I know I'm only asking for wild speculation, but why didn't they disable the serial port? Why hasn't each new drive completely fixed the previous one's vulnerability? Are they trying and just not as good at securing as others are at cracking?
Besides disabling the serial on the LiteOn, why on earth does the LiteOn even spit out its key over serial at all? It doesn't need to send it to the console; in fact it can't over serial anyway. If there's not a technical reason, it seems like a big programming mistake. All I can think of is for MS's own repair facilities, so they can change out a broken DVD-ROM without replacing the motherboard as well, with minimal effort. (Save time and money.)
Yeah, I think Microsoft either did it for repair purposes, or just forgot to take the key-over-serial feature out. It might have been in debug firmwares or something, and they forgot to take it out.
I would presume it is used for 1 of 2 things.
1. Initial programming. Initially, maybe the chip is programmed over TX and RX, and then the two resistors are removed to disable the functionality (well, the hookup to the power connector at least), and RX is used to confirm the firmware flash. (But then why is the drive still able to read out the key over RX?)
2. Think of it like this: Microsoft gets a console for repair, it has a LiteOn DVD drive, and it is shot; they need the key out of it to program a new drive. I don't know if Microsoft can, but they probably can extract the DVD key from the NAND through the 360's software or something. I don't know, but anyway, it would probably be easier to hook up to the RX point of the drive and get the key that way, so I think it is for the ease of Microsoft in repairing that the key over serial is still enabled.
Look at it this way though: even if the key goes out over serial, and we can get the key and spoof other drives as LiteOn, there are still things in the LiteOn firmware (something about SS spoofing or something that is different for the LiteOn) so that if you have a drive with iXtreme 1.4 (at the time, 1.4) spoofed as LiteOn, Microsoft can detect your drive. So the key over serial isn't THAT big of a problem. While you can get the key and spoof another drive with 1.4, they can still detect it and ban you.
I think Microsoft/Mediatek/whoever messed up in not embedding the SPI flash on the die of the Mediatek chip. Since it is just on top of it and removable (with decapping the chip), it can be soldered up to and read out. If they had implemented the SPI flash on the die, there would be no wires to solder to it, and no way to read it out. Currently, we still can't read out the LiteOn firmware (except right after you flash it, but that is pointless because you have to erase the flash to flash it, so we can never read out the original LiteOn firmware), so Microsoft/Mediatek did get something right: it is impossible via software (at least so far) to read out the LiteOn firmware. You have to erase the chip, then you can write something to it, but you can only read it out right after you write to the chip. I think after rebooting the drive you can't ever read out the firmware again, which is very smart: write the firmware, read it back to confirm it, then of course the drive gets powered off, someone buys the 360 with the drive, and can't read out the firmware. I like it. You can still erase the flash and write a new firmware to it, if you were to repair the drive and hook it up to a new motherboard or something, but hackers can't (via software) read out the firmware. But you still need to be able to read out the key somehow (for repair purposes), maybe via the drive, or via the 360 NAND, which I'll comment on later.
So in conclusion, I think if Microsoft/Mediatek had embedded the SPI flash on the die of the Mediatek chip, the key over serial wouldn't be that big of a problem, because we could never have extracted the LiteOn firmware (decapping would have just found one die, not a die and an SPI chip with wires attached), analyzed it, found how the LiteOn SS authorizing (or whatever it is that was different) was different from other drives, and implemented the spoofing support in 1.5. So Microsoft could have detected any drive spoofed to LiteOn (because 1.4 didn't react to SS the way that a true LiteOn did) and banned them. I really don't think reading the key over serial was a bad thing; it was good for Microsoft to implement for repair purposes. Just the way they did the SPI flash chip was stupid.
Also, it could have been a mistake. I don't know much about the Wii's drive security, but I did watch the 25C3 video on the Wii Fail. From what I remember, the Wii's DVD firmware doesn't accept normal DVDs, but there is a DVD mode apparently in the firmware that is never used, just sitting there (why not remove it if it is never used?), and apparently a modchip or a softmod of the Wii can enable that DVD mode (yeah, I don't know how it is enabled, but I know somehow it is) and enable Wii game piracy. So maybe Microsoft had the key over serial for debugging purposes in the firmware, and just forgot to take it out, like Nintendo did.
So maybe Microsoft just forgot to take that feature out? I mean, they could have. I would assume Microsoft has some way to change the DVD key through the 360, as I stated before; they could, using some type of signed software or an API or something, get the 360 to spit out the DVD key it already has on it, so they know the LiteOn's DVD key, and then just replace the motherboard of the 360 and write the same DVD key to the NAND, or replace the LiteOn drive with another one and flash that one with the motherboard's DVD key, depending on what is wrong with the system. So Microsoft probably could have taken out the DVD key over serial altogether and still been able to repair systems (granted they have access to the NAND unencrypted, but I am sure they can do that).
So Microsoft could have done 1 of 2 things to make the LiteOn unhackable.
1. Implement the SPI flash on the die of the Mediatek chip. No way to read out the firmware (the firmware might still have been extractable optically, but with a lot more difficulty and expense than decapping the chip and soldering the SPI flash to a reader, which is what I am assuming C4E and those guys did), no way to analyze the LiteOn's different way of SS spoofing. So if Microsoft had done this, the key over serial would still be there; you could spoof a 1.4 drive at the time to LiteOn, but it would be detectable on XBL and bannable, because it wouldn't do SS the way a LiteOn did, because we wouldn't know how the LiteOn did SS, because we never got the firmware.
2. Take out the key over serial. Sure, repairing consoles would be more difficult; Microsoft would have to get the key from the NAND or something, but it would prevent people from getting their keys from their drives. Sure, you could decap the chip and read out the firmware to get the key, but getting a system with a flashable DVD drive would be easier and probably less expensive. Sure, the firmware probably would have been extracted and analyzed, and 1.5 would be released, but the problem would be that LiteOn drives could be flashed with other keys and work on other consoles that started out with a flashable drive, but they could never work in the console they originally came in, because there would be no way to get the key from it.
So in doing one of those two things, they could have severely crippled the LiteOn hacking possibilities, but they did neither. So, yeah, that is why piracy is still possible on the 360, and until Microsoft learns, piracy will always be possible.
Wow, I just re-read my post; I repeated myself like a million times, but hopefully you get the drift of what I am saying.