Full Version: Maybe M$ Will Be Fooled Into Parting With The Key?
Scenyx Entertainment Community > Xbox360 Forums > Xbox 360 Hacking Forums > Software Exploits Development / Research
KermitX
I'm enjoying reading the discussions on potential 360 hacks and haven't seen this possibility mentioned, but I'm ready and prepared to be shot down in flames by the first replier.

In short, I have 2 leading questions:

1) Do XBox Demo discs (from mags) need signing by M$ in order to run and if so does each new cover disc each month need (re)submitting to Redmond?

2) If #1 is true [but it doesn't necessarily need to be so], is there a possibility that someone in the software industry may well submit a game/demo to M$ for approval and signing that contains hidden trojan-type code in the .xbe (assuming M$ may slip up and miss this 'hidden code'), which during the signing phase may be able to somehow capture the private key, so that when the disc/code is returned signed by M$ to the developer, the "sneaky" developer who inserted the trojan would be able to find out the code?

It's a long shot that someone so trusted by a developer would do such a thing, but IF it COULD work in theory, it could well happen?
Monoxboogie
QUOTE(KermitX @ Dec 23 2005, 01:27 AM)

I'm enjoying reading the discussions on potential 360 hacks and haven't seen this possibility mentioned, but I'm ready and prepared to be shot down in flames by the first replier.

In short, I have 2 leading questions:

1) Do XBox Demo discs (from mags) need signing by M$ in order to run and if so does each new cover disc each month need (re)submitting to Redmond?

2) If #1 is true [but it doesn't necessarily need to be so], is there a possibility that someone in the software industry may well submit a game/demo to M$ for approval and signing that contains hidden trojan-type code in the .xbe (assuming M$ may slip up and miss this 'hidden code'), which during the signing phase may be able to somehow capture the private key, so that when the disc/code is returned signed by M$ to the developer, the "sneaky" developer who inserted the trojan would be able to find out the code?

It's a long shot that someone so trusted by a developer would do such a thing, but IF it COULD work in theory, it could well happen?


1. Yes.

2. No. Signing can be compared to compressing. You could download every virus/adware/worm you want, and compress it. By compressing these files, you'll get a smaller .zip (or .rar/tar/bz2/etc) file, without executing the downloaded files. Same thing with signing. It only modifies a portion of the file (the portion with the signature); it doesn't actually load and execute the file.

And if it were possible, a trusted developer *wouldn't* do it. They would lose their job, and taint their reputation. If the person could not be identified, it would be very possible to identify the game that had such an exploit in it, and the whole team could be fired, and have their name shat upon. I don't care how much of a competition people think is going on between Sony and MS, IF a developer for MS were to do such an act, and get fired, Sony would *not* hire that person; nobody would. They obviously would be unable to be trusted.
No_Name
1: NO

2: No way in hell. People in development like what they do for a living. Doing stuff like that leads to companies not existing anymore due to lawsuits and fines.
ssj4android
What makes you think demo disks don't need MS to sign them? Aren't there only a few people inside MS who have the private key? That key is needed in order for anything to run on the Xbox.
Monoxboogie
QUOTE(ssj4android @ Dec 23 2005, 02:18 AM)

What makes you think demo disks don't need MS to sign them? Aren't there only a few people inside MS who have the private key? That key is needed in order for anything to run on the Xbox.


It has been suggested, though it cannot be confirmed, that no single person has the private key.

More likely is that MS used a program to generate a random key, saved to a disk. The signing program sits on a computer not on any network, with layers of physical security. The disk containing the key sits across the facility, with different layers of physical security. It is likely that biometrics are part of this security, and that it requires more than a single person's biometric sig to get through. A series of checks is built in to make sure no one person gets hold of any single part of the signing secrets.
trey85stang
QUOTE(Monoxboogie @ Dec 23 2005, 02:37 AM)

It has been suggested, though it cannot be confirmed, that no single person has the private key.

More likely is that MS used a program to generate a random key, saved to a disk. The signing program sits on a computer not on any network, with layers of physical security. The disk containing the key sits across the facility, with different layers of physical security. It is likely that biometrics are part of this security, and that it requires more than a single person's biometric sig to get through. A series of checks is built in to make sure no one person gets hold of any single part of the signing secrets.



Someone has the key... To encrypt commercial products in the USA, the US government must hold a record of the keys used.
DkT Friendly
Wow, you guys make this look like a top secret military project.
MS wouldn't waste that much money by hiring two fat overpaid slobs to guard the key in a vault protected by infrared and guns all over and all kinds of security and biometric security measures.
I agree it is probably not plugged into a network... but I bet it is just in a cubicle labeled DEBUGGING or something to that effect.
shakaru
OK, for someone who deals with cryptography for a living, let me clue you all in on a few things.
The "key" you are all talking about is one very complex calculation of two prime numbers that sums out to 516 or so hexadecimal digits (A*B=C). You try to calculate this on your PC, or 1000 PCs, or 100000, you won't ever get the code.

Now, as to someone stealing, finding, or asking some exec for the key and hoping to get it. Well, you won't get it because no one in the world has it. Anywhere. At all. It is virtually made, virtually delivered, and never, EVER sees human eyes. Encryption is at a level of security that deals with everything from how your credit card transactions are made to how the launch order for ICBMs to be fired is given.


QUOTE
DkT Friendly Wrote:
Wow, you guys make this look like a top secret military project.
MS wouldn't waste that much money by hiring two fat overpaid slobs to guard the key in a vault protected by infrared and guns all over and all kinds of security and biometric security measures.
I agree it is probably not plugged into a network... but I bet it is just in a cubicle labeled DEBUGGING or something to that effect.


Actually, it is. RSA Security is one of the most secure corporations in the world. You try to waltz in there without being invited and persist, and two gentlemen with AR15s will greet you in seconds.

QUOTE
trey85stang Wrote:
Someone has the key... To encrypt commercial products in the USA, the US government must hold a record of the keys used.


Incorrect. No record has to be kept. But decryption can be ordered by a judge; unless it's a case of national security, though, it would have to make it to the Supreme Court after several appeals before it is given out. And even after all that, it would be under more guard than a 5-year-old's ass at Neverland Ranch (wait, that's not too convincing now that I think of it.)

Thank you.
Rustmonkey
Why would someone jeopardize their source of income just so a bunch of snot-nosed kids don't have to actually pay for the product they've sweated over during development?
LostIt
I don't own a 360 yet and I'm just guessing here but...

Doesn't each developer get a unique key to be used in signing? If any of those keys were leaked, or if any developer (or employee of one) were to insert some sneaky code to do ANYTHING aiding in circumventing the 360's security features, they could be sued for breach of contract, leaving that developer in Chapter 11 (if they're lucky!). You know M$ would find out anyway; it's not like they're not surfing the NET just like we are (and probably reading these forums as well.)

Like I said, I'm not up on the latest security of the 360 so this might not be relevant.
Arakon
the developers NEVER get the signature key. MS does all the signing themselves.
JebusOK
QUOTE(Arakon @ Dec 24 2005, 08:41 AM)

the developers NEVER get the signature key. MS does all the signing themselves.



True. The discs that game companies use are encrypted with the key from MS before they are delivered to the company to burn them.

As to 'breaking/cracking' the key, it's about impossible by today's standards, and if you did, you would have the government all over you for jeopardizing national security.
RustyBall
Oh the comedy....

I don't know about the 360 specifically, but I am sure they do it the same way, as this is the one thing that was never even close to being cracked. The Xbox games were signed using a private key system which was stored on a floppy disk. I bet the main disk is under some decently heavy physical security, and in order to sign games, you would only need to copy that disk. It only takes a couple of minutes to sign a game, so it is conceivable that OXM sends in their xbe each month. Most games go through a certification process that takes time, but since the OXM XBEs don't change much at all, there is no need to recertify the thing.
wolrahnaes
I think a lot of you have misconceptions about how the demo discs work....

The XBE / XEX doesn't have to change at all; it can load the data about the menu structure and what videos to play from a separate file that doesn't have to be signed. This means that the actual executable only has to be signed once, but they can change the layout on their own as much as they want.

Let me repeat this:

Only the main menu executable and the demo executables have to be signed. The disc itself does not have to be, so more likely than not OXM only has to deal with MS when they release a new version of their demo code, which is not very often. The game demos are delivered from the developer already signed, so they just need to be added to the disc image and sent off to pressing.

MS does not have to individually sign every month's disc.
lion2208
OK, let's say it's some kind of RSA signature/encryption.

M$ signs the files with their private key.

Somewhere on the Xbox the public key is stored, and with this public key the Xbox can check if the signature from M$ is OK.

Does someone have a clue where the public key is stored?

In theory, if you find out where the public key is stored, and there is a way to alter the public key on the Xbox 360, you could create your own keypair, sign your homebrew software with your own private key and store your public key on the Xbox.

But don't think M$ is as dumb as this and stores their key in an insecure writeable part of their Xbox.

But in theory this would be very nice.
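As an added illustration of the flow lion2208 describes (sign with the private key, verify with the public key stored on the console), here is toy RSA sign/verify code written for this page; it is not Microsoft's scheme, uses constructed, far-too-small primes and hashlib only, and also shows why a modified signed file fails the check and why the stored public key is the root of trust:

```python
import hashlib

# Constructed toy RSA parameters: small primes, nowhere near real key sizes.
# Real signing keys are thousands of bits; these only make the arithmetic visible.
P, Q, E = 999983, 1000003, 65537


def make_keypair(p=P, q=Q, e=E):
    """Return ((n, e), (n, d)): the public key and the private key."""
    n = p * q
    phi = (p - 1) * (q - 1)
    d = pow(e, -1, phi)  # private exponent: inverse of e modulo phi(n)
    return (n, e), (n, d)


def digest_int(data: bytes, n: int) -> int:
    """Hash the file and reduce the hash into the modulus (toy padding)."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(data: bytes, priv) -> int:
    """Signer side. Only a hash of the bytes is exponentiated: the file is
    never loaded or executed, which is the point of the 'zip' analogy above."""
    n, d = priv
    return pow(digest_int(data, n), d, n)


def verify(data: bytes, sig: int, pub) -> bool:
    """Console side. Needs only the public key; the private key never leaves the signer."""
    n, e = pub
    return pow(sig, e, n) == digest_int(data, n)


def demo():
    """Constructed scenario: a platform-owner key, an independent homebrew key,
    and one stand-in executable. Returns the outcome of each verification."""
    vendor_pub, vendor_priv = make_keypair()
    homebrew_pub, homebrew_priv = make_keypair(999979, 1000033)  # constructed primes
    exe = b"XEX: constructed stand-in for an executable image"
    vendor_sig = sign(exe, vendor_priv)
    homebrew_sig = sign(exe, homebrew_priv)
    return {
        # the genuine file with the vendor's signature passes
        "genuine": verify(exe, vendor_sig, vendor_pub),
        # a single changed byte after signing makes the hash differ, so it fails
        "modified_after_signing": verify(exe + b"!", vendor_sig, vendor_pub),
        # a file signed with any other private key fails against the console's key
        "homebrew_vs_vendor_key": verify(exe, homebrew_sig, vendor_pub),
        # ...but passes if the verifier's public key were swapped for the homebrew one,
        # which is why that public key must sit in storage the attacker cannot write
        "homebrew_vs_own_key": verify(exe, homebrew_sig, homebrew_pub),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {'accepted' if result else 'rejected'}")
```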
krayzie
QUOTE(lion2208 @ Dec 28 2005, 12:10 PM)

OK, let's say it's some kind of RSA signature/encryption.

M$ signs the files with their private key.

Somewhere on the Xbox the public key is stored, and with this public key the Xbox can check if the signature from M$ is OK.

Does someone have a clue where the public key is stored?

In theory, if you find out where the public key is stored, and there is a way to alter the public key on the Xbox 360, you could create your own keypair, sign your homebrew software with your own private key and store your public key on the Xbox.

But don't think M$ is as dumb as this and stores their key in an insecure writeable part of their Xbox.

But in theory this would be very nice.


Yes, this is how the Xbox 1 exploits were done. However, we cannot easily alter the public key in memory without some form of hack.

public key
mksoftware
QUOTE(lion2208 @ Dec 28 2005, 12:10 PM)

OK, let's say it's some kind of RSA signature/encryption.

M$ signs the files with their private key.

Somewhere on the Xbox the public key is stored, and with this public key the Xbox can check if the signature from M$ is OK.

Does someone have a clue where the public key is stored?

In theory, if you find out where the public key is stored, and there is a way to alter the public key on the Xbox 360, you could create your own keypair, sign your homebrew software with your own private key and store your public key on the Xbox.

But don't think M$ is as dumb as this and stores their key in an insecure writeable part of their Xbox.

But in theory this would be very nice.



No, there is code on the Xbox that recognizes the key, but this code isn't the signing key M$ uses. Think about it this way: 2 + 2 = 4. So 4 is a key M$ uses, and 2 + 2 is the way the Xbox calculates if it is all right to run code; however... this key is extremely encrypted. So the key of the Xbox isn't the signing key, and we will never know how M$ checks this. And maybe M$ uses multiple keys in every Xbox; it takes a million years to find the right combination because you don't know how they do it... creating it is easier than cracking it....
monkeychris
People should stop replying to these threads; use the search function.

I'm sure everything is repeated 30 times on x-s.

Let's keep threads like this out of the TECHNICAL sections please.
XBoxgeek
QUOTE(monkeychris @ Dec 28 2005, 10:10 PM)

People should stop replying to these threads; use the search function.

I'm sure everything is repeated 30 times on x-s.

Let's keep threads like this out of the TECHNICAL sections please.


As you are new here you may not know that the search function does not work on this site. Nevertheless, it does get old seeing the same questions over and over.

BTW, welcome.
krayzie
The Google search works fine, and it also does not hurt to look around on the Xbox 360 pages first, cuz lots of the questions are on the same page.
cobra2002
Seriously, do you think anyone in their right mind would share this key if they ever got hold of it (impossible)?

The release of the encryption key would lead to the demise of the 360; this key would allow anyone to make a backup or write their own software for the 360 that would then be able to run on any 360 in the world.

If this happened no one would buy a retail game for the 360 anymore, as they would be able to just download them, get 'em from a market, etc. The developers would then stop spending thousands making games for the console, because it would no longer be profitable.

MS would then be making no money from the developers, and so would be forced to stop the production of the console, which they currently sell at a loss.

So those of you who are holding out for this encryption key to be released, start hoping it never is.

Rick
monkeychris
QUOTE(XBoxgeek @ Dec 28 2005, 10:18 PM)

As you are new here you may not know that the search function does not work on this site. Nevertheless, it does get old seeing the same questions over and over.

BTW, welcome.


I'm not exactly new, just been away and can't recover my old account.

I guess it must have been in one of my 'away' periods that I missed the search going offline, but still, Google site: search?

Someone could just add a Google "search this site" bar to the page to save bandwidth.


Back to the topic---

Use a bit of the old common sense before posting stupid ideas in tech areas; save your rambling for IRC.
DracoYeager
QUOTE(cobra2002 @ Dec 28 2005, 11:32 PM)

MS would then be making no money from the developers, and so would be forced to stop the production of the console, which they currently sell at a loss.


No company has ever made a profit on the system; look at Neo-Geo... that's what happens when you try to get a profit on that stuff....

Now, back to the discussion: no, M$ would never ever be "fooled", unless bunny decides to crack this in 2 days, which he won't, because he's undoubtedly been "asked" (read: they said help us secure this new one or we will sue you for cracking the old one) and he's most probably signed a confidentiality gag order where Bill Gates himself will bust down bunny's door and cornhole him for 2 hours, and then pop a cap in his ass (no pun intended).
On3D33p
QUOTE(shakaru @ Dec 23 2005, 02:08 AM)

And even after all that, it would be under more guard than a 5-year-old's ass at Neverland Ranch (wait, that's not too convincing now that I think of it.)


ROFLMFAO
WildMonkeys
I think the public release of the key is all part of MS's plan... Once they break even and start making a profit / the price to manufacture the console goes way down and they can start making money off the console itself, then they'll want people to buy it - even if it's not used as they intended. Or they'll release an unlocked version (maybe more expensive, possibly revamped - big HDD, HD-DVD, PC functionality - as one version was supposed to be, etc.) that they'll sell for more (or at least so they make a profit) $$$....

Makes sense to me...
whosyodaddy1019
M$ will probably never make a profit off the hardware. Where they make their money on the 360 is from the licensing for the games.
jameswalter
QUOTE(whosyodaddy1019 @ Jan 13 2006, 05:57 PM)

M$ will probably never make a profit off the hardware. Where they make their money on the 360 is from the licensing for the games.


That's obvious. They did it with the Xbox, and now with the 360. Didn't really need to drag up a 2 week old thread to state this either.
modthebox.tk
QUOTE(KermitX @ Dec 23 2005, 02:27 AM)


2) If #1 is true [but it doesn't necessarily need to be so], is there a possibility that someone in the software industry may well submit a game/demo to M$ for approval and signing that contains hidden trojan-type code in the .xbe (assuming M$ may slip up and miss this 'hidden code'), which during the signing phase may be able to somehow capture the private key, so that when the disc/code is returned signed by M$ to the developer, the "sneaky" developer who inserted the trojan would be able to find out the code?

It's a long shot that someone so trusted by a developer would do such a thing, but IF it COULD work in theory, it could well happen?



A friend suggested this already.

Here is the reason why not:

Vista, which is MS's most recent OS, has somewhere around a billion lines of code.

ALL of the lines of code have to be checked for errors, stability issues, etc.

Game code goes into the millions of lines of code.

ALL of the lines of code are reviewed before they are signed onto discs.

Hazard-tb3
OK, so what do you guys think?
M$ signs the DVDs used by developers?
M$ signs just the one xex, xbe, exe for the demos and new games?
You can make a copy of the signed file, right?
But the last update stopped letting us edit the kiosk disc, right? So that would mean for the demo makers too, right?
Wouldn't that be too much of a hassle for M$... to sign every month's demo plus every new game plus every update plus every DVD with a playable demo (if ever made... like the Robots DVD movie with a demo for Xbox)?

OK, well, I don't think it's in the DVDs.
Do you think they would give the sig to the devs?
Someone has to have access to the sig... millions of Xboxes and games rely on that... too risky to leave it in a computer or virtually somewhere... if it was lost there would be no way to make games... right?

Flame me if you wish, for I know nothing of encryption and such; thus these are just my thoughts and opinions.

I think the devs have the sig... didn't they have all the stuff for the Xbox? Or no?

Is there a one in a trill... gazillion chance that if you modify a signed xex, the sig it produced might be accepted by the 360?

Just some thoughts........
Xombe
Oh, this takes me back to the days when I lurked watching opjose, heinrich and other people who knew what the hell they were talking about mull over the same things with the first Xbox.

More findings, less speculation please.

http://forums.xbox-scene.com/index.php?showtopic=471320