Hacking the Xbox

CHAPTER 8
Reverse
Engineering
Xbox Security
In this chapter, I will describe how I defeated the initial production
version of the Xbox security system that was first encountered in Chapter
6. The security system was discovered after analyzing the FLASH ROM
and realizing that the true hardware initialization and boot image
decryption sequence was somehow hidden outside of the FLASH ROM.
The Chapter 7 introduced some basic cryptography concepts that will be
useful understanding the contents of this chapter.
Extracting Secrets from Hardware
The hidden boot code in the Xbox, as concluded in Chapter 6, can be
recovered by eavesdropping on one of the following buses: (1) the FSB,
(2) the main memory bus, or (3) the Northbridge-Southbridge connection.
The format of the Front Side Bus (FSB) of the Pentium processor used in
the Xbox is documented in the Pentium III processor datasheets, available
at Intel’s Developer Website. The FSB is a bidirectional 64-bit data bus with
about fifty address and control signals, all running at 133 MHz. The bus
uses a signaling convention known as AGTL+. Eavesdropping on this bus
is an expensive and difficult proposition because of the high signal count
and challenging physical form factor. Viable approaches include: (a) socketing
the processor with a special emulator break-out socket that costs many
thousands of dollars, or (b) reverse engineering the meaning of each FSB
trace on the Xbox motherboard, and tack soldering a short probe wire onto
each of the almost one hundred signals. In addition, a logic analyzer that
supports AGTL+ signaling is required. The combination of all these factors
made me look elsewhere for a starting point for eavesdropping.