
Hacking the Authentic Xbox JTAG Interface



The original Microsoft Xbox was quite unique among consoles of its era because it was essentially just a PC. That enabled all kinds of hacks, including modchips that let players run bootleg games and alternative operating systems. But, of course, Microsoft wasn't too keen on that kind of activity and tried to lock down the hardware. The basis of that protection was a secret 512-byte bootrom that the system needed to read during startup. That was sniffed out with an FPGA back when the Xbox was new, but Markus Gaasedelen has just pulled off an alternative hack via the CPU's JTAG interface.

This hack has limited practical utility, because the secret bootrom is already known. But it is still an interesting experiment in true hardware hacking. It is an alternative to Bunnie's famous FPGA hack and shows what could have been done at the time.

Because the original Xbox was just a PC with an Intel Pentium III CPU, it included a JTAG interface for debugging. Gaasedelen suspected that he could read the secret bootrom via JTAG if he could get access to it. But Microsoft wanted to prevent exactly that, so they hid the JTAG TRST# (test reset) pin beneath the CPU, where nobody could interact with it while the system was operational. To perform this hack, Gaasedelen needed a way to access that pin while the Xbox booted normally.

The key to getting that access was a custom "interposer" board that sits between the CPU and the Xbox mainboard. That PCB lets most CPU signals pass straight through to the mainboard, but breaks out the JTAG TRST# pin to a System 50 connector. As far as the Xbox is concerned, the CPU is seated normally, but the interposer let Gaasedelen reach the TRST# pin. With a standard CodeTAP hardware debugger and the appropriate software, he should have been able to sniff the relevant data during startup.

But there was a problem: the system was failing its startup checks. The boot sequence expects an "okay" handshake with a PIC16 microcontroller within 200ms, and stalling the CPU with the debugging hardware meant that deadline was missed. To get around that check, Gaasedelen used an Arduino Uno development board to spoof the "okay" signal and bypass the PIC16 self-check.

With that workaround, Gaasedelen was able to read all 512 bytes of the secret bootrom. Had he done that 20 years ago, it would have been huge news and he would be a hero in the mod scene. But even today, this is a very impressive accomplishment and a fantastic lesson in hardware hacking.
