| HN Mirror

Y	Hacker News new \| ask \| show \| jobs

by spencerflem 541 days ago

Found it! I misremembered, it was making a slightly different claim

"The Xbox 360 hypervisor is probably the most secure piece of code Microsoft has ever written." from the excellent article Tony Hawk's Pro Strcpy

https://icode4.coffee/?p=954

1 comments

landr0id 541 days ago

The Xbox 360 was overall a very, very secure device. While we don't know exactly how the folks who discovered the hypervisor syscall handler bug were able to get plaintext, it's theorized that it came from development kit and SDK leaks. With an SDK and dev kit someone could dump boot loaders and the HV.

Otherwise on a retail console you can't do much. The hard drives are not encrypted but all content that can possibly contain code / save data is signed. Save data cannot contain code but introduces scripting engine / save parsing attack surface, but you can't modify it without first dumping keys from a retail console.

To dump keys from a retail console you have to get code exec in the hypervisor. To attack the hypervisor you have be able to dump the hypervisor to audit it.

To dump the hypervisor you have to be able to read its contents or dump it from flash. The flash is encrypted with a per-console key (and I don't think you can sniff the bus?) and RAM is encrypted.

Realistically if it weren't for the original syscall handler bug and dev kits getting into researcher's hands, the Xbox 360 may have never been hacked.

link

markus_zhang 541 days ago

Stupid question, is the reason that people cannot simply dump the ROM as they do with say routers is that the rom is encrypted? But if they have the SDK they can decrypt it?

link

landr0id 540 days ago

The flash chip is encrypted with the console's CPU key, and the CPU key is unique per-console and encoded in efuses. So even if one person manages to dump keys they're mostly useless for hacking other consoles. The exception to this is the "keyvault" which is the console's own private key used for signing save games. You can take save games from console A and load them on console B, so console B is able to verify console A's signature based off the public key certificate embedded in the save. Microsoft had a revocation process for revoking keyvaults if they ever leaked but they just gave up once too many were in the wild.

Dev kits are keyed differently and most of the console's keys for signing / encryption are in various SDK DLLs that if you reverse engineer you can find.

link

markus_zhang 540 days ago

Thanks, MS did take a lot of efforts on the security. Searching for X360 keyvault gives a lot of webpages. I'll read a bit.

link

landr0id 540 days ago

https://free60.org/ probably has all the information you need.

link

markus_zhang 539 days ago

Thank you! Now I need to buy a used XBox 360...

link