Xbox 360 Kiosk Demo Spurs Hackers

Posted by Zonk
from the i-wish-i-had-that-kind-of-free-time dept.
An anonymous reader writes "Those hackers from team PI have released the Xbox 360 experience kiosk demo disc as an ISO. They say this demo contains no media protection and therefore it will run on the Xbox 360 when burned to a DVD-R disc. The disc contains playable demos such as Call of Duty 2, which could also be hackable, as PI speculates."
  • Not surprising... (Score:5, Insightful)

    by Ruff_ilb (769396) on Tuesday December 27, 2005 @04:26PM (#14347238) Homepage
    But -

    Won't we have demo disks released soon enough? I doubt OXM, among other publications, will pass up on making demo disks.

    Besides, can't demos and media be downloaded from Xbox Live as is? I didn't get my hands on a 360, but this is what I've heard.
    • Re:Not surprising... (Score:3, Informative)

      by pjh3000 (583652) *
      They're out now! The January 2006 issue of OXM has a demo disk that works on both the original Xbox and the new Xbox 360. Probably possible because they both use different file extensions for the default file.
    • Someone could modify the code on the demo executables themselves and get an exploit in that way. Any thoughts?
      • Regardless of where the demo comes from, it's going to be hacked.

        Also - Is there protection on the OXM demo disk?

        Although - We all know this is a moot point. The Xbox 360 will be hacked, cracked, modded, etc, no matter what happens. This is simply expediting the inevitable.
        • I later read that the executables themselves are probably signed...so I guess it won't happen any time soon!
          • Re:Not surprising... (Score:4, Interesting)

            by irc.goatse.cx troll (593289) on Tuesday December 27, 2005 @05:22PM (#14347683) Journal
            All you need is a buffer overflow in some signed code and you can jump to your unsigned loader. There are ways around this of course, but gaming hardware can't really take that kind of speed hit on execution time.
            I think Phantasy Star Online for the Dreamcast was the first major buffer overflow, which persisted in the GameCube version. Then there were the memory card savegame buffer overflows, and many more.
              • Re:Not surprising... (Score:3, Informative)

              by Myria (562655)
              Actually, Phantasy Star Online had a back door, not a buffer overflow. A packet that Sega called RcvProgramPatch could be sent to the client containing assembly code that the game would then execute. This allowed Sega to patch holes in the game and check for cheats, but it eventually led to the downfall of the Gamecube security system. (Dreamcast PSO had this feature as well, but Dreamcast had other security problems =) )

              Melissa
    • Re:Not surprising... (Score:5, Informative)

      by SScorpio (595836) on Tuesday December 27, 2005 @04:32PM (#14347309)
      From what I saw on the magazine rack, OXM is already offering a disk with playable Xbox 360 demos. What is getting the hackers excited is that the files on the demo disk are not encrypted, and they are signed to boot from seemingly any type of media. This disk is going to be used by hackers to determine how the 360 authorizes a game to be booted and with what kind of media. They can now figure out what signals are different and produce a modchip that will allow backups to run. This is the second step in opening up the 360 to run any code. The first was figuring out the format files are laid out on the disk with, and this was cracked and reported on earlier.
    • Re:Not surprising... (Score:5, Informative)

      by matth1jd (823437) on Tuesday December 27, 2005 @04:36PM (#14347346)
      There have been demo disks circulating for some time (also media check free). So while these demo discs may have no media checks that doesn't mean that the executables are not signed.
       
      As I understand it the media check basically lets the 360's hypervisor know what media the executable is allowed to run from. Demos do not have these media checks as they may be downloaded and run from the hard disk, or run from DVD.
       
      Obviously only signed code was intended to be run on the machine, the absence of a media check does not mean the executable isn't signed. In fact anyone would be incredibly naive to think that the executables were not unsigned.

      All in all I don't think we're any closer to modding the 360. This hacker group also released an Xbox 360 iso extraction tool which amounted to nothing. It turned out that any of the existing Xbox iso extraction tools could do the exact same thing. It's just a lot of smoke and no fire.
      • Re:Not surprising... (Score:2, Informative)

        by matth1jd (823437)
        Obviously only signed code was intended to be run on the machine, the absence of a media check does not mean the executable isn't signed. In fact anyone would be incredibly naive to think that the executables were not unsigned. That should read : In fact anyone would be incredibly naive to think that the executables were not signed.
      • Re:Not surprising... (Score:3, Interesting)

        by apoc06 (853263)
        yes the executables were probably signed, but in making copies you still have a copy of the signed exe, what stops media from directly running is the media check. normally, if it's not the official format, if the dummy sectors are absent and the filesystem is correct, or if it's not the official media of MS, it still doesn't run the code. it's traditionally a three-way check. that's not the case here though. here two parts of that are missing.

        whats really important here, is to know that games can be run from dif
        • Yeah, but making [backup... right?] copies of signed programs (e.g. commercial games) is only half the battle. They need to figure out how to run unsigned code anyway, because that's what allows community-written software (e.g. Xbox Media Center) to run.
        • by AoT (107216)
          It seems Microsoft was in such a hurry to get this stuff out that they forgot to set the media protection on this disc. This leaves hackers with the possibility to hack around with this disc that loads from a normal DVDR5 backup! - *Team Pi also notes that all datafiles on this disc aren't signed in any way*, and will allow for extensive modification for producing exploits to further our effort to hack this box!
          • Data != executables. This of course still might leave some opportunity for a buffer overflow attack by modifying that data, but as the 360 actually normally runs with some memory protection (compared to the original "everything is friends down at ring 0" in the Xbox), the route into loading arbitrary code of arbitrary size may still be quite complex.
          • thank you, but realize that my point still stands. the xbox /should/ be looking for signed code, and /should/ NOT play any code that is NOT signed. so actually now what you're saying is that there are no parts of the three-way check present...?

            prob not the case here. chances are that the binaries are in fact signed and the release group jumped the gun; OR they meant that the data itself is unsigned; and the exes are the only thing signed. same as on the original xbox... which is why people were able to import
      • Re:Not surprising... (Score:5, Interesting)

        by ianpatt (52996) on Tuesday December 27, 2005 @06:08PM (#14348055)
        Microsoft actually supports this method of running executables - the xbox emulator update for the 360 can be installed just by downloading a default.xex from their website and burning it to a DVD. Nothing special there.

        http://www.xbox.com/en-US/games/backwardscompatibility.htm
    • Can anyone who has a 360 tell me if the Full Auto demo is available in the market place? Why don't they have all the released demos on Live for free?
      • because the only reason OXM (the Official Xbox Magazine) exists is that people are willing to pay $5-$10 a month to get xbox/xbox 360 demos.

        So, if every demo is available on live MS would effectively be shutting down one of their best sources of good press.

        And yes, I know they claim to be "independent".
        • I used to be a subscriber to OXM for exactly this reason- the demo disks. I passed on, or bought, a lot of games based on the demos. It was always good to get through the hype of the previews and see what the game was actually like.

          So far, I plan on relying on the downloadable demos (which are huge) to do this for me. If not enough demos are released, I guess I'll have to re-subscribe to OXM.

          I believe the subscription price was like $17 per year...much better than paying $9.99 retail per issue.
  • by EvilGoodGuy (811015) on Tuesday December 27, 2005 @04:27PM (#14347253)
    Now they just have to figure out how the demo disk becomes playable, use it as a boot disk, and poof, free games for everyone. :) I might be buying a 360 sooner than I thought...
    • Now they just have to figure out how the demo disk becomes playable, use it as a boot disk, and poof, free games for everyone. :) I might be buying a 360 sooner than I thought...

      Exactly. I have a feeling that this may be the first leak in the XBOX DRM 'dyke'...

      hehe... dyke...
    • Any code on the disc is digitally signed, it just doesn't care what type of media it's loaded from. Hell, Microsoft already released a burnable disc image that updates the bios firmware and system software. If they trust their security system enough to do that, then burnable game demos are probably going to be common. Why bother media protecting a demo anyway? They might as well let people copy it.

      The only sliver of hope is that there is some flaw in the signed software which is exploitable by chang
  • ... no media protection and therefore it will run on the Xbox 360 ...

    A bug or a feature? You can never be sure with Microsoft...
    • microsoft has made absolutely NO attempt to deny how they are closely following their competition's strategies. to that end... if they see potential to copy a concept I'm sure they will. they are highly aware that the ability to easily use swap methods with the ps1 and ps2, the mod and gamesave exploits for the original xbox, and the homebrew potential of the psp are major reasons for Sony's systems to sell like hotcakes, maybe this could be an underhanded effort to get "the scene" interested in cracking the
  • HDLoader! (Score:2, Insightful)

    by gcnaddict (841664)
    Well with the successes the hacking community has had lately, I wouldn't be surprised if we see an HD loader for the 360...

    I want HDLoader!
  • by Anonymous Coward on Tuesday December 27, 2005 @04:30PM (#14347289)
    Quite an achievement making an ISO of an unprotected DVD.

    We all bow down to the superiority of the hacking skillz of said release group. I am composing some ASCII art of a very large penis in your honor that you can use in your nfo file.
    • by b1t r0t (216468) on Tuesday December 27, 2005 @04:37PM (#14347359)
      The achievement is not the ripping of the ISO. The achievement is finding out that this disk will boot when burned to a plain DVD-R.

      The first step in breaking the Dreamcast was finding a loophole that let it boot from plain CD-R.

    • You still have to hand it to them, they did, after all, commence dumping the discs to ISO's a lil while ago all on their lonesome. Also they had the kindness to let us all know of the slip-up, and publish the ISO for people to play with. That said, this isn't really a flame-war I'm trying to start. I don't even HAVE a penis :D
  • by rminsk (831757) on Tuesday December 27, 2005 @04:32PM (#14347307)
    The executables are still signed. It is common for supporting data files to be un-signed. The executable usually does a hash check on its datafiles to make sure they haven't been messed with. It seems like everyone jumps on every little thing about the inner workings of the XBox 360 as a major exploit. The sensationalism is just getting boring.
    • The executables are still signed. It is common for supporting data files to be un-signed. The executable usually does a hash check on its datafiles to make sure they haven't been messed with.

      All it takes is one buffer overflow in an executable reading a corrupted data file (which will probably be verified with something less than MD5), and this could be turned into a "boot key" allowing the loading of arbitrary code... at least until Microsoft uploads a patch to everybody locking out the executable if you d

    • Creating a boot disc is the first step into a much larger world. Thus it was with the Dreamcast, so it appears to be with the Xbox. The major difference is the fact that the Xbox's BIOS is malleable at MS's whim so even if an exploit works for a while, there are certainly no guarantees with a software solution like this.

    • You are not supposed to be able to rip *any* 360 game and play it off a burnt DVD

      The fact that you can do this with this demo DVD means that all any group has to do is figure out *why* this is (what the relevant section of bytes is), rip out the needed bytes, and use it to bootstrap the 360 to run any burnt game or app they please.

  • by Animats (122034) on Tuesday December 27, 2005 @04:53PM (#14347495) Homepage
    They're redistributing Microsoft marketing materials. Usually, you have to pay a PR firm to do that.
  • Not that exciting (Score:2, Insightful)

    by lord_sarpedon (917201)
    The media protection and signing are very different things. The executables are still signed and from that cannot be modified. However, they can be played on a variety of media, burnable media included. The files themselves, to my knowledge, are not signed or checked. That would open the door for simple map mods or similar as seen with the Halo series. As for code execution, not likely. The hypervisor as well as other checks are in place to prevent the most common forms of attack. It would take some clever
  • by AzraelKans (697974) on Tuesday December 27, 2005 @05:33PM (#14347752) Homepage
    MS doesn't make their money just out of selling games (and I seriously doubt they LOSE money on each Console sale as they claim) they make a lot of money out of selling XDK's and licenses to publishers, the more people owning the console, the more publishers will want to port their games to it. Piracy and hacking is a surefire way to make the console available to those who can't afford or are unwilling to buy the games at their current price (not just in America but worldwide) besides they CAN'T clone the console just the games themselves so they have to buy the console anyway and MS knows that, that's why they have never been too severe with piracy or hacking (contrary to Sony who is basically sinking PSP by doing the opposite.. and not releasing too many games either), do you actually believe they haven't noticed there are groups doing great dashes and even homebrew games on their console using warezed xdks? entire companies dedicated to mod chips?

    Do you think is just a big coincidence they released UNPROTECTED demos and games, which can easily be compared to PROTECTED ones by pro hackers?

    They are not stupid you know? (at least not that stupid)

    Yet IMO it would suck to own a modded or hacked xbox 360 since you wouldn't be able to log on to xbox live which is a big part of the 360 deal.
    • MS doesnt make their money just out of selling games

      Bullshit. This is how every console manufacturer makes money. Sure, they make some money by licensing developers, but the amount of money the games industry makes is not being paid for by SDKs and such. Even if it was, the developers would have to offset this by the income they make from games. This would mean that the console makers would, transitively, be making money from selling games, not developer kits. And if your groundless assertion was corre

    • Are you serious? Something like $10 out of every $50 game goes straight to MS' wallets. Game licenses are where nearly all of their income from the console market is from.
    • Look guys, I don't want to start a conspiracy theory, this is just my opinion. I just think it is too much of a coincidence, but it could be just about anything (simple incompetence or PR policies perhaps). And about the Xbox price, a huge company like MS can't get good prices in buying hardware in large scale sales and therefore have to sell at a loss? Sorry but I won't buy that for a second. Believing MS PR reports? yeah right! They are still claiming the xmas shortage was just a lucky misunderstanding! "Seri
    • MS doesnt make their money just out of selling games (and I seriously doubt they LOSE money on each Console sale as they claim)

      People really don't understand this well at all. Developing the Xbox required a very large up front investment. To justify the investment, Microsoft will analyze how much they expect to sell, and amortize that cost over the consoles and games.

      Clearly, their business model is such that if they only sold consoles, and not games, they would not recoup their costs. This makes sense b
  • Just because there are some copyable discs doesn't mean squat.

    The actual .exe files still have to be digitally signed before the CPU will accept them.

    Changing one bit of the .exe will break the digital signature's validity.

    So this isn't a way to sneak fresh code onto the 360.

    Sorry.
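The post above states that flipping one bit of a signed executable breaks its signature, and rminsk's post earlier in the thread states that executables usually hash-check their unsigned data files. The following is an added example, not code from the page or from any console vendor: a toy loader model in Python that embeds a hash manifest of the data files inside the signed executable image, so both a one-bit edit to the executable and an edit to a data file are rejected. The RSA key pair (built from two Mersenne primes, textbook RSA with no padding), the manifest marker, the file names and the bytes are all constructed for illustration; they are not Xbox 360 keys or formats. The loader deliberately ignores which medium the package came from, which is the thread's point about why media checks and signing are separate things.

```python
from __future__ import annotations

import hashlib

# Toy RSA key pair built from two Mersenne primes so the example runs offline
# with only the standard library. Constructed for illustration; NOT any console
# vendor's keys, and textbook RSA without padding is not fit for real use.
_P = (1 << 127) - 1
_Q = (1 << 521) - 1
_N = _P * _Q
_E = 65537
_D = pow(_E, -1, (_P - 1) * (_Q - 1))  # private exponent, held by the publisher only

PUBLIC_KEY = (_N, _E)    # the only key material a loader needs to embed
PRIVATE_KEY = (_N, _D)   # never ships on the console

MANIFEST_MARKER = b"\n--MANIFEST--\n"  # constructed separator, not a real XEX field


def _digest_int(data: bytes) -> int:
    """SHA-256 of data as an integer, the value the RSA operation works on."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big")


def sign(data: bytes, private_key: tuple[int, int] = PRIVATE_KEY) -> bytes:
    n, d = private_key
    return pow(_digest_int(data), d, n).to_bytes((n.bit_length() + 7) // 8, "big")


def verify(data: bytes, signature: bytes, public_key: tuple[int, int] = PUBLIC_KEY) -> bool:
    n, e = public_key
    return pow(int.from_bytes(signature, "big"), e, n) == _digest_int(data)


def build_package(code: bytes, data_files: dict[str, bytes]) -> dict:
    """Publisher side: append a manifest of data-file hashes to the code and sign
    the whole image, so the unsigned data files are anchored to the signature."""
    manifest = b"".join(
        name.encode() + b"\0" + hashlib.sha256(blob).hexdigest().encode() + b"\n"
        for name, blob in sorted(data_files.items())
    )
    image = code + MANIFEST_MARKER + manifest
    return {"image": image, "signature": sign(image), "data": dict(data_files)}


def loader_check(pkg: dict, public_key: tuple[int, int] = PUBLIC_KEY) -> tuple[bool, str]:
    """Loader side: accept the package no matter what medium it arrived on,
    but only if the image signature verifies and every data file matches
    the manifest carried inside the signed image."""
    image, signature = pkg["image"], pkg["signature"]
    if not verify(image, signature, public_key):
        return False, "executable signature invalid"
    _code, _, manifest = image.partition(MANIFEST_MARKER)
    for line in manifest.splitlines():
        name, _, expected_hex = line.partition(b"\0")
        blob = pkg["data"].get(name.decode())
        if blob is None or hashlib.sha256(blob).hexdigest().encode() != expected_hex:
            return False, f"data file {name.decode()} fails hash check"
    return True, "ok"


def flip_bit(data: bytes, bit_index: int) -> bytes:
    """Return a copy of data with a single bit flipped (models a one-bit edit)."""
    buf = bytearray(data)
    buf[bit_index // 8] ^= 1 << (bit_index % 8)
    return bytes(buf)


def demo() -> dict[str, tuple[bool, str]]:
    # Constructed sample content; not a real disc image or game data.
    code = b"default.xex placeholder: demo executable bytes"
    data = {"level1.map": b"map geometry", "strings.txt": b"hello"}
    pkg = build_package(code, data)

    results = {"untouched": loader_check(pkg)}
    # One bit changed in the executable image: the signature no longer verifies.
    results["one_bit_in_exe"] = loader_check(dict(pkg, image=flip_bit(pkg["image"], 3)))
    # A data file edited while the signed image is untouched: the manifest check fails.
    results["modified_data"] = loader_check(dict(pkg, data={**data, "level1.map": b"map geometry!"}))
    return results


if __name__ == "__main__":
    for case, (ok, reason) in demo().items():
        print(f"{case:16s} accepted={ok} ({reason})")
```

The signature by itself covers only the bytes that were signed; whether the data files are protected depends entirely on the executable carrying and enforcing something like the manifest here. That is the gap the thread's "hash check on its datafiles" argument rests on: a loader that verifies the code but whose code then trusts its data without such a check has moved the integrity question into the data parser.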

  • Hey, y'know (Score:5, Interesting)

    by FryingLizard (512858) on Tuesday December 27, 2005 @06:17PM (#14348121)
    Will someone here with a 360 and a spare half hour go get the aforementioned warez, and burn two copies - one with a single byte modified in one of the executable files?

    Actual results posted here would be oh so welcome.
  • by Smarty2120 (776415) * on Tuesday December 27, 2005 @07:02PM (#14348439)
    If you try the 360's demo downloading capability, you know that it can run downloaded content. I haven't sniffed the data stream myself, but encrypted connections slow servers down quite a bit and it's doubtful that xbox live servers even use them for content download on the order of a 500MB demo. Those binaries are signed just like the demos on the discs which can be burned. By signing the binaries, they don't need to worry about how the code got on the xbox. DVD-R, download, remove hard drive->write binary->reinstall hard drive, iPod, it doesn't matter a bit. If it doesn't execute binaries that aren't signed by microsoft's private key, it doesn't matter how you give it the binary, it won't run it. This is a non-story. Unless someone steals or breaks microsoft's private key, this is gonna need a hardware hack at minimum.
  • Pointless (Score:4, Insightful)

    by evilgrug (915703) on Tuesday December 27, 2005 @09:50PM (#14349401)
    To reiterate what others have said, the executables are still signed AND demo discs with no media checks have been around for months. So that rules out modifying the executables.

    As far as gamesave exploits and the like...On the original Xbox, gamesaves were signed, but they used a key stored in plaintext in the executable. Meaning if you found a way to crash the game and run your code, it was trivial to get the game to accept it. I suspect on the Xbox 360 the key will be secret.

    Secondly, games on the Xbox run in kernel mode. I suspect this is NOT the case on the Xbox 360.

    The Xbox 360 does not use an off-the-shelf CPU. Microsoft licensed it and built its own. The original Xbox was first hacked because it used an off-the-shelf Mobile Celeron and thus its secret information had to be built into the Xbox-specific southbridge and travel down the HyperTransport, which could be sniffed. Since the Xbox 360 used an MS-made CPU, I would wager that the key is on the CPU itself.

    If we presume that gamesaves are signed with a secret key in the CPU, and applications do not run in kernel mode, we can rule out gamesave exploits in addition to executable modifications.

    In short, this "news" is pointless. MS ship an executable with a few different bits allowing DVD-R playback and people suddenly think that we have a new Dreamcast on our hands. The disc will undoubtedly be subject to much scrutiny, but we're not really any closer to hacking the Xbox 360.
  • by Rolman (120909) on Tuesday December 27, 2005 @11:22PM (#14349747)
    People here talking about the executable still being signed and thus not hackable are terribly missing the point.

    Team Pi notes that the DATA FILES are not protected. That means that content can be changed and thus the signed executable could be hijacked into loading unsigned code.

    This is nothing new. It's exactly what happened in the old Xbox and the game 007: Agent Under Fire. Someone hacked a savefile, which exploited a buffer overrun on the PERFECTLY SIGNED executable from the game and enabled unsigned code (Linux, or a backup game if that's your intention) to run WITHOUT ANY MODCHIP.

    You just need a Memory Card to load the hacked savefile from, and the original, signed, protected game.

    Team Pi is suggesting that the same idea is possible here, and that's the reason why this ISO is being distributed.