How a Mini drill tool defeated security on the Xbox 360 | MVG

Reddit Comments

Microsoft went to great lengths and measures to stop hackers from cracking into their Xbox consoles but always failed. What's funny is, their best defense with the Series X|S is letting the hackers have their way to some extent. Let them have the Dev mode on the system, crack into it and dabble in them.

The Series systems are probably the best console-based modern ROM and emulator systems out on the market just because of the free space we have in dabbling on our consoles. There isn't a harsh leash to try to stop people. No matter what shield or barrier is placed on the consoles, if there is a way to do something, hackers are going to find a way to do it no matter what protection is in place.

104 points · u/VagrantShadow · Aug 09 2021

[removed]

46 points · u/[deleted] · Aug 09 2021

It's fascinating seeing the history of how people hacked the consoles made by million-dollar companies; can't wait for the story of how a clip defeated the security of the Switch.

6 points · u/andresfgp13 · Aug 09 2021
Captions
Back in 2019 I made a video series about security and the Xbox 360. In part one we covered DVD security, and to summarize: Microsoft would invest heavily to secure the Xbox 360 after the failures of the original Xbox. Its custom hardware, hypervisor, eFuses and encryption keys would be a significant step up from the PC-based original Xbox motherboard design. But hackers realized the challenge to defeat the hypervisor would be significant, so they initially focused on the DVD drive, with the goal: if we can make the drive believe that a backup copy of an Xbox 360 game is real, then there is no need to defeat the hypervisor.

In part one of my series I discussed the history of DVD exploits and how they came to be, which would become a cat and mouse game between Microsoft and developer commodore4eva, who always seemed to be one step ahead, releasing custom DVD drive firmwares that worked around almost every obstacle Microsoft presented, including stealth media checks, Xbox Live bans, newer anti-piracy and DVD formats. But inside that timeline there was one hack that we didn't mention specifically, and quite possibly the craziest console hack ever, and that is 2012's Kamikaze hack.

Because Microsoft would tighten security on the Xbox 360, major components of the hardware would all use per-console keys unique to each hardware device, and the DVD drive would be no exception. Microsoft knew that flashing a custom firmware on the DVD drive would expose their security, so instead they would encrypt the firmware via the DVD drive keys, and flashing a custom firmware required extracting those keys, which would also be required to rebuild a custom firmware and re-flash it. In order to reflash a firmware the drive would need to be unlocked, or in other words put into a mode where it can be queried and flashed. And finally, they would also protect the drive from being flashed by setting the flash as read-only. But unfortunately for Microsoft, getting access to the drive's flash would be one of the very earliest methods to defeat security.

DVD drive mods became quite popular because they were easy to perform. The DVD drive flash would be on a separate chip on the board, and although Microsoft tried different methods to obfuscate it, including setting the chip in resin so it could not easily have its pins exposed, every drive was defeated and custom firmwares were made available. But in 2012 Microsoft would get creative. Xbox 360 Slim models had replaced the earlier fat models, and they knew that they had to do something about the flash chip on the DVD board. So in certain drives they would combine the DVD flash chip with the onboard controller, or DSP, into one package. This package would also be write-protected, which would mean that it would not be possible to flash a custom firmware onto this drive. Also, Microsoft thought, one of the most popular DVD drives on the Xbox 360 Slim would be the Lite-On DG-16D4S. This drive would contain a MediaTek SoC which combined the flash and DSP chip into one package. The flash chip was pre-installed and its mode set to read-only so it couldn't easily be flashed, and for good measure the MediaTek chip would be encased in epoxy resin. Microsoft thought that this would be enough to stop the DVD hackers dead in their tracks, but they would soon find out the lengths taken to defeat its security.

The problem would be the underlying security of the Xbox 360 DVD drive: it means that it would always be fairly trivial to extract the DVD key no matter which drive. Certainly some may have been harder than others, but by 2012 there were sophisticated modding hardware tools sold by very popular modding manufacturers like Team Xecuter that could easily extract any 360 DVD drive key on the market, and when Microsoft would announce a new drive, the software would be updated and a hardware guide provided to walk through how to extract that key.

The DG-16D4S drive would present a new challenge. As mentioned, it's still very easy to extract the DVD key by using tools such as JungleFlasher. It's also fairly trivial to put the drive into vendor mode; this is the mode that's required to flash a DVD firmware. But remember, we can't flash a new custom firmware back onto the drive thanks to the write-protected flash that's embedded in the MediaTek chip. The SPI status register is always set to write-protected, and there would be no known method in software to open up the drive for flashing. And this is where the Kamikaze hack would come into play.

The term "kamikaze" in this instance is used for this method because it requires drilling a hole in the MediaTek chip precisely at the right location to disable the write-protection SPI status register and enable the flash for writing. Essentially you have one chance, and if you screw it up you've completely hosed your drive. And by drilling at the exact location with a little force, you can indeed unlock the drive. It's a proven method that's worked time and time again. But the question is, how was this method even discovered? In the early 2010s decapping of chips was becoming cheap and a very popular method to better understand the internals of a custom SoC, and looking closely at a decapped view of the MediaTek chip, it was quickly identified that these two lines would be the write-protection and ground line, and by gently drilling a hole at this point it would essentially knock out this line and allow for flashing. Note that although these pins are available externally on the die package, it's simply not possible to lift one of the pins itself, as the MediaTek chip is four layers, and Microsoft knew that this would constitute a possible weak point.

Even with all this information, the Kamikaze hack sounds risky. As mentioned, you have one shot, and if you mess it up you've quite possibly destroyed your drive. Many hardware modding resellers initially took advantage of people's fears and offered a complete drive board replacement, complete with the Kamikaze hack, usually for inflated prices. The main concern was where to drill and the size of drill bit that you needed. User guides were made to walk through this, but the element of risk would always be there. First versions of the hack would require you to strip away the epoxy resin and drill the hole based on the offset of pins both across and down. Later on you could buy a simple tool on Amazon or eBay that would show you exactly where to drill; this meant that most people with a steady hand could get the job done. It wouldn't be long before so-called Kamikaze kits appeared on eBay; this would simply be a set of tools that could be used to perform the hack yourself. There would also be hardware modding tools like the Maximus Lizard that would provide you an exact status report of when you needed to drill, when the write protection was disabled and when you needed to stop drilling. This was extremely useful, as it was not always obvious when you needed to stop; essentially the guide tells you to drill very slowly, then rinse and repeat. But unfortunately not everyone would know how to perform the hack. Here's one example that didn't work out so well. But the end result would be a successful drive unlock, and then you could flash commodore4eva's custom LiteTouch firmware and play burned DVDs on your Xbox 360.

The Kamikaze hack, while risky, was a surefire method to unlock the drive. The hack itself became so infamous that Microsoft's Tony Chen in 2019 would discuss it in some detail during his presentation "Guarding Against Physical Attacks: The Xbox One Story":

"...to draw, to figure out exactly where they need to drill the hole, and then you took this thing, this pin that was supplied, and you drill a hole at that exact position. Although I was supplying power to VCC, to this, and there's an LED light also, so you keep on drilling, drilling, drilling until the LED light lights up. That means you hit this write-enable pin on the flash chip. OK, after you hit it, then you just connect this entire side of the drive to your PC and you program; the write enable is now enabled, so you can write to this flash."

In the end, the Kamikaze hack showed the lengths that hackers would go to to defeat security: if there was a will, there would be a way. They knew that the flash would be obfuscated and write-protected, but with the right tools and a steady hand, even a brute-force approach could get the job done. So there you have it, that is the infamous Kamikaze hack from 2012 for the Xbox 360.

And I gotta say, there's been a lot of different archive material that I've used in this episode and a lot of different YouTube videos going back to 2012, and I'm going to leave links to everyone in the description below; everyone that's been in this video I've credited appropriately. But if there's any stories that you have to tell about your experience with a Kamikaze hack (I'm sure some of you folks out there have some stories to tell), let me know them in the comments below, because I definitely want to hear what you guys have to say about that. I've heard some people say that they could do them pretty much in their sleep, and I've heard some failure stories as well, some horror stories about things gone bad. So let me know your experiences in the comments below. But as always guys, we are going to leave it here for this episode. Thank you so much for watching; if you liked it don't forget to put a like on it, and I'll catch you guys in the next video. Bye for now.
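The protection the video describes, a flash part whose status register stays locked for as long as one physical write-protect line is held low, can be modelled in a few lines. The Python below is an added example; it is not code from the video, from MVG, or from any Xbox 360, Lite-On or MediaTek project. It follows the generic SRP/BP-bit and /WP-pin scheme found on common SPI NOR flash parts; that layout, the bit positions and the names `SpiNorFlash`, `software_flash_attempt` and `protection_holds` are assumptions, since the video does not give the register layout of the MediaTek package. It shows why a flashing tool working over the SPI command set alone gets nowhere while the /WP line reads low, and why the same command sequence succeeds once it no longer does.

```python
"""Toy model of SPI NOR flash status-register write protection.

Added example: not code from the video, from MVG, or from any Xbox 360 /
Lite-On / MediaTek project.  It follows the generic SRP / BP / /WP-pin scheme
used by common SPI NOR flash parts (assumption: the video gives no register
layout for the MediaTek package).  Bit positions below are illustrative.
"""
from dataclasses import dataclass, field

WEL = 0x02        # Write Enable Latch: set by WREN, cleared after any write-type command
BP_MASK = 0x1C    # Block Protect bits BP2..BP0: non-zero means the array is protected
SRP = 0x80        # Status Register Protect: with /WP low, the status register is locked


@dataclass
class SpiNorFlash:
    # /WP held low by a board trace.  This single boolean is the whole
    # "hardware" side of the protection; nothing else in the check involves
    # a key, a signature or the host.
    wp_pin_low: bool = True
    # Factory state: SRP=1 and every block protected.
    status: int = SRP | BP_MASK
    data: bytearray = field(default_factory=lambda: bytearray(b"\xff" * 16))
    log: list = field(default_factory=list)

    def write_enable(self) -> None:
        """WREN: arms the part for exactly one write-type command."""
        self.status |= WEL

    def write_status_register(self, new_status: int) -> bool:
        """WRSR: change BP/SRP bits.  Refused while SRP=1 and /WP is low."""
        if not self.status & WEL:
            self.log.append("WRSR ignored: WEL not set")
            return False
        if self.status & SRP and self.wp_pin_low:
            self.log.append("WRSR ignored: SRP=1 with /WP low (hardware-protected)")
            self.status &= ~WEL
            return False
        self.status = new_status & ~WEL
        self.log.append(f"WRSR ok: status=0x{self.status:02x}")
        return True

    def page_program(self, offset: int, payload: bytes) -> bool:
        """PP: write bytes into the array.  Refused while any BP bit is set
        (toy simplification: any non-zero BP value protects the whole array)."""
        if not self.status & WEL:
            self.log.append("PP ignored: WEL not set")
            return False
        self.status &= ~WEL
        if self.status & BP_MASK:
            self.log.append("PP ignored: block protected")
            return False
        self.data[offset:offset + len(payload)] = payload
        self.log.append(f"PP ok: {len(payload)} bytes at 0x{offset:x}")
        return True


def software_flash_attempt(flash: SpiNorFlash, image: bytes) -> bool:
    """Everything a flashing tool can do over the SPI command set alone:
    try to clear the protection bits, then program.  True only if the image
    actually landed in the array."""
    flash.write_enable()
    if not flash.write_status_register(0x00):
        return False
    flash.write_enable()
    return flash.page_program(0, image)


def protection_holds(wp_pin_low: bool) -> bool:
    """Design check: is the array still unmodified after a software-only
    flash attempt, given the level seen on /WP?"""
    flash = SpiNorFlash(wp_pin_low=wp_pin_low)
    software_flash_attempt(flash, b"CFW!")          # constructed stand-in image
    return bytes(flash.data[:4]) == b"\xff\xff\xff\xff"


if __name__ == "__main__":
    for level in (True, False):
        print(f"/WP low={level}: protection holds = {protection_holds(level)}")
```

Run stand-alone it prints that the protection holds with /WP low and fails with /WP high. The point for a defender is visible in `protection_holds`: the only input that decides the outcome is the level of one pin, so the scheme is exactly as strong as the trace that holds that pin low, and no amount of per-console key material or encrypted firmware enters into the check.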
Info
Channel: Modern Vintage Gamer
Views: 448,309
Rating: 4.970376 out of 5
Keywords: xbox, xbox 360, microsoft, 360, x360, dvd drive, lite on, kamikaze hack, modding, mvg, modern vintage gamer, mistakes were made, drill, dremel, how security was defeated, drive hacks, xbox one, screw hack, team xecuter, commodore4eva, c4e
Id: RyW0lXnoFOA
Length: 10min 33sec (633 seconds)
Published: Mon Aug 09 2021