Xbox Linux Made Possible Without a Modchip 996
An anonymous reader writes "Free-X have released an exploit for the Xbox that will let you get Linux on the machine without any hardware mods at all... Microsoft is already threatening them with legal action. Here's the Free-X statement. Free-X say they had been trying to contact MS for a month but were ignored, which is why they've released the exploit. Should be interesting to watch this one."
Full text of article in case of /. effect (Score:2, Informative)
Dear Public,
Today is a very sad day for Microsoft.
One month ago, we began an attempt to make contact with Microsoft. We did this because the first software-only mod-chip solution had been developed and proved working. This solution meant that there was no need to open the XBox anymore.
The modification only needs to be installed once, and all existing XBox consoles can be modified to use this exploit; only new consoles with updated firmware could lock it out.
After discovering this exploit a Team was formed known as the "Free-X (box)" team.
Members of this team have made many attempts to initiate discussions with Microsoft by various means including:
1. Contacting certified XBox game developers requesting that they contact Microsoft to facilitate discussions about our discoveries.
2. Contacting major web-based news sources requesting that they contact Microsoft on our behalf.
3. Direct contact with various Microsoft departments globally.
4. Direct contact with Authorised XBox distributors globally.
Since our attempts to contact Microsoft became public knowledge, our team has been accused of attempting to extort or blackmail Microsoft. This is not true, as we have made every attempt possible to make contact with Microsoft to offer the following:
- A complete summary of all hacking technologies (many of these technologies have not been released).
- Source Codes.
- All attacks which have been developed but not yet released.
- To sign a Non-disclosure Agreement regarding our discoveries.
- Further research on exploits, which would be exclusive to Microsoft.
- Full names of all hackers involved upon agreement of legal protection from Microsoft.
- Assistance in the development of future security for the XBox by working with Microsoft.
For the exchange, we were requesting but not demanding the following:
- Complete access to all documentation (chipsets, video etc.) to assist in developing a better Linux for the XBox.
- A signed Linux loader.
- Protection from Microsoft or support if any organisation/government attempted to prosecute members of our team.
- Refunding of the costs incurred during the agreement period.
To prove our discoveries we offered to make available an exploited dashboard for Microsoft to validate our claims.
Our team was more than willing to co-operate with Microsoft and would have most likely accepted most of the terms of agreement coming from our discussions.
If Microsoft had agreed to sign Linux then it would have been possible to generate a signature for the Linux, which would only work on current XBox consoles and able to be stopped in future revisions. It would also be possible to prevent the illegal use of pirated software.
Our team was of the belief that our attempts to initiate discussions with Microsoft would have been welcomed.
Members of our team contacted Microsoft quickly, but then suddenly Microsoft ceased responding to our enquiries. Third parties contacting Microsoft on our behalf also proved to lead to a dead end. Is the giant Microsoft's reaction just incompetence, or intentional?
Following the public release of this request for communication on the ZDNet/CNet network, Microsoft promised a formal response and as yet we have not seen one.
Is it possible that Microsoft's lack of co-operation in this matter could be because they believe that:
1. Mod-chips are good for business as they increase the sales of the console hardware, and they see them as an important part of their business model.
2. The Exploit can be fixed in future software updates.
3. This is purely a hoax.
A team member called a Microsoft representative again (Mr. Thomas Kritsch of Austria) and offered a presentation.
This presentation was scheduled for 20th June, but Microsoft cancelled it on 19th June. During a phone discussion on this day Mr Kritsch a
Same as this exploit? (Score:2, Informative)
http://archives.neohapsis.com/archives/vulnwatc
This is also an exploit dealing with the X-Box dashboard.
This was initially posted in replies to another story in the gaming section by another AC.
XBOX Security
-= Security Advisory =-
Advisory: XBOX Dashboard local vulnerability
Release Date: 2003/07/04
Last Modified: 2003/07/04
Author: Stefan Esser [senopiracy.de]
Application: Microsoft XBOX Dashboard (up to today)
Severity: A vulnerability within the XBOX Dashboard allows one to totally compromise the security features of the XBOX.
Risk: Critical
Vendor Status: Vendor is not willing to talk about XBOX vulnerabilities.
Overview:
The XBOX Dashboard is what appears when you turn the XBOX on without a
disc in the DVD drive. It will let you adjust system settings, manage
your save games, play and rip audio CDs and configure your XBOX Live
account. It is the heart of the XBOX and its most vulnerable point,
because it lacks several security restrictions which are enforced on
games. This includes the lack of the reboot-on-eject-button "feature",
which is obligatory for all games.
The existence of an exploitable vulnerability within the dashboard could
totally compromise the XBOX security system. It will make the box
independent from Microsoft signed code and therefore this information is
released to the public now on the 4th of July 2003, the day of the XBOX
Independence.
They provide what they claim is working code to exploit the vulnerability.
Re:Why don't they fix the exploit? (Score:3, Informative)
At least this is my understanding (and yes the Live stuff does play around with the dir structure on the Xboxes I have seen.)
Re:what a "habibi exploit"? (Score:5, Informative)
This can be used, for example, to boot Linux, or flash the BIOS.
The reason that this didn't win Mike Robertson's 100 large is because you still need to rip the lid off the box and solder a pair of jumpers (or use conductive pen) in order to enable 'write' on the flash rom.
Re:You can already put linux on PS2.. so why not x (Score:2, Informative)
Re:Just wondering... (Score:5, Informative)
Integer Underflow: (Score:5, Informative)
Underflow is the same, but opposite, making it so you wrap from near zero to a very big number... You say the font size is 0x0003, and the X-Box subtracts 0x0004, and ends up thinking it needs to read in 0xffff more data from the font file...
Both just involved wrapping around the maximum/minimum values a variable can hold.
Re:After reading the articles... (Score:5, Informative)
Re:isn't this already possible? (Score:4, Informative)
The ability to write to the BIOS is a physical restriction which is very unlikely to ever be overcome without some solder. The components simply _can't_ write to the BIOS without the wired connection.
Re:What the.. ? (Score:4, Informative)
Three minor problems:
1) What the US calls a shrimp, Australians call a prawn.
2) Australians, on the whole, don't put prawns on a barbie. Barbies are Snaggers and Chop territory.
3) Nobody - and I mean Nobody - drinks Fosters. Seriously. An Australian psychopath wanting to perform torture wouldn't force his victim to drink Fosters.
So, the only role played by the phrase "Pass the Fosters, throw a shrimp on the barbie" is to identify an American who wants to sound Aw-stralian.
Russ %-)
Download this while you can. (Score:5, Informative)
You don't know when someone will lawyer their way into taking this thing offline. Make it as available as you can.
No DMCA in Austria (Score:5, Informative)
If the DMCA continues to be used to shut down what used to be considered fair use, we'll see more and more open source endeavors moving out of the US. Here's to fervently hoping the MPAA/RIAA doesn't manage to implement DMCA clones in all countries on this planet. They seem to be doing a pretty good job at it in Europe.
To prevent being sued (Score:3, Informative)
Re:After reading the articles... (Score:5, Informative)
It looks at the file. The first four bytes are how big the file is, including its own size. So if the file is 16 bytes long, that is 4 bytes of the header and 12 bytes of data. That first four bytes reads 16.
So the XBox reads in the first four bytes (16), takes 4 away and then knows to look for 12 more bytes (16-4).
Apparently it uses those first four bytes (16) to allocate the memory. It then takes 4 away from that value (4 from 16 is 12) and reads those bytes (next 12) into memory.
Well, if you feed it 0..3 instead of 16 in that example, you get an underflow. It sees those first 0..3, takes away 4, and gets a very large number (whatever the maximum is, assume 8^4). So it then writes large amounts of YOUR data to memory even when only 0..3 bytes are allocated (or it is smart and will only do 4). So now you have YOUR own code/data in memory that isn't for that file.
I think. Fuck if I really know.
-Eyston
Re:After reading the articles... (Score:5, Informative)
It's too bad they probably won't get the 100k. In order to get the files onto the Xbox, you need to use a prior exploit that DOES require something (007 save, swapping HDD, etc.)
Not at all. You do not need to make any modifications to the hardware to use the 007 hack. If you have a memory card with the savegame on it, then you can simply copy that to the HD and load the game. This boots linux with an ftp server. You do NOT need to open the box or solder the pins; you only need to do that if you want to flash the TSOP and effectively mod the bios. Once you use the 007 trick you have temporary ftp access to the box - you can ftp over and replace the font files. Now the box is as good as modded and no one will know the difference. In addition this is safer than flashing the TSOP because the BIOS is simply intercepted in hardware.
So in short - you can have a completely modded Xbox without ever opening the cover.
Re:Why don't they fix the exploit? (Score:3, Informative)
Of course, even beyond all that is the fact that every time you activate a connection to Xbox Live, it checks the XBL software and updates it if there have been any changes. It would be a trivial matter for them to use this feature to either incorporate a check to detect/disable the hack and /or implement a security fix to do the same even if the hack isn't already in use.
The moral of the story? Probably not a good idea to use Xbox Live if you intend on using this particular exploit.
The secondary moral? Microsoft really was thinking ahead when they decided to go with their own closed service for "all" (quotes added to acknowledge XBConnect, Gamespy Tunnel and the rest which use the system link functionality to get people hooked up over the net) online games.
Re:The linked article is confusing (Score:2, Informative)
Re:Download this while you can. (Score:4, Informative)
Re:What the.. ? (Score:3, Informative)
I agree with your sentiments about local Fosters; it's shite. VB is likewise shite, however; most of the people I know drink either Boags or Cascade, as it is plentiful and relatively cheap (3 bucks odd for a pot, about 5 for a stubbie, bar prices.)
Apparently export fosters is quite good. I'll have to go to america one day just to try it.
I've barbecued prawns before; the result is not worth the expense. I have no idea how prawns are meant to be cooked, but barbecuing 'em just made black, crispy, carcinogenic prawns that tasted like arse.
in case MS makes /. remove this (Score:5, Informative)
As seen before [slashdot.org], Microsoft does not like people who publish exploits. So I have made an off-US mirror [deck.dk] in a country where releasing exploits to the public is still legal [slashdot.org]...
Re:what a "habibi exploit"? (Score:1, Informative)
Geography anyone? (Score:4, Informative)
Austria [austria.gv.at]
Australia [australia.com]
Re:After reading the articles... (Score:5, Informative)
(f) Reverse Engineering. -
(1)
Notwithstanding the provisions of subsection (a)(1)(A), a person who has lawfully obtained the right to use a copy of a computer program may circumvent a technological measure that effectively controls access to a particular portion of that program for the sole purpose of identifying and analyzing those elements of the program that are necessary to achieve interoperability of an independently created computer program with other programs, and that have not previously been readily available to the person engaging in the circumvention, to the extent any such acts of identification and analysis do not constitute infringement under this title.
Re:what a "habibi exploit"? (Score:4, Informative)
INTEGER UNDERFLOW for dummies (Score:5, Informative)
Here's a completely non-technical explanation:
Think of it like a clock. The XBOX loads a number expecting it to be something like 10 minutes. It then subtracts 5 minutes and uses the number. But instead of giving it a number like 10 minutes, you give it a number like 2 minutes. Then when the XBOX subtracts 5 from 2 it gets an underflow. It doesn't know about negative numbers. So what it does is wrap around like a clock. If you look at the 2 minute mark on a clock, then count backwards 5 minutes, where do you end up? You end up 3 minutes before the 12. That's 11 hours and 57 minutes. So the XBOX thinks that 2 minus 5 equals 11 hours and 57 minutes.
So by giving the XBOX a smaller number than it expects, and letting the XBOX make the number even smaller, it underflows - wraps around - to a really big number. That really big number tells the XBOX to load a HUGE amount of information. More than it's supposed to load. That means you can feed the XBOX any program you want and the XBOX will suck it up and run it.
-
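The three explanations above (the 0x0003 minus 0x0004 example in the "Integer Underflow" comment, Eyston's 16-byte header walkthrough, and the clock analogy here) all describe the same thing: an unsigned subtraction that wraps to a huge value, which is then used as a copy length. The C below is an added illustration written for this page; it is not code from the Free-X release, from the advisory, or from any commenter. It assumes a constructed header format (a 4-byte little-endian total length that counts itself, followed by the payload), not the real Xbox font format, and uses 32-bit arithmetic as in Eyston's "first four bytes" description. It shows the naive length derivation beside a checked one that rejects a bad header before any memory is touched.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Assumed layout (constructed for this example, not the real Xbox font
 * format): a 4-byte little-endian total length that counts itself,
 * followed by (total - 4) bytes of payload. */
#define HDR_LEN 4u

/* Read the 4-byte little-endian length field. Caller guarantees buf_len >= 4. */
static uint32_t read_total_len(const uint8_t *buf) {
    return (uint32_t)buf[0]
         | (uint32_t)buf[1] << 8
         | (uint32_t)buf[2] << 16
         | (uint32_t)buf[3] << 24;
}

/* The pattern the thread describes: trust the header and subtract the
 * header size in unsigned arithmetic. When total < 4 the subtraction
 * wraps to a value near 2^32, so a loader that used this as a copy
 * length would try to read that many bytes into a buffer sized from the
 * tiny header value. This function only returns the derived length and
 * performs no copy. */
uint32_t naive_payload_len(const uint8_t *buf, size_t buf_len) {
    if (buf_len < HDR_LEN) return 0;
    return read_total_len(buf) - HDR_LEN;   /* wraps when total < 4 */
}

/* Hardened version: validate the field against the header size, the
 * bytes actually present, and a sane upper bound before any arithmetic.
 * Returns 0 and writes *out on success, -1 on a rejected header. */
int checked_payload_len(const uint8_t *buf, size_t buf_len,
                        uint32_t max_total, uint32_t *out) {
    if (buf_len < HDR_LEN) return -1;           /* no complete header */
    uint32_t total = read_total_len(buf);
    if (total < HDR_LEN) return -1;             /* would underflow */
    if (total > buf_len) return -1;             /* claims more than we have */
    if (total > max_total) return -1;           /* unreasonably large */
    *out = total - HDR_LEN;                     /* now provably in range */
    return 0;
}

/* Convenience wrapper returning the payload length, or -1 if rejected. */
long long checked_payload_len_or_neg(const uint8_t *buf, size_t buf_len,
                                     uint32_t max_total) {
    uint32_t n = 0;
    return checked_payload_len(buf, buf_len, max_total, &n) == 0 ? (long long)n : -1;
}

int main(void) {
    /* Constructed sample: header says 16, then 12 payload bytes. */
    uint8_t good[16] = {0x10, 0, 0, 0, 'f','o','n','t','-','d','a','t','a','.','.','.'};
    /* Constructed sample: header says 3, smaller than the header itself. */
    uint8_t bad[16]  = {0x03, 0, 0, 0, 'f','o','n','t','-','d','a','t','a','.','.','.'};
    uint32_t max_total = 1u << 20;   /* assumed sane upper bound: 1 MiB */

    printf("good: naive=%u checked=%lld\n",
           naive_payload_len(good, sizeof good),
           checked_payload_len_or_neg(good, sizeof good, max_total));
    printf("bad:  naive=%u (wrapped) checked=%lld (rejected)\n",
           naive_payload_len(bad, sizeof bad),
           checked_payload_len_or_neg(bad, sizeof bad, max_total));
    return 0;
}
```

The order of the checks matters: the comparison against HDR_LEN has to happen before the subtraction, because once the wrap has occurred the result looks like an ordinary (if enormous) unsigned number and no later test on it can tell it apart from a genuinely large file. Comparing the claimed total against the bytes actually read also closes the related case where the header is sane but simply lies about the file size.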
Re:Wilkins' "universal" language is English? (Score:2, Informative)
Re:Full text of article in case of /. effect (Score:2, Informative)
full-disclosure [scrubbybubbles.com]
zdnet [scrubbybubbles.com]
statement [scrubbybubbles.com]
Be kind. Rewind.
Laren
Re:Integer Underflow: (Score:3, Informative)
Re:After reading the articles... (Score:5, Informative)
Re:Woops, too late (Score:4, Informative)
Microsoft is already doing this. One of the guys I used to work with in the security realm is now at Microsoft, checking for exploitable code & paths in Palladium. I expect he'll see this & prevent it in any Trusted system release.
"not negotiating with terrorists" (Score:5, Informative)
Re:honestly... (Score:4, Informative)
Re:And the floodgates open.. (Score:3, Informative)
The first hack allowed you to run unsigned code. You do this by loading a compromised save game in one of the vulnerable games ("007 Nightfire" or "MechAssault"). This requires a memory card which has been altered on a PC, or that you have removed the HDD of the XBox which you want to compromise. (Obviously the memory card is easier, but they cost a few bucks.)
In the compromised save game you put code you want to execute. In this case you could have it open an FTP server on the XBox. (This is the old hack.) After this you hook up the box to a PC and copy the files over using the FTP server. (This is the new hack.)
Now reboot and you have a compromised XBox. (The first hack would require you to redo the hack each time you wanted access to the "backdoor".)
Xbox-Linux Team confirms the exploit (Score:5, Informative)
Re:Woops, too late (Score:5, Informative)
They did not "blackmail", as the last Slashdot article ad-libbed in its summary, Microsoft but gave them every opportunity to cooperate in creating a signed Linux loader.
As well, the released code by Free-X does not allow you to pirate games. (Although by modifying their release and using their same technique it could be.)
As well, it must be remembered that there is no EULA for hardware; we are freely able to use hardware we bought any way we choose to. As well, people are legally able to reverse engineer the hardware, much the same way that other game consoles (NES, SNES, N64, PSX) were reverse engineered to create emulators like BLEEM.
P.S. Remember that it is likely the computer you are using now (IBM-CLONE) would not be here without the work of people reverse engineering the original IBM desktop computers.
now they respond (Score:2, Informative)
Periodically we hear people say they tried to contact Microsoft about a product or service vulnerability and that Microsoft didn't respond.
We are concerned that people may not know how to report security vulnerabilities to Microsoft.
The Microsoft Security Response Center investigates all reports of security vulnerabilities affecting Microsoft products. If you believe you have found a security vulnerability affecting a Microsoft product, we'd like to work with you to investigate it.
You can contact the Microsoft Security Response Center by emailing secure@microsoft.com directly, or you can submit your report via our web-based vulnerability reporting form located at https://www.microsoft.com/technet/treeview/defaul
Sincerely, Microsoft Security Response Center
IP in the EU rights charter (Score:2, Informative)
And even if you are convicted of some sort of made up IP crime, you can always take the matter to the European Court of Human Rights, which pretty much always finds for the individual, because the EU Convention on Human Rights is a very broad and generous document.
If the EU Convention on Human Rights is anything like the UN Universal Declaration of Human Rights [un.org], it includes something about copyright. Article 27 of the UDHR guarantees at least some semblance of copyright to adhering nations.
Article 17 of the Charter of Fundamental Rights of the European Union [eu.int] states bluntly: "Intellectual property shall be protected."
Broaden Your Horizons, People (Score:3, Informative)
The XBox isn't the only product with issues like this. Remember the EV-1 electric car? They wouldn't sell them to people, even though people wanted to buy them. They would only lease them, and they insisted on taking them back.
Remember when Ma Bell owned your phone?
Surely there are other examples of "lease only" hardware too.
The real question is "to what extent should lease-only hardware be permitted?", not "how do we stop this one company from releasing lease-only hardware?".
Personally, I think there should be no such thing as lease-only hardware at the consumer level. It probably makes more sense at the corporate level, like, if you're leasing a drilling rig or something.
OTOH, there are other less clear-cut cases. For example, is your credit card "hardware"? Not in the traditional sense, but the card is owned by the bank, and they can take it from you any time they like. How is that different from, for example... MS disabling your XBox remotely if you violate their TOS?
We could make lease-only illegal by default and carve out exceptions for things like credit card issuers. Or, we could make lease-only legal by default and carve out exceptions for companies like MS.
Actually, a more effective, and less ad-hoc reform might be to prohibit *any* legally declared monopoly from selling *any* product at a loss or under lease-only terms.
Re:Closed Platform as Mixed Blessing (Score:3, Informative)