Xbox DVD Movie Playback Kit
Introduction
The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox[FIXME].
Remote Control
Infrared interface
[FIXME]
[FIXME]
```c
struct {
    uint8_t check_high;           // 8 bit check
    uint8_t check_low__data_high; // 4 bit check, 4 bit data
    uint8_t data_low;             // 8 bit data
};
```
The first part of the transfer consists of the negated data signal (`check`).
The data integrity can be confirmed by XOR-ing both parts:
```
check = (check_high << 4) | check_low
data = (data_high << 8) | data_low
check ^ data = 0xFFF
```
The `check`, which marks the start of the transfer[FIXME], always starts with 0b0101, therefore the `data` always starts with 0b1010.
Dongle
The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone.
Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down.
Additionally the dongle contains an IR receiver to receive commands from the Remote control.
Known versions
Part No. | Manufactured in | Version | DVD Region | ROM Size | ROM SHA1 | Notes |
---|---|---|---|---|---|---|
X08-25402 | Indonesia | 1.1 | 2 | 229790 Bytes | 70d4b5f8e073b05610fba9e9617d7356196b61ff | |
X08-25402-002 | Indonesia | 1.1 | 2 | 229790 Bytes | 70d4b5f8e073b05610fba9e9617d7356196b61ff | |
X08-25387 | Indonesia | | | | | |
X08-25387-002 | Indonesia | 1.1 | 1 | 229790 Bytes | 73814aa736d83d636380f5c6b1c291441b35354d | Sticker: "2341P" on PCB |
USB Protocol
Infrared signals
When infrared signals are received from the Remote Control, they can be read using an interrupt transfer [FIXME]. Each USB payload is 6 bytes long:
```c
struct {
    uint8_t unk;        // always 0x00 (These could be length high bits?)
    uint8_t length_low; // always 0x06
    uint8_t data_low;
    uint8_t data_high;  // only the lower 4 bits are used

    // This appears to be some timer which counts down from ~0x9XY.
    // When it reaches 0x0040, it gets reset to 0x0041.
    // So for very short presses you get high values, and for continuously holding
    // you get a repeating pattern: 0x0040, 0x0041, 0x0040, 0x0041, 0x0040, ...
    uint8_t timer_low;
    uint8_t timer_high;
};
```
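The integrity check from the Infrared interface section and the USB payload layout above, combined in an added C example (not code from this wiki or from any XboxDev project). The function names and sample bytes are constructed; it assumes the 4 check bits sit in the high nibble of the middle IR byte, and it reads the 0x0040/0x0041 timer pattern as "button held".

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample inputs, not captured from hardware. */
static const uint8_t SAMPLE_IR[3]     = { 0x52, 0xAA, 0xD5 };
static const uint8_t SAMPLE_IR_BAD[3] = { 0x52, 0xAA, 0xD4 }; /* one bit flipped */
static const uint8_t SAMPLE_USB[6]    = { 0x00, 0x06, 0xD5, 0x0A, 0x41, 0x00 };

/* 3-byte IR frame -> 12-bit data, or -1 if invalid.
 * Assumption: check_low is the high nibble of the middle byte. */
int ir_frame_data(const uint8_t f[3])
{
    unsigned check = ((unsigned)f[0] << 4) | (f[1] >> 4);
    unsigned data  = ((unsigned)(f[1] & 0x0F) << 8) | f[2];
    /* check is the negated data and always starts with 0b0101 */
    if ((check ^ data) != 0xFFF || (check >> 8) != 0x5)
        return -1;
    return (int)data;
}

/* 6-byte USB payload -> 12-bit data, or -1 if the header is unexpected. */
int usb_report_data(const uint8_t *p, size_t len)
{
    if (len != 6 || p[0] != 0x00 || p[1] != 0x06)
        return -1;
    return p[2] | ((p[3] & 0x0F) << 8);
}

/* Timer field (low byte first) of a payload usb_report_data accepted. */
unsigned usb_report_timer(const uint8_t *p)
{
    return p[4] | ((unsigned)p[5] << 8);
}

/* Assumption: a timer of 0x0040 or 0x0041 means the button is held. */
int usb_report_is_held(const uint8_t *p)
{
    unsigned t = usb_report_timer(p);
    return t == 0x0040 || t == 0x0041;
}

int main(void)
{
    printf("IR ok: 0x%03X, IR bad: %d\n",
           (unsigned)ir_frame_data(SAMPLE_IR), ir_frame_data(SAMPLE_IR_BAD));
    printf("USB data: 0x%03X, held: %d\n",
           (unsigned)usb_report_data(SAMPLE_USB, 6), usb_report_is_held(SAMPLE_USB));
    return 0;
}
```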
Firmware download
See https://github.com/XboxDev/dump-dvd-kit [FIXME]
Components
Different versions of the dongle seem to use different hardware internally.
X08-25387-002 (PCB: "X01469-100")
- U1 ATMEL AT43USB352M-AC[FIXME]
- U2 TSOP-1556
- U3 X393121C[FIXME]
X08-25387 (PCB: "IR DONGLE REV B")
- U3 MX23C4000TC-10
[FIXME]73814aa736d83d636380f5c6b1c291441b35354d
Unknown version (PCB: "REV C.")
- U1 92163 STMicroelectronics <Datasheet>
- This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I²C, SCI, & MFT". Since the program resides in the chip's internal ROM, it is almost impossible to extract it.
- U2 TSOP-1556 Vishay Telefunken <Datasheet>
- This black box in the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, few other remotes are likely to work with the Xbox receiver.
- This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM.
- U4 HC574 Texas Instruments <Datasheet>
- This 20-pin standard logic IC is an octal D flip-flop, which splits the data bus from the 92163 into 8 address bits. This technique is very well known from the 8051 and other microcontrollers.
Hacking
As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security.