Xbox eeprom hack


















It also seems like whoever wrote the decryption code did it in pure assembly. I doubt any compiler could produce code of that quality and density. Roastbeef has also provided me with these insights on the PIC: 1. The PIC is powered all the time that the system is plugged into the wall.

Maybe this is where they're keeping the real time clock. Decryption is probably hit 20k or 30k CPU instructions after power good.

Update on ROM extraction and decryption

I guess it's been a little while since I've updated this page.

Given the level of paranoia that went into designing the Xbox, I am now assuming that the code extracted in the top bytes of ROM is in fact bogus and placed there as a red herring.

I think a method along this vein is most likely the best way to extract the decrypted ROM contents. My thought du jour is to actually hack the LDT bus between the northbridge and southbridge chipsets. It's the smallest pin-count bus (it is 9 bits wide, differential, in each direction), and conveniently, all the traces are right there in one spot on the motherboard: some are even labelled. Plus, LDT is a semi-open standard and the protocol seems to be fairly simple.

To tap it, you'd have to hit well over signals, since the data bus alone to the northbridge is bits wide. Correction to the above: an o-scope measurement of the LDT clock indicates that the bus is moving at MHz speeds (that's so slow, it's almost DC!). Count on nVidia and Microsoft to do spec inflation by citing the full-duplex bandwidth of the bus. Bottom line: it's much easier than I thought to tap the LDT bus.

For the curious and the hardware-minded: the Xbox motherboard is a 4-layer board. A mystery Who knows

I've had a request to trace the JTAG wires out to the nearest convenient holes or resistor pads. The image on the left shows the key JTAG pins broken out to a set of resistors near the processor.

It needs to be pulsed low on power-on, but pulling it permanently low as it is on the Xbox should permanently disable the JTAG bus. Perhaps this was intentional? You can see this "hole" on the right hand side image below. Also of note in the above picture to the left above is that one pin so far as I've noticed I haven't gone through and tracked through every pin! They are identical.

They all look like In other words, the high-level metal power busses criss-cross the entirety of the chip, obscuring most of the otherwise "interesting" features underneath. I don't really feel like removing the passivation and metallization, so I'll leave them as such. Ah well. Next step: tap the LDT bus.

NV2A logo

Unfortunately, I have yet to find any neat easter-eggs on the chips. I believe it is fabricated on a 0.

MCPX southbridge: 5. I also believe this is fabricated on a 0. Celeron: 8. This is, of course, fabricated on an Intel process. Not sure which process generation off the top of my head. The estimated manufacturing cost of a Pentium III in 0.

There is a , maybe byte EEPROM on the Xbox which stores, among other things, your serial number, time zone settings, MAC address, and there is some speculation that hard drive keys and encryption keys are stored there as well.

The I2C address was set in part by the address pin straps on the Xbox motherboard. The table in my case was filled with numbers, no dashes. I proceeded to rip anyway and it worked fine. Is the ripped eeprom definitely wrong, or is there a way I can verify that it is correct? However, seeing that you said the table was filled with numbers it sounds like you might have a wiring issue.

Adding the includes for string. Surprising or am I missing something?

Read xbox eeprom to eeprom. Write eeprom. Erase the eeprom :. Read eeprom at I2C address 0x50 to eeprom.

Dukenukemx, Oct 29, Last edited: Oct 31

I hooked up the hard drive to my Windows XP machine, and tried to read it through xplorer Xplorer couldn't find a FatX drive.

I didn't try unlocking the drive first, cause the only way I know how to is through hot swapping the EIDE cables. I don't know if I could do the same thing with Windows XP. If the eeprom. If not, then can anyone recommend me a cheap Xbox mod chip? I don't care if I have to solder either.

Dukenukemx, Oct 31

Dukenukemx, Nov 1

I have it fixed and the hard drive is replaced.


