Posted by crtasm 6 hours ago
The Xbox uses a very advanced variant of the same technologies that also exist on smartphones, tablets and Secure Boot enabled PCs. When fully operational the Xbox security system prevents any unsigned code from running, keeps all code encrypted, proves to remote servers (Xbox Live) that it's a genuine device running in a secure state, and on this base you can build strong anti-piracy checks and block cheating.
The Xbox has several processors and what follows applies to the Platform Security Processor. When a computer starts up (any computer), the CPU begins execution in a state in which basically nothing works, including external communication and even RAM. Executions starts at a 'reset vector' mapped to a boot ROM i.e. the bytes are hard-wired into the silicon itself and can't be changed. The boot ROM then executes instructions to progressively enable more and more hardware, including things like activating RAM. Until that point the whole CPU executes out of its cache lines and can't use more memory than exists on-die.
Getting to the state where the Xbox can achieve all its security goals thus requires it to boot through a series of chained steps which incrementally bring the hardware online, and each step must verify the integrity of the next. The boot ROM is only 19kb of code and a few more kb of data, and can't do much beyond just activating RAM, the memory mapping unit (called MPU on the Xbox), and reading some more code out of writeable flash RAM. The code it reads from flash RAM is the second stage bootloader where much more work gets done, but from this second stage on it can be patched remotely by Microsoft. So if bugs are found there or in any later stage, it hardly matters because MS can issue a software update and detect remotely on Xbox Live servers if that upgrade was applied, so kicking out cheaters and pirates. The second stage boot loader in turn loads more code from disk, signature checks and decrypts it, sets up lots of software security schemes like hypervisors and so on, all the way up to the OS and the games.
Therefore to break Xbox security permanently you have to attack the boot ROM, because that's the only part that can't be changed via a software update. It's the keys to the kingdom and this is what Markus attacked. Attacking the boot ROM is very, very hard. The Xbox team were highly competent:
• Normally the bringup code would be written by the CPU or BIOS vendors but MS wrote it all in house themselves from scratch.
• The code isn't public and has never leaked. To obtain it, someone had to decode it visually by looking at the chip under a scanning electron microscope and map the atomic pictures to bits and then to bytes.
• Having the code barely helps because there are no bugs in it whatsoever.
So, the only way to manipulate it is to actually screw with the internals of the CPU itself by "glitching", meaning tampering with the power supply to the chip at exactly the right moment to corrupt the state of the internal electronics. Glitching a processor has semi-random effects and you don't control what happens exactly, but sometimes you can get lucky and the CPU will skip instructions. By creating a device that reboots the machine over and over again, glitching each time, you can wait until one of those attempts gets lucky and makes a tiny mistake in the execution process.
Glitching attacks predate the Xbox and were mostly used on smartcards until the Xbox 360, which was successfully attacked this way. So Microsoft knew all about them and added many mitigations, beyond "just" writing bug free code:
1. The boot ROM is full of randomized loops that do nothing but which are designed to make it hard to know where in the program the CPU has got to. Glitching requires near perfect timing and this makes it harder.
2. They hardware-disabled the usual status readouts that can be used to know where the program got up to and debug the boot process.
3. They hash-chain execution to catch cases where steps were skipped, even though that's impossible according to program logic.
4. They effectively use a little 'kernel' and run parts of the boot sequence as 'user mode' programs, so that if sensitive parts of the code are glitched they are limited in how badly they can tamper with the boot process.
And apparently there are even more mitigations added post-2013. Markus managed to bypass these by chaining two glitch attacks together, one which skipped past the code that turned on the MMU, which made it possible to break out of one of the the usermode 'processes' (not really a process) and into the 'kernel', and one which then was able to corrupt the CPU state during a memcpy operation, allowing him to take control of the CPU as it was copying the next stage from flash RAM.
If you can take control of the boot ROM execution then you can proceed to decrypt the next stage, skip the signature checks and from there do whatever you want in ways that can't be detected remotely - however, the fact that you're using a 2013 Phat device still can be.
So, the only way to manipulate it is to actually screw with the internals of the CPU itself by "glitching", meaning tampering with the power supply to the chip at exactly the right moment to corrupt the state of the internal electronics. Glitching a processor has semi-random effects and you don't control what happens exactly, but sometimes you can get lucky and the CPU will skip instructions. By creating a device that reboots the machine over and over again, glitching each time, you can wait until one of those attempts gets lucky and makes a tiny mistake in the execution process.
Considering that the PSP is a small ARM processor that presumably takes up little die space, would it make sense for it to them employ TMR with three units in lockstep to detect these glitches? I really doubt that power supply tampering would cause the exact same effect in all three processors (especially if there are differences in their power circuitry to make this harder) and any disrepancies would be caught by the system.
Also I just thought of this but it should be possible to design a chip where the second processor runs a couple cycles behind the first one, with all the inputs and outputs stashed in fifos. This would basically make any power glitches affect the two CPUs differently and any disrepancies would be easily detected.
I was going to say I disagreed but the rest of your comment reminded me that I've accumulated a lot of domain-specific knowledge.
The hard work comes after this though. There are lots of software level mitigations MS could use to keep the old devices usable with Xbox Live if they really wanted to. Just because you can boot anything you want doesn't mean you can't be detected remotely, it just makes it harder for MS to do so reliably. You'd be in a constant game of catch-up.
https://github.com/exploits-forsale/collateral-damage
What's new here is that this compromises the entire system security giving access to the highest privilege level.
I didn't ask but Emma -- who wrote the kernel-mode exploit -- and I would probably agree that Collat is not really what we would consider a proper hack of the console since it didn't compromise HostOS. Neither of us really expected game plaintext to be accessible from SRA mode though.
I think it was tuxuser, Torus, and Billy(?) who accomplished that. Hopefully not forgetting anyone critical.
People in the know find it pretty offensive for Lander to continue to attack these systems or do so much as speak to anyone who is. They should work on remorse and seek forgiveness rather than repeating a variant of the same behavior that defined their past. Maybe learn from the other person involved who avoided ‘issues’ and went to the other side of this exact security equation.
I guess harassing War Thunder players is not compatible with that more respectable lifestyle or something.
I also enjoy their earlier HN posts. Especially the one about how the initial system compromise happened, where they pretend to speculate about how the HV dump happened/how it could have happened/how important it was when they know full well exactly who obtained and sold the internal prototype hardware that was used to extract that plain text.
They aren’t responsible for that, they weren’t involved in that, but they know.
For something like a game console, that’s annoying, for a phone or laptop, that’s highly desirable if something like a TPM bug is fixed, without efuses the system would forever be vulnerable.
Secure boot that can't be controlled by the user should be illegal, though. You should get some secret code along with a device, that allows you as the buyer to tamper with it. So much hardware out there can just serve as something else, or can be supported by people on a voluntary basis, sans the completely arbitrary lockdown of ability to install your own code to the device.
This talk about some of what went into it is fascinating: https://youtu.be/quLa6kzzra0
In many cases the truth is simply that its not worth the time/effort to hack it, so only the most dedicated perverts(with a positive connotation) keep trying.
Pedantic: I'm sure somebody would have snickered about "unsinkable" if the Titanic sank after 10 years. Pragmatic: if the "unsinkable" Titanic lasted 10 years (or at least to profitability) before being sunk by people intending to sink it, that might certainly count as being "unsinkable" for the time it hadn't sunk.
Hubris: Titanic was claimed to be unsinkable before it was launched.
Obviously nothing is ever unhackable, not even Fort Knox, given infinite time and resources, and Microsoft never made such claims, this is just media editorializing for clicks and HN eating the bait, but Xbox One was definitely the most unhackable console of its generation. Case in point, it took 13 years of constant community effort to hack a 499$ consumer device from 2013. PS4 and iPhones of 2013 have also been jailbroken long ago.
Therefore, even the click-bait statement with context in relative terms is 100% correct, it truly was unhackable during the time it was sold and relative to its peers of the time.
Literally unhackable? XD
Secondly, this is HN, not some generic town corner shop newspaper. It's assumed the readers who come here often and comment with no green profiles, have at least some basic technical know-how that nothing is ever unbackable, least of all a console from 2103, and therefore process information through that context lens, instead of feigning complete ignorance and arguing from the false pretext they gobbled up from editorialized titles created by slop journalists.
Can you attempt to quantify this effort in comparison to other game consoles? I'm not very familiar with the Xbox scene, but I would assume that there was a lot less drive to achieve this given that Xbox has never really had many big exclusive titles and remains the least popular major console (with an abysmally tiny market presence outside of the US).
As an aside, I wonder if Microsoft's extra effort into securing the platform comes from their tighter partnership with media distributors/streaming platforms and their off-and-on demonstrated desire to position the Xbox as a home media center more than just a gaming console.
The person who hacked the original Xbox wrote a book on the topic, which they've since made free: https://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf
TF are you on about? The xbox one of 2013(competitor of the PS4 who got hacked long before) had a ~46% market share in the US and ~35% globally. Hardly insignificant. And any Microsoft Product, even those with much lower market share, attracts significant attention from hackers since it's worth a lot in street-cred, plus the case of reusing cheap consoles as general PCs for compute since HW used to be subsidized. And of course for piracy, game preservation and homebrew reasons.
I again tap the sign of my previous comment, of uring people to stop jumping the gun to talk out of their ass, without knowing and considering the full context.
Eventually Fort Knox will succumb to the unrelenting arrow of time and some future visitors will simply step over the crumbling wall and into the supposedly "secure" area.
a) this was a security win. millions and millions of people had physical access to the device for over a decade
b) as others have said, security is not all-or-nothing. the xbox one is extremely secure, despite not being perfectly secure.
c) just because something eventually gets hacked does not mean security was pointless. delaying access is a perfectly reasonable security goal. delaying access until the product is retired and the successor is already out on the market is a huge win.
This console went completely unhacked for 12 years, with this coming a solid 4 years after the hardware was discontinued. They kept piracy off the console for its whole lifespan, which was the entire point of these security measures. This is a massive success for the Xbox security team.