What's enforcing the ban on the implementation end?
If this were a brand new console and new controllers, I would've guessed that both the console and controllers have a hardware private key and a pinned public key, but the consoles are up to 3 years old and the controllers are up to 10 years old. Has Microsoft theoretically been able to enforce this for ~10 years and just chose not to? Or if (for example) the 10-year old controllers don't have a hardware private key, doesn't that make them spoofable?
If this were a brand new console and new controllers, I would've guessed that both the console and controllers have a hardware private key and a pinned public key, but the consoles are up to 3 years old and the controllers are up to 10 years old. Has Microsoft theoretically been able to enforce this for ~10 years and just chose not to? Or if (for example) the 10-year old controllers don't have a hardware private key, doesn't that make them spoofable?