Difference between revisions of "EEPROM"

From xboxdevwiki
m (Contents: standard and daylight timezone name descriptions reworded (shortened))
(Contents: ConfigMagic-Final-1.6 EEPROM Checksum anomalies (wrong value for size parameter to QuickCRC function call).)
Line 37: Line 37:
 
| 0x30
 
| 0x30
 
| 0x33
 
| 0x33
| Checksum2 - Checksum of next 44 bytes
+
| Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)<sup>*</sup>
 
|-
 
|-
 
| 0x34
 
| 0x34
Line 57: Line 57:
 
| 0x58
 
| 0x58
 
| 0x5B
 
| 0x5B
| **Video Standard 0x00400100 = NTSC-M, 0x00400200 = NTSC-J,  0x00800300 = PAL
+
| Video Standard 0x00400100 = NTSC-M, 0x00400200 = NTSC-J,  0x00800300 = PAL
 
|-
 
|-
 
| 0x5C
 
| 0x5C
Line 65: Line 65:
 
| 0x60
 
| 0x60
 
| 0x63
 
| 0x63
| Checksum3 - Checksum of the next 92 bytes (0x64-0xBF)
+
| Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)<sup>*</sup>
 
|-
 
|-
 
| 0x64
 
| 0x64
 
| 0x67
 
| 0x67
| Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x0000168)
+
| Zone Bias - Offset in # minutes to subtract from GMT time  
 +
(e.g., for GMT-06 Central; 6hr = 360min = 0x0000168)
 
|-
 
|-
 
| 0x68
 
| 0x68
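Review bot: The Zone Bias example on the added "(e.g., ..." line writes 360 minutes as 0x0000168, which is seven hex digits for a field that spans 0x64 to 0x67; 0x00000168 would match the 4-byte width. Moving the example onto its own line also starts a new paragraph inside the table cell, so keep it on the "| Zone Bias" line if a single-line cell is intended.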
Line 158: Line 159:
  
 
Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h].
 
Note: Info in above table comes from XKUtils [https://svn.exotica.org.uk:8443/xbmc4xbox/tags/3.5.3/xbmc/xbox/XKEEPROM.h XKEEPROM.h].
 +
 +
<sup>*</sup>Configmagic-FINAL-1.6 used the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 was correct since the extra 4 bytes not used  in the CRC computation were all 0's which would not change the computed CRC value.  However, Simliar problem with computation of Checksum3,  the extra 4 bytes used are all 0's on all but v1.6 Xbox's. The CRC computed for v1.6 Xbox's is incorrect as the 4 extra bytes are not 0's as on earlier versions.
  
 
== Reading/Writing the EEPROM ==
 
== Reading/Writing the EEPROM ==
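Review bot: The added footnote has a typo and a sentence fragment in "However, Simliar problem with computation of Checksum3,"; suggest "Checksum3 has a similar problem:" and merging it with the sentence that follows. The tool name is written "Configmagic-FINAL-1.6" here but "ConfigMagic-Final-1.6" in the edit summary, and the footnote does not say which 4 bytes are dropped or added, so stating their offsets would make the claim checkable against the table.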

Revision as of 12:46, 28 August 2017

The Xbox EEPROM is a 256-byte non-volatile storage device which contains device-specific information. It is connected via I²C and located at address 0x54. Parts of the EEPROM are encrypted using Kernel/XboxEEPROMKey.

Chip Models

Xbox Model Manufacturer Model
1.4 (Others?) Catalyst CAT24WC02J

Contents

Start End Notes
0x00 0x13 HMAC_SHA1 Hash
0x14 0x1B RC4 Encrypted Confounder ??
0x1C 0x2B RC4 Encrypted HDD key
0x2C 0x2F RC4 Encrypted Region code (0x01 North America, 0x02 Japan, 0x04 Europe)
0x30 0x33 Checksum2 - Checksum of next 44 (0x2C) bytes (0x34 - 0x5F)*
0x34 0x3F Xbox serial number - (ASCII chars 0x30 - 0x39 to match each digit in SN)
0x40 0x45 Ethernet MAC address
0x46 0x47 Unknown Padding ?
0x48 0x57 Online Key ?
0x58 0x5B Video Standard 0x00400100 = NTSC-M, 0x00400200 = NTSC-J, 0x00800300 = PAL
0x5C 0x5F Unknown Padding ?
0x60 0x63 Checksum3 - Checksum of the next 92 (0x5C) bytes (0x64 - 0xBF)*
0x64 0x67 Zone Bias - Offset in # minutes to subtract from GMT time (e.g., for GMT-06 Central; 6hr = 360min = 0x0000168)
0x68 0x6B Standard Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CST\0, ACST)
0x6C 0x6F Daylight Timezone Name: 4 characters, NULL fill remainder if shorter (e.g., CDT\0, ACDT)
0x70 0x77 Unknown Padding ?
0x78 0x7B Standard Time Starts 10-05-00-02 (Month-Day-DayOfWeek-Hour)
0x7C 0x7F Daylight Savings Time Starts 04-01-00-02 (Month-Day-DayOfWeek-Hour)
0x80 0x87 Unknown Padding ?
0x88 0x8B Standard Timezone Bias; if not DST, 0 (0x00000000) minute time adjust
0x8C 0x8F Daylight Savings Time Bias; if DST, -60 (0xFFFFFFC4) minute time adjust
0x90 0x93 Language ID
0x94 0x97 Video Settings; Offset 0x96, 0x??=Normal, 0xB0=Widescreen and 0xB4=Letterbox
0x98 0x9B Audio Settings
0x9C 0x9F Parental Control Games (0=MAX rating)
0xA0 0xA3 Parental Control Passcode; 4 button sequence (0x07=X, 0x08=Y, 0x0B=LTrigger, 0x0C=RTrigger) (0 = disabled)
0xA4 0xA7 Parental Control Movies (0=Max rating)
0xA8 0xAB XBOX Live IP Address..
0xAC 0xAF XBOX Live DNS Server..
0xB0 0xB3 XBOX Live Gateway Address..
0xB4 0xB7 XBOX Live Subnet Mask..
0xB8 0xBB Other XBLive settings ?
0xBC 0xBF DVD Playback Kit Zone
0xC0 0xFF Unknown Codes / History ? do not change any values in this region

Note: Info in above table comes from XKUtils XKEEPROM.h.

*Configmagic-FINAL-1.6 used the wrong size when computing Checksum2 (40 instead of 44 bytes) and Checksum3 (96 instead of 92 bytes). Checksum2 was still correct because the 4 bytes left out of the CRC computation were all 0's, which does not change the computed CRC value. Checksum3 has a similar problem: the 4 extra bytes included are all 0's on all but v1.6 Xboxes, so the CRC computed for v1.6 Xboxes is incorrect because those 4 extra bytes are not 0's as they are on earlier versions.

Reading/Writing the EEPROM

Software Method

This is the easiest way to dump an Xbox EEPROM. Use your alternative dashboard to dump the EEPROM to a file and download it over FTP.

Hardware Method

If you cannot dump the EEPROM using software, you can dump it using hardware. You have several options: use an I2C host adapter (see here or here), build an I2C-Serial cable, or use a device like a Raspberry Pi, which has an I2C interface. Connect SDA/SCL/ground to the LPC pinout on the board. See here for pinout information. Then use the corresponding software to read/write the EEPROM.


The HMAC HDD Key

The HMAC HDD Key is generated out of the first 48 bytes. This section has been identified clearly.


The Region Code

This DWORD is encrypted. It corresponds to the region code in the XBE header:


1 North America
2 Japan
4 Europe/Australia
0x80000000 Manufacturing plant

The Serial Number

     1166356 20903
     ||    | |||||__
     ||    | ||||___ factory number (02=Mexico, 03=Hungary, 05=China, 06=Taiwan)
     ||    | |||____
     ||    | ||_____ week of year (starting Mondays)
     ||    | |______ last digit of year (200Y)
     ||    |________
     ||_____________ number of Xbox within week and factory
     |______________ production line within factory

The MAC address

This is the MAC address of the Ethernet hardware, which has been issued by the IEEE.


DVD Region

This DWORD corresponds to the region code for playback of DVD movies:


0x00 None
0x01 Region 1
... ...
0x06 Region 6

Checksum Algorithm

Checksum2 and Checksum3 values can be calculated by running the following code snippet over the area the checksum covers:

 #include <stdlib.h>
 #include <string.h>
 
 /* The EepromCRC algorithm was obtained from the XKUtils 0.2 source released by
  * TeamAssembly under the GNU GPL.
  * Specifically, from XKCRC.cpp
  *
  * Rewritten to ANSI C by David Pye (dmp@davidmpye.dyndns.org)
  *
  * Thanks! */
 void EepromCRC(unsigned char *crc, unsigned char *data, long dataLen) {
         unsigned char *CRC_Data;
         long l;
         int pos;
 
         memset(crc, 0x00, 4);
         if (dataLen <= 0)
                 return;         /* nothing to sum; crc stays zeroed */
 
         /* Zero-filled, with 4 bytes of padding so the 16-bit read at dataLen-1 stays in bounds */
         CRC_Data = (unsigned char *)calloc((size_t)dataLen + 4, 1);
         if (CRC_Data == NULL)
                 return;         /* allocation failed; crc stays zeroed */
 
         /* Circle shift input data one byte right */
         memcpy(CRC_Data + 0x01, data, dataLen - 1);
         memcpy(CRC_Data, data + dataLen - 1, 0x01);
 
         for (pos = 0; pos < 4; ++pos) {
                 unsigned short CRCPosVal = 0xFFFF;
                 for (l = pos; l < dataLen; l += 4) {
                         /* 16-bit little-endian read; same value the original pointer cast gave on x86 */
                         CRCPosVal -= (unsigned short)(CRC_Data[l] | (CRC_Data[l + 1] << 8));
                 }
                 CRCPosVal &= 0xFF00;
                 crc[pos] = (unsigned char)(CRCPosVal >> 8);
         }
         free(CRC_Data);
 }
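
The ConfigMagic size anomaly described in the footnote to the Contents table can be reproduced with the same arithmetic. This is an added example, not code from XKUtils or from this wiki; the image contents, the little-endian field layout, the 0x01 placed at 0xC0 and all function names are assumptions made for the demonstration.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Byte i of the input rotated right by one byte, zero past the end: the same
 * layout EepromCRC builds in its temporary CRC_Data buffer. */
static uint8_t rot(const uint8_t *d, size_t len, size_t i) {
    if (i == 0) return d[len - 1];
    return i < len ? d[i - 1] : 0;
}

/* Same arithmetic as EepromCRC; crc[0] is returned in the low byte. */
uint32_t eeprom_checksum(const uint8_t *d, size_t len) {
    uint32_t out = 0;
    for (size_t pos = 0; pos < 4; pos++) {
        uint16_t v = 0xFFFF;
        for (size_t l = pos; l < len; l += 4)
            v = (uint16_t)(v - (rot(d, len, l) | (rot(d, len, l + 1) << 8)));
        out |= (uint32_t)(v >> 8) << (8 * pos);
    }
    return out;
}

/* Constructed 256-byte image, not a real dump. Field byte order (little-endian)
 * and the 0x01 at 0xC0 for the v1.6-like case are assumptions. */
static void make_image(uint8_t img[256], int v16_like) {
    memset(img, 0, 256);
    memcpy(img + 0x34, "116635620903", 12);  /* serial example from the page */
    img[0x59] = 0x01; img[0x5A] = 0x40;      /* video standard 0x00400100 */
    img[0x64] = 0x68; img[0x65] = 0x01;      /* zone bias 360 = 0x168 */
    memcpy(img + 0x68, "CST", 3);
    memcpy(img + 0x6C, "CDT", 3);
    if (v16_like) img[0xC0] = 0x01;          /* nonzero byte just past 0xBF */
}

/* 1 if summing `wrong` bytes instead of `right` bytes changes the checksum. */
int wrong_size_changes_checksum(int v16_like, size_t off, size_t right, size_t wrong) {
    uint8_t img[256];
    make_image(img, v16_like);
    return eeprom_checksum(img + off, right) != eeprom_checksum(img + off, wrong);
}

int main(void) {
    for (int v16 = 0; v16 <= 1; v16++)
        printf("v1.6-like=%d  Checksum2 40 vs 44 differs: %d  Checksum3 96 vs 92 differs: %d\n",
               v16, wrong_size_changes_checksum(v16, 0x34, 44, 40),
               wrong_size_changes_checksum(v16, 0x64, 92, 96));
    return 0;
}
```

In this routine the last byte of the summed range only enters as the low (carry) half of a 16-bit term, so the 40-byte and 44-byte results agree only while 0x5B is zero as well as 0x5C-0x5F. That holds for the three Video Standard values in the table if the field is stored little-endian.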


Further Reading