The Hacker Behind "Hacking the XBox"
by Howard Wen, 09/11/2003
Most authors can blame an editor's questionable taste for rejecting their books, but Andrew Huang has the dreaded DMCA (Digital Millennium Copyright Act) to explain why his book got turned down. Hacking the Xbox, as the title of Huang's tome sums up, details how-tos for modifying your Xbox, and provides various insights into the security and other inner-working code of Microsoft's game console. John Wiley & Sons was originally set to publish the book, but the company became concerned over the legality of hacking and reverse engineering—practices that have since been muddled by the DMCA—and dropped it.
Huang (who goes by the hacker moniker "Bunnie") decided to publish the book himself in limited quantities and sell it online for the time being, until another publisher steps forward. The 28-year-old studied at MIT, focusing mostly on computer architecture when he wasn't poking around with his Xbox. His hobbies include embedded systems and computer security issues, both relevant to his formal studies. He resides in San Diego, California, and describes himself as "gainfully unemployed".
The past couple of months saw Huang focusing mostly on shipping books. "Normally I do a lot of technology development and consulting, primarily in the areas of embedded/portable systems, hardware, security, reverse engineering, and computer architecture," says Huang. "I am finally getting a chance to focus once again on technical work, thankfully."
He took some time in his present busy state ("I got inundated with the whole book shipping/ordering thing") for this interview in which he discussed the DMCA's effect on his book and his impressions of the Xbox hacking scene.
O'Reilly Network: What specific reasons did the publisher give you for deciding to not publish your book? They really felt that the DMCA could be effectively used by Microsoft against its publication?
Bunnie Huang: Wiley was not very specific, even after I had asked for specifics. Generally, they felt that the risk of a lawsuit—and the legal fees and court time associated with it—was not worth the benefit of publishing my book. While they were originally on board with the book when they first approached me, turnover in their legal department caused them to change their minds.
ORN: Did you try to get another publisher to take on the book, perhaps O'Reilly Books? If so, what was the response?
BH: Yes. In fact, O'Reilly has approached me about carrying the book. They are currently doing a thorough legal review of the book, and I am awaiting their feedback. Another publisher, No Starch Press, also approached me and has been extraordinarily supportive and helpful. NSP would probably take the book without any questions today, I think. I am planning on turning the book over to one of the two publishers reasonably soon. There are also print-on-demand type of places that I am considering.
I'm just waiting for someone to scan the book in and put the book on the Net in free electronic form. The book is Creative Commons Licensed, so you're free to do that. I'm not releasing the book on my own in an electronic format, at least for now, because I get better legal protections shipping real paper books than selling electronic books.
Update: Since the interview, No Starch Press has agreed to publish the book. NSP gave the book a face-lift and made typographical corrections; now the book is available in bookstores everywhere. The book is catalogued under the ISBN number 1593270291. I am very pleased to be working with NSP; they have been supportive, friendly, and helpful.
ORN: Why did you ultimately decide to take the risk in publishing the book yourself?
BH: I felt that if I did not publish the book myself, then it was quite possible that nobody would publish the book. It would be a waste of months of my effort, plus my right to free speech would be silently impeded, which really bothered me. If my books were going to be censored on account of the DMCA, I was not going to go along with it silently.
Another reason why I decided to risk publishing myself is that the time required for any legal review process, which any large corporation would require before taking on a book like mine, would be on the order of months. Months is something that I don't have for a book on hacking the Xbox; in a few months time, the Xbox might be off the market, at least in its current incarnation.
ORN: Was there any specific material that you elected against putting in the book, over legal or similar reasons?
BH: Yes. There's quite a large body of interesting material that would be helpful as an educational case study, but could be construed as fairly intrusive upon Microsoft's intellectual property under conventional copyright laws, as well as the DMCA.
For example, I think it'd be great to talk about the specifics of the XBE file format or the "jam table" opcodes or how early ROM images were encrypted using Microsoft's secret boot key. But these are all fuzzy areas. I was very selective about choosing salient, relevant examples from the Xbox that carried the least amount of risk of contributing to copyright control circumvention.
My concerns about free speech censorship were particularly acute, because I had already gone through a sort of self-selection process on the material. I felt the book is quite reasonable in terms of its content. So why would anyone be afraid to publish it?
ORN: So, tell us, what does your book offer in terms of "hacking" the Xbox? I mean, just install a mod chip and that's it, right? What more is there?
BH: As the saying goes: "Given a fish, eat for a day; learn to fish, eat for a lifetime." Using a mod chip is like being given a fish. There is little art or challenge in installing a mod chip. Of course mod chips are expressly designed to be easy to install; that's why they are popular. This book offers the reader a deeper look into how to think about hacking, how to approach the problem. It discusses techniques and methodology, alongside examples and simple projects. Hopefully, a reader of this book will have gained some insight, or at least some courage, to go and start playing with hardware.
Incidentally, I feel that one of the biggest roadblocks people have toward hardware hacking is a fear of hardware. Courage to hack, and potentially break what you're working on, is important. It is like riding a bike or like skydiving: looks scary at first, but once you get going, it is a lot of fun and fairly intuitive.
ORN: Like the Dreamcast before it, the Xbox has become the game console to hack and mod. What do you think is its appeal to the mod community? You think it has anything to do with the fact that it's a Microsoft product (the Dreamcast itself booted off a version of Windows CE, for example)?
BH: The Dreamcast was popular to hack and mod probably because it was so modifiable. It had a very nicely laid out interior, and eventually a significant security hole was found that allowed games burned onto conventional CD-Rs to be playable.
The Xbox is the box to hack and mod because it is so familiar. It's a PC; hackers understand PCs; they can realize its potential quite quickly through well-understood and popular tools. The GameCube, on the other hand, is a bit more of a quagmire to understand. It uses the less popular PowerPC architecture, and even then, a slightly modified PowerPC core. The memory architecture is also novel and, incidentally, quite commendable as well. The GameCube will probably get a few extra months with the "no-mod" status, because so many hackers were drawn to the Xbox instead of the GameCube.
ORN: Of all the Xbox hacks out there, which one do you think is the most significant or, perhaps, the most "damaging" to Microsoft's control over the console?
BH: The "007 Agent Under Fire savegame" hack is the most significant. It is the first non-mod chip, non warranty-voiding hack. Currently, it is used only by the Xbox-Linux community, but I think it is only a matter of time before people figure out how to upload whole system RAM snapshots into memory through the exploit and boot copied Xbox games.
The 007 hack is technically significant because it shows that, despite Microsoft's attention to hardware security mechanisms, the whole thing can still fall apart due to third-party software bugs. It gives some indication of how hard it is to make a truly secured system, using purely cryptographic techniques.
ORN: How secure would you say the Xbox is? Does this system have a particular Achilles' heel?
BH: The Xbox is not secure. It's better than a Windows PC, but that's like saying you've got more security than a pair of toy handcuffs. The Xbox's Achilles heel is that it comes from the PC lineage. The PC was evolved over the decades as an open, non-secured architecture. All software on the PC was evolved in a similar manner. Retrofitting the PC with a few crypto secure mechanisms is kind of like trying to turn an old college campus into Fort Knox. Colleges are designed to be open, accessible, and have plenty of back doors and steam tunnels that have been forgotten or overlooked by the administrators.
ORN: What about Xbox Live and the console's networking capability? Anything specific about these two things that would be of special interest to a hacker?
BH: The fact that the console comes out of the box with 100 Base-T [Ethernet] makes it quite useful as a Linux machine or as a Web server in a pinch.
Xbox Live is not interesting to me as a hacker because it's Microsoft's own service. It is their prerogative to make money through that service and to set the rules of the service. If you don't like it, don't use it. If you have a better idea, make your own service. There's no rule that says you couldn't develop your own version of Xbox Live and distribute free games that run on mod'ed Xboxes and then make money by offering an Xbox Live alternative. It's a free market; and, in fact, anyone who takes up that business model would probably end up making more money than Microsoft does because you'll lose less money giving a game away for free than you would selling an Xbox at the sub-$200 price point.
ORN: So what do you think about the Xbox's overall design? Its strengths? Its flaws?
BH: The overall design is pretty uninteresting. It's just a PC. Compared to other PCs, it is not very good. The integration level is pretty low. The first-generation box had some pretty ugly warts—i.e. the USB daughtercard—and, overall, the design has been fairly flaky. There have been overheating issues with the Xbox design. The second-generation Xbox does not have a GPU heat sink fan. Instead, they used a stamped aluminum bulge to try and shape the airflow over the heat sink. It works okay, but people have been frustrated by crashes and freezes. It's clearly the work of a company that does not know hardware, but is dying to pour a billion dollars into a hole to try and get into that market.
On the other hand, the Xbox does have a fairly powerful graphics chip. I've always liked the nVidia chips, and the chipset they use is pretty respectable. Too bad you can buy a graphics accelerator card for your PC today for less than the cost of an Xbox that totally beats the pants off of the chipset used in the Xbox.
Probably the biggest strength of the Xbox is that it's an easy porting target for PC-based games. The same reason hackers love the Xbox is the same reason developers would like the Xbox: it's familiar, and there are a lot of good tools that are compatible with the architecture.
ORN: What's the most surprising thing about the Xbox which the hacker community discovered?
BH: I think in general the most surprising thing was the extent and depth of the software security deployed in the Xbox. Microsoft tried very hard to seal off all of the common software security holes. It is unusual for a video game console to be so locked down, but the necessity for it is pretty clear if you consider Microsoft's business model. The irony is that despite their best efforts, there are still holes.
ORN: What's your personal favorite Xbox hack?
BH: I like the jam table hack. It's a combination of four separate subtle bugs, none of which are really security flaws, but when chained together create a hole that you could drive a truck through. Really clever stuff.
ORN: What kind of hacks for the Xbox do you see on the horizon? To put it another way, what are some of the "wish list" hacks that the Xbox mod community hopes to achieve in the near future?
BH: The biggest wish is to be able to run software on an unmod'ed Xbox using just a standard CD-R or DVD-RW image. There are other wishes of the community as well, but this is probably the "holy grail".
ORN: How about homebrew games booting on an Xbox that doesn't have a mod chip? For example, you put a Linux game on DVD+R, then insert the disc into the Xbox, which boots up Linux on it and runs the game. Not possible at all?
BH: It's definitely possible. Likely? I think maybe not. The most likely attack right now on the Xbox of this form would be on the CD/DVD-ROM file system itself, something that could trigger a buffer overrun error, or the like, based on a malformed record on the DVD-ROM. I don't know how much people have looked into this.
Another likely attack would be through the network port on the Xbox, but in general, the security scheme observed on the network port indicates that MS was fairly hermetic about its network security policies. The general cryptographic approach—creating hash collisions or factoring the public key used to sign games—is unlikely, but I would not say impossible.
ORN: Honestly, what kind of effect do you think an increasing interest in hacking and modifying the Xbox would have on its standing in the game console market? To Microsoft's financial bottom line? Do you see any negative possibilities?
BH: I think that the increased interest in hacking the Xbox console has probably been nothing but positive for Microsoft's bottom line. The Xbox gets a ton of publicity off of people hacking it. The hacker association with the Xbox gives it a bit of a 1337 appeal, which also lines up well with their target market of males aged 16-to-24.
The only really negative thing that could happen to Microsoft from all this hacker activity is if someone found a way to copy games using a common CD-R or DVD-R burner, without need for a mod. The current schemes—even the savegame-based attack from 007 Agent Under Fire—are probably too complex to be considered a true piracy threat for the Xbox. For a hack to be really detrimental to Xbox sales, it would have to be very easy to execute and use only hardware found in common PCs, such as network cables and CD-Rs.
I might add to the above comment that the pirate community would probably not put a lot of effort into developing such an easy and cheap hack. A cheap and easy hack would put modchip vendors and pirates out of business (as well as the Xbox, eventually); hence there is very little financial incentive for commercial piracy groups to develop and refine totally free and easy piracy-enabling hacks.
ORN: So what have you been playing lately on your Xbox?
BH: Linux. I don't use my Xbox to play games.
I used to own a copy of Dead or Alive 3, but I gave that to a friend after I got bored of it. I also tried Halo once and bored of it pretty quickly. I tend to play the Nintendo GameCube the most; its games are the most fun. I am still working on beating the new Zelda.
ORN: Maybe somebody will develop a GameCube emulator for the Xbox.
BH: Writing a GameCube emulator could be challenging, but I wouldn't discount the possibility. I'm always surprised by the creativity and talent of hackers around the world.
Howard Wen is a freelance writer who has contributed frequently to O'Reilly Network and written for Salon.com, Playboy.com, and Wired, among others.
Showing messages 1 through 11 of 11.
-
parts
2005-06-21 12:19:12 locked
Hey Bunny, look, I think you're right, hacking makes things better, but when I try to get parts to put in my Xbox I never can get or find any. If you can, can you please help me out? If so, thanks. My e-mail is countrycase813@aol.com. If you can contact me it would be very helpful. Thanks.
-
Hacking, Hackers, and personal rights.....
2004-12-04 15:21:35 The_Wiz
Well, IMO there are "Good" Hackers and "Bad" Hackers. "Good" Hackers are people with great technical talent that can either modify, create, or in some other way change something (be it a piece of hardware - computer, car, etc. - or software, which could be the software that runs a PC, game console, or even your car) that may improve its performance, usability, or aesthetics (looks), and is not meant to be malicious or detrimental. A "Bad" Hacker is the same technically talented individual, with the exception of the intentions of their modification or creation - it is meant to be malicious, harmful, or detrimental in some way.
Modding the XBox is not really about making it the most technologically advanced thing in the world - it's partly about adding new features and capabilities to something that you use and enjoy, and maybe to satisfy a desire to "tinker", or learn/understand, or even "create".
It would be like adding a Holley 650 to your 1969 Camaro, and then adding dual exhaust, custom paint, custom wheels, a new stereo system, and rear disc brakes. Each of these modifications adds to the car in some way - either adding power, looks, or usability. Is that wrong or against the law? No. Neither is hacking an XBox, computer, or alarm clock.
I will tell you what SHOULD be against the law - MS not letting you use XBL if you have a paid subscription just because you have a modded XBox. I notice that they have added it into the TOS for XBL (the unmodded XBox requirement).
How does it hurt MS?
-
Bunnie's interview.
2004-10-16 05:01:46 _SRM_Kite
Hi, I must admit when I thought of Hacking I confused it with trying to wreck things, steal info or such.
I do not think changing the config of your puter/game box as trying to do the crimes above. How many people have a car? And how many removed the ORIGINAL and replaced it with a different one? OMG, you hacker. So, you had the Install Shop put it in for you. You changed something in your car that came with it. How about seat covers, or floor mats? Any little or big change to your car, house, yard, clothes, skateboard... Anything at all that you change from the ORIGINAL version as you bought can also be considered hacked. Some people call this Remodelling, Upgrading, customizing, Pimping My Ride, Tricking, or any other name.
How is doing that any different than pimping my XBOX or puter config to work the way I want it to? Oh, wait, MStupid OWNS it. That is the same as saying FORD owns your Truck, or Dodge owns your Viper, or such. You can not alter a thing. Yeah, right, like this will work.
So, whoever thinks people need an OS shoved places not for that. Shove your painted walls, your pimped ride, your Thrashed Skateboard and enjoy. You Hacker, you.
I find it funny how people can say that customizing your XBOX is wrong, yet they have a third party Stereo, CD/DVD player installed in the car they own.
I find that MS and this Forced crap that locks you out of your PUTER, not MS's puter, is BS. I mean, what would people think if after changing the windows of a house, or the radio of a car, the thing locked them out? The only fix buying a new set of keys for $10 less than a new house or car would cost. You find it OK if this happens on the PC, why not the car or house? You soon see that this level of invasion locks you out of so much more, and invades so much more than you ever imagined.
I know cars, lawns compared to the PC or XBOX. Well, the use of software EULAs and car ownership should stop as well then. And Pimping my XBOX is not a crime. Nor is PIMPING MY OS, or PC.
-
Hacking as seen by the average user
2003-09-16 05:38:56 anonymous2
For a start may I congratulate your efforts in maintaining an atmosphere of legitimate inquisitiveness for getting down to the very bits of the hardware.
This is often lacking with IT staff. It is best learned as a youngster while playing.
Hacking the X-Box is legitimate, because it has been bought and is yours - you can wear it as a hat, as another commenter put it - and nobody can stop you.
I strongly disagree with the other comment. Quote (partial):
Bunny, you sure like playing with fire,... Let the kids play their games, and you can take your Linux and shove it.
This comment really shows up the misunderstanding in a lot of people's minds about hacking and what it does. Unfortunately there are different kinds of hacking and they get mixed up:
1) Hacking hardware units like the X-Box. This is the area covered by Bunny's interview. It is localised to one individual system and is highly commendable if it allows the system to run as a cost effective (Linux) server - as an example.
2) Hacking Network software, allowing the distribution of unwanted and/or dangerous viruses on millions of computers in the internet. The man-hours lost are phenomenal and if there is damage to systems that cost is horrendous. Colleagues who indulge in this type of hacking are only to be despised.
3) Open source development is often confused with hacking in people's minds (see comment above). The benefits to the world of open software (particularly Linux) are breathtaking. In this context it should be noted that Linux is the system of choice for professional networking (Providers and Servers) because it is much more resistant to network hacking than Windows. Every flaw is openly reported and action is taken to block the flaw. There are literally thousands of testers who have access to code and who can (and do) suggest fixes, which are then carefully reviewed and integrated by the maintainers of an open source product. Microsoft misses out on this network of testers.
Please keep these types of hacking apart in your mind.
JW
-
troll
2003-09-12 23:42:52 anonymous2
The comment about Linux and shoving it reveals the poster as a troll. Typical of a low-esteem nobody with nothing better to do than clean toothbrushes and lint traps.
-
Bunny & the Phantom ?
2003-09-12 17:56:28 anonymous2
Bunny,
I am interested in your thoughts of the Phantom.
I understand you're on the advisory board? Can you explain your involvement in more detail?
Regards,
A.J.L
-
Bunny & the Phantom ?
2003-09-12 21:23:29 anonymous2
Bunny, you sure like playing with fire, or walking the fine line, or whatever you like to call it. Careful you don't get badly burnt. I think your book should not be published. Xbox is a console mostly used by young kids, or adults who never grow up. Encouraging hacking to such a young audience is in my opinion a crime that should be punished. Let the kids play their games, and you can take your Linux and shove it.
-
Bunny & the Phantom ?
2003-09-14 13:51:48 anonymous2
Quote:
Bunny, you sure like playing with fire, or walking the fine line, or whatever you like to call it. Careful you don't get badly burnt. I think your book should not be published. Xbox is a console mostly used by young kids, or adults who never grow up. Encouraging hacking to such a young audience is in my opinion a crime that should be punished. Let the kids play their games, and you can take your Linux and shove it.
-------------------------------------------------
AHHHAHAHAHAHAHAHHAHAHAHAHAH!!!
I'm not going to bother making fun of you or anything along those lines, but it's pretty clear you don't know what you're talking about.
The x-box has a target market of males aged 16-to-24. Without hacking there would never be any improvements; without understanding how something works you can't make it better. Without reverse engineering the US government wouldn't be able to take apart UFOs at Area 51 and make copies of them. As X-Box hacking has been mainly positive for Microsoft, allowing people to buy an x-box to use for a media center, capable of playing media formats (Divx, OGG, AVI) that DVD players can't even begin to compete with. Buying an x-box to be used as a low cost space saving server for a small business, and many many other applications. Hacking or Cracking is completely beneficial for people. Odds are someone who's taking the time to learn the inner workings of the xbox isn't interested in pirating games.
-
Bunny & the Phantom ?
2003-09-13 06:29:57 anonymous2
Now why would you consider hacking a crime?
I'm located within the USA. USA has 'fair use' laws. What these laws say is once you buy something it's yours. If I want to use my Xbox for a TV stand or a hat it's my right. If I want to hack it or break it it's my right. Microsoft, of course, doesn't have to honor the warranty or replace the Xbox if it's broken by wearing it as a hat. But, I can do it if I so choose.
Thus, hacking isn't illegal; it's akin to someone buying a car and installing a Supercharger OR Nitrous, or a tail fin. Simply put, you can do what you want with the stuff you purchase.
-
Bunny & the Phantom ?
2003-09-12 21:50:41 anonymous2
Now why would you consider hacking a crime? Hacking represents a field in computers and electronics in which only an elite few have the intelligence to belong. It is unfortunate that others may share your view of hacking in general.





