Games Consoles Security and Forensics Challenges

Social, Economic and Legal Topics:

5. Emerging Threats (e.g. social network security, embedded systems security, mobile security,
online banking security)

Ghadrdanizadi, Alireza
BSc 2nd Year Student- Computer Networks
University of East London, School of Computing, IT and Engineering

Prof. Hamid Jahankhani, Associate Dean of School

School of Computing, IT and Engineering
University of East London

Abstract: The new generation games consoles have proved that human imagination is unlimited.
Millions of kids, teenagers many adults are entertained by these advanced and amazing games.
Apart from providing fun to game lovers, these gadgets have also captured the interests of
hobbyists, hackers and crackers and cyber criminals. The high processing power and the ease of
modification have attracted such users in modifying these devices to do things that the
manufacturers never intended. Today Xbox, PlayStation, Wii game consoles and their successors
are the most powerful processing devices in a household. Among them Xbox and Xbox 360 have
been the mostly modified devices to date. These devices can be hardware and/or software modified
to run as personal computers, FTP servers, Web servers, etc. This has led to the rise of an alternate
storage device for people cybercriminals to hide their illicit data as suspicion rarely arises of data
storage on such devices. This research paper aims to discuss Xbox security and forensics
challenges.

1. Introduction
With the expansion of broadband internet technologies to rural areas, the world has shrunk and
become a global village. Information and Communication technologies (ICT) in the current world
have brought people far away in different continents. ICT has improved the quality of human life
significantly and it is evident in our day to day activities. But at the same time, the facilities
provided by the advancement of ICT are also considerably subject to misuse.
Today, the new generation game consoles have become the most powerful processing devices in
any home. Their high end processing power along with internet connectivity has made these
devices eye-catching to many cybercriminals. Such a community have explored the Xbox, its
successor Xbox 360, Nintendo Wii and Sony PlayStations in order to modify them to do things that
they were not intended to do [1]. They have modified such devices using Modchips and software
exploits to run as powerful computers by installing customized software and operating systems.
Among these devices which are mostly subject to modification are Xbox and Xbox 360. This is due
to their close resemblance to personal computers with a processor, hard drive, DVD drive, Ethernet
and USB (through a connector) and the most easiest to modify [1].

A modified XBOX has the potential to be used as a personal computer, file server, web server, etc
[2]. There are a wide range of Linux distributions that can be deployed on Xbox game consoles.
This has lead to the rise of an alternate storage device and an invisible computer (though a visible
game console) for people involved in illegal activities in order to use it for malicious purposes and
hide their illicit data.
Even though Microsoft has stopped the production of the original Xbox games consoles, the
cumulative sales of 24 million game units scattered all around the world [3] and the lack of
knowledge on Xbox forensics make this a serious issue in the perspective of law and order. There
have been incidents where evidential information was found on game consoles [5, 6]. Little has
been published, however, on the proper forensic procedures to determine whether an Xbox has been
modified and, if so, how to create a forensic duplicate and conduct a proper digital forensics
investigation [1]. This was the motivating factor to choose Xbox Forensics as the subject of this
research.

1.1 Nintendos Wii

Wii is Nintendos fifth game console and its seventh generation game console competing with
Xbox 360 and Play Station 3. It was first launched in December 2006 Wii is the lightest seventh
generation game console, weighing only 1.2 kg and it leads on the total number of units sold
against play station and Xbox with an accumulative sale of 52.62 million units all over the world by
June 2006, [6]. Wii comes with a remote controller which detects its pin point movements in 3D
and sends it to the screen through Bluetooth or Infrared. Nintendos Wii console specifications are
as follows [8, 9, 10].

729 MHz IBM PowerPC Processor

88MB Main Memory
512 MB built-in NAND flash memory
Supports 2 512MB SD Flash Memory Cards
Built-in 802.11b/g WLAN capability- compatible with USB 2.0 to Ethernet
2 USB 2.0 ports

1.2 Play Station 3

Play Station 3 also known as PS3 is Sony Computer Entertainments third home video game
console and also its seventh generation game console. It was initially released in November 2006.
PS3 was the first game console to support Blu-ray 2.0 in the market. By August 2009 24.9 million
PS3 units had been sold all over the world [10]. Apart from games PS3 comes with an optional
application named Photo Gallery which allows creating, viewing and grouping photos in various
ways. It also has an operating system called XrossMediaBar. Play Station 3 specifications are as
follows [12, 13, 14].
3.2 GHz PowerPC-base Cell Processor
256MB RAMBUS XDR RAM
20GB 160GB Hard Disc
Supports Blu-ray Disc, CD, DVD
Wired Ethernet and Wi-Fi IEEE 802.11 b/g connectivity
6 USB 2.0 Ports

1.3 Xbox and Xbox 360

Xbox and Xbox 360 are Microsofts sixth and seventh generation game consoles. Xbox 360 is
Xboxs successor. The release of Xbox was Microsofts entry into the game industry. Xbox was
initially released in November 2001 and Xbox 360 in May 2005. Even though Xbox was
discontinued in the latter part of 2006, the last game for Xbox was released in August 2008. By
May 2006, 24 million Xbox units were sold [3] and August 2009, 31 million units of Xbox 360
were sold [14]. Xbox 360 has superior capabilities when compared to its predecessor and a different
file system as well. Xbox front end user interface is called dashboard. Both game units support
Internet gaming. Following is a list Xbox [16, 17, 18] and Xbox 360 [19, 20, 21] specifications.
 Xbox
733MHz Custom Intel Pentium III
64MB RAM
8/10 GB Hard Disc
10/100BASE-TX wired Ethernet
USB Support Available through custom connector

Xbox 360
Custom IBM PowerPC-based CPU with three Symmetrical Cores at 3.2 GHz
512 MB RAM
20 250 GB Upgradable Hard Disc
100 Mbit Ethernet and Wi-Fi 802.11a/b/g
3 USB 2.0, IR port

From the above discussions about the, it is evident that seventh generation devices processing
power and other capabilities overwhelm the other processing devices in the household. Amongst
the four game consoles discussed above, it is obvious that Xbox and Xbox 360 strongly resembles a
personal computer. Besides being the easiest game consoles to modify, it is no wonder why they
are modified more often.

2.0 Xbox security and forensic challenges

Xbox forensics is an area where there has been little research conducted and published. This paper
is only concentrating on Xbox. Till this date there is very few research papers published with regard
to Xbox forensics. These papers were analysed and the challenges faced during the four stages of
Xbox forensics analysis were discovered and summarised in this paper.

Microsoft implemented certain security measures to ensure that Xbox could only be used for its
sole purpose; playing games and nothing other than that. However, Michael Steil [23] detailed
some of the weaknesses in an article 17 Mistakes Microsoft Made in the Xbox Security System.
Steil [23], indicated that the security mechanism is implemented as a chain of trust that could be
outlined as follows;
The CPU starts execution of code stored in the secret ROM.
The secret ROM decrypts and verifies the second boot loader.
The second boot loader decrypts and verifies the Windows kernel.
The Windows kernel checks the allowed media bits and the RSA signature of the game.

Xbox has a very secure encryption mechanism that prevents from executing random codes. All
Xbox executable files (.xbe files) are signed with 2048 bit RSA algorithm. Even if a single bit is
altered it would reflect a change in the signature. Therefore only code signed by Microsoft could be
run and all other code that doesnt match the signature would be rejected by Xbox kernel. So the
modification community began to look for vulnerabilities to exploit rather than trying break the
RSA security.

2.1 Buffer Overflow Vulnerability

Xbox file signature checks do not include checking audio (.wav) and font (.xtf) files. So the
modification community looked deep into this vulnerability. Attempts to modify files loaded by
games were not successful. But it was discovered that gamesaves loaded by games could be
modified and games also had buffer overflow vulnerabilities in font and wave files in their
gamesave handlers.
Buffer overflow vulnerabilities are a result of poor programming practices. A buffer overflow
condition takes place when a user or process tries to store more data into a buffer or a fixed array,
than it can hold [24]. This allows executing random code to take control over a system. This was
the key to modify Xbox through software exploit.

2.2 ATA Security

Another security feature of Xbox is its hard disc locking capability implemented through ATA. The
ATA password protection mechanism restricts access to hard disc through a hardware implemented
lock [25]. The key for this lock is a 32-bit password generated in a two step process which involves
extracting a key from the EEPROM on Xbox and then using this key and, the model and the serial
number of the hard disc to combine and create the final key [26]. Since the key extracted from
EEPROM is unique as well as the serial number of the hard disc, the final key is dependent on the
Xbox unit. Therefore Xbox hard discs cant be swapped and Xbox doesnt work on an unlocked
hard drive.

This is particularly an issue for the forensic investigators as an unlocked Xbox hard disc would
generate errors when attempted to image, whereas generally a working condition hard disc could be
acquired without any problems.

An Xbox hard disk can be removed like an ordinary computer hard disk, however, when imaging in
a locked state, the drive would not be detected [21]. Chris Vaughan [22], proposed four methods to
overcome this problem. One of them is hot swapping the Xbox hard disc to a forensic workstation
for imaging once it is booted without any disc in the DVD ROM, so that the hard disc would be
unlocked.

But this poses the risk of making a permanent modification on the hard disc or destroying hard disc
data. Craiger [1] proposed a forensically sound procedure to acquire the hard disc, which is to boot
the Xbox using Xebian bootable disc and acquire the image of the hard disc from a Linux computer
networked to the Xbox. The basic idea is to image the Xbox hard disc using dd and acquire it
through a Secure Shell (SSH) connection. But it is highly recommended that one needs to use
multiple types of CD-RW, DVD-R and DVD-RW to boot Xbox since the DVD ROM of XBOX
might not detect some discs.

2.3 Proprietary File System

Xboxs FATX file system is a proprietary file system; therefore no official documentation is
available about FATX. Even though the modification community managed to reverse engineer and
uncover certain information. Yet full documentation about FATX is not available. But drivers for
FATX have been built to allow Linux kernels to support and to be installed on Xbox game units.
Xbox Linux project is a community of people deeply involved in exploring Xbox and running
various Linux distributions on it. The obstacle caused by FATX during forensic analysis is partially
cleared, but still no major forensic suite supports FATX analysis.

2.4 Software Modification (Soft Mod)

Software modification or the so called Soft Mod of the Xbox could be said the easiest one as any
person with basic computer knowledge could modify Xbox to run Linux distributions or alternative
dashboards. It is not possible to just boot Linux into Xbox by inserting a bootable disc to Xbox
DVD ROM. Soft Mod is based on the buffer overflow vulnerabilities.
Following is a list of games that have been tested and found with buffer overflow vulnerabilities
that could be exploited to modify Xbox [27].

1. Splinter Cell (Any versions except PANDORA TOMORROW or CHAOS THEORY)

2. Mech Assault (With Serial Number MS02301L)
3. 007: Agent Under Fire (Original)

In addition to any of these games a USB memory stick with a USB to Xbox connector/ Xbox
memory card and Action Replay software are needed. In this research a USB memory stick was
used and Splinter Cell game was chosen as this is the most recommended one. The Krayzie Ndure
exploit was downloaded from the internet. Next step was to load the game exploit to the USB
memory stick. This needed some modifications to USB stick. It is important to specify that some
game exploits apply only to certain versions of Xbox, but Krayzie Ndure exploit applies to any
Xbox regardless of its kernel version [28].

Xbox works on FATX file system. Therefore there is a need to convert the USB memory stick to
FATX file system. To do this the USB stick was connected to an Xbox through a connector. Inside
the dashboard, in memory an error message was displayed indicating that the memory unit wasnt
working properly and was formatted. So now the USB stick is formatted to FATX file system.

Thereafter the USB stick was connected to a personal computer. Next step was to install Action
Replay Software. It is this software that is used to copy the gamesave exploits to our USB stick. It
is not possible to directly copy it because it is now in FATX which is not recognised by Windows
XP or any other operating system. So Action Replay was downloaded and installed. Thereafter a
small hack was done to convert our USB stick compatible to Action Replay Software. The
following was done to make it compatible.

USBView was installed on a XP machine. In USBView the USB stick was selected and its
idVendor and idProduct values were copied. Next a file named xbreader.inf in the Action
Replay software installation directory was opened and its VID_ and PID_ values were replaced by
idVendor and idProduct values respectively. The xbreader.inf file was saved and closed. Figure
below,
 Figure 1 USB to Action Replay Memory Card Conversion step 1

Next a driver that supports Xbox memory sticks was created. Figure below,

Figure 2 USB to Action Replay Memory Card Conversion step 2

Figure 3 Game Exploit Copied to USB stick

Thereafter Action Replay software was installed and the game exploits were copied to the USB
stick as in Figure 3. Then the USB stick was again connected to the Xbox. Both the game saves
were copied to Xbox Hard disk. Next Splinter Cell game was loaded and the Linux profile was
chosen to load. Then after few seconds of screen going blank the Unleashed X screen comes up.
EEPROM was backed up and installed Evolution X dashboard on the Xbox.

When the Linux gamesave was loaded, it exploited the buffer overflow vulnerability and ran the
hacking code to take control over the system and started Unleashed X dashboard. That is, the stack
was overwritten by the input data and eventually code execution pointed to the code embedded in
the gamesave. The installed Evolution X dashboard supports FTP, Audio Songs and even custom
applications can be installed on to it. But even though Evolution X was installed the option to load
the original Xbox dashboard exists and still works. So now the Xbox could even boot any Xbox
Linux DVDs while playing games as well, Figures 4, 5 and 6.

Figure 4 Game Save Copied to Xbox

Figure 5, Evolution X Welcome Screen

 Figure 6, Evolution X FTP Settings

With Evolution X or Unleashed X dashboard installed on Xbox, can be used as a file server to
upload and download files through FTP or it can even be modified to install a Linux distribution
and use it as a Linux computer or even use it as a web server, etc. Once the original Xbox is
modified through a soft mod, Xbox Linux distributions can be installed, just like installing them on
a personal computer. Xebian, Gentoox, Gentoo, XFedora, xUbuntu are some of the Linux
distributions that can be installed on Xbox [29] .It can also be used to hide files. For example a
person can upload illicit files to Xbox through FTP connection in order to hide data in Xbox.

2.5 Hardware Modification (Hard Mod)

It is not possible to just insert Xbox Linux CD into Xbox and boot Linux. Because every time a
game CD is inserted, Xbox checks to see if it is a game produced with an official Microsoft license.
If the boot information; the region specific code is missing, Xbox will not boot the CD [30].
Hardware modification involves replacing the original EEPROM in the Xbox with a modified
ROM that makes the Xbox kernel to discard boot information and run anything and everything on
the disc. So after replacing the EEPROM, a modified operating system that supports FATX could
be installed. Hard Mod is least used as software method is much easier.

Conclusions
Xbox forensics is still in its preliminary stages. More research has to be conducted in the
identification and analysis stages. Major forensic suites should develop support for FATX file
system. Technology is evolving at a rapid speed with newer and superior powered game consoles
introduced to markets everyday. The more powerful these game consoles are released, the more
high capabilities they possess, the more they are subject to modification and misuse.
It will not be long for ordinary game users to uncover the potential of these devices and attempt to
modify them. With Xbox 360 already in the market for more than four years, still there is a lack of
research in the field.

References

[1] Xbox Hacked, http://news.bbc.co.uk/1/hi/sci/tech/2067045.stm, Last Visited Nov. 2010

[2] Burke, K, P. and Craiger, P. (2007) Xbox Forensics, Journal of Digital Forensic Practice, 1:18
pp 275- 282

[3] 24 Million Xbox Units Sold World Wide, http://www.xbox.com/zh-

SG/community/news/2006/20060510.htm, Last Visited Nov. 2010

[4] Evidence on Xbox,

http://www.forensicfocus.com/index.php?name=Forums&file=viewtopic&t=2087 Last visited Nov.
2010

[5] Evidence found on Xbox,

http://www.f3.org.uk/modules/news/article.php?storyid=73&keywords=xbox, Last visited Nov.
2010

[6] 52.62 Million Wii game consoles sold all over the word,
http://www.nintendo.co.jp/ir/pdf/2009/090730e.pdf, Last visited Nov. 2010

[7] Wii game console specification, http://reviews.cnet.com/consoles/nintendo-wii/4507-10109_7-

31355104.html, Last visited Nov. 2010

[8] Wii game console specification, http://www.whatconsole.co.uk/wii.php, Last visited Nov. 2010

[9] Wii game console specification, http://www.pcvsconsole.com/features/consoles/wii/, Last

visited Nov. 2010

[10] 24.6 Million PS3 game consoles sold all over the world,
http://news.softpedia.com/news/PlayStation-3-Will-Catch-Up-to-the-Xbox-360-in-2011-
118402.shtml, Last visited Nov. 2010

[11] PS3 game console specification, http://reviews.cnet.com/consoles/sony-playstation-3-

slim/4507-10109_7-33765068.html?tag=mncol;psum, Last visited Nov. 2010

[12] PS3 game console specification, http://www.pcvsconsole.com/features/consoles/ps3/, Last

visited Nov. 2010

[13] PS3 game console specification, http://www.whatconsole.co.uk/ps3.php, Last visited Nov.

2010

[14] 31 Million Xbox 360 game consoles sold all over the world,
http://uk.gamespot.com/news/6216343.html?tag=recent_news;title;5, Last visited Nov. 2010
 [15] Xbox game console specification, http://reviews.cnet.com/consoles/xbox-video-game-
system/4507-10109_7-7853769.html?tag=mncol;rnav, Last visited Nov. 2010

[16] Xbox game console specification, http://www.pcvsconsole.com/features/consoles/xbox.php,

Last visited Nov. 2010

[17] Xbox game console specification, http://www.whatconsole.co.uk/Xbox.php, Last visited Nov.

2010

[18] Xbox 360 game console specification,

http://www.pcvsconsole.com/features/consoles/xbox360/, Last visited Nov. 2010

[19] Xbox 360 game console specification, http://www.whatconsole.co.uk/Xbox360.php, Last

visited Nov. 2010

[30] Xbox 360 game console specification, http://reviews.cnet.com/consoles/microsoft-xbox-360-

elite/4507-10109_7-32390552.html?tag=mncol;psum, Last visited Nov. 2010

[21] Collins, D. (2009) XFT: a forensic toolkit for the original Xbox game console, International
Journal of Electronic Security and Digital Forensics 2(2) pp 199 205

[22] Vaughan, C. (2004) Xbox Security Issues and Forensic Recovery Methodology, (Utilising
Linux), Digital Investigation 1 pp165172.

[23] 17 Mistakes Microsoft Made in the Xbox Security System, http://www.xbox-

linux.org/wiki/17_Mistakes_Microsoft_Made_in_the_Xbox_Security_System
Last visited Nov. 2010

[24] McClure, S. Scambray, Joel. and Kurtz, George. (2005), Hacking Exposed: Network Security
Secrets and Solutions, Fifth Edition, pp 218 222

[25] ATA Security: Roadblock to Computer Forensics,

http://www.eevidencelabs.com/article/ATA_Security_Roadblock_to_Computer_Forensics.pdf,
Last visited Nov. 2010

[26] ATA Security in Xbox, http://www.xbox-

linux.org/wiki/Xbox_Hard_Drive_Locking_Mechanism, Last visited Nov. 2010

[27] Games used to soft mod Xbox, http://www.techfreaks.org/articles/modxbox.shtml, Last visited

Nov. 2010

[28] Krayzie Ndure exploit, http://www.biline.ca/xbox_ndure.htm, Last visited Nov. 2010

[29] Linux distributions installable on Xbox, http://www.xbox-linux.org/wiki/Download, Last

visited Nov. 2010

[30] Harbour, J. (2004) The Black Art of Xbox Mods, Sams pp 70