Mistakes Microsoft made in the Xbox security system (2005)
14 comments
July 17, 2025
Scaevolus
Microsoft clearly learned from their Xbox and Xbox 360 mistakes, leading to unhacked (?) Xbox One and Xbox Series X consoles: https://www.platformsecuritysummit.com/2019/speaker/chen/
badsectoracula
AFAIK a big reason for this is that developer mode (as mentioned elsewhere) removed a large incentive for trying: people can run whatever code they want (after paying $20 or so to enable developer mode, though supposedly Microsoft is planning on making that free now) on their console (with some limits, but for things like getting emulators or homebrew to work those weren't important).
However, there have been some efforts in the last year or two to break the security. I remember reading about some exploit some time ago that would work from the original Xbox One to the current Series X devices, though it relied on some program on the store that was removed. However (supposedly, I do not own an Xbox One), the files were archived and one is still able to modify and compile the program (so it won't be caught by whatever automation MS has), use dev mode to put it on the store or device, then use that to apply the exploit.
I expect the Xbox One (and later) to be cracked open pretty much as soon as Microsoft abandons the whole thing, as their interest in Xbox seems to be waning recently.
ChocolateGod
The Xboxes after the 360 have developer mode built in to allow people to run their own user space software (including emulators) so the attraction to look for exploits is reduced.
spookie
Yup, it's just a computer.
zaptheimpaler
Yeah, the hackers had a good run on jailbreaking every device for decades but the corpos won in the end. Most of the latest iOS devices/versions and consoles no longer have any meaningful jailbreaks. The end of an era..
samplatt
A big part (I feel) of that for both iPhones and xbox is their ecosystems finally arriving at a point that's "good enough"; the store offers enough games with enough security with low barriers to "fun" that few people WANT to hack it.
Same with Android - from 2008 to ~2018 I was rooting and putting custom ROMs on my phone before I'd even got it home. These days I rarely bother because the functionality that I required is finally provided out-of-the-box.
john01dav
The features that you use may be there, but I don't want all of my everything getting hoovered up to Google. On Apple some functionality (termux and ad blockers in native apps come to mind) isn't even available in the closed ecosystem.
gonzalohm
In exchange for less control of your device though... The other day my phone updated without my permission and replaced Google assistant with Gemini, also without my permission.
It's no longer my phone if I can't decide what gets installed and what shouldn't.
dang
Discussed once (and I do mean once):
17 Mistakes Microsoft Made in the Xbox Security System - https://news.ycombinator.com/item?id=781036 - Aug 2009 (1 comment)
userbinator
Alternatively: Paths to Freedom.
The fundamental problem was that x86 had no mechanism for verifying the first instruction at the time (Boot Guard and Platform Secure Boot provide that now), and the only way to try to deal with this was by adding immutable storage. But given where they put it, that was expensive, so small. And that led to making poor tradeoffs, influenced by having what was clearly not a great level of adversarial security analysis; but even implementing that perfectly, they'd still have been fucked by the gate A20 thing, which is maybe the absolute funniest legacy design failure that perpetuated well into the 21st century.
(The Intel/AMD difference on IP rollover is also funny but given the number of other ways to circumvent things...)
I actually use this as a teaching example: it's a great way to talk about how CPUs actually work and interact with other hardware, and a good understanding of this gives a lot of insight into low-level platform design.