Table Of Contents - PowerPoint PPT Presentation



PowerPoint Slideshow about 'Table Of Contents' - magar


Table Of Contents
  • History
  • Hardware & Technical specification
  • Security
  • Xbox Hardware Cryptosystem overview
  • Security Issues
  • Conclusion
Development
  • Developed within Microsoft by a small team that included game developer Seamus Blackley (an agent with Creative Artists Agency representing video game creators).
  • Originally named "DirectX-box"
  • Launch price was pretty high (Europe 479.99 € in 2002; North America 299 $ in 2001; Oceania 699 AU$ in 2002). With a price-dropped PlayStation 2 (more than 100 € or $ cheaper)

Hardware & Technical Specification

  • CPU: 32-bit 733 MHz Coppermine-based Mobile Celeron in Micro-PGA2 package. 180 nm process. (32 KB L1 cache, 128 KB on-die L2 "Advanced Transfer Cache".)
  • Shared memory subsystem
    • 64 MB DDR SDRAM at 200 MHz; 6.4 GB/s
  • GPU and system chipset: 233 MHz "NV2A" ASIC. Co-developed by Microsoft and NVIDIA.
    • Similar to the GeForce 3 and GeForce 4 PC GPUs.
  • Storage media
    • 2x – 5x (2.6 MB/s – 6.6 MB/s) CAV DVD-ROM
    • 8 or 10 GB, 3.5 in, 5,400 RPM hard disk. Formatted to 8 GB. FATX file system.
    • Optional 8 MB memory card for saved game file transfer.
  • Audio processor: NVIDIA "MCPX" (a.k.a. SoundStorm "NVAPU")
    • 64 3D sound channels (up to 256 stereo voices)
    • Monaural, Stereo, Dolby Surround, Dolby Digital Live 5.1, and dts Surround (DVD movies only) audio output options
  • Integrated 10/100BASE-TX wired ethernet
  • DVD movie playback
  • A/V outputs: composite video, S-Video, component video, SCART, Optical Digital TOSLINK, and stereo RCA analog audio
  • Resolutions: 480i, 576i, 480p, 720p and 1080i
  • Controller ports: 4 proprietary USB ports
Xbox Hardware Cryptosystem Overview
  • The Xbox crypto protocol presents a strong defense in the face of unsecured Flash ROM-based modifications (the console boots from a 512-byte secret boot block that is hard-coded into the southbridge system ASIC)
  • The bootloader is encrypted with RC-4 using a 128-bit key
  • having an external (reprogrammable) 1 MB Flash ROM chip (models since 2003 have only 256 KB)
  • Microsoft stored 512 bytes of code in the Xbox's southbridge, the MCPX (Media and Communications Processor for Xbox), which is manufactured by NVIDIA
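The interpreter, rewritten in C, looks roughly like this:

    struct {
        char opcode;
        int op1;
        int op2;
    } *p;                            /* current instruction */
    int acc;                         /* accumulator */

    p = (void *)0xFFF00080;          /* interpretation starts at this fixed address */
    while (1) {
        switch (p->opcode) {
        case 2:                      /* read a dword from memory into acc */
            acc = *((int *)p->op1);
            break;
        case 3:                      /* POKE: write op2 to memory at op1 */
            *((int *)p->op1) = p->op2;
            break;
        case 4:                      /* POKEPCI: address to 0xCF8, data to 0xCFC */
            outl(p->op1, 0x0CF8);
            outl(p->op2, 0x0CFC);
            break;
        case 5:
            ...
        case 0xEE:                   /* END: leave the interpreter */
            goto end;
        }
        p++;
    }
    end:
        ;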

POKEPCI

    mov eax, 80000880h
    mov dx, 0CF8h
    out dx, eax
    add dl, 4
    mov al, 2
    out dx, al

This code sets bit #1 in the PCI config space, device 0:1:0, register offset 0x80 (coded in 0x80000880).

POKEPCI cont.

        cmp ebx, 80000880h          ; ISA Bridge, MCPX disable?
        jnz short not_mcpx_disable  ; no
        and ecx, not 2              ; clear bit 1
    not_mcpx_disable:
        mov eax, ebx
        mov dx, 0CF8h
        out dx, eax                 ; PCI configuration address
        add dl, 4
        mov eax, ecx
        out dx, eax                 ; PCI configuration data
        jmp short next_instruction
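The address encoding and the interpreter's filter from the two POKEPCI slides, modelled in C as an added example (not code from the slides or from the Xbox ROM). The variables port_cf8 and port_cfc are hypothetical stand-ins for the two I/O ports, and 0x80000810 is a constructed second address used only for comparison.

```c
#include <stdint.h>
#include <stdio.h>

/* Fields of a PCI configuration mechanism #1 address (written to port 0xCF8). */
struct pci_addr { unsigned enable, bus, dev, fn, reg; };

static struct pci_addr pci_decode(uint32_t a)
{
    struct pci_addr p;
    p.enable = (a >> 31) & 0x01;  /* bit 31: enable configuration access */
    p.bus    = (a >> 16) & 0xFF;  /* bits 23-16: bus number */
    p.dev    = (a >> 11) & 0x1F;  /* bits 15-11: device number */
    p.fn     = (a >> 8)  & 0x07;  /* bits 10-8: function number */
    p.reg    = a & 0xFC;          /* bits 7-2: dword-aligned register offset */
    return p;
}

#define MCPX_DISABLE_ADDR 0x80000880u  /* address value taken from the slides */

/* Hypothetical stand-ins for ports 0xCF8 (address) and 0xCFC (data);
   they record what the handler would have written to the hardware. */
static uint32_t port_cf8, port_cfc;

/* C model of the POKEPCI handler listed on the slide:
   addr plays the role of ebx, data the role of ecx. */
static void pokepci_filtered(uint32_t addr, uint32_t data)
{
    if (addr == MCPX_DISABLE_ADDR)  /* cmp ebx, 80000880h */
        data &= ~2u;                /* and ecx, not 2: clear bit 1 */
    port_cf8 = addr;                /* out 0CF8h: PCI configuration address */
    port_cfc = data;                /* out 0CFCh: PCI configuration data */
}

int main(void)
{
    struct pci_addr p = pci_decode(MCPX_DISABLE_ADDR);
    printf("bus %u dev %u fn %u reg 0x%02X\n", p.bus, p.dev, p.fn, p.reg);

    pokepci_filtered(MCPX_DISABLE_ADDR, 0x00000003u);
    printf("data reaching 0xCFC: 0x%08X\n", (unsigned)port_cfc);

    pokepci_filtered(0x80000810u, 0x00000003u);  /* constructed address */
    printf("data reaching 0xCFC: 0x%08X\n", (unsigned)port_cfc);
    return 0;
}
```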

Halt

        mov eax, ds:95FE4h
        cmp eax, 7854794Ah
        jnz short bad_checkcode
        mov eax, ds:90000h
        jmp eax                     ; jump to decrypted second bootloader in RAM
    bad_checkcode:
        mov eax, 80000880h          ; prepare MCPX ROM disable
        mov dx, 0CF8h
        out dx, eax
        jmp far ptr 8:0FFFFFFFAh    ; jump to end of ROM, wraparound
    [...]
    FFFA:                           ; this is address FFFFFFFA
        add dl, 4
        mov al, 2
        out dx, al
    ; ------ this is address 00000000 ------

VISOR TRICK

    POKE 0x00000000, 0x001000B8 ; store "mov eax, 0xFF001000; jmp eax"
    POKE 0x00000004, 0x90E0FFFF ; at 0x00000000 in memory
    END
    ; now we can place our code at 0x1000 in Flash

Conclusion
  • The design of the first MCPX was wrong and the implementation was catastrophic.
  • The design of the second version was a lot better, but the implementation was not.
  • With a working hash function and without the various security holes, the system would be pretty secure.