Unfortunately it’s not quite that simple.
You have an unmodifiable XBE that runs from a burned DVD. If you change the XBE it will void the digital signature.
But the data files aren’t signed. Okay, it probably wouldn’t be too hard to buffer overflow the video codec or something. But this isn’t an x86 arch: the stack isn’t executable here.
Okay, so we dump exploit code onto the stack, then set the return address and some pointers so we call memcpy() to move our exploit code into place and end up jumping to it. Sorry, the executable pages aren’t writeable pages.
Alright, let’s try using the stack to exploit the kernel then. Nevermind that the program code is probably encrypted anyway and we can’t poke around in it but suppose we find a hole and Microsoft hasn’t pushed down a patch via Live yet. We’ve taken over the kernel, we’re running priviledged code, the system is ours and oh SH-…
Hypervisor kicks your ass. A certain segment of the address space is mapped to a ROM embedded within the CPU itself. In this ROM is a program that’s periodically executed to scan the kernel and check that everything is aok. If it isn’t, the entire system grinds to a screeching halts before you can say “running ‘backups’ lol nudge nudge wink wink”
Hijack the boot process? Can’t, the bootloader is also on-die and encrypted with a key unique to your CPU. There’s some sort of CPU-level DRM in this thing. Solder to the DRAM pins and hijack the memory bus? There’s no point, the hypervisor renders this irrelevant even if you did have some extremely high speed logic that could keep up with DRAM and fake a chunk of the address space (your POS Xilinx that you see on most modchips ain’t gonna keep up with the system bus).
Hate to say it but it looks like they know what they’re doing with this one. It’s really quite beautiful in a way… then again, the Hypervisor may be just a rumour. I can’t imagine how somebody would have just cracked open a CPU and found some stealth program code in there.
The Xbox360 is hard to mod January 22, 2006