Do you know if the auth side was carried into deeper parts of the backend? So like, did the SG decorate incoming connections with the auth information as they made their way to the different services? There seemed to be more auth information than I expected in headers on some of those HTTP calls into services like matchmaking.
As for the SG, it primarily authenticated the Xbox machine account using Kerberos and then maintained a security association, accepted heartbeats, authenticated and decrypted incoming ESP-UDP packets into IP packets that it forwarded to the backend servers. Responses from the backend would be encrypted, authenticated, and encapsulated before sending back to the Xbox. I don't think the SG had any knowledge of higher level connections running through it, such as TCP or HTTP, so it would not have manipulated HTTP headers as they passed through.
Does XSP stand for anything?
Great RE work!
Disclaimer: I created a proof of concept implementation of the Xbox Live server infrastructure here: https://github.com/xombieonline/xombie
Ah, cool, there has been some similar work done before! Is there any documented resources or write-ups of the Xbox Live protocol somewhere?
> Great RE work!
Thanks!
> Disclaimer: I created a proof of concept implementation of the Xbox Live server infrastructure here: https://github.com/xombieonline
That is a really cool project! How does one make sure the console connects to the server instead of the (now shutdown) Xbox Live servers? Does it e.g. have a hardcoded domain so one can simply add a DNS entry?
I talked at defcon a bit last year. https://www.youtube.com/watch?v=HLyZfZMu-5E Otherwise I've been a "source is documentation" kind of guy so far. Could definitely use a high level walkthrough as good as you've done here; I should probably get on that.
> That is a really cool project! How does one make sure the console connects to the server instead of the (now shutdown) Xbox Live servers? Does it e.g. have a hardcoded domain so one can simply add a DNS entry?
Yeah, they bootstrap off of a set of hardcoded domains. The config screens on the boxes let you specify a DNS server, so the project runs its own DNS server that's basically when Obi-Wan says "of course I know him, he's me". Then the relative lack of any public/private crypto lets us take over as long as we know the preshared key in the individual Xbox's EEPROM.
The PRNG exponentiation scheme is essentially Diffie-Hellman.
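To make the comparison concrete, here is a worked Diffie-Hellman exchange. This is an added illustration, not code from the post or from the Xombie project, and the prime, generator and private exponents are textbook toy values (assumed for readability, not the game's actual parameters). Each side publishes g^x mod p in the clear and then raises the peer's value to its own exponent; both arrive at the same secret, which is then hashed into a symmetric key with a constructed KDF.

```python
import hashlib
import secrets


def dh_public(p: int, g: int, private: int) -> int:
    """Public value g^private mod p; this is what goes over the wire in the clear."""
    return pow(g, private, p)


def dh_shared(p: int, peer_public: int, private: int) -> int:
    """Shared secret peer_public^private mod p.

    Values 0, 1 and p-1 are rejected: they force the secret into a tiny set
    regardless of the private exponent, so a peer sending them is malformed.
    """
    if not 1 < peer_public < p - 1:
        raise ValueError("peer public value out of range")
    return pow(peer_public, private, p)


def derive_key(shared: int, nbytes: int = 16) -> bytes:
    """Constructed KDF (not the game's): hash the integer secret into a key."""
    length = max(1, (shared.bit_length() + 7) // 8)
    return hashlib.sha256(shared.to_bytes(length, "big")).digest()[:nbytes]


def exchange(p: int, g: int, a_priv: int, b_priv: int):
    """Run both sides of the exchange and return the values each party ends up with."""
    a_pub = dh_public(p, g, a_priv)
    b_pub = dh_public(p, g, b_priv)
    a_shared = dh_shared(p, b_pub, a_priv)  # A only ever sees b_pub
    b_shared = dh_shared(p, a_pub, b_priv)  # B only ever sees a_pub
    return a_pub, b_pub, a_shared, b_shared


def random_private(p: int) -> int:
    """Draw a private exponent in [2, p-2] from the OS CSPRNG."""
    return 2 + secrets.randbelow(p - 3)


if __name__ == "__main__":
    # Toy parameters (p=23, g=5) so the arithmetic can be checked by hand.
    a_pub, b_pub, a_shared, b_shared = exchange(23, 5, 6, 15)
    print(f"A sends {a_pub}, B sends {b_pub}, both derive {a_shared}")
    print("key:", derive_key(a_shared).hex())
```

Note that the exchange only authenticates nothing: it guarantees that two parties who talked to each other share a secret, not who those parties are. Without a signature, certificate or pre-shared key binding the public values to an identity, an active party on the path can complete a separate exchange with each side, which is why real deployments pair DH with some form of authentication.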
> Modifying the fire duration does not seem to have any effect
Including, e.g., plasma pistol?
Very cool investigation and writeup.
https://github.com/XombieOnline/xombie/blob/7a1ef08045271437...
Yeah, that makes sense, it is a very odd sentence otherwise. Truncating on "bot" might be a play on words for game AI/NPC.
> The PRNG exponentiation scheme is essentially Diffie-Hellman.
Ah, of course, yes, I was thinking it reminded me of public-key cryptography.
> Including, e.g., plasma pistol?
Yeah, it seems so, that was the first weapon I was thinking it to be used for. I tried e.g. setting the duration to zero and charging the plasma pistol. It still shoots like normal and does not seem to affect visual effects, audio or damage for either host or guest. It is still possible that it is used for something else that I have not noticed. Modifying the host's fire duration does not cause a desync so it might not affect the game state.
> Very cool investigation and writeup.
Thanks!
I wonder if you could dig into the game code and see where the string is coming from.
https://github.com/CYRiXplaysHalo/XboxHaloGameLogger/blob/ma...
This is officially my favorite thread on HN, ever. Just waiting for rothgar to show up, sorry @rothgar, I should've hit you up for some Halo while I was in Seattle (and the k8s space).
- The Xbox was designed to be able to play online via Xbox Live (e.g. with Halo 2 that came out later in 2004), and they might have simply reused the network stack for System Link over LAN. I looked a little bit at Halo 2 system link, it uses the same system calls from the kernel but the protocol seems to be more complicated (e.g. the IV is never sent in plaintext, the two consoles derive it somehow). I haven't looked at Xbox Live, but Halo 2 could potentially use the same for System Link and Xbox Live.
- The Xbox also really tried to lock down its security in order to prevent game piracy and homebrew games. This might have been another attempt to reduce the attack surface.
- They also might have just wanted to keep their game protocols secret for trade secrets or simply avoiding scrutiny. In this case, we were able to create a kind of cheat, which they might have also wanted to avoid. Even though it is rarely an issue at LAN parties, it might have simply looked bad for the brand.
> For example, would it not be cool if there was a game with a stack buffer overflow bug that allowed us to run arbitrary code remotely? That could potentially enable us to softmod an Xbox over the network, without the need of any special hardware.
I wonder if it is enough for XLink to simply send the packets through a networked tunnel or if it actually needs to modify the packet payload somehow. The consoles might be able to handle everything as long as they are able to communicate with each other?
The same advantage existed on LAN, with competitive tournaments set up to trade host advantage for team color advantage. The last in-person CE LAN I attended, we were playing on modded Xboxes with a patched version of the game that allowed a third box as a neutral host, and added an on-screen timer. Happy to expand on the details if anyone is interested.
So many hours of my life spent playing that game. Even recently I re-discovered an old Halo (x)ISO I mastered in high school containing a multitude of map packs that the community had made for it (NMP, NMPv2, CXE, +??). I even hacked them to change their internal map IDs to prevent cache conflicts when switching packs. My friend dug it out of his collection, copied the ISO and I fired it up in XEMU. Wild to see some of those maps, that some random people made with hacked together tools, and wild to read this now, and the comment from /u/dinartem. Even wilder that it's playable and emulatable now. Especially given the way MCC massacred Halo 1 with the horrendous Halo 1 PC port back to Xbox, and then later to PC again.
I'm horrified to see someone comment that multiplayer almost didn't launch with Halo 1. My life would be so unimaginably different.
So many memories, this comment doesn't mean much, but what a thing to see on HN.
lol, I'm almost tempted to drop my XBConnect Forum name here. I remember when I thought Todd was an absolute god among humans. Oh man, thank you HN for the dose of nostalgia. If anyone remembers a huge block-letter forum signature that was briefly animated ;). The era of sprawling PHP file upload sites. Wow. The internet before it became truly cursed.
edit: shout out if anyone knows what I mean by "clear walls". Oh man, what a world.
editN: oh wow, "cross over cables" is a phrase I haven't thought of in a long time.
editLast: there was a glitch that was supposedly reproducible that caused a tertiary console's player to override the inputs of another console player. Afaik it was never widely discussed, despite repeated claims that it was reproducible on demand. If anyone has any details, you'd make this a truly magical thread for me. <3.
MCC launched in a terrible state, but it's had a crazy amount of deep improvements over the years and I think all of the big known issues of the original Halo PC port have been addressed since a few years ago.
I mean hell, when they first launched MCC, fall damage jumping off the base in BG was wrong. You can feel the effect of the Gearbox port to this day. I mean, did they even fix the pistol spread issue? Not that that would be important or anything.
You're speaking my language friend, and honestly half of this reads like I could have written it myself. I was obsessed with video games and knew I wanted to be a programmer before CE, but H1 on XBC, combined with LANs in high school and thousands of hours of split screen in college truly laid the passion for "how does all this work" and my current career.
I don't play CE as much, my doubles partner and I still hop on MCC every few months for a little nostalgia hit, but we're admittedly not the types that felt that Halo completely died after CE (although nothing ever felt as good after), so these days we generally play BTB Reach/H3, or 4s or Squad Battle on Infinite.
You just put the absolute biggest grin on my face. HN was all worth it, somehow. And wow, am I not surprised to hear Squad Battle is your favorite. Somehow I'm sure we've played some games over the years.
I want to ask about one thing I could not understand completely on the final section: If there was a client that sent arbitrary values for selected weapon, forward, left, etc.; would the host count them as valid? (I understood this is essentially what the MITM allowed to do)
Also, a little feedback, my immersion broke when the video did not show Howard and Ghost anymore. Something like Howard1 and Ghost1 would've helped understand a little bit more.
Glad to hear! I was hoping to make the whole process easy to follow without any large skips or prior knowledge. It is more or less my process but with a lot of dead ends removed.
> I want to ask about one thing I could not understand completely on the final section: If there was a client that sent arbitrary values for selected weapon, forward, left, etc; would the host count them as valid? (I understood this is essentially what the MITM allowed to do)
Yes, it appears so. The host seems to accept more or less arbitrary values (at least for forward, left, actions) and also just re-broadcasts them to everyone. The guest client then also ignores what it sent and just uses what it receives from the host. This allows us to modify the inputs/speed of any guest client players without desyncing the clients.
> Also, a little feedback, my immersion broke when the video did not show Howard and Ghost anymore. Something like Howard1 and Ghost1 would've helped understand a little bit more.
Good idea, I could have made it clearer which perspective the video was taken from (the guest client). Might be able to re-record or simply mention it in the text.
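The reply above describes the risky pattern: the host takes guest input fields (forward, left, selected weapon, actions) at face value and re-broadcasts them as authoritative, and guests then adopt whatever the host sends. The example below is an added illustration of the defensive counterpart, host-side validation before re-broadcast, and is not code from the post or the game. The field layout, value ranges and action bits are constructed assumptions (normalized stick axes in [-1, 1], a weapon index into the player's inventory, a small action bitmask); the real packet format is not reproduced here. Out-of-range values are clamped to safe defaults and every deviation is recorded so a host can log or act on repeated anomalies.

```python
from __future__ import annotations

import math
from dataclasses import dataclass

# Constructed action bitmask: bit 0 jump, 1 fire, 2 melee, 3 reload (assumed).
KNOWN_ACTION_BITS = 0b1111


@dataclass(frozen=True)
class PlayerInput:
    forward: float        # assumed normalized axis in [-1.0, 1.0]
    left: float           # assumed normalized axis in [-1.0, 1.0]
    selected_weapon: int  # assumed index into the player's inventory
    actions: int          # assumed bitmask, only KNOWN_ACTION_BITS are valid


def _clamp_axis(value: float) -> float:
    """NaN/inf become neutral (0.0); anything else is clamped to [-1, 1]."""
    if not math.isfinite(value):
        return 0.0
    return max(-1.0, min(1.0, value))


def sanitize_input(raw: PlayerInput, inventory_size: int) -> tuple[PlayerInput, list[str]]:
    """Return a safe copy of the input plus a list of anomalies found in it."""
    anomalies: list[str] = []

    for name, value in (("forward", raw.forward), ("left", raw.left)):
        if not math.isfinite(value) or abs(value) > 1.0:
            anomalies.append(f"{name} out of range: {value!r}")

    weapon = raw.selected_weapon
    if not 0 <= weapon < inventory_size:
        anomalies.append(f"selected_weapon {weapon} not in inventory of size {inventory_size}")
        weapon = 0  # fall back to the first slot rather than trusting the index

    actions = raw.actions & KNOWN_ACTION_BITS
    if actions != raw.actions:
        anomalies.append(f"unknown action bits set: {raw.actions:#x}")

    clean = PlayerInput(_clamp_axis(raw.forward), _clamp_axis(raw.left), weapon, actions)
    return clean, anomalies


def host_tick(incoming: dict[int, PlayerInput],
              inventory_sizes: dict[int, int]) -> tuple[dict[int, PlayerInput], list[str]]:
    """Validate every guest's input for one tick, then build the authoritative broadcast.

    Only the sanitized inputs are re-broadcast, so a guest cannot push values
    outside the game's expected ranges into the other clients' simulations.
    """
    broadcast: dict[int, PlayerInput] = {}
    log: list[str] = []
    for player, raw in incoming.items():
        clean, anomalies = sanitize_input(raw, inventory_sizes[player])
        broadcast[player] = clean
        log.extend(f"player {player}: {a}" for a in anomalies)
    return broadcast, log


if __name__ == "__main__":
    # Constructed sample tick: player 1 is well-formed, player 2 is not.
    tick = {
        1: PlayerInput(0.5, -0.25, 1, 0b0011),
        2: PlayerInput(5.0, float("nan"), 7, 0b1111_0001),
    }
    out, events = host_tick(tick, {1: 2, 2: 2})
    for line in events:
        print("anomaly:", line)
    print("broadcast:", out)
```

Clamping rather than dropping keeps the tick flowing for every client, while the anomaly list gives the host something to count per player; a steady stream of flagged inputs from one peer is a far more useful signal than any single rejected packet.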