I've been doing some research as well and found a few interesting articles: http://xboxlivehacking.blogspot.com/?m=1
You really don't need to set up Kerberos realms for this. In fact, I would advise against it for two main reasons. There are 3 domain controllers that share trust relationships with each other using unique private Kerberos keys, one each for MACS.XBOX.COM, PASSPORT.NET, and XBOX.COM. If you really want to set up three domain controllers and create trusts between them, go ahead. But you can easily get away with only using a single domain controller as long as you keep track of which realm the client is from and which realm it is targeting. The Kerberos AS and TGS requests the Xbox will send to the server use custom pre-authentication data, so you will have to write custom code somewhere to allow the Kerberos realms to decrypt and interpret the custom pre-auth data. It would be much easier to just spoof the functionality of the Kerberos realms, since they really only grant the client a ticket after the back-end domain controller authenticates the user. The Xbox doesn't do anything with the ticket data other than cache it locally and send it back to the XBL servers so they can process it. Just make sure you handle compound identity requests properly, and you can put whatever data you want in the ticket.
I have found some interesting code in the kernel source: packet formats and Kerberos-related functions. When I manage to get BFM working I'll be pulling all the code out and hard-coding some things into the image. I intend to cut out all of the authentication and have a game believe the console is connected to Live to the point where it will start spewing out data. As everything beyond the initial authentication is done by the application itself, everything needed to simulate at least basic account information will be in the XDK (data formats, request IDs etc.). I can build my own test application which just tries some requests in sequence and retries until it gets a correct response.
Nowhere near that stage yet. Still not worked out the encryption or Kerberos password generation, never mind authentication and decryption.
Installing Windows Server 2003, *sigh*. I need to understand some MS authentication stuff. But if I'm correct, I might see some way to "describe" how it works this year*, so an "open source" Live could be made. People who set up a Kerberos server themselves on, for example, Ubuntu: the pre-shared key the Xbox is using is probably there because the machine has a "machine account". Make backups, remove the machine account and try making that first with your own server; maybe you then have a pre-shared key and can go on from there. Always make backups. The machine account is stored on the HDD, encrypted using your Xbox HDD key somehow, so good luck with storing that somewhere safe (file-system knowledge required, I assume). At the factory, they save a few details of every box; once the Xbox connects online for the first time, it gets its own machine account (like passport.com) and this is what MS sees as secure (more secure than your own user account, because you can transfer it on a MU). This info from the factory goes into a geology-server DB. We can make our own (devkits are "special"). It's possible an Xbox may lose this machine account (and so the pre-shared key), so they built a way to create a new one again. We skip the securities they built into their software, because we don't like banning people, but still, a virgin Xbox will need a machine account. *I have no idea yet how or how deep, but keeping it legal is a deathtrap, I'm afraid. Gonna try, and don't expect a whole lot from "me"; got enough work and ... well, hobbies, wife, house, finding a job.
Just an FYI/PSA. Once you get past all 3/4 steps of the Kerberos authentication, you then need to handle the Xbox Live "services", e.g. presence, billing, messaging, content, etc. Obviously some of these can be skipped or just spoofed to always fail, etc. However, as soon as the Kerberos authentication is done you are then presented with another layer of authentication you must pass: the security gate. You can't just skip this either; it sets up handshakes for all of the services the title is requesting, and some encryption stuff on the XNet API layer. Like I've said in previous posts, I would highly recommend that you skip setting up a Kerberos server and trying to set up the cross-realm trusts. It will save you a lot of time setting up an overly complex environment, not to mention you will also have to modify some sort of open source Kerberos backend (probably the MIT implementation). You guys keep mentioning spoofing, so why not try to spoof the Kerberos handshakes rather than trying to use a real Kerberos server...
I've not really had much time to look any further into this after setting up a sane and working build environment. Currently developing an extremely low-cost 3D printer with my brothers; I think the total parts cost so far, without a few parts such as wiring, connectors and screws, is about £120.
I'd really like to see this come to fruition. My gaming hobby in itself is based around old consoles/games that have gone offline and had their servers restored. I find the process of all that very interesting to follow. Considering there's still 500+ concurrent people always on Halo 2 on Kai, this would be a big deal. But even if an open source Xbox Live is created 100%, doesn't that mean we'd still have to reverse engineer servers for every game from that point? Or were Xbox Live game servers essentially a node within the grand spectrum that all shared similar characteristics? I'm curious how that works, though it's probably been asked and answered here already (tl;dr).
Anybody who is serious about this project: we would like to see how we can succeed, and see packet research and a packet logger from Xbox original and 360, and much, much more. I've got a basic login emulator for both Xbox original and 360; I do not have party chat working, but you can connect. I also have a basic login emulator that emulates Xbox login on the PC, which will show how to connect to the Live servers and more. If you are truly interested in this project, join my IRC: irc ip = nerdhacks.net:6667, room #openXBL. Please join me and make this dream a reality.
Here are some encryption algorithms.
Code:
    using System;
    using System.Security.Cryptography;
    using System.Text;

    // Decompiled routines as posted, reformatted. Misc.HexStringToBytes and Security.RC4
    // (in-place RC4 over the ref'd buffer) come from the poster's project and are not
    // included in the post; the enclosing class is a stand-in so the fragment compiles.
    static class XblKerberosCrypto
    {
        // Derives the key used to decrypt the KDC reply from the 16-byte session key.
        // Shape matches the RFC 4757 HMAC-MD5 checksum: Ksign = HMAC(K, "signaturekey\0"),
        // tmp = MD5(T || data) with T = {02,04,00,00} and data = four zero bytes,
        // result = HMAC(Ksign, tmp). keyLen is unused; callers always pass 16.
        private static byte[] ComputeKdcNoonce(byte[] key, int keyLen)
        {
            // Same 13 bytes as the literal array in the decompile: "signaturekey" plus NUL.
            byte[] signatureLabel = Encoding.ASCII.GetBytes("signaturekey\0");
            byte[] signKey = new HMACMD5(key).ComputeHash(signatureLabel, 0, 13);
            byte[] msgType = { 2, 4, 0, 0 };
            byte[] zeroData = new byte[4];
            using (MD5 md5 = MD5.Create())
            {
                md5.TransformBlock(msgType, 0, 4, null, 0);
                md5.TransformFinalBlock(zeroData, 0, 4);
                return new HMACMD5(signKey).ComputeHash(md5.Hash);
            }
        }

        // PA-ENC-TS-ENC body: a fixed DER template (SEQUENCE { [0] GeneralizedTime, [1] INTEGER usec })
        // with the 15-byte KerberosTime "yyyyMMddHHmmssZ" patched in at offset 6.
        private static byte[] GenerateTimeStamp()
        {
            byte[] template = Misc.HexStringToBytes("301aa011180f32303132313231323139303533305aa10502030b3543");
            byte[] now = Encoding.ASCII.GetBytes(DateTime.Now.ToUniversalTime().ToString("yyyyMMddHHmmssZ"));
            Array.Copy(now, 0, template, 6, 15);
            return template;
        }

        // RFC 4757 (etype 23) decryption: input = checksum[16] || RC4(K3, confounder[8] || data),
        // K1 = HMAC(key, usage as LE32), K3 = HMAC(K1, checksum). "usage" is the parameter the
        // decompiler called Idk. Note: the checksum is never verified against the recovered
        // plaintext, so a wrong key or altered data yields garbage rather than an error, and
        // the returned buffer still begins with the 8-byte confounder.
        private static byte[] RC4HMACDecrypt(byte[] key, int keyLen, byte[] data, int dataLen, int usage)
        {
            HMACMD5 hmac = new HMACMD5(key);
            byte[] k1 = hmac.ComputeHash(BitConverter.GetBytes(usage), 0, 4);
            byte[] checksum = new byte[16];
            Array.Copy(data, checksum, 16);
            byte[] body = new byte[data.Length - 16];
            Array.Copy(data, 16, body, 0, data.Length - 16);
            hmac.Key = k1;
            byte[] k3 = hmac.ComputeHash(checksum);
            Security.RC4(ref body, k3);
            return body;
        }

        // RFC 4757 encryption, inverse of the above. The confounder is hard-coded in the
        // decompile; the RFC calls for 8 fresh random bytes per message.
        private static byte[] RC4HMACEncrypt(byte[] key, int keyLen, byte[] data, int dataLen, int usage)
        {
            HMACMD5 hmac = new HMACMD5(key);
            byte[] k1 = hmac.ComputeHash(BitConverter.GetBytes(usage), 0, 4);
            byte[] confounder = Misc.HexStringToBytes("9b6bfacb5c488190");
            byte[] plain = new byte[data.Length + 8];
            Array.Copy(confounder, plain, 8);
            Array.Copy(data, 0, plain, 8, data.Length);
            hmac.Key = k1;
            byte[] checksum = hmac.ComputeHash(plain);   // over confounder || data
            byte[] k3 = hmac.ComputeHash(checksum);
            Security.RC4(ref plain, k3);
            byte[] output = new byte[dataLen + 24];      // 16 checksum + 8 confounder + data
            Array.Copy(checksum, 0, output, 0, 16);
            Array.Copy(plain, 0, output, 16, plain.Length);
            return output;
        }
    }
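As an added example (not code from the thread or the poster's tool), the RC4-HMAC routine that the decompiled RC4HMACEncrypt/RC4HMACDecrypt above implement, written out in Python from RFC 4757 together with the checksum check that the decrypt side needs before trusting the plaintext. The usage numbers 1 and 1203 passed by the tool are plain integers here; the sample key and confounder used when exercising it are constructed values.

```python
import hmac
import hashlib
import os
import struct
from typing import Optional


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4-HMAC uses the stream cipher unmodified."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def hmac_md5(key: bytes, data: bytes) -> bytes:
    return hmac.new(key, data, hashlib.md5).digest()


def rc4_hmac_encrypt(key: bytes, usage: int, plaintext: bytes,
                     confounder: Optional[bytes] = None) -> bytes:
    """RFC 4757 etype 23: checksum[16] || RC4(K3, confounder[8] || plaintext)."""
    k1 = hmac_md5(key, struct.pack("<I", usage))   # T = usage number, little-endian
    confounder = confounder or os.urandom(8)       # must be fresh for every message
    body = confounder + plaintext
    checksum = hmac_md5(k1, body)                  # integrity tag over confounder || data
    k3 = hmac_md5(k1, checksum)                    # RC4 key is bound to the checksum
    return checksum + rc4(k3, body)


def rc4_hmac_decrypt(key: bytes, usage: int, ciphertext: bytes) -> bytes:
    """Inverse of the above; rejects the message unless the checksum verifies."""
    if len(ciphertext) < 24:
        raise ValueError("too short: need 16-byte checksum + 8-byte confounder")
    k1 = hmac_md5(key, struct.pack("<I", usage))
    checksum, body = ciphertext[:16], ciphertext[16:]
    plain = rc4(hmac_md5(k1, checksum), body)
    # Wrong key, wrong usage number or a flipped ciphertext bit all fail here.
    if not hmac.compare_digest(hmac_md5(k1, plain), checksum):
        raise ValueError("RC4-HMAC checksum mismatch")
    return plain[8:]                               # strip the confounder
```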
How to get the XMACS keys.
Code:
    using System;
    using System.IO;
    using System.Net;
    using System.Net.Sockets;
    using System.Security.Cryptography;
    using System.Threading;

    // Decompiled from the poster's tool, reformatted. Program.LoadXmacsKey, Program.LoadConsolePrivateKey,
    // Program.ComputeClientName, EndianIO/EndianStyle and the XMACSREQ.bin request template belong to that
    // project and are not included in the post; the offsets below are read from the console key file
    // passed as fileName. The class wrapper is a stand-in so the fragment compiles.
    static partial class Program
    {
        private static byte[] GetXmacsLogonKey(string fileName)
        {
            string filesDir = AppDomain.CurrentDomain.BaseDirectory + "\\files\\";
            RSACryptoServiceProvider xmacsKey = Program.LoadXmacsKey();

            // 16-byte session key, RSA-OAEP encrypted to the XMACS public key. System.Random seeded with
            // the tick count is not a cryptographic RNG; RNGCryptoServiceProvider would be the right source.
            byte[] sessionKey = new byte[16];
            new Random(Environment.TickCount).NextBytes(sessionKey);
            byte[] encSessionKey = xmacsKey.Encrypt(sessionKey, true);
            Array.Reverse(encSessionKey);

            byte[] request = File.ReadAllBytes(filesDir + "XMACSREQ.bin");
            Array.Copy(encSessionKey, 0, request, 44, 256);

            // Console identity material, read at fixed offsets of the key file.
            EndianIO io = new EndianIO(fileName, EndianStyle.BigEndian);
            io.Position = 176L;  byte[] idBlock = io.Reader.ReadBytes(12);     // 12-byte field at 176
            io.Position = 2504L; byte[] certBlock = io.Reader.ReadBytes(424);  // 424-byte block at 2504
            io.Position = 668L;  byte[] exponent = io.Reader.ReadBytes(4);     // console RSA exponent
            io.Position = 680L;  byte[] keyParams = io.Reader.ReadBytes(448);  // console RSA private key
            io.Position = 2506L; byte[] consoleId = io.Reader.ReadBytes(5);
            io.Close();

            byte[] clientName = Program.ComputeClientName(consoleId);
            RSACryptoServiceProvider consoleKey = Program.LoadConsolePrivateKey(exponent, keyParams);

            byte[] fileTime = BitConverter.GetBytes(DateTime.UtcNow.ToFileTime());
            Array.Reverse(fileTime);                      // big-endian on the wire
            byte[] paTimestamp = Program.GenerateTimeStamp();
            byte[] encTimestamp = Program.RC4HMACEncrypt(sessionKey, 16, paTimestamp, paTimestamp.Length, 1);

            // PKCS#1 v1.5 SHA-1 signature over fileTime || idBlock || SHA1(sessionKey) with the console key.
            byte[] sessionKeyHash = SHA1.Create().ComputeHash(sessionKey);
            SHA1 sha1 = SHA1.Create();
            sha1.TransformBlock(fileTime, 0, 8, null, 0);
            sha1.TransformBlock(idBlock, 0, 12, null, 0);
            sha1.TransformFinalBlock(sessionKeyHash, 0, 20);
            RSAPKCS1SignatureFormatter formatter = new RSAPKCS1SignatureFormatter(consoleKey);
            formatter.SetHashAlgorithm("SHA1");
            byte[] signature = formatter.CreateSignature(sha1.Hash);
            Array.Reverse(signature);

            Array.Copy(fileTime, 0, request, 300, 8);
            Array.Copy(idBlock, 0, request, 308, 12);
            Array.Copy(signature, 0, request, 320, 128);
            Array.Copy(certBlock, 0, request, 448, 424);
            Array.Copy(encTimestamp, 0, request, 992, 52);
            Array.Copy(clientName, 0, request, 1072, 15);

            // Send the AS request to XEAS over UDP/88 and poll for the reply for about 5 seconds.
            UdpClient udp = new UdpClient();
            udp.Connect("XEAS.XBOXLIVE.COM", 88);
            udp.Send(request, request.Length);
            File.WriteAllBytes("XEAS_Send1.bin", request);
            IPEndPoint remote = new IPEndPoint(0L, 0);
            byte[] reply = null;
            int attempts = 0;
            while (reply == null)
            {
                Thread.Sleep(10);
                if (udp.Available > 0)
                {
                    reply = udp.Receive(ref remote);
                    File.WriteAllBytes("XEAS_Receive1.bin", reply);
                    break;
                }
                Thread.Sleep(500);
                if (++attempts == 10)
                {
                    return null;                          // no answer; the decompile's empty catch-all is dropped
                }
            }

            // The reply key is derived from the session key; the encrypted part is 108 bytes at offset 53.
            byte[] encPart = new byte[108];
            Array.Copy(reply, 53, encPart, 0, 108);
            byte[] replyKey = Program.ComputeKdcNoonce(sessionKey, 16);
            File.WriteAllBytes("XEAS_key2.bin", replyKey);
            byte[] decrypted = Program.RC4HMACDecrypt(replyKey, 16, encPart, 108, 1203);
            File.WriteAllBytes("XEAS_Receive1_Decrypt.bin", decrypted);

            // The 16-byte XMACS logon key sits at offset 76 of the decrypted block
            // (the offset counts the 8-byte confounder RC4HMACDecrypt leaves in place).
            byte[] logonKey = new byte[16];
            Array.Copy(decrypted, 76, logonKey, 0, 16);
            return logonKey;
        }
    }
If you are interested in helping with the project you can add me on Skype or join the IRC and we can get things done and tested. Skype: currentmods.Dan
What version is your prototype using for the dashboard? If you're not on the newest version I can spoof your dashboard version so we can get logs from Live.