Saturday, August 25, 2007

Xbox 360 security partially broken again


Hackers will not stop hacking the 360 until it is open to everyone; it is an ongoing cat-and-mouse game between Microsoft and the hackers. This time the hackers succeeded in downgrading the dashboard version. By downgrading the dashboard it is possible again to go back to the exploitable dashboard that was fixed last February.
The hack is really technical, and because of that we won’t go into it in too much detail. Every bit in the Xbox 360 is secured with a key, which is unique for every Xbox 360. Hackers had already found a way to extract that key with the old exploitable dashboard, but the main problem was that Microsoft patched this leak before it was made public. The following quote from arnezami explains the hack:
It would be foolish to try to break SHA1-HMAC (ed: the core security hash key). However the output of a hash usually has to be checked against something that is stored. That’s usually the point of it. This takes (a tiny bit of) time. The thing is many memcmp (ed: data comparison) functions use a byte-wise compare: “as long as no difference in the current byte is detected go to the next byte, but if this byte is different stop”. In other words: it might take (a fraction of a second) longer if the output is similar at the beginning (to the stored value) as opposed to completely different 16-byte values. If it is possible to measure this time difference you could change the first stored byte (up to 256 times) until it takes this fraction longer for the Xbox360 to detect the (16 byte) values are not entirely the same. And you can go on with this until all bytes have been figured out this way.
In other words: when the Xbox boots up the dashboard, the uber SHA1-HMAC key from Microsoft is used for decrypting the kernel for the Xbox360 dashboard. A hash is computed from the SHA1-HMAC key and the kernel to check that the data is still intact. The hash check compares bytes between the CPU key and the SHA1-HMAC key, and Microsoft used memcmp to compare those bytes. When memcmp compares the bytes and the stored value is wrong, it takes a few milliseconds longer to continue depending on where the first incorrect byte is. This way it is possible to try out all the different combinations one byte at a time. That is 256 different combinations for each byte, so 256 combinations times 16 bytes, reducing the possible values that need to be checked from 2 to the power 128 (a number with over 40 digits) possibilities to about 4000 worst case. After the key has been extracted, it is possible to sign an old dashboard update with the extracted values, and this way it is possible to downgrade to an older dashboard.
It’s important to note that the Xbox 360 core security is still intact, so for example it’s still not possible to boot up copied games from the hard drive. The only interesting part about this hack is that they found a way to downgrade again to the old vulnerable dashboard, allowing them to explore other ways to get in control more structurally. The Xbox 360 hackers still have a long way to go to get the same functionality found in hacked Xbox 1s. Microsoft will probably publish a patch in the coming weeks to fix this security issue; until then we’ve got approximately 10 million vulnerable Xbox 360s in the world.
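As an added illustration of the point arnezami and the paragraph above make (this is not code from the post, from arnezami, or from the console), the Python below models the two ways a 16-byte HMAC tag can be checked. The early-exit compare mirrors a byte-wise memcmp and reports how many bytes it examined, which is the quantity that shows up as the timing difference; the hardened compare looks at every byte regardless of where the first mismatch is, and the real verification path uses the standard library’s `hmac.compare_digest`. The key and payload are constructed sample values, and the 16-byte truncation is an assumption taken from the post’s description.

```python
import hashlib
import hmac

# Constructed sample values; nothing here comes from an actual console.
KEY = b"constructed-sample-key-bytes"
PAYLOAD = b"constructed kernel image bytes for the demo"
TAG_LEN = 16  # the post talks about 16-byte values; assumed here


def compute_tag(key: bytes, data: bytes) -> bytes:
    """HMAC-SHA1 over the data, truncated to TAG_LEN bytes."""
    return hmac.new(key, data, hashlib.sha1).digest()[:TAG_LEN]


def leaky_compare(stored: bytes, candidate: bytes) -> tuple[bool, int]:
    """Byte-wise compare with early exit, like the memcmp the post describes.

    Returns (equal, bytes_examined). bytes_examined grows with the length of
    the matching prefix, which is exactly the signal that leaks over timing.
    """
    if len(stored) != len(candidate):
        return False, 0
    examined = 0
    for a, b in zip(stored, candidate):
        examined += 1
        if a != b:
            return False, examined  # stops at the first differing byte
    return True, examined


def constant_time_compare(stored: bytes, candidate: bytes) -> tuple[bool, int]:
    """Accumulate the XOR of every byte pair; the work never depends on data."""
    if len(stored) != len(candidate):
        return False, 0
    diff = 0
    for a, b in zip(stored, candidate):
        diff |= a ^ b  # no early exit; every byte is always touched
    return diff == 0, len(stored)


def prefix_leak(compare, stored: bytes, matching_prefix: int) -> int:
    """Measure the side channel for a wrong candidate that shares
    `matching_prefix` leading bytes with `stored` (0 <= matching_prefix < len)."""
    candidate = bytearray(stored)
    candidate[matching_prefix] ^= 0xFF  # guarantee a mismatch at that position
    _, examined = compare(stored, bytes(candidate))
    return examined


def verify_tag(key: bytes, data: bytes, presented_tag: bytes) -> bool:
    """Hardened verification: recompute and compare in constant time."""
    expected = compute_tag(key, data)
    return hmac.compare_digest(expected, presented_tag)


if __name__ == "__main__":
    tag = compute_tag(KEY, PAYLOAD)
    for prefix in (0, 5, 15):
        print(prefix, "matching bytes ->",
              "leaky examined", prefix_leak(leaky_compare, tag, prefix),
              "| constant-time examined", prefix_leak(constant_time_compare, tag, prefix))
    print("verify genuine tag:", verify_tag(KEY, PAYLOAD, tag))
    print("verify tampered data:", verify_tag(KEY, PAYLOAD + b"!", tag))
```

Running the script shows the leaky comparator examining 1, 6 and 16 bytes for candidates that match 0, 5 and 15 leading bytes, while the constant-time version always examines all 16; a verifier whose cost is independent of the matching prefix gives the measurement described above nothing to work with. Real hardware timing is noisy, so the examined-byte count stands in for the “fraction of a second” the post refers to.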