Read/Write an Xbox EEPROM with a Raspberry Pi
I’ve recently been playing around with CPLDs and the original xbox console. While doing so I came across an old xbox that I had lost the HDD locking key to. I didn’t really have any means to boot alternate BIOS from a modchip to try and recover the key, but I had a few Raspberry Pi’s laying around. I knew from an older project that the EEPROM on the xbox console sits on the I2C bus, and that the Pi has an I2C interface. After doing some digging around to find where the I2C points are exposed on the xbox motherboard, and some programming to read the contents of the EEPROM, I was able to successfully dump the contents of the EEPROM on a working xbox!
Now I just had to run the same program on the broken xbox and I would soon be able to rejoice in retrieving years of game save from my childhood. Only one problem… I have removed most of the chips from the broken motherboard, so getting it to boot so I could read the EEPROM was a no go. However, the EEPROM has it’s own I2C interface. With some quick solder work I was able to remove the EEPROM from the console and solder a few jumpers to a pin header that I could connect to my Pi. Yippee, back on track!
After I dumped the contents of the EEPROM I quickly decrypted the HDD key and realized the the EEPROM had been created anew before the xbox broke. That is, the HDD key was set to all 00s. There was no rejoicing to be had for my lost game saves. But I now had a nifty setup that would allow me to read and write the EEPROM from an xbox, whether it was still attached to the motherboard or removed. I cleaned up the code I had wrote and dubbed the program PiPROM: The Raspberry Pi Xbox EEPROM Programmer. Using only a Pi and three connections to an xbox motherboard you can read and write to the EEPROM, recovering your lost HDD keys and restoring your broken consoles.
The Xbox Connections
The I2C interface can easily be found on the LPC port of the xbox motherboard. You are going to want to solder three wires, one for SDA, one for SCL, and one for GND. The ground wire is very important, so don’t skip it! I’d recommend soldering a pin header to the motherboard just to make life easier for any future mods, but it is not necessary if you are only here to recover the EEPROM. If you have a 1.6 version motherboard you might have to restore the connections to pins 13 and 14 (the I2C pins) on the LPC port using the “LPC Rebuild” method. However, I don’t believe I had to do this for my 1.6 motherboard, I think the LFRAME, RST, and LAD pins are the ones that have been disconnected.
Once you have the connections made to the xbox motherboard you can connect the three wires to your Raspberry Pi. The pinouts for all of the Pi models have been the same thus far, but when in doubt you should look up the pinout for your version of the Pi. You are going to want to connect the SDA/SCL pins on the xbox to the SDA/SCL pins on the Pi, and connect GND from the xbox to GND on the Pi. Real hard stuff, I know.
Using PiPROM on your Pi
Once you have the connections made you can head on over to the GitHub page for PiPROM and download the source code. You will also find the instructions on how to compile PiPROM for your version of the Raspberry Pi, as well as enable the I2C interface on your Pi. PiPROM is currently supported on the Model A, B+, and v2 B models of the Pi. Once you have PiPROM up and running you are ready to start programming your xbox’s EEPROM.
To use PiPROM your xbox must be powered on, but don’y worry, as long as you are not doing anything on your xbox when you run PiPROM you won’t harm anything. Once your console is on, and assuming you have the i2ctools package installed on your Pi, you can run
sudo i2cdetect -y 1 to scan the I2C address range and see what devices your Pi can detect. You should see output that is almost identical to mine below, unless you have your Pi connected directly to an I2C EEPROM, and not to an xbox motherboard. If your output is different then something is wrong with one of your connections (you left out the GND connection didn’t you? Tisk tisk…). Check your wires and try again.
The address we are interested in is 0x54. If your Pi is connected directly to the EEPROM then you will only see one address listed in the output, and that is the address you are going to plug into PiPROM.
Reading, Writing, and Erasing the EEPROM
Now you are ready to starting reading and writing EEPROMs! Below you can find the syntax for PiPROM. You will need to run PiPROM using
sudo in order for it to be able to access the I2C interface. If your Pi is connected to an xbox console and you want to read, write, or erase the EEPROM, you can use one of the following commands:
Read xbox eeprom to eeprom.bin: sudo PiPROM -r ./eeprom.bin Write eeprom.bin to the xbox: sudo PiPROM -w ./eeprom.bin Erase the eeprom: sudo PiPROM -e
If your Pi is connected directly to an EEPROM not attached to an xbox motherboard you will need the I2C address you found using i2cdetect earlier.
Read eeprom at I2C address 0x50 to eeprom.bin: sudo PiPROM -r -a 0x50 ./eeprom.bin Write eeprom.bin to eeprom at I2C address 0x48: sudo PiPROM -w -a 0x48 ./eeprom.bin Erase eeprom at I2C address 0x54: sudo PiPROM -e -a 0x54
Note: You may need to replace “PiPROM” with “./PiPROM.a” on the command line if you get an error that says “PiPROM command not found”. If you receive any errors during the reading or writing process check your wiring. Make sure your SDA, SCL, and GND wires have a strong connection between the Pi and the Xbox/EEPROM chip.
As with all of my projects I claim no responsibility for any damage done to your xbox or Raspberry Pi! Use this information and software at your own risk!!