Microsoft Xbox Repair Manual page 67


The Xbox appears to use a standard method for sending ATA commands to its drives. The
SECURITY UNLOCK command doesn't require the use of the sector count, LBA low/mid/high,
or features registers, but they get cleared anyway. The only register that we are really interested
in, to begin with, is the command register. What we need to do is set up our logic analyzer to
trigger (start capturing) when the command register is written to with a value of 0xF2. The
method for doing this is dependent on your analyzer, RTFM. So, trigger when:
CS1 == 1
CS0 == 0
DA2 == 1
DA1 == 1
DA0 == 1
DIOW == 1
DD (7:0) == 0xF2
At this point the Xbox has written the command 0xF2 (SECURITY UNLOCK) to the drive,
which is now expecting to receive the password over the data lines in subsequent writes. The
mode used to transfer the data is called "PIO data-out" and transfers 512 bytes of data (that's 256
16 bit writes) over the data lines, controlled by bits in the Status register. There is a good diagram
in the ATA spec showing the transfer process, and you are encouraged to have it on hand when
going through this the first time (the latest ATA specs can be found at www.t13.org).
The data to be transferred is:
word #0: bit 0 == 1->Master password, 0->User password
         bits 15-1 == reserved (these were 0 in my case)
         so the whole data word was 0x0000
word #1: first two bytes of password
word #2: second two bytes of password
..
word #16: last two bytes of password
words #17-255: reserved (these were all zero in my case)
The transfer does not begin immediately. The device (the IDE drive in the Xbox) must first signal
that it is ready to receive the data. In the PIO modes this flow control is done through the Status
Register. The bits in the 8-bit status register are:
bit 7: BSY Busy (the device is busy)
bit 6: DRDY Device Ready (the device is accepting commands)
bit 5: DF Device Fault (device is unable to complete the command)
bit 4: # (Command Specific)
bit 3: DRQ Data Request (device is ready to transfer data)
bit 2: --- Unused (Obsolete)
bit 1: --- Unused (Obsolete)
bit 0: ERR Error (an error occurred while processing a command)
The transfer of data to the drive cannot occur until BSY == 0. You will see (if you are watching
the DIOR line) that the Xbox is polling that register waiting for the bit to clear. When it does the
Xbox will begin transferring the data bytes to the drive.
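
The exchange described above, decoded offline from analyzer samples. This is an added example, not code from the manual. Assumptions: each sample is a tuple (CS1, CS0, DA, DIOW, DD) already reduced to one stable sample per strobe, the Data register sits at DA == 0 (from the ATA register map, not this page), the low byte of each word is the first of its two bytes, and the capture and password are constructed.

```python
"""Decode an ATA SECURITY UNLOCK (0xF2) exchange from logic-analyzer samples."""
import struct

STATUS_BITS = {7: "BSY", 6: "DRDY", 5: "DF", 3: "DRQ", 0: "ERR"}
CMD_REG = 0b111   # DA2..DA0 from the trigger condition (Status register on reads)
DATA_REG = 0b000  # assumption: Data register address, from the ATA register map

def decode_status(value):
    """Names of the flags set in one 8-bit Status register read, bit 7 first."""
    return [n for b, n in sorted(STATUS_BITS.items(), reverse=True) if (value >> b) & 1]

def host_writes(samples, reg):
    """Yield (index, DD) for writes to `reg`, using the trigger levels given above."""
    for i, (cs1, cs0, da, diow, dd) in enumerate(samples):
        if (cs1, cs0, da, diow) == (1, 0, reg, 1):
            yield i, dd

def parse_unlock(samples):
    """Find the 0xF2 command write and parse the 256-word data block after it."""
    start = next((i for i, dd in host_writes(samples, CMD_REG) if (dd & 0xFF) == 0xF2), None)
    if start is None:
        return None  # no SECURITY UNLOCK in this capture
    words = [dd for _, dd in host_writes(samples[start + 1:], DATA_REG)][:256]
    if len(words) < 256:
        raise ValueError(f"truncated capture: {len(words)} of 256 data words")
    return {
        "identifier": "master" if words[0] & 1 else "user",   # word #0, bit 0
        # Assumption: the low byte of each word is the first of its two bytes.
        "password": struct.pack("<16H", *words[1:17]),        # words #1-16
        "reserved_clear": (words[0] >> 1) == 0 and not any(words[17:]),
    }

def constructed_capture(password=b"EXAMPLE-PASSWORD-NOT-REAL-000000"):
    """Constructed samples (CS1, CS0, DA, DIOW, DD): one stable sample per strobe."""
    block = [0x0000, *struct.unpack("<16H", password)] + [0] * 239
    polls = [(1, 0, CMD_REG, 0, 0x80), (1, 0, CMD_REG, 0, 0x58)]  # Status reads
    return [(1, 0, CMD_REG, 1, 0x00F2)] + polls + [(1, 0, DATA_REG, 1, w) for w in block]

if __name__ == "__main__":
    capture = constructed_capture()
    for _, _, _, diow, dd in capture[1:3]:
        print(f"status 0x{dd:02X}: {decode_status(dd)}")
    print(parse_unlock(capture))
```

The two Status reads in the constructed capture have DIOW == 0, so they are skipped when collecting data words; a capture that ends before all 256 words are seen raises an error instead of returning a partial block.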
It is worthwhile for me to note that on high speed analyzers you will see the logic lines drift from
their previous value to the new value. This is *normal* and is due to the capacitance of the data
bus. You need to be looking at the stable signal, not at the (possibly multiple) transient values
Page 67 of 87
