The unique Microsoft Xbox was considerably distinctive amongst consoles of the period as a result of it was basically only a PC. That enabled all types of hacks, together with modchips that may let gamers run bootleg video games and different working techniques. However, after all, Microsoft wasn’t too eager on that sort of exercise and so they tried to lock down the {hardware}. The premise of that safety was a secret 512-byte bootrom that the system wanted to learn throughout startup. That was sniffed out with an FPGA again when the Xbox was new, however Markus Gaasedelen simply carried out an alternate hack via the JTAG interface.
This hack has restricted sensible utility, as a result of the key bootrom is already recognized. However it’s nonetheless an attention-grabbing experiment in true {hardware} hacking. It’s a substitute for Bunnie’s well-known FPGA hack and exhibits what might have been achieved on the time.
As a result of the unique Xbox was only a PC with an Intel Pentium III CPU, it included a JTAG interface for debugging. Gaasedelen suspected that he might learn the key bootrom via the JTAG if he might entry it. However Microsoft needed to stop precisely that, in order that they hid the TRST# pin for the JTAG beneath the CPU the place no one might work together with it whereas the system was operational. To carry out this hack, Gaasedelen wanted a approach to entry that pin whereas the Xbox booted usually.
Authentic Xbox CPU (📷: Markus Gaasedelen )
The important thing to reaching that entry was a particular “interposer” board that sits between the CPU and the Xbox mainboard. That customized PCB lets most CPU indicators go proper via to the mainboard, however supplies exterior entry to the JTAG TRST# pin through a System 50 connector. So far as the Xbox is worried, the CPU is in place correctly. However the interposer board let Gaasedelen attain the TRST# pin. With a normal CodeTAP {hardware} debugger and the suitable software program, he ought to have been capable of sniff the related information throughout startup.
However there was an issue and the system was failing its startup checks. It expects to obtain an “okay” from a PIC16 microcontroller inside 200ms, however the debugging {hardware} slowed that down. To get round that examine, Gaasedelen used an Arduino Uno improvement board to spoof the “okay” sign and bypass the PIC16 self-check.
(📷: Markus Gaasedelen )
With that workaround, Gaasedelen was capable of learn all 512 bytes of the key bootrom. If Gaasedelen had achieved that 20 years in the past, it could be large information and he could be a hero within the mod scene. However even in the present day, this can be a very spectacular accomplishment and a unbelievable lesson in {hardware} hacking.