views:

237

answers:

2

Recently discovered that the Xbox 360 drive can be flashed to do 'questionable' things. What I was interested in is the people who discover these things. How do they go about it?

+3  A: 

The broad process might be something like this:

  1. Figure out how to break into the box. Note that an iPod doesn't have any visible fasteners, so you might need to be prepared to destroy one or two just learning how to open it.

  2. Identify significant chips. Mass market products often use customized versions of common parts, so this might not be trivial to do. It isn't unusual to see the markings sanded off to make this step a little more difficult. You will also encounter multiple dies in a single package (FLASH and RAM are commonly done like this in cell phones, for example), or even a chip directly bonded to the PC board under a blot of epoxy. The serious reverse engineering houses will use lapidary processes to grind the packages down slowly until they can photograph the silicon and look for markings on the die itself. Don't forget that pin count may not correlate well to the importance of a part. There are several models of MCU that can be had (with on-chip RAM and FLASH) in 6-pin and 8-pin packages, for example.

  3. Collect data sheets. This is often easier said than done. The interesting chips will be more than a little customized, and often the real data sheets are covered by non-disclosure agreements that effectively require you to engage with the chip maker and prove you have a need to know to get the data. Of course, many chip makers are polite about data sheets, and even have extensive libraries available on line.

  4. Dump and disassemble code. This can be easier if the identified CPU has a well-understood debug interface, and the device has made those pins available. Why would they do that on a production board? Because sometimes that is a useful path for in-circuit programming in production.

  5. Probe the circuit in action. A good mixed signal oscilloscope and/or a good logic analyzer can be a real help here. I personally like both HP and Tektronix, but there are lots of other brands out there.

From this point, you might be in a position to try experiments involving changes to the existing code. Don't be surprised if you brick a couple of units while learning what not to do.

Above all, don't expect it to be easy...

Edit: A company that does this kind of thing for a living is Portelligent. They regularly tear down random consumer items and report on what they find. Their full reports cost significant amounts of money, but they do simple reports monthly and publish them in EE Times and similar magazines. Many of the recent articles are online, and have nice photos.

RBerteig
Would the same principle stand for an x86 mainboard BIOS?
bsdjunkies
Nothing in the above is specific to an Xbox. An x86 BIOS may be an easier problem overall, since you already know a lot about what it has to be doing, and there is a lot of documentation on specific x86 chips (including the support chips) available. It still won't be easy...
RBerteig
Not too worried about difficulty; more interested in how it's done.
bsdjunkies
Once upon a time, a friend and I reprogrammed an Atari Tempest arcade console game to "customize" some of the text as a prank on its owner who was out of town and had left me the keys in case it needed anything. It needed new text, and after about 20 straight hours of hand disassembly and tweaking, we had a new PROM image blown and installed. Doing something like that once is a valuable experience. Our victim was amused, and we left the machine in its hacked state for quite a while.
RBerteig
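Step 4 in the answer above ("dump and disassemble code") hands you a raw blob with no map. Before anything goes into a disassembler, a practitioner usually triages the dump: which regions are erased flash or fill, which look like code or data tables, which are opaque (compressed or encrypted, indistinguishable by entropy alone), and what readable strings it carries. The script below is an added example written for this page, not code from the original answer or from any vendor tool. It runs on a constructed sample image built inline (`build_sample_image`), and the block size and entropy thresholds are assumptions chosen for that sample, not constants from any real firmware.

```python
"""Firmware-dump triage: per-block entropy classification plus string scan.

Added example. The image is constructed inline; the thresholds are assumed
starting points for a 1 KiB block size, not values taken from any real dump.
"""
import math
import random
import re
from collections import Counter

BLOCK = 1024                 # analysis granularity in bytes (assumption)
PADDING_MAX_ENTROPY = 1.0    # bits/byte; below this: erased flash or fill
OPAQUE_MIN_ENTROPY = 7.4     # bits/byte; above this: compressed or encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for a constant fill, 8.0 for a uniform 256-symbol block."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def classify_block(data: bytes) -> str:
    h = shannon_entropy(data)
    if h < PADDING_MAX_ENTROPY:
        return "padding"
    if h > OPAQUE_MIN_ENTROPY:
        # Entropy cannot tell compression from encryption; check for a
        # compression magic at the region start before assuming crypto.
        return "compressed/encrypted"
    return "code/data"


def triage(image: bytes, block: int = BLOCK) -> list:
    """Walk the image in fixed blocks and merge neighbours of the same class.

    Returns a list of (start, end, class) tuples covering the whole image.
    """
    regions = []
    for off in range(0, len(image), block):
        chunk = image[off:off + block]
        cls = classify_block(chunk)
        if regions and regions[-1][2] == cls:
            start, _, _ = regions[-1]
            regions[-1] = (start, off + len(chunk), cls)
        else:
            regions.append((off, off + len(chunk), cls))
    return regions


def extract_strings(image: bytes, min_len: int = 8) -> list:
    """Printable ASCII runs of at least min_len bytes, like strings(1)."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, image)]


def build_sample_image() -> bytes:
    """Constructed stand-in for a real dump: four regions of known character."""
    rng = random.Random(2024)  # fixed seed so the layout is reproducible
    # "Code": a 64-symbol opcode alphabet (0x80..0xBF) gives mid-range entropy
    # and, by construction, contains no printable bytes to pollute the strings.
    code = bytes(rng.choice(range(0x80, 0xC0)) for _ in range(4096))
    # A NUL-separated message table (constructed text), zero-padded to one block.
    messages = [
        b"SAMPLE DRIVE FIRMWARE 1.0.3 (constructed)",
        b"UNLOCK_DEBUG_PORT",
        b"Checksum mismatch, halting",
    ] + [b"LOG%02d: constructed status message" % i for i in range(20)]
    table = b"\0".join(messages).ljust(1024, b"\0")
    # Uniform random bytes stand in for an encrypted or compressed blob.
    opaque = bytes(rng.getrandbits(8) for _ in range(4096))
    # Unprogrammed flash reads back as 0xFF.
    padding = b"\xff" * 2048
    return code + table + opaque + padding


def report(image: bytes) -> None:
    for start, end, cls in triage(image):
        print(f"0x{start:06x}-0x{end:06x}  {cls}")
    for s in extract_strings(image):
        print("string:", s)


if __name__ == "__main__":
    report(build_sample_image())
```

On a real dump, the region map is what tells you where to point the disassembler (the "code/data" spans) and where it is pointless to try (an opaque span with no compression header in front of it is a sign the code is encrypted and has to be recovered some other way, for instance through the debug interface mentioned in the answer). Strings such as a version banner or a debug-port name are the usual first foothold for locating the routine that handles them.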
A: 

One point to note, if you don't already know, is that you can't go on Xbox Live once you have begun toying with the Xbox. Of course, if you are turning it into something crazy that probably won't concern you.

Hope that input helps!

Dom