Difference between revisions of "Xbox DVD Movie Playback Kit"

From xboxdevwiki
m (X08-25387 (PCB: "IR DONGLE REV B"))
m (References: Added MS link)
 
(17 intermediate revisions by 5 users not shown)
Line 1: Line 1:
 +
[[File:Xbox-Remote-and-Receiver.jpg|thumb|200px|Remote and Receiver]]
 
==Introduction==
 
==Introduction==
  
The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox.
+
The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox{{FIXME|reason=One of these parts, or both, seem to have a model number PG8012?}}.
  
 
== Remote Control ==
 
== Remote Control ==
 +
 +
=== Infrared interface ===
 +
 +
{{FIXME|reason=Missing info about light frequency, timing, possible preamble and more}}
 +
 +
{{FIXME|reason=The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/Xbox and all logic was extrapolated; it's entirely unconfirmed}}
 +
 +
<pre>
 +
struct {
 +
  uint8_t check_high; // 8 bit check
 +
  uint8_t check_low__data_high; // 4 bit check, 4 bit data
 +
  uint8_t data_low; // 8 bit data
 +
};
 +
</pre>
 +
 +
The first part of the transfer consists of the negated data signal (<code>check</code>).
 +
 +
The data integrity can be confirmed by XOR-ing both parts:
 +
 +
<pre>
 +
check = (check_high << 4) | check_low
 +
data = (data_high << 8) | data_low
 +
check ^ data = 0xFFF
 +
</pre>
 +
 +
The <code>check</code>, which marks the start of the transfer{{FIXME|reason=There might be a preamble}}, always starts with 0b0101, therefore the <code>data</code> always starts with 0b1010.
  
 
== Dongle ==
 
== Dongle ==
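Review bot: the integrity formula in the new "Infrared interface" section uses <code>check_low</code> and <code>data_high</code>, but the struct above it only declares a combined <code>check_low__data_high</code> byte. Say explicitly which nibble of that byte is which (the field name and the "starts with 0b0101" remark suggest check in the upper nibble, data in the lower), so the XOR check can be implemented without guessing.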
Line 10: Line 37:
  
 
Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program?
 
Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program?
One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down.
+
One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they didn't have to pay the [[wikipedia:DVD Forum|DVD Forum]] (and apparently also Dolby) for every Xbox sold, but just for every DVD Remote kit sold[https://www.youtube.com/watch?v=gquAV8f7OAY&t=2059]. This allowed them to keep the cost of the Xbox down.
  
 
Additionally the dongle contains an IR receiver to receive commands from the Remote control.
 
Additionally the dongle contains an IR receiver to receive commands from the Remote control.
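Review bot: in the rewritten licensing sentence, the evidence still quoted is the Dolby label ("Made under license from Dolby Laboratories"), while the claim now names the DVD Forum first and Dolby only in parentheses. Reorder the sentence so the label supports the Dolby part and the video link supports the DVD Forum part, and give the bare YouTube link a title or turn it into a proper reference so it survives if the URL changes.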
Line 19: Line 46:
 
! Part No.      !! Manufactured in !! Version !! DVD Region !! ROM Size    !! ROM SHA1                                              !! Notes
 
! Part No.      !! Manufactured in !! Version !! DVD Region !! ROM Size    !! ROM SHA1                                              !! Notes
 
|-
 
|-
| X08-25402    || Indonesia      || 1.1    || 2          || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> ||
+
| X08-25402    || Indonesia      || 1.1    || 2          || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> ||  
 
|-
 
|-
| X08-25402-002     || Indonesia      ||     ||          || || ||
+
| X08-25402-002 || Indonesia      || 1.1    ||2           || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> ||  
 
|-
 
|-
| X08-25387    || Indonesia      ||     ||           || || ||
+
| X08-25387    || Indonesia      ||         ||           ||             ||                                                       ||
 
|-
 
|-
 
| X08-25387-002 || Indonesia      || 1.1    || 1          || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB
 
| X08-25387-002 || Indonesia      || 1.1    || 1          || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB
 +
|-
 +
| X08-25597    || Indonesia      || 1.1    || 4          || 229790 Bytes || <code>1E6D7F4F526B56527447AA09EDA41FFF05665A16</code> ||
 +
|-
 +
| X08-96288-002 || Indonesia      || 1.1    || 3          || 229790 Bytes || <code>0447373BF9326DFF95808CD028ED19FACD54C759</code> ||
 
|}
 
|}
  
 
=== USB Protocol ===
 
=== USB Protocol ===
  
{{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}}
+
==== USB Descriptor ====
 +
 
 +
<pre>
 +
 
 +
Bus 001 Device 002: ID 045e:0284 Microsoft Corp. Xbox DVD Playback Kit
 +
Couldn't open device, some information will be missing
 +
Device Descriptor:
 +
  bLength                18
 +
  bDescriptorType        1
 +
  bcdUSB              1.10
 +
  bDeviceClass            0
 +
  bDeviceSubClass        0
 +
  bDeviceProtocol        0
 +
  bMaxPacketSize0        64
 +
  idVendor          0x045e Microsoft Corp.
 +
  idProduct          0x0284 Xbox DVD Playback Kit
 +
  bcdDevice            0.0a
 +
  iManufacturer          0
 +
  iProduct                0
 +
  iSerial                0
 +
  bNumConfigurations      1
 +
  Configuration Descriptor:
 +
    bLength                9
 +
    bDescriptorType        2
 +
    wTotalLength      0x0022
 +
    bNumInterfaces          2
 +
    bConfigurationValue    1
 +
    iConfiguration          0
 +
    bmAttributes        0x00
 +
      (Missing must-be-set bit!)
 +
      (Bus Powered)
 +
    MaxPower                0mA
 +
    Interface Descriptor:
 +
      bLength                9
 +
      bDescriptorType        4
 +
      bInterfaceNumber        0
 +
      bAlternateSetting      0
 +
      bNumEndpoints          1
 +
      bInterfaceClass        88 Xbox
 +
      bInterfaceSubClass    66 Controller
 +
      bInterfaceProtocol      0
 +
      iInterface              0
 +
      Endpoint Descriptor:
 +
        bLength                7
 +
        bDescriptorType        5
 +
        bEndpointAddress    0x81  EP 1 IN
 +
        bmAttributes            3
 +
          Transfer Type            Interrupt
 +
          Synch Type              None
 +
          Usage Type              Data
 +
        wMaxPacketSize    0x0008  1x 8 bytes
 +
        bInterval              16
 +
    Interface Descriptor:
 +
      bLength                9
 +
      bDescriptorType        4
 +
      bInterfaceNumber        1
 +
      bAlternateSetting      0
 +
      bNumEndpoints          0
 +
      bInterfaceClass        89
 +
      bInterfaceSubClass      0
 +
      bInterfaceProtocol      0
 +
      iInterface              0
 +
</pre>
 +
 
 +
====  Infrared signals ====
 +
 
 +
<!-- The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/lircd.conf.xbox + own research -->
 +
 
 +
When infrared signals are received from the Remote Control, they can be read using an interrupt transfer {{FIXME|reason=What interface etc?}}. Each USB payload is 6 bytes long:
 +
 
 +
<pre>
 +
struct {
 +
  uint8_t unk; // always 0x00 (These could be length high bits?)
 +
  uint8_t length_low; // always 0x06
 +
  uint8_t data_low;
 +
  uint8_t data_high; // only lower 4 bit are used (Always 0x0A with offical Microsoft remote)
 +
  // Milliseconds since last press (will clamp to 0xFFFF when no button was pressed in a long time).
 +
  // A value close to 0x0040 is returned for continously holding a button.
 +
  // When holding, the value often goes back and forth between 0x0040 / 0x0041.
 +
  // It is unknown if the receiver / remote intentionally does this.
 +
  uint8_t timer_low;
 +
  uint8_t timer_high;
 +
};
 +
</pre>
 +
 
 +
When holding two or more buttons at once on the remote the IR receiver stops sending interrupt transfers. The last transfer will be the first button pressed.
 +
 
 +
The keycodes read from an official Microsoft IR remote are as follows:
 +
{| class="wikitable"
 +
!Button
 +
!data_low
 +
!data_high
 +
|-
 +
|INFO
 +
|0xC3
 +
|0x0A
 +
|-
 +
|9
 +
|0xC6
 +
|0x0A
 +
|-
 +
|8
 +
|0xC7
 +
|0x0A
 +
|-
 +
|7
 +
|0xC8
 +
|0x0A
 +
|-
 +
|6
 +
|0xC9
 +
|0x0A
 +
|-
 +
|5
 +
|0xCA
 +
|0x0A
 +
|-
 +
|4
 +
|0xCB
 +
|0x0A
 +
|-
 +
|3
 +
|0xCC
 +
|0x0A
 +
|-
 +
|2
 +
|0xCD
 +
|0x0A
 +
|-
 +
|1
 +
|0xCE
 +
|0x0A
 +
|-
 +
|0
 +
|0xCF
 +
|0x0A
 +
|-
 +
|SELECT
 +
|0x0B
 +
|0x0A
 +
|-
 +
|UP
 +
|0xA6
 +
|0x0A
 +
|-
 +
|DOWN
 +
|0xA7
 +
|0x0A
 +
|-
 +
|RIGHT
 +
|0xA8
 +
|0x0A
 +
|-
 +
|LEFT
 +
|0xA9
 +
|0x0A
 +
|-
 +
|STOP
 +
|0xE0
 +
|0x0A
 +
|-
 +
|REVERSE
 +
|0xE2
 +
|0x0A
 +
|-
 +
|FORWARD
 +
|0xE3
 +
|0x0A
 +
|-
 +
|TITLE
 +
|0xE5
 +
|0x0A
 +
|-
 +
|PAUSE
 +
|0xE6
 +
|0x0A
 +
|-
 +
|PLAY
 +
|0xEA
 +
|0x0A
 +
|-
 +
|POWER
 +
|0xD5
 +
|0x0A
 +
|-
 +
|BACK
 +
|0xD8
 +
|0x0A
 +
|-
 +
|SKIP-
 +
|0xDD
 +
|0x0A
 +
|-
 +
|SKIP+
 +
|0xDF
 +
|0x0A
 +
|-
 +
|MENU
 +
|0xF7
 +
|0x0A
 +
|-
 +
|}
 +
 
 +
====  Firmware download ====
 +
 
 +
See https://github.com/XboxDev/dump-dvd-kit (PC Python based) or https://github.com/Ryzee119/Dongle_Dumper (Xbox homebrew).
 +
 
 +
The firmware locatedn on the DVD dongle is accessed over USB by a vendor specific control request.
 +
 
 +
The setup packet for the control transfer should have the below format:
 +
 
 +
{| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) -->
 +
! Field        !! Value !! Notes
 +
|-
 +
| bmRequestType || 0xC1                || Device-to-host / Vendor / Interface.
 +
|-
 +
| bRequest      || 1 or 2              || 1 = Request ROM info, 2 = Request ROM data.
 +
|-
 +
| wValue        || What 1024 byte chunk || 0 = the first 1024 bytes, 1 = Second 1024 bytes etc.
 +
|-
 +
| wIndex        || 1 (Normally)        || Should point to the bInterfaceNumber that has a bInterfaceClass of 0x59. That happens to be 1 on most DVD Playback dongles.
 +
|-
 +
| wLength      || Up to 1024          || Number of bytes to read from chunk set by wValue. Note the max value here is 1024. To read the next chunk, issue another setup packet with a new wValue.
 +
|-
 +
|}
 +
 
 +
bRequest = 1 can be used to obtain the header of the ROM. This is a 6 byte header in the form:
 +
<pre>
 +
typedef struct
 +
{
 +
    uint16_t version;  //The version of the embedded ROM
 +
    uint32_t rom_size; //In bytes
 +
} xremote_info_t;
 +
</pre>
 +
 
 +
The rom size can then be used with bRequest = 2 to obtain the entire ROM contents. It should be noted that the ROM header obtained with bRequest = 2 is also present at the first 6 bytes of the full ROM image. So it is possible to obtain the ROM header info with bRequest = 2 requesting the first 6 bytes.
  
 
=== Components ===
 
=== Components ===
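Review bot: in the new "Firmware download" text, "the ROM header obtained with bRequest = 2 is also present at the first 6 bytes" looks inconsistent with the table, which defines bRequest = 1 as the ROM info request; please confirm which value is meant there. In the same section, <code>xremote_info_t</code> is described as a 6 byte header, but a <code>uint16_t</code> followed by a <code>uint32_t</code> is normally padded to 8 bytes by a C compiler, so note that the struct is packed and state the byte order. Minor: the two added table rows give the ROM SHA1 in uppercase while the existing rows are lowercase.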
Line 43: Line 309:
  
 
==== X08-25387 (PCB: "IR DONGLE REV B") ====
 
==== X08-25387 (PCB: "IR DONGLE REV B") ====
 +
[[File:X08-25387-Sticker.jpeg|thumb|200px|X08-25387 Rev B Sticker]]
 +
[[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of X08-25387]]
  
[[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|FrontPCB]]
+
* U3 MX23C4000TC-10
  
* U3 MX23C4000TC-10
+
{{FIXME|reason=Didn't get rear components photographed yet}}73814aa736d83d636380f5c6b1c291441b35354d
  
 
==== Unknown version (PCB: "REV C.") ====
 
==== Unknown version (PCB: "REV C.") ====
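Review bot: the added FIXME line for X08-25387 ends with an unlabeled hash (<code>73814aa7…</code>) directly after the template. It is the same value as the ROM SHA1 listed for X08-25387-002, while the X08-25387 row in "Known versions" is still empty; either move it into that table row or label what it is a hash of.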
Line 64: Line 332:
 
* U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt;
 
* U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt;
 
: This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers.
 
: This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers.
 
=== Hacking ===
 
 
As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security.
 
  
 
== References ==
 
== References ==
  
 
* [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals]
 
* [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals]
* [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM]
 
 
* [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals]
 
* [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals]
 +
* [https://www.betaarchive.com/wiki/index.php/Microsoft_KB_Archive/817041 Microsoft KB817041 document "Xbox: Description of the DVD Movie Playback Kit"]
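Review bot: the "=== Hacking ===" paragraph and the JayFoxRox/xbox-tools reference appear only on the old side of this hunk, so the statement that the XBE "is still signed and checked for security" is dropped without being carried over anywhere. If the removal is intentional, say why; otherwise keep that sentence under "Dongle", since it is the only place the page describes the signature check.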

Latest revision as of 16:42, 26 January 2022

Remote and Receiver

Introduction

The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox[FIXME].

Remote Control

Infrared interface

[FIXME]

[FIXME]

struct {
  uint8_t check_high; // 8 bit check
  uint8_t check_low__data_high; // 4 bit check, 4 bit data
  uint8_t data_low; // 8 bit data
};

The first part of the transfer consists of the negated data signal (check).

The data integrity can be confirmed by XOR-ing both parts:

check = (check_high << 4) | check_low
data = (data_high << 8) | data_low
check ^ data = 0xFFF

The check, which marks the start of the transfer[FIXME], always starts with 0b0101, therefore the data always starts with 0b1010.

Dongle

The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone.

Why would they not just put this little < 512 KiB library on the hard disk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they didn't have to pay the DVD Forum (and apparently also Dolby) for every Xbox sold, but just for every DVD Remote kit sold[1]. This allowed them to keep the cost of the Xbox down.

Additionally the dongle contains an IR receiver to receive commands from the Remote control.

Known versions

Part No. | Manufactured in | Version | DVD Region | ROM Size | ROM SHA1 | Notes
X08-25402 | Indonesia | 1.1 | 2 | 229790 Bytes | 70d4b5f8e073b05610fba9e9617d7356196b61ff |
X08-25402-002 | Indonesia | 1.1 | 2 | 229790 Bytes | 70d4b5f8e073b05610fba9e9617d7356196b61ff |
X08-25387 | Indonesia | | | | |
X08-25387-002 | Indonesia | 1.1 | 1 | 229790 Bytes | 73814aa736d83d636380f5c6b1c291441b35354d | Sticker: "2341P" on PCB
X08-25597 | Indonesia | 1.1 | 4 | 229790 Bytes | 1E6D7F4F526B56527447AA09EDA41FFF05665A16 |
X08-96288-002 | Indonesia | 1.1 | 3 | 229790 Bytes | 0447373BF9326DFF95808CD028ED19FACD54C759 |

USB Protocol

USB Descriptor


Bus 001 Device 002: ID 045e:0284 Microsoft Corp. Xbox DVD Playback Kit
Couldn't open device, some information will be missing
Device Descriptor:
  bLength                18
  bDescriptorType         1
  bcdUSB               1.10
  bDeviceClass            0 
  bDeviceSubClass         0 
  bDeviceProtocol         0 
  bMaxPacketSize0        64
  idVendor           0x045e Microsoft Corp.
  idProduct          0x0284 Xbox DVD Playback Kit
  bcdDevice            0.0a
  iManufacturer           0 
  iProduct                0 
  iSerial                 0 
  bNumConfigurations      1
  Configuration Descriptor:
    bLength                 9
    bDescriptorType         2
    wTotalLength       0x0022
    bNumInterfaces          2
    bConfigurationValue     1
    iConfiguration          0 
    bmAttributes         0x00
      (Missing must-be-set bit!)
      (Bus Powered)
    MaxPower                0mA
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        0
      bAlternateSetting       0
      bNumEndpoints           1
      bInterfaceClass        88 Xbox
      bInterfaceSubClass     66 Controller
      bInterfaceProtocol      0 
      iInterface              0 
      Endpoint Descriptor:
        bLength                 7
        bDescriptorType         5
        bEndpointAddress     0x81  EP 1 IN
        bmAttributes            3
          Transfer Type            Interrupt
          Synch Type               None
          Usage Type               Data
        wMaxPacketSize     0x0008  1x 8 bytes
        bInterval              16
    Interface Descriptor:
      bLength                 9
      bDescriptorType         4
      bInterfaceNumber        1
      bAlternateSetting       0
      bNumEndpoints           0
      bInterfaceClass        89 
      bInterfaceSubClass      0 
      bInterfaceProtocol      0 
      iInterface              0 

Infrared signals

When infrared signals are received from the Remote Control, they can be read using an interrupt transfer [FIXME]. Each USB payload is 6 bytes long:

struct {
  uint8_t unk; // always 0x00 (These could be length high bits?)
  uint8_t length_low; // always 0x06
  uint8_t data_low;
  uint8_t data_high; // only lower 4 bit are used (Always 0x0A with official Microsoft remote)
  // Milliseconds since last press (will clamp to 0xFFFF when no button was pressed in a long time).
  // A value close to 0x0040 is returned for continuously holding a button.
  // When holding, the value often goes back and forth between 0x0040 / 0x0041.
  // It is unknown if the receiver / remote intentionally does this.
  uint8_t timer_low;
  uint8_t timer_high;
};

When two or more buttons are held at once on the remote, the IR receiver stops sending interrupt transfers. The last transfer will be the first button pressed.

The keycodes read from an official Microsoft IR remote are as follows:

Button data_low data_high
INFO 0xC3 0x0A
9 0xC6 0x0A
8 0xC7 0x0A
7 0xC8 0x0A
6 0xC9 0x0A
5 0xCA 0x0A
4 0xCB 0x0A
3 0xCC 0x0A
2 0xCD 0x0A
1 0xCE 0x0A
0 0xCF 0x0A
SELECT 0x0B 0x0A
UP 0xA6 0x0A
DOWN 0xA7 0x0A
RIGHT 0xA8 0x0A
LEFT 0xA9 0x0A
STOP 0xE0 0x0A
REVERSE 0xE2 0x0A
FORWARD 0xE3 0x0A
TITLE 0xE5 0x0A
PAUSE 0xE6 0x0A
PLAY 0xEA 0x0A
POWER 0xD5 0x0A
BACK 0xD8 0x0A
SKIP- 0xDD 0x0A
SKIP+ 0xDF 0x0A
MENU 0xF7 0x0A
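
The two layouts described above (the 3-byte IR frame and the 6-byte USB payload) can be decoded and cross-checked as follows. This is an added example, not code from the wiki or from the tools it links. It assumes that `check_low` is the upper nibble of `check_low__data_high`, that the USB `data_high:data_low` pair carries the same 12-bit word as the IR frame, and that "close to 0x0040" means 0x3C to 0x44; the sample bytes in the comments are constructed.

```python
"""Added example: validate IR frames and decode dongle interrupt payloads."""
import struct

# data_low -> button, copied from the keycode table on this page.
KEYCODES = {
    0xC3: "INFO", 0xC6: "9", 0xC7: "8", 0xC8: "7", 0xC9: "6", 0xCA: "5",
    0xCB: "4", 0xCC: "3", 0xCD: "2", 0xCE: "1", 0xCF: "0", 0x0B: "SELECT",
    0xA6: "UP", 0xA7: "DOWN", 0xA8: "RIGHT", 0xA9: "LEFT", 0xE0: "STOP",
    0xE2: "REVERSE", 0xE3: "FORWARD", 0xE5: "TITLE", 0xE6: "PAUSE",
    0xEA: "PLAY", 0xD5: "POWER", 0xD8: "BACK", 0xDD: "SKIP-", 0xDF: "SKIP+",
    0xF7: "MENU",
}
OFFICIAL_DATA_HIGH = 0x0A          # 0b1010, the prefix of every data word
HOLD_RANGE = range(0x3C, 0x45)     # assumption: timer values meaning "held"


def decode_ir_frame(frame):
    """Return the 12-bit data word of a 3-byte IR frame or raise ValueError."""
    if len(frame) != 3:
        raise ValueError("IR frame must be 3 bytes")
    check_high, mixed, data_low = frame
    check = (check_high << 4) | (mixed >> 4)     # assumed: upper nibble
    data = ((mixed & 0x0F) << 8) | data_low      # assumed: lower nibble
    if check ^ data != 0xFFF:
        raise ValueError("check is not the bitwise complement of data")
    return data


def parse_usb_report(payload):
    """Parse one 6-byte interrupt payload (timer is low byte first)."""
    if len(payload) != 6:
        raise ValueError("USB payload must be 6 bytes")
    unk, length, data_low, data_high, timer = struct.unpack("<BBBBH", payload)
    if unk != 0x00 or length != 0x06:
        raise ValueError("unexpected unk/length bytes")
    data_high &= 0x0F                            # only the low 4 bits are used
    known = data_high == OFFICIAL_DATA_HIGH
    return {
        "data": (data_high << 8) | data_low,
        "button": KEYCODES.get(data_low) if known else None,
        "ms_since_last": timer,
        "held": timer in HOLD_RANGE,
    }


# Constructed samples: PLAY is data 0xAEA, so its check word is 0x515.
#   IR frame   51 5A EA          -> 0xAEA
#   USB report 00 06 EA 0A 40 00 -> PLAY, held
```

A report whose `data_high` is not 0x0A decodes with `button` set to `None`, which keeps codes from other remotes from being mapped onto the official table.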

Firmware download

See https://github.com/XboxDev/dump-dvd-kit (PC Python based) or https://github.com/Ryzee119/Dongle_Dumper (Xbox homebrew).

The firmware located on the DVD dongle is accessed over USB by a vendor-specific control request.

The setup packet for the control transfer should have the below format:

Field | Value | Notes
bmRequestType | 0xC1 | Device-to-host / Vendor / Interface.
bRequest | 1 or 2 | 1 = Request ROM info, 2 = Request ROM data.
wValue | What 1024 byte chunk | 0 = the first 1024 bytes, 1 = Second 1024 bytes etc.
wIndex | 1 (Normally) | Should point to the bInterfaceNumber that has a bInterfaceClass of 0x59. That happens to be 1 on most DVD Playback dongles.
wLength | Up to 1024 | Number of bytes to read from chunk set by wValue. Note the max value here is 1024. To read the next chunk, issue another setup packet with a new wValue.

bRequest = 1 can be used to obtain the header of the ROM. This is a 6 byte header in the form:

typedef struct 
{
    uint16_t version;  //The version of the embedded ROM
    uint32_t rom_size; //In bytes
} xremote_info_t;

The ROM size can then be used with bRequest = 2 to obtain the entire ROM contents. It should be noted that the ROM header obtained with bRequest = 2 is also present at the first 6 bytes of the full ROM image. So it is possible to obtain the ROM header info with bRequest = 2 requesting the first 6 bytes.
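
The request sequence above, written out as an added example (not the code of dump-dvd-kit or Dongle_Dumper): it reads the header, fetches the ROM in 1024-byte chunks, checks that the header repeats at offset 0, and compares the dump's SHA-1 with the "Known versions" table. Assumptions: the header is packed little-endian, wValue is 0 for the info request, and `make_fake_dongle` is a constructed stand-in for the device so the code runs offline.

```python
"""Added example: chunked ROM read over the vendor control request."""
import hashlib
import struct

BM_REQUEST_TYPE = 0xC1            # device-to-host / vendor / interface
REQ_ROM_INFO, REQ_ROM_DATA = 1, 2
CHUNK = 1024                      # maximum wLength per request

# ROM SHA1 -> part numbers, from the "Known versions" table on this page.
KNOWN_ROMS = {
    "70d4b5f8e073b05610fba9e9617d7356196b61ff": "X08-25402, X08-25402-002",
    "73814aa736d83d636380f5c6b1c291441b35354d": "X08-25387-002",
    "1e6d7f4f526b56527447aa09eda41fff05665a16": "X08-25597",
    "0447373bf9326dff95808cd028ed19facd54c759": "X08-96288-002",
}


def parse_info(header):
    """Decode xremote_info_t; packed little-endian layout is an assumption."""
    if len(header) < 6:
        raise ValueError("ROM header needs 6 bytes")
    version, rom_size = struct.unpack_from("<HI", bytes(header))
    return "%X.%X" % (version >> 8, version & 0xFF), rom_size


def dump_rom(ctrl_transfer, interface=1):
    """Read the ROM via ctrl_transfer(bmRequestType, bRequest, wValue,
    wIndex, wLength), the argument order of pyusb's ctrl_transfer."""
    info = parse_info(ctrl_transfer(BM_REQUEST_TYPE, REQ_ROM_INFO, 0, interface, 6))
    rom = bytearray()
    while len(rom) < info[1]:
        want = min(CHUNK, info[1] - len(rom))
        part = bytes(ctrl_transfer(BM_REQUEST_TYPE, REQ_ROM_DATA,
                                   len(rom) // CHUNK, interface, want))
        if len(part) != want:
            raise IOError("short read in chunk %d" % (len(rom) // CHUNK))
        rom += part
    if parse_info(rom) != info:   # the header repeats at ROM offset 0
        raise ValueError("ROM header does not match the info request")
    return info[0], bytes(rom)


def identify(rom):
    """Return the known part numbers for this dump, or None if unlisted."""
    return KNOWN_ROMS.get(hashlib.sha1(rom).hexdigest())


def make_fake_dongle(size=2500):
    """Constructed stand-in for the device: returns (transfer, image, log)."""
    image = (struct.pack("<HI", 0x0101, size) + bytes(range(256)) * 10)[:size]
    log = []

    def ctrl_transfer(bm_request_type, b_request, w_value, w_index, w_length):
        log.append((b_request, w_value, w_length))
        if b_request == REQ_ROM_INFO:
            return image[:w_length]
        start = w_value * CHUNK
        return image[start:start + min(w_length, CHUNK)]

    return ctrl_transfer, image, log
```

With real hardware, `dump_rom(dev.ctrl_transfer)` takes the place of the fake transfer function; a dump for which `identify` returns `None` is either a version not yet in the table or a bad read.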

Components

Different versions of the dongle seem to use different hardware internally.

X08-25387-002 (PCB: "X01469-100")

  • U1 ATMEL AT43USB352M-AC[FIXME]
  • U2 TSOP-1556
  • U3 X393121C[FIXME]

X08-25387 (PCB: "IR DONGLE REV B")

X08-25387 Rev B Sticker
Front PCB of X08-25387
  • U3 MX23C4000TC-10

[FIXME]73814aa736d83d636380f5c6b1c291441b35354d

Unknown version (PCB: "REV C.")

Frontside
Backside
This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I²C, SCI, & MFT". Since the program resides in its internal ROM, it is almost impossible to extract the program from inside.
This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver.
This wide TSOP IC on the frontside could be the most interesting of all. It is a 4 Mbit mask ROM.
This 20-pin standard logic IC is an octal D flip-flop, which splits the databus from the 92163 to 8 address bits. This technique is very well known from the 8051 and other microcontrollers.

References