Using JTAG To Dump The Xbox’s Secret Boot ROM

When Microsoft released its first entry into the video game console market with the Xbox, a lot of the discussions at the time revolved around the fact that it used a nearly off-the-shelf Intel CPU and NVIDIA GPU solution. This made it quite different from the very custom consoles from Nintendo and Sony, and invited thoughts on running custom code on the x86 console. Although the security in the console was hacked before long, there were still some open questions, such as whether the secret boot ROM could have been dumped via the CPU’s JTAG interface. This is the question which [Markus Gaasedelen] sought to answer.

The reason why this secret code was originally dumped by intercepting it as it made its merry way from the South to the North Bridge (containing the GPU) of the Xbox was because Microsoft had foolishly left this path unencrypted, and because the JTAG interface on the CPU was left disabled via the TRST# pin which was tied to ground. This meant that without removing the CPU and adding some kind of interposer, the JTAG interface would not be active.

A small issue after the harrowing task of desoldering the CPU and reinstalling it with the custom interposer in place was keeping the system integrity check (enforced by an onboard PIC16 MCU) satisfied. With the CPU hooked up to the JTAG debugger this check failed, requiring an external injection of the signal on the I2C bus to keep the PIC16 from resetting the system. Yet even after all of this, and getting the secret boot ROM code dumped via JTAG, there was one final system reset that was tied to the detection of an abnormal CPU start-up.

The original Xbox ended up being hacked pretty thoroughly, famously giving rise to projects like Xbox Media Center (XBMC), which today is known as Kodi. Microsoft learned their lesson though, as each of their new consoles has been more secure than the last. Barring some colossal screw-up in Redmond, the glory days of Xbox hacking are sadly well behind us.

Selectric Typewriter Goes From Trash Can To Linux Terminal

If there’s only one lesson to be learned from [alnwlsn]’s conversion of an IBM Selectric typewriter into a serial terminal for Linux, it’s that we’ve been hanging around the wrong garbage cans. Because that’s where he found the donor machine for this project, and it wasn’t even the first one he’s come across in the trash. The best we’ve ever done is a nasty old microwave.

For being a dumpster find, the Selectric II was actually in pretty decent shape. The first couple of minutes of the video after the break show not only the minimal repairs needed to get the typewriter back on its feet, but also a whirlwind tour of the remarkably complex mechanisms that turn keypresses into characters on the page. As it turns out, knowing how the mechanical linkages work is the secret behind converting the Selectric into a teletype, entirely within the original enclosure and with as few modifications to the existing mechanism as possible.

Keypresses are mimicked with a mere thirteen solenoids — six for the “latch interposers” that interface with the famous whiffletree mechanism that converts binary input to a specific character on the typeball, and six more that control things like the cycle bail and control keys. The thirteenth solenoid controls an added bell, because every good teletype needs a bell. For sensing the keypresses — this is to be a duplex terminal, after all — [alnwlsn] pulled a page from the Soviet Cold War fieldcraft manual and used opto-interrupters to monitor the positions of the latch interposers as keys are pressed, plus more for the control keys.

The electronics are pretty straightforward — a bunch of MOSFETs to drive the solenoids, plus an AVR microcontroller. The terminal speaks RS-232, as one would expect, and within the limitations of keyboard and character set differences over the 50-odd years since the Selectric was introduced, it works fantastically as a Linux terminal. The back half of the video is loaded with demos, some of which aptly demonstrate why a lot of Unix commands look the way they do, but also some neat hybrid stuff, like a ChatGPT client.

Hats off to [alnwlsn] for tackling a difficult project while maintaining the integrity of the original hardware.