Hacking the Xbox

Recommendations

Info

46 Hacking the Xbox: An Introduction to Reverse Engineering The term “dynamic” is applied to RAM that has to be constantly refreshed in order to preserve the integrity of data. For example, the RAM used in the Xbox must have every location read out and written back about thirty times a second. The performance penalty is not as bad as it sounds, as special hardware is built into modern DRAM chips that help optimize the process. The “synchronous” prefix means that inside the DRAM, the procedure for data access is broken down into a series of steps. Each of these steps are independent and can occur in parallel, so that multiple data requests can be in-flight simultaneously. An external timing signal, known as a clock, is used to synchronize the movement of data access requests through the various steps inside the DRAM. As a result, data access requests flow through each step like water through a pipe, and this technique is also known as pipelining. Synchronous DRAMs have higher bandwidth throughput than their predecessors, because pipelining allows multiple requests to be processed at once. However, the time required from when an access is first issued to an SDRAM to when the data finally appears on the output —the access latency — is not improved by pipelining. The term “Double Data Rate” refers to the way synchronous data is transferred relative to the synchronizing clock. A clock waveform consists of a repeating pattern of high and low signals. In traditional systems, data is only transferred on the low-to-high transition of a clock waveform. In a DDR system, data is transferred on both the low-to-high and the high-to-low transitions. Thus, for the same clock frequency, twice the amount of data can be transferred. The performance mnemonic quoted by DDR SDRAM vendors, such as DDR266, refers to the transfer rate, so the actual clock speed is one-half the performance mnemonic, or 133 MHz in this case. ROM Every computer needs to have some kind of persistent or non-volatile memory for storing the start-up, or boot, program. The DDR SDRAM discussed above does not work for this application because all data in a DDR SDRAM is lost when the power is removed. Current versions of the Xbox use a FLASH ROM instead to store data that has to persist even when the power is turned off. ROM stands for Read-Only Memory, and FLASH refers to a specific style of storage element that is electronically reprogrammable. FLASH style memories are convenient in PCs because they can be reprogrammed by the end user to fix mistakes in the boot code. However, in the Xbox, FLASH ROM programming by the end user is purposely disabled. The write signal required for programming is disconnected by leaving out the jumper located on the back of the Xbox motherboard at component location R7R4 (see the sidebar titled “Enabling FLASH ROM Programming Hardware” for more information). In the case of the Xbox, the reprogrammability of FLASH is primarily leveraged as a convenience for Microsoft during development and production. It is quite likely that in a few months, the Xbox will
Chapter 2 - Thinking Inside the Box 47 Enabling FLASH ROM Programming Hardware Patching the signal that was disconnected by Microsoft in order to prevent in-system FLASH ROM programming is a fairly simple procedure. The FLASH ROM write signal was disconnected by omitting a single resistor, component number R7R4, located on the bottom side of the Xbox motherboard at sector 7R. You can solder a piece of wire between the two silver pads of the resistor, or you could even simply bridge the pads with a large amount of solder. Note, even though FLASH ROM programming is enabled in the hardware by this patch, you still do not have a program that actually does the reprogramming. Running such a program is a much greater challenge due to the cryptographic software security system put in place by Microsoft. use cheaper hard-wired “mask ROMs” once Microsoft believes it is ready to etch its boot program and kernel in stone (or silicon, as the case may be). The boot ROM is pivotal in reverse engineering any computer because it contains critical code that is responsible for initializing the whole system. In the case of the Xbox, the boot FLASH ROM plays an even more crucial role because it is partially responsible for implementing the tight software security system. The exact role of the FLASH ROM in the security system will be explained later, but the important thing to remember for now is that the FLASH ROM controls the initialization of the hardware in the Xbox and also contains the initial operating system kernel image. Odds and Ends The Xbox features a small 8-bit coprocessor called the System Management Controller (SMC). The SMC is a complete miniature computer with RAM, ROM, and a processor in a single package. The processor inside the SMC uses the PIC (Peripheral Interface Controller) architecture, originally developed at Harvard university around 1975 and adapted by General Instruments for commercial sale. Arizona Microchip Technology (now called Microchip Technology, www.microchip.com) acquired the PIC product line in 1985 and has been selling it ever since. The SMC can be found in sector 7B on the Xbox, and its reference designator is U7B2. The SMC monitors the power button on the front of the Xbox, so the SMC must run even when the CPU is turned off. As a result, the Xbox power supply has a low-current 3.3V “standby” power line that is always active when the Xbox is plugged in. The SMC is also responsible for controlling the lights around the power button on the Xbox, and it controls the DVD eject mechanism as well. Finally, the SMC has a function that monitors the health of the CPU, and reboots the CPU in case it crashes. The SMC monitoring function must be disabled if you
Page 1:
Hacking the Xbox An Introduction to
Page 4 and 5:
The US government is far and away t
Page 7 and 8:
Hacking the Xbox An Introduction to
Page 9:
In memory of Aaron Swartz
Page 12 and 13:
x Hacking the Xbox: An Introduction
Page 14 and 15: xii Hacking the Xbox: An Introducti
Page 17: Acknowledgments I would like to tha
Page 20 and 21: 2 Hacking the Xbox: An Introduction
Page 28 and 29: 10 Hacking the Xbox: An Introductio
Page 85 and 86: CHAPTER 4 Building a USB Adapter Ca
Page 87 and 88: Strategy Chapter 4 - Building a USB
Page 89 and 90: Chapter 4 - Building a USB Adapter
Page 91 and 92: CHAPTER 5 Replacing a Broken Power
Page 93 and 94: Chapter 5 - Replacing a Broken Powe
Page 95 and 96: Strategy Chapter 5 - Replacing a Br
Page 101 and 102: Figure 5-6: The final cable assembl
Page 105: Chapter 5 - Replacing a Broken Powe
Page 114 and 115:
96 Hacking the Xbox: An Introductio
Page 116 and 117:
98 Hacking the Xbox: An Introductio
Page 118 and 119:
100 Hacking the Xbox: An Introducti
Page 120 and 121:
Page 122 and 123:
Page 124 and 125:
Page 126 and 127:
Page 128 and 129:
Page 130 and 131:
Page 132 and 133:
Page 134 and 135:
Page 137 and 138:
CHAPTER 8 Reverse Engineering Xbox
Page 139 and 140:
Chapter 8 - Reverse Engineering Xbo
Page 141 and 142:
Page 143 and 144:
Page 145 and 146:
clearance for motherboard component
Page 147 and 148:
Page 149 and 150:
Page 151 and 152:
Page 153 and 154:
Page 155 and 156:
CHAPTER 9 Sneaking in the Back Door
Page 157 and 158:
Chapter 9 - Sneaking in the Back Do
Page 159 and 160:
Page 161 and 162:
Page 163 and 164:
Page 165 and 166:
Page 167:
Note Chapter 9 - Sneaking in the Ba
Page 170 and 171:
Page 172 and 173:
Page 174 and 175:
Page 176 and 177:
Page 179 and 180:
CHAPTER 11 Developing Software for
Page 181 and 182:
Chapter 11 - Developing Software fo
Page 183 and 184:
Page 185 and 186:
Page 187 and 188:
Page 189 and 190:
Page 191 and 192:
CHAPTER 12 Caveat Hacker Reverse en
Page 193 and 194:
Chapter 12 - Caveat Hacker 175 tech
Page 195 and 196:
Chapter 12 - Caveat Hacker 177 type
Page 197 and 198:
Chapter 12 - Caveat Hacker 179 art
Page 199 and 200:
Chapter 12 - Caveat Hacker 181 tres
Page 201 and 202:
Chapter 12 - Caveat Hacker 183 Also
Page 203 and 204:
Chapter 12 - Caveat Hacker 185 oppo
Page 205 and 206:
Chapter 12 - Caveat Hacker 187 inte
Page 207 and 208:
Chapter 12 - Caveat Hacker 189 Such
Page 209:
Chapter 12 - Caveat Hacker 191 his
Page 212 and 213:
Page 214 and 215:
Page 216 and 217:
Page 218 and 219:
Page 220 and 221:
Page 222 and 223:
Page 224 and 225:
Page 226 and 227:
Page 228 and 229:
Page 230 and 231:
Page 232 and 233:
Page 234 and 235:
Page 236 and 237:
Page 238 and 239:
Page 240 and 241:
Page 242 and 243:
Page 244 and 245:
Page 246 and 247:
Page 248 and 249:
Page 250 and 251:
Page 252 and 253:
Page 255 and 256:
APPENDIX D Getting Started with FPG
Page 257 and 258:
Appendix D - Getting Started with F
Page 259 and 260:
Page 261 and 262:
Page 263:
Page 266 and 267:
Page 268 and 269:
Page 270 and 271:
Page 272 and 273:
Page 275 and 276:
APPENDIX F Xbox Hardware Reference
Page 277 and 278:
Appendix F - Xbox Hardware Referenc
Page 279 and 280:
Appendix F - Xbox Hardware Referenc
Page 281 and 282:
DVD-ROM Power Connector Appendix F
Page 283:
Fan Connector Appendix F - Xbox Har
Page 286 and 287:
268 continuity mode, in DMMs 19 Cop
Page 288 and 289:
270 Molex 76 Moore’s Law 5 Mosis
Page 290 and 291:
272 Virtex-II FPGA 123 Visor 139, 1
show all

Hacking the Xbox

Create successful ePaper yourself

Delete template?

Save as template?