Difference between revisions of "Xbox DVD Movie Playback Kit"

From xboxdevwiki
Jump to: navigation, search
(Add source for dongle having to do with licensing)
(37 intermediate revisions by 6 users not shown)
Line 1: Line 1:
{{retrieved|http://www.xbox-linux.org/wiki/DVD-IR_Internals}}
+
[[File:Xbox-Remote-and-Receiver.jpg|thumb|200px|Remote and Receiver]]
 +
==Introduction==
 +
 
 +
The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox{{FIXME|reason=One of these parts, or both, seem to have a model number PG8012?}}.
 +
 
 +
== Remote Control ==
 +
 
 +
=== Infrared interface ===
 +
 
 +
{{FIXME|reason=Missing info about light frequency, timing, possible preamble and more}}
 +
 
 +
{{FIXME|reason=The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/Xbox and all logic was extrapolated; it's entirely unconfirmed}}
 +
 
 +
<pre>
 +
struct {
 +
  uint8_t check_high; // 8 bit check
 +
  uint8_t check_low__data_high; // 4 bit check, 4 bit data
 +
  uint8_t data_low; // 8 bit data
 +
};
 +
</pre>
 +
 
 +
The first part of the transfer consists of the negated data signal (<code>check</code>).
 +
 
 +
The data integrity can be confirmed by XOR-ing both parts:
 +
 
 +
<pre>
 +
check = (check_high << 4) | check_low
 +
data = (data_high << 8) | data_low
 +
check ^ data = 0xFFF
 +
</pre>
  
 +
The <code>check</code>, which marks the start of the transfer{{FIXME|reason=There might be a preamble}}, always starts with 0b0101, therefore the <code>data</code> always starts with 0b1010.
  
 +
== Dongle ==
  
by ''Rob Reilink'', 3 Mar 2003
+
The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone.
  
 +
Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program?
 +
One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they didn't have to pay the [[wikipedia:DVD Forum|DVD Forum]] (and apparently also Dolby) for every Xbox sold, but just for every DVD Remote kit sold[https://www.youtube.com/watch?v=gquAV8f7OAY&t=2059]. This allowed them to keep the cost of the Xbox down.
  
 +
Additionally the dongle contains an IR receiver to receive commands from the Remote control.
  
==Introduction==
+
=== Known versions ===
  
The DVD-IR remote receiver is a part of the DVD kit which allows you to view DVDs on your Xbox. It comes together with a remote controller. Although it may seem just a simple microcontroller device with a receiver module, there is something more inside which could make it even more interesting.
+
{| class="wikitable" <!-- Version is: "%X.%X" % (version >> 8, version & 0xFF) -->
 +
! Part No.      !! Manufactured in !! Version !! DVD Region !! ROM Size    !! ROM SHA1                                              !! Notes
 +
|-
 +
| X08-25402    || Indonesia      || 1.1    || 2          || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> ||
 +
|-
 +
| X08-25402-002    || Indonesia      ||  1.1  ||2          || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> ||
 +
|-
 +
| X08-25387    || Indonesia      ||      ||          ||  ||  ||
 +
|-
 +
| X08-25387-002 || Indonesia      || 1.1    || 1          || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB
 +
|}
  
 +
=== USB Protocol ===
  
==Pictures==
+
====  Infrared signals ====
  
Ok, let's start with the pictures from the internals:
+
<!-- The following information has been derived from http://lirc.sourceforge.net/remotes/microsoft/lircd.conf.xbox + own research -->
  
'''Missing image'''<br />''Dvdirfront.jpg'' <br />Image:Dvdirfront.jpg<br /><br />
+
When infrared signals are received from the Remote Control, they can be read using an interrupt transfer {{FIXME|reason=What interface etc?}}. Each USB payload is 6 bytes long:
'''Missing image'''<br />''Dvdirback.jpg'' <br />Image:Dvdirback.jpg<br /><br />
 
  
 +
<pre>
 +
struct {
 +
  uint8_t unk; // always 0x00 (These could be length high bits?)
 +
  uint8_t length_low; // always 0x06
 +
  uint8_t data_low;
 +
  uint8_t data_high; // only lower 4 bit are used
 +
  // Milliseconds since last press (will clamp to 0xFFFF when no button was pressed in a long time).
 +
  // A value close to 0x0040 is returned for continously holding a button.
 +
  // When holding, the value often goes back and forth between 0x0040 / 0x0041.
 +
  // It is unknown if the receiver / remote intentionally does this.
 +
  uint8_t timer_low;
 +
  uint8_t timer_high;
 +
};
 +
</pre>
  
==IC's==
+
====  Firmware download ====
  
So, what is inside and what does it do?
+
See https://github.com/XboxDev/dump-dvd-kit {{FIXME|reason=Document the protocol here}}
  
 +
=== Components ===
  
* U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt;
+
Different versions of the dongle seem to use different hardware internally.
: This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside.
 
  
 +
==== X08-25387-002 (PCB: "X01469-100") ====
  
 +
* U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}}
 +
* U2 TSOP-1556
 +
* U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}}
  
* U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt;
+
==== X08-25387 (PCB: "IR DONGLE REV B") ====
: This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver.
+
[[File:X08-25387-Sticker.jpeg|thumb|200px|X08-25387 Rev B Sticker]]
 +
[[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of X08-25387]]
  
 +
* U3 MX23C4000TC-10
  
 +
{{FIXME|reason=Didn't get rear components photographed yet}}73814aa736d83d636380f5c6b1c291441b35354d
  
* U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt;
+
==== Unknown version (PCB: "REV C.") ====
: This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM. It is assumed that it contains the DVD player application. WHY? Why would they not just put this little 512kb max. application on the harddisk? Why another ROM which contains the program?
 
  
 +
[[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]]
 +
[[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]]
  
: One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down.
+
* U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] &lt;[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]&gt;
 +
: This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, &amp; MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside.
  
 +
* U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] &lt;[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]&gt;
 +
: This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver.
  
 +
* U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] &lt;[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]&gt;
 +
: This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM.
  
 
* U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt;
 
* U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] &lt;[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]&gt;
 
: This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers.
 
: This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers.
  
 +
== References ==
  
 
+
* [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals]
==Hacking!==
+
* [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals]
 
 
As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. It should be noted though, that the ROM is probably scrambled. Also, the microcontroller could encrypt the data even more. As the mask ROM is not a proprietary device, it is known not to contain any encryption hardware. On the other hand is it quite reasonable to assume Microsoft also signed this piece of code, and the dashboard might refuse to run it if it is not signed.
 

Revision as of 08:01, 19 December 2019

Remote and Receiver

Introduction

The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox[FIXME].

Remote Control

Infrared interface

[FIXME]

[FIXME]

struct {
  uint8_t check_high; // 8 bit check
  uint8_t check_low__data_high; // 4 bit check, 4 bit data
  uint8_t data_low; // 8 bit data
};

The first part of the transfer consists of the negated data signal (check).

The data integrity can be confirmed by XOR-ing both parts:

check = (check_high << 4) | check_low
data = (data_high << 8) | data_low
check ^ data = 0xFFF

The check, which marks the start of the transfer[FIXME], always starts with 0b0101, therefore the data always starts with 0b1010.

Dongle

The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone.

Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program? One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they didn't have to pay the DVD Forum (and apparently also Dolby) for every Xbox sold, but just for every DVD Remote kit sold[1]. This allowed them to keep the cost of the Xbox down.

Additionally the dongle contains an IR receiver to receive commands from the Remote control.

Known versions

Part No. Manufactured in Version DVD Region ROM Size ROM SHA1 Notes
X08-25402 Indonesia 1.1 2 229790 Bytes 70d4b5f8e073b05610fba9e9617d7356196b61ff
X08-25402-002 Indonesia 1.1 2 229790 Bytes 70d4b5f8e073b05610fba9e9617d7356196b61ff
X08-25387 Indonesia
X08-25387-002 Indonesia 1.1 1 229790 Bytes 73814aa736d83d636380f5c6b1c291441b35354d Sticker: "2341P" on PCB

USB Protocol

Infrared signals

When infrared signals are received from the Remote Control, they can be read using an interrupt transfer [FIXME]. Each USB payload is 6 bytes long:

struct {
  uint8_t unk; // always 0x00 (These could be length high bits?)
  uint8_t length_low; // always 0x06
  uint8_t data_low;
  uint8_t data_high; // only lower 4 bit are used
  // Milliseconds since last press (will clamp to 0xFFFF when no button was pressed in a long time).
  // A value close to 0x0040 is returned for continously holding a button.
  // When holding, the value often goes back and forth between 0x0040 / 0x0041.
  // It is unknown if the receiver / remote intentionally does this.
  uint8_t timer_low;
  uint8_t timer_high;
};

Firmware download

See https://github.com/XboxDev/dump-dvd-kit [FIXME]

Components

Different versions of the dongle seem to use different hardware internally.

X08-25387-002 (PCB: "X01469-100")

  • U1 ATMEL AT43USB352M-AC[FIXME]
  • U2 TSOP-1556
  • U3 X393121C[FIXME]

X08-25387 (PCB: "IR DONGLE REV B")

X08-25387 Rev B Sticker
Front PCB of X08-25387
  • U3 MX23C4000TC-10

[FIXME]73814aa736d83d636380f5c6b1c291441b35354d

Unknown version (PCB: "REV C.")

Frontside
Backside
This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, & MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside.
This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver.
This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM.
This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers.

References