Difference between revisions of "Xbox DVD Movie Playback Kit"
(→Unknown version (from Xbox Linux)) |
JohnVeness (talk | contribs) m (→References: Added MS link) |
||
(28 intermediate revisions by 7 users not shown) | |||
Line 1: | Line 1: | ||
+ | [[File:Xbox-Remote-and-Receiver.jpg|thumb|200px|Remote and Receiver]] | ||
==Introduction== | ==Introduction== | ||
− | The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox. | + | The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox{{FIXME|reason=One of these parts, or both, seem to have a model number PG8012?}}. |
== Remote Control == | == Remote Control == | ||
+ | |||
+ | === Infrared interface === | ||
+ | |||
+ | {{FIXME|reason=Missing info about light frequency, timing, possible preamble and more}} | ||
+ | |||
+ | {{FIXME|reason=The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/Xbox and all logic was extrapolated; it's entirely unconfirmed}} | ||
+ | |||
+ | <pre> | ||
+ | struct { | ||
+ | uint8_t check_high; // 8 bit check | ||
+ | uint8_t check_low__data_high; // 4 bit check, 4 bit data | ||
+ | uint8_t data_low; // 8 bit data | ||
+ | }; | ||
+ | </pre> | ||
+ | |||
+ | The first part of the transfer consists of the negated data signal (<code>check</code>). | ||
+ | |||
+ | The data integrity can be confirmed by XOR-ing both parts: | ||
+ | |||
+ | <pre> | ||
+ | check = (check_high << 4) | check_low | ||
+ | data = (data_high << 8) | data_low | ||
+ | check ^ data = 0xFFF | ||
+ | </pre> | ||
+ | |||
+ | The <code>check</code>, which marks the start of the transfer{{FIXME|reason=There might be a preamble}}, always starts with 0b0101, therefore the <code>data</code> always starts with 0b1010. | ||
== Dongle == | == Dongle == | ||
The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. | The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone. | ||
− | Additionally the | + | |
+ | Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? | ||
+ | One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they didn't have to pay the [[wikipedia:DVD Forum|DVD Forum]] (and apparently also Dolby) for every Xbox sold, but just for every DVD Remote kit sold[https://www.youtube.com/watch?v=gquAV8f7OAY&t=2059]. This allowed them to keep the cost of the Xbox down. | ||
+ | |||
+ | Additionally the dongle contains an IR receiver to receive commands from the Remote control. | ||
=== Known versions === | === Known versions === | ||
{| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> | {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> | ||
− | ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 | + | ! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes |
|- | |- | ||
− | | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> | + | | X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |
|- | |- | ||
− | | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> | + | | X08-25402-002 || Indonesia || 1.1 ||2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> || |
+ | |- | ||
+ | | X08-25387 || Indonesia || || || || || | ||
+ | |- | ||
+ | | X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB | ||
+ | |- | ||
+ | | X08-25597 || Indonesia || 1.1 || 4 || 229790 Bytes || <code>1E6D7F4F526B56527447AA09EDA41FFF05665A16</code> || | ||
+ | |- | ||
+ | | X08-96288-002 || Indonesia || 1.1 || 3 || 229790 Bytes || <code>0447373BF9326DFF95808CD028ED19FACD54C759</code> || | ||
|} | |} | ||
=== USB Protocol === | === USB Protocol === | ||
− | {{FIXME|reason= | + | ==== USB Descriptor ==== |
+ | |||
+ | <pre> | ||
+ | |||
+ | Bus 001 Device 002: ID 045e:0284 Microsoft Corp. Xbox DVD Playback Kit | ||
+ | Couldn't open device, some information will be missing | ||
+ | Device Descriptor: | ||
+ | bLength 18 | ||
+ | bDescriptorType 1 | ||
+ | bcdUSB 1.10 | ||
+ | bDeviceClass 0 | ||
+ | bDeviceSubClass 0 | ||
+ | bDeviceProtocol 0 | ||
+ | bMaxPacketSize0 64 | ||
+ | idVendor 0x045e Microsoft Corp. | ||
+ | idProduct 0x0284 Xbox DVD Playback Kit | ||
+ | bcdDevice 0.0a | ||
+ | iManufacturer 0 | ||
+ | iProduct 0 | ||
+ | iSerial 0 | ||
+ | bNumConfigurations 1 | ||
+ | Configuration Descriptor: | ||
+ | bLength 9 | ||
+ | bDescriptorType 2 | ||
+ | wTotalLength 0x0022 | ||
+ | bNumInterfaces 2 | ||
+ | bConfigurationValue 1 | ||
+ | iConfiguration 0 | ||
+ | bmAttributes 0x00 | ||
+ | (Missing must-be-set bit!) | ||
+ | (Bus Powered) | ||
+ | MaxPower 0mA | ||
+ | Interface Descriptor: | ||
+ | bLength 9 | ||
+ | bDescriptorType 4 | ||
+ | bInterfaceNumber 0 | ||
+ | bAlternateSetting 0 | ||
+ | bNumEndpoints 1 | ||
+ | bInterfaceClass 88 Xbox | ||
+ | bInterfaceSubClass 66 Controller | ||
+ | bInterfaceProtocol 0 | ||
+ | iInterface 0 | ||
+ | Endpoint Descriptor: | ||
+ | bLength 7 | ||
+ | bDescriptorType 5 | ||
+ | bEndpointAddress 0x81 EP 1 IN | ||
+ | bmAttributes 3 | ||
+ | Transfer Type Interrupt | ||
+ | Synch Type None | ||
+ | Usage Type Data | ||
+ | wMaxPacketSize 0x0008 1x 8 bytes | ||
+ | bInterval 16 | ||
+ | Interface Descriptor: | ||
+ | bLength 9 | ||
+ | bDescriptorType 4 | ||
+ | bInterfaceNumber 1 | ||
+ | bAlternateSetting 0 | ||
+ | bNumEndpoints 0 | ||
+ | bInterfaceClass 89 | ||
+ | bInterfaceSubClass 0 | ||
+ | bInterfaceProtocol 0 | ||
+ | iInterface 0 | ||
+ | </pre> | ||
+ | |||
+ | ==== Infrared signals ==== | ||
+ | |||
+ | <!-- The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/lircd.conf.xbox + own research --> | ||
+ | |||
+ | When infrared signals are received from the Remote Control, they can be read using an interrupt transfer {{FIXME|reason=What interface etc?}}. Each USB payload is 6 bytes long: | ||
+ | |||
+ | <pre> | ||
+ | struct { | ||
+ | uint8_t unk; // always 0x00 (These could be length high bits?) | ||
+ | uint8_t length_low; // always 0x06 | ||
+ | uint8_t data_low; | ||
+ | uint8_t data_high; // only lower 4 bit are used (Always 0x0A with offical Microsoft remote) | ||
+ | // Milliseconds since last press (will clamp to 0xFFFF when no button was pressed in a long time). | ||
+ | // A value close to 0x0040 is returned for continously holding a button. | ||
+ | // When holding, the value often goes back and forth between 0x0040 / 0x0041. | ||
+ | // It is unknown if the receiver / remote intentionally does this. | ||
+ | uint8_t timer_low; | ||
+ | uint8_t timer_high; | ||
+ | }; | ||
+ | </pre> | ||
+ | |||
+ | When holding two or more buttons at once on the remote the IR receiver stops sending interrupt transfers. The last transfer will be the first button pressed. | ||
+ | |||
+ | The keycodes read from an official Microsoft IR remote are as follows: | ||
+ | {| class="wikitable" | ||
+ | !Button | ||
+ | !data_low | ||
+ | !data_high | ||
+ | |- | ||
+ | |INFO | ||
+ | |0xC3 | ||
+ | |0x0A | ||
+ | |- | ||
+ | |9 | ||
+ | |0xC6 | ||
+ | |0x0A | ||
+ | |- | ||
+ | |8 | ||
+ | |0xC7 | ||
+ | |0x0A | ||
+ | |- | ||
+ | |7 | ||
+ | |0xC8 | ||
+ | |0x0A | ||
+ | |- | ||
+ | |6 | ||
+ | |0xC9 | ||
+ | |0x0A | ||
+ | |- | ||
+ | |5 | ||
+ | |0xCA | ||
+ | |0x0A | ||
+ | |- | ||
+ | |4 | ||
+ | |0xCB | ||
+ | |0x0A | ||
+ | |- | ||
+ | |3 | ||
+ | |0xCC | ||
+ | |0x0A | ||
+ | |- | ||
+ | |2 | ||
+ | |0xCD | ||
+ | |0x0A | ||
+ | |- | ||
+ | |1 | ||
+ | |0xCE | ||
+ | |0x0A | ||
+ | |- | ||
+ | |0 | ||
+ | |0xCF | ||
+ | |0x0A | ||
+ | |- | ||
+ | |SELECT | ||
+ | |0x0B | ||
+ | |0x0A | ||
+ | |- | ||
+ | |UP | ||
+ | |0xA6 | ||
+ | |0x0A | ||
+ | |- | ||
+ | |DOWN | ||
+ | |0xA7 | ||
+ | |0x0A | ||
+ | |- | ||
+ | |RIGHT | ||
+ | |0xA8 | ||
+ | |0x0A | ||
+ | |- | ||
+ | |LEFT | ||
+ | |0xA9 | ||
+ | |0x0A | ||
+ | |- | ||
+ | |STOP | ||
+ | |0xE0 | ||
+ | |0x0A | ||
+ | |- | ||
+ | |REVERSE | ||
+ | |0xE2 | ||
+ | |0x0A | ||
+ | |- | ||
+ | |FORWARD | ||
+ | |0xE3 | ||
+ | |0x0A | ||
+ | |- | ||
+ | |TITLE | ||
+ | |0xE5 | ||
+ | |0x0A | ||
+ | |- | ||
+ | |PAUSE | ||
+ | |0xE6 | ||
+ | |0x0A | ||
+ | |- | ||
+ | |PLAY | ||
+ | |0xEA | ||
+ | |0x0A | ||
+ | |- | ||
+ | |POWER | ||
+ | |0xD5 | ||
+ | |0x0A | ||
+ | |- | ||
+ | |BACK | ||
+ | |0xD8 | ||
+ | |0x0A | ||
+ | |- | ||
+ | |SKIP- | ||
+ | |0xDD | ||
+ | |0x0A | ||
+ | |- | ||
+ | |SKIP+ | ||
+ | |0xDF | ||
+ | |0x0A | ||
+ | |- | ||
+ | |MENU | ||
+ | |0xF7 | ||
+ | |0x0A | ||
+ | |- | ||
+ | |} | ||
+ | |||
+ | ==== Firmware download ==== | ||
+ | |||
+ | See https://github.com/XboxDev/dump-dvd-kit (PC Python based) or https://github.com/Ryzee119/Dongle_Dumper (Xbox homebrew). | ||
+ | |||
+ | The firmware locatedn on the DVD dongle is accessed over USB by a vendor specific control request. | ||
+ | |||
+ | The setup packet for the control transfer should have the below format: | ||
+ | |||
+ | {| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) --> | ||
+ | ! Field !! Value !! Notes | ||
+ | |- | ||
+ | | bmRequestType || 0xC1 || Device-to-host / Vendor / Interface. | ||
+ | |- | ||
+ | | bRequest || 1 or 2 || 1 = Request ROM info, 2 = Request ROM data. | ||
+ | |- | ||
+ | | wValue || What 1024 byte chunk || 0 = the first 1024 bytes, 1 = Second 1024 bytes etc. | ||
+ | |- | ||
+ | | wIndex || 1 (Normally) || Should point to the bInterfaceNumber that has a bInterfaceClass of 0x59. That happens to be 1 on most DVD Playback dongles. | ||
+ | |- | ||
+ | | wLength || Up to 1024 || Number of bytes to read from chunk set by wValue. Note the max value here is 1024. To read the next chunk, issue another setup packet with a new wValue. | ||
+ | |- | ||
+ | |} | ||
+ | |||
+ | bRequest = 1 can be used to obtain the header of the ROM. This is a 6 byte header in the form: | ||
+ | <pre> | ||
+ | typedef struct | ||
+ | { | ||
+ | uint16_t version; //The version of the embedded ROM | ||
+ | uint32_t rom_size; //In bytes | ||
+ | } xremote_info_t; | ||
+ | </pre> | ||
+ | |||
+ | The rom size can then be used with bRequest = 2 to obtain the entire ROM contents. It should be noted that the ROM header obtained with bRequest = 2 is also present at the first 6 bytes of the full ROM image. So it is possible to obtain the ROM header info with bRequest = 2 requesting the first 6 bytes. | ||
=== Components === | === Components === | ||
Line 28: | Line 302: | ||
Different versions of the dongle seem to use different hardware internally. | Different versions of the dongle seem to use different hardware internally. | ||
− | ==== X08-25387-002 (PCB: X01469-100) ==== | + | ==== X08-25387-002 (PCB: "X01469-100") ==== |
* U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} | * U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}} | ||
Line 34: | Line 308: | ||
* U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} | * U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}} | ||
− | ==== Unknown version ( | + | ==== X08-25387 (PCB: "IR DONGLE REV B") ==== |
+ | [[File:X08-25387-Sticker.jpeg|thumb|200px|X08-25387 Rev B Sticker]] | ||
+ | [[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of X08-25387]] | ||
+ | |||
+ | * U3 MX23C4000TC-10 | ||
+ | |||
+ | {{FIXME|reason=Didn't get rear components photographed yet}}73814aa736d83d636380f5c6b1c291441b35354d | ||
+ | |||
+ | ==== Unknown version (PCB: "REV C.") ==== | ||
[[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] | [[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]] | ||
Line 46: | Line 328: | ||
* U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] <[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]> | * U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] <[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]> | ||
− | : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM | + | : This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. |
− | |||
− | |||
* U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] <[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]> | * U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] <[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]> | ||
: This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. | : This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers. | ||
− | |||
− | |||
− | |||
− | |||
== References == | == References == | ||
* [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] | * [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals] | ||
− | * [https:// | + | * [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals] |
+ | * [https://www.betaarchive.com/wiki/index.php/Microsoft_KB_Archive/817041 Microsoft KB817041 document "Xbox: Description of the DVD Movie Playback Kit"] |
Latest revision as of 16:42, 26 January 2022
Introduction
The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox[FIXME].
Remote Control
Infrared interface
[FIXME]
[FIXME]
struct { uint8_t check_high; // 8 bit check uint8_t check_low__data_high; // 4 bit check, 4 bit data uint8_t data_low; // 8 bit data };
The first part of the transfer consists of the negated data signal (check
).
The data integrity can be confirmed by XOR-ing both parts:
check = (check_high << 4) | check_low data = (data_high << 8) | data_low check ^ data = 0xFFF
The check
, which marks the start of the transfer[FIXME], always starts with 0b0101, therefore the data
always starts with 0b1010.
Dongle
The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone.
Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they didn't have to pay the DVD Forum (and apparently also Dolby) for every Xbox sold, but just for every DVD Remote kit sold[1]. This allowed them to keep the cost of the Xbox down.
Additionally the dongle contains an IR receiver to receive commands from the Remote control.
Known versions
Part No. | Manufactured in | Version | DVD Region | ROM Size | ROM SHA1 | Notes |
---|---|---|---|---|---|---|
X08-25402 | Indonesia | 1.1 | 2 | 229790 Bytes | 70d4b5f8e073b05610fba9e9617d7356196b61ff |
|
X08-25402-002 | Indonesia | 1.1 | 2 | 229790 Bytes | 70d4b5f8e073b05610fba9e9617d7356196b61ff |
|
X08-25387 | Indonesia | |||||
X08-25387-002 | Indonesia | 1.1 | 1 | 229790 Bytes | 73814aa736d83d636380f5c6b1c291441b35354d |
Sticker: "2341P" on PCB |
X08-25597 | Indonesia | 1.1 | 4 | 229790 Bytes | 1E6D7F4F526B56527447AA09EDA41FFF05665A16 |
|
X08-96288-002 | Indonesia | 1.1 | 3 | 229790 Bytes | 0447373BF9326DFF95808CD028ED19FACD54C759 |
USB Protocol
USB Descriptor
Bus 001 Device 002: ID 045e:0284 Microsoft Corp. Xbox DVD Playback Kit Couldn't open device, some information will be missing Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 1.10 bDeviceClass 0 bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x045e Microsoft Corp. idProduct 0x0284 Xbox DVD Playback Kit bcdDevice 0.0a iManufacturer 0 iProduct 0 iSerial 0 bNumConfigurations 1 Configuration Descriptor: bLength 9 bDescriptorType 2 wTotalLength 0x0022 bNumInterfaces 2 bConfigurationValue 1 iConfiguration 0 bmAttributes 0x00 (Missing must-be-set bit!) (Bus Powered) MaxPower 0mA Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 0 bAlternateSetting 0 bNumEndpoints 1 bInterfaceClass 88 Xbox bInterfaceSubClass 66 Controller bInterfaceProtocol 0 iInterface 0 Endpoint Descriptor: bLength 7 bDescriptorType 5 bEndpointAddress 0x81 EP 1 IN bmAttributes 3 Transfer Type Interrupt Synch Type None Usage Type Data wMaxPacketSize 0x0008 1x 8 bytes bInterval 16 Interface Descriptor: bLength 9 bDescriptorType 4 bInterfaceNumber 1 bAlternateSetting 0 bNumEndpoints 0 bInterfaceClass 89 bInterfaceSubClass 0 bInterfaceProtocol 0 iInterface 0
Infrared signals
When infrared signals are received from the Remote Control, they can be read using an interrupt transfer [FIXME]. Each USB payload is 6 bytes long:
struct { uint8_t unk; // always 0x00 (These could be length high bits?) uint8_t length_low; // always 0x06 uint8_t data_low; uint8_t data_high; // only lower 4 bit are used (Always 0x0A with offical Microsoft remote) // Milliseconds since last press (will clamp to 0xFFFF when no button was pressed in a long time). // A value close to 0x0040 is returned for continously holding a button. // When holding, the value often goes back and forth between 0x0040 / 0x0041. // It is unknown if the receiver / remote intentionally does this. uint8_t timer_low; uint8_t timer_high; };
When holding two or more buttons at once on the remote the IR receiver stops sending interrupt transfers. The last transfer will be the first button pressed.
The keycodes read from an official Microsoft IR remote are as follows:
Button | data_low | data_high |
---|---|---|
INFO | 0xC3 | 0x0A |
9 | 0xC6 | 0x0A |
8 | 0xC7 | 0x0A |
7 | 0xC8 | 0x0A |
6 | 0xC9 | 0x0A |
5 | 0xCA | 0x0A |
4 | 0xCB | 0x0A |
3 | 0xCC | 0x0A |
2 | 0xCD | 0x0A |
1 | 0xCE | 0x0A |
0 | 0xCF | 0x0A |
SELECT | 0x0B | 0x0A |
UP | 0xA6 | 0x0A |
DOWN | 0xA7 | 0x0A |
RIGHT | 0xA8 | 0x0A |
LEFT | 0xA9 | 0x0A |
STOP | 0xE0 | 0x0A |
REVERSE | 0xE2 | 0x0A |
FORWARD | 0xE3 | 0x0A |
TITLE | 0xE5 | 0x0A |
PAUSE | 0xE6 | 0x0A |
PLAY | 0xEA | 0x0A |
POWER | 0xD5 | 0x0A |
BACK | 0xD8 | 0x0A |
SKIP- | 0xDD | 0x0A |
SKIP+ | 0xDF | 0x0A |
MENU | 0xF7 | 0x0A |
Firmware download
See https://github.com/XboxDev/dump-dvd-kit (PC Python based) or https://github.com/Ryzee119/Dongle_Dumper (Xbox homebrew).
The firmware locatedn on the DVD dongle is accessed over USB by a vendor specific control request.
The setup packet for the control transfer should have the below format:
Field | Value | Notes |
---|---|---|
bmRequestType | 0xC1 | Device-to-host / Vendor / Interface. |
bRequest | 1 or 2 | 1 = Request ROM info, 2 = Request ROM data. |
wValue | What 1024 byte chunk | 0 = the first 1024 bytes, 1 = Second 1024 bytes etc. |
wIndex | 1 (Normally) | Should point to the bInterfaceNumber that has a bInterfaceClass of 0x59. That happens to be 1 on most DVD Playback dongles. |
wLength | Up to 1024 | Number of bytes to read from chunk set by wValue. Note the max value here is 1024. To read the next chunk, issue another setup packet with a new wValue. |
bRequest = 1 can be used to obtain the header of the ROM. This is a 6 byte header in the form:
typedef struct { uint16_t version; //The version of the embedded ROM uint32_t rom_size; //In bytes } xremote_info_t;
The rom size can then be used with bRequest = 2 to obtain the entire ROM contents. It should be noted that the ROM header obtained with bRequest = 2 is also present at the first 6 bytes of the full ROM image. So it is possible to obtain the ROM header info with bRequest = 2 requesting the first 6 bytes.
Components
Different versions of the dongle seem to use different hardware internally.
X08-25387-002 (PCB: "X01469-100")
- U1 ATMEL AT43USB352M-AC[FIXME]
- U2 TSOP-1556
- U3 X393121C[FIXME]
X08-25387 (PCB: "IR DONGLE REV B")
- U3 MX23C4000TC-10
[FIXME]73814aa736d83d636380f5c6b1c291441b35354d
Unknown version (PCB: "REV C.")
- U1 92163 STMicroelectronics <Datasheet>
- This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, & MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside.
- U2 TSOP-1556 Vishay Telefunken <Datasheet>
- This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver.
- This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM.
- U4 HC574 Texas Instruments <Datasheet>
- This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers.