Microsoft Xbox Repair Manual page 66

Extracting the HD password from an Xbox hard drive
The Xbox hard drive uses a fairly old but relatively unused set of security commands to prevent
easy access to its built-in drive. However, since the password system does not specify any form
of challenge/reply system the password is transmitted in "clear" form. Thus with the right
equipment and a little bit of patience you can easily read the values.
The ATA spec provides a command labeled SECURITY UNLOCK (command code 0xF2) which
provides a means for passing a 32 byte password to an IDE drive in order to unlock it. There are
two passwords, a master and a user password.
The Xbox uses the user password.
To get to the password you need at least 22 (preferably 23) probes.
DD (15:0) -- data pins
CS (1:0)- -- Chip Select
DA (2:0) -- Device Address
DIOW- -- Device I/O Write
DIOR- -- Device I/O Read (optional)
When dealing with hardware you need to realize that there is a difference in the voltage level of a
line and the line's meaning. For the "standard" wire the low voltage condition (usually 0V)
corresponds to binary 0 and the high voltage condition (2.7V, 3.3V, 5V, 12V, or whatever) is
binary 1. There are signals that are "negative logic" in which case the opposite is true: 0V ==
binary 1, +xV == binary 0. The ATA spec uses the symbol 'A' (for asserted) to indicate the high
voltage condition, and the symbol 'N' (for negated) for the low voltage condition.
The CS0-1, DIOW, and DIOR lines are negative logic, which is indicated by the '-' mark after
their names (above and in the spec).
There are several registers in the ATA spec; they are addressed by the combination of the CS and
DA lines. Several of these registers have different meanings depending on whether they are read
or written; the write meaning is shown first.
The values for these registers are:
CS1-  CS0-  DA2   DA1   DA0   bits  Name
0(A)  1(N)  1(A)  1(A)  0(N)  8     Device Control Reg./Alt. Status Reg.
1(N)  1(N)  X     X     X     16    Data Port
1(N)  0(A)  1(A)  1(A)  1(A)  8     Command Reg./Status Reg.
1(N)  0(A)  1(A)  1(A)  0(N)  8     Device Reg.
1(N)  0(A)  1(A)  0(N)  1(A)  8     LBA High Reg.
1(N)  0(A)  1(A)  0(N)  0(N)  8     LBA Mid Reg.
1(N)  0(A)  0(N)  1(A)  1(A)  8     LBA Low Reg.
1(N)  0(A)  0(N)  1(A)  0(N)  8     Sector Count Reg.
1(N)  0(A)  0(N)  0(N)  1(A)  8     Feature Reg./Error Reg.
1(N)  0(A)  0(N)  0(N)  0(N)  16    Data Reg.
The value to be placed in the register is passed on the DD lines (the data lines). When setting an
8-bit register, the low bits of the data lines (0-7) are used.
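The register addressing described above, as an added example (not part of the original manual): a Python decoder that turns sampled pin levels into register writes, keying on the raw voltage levels of the negative-logic CS lines exactly as the table lists them. The sample tuple layout, the function names, and latching a write on the low-to-high (negating) edge of DIOW- are assumptions of this example; the capture is constructed.

```python
# Added example: decode ATA register writes from sampled pin levels.
# Key = voltage levels (CS1-, CS0-, DA2, DA1, DA0) from the table above;
# value = (write-side register name, width in bits).
REGISTERS = {
    (0, 1, 1, 1, 0): ("Device Control", 8),
    (1, 0, 1, 1, 1): ("Command", 8),
    (1, 0, 1, 1, 0): ("Device", 8),
    (1, 0, 1, 0, 1): ("LBA High", 8),
    (1, 0, 1, 0, 0): ("LBA Mid", 8),
    (1, 0, 0, 1, 1): ("LBA Low", 8),
    (1, 0, 0, 1, 0): ("Sector Count", 8),
    (1, 0, 0, 0, 1): ("Feature", 8),
    (1, 0, 0, 0, 0): ("Data", 16),
}
SECURITY_UNLOCK = 0xF2  # command code given in the text


def register_for(cs1_n, cs0_n, da):
    """Map raw pin levels to (name, width); da is the 3-bit DA(2:0) value."""
    if cs1_n == 1 and cs0_n == 1:  # both chip selects negated (high voltage)
        return ("Data Port", 16)
    key = (cs1_n, cs0_n, (da >> 2) & 1, (da >> 1) & 1, da & 1)
    return REGISTERS.get(key, ("unknown", 16))


def decode_writes(samples):
    """samples: iterable of (cs1_n, cs0_n, da, diow_n, dd) pin levels.
    Assumption: a write is latched when DIOW- goes low -> high (negated),
    so the last sample taken while DIOW- was low supplies address and data."""
    writes, prev_diow, prev = [], 1, None
    for cs1_n, cs0_n, da, diow_n, dd in samples:
        if prev_diow == 0 and diow_n == 1 and prev is not None:
            name, width = register_for(prev[0], prev[1], prev[2])
            # 8-bit registers use only DD(7:0); the upper lines are ignored.
            writes.append((name, prev[3] & ((1 << width) - 1)))
        prev_diow, prev = diow_n, (cs1_n, cs0_n, da, dd)
    return writes


# Constructed capture (not from real hardware): a Device Reg. write
# followed by a Command Reg. write.
SAMPLE = [
    (1, 1, 0b000, 1, 0x0000),  # idle: both CS negated, DIOW- negated
    (1, 0, 0b110, 0, 0xFFA0),  # DIOW- asserted (0V), addressing Device Reg.
    (1, 0, 0b110, 1, 0xFFA0),  # DIOW- negated -> write latched
    (1, 0, 0b111, 0, 0x12F2),  # Command Reg.; DD(15:8) is don't-care
    (1, 0, 0b111, 1, 0x12F2),
]
```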
Page 66 of 87
