The original Xbox hard disk drive was 8 GB in size. Later releases shipped with 10 GB drives; however, only the first 8 GB of the drive was used. See Hardware Revisions for more information.
- 1 Partitions
- 2 Locking Mechanism and Basics
- 3 Unlocking
- 4 How To: Backup an HDD
- 5 Further Reading
The Xbox hard disk contains multiple partitions. Unlike a PC, which typically contains either a Master Boot Record or GUID Partition Table to specify the partition information, the Xbox kernel uses a fixed partition layout. The file system used on the Xbox is FATX, a variant of FAT16/32 developed by Microsoft specifically for the Xbox. [FIXME]
| Drive Letter [FIXME] | Description | Offset (bytes) | Size (bytes) | Filesystem | Device Object (MS Retail Kernel) |
|---|---|---|---|---|---|
| N/A | Config Area | 0x00000000 | 0x00080000 | Fixed Structure | N/A |
- side note: CD/DVD Drive "D:" <=> "\Device\CdRom0"
- and usually: added Drive "F:" <=> "\Device\Harddisk0\Partition6"[FIXME]
- added Drive "G:" <=> "\Device\Harddisk0\Partition7"[FIXME]
| Drive Letter | Description | Offset (bytes) | Size (bytes) | Filesystem | Device Object (MS Retail Kernel) |
|---|---|---|---|---|---|
- Add info on how extended partitions are added.
Locking Mechanism and Basics
The hard drives in the Xbox are standard IDE drives locked with a key (referred to as the HDKey). The drive is unlocked by the kernel at boot. The Xbox uses a User Password with the Maximum security mode (see below). The password is generated in two distinct phases:
- Extract the HDKey from the EEPROM, which is unique to each Xbox; this phase depends only on the EEPROM.
- Generate a drive-specific password (keyed to the model and serial number of the drive) using the HDKey extracted from the EEPROM.
The security feature of the hard drive can be enabled and disabled by sending special ATA commands to the drive. If a device is locked, it will refuse all access until it is unlocked.
The ATA/ATAPI Command Set - 2 (ACS-2) specification defines an optional SECURITY feature subset (chapters 7.43 to 7.48) which allows access to the drive's data to be restricted behind a hardware-implemented locking mechanism:
- SECURITY DISABLE PASSWORD (Chapter 7.43)
- SECURITY ERASE PREPARE (Chapter 7.44)
- SECURITY ERASE UNIT (Chapter 7.45)
- SECURITY FREEZE LOCK (Chapter 7.46)
- SECURITY SET PASSWORD (Chapter 7.47)
- SECURITY UNLOCK (Chapter 7.48)
A device can have two passwords; either or both may be set, with a maximum of 32 bytes each. A device can be locked in two modes: High security mode or Maximum security mode. If the User password is not available, the only remaining way to get at least the bare hardware back to a usable state is to issue the SECURITY ERASE PREPARE command, immediately followed by SECURITY ERASE UNIT. In Maximum security mode, the SECURITY ERASE UNIT command requires the Master password and will completely erase all data on the disk.
If a User Password is set (SECURITY SET PASSWORD), the drive locks itself again on every reboot, so the password has to be re-entered (SECURITY UNLOCK). Setting the User Password will also set the Master Password Capability.
If the Master Password Capability is set, the drive can be locked in one of two modes. Bit 8 in word 128 of the IDENTIFY response shows which mode the drive is in:
- 0 = High: the Master Password can be used to unlock the drive (SECURITY UNLOCK) just like the User Password, or to deactivate the User Password (SECURITY DISABLE PASSWORD).
- 1 = Maximum: the Master Password can only be used to wipe the drive (SECURITY ERASE UNIT). This makes the drive usable again, but all data on it is lost.
During the second phase, the serial and model numbers are needed. These values are available in the response data from the IDENTIFY DEVICE ATA command. However, the data needs to be reorganized: it is read as big-endian 16-bit words, so the two bytes of each word must be swapped first to get the byte ordering correct. Then, starting from the end of the field (serial == 20 bytes, model == 40 bytes), ignore ASCII spaces (byte value 0x20) at the end of the data. Zeros are *not* trimmed, *only* spaces. Do not be fooled into believing that this data is a string. On some drives this is the case, but on others there are non-ASCII values in the fields.
Basic Security Algorithms
There are three primary cryptography routines/functions needed when generating an XBox drive password:
- SHA1: Hashing algorithm. Its primary purpose is to take an input message and create a (relatively) small signature (called a digest) which is unique to the original message. One of the goals of SHA1 is to make it difficult to alter the input message in such a way as to result in the same output digest.
- RC4: Symmetric cipher. This means that the algorithm for encryption is the same as that for decryption. The purpose is to make one key work in both directions.
- HMAC: Uses a hashing algorithm (in this case SHA1) to generate a cryptographically "strong" signature.
- Key data is shown entering functions from the side.
- Data is shown entering from above or below, in order of presentation from left to right.
Data-flow diagram (ASCII art in the original, flattened by extraction; the recoverable structure is):
- RC4_key = HMAC_SHA1(key: eeprom_key, data: data_hash)
- eeprom_data = data_hash | enc_conf | enc_data
- rc4_decrypt with RC4_key turns enc_conf | enc_data into confounder | data
- HMAC_SHA1(key: eeprom_key, data: confounder | data) must be equal to data_hash
- HDKey = first 16 bytes of data
- HD_password = HMAC_SHA1(key: HDKey, data: model_number | serial_number)
This seems to be the easiest way to show the required calculations.
Basically there are several intermediate steps. First, generate the RC4_key from the eeprom_key and the data_hash (the first 20 bytes of eeprom_data). Use the RC4_key to decrypt the encrypted confounder (8 bytes, at offset 20 of eeprom_data) and the encrypted data (20 bytes, at offset 28 of eeprom_data). Now generate an HMAC_SHA1 hash from the eeprom_key and the decrypted confounder and data. Verify that this hash matches the data_hash stored in the EEPROM. If they don't match, the EEPROM data is not correct. If the hashes match, the first 16 bytes of the decrypted data field are the HDKey.
Once you have the HDKey get the model and serial number from the drive. Generate an HMAC_SHA1 hash from the HDKey, model and serial numbers. The resulting 20 bytes are the HD password. The remaining 12 bytes needed for the password are zeros.
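The two phases just described (HDKey recovery from the EEPROM section and the drive-specific password), together with the IDENTIFY field normalisation from the section above, as an added example that is not part of the original page: standard RC4 and HMAC-SHA1 stand in for the Xbox routines, the 28 encrypted bytes are treated as one RC4 stream, and build_eeprom_section plus the SAMPLE_* values are hypothetical, constructed here only so the code can be run offline.

```python
import hmac
import hashlib

def rc4(key: bytes, data: bytes) -> bytes:
    """RC4 keystream XOR; the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def hmac_sha1(key: bytes, msg: bytes) -> bytes:
    return hmac.new(key, msg, hashlib.sha1).digest()

def derive_hdkey(eeprom_key: bytes, eeprom_data: bytes) -> bytes:
    """eeprom_data layout: data_hash[0:20] | enc_confounder[20:28] | enc_data[28:48]."""
    data_hash = eeprom_data[0:20]
    rc4_key = hmac_sha1(eeprom_key, data_hash)     # RC4_key = HMAC_SHA1(eeprom_key, data_hash)
    plain = rc4(rc4_key, eeprom_data[20:48])       # decrypted confounder (8) || data (20)
    if not hmac.compare_digest(hmac_sha1(eeprom_key, plain), data_hash):
        raise ValueError("EEPROM hash mismatch: wrong eeprom_key or corrupt data")
    return plain[8:24]                             # HDKey = first 16 bytes of the data field

def identify_field(raw: bytes) -> bytes:
    """Swap the two bytes of each 16-bit IDENTIFY word, then strip trailing 0x20 only."""
    swapped = bytes(b for k in range(0, len(raw), 2) for b in (raw[k + 1], raw[k]))
    return swapped.rstrip(b" ")                    # zeros and non-ASCII bytes are kept

def hd_password(hdkey: bytes, model: bytes, serial: bytes) -> bytes:
    """32-byte ATA user password: HMAC_SHA1(HDKey, model || serial) plus 12 zero bytes."""
    return hmac_sha1(hdkey, model + serial) + b"\x00" * 12

def build_eeprom_section(eeprom_key, hdkey, region, confounder):
    """Inverse of derive_hdkey; used here only to construct a sample section."""
    plain = confounder + hdkey + region
    data_hash = hmac_sha1(eeprom_key, plain)
    return data_hash + rc4(hmac_sha1(eeprom_key, data_hash), plain)

# Constructed sample values (hypothetical, not from any real console or drive)
SAMPLE_EEPROM_KEY = bytes(range(16))
SAMPLE_HDKEY = b"\xa5" * 16
SAMPLE_SECTION = build_eeprom_section(SAMPLE_EEPROM_KEY, SAMPLE_HDKEY, b"\0\0\0\1", b"\x11" * 8)
```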
Before connecting an Xbox HDD to a PC for a backup or modification, the drive must first be unlocked. This can be done with alternative dashboards (such as EvoX). But beware: once you unlock the disk, you cannot use it with an official BIOS until you re-lock it! For this reason it is suggested to use a patched BIOS which does not require the disk to be locked. If you are unable to run unsigned code (needed to unlock the HDD before powering off), it is possible to hot-swap the drive after the Xbox has started. This is not a suggested method, but it has been known to work. The idea is that you start the Xbox and wait for the dashboard, at which point the drive will be unlocked. Then, while the Xbox is running, you disconnect the IDE cable (but not the power!) and connect the drive to your PC. The drive can then be mounted for read/write (using XboxHDM), or imaged directly.
Unlock via Serial for Seagate drives
Universal Unlock Method(s)
- Provide more info on locking/unlocking procedure.
- Provide details about the key and how it can be derived from the EEPROM data.
How To: Backup an HDD
There are two general methods to back up your HDD: copying the files, or creating a byte-for-byte image of the drive.
Method 1: File Copy
This is an acceptable backup method, but it is not as accurate as an exact copy. This method requires less work to create the backup, but more work to re-create a usable disk image. The dashboard files (found in C:) are the most essential part of a backup, and a complete disk image can be re-created (with some effort) from a copy of the dashboard files using a tool such as XboxHDM.
- Over the network: run an XBE on your Xbox that provides an FTP server. This is a standard feature of alternative dashboards (such as EvoX). Then connect to your Xbox from another system and copy all files in C: and E:.
- Directly: unlock the HDD, connect it to your PC, mount the drive (see FATX), and copy the files.
Method 2: Exact Copy
This is the most accurate method to back up your hard disk. This method requires more work to create the backup but, unlike the first method, needs no extra effort to produce a usable disk image. There are multiple ways to implement this method; one is provided here.
Unlock the HDD and connect it to your PC using a USB-IDE adapter (available for ~$20 USD). On GNU/Linux and other *NIX variants, dd can be used to perform the block copy. For example:

    sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512

Append status=progress to see the progress during copying if you run a recent distro, like so:

    sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512 status=progress

If you're dumping an original Xbox HDD (capacity 8G or 10G), this will finish pretty quickly. The files can be extracted by mounting the filesystems in the image (see FATX).