OK, this is a theory I have been cooking up for the last couple of days.
DVD Key (this is more of a "how to get the DVD key from a drive whose DVD key you don't know")
Data coming out of the DVD drive is encrypted using the DVD key and then decrypted using the DVD key in the NAND.
OK sure, sounds good. Now let's say we have a drive that works, but we can't dump it, like the new LiteOn/Philips drives.
Since we know the data on the disc (we can explore the contents of any 360 disc with a Kreon drive), can't we sniff the SATA bus somehow?
If we can sniff the SATA bus we can intercept the data. We can only intercept it in its encrypted form, though. But we know what it is unencrypted, since we have access to the files on the disc with a Kreon drive.
So if we could find out what data is sent from the drive to the motherboard from point A to point B (maybe like, IDK, the first 5 seconds after inserting the game) in the unencrypted form, and we could capture the same data in the encrypted form, it would be a simple brute force attack. Just generate all of the possible DVD keys, decrypt the encrypted data with each key, and see which one gives the unencrypted data.
Capturing the encrypted data: how... um... I have NO clue. Probably some kind of SATA bus sniffer or something similar.
Capturing the unencrypted data: we can change the DVD key using the Infectus modchip and Linux and KK and blah blah, but it is possible. What if we change the DVD key to something like (these aren't the right length) 000000000000000000000 or 1111111111111111111111 or AAAAAAAAAAAAAAAAAAAAAAAAAA or something very plain, in the hope of not encrypting the data at all?
Can we delete the DVD key? Can we have the motherboard's DVD key just be blank? Same thing with the DVD drive? That way we could get the DVD drive to send unencrypted data across SATA....
So... in a couple of months (if this is possible and pursued) an attack to get a LiteOn drive's DVD key would be the following.
1. There would be a standard game (let's just use King Kong, what the hell) for which the first, let's say, 512kb of data read when launching the game is known, and we would know EXACTLY what it is unencrypted.
2. Hook up your LiteOn drive to a pass-through SATA cable or something and somehow be able to capture all data sent over the cable.
3. Launch King Kong and have some type of system, whether it be a modchip or a computer, capture the first 512kb of data (it is encrypted, remember) sent over the SATA cable.
3.5a Hopefully someone will have created a rainbow table of all possible DVD keys.
3.5b Hopefully we will have found out how the motherboard decrypts the encrypted data using the DVD key.
4. A brute force program will decrypt the encrypted 512kb of data with each and every DVD key until it finds a match, i.e. until it decrypts the data to an exact match of the unencrypted data that we hopefully captured a while ago when changing the NAND's DVD key to 00000000000 or w/e.
So I am pretty sure this could work if we could get these couple of things. The things below only need to be done once:
Be able to determine how the motherboard uses the DVD key to decrypt the data; without this we can't brute force decrypt X data.
When you launch a game the same exact X number of bits of information is passed through to the motherboard. Of course it is different on all systems because the differing DVD keys encrypt the data differently, but you understand what I am saying: the same exact X number of bits is read from the DVD by the laser in the same order each time the game boots. Therefore we know that when launching X game, X data is going to be encrypted and sent, and it is always going to be X data every time on every console. Maybe different bits of data are sent over on each boot of the system; that would present a problem.
Capturing the X data I talked about above. We need to know exactly what this X data is.
So there can be one game out there, maybe King Kong since a lot of people might have it for the KK exploit (it would have to be an original game), for which someone would have to find out that X data will be sent at X time and that X data (unencrypted) is "A1 03 F3 D7" (or w/e).
Everyone wanting to get the DVD key would have to do this:
Find some way to sniff the data coming out of your DVD drive.
Sniff the data when launching the X game for which we know what X data is.
So we can sniff X data and we know that we have exactly X data, but it is encrypted.
Get a brute forcing program to decrypt X data with every single DVD key possibility until we decrypt X (encrypted) data to X (decrypted, known, public) data.
I am sure that this attack is possible assuming we can do all of those things, but can we brute force the DVD key within a week or some other feasible amount of time?
CPU Keys
Should be a lot easier, and if we can get the CPU key of a system, we can dump the KV and get the DVD key.
OK, this is how it goes.
I don't have an Infectus modchip, so I have never been able to use that little piece of software that decrypts the NAND, but I know that you need the 1BL key (which is the same for all consoles) and the CPU key to decrypt the NAND dump and then extract the KV and other things.
But it seems like you should be able to do this:
Dump the NAND on a system that you don't know the CPU key to.
Dump the NAND on a system that you DO know the CPU key to.
Now, this hinges on all NANDs being kind of the same, which I don't know whether they are. Like, for instance, at sector X there is data X unencrypted. Or there is a file dashboard.xex of filesize X somewhere in the NAND. The details can be worked out later, but there has to be something that is the same for every unencrypted NAND out there (file locations or sizes or w/e).
So, someone makes up a gigantic rainbow table of all of the possible CPU keys, and we brute force decrypt the NAND dump you get off of the system until you get a decrypted NAND that complies with the ruleset (the ruleset being the name I am giving to the similarities I talked about earlier). So decrypt with a different CPU key until you get X data at X point or w/e.
Seems decently straightforward, except I would like to be able to recover the CPU key before the Xbox 720 comes out, and I am wondering whether that is possible.
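Both searches described above (decrypt the captured block until it matches the known disc data; decrypt the NAND dump until it passes the "ruleset") are the same exhaustive key search with a different match test, and the question of feasibility is purely the size of the keyspace. The Python below is an added example, not code from this post; it assumes a stand-in keyed cipher (the real drive and NAND ciphers are not described here), runs the search on a constructed 16-bit toy key so it finishes instantly, and then estimates the cost of the same loop for a 128-bit key (the key length assumed here, since the post does not state one).

```python
import hashlib
from typing import Callable, Optional

# Stand-in keyed stream cipher (an assumption for the demo: the post does not describe the
# real cipher, and the search only needs *some* deterministic cipher to decrypt with).
# XOR against a SHA-256 keystream is symmetric, so one function encrypts and decrypts.
def toy_cipher(key: bytes, data: bytes) -> bytes:
    stream = hashlib.sha256(key).digest()
    return bytes(b ^ stream[i % len(stream)] for i, b in enumerate(data))

def exhaustive_search(key_bits: int, is_correct: Callable[[bytes], bool]) -> Optional[bytes]:
    """Try every key of key_bits bits, lowest first, until is_correct(key) reports a hit."""
    key_len = (key_bits + 7) // 8
    for n in range(1 << key_bits):
        key = n.to_bytes(key_len, "big")
        if is_correct(key):
            return key
    return None

def dvd_key_test(captured: bytes, known_plain: bytes) -> Callable[[bytes], bool]:
    """DVD-key style test: the candidate is right when the sniffed block decrypts to the known disc data."""
    return lambda key: toy_cipher(key, captured) == known_plain

def nand_ruleset_test(dump: bytes, offset: int, expected: bytes) -> Callable[[bytes], bool]:
    """CPU-key style test: the candidate is right when the decrypted dump has the expected bytes at a known offset."""
    return lambda key: toy_cipher(key, dump)[offset:offset + len(expected)] == expected

def expected_years(key_bits: int, keys_per_second: float) -> float:
    """Average cost of exhaustive search: half the keyspace, in years at the given rate."""
    return (2 ** (key_bits - 1)) / keys_per_second / (365.25 * 24 * 3600)

if __name__ == "__main__":
    TOY_BITS = 16
    secret = (0xBEEF).to_bytes(2, "big")                  # constructed secret key
    known_plain = b"constructed known disc data block"     # stands in for the known disc bytes
    captured = toy_cipher(secret, known_plain)             # stands in for the sniffed SATA data
    hit = exhaustive_search(TOY_BITS, dvd_key_test(captured, known_plain))
    print("recovered toy DVD key:", hit.hex())             # beef
    # Same loop with the "ruleset" test: a constructed marker at a known offset of the dump.
    dump = toy_cipher(secret, b"junk....MARKER..more constructed nand bytes")
    hit2 = exhaustive_search(TOY_BITS, nand_ruleset_test(dump, 8, b"MARKER"))
    print("recovered toy CPU key:", hit2.hex())            # beef
    # The cost that decides the "within a week?" question: it scales as 2^(bits-1).
    print(f"16-bit key at 1e6 keys/s:    {expected_years(16, 1e6) * 365.25 * 86400:.3f} s")
    print(f"128-bit key at 1e12 keys/s: {expected_years(128, 1e12):.2e} years")
```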
My closing statements
So has my 30 minutes of typing been in vain? Will both of these take longer than my life to brute force, or are they just plain impossible? (I think the DVD one is not quite possible but might take less time brute forcing than the CPU key.)
Or am I a genius who has possibly opened up the opportunity of buying those 5 dollar sets of 2 motherboards off of eBay and making them play games one day? (No lie, there is a set of 2 motherboards on eBay for like 5 bucks and like 15 some shipping right now.) And I am leaning towards I am not a genius, but you never know; my IQ is 136, so maybe I just thought of something no one else has ever thought of....
I don't know, and God bless you if you have read this whole ..