Hacking DVD Drive Vulnerability

Andrei1744

Member
OP
Newcomer
Joined
Sep 17, 2021
Messages
14
Trophies
0
Age
34
XP
123
Country
Romania
Hi everyone. I think that everyone knows how people used to play pirated games on the Xbox 360: they would simply modify the DVD drive's firmware to boot backup DVDs. What's stopping us from doing the same for the Xbox One? Can someone explain this to me?
 

BigOnYa

Has A Very Big
Member
Joined
Jan 11, 2021
Messages
3,207
Trophies
1
Age
50
XP
7,577
Country
United States
I would also like to know more info about this or any potential exploits for the Xbox One, if anyone knows. I'm now mostly curious because MS has stopped making them, and I have an original One collecting dust now since getting a Series X.
 

Andrei1744
BigOnYa said:
> I would also like to know more info about this or any potential exploits for the Xbox One, if anyone knows. I'm now mostly curious because MS has stopped making them, and I have an original One collecting dust now since getting a Series X.
Exactly! I have an original XB1 too. I heard that the Xbox 360 also had a supervisor, but it didn't interfere with the custom DVD drive firmware loading backup DVDs. I think that there might be a way to pull this off. And with access to dev mode, couldn't we extract the DVD drive keys to overwrite its firmware?
 

lisreal2401

Well-Known Member
Member
Joined
Jun 4, 2013
Messages
855
Trophies
1
Age
27
XP
2,924
Country
United States
It's not an Xbox - Xbox 360 deal where the security hardly changed. For reference, the final Xbox 360 DVD drives are not even hackable unless you get the key with an RGH, and this is just assuming they'd use the same security methods.
 

Donnie-Burger

Well-Known Member
Member
Joined
Oct 27, 2021
Messages
927
Trophies
0
Website
www.youtube.com
XP
1,799
Country
United States
lisreal2401 said:
> It's not an Xbox - Xbox 360 deal where the security hardly changed. For reference, the final Xbox 360 DVD drives are not even hackable unless you get the key with an RGH, and this is just assuming they'd use the same security methods.
The final models' Winchester boards were never possible.
 

Andrei1744
Thanks for explaining it to me, everyone. If Microsoft didn't add the bounty feature, we would surely have a hacked Xbox One. I think that most of the hackers report the vulnerability to Microsoft because they offer a huge amount of money. Could we make something like that? A site where people put bounties. Everyone could add some money to the bounty, and if someone makes the vulnerability work, they would get all the stashed money. I would probably add $250 to get it started.
 

MrQQ

Well-Known Member
Newcomer
Joined
Feb 3, 2022
Messages
78
Trophies
0
Age
36
Location
Scotland
XP
427
Country
United Kingdom
The problem, based on my own research, is we have no way of working out the deviation angles on the disc geometry. The ARM CPU on the DVD drive can be accessed, I have found, via SPI and a Bus Pirate, but I cannot interact with the chip at all. It's still progress I have slowly been making. If anyone has the time, I'd love someone to collaborate on this, as I have way more research and progress that I am unwilling to share here for obvious reasons :)
 

Andrei1744
MrQQ said:
> The problem, based on my own research, is we have no way of working out the deviation angles on the disc geometry. The ARM CPU on the DVD drive can be accessed, I have found, via SPI and a Bus Pirate, but I cannot interact with the chip at all. It's still progress I have slowly been making. If anyone has the time, I'd love someone to collaborate on this, as I have way more research and progress that I am unwilling to share here for obvious reasons :)
May I collaborate with you? Not here of course. And I am very interested in the progress that you've made.
 

TomChaai

Active Member
Newcomer
Joined
Oct 17, 2022
Messages
31
Trophies
0
Age
32
XP
397
Country
China
The challenge/response sequence hasn't changed drastically; the Xbox still makes the characteristic seeking sounds when authenticating a disc.
The problem is the drive controller. MS used to not care about it and the drive vendors just used generic chips; then the 360 drive got hacked real bad and MS realized any generic ASICs won't work. They teamed up with MTK to custom design the drive controller chip.
It's still mostly based on existing MTK drive controllers, but now it properly encrypts its firmware and controls flash access/booting securely. Reverse engineering the chip becomes much harder compared to when the 360 drives were originally being reverse engineered. Those Samsung drives are almost wide open.
 

MrQQ
It actually has, based on my own research. AP 3.0 is mentioned in the code dumps I have, and XGD4 has a wildly different geometry on the disc despite it being Blu-ray. I have spent a year poring over this. Yes, they did use custom MTK chips, but I have managed to interact with one via an SPI Bus Pirate. It's all work in progress, but trust me when I say the disc challenges/responses are very complex now.

The 360 DVD drive was hacked mostly down to failures on the classic model. Sure, they tried to improve with LiteOns etc. The Xbox One uses secure firmware CRC checking on boot. Slims also did this; phats didn't. The firmware is also checked on boot to see if it is stock, which slims also did.

The decryption of the tool for the MTK chipset should be straightforward, as I already have the maketools that were part of the Xbox One leak and have figured out how to use firmcrypt for those, and it's all good, but understanding the new PSN layer and disc AP 3.0 structure will take time. Finding a Blu-ray drive with an analogue controller so we can dump every bit with security sectors is what I have been doing. Tmbinc did this back in the day; it's actually how we understood how the 360 disc structure worked and allowed us to make 360 backup creator etc.

As I say, this is all work in progress, but I have been researching this hard for the past year. Of course the video you posted is designed to make people like myself and others feel deterred... I won't be :) but you did reference some interesting stuff there that I have been looking into.
 
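The boot-time firmware checks MrQQ mentions (a CRC check, plus a check that the image is stock) are worth seeing side by side, because a bare CRC is an integrity hint, not a security control, while a check keyed on a secret the attacker cannot read is. The following is an added example and not code from any drive, from MTK or from anyone in this thread: the firmware image, the patch and the "controller key" are all constructed here. `crc32_fixup` shows that after modifying the image you can append four bytes that restore the stock CRC32, whereas a MAC keyed on a secret held inside the controller does not survive the same patch.

```python
"""Toy comparison of a plain CRC32 firmware check and a keyed MAC check.

Constructed example: the firmware bytes, the patch and CONTROLLER_KEY are
invented for illustration and have nothing to do with real drive firmware.
"""
import hashlib
import hmac
import zlib

# Reflected CRC-32 table, same polynomial zlib.crc32 uses.
_POLY = 0xEDB88320
_TABLE = []
for _i in range(256):
    _c = _i
    for _ in range(8):
        _c = (_c >> 1) ^ _POLY if _c & 1 else _c >> 1
    _TABLE.append(_c)
# The top byte of each table entry is unique per index; that is what lets us
# run the CRC backwards and pick the four bytes that steer it to a target.
_INV_TOP = {t >> 24: i for i, t in enumerate(_TABLE)}


def crc32_fixup(data: bytes, target_crc: int) -> bytes:
    """Return 4 bytes that, appended to `data`, make zlib.crc32() equal target_crc."""
    reg = zlib.crc32(data) ^ 0xFFFFFFFF   # CRC register state after `data`
    want = target_crc ^ 0xFFFFFFFF        # register state we must end on
    # Backwards pass: the final state is T[i3] ^ T[i2]>>8 ^ T[i1]>>16 ^ T[i0]>>24,
    # so each index is fixed by one byte of the (shifted) target.
    idx = [0] * 4
    r = want
    for i in (3, 2, 1, 0):
        idx[i] = _INV_TOP[r >> 24]
        r = ((r ^ _TABLE[idx[i]]) << 8) & 0xFFFFFFFF
    # Forwards pass: choose each byte so the table index used matches idx[i].
    tail = bytearray()
    for i in range(4):
        tail.append((reg & 0xFF) ^ idx[i])
        reg = _TABLE[idx[i]] ^ (reg >> 8)
    return bytes(tail)


def crc_check_passes(image: bytes, expected_crc: int) -> bool:
    """What a CRC-only boot check does: compare a checksum anyone can recompute."""
    return zlib.crc32(image) == expected_crc


def mac_check_passes(image: bytes, key: bytes, expected_mac: bytes) -> bool:
    """A keyed check: the key never leaves the controller, so a patcher cannot re-tag."""
    tag = hmac.new(key, image, hashlib.sha256).digest()
    return hmac.compare_digest(tag, expected_mac)


# Constructed "stock" firmware image and a constructed key (assumptions).
STOCK_IMAGE = b"DRIVE-FW v1.0 check_disc_geometry=ON  " + bytes(range(64))
CONTROLLER_KEY = b"key-fused-into-controller-not-readable"
STOCK_CRC = zlib.crc32(STOCK_IMAGE)
STOCK_MAC = hmac.new(CONTROLLER_KEY, STOCK_IMAGE, hashlib.sha256).digest()


def patched_image() -> bytes:
    """A 'custom firmware': turn the geometry check off, then repair the CRC."""
    body = STOCK_IMAGE.replace(b"check_disc_geometry=ON ", b"check_disc_geometry=OFF")
    return body + crc32_fixup(body, STOCK_CRC)


def demo() -> dict:
    """Run both checks against the patched image."""
    cfw = patched_image()
    return {
        "crc_accepts_cfw": crc_check_passes(cfw, STOCK_CRC),
        "mac_accepts_cfw": mac_check_passes(cfw, CONTROLLER_KEY, STOCK_MAC),
    }


if __name__ == "__main__":
    print(demo())
```

The CRC fix-up works because CRC32 is linear and has no secret; the only question is whether the image format has four spare bytes somewhere (padding, an unused field) to absorb the patch. Whether a given drive's "stock" check is a CRC, a hash, or a keyed or signed check is exactly what determines whether firmware patching is feasible without the controller's key, which is why the key extraction question keeps coming up in this thread.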

TomChaai
I actually found a patent MS submitted. It involves burning two overlapping data tracks on the security region of the disc during glass mastering; the mechanical imperfections guarantee truly random results that couldn't be replicated reliably twice, even in the mastering factory.
The overlapping tracks create intermittently unreadable regions that the patent states are measured for AP checks.
The patent number is EP 3 201 922 B1 if you are interested.
 
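To make the idea in the patent post concrete, here is an added illustration that is not Microsoft's scheme and not code from anyone in this thread. It models the security region as a set of sectors, mastering as a random process that leaves some of them unreadable, and the AP check as a fuzzy comparison of a fresh read against the pattern recorded for the genuine disc. Every number in it (256 sectors, a 15% unreadable rate, 6 tolerated mismatches, 2 sectors of read jitter) is an assumption chosen for the toy, and the function names are invented.

```python
"""Toy model of a disc fingerprint made from unreadable sectors.

Constructed example: sizes, rates and thresholds are assumptions, and the
random process stands in for the physical imperfections the patent relies on.
"""
import random

SECTORS = 256           # modelled size of the security region (assumption)
UNREADABLE_RATE = 0.15  # fraction of sectors the track overlap spoils (assumption)
MAX_MISMATCH = 6        # tolerated reference-vs-read differences (assumption)
READ_JITTER = 2         # marginal sectors that read differently each time (assumption)


def master_disc(seed: int) -> frozenset:
    """One mastering run: the set of sector numbers that came out unreadable.

    Each run gets its own seed because the physical process is not repeatable,
    even at the same plant, which is the property the protection depends on.
    """
    rng = random.Random(seed)
    return frozenset(s for s in range(SECTORS) if rng.random() < UNREADABLE_RATE)


def read_security_region(disc: frozenset, jitter_seed: int) -> frozenset:
    """The drive reading the region: the true pattern plus a little jitter."""
    rng = random.Random(jitter_seed)
    observed = set(disc)
    for s in rng.sample(range(SECTORS), READ_JITTER):
        observed ^= {s}  # a marginal sector flips between readable and not
    return frozenset(observed)


def ap_check(reference: frozenset, observed: frozenset) -> bool:
    """Accept only if the observed pattern is close to the recorded reference."""
    return len(reference ^ observed) <= MAX_MISMATCH


# The genuine pressing, and the pattern recorded for it when it was mastered.
GENUINE = master_disc(seed=1)
REFERENCE = read_security_region(GENUINE, jitter_seed=100)


def genuine_disc_passes() -> bool:
    """Same physical disc, a different read: small jitter, inside the threshold."""
    return ap_check(REFERENCE, read_security_region(GENUINE, jitter_seed=7))


def remastered_copy_passes() -> bool:
    """A second mastering of the same data: a fresh random pattern, rejected."""
    return ap_check(REFERENCE, read_security_region(master_disc(seed=2), jitter_seed=7))


def burned_copy_passes() -> bool:
    """A burned copy carries the data but none of the unreadable regions: rejected."""
    return ap_check(REFERENCE, read_security_region(frozenset(), jitter_seed=7))


if __name__ == "__main__":
    print("genuine:", genuine_disc_passes())
    print("remastered:", remastered_copy_passes())
    print("burned:", burned_copy_passes())
```

The point the toy makes is the one the thread keeps circling: with this kind of check, a byte-exact dump of the disc is not enough, because what is being authenticated is a physical defect pattern rather than data, and a burner produces a disc with no such pattern at all. How the real drive measures the regions, how the reference is stored and bound to the disc, and what the threshold is are not stated on this page and are not modelled here.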

MrQQ
TomChaai said:
> I actually found a patent MS submitted. It involves burning two overlapping data tracks on the security region of the disc during glass mastering; the mechanical imperfections guarantee truly random results that couldn't be replicated reliably twice, even in the mastering factory.
> The overlapping tracks create intermittently unreadable regions that the patent states are measured for AP checks.
> The patent number is EP 3 201 922 B1 if you are interested.
You are absolutely correct; they earned well from XGD3 protection.
 
