Hacking the Xbox

Recommendations

Info

90 Hacking the Xbox: An Introduction to Reverse Engineering First Encounters with a Paranoid Design When the Xbox was announced in the Spring of 2000, excitement rippled through the hardware enthusiast community. The cause for this excitement was not just the Xbox’s gaming potential, but its potential for use as a high performance, network-enabled x86-architecture PC at the affordable price of $300. Price cuts a few months after its introduction have since dropped the cost of an Xbox to below $200. The similarity of the Xbox to an x86 PC meant that a huge base of existing applications and expertise could, in theory, be easily ported to the console. My first look inside an Xbox was in late November 2001 when my girlfriend (now fianceé) gave it to me as an early Christmas gift. I immediately got down to business. In order to take control of the Xbox hardware, the first task is to extract the boot ROM and analyze its contents: Recall from the discussion on Xbox architecture in Chapter 2 that the boot ROM of the Xbox contains all of the code for establishing the Xbox’s operating environment. To Snarf a ROM The type of ROM used in the Xbox is an electrically erasable and programmable variety known as FLASH ROM. FLASH ROM typically comes in one of a few package types, and the Xbox uses one of the most popular packages, the TSOP (Thin Small Outline Package). It is located in sector U7 on the top side of the Xbox motherboard, and the reference designator for the part is U7D1. The TSOP package is very recognizable because it is one of the few chip packages that is rectangular and has pins only on the narrow edges of the package. Most other packages put pins on the long edge or all edges to maximize connectivity, but FLASH ROM has relatively low I/O requirements per silicon area. A quick check on the base part number, 29F080, with a Web search engine verifies that this part is indeed an 8 Mbit FLASH ROM. There are a few techniques that one can use to read out (snarf) the contents of the FLASH ROM. The no-solder approach is to buy a test clip that snaps onto the FLASH ROM, and read out its contents by powering up and controlling the ROM through the test clip, while the rest of the Xbox is powered off. A suitable test clip for this purpose can be purchased from Emulation Technology, www.emulationtechnology.com. (The test clip override approach has a few problems with it, the biggest being the possibility of permanently damaging chips connected to the FLASH ROM that are not receiving power through the test clip. However, in the case of the Xbox, this does not seem to be a problem and those who attempted this approach did meet with success. 1 I did not initially take 1 Andy Green has an excellent page that documents his experiences with the test clip approach at http:// www.warmcat.com/milksop/milksop.html
Chapter 6 - The Best Xbox Game: Security Hacking 91 this approach as I did not want to risk damaging the motherboard, and because I could not afford the $300 test clip required for the job.) Another ingenious approach is to solder wires to the test points around the FLASH ROM to eavesdrop on the Xbox as it reads the ROM’s contents. Eavesdropping can be accomplished by either connecting the wires to a custom board that can interface with the ROM, or by using a logic analyzer to capture the data as it is accessed by the Xbox CPU. The latter approach was used with success as well, and in fact some back doors in the Xbox boot sequence were discovered as a consequence of Figure 6-1: Removing the Xbox FLASH ROM with a tweezer-style soldering iron. this methodology. 2 I chose not to use this approach either, as I did not have a logic analyzer when I got my first Xbox, and because soldering all the wires down can be very tedious, difficult, and error-prone. My approach was more traditional: just remove the FLASH ROM and drop it into a ROM reader. I also placed a socket on the motherboard, so that future removal and programming of the ROM would be very quick and reliable. 2 Visor has written up his experiences with the logic analyzer snooping approach at http://www.xboxhacker.net/visor/ aXventure1.txt
Page 1:
Hacking the Xbox An Introduction to
Page 4 and 5:
The US government is far and away t
Page 7 and 8:
Hacking the Xbox An Introduction to
Page 9:
In memory of Aaron Swartz
Page 12 and 13:
x Hacking the Xbox: An Introduction
Page 14 and 15:
xii Hacking the Xbox: An Introducti
Page 17:
Acknowledgments I would like to tha
Page 20 and 21:
2 Hacking the Xbox: An Introduction
Page 22 and 23:
Page 24 and 25:
Page 26 and 27:
Page 28 and 29:
10 Hacking the Xbox: An Introductio
Page 30 and 31:
Page 32 and 33:
Page 34 and 35:
Page 36 and 37:
Page 38 and 39:
Page 40 and 41:
Page 42 and 43:
Page 44 and 45:
Page 46 and 47:
Page 48 and 49:
Page 50 and 51:
Page 52 and 53:
Page 54 and 55:
Page 56 and 57:
Page 58 and 59: 40 Hacking the Xbox: An Introductio
Page 85 and 86: CHAPTER 4 Building a USB Adapter Ca
Page 87 and 88: Strategy Chapter 4 - Building a USB
Page 89 and 90: Chapter 4 - Building a USB Adapter
Page 91 and 92: CHAPTER 5 Replacing a Broken Power
Page 93 and 94: Chapter 5 - Replacing a Broken Powe
Page 95 and 96: Strategy Chapter 5 - Replacing a Br
Page 101 and 102: Figure 5-6: The final cable assembl
Page 105: Chapter 5 - Replacing a Broken Powe
Page 118 and 119: 100 Hacking the Xbox: An Introducti
Page 137 and 138: CHAPTER 8 Reverse Engineering Xbox
Page 139 and 140: Chapter 8 - Reverse Engineering Xbo
Page 145 and 146: clearance for motherboard component
Page 155 and 156: CHAPTER 9 Sneaking in the Back Door
Page 157 and 158: Chapter 9 - Sneaking in the Back Do
Page 159 and 160:
Chapter 9 - Sneaking in the Back Do
Page 161 and 162:
Page 163 and 164:
Page 165 and 166:
Page 167:
Note Chapter 9 - Sneaking in the Ba
Page 170 and 171:
152 Hacking the Xbox: An Introducti
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 179 and 180:
CHAPTER 11 Developing Software for
Page 181 and 182:
Chapter 11 - Developing Software fo
Page 183 and 184:
Page 185 and 186:
Page 187 and 188:
Page 189 and 190:
Page 191 and 192:
CHAPTER 12 Caveat Hacker Reverse en
Page 193 and 194:
Chapter 12 - Caveat Hacker 175 tech
Page 195 and 196:
Chapter 12 - Caveat Hacker 177 type
Page 197 and 198:
Chapter 12 - Caveat Hacker 179 art
Page 199 and 200:
Chapter 12 - Caveat Hacker 181 tres
Page 201 and 202:
Chapter 12 - Caveat Hacker 183 Also
Page 203 and 204:
Chapter 12 - Caveat Hacker 185 oppo
Page 205 and 206:
Chapter 12 - Caveat Hacker 187 inte
Page 207 and 208:
Chapter 12 - Caveat Hacker 189 Such
Page 209:
Chapter 12 - Caveat Hacker 191 his
Page 212 and 213:
Page 214 and 215:
Page 216 and 217:
Page 218 and 219:
Page 220 and 221:
Page 222 and 223:
Page 224 and 225:
Page 226 and 227:
Page 228 and 229:
Page 230 and 231:
Page 232 and 233:
Page 234 and 235:
Page 236 and 237:
Page 238 and 239:
Page 240 and 241:
Page 242 and 243:
Page 244 and 245:
Page 246 and 247:
Page 248 and 249:
Page 250 and 251:
Page 252 and 253:
Page 255 and 256:
APPENDIX D Getting Started with FPG
Page 257 and 258:
Appendix D - Getting Started with F
Page 259 and 260:
Page 261 and 262:
Page 263:
Page 266 and 267:
Page 268 and 269:
Page 270 and 271:
Page 272 and 273:
Page 275 and 276:
APPENDIX F Xbox Hardware Reference
Page 277 and 278:
Appendix F - Xbox Hardware Referenc
Page 279 and 280:
Appendix F - Xbox Hardware Referenc
Page 281 and 282:
DVD-ROM Power Connector Appendix F
Page 283:
Fan Connector Appendix F - Xbox Har
Page 286 and 287:
268 continuity mode, in DMMs 19 Cop
Page 288 and 289:
270 Molex 76 Moore’s Law 5 Mosis
Page 290 and 291:
272 Virtex-II FPGA 123 Visor 139, 1
show all

Hacking the Xbox

You also want an ePaper? Increase the reach of your titles

Delete template?

Save as template?