Commodore4eva Explains Stealth Media

Bradl3y
Aug 15 2006, 01:21 PM
X-S Enthusiast
Group: Members
Posts: 18
Joined: 7-January 05
Member No.: 185275

QUOTE(Textbook @ Aug 15 2006, 07:55 AM)  I'd like to know the answer as well. Everybody has been wary of flashing their drive because "it's just stealth backups, not stealth firmware." Well, does this prove that incorrect? Is this why MS hasn't been able to block the firmware hacks? Maybe we've had stealth firmware all along and nobody realized it? That's what I interpreted, or was I wrong?
If you read his posting, you would see that your interpretation is wrong. Why skim, and then ask if your interpretation of the bits and pieces is correct? It says plain and clear that the firmware itself cannot stop the firmware from being read (if it can be read it can be detected); however, the simple call that just asks the firmware for a checksum is circumvented. The only way for true stealth would be an on-the-fly middleman type chip that would return the expected responses for what the firmware is incapable of returning, such as requests to read the firmware.

Textbook
Aug 15 2006, 02:15 PM
X-S Hacker
Group: Last Chance
Posts: 2552
Joined: 30-August 04
From: Near Flint, Michigan
Member No.: 142871
Xbox Version: v1.0
360 version: v1 (xenon)

QUOTE(Bradl3y @ Aug 15 2006, 08:28 AM)  If you read his posting, you would see that your interpretation is wrong. Why skim, and then ask if your interpretation of the bits and pieces is correct? It says plain and clear that the firmware itself cannot stop the firmware from being read (if it can be read it can be detected); however, the simple call that just asks the firmware for a checksum is circumvented.
The only way for true stealth would be an on-the-fly middleman type chip that would return the expected responses for what the firmware is incapable of returning, such as requests to read the firmware.
FYI, I didn't skim, I read the entire article. What you said I already knew. I guess my question is more along the lines of can MS dump the firmware and read it?

stbennet
Aug 15 2006, 03:27 PM
X-S Young Member
Group: Members
Posts: 35
Joined: 26-June 05
Member No.: 229982

The "don't go online" strategy is fine for those who want to sacrifice Xbox Live, but in all likelihood, when M$ implements whatever method they're going to go with to stop the modification, they would coordinate a required dash upgrade for the newer games. So, there's merit in the previous line of questioning, is all I'm saying. The "who cares" attitude is a little short-sighted.
EDIT: Yeah, exactly, see above post.
This post has been edited by stbennet: Aug 15 2006, 03:30 PM

Textbook
Aug 15 2006, 05:28 PM
X-S Hacker
Group: Last Chance
Posts: 2552
Joined: 30-August 04
From: Near Flint, Michigan
Member No.: 142871
Xbox Version: v1.0
360 version: v1 (xenon)

Meeks and I were discussing this in #fw yesterday. Like C4E said, the firmware is edited, there's no getting around that. So if MS decides to do a full dump/read of the firmware, they'll be able to see the hacked firmware no questions asked. That's IF they can dump the firmware, but that's another story so let's just assume that they can.
Meek's idea (apart from some other hardware mod) was to only load the hacked firmware when the disc is first inserted, then after a certain timeout period, revert back to original firmware. I'm guessing this would require hardware, as I don't think it would be possible with code alone. We already know that once the DVD drive reads the signature, it's all good and it plays the media without checking for signatures again. This was proven early on when somebody (and later Geuex) used the "hotswap" method. Basically, you use an original disc, let the Xbox 360 read the signature and it begins playing. Return to the Xbox 360 Dashboard and swap the disc with an identical backup without ejecting the drive tray. Launch the game from the dashboard and it plays fine, no problems. The signature was checked from the original disc and the Xbox 360 doesn't look for it again. Could we not do something similar with the firmware hacks? Why can't we load hacked firmware, load backup (sig read to memory), boot back to dash, load original drive firmware, and play?
If the current patchmods can "patch on the fly" why wouldn't they also be able to "unpatch on the fly"?
I think it's a good idea, but of course it all depends on WHEN the 360 would dump the firmware. We would need to time it right so that we could have the original firmware loaded when the 360 dumps it.

_8ight
Aug 15 2006, 05:57 PM
X-S Enthusiast
Group: Members
Posts: 19
Joined: 6-January 04
Member No.: 89341

it's obvious this isn't some random yahoo with some programming knowledge that stumbled upon this. this cat knows his shit. kudos to you c4e! impressive.

infamous_Q
Aug 15 2006, 06:20 PM
X-S Senior Member
Group: Members
Posts: 237
Joined: 29-December 05
Member No.: 265796
Xbox Version: unk
360 version: v1 (xenon)

and that's where these ideas could come in:
on-the-fly mods- if someone could find a way to add the media stealth implementation into a chip like this, i don't think detection would be a problem. it starts on the fly right, when it detects a backup. thus no matter when they check (unless they find a way to trick the mods, in which case you could just make them upgradeable/programmable) it will always be the retail firmware. PLUS then media checks couldn't be made because they appear exactly the same as retail. the big question then is: is it even possible to do this from an external on-the-fly chip? not to mention that people would have to re-rip their games (due to the fact that media stealth is fairly recent), but if you want to stay on live then that shouldn't be a biggy.
extra firmware chip- we know how it's possible to set up multiple firmwares on the board, but can we switch firmwares while the xbox is on? meaning...if you had 1 chip with the retail firmware, and 1 with the hacked firmware, would it be possible to hook up an extra chip that tried to check for the signals that request a firmware dump (kinda would work like an on-the-fly chip except it's looking for something different), and then when it gets it, switches the hacked fw chip off, the original fw chip on (switch one power source off, and the other on), sends it the message to dump the fw, which sends the original fw back to the xbox as requested, and then switches back to the hacked fw to play the game. make sense? it's not like they'd constantly be checking the fw...from what i know it could be in a few places: connecting to live, switching profiles (just to get tricky), at boot, and at game boot.
provided one of these works, we're pretty well set.
This post has been edited by infamous_Q: Aug 15 2006, 06:22 PM

shizzyraw585
Aug 15 2006, 07:38 PM
X-S Enthusiast
Group: Members
Posts: 21
Joined: 12-February 06
Member No.: 272168
Xbox Version: unk
360 version: unknown

Ok,
I understand that the reading of the firmware is a low level hardware function that can't be controlled by the firmware.
But, then he goes on to say that the firmware check routine has been modified to always return the correct value of the unmodified firmware. To me, this sounds like MS added an easy to work around security measure at the last minute (probably when the specialist hacked the Xbox1 firmware) that commodore4eva hacked back in V1. This, combined with stealth backups should make it damn near impossible for the big M to find us. Unless they do something drastic like rewrite and update the kernel on us. But, that's just the way I read it.
That clicking noise was the CAT 5 getting plugged back in
Shizz
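A small Python illustration, added here and not taken from any of the posters or from Commodore4eva's release, of the distinction Bradl3y and shizzyraw585 both describe: a checksum that the firmware reports about itself is only as trustworthy as the firmware, while an image read out by a low-level path the firmware does not control can be hashed independently. Everything in it is constructed: the "firmware" images are short byte strings, the drive is a toy class, and the two request types are plain method calls rather than any real drive command.

```python
"""
Toy model of two integrity checks on a device's firmware image.
Constructed for illustration; no real Xbox 360 drive protocol is used.
"""
import hashlib
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample images. GENUINE_FIRMWARE stands for what the vendor shipped;
# MODIFIED_FIRMWARE is the same image with one patched 4-byte region.
GENUINE_FIRMWARE = b"\x7fFW-v1.0" + bytes(range(64))
_patched = bytearray(GENUINE_FIRMWARE)
_patched[16:20] = b"PTCH"
MODIFIED_FIRMWARE = bytes(_patched)

# The verifier's reference value, computed once from the known-good image.
KNOWN_GOOD_DIGEST = hashlib.sha256(GENUINE_FIRMWARE).hexdigest()


@dataclass
class ToyDrive:
    """Hypothetical device holding a firmware image and answering two requests."""
    image: bytes
    # If set, the firmware's own check routine answers with this canned digest
    # instead of hashing what is actually in flash (the "always returns the
    # correct value" behaviour the thread discusses). None means it is honest.
    canned_digest: Optional[str] = None

    def report_checksum(self) -> str:
        """Request 1: ask the firmware for its own checksum. Runs inside the firmware."""
        if self.canned_digest is not None:
            return self.canned_digest
        return hashlib.sha256(self.image).hexdigest()

    def dump_image(self) -> bytes:
        """Request 2: low-level read of flash contents; the firmware has no say."""
        return self.image


def check_by_self_report(drive: ToyDrive) -> bool:
    """Weak check: trusts whatever digest the device reports about itself."""
    return drive.report_checksum() == KNOWN_GOOD_DIGEST


def check_by_dump(drive: ToyDrive) -> bool:
    """Strong check: read the image out and hash it on the verifier's side."""
    return hashlib.sha256(drive.dump_image()).hexdigest() == KNOWN_GOOD_DIGEST


def changed_regions(dump: bytes, reference: bytes) -> List[Tuple[int, int]]:
    """Return [start, end) byte ranges where a dumped image differs from the reference.

    Useful after a failed dump check to see *where* an image was altered.
    Images are assumed to be the same length, as they are here.
    """
    regions: List[Tuple[int, int]] = []
    start: Optional[int] = None
    for i, (a, b) in enumerate(zip(dump, reference)):
        if a != b and start is None:
            start = i
        elif a == b and start is not None:
            regions.append((start, i))
            start = None
    if start is not None:
        regions.append((start, len(dump)))
    return regions


def evaluate(drive: ToyDrive) -> Tuple[bool, bool]:
    """Run both checks and return (self_report_passed, dump_passed)."""
    return check_by_self_report(drive), check_by_dump(drive)


if __name__ == "__main__":
    for label, drive in [
        ("genuine", ToyDrive(GENUINE_FIRMWARE)),
        ("modified, honest routine", ToyDrive(MODIFIED_FIRMWARE)),
        ("modified, canned digest", ToyDrive(MODIFIED_FIRMWARE, KNOWN_GOOD_DIGEST)),
    ]:
        print(label, evaluate(drive))
    print("patched bytes at", changed_regions(MODIFIED_FIRMWARE, GENUINE_FIRMWARE))
```

The case to look at is the third one: the drive that answers with a canned digest passes the self-report check and fails the dump check, and changed_regions() points at exactly the four bytes that were altered. For anyone designing such a check, the lesson is that it is only as strong as the part of it that runs outside the thing being checked.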