A Memoir, Team HyperX. LiteOn Encryption
An overview of the history behind firmware modification, the creation and conclusion of the team formerly known as 'Team Jungle', and the story of an unsuccessful extortion. All views expressed are documented between several members of Team Jungle, THX and the scene, and are not opinions expressed by Xbox-Scene.
A great amount of work has been put into the xtreme, and now current ixtreme, firmware. commodore4eva, now simply known as 'c4e', came upon the scene to bring changes to the xbox360's firmware that led to new innovations and progress in one section of the xbox360 hacking scene.
These changes have been for the most part very positive, and in 2009 I formed a group that became known as 'Team Jungle', which spent 8 months working in unison to crack the first LiteOn drive. It was a very, very big achievement, and kudos is deserved all around for each member that did their share. It was a very bleak, dismal, long process that did not look promising for many, many months. The conclusion of Team Jungle/Team HyperX has arrived, and will be documented in this story. It is also my intention to notify everyone of facts previously withheld from the public, and to clear the air for some people unfairly accused of fraud and of elitism/heroism with malcontent.
With the cat and mouse game of almost all modification scenes, hackers vs vendors, technologies are constantly updated and secured against new vulnerabilities. As the ixtreme firmware was released for the LiteOn, it was apparent to that specific vendor that they needed to step up their game once their secure platform was defeated. It WAS a very brilliant design, for in the simplicity of basic hardware it becomes difficult to secure a platform without the host being entirely integrated into the overall security. We see the PS3 as a fine example of this: a hardware platform that has proven very secure from top to bottom!
Unfortunately, as the security measures increased, known vulnerabilities decreased and new methods needed to be found. Alas, they were.
Some of these vulnerabilities were hardware based, and some software. Some were vendor commands (CDBs, command descriptor blocks) that were intentionally placed within the firmware for diagnostic purposes! A large part of firmware 'hacking' is disassembling the firmware and discovering all of the hidden CDBs for alternative usage (piracy, homebrew, etc).
In order to hack the LiteOn, a team was necessary. c4e's talent was the final step of a very long process. You need experts on the physical/hardware side who are capable of extracting the firmware (since the known software methods were locked out). Sometimes several hardware guys are needed for different areas of talent. One might be skilled in decapsulation and extraction methods, and the other has x-ray and microscopes and is excellent at detailing.
The bottom line is that 90% of the work was NOT associated with the firmware and the job performed by c4e. The firmware modification was the easy part! Of the 8 months spent on that project, only 24 hours were needed by c4e to complete his part of the project.
With every release of xtreme and ixtreme firmware, different methods of hacking that particular hardware platform became apparent through documentation (tutorials), software (JF, sending CDBs, etc) or the specs/technical information released. Speculation is always a key player, whether the methodology is apparent, released or not.
When the 83850c hit the shelves, the public quickly figured out that there was a flaw: serial output was not working. So the team found a few 83850c's through our usual channels (distributors), purchased them (despite what you think, we usually buy our materials; most don't ever make it back, and donations are very 'final') and got them shipped to one of our hardware specialists who is capable of decapsulating and reading EEPROMs. It takes a rather talented and unique skillset to decapsulate and dump EEPROMs with microfiber.
In fact, the 'micro' is an understatement: it's so small it's practically invisible to the human eye! Imagine trying to solder that!
Our hardware genius successfully dumped the firmware. Since our crypto (software) genius had already cracked the encryption algorithm of the original drive's firmware (which was one of the most difficult tasks of hacking the drive!!), it was just a matter of having him decrypt it for us. Once decrypted, c4e could start doing his patching routines, as well as analyze the firmware for security changes. For a month I sat in the dark as c4e and the rest of the group 'worked' on getting the drive to output key/serial data. At the time it was presumed impossible. In the 5th week I was brought full circle and informed that the team had been coordinating decisions outside of my knowledge. Apparently the team came to a decision since there was no way to retrieve the key via software. The only hardware method at the time was full acid decapsulation, with the exception of the pin-lift method. I would like to take a moment to explain the following with an analogy:
Sir Alex Ferguson is the manager of the world famous Manchester United football (soccer) club. He does not play soccer (he used to). However, he is essential to the success of the football team. He uses his managerial experience to bring together players that would not normally play the sport together. When the team starts playing, he uses his decision making skills to combat changes within the field. Without him, the team can still play, and successfully at that! However, without him the team will eventually die, as they will become stale and not progress or get fresh blood into the roster. I use this analogy for myself. I created Team Jungle, which I renamed to THX due to a fallout between me and one of the developers whom I had start the project we now know as 'Jungle Flasher'. He was not a team player (several incidents), so I removed him from the team. Instead of changing the name of his application to disassociate himself from the team, I decided to change the team name! While I created the team, organized it and made decisions, the essential process (hacking) can obviously be done without me. The team made that choice when they went outside of my circle to discuss the future of LiteOn in regards to the team.
The decision that the team had come to was to integrate a piece of hardware (a modchip) into the process that would make end users capable of modding the new LiteOn drive without us giving away our only hardware 'dumping' method, the pin-lift method recently disclosed by geremia. We did not want MS and LiteOn/MTK to patch the only known software hole (pin-lift method), as that would defeat our capabilities in the future to dump the firmware. While we can always try to decapsulate, there are methods to combat it, and it's a very risky process that destroys the hardware. I am also experienced enough to understand that multiple avenues of hacking must be present in order to secure the *future* of this project! The reason the team did not disclose their decision, or the decision making process, to me was simple: greed. They wanted to bargain with the Chinese to get the maximum money possible out of each chip sold, and I was one less cut of the pie. And hey, I'm not a hacker, right? I don't do any work (other than creating the group and making the ENTIRE process possible!), so why should I get paid? Well, no loss on my end, and only on theirs (the group's), because I would have been, and argued very strongly against, ANY money-based process.
At that time c4e came to me and told me that they had been meeting behind my back and had come to a decision. However, c4e, in the 5th week after obtaining the fw, found out how the serial key output had changed, with encrypted key data. He had already contacted foundmy and made the key decryption service a reality. He had already consulted with the other group members, who (due to legal risk) said they did not want to be a part of it. Everything was ready to launch by the time I was told about it and asked whether I wanted to be a part of it.
I did the only thing I felt I could do: I told c4e that what he was doing was wrong. I told him it would destroy the team. I told him the legal ramifications were a disaster. I told him that the scene would rebel against it, that this was a FREE hacking scene and that no one would pay. I told him that I wanted him to consult with a lawyer before doing ANYTHING. But, most importantly..... I said yes and joined. Even now, as I'm getting "Iriez is a thief!" thrown at me left and right, I still do not regret joining the process. The reason is simple: the fundamental choice to join was so that I could gain control of the process, as I had control of the group and it was my natural place to coordinate the process. From within the driver's seat, I had more decision making power. With that power, I could do things such as: LOWER THE PRICE. Before anything became public, before any details were disclosed to me, I voiced not only the opinions above, but also that if he was going to extort money from the end users of this scene, he would have to do it within reason. I told him that if he absolutely was going to go forward with the process, it should be *no more* than $10 or $15.
At that time, I asked him the details of the security. How the key encryption worked, at what level, etc. He withheld information from me, such as the fact that it was a meager 128-bit AES. I specifically asked him the key rate, and c4e, typically himself - a socially dysfunctional anti-team player who ignores anything that he does not feel like answering - refused to answer my questions. He knew his security was pitiful and did not want to hear my objections. I'm glad he did withhold it. I'm glad he didn't make it a higher security, so that we could crack it at a later time.
What I do regret out of the entire process is this: I paraded the entire process for c4e. I chose 'swim' in a sink or swim situation, and tried to make the best out of it, instead of notifying the public of a grand scheme, in fact, more so, an *extortion* scheme. c4e was the only person who was actively hacking. As far as we knew, the changes he found were irreversible. Yes, he had the decryption key, as he was the person who cracked it in the first place! He had to know the key in order to set up a decryption process for foundmy. Foundmy would then pay c4e (foundmy made a 10 thousand dollar deposit into c4e's bank account; they were projecting millions in $$) for every key sold. The way it was set up, c4e handled the decryption process through an advanced and secure remote process. It was not given to foundmy or anyone else.
Since the situation forced every single person who wanted to modify their LiteOn to pay, I would consider it "extortion". I regret that I tried to convince people to use the service, but there was rationality behind my decision: I completely believed that the key was using the same encryption as the entire base firmware. That encryption scheme is much more advanced, and to this day only 2 people have cracked it. I believed no one could defeat the encryption. You must understand, we had tools and extra, very important, non-public data in regards to previous hacking, such as pre-LiteOn hardware with the new LiteOn security measures embedded, *without* the encryption! This greatly aided the cracking of the encryption, and is something no one else has! So my belief that it could not be cracked led me to accept c4e's dictatorship, because if it was uncrackable, no one else would be able to defeat it. What else could I do but try as hard as I could to move the situation in a positive direction? To my credit, towards the end I aided several people and groups in the effort to crack the encryption. I did not agree with releasing the decryption process, but I did see that *something* had to be done, and holding the power to crack the process gave leverage to make decisions.
He was also planning ANOTHER pay-for-key licensing program with ixtreme 1.7. Here are logs of some of the conversation:
1.7 will have new one shot boot and anti ap25, MS has been readying the routine in the new liteons, it is ready to use and is very accurate
wholesale modders ship new drive pcbs to us, we mod, send back but this can include older liteons if they wish, no fw released ever, no public released, but wholesale modders can sell modded systems or drives
1.61 fw is only for benq and sammy
1.7 will be for liteon only
1.7 has some extra features and the drive key is encrypted
new features are anti-ap25 and one shot boot session (until power off)
in the end their drivekey will not work in 1.7 unless it is our encrypted version
1.7 will be for all liteons
the liteon will have 1.7
it will have an encrypted drive key, customised by us, normal drivekeys wont work
no release to the public for now either
probably never
There he is not only planning on letting 'distributors' *control* the process (which was the problem with foundmy; c4e let FOUNDMY *control* the pricing!!!!), but also saying that the firmware will NEVER be made public (free)!!!!!! How could he NOT learn from the disaster last time???
The release of the decryption process is bad for this reason (this is a shortened timeline of the 360's drive hacking process):
Scene: Xbox360 drives get dumped, firmwares modified.
Result (MS): Various attempts at vendor changes and new security measures, plus the removal of specific vendor commands (CDBs).
Result (Scene): All security measures bypassed, modified firmware goes public.
Reaction (MS): New vendor, LiteOn. Drives have firmware encryption, no serial security.
Result (Scene): THQ created and firmware encryption defeated, modified firmware goes public. (12/22/08)
Reaction (MS): Cracks barbed wire whip at LiteOn and likely threatens to nullify the contract. LiteOn encrypts serial output.
Result (Scene): c4e creates the foundmy agreement, goes public 8/03/09, and geremia releases a decryption routine to combat the foundmy agreement within 48 hours (08/05/09).
Result (MS): 93450 released, all serial output vendor commands removed.
When you condense the life timeline of the firmware hacking you can clearly see the reaction from Microsoft, and how it affects 'the scene'. The pattern is very clear, and the logic behind the business circumstantially proves the facts of the pattern. I did not bother with the Samsung/Hitachi days, as it would be a lot of typing, and I've surely done enough of that here??
With each release of defeated security measures, a new security measure is added, along with *the removal* of the vendor commands specific to each individual process that allowed hackers to modify and publicize the hack. If the vulnerability is not made known to the public, then there is no patching. This is 'guesswork', and it can happen in any scene with regards to security, but we do not see any pattern of it in the xbox360! People like c4e and others involved within our former group, or others within the scene who have done similar work (firmware modification), can attest to that. It is a fact that there are several people who modified their Hitachi, with security/DMI support, before c4e hit the scene and released his modifications!!
Now that the pin-lift method is out of the bag, the next release will have that patched, just as serial key data output was patched after Geremia released his decryption tool, named FreeKey, on August 5th. The 93450's started showing up several months after FreeKey.
RIP THQ, formerly known as 'Team Jungle'. I said straight out "you are destroying the group" over the foundmy key solution. I was wrong. It was destroyed the moment the topic came up of LiteOns needing a hardware add-on.... a benefit to the Chinese! Solutions were found, and if I had been present I would have opted for time and work. That work would have found the software key output that was encrypted, and the decryption, and a system I envisioned: public encrypted key decryption server(s) that handled users' key output requests efficiently, immediately, and free. This would not have required distributors' time and labor costs, and would have allowed the public! The "Team Jungle" twitter going on is being done by the developer of Jungle Flasher, who is communicating c4e's progress. While c4e did the firmware mods for THQ, he unfortunately helped push forward the demise of the group and has gone his own way.
At this time I would like to state that I have unfairly accused Geremia of heroism. Just as I cannot expect people to justify my actions regarding foundmy prior to knowing the complete details as described above, Geremia would have to know the details of our situation in order to do something portraying an antagonist. While I firmly believe the above *evidence* supports my theory of consistent vulnerability patching, and that his release of FreeKey got the 93450 released, his pin-lift disclosure will cause a new 9xxxx series that, while it would have come out regardless, will *now* (key word; context implies change) come with a modified MTK that patches the routines that allowed the pin-lift trick to work.
In spirit, what Geremia is doing is the most pure, positive hacker behavior. His spirit is absolutely commendable. I appreciate this very much from him. What I heavily criticize is his decision making process. If he would work with the former team, instead of against it (and this goes both ways, c4e!!!! ugh!), then methods would be easily found using what vulnerabilities were still present. With bypasses used, the track record of patching holes that were not publicized is excellent: it doesn't exist!!!! This means MS has to patch the bypass first. This gives us a much longer lifetime for each series, or the extension of hackable series within that product family. So, to Geremia: work with! The sky is the limit. This *should* kill all greed, and everyone should be on the same side now that the 'jig is up', so to speak!
I would also like to say that, regardless of c4e's actions, this scene as an entity should always remember the history and positive efforts of c4e, time after time after time, straightforwardly "following through" with his promises. He is on point for hacking all the new drives, doing his part at lightspeed (a lot of the time is spent on the other members' tasks!!!) and usually flawlessly!!!
I have had the pleasure of working with c4e for over 3 years now. As a hacker, and using a hacker's mentality, he was the most positive and selfless of personalities that you could ever ask for. He performed the duties and spent the time scouring the firmware for each drive that was released, trying to find each and every hole, security measure, danger and feature possible, and providing the scene time and time again with the ixtreme series! Take someone with such an incredibly positive personality, who for 3... THREE YEARS... provided for free what software engineers are doing on a daily basis for their companies, with the exception of *most* of them not doing a boatload of reverse engineering.
So while c4e and geremia have both done good and bad (relatively speaking!), they are both good people at heart. We know they are very, very good programmers.
Their work is flawless! Let's all work together and make the decisions with a team mentality! With great minds thinking alike, there is recourse! Not all is lost on one poor soul's decision!
There is one lesson that I would appreciate everyone taking the time to learn out of all of this hard work, sweat, and frustration.
Everyone that is good at heart may eventually be corrupted through the stressful frustrations of a repeated lack of appreciation, expressed as verbal complaint, combined with the lack of income for what is realistically long, hard work.
Asking for donations now might make it appear as if this was some money making scheme. Therefore I will not propose to do so. However, I will interject that rewarding someone for their efforts over a timetable of years might relieve some of the stress associated with this type of work. A little here and there might prevent the illusion of wealth, by a projection of generosity that outweighs the often overwhelming annoyance of apathetic, unappreciative people.
-Iriez