Table Of Contents
• History
• Hardware & Technical specification
• Security
• Xbox Hardware Cryptosystem overview
• Security Issues
• Conclusion
Development
• Developed within Microsoft by a small team that included game developer Seamus Blackley (an agent with Creative Artists Agency representing video game creators).
• Originally named "DirectX-box".
• The launch price was pretty high (Europe 479.99 € in 2002; North America 299 $ in 2001; Oceania 699 AU$ in 2002), with a price-dropped PlayStation 2 more than 100 € or $ cheaper.
Hardware & Technical Specification
• CPU: 32-bit 733 MHz Coppermine-based Mobile Celeron in Micro-PGA2 package, 180 nm process (32 KB L1 cache, 128 KB on-die L2 "Advanced Transfer Cache").
• Shared memory subsystem
  • 64 MB DDR SDRAM at 200 MHz; 6.4 GB/s
• GPU and system chipset: 233 MHz "NV2A" ASIC, co-developed by Microsoft and NVIDIA.
  • Similar to the GeForce 3 and GeForce 4 PC GPUs.
• Storage media
  • 2x – 5x (2.6 MB/s – 6.6 MB/s) CAV DVD-ROM
  • 8 or 10 GB, 3.5 in, 5,400 RPM hard disk. Formatted to 8 GB. FATX file system.
  • Optional 8 MB memory card for saved game file transfer.
• Audio processor: NVIDIA "MCPX" (a.k.a. SoundStorm "NVAPU")
  • 64 3D sound channels (up to 256 stereo voices)
  • Monaural, Stereo, Dolby Surround, Dolby Digital Live 5.1, and dts Surround (DVD movies only) audio output options
• Integrated 10/100BASE-TX wired Ethernet
• DVD movie playback
• A/V outputs: composite video, S-Video, component video, SCART, optical digital TOSLINK, and stereo RCA analog audio
• Resolutions: 480i, 576i, 480p, 720p and 1080i
• Controller ports: 4 proprietary USB ports
Xbox Hardware Cryptosystem Overview
• The Xbox crypto protocol presents a strong defense in the face of unsecured Flash ROM-based modifications: the console boots from a 512-byte secret boot block that is hard-coded into the southbridge system ASIC.
• The bootloader is encrypted with RC4 using a 128-bit key.
• The console has an external (reprogrammable) 1 MB Flash ROM chip (models since 2003 have only 256 KB).
• Microsoft stored 512 bytes of code in the Xbox's southbridge, the MCPX (Media and Communications Processor for Xbox), which is manufactured by NVIDIA.
The interpreter, rewritten in C, looks roughly like this:

```c
struct {
    char opcode;
    int  op1;
    int  op2;
} *p;
int acc;

p = (void *)0xFFF00080;                           /* bytecode program in the MCPX ROM */
while (1) {
    switch (p->opcode) {
    case 2:    acc = *((int *)p->op1); break;     /* read a dword from memory into acc */
    case 3:    *((int *)p->op1) = p->op2; break;  /* write a dword to memory (POKE) */
    case 4:    outl(p->op1, 0x0CF8);              /* PCI configuration address */
               outl(p->op2, 0x0CFC); break;       /* PCI configuration data (POKEPCI) */
    case 5:    ...                                /* further opcodes omitted on the slide */
    case 0xEE: goto end;                          /* END */
    }
    p++;
}
end:
```
POKEPCI

```asm
mov eax, 80000880h
mov dx, 0CF8h
out dx, eax
add dl, 4
mov al, 2
out dx, al
```

This code sets bit #1 in the PCI config space, device 0:1:0, register offset 0x80 (coded in 0x80000880).
POKEPCI cont.

```asm
cmp ebx, 80000880h          ; ISA bridge, MCPX disable?
jnz short not_mcpx_disable  ; no
and ecx, not 2              ; clear bit 1
not_mcpx_disable:
mov eax, ebx
mov dx, 0CF8h
out dx, eax                 ; PCI configuration address
add dl, 4
mov eax, ecx
out dx, eax                 ; PCI configuration data
jmp short next_instruction
```
Halt

```asm
mov eax, ds:95FE4h
cmp eax, 7854794Ah
jnz short bad_checkcode
mov eax, ds:90000h
jmp eax                     ; jump to decrypted second bootloader in RAM
bad_checkcode:
mov eax, 80000880h          ; prepare MCPX ROM disable
mov dx, 0CF8h
out dx, eax
jmp far ptr 8:0FFFFFFFAh    ; jump to end of ROM, wraparound
[...]
FFFA:                       ; this is address FFFFFFFA
add dl, 4
mov al, 2
out dx, al
; ------ this is address 00000000 ------
```
VISOR TRICK

```
POKE 0x00000000, 0x001000B8   ; store "mov eax, 0xFF001000; jmp eax"
POKE 0x00000004, 0x90E0FFFF   ; at 0x00000000 in memory
END                           ; now we can place our code at 0x1000 in Flash
```
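To make the interpreter, the two POKEPCI variants and the VISOR TRICK program concrete, here is a host-side model in C. It is an added example, not code from the slides or from the Xbox boot ROM. The opcode numbers (2, 3, 4, 0xEE), the ports 0xCF8/0xCFC, the address 0x80000880 and the two behaviours of POKEPCI (the first MCPX writes the data word as-is, the second clears bit 1 when the target is 0x80000880) come from the slides; the packed 9-byte instruction layout, the sizes of the simulated RAM and PCI configuration space, and all function names are assumptions made for this model. Running the two POKEs from the VISOR TRICK slide through it shows the eight bytes they leave at address 0, and running one POKEPCI against both variants shows which one lets the bytecode set the ROM-disable bit.

```c
/* Host-side model of the MCPX bytecode interpreter (added example; packed
 * instruction layout, memory sizes and function names are assumptions). */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define RAM_SIZE  0x10000u   /* simulated RAM window (assumption) */
#define INSN_SIZE 9          /* 1-byte opcode + two 32-bit operands (assumption) */
enum { OP_PEEK = 2, OP_POKE = 3, OP_POKEPCI = 4, OP_END = 0xEE };

static uint8_t  ram[RAM_SIZE];
static uint8_t  pci_cfg[256];   /* config space of the MCPX, PCI device 0:1:0 */
static uint32_t pci_addr;       /* last value written to port 0xCF8 */
static uint32_t acc;            /* the interpreter's accumulator */

static void reset_state(void) {
    memset(ram, 0, sizeof ram); memset(pci_cfg, 0, sizeof pci_cfg);
    pci_addr = 0; acc = 0;
}

/* Split a configuration address (the value written to 0xCF8) into its fields. */
struct pci_target { unsigned bus, dev, fn, reg; };
static struct pci_target pci_decode(uint32_t a) {
    struct pci_target t = { (a >> 16) & 0xFF, (a >> 11) & 0x1F, (a >> 8) & 7, a & 0xFC };
    return t;
}

/* The two port writes behind POKEPCI. Only device 0:1:0 exists in this model. */
static void outl_sim(uint32_t value, uint16_t port) {
    if (port == 0x0CF8) { pci_addr = value; return; }
    if (port == 0x0CFC) {
        struct pci_target t = pci_decode(pci_addr);
        if ((pci_addr & 0x80000000u) && t.bus == 0 && t.dev == 1 && t.fn == 0)
            memcpy(&pci_cfg[t.reg], &value, 4);
    }
}
/* First MCPX: the data word from the bytecode is written unchanged. */
static void pokepci_v1(uint32_t addr, uint32_t data) {
    outl_sim(addr, 0x0CF8); outl_sim(data, 0x0CFC);
}
/* Second MCPX: if the target is the ROM-disable register, bit 1 is cleared first. */
static void pokepci_v2(uint32_t addr, uint32_t data) {
    if (addr == 0x80000880u) data &= ~2u;
    outl_sim(addr, 0x0CF8); outl_sim(data, 0x0CFC);
}
/* Append one instruction to a program buffer; returns the new length. */
static size_t emit(uint8_t *prog, size_t n, uint8_t opcode, uint32_t op1, uint32_t op2) {
    prog[n] = opcode; memcpy(prog + n + 1, &op1, 4); memcpy(prog + n + 5, &op2, 4);
    return n + INSN_SIZE;
}
/* Execute a program. Returns the number of instructions executed up to and including
 * END, or -1 if it runs off the end, leaves the RAM window, or uses an unmodelled opcode. */
static int run(const uint8_t *prog, size_t len, int second_mcpx) {
    size_t pc = 0; int count = 0;
    while (pc + INSN_SIZE <= len) {
        uint32_t op1, op2;
        memcpy(&op1, prog + pc + 1, 4); memcpy(&op2, prog + pc + 5, 4);
        count++;
        switch (prog[pc]) {
        case OP_PEEK:  if (op1 > RAM_SIZE - 4) return -1;   /* acc = *(int *)op1 */
                       memcpy(&acc, &ram[op1], 4); break;
        case OP_POKE:  if (op1 > RAM_SIZE - 4) return -1;   /* *(int *)op1 = op2, any address */
                       memcpy(&ram[op1], &op2, 4); break;
        case OP_POKEPCI: if (second_mcpx) pokepci_v2(op1, op2); else pokepci_v1(op1, op2); break;
        case OP_END:   return count;
        default:       return -1;
        }
        pc += INSN_SIZE;
    }
    return -1;
}
/* Register 0x80 of device 0:1:0 after a POKEPCI that asks to set its bit 1. */
static uint32_t reg80_after_disable_attempt(int second_mcpx) {
    uint8_t prog[32]; size_t n = 0; uint32_t reg;
    reset_state();
    n = emit(prog, n, OP_POKEPCI, 0x80000880u, 2);
    n = emit(prog, n, OP_END, 0, 0);
    run(prog, n, second_mcpx);
    memcpy(&reg, &pci_cfg[0x80], 4);
    return reg;
}
/* The two POKEs from the VISOR TRICK slide: do they leave the expected 8 bytes at 0? */
static int pokes_land_at_zero(void) {
    static const uint8_t expect[8] = { 0xB8,0x00,0x10,0x00, 0xFF,0xFF,0xE0,0x90 };
    uint8_t prog[32]; size_t n = 0;
    reset_state();
    n = emit(prog, n, OP_POKE, 0x00000000u, 0x001000B8u);
    n = emit(prog, n, OP_POKE, 0x00000004u, 0x90E0FFFFu);
    n = emit(prog, n, OP_END, 0, 0);
    return run(prog, n, 0) == 3 && memcmp(ram, expect, 8) == 0;
}
int main(void) {
    struct pci_target t = pci_decode(0x80000880u);
    printf("0x80000880 -> bus %u dev %u fn %u reg 0x%02X\n", t.bus, t.dev, t.fn, t.reg);
    printf("reg 0x80 after POKEPCI: first MCPX 0x%08X, second MCPX 0x%08X\n",
           reg80_after_disable_attempt(0), reg80_after_disable_attempt(1));
    printf("POKEs leave the 8-byte stub at address 0: %s\n", pokes_land_at_zero() ? "yes" : "no");
    return 0;
}
```

The contrast worth noticing is between the two opcodes: the second MCPX filters one specific configuration register, while POKE has no restriction at all on where it writes. An interpreter that runs inside the root of trust should bound both the memory it will touch and the configuration registers it will change, since everything later in the boot chain inherits whatever state the bytecode leaves behind.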
Conclusion
• The design of the first MCPX was wrong and the implementation was catastrophic.
• The design of the second version was a lot better, but the implementation was not.
• With a working hash function and without the various security holes, the system would be pretty secure.
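The Halt slide compares a single dword at a fixed address with a constant before jumping to the decrypted second bootloader, and the conclusion names a working hash function as what the design was missing. The following C program, added here and not part of the slides, puts the two kinds of check side by side over a constructed image: one compares a dword at a fixed offset with the slide's constant, the other recomputes a digest over every byte of the image. The image size and contents, the offsets, and the use of 32-bit FNV-1a as the digest are assumptions made for the example; FNV-1a is not collision resistant and stands in for a cryptographic hash only to keep the code short. What it shows is coverage: a change anywhere outside the checked dword is invisible to the first check and caught by the second.

```c
/* Fixed-offset constant check versus whole-image digest check (added example;
 * image contents, offsets and the FNV-1a stand-in are assumptions). */
#include <stdint.h>
#include <string.h>
#include <stdio.h>

#define IMAGE_SIZE    4096u              /* constructed image size (assumption) */
#define MAGIC_OFFSET  (IMAGE_SIZE - 8)   /* plays the role of ds:95FE4h in the slide */
#define MAGIC_VALUE   0x7854794Au        /* the constant compared in the Halt slide */
#define DIGEST_OFFSET (IMAGE_SIZE - 4)   /* where the stored digest lives (assumption) */

/* 32-bit FNV-1a: a short stand-in, not a cryptographic hash */
static uint32_t fnv1a(const uint8_t *p, size_t n) {
    uint32_t h = 0x811C9DC5u;
    for (size_t i = 0; i < n; i++) { h ^= p[i]; h *= 0x01000193u; }
    return h;
}

/* Constructed "decrypted second bootloader": filler bytes, the magic dword,
 * and a digest over everything that precedes the digest itself. */
static void build_image(uint8_t *img) {
    for (size_t i = 0; i < IMAGE_SIZE; i++) img[i] = (uint8_t)(i * 31 + 7);
    uint32_t magic = MAGIC_VALUE, digest;
    memcpy(img + MAGIC_OFFSET, &magic, 4);
    digest = fnv1a(img, DIGEST_OFFSET);
    memcpy(img + DIGEST_OFFSET, &digest, 4);
}

/* The check from the Halt slide: one dword at a fixed offset equals a constant. */
static int check_magic(const uint8_t *img) {
    uint32_t v; memcpy(&v, img + MAGIC_OFFSET, 4);
    return v == MAGIC_VALUE;
}

/* Whole-image check: recompute the digest over every byte before the stored one. */
static int check_digest(const uint8_t *img) {
    uint32_t stored; memcpy(&stored, img + DIGEST_OFFSET, 4);
    return fnv1a(img, DIGEST_OFFSET) == stored;
}

/* Build the image, optionally flip one bit in the code area (the magic dword and
 * the stored digest are left untouched), and run the given check. Returns 1 when
 * the check accepts the image. */
static int accepts(int tamper, int (*check)(const uint8_t *)) {
    uint8_t img[IMAGE_SIZE];
    build_image(img);
    if (tamper) img[100] ^= 0x01;
    return check(img);
}

int main(void) {
    printf("untouched image: magic check %d, digest check %d\n",
           accepts(0, check_magic), accepts(0, check_digest));
    printf("one bit changed: magic check %d, digest check %d\n",
           accepts(1, check_magic), accepts(1, check_digest));
    return 0;
}
```

The digest check only helps if the stored digest itself cannot be replaced along with the image, which is why a real boot chain pairs the hash with a signature or with a reference value held inside the ROM; the example models the coverage difference, not that second half of the design.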