I-Hacked.com Taking Advantage Of Technology - Installing a Modchip in a Microsoft Xbox

The following is an complete tutorial from the book "Game Console Hacking" by Syngress Publishing.

Installing a Modchip into a Microsoft Xbox by Syngress Publishing

The goal of this hack is to install a modchip into your Xbox. Because a modchip is able to operate and interface with the Xbox’s hardware at some of the lowest hardware levels, it will allow you to gain the ultimate control of your Xbox. With the modchip installed in your Xbox, you will add different capabilities, such as alternate graphic interfaces or even alternate operating systems such as Linux.

When a viable set of exploits and workarounds is found to bypass a particular security feature, the modchip is born. Modchips are small printed circuit boards (PCBs) with wires that attach to various components on the console’s main board. A modchip is usually controlled by a Microchip PIC or standard programmable logic such as a programmable logic device (PLD), but modern modchips for the Xbox and other systems include an FPGA and Flash ROM so that they can be updated with bug fixes and new features.

Many different types of modchips exist for the Xbox, all with specific functions they are designed to perform. Before laying down your hard earned cash to purchase a modchip, make sure you understand the capabilities of the device. Additionally, some modchips are very dependent on the version of the Xbox hardware they will operate on, so be sure that your desired modchip will even work with your hardware. (See the “Xbox Versions” section at the beginning of this chapter for more details.)

Typically, a basic Xbox modchip will load an alternate startup routine into the Basic Input/Output System (BIOS) of the Xbox. The BIOS controls the low-level input and output functions of the Xbox. Using a customized BIOS will allow us to load functions that are not normally part of the standard Xbox user interface.

Circumventing technical protection measures to play pirated games is unlawful. Both the U.S. and foreign governments have successfully prosecuted sellers of such modchips. In addition, downloading and using BIOS images that copy Microsoft’s proprietary code infringes Microsoft’s copyrights. Please check your country’s laws regarding this potential problem before you get involved with modchips.

Microsoft’s gaming service, Xbox Live (or XBL, as it’s often called), checks for the presence of modchips on the Xbox every time you check in with Xbox Live. If you attempt to use Xbox Live with a modified Xbox, the service will note the serial number of your Xbox and permanently ban that Xbox from XBL. Removing or disabling the modchip will not reverse the ban. The only way to get back on Xbox Live is to use a different Xbox. The main reason behind the XBL policy is that it prevents cheating. Due to the fact that modchips allow software modification to the games being played, allowing a modified Xbox onto the service would put those players with unmodified Xboxes at a disadvantage.

The modchip used in this section is the Xecuter Lite+ from www.teamxecuter.com (see Figure 3.44). At the time of this writing, version 2.3B is now available and retails for approximately $50.00. It can be purchased from many online sites, including www.system-mods.com. As of September 2004, production of the Xecuter version 3.0 is coming shortly.

Modchips are installed into the Xbox in a variety of ways. Some must be soldered directly to the Xbox motherboard. Others are “solderless” in that they use “pogo pins” to make contact with test points on the Xbox motherboard, without the need to solder. Pogo pins are commonly used for product testing during manufacturing, since they can quickly make contact with the circuit under test. The pogo pin contacts are spring-loaded and look and act like miniature pogo sticks. The spring-loaded design keeps the pin in contact with a contact pad on the motherboard, thus ensuring a good electrical connection. The pogo pins on the underside of the Xecuter Lite+ modchip are shown in Figure 3.45.

No matter what the specifics of the modchips, they almost all function via the Low Pin Count (LPC) data bus. The LPC bus is an industry-standard interface designed by Intel (and commonly used on PC-based architectures) that replaces the aging Industry Standard Architecture (ISA) interface. The LPC bus can be used to connect the CPU to other peripheral devices such as the BIOS, mouse, and keyboard. On the Xbox, the LPC bus is used for testing and debugging during production. It consists of 15 contacts in an 8x2 array. The LPC bus is located on the Xbox on the left side of the motherboard as you face the front of the Xbox (see Figure 3.46). You should note that Pin 4 is used only as a key, and the contact is completely missing from the Xbox’s motherboard.

Modchips function by loading an alternate version of firmware or “boot code” into the Xbox at system startup. By design, the Xbox looks to load alternate firmware from the LPC if the normal boot code is not available from the Flash ROM on the Xbox. The Xbox is tricked into believing that the normal Flash ROM is not available if the lowest bit on Flash ROM’s data bus line, D0, is pulled to ground (0V). In other words, when D0 is forced to a low state, the Xbox loads alternate boot code from the modchip instead of from its standard Flash ROM.

The D0 line is accessed by means of a via to the right of the LPC contacts (see Figure 3.47). A via is a plated through-hole connecting different layers of a PCB. Some brands of modchips require that a small wire be soldered to the D0 via (the protective green soldermask coating will first need to be scratched off the via using an X-ACTO knife). Other modchips use pogo-pin contacts. Due to the small size of the via, those modchips that use pogo pins need to be very precisely aligned to function.

For this hack, you will need to obtain a modchip. We’re using the Xecuter Lite+ for this chapter. You will also need the following tools:

1. Open the Xbox case as described in the “Opening the Xbox” section. You do not need to remove the front panel.

2. Plug one end of the cable assembly (received with your modchip) into the Xecuter main circuit board.

3. Locate the LPC bus on the left side of the motherboard. Adjacent to Pin 16 of the LPC, there is a Phillips-head screw holding the motherboard in place. Remove the screw and set it aside.

4. Place the Xecuter modchip on the motherboard, noting exact alignment of the pogo pin for the D0 via (see Figure 3.44). Note that the D0 line has been moved slightly in versions 1.2 and higher of the Xbox motherboard. Make sure that you know the exact location of the via for your version of the Xbox or the modchip will not function properly. Complete installation tutorials for the Xecuter modchips can be found at www.teamxecuter.com.

5. Replace the motherboard screw, passing it through the Xecuter’s circuit board to secure it into place. Your Xbox should resemble the one shown in Figure 3.48.

6. Next, mount the Xecuter’s switchboard on the front of the Xbox. The ideal placement is on the lower-left front corner, below the DVD drive (see Figures 3.49 and 3.50).

7. Now route the cable assembly (connected to the modchip) to the outside of the case. The cable will need to pass through the interior metal RF shield and the Xbox’s plastic housing.

9. Plug the other end of the cable assembly (received with your modchip) into the Xecuter switchboard on the outside of the Xbox.

The physical installation of your Xbox is now complete. For the modchip to operate, you will need to obtain a boot disk image and desired firmware. The firmware is usually included with the modchip, but if it isn’t, or if you want updated or special firmware, follow the next steps.

10. Using an Internet Relay Chat (IRC) client, connect to an EFNet server (irc.efnet.org) and join either the #xbins4newbies or #xbins channel. (For more information on IRC, visit www.irc.org.) Popular IRC clients include mIRC for Windows (www.mirc.com), BitchX for UNIX (www.bitchx.org), and Conversation for Mac OS X (http://homepage.mac.com/philrobin/conversation).

-onjoin- Welcome to #xbins! In Order to get FILES you must type /msg xbins !list he will then give you FTP info along with a username/password. You MUST be in this channel in order to recieve any info/files. If he is not in the channel then a server split is occuring and he will be back shortly. #xbins is not a help channel, it is a distribution channel. If you would like to talk in general, join #xbins-chat. If you need help, join #xbins-help.

-onjoin- For the latest releases type /msg onjoin !releases (for the 3 most recent) or !releases 10 (for the 10 most recent). Need to find a file on the FTP? Use SITE SEARCH as a raw command once logged into the ftp (CTRL + R for flashfxp)

12. In the channel, send the /msg xbins !list command. You should receive a private message from the xbins user similar to the following, which will contain the distribution FTP site, username, and password (note that the actual username and password have been deleted from this example):

<xbins> FTP ADDRESS: distribution.xbins.org PORT: 21 USERNAME: username PASSWORD: password NOTE: This Username And Password will be deleted upon connection for security reasons. This site contains 100% homebrew files and absolutly NO warez. Brought to you by #xbins and team xecuter

<xbins> Each person is allowed 30 files a day. We do NOT tolerate GREED and you shall be banned if you break this rule. Got a ACCESS DENIED error? DON'T use IE or LeechFTP. Use FlashFXP/SmartFTP/CuteFTP for best results. AFTER EVERY ATTEMPT, SUCCESSFUL OR NOT, YOU NEED TO !list AGAIN.

<xbins> If you would like CVS builds of XBMP/XBMC or any other XBMP/XBMC releases, get it on our ftp at xbmp.uk.xbins.org (Europe 100mbit) Username = username Password = password

13. Armed with this information, use an FTP client to connect to the given address and log in with the given username and password. You can only log in one time with each username/password combination before it is deleted. Upon connection, you will be prompted with a list of directories: PC, DEBUG, and XBOX.

14. Download the desired BIOS and boot disk files from the XBOX directory. The files you download are specific to your modchip and the goals of your hack. Make sure that the BIOS image fits the size of the image bank(s) in your model of Xecuter (or other modchip). For this hack, we’re using the Evolution X, or Evo X, boot disk.

With the firmware and boot disk images in hand (either obtained with the modchip or from the previous steps), we can now program the modchip and configure the Xbox. Follow these steps:

18. When prompted, for the BIOS image, swap the boot CD for the one containing the BIOS image. You will then be prompted to transfer the BIOS image to the modchip. This is done by directing the program to the image on the CDR.

19. Transfer the required boot and operating system files to the Xbox’s hard drive. These will depend on the boot image

The SlaYer Xbox Auto-Installer from http://slayer.xbox-scene.com is a great tool for installing the needed files for a modchip. In addition to the actual auto-installer program, the SlaYer site has an excellent instruction manual detailing all the steps of the installation process and several variations. These variations include upgrading hard drives in the Xbox and upgrading the BIOS.

19. Once the BIOS has been loaded into the modchip and the system files have been transferred to the Xbox hard drive, the Xbox can be shut down.

20. Ensure that the leftmost switch of the Xecuter’s switchboard is set to Enable, and restart the Xbox. If the Xecuter is installed correctly, the LED on the switchboard should illuminate and the Evo X splash screen will be displayed on the TV (see Figure 3.51). The Evo X is very similar to the standard Xbox boot screen, except that it has the Evo X logo in the upper-left corner.

21. Once the boot-up sequence is completed, a new dashboard should load. The dashboard is Xbox's graphical user interface. Figure 3.52 shows the standard Xbox dashboard; Figure 3.53 shows the Administr8tor dashboard, just one of several alternative dashboards that come as part of the Evolution X package.

Congratulations! If you can see the new dashboard, your modchip is successfully installed and operating correctly.
{mos_sb_discuss:18}