Xbox is a well-known video game console designed by Microsoft. It has been equipped with more and more security features after design flaws and weaknesses became public. The main motivation for attackers is to play illegally copied games or run Linux. At the same time, Microsoft is trying to prevent users from running unsigned code. Only authentic code signed by Microsoft is allowed to run. But many mistakes made by Microsoft enabled attackers to gain arbitrary code execution and run unsigned code.

No Hypervisor
A hypervisor is just a small piece of code running in a privileged CPU execution mode. This highly privileged code serves as a minimal trusted computing base. It is responsible for memory protection and signature verification. In earlier versions, there was no hypervisor at all. All code ran in kernel mode, including the Windows kernel and games. And all external data received via peripheral devices was processed by kernel code. A single software bug could lead to a fully compromised system.

Vulnerable Hypervisor Code
In later versions, a hypervisor was introduced. But it came with a critical vulnerability in its system call handler. Attackers exploited it to run unsigned and malicious code in privileged hypervisor mode. An integer value provided by kernel code was used as an index into the hypervisor's system call table to determine the address of a handler function. Due to an improper check of that index, it was possible to redirect code execution to a system call handler under the attacker's control. The hypervisor simply fetched code from an unprotected memory area.

Broken Chain of Trust
A secure boot mechanism is often implemented to ensure system integrity. Each boot stage usually verifies the signature of the next boot stage and executes it only if the check succeeds. Such a chain always requires a trust anchor rooted in hardware. On the Xbox, the chain ended too early: after a signed game was loaded by the trusted Windows kernel, no further checks were performed. A game simply loaded unsigned and untrusted savegame files from the hard disk or a USB stick without any further verification. Attackers were able to inject specially crafted malicious savegame files to exploit vulnerable games. They managed to redirect code execution in kernel mode.

Block Cipher as Hash Function
Despite many warnings from crypto researchers, the Tiny Encryption Algorithm (TEA) was used as a hash function. It was known not to be collision resistant. By just flipping some bits, it was possible to produce the same hash value. As a result, a jump instruction inside the boot loader was easily patched.
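The equivalent-key weakness behind this, as an added example (not code from the original article or from the console): flipping the top bit of the first two key words leaves TEA's output unchanged, so a hash that feeds message blocks to TEA as the key collides. The Davies-Meyer style construction, the IV, the sample message and the names `tea_hash` and `hash_with_flips` are assumptions made for illustration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Standard TEA: 64-bit block v, 128-bit key k, 32 rounds. */
static void tea_encrypt(uint32_t v[2], const uint32_t k[4]) {
    uint32_t v0 = v[0], v1 = v[1], sum = 0;
    for (int i = 0; i < 32; i++) {
        sum += 0x9E3779B9u;
        v0 += ((v1 << 4) + k[0]) ^ (v1 + sum) ^ ((v1 >> 5) + k[1]);
        v1 += ((v0 << 4) + k[2]) ^ (v0 + sum) ^ ((v0 >> 5) + k[3]);
    }
    v[0] = v0; v[1] = v1;
}

/* ASSUMED construction (Davies-Meyer style, constructed IV): every 16-byte
 * message block is fed to TEA as the key. Not the console's real boot code. */
uint64_t tea_hash(const uint32_t *msg, size_t nblocks) {
    uint32_t h[2] = {0x01234567u, 0x89ABCDEFu};
    for (size_t b = 0; b < nblocks; b++) {
        uint32_t v[2] = {h[0], h[1]};
        tea_encrypt(v, msg + 4 * b);
        h[0] ^= v[0];
        h[1] ^= v[1];
    }
    return ((uint64_t)h[0] << 32) | h[1];
}

/* Constructed 32-byte sample message (two 16-byte blocks). */
static const uint32_t SAMPLE[8] = {0x11111111u, 0x22222222u, 0x33333333u, 0x44444444u,
                                   0x55555555u, 0x66666666u, 0x77777777u, 0x88888888u};

/* Hash SAMPLE after XORing mask0 into word 0 and mask1 into word 1. */
uint64_t hash_with_flips(uint32_t mask0, uint32_t mask1) {
    uint32_t m[8];
    memcpy(m, SAMPLE, sizeof m);
    m[0] ^= mask0;
    m[1] ^= mask1;
    return tea_hash(m, 2);
}

int main(void) {
    /* TEA has equivalent keys: flipping the top bit of k[0] AND k[1] cancels
     * inside the XOR, so a different message hashes to the same value. */
    printf("original    %016llx\n", (unsigned long long)hash_with_flips(0, 0));
    printf("paired flip %016llx\n", (unsigned long long)hash_with_flips(0x80000000u, 0x80000000u));
    printf("single flip %016llx\n", (unsigned long long)hash_with_flips(0x80000000u, 0));
    return 0;
}
```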

No I/O MMU
By performing DMA operations, peripheral devices were able to write to arbitrary physical locations in RAM. Attackers bypassed the main CPU and all other countermeasures. They injected code into unprotected memory locations and got it executed.

No Protection Against Fault Injection
Attackers performed a glitch attack on a reset pin for a short period of time. They were able to run their own code from flash memory by skipping security checks. Similar targets are clock pins and voltage pins. A gaming console has to be resistant against physical attacks.

Exposed Bus System
A small ROM, including a decryption key, was embedded into the southbridge chip. The ROM code was responsible for decrypting and verifying the flash image before execution. Almost all credentials were stored, and critical operations carried out, in external insecure RAM. And confidential data was transmitted over an exposed bus system. A sniffer was built to intercept traffic between dedicated ICs and extract the decryption key.

Exposed LPC Interface
A modchip was connected to the exposed LPC pins so that the console booted from it. It provided a bootloader that was able to boot another OS.

No Downgrade Protection
Attackers were able to downgrade to vulnerable and exploitable firmware versions. eFuse technology can be used to burn a counter into silicon.

Unprotected Optical Disk Drive Firmware
The DVD drive's firmware was responsible for checking whether an inserted disc was authentic or not. The result was reported to the main CPU for further processing. And the drive firmware was not protected from being modified. Attackers were able to install a custom firmware to make the CPU think that everything is fine.