Welcome, everybody. So I'm going to be talking about my journey the past few years reverse engineering Xbox Live. It was sort of my COVID project, for lack of a better word. I'm Tristan; I also go as monocasa on the internet when I have hot takes of questionable veracity, so that's what I'm using today.

So today I'm going to go over a background, then we're going to go fairly deep into what the protocols themselves are, take a look at how I went about reverse engineering it and, if somebody wanted to repeat this work, what you'd have to do to do that. I'm going to talk a little bit about the replacement server architecture I've built up so far, where it's going and what exists at the moment. And then I'm going to go into a brain dump, discussing, as I've gone through this, that I have very strong feelings about how to support people in a very... how about this: what's the ethical way to support abandoned software in an increasingly networked world? And then we'll go into questions. Unfortunately the demo gods weren't with us today; my Xbox actually got the click of death, literally last night. So I'll put up a video tonight, but the source is up too, so you can go take a look at that.

So starting off, who am I? I'm monocasa, Tristan. I'm an engineer. I've got a lot of experience with binary reversing, firmware development, cloud-based device and identity management, and experience with custom tunneling of IP. So these are all sort of a perfect storm for taking a look at Xbox Live and taking it apart; these are the skill sets you would need to take a look at other video game networks. If you want to get in touch with me, I'm monocasa@zombie.org. So Zombie's the name of my particular replacement Xbox Live infrastructure.
It was live, then it died for original Xboxes, and now it's back again. I thought it was a cute play on words.

Before we get much farther, I wanted to give a shout-out to the other people working in the same space. There's mborgerson, who has put a ton of work into the emulator for Xbox called xemu. There's also a guy by the name of Luke Usher who's working on a similar replacement server architecture for Xbox Live called Insignia. I think they both have Patreons; I'm sure they both would love some support. I've got nothing but love for both those people.

And interestingly, for a talk about early-2000s-era Microsoft code, like, I am going to rag on them a little bit, but I was actually kind of surprised looking back on this with historical context: all of, or at least most of, the obvious flaws actually make sense in context, and there's actually a pretty good protocol set. From what I can tell, other than, you know, it's 20 years old, other than upgrading the crypto primitives, a lot of the basics are still here, a lot of the structure is still here, and a lot of it still continues to make sense.

So, like I said, we're talking about Xbox Live today. My focus has really been on the original console; that's the only system that Microsoft so far has shut down access for. So that was from November 2002 until April 2010. There were some people that managed to keep their in-game sessions going for like a month later, which was really interesting, because ultimately, as we'll see, a lot of Xbox Live is the signaling pathway; once you have an in-game session, for most games it doesn't actually communicate that much with the back end. So it's kind of like WebRTC in that regard, for a more modern context. I'm also trying to stay away from systems that are still online and give Microsoft some space where they're still making their
money. There's been, you know, in the Xbox hacking scene, some people who didn't quite live by that same standard, and I don't think anybody won that game.

So, going back: Xbox Live is really the first modern video game network in a lot of ways. There's a lot of other ones before it. It obviously took a lot of inspiration from SegaNet, but video game networks actually go really far back. There was this really cool network called XBAND in the mid-90s that was like a Game Genie with a modem stuck on it, and then they would ROM hack, more or less in real time, to add online multiplayer to SNES cartridges. This was a commercial product that I hadn't even heard of at the time. Super cool. But like I said, Xbox Live is sort of the first modern video game console network, and by that we mean there's a cohesive service across the games. Previously these networks would provide network services, but otherwise each game is sort of an island unto itself. At release it could expect broadband to exist. They did try to support modems.
It looked like it, in development, but they didn't actually release with that, and so it set a standard of bandwidth: you essentially have to have been able to stream a simple Netflix, which is a very, very nice baseline for the sorts of services we expect out of modern systems. The Xbox shipped with a hard drive on the console, which was one of the... it might have been the first to ship with a hard drive, and was definitely the first to expect that kind of large amount of storage. That gives you enough local storage to be able to update games and make sure everybody's consistent. It brought up DLC, which, you know, I've got mixed feelings about, but it can be used for good and can be used for bad. It was actually moderated, for one of the first times, so you can attempt to have a pleasant experience despite the other people you're playing with. So these are all new features, and these are all table stakes now for a video game network, so it's really interesting, at least in my mind, to take a look at the first stab at how these got created.

So we're going to jump right in. The base protocols it uses: it's all IPv4, so if anyone has a /24 they want to give me for free, I'd appreciate that, but probably not going to happen. It uses DNS to bootstrap up to the different services. It ends up using Kerberos to work as the authZ and authN component, which is actually really core to the security infrastructure. And then there's always been this mysterious UDP port 3074, which is a custom VPN protocol, and that's really the core of honestly all Xbox networking, including System Link, but it's also the core of how boxes communicate to Xbox Live and each other: this VPN that uses the cryptographic attestations of identity from the Kerberos to connect and communicate with each other.

So, crypto primitives. This is where that historical context comes in. This is a great who's who of crypto primitives
you really shouldn't use anymore: MD5 and SHA-1 for hashing, RC4 for symmetric encryption, and DES and 3DES for symmetric encryption on the VPN. Yeah, you shouldn't use any of these anymore. Microsoft agrees with you; that's probably why original Xboxes aren't allowed on Live anymore, that combined with some of the other constraints on the Xboxes themselves. All these Xbox Live libraries are statically compiled into each game on original Xbox. That's something they fixed in the 360, but they would have to go back and release updates for literally every original Xbox title to allow it. So that sort of explains why they ended up cutting them off but still allow 360s, which are pretty old.

So, DNS. We actually hit three different DNS targets. There's MACS, which we'll get into; AS and TGS are fairly standard Kerberos servers; and then SG012N is the security gateway, that is, the VPN itself. And then all other communications go through that VPN, other than talking to other boxes. If you get into the binary reversing you'll also see hints of PartnerNet, which is Microsoft's private instances of all this stuff used for testing, so it'll be as.part.xboxlive; if you see that, that's what that stuff is. That's Microsoft's; they can have that. I don't want to touch that or piss them off.

Sweet. So once you are up and talking to these servers, like we said, we're using Kerberos for authZ and authN. If you've played with OAuth, it's very similar ideas from a very 1980s perspective. It uses this thing called ASN.1, specifically the DER version, instead of JSON for their communications, and in particular they use tickets instead of JWTs, or tickets instead of tokens. ASN.1 is actually really interesting.
It's sort of as if protobuf had a ton of different possible encodings. So DER is a fairly byte-packed encoding that makes sense; you'll also see that in X.509, and the tickets are DER encoded. If you care about every bit there's a PER encoding; but there's also a JSON encoding and an XML encoding. It's really from the 80s and has picked up a new encoding every time somebody cared. It's also been a thorn in the side of security, particularly for blue-team kind of people, and I guess it's been really nice for red-team kind of people. It's an extremely complex spec, and a lot of our encoding for security purposes these days takes ASN.1 in context and tries to not be that, tries to be a lot simpler, because pretty much until the advent of memory-safe languages there weren't safe ASN.1 parsers; up through the 90s, up through the early 2000s, ASN.1 was really easy to find buffer overflows in, for a very long time. So that's why we don't use it anymore, but this is what you used at the time.

Super interestingly, even though it's authZ and authN, it doesn't use public/private crypto. There's no "signed by a private key that could be validated by a public cert", although that was technically added as an extension to the RFC; I think it came out in the newer RFC, that's an option, but it's not the core of how it works. It's all about pre-shared keys: having a key here and having a key here means I can encrypt and HMAC different pieces, and then I can use that to negotiate the next key of the process in private. This is all ultimately the underlying piece of how Windows domain logins work.
So your pre-shared key in that case is your actual password you type in; on the Xbox it ends up being keys that were pre-added to the console at manufacturing time. So it ends up sitting on the EEPROM that's on every console, which has all sorts of manufacturing-time information, and there's a little online key. It's a heavily extensible protocol as well, so there's this arbitrary dumping ground of pre-auth data fields, and Microsoft ends up using these very, very heavily.

So we sort of skipped over MACS originally, which is the machine account creation service. MACS uses Kerberos, but arguably to the point of not even being Kerberos anymore, and is just using those pre-auth data fields to communicate not tokens but other information that we'll get to right now. So yeah, MACS is the machine account creation service. Original Xboxes, and I haven't quite figured out why this is the case, have a key available in the EEPROM that was put there at manufacturing time. Then an Xbox will use Kerberos to convert that secret on the EEPROM into a full account for the box itself. However, that account key has exactly the same key length that was negotiated, so it turns a 16-byte key into another 16-byte key, for reasons I'm not totally clear about. Maybe they were still figuring out the Xbox, maybe they were still figuring out Live and they just wanted to get all those pieces together, so that when they released Live later they'd have something. I'm not really sure, but we'll move on. So it ends up using just standard Kerberos AS-REQs and AS-REPs to verify that shared secret, create an account, and then from then on the machine uses that account to present itself to the security gateway.

So like we were saying, there's a bunch of extra pre-auths. There's a client version that you sign with secrets, which basically tells you what executable is being used here.
So a lot of times, if it's just the machine itself trying to bootstrap this thing, it ends up looking like the Xbox's dashboard. You've got this thing that they call the pre-pre-auth that I don't really understand; it just hashes the console serial and secrets in an interesting way. The only thing that makes any sense to me is that it helps some lookup that they have, but it's not really necessary and doesn't really add anything from a security perspective that I can see. Then there's this 131 that's a constraint on user data in a way that's sort of meaningless; it's an MS-KILE thing, which is another extension to Kerberos. And then the current timestamp, and otherwise it looks like a normal AS request.

Then the MACS service comes back to the console and gives it a ticket. So like we said, it's sort of like an OAuth token that doesn't make sense and gets thrown away. In my case I set the expiration to the Unix epoch just to make sure that it can't be used for anything. And then it gives it an account creation pre-auth which contains the whole machine user identity, and the box then ends up storing all this on this unpartitioned space on the hard drive. I haven't really figured out why. There's this, I want to say, half-meg space on the hard drive that isn't in any partition, and I haven't really been able to figure out why information gets stored there. The best theory I have is that the underlying storage there was originally supposed to be on a flash, and they migrated it because they didn't have an extra flash or didn't want to touch the flash or something. But it's not really hiding that much, because it's very clear from the binary what's happening; it's the only thing that's opening the raw partition, pretty much, on the system. So it's not even a good obfuscation technique. I mean, maybe if you were looking at it, but they're already using weird partitions and a weird partitioning scheme.
So, you know, it never really made sense, but that's where it is; that's what that unpartitioned space is. Ultimately all of that unpartitioned space is cached information. So anybody who is super concerned about preservation of that unpartitioned space, and afraid that if they modded their console and dumped it and never restored that piece they couldn't get on Live: you can still get on Live; all that information isn't necessary to get on Live re-implementations. Which is good news; a lot of people were very scared that they had written their way out of being able to be on Live.

So, users. Users are a really interesting concept in Xbox Live, and this is probably one of the cooler things that made me want to talk in front of DEF CON. So a user on Xbox Live is a very broad concept. The machine itself is a user, in addition to what you think of as, you know, people sitting there with controllers in their hands in each controller port. So it's a really interesting take, kind of one of the first stabs at IoT security: this idea of the machine itself being given a full identity, rather than, as for a lot of authZ/authN systems you see, what device they're on ending up being metadata for the user, as opposed to being combined as a user in its own sense and then smearing users together into a combined authorization.

So yeah, boxes have their own ID, their own full... they have their own gamertags, and it ends up being like SN.serialnumber. I ended up sticking them in a different Kerberos realm, but I haven't been able to find an original machine account, so I don't know what Microsoft originally does. Just like regular users, machine users both have a 16-byte shared secret.
That's ultimately the bootstrapping of Kerberos. They have domains and realms, which are basically namespaces, so you can think @blahblahblah.com, @blahblahblah.net. Everyone's got an XUID, which is a 64-bit user ID. Everything on original Xbox seems to start with 0009 for some reason; I don't know why that is, but the boxes don't seem to care. And then non-machine users will have flags and a passcode. The flags have two different concepts. One is for guest accounts: if you ever wondered how that worked, you have the same XUID as your host user, you just have different bits in the flags that say I'm a guest account of this user. Then the rest of the flags are things like "I was a shithead and therefore I am completely banned from speaking on everything globally", and those sorts of cross-communication black marks on the user are put in there. Also in the user account they've got the passcode, which is a pretty simple way of keeping your little brother from getting on your account. So it'll just be, you know, A, B, B, up, down or something.

Cool. So that brings us to the actual authorization flow. At this point your Xbox has sent to MACS, it's gotten a full account, then it moves into actually trying to connect. And so this is a pretty standard Kerberos flow for the most part. We end up creating a ticket-granting ticket that gives you a cryptographic proof of identity from the pre-shared key, and gives you a ticket that you can present to the next piece. It's sort of like an OAuth bearer token.
It essentially lets you prove that you are who you think you are to other entities. It can be a very multi-step process. So this is what I was getting at, where it'll first build up a ticket-granting ticket with the machine's account, and then it does this combined identity thing where it starts layering all of the other users on top of it and smears all of the identities together into this one cryptographic version of identity, which is a really interesting concept and one I haven't seen used very much these days.

Cool. So from there we talk to TGS, which is the ticket-granting service. So you give it a ticket-granting ticket; it gives you back a service ticket. Pretty simple. So this will be a little bit shorter timeframe. You'll also tell it that you want certain back-end services, and it will give you a ticket for those back-end services for those users. So at the end of the day, this is another really interesting part, and probably one of the cooler parts of Xbox Live: even before you're fully connected, you have this cryptographic attestation of identity that is combined with which back-end services you can talk to. That's sort of the mid-level of their back-end system, which is really, really neat. It reminds me of how Facebook has added to their TLS connections on their back end: they really try to tag the identity of the user that was the cause of the request to everything, so that they can track it through their systems very well. This could give you the same way to do that kind of thing, to track user identities through requests, to restrict users on a per-game basis, per-user basis, and handle it all very holistically, all underneath the individual game protocols and what all the other protocols expect.

So, you know, it brings it back to our other pre-auths.
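The pre-shared-key Kerberos model described above (AS exchange to get a ticket-granting ticket, TGS exchange to get a service ticket that also says which back-end service you may talk to, then presenting that ticket to the service) as an added, self-contained example. This is not code from the talk or from the Zombie project: the cipher is a toy HMAC-SHA256 construction standing in for the real symmetric suite, the principal names, the `@XBOX`/`@MACHINES` realms and the `ALLOWED` table are constructed for the example, and nothing here uses public-key crypto, which is the point being illustrated.

```python
import hashlib
import hmac
import json
import os
import time

# Toy symmetric primitives for the example (NOT the Xbox/Kerberos cipher suite):
# HMAC-SHA256 in counter mode for a keystream, then encrypt-then-MAC.
def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]


def seal(key: bytes, obj: dict) -> bytes:
    """Encrypt a JSON object under a 16-byte shared key and append a MAC."""
    plain = json.dumps(obj, sort_keys=True).encode()
    nonce = os.urandom(16)
    body = nonce + bytes(a ^ b for a, b in zip(plain, _keystream(key, nonce, len(plain))))
    return body + hmac.new(key, body, hashlib.sha256).digest()


def unseal(key: bytes, blob: bytes) -> dict:
    """Check the MAC first, then decrypt; ValueError if the key is wrong."""
    body, tag = blob[:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, body, hashlib.sha256).digest(), tag):
        raise ValueError("bad MAC: wrong shared key or tampered blob")
    nonce, ct = body[:16], body[16:]
    return json.loads(bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))))


# Constructed key table: every principal shares a 16-byte secret with the KDC.
# Names are this example's own; the machine account mirrors the talk's
# "SN.<serial>" gamertag idea.
KDC_KEYS = {
    "SN.0000000001@MACHINES": os.urandom(16),   # machine account
    "krbtgt@XBOX": os.urandom(16),              # key that wraps TGTs
    "matchmaking@XBOX": os.urandom(16),         # back-end services
    "stats@XBOX": os.urandom(16),
}
# The KDC's authorization table: which services each principal may request.
ALLOWED = {"SN.0000000001@MACHINES": {"matchmaking", "stats"}}


def as_exchange(client: str):
    """AS-REQ/AS-REP: the reply's session key is readable only with the
    client's pre-shared key, which is the whole proof of identity."""
    sess = os.urandom(16)
    tgt = seal(KDC_KEYS["krbtgt@XBOX"],
               {"cname": client, "key": sess.hex(), "exp": time.time() + 600})
    return seal(KDC_KEYS[client], {"key": sess.hex()}), tgt


def tgs_exchange(tgt: bytes, authenticator: bytes, service: str):
    """TGS-REQ/TGS-REP: TGT plus authenticator in, service ticket out.
    The ticket carries identity AND the service it is good for."""
    t = unseal(KDC_KEYS["krbtgt@XBOX"], tgt)
    if t["exp"] < time.time():
        raise ValueError("TGT expired")
    sess = bytes.fromhex(t["key"])
    if unseal(sess, authenticator)["cname"] != t["cname"]:
        raise ValueError("authenticator does not match TGT")
    if service not in ALLOWED.get(t["cname"], set()):
        raise PermissionError(f"{t['cname']} may not talk to {service}")
    svc_key = os.urandom(16)
    ticket = seal(KDC_KEYS[f"{service}@XBOX"],
                  {"cname": t["cname"], "key": svc_key.hex(), "svc": service})
    return seal(sess, {"key": svc_key.hex()}), ticket


def service_accept(service: str, ticket: bytes, authenticator: bytes) -> str:
    """AP exchange on the back end: open the ticket with the service's own key,
    then check the authenticator under the key found inside it."""
    t = unseal(KDC_KEYS[f"{service}@XBOX"], ticket)
    if t["svc"] != service:
        raise PermissionError("ticket issued for a different service")
    if unseal(bytes.fromhex(t["key"]), authenticator)["cname"] != t["cname"]:
        raise ValueError("authenticator does not match ticket")
    return t["cname"]


def client_login(client: str, service: str) -> str:
    """Whole client-side flow; returns the name the service accepted."""
    rep, tgt = as_exchange(client)
    sess = bytes.fromhex(unseal(KDC_KEYS[client], rep)["key"])
    svc_rep, ticket = tgs_exchange(tgt, seal(sess, {"cname": client}), service)
    svc_key = bytes.fromhex(unseal(sess, svc_rep)["key"])
    return service_accept(service, ticket, seal(svc_key, {"cname": client}))
```

The thing to notice is that the client never holds a service's key and the service never holds the client's: every hop is proved by being able to open something sealed under a key the KDC shared out of band, and the authorization decision (the `ALLOWED` check) is bound into the service ticket before the client ever reaches the back end.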
They've got 201, 202. So we have a service request, which is basically the game saying, hey, I want to talk to matchmaking, I want to talk to stats. And then the service address: you'll get an address of which security gateway you can talk to and which underlying ports to talk to, both for the security gateway (well, the security gateway is going to be on 3074) but also, once you've connected into the VPN, which ports you can talk to and which services they're connected to. It has very almost SDN-kind-of underlying components, which for something that was created in 2002 is kind of nutty to me.

So that brings us to the security gateway. That's on that port 3074. This is a custom VPN. It really looks like IPsec. It also really looks like WireGuard, which looks like IPsec a lot. It signs and encrypts pretty much all traffic. It sits at layer two. It smears TCP and UDP into itself in a way that you also see in IPsec to a degree. It's very, very, very, very focused on saving bytes wherever it can. I think some of that probably relates to trying to get this thing running on modems originally, like it seemed like they were doing, because they go to absolutely heroic ways to save a byte here, save a byte there.

Yeah. Here's the underlying packet format. So you have: the first byte contains padding and an opcode. The padding for the actual payload ends up being eight-byte aligned, because that's the block cipher size, so the padding tells you how much of the block cipher goes past the payload. You've got an opcode: zero ends up being control packets, then you've got three each for TCP, UDP and another protocol called VDP. You've got three bytes for an SPI, that is, security parameters index.
That's essentially a session identifier. You've got payload, which, as we talked about, can just be anything. So for things like TCP that'll be the actual fragment data; it won't be the headers or that kind of information. For the control packets it'll be just arbitrary data: Diffie-Hellman, all those pieces that need to be negotiated. Pretty arbitrary, lots of data. For TCP, UDP and VDP you have a footer which contains what would normally be their header information. In a really cool, but one of those ways Microsoft goes to heroic lengths to save bytes: the protocol footer doesn't need to be encrypted, it'll be signed, but if there's padding it can be stored up there; it can basically be optionally encrypted if that helps you save bytes, because the encryption step will happen before trying to parse the protocol footer. We'll have two bytes of sequence number. There's also an additional two hidden bytes of sequence number where you just have to remember where you were: you start at zero, and once it rolls over each side will bump up their higher bytes, but they don't actually communicate that. I think that's also true of IPsec, though; that's not a super crazy thing. Then there's also a signature, which is 10 bytes of a truncated SHA-1 of everything, including the hidden sequence bytes, with keys that were negotiated at the same time as the Diffie-Hellman.

So one thing I am going to rag on a little bit is the way the signature check is computed here. It ends up being: you do it over the protocol footer, then the header, then the rest of the payload, then the sequence number, or something like that; it pulls them all out, which means that you have to do a significant amount of processing of this packet, understand where the boundaries of these different pieces are, before you've validated the signature. I mean, don't roll your own
crypto is rule one and two and three and five, but if we're at rule six and you are implementing your own crypto, just keep it simple and sign everything in a linear way. Don't force somebody to interpret something before they've been able to verify the signature on it. It looks like Microsoft did it right; I didn't find any bugs in it. It's just hard to get right, and I wouldn't trust myself to get it right, basically. Cool.

So, yeah, we've got the control packets. So it's opcode zero: a lot of Diffie-Hellman parameter negotiation; if you're shutting down the VPN, there's a piece for that; there's keepalives that keep the connection going, and the service will kill it off if it doesn't see keepalives in a while. There's also, interestingly, this event queue that sits at this protocol layer, where a lot of server-side events happen at this layer two, sitting underneath the TCP and all that. So if you've ever seen "your friend wants to invite you to a game", or they started playing another thing and it pushes an event to your console and makes a little pop-up, that event ends up getting pushed down at that layer two, which is really interesting to me. There isn't an equivalent of a WebSocket or something that they have; I mean, obviously they didn't have WebSockets in 2002, but there isn't some higher-level protocol that's being kept together. It's all negotiated at this low level that these events are taking place, which is really interesting. There's also a bunch of throttling and QoS management that happens, negotiating at this layer.

The other opcodes: we have UDP and TCP, but they remove a bunch of stuff. If every packet is signed then you don't need checksums. I think they removed the urgent bit out of their TCP stack, which is awesome; urgent is awful.
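The packet format sketched above (padding plus opcode in the first byte, a 3-byte SPI, a block-aligned payload, a 2-byte on-the-wire sequence number with two more hidden high bytes, and a 10-byte truncated SHA-1 tag), written up as an added example that does the signature the "linear" way the speaker recommends: the tag is computed over the wire bytes in order plus the hidden sequence bytes, and the receiver verifies it before parsing anything past the fixed-offset fields. This is not code from the talk, from Microsoft or from Zombie: the nibble split of the first byte, the use of HMAC as the keyed construction, and the replay rule are this example's own assumptions, and there is no payload encryption here, only the signature and extended-sequence-number handling.

```python
import hashlib
import hmac
import struct

BLOCK = 8      # block-cipher size from the talk: payload is padded to 8 bytes
MAC_LEN = 10   # truncated SHA-1 tag length from the talk


def _tag(key: bytes, wire: bytes, seq_hi: int) -> bytes:
    """Keyed, truncated SHA-1 over the wire bytes in order, followed by the two
    hidden high sequence bytes that never appear on the wire. HMAC is this
    example's choice of keyed construction, not the protocol's."""
    return hmac.new(key, wire + struct.pack(">H", seq_hi), hashlib.sha1).digest()[:MAC_LEN]


class Sender:
    """Keeps a 32-bit sequence counter; only the low 16 bits go on the wire."""

    def __init__(self, spi: int, key: bytes):
        self.spi, self.key, self.seq = spi, key, 0

    def build(self, opcode: int, payload: bytes) -> bytes:
        pad = (-len(payload)) % BLOCK
        # ASSUMED bit layout: padding count in the high nibble, opcode in the low.
        head = struct.pack(">B", (pad << 4) | (opcode & 0x0F)) + self.spi.to_bytes(3, "big")
        wire = head + payload + b"\0" * pad + struct.pack(">H", self.seq & 0xFFFF)
        tag = _tag(self.key, wire, self.seq >> 16)
        self.seq = (self.seq + 1) & 0xFFFFFFFF
        return wire + tag


class Receiver:
    def __init__(self, spi: int, key: bytes):
        self.spi, self.key = spi, key
        self.seq_hi = 0     # hidden high half, tracked locally, never transmitted
        self.last_lo = -1   # last accepted low half within the current window

    def accept(self, pkt: bytes):
        """Verify the tag before interpreting anything beyond fixed offsets."""
        if len(pkt) < 1 + 3 + 2 + MAC_LEN:
            raise ValueError("short packet")
        wire, tag = pkt[:-MAC_LEN], pkt[-MAC_LEN:]
        # ESN: try the current hidden high half, then the next one, which is
        # what the peer's low half wrapping past 0xFFFF looks like from here.
        for hi in (self.seq_hi, (self.seq_hi + 1) & 0xFFFF):
            if hmac.compare_digest(tag, _tag(self.key, wire, hi)):
                break
        else:
            raise ValueError("bad signature")
        seq_lo = struct.unpack(">H", wire[-2:])[0]
        if hi == self.seq_hi and seq_lo <= self.last_lo:
            raise ValueError("replayed or out-of-order packet")
        self.seq_hi, self.last_lo = hi, seq_lo
        # Only now is the packet trusted enough to parse.
        pad, opcode = wire[0] >> 4, wire[0] & 0x0F
        if int.from_bytes(wire[1:4], "big") != self.spi:
            raise ValueError("unknown SPI")
        body = wire[4:-2]
        if pad > len(body):
            raise ValueError("padding exceeds body")
        return opcode, body[:len(body) - pad]
```

Because the tag covers the bytes exactly as they sit in the buffer, the receiver touches nothing variable-length until `compare_digest` has passed; the only thing it has to "guess" is which hidden high half the peer is on, and a wrong guess simply fails the tag check.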
I wish everybody could remove urgent. Each of these has actually three opcodes, because they do a cute scheme where if your port is 1024 then you don't actually have to list the ports; if you're within like 127 of that port then you can list the ports as just single-byte offsets; but if you're on one of the other ports you do normal two-byte ports like you'd expect. There's also VDP, which I've hinted at, and so that's UDP but with part of the payload that is outside of the encrypted segment, and that's where it stores voice. Which means that voice in Xbox Live is unencrypted in the air, and that is ostensibly for lawful intercept, so that the cops can get a wiretap and look at everything you're saying. So that is where that is. Don't plan an insurrection over Xbox Live, I guess, is the point there.

Cool. And then at that point you have a full connection into the VPN, you have a cryptographic attestation to your identity, and that identity also contains which services on the back end you're allowed to talk to. There's about 20 of them, at least on the original; I haven't checked in recently. There's this one called presence that always gets used; that's essentially where you end up pushing your event that you are in a game, and it ends up being a dumping ground for a lot of ancillary pieces of Xbox Live as well. Games can have custom services. So if you think of the classic ones, MMOs will have custom services for their back ends, so they'll just negotiate a different one and they'll connect to there. Even if you're an MMO and you're running your own servers, all of these communications still end up initially hitting this VPN. Everything is encrypted through and through and is this one protocol stack. Unfortunately, as I've been reimplementing this stuff: I played a lot of Halo 2 as a teenager.
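The three-opcode port scheme described above, as an added example that is not the talk's or Zombie's code: a (src, dst) pair is sent as zero bytes when both are 1024, as two signed single-byte offsets when both are within 127 of 1024, and as two plain 16-bit ports otherwise. The opcode values, the decision to apply the variant to the pair as a whole, and the signed interpretation of the offset byte are assumptions of this example; the real wire values are not on the page.

```python
import struct

BASE_PORT = 1024   # the port the talk says needs no bytes at all
# One opcode per port encoding, as the talk describes for TCP/UDP/VDP.
# The numeric values are this example's own, not the real wire values.
OP_DEFAULT, OP_OFFSET, OP_FULL = 0, 1, 2


def encode_ports(src: int, dst: int):
    """Pick the smallest of the three encodings for a (src, dst) pair.
    Returns (opcode, port_bytes)."""
    for p in (src, dst):
        if not 0 <= p <= 0xFFFF:
            raise ValueError(f"port out of range: {p}")
    if src == BASE_PORT and dst == BASE_PORT:
        return OP_DEFAULT, b""                            # 0 bytes on the wire
    dsrc, ddst = src - BASE_PORT, dst - BASE_PORT
    if -127 <= dsrc <= 127 and -127 <= ddst <= 127:       # "within 127" of 1024
        return OP_OFFSET, struct.pack(">bb", dsrc, ddst)  # 2 bytes, signed offsets (assumed)
    return OP_FULL, struct.pack(">HH", src, dst)          # 4 bytes, plain ports


def decode_ports(opcode: int, data: bytes):
    """Inverse of encode_ports; returns (src, dst, bytes_consumed) so the
    caller knows where the rest of the footer starts."""
    if opcode == OP_DEFAULT:
        return BASE_PORT, BASE_PORT, 0
    if opcode == OP_OFFSET:
        if len(data) < 2:
            raise ValueError("truncated port offsets")
        dsrc, ddst = struct.unpack(">bb", data[:2])
        return BASE_PORT + dsrc, BASE_PORT + ddst, 2
    if opcode == OP_FULL:
        if len(data) < 4:
            raise ValueError("truncated ports")
        src, dst = struct.unpack(">HH", data[:4])
        return src, dst, 4
    raise ValueError(f"unknown port opcode {opcode}")
```

A decoder that reads the footer this way has to know the opcode before it knows how many port bytes to expect, which is exactly why the opcode lives in the unencrypted first byte and why the signature should be checked before any of this parsing happens.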
I kind of joke that I am doing this so that when I hit my midlife crisis I have what I wanted to do when I was a teenager as well, but Halo 2 uses a custom service as well, so it doesn't come for free. But I'm sure we'll get there.

These back-end services actually tend to be HTTP, with custom binary payloads on a per-service basis, but I wasn't really expecting something as forward-looking. There are really, really strong indications that they're primarily written in C#, ASP.NET servers; there's a lot of .ashx endpoints, which in context would have been like a beta version of ASP.NET, I think, which is really, really forward-looking, at least in my mind, for how to release an internet-connected service in 2002. To just treat everything as HTTP once you have TCP up, for the 2002 era, was quite forward-looking.

So going through it: presence, like we said, always exists. That's where client push events come from. So like we said, there is that event queue for server-pushed events; this is where the client-pushed events for the most part end up coming from. Matchmaking: there's a matchmaking service that's for games that aren't ranked, for the most part, where you're just trying to find somebody close to you, maybe somebody close to your geo-IP or somebody with low ping; for whatever reason, that ends up going through the matchmaking service. There's a strings service that I think does internationalization and maybe sanitization for moderation, so they can update "these are the words you're not allowed to say" and query it. There's feedback, which is "this guy called me a slur", so moderation requests end up going through there. Stats: there's leaderboards that go through there.
I also figured out a couple more of these since I wrote up these slides. That also goes, for ranked matches, to where it ends up building up your Elo, or whatever algorithm, off of the stats information. There's also an arbitration service that looks a lot like matchmaking but ends up generating sessions for ranked play. Messaging: you can send users messages; pretty clear. Auto-update: this is one of those key pieces that was, like I said, newer to Xbox Live, because they had the storage on each console necessary to do this, making sure that everybody's playing the same version of the game. And then there's team management, a team service. Let's see. Oh, and there's also a NAT detection service that will let you do NAT punching, or at least NAT understanding. A lot of the NAT stuff is actually interesting, because by sticking everything on that one port, 3074, you get a lot of NAT punching for free, because you've already communicated to the external services, and therefore any incoming game requests can also come in on that port, because you've already done 80% of NAT punching. So it's kind of a nice way to do that.

Sweet. So then we have matchmaking, or just joining a game session. What does it look like? So you end up using the matchmaking service to query for or create a session. That session information ends up containing a host and a lot of the random parameters of what a game will contain. So there'll be a session identifier; there'll be a key exchange key, which lets boxes talk to each other without Diffie-Hellmanning to each other. Once a box gets a list of potential hosts to join a game in, they end up logging into that host with more or less the same VPN protocol.
So that VPN is ultimately the base layer of even that piece, and of System Link as well. Yeah, and we covered NAT punching. System Link, yes, System Link's about the same. They'll throw out a broadcast packet encrypted with essentially the same key; well, it'll be a per-game key that's on the disc, so they can see each other's game announcements, and then ultimately the host box will set up a VPN server and the other boxes will VPN into it. And that's how System Link ends up working. And it looks like actually games don't have a TCP stack other than one based on this VPN protocol, so they couldn't even do anything if they wanted to.

Cool. How do you go about reversing this stuff? A lot of staring at Ghidra. I want to give a shout-out to whatever contractor had to add Xbox executable support to Ghidra. It probably didn't need to happen at that point anymore, and he probably was wondering what he was doing with his life, but I really appreciate it. It's probably one of the best uses of my defense dollars. Going on, looking at it: Gauntlet Dark Legacy ships with a PDB just on the disc.
It doesn't have the online capabilities, but you can get your bearings about what an Xbox game looks like. Red Star is an online game that ships with the full symbol map, including the online shared libraries. Jedi Knight: Jedi Academy, they GPL'd their Xbox version, and that includes all of the online components; not the Microsoft code directly, but how to call it. And then in every executable, XOnline and XNet are broken out into separate sections. XOnline is the online component; XNet is what you just need for System Link and contains the VPN stack, essentially. All crypto is cleanly exported by the kernel, so you can see that on the import list.

You can go here: github.com slash zombie online. Zombie is a GPL'd source for a re-implementation, very proof of concept; PRs are welcome. zombie.org, whenever I end up updating DNS entries, will be where you go to sign up for an alpha to get at it back online.

And yeah, I mean, I want to move the industry towards a theory of software security harm reduction when it comes to network services. And so where I'm at there is: people are going to use software online that they can't update anymore, which is, I mean, you know, rule one is don't do that, but people are going to do that. So I'm open-sourcing a lot of this stuff to really start thinking about how we can protect people even in these very unsafe conditions, and to start opening things up, doing so by shining a light and then adding knowledge. And I don't think we have time for the demo as given, and I think it's going to work. Yeah. So, sweet.