Secret 360 Death Switch?

The Xbox uses these blowable fuses to stop downgrading your kernel, so they're nothing new in that respect. One that can kill your whole machine is worrying, since they've already made mistakes when they ban people from Xbox Live.
 
I doubt it's even possible to be honest. Imagine a disgruntled Microsoft employee flicking that switch, an error somewhere, a bug, and the sheer challenge of hackers around the world attempting to break in and do damage.

Or even Sony/Nintendo entering the espionage arena claim the ultimate goal.

Nope, personally think it's nadgers.
 
These things have existed for ages. They're very commonly used to prevent firmware roll-backs on devices like the 360.
 
That was a very interesting fact.

These big companies with so much power over something they have sold... made me laugh.
 
Surely if it makes your 360 RROD then you send it back for another one? It has that E3 smell of bull about it lol.
Regarding efuses
Post here to clarify a few things about efuses and their possible use.

The technology of efuses is not new; they were the basis of old one-time programmable ROM chips (OTP-ROMs), the predecessors of today's EEPROMs and flash chips. You could write these chips once, by burning out bits with the writing voltage. When you were done with the programming, you could burn the write enable fuse and make the OTP-ROM a true ROM. Until the write enable bit was burned you could erase the memory by burning all fuses of an already written address (either to all zeros or all ones depending on the design). This technology is still in use in PIC microcontrollers with one-time programmable memory, but slowly gets pushed out by cheap flash-based ones. But even some flash-based ones have a write disable bit in their configuration range that allows full write or even external read protection. The technology is good enough to be used as memory, but the size of a classical efuse comes from the 20-year-old process that first employed them, so they are quite large compared to today's transistor sizes. The programming is usually done with a serial programming interface and once completed, it cannot be undone.

Now for the uses of such circuits. They are used on today's Intel cpus to disable certain features, lock clock frequencies and allow higher yields by allowing redundancy in certain circuits. On the normal IBM Power cores, they are used to disable broken cache lines and activate the reserved backup lines. They can be used to deactivate certain computing elements too and to allow for a microcode patch. The IBM Cell cpu has 8 i/o processors but only 7 of them are active. One is a manufacturing reserve, so if one of the 7 cores blows during manufacturing they can use the reserve one and still sell the cpu as a fully working one.

Another use for efuses is the secure storage of serial numbers and encryption keys. Once programmed, the only way to read them would be to cut the chip and use an electron microscope to scan them in. This was reportedly done by some Eastern European nations during the Cold War.

What is needed for a secure cpu? A public/private keypair that is unique for every cpu, and the public part of the manufacturer key so they can issue bulk software. According to the IBM documentation, there is a possibility that some parts of the cpu cache are never swapped out. The graphic chip reportedly uses this area for communication with the cpu. The so-called hypervisor can reside in this memory area too. During the boot process, the cpu reads in a flash chip and decrypts its contents with its private key. The chip is encrypted with the cpu's public key, so only the cpu could read it. All normal memory contents that get swapped out of the cpu's L2 cache into the system memory will also get encrypted with the same key or some faster symmetric block cipher based on the private key. The os that later gets loaded into the system can't decrypt data signed by the manufacturer. For this it has to ask the hypervisor. So the encryption is double: everything in ram is encrypted by the cpu key and every data that is on an inport media is encrypted by the manufacturer key. The os can't break the cpu key since it never sees it and can't break the manufacturer key, because the hypervisor never lets the os touch it. The hypervisor can even check the os and even every data file for consistency and refuse to boot it if it's not signed with the right key.

For secure network communications we need two keypairs. A private/public pair on each side and the other side's public key, so man-in-the-middle attacks can be detected. For normal public key exchange there is a fingerprint, but it has to be validated on a different channel; this is what certificate providers are for. If the public keys are exchanged during manufacturing there is no need for that. This model also allows device-locked downloads, where the content is encrypted with the public cpu key, only allowing the content to be played back on the hardware that has the right key embedded. This technology is already in use by some mobile phone manufacturing companies like Sony Ericsson, but its usage is currently not enforced by network operators.

In the end, some speculations and some advice. First, there is a high chance that the new Cell chip, also made by IBM, will have a similar strategy, since the hypervisor can allow unsigned content or even a full os (Linux) to be run on a system, even along with trusted content. For the Xbox 360, a good example of this is the possibility of external flash connectivity for the playback of unsigned mp3s.
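
An added illustration, not part of the original post and not any console's actual firmware: a small C model of the one-way fuse behaviour and the firmware roll-back check discussed in this thread. The `fuse_bank` layout, the function names and the one-fuse-per-version counting scheme are assumptions made for the example.

```c
#include <stdint.h>
#include <stdio.h>

/* Simulated one-time-programmable fuse bank (constructed for illustration). */
typedef struct {
    uint32_t bits;     /* 1 = blown; a blown fuse can never be restored */
    int write_locked;  /* set once the "write enable" fuse has been burned */
} fuse_bank;

/* Burn fuses: bits only ever go 0 -> 1. Returns 0 on success, -1 if locked. */
int fuse_burn(fuse_bank *f, uint32_t mask) {
    if (f->write_locked) return -1;
    f->bits |= mask;
    return 0;
}

/* Burning the write-enable fuse turns the bank into a true ROM. */
void fuse_lock(fuse_bank *f) { f->write_locked = 1; }

/* Lowest firmware version still allowed = number of blown fuses. */
int fuse_min_version(const fuse_bank *f) {
    int n = 0;
    for (uint32_t b = f->bits; b; b >>= 1) n += (int)(b & 1u);
    return n;
}

/* Boot-time check: 1 = image may boot, 0 = refused as a roll-back. */
int boot_allowed(const fuse_bank *f, int image_version) {
    return image_version >= fuse_min_version(f);
}

/* After an update, blow fuses 0..new_version-1; the count cannot go down. */
int commit_version(fuse_bank *f, int new_version) {
    if (new_version < 0 || new_version > 32) return -1;
    if (new_version < fuse_min_version(f)) return -1;
    uint32_t mask = new_version == 32 ? 0xFFFFFFFFu : ((1u << new_version) - 1u);
    return fuse_burn(f, mask);
}

int main(void) {
    fuse_bank f = {0, 0};
    commit_version(&f, 3);                                  /* update to v3 */
    printf("boot v2: %d\n", boot_allowed(&f, 2));           /* older image */
    printf("boot v3: %d\n", boot_allowed(&f, 3));           /* current image */
    printf("rewind to v2: %d\n", commit_version(&f, 2));    /* cannot un-blow */
    return 0;
}
```
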
 
There are many more uses for efuses, they are just the oldest uses.

Really? I didn't know that ;) I was just trying to show that it's nothing scary or Big Brother-esque. More of a case of don't worry about it, it's something that has been in plenty of electronic equipment for years; never heard of it being used to shut something down in commercial use.
The bit about scanning ICs: my company, being involved withend comms, avionics and defence, used to use efuse to create a false die as such so it couldn't be read correctly this way.
 
Reminded me straight away of the old pic:

computerbomb.jpg
 
A lot of technology supports this. Sky and cable used to use this method if they knew someone had an illegal box many years ago; I witnessed it when I was on holiday in Spain 10 years ago, so it's nothing new.

If anything is connected to the internet it can be taken out with the right skills, but I don't think someone like MS would ever do this without a lot of evidence to back up their case.

If you read it it does say he was laid off so I think that hints they would be holding a grudge.
 