my research and reverse engineering notes/utilities relating to the Xbox 360 (Mirrored from https://github.com/InvoxiPlayGames/x360-research)

Update security_overview.md

authored by invoxiplaygames.uk and committed by GitHub b6dd0f5e 290105d4

+25 -8
official-software/system/security_overview.md
··· 12 12 As of 2024, every console manufactured before 2011 is subject to trivial 13 13 piracy, and cheating online in many games is possible with savegame exploits, 14 14 patched game files on burned DVDs, or network exploits. 15 - The last method to run homebrew without soldering was patched in 2007. 15 + The last method to run homebrew without soldering a modchip was patched in 2007. 16 16 17 17 ## Security Features 18 18 ··· 32 32 the hypervisor never allocates executable virtual memory to the kernel 33 33 that has the execute permission *and* write permission. 34 34 * New memory when loading new executables can't be marked as executable 35 - unless all signature checks have been passed. 35 + unless all signature checks have been passed by both the kernel and 36 + hypervisor. 36 37 * Games for the most part run in the same privilege ring as kernel, for 37 38 performance. Certain software uses a "user-mode" but that doesn't act 38 39 as much of a security barrier, rather a memory management mode. ··· 43 44 preventing hardware DMA attacks or kernel-land software exploits from 44 45 tampering with it or its state, even in uncontrollable ways. 45 46 * The encryption is AES-128 with a slightly customised algorithm. Encryption 46 - is done per cache line. 47 - * The encryption and hashing is done transparently to the kernel by the L2 48 - cache. 49 - * Random AES key chosen at startup by 2BL, with help from hardware RNG. The 50 - 2BL also checks to make sure there's sufficient randomness so the RNG 51 - can't be rigged or disabled. 47 + is done per every 0x10 bytes (AES block size) with a random key. 48 + * The hashing is a custom variation of CRC16 by IBM. Hashing is done per 49 + every 0x80 bytes (cache line size) and is done using a random key generated 50 + at startup. 51 + * The encryption and hashing is done transparently to the kernel by the MMU 52 + and L2 cache. 53 + * Random AES keys are chosen at startup by 2BL, with help from hardware RNG. 
54 + The 2BL also checks to make sure there's sufficient randomness so the RNG 55 + can't be rigged or disabled in hardware. 52 56 53 57 ## Security Pitfalls 54 58 ··· 66 70 * XGD3 seemed to have partially fixed this problem. 67 71 * While various system applications are compiled with stack canaries enabled, 68 72 plenty of games are not, as was standard for the time for performance reasons. 73 + * Games can be patched when the system is connected to Live, but being 74 + offline and clearing cache makes the system vulnerable again. 69 75 * Due the kernel running under a 32-bit address space, despite being a 64-bit 70 76 platform, none of the more advanced security features such as ASLR and PAC 71 77 could be used effectively, and in fact weren't used at all. This, combined 72 78 with the lack of stack canaries, makes exploiting userland trivial. 79 + * System management controller / SMC / Southbridge firmware is not signed, 80 + meaning it can be replaced to modify the behaviour or be used to attack the 81 + CPU (see: SMC Hack, RGH3 - as well as all other RGH variants rebooting rather 82 + than RRoD on failed boots) 83 + 84 + ## References 85 + 86 + * Memory encryption/hashing: 87 + https://github.com/GoobyCorp/Xbox-360-Crypto/blob/master/MemCrypto.py 88 + 89 + I must've got some more of this info from other places, but I can't remember.
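Review bot: line 15 now says "soldering a modchip", which reads better, but the sentence still does not name the method that was patched in 2007, so a reader cannot verify the date; consider naming the method or linking the relevant note in this repo alongside it.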
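Review bot: the added "by both the kernel and hypervisor" at lines 35-36 implies two independent signature checks, but the text does not say whether the hypervisor verifies the signature itself or only honours a result the kernel hands it; since lines 32-33 make the hypervisor the W^X enforcer, one sentence stating which it is would tell the reader whether a kernel-level bug on its own is enough to get a page marked executable.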
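Review bot: the memory-protection bullets at lines 45-55 now describe a keyed CRC16 variant as "hashing", while lines 43-44 claim it stops DMA and kernel-exploit tampering; a CRC is linear, so that integrity claim rests entirely on the key staying out of reach of software, and the bullet should say so (and "keyed checksum" or "integrity check" would be more accurate than "hashing"). Smaller points in the same hunk: "per every 0x10 bytes" and "per every 0x80 bytes" read better as "per 16-byte (0x10) AES block" and "per 128-byte (0x80) cache line"; the cipher mode is unstated, so say whether the physical address or another tweak is mixed in, because a per-block cipher keyed only with a random key maps equal plaintext blocks to equal ciphertext; and line 53 switches to "Random AES keys" (plural) where line 47 says "a random key", so state how many keys there are.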
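Review bot: the new SMC bullet at lines 79-82 cites "SMC Hack" and "RGH3" without a link, and the new References section at lines 84-87 lists only the memory-crypto script; add references for those and for the "Games can be patched" claim at lines 73-74 so the pitfalls list is as well sourced as the feature list. Lines 73-74 should also say which cache is cleared and make explicit that the patches are cached rather than persistently installed, since that is what re-exposes the vulnerability offline, and the parenthetical at lines 81-82 is missing its closing period.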