Mistakes Microsoft made in the Xbox security system (2005)

43 points by davikr | 13 comments | 7/17/2025, 12:23:12 AM | xboxdevwiki.net

Comments (13)

mjg59 · 2h ago
The fundamental problem was that x86 had no mechanism for verifying first instruction at the time (Boot Guard and Platform Secure Boot provide that now), and the only way to try to deal with this was by adding immutable storage - but given where they put it, that was expensive, so small. And that led to making poor tradeoffs, influenced by having what was clearly not a great level of adversarial security analysis, but even implementing that perfectly they'd still have been fucked by the gate A20 thing which is maybe the absolute funniest legacy design failure that perpetuated well into the 21st century.

(The Intel/AMD difference on IP rollover is also funny but given the number of other ways to circumvent things...)

I actually use this as a teaching example - it's a great way to talk about how CPUs actually work and interact with other hardware, and a good understanding of this gives a lot of insight into low level platform design.

Scaevolus · 2h ago
Microsoft clearly learned from their Xbox and Xbox 360 mistakes, leading to unhacked (?) Xbox One and Xbox Series X consoles: https://www.platformsecuritysummit.com/2019/speaker/chen/
ChocolateGod · 33m ago
The Xboxes after the 360 have developer mode built in to allow people to run their own user space software (including emulators) so the attraction to look for exploits is reduced.
spookie · 2m ago
Yup, it's just a computer.
zaptheimpaler · 1h ago
Yeah, the hackers had a good run on jailbreaking every device for decades but the corpos won in the end. Most of the latest iOS devices/versions and consoles no longer have any meaningful jailbreaks. The end of an era...
samplatt · 1h ago
A big part (I feel) of that for both iPhones and Xbox is their ecosystems finally arriving at a point that's "good enough"; the store offers enough games with enough security with low barriers to "fun" that few people WANT to hack it.

Same with Android - from 2008 to ~2018 I was rooting and putting custom ROMs on my phone before I'd even got it home. These days I rarely bother because the functionality that I required is finally provided out-of-the-box.

john01dav · 1h ago
The features that you use may be there, but I don't want all of my everything getting hoovered up to Google. On Apple some functionality (termux and ad blockers in native apps come to mind) isn't even available in the closed ecosystem.
gonzalohm · 1h ago
In exchange for less control of your device though... The other day my phone updated without my permission and replaced Google assistant with Gemini, also without my permission.

It's no longer my phone if I can't decide what gets installed and what shouldn't.

maxloh · 1h ago
Both Gemini and Google Assistant are parts of the Google App. They were introduced or deprecated with app updates.

It is possible to reject the update. Just disable automatic updates of the Google App in the Play Store. You could even return to Google Assistant by reverting Google App to an older version.

dang · 31m ago
Discussed once (and I do mean once):

17 Mistakes Microsoft Made in the Xbox Security System - https://news.ycombinator.com/item?id=781036 - Aug 2009 (1 comment)

userbinator · 1h ago
Alternatively: Paths to Freedom.
munchler · 3h ago
This is from 2005.
dang · 31m ago
Added above. Thanks!