The original Microsoft Xbox was quite distinctive among consoles of its era because it was essentially just a PC. That enabled all kinds of hacks, including modchips that would let players run bootleg games and alternative operating systems. But, of course, Microsoft wasn't too keen on that kind of activity, and they tried to lock down the hardware. The basis of that security was a secret 512-byte bootrom that the system needed to read during startup. That was sniffed out with an FPGA back when the Xbox was new, but Markus Gaasedelen has just performed an alternative hack via the JTAG interface.
This hack has limited practical utility, because the secret bootrom is already known. But it's still an interesting experiment in true hardware hacking. It's an alternative to Bunnie's famous FPGA hack and shows what could have been done at the time.
Because the original Xbox was just a PC with an Intel Pentium III CPU, it included a JTAG interface for debugging. Gaasedelen suspected that he could read the secret bootrom via JTAG if he could access it. But Microsoft wanted to prevent exactly that, so they hid the JTAG TRST# pin beneath the CPU, where nobody could interact with it while the system was operational. To perform this hack, Gaasedelen needed a way to access that pin while the Xbox booted normally.
Original Xbox CPU (📷: Markus Gaasedelen)
The key to achieving that access was a special “interposer” board that sits between the CPU and the Xbox mainboard. That custom PCB lets most CPU signals pass straight through to the mainboard, but provides external access to the JTAG TRST# pin via a System 50 connector. As far as the Xbox is concerned, the CPU is in place properly. But the interposer board let Gaasedelen reach the TRST# pin. With a standard CodeTAP hardware debugger and the appropriate software, he should have been able to sniff the relevant data during startup.
But there was a problem: the system was failing its startup checks. It expects to receive an “okay” from a PIC16 microcontroller within 200ms, but the debugging hardware slowed that down. To get around that check, Gaasedelen used an Arduino Uno development board to spoof the “okay” signal and bypass the PIC16 self-check.
(📷: Markus Gaasedelen)
With that workaround, Gaasedelen was able to read all 512 bytes of the secret bootrom. If Gaasedelen had done that 20 years ago, it would have been huge news and he would be a hero in the mod scene. But even today, this is a very impressive accomplishment and a fantastic lesson in hardware hacking.