Xbox Sphinx Protocol

I’ve gone down the rabbit hole of trying to read the Xbox DVD drive from Linux. Honestly, I’m trying to remember why I even care at this point. Perhaps it’s just my metagame of trying to understand how games and related technologies operate. In my last post on the matter, I determined that it is possible to hook an Xbox drive up to a PC using a standard 40-pin IDE interface and read data sectors. However, I also learned that even when the Xbox optical drive has an Xbox disc loaded, it will not simply hand over every sector in response to a host read request.

Oh goodness, no. The drive is going to make the host work for those sectors.

To help understand the concept of locked/unlocked sectors on an Xbox disc, I offer this simplistic diagram:


Xbox locked disc diagram

Any DVD drive (including the Xbox drive) is free to read those first 6992 sectors (2048 bytes each, about 14 MB of data), which just contain a short DVD video asking the user to insert the disc into a proper Xbox console. Reading the remaining sectors involves performing a sequence of SCSI commands that I have taken to calling the “Sphinx Protocol” for reasons I will explain later in this post.

References
Doing a little Googling after my last post on the matter produced this site hosting deep, technical Xbox information. It even has a page about exactly what I am trying to achieve: Use an Xbox DVD Drive in Your PC. The page provides a tool named dvdunlocker written by “The Specialist” to perform the necessary unlocking. The archive includes a compiled Windows binary as well as its source code. The source code is written in Delphi Pascal and leverages Windows SCSI APIs. Still, it is well commented and provides a roadmap, which I will try to describe in this post.

Sphinx Protocol
Here is a rough flowchart of the steps that are (probably) involved in the unlocking of those remaining sectors. I reverse engineered this based on the Pascal tool described in the previous section. Disclaimer: at the time of this writing, I haven’t tested all of the steps due to some Linux kernel problems, described later.


Xbox SCSI Unlock Protocol

Concerning the challenge/response table that the drive sends back: it’s large (0x664 / 1636 bytes), and not all of the bytes’ meanings are known. However, these are the bytes that seem to be necessary (all multi-byte numbers are big endian):

 bytes 0-1        Mode data length (should be 0x0662 = 1634, the payload length minus these 2 bytes, as in a MODE SENSE(10) header)
 bytes 2-771      Unknown
 byte  772        Should be 1
 byte  773        Number of entries in challenge/response table
 bytes 774-1026   Encrypted challenge/response table (253 bytes)
 bytes 1027-1186  Unknown
 bytes 1187-1230  Key basis (44 bytes)
 bytes 1231-1635  Unknown

The challenge/response table is the interesting part, but it’s encrypted with RC4, a.k.a. ARCFOUR. The key is derived from the 44 bytes I have labeled “key basis” (the closest standard term is probably input keying material, the seed from which a key derivation function produces the working key; chime in if you know a better one). An SHA-1 hash is computed over those 44 bytes.

Only the first part of the resulting SHA-1 hash is used as the RC4 key. SHA-1 produces 160 bits, i.e. 20 bytes, which takes 40 characters to express as a printable hex digest. The hash is converted to that hex digest and the first 7 characters, as ASCII text rather than raw hash bytes, are fed into the RC4 initialization function as the key. The RC4 decrypter then does its work on the 253 bytes of the challenge/response table. Two caveats for anyone tempted to read this as a cryptosystem: a 7-character hex key spans only 16^7 = 2^28 values, which is small enough to brute-force, and the key basis arrives in the same mode page as the ciphertext, so the RC4 layer is obfuscation rather than secrecy.

So that’s why I took to calling this the “Sphinx Protocol” — I felt like I was being challenged with a bizarre riddle. Perhaps that describes a lot of cryptosystems, though you have to admit it sounds kind of cool.

The decrypted challenge/response table contains 23 records of 11 bytes each (253 bytes in total). The record format is (again, multi-byte numbers are big-endian):

 byte  0     This is 1 if this challenge/response pair is valid
 byte  1     Challenge ID
 bytes 2-5   Challenge
 byte  6     Response ID
 bytes 7-10  Response
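The key derivation, RC4 decryption and record parsing described above, as an added example that is not part of the original post or of the dvdunlocker tool: a Python script built only from the layout and rules given here. The 44-byte key basis and the filler records are constructed values (the post does not print a real drive's key basis), the six valid records reuse the values from the decrypted OXM #16 table in the Example section, and the sample table is encrypted with the same derived key so the decoder can be exercised offline.

```python
import hashlib
import struct

# Offsets inside the 1636-byte mode page payload, as laid out in the post.
PAYLOAD_LEN = 1636
MODE_DATA_LEN = 0x0662                 # bytes 0-1: total length minus the 2 length bytes
TABLE_OFF, TABLE_LEN = 774, 253        # 23 records x 11 bytes
KEY_BASIS_OFF, KEY_BASIS_LEN = 1187, 44
NUM_RECORDS, RECORD_LEN = 23, 11
RECORD_FMT = ">BBIBI"                  # valid, challenge ID, challenge, response ID, response


def rc4(key, data):
    """RC4/ARCFOUR: key scheduling, then XOR the keystream over data.
    The cipher is symmetric, so the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def derive_rc4_key(key_basis):
    """SHA-1 over the key basis, rendered as a lowercase hex digest; the first 7 hex
    characters (as ASCII bytes) are the RC4 key. That is only 16**7 = 2**28 keys, and
    the basis travels in the same mode page, so this is obfuscation, not secrecy."""
    return hashlib.sha1(key_basis).hexdigest()[:7].encode("ascii")


def parse_records(table, count=NUM_RECORDS):
    """Split a decrypted table into dicts; big-endian fields as in the post."""
    records = []
    for n in range(count):
        flag, cid, chal, rid, resp = struct.unpack_from(RECORD_FMT, table, n * RECORD_LEN)
        records.append({"flag": flag, "valid": flag == 1, "challenge_id": cid,
                        "challenge": chal, "response_id": rid, "response": resp})
    return records


def decrypt_table(payload):
    """Check the fixed bytes, derive the key, decrypt and parse the table."""
    if len(payload) != PAYLOAD_LEN:
        raise ValueError("expected %d bytes, got %d" % (PAYLOAD_LEN, len(payload)))
    if struct.unpack_from(">H", payload, 0)[0] != MODE_DATA_LEN:
        raise ValueError("bad mode data length")
    if payload[772] != 1:
        raise ValueError("byte 772 is not 1")
    count = payload[773]
    if count > NUM_RECORDS:
        raise ValueError("record count %d exceeds table capacity" % count)
    key = derive_rc4_key(payload[KEY_BASIS_OFF:KEY_BASIS_OFF + KEY_BASIS_LEN])
    table = rc4(key, payload[TABLE_OFF:TABLE_OFF + TABLE_LEN])
    return parse_records(table, count)


def valid_pairs(records):
    """Indices of usable challenge/response pairs; the unlocker needs at least 2."""
    return [n for n, r in enumerate(records) if r["valid"]]


def build_sample_payload():
    """Constructed test vector, not captured from a drive. The six valid records reuse
    the values from the post's decrypted OXM #16 table; the other slots and the 44-byte
    key basis are made up. The plaintext table is RC4-encrypted with the derived key
    and placed at the documented offset."""
    key_basis = bytes(range(0x10, 0x10 + KEY_BASIS_LEN))
    from_post = {0: (174, 0x9F0A31AF), 7: (126, 0x5BA3FBD4), 12: (186, 0xC4820242),
                 15: (102, 0xFFB83D8D), 19: (16, 0x8557CCC8), 22: (252, 0xB3F22701)}
    table = bytearray()
    for n in range(NUM_RECORDS):
        if n in from_post:
            cid, resp = from_post[n]
            table += struct.pack(RECORD_FMT, 1, cid, 0xBD628255, 0, resp)
        else:  # filler: flag is 2 or 3, never 1, so it must not count as valid
            table += struct.pack(RECORD_FMT, 2 + n % 2, n * 7, 0x01010101 * n, n % 4, 0xA5A5A5A5 ^ n)
    payload = bytearray(PAYLOAD_LEN)
    struct.pack_into(">H", payload, 0, MODE_DATA_LEN)
    payload[772] = 1
    payload[773] = NUM_RECORDS
    payload[KEY_BASIS_OFF:KEY_BASIS_OFF + KEY_BASIS_LEN] = key_basis
    payload[TABLE_OFF:TABLE_OFF + TABLE_LEN] = rc4(derive_rc4_key(key_basis), bytes(table))
    return bytes(payload)


if __name__ == "__main__":
    records = decrypt_table(build_sample_payload())
    for n, r in enumerate(records):  # same column order as the post's tool output
        print("%4d: %3d, %3d: 0x%08X; %3d: 0x%08X%s" % (n, r["flag"], r["challenge_id"],
              r["challenge"], r["response_id"], r["response"], " ****" if r["valid"] else ""))
    good = valid_pairs(records)
    print("there are %d valid pairs in the list: %s" % (len(good), " ".join(map(str, good))))
    if len(good) < 2:
        print("fewer than 2 valid pairs: wrong key, or the table is still encrypted")
```

To use it against a real drive, replace build_sample_payload() with the 1636 bytes returned by the mode page read and keep the rest; the fewer-than-2 check is the same sanity test the post applies to tell a wrongly decrypted table from a correct one.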

Example
It’s useful to note that the challenge/response table and its associated key are different for every disc (at least all the ones I have looked at), yet stable for a given disc, so this data presumably comes from the disc itself.

Let’s examine Official Xbox Magazine disc #16 (Indiana Jones and The Emperor’s Tomb):


Xbox Magazine #16 featuring Indiana Jones

Before I decrypt the challenge/response table, it looks like this (each line reads: record index: byte 0, challenge ID: challenge; response ID: response):

   0: 180, 172: 0xEB100059;  66: 0xD56AFB56
   1:  34,  71: 0x8F9BF03A; 192: 0xC32CBDF8
   2: 226, 216: 0xA29B77F2;  12: 0x4474A6F1
   3:  72, 122: 0x9F5ABF33; 255: 0xC5E3C304
   4:   1, 103: 0x76142ADA; 233: 0xDE145D42 ****
   5:  49, 193: 0xA1CD6192; 189: 0x2169DBA5
   6: 182, 250: 0x9977894F;  96: 0x5A929E2B
   7: 148,  71: 0x6DD10A54; 115: 0xF0BDAC4F
   8:  12,  45: 0x5D5EB6FD; 148: 0x84E60A00
   9:  99, 121: 0xFEAED372; 201: 0xDA9986F9
  10: 172, 230: 0xE6C0D0B4; 214: 0x9050C250
  11:  84,  65: 0x95CB8775; 104: 0x550886C6
  12: 210,  65: 0x1ED23619; 171: 0x6DF4A35B
  13:   2, 155: 0xD0AAE1E0; 130: 0x00D1FFCF
  14:  40,   2: 0x172EFEB8; 159: 0x37E03E50
  15:  49,  15: 0x43E5E378; 223: 0x267F9C9A
  16: 240, 173: 0x357D5D1C; 250: 0x24965D67
  17:  80, 184: 0x5E7AF1A3;  81: 0x3A8F69A7
  18: 154, 186: 0x6626BEAC; 245: 0xE639540A
  19: 231, 249: 0xFABAAFB7; 227: 0x4C686A07
  20: 150, 186: 0x9A6D7AA3; 133: 0x25971CF0
  21: 236, 192: 0x5CD97DD4; 247: 0x26655EFB
  22:  68, 173: 0xE2D372E4; 207: 0x103FBF94
there are 1 valid pairs in the list: 4

My best clue that this undecrypted table is not the real one is that it has only 1 valid entry (marked by my tool with ****). The source I reverse engineered indicates that there need to be at least 2 valid pairs. After running the RC4 decryption on the table, it looks like this, and I get far more valid pairs:

   0:   1, 174: 0xBD628255;   0: 0x9F0A31AF ****
   1:   2, 176: 0x3151B341;   2: 0x9C87C180
   2:   3, 105: 0x018879E5;   1: 0xFF068B5C
   3:   2,   7: 0x1F316AAF;   3: 0xF420D3ED
   4:   3,  73: 0xC2EBFBE9;   0: 0x17062B5B
   5: 252, 163: 0xFF14B5CB; 236: 0xAF813FBC
   6:   2, 233: 0x5EE95C49;   1: 0x37AA5511
   7:   1, 126: 0xBD628255;   0: 0x5BA3FBD4 ****
   8:   3,   4: 0xB68BFEE6;   3: 0xA8F3B918
   9:   3,  32: 0xEA614943;   2: 0xA678D715
  10:   2, 248: 0x1BDD374E;   0: 0x8D2AC2C7
  11:   3,  17: 0x0EABCE81;   2: 0xC90A7242
  12:   1, 186: 0xBD628255;   0: 0xC4820242 ****
  13:   3, 145: 0xB178F942;   3: 0x4D78AD62
  14:   3,  37: 0x4A6CE5E2;   2: 0xBF94E1C6
  15:   1, 102: 0xBD628255;   0: 0xFFB83D8D ****
  16:   3, 122: 0xF97B0905;   1: 0x38533125
  17:   3, 197: 0x57A6865D;   2: 0xA61D31EF
  18:   3,  27: 0xC7227D7C;   2: 0xA3F9BA1E
  19:   1,  16: 0xBD628255;   0: 0x8557CCC8 ****
  20:   2,  53: 0x1DA9D156;   3: 0xC9051754
  21:   2,  90: 0x3CD66BEE;   3: 0xFD851D3E
  22:   1, 252: 0xBD628255;   0: 0xB3F22701 ****
there are 6 valid pairs in the list: 0 7 12 15 19 22

So, hopefully, I have the decryption correct. Note that all six valid entries carry the same 4-byte challenge value, 0xBD628255, and a response ID of 0; only the challenge ID and the response differ between them.

Also of note is that you only get one chance to get this unlocking correct: fail, and the drive won’t return a valid DVD structure block again. You will need to either reboot the Xbox or eject and close the tray before you get to try again.

Problems Making It Work In Linux
There are a couple of ways to play with SCSI protocols under Linux. In more recent kernels, SCSI-class block devices (which, under libata, includes ATA and ATAPI drives) are named /dev/sda, /dev/sdb, etc. Each of these block devices has a corresponding character device named /dev/sg0, /dev/sg1, etc., where ‘sg’ stands for SCSI generic. These character devices can be opened readable and/or writable, and raw SCSI commands can be written to them with write() and their data retrieved with read(). Pretty powerful.

Except that the one machine I still possess which supports 40-pin IDE/ATAPI devices runs Linux kernel 2.6.24, which dates to January 2008 and still enumerates IDE block devices as /dev/hda, /dev/hdb, etc., with no corresponding /dev/sgX character devices. What to do? It seems that a program can still issue SCSI commands to the block device itself through an ioctl() facility named SG_IO.

I was able to make the SG_IO ioctl() work for the most part (except for the discovery that the Xbox drive doesn’t respond to a basic SCSI Inquiry command). However, I ran into a serious limitation: a /dev/hdX block device can only be opened read-only when it belongs to a read-only drive such as a DVD-ROM (a read-write open fails), and through a read-only descriptor the kernel’s SG_IO command filter passes only the commands it classifies as read-safe. MODE SELECT counts as a write, so my tool can’t unlock the drive. For anyone reproducing this, the filter to read before patching anything is verify_command() in block/scsi_ioctl.c of the kernel in use: it holds the read-safe and write-safe opcode lists, and the 2.6-era version also carried a bypass for callers with CAP_SYS_RAWIO, so whether a root process on the ide-cd path still gets EPERM should be confirmed against that source rather than assumed.
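To show what the SG_IO path looks like in practice, here is an added example (not the post’s tool and not the dvdunlocker code): a Python script that packs a struct sg_io_hdr, issues MODE SENSE(10) on a drive and turns the command filter’s EPERM into a readable error. It assumes a Linux host and a device node such as /dev/sg0 or /dev/hdc, reads page 0x2A (the standard MMC capabilities page, chosen only as a known-good read; the page code the unlock actually uses is not given in the post), and the mode_select10() helper is there to demonstrate the failure mode on a read-only descriptor rather than to unlock anything.

```python
import ctypes
import fcntl
import os
import struct

SG_IO = 0x2285                      # ioctl number from <scsi/sg.h>
SG_DXFER_NONE, SG_DXFER_TO_DEV, SG_DXFER_FROM_DEV = -1, -2, -3
SENSE_LEN = 32

# struct sg_io_hdr from <scsi/sg.h>, in field order, with native alignment so the
# pointer members are the right width on both 32-bit and 64-bit userland.
SG_IO_HDR_FMT = "@iiBBHIPPPIIiPBBBBHHiII"


def sg_io_hdr_size():
    return struct.calcsize(SG_IO_HDR_FMT)   # 64 on 32-bit, 84 on 64-bit


def mode_sense10_cdb(page_code, alloc_len):
    """MODE SENSE(10), opcode 0x5A: page code in byte 2 (PC=0, current values),
    allocation length big-endian in bytes 7-8. Read-safe in the kernel's SG_IO filter."""
    return bytes([0x5A, 0, page_code & 0x3F, 0, 0, 0, 0,
                  (alloc_len >> 8) & 0xFF, alloc_len & 0xFF, 0])


def mode_select10_cdb(param_len):
    """MODE SELECT(10), opcode 0x55, PF=1: parameter list length in bytes 7-8.
    Classified as a write by the SG_IO filter, which is what the post runs into."""
    return bytes([0x55, 0x10, 0, 0, 0, 0, 0, (param_len >> 8) & 0xFF, param_len & 0xFF, 0])


def sg_io(fd, cdb, direction, data=None, timeout_ms=5000):
    """Issue one SCSI command through SG_IO. `data` is a bytearray used as the transfer
    buffer (filled for FROM_DEV, sent for TO_DEV). Returns (scsi status, sense bytes)."""
    cmd_buf = (ctypes.c_ubyte * len(cdb))(*cdb)
    sense_buf = ctypes.create_string_buffer(SENSE_LEN)
    if data:
        data_buf = (ctypes.c_ubyte * len(data)).from_buffer(data)  # stays alive for the ioctl
        dxferp, dxfer_len = ctypes.addressof(data_buf), len(data)
    else:
        dxferp, dxfer_len = 0, 0
    hdr = bytearray(struct.pack(
        SG_IO_HDR_FMT,
        ord("S"), direction, len(cdb), SENSE_LEN, 0, dxfer_len,         # interface_id .. dxfer_len
        dxferp, ctypes.addressof(cmd_buf), ctypes.addressof(sense_buf),  # dxferp, cmdp, sbp
        timeout_ms, 0, 0, 0,                                             # timeout, flags, pack_id, usr_ptr
        0, 0, 0, 0, 0, 0, 0, 0, 0))                                      # output fields, zeroed
    try:
        fcntl.ioctl(fd, SG_IO, hdr, True)
    except PermissionError as e:
        raise PermissionError("SG_IO rejected opcode 0x%02X: the block-layer command filter only "
                              "passes read-safe commands on a read-only descriptor" % cdb[0]) from e
    f = struct.unpack(SG_IO_HDR_FMT, bytes(hdr))
    status, sb_len_wr, host_status = f[13], f[16], f[17]
    if host_status:
        raise OSError("transport error, host status 0x%x" % host_status)
    return status, sense_buf.raw[:sb_len_wr]


def open_drive(path):
    """Try read-write first; a DVD-ROM drive refuses that, so fall back to read-only and
    report it, since MODE SELECT will then be blocked by the filter."""
    try:
        return os.open(path, os.O_RDWR | os.O_NONBLOCK), True
    except OSError:
        return os.open(path, os.O_RDONLY | os.O_NONBLOCK), False


def mode_sense10(fd, page_code, alloc_len):
    buf = bytearray(alloc_len)
    status, sense = sg_io(fd, mode_sense10_cdb(page_code, alloc_len), SG_DXFER_FROM_DEV, buf)
    if status != 0:
        raise OSError("MODE SENSE failed, status 0x%02x, sense %s" % (status, sense.hex()))
    return bytes(buf)


def mode_select10(fd, payload):
    status, sense = sg_io(fd, mode_select10_cdb(len(payload)), SG_DXFER_TO_DEV, bytearray(payload))
    if status != 0:
        raise OSError("MODE SELECT failed, status 0x%02x, sense %s" % (status, sense.hex()))


if __name__ == "__main__":
    import sys
    dev = sys.argv[1] if len(sys.argv) > 1 else "/dev/sg0"
    fd, writable = open_drive(dev)
    print("%s opened %s" % (dev, "read-write" if writable else "read-only (MODE SELECT will be refused)"))
    # Page 0x2A is the standard MMC capabilities page, used here only as a known-good read;
    # the post does not name the page code the Xbox unlock actually uses.
    page = mode_sense10(fd, 0x2A, 256)
    print("mode data length %d, header %s" % (int.from_bytes(page[:2], "big"), page[:8].hex()))
    os.close(fd)
```

The first two bytes of the MODE SENSE(10) response are the mode data length, the same field the post lists as bytes 0-1 of the 1636-byte payload, which is a quick way to confirm the transfer buffer was really filled.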

Current Status
So this is where my experiment is blocked right now. I have been trying to compile various Linux kernels to remedy the situation, but I always seem to end up in one of two situations, depending on the configuration options I choose: either the drives are enumerated with the /dev/hdX convention and I am stuck in read-only mode (with no mode select), or the drives are enumerated as /dev/sdX along with corresponding /dev/sgN character devices, in which case the kernel does not recognize the Xbox DVD-ROM drive at all.

This makes me wonder if there’s a discrepancy between the legacy ATA/ATAPI drivers (which see the drive) and the newer SATA/PATA subsystem, libata (which doesn’t). I also wonder about hacking the kernel logic to allow a SCSI mode select to proceed to the device through a read-only file handle.

4 thoughts on “Xbox Sphinx Protocol”

  1. Colin

    If I remember correctly back to my Linux SCSI experimentation days, in the 2.x series kernels, you could explicitly set an option to compile ATAPI as SCSI and then enable the SCSI generic interface, which would give you /dev/sgx access to ATAPI devices.

  2. RC

    You can get your /dev/sda device pretty easily. Should just need to pass the kernel a boot option like:

    hdc=ide-scsi

  3. lockecole2

    Have you tried looking at cdrtools’s libscg for generalized SCSI access? Maybe that might have a workaround for your kernel version.

    Not sure if it would make a difference in the library if you’re accessing a read-only device vs. a writer. I don’t think it makes that assumption.
