• United States



Hackers released Xbox One SDK, claimed unreleased games may be leaked

Jan 04, 20154 mins
Data and Information SecurityMicrosoftSecurity

A group going by H4LT leaked the Xbox One SDK and claimed unreleased games may be leaked if “protection” is provided by Lizard Squad, which had two alleged members arrested.

Microsoft suffered from a holiday double-whammy as Lizard Squad took down the Xbox One network on Christmas and the group H4LT celebrated the end of 2014 by leaking the Xbox One SDK (Software Development Kit).

The group H4LT, using the Twitter name notHALT, leaked the November 2014 Xbox One SDK while claiming the release of the development tools, documentation and firmware might result in homebrew apps for Xbox One.

Xbox One SDK leak @notHALT

Se7enSins first reported getting its hands on the Xbox One SDK; it “works in tandem with Microsoft Visual Studio 2012 and only works on 64-bit computers.”

Microsoft Xbox One SDK install notHALT via Se7enSins

As others dug into the SDK, they discovered that Microsoft now allows developers to tap into seven out of eight cores. Microsoft previously only allowed developers to utilize six cores as the last two cores were reserved for OS processes running in the background. Microsoft made that change in October as the company rolled-back background processes so that game makers can access 50-80% of the seventh core.

Although game-specific voice commands are disabled and Kinect’s infrared and depth cameras are not available when games access the seventh core, Eurogamer suggested the ability to tap the seventh core “may partly explain why a small amount of multi-platform titles released during Q4 2014 may have possessed performance advantages over their PS4 counterparts in certain scenarios.”

WinBeta added that access to the seventh core may explain why Ubisoft’s Assassins Creed Unity ran smoother on the Xbox One than the PS4; (unlike the AC Unity PC version, which was a frustrating glitch-fest nightmare upon release.)

Using Twitter DMs, H4LT told TheTechGame:

Once the SDK is out, people who have knowledge or has in the past reversed files related to the Windows (8) operating system should definitely have a go at reversing some files in there. Why? Well, the Xbox One is practically a stripped Windows 8 device and has introduced a new package format that hasn’t had much attention. This format is responsible for updating the console and storing applications (Games are under the category of ‘Applications’ on the Xbox One) and is a modification of Virtual Hard Disks. There is no definite ‘exploit’ but from what we have studied and tested, this simple Packaging format could possibly lead us to creating Homebrew applications for the Xbox One.

If you are interested in giving it a go, then there is a discussion on Se7enSins about “where to start now that Xbox One SDK has been leaked.” However, don’t count on a batch of homebrew Xbox Live games anytime soon, as Eurogamer reported:

In terms of the leak itself, there have been suggestions that the release of the SDK could pave the way to Xbox One ‘homebrew’, with the implication that the console’s security has been in some way compromised. In particular, the documentation’s detailing of Windows-specific code containers has been singled out. The truth is that Xbox One is just as secure now as it was before the leak. Developers have zero access to the encryption technologies used to prevent console piracy, and while the documentation includes instructions on how to turn retail consoles into development hardware, the process doesn’t work without server-side authentication which homebrew enthusiasts are unlikely to get from Microsoft. In short, while the SDK will allow developers to write code and compile it, they will have no target hardware to run it on without a comprehensive hack of the Xbox One console itself.

H4LT also told The Independent that it may leak builds of unreleased games. Microsoft’s Halo 5 was given as an example of what games might be leaked. Microsoft owns 343 Industries, the creator of Halo 5, but The Independent said it is not believed the account belonging to 343 Industries was compromised to gain access to the files. (It’s potentially worth nothing that Halo 5 multiplayer beta was recently opened.)

The alleged hold-up before leaking “unreleased” games was allegedly due to H4LT seeking “protection” from Lizard Squad, the group that launched DDOS attacks on Xbox Live and the PlayStation Network on Christmas. H4LT asked “Lizard Squad to help with protection and stress testing of its systems for when the rest of the data is leaked.”

On the same day that was reported, two alleged members of Lizard Squad were arrested. UK police arrested a 22-year-old Britain and Finland’s National Bureau of Investigation took 17-year-old “Ryan” into custody; “Ryan acted as spokesperson for the group in the aftermath of the Christmas attacks.”

ms smith

Ms. Smith (not her real name) is a freelance writer and programmer with a special and somewhat personal interest in IT privacy and security issues. She focuses on the unique challenges of maintaining privacy and security, both for individuals and enterprises. She has worked as a journalist and has also penned many technical papers and guides covering various technologies. Smith is herself a self-described privacy and security freak.