Exploring the Halo 1 System Link Protocol

Nice work! Always fun to see something I wrote long ago reverse engineered. The packet format was indeed inspired by ESP over UDP, and I named it XSP. After system link shipped with the original launch of the console, I also worked on Xbox Live networking, including the client/server interactions and the design and implementation of the front-end Security Gateways that all Xboxes would talk to, first to authenticate themselves to the service, and then to maintain a heartbeat connection to the service (to keep NAT ports open during idle time), and to facilitate NAT traversal.

So that&#x27;s basically most of the lowest layers of the Xbox Live protocol as well. Simply game discovery happens over local broadcast instead of through the Live servers. There&#x27;s some other specifics that change, such as logging into a host xbox doesn&#x27;t diffie-hellman anymore but instead key sets are distributed by the server backends with the session information. Additionally the auth side is basically non existent on system link.<p>Great RE work!<p>Disclaimer: I created a proof of concept implementation of the Xbox Live server infrastructure here: <a href="https:&#x2F;&#x2F;github.com&#x2F;xombieonline&#x2F;xombie">https:&#x2F;&#x2F;github.com&#x2F;xombieonline&#x2F;xombie</a>

&quot;age in a bot&quot; might be a truncated form of &quot;message in a bottle.&quot;<p>The PRNG exponentiation scheme is essentially Diffie-Hellman.<p>&gt; Modifying the fire duration does not seem to have any effect<p>Including, e.g., plasma pistol?<p>Very cool investigation and writeup.

Huge fan of Halo 1, and for me, the original (via LAN, XLAN or Xlink Kai) is still the preferred way to play compared to Halo MCC (RIP XBconnect). I dabble in map mods so this is mostly over my head, but interesting read. Don&#x27;t know if would help your research: but are you aware of a mod&#x2F;mappack called Halo 1: NHE (No Host Edition)? It&#x27;s a hacky way of using a third box to host the system link game.<p><a href="http:&#x2F;&#x2F;halo1nhe.com&#x2F;" rel="nofollow noreferrer">http:&#x2F;&#x2F;halo1nhe.com&#x2F;</a>

This is a well written, in depth analysis of the system. Why do you think the packets are encrypted?

It&#x27;s a shame it&#x27;s proprietary, but there&#x27;s a neat service[1] that&#x27;s been around for over a decade that reverse engineered System Link and similar protocols to make them Internet-enabled.<p>[1]: <a href="https:&#x2F;&#x2F;www.teamxlink.co.uk&#x2F;" rel="nofollow noreferrer">https:&#x2F;&#x2F;www.teamxlink.co.uk&#x2F;</a>

Tangential point: the weirdest part about the Xbox was the system name. As far as I&#x27;m aware that was never configurable by users, but certain games would set your system name as an easter egg. Any reason why it was built that way?

Halo 1 + system link + XBConnect is responsible for a huge swath of my career, life, friendships. I remember sitting in my parents basement as a [very young person] marveling at XBC and wondering how it worked. I can still remember the layout of the webpage I found diving into the protocol, how discovery worked, broadcasting discovery packets to 0.0.0.1. I remember opening Ethereal and seeing the packets. I remember, a bit later, hacking together a Java app, failing at a C++ app, many years later trying one in Go and then... pre-drop-@-gc Rust. Wonder if instead of encapsulating packets with src&#x2F;dst mac I could send a map back and forth and index into it to save the whole... 6 bytes?<p>So many hours of my life spent playing that game. Even recently I re-discovered an old Halo (x)ISO I mastered in high school containing a multitude of map packs that the community had made for it (NMP, NMPv2, CXE, +??). I even hacked them to change their internal map IDs to prevent cache conflicts when switching packs. My friend dug it out of his collection, copied the ISO and I fired it up in XEMU. Wild to see some of those maps, that some random people made with hacked together tools, and wild to read this now, and the comment from &#x2F;u&#x2F;dinartem. Even wilder that it&#x27;s playable emulatable now. Especially given the way MCC massacred Halo1 with the horrendous Halo 1 PC port back to Xbox, and then later to PC again.<p>I&#x27;m horrified to see someone comment that multiplayer almost didn&#x27;t launch with Halo 1. My life would be so unimaginably different.<p>So many memories, this comment doesn&#x27;t mean much, but what a thing to see on HN.<p>lol, I&#x27;m almost tempted to drop my XBConnect Forum name here. I remember when I thought Todd was an absolute god among humans. Oh man, thank you HN for the dose of nostalgia. If anyone remembers a huge block-letter forum signature that was briefly animated ;). The era of sprawling PHP file upload sites. Wow. The internet before it became truly cursed.<p>edit: shout out if anyone knows what I mean by &quot;clear walls&quot;. Oh man, what a world.<p>editN: oh wow, &quot;cross over cables&quot; is a phrase I haven&#x27;t thought of in a long time.<p>editLast: there was a glitch that was supposedly reproducible that caused a tertiary console&#x27;s player to override the inputs of another console player. Afaik it was never widely discussed, despite repeated claims that it was reproducible on demand. If anyone has any details, you&#x27;d make this a truly magical thread for me. &lt;3.

I recall the game recording feature feeling pretty cutting edge at the time, as you could pause it and rotate&#x2F;fly round the scene, it felt really fluid and responsive. I guess now it would be common place but back then it definitely seemed a little magical.

Loved it, thanks for being so thorough and document the train of thought.<p>I want to ask about one thing I could not understand completely on the final section: If there was a client that sent arbitrary values for selected weapon, forward, left, etc; would the host count them as valid? (I understood this is essentially what the MITM allowed to do)<p>Also, a little feedback, my immersion broke when the video did not show Howard and Ghost anymore. Something like Howard1 and Ghost1 would&#x27;ve helped understand a little bit more.