How the Xbox 360 knows if your hard-drive is genuine
Discussion links: Hacker News
The Xbox 360 was launched in 2005 with 2 models – a “Core” model and a “Pro” model. The idea behind the Core was to provide a lower-cost model so gamers could play their games from disc, while the Pro included a 20 GB hard-drive, which was plenty for the limited amount of downloadable content and other extras at the time. The hard-drive has always been an optional accessory, but it quickly became a necessity for gamers who wanted to save their profiles and download content from Xbox Live. The downside is that the Xbox 360 branded hard-drives were expensive. The 20 GB at launch was $99! Looking at an old AnandTech price guide from November 2005, for $57 you could get an 80 GB hard-drive for your PC. Xbox 360 storage came at a large premium.
Instinctively, modders explored the possibility of using custom hard-drives in order to get lots of storage on a budget. Unfortunately, they quickly found it was impossible.
Kernel-mode Authenticity Check
Every genuine Xbox 360 hard-drive has a unique piece of data in sector 16 called the “security sector” that contains the following information:
The security sector data is processed in a kernel function named SataDiskAuthenticateDevice. It looks like this in IDA:
The decompiled version:
The function is relatively simple. It starts by calling IoSynchronousFsdRequest. This is a function carried over from the original Xbox, and you won’t find it on Windows. It basically executes an asynchronous IO request, and then waits for it to complete. In this case, it is a read request for sector 16:
After that function runs, Buffer will contain the security sector data, or, if the read failed, the console will display an E69 error screen. That will only happen if the disk is very loosely connected, or if the disk is failing.
When the security sector is in memory, the authenticity check takes place. All hard-drives report a serial number, firmware revision, and model number as part of the IDE_COMMAND_IDENTIFY_DEVICE command. The data the disk firmware reports is compared against what is stored in the security sector. It does this using a dedicated helper function named SataDiskEqualAuthenticationStrings, which basically works like memcmp (a function that checks if bytes are equal).
If any of those 3 strings do not match, the check fails. You might be thinking, it should be trivial to just change the security sector to match the data the disk firmware, reports, right? Unfortunately, the entire security sector is RSA-signed using a private key only Microsoft possesses. This means that if you modify the security sector to match the disk firmware information, it will fail the cryptographic check. Here is the RSA signature verification:
If you do not want to buy the genuine Microsoft Xbox 360 hard-drive, there are 2 workarounds
Since the security sector cannot be modified to match the disk firmware information, the only possible workaround is to change the disk firmware so it will match the security sector. HDDHackr was created – an MS-DOS app that updates the firmware on Western Digital drives to impersonate another. For example, if a security sector says the disk is a Hitachi, HDDHackr would change the disk firmware to report Hitachi information.
There are still a few limitations to the HDDHackr workaround:
- It’s not maintained anymore and only works on older PC hardware.
- There are reports it doesn’t work well on newer Western Digital drives.
- It cannot make drives larger than 500 GB work. The security sector limits the amount of addressable sectors, and 500 GB is the biggest hard-drive size Microsoft officially released.
2. Modded Console
When modding Xbox 360 consoles became possible through the JTAG and RGH hacks, the hard-drive authenticity check and size limitations were one of the first things patched out. With the checks removed, any hard-drive up to 2 TB in size could be connected, formatted on the dashboard, and be ready for use. These hacks require hardware modifications though, and you give up Xbox Live access in the process.
Microsoft knows about your hacked/custom hard-drive
If you use the HDDHackr workaround, you would download a valid security sector from the internet to use for your hard-drive. For example, when the 500 GB HDD came out in 2014, the community quickly uploaded the security sector so others could make their own, custom 500 GB HDDs. What most people do not realize is that Microsoft has been collecting your hard-drive info this entire time. Specifically, while connected to Xbox Live the following information from the security sector is sent to Microsoft periodically as part of a security challenge response:
- Serial number
- Firmware revision
- Model number
- User addressable sectors
Microsoft knows about every Xbox Live-connected console that has a HDDHackr’d drive connected, since it will see tens of thousands of consoles using the same hard-drive. Security sectors are unique and can be used to uniquely identify a hard-drive. Xbox 360 hard-drives can be used on different consoles, so Microsoft seeing a few consoles using the same hard-drive won’t be a red flag, but when potentially hundreds or thousands of consoles are reporting the same hard-drive info at once, it’s pretty clear they are using a hacked/custom hard-drive.
Microsoft could have banned consoles for using a non-genuine hard-drive, but there is no evidence this has ever occurred.
If you looked closely at the HDD_SECURITY_BLOB structure at the beginning, you may have noticed the LogoBitmapDigest. Right after the security sector, in sector 17, a PNG image of the old Microsoft logo can be found:
Fun fact: Based on metadata embedded in the image, it was created in Macromedia Fireworks MX 2004 on July 19, 2005. The Xbox 360 launched later that year on November 22. After looking at a few early and late security sector samples, I believe this exact same image is used in every security sector on every hard-drive sent to retail.
The logo is used when viewing the storage on the Xbox 360 dashboard:
Microsoft cared enough about their logo to SHA1 hash it. That hash is RSA-signed in the security sector, so you cannot change the hash or the logo.
It’s possible Microsoft considered allowing third parties to sell their own branded hard-drives for Xbox 360, much like how Seagate exclusively sells the Xbox Series X|S expansion cards today. Presumably, the Microsoft logo would have been replaced with their own. This is all just conjecture and it’s possible the answer boils down to Microsoft wanting you to feel good knowing you purchased a genuine accessory.
With a modded console it is possible to change the logo to any other image you want, since the cryptographic checks are no longer enforced. Some fun images are below. Note that while the HDD is named Retail, changing the logo is only possible on a modded console. These are also screen captures from the console – not photoshops!
The security sector is located at the beginning of the disk. If you connect the disk to Windows and open Disk Management, it will show up as “Not Initialized” since Windows doesn’t recognize the Xbox 360 partitioning scheme. A popup will also appear asking you to initialize the disk in MBR or GPT format, to get it set up for Windows partitioning.
Unfortunately, the consequences of clicking OK are devastating. The security sector will be overwritten with Windows partition tables. Unless you made a backup of it, the hard-drive will never work in an unmodded Xbox 360 again. I get emails about this all the time and it pains me to tell people there is no way to save the hard-drive. The problem became so common that I added automatic security sector backups to FATXplorer back in 2015. When it starts, it will immediately back up any valid security sector on all hard-drives it finds. Unfortunately, up to the time this post was published, it has not saved a single hard-drive. Everyone accidentally initializes their disks before opening FATXplorer the first time, rendering the life-saving feature useless. If you still play on your Xbox 360, consider backing up your security sector!