Using JTAG To Dump The Xbox’s Secret Boot ROM

When Microsoft released its first entry into the video game console market with the Xbox, much of the discussion at the time revolved around the fact that it used a nearly off-the-shelf Intel CPU and NVIDIA GPU. This made it quite different from the very custom consoles from Nintendo and Sony, and invited thoughts of running custom code on the x86 console. Although the console's security was broken before long, some open questions remained, such as whether the secret boot ROM could have been dumped via the CPU's JTAG interface. This is the question which [Markus Gaasedelen] sought to answer.

The secret boot code was originally dumped by intercepting it as it made its merry way from the south bridge to the north bridge (which contains the GPU), and there were two reasons for that route: Microsoft had foolishly left this path unencrypted, and the JTAG interface on the CPU had been disabled by tying its TRST# pin to ground, which holds the test access port in reset. Without removing the CPU and fitting some kind of interposer to get at that pin, the JTAG interface would never become active.
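To make the TRST# point concrete, here is a small model of the IEEE 1149.1 TAP controller with a TRST# input. It is an added example, not code from the article or from [Markus Gaasedelen]'s work, and the device and its 32-bit IDCODE are constructed for illustration. It shows that while TRST# is held low no amount of TMS/TCK activity moves the controller out of Test-Logic-Reset, and what the standard TMS sequence to reach Shift-DR and clock out the IDCODE looks like once TRST# is released.

```python
"""Minimal IEEE 1149.1 TAP controller model with a TRST# input.

Constructed example: only the IDCODE data register is modelled, and the
device ID used here is hypothetical, not any real vendor's.
"""

# (current state, TMS) -> next state, straight from the 1149.1 state diagram.
NEXT = {
    ("Test-Logic-Reset", 0): "Run-Test/Idle",  ("Test-Logic-Reset", 1): "Test-Logic-Reset",
    ("Run-Test/Idle", 0): "Run-Test/Idle",     ("Run-Test/Idle", 1): "Select-DR-Scan",
    ("Select-DR-Scan", 0): "Capture-DR",       ("Select-DR-Scan", 1): "Select-IR-Scan",
    ("Capture-DR", 0): "Shift-DR",             ("Capture-DR", 1): "Exit1-DR",
    ("Shift-DR", 0): "Shift-DR",               ("Shift-DR", 1): "Exit1-DR",
    ("Exit1-DR", 0): "Pause-DR",               ("Exit1-DR", 1): "Update-DR",
    ("Pause-DR", 0): "Pause-DR",               ("Pause-DR", 1): "Exit2-DR",
    ("Exit2-DR", 0): "Shift-DR",               ("Exit2-DR", 1): "Update-DR",
    ("Update-DR", 0): "Run-Test/Idle",         ("Update-DR", 1): "Select-DR-Scan",
    ("Select-IR-Scan", 0): "Capture-IR",       ("Select-IR-Scan", 1): "Test-Logic-Reset",
    ("Capture-IR", 0): "Shift-IR",             ("Capture-IR", 1): "Exit1-IR",
    ("Shift-IR", 0): "Shift-IR",               ("Shift-IR", 1): "Exit1-IR",
    ("Exit1-IR", 0): "Pause-IR",               ("Exit1-IR", 1): "Update-IR",
    ("Pause-IR", 0): "Pause-IR",               ("Pause-IR", 1): "Exit2-IR",
    ("Exit2-IR", 0): "Shift-IR",               ("Exit2-IR", 1): "Update-IR",
    ("Update-IR", 0): "Run-Test/Idle",         ("Update-IR", 1): "Select-DR-Scan",
}

IDCODE_LEN = 32


class Tap:
    """One TAP on the scan chain, driven one TCK rising edge at a time."""

    def __init__(self, idcode, trst_n=1):
        self.idcode = idcode      # hypothetical 32-bit device ID (LSB is 1 per the spec)
        self.trst_n = trst_n      # TRST# is active-low: 0 = held in reset (tied to ground)
        self.state = "Test-Logic-Reset"
        self.dr = 0               # data-register shift stage

    def tck(self, tms, tdi=0):
        """Apply one rising TCK edge. Returns the TDO bit, or None if TDO is not driven."""
        if self.trst_n == 0:
            # Asynchronous reset dominates: the controller is pinned in
            # Test-Logic-Reset, so TMS/TCK activity achieves nothing.
            self.state = "Test-Logic-Reset"
            return None
        tdo = None
        if self.state == "Capture-DR":
            # Test-Logic-Reset preloads IDCODE as the current instruction,
            # so Capture-DR parallel-loads the ID into the shift register.
            self.dr = self.idcode
        elif self.state == "Shift-DR":
            tdo = self.dr & 1                                   # LSB comes out first
            self.dr = (self.dr >> 1) | (tdi << (IDCODE_LEN - 1))
        self.state = NEXT[(self.state, tms)]
        return tdo


def read_idcode(tap):
    """Walk TLR -> RTI -> Select-DR-Scan -> Capture-DR -> Shift-DR, then shift out 32 bits.

    Returns the IDCODE, or None if the TAP never reached Shift-DR (e.g. TRST# low).
    """
    for _ in range(5):            # five TMS=1 clocks reach Test-Logic-Reset from any state
        tap.tck(tms=1)
    for tms in (0, 1, 0, 0):      # RTI, Select-DR-Scan, Capture-DR, Shift-DR
        tap.tck(tms)
    if tap.state != "Shift-DR":
        return None
    bits = []
    for i in range(IDCODE_LEN):
        last = i == IDCODE_LEN - 1
        bits.append(tap.tck(tms=1 if last else 0))   # TMS=1 on the last bit exits to Exit1-DR
    return sum(bit << i for i, bit in enumerate(bits))


if __name__ == "__main__":
    grounded = Tap(idcode=0x0001F00D, trst_n=0)      # TRST# tied to ground, as on the board
    print("TRST# low :", read_idcode(grounded))       # None: port never leaves reset
    released = Tap(idcode=0x0001F00D, trst_n=1)      # TRST# lifted via the interposer
    print("TRST# high:", hex(read_idcode(released)))  # 0x1f00d
```

The model only covers the IDCODE register, but the same state walk, with Select-IR-Scan instead of Select-DR-Scan to load a debug instruction, is how a JTAG debugger gets at a CPU's debug registers once the port is alive; with TRST# grounded none of that is reachable, which is exactly why the CPU had to come off the board.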

A further issue, after the harrowing task of desoldering the CPU and reinstalling it with the custom interposer in place, was keeping the system integrity check (enforced by an onboard PIC16 MCU) satisfied. With the CPU hooked up to the JTAG debugger this check failed, and the expected signal had to be injected onto the I2C bus from outside to keep the PIC16 from resetting the system. Yet even after all of this, and after the secret boot ROM code had been dumped via JTAG, one final system reset remained, tied to the detection of an abnormal CPU start-up.

The original Xbox ended up being hacked pretty thoroughly, famously giving rise to projects like Xbox Media Center (XBMC), known today as Kodi. Microsoft learned its lesson, though, as each of its newer consoles has been more secure than the last. Barring some colossal screw-up in Redmond, the glory days of Xbox hacking are sadly well behind us.

Image: the modification in progress, with an extra chip stacked on top of the original and a magnet wire connection running to the chip select pin.

Original XBox V1.6 RAM Upgrade Stacks TQFP Chips

RAM upgrades for the original XBox have been a popular mod: you could relatively easily bump the RAM from 64MB to 128MB. While that gives no benefit in most games, which were written to expect 64MB, it does help with emulators, game development, and running alternative OSes like Linux. Earlier XBox PCB revisions had footprints for the extra RAM chips, so upgrades were simple: get some new RAM ICs and solder them onto the board. In hardware revision 1.6, however, these footprints were removed, and RAM upgrades on v1.6 were long considered impossible.

[Prehistoricman] brings a mod that makes RAM upgrades on v1.6 possible using an old trick from the early days of home computers: stacking new RAM chips on top of the old ones and soldering them on in parallel. The overwhelming majority of the RAM lines (address, data, clock and control) are shared between the chips, which is what makes this mod possible. The one signal that must differ is chip select, so the stacked chip's chip select pin is kept apart from the pin beneath it (otherwise both chips would answer the same select) and wired with magnet wire to the extra chip select lines, which are, thankfully, still available on the board. He shares a tutorial with plenty of illustrations, so it should be easier for you to perform this mod if you are stuck with a newer console that no longer has the RAM chip footprints onboard.

We just covered an original XBox softmodding tutorial, so this is as timely as ever! If you’re looking to read about the 128MB mod, this is a good place to start.

We thank [DjBiohazard] for sharing this with us!

“Hacking The Xbox” Released For Free In Honor Of [Aaron Swartz]

Image: cover of Hacking the Xbox.

[Bunnie], the hardware hacker who first hacked into the original Xbox while at MIT, is releasing his book on the subject for free. The book was originally released in 2003, and delves into both the technical and legal aspects of hacking into the console.

The book is being released along with an open letter from [Bunnie]. He discusses the issues he faced with MIT legal and copyright law when working on the project, and explains that the book is being released to honor [Aaron Swartz]. [Swartz] committed suicide in January following aggressive prosecution by the US government.

The book is a great read on practical applications of hardware hacking. It starts off with simple hacks: installing a blue LED, building a USB adapter for the device’s controller ports, and replacing the power supply. The rest of the book goes over how the security on the device was compromised, and the legal implications of pulling off the hack.

[Bunnie]’s open letter is worth a read; it explains the legal bullying that hackers deal with from a first-hand perspective. The book itself is a fantastic primer on hardware hacking, and with this release anyone who hasn’t read it should grab the free PDF.