August 11, 2005

XBox: 3 bugs in 512 bytes of security code

Michael Steil has an interesting article on the security measures Microsoft built into the XBox to stop unauthorized code (i.e. non-Microsoft code such as Linux) from running, and on how 512 bytes of that code leave at least two ways to take control of the XBox and run arbitrary software.

My favourite is the Visor trick they describe, which is borderline hilarious:

"...The roll over of the instruction pointer from FFFF_FFFF to 0000_0000 is supposed to generate an exception. Since no exception handlers are installed, this is supposed to halt the machine. But in reality, no exception is generated. Execution just happily continues at 0000_0000 - in RAM! Apparently the i386 CPU family throws no exception in this case; Microsoft's engineers only assumed it or misread the documentation and never tested it.

By adding Xcodes to write a jump to some Flash ROM address, like FFF0_0000, into memory at location 0, and causing the decryption check to fail by just not including the 32-bit check value into the Flash ROM, one's own code will be run right after the RC4 decryption..."

Schneier commented on it as well. More details are in the article.

Posted by crafterm at August 11, 2005 12:24 PM