A group of independent programmers says it has managed to crack a new security system in Microsoft's Xbox gaming console, less than a month after the reconfigured consoles hit the market. Breaking the new system took less than a week, the hackers said.
Using a complicated method for analysing the new configuration, along with some unexpected help from Microsoft, the hackers said on Saturday that they are now able to run their own software -- including the Linux operating system -- on the newer consoles.
Microsoft said it reconfigured the hardware in order to cut down manufacturing costs, but it also changed the way security was implemented at the same time. The newer units, which began to arrive on store shelves about three weeks ago, made obsolete the 'mod chips' used to run unauthorised software on the Xbox.
Some mod chips can be reprogrammed, however, and will be able to take advantage of the new hack to regain control of the console. Hackers also say that, with the right equipment, the system's Flash memory can be reprogrammed to allow the console to run non-Microsoft software, without the need for hardware modifications.
The Xbox hackers said that their success was founded on a known weakness in the security system that Microsoft uses in the reconfigured consoles, which have been unofficially dubbed Xbox v1.1. The console contains a Flash memory chip which contains, in an encrypted "kernel", the Xbox's BIOS (basic input-output system) -- instructions governing basic functions such as interacting with a television and controlling the machine's hardware. This kernel is launched by an unmodifiable ROM (read-only memory) chip called the MCPX, which is made by Nvidia, the company that also makes the machine's graphics processor.
After using a complicated trick to analyse the contents of the MCPX ROM, and decoding the encrypted kernel, the hackers discovered that the new hardware uses a complex encryption method to ensure the validity of the Flash memory contents before executing them.
According to Andy Green, a UK-based programmer who was part of the effort, the Flash memory is signed with a cryptographic hash -- a method of summarising a large amount of data with a short random sequence that is very sensitive to any changes in the original.
However, there is a known weakness in the algorithm used to create the Xbox's hash, an algorithm called TEA. "In every group of 64 bits, it cannot detect a change when the 32nd and 64th bit both change together," explained Green.
The Xbox Linux group that Green works with, along with a group working for the mod chip company Xecuter, both managed to exploit this weakness to gain control of the machine. "It turned out that flipping the 32nd and 64th bit of the very first 64-bit block of the protected area caused the Xbox to begin executing from RAM (random-access memory)," Green said. It was then a simple matter of embedding a command in RAM that allowed the user to control the machine.
Green said that it took him less than a week to pull off the successful hack.
Green said he expects Microsoft to begin using a still more sophisticated security system in the next revision of the Xbox, which will probably require more expensive and difficult methods of hacking. With the current model, "we were frankly lucky" that Microsoft chose the buggy TEA algorithm, Green said.
Green and other Xbox hackers have noted that the methods Microsoft is using to secure the Xbox appear to be a warm-up for a longer-term project called "Palladium" to embed copy protection into the hardware and software of future PCs. This would theoretically make it impossible to, for example, copy CDs and digital videos on a PC without authorisation.
The Xbox v1.1 configuration is "a new concept in secure code that we will soon be seeing everwhere, as it is the method used in Palladium," Green said.