Xbox 360 controller authentication workarounds?


#1

I got a Teensy a couple months back and finally have some free time and motivation to build something with it. I’m undecided at the moment, but I think that I’m either going to gut out one of my old Sega Saturn controllers and turn it into a PS3/PC controller, or make a PS3/PC hitbox or stick from scratch. I’m not too worried about this part. I could probably have a hacked-together prototype of the Saturn version tomorrow, but I want to do a bit more research first.

But anyway, on to the question… I’d love for it to be Xbox 360 compatible as well, but I’m having a really rough time finding any information on the 360 controller authentication. Has anybody found a way to use generic USB controllers on the Xbox 360 without controller spoofing using GIMX? I’d rather not tear apart a 360 controller for the PCB.

Please note: I am not looking for information on breaking the Xbox 360 cryptography, as that is illegal. Please don’t respond with anything related to breaking cryptography. Thank you.


#2

Unfortunately cryptography is what you’re going to be getting into if you want to fabricate your own Xbox 360 controller encoder.
Also, cryptography is not illegal; it is an actual respected area of study. Breaking the Xbox 360 crypto is not illegal; what is illegal is what you do with your knowledge, as in selling bootlegs, for example.

No one stateside is able (or admits to being able) to decode the Xbox 360 authentication.

So far only the Asian “grey market” manufacturers are able to make a 3rd party Xbox 360 PCB without Microsoft’s aid.
So far: Qanba, Pawewang, and Sun Ga. The last one, Sun Ga, is hard to find in the west.


#3

It uses a security chip designed to prevent you from doing exactly what you want to do.
Basically MS put in a security chip so secure that well funded and staffed 3rd party game peripheral corporations cannot crack it to make bootleg controllers.
This was to force them to pay a $10 licensing fee per controller for the security chip and to have a final say for what kind of controller can be plugged into the system.
They are also selective of who is allowed to make controllers for the Xbox 360, so even if you are willing to pay the fee, they might not grant you a license anyway.
The only way you will figure out how to crack it is to break into Infineon and M$ and steal the information needed to crack the security chip, whose sole purpose is to prevent hackers from doing what they do.

There have been a few companies that have cracked it, like some Asian arcade stick makers, but I have a feeling that if they get really big, lawyers will be jumping out of trees like ninjas.


#4

Good to know. I wasn’t positive on the legality of it. It seemed like a really gray area in the forum’s terms and conditions, and I figured I would play it on the safe side. I didn’t want to get banned for my first post, heh.

Really interesting article. Thanks for that.

Would you happen to know anything else about the security chip? I’m still not even sure if it actually encrypts any data, or if it just handles authentication. I’ve been reading a lot of mixed information.

I’m thinking authentication spoofing might be my best bet aside from ripping out a 360 PCB. I think I might be able to cobble together an XIM3 replacement using a Raspberry Pi and a UART-to-USB converter for about $30 in addition to the Teensy. I’d love to have an excuse to play around with one of those anyway.


#5

No PS3 button love from the Teensy HID Joystick.
Feel free to use this open-source PS3 firmware with the magic byte for the PS3 button (it is specifically for the ATMEGA32U4):
https://sparky.svn.beanstalkapp.com/sparky/trunk/Arduino%20Files/DEV/SparkyPS3/gamepad.hex

enjoy


#6

http://www.free-photos.biz/images/consumer_products/electronics/tssop_rqfp_so_ssop_qfn.jpg

The security chip is an 8-pin SSOP (shown on the right) that handles the challenge and response. The console sends a challenge, and the security chip in the controller sends a response. Notice how on every Xbox 360 PCB the security chip is connected only to the main microcontroller and power. The microcontroller that interfaces USB only passes the challenge to the security chip and passes the response back to the console. All the button-pressing stuff is sent to the Xbox 360 totally unencrypted. The security chip does nothing after you have a good handshake.

Get a good logic analyzer like this one http://www.saleae.com/logic then just watch what goes in and out of the 2 chips. That should give you enough information to harvest the security chip from cheap or broken controllers on eBay.

Get an SMD hot air machine. Then get a board made for the 32U4 and the 8-pin SSOP. Or you could use an 8-pin SSOP to DIP8 adapter and use header pins to mount everything on perf board or even a breadboard.

Kinda off-topic, but you might want to just see what microcontrollers have a UART instead of getting a USB-to-UART that only does one thing.


#7

Have you read rtdzign’s post, and this article? http://www.theregister.co.uk/2010/02/17/infineon_tpm_crack/

You need more than a logic analyzer. It took a top computer expert, formerly of the US army, a fortune to crack: a 2500 electron microscope (used), and some 50-some encoder chips ruined in the process. Unless the OP is a multi-millionaire, it is not cost productive.


#8

On a semi-related note, is there any practical use for saving the encoder chip from busted controllers? For example, hypothetically speaking, to connect/mount it onto something Cthulhu-like (or similar PCB) to enable Xbox360 authentication?


#9

You don’t if you’re not cracking the chip. You can recycle them from broken pads and use them with the Teensy no problem. You just need to know a little bit about the speed of the data so you can code the software on the main microcontroller to pass the information in both directions.

I was not suggesting it in my first post, but there actually is a way to defeat that security without doing what that guy did. You don’t need to spend a billion dollars to do it, but you might want a billion-dollar computer to parse the data faster. That article explains one way of doing it. There is another way that is harder than that but theoretically possible: you just need to aggregate enough challenge/response data to reverse engineer the algorithm used. This is exactly how they broke the elliptical cipher used to secure save files on the Wii. Some guy made a lot of identical save files on his Wii and copied them over to the SD card; then on the computer he noticed that each one was different even though they were the same when unencrypted. On the Xbox it is harder because the challenge is different every time, and the challenge is probably 128-bit or more. You would need to aggregate enough data to have the complete set or get lucky and find a pattern sooner. There are 2^128 = 3.40282367 × 10^38 possible challenges in a 128-bit system.

Watch this video of Tarnovsky aggregating data: http://www.wired.com/politics/security/news/2008/05/tarnovsky?currentPage=all#

Yes, that is exactly what I am saying here. Save them and maybe I will buy them. Maybe the OP wants one for the breadboard.


#10

Thanks for the clarification on that. Would you happen to know if the authenticator uses any sequential logic? Or has nobody even bothered testing (or published any testing) to that extent?


#11

I don’t think there is any public information on it. It has been reversed by some companies but not by hobbyists.


#12

I would recommend you hold onto them; they could prove very useful.


#13

Would that work? Just desoldering the Infineon chip off an official Xbox 360 controller and using it on another PCB? I would love to get a Teensy++ and have it work as a multi-console controller PCB for a stick. Is there any information/datasheets for the specific Infineon chip used on Xbox controllers?