Wally
Retired Admin
- Joined
- 19 Ιαν 2006
- Μηνύματα
- 25.801
- Αντιδράσεις
- 4.315
Ειναι η συνεντευξη του Specialist,του πρωτου που "χακεψε" το 360
Μεγαλο αλλα οσοι γουσταρουν tech-talk θα τους αρεσει...
Μεγαλο αλλα οσοι γουσταρουν tech-talk θα τους αρεσει...
* Xlife.nl:To start with you'll find a quote from TheSpecialist explaining some details of the Xbox 360 security* TheSpecialist: All executables on the Xbo60 have a signature. This signature is checked by the hypervisor. If we can modify the hypervisor, we can run homebrew.
However the hypervisor is also signed.
The bootsequence is as follow. The first thing that will happen when you power on the Xbo
So if you want to run unsigned code you should be able to get around the 1bl. Then you could install your own bootloader that will not check the signature of the 2bl and then you patch the 2bl so it doesn't check the signature of the kernel/hypervisor which would allow you to patch this to remove all checks on signature of executables. Basically it's a chain of signature checks: 1bl checks signature of 2bl, 2bl checks signature of kernel and hypervisor and hypervisor checks the signature of executables. So if you can break the start of the chain, you can change all the rest like you want.
But to get around the 1bl is not easy as it's located on the CPU ... but nothing is impossible.
* Xlife.nl: The DVD Firmware hack has been out for more than 1 year now, tell us what happened and what you have been up to since then.
* TheSpecialist: After the disclosure of the DVD FW hack I didn't do any hacking for a few months. Once you start with which a project you really put lots of time in it and it's often hard to stop certainly if you are constantly making progress. It's a bit like watching series like '24' or 'Lost': if you have all episodes it can be very hard to stop because you just want to know what happens next. It's just the same with hacking, you keep progressing and it's hard to take a minute of rest. Thus when the DVD FW hacking was done, I think it was time to do 'nothing' for a while.
But after some time it started to itch again and then I started working on the HDD resulting in 'HDDHackr'. Just after I released that the 'Hypervisor Exploit' got released which opened tons of new possibilities. Then we started researching the flash encryption which resulted in the release of the 'Flash Dump' tool that allows you to decrypt the whole Flash NAND, dump the kernel and keyvault and the latest version even allows you to downgrade your kernel IF you know your CPU key.
Now that these tools start to work great, we started working on a new tool that will allow you to unpack and decrypt XEX files. That tool got finished too in meantime and we can finally decrypt and analyze ALL code found on the Xbo
* Xlife.nl: So you managed to dump the Xbox 360 kernel. On the DVD FW hack you worked with 6 other hackers, how many people are you working with on this new project?
* TheSpecialist: I work a lot with Robinsod of XBH. But we of course also talk a lot with with other hackers like tmbinc, who found the hypervisor exploit. And there are of course also lots of discussions on XBH.
* Xlife.nl: What do you think of the security Microsoft implemented to protect their kernel?
* TheSpecialist: Very good! Microsoft has often been in the news about the lack of security in Windows, but I can only have respect for the security on their Xbo
The idea of the hypervisor and certainly the fuses is simply genius. Putting the bootrom in the CPU was also a real good idea. All communication is encrypted as it should be. Even now we can dump and decrypt all program code and nothing is really 'secret' anymore we still can't run unsigned code on the new kernels. I think that says a lot.
On the other side there's now a huge amount of program code we can analyze. That will just take a lot of time. With the release of the newest info and tools I think it won't take so long until a new hack comes out.
* Xlife.nl: You told me that while decrypting the 4552 kernel you found stuff related to DVD FW detection/bans. Is this protection any good? Or does it look better than it really is?
* TheSpecialist: I didn't do any direct research on that, since the disclosure of the DVD FW hack I didn't do any research on it and I also don't plan to do this in the future. The biggest goal of the DVD FW hack was to help find a way to run unsigned code, which also happened. Without the DVD FW hack there would still be no way to run unsigned code on the exploitable kernels.
However I did notice a few things while analyzing the kernel, like the clear text names and types of the DVD drives which weren't found in older kernels. It's obviously used to recognize the type of DVD drive connected with your Xbo
* Xlife.nl: Now that we are talking about bans, what's your opinion on the subject?
* TheSpecialist: It's of course not fun for end-users that they can or have been banned. But you have to look at this from the 2 point of views. I'm pretty sure Microsoft has been thinking about a way to motivate people not to play backups. Sony did the same and recently came in the news saying they want to hit hard on users with hacked PS3s, with lawsuits and more. I can imagine what they want to achieve, but if you look at it this way I think Microsoft is doing it in a 'friendlier' way, and thus I have more respect for the way Microsoft is handling it than how Sony wants to do it. And of course ... the Xbox 360 is way better than that stupid PS3, haha
* Xlife.nl: Did Microsoft ever try to contact you after the DVD FW release?
* TheSpecialist: No
* Xlife.nl: If you manage to hack the kernel (and I have full faith you will) and get total control over the console, will it get distributed like the DVD FW hack, or with it only be announced?
* TheSpecialist: If someone is trying to force the front door of your house, you can call the cops. I think there will only be few people that won't do this, no matter if the person actually manages to get in your house. Microsoft could have chosen for such a strategy too and send their lawyers against the hackers. No matter if that actually leads to any result, these type of lawyers can destroy you.
Luckily they never did that (unlike Sony who's currently threatening with lawsuits for PS3 hacks). Instead they even invited tmbinc and Bunnie after the hypervisor exploit to come to them to talk about the hack. There was lots of criticisms from 'the scene' about this, but I think it was very 'clean' and I have a lot of respect with the way Microsoft currently handles hackers. I think people should not forget that if Microsoft would start threatening with lawsuits many hackers might give up and there might be no new hacks at all.
So in the end I'm very happy with this strategy. As 'counter-payment' I think it's only normal that the hacking scene plays it 'clean' too and talks with Microsoft before releasing a new hack. On the other side, by now everyone knows that they have to remove the R6T3 resistor [which prevents MS from blowing new fuses during kernel upgrades] and I think that everyone that has any interest in running unsigned code already did this. So concerning that I don't think it will make a lot of difference for the end-users and they will still be able to enjoy the hack.
