Difference between revisions of "Xbox DVD Movie Playback Kit"

From xboxdevwiki
Jump to: navigation, search
m (Known versions: Im almost sure its region 2 (X08-25402-002) but ill dump the Rom tomorow)
(Infrared signals)
(5 intermediate revisions by 2 users not shown)
Line 2: Line 2:
 
==Introduction==
 
==Introduction==
  
The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox.
+
The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox{{FIXME|reason=One of these parts, or both, seem to have a model number PG8012?}}.
  
 
== Remote Control ==
 
== Remote Control ==
 +
 +
=== Infrared interface ===
 +
 +
{{FIXME|reason=Missing info about light frequency, timing, possible preamble and more}}
 +
 +
{{FIXME|reason=The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/Xbox and all logic was extrapolated; it's entirely unconfirmed}}
 +
 +
<pre>
 +
struct {
 +
  uint8_t check_high; // 8 bit check
 +
  uint8_t check_low__data_high; // 4 bit check, 4 bit data
 +
  uint8_t data_low; // 8 bit data
 +
};
 +
</pre>
 +
 +
The first part of the transfer consists of the negated data signal (<code>check</code>).
 +
 +
The data integrity can be confirmed by XOR-ing both parts:
 +
 +
<pre>
 +
check = (check_high << 4) | check_low
 +
data = (data_high << 8) | data_low
 +
check ^ data = 0xFFF
 +
</pre>
 +
 +
The <code>check</code>, which marks the start of the transfer{{FIXME|reason=There might be a preamble}}, always starts with 0b0101, therefore the <code>data</code> always starts with 0b1010.
  
 
== Dongle ==
 
== Dongle ==
Line 20: Line 46:
 
! Part No.      !! Manufactured in !! Version !! DVD Region !! ROM Size    !! ROM SHA1                                              !! Notes
 
! Part No.      !! Manufactured in !! Version !! DVD Region !! ROM Size    !! ROM SHA1                                              !! Notes
 
|-
 
|-
| X08-25402    || Indonesia      || 1.1    || 2          || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> ||
+
| X08-25402    || Indonesia      || 1.1    || 2          || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> ||  
 
|-
 
|-
| X08-25402-002    || Indonesia      ||     ||2          || || ||
+
| X08-25402-002    || Indonesia      ||   1.1  ||2          || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> ||  
 
|-
 
|-
 
| X08-25387    || Indonesia      ||      ||          ||  ||  ||
 
| X08-25387    || Indonesia      ||      ||          ||  ||  ||
Line 31: Line 57:
 
=== USB Protocol ===
 
=== USB Protocol ===
  
{{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}}
+
====  Infrared signals ====
 +
 
 +
<!-- The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/lircd.conf.xbox + own research -->
 +
 
 +
When infrared signals are received from the Remote Control, they can be read using an interrupt transfer {{FIXME|reason=What interface etc?}}. Each USB payload is 6 bytes long:
 +
 
 +
<pre>
 +
struct {
 +
  uint8_t unk; // always 0x00 (These could be length high bits?)
 +
  uint8_t length_low; // always 0x06
 +
  uint8_t data_low;
 +
  uint8_t data_high; // only lower 4 bit are used
 +
  // Milliseconds since last press (will clamp to 0xFFFF when no button was pressed in a long time).
 +
  // A value close to 0x0040 is returned for continously holding a button.
 +
  // When holding, the value often goes back and forth between 0x0040 / 0x0041.
 +
  // It is unknown if the receiver / remote intentionally does this.
 +
  uint8_t timer_low;
 +
  uint8_t timer_high;
 +
};
 +
</pre>
 +
 
 +
====  Firmware download ====
 +
 
 +
See https://github.com/XboxDev/dump-dvd-kit {{FIXME|reason=Document the protocol here}}
  
 
=== Components ===
 
=== Components ===
Line 49: Line 98:
 
* U3 MX23C4000TC-10
 
* U3 MX23C4000TC-10
  
{{FIXME|reason=Didn't get rear components photographed yet}}
+
{{FIXME|reason=Didn't get rear components photographed yet}}73814aa736d83d636380f5c6b1c291441b35354d
  
 
==== Unknown version (PCB: "REV C.") ====
 
==== Unknown version (PCB: "REV C.") ====
Line 67: Line 116:
 
* U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt;
 
* U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt;
 
: This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers.
 
: This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers.
 
=== Hacking ===
 
 
As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security.
 
  
 
== References ==
 
== References ==

Revision as of 19:10, 27 September 2018

Remote and Receiver

Introduction

The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox[FIXME].

Remote Control

Infrared interface

[FIXME]

[FIXME]

struct {
  uint8_t check_high; // 8 bit check
  uint8_t check_low__data_high; // 4 bit check, 4 bit data
  uint8_t data_low; // 8 bit data
};

The first part of the transfer consists of the negated data signal (check).

The data integrity can be confirmed by XOR-ing both parts:

check = (check_high << 4) | check_low
data = (data_high << 8) | data_low
check ^ data = 0xFFF

The check, which marks the start of the transfer[FIXME], always starts with 0b0101, therefore the data always starts with 0b1010.

Dongle

The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone.

Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down.

Additionally the dongle contains an IR receiver to receive commands from the Remote control.

Known versions

Part No. Manufactured in Version DVD Region ROM Size ROM SHA1 Notes
X08-25402 Indonesia 1.1 2 229790 Bytes 70d4b5f8e073b05610fba9e9617d7356196b61ff
X08-25402-002 Indonesia 1.1 2 229790 Bytes 70d4b5f8e073b05610fba9e9617d7356196b61ff
X08-25387 Indonesia
X08-25387-002 Indonesia 1.1 1 229790 Bytes 73814aa736d83d636380f5c6b1c291441b35354d Sticker: "2341P" on PCB

USB Protocol

Infrared signals

When infrared signals are received from the Remote Control, they can be read using an interrupt transfer [FIXME]. Each USB payload is 6 bytes long:

struct {
  uint8_t unk; // always 0x00 (These could be length high bits?)
  uint8_t length_low; // always 0x06
  uint8_t data_low;
  uint8_t data_high; // only lower 4 bit are used
  // Milliseconds since last press (will clamp to 0xFFFF when no button was pressed in a long time).
  // A value close to 0x0040 is returned for continously holding a button.
  // When holding, the value often goes back and forth between 0x0040 / 0x0041.
  // It is unknown if the receiver / remote intentionally does this.
  uint8_t timer_low;
  uint8_t timer_high;
};

Firmware download

See https://github.com/XboxDev/dump-dvd-kit [FIXME]

Components

Different versions of the dongle seem to use different hardware internally.

X08-25387-002 (PCB: "X01469-100")

  • U1 ATMEL AT43USB352M-AC[FIXME]
  • U2 TSOP-1556
  • U3 X393121C[FIXME]

X08-25387 (PCB: "IR DONGLE REV B")

X08-25387 Rev B Sticker
Front PCB of X08-25387
  • U3 MX23C4000TC-10

[FIXME]73814aa736d83d636380f5c6b1c291441b35354d

Unknown version (PCB: "REV C.")

Frontside
Backside
This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, & MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside.
This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver.
This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM.
This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers.

References