The Xbox™ video game console from Microsoft® is an exciting piece of hardware, and not just because it can play the latest video games. The powerful and cheap Xbox has the potential to be used as a PC, an all-in-one media player, or even a web server. Unfortunately, there is a dearth of books that can teach a reader how to explore and modify modern electronic hardware such as the Xbox. Most electronics textbooks are theory-oriented and very focused, whereas real hacking requires a broad set of practical skills and knowledge. Also, the few practical books on hardware hacking that I had as inspiration as a child have long been outdated by the fast pace of technology. This book is intended to fill the need for a practical guide to understanding and reverse engineering modern computers: a handbook for a new generation of hackers.
The ultimate benefit of hacking the Xbox is its educational value, or as the saying goes, “Given a fish, eat for a day; learn to fish, eat for a lifetime.” Hence, this book focuses on introducing basic hacking techniques — soldering, reverse engineering, debugging — to novice hackers, while providing hardware references and insight that may be useful to more seasoned hackers. The Xbox has served to educate both the security community and the hacking community: not because it is an outstanding example of security, but because it is a high profile, high volume product made by a large company whose focus was recently defined to be security by its chairman.[1] The Xbox experience shows that building trustable clients in a hostile user environment is hard, even for a large, well-funded company. One observation is that this risk and difficulty of building cheap, trustable hardware clients places an upper bound on the importance of the secret that can be trusted to such client hardware. In addition, the Xbox provides a consistent teaching example, with almost 10 million nearly identical units out there at the time of writing. The similarity of the Xbox’s architecture to a vanilla PC adds even more educational value to Xbox hacking, since much of the discussion in this book also applies directly to the much broader subject of PCs.
Another interesting aspect of Xbox hacking is the underground society of hardware hackers following the Xbox. The people who hacked the Xbox and the expertise they attained will be relevant long after the Xbox has become a dusty yard sale piece. Hence, there is a conscious social focus to this book. I have included profiles of a sampling of Xbox hacking personalities. The hope is to inspire people, through role models, to pick up a screwdriver and a soldering iron and to start hacking. Instilling this sort of exploratory spirit in the younger generations will be important in the long run for preserving the pool of talented engineers that drove the technology revolution to where it is today. Many of today’s engineers got their start hacking and tinkering with ham radios, telephones and computers which, back in that day, shipped with a complete set of schematics and source code. This pool of engineering talent is essential for maintaining a healthy economy and for maintaining strong national security in the computer age.
2002 was a year marked by turmoil, not only abroad, but also in the technology marketplace; PC sales flattened, the server business shrank, and the telecommunications market, with a few exceptions, looked dismal. Despite the bear market for technology, the video game hardware, software and accessories market had a landmark year, hitting a total dollar sales of $10.3 billion — a 10% increase over 2001.[2] This is comparable to the recording industry’s sales of $13 billion in the US in 2001.
Even though the market for video games is large, running a profitable console business is a daunting challenge. Video game customers are picky, trendy, and frugal. They demand high-performance, sexy console hardware at the price of a fancy family dinner or a visit to the doctor. This combination of frugality with an expectation for high performance game hardware forces console vendors to sell their hardware at a loss. As a result, a “closed-console” business strategy is used by console vendors: the console is sold as a loss leader, and profits come from future sales of video game titles. This business strategy requires a large amount of up-front investment in console hardware and in advertising. It is the console manufacturer’s responsibility to create a market for their hardware so that game developers feel comfortable investing their time and money in the platform.
The Catch-22 is that nobody wants to buy a console that has few game titles. Thus, the risk of building and deploying millions of units of hardware, and the hundreds of millions of dollars of up-front losses taken on the hardware, is shouldered almost entirely by the console manufacturer. As a result, there are currently only three players in the game console business today: Sony, Nintendo, and Microsoft. Of these three, Sony has a head-and-shoulders lead in the console market, while Nintendo has cornered the handheld market with its Gameboy line of products. Microsoft is the new player in the game console market. The race for second place is yet undecided. In early 2003, Gamecube sales were leading Xbox sales in Japan and Europe, while the Xbox maintained a sales lead over the Gamecube in the huge North American market.
Crucial to the success of the closed-console business model is the idea of locking consumers into buying only approved, royalty-bearing game titles. In other words, piracy and unapproved game titles can destroy the profitability of the business. Hence, a console must employ security mechanisms that hamper game copying and unapproved game development and distribution. The failure of the Sega Dreamcast is a salient example of what happens when security mechanisms fail.
The Dreamcast was launched in Japan in November 1998. Production problems with the NEC PowerVR2 DC chip, the graphics accelerator used by the Dreamcast, limited initial shipments. The following three years were a rollercoaster ride for the Dreamcast. Popular games such as Soul Caliber, Dead or Alive 2, Resident Evil, Crazy Taxi and Shen Mue buoyed the Dreamcast’s popularity, while Sony’s Playstation2 launch ate away at the Dreamcast’s sales and ultimately the confidence of software developers. Ironically, the quality of the Dreamcast graphics was equivalent or superior in quality to early Playstation2 titles, such as Dead or Alive 2, despite the extra horsepower packed by the Playstation2. (The Playstation2 is difficult to program, and it took a couple of years for developers to realize its full potential.)
The final nail in the Dreamcast’s coffin was hammered in the spring and summer of 2000. A German hacker group, Team Utopia, discovered a back door inside the Dreamcast’s mask-ROM BIOS that allowed the Dreamcast to boot from a standard CD-ROM. Nominally, the Dreamcast uses a proprietary format called the “GD-ROM” for game distribution. The GD-ROM format cannot be copied using standard CD or DVD burners. However, the back door in the Dreamcast’s ROM BIOS enabled pirates to eventually create monolithic CD-ROM images of video games that were bootable without any need for hardware modification. Who was going to pay for a game when it could be downloaded for free on the internet? The resulting rampant piracy diminished game sales, discouraging game developers from developing for the console and damaging Sega’s business. Six million units sold, and about three years after its launch, the Dreamcast was pulled from the market. Now, Sega is exclusively in the game development business, and even makes games for their former competitors Sony and Nintendo as well as Microsoft.
While there are many lessons to be learned from the Dreamcast experience, this message is clear: the ability to run code from near-free sources such as CD-Rs, DVD-Rs, or the network, without significant hardware modifications, is the kiss of death for any console business based on the closed-console model. This is a brutal problem for the Microsoft Xbox, since it is built from standard PC hardware originally designed to be open and to run code loaded from numerous sources. Hence, Microsoft’s fate in the console market is intimately linked to the success and robustness of the Xbox security system. The security system has held up fairly well so far: all of the weaknesses found require at least a solderless, warranty-voiding modification to be installed. The need for hardware modifications limits the practical impact of these weaknesses, since most users are afraid to take the cover off their appliances. However, there is an intense desire from multiple groups, legitimate and illegitimate, to get the Xbox to run code from arbitrary sources without hardware modifications.
The Xbox is a victim of its own design: the choice to use standard PC hardware vastly increases the value of an “opened” Xbox to hackers and pirates alike. The Xbox is a rather satisfying target for weekend hackers and hobbyists for the same reason Microsoft adopted the PC architecture for the Xbox: existing PC programs are easily ported to the Xbox. In addition, there is a wide and deep knowledge base about PC hardware, so the learning curve for hacking the Xbox is not as steep as for other consoles. On the other hand, the Playstation2 and the Gamecube have a steep learning curve and they also have architectural limitations that hamper the porting of most PC applications. The Xbox is also a popular target for pirates because of the ease of porting legacy game emulators, and because of its high profile and ease of obtaining compatible debugging and testing hardware.
Additionally, the similarity of the Xbox architecture to the PC architecture makes the Xbox a good educational vehicle. The knowledge gained from this book applies to more than just embedded hardware or game consoles; you should be able to apply most of the knowledge in this book directly to PCs. Also, vast documentation resources applicable to the Xbox, inherited from the PC world, are conveniently indexed by web search engines. The ready availability of documentation will assist motivated readers to build upon the knowledge contained in this book.
The Xbox is also a more appealing educational example than the run-of-the-mill PC. There is too much variation between the hardware details of PC implementations to make useful step-by-step hacking guides for the PC, whereas step-by-step guides for the Xbox are guaranteed to be accurate across millions of units that are conveniently available for purchase in almost any mall or electronics retailer.
This is a book about hacking in the traditional sense: about the process and methods of exploration. Some may be surprised that this book doesn’t have chapters devoted to ripping games and patching specific security checks — after all, isn’t that what hacking is all about? In reality, the term “hacker” has evolved quite dramatically over the years as the public’s awareness of technology has increased and as a sensationalist mass media continues to color the public’s opinion of hackers.
In the beginning, a hacker was someone who worked passionately for the sake of curiosity and exploration. There were hardware hackers who took it upon themselves to remove the covers from computers to optimize their design (early computers were built out of discrete components, so they could be modified in meaningful ways with simple tools), and there were software hackers who labored to make the most compact and elegant code, since computational resources were scarce and slow. There were hackers who explored the ins and outs of the phone system, and those who explored the roofs and tunnels of buildings of university campuses. Quite often, early hackers engaged in all of these activities. Hackers would share their findings or results (hacks) with each other freely, as their rewards were not financial, but came from satisfying their intellectual curiosity and from the enthusiasm of their peers. As a result, hackers tended to form into meritocratic groups where membership and advancement were based entirely upon a person’s ability to hack.
As technology evolved and computers became faster and more integrated, hackers found that the effort involved in hardware hacking was not worth the benefits. The interesting pieces of computers were quickly becoming buried deep within hermetically sealed ceramic packages, etched into silicon structures that were difficult to see even with a good microscope. A difficult hardware hack that might double the performance of a computer was made moot within months by Moore’s Law.
On the other hand, software hacking was beginning to focus more on applications and less on algorithms or optimization. The compactness or elegance of a program was no longer directly important as memory and processor power became cheap and plentiful. Besides, compiler technology had also improved to the point where compiled code ran almost as fast as hand assembly. By the late 80s, the term “hacker” had grown to imply someone who could write volumes of C code in their sleep and create brilliant applications overnight. The old hardware hackers were either converting to software hackers, or retreating to university labs and corporations that could afford to support their expensive hobbies.[3]
The term “hacker” at that time was increasingly associated with people who cracked passwords and programs to gain access to machines and software that was otherwise off limits. Hollywood was partly responsible for this stereotype, with a slew of movies that portrayed teenagers bringing the world to the brink of nuclear annihilation with a few keystrokes, or closet geniuses creating artificially intelligent cybermonsters in their basement.[4] Unfortunately, the hyperbole of these movie plots was lost on the general public, and this dark impression of hackers eventually became a dominant part of the hacker stereotype. The inaccuracy of this stereotype contributed to the creation of a term for hackers that focuses primarily upon cracking systems and programs — “crackers.”
Technology shapes the contemporary hacker as much as hackers have shaped technology. New generations of hackers have to work hard to penetrate the “friendly” user interfaces and the media and marketing glitz that surrounds computer technology today. Everybody uses computers and expects them to perform flawlessly and intuitively, but few really understand what’s going on underneath the hood.
The technology of computation has grown so complex that beginners are increasingly like the parable about the seven blind men and the elephant. Some beginners will start their hacking journey by exploring the Internet. Others will start by exploring the operating system on their computer. Still others will start by looking underneath the covers of their computer. Each individual could spend a year exploring their facet, yet each will have a distinctly different view about computer technology at the end of the day.
The cultural rift between the young hackers and the old guard was made apparent to me when a self-proclaimed hacker hot-shot freshman at MIT scoffed, “Where are all the Windows[98] computers? . . . all you have are these lame Sun computers that don’t even have AOL! I thought MIT would have good Internet access.” He seemed to have no comprehension of the fact that the “lame Sun computers” were quite powerful workstations running one of the most robust operating systems in the world, and that there is Internet beyond AOL — moreover, that the MIT campus was one of the birthplaces of the Internet, with rights to more IP addresses than most ISPs and a direct connection to the backbone of the Internet.
The penetration of computer technology into every corner of everyday life intensified the hacker stereotypes. In particular, the media’s portrayal of hackers as modern-day Robin Hoods has somehow irrevocably tied hacking to aspects involving security or access to computer resources. Now, the stereotypical hacker is responsible for warez, Code Red and ping floods, while “developers” are responsible for Linux and BSD. Hackers are 31337 d00ds that 0\/\/n jh00r b0x0r, and a hardware hacker overclocks and mods their computer case with neon lights. Hacking has become trendy, and many are striving to fit the stereotype created by the media. It is very difficult today to convince people that I hacked the Xbox solely because it was there to be hacked: it was challenging, and it was new. Likewise, it is difficult for people to understand why I haven’t worked on the Xbox since. After hacking the security on the Xbox, all that is left is a standard PC — which, to me, is not that interesting to work on, and definitely not worth the risk of a lawsuit from Microsoft.
The introduction of the Digital Millennium Copyright Act (DMCA) in 1998 took cryptography out of the hacker’s domain — the law now spells out that only researchers “engaged in a legitimate course of study, is employed or is appropriately trained or experienced”[5] are allowed to investigate cryptographic methods for protecting access rights to works. As a result, Xbox hacking has been a politically charged topic. It is a battle between hackers and lawmakers to keep cryptography within the legal rights of hackers.
Microsoft’s laudable reaction to Xbox hackers — that is, no persecution or attempt so far to shut down Xbox hacking projects — will hopefully serve as a role model to others thinking about using the DMCA to stop hacking activities. Despite all of the Xbox hacks out there, Microsoft still enjoys robust sales of games. All of the interest and buzz generated by Xbox hacking may have increased Microsoft’s sales more than piracy has hurt them. (Of course, I am sympathetic with the hackers, so my interpretation of the situation is biased. A more subjective and informed legal analysis of reverse engineering can be found in Chapter 12, “Caveat Hacker,” by Lee Tien of the Electronic Frontier Foundation.)
The most alarming aspect of the DMCA for hackers is that it embodies the fallacy that the only sources of innovation of benefit to society lie within the halls of research institutions and corporations. Suddenly, it is a crime to explore, in the comfort of your own home in pursuit of your hobby, the cryptographic methods used to secure access rights. Restricting the research of such technology to only established institutions disallows the possibility of technology development by unaffiliated individuals. Without the freedom to research and develop technology in their own garage, where would the likes of Bill Hewlett and Dave Packard, or Steve Jobs and Steve Wozniak be today? Would we have Linux and netBSD if the right of hackers to express themselves freely in code was regulated?
For every copyright protection scheme that is defeated by a hacker, there is someone who learned an important lesson about how to make a better protection scheme. To pass laws that regulate the research of technological measures that protect copyrights and the dissemination of such results is to concede that copyright technology is broken and can never be improved — that the only possible outcome of allowing common people to understand copyright control technology is the demise of the technology. I offer a counter to that mindset: some of the best peer review that I received on my Xbox hacking work did not come from the academic community. It came from individual hackers around the world — especially in foreign countries — who have been free to explore and understand access control technologies. The stricter laws in the U.S. and the litigious nature of corporations have already negatively affected the U.S.’s standing in electronic security, and this is just the beginning.
The societal impact of the DMCA is being felt by hacker communities around the world. During the course of my work on the Xbox, I had the good fortune of meeting brilliant hackers across the globe. Hackers in America were some of the most fearful of the group, and even though they were talented engineers, they were loath to apply their skills to such problems for fear of persecution. The result is that some of the most interesting results in Xbox hacking are garnered by European and Asian hacker communities. Significantly, these results are not well known in America, as these hackers have little motivation to make the effort to share their findings with Americans. In fact, many foreign hackers make a conscious effort to keep their findings from leaving their communities, for reasons including a fear of retribution by American corporations. This “brain drain” does little to strengthen America’s competency in a technology as important as fair and effective digital copyright control. And in today’s global economy, American corporations cannot survive by pretending to do business in a vacuum.
One may point to the successful publication of my paper on the Xbox security system as an example of how the DMCA works to protect both free speech rights as well as economic interests in copyright control technology. My situation was not typical for most hackers in the US. Since I was a graduate student at the time, I had no family to worry about or significant assets to lose if I were to get involved in a lawsuit over my work. I also had the generous legal assistance of the Electronic Frontier Foundation (EFF) to help guide me through the legal minefield. The EFF helped position my paper in the most legal light possible, informing me of my rights and obligations under the DMCA.
For example, I am required to “make a good faith effort to obtain authorization [from Microsoft] before the circumvention.”[6] (Note that authorization is not required, but the good faith effort is.) The EFF helped me draft such a letter for research. I also had to fight MIT to allow my research to be published as an affiliated entity. All of the direct effort of reverse engineering the Xbox security was funded out of my own pocket, conducted in my apartment, and done after-hours on my own time. MIT initially took advantage of this fact to separate themselves from my work, forcing me to seek out the counsel of the EFF. MIT finally capitulated and allowed me to publish my paper as a student of MIT after much cajoling by sympathetic professors and after I had received a constructive, non-threatening letter from Microsoft about my research.
Freedom of speech should not require a lawyer, and free thought should not involve letters of authorization for research. I fought to publish my paper because I had nothing to lose, and because I believed in making a statement about my rights as a hacker. Unfortunately, there is a silent majority of hackers out there who have families to feed and jobs to lose, and not everyone can be so fortunate as to have the EFF helping them out.
This book you are reading is yet another example of how the DMCA has a chilling effect on free speech. Originally commissioned by the technical publisher, John Wiley & Sons, Ltd., this book was cancelled in the last hour over fears of lawsuits and backlash from Microsoft. Such censorship is frustrating and discouraging, and perhaps some authors would have stopped there and allowed their voice to be silenced by fear. I am taking the legal and financial risk of self-publishing this book to make a statement about my right to free and unimpeded speech as a hacker. Even this path is not free of impediments, however. The book pre-order process was suspended on its second day because the original e-commerce provider, Americart, “declined to offer [me] cart service for selling hacker materials . . . $15 per month doesn’t pay for us to take the risk of being named in a DMCA suit.”
I must emphasize that this book does not infringe on Microsoft’s copyrights, and the knowledge presented in this book cannot be directly applied to copyright circumvention. To perform an infringing act, one would have to hone their skills and apply a substantial amount of additional art and know-how aimed specifically at copyright control circumvention. To claim that this book is a circumvention tool would be tantamount to claiming that all books about circuit boards, embedded software or cryptography are also circumvention tools.
The scope of the DMCA with respect to the “fair use” of hardware is another important political topic with enormous economic repercussions. Is it illegal to modify or circumvent a cryptographically secured boot sequence for the purpose of running alternate, legitimately purchased or created, software? This question may be decided in part by the fate of Xbox hackers. A strict interpretation of the reverse engineering exemption of the DMCA[7] reveals strong arguments for making such acts of circumvention illegal.
In particular, reverse engineering is only allowed for interoperability, where interoperability means “the ability of computer programs to exchange information, and of such programs mutually to use the information which has been exchanged.” But this definition contains two potential land mines: First, circumventing hardware-based security measures is arguably different from circumventing a program’s (software) security measures. It may not be a very strong argument technically, but the clause has yet to be legally tested, to the best of my knowledge. Second, the purpose is not really to exchange information with the hardware security measures — it is to bypass them.
The final argument against allowing the reverse engineering of the hardware security mechanisms is incidental copyright circumvention. The information gained through the process of reverse engineering can be applied equally to create copyright circumvention devices. In other words, the basic research that enables interoperability, at least in the case of the Xbox, may also be applied indirectly to those wishing to construct circumvention devices. As it turns out, some very specific design flaws in the Xbox enable boot security circumvention without necessarily enabling copyright circumvention, though these flaws may be patched in the near future, bringing us face to face with our original question.
There are significant economic implications if it turns out that “fair use” does not cover the reverse engineering of Xbox security for the purpose of running alternate applications. The most significant implication is that Microsoft can sell legally restricted hardware to end users, locking users into their software base. This can be used to create an unbreakable monopoly over computer hardware and software. For example, Microsoft could offer subsidies to vendors that elect to secure their hardware to run Microsoft’s operating system. This financial incentive will be transferred to customers, who will be motivated to buy the discounted hardware. Once a significant portion of the installed base of hardware is locked into Microsoft’s operating systems, Microsoft can set prices for their products in a competition-free market, since it would be illegal for anyone to run any other operating system on locked hardware.
In reality, this scenario might be difficult for Microsoft to execute even if the DMCA did restrict the fair use of hardware, since government and civic bodies are closely monitoring Microsoft’s activities for monopolistic behavior. However, in other emerging markets, such as smart cell phones, PDAs and set-top boxes, it may not be unrealistic for a vendor to try to gain an edge over the competition through such low-ball tactics. At least, such tactics can be used to stall competition for the duration of the court proceedings, which may be long enough to cause irreparable harm to the competition’s market position. It is because of these concerns that many Xbox hackers have been consciously acting to express their political beliefs through their engineering efforts.

[Photo: The author at his workstation.]
Throughout this book, I include profiles of various hackers who have agreed to be interviewed. This set of hackers is by no means the only set of hackers; in fact, it is a self-selecting group, since many hackers work in secrecy for fear of persecution or because they are employed by companies with strong connections to Microsoft. The goal of these interviews is to introduce a little bit about the people behind the hacks, and to introduce their motivations and methods to promote understanding and to inspire new hackers to join our ranks.
Let me start the process by introducing myself. I’m Andrew “bunnie” Huang; most people call me bunnie. As of this writing, I was 27 years old, the son of Andrew C. and Margaret Huang. I was born and raised in Kalamazoo, Michigan, but I currently live in San Diego, California, with my wonderful fiancée, Nikki Justis. I recently graduated from MIT with a PhD in Electrical Engineering. One of the reasons I was selected to write this book about Xbox Hacking is because I discovered and published the first known weakness in the Microsoft Xbox’s security system.
In general, I hack because it is quite satisfying to know that somebody’s life was made better by something I built. I feel it is my obligation to apply my talents and return to society what it has given me. I also enjoy the challenge of exploration. I want to understand electronics as deeply as I can. Black boxes frustrate me; nothing gets my curiosity going more than a box that I’m not allowed to open or understand. As a result, I have a fiduciary interest in cryptography and security methods.
I hack hardware because I enjoy the aesthetics of electronics; there is something satisfying about having a tangible artifact at the end of the day, as opposed to ephemeral bits of software code. It may sound a little bit silly, but one of my pastimes is taking apart electronic devices and “reading” the circuit boards. There is something exciting about the smell of brand new electronics equipment, fresh out of their anti-static bags; I think it is the smell of a new adventure unfolding. It is inviting, like a stack of blank paper: I wonder what I will do with those blank pages. A stack of blank, white paper stands there and challenges me to fill it with useful information.
My inquisitive nature stems from my childhood. When I was about seven years old, my father bought an Apple II clone. He bought just the motherboard, so it didn’t have a case. I still remember when he first took it out of the box – the green circuit board, the shiny chips, and all the colorful resistors and capacitors. I wanted to play with it! Curious as I was about the Apple II, I was not allowed to touch the motherboard. Of course, this meant that whenever my parents weren’t looking, I was taking the chips out of their sockets on the motherboard and doing silly things like putting them in backwards to see what would happen.
After nearly destroying the computer a few times, my parents bought me a 200-in-1 electronics experimenter kit from Radio Shack and my first electronics book, Getting Started in Electronics, by Forrest Mims, III. These were a great introduction to electronics for me, as they satisfied my desire to play with circuits and components. My uncle also gave me his old copy of the Art of Electronics by Horowitz and Hill, along with a couple of books about microprocessors. I subscribed to Byte magazine, which back in the day included regular columns about hardware projects, complete with schematics and pictures.
Eventually, I developed enough of a sense of electronics to begin understanding the schematics and the ROM listings included in the Apple II user manuals. (I still believe that computers should ship with full schematics and source code.) By the eighth grade, I had developed just enough understanding to be able to build my own add-in card for the Apple II. The card had a General Instruments SPO-256 speech synthesizer that I had purchased from Radio Shack. I also added an analog to digital converter to my Apple II and wrote an application that turned my Apple II into a talking voltmeter. I continued to build hardware, and before I was admitted to MIT I had built my own working embedded computer using an 80188 microprocessor.
During my undergraduate years at MIT, I dodged the drudgery of schoolwork by building fun little projects, such as a remote controlled light switch and music-responsive party lights for my fraternity, ZBT. It was during these years that I was first introduced to affordable prototyping services and PCB CAD tools, such as those discussed in Appendix C, “Getting Into PCB Layout.”
The rise of circuit board fabrication services to fit a college student’s budget is a landmark event for hardware hackers. Finally, the wire-wrap tool can be put away, and surface-mount components and complex circuits are within the reach of everyday hobbyists.
Over the years, I have made a point of writing up my projects on my webpage (http://www.xenatera.com/bunnie) so that everyone can benefit from my experiences. Many of my projects are available with schematics, Gerber files and source code, although some of my more recent projects have been consulting jobs so I unfortunately cannot share those results with the world.
While I have your attention, I would like to set one thing straight. I did not get my PhD thesis at MIT for hacking the Xbox. Hacking the Xbox was actually a diversion from my thesis that was tangentially related, but not central to my thesis topic.
My thesis on supercomputers8 focused on an architecture for efficient code and data migration. My interest in video game consoles stems from my natural curiosity about all hardware combined with the encouragement of my thesis adviser, Dr. Tom Knight. Video game consoles represent the pinnacle of performance per cost, and cost is a significant issue for supercomputers today. Hence, I was encouraged to look at all video game consoles to see what I could learn about building cost effective hardware. The fact that the Xbox also had an interesting security system was a bonus; since government agencies have a great interest in supercomputer technology, the security of supercomputers is always a topic for consideration. (In fact, a very interesting paper about building trustable computers9 was written by colleagues in my research group; I recommend reading it if you are curious about alternatives to cryptographically secured trusted computing platforms, such as Palladium and TCPA.)
My best advice to aspiring hardware hackers is to be persistent and to be thorough. Significantly, persistence and thoroughness come naturally if you love what you are doing. Also, part of being a hardware hacker is being a pack rat. Buying new equipment is prohibitively expensive, so I accumulate broken and depreciated equipment and tools habitually, even if I don’t know exactly what I might do with them, or if I can fix them. It turns out that trying to fix test equipment is a learning experience in itself, and can be quite rewarding even if the conclusion is to junk the darn thing for spare parts.
To quote former Apple Evangelist and current Executive of Garage Technology Ventures Guy Kawasaki, “eat like a bird, poop like an elephant.” Kawasaki points out that a hummingbird eats the equivalent of 50% of its body weight every day. Hence, eating like a bird means that you should have an endless appetite for information. Subscribe to free electronics trade magazines, browse the web (but be selective about the sites you browse — you are what you eat), go to free trade shows and sign up for every catalog and periodical you can get your hands on; take apart every piece of electronics that you own and your friends’, and try to learn all you can from their design.
In hardware hacking, half of your most difficult problems can be solved or made easier by just using the right selection of components or techniques. “Poop like an elephant” refers to sharing your information and discoveries with your fellow hackers. No matter how much information you digest, you can never know it all. Sharing your findings freely invites the advice and good will of fellow hackers and leads to a synergy of minds. Especially in hardware hacking where all results have a basis in tangible artifacts, hiding your techniques and results only means that other people will eventually re-invent your work without your help. On the other hand, do exercise some judgment in what you say or share; people only have so much bandwidth and they will listen more closely if you share results that are new or interesting in some way.
That being said, pick up a screwdriver, and let’s start hacking!
1 “Trustworthy Computing” by Bill Gates, http://www.microsoft.com/mscorp/execmail/2002/07-18twc.asp
2 source: NPDFunworld
3 The good news is that hardware hacking technology has been catching up with Moore’s Law lately, leading to a hardware hacking renaissance. Affordable circuit board fabrication services have sprung up, and the birth of the Internet has simplified the process of acquiring components. In addition, services such as the Mosis chip foundry service and FIB (focused ion beam) services have started to bring integrated circuit hacking into the realm of financial possibility for individual hardware enthusiasts.
4 Rodney Brooks, the Director of the Artificial Intelligence lab at MIT, once said that the Hollywood idea of a crackpot inventor making an artificially intelligent being in their basement was about equivalent to someone building a 747 jumbo jet in their backyard.
5 17 U.S.C. § 1201(g)(3), Factors in determining exemption. Of course, the meaning of “appropriately trained or experienced” is not defined. I think that the best training for applied cryptography research should involve some practical hands-on experience hacking real cryptosystems.
6 17 U.S.C. § 1201(g)(2), Permissible acts of encryption research
7 17 U.S.C. § 1201(f), Reverse Engineering
8 The text of my PhD thesis can be found at http://www.xenatera.com/bunnie/phdthesis.pdf
9 “A Minimal Trusted Computing Base for Dynamically Ensuring Secure Information Flow” by Jeremy Brown and Tom Knight can be found at http://www.ai.mit.edu/projects/aries/Documents/Memos/ARIES-15.pdf