Hacking the Xbox
Chapter 6 - The Best Xbox Game: Security Hacking (p. 99)
• Install a memory sniffer to try and capture the decrypted data stream as it is written into memory.
• Use microscopy to read out the contents of the secure boot area from the chip surface.
• Probe the bus between the Southbridge and the Northbridge chips to try and capture the boot code being sent to the processor by the chipset. This would only work if the boot data is stored somewhere in the Southbridge chip.
None of these theories were trivial to test, so the Xbox hacking effort slowly ground down to a halt as frustrated hackers gave up trying to cryptanalyze the FLASH ROM image. I would have been one of the quitters (after all, I had a doctoral thesis to finish and write in just a few months) had it not been for the community of determined hackers feeding me encouragement.
Over Christmas break in December 2001, I kept in touch with my hacker friends via IRC channels and web fora. Hackers from all over the world and all walks of life pervaded the Xbox hacking IRC channel, and I enjoyed learning from them and chatting with them about their various experiences, both technical and personal.
Even though I was determined to spend all of January writing my PhD thesis [6] and avoiding Xbox hacking, I was still pulled in by the intriguingly complex security employed by the Xbox. As time went on, the need for a hardware guy to join the small group of hardcore hackers hanging out on the IRC channel became increasingly clear. By the end of January, the reports I was hearing about the Xbox security scheme were too interesting to ignore.
I purchased a second Xbox and I started removing all of its key parts using a hot air gun. Stripping down the Xbox served many purposes. First, removing the chips exposed all of the traces and connections on the Xbox so that I could easily follow the connections between chips using the continuity test mode on my multimeter. Second, I was able to drop all of the interesting chips into a hot acid bath and remove their plastic encapsulation for analysis under a microscope. Finally, buying an Xbox and totally ripping it apart gave me a sort of peace of mind when it comes to probing and modifying a working Xbox. (Reverse engineering is like gardening. Planting a garden is much more challenging if you're trying to keep your hands and knees clean, so you might as well get over it and start rolling in the dirt.)
The results of the Xbox tear-down revealed some of the measures that Microsoft took to secure the box against hardware hackers. For example, I first checked the JTAG connections on the Pentium CPU. All of the JTAG signals were conveniently routed to a set of easy-to-tap resistors near the processor, except for one, the TRST# signal. TRST# plays a critical role in
[6] For those interested in supercomputer architecture, data and thread migration, fault tolerance, high speed low-latency networks, or massively multithreaded machines, check out my thesis at http://www.xenatera.com/bunnie/phdthesis.pdf.