FJITA: The Project that Just Wasn't Meant To Be

Common wisedom says to not give up. But nevertheless sometimes, that seems to be exactly the right thing to do. Project FJITA (no, I will not explain what the acronym means) was an interesting idea that originated in 2007. Back then, I became interested in the lower-level details of DVDs. I had build a hardware hack that allowed me to capture the raw bitstream from DVDs, and wrote a software decoder for DVD bitstreams.

A Hacker's Look at Dieselgate

Another year, another post. (Isn’t it great that the timestamp is actually updated when I start writing the post? So this is still good for 2015.) During 32C3, I’ve held a talk on the Volkswagen emissions cheating (“Dieselgate”), together with Daniel Lange. You can watch the video here, or get the slides as PDF or html. Jake over at wrote a very good summary here, in case you haven’t watched the video.

OpenVizsla OV3 - Hello, World!

I’ve previously talked about the hardware design of the the OpenVizsla OV3 USB hardware analyzer, and about the FPGA design. Now we could use OV3 to sniff some USB traffic - but we can do this later as well. Instead we should write a ‘hello world’-type component. Hello, World I’ve chosen to implement something that allows to write an 8-bit register, does a computation (invert all bits), and allow that to be read back.

OpenVizsla OV3 - FPGA design

I’ve previously talked about the hardware design of the the OpenVizsla OV3 USB hardware analyzer. This time I want to give a broad overview of how the FPGA part of the design works. The OpenVizsla FPGA design (available in the GitHub OV repository was written using Migen, “a Python toolbox for building complex digital hardware”. Migen allows to write logic as the result of a Python script, and compile them to Verilog (and ultimately an FPGA bitstream).

OpenVizsla OV3 - Hardware

Fail. That’s probably the first word you think of when hearing the word “OpenVizsla”. It all started good in - WTF - 2010 when bushing and pytey thought it would be a good idea to build an open-source USB sniffer. Scam. That’s what people called the project after unable to provide a working prototype after one year, two years, three years. But let me assure you: this project is not a scam.

What's Inside: Tektronix DPO5034

Expectations This post is about a teardown of an DPO5000 oscilloscope (DPO5034). This is a 2011, mid-range, Windows-based Tektronix oscilloscope. List price is $12.000, but eBay has them - used - down to $5500 or so if you're lucky. This particular model is a 350MHz, 5Gs/s model without MSO functionality (adding 16 digital channels, a "poor man's logic analyzer" -even though it rather *makes* you poor when buying it, since it's pretty expensive).

Real Life Statistics

I recently noticed the above relationship between posts-per-year and family size. This is Paul Matti, born 2012-03-05 (07:01am). He turned one today, and his sister also thinks that he is awesome.

xvcd - The Xilinx Virtual Cable Daemon

I recently discovered an almost undocumented function in Xilinx ISE: the Xilinx virtual cable driver. It’s basically “a platform cable without a platform cable” (as marcan said so nicely) - it allows you use Impact (and Chipscope, and all other tools) over TCP/IP. Normally, ISE comes with a limited set of cable drivers: It supports cables on the parallel port, such as the Xilinx Parallel Cable III (DLC5), which can be DIY’ed easily, or the faster Xilinx Parallel Cable IV (which has an integrated CPLD), or the - quite expensive, but also sophisticated - USB Platform cables.

What's Inside: Hilti PD-30

I love physics hacks, and I consider phase shift measurements in general as a great hack. As a consequence, I love laser distance meters. A while ago I took apart a Fluke 411D - coincidentally with nearly identical results as this SparkFun tutorial: I disassembled it, found the serial port, found the “?\r\n”, tried sending all kind of data to the other “RX” pins - and didn’t receive any answer from the device.

Almost Secure

Vulnerabilities are like good ideas - you’re rarely the first one dealing with it. Some vulnerabilities are almost classic, so I’ll proudly present: 7 old but surprisingly useful bugs that might also affect YOUR device. (With “you” either being the designer or attacker.) Just to be clear: none of these exploits are rocket science. This is kind of the “low tech” hacking approach - no fancy oscilloscopes required, no DPA involved, no FIB to rent.

What's Inside: Metz 50 AF-1 N

{% endmark -%} I recently bought a Metz 50 AF-1 N flash that I’m very happy with. One of the reason why I bought this one was that it has a USB port to upgrade the firmware. (Call me crazy, but that’s a valid reason for me.) Looking at their firmware, we find a number of “.mtz” files that all look - weird. Their entropy is much too low for a real encryption scheme (plus they don’t seem to have any length alignment).

"if you call that hacking, then we embrace that.", or: please have a cake.

From nyt: Some hackers say Sony wants to deter customers from modifying the PlayStation3. Is that true? No, there’s a real misnomer there, we embrace independent game development; if you call that hacking, then we embrace that. We give people tools that let them create new experiences. What I don’t think we are in support of is someone trying to hack our device to pirate software and possibly collapse the platform.

The Last Piece

As described in this post on and in this post, there is still a secret left that needs to be lifted for the newer “Type 3” triforces. As a short summary, the new type triforce is probably a cost reduction of the old hardware. As part of this cost reduction, handling of the GDROM and security PIC, which was previously implemented in an SH-4 CPU, was “removed”. The network stuff was now handled separately on a MIPS cpu, but several strings that are proven to exist do not exist anymore in the flash rom, at least not as plaintext.

Encrypted Links

Just a random failscript we stumbled across: $random_key = get_option(‘XXXXX_random_code’); $output = “\n”.stripslashes($cart_item_name).” - “.$script_location.‘download.php?file=’.rawurlencode(base64_encode(RC4Crypt::encrypt($random_key,$download))); I vote for removing crypto primitives from PHP altogether. Oh wait, people would just code up their own ROT26 then and use CRC for hashing. Nevermind. Maybe also remove the xor operator then?


Recently mist came up with an update of his 2005 slide summarizing the effects of a number of hacks that started benign and ended up, well, not so benign. While I this kind of meta-discussions are not really my métier, an interesting discussion was started in the comments. I don’t want to re-start this discussion. The major points have been made, from both sides. One of my points, though, that is an important foundation for this discussion, is my belief that most hacks, regardless of being benign or not, have not been made by a commercial party.

Scope pr0n

Every now and then, I come across something on my scope that’s just beautiful. Being ecstatic on weird traces on your scope sure makes you a geek, but hey, don’t we love being geeks? To make this more interesting, I’ll won’t describe this further and leave this to my readers. Can someone figure out what signal you can see here? Bonus points for those who understand what makes this data so unique, and a cookie for everyone who guesses what kind of breakthrough (not mine, unfortunately) you can see here.


1 I apologize for the lack of updates. Yeah, I’m sorry. But this time, I’ve got a proper excuse! Her name is Ida Klara, she was born on April 26th, and she’s awesome2! Yeah, I’m still on 32bit. [return] And no, that doesn’t mean I’ve stopped hacking. I have some interesting things going on, they are just not finalized3 enough so I can post4 them. [return] [return] Now with a hugo-powered blog.

Probe Hacking, Part 2

In this part of my “probe hacking” series, I’ll explain how I connected a P7350 to my scope. Hell, this sounds like I’m writing an unboxing post. But don’t worry. I’m way too cheap to buy this probe new and unbox it. So what I did was to go to eBay, and buy a broken P7350, in the hope I could repair it. Well, it didn’t work. The probe was already foobar when I got it, but I’ve learned important things about probes: First, all the high-frequency work happens directly inside the probe head.

Probe Hacking, Part 1

The WhatsInside post from January was not an incidental post. It is actually snapshot of a much longer forensic investigation to find the ground truth behind some of the technology behind Tektronix’ scope accessories. Pun aside - In October 2009, I’ve got a new scope, a Tektronix DPO4034. It’s a scope in the $8k range, so while not exactly low-cost, you don’t need a mortgage on your home to buy it.

What's Inside: Part IV - TL-SG210

8 ports should be enough for everyone - but 24 ports are so much cooler. The more, the better. I’ve decided again for minimum investment - 68 EUR for 24 bidirectional Gigabit isn’t that bad. It’s a TP-Link L-SG1024. So I’ve ripped it open (you expected that, right?). To make a long story short: This switch isn’t hackable. It uses a Marvell Prestera-DX switch (with external QPHYs), and this is a strictly unmanaged switch solution.

What's Inside, Part III: TP-Link TL-SG1008D

I was looking for a successor to my last project. Some time ago I’ve bought the most cheapest Gigabit-Ethernet switch I could find. It was a TP-Link TL-SG1008D - 8 ports, GigE on all of them, and in the end, it was much bulkier than I expected it from the photo. It served well, and I finally decided to open it up. Turns out that the heat sink is pretty much damn massively soldered into the PCB.

Exit Review: K-Brand Cutting Edge Cable Cutter

I mean - it was a really cool thing, until it failed. The low price tag most certainly wasn’t the reason for the ultimate failure of this gadget, it was me, mis-operating. Raw force is usually a solution - this time, it wasn’t.

Site Update

I’ve switched to a more recent wordpress. Please don’t root me now because I’m not using a century old version anymore. And I’ve switched the theme. I hope you like it.

What's Inside - Part II, HDMI Audio Splitter

I’ve bought a HDMI Audio Splitter from dealextreme. I’ve ripped it open. The thing has two HDMI inputs, one HDMI output. So far it’s boring - most of these devices just use analog switches to route the HDMI. However, this thing also has a coaxial and optical SPDIF output. That means it must at least being able to parse the HDMI stream, potentially decrypt it (if HDCP is used), and extract the audio information.

What's Inside - Part I, Tektronix TPA-BNC

From time to time, I’ll rip apart devices just because I want to know what’s inside. I mean, usually you know what’s inside - but sometimes, there’s more. Those are the happy days. Sometimes, it’s just a tiny PCB and a lot of weight. Those are the not so happy days. I’ll start this series - which hopefully evolves a bit more than the last series I’ve started here (which I still intend to finish… some day) - with the Tektronix TPA-BNC.

Manage Your Ethernet Switch

I’m cheap. Most of my switches aren’t manageable. I know that they are cheap now. My switches are still cheaper. On the other hand, I recently required a device on a separate network. Having just one NIC on my linux machine, I naturally wanted to use VLANs for that; all it needs is a switch in VLAN mode, where each of the ports (except for one, the “master” port) is on a separate VLAN.

Liquid Waste

Maybe I’m just not used to this kind of american humor, but I found it hilarious: OCR’ed after the break. Sorry for the iPhonish quality. The text reads: “By installing this water-saving handle with dual-function flush, this facility has demonstrated its commitment to protect and preserve the environment. For the system to work, we need your help. Please take a look at the diagram above and push the handle in the direction which best suits your needs.


It’s “b”. Ever wrote PowerPC inline assembly with GCC, and wondered why certain code combinations don’t run? Do you see what’s wrong with this code? uint64_t ld(volatile void *addr) { uint64_t l; asm volatile (“ld %0, 0(%1)” : “=r” (l) : “r” (addr)); return l; } Well, it’s using the “r” register constraint, and GCC might choose r0 for you. However, some instructions (like load instructions) will use a literal 0 if you specify r0, because that let’s you do zero-page addressing.

Some Xbox 360 homebrew

Given that there is little existing homebrew code for xbox 360, I’ve sat down and ported Snes9x. After a day, mostly spent in debugging libxenon itself, I’ve had this running: (Excuse the bad movie quality, my digicam sucks at movies.) I used Snes9x GX, i.e. the Wii/Gamecube-Port, as a base. I didn’t use much of the GC-specific code, but it gave me a good idea of what functions I have to implement.

Dangerous Xbox 360 Update Killing Homebrew

On Tuesday, Microsoft has released an Xbox 360 software update that overwrites the first stage bootloader of the system. Although there have been numerous software updates for Microsoft’s gaming console in the past, this is the first one to overwrite the vital boot block. Any failure while updating this will break the Xbox 360 beyond repair. Statistics from other systems have shown that about one in a thousand bootloader updates goes wrong, and unless Microsoft has a novel solution to this problem, this puts tens of thousands of Xboxes at risk.

And YOU thought a keyboard firmware upgrade would be far-fetched...

Or: The “I cracked it open, so you don’t need to”-series. I just figured out that there is a firmware upgrade available for Apple’s $29 miniDP->VGA Dongle. Yes, that’s right. That thing isn’t just plastic with some wires. It isn’t just a passive level adaption. It has real hardware inside. In this case, it’s a ST / genesis microchip gm58009. I couldn’t find much information about that thing (can anyone help?

Triforce Tools

I’m sitting on this for a while now, and it didn’t change a lot. That means it’s either 100% finished or completely useless. It’s a python script which talks to the NetDIMM board on a Triforce/Naomi/Chihiro, and implements the “Satellite” protocol for uploading and running games. I dunno if it really works. Have fun! Here it

bgrep - A Binary Grep

I’m terribly annoyed by the fact that grep(1) cannot look for binary strings. I’m even more annoyed by the fact that a simple search for “binary grep” doesn’t yield a tool which could do that. So I wrote one. Have fun: bgrep.c. Usage is simple: Just give it a hex string (without spaces) as first argument, and possibly use ‘??’ to mask out bytes. It will print matching files and the offset.

Anatomy of an Optical Medium Authentication (Part 1)

Introduction Abstract In this series of articles, I will talk about the design, implementation and fall of an optical media authentication used on a popular, but past, gaming console. I will show that it’s possible to reverse engineer such stuff without access to expensive equipment or insider information.While I will not talk about practical implementation of attacks against the discussed scheme, I will show that this has been done, and I will analyze how this has been done.


See some hardware pr0n after the break. First, please remember the overall structure of a pre-Type-3-Triforce:The first picture shows the Gamecube board, together with the Power- and IO-board still attached. Also you can see the bios override chip (modchip).  Here you can see the IPL with debug output redirected to the screen:Finally, the whole setup (GDROM is in the blue thing in the back, PCB on top is the network PCB of the DIMM board) as it’s currently on my desk: Thanks!

Triforce, Type 3

As my original Triforce is not reachable for me at the moment, I’ve bought another one. This time it was a “newer-type” Triforce, without the detachable DIMM board. Those are also called “type 3”. At first it looked as they only integrated the DIMM board into the triforce housing, but after more investigations, it looks like this was a complete redesign. On the other hand, the Base board (handling JVS IO) and the gamecube remained identical.

Just a Small Tool

Just a small tool to decrypt Triforce images: Have fun! You have to point it to the right place for the keys. Also, you need to unpack the ISO filesystem first. I do this by Converting the GD-ROM data session to 2048 bytes/sector (UltraISO offers this functionality in the context menu), extracting the game files with extract.exe A bit ugly, but that works. See for more details on how this works.

Part 5: The Other Way Around

[I’ve started writing this a few days after the last post. I was still waiting for some things to develop, but I’m a bit out reach at the moment, so this might take some time. So this post isn’t as finished as I hoped it it would be. But these “news” already started to smell funny.] In the first 3 parts I explained how I could modify the Gamecube board inside the Triforce to dump the plain game images.

Pah, security!

Step 1: $40k overpriced LA (could be replaced easily with a $150 FPGA board), some wires < Step 2: 20 lines of python code Difference between those? Just some simple XOR and ADD. Ok, now a better step-for-step description what’s this all about. As you might have seen, GDROM-games for the Naomi/Triforce/Chihiro come with a security chip, which has to be plugged into the “DIMM Board”. The “DIMM board” is, as previously explained, in charge for loading and decrypting the GDROM data.

Part 4: Profit

I’ve spent some time on understanding the exact protocol spoken to the baseboard. Thanks to dolphin, I could run the software (for example, media board bios) and log all EXI/SI transfers. More details later, but I could replay them on the Triforce, thus grabbing the right responses, and emulating them properly in dolphin. There is still a lot left to do, of course. :) The media board emulation is more than incomplete (it only emulates reads, so far), and there is no JVS IO yet.

Part 3: Dumping the game content

I almost forgot to write about the successful execution of Task 3: I basically patched the SegaLoader (i.e. the Media Board payload) to break after initializing the GD-ROM, i.e. after reading the GD-ROM into Dimm-Board’s memory. Then I just repeated the steps I did for dumping the Media Board (after the Media Board is switched into “Dimm Board”-mode, the same read commands will read the data from the DIMM Board instead of the onboard flash).

Captcha fun...

Ok, this post is a bit lame. First, I know that captchas are random, and there are a lot of funny words in a 26^6-space. Second, it only works in German, if you want translate it: “po” means “butt”. So yes, it’s a lame sexual reference. Still interested? Fine, then read on.

Part 2: Dumping the Media Board

The Media Board contains an FPGA which interfaces to the DI bus, i.e. replaces the DVD-ROM. However, A quick test shows that the original DVD commands don’t work. Here the modchip’ed triforce comes handy again: The qoob bios leaves the original bootrom (i.e. the triforce IPL) at 0x81300000. I could then upload my own test tool via network, patch the IPL (for example I’ve redirected OSReport to the screen and to the USBGecko), and let it run.

Part 1: Dumping the Triforce-IPL

I’ve already described that the heart of the beast is a basically unmodified retail Gamecube board. Rumors tell it has 48MB of (MEM1-)RAM, but based on the memory chip quantity and description, I cannot confirm that - they exactly match a retail Gamecube. As a side note, games seem to be 512MB max. I won’t give any further comment about the possible implications of these facts ;). However what is modified versus a retail Gamecube board is that a different IPL is installed.

The Beast.. in parts

What is “The Beast”? Other than what you find on wikipedia, the Triforce can be described as a tweaked Gamecube. The heart is a standard, retail Gamecube board, allegedly with twice the amount of MEM1, and a custom IPL. Instead of the DVD drive, the Triforce has a Sega-developed “media board” which interfaces to a “DIMM board”. The “DIMM board” is an embedded computer running VxWorks. It has a large amount of buffer RAM (my unit has 512MB), and interfaces to a NAOMI GD-ROM.

Please, *don't*!

The TIOBE Index states: “The index can be used […] to make a strategic decision about what programming language should be adopted when starting to build a new software system.” Please. Really, do not do that. (What actually scares me the most is that Visual Basic is gaining importance.)

Xbox 360 GPU update

First, here are the promised slides for my Breakpoint 2008 presentation about “Gaming Consoles for demosceners”: breakpoint-2008-slides.pdf Then, I’ve updated my GPU library a bit. The biggest thing was a rewrite of the interface, so now it’s all encapsulated into a nice API. I’ve also added some features (stencil buffer ops, drawing with index buffers), and fixed a LOT of bugs (for example vfetch patches on more complex shaders). The updated GPU library, included the mentioned “spinning cube” example, is available here: gpu-0.

Thank you, Datel.

EDIT: This post was - seriously - posted before I’ve read “<Ch0p> the owner of datel electronics just made a $1000 donation to wiibrew“. However, I still believe my objections are valid. Anyway, Datel, thank you (a LOT) for supporting wiibrew. Thank you, Datel, for all your precious hacker tools. You call them “videogame enhancement products”, which is probably as what most people see them, but I call them “hacker tools”, and that’s a compliment.


I’ve got rid of the obsolete content on, so I’ve decided to move this content there. Old URIs should be still valid and will be redirected.

Wii hacked it!

After bushing had shown the first homebrew exploit, a lot of stuff has happened in the Wii-world. The exploit was based on a hole in the disc hashing&verification, but the original finder (segher) decided that he doesn’t want the bug to be published. While this caused some controversy, the reason behind this was that the hole could be patched very easily in a future firmware version, as no original function relies on it.


Sorry, I just had to put this online… (In case you didn’t get it: KabelBW is a big cable provider in germany. They offer an “IPTV” service, where you can watch some TV channels over the internet, from everywhere. Now one channel, ”BW-family”, doesn’t seem to work, and reveals how they are transcoding their content for the Web - essentially using a specific, unnamed set-top-box tied up to an analog-to-flc encoder, which displays this ugly message box when a channel was not found… I bet it’s even my faul that the message box title still says “Switch” and not something more user friendly.


The 24c3 is over now, and we really had a lot of fun. We brought 6 of our Xboxes, which allowed us to grab attention from quite a lot of people in the hackcenter :). bushing showed a nice Wii hack we had been developing in the last few weeks (though I mostly did watch the show). Ben has been burning like 50 DVDs or so, which all did different things from doing nothing at all to immediately freezing the system, but like 30 min before our lecture, he made it working!

My personal iPhone-experience...

Sorry, no technical post today. I have a few project which just require the final touches, but unfortunately, I just wasn’t in the mood to do them. And you don’t want to read something half-finished, right? I’ve recently got hold of an iPhone. No, I didn’t pay for it, and no, I can’t keep it forever. The iPhone might be one of the devices in ‘07 which raised the most expectations (to either side).

iPod Nano (2nd) USB fun...

I just stumbled over that, and it seems that nobody else did yet (at least, I couldn’t find anything on google): Bus 001 Device 007: ID 05ac:1260 Apple Computer, Inc. Device Descriptor: bLength 18 bDescriptorType 1 bcdUSB 2.00 bDeviceClass 0 (Defined at Interface level) bDeviceSubClass 0 bDeviceProtocol 0 bMaxPacketSize0 64 idVendor 0x05ac Apple Computer, Inc. idProduct 0x1260 bcdDevice 0.02 iManufacturer 1 Apple iProduct 2 iSerial 3 000A2700188443C7 bNumConfigurations 2 Configuration Descriptor: […] Interface Descriptor: […] bInterfaceClass 8 Mass Storage […] Configuration Descriptor: […] iConfiguration 4 iPod USB Interface Interface Descriptor: […] bInterfaceClass 1 Audio […] AudioControl Interface Descriptor: […] wTerminalType 0x0201 Microphone […] bDescriptorSubtype 3 (OUTPUT_TERMINAL) wTerminalType 0x0101 USB Streaming […] Interface Descriptor: […] bInterfaceClass 3 Human Interface Devices It really looks like the iPod is exposing its Audio interface (and possibly the keys?

Fear, triangles!

I’m proud to present: Triangles on the 360, MANY OF THEM - about 40 million per second, or even more if you write clever code. (But this is not a depth of field, just a blurry screenshot ;) I finally polished my GPU stuff far enough so I can risk a release. You need to compile your shaders, so you need Tser’s shader compiler (which uses part of the windows XNA libraries).

Valgrind, you saved my day.

While writing code to extract the GPU microcode out of the kernel from flash (on 360, in order to not require the GPU library to ship with any copyrighted files), I’ve came across a very ugly bug: My code worked perfectly, until I’ve changed the stack layout by inserting a variable or changed gcc’s optimization setting. Suddently, libmspack refused to unpack my data. I’ve carefully audited my code, but couldn’t find any oddity or abuse.

Bye, bye, xpc823...

I have known since years that the day had to come, but it was hard anyhow: My beloved iMac G5 (rev. 1) had to be taken down, in order to move to his new home, the waldobjekt. During the last few years, it always served well the kuehlschrank-website (it’s down now, of course!), provided a home for my emails (people are still calling me crazy for setting up the MX for my primary mail domain into a dyndns), archived our webcam pictures, connected my home to the world wide web (and even further), and had not suffered a single crash.


I apologize for the lack of recent updates. The main reason is that I moved, or better, split up, currently into three different places: My new flat, my old flat (which still takes care of a lot of my equipment), and a new home for electronic devices, called “waldobjekt”. The waldobjekt is a place which finally has enough space for all of my projects (and much more). >260 m² of space for storage, working and having fun!

Compiling a ReadyNAS kernel...

I’ve struggled a day or so with this, so let me summarize: Infrant loves replacing their kernel every now and then with a different version, without changing the filename. Be sure to not use the RAIDiator 2.0 release. It’s buggy and misses stuff (so much for “GPL compliance”). The 3.0 (md5sum of .tar.bz2: d7da0363a6d4da912907dd03385d6f7a) is ok. You need to use gcc-2.95.3 to compile the kernel. I’ve spent half a day to fix the kernel to compile with a recent gcc-3.

Running own code on the Infrant ReadyNAS

The Infrant ReadyNAS NV is a Sparc (Leon) powered NAS. It’s not really cheap, but, well, I’ve got it somehow cheap. It featueres 4 SATA channels and Gigabit ethernet, unfortunately it runs a heavily modified Linux Version. Now, Infrant (of course!) complies to the GPL by releasing a 2.4.20-based kernel every now and then, of course every time with an undocumented set of changes under the same filename. Did I forget to tell you that some kernel releases are missing important files (lp_code, lp_data for example was missing in the “2.

Read your DVDs the RAW way...

This will be an attempt to document stuff I’ve done in the past. I’m bad at documenting, so I’ll just present what I’ve done. If you have further questions, always feel free to email me. This time I wanted to know what’s on my DVDs. I mean, not what’s normally visible, but what’s underneath the data layer. Contrary to CDs, where a lot of work has been done to allow reading every bit of a CD, there is surprisingly less information for DVDs.

#2 fixed

Today I looked at Xbox #2, which made some strange fan-based noises. I checked the fan, and in fact, the CPU fan (which made the noises) had a much larger axial tolerance than the GPU fan. With some minimal force I could even detach the fan blades! It seemed that the clamped connection wasn’t in place, and touched a non-moving part. I simply removed the clamp, so the fan is now only hold in place via magnetism.

Network trouble.

Again, things aren’t as easy as one could hope. After my obvious fix to the xenon_net kernel module, I’ve noticed that after every reboot, the interface name incremented by one. I’ve now got up to eth5! At first I was very puzzled, but obi was able to identify the issue: The debian udev scripts are trying to preserve interface names for removed network adapters. They are matched on the MAC-address which is - random, in our case.

Thermal problem... fixed?

I’m not good at case-modding, and I cannot judge at all whether a cooling system is a good one or not. So I have to totally trust in the engineering power which Microsoft has invested into the Xbox 360 cooling system. Still, my Xbox #9 had a problem, even I could see that. I’ve removed the GPU heatsink, and removed the (evil? Probably not really.) thermal foil (I couldn’t see any damage/misalignment on it, though.

AV pack fix

I was sick of attaching my VGA cable to each box while booting, so I fixed that: The nice thing is that the VGA AV-Pack can still be attached. So when I need to debug a box, i can just attach it, and the videomode etc. (which we cannot set in linux at the moment) is already set to VGA.

Status: 9 of 10 up.

Unit #2 has still a problem with the DVDROM. Though i fear that unit #9 has a thermal problem: $ ./foreach /usr/src/smc -s | grep sensor sensor data: 65.3 C, 61.4 C, 66.9 C, 29.9 C, sensor data: 69.1 C, 63.7 C, 64.2 C, 29.9 C, sensor data: 70.0 C, 59.3 C, 61.1 C, 28.8 C, sensor data: 66.9 C, 62.3 C, 62.5 C, 30.2 C, sensor data: 69.4 C, 63.

Ok, I should have listened...

But I didn’t. After I booted 9 of the 10 devices (nr. #2 failed with a flaky DVD drive, and a possibly broken fan), I could only access them “a few times”. They behaved very erratically. A bug in the kernel? Random oopses? It was a bit simpler than I have thought. sudo arp -v | grep 00:01 ether 00:01:02:03:04:05 C eth0 ether 00:01:02:03:04:05 C eth0 ether 00:01:02:03:04:05 C eth0 10.

First electrical test!

After about two and a half hours of opening, flashing, closing all the boxes, they were all ready. Side note: All boxes were produced on 2006-10-25, and all had Hitachi drives. Did you know that drives are stackable? Don’t they look nice? (Don’t worry about the red ring - they just don’t have any AV cable connected yet.)

Harddisks prepared!

Thanks to some automatic script, preparing all the harddisks with a stock debian root was easy. Big thanks to Microsoft for their cool transfer cable! (Which is a plain USB storage cable…) I also automatically generated labels thanks to our donated CAB Apollo 1 label printer. (The truth is that I had to switch to my laptop, as the USB support in the kernel is still flaky. What a pity.

Hardware arrived!

Today at 9:50AM, the local GLS dude brought three big packages. Inside: A total of 5.12GB of RAM, 30 PPC64 CPU cores, 10 ATI (approx.) R600-level GPUs, seperated evenly into… 10 Xbox 360! The mission: Using them with Linux, having some fun! (Ok, the real mission was to evaluate if we can replace some normal servers with 360 hardware.)


I’m Felix “tmbinc” Domke. I like disassemblers, soldering irons and oscilloscopes, and I use them to hack stuff. As you can see, I’m particularly bad at web design and keeping a blog updated, but every once in a while you can expect another quality post[citation needed]. You can reach me at My PGP Key ID is 0xC9B37337 (fingerprint: F3E7 0E7F 7CF7 6A44 3E27 42A0 34F7 E743 C9B3 7337) and is available on a few keyservers.