Xlife.nl Interview with TheSpecialist
>> Dutch website xlife.nl posted a new interview with TheSpecialist - mostly known for his work on the DVD FW hack and the HDDHackr tool.
Here's a quick translation I made (sorry if there are any mistakes):
* To start with, you'll find a quote from TheSpecialist explaining some details of the Xbox 360 security:
* TheSpecialist: All executables on the Xbox360 have a signature. This signature is checked by the hypervisor. If we can modify the hypervisor, we can run homebrew.
However, the hypervisor is also signed.
The boot sequence is as follows. The first thing that happens when you power on the Xbox360 is loading the bootloader (=1bl). This is a very small file, because it's extremely expensive to store large files on the CPU. So the bootloader doesn't do much more than load a second (bigger) bootloader (2bl). This one is found on the Xbox360 flash (which you can decrypt/dump with our tool). This 2bl also has a signature, which is checked by the first bootloader (1bl) located in the CPU ROM. The 2bl will then start a sequence to put together the kernel (from the 'base' kernel (1888) and the patches) and the hypervisor. Once done, it starts both the kernel and the hypervisor.
So if you want to run unsigned code, you would have to get around the 1bl. Then you could install your own bootloader that does not check the signature of the 2bl, and then you patch the 2bl so it doesn't check the signature of the kernel/hypervisor, which would allow you to patch those to remove all signature checks on executables. Basically it's a chain of signature checks: 1bl checks the signature of 2bl, 2bl checks the signature of the kernel and hypervisor, and the hypervisor checks the signature of executables. So if you can break the start of the chain, you can change all the rest as you like.
But getting around the 1bl is not easy, as it's located in the CPU ... but nothing is impossible.
* Xlife.nl: The DVD Firmware hack has been out for more than a year now; tell us what happened and what you have been up to since then.
* TheSpecialist: After the disclosure of the DVD FW hack I didn't do any hacking for a few months. Once you start such a project you really put lots of time into it, and it's often hard to stop, certainly if you are constantly making progress. It's a bit like watching series like '24' or 'Lost': if you have all the episodes it can be very hard to stop, because you just want to know what happens next. It's just the same with hacking: you keep progressing and it's hard to take a moment's rest. So when the DVD FW hacking was done, I thought it was time to do 'nothing' for a while.
But after some time it started to itch again, and then I started working on the HDD, resulting in 'HDDHackr'. Just after I released that, the 'Hypervisor Exploit' got released, which opened tons of new possibilities. Then we started researching the flash encryption, which resulted in the release of the 'Flash Dump' tool that allows you to decrypt the whole flash NAND, dump the kernel and keyvault, and the latest version even allows you to downgrade your kernel IF you know your CPU key.
Now that these tools work great, we started working on a new tool that allows you to unpack and decrypt XEX files. That tool got finished in the meantime too, and we can finally decrypt and analyze ALL code found on the Xbox360. However, that's a HUGE job. So we are now working on new tools to make analyzing all this code a bit easier, for example by recognizing and labeling standard functions in the code and stuff like that.
* Xlife.nl: So you managed to dump the Xbox 360 kernel. On the DVD FW hack you worked with 6 other hackers; how many people are you working with on this new project?
* TheSpecialist: I work a lot with Robinsod of XBH. But of course we also talk a lot with other hackers like tmbinc, who found the hypervisor exploit. And there are of course also lots of discussions on XBH.
* Xlife.nl: What do you think of the security Microsoft implemented to protect their kernel?
* TheSpecialist: Very good! Microsoft has often been in the news about the lack of security in Windows, but I can only have respect for the security of their Xbox360. The Xbox360 was announced as the most secure console ever. Of course they made a huge mistake on the security of the DVD FW, but the security in the core is really, really good.
The idea of the hypervisor, and certainly the fuses, is simply genius. Putting the boot ROM in the CPU was also a really good idea. All communication is encrypted, as it should be. Even now that we can dump and decrypt all program code and nothing is really 'secret' anymore, we still can't run unsigned code on the new kernels. I think that says a lot.
On the other hand, there's now a huge amount of program code we can analyze. That will just take a lot of time. With the release of the newest info and tools, I think it won't take long until a new hack comes out.
* Xlife.nl: You told me that while decrypting the 4552 kernel you found stuff related to DVD FW detection/bans. Is this protection any good? Or does it look better than it really is?
* TheSpecialist: I didn't do any direct research on that; since the disclosure of the DVD FW hack I haven't done any research on it, and I also don't plan to in the future. The biggest goal of the DVD FW hack was to help find a way to run unsigned code, which also happened. Without the DVD FW hack there would still be no way to run unsigned code on the exploitable kernels.
However, I did notice a few things while analyzing the kernel, like the clear-text names and types of the DVD drives, which weren't found in older kernels. It's obviously used to recognize the type of DVD drive connected to your Xbox360. But like I said earlier, I'm mostly working on finding a way to run unsigned code now.
* Xlife.nl: Now that we are talking about bans, what's your opinion on the subject?
* TheSpecialist: It's of course not fun for end users that they can be or have been banned. But you have to look at this from both points of view. I'm pretty sure Microsoft has been thinking about a way to motivate people not to play backups. Sony did the same and was recently in the news saying they want to hit users with hacked PS3s hard, with lawsuits and more. I can imagine what they want to achieve, but if you look at it this way I think Microsoft is doing it in a 'friendlier' way, and thus I have more respect for the way Microsoft is handling it than for how Sony wants to do it. And of course ... the Xbox 360 is way better than that stupid PS3, haha
* Xlife.nl: Did Microsoft ever try to contact you after the DVD FW release?
* TheSpecialist: No
* Xlife.nl: If you manage to hack the kernel (and I have full faith you will) and get total control over the console, will it get distributed like the DVD FW hack, or will it only be announced?
* TheSpecialist: If someone is trying to force the front door of your house, you can call the cops. I think there will be only a few people who won't do this, regardless of whether the person actually manages to get into your house. Microsoft could have chosen such a strategy too and sent their lawyers after the hackers. Regardless of whether that actually leads to any result, these types of lawyers can destroy you.
Luckily they never did that (unlike Sony, who are currently threatening lawsuits over PS3 hacks). Instead, after the hypervisor exploit they even invited tmbinc and Bunnie to come and talk about the hack. There was a lot of criticism from 'the scene' about this, but I think it was very 'clean', and I have a lot of respect for the way Microsoft currently handles hackers. I think people should not forget that if Microsoft started threatening lawsuits, many hackers might give up and there might be no new hacks at all.
So in the end I'm very happy with this strategy. As a 'counter-payment' I think it's only normal that the hacking scene plays it 'clean' too and talks with Microsoft before releasing a new hack. On the other hand, by now everyone knows that they have to remove the R6T3 resistor [which prevents MS from blowing new fuses during kernel upgrades], and I think everyone with any interest in running unsigned code has already done this. So in that respect I don't think it will make a lot of difference for the end users, and they will still be able to enjoy the hack.
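The chain of signature checks TheSpecialist describes at the start of the interview (1bl checks 2bl, 2bl checks kernel/hypervisor, hypervisor checks executables, and breaking the root of the chain frees everything above it) is modelled below as an added Python example. It is not code from the interview, from the Xbox 360, or from any of the tools mentioned. The stage names, image contents and the tiny textbook-RSA key pair are constructed assumptions chosen so the block runs offline; the console's real keys, image formats and signature scheme are not represented. The point it demonstrates is the asymmetry: every boot stage holds only the public half of the key, so an attacker who patches a stage cannot re-sign it and is rejected by the stage below, unless the check at the root (1bl) is itself bypassed.

```python
"""Toy model of a signed boot chain: 1BL (CPU ROM) -> 2BL (flash) -> HV+kernel -> XEX.

Constructed example. The RSA modulus is deliberately tiny (about 60 bits) and
is NOT a real key; it exists only so the signature math runs stand-alone.
"""
from __future__ import annotations

import hashlib
from dataclasses import dataclass

# Toy RSA key pair (assumption: small primes, insecure, illustration only).
P = 1_000_000_007
Q = 998_244_353
N = P * Q
E = 65537                                # public exponent, baked into every boot stage
D = pow(E, -1, (P - 1) * (Q - 1))        # private exponent, held only by the "vendor"


def digest(image: bytes) -> int:
    """SHA-256 of an image, reduced mod N so it fits the toy modulus."""
    return int.from_bytes(hashlib.sha256(image).digest(), "big") % N


def vendor_sign(image: bytes) -> int:
    """Build-time step: needs D, which no boot stage ever contains."""
    return pow(digest(image), D, N)


def verify(image: bytes, signature: int) -> bool:
    """Boot-time step: public-key check only, needs just E and N."""
    return pow(signature, E, N) == digest(image)


@dataclass
class Stage:
    name: str
    image: bytes
    signature: int
    checks_next: bool = True    # does this stage's code still verify its successor?


def boot(chain: list[Stage]) -> list[str]:
    """Run the chain in order. The first stage (1BL in CPU ROM) is trusted
    implicitly; each later stage runs only if its predecessor still performs
    the check and the signature verifies. Returns the stages that executed."""
    ran = [chain[0].name]
    for prev, nxt in zip(chain, chain[1:]):
        if prev.checks_next and not verify(nxt.image, nxt.signature):
            break                       # signature mismatch: halt the boot here
        ran.append(nxt.name)
    return ran


def genuine_chain() -> list[Stage]:
    """All four stages carry vendor signatures (constructed image contents)."""
    images = {
        "1BL": b"cpu-rom bootloader: verify 2BL",
        "2BL": b"flash bootloader: assemble kernel+hypervisor, verify them",
        "HV+kernel": b"hypervisor: verify every executable",
        "XEX": b"signed game executable",
    }
    return [Stage(name, img, vendor_sign(img)) for name, img in images.items()]


def tamper(chain: list[Stage], name: str, new_code: bytes) -> list[Stage]:
    """Replace one stage with attacker code. Without D the attacker cannot
    produce a valid signature, so the old one is kept; the patched code is
    assumed to have had its own downstream check removed."""
    return [
        Stage(s.name, new_code, s.signature, checks_next=False) if s.name == name else s
        for s in chain
    ]


def bypass_root(chain: list[Stage]) -> list[Stage]:
    """Hypothetical: the attacker gets around 1BL itself. Nothing below the
    root verifies anything any more, so every later stage can be unsigned."""
    root = Stage("1BL", b"attacker bootloader", 0, checks_next=False)
    rest = [Stage(s.name, b"unsigned " + s.image, 0, checks_next=False) for s in chain[1:]]
    return [root] + rest


if __name__ == "__main__":
    print("genuine:        ", boot(genuine_chain()))
    print("unsigned XEX:   ", boot(tamper(genuine_chain(), "XEX", b"homebrew")))
    print("patched HV:     ", boot(tamper(genuine_chain(), "HV+kernel", b"no checks")))
    print("patched 2BL:    ", boot(tamper(genuine_chain(), "2BL", b"no checks")))
    print("1BL bypassed:   ", boot(bypass_root(genuine_chain())))
```

Patching any single stage above the root gets the boot halted by the stage below it; only removing the root check lets the whole modified chain run, which is exactly why the interview says breaking the 1bl would be enough and why it is hard. Real implementations also need the things this toy leaves out (padding such as PSS, a full-size modulus, and an anti-rollback value such as the fuses mentioned later in the interview), none of which this model attempts.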
Discuss this news item on our forums: forums.xbox-scene.com