MIT grad student shows how to read Xbox security key

He did it legally too, apparently. Isn't that clever?


An MIT graduate student has successfully dismantled Xbox's security system and published (after what appears to have been some discussion with Microsoft and EFF lawyers) the results. Bottom line - Xbox security relies on a "chain of trust" built on a "seed of trust" key that is included in a physically secure, secret boot block and which is identical in all shipped hardware.

So if you've got one, you've got them all, and Andrew "bunnie" Huang's paper explains how he was able to get them. You can get full details of what he did here, in the academic version submitted to MIT, and bunnie also publishes an entertaining and knockabout history of his Xbox activities here. The Register is particularly taken with his happy announcement "hey! I'm finally done with my PhD thesis on supercomputer architecture...I can finally spend some more time playing with the Xbox" before he gets down to tearing it apart. Most definitely, a crazy guy.

Where Microsoft goes wrong in the Xbox security system is that although it camouflages the existence of the secret boot block via a non-secret boot block, and makes it very difficult and expensive to access the secret block (it's hard-coded into the southbridge system ASIC, which is built in 0.13 micron), the block itself is sent in the clear over the HyperTransport northbridge-southbridge bus. Thus, by monitoring and analysing this traffic (bunnie tells how, it involves a belt sander, don't ask) you get the key.

It doesn't take expensive hardware to do so; as a matter of fact, it can be done with the kind of hardware an MIT grad student has lying around after doing his PhD thesis on supercomputer architecture. Once you've done so, you have the ability to investigate the bootloader and kernel further, as bunnie says he's doing, and to open up the Xbox to standard peripherals and other operating systems. As he says, "if you ship your secrets in your hardware, it is a good assumption that the users will eventually - and perhaps quickly - know your secrets."
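The design point behind that quote, as an added illustration that is not from the article or from bunnie's paper: when the root of trust is one secret key shared by every console, the material the boot block needs to verify each stage is the same material needed to produce valid tags, so anyone who reads it off the bus holds the vendor's capability. Keeping only public material on the device is one alternative (my choice of contrast, with Lamport one-time signatures standing in for a real signature scheme; the firmware stages and key K are constructed).

```python
import hmac, hashlib, os

def sha256(data):
    return hashlib.sha256(data).digest()

# Design A, as the article describes the Xbox: the same secret key K sits in
# every console's boot block, and each later stage is checked against K.
def mac_tag(k, image):
    return hmac.new(k, image, hashlib.sha256).digest()

def mac_verify(k, image, tag):
    return hmac.compare_digest(mac_tag(k, image), tag)

# Design B, an illustrative alternative (not something the article attributes
# to the paper): the console stores only a public key, so whatever crosses the
# bus cannot be used to sign. Lamport one-time signatures are used here only
# because they need nothing beyond SHA-256; a real product would use RSA/ECDSA.
def lamport_keygen():
    sk = [(os.urandom(32), os.urandom(32)) for _ in range(256)]
    pk = [(sha256(a), sha256(b)) for a, b in sk]
    return sk, pk

def _bit(digest, i):
    return (digest[i // 8] >> (7 - i % 8)) & 1

def lamport_sign(sk, image):
    d = sha256(image)
    return [sk[i][_bit(d, i)] for i in range(256)]  # reveals one preimage per bit

def lamport_verify(pk, image, sig):
    d = sha256(image)
    return len(sig) == 256 and all(
        sha256(sig[i]) == pk[i][_bit(d, i)] for i in range(256))

def boot_chain(verify, root, stages):
    """Chain of trust: every (image, tag) stage must verify under the root
    material the boot block holds, otherwise boot halts."""
    return all(verify(root, image, tag) for image, tag in stages)

# Constructed sample stages, not real Xbox images.
LOADER = b"second-stage loader v1"
KERNEL = b"kernel image v1"

def demo():
    k = os.urandom(16)                       # design A: K is what the bus carries
    stages_a = [(LOADER, mac_tag(k, LOADER)), (KERNEL, mac_tag(k, KERNEL))]
    sk, pk = lamport_keygen()                # design B: pk is what the bus carries
    stages_b = [(LOADER, lamport_sign(sk, LOADER))]   # one-time key: one stage
    return boot_chain(mac_verify, k, stages_a), boot_chain(lamport_verify, pk, stages_b)
```

In design A a bus observer who has seen K can produce a tag that `mac_verify` accepts for any image; in design B the observer has only `pk`, and producing a signature still requires `sk`, which never left the vendor.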

On an individual console basis his work suggests that it will be simple enough to run what you want on Xbox hardware as currently constructed, and there are obvious implications for Microsoft as it begins to turn Xbox into a connected device. Xbox machines each have a unique ID; you could no doubt get access to these if you circumvented the security, so there is both a privacy issue and a threat to Microsoft's revenues from online services.

The paper offers Microsoft some suggestions as to alternative and more viable security approaches, and no doubt The Beast is working on updates even as you read. As for you conspiracy theorists about to mail us suggesting it's all a plot to get you to buy Xboxes before they put on a better padlock - just don't, OK? ®
