After all the confusion of the last week over the Xbox 360 DVD firmware hack, people started launching the wildest theories on the internet about the implications of what has been achieved. The problem was mainly one of proof and solid information: there was only a video and huge heaps of incomprehensible technical mumbo-jumbo to work from, nothing the lesser gods amongst us could actually get a solid grip on. Xboxic met up with Robinsod, one of the six hackers who worked for months to perform the hack, to sort out once and for all what has been done and what it means for the Xbox 360, all of it in understandable language that anyone with some basic technical insight should be able to follow.
For those too lazy to read the entire interview, the very short summary is:
- The hack is a modification of the DVD drive's flash firmware and is completely unfit to be applied to a modchip.
- Anyone selling a modchip based on this is a scammer.
- Trying to replicate the hack without multiple years of experience at this kind of thing will most certainly brick your 360: the flash chip currently has to be removed from the drive board and programmed externally.
- Microsoft will quite probably be able to detect fake firmwares very soon once the cat-and-mouse game commences, so you can expect to be kicked off Xbox Live for the rest of your life.
- Watch out for brickware. Some moron will probably release one.
If you are interested in the full details, read on. We skipped all the who-are-you and how's-life bullshit because he wouldn't tell anyway, so no useless chitchat here. Enjoy the interview, and many, many thanks to Robinsod and TheSpecialist for answering all our pesky questions! If you consider this interview a worthwhile read, digg it too: spread the word, not the disc!
Xboxic: The big question for everyone of course is “why?” Why would anyone bother screwing around for 4 months to break a console’s security if you have no intention to do the thing it facilitates: running illegal software?
Robinsod: Because I am naturally inquisitive, I want to understand how things work. I don’t actually play video games much, if at all. Of course waving a big sign saying ‘forget it boys, you won’t break in this time’ is just going to encourage me. Ok, let’s see if I’m good enough. In short, the usual hacker motivations.
Xboxic: How long have you been into hacking, and what was your reason to specialise in this expertise? Do you have a related job or just doing this for the fun and the challenges?
Robinsod: I have been interested in hacking for a long, long time. I followed TheSpecialist’s Xbox1 hack in the XBH forums since it began and just started to dig around. Really it started as an idle interest, but as I started to make more progress in understanding the firmware and share information & ideas with other people it became more & more important to finish the hack for its own sake. I don’t work in the games industry or anything, this is just for fun.
Xboxic: You guys claim you will not be releasing the hacked firmware, foremost reason being Microsoft’s legal department and hacker ethics a close second. Do you personally know of any cases where hackers got into trouble with console manufacturers? And like many people claim, haven’t you already sold the hack to the highest bidder? Or received a huge payment from MS itself to keep the code to yourself?
Robinsod: We will not be releasing a hack, we won’t sell it and no-one from Microsoft has approached me either to pay me off or shut me up with legal threats (this may change of course). I want to polish this hack a little more for my own satisfaction and then I will consider it done. All the information needed to implement this hack is available and I have no interest in doing further research. I know of cases where thieves have been prosecuted for selling duplicated copyright material but I am not aware of hackers being prosecuted for being interested. I could of course just be ignorant about that.
Xboxic: There are people out there that think the released video is a fake, because it doesn’t exclude the possibility of a second 360 connected to the back of the TV to fake booting the PGR3 backup. For the people unable to understand the technical evidence in XBH forums, do you plan to release “better” evidence?
Robinsod: The video evidence is quite compelling if you know what is happening. As TheSpecialist pointed out, the laser of the DVD drive does NOT behave like that if you simply insert a backup. The video shows a crude version of the hack, the drive is still reading some of the authentication data from the ‘middle zone’ of the disk. Maybe a better video could be filmed, but why bother? I don’t really care if people believe me or not: all the ‘proof’ is there in the XBH forums and the drive firmware. Also, you will never satisfy everybody that it’s not a fake no matter what you do.
Xboxic: The skeptics might still say you did succeed in hacking the firmware to behave like booting but the TV was running from another one. ICE modchip taught people to be cautious.
Robinsod: It would be impossible to convince them all, and yeah, sure, there are a lot of scammers out there. So scepticism is healthy.
Xboxic: Even though Xboxic in its original article on the upcoming hack made sufficiently clear that this hack is unusable by the general public, many people predict this breakthrough will cause a modchip to be released in a matter of weeks. How do you see chances of a modchip happening anywhere soon?
Robinsod: The hack is a modification to the DVD drive’s firmware, which is stored in a flash memory chip inside the drive. IF I were to release this hack, which I am most certainly not going to, I would release it as a Windows drive programming package, exactly the same as used to upgrade a PC’s DVD drive. Anyone who tries to sell you a chip is a scammer and is trying to cheat you. This hack is useless to the public in its current form, it has not been ‘weaponised’ and currently requires that the flash chip is removed from the drive circuit board and inserted into a special flash programming device. And I want to stress that if you don’t know what you’re doing you can easily destroy your 360 - don’t do it.
Xboxic: You have seen the sites on the internet though that more or less provide a step-by-step guide to recreate this hack. People will try.
Robinsod: I have seen some compilations of the many posts made by many talented people on XBH over the last few months. They should not be considered a guide, but a great set of notes containing useful stuff about interfacing to the drive. Trying to use that info without knowing every little detail will probably destroy your 360.
Xboxic: Using the current hack the system cannot detect the modification, because the firmware can lie about its authenticity thanks to the cracked challenge/response protocol. Is it still possible for the system to softflash the drive should it want to? And if so, isn’t the hack completely useless should Microsoft decide to simply reflash the drive’s firmware every reboot, or every week, or every dashboard update?
Robinsod: Well, there are several parts to the answer. This is a consumer device and really you don’t want to have a reflash fail and brick the device. I don’t know if the Toshiba-Samsung drive has a fall-back position to recover from a bad flash; the Hitachi-LG has a ‘recovery’ mode if the main application is corrupted, restoring an empty firmware with only softflashing capabilities. If this feature, or something like it, does not exist then I doubt Microsoft would want to risk it, all those angry customers coming in with bricked 360s. The drive could be softflashed from the kernel, but the firmware controls the process, so it could just say that the flash succeeded any time even though it didn’t do anything.
Xboxic: Is your analysis of the used challenge/response protocols complete or does it just cover a subset of possible challenges? Would Microsoft be able to detect the hack if they send out a dashboard update sending different challenges to trigger erroneous behaviour from the firmware?
Robinsod: Yes, I believe there’s a response modifier but I haven’t seen it used yet. Sure, then the game becomes how accurate an emulation can the hacker create? It becomes a game of cat and mouse… The challenges themselves are actually on the game disc: the kernel reads an encrypted table from the disk, decrypts it and issues the challenges contained in it. Malformed challenges from the console could trigger correct responses from the hack and be detected, but we could probably reuse the existing code to factor this into the equations.
Xboxic: Say Microsoft releases a mandatory dashboard update tomorrow that installs a new firmware with a completely different challenge/response protocol on every 360 in the world, will it take you guys another four months, or can Microsoft strengthen the protocol sufficiently to ward off further breaches until the release of their next console?
Robinsod: They can make life difficult by validating the disk with greater accuracy. If they do, someone else will have to continue improving the hack, since I’m done with it now we’ve proven it can be done with the current Xbox 360.
Xboxic: Following the previous question: people are claiming that Microsoft forgot to sign the firmware on purpose and left the debug routines in there to make it an attractive target, a honeypot to attract the bees. This way they bought over 4 months of time in which the best hackers of the world would try to hack the easily replaceable and patchable firmware, time they didn’t spend on hacking the really dangerous parts of the system. Do you consider this theory credible?
Robinsod: No, not really. Why leave any chink in the armour? People were going to attack the system anyway, why make it so easy with the debug routines that it only cost us 4 months? They could’ve made it much harder and we’d have attacked the firmware anyway because that’s what TheSpecialist did on the Xbox1.
Xboxic: Is there going to be an Xbox 360 revision soon containing a signed firmware in the drive? Of course with the public key embedded in the DVD drive’s ROM to avoid any future tinkering with the firmware?
Robinsod: No idea, but unless the flash is inaccessible or properly encrypted any signature can be spoofed. I suppose if there was a bootloader in ROM that was packaged with the drive’s micro, that could check the flash’s signature. The problem then is it pushes up costs, the drive uses standard components which don’t have security features.
Xboxic: $5 extra cost per drive to avoid 500k Linux boxes sold at $125 loss seems an easy equation.
Robinsod: Then perhaps it’s a good thing the hack came so early and the cost of custom LSI can be spread over a larger number of consoles, and before too many ‘pirate capable’ systems were sold.
Xboxic: In a forum post TheSpecialist literally said “I doubt you’ll see some kind of OTHER hack soon, that lets you boot unsigned code for example. MS did a very good job on the 360 itself this time.” Does this mean you guys don’t see homebrew or other unsigned code being run anywhere soon, like within the current console’s lifecycle?
Robinsod: Hmmm, well given the complexity of the software (and MS’s reputation for secure software) it seems unlikely that there’s no way in. The problem is finding it… Another motivation for this hack is to see if there is any possibility of an attack via unsigned modified files (no idea if there are any or if it is - that’s the next area of research). But again, any successful attack opens the door to piracy. If MS would sell me a home developer’s XDK that allows me the opportunity to write code for what is a fantastic piece of kit then I would have no reason or excuse for doing this.
Xboxic: Devkits cost over $22k indeed. I remember my Amiga days pushing the machine to its limit until 7am squeezing the last bit of performance out of a superb system, all with a $10 shareware assembler program.
Robinsod: Yeah, but I doubt a copy of VC++ and a key to sign homebrew for execution from DVD+R needs to be expensive. Lots of devs creating quality homebrew… Lots of new cool things to download from Live. It could make MS as happy as it would make us.
Xboxic: Do you have any other hacking projects running related to the 360 or do you consider your job with this machine done now you’ve proven that the “CIA-level security” wasn’t all that much?
Robinsod: No, when this is done I might well sell my 360 and do something else. Get a girlfriend possibly? Chicks love nerds.
Xboxic: Can I quote you on that so one of our interested female readers could pay you a visit on XBH forums?
Robinsod: As long as ‘she’ doesn’t turn out to be a 47 year old male management consultant or something.
Xboxic: Got anything else you want to add that we didn’t specifically ask about?
Robinsod: Unfortunately, there is a good chance some malicious **** will put together a ‘brickware’ package, just like they did for the PSP, and using it will erase the unique key in your drive and destroy your 360. This is also one of the reasons I am probably not continuing work on the hack. Apart from that I think I’m done.
Xboxic: Thank you very much for your time.