MaV3RiCk over @ xboxhacker.net explains the link between the DVD security sector and the XBE.

SS offset ... 4ABh ED10393E Time/date stored in the xbe time/date certificate field too. ... 4CFh 20 bytes SHA1 of the bytes from offset 4 to 4CFh (4CBh bytes).

these unique (per game) info are used in the game code to validate the media:

:0001650D    push ebp
:0001650E    lea ebp, dword ptr [[esp-74]]
:00016512    sub esp, 00000088
:00016518    mov eax, dword ptr [[00010118]]
:0001651D    push ebx
:0001651E    mov ebx, dword ptr [[ebp+7C]]      ebx = pointer dvd SS data
:00016521    mov ecx, dword ptr [[ebx+000004AB]]   ecx = Time/data
:00016527    cmp ecx, dword ptr [[eax+04]]      compare with one in the xbe certificate
:0001652A    je 00016536         same, dvd correct jump.
:0001652C    mov eax, C0000156         not the same set error code and return
:00016531    jmp 000165BC
:00016536    push esi
:00016537    push edi
:00016538    lea eax, dword ptr [[ebp-14]]      sha1 buffer
:0001653B    push eax
:0001653C    mov [[ebp+7C]], 000004CB      Init sha1 for 4CBh bytes
:00016543    call 0001B1E2         XcSHAInit
:00016548    push 00000004
:0001654A    lea eax, dword ptr [[ebp+7C]]
:0001654D    push eax
:0001654E    lea eax, dword ptr [[ebp-14]]      sha1 buffer
:00016551    push eax            update with 4 bytes size
:00016552    call 0001B1DC         XcSHAUpdate
:00016557    push [[ebp+7C]]
:0001655A    lea eax, dword ptr [[ebx+04]]      SS data + 4
:0001655D    push eax
:0001655E    lea eax, dword ptr [[ebp-14]]      sha1 buffer
:00016561    push eax
:00016562    call 0001B1DC         XcSHAUpdate
:00016567    lea eax, dword ptr [[ebp+60]]      final sha1 buffer
:0001656A    push eax
:0001656B    lea eax, dword ptr [[ebp-14]]      sha1 buffer
:0001656E    push eax
:0001656F     call 0001B1D6         XcSHAFinal
:00016574    push 00000014
:00016576    pop ecx
:00016577    lea edi, dword ptr [[ebx+000004CF]]   20 bytes sah1 stored in the SS
:0001657D    lea esi, dword ptr [[ebp+60]]      20 bytes sah1 calculated
:00016580    xor eax, eax
:00016582    repz
:00016583    cmpsb            compare 2 sha1
:00016584    pop edi
:00016585    pop esi
:00016586    je 0001658D         equal, so jmp to verify
:00016588    sbb eax, eax
:0001658A    sbb eax, FFFFFFFF
:0001658D    test eax, eax
:0001658F     je 00016598
:00016591    mov eax, C0000190
:00016596    jmp 000165BC
:00016598    lea eax, dword ptr [[ebp+60]]
:0001659B    push eax            20 bytes sha1 calculated
:0001659C    push dword ptr [[003E529C]]      XePublicKeyData
:000165A2    add ebx, 000004E3
:000165A8    push ebx
:000165A9    call 0001B1E8         XcVerifyPKCS1Signature
:000165AE    neg al            al = 1 signature passed
:000165B0    sbb eax, eax
:000165B2    and eax, 3FFFFE70
:000165B7    add eax, C0000190         eax = 0 media check passed.
:000165BC    pop ebx
:000165BD    add ebp, 00000074
:000165C0    leave
:000165C1    ret 0004

the point is that this code (which use NtDeviceIOControlFile with IOCTL_SCSI_PASS_THROUGH_DIRECT , DVD_STRUCTURE cmd) appeared in a MS xdk lib after some time. So we can say that we had a "first generation games" without this link between the xbe and dvd. for example Halo1 and rallisport1. Then they came these "second generation games" using this link to check the original dvd from inside the xbe code. it's enough checking the certificate size field in the xbe header to spot the difference between first and second generation games.

if the size of this certificate is =< 0x1D8 the xbe game code doesn't care to verify the link with the dvd. Halo1/rallisport1 xbe code don't verify any link with the dvd. try to use TOCA xbe with the halo1 SS even passing through the dvd challenge response you need the toca original SS or the xbe will crashed itself after the link checking.

Retrieved from "http://www.eurasia.nu/wiki/index.php/XboxSecuritySectorLinkToXbe"

This page has been accessed 501 times. This page was last modified 15:54, 13 February 2010.