs and DVDs etc, but unfortunately, in no particular order! and although it was of little value to me now, I didn't want to just throw it all away, so just dumped it all to a number of pocket sized 2TB drives ...

    If you are still interested ... I will see what I can come up with!

    Information below might just whet your appetite! or indeed may just put you off! ... and was something I just managed to find, and was the complete article that I posted as a response to an enquiry in 2012, may have been on my own BB can't remember!

    +--------------------------+
    | The STFS Security Primer |
    +--------------------------+

    The STFS (Secure Transacted File System) is a package type file format used for storing Game Saves and various other content for the Microsoft Xbox 360 Console. The Package size is always on a 4096 (0x1000) Boundary ...

    The Header for an STFS package consists of a 0x4 Byte Magic/ID Value (Padded, and contains CON/PIRS/LIVE), a X.509(PKI) Certificate which holds console specific information, including the Certificate Owner's Console ID[1], as well as the RSA Asymmetric Public Key Exponent and Modulus (Signed with PKCS1 (1024 bit) RSA signature) and a PKCS1 RSA signature that is generated from a SHA1 Hash taken from the Overall Header Extension. A series of 16 Licenses 0x10 long with 0x8 Reserved for the License; 0x4 for the Flags and 0x4 for the Info Bits. The Header also holds an SHA1 content ID Hash, followed by an Int32 (Big Endian) Value indicating the Base Hash Block, and also the STFS Type (Calculated by: Value + 0xFFF & 0xF000) ...

    A Content Type Enum is written out (Indicating what the package contains and how the Data is to be Handled, and which also indicates the corresponding folder the package should be placed in). After that it's Metadata Type 1/2 for the Package (Including all the Descriptors, IDs, Game Title, Save Name/Number, Position etc, and also an SHA1 Hash of the Top Level Hash Block, a Count of Valid/Old Data Blocks and a Descriptor for the STFS) followed by an Icon for the Package and an Icon for the Content ...

    Hashes - 0xA000/0xB000 are Reserved as the Base Hash Blocks (which one is used, is dependent on the Base Hash Block value in the Header), these blocks are also considered level 0 of the Hash Tree (Level 1 is determined depending on the Base Block in the Descriptor). Each Hash Block can contain up to 170 (0x1000/0x18) 0x18 Byte Blocks (0x14 for the Hash itself, 0x1 for info, and 0x3 for corresponding Data Block Status (Normally Contiguous)) NB. I'm not going to go into pointer positioning or recursive loading on the levels regarding the Hash Tree or Block Status, and will require you to provide the necessary positioning and processing code. Many people use an unnecessarily complicated EndianIO - Thereby Hangs a Story! - which is totally unnecessary, and a simple BaseStream positioner will suffice, Endianness can be catered for in the limited code processing. It is much better and faster to check the calculated SHA1 Hashes against the stored values when the blocks are being processed, and do a quick comparator check for equality, and only write out if necessary ...

    Files - 0xC000 is Reserved as the Base File Table. Each File Table Entry is 0x40 Bytes in length and each file table can hold up to 64 (0x40) Entries. Each entry consists of an ASCII FileName, FileName Determinate, Flags, Reserved Block Count, Allocated Block Count, Block Offset, Folder Specifier, File Size, Creation TimeStamp, Modified TimeStamp [Both written in FAT(X) Format] Many people appear to have issues here! but the date/time is easily coded by a little bit shifting logic...

    Signature - After all the Hashes have been calculated, the overall security hashes processed and checked, the File is Signed using the Console's own Unique Key ...

    Re-signing is achieved by creating a new instance of the RSA Crypto Service Provider, and importing the RSA Parameters from an available KeyVault, which pulls in the Modulus, Exponent etc, checks and/or calculates/stores the overall security hashes generated from the Hash Tree, and the Signature processed and written out using the SHA1 Hash described above, finally the Public Key Data is written out to complete the process ...

    Reference:
    [1] This gets changed to the Certificate Owner's Console ID if the file gets resigned, and if a game checks both IDs - I think one of the Forzas is one - then Only your own console Keyvault Data will satisfy the Signing Process ...

    PLEASE NOTE: I have recounted this Data hopefully to be of some assistance, and provide a starting point, not to get involved in a never-ending questions and answers session, most, if not all of the tabular data/offsets can be got from Free60/STFS ...

    EOF
     
    monkeyman4412 and DinohScene like this.
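The primer above describes 0x18-byte hash entries (0x14 SHA1, 0x1 info, 0x3 block status) packed 170 to a 0x1000-byte hash block, recommends checking recomputed SHA1s against the stored ones as blocks are processed, and notes that the FAT-style file table timestamps are "a little bit shifting logic". The following is an added example (not Peluki's code, nor any STFS tool's) that does those two things in isolation. Assumptions are labelled: entry i of a hash block is taken to cover data block i of the supplied list (real STFS positioning across tree levels is not modelled), the sample blocks are constructed, and the timestamp is taken to pack the FAT date word in the high 16 bits and the FAT time word in the low 16 bits.

```python
"""Added example: STFS-style level-0 hash entry verification and FAT
timestamp (de)coding. Not code from the thread or from any STFS tool."""
import hashlib

BLOCK_SIZE = 0x1000                 # packages sit on a 0x1000 boundary
HASH_ENTRY_SIZE = 0x18              # 0x14 SHA1 + 0x1 info + 0x3 block status
ENTRIES_PER_HASH_BLOCK = BLOCK_SIZE // HASH_ENTRY_SIZE   # 170


def parse_hash_block(block):
    """Split a 0x1000-byte hash block into (sha1, info, status) tuples."""
    if len(block) != BLOCK_SIZE:
        raise ValueError("hash block must be exactly 0x1000 bytes")
    entries = []
    for i in range(ENTRIES_PER_HASH_BLOCK):
        e = block[i * HASH_ENTRY_SIZE:(i + 1) * HASH_ENTRY_SIZE]
        sha1, info = e[:0x14], e[0x14]
        status = int.from_bytes(e[0x15:0x18], "big")   # 3-byte status field
        entries.append((sha1, info, status))
    return entries


def verify_data_blocks(hash_block, data_blocks):
    """Return the indices of data blocks whose SHA1 differs from the stored
    hash. Assumption: entry i covers data_blocks[i] (simplified positioning)."""
    entries = parse_hash_block(hash_block)
    return [i for i, data in enumerate(data_blocks)
            if hashlib.sha1(data).digest() != entries[i][0]]


def build_hash_block(data_blocks):
    """Constructed sample: one entry per block, info/status left zero,
    padded to 0x1000 so parse_hash_block accepts it."""
    block = bytearray(BLOCK_SIZE)
    for i, data in enumerate(data_blocks):
        off = i * HASH_ENTRY_SIZE
        block[off:off + 0x14] = hashlib.sha1(data).digest()
    return bytes(block)


def decode_fat_timestamp(value):
    """Unpack a 32-bit FAT timestamp (assumed: date word high, time word low)
    into (year, month, day, hour, minute, second)."""
    date, time = value >> 16, value & 0xFFFF
    return (1980 + (date >> 9), (date >> 5) & 0x0F, date & 0x1F,
            time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)


def encode_fat_timestamp(year, month, day, hour, minute, second):
    """Inverse of decode_fat_timestamp; seconds are stored in 2 s units."""
    date = ((year - 1980) << 9) | (month << 5) | day
    time = (hour << 11) | (minute << 5) | (second // 2)
    return (date << 16) | time


if __name__ == "__main__":
    # Constructed sample: three 0x1000-byte data blocks, one later corrupted.
    blocks = [bytes([i]) * BLOCK_SIZE for i in range(3)]
    hb = build_hash_block(blocks)
    print("clean package, mismatching blocks:", verify_data_blocks(hb, blocks))
    blocks[1] = blocks[1][:-1] + b"\xff"
    print("after tampering block 1:", verify_data_blocks(hb, blocks))
    print("timestamp:", decode_fat_timestamp(encode_fat_timestamp(2012, 7, 8, 13, 45, 30)))
```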
  9. monkeyman4412
    OP

    monkeyman4412 Gbatemp's moronic trash

    Member
    8
    Jun 16, 2016
    United States
    Darn, I can't come up with something edgy
    thank you. I'm extremely interested in the other information you have. I'm genuinely surprised you managed to even see this, let alone, have any information on the system on this thread. (I kind of expected this thread to have no real in-depth stuff, or any good responses.)
     
  10. Peluki

    Peluki Member

    Newcomer
    1
    Jul 8, 2018
    United Kingdom
    Hi again ...

    Heavily involved with the PS4 (and some Gaming) at the moment, but after making the post, I thought I would better keep an eye on things just to see if you were still around, or indeed still interested! because there would have been little point in digging through my archives if your interest had diminished somewhat! - It would also appear my STFS primer hasn't put you off at all! - you would be surprised at how many it did originally when I was involved! certainly not what you could call child's play!

    Firstly it would be of interest to know exactly what your intention is concerning the 360, although it isn't exactly dead and gone, the requirement for any in depth analysis of any aspect of it has surely diminished considerably, with the possible exclusion of a handful of die hard developers, and I certainly don't mean that in any disrespectful way! - I think it's a little mountaineering, it's all about the challenge! - but, I do believe that the newer models are even more complex as regards newer inclusions, and I certainly haven't kept up with any developments in many years! I have all the games that I have ever wanted, and are now so cheap anyway, I can't imagine even piracy being an issue anymore, but, even so I don't play any that I already have anymore!

    Over the years I have built all manner of interfacing hardware - getting a bit old for that level of interest now! - but once you get into hypervisors and private key crypto signing, the reward to challenge ratio becomes increasingly off-putting, certainly did in my case. The early XBox models were a relative breeze in comparison! and provided a good Multi-Media Box. One of the reasons I got involved was because of the 360 Save Strategy, certainly as regards stage game saving, and indeed never forgave Microsoft for introducing a Transacted Secure System based on the MS-DOS FAT for GAMEPLAY SAVES!! A level of Secrecy and Complexity that had no real place in reality, and thus preventing a User from maintaining adequate stage back-ups of on-going Gameplay, especially when a user was presented originally with a simple MU back-up facility (another MS money-making exercise!) and the PC interfacing problems associated with that! To add insult to injury and to cap it all off, the original USB strategy initially introduced even more complexity with XTAF (So named after its Little-Endian XTAF Magic Identifier in the Header), which I believe was dropped in the later USB interfacing developments. These things prompted writing several programs, the first a simple STFS Container Analyser with extraction rehashing and resigning facilities, the second a more in depth STFS Analyser with Account Profiling and GPD Analysis, and finally an XTAF Device Explorer.

    As a programmer I have never had any problems with manufacturers protecting their interests, or preventing piracy, but certainly did have major problems with the aforementioned situation! with the STFS Game Play Strategy, and vowed I would never again go the Microsoft route, hence NO Xbox One, and there never will be! and as far as I'm concerned they have nothing anyway even remotely as good as 'The Last of Us' in any case!

    If the above wasn't enough, if you could enlighten me to exactly what you are intending to do, I will do all I can to help - that's if I can!? ... But having just downloaded and rehashed the [Guide] How To Hack Your 360 by DinohScene above - so I could read it off-line as a matter of interest - I cannot think that I will be able to add anything much that isn't already covered in that in depth article, which appears to be pretty well up to date in every respect!

    I may not be back for a few days, but will keep an eye on the Post ...
     
    DinohScene likes this.
  11. monkeyman4412
    OP

    monkeyman4412 Gbatemp's moronic trash

    Member
    8
    Jun 16, 2016
    United States
    Darn, I can't come up with something edgy
    Yah I do owe you an explanation. So as of late, I've been looking into, potential, theoretical exploits. (Not really because of the lack of in-depth information. Read more) I don't expect (although I do hope) to find potential holes with the 360.
    But with the recent modding of the ps3 it really does make me wonder if there was something that was missed. Because while a lot of time has passed. Many of the people who worked in the homebrew scene of the 360 had left.
    that's when I had some interest in the 360. I was thinking that by now something may have been extremely missed. No system is "Unhackable" sure, there is the fact that with each layer of security and how well it's implemented. But I was hoping that age may have brought on some new developments that could be used.
    But, I immediately hit a brick wall. And that was information, or the lack thereof, in regards to the entirety of Microsoft security for the 360. Which to be truthful. I was rather disappointed in the lack of any in-depth or detailed information on the system's security. Something that I guess you could say I was "privileged" because of the other hacking scenes. (3ds specifically. And yes I'm aware, 3ds and 360 are extremely different. Specifically on how well they handled security. Which it would make sense a computer OS manufacturer whose main goal is to give a functional and secure operating environment)
    Back on point. 3ds was practically documented front and back. And how everything was handled.
    A bulb went into my head for a moment, and then immediately went out.
    Internet explorer isn't exactly... secure to say the least. Granted ms probably has been throwing patches here and there into IE for the 360. But that's when it hit me. The 360 is previous gen. And games for the 360, or should I say apps. Aren't updated near as often when it was alive. (right now let's just call the 360 a ghost. Since lack of new games for it. But Microsoft undying support for it with gold.)
    So theoretically, IE can be exploited.
    But again, hit a brick wall. Once again, being information. Sure, if I found an exploit for IE it wouldn't really mean anything. Because the hyper-visor dictates whether or not code can be executed. Unless there was some accidental mistake MS made that is a service that lies between game/app/user land and the hypervisor .. But I can't really say anything about that. Since again, lack of information. So I cannot even make a "reasonable" idea if it's possible.
    With what I only know, it really does sound impossible for a software exploit.
    And pretty much repeated the same damn loop of. "Right... no information." For each idea I came up with.
    And then also philosophy and possibility questions came into play making things more frustrating for me. (since I'm pretty bad about getting myself stuck within my own thinking.)
    And it's just that tiny minuscule possibility that microsoft has missed something that can be exploited without a hard mod has been driving me insane. So to summarize.
    I'm looking for information in regards to the xbox 360 in regards to how security is implemented, and information that is up to date. To either finally put my doubt to rest, or, to finally act and try something. (that being even more research and learning.) It's kind of like a situation where you want to go to two different locations at once, and so your body is fighting you and so you're stuck in an endless limbo asking if you should or shouldn't for both choices.
    (But it's something of a guilty pleasure, learning how things operate. Which does fascinate me.)
    As a side note. I'm also the kind of person who really dislikes the idea of physically tampering with the console.
     
    Last edited by monkeyman4412, Sep 26, 2018
  12. godreborn

    godreborn GBAtemp Guru

    Member
    12
    Oct 10, 2009
    United States
    there's a lack of interest in the 360. since almost all systems can be rgh'd, there's no reason to look any further. the hack exists.
     
    aadz93 likes this.
  13. Peluki

    Peluki Member

    Newcomer
    1
    Jul 8, 2018
    United Kingdom
    Hi ...

    Completed my project successfully, so available to see if anything more had been put forward ... having read the contents of your post several times, the bulk of it I'm sorry to say leaves me at a total loss! and therefore as a consequence, I feel I will not be able to help with what you appear to be trying to do! ... But ... Good Luck ...
     
  14. Peluki

    Peluki Member

    Newcomer
    1
    Jul 8, 2018
    United Kingdom
    monkeyman4412 ... I do hope you return to read this ...

    First and foremost I don't usually return to something when I have already made a decision, but, I felt in this case I must clarify my reasoning behind why I came to the conclusion that I did! as I don't like to try and offer a promise of help and then go back on it!

    Your post lacked any clarity, indicating to me your knowledge of programming and/or electronics was very limited to say the least. There is a whole world of difference in wanting to do something, and having the skill or ability to do it! I remember years ago a friend coming round to look at my first Fender Stratocaster, and on listening to me play, and after having a go themselves wondered why they couldn't play as well as me, and appeared quite shocked when I told them - it's the twenty or so years of experience and playing that makes the world of difference!

    You appear to be trying to enter a subject that can and does in some cases flatten even accomplished programmers and electronic engineers, and to enter that field you would have needed to indicate that you do indeed have the necessary skills to enter it, which from your to and fro comments I very much doubt is the case! - but, I may be wrong - and am always prepared to be proved wrong, but certainly only by deed and not warm words!!

    I set a few things out in my post - hence the length - that would hopefully try to give me a clue in what I would be up against in trying to help someone such as yourself, and I have helped many people over the years. The STFS Primer was included to hopefully produce a reaction from you, and programmed my first STFS Analyser from not much more information than was contained in that primer ... your comments ... none!

    If I have read the situation incorrectly then perhaps you will enlighten me further!
     
  15. aadz93

    aadz93 Hypavisah

    Member
    4
    Jan 29, 2008
    United States
    South Carolina


    the actual hardware talk begins @ about 5 min in, lays out the hardware pretty much down to the block assembly-level......luckily only because the actual cpu cores are just off the shelf,(with the mmu and 1bl rom -ram/hypervisor support added) they were probably just able to get easier(easy is a relative term in this scope) access to the ppc64 instruction set used (its great to know how to tell the cpu to do something or tell it something period... or know wtf it's saying in response), bear in mind this is when the jtag was released, so the timing attack was is/not = RGH, it was hardware downgrade hack, so you can do kingkong. people should call him felix danke tbh lmao, this stuff is very difficult and really does take some determination and at times your wallet....nowadays they try to build the hardware to a point that most people do not have the hardware necessary to reverse engineer, or at least make it expensive for the average person ("modder") to try and shoo them away. you have to think/work from the pov of the hardware manufacturer.
     
    Last edited by aadz93, Nov 4, 2018