XboxHacker BBS
Author Topic: Xbox360 Controller Radio Frequency and Signal  (Read 7000 times)
jowadmax
« on: December 22, 2011, 06:40:09 PM »

Hi everyone;

I was working on some basic wireless communication between Microcontrollers and got an idea but I need some answers from you guys.
I know that the Xbox360 controller uses 2.4 GHz radio frequency to communicate with the 360, but I don't know how that happens. I mean there are a lot of RF transceivers that can transmit the same signal if used properly with a Microcontroller.

My main question before I ask more: is it possible (even theoretically) to make a 360 controller hardware emulator that has an RF transmitter that can be identified by the xbox as a controller? If not, what's the obstacle? Is the frequency that the 360 uses special, or can't it be transmitted by a 2.4GHz RF transmitter?

If yes, and that's my question for you guys, is there any information on how the 360 communicates and identifies the controllers and what is the encryption technique?

My main goal is to make a small hardware that emulates the Xbox360 controller by establishing a connection with the xbox but instead of sending the controller signals from the buttons themselves, it sends the signals according to what commands it gets from the computer, which are basically the mouse and the keyboard movements.

Thank you very much.
xboxbreaker
« Reply #1 on: December 23, 2011, 06:51:55 AM »

Quote
My main question before I ask more: is it possible (even theoretically) to make a 360 controller hardware emulator that has an RF transmitter that can be identified by the xbox as a controller? If not, what's the obstacle? Is the frequency that the 360 uses special, or can't it be transmitted by a 2.4GHz RF transmitter?

The controllers contain a TPM chip and use a custom 2.4GHZ protocol so it is not an easy task. I am not sure of the details of how the TPM sync/handshake works, but that is the reason you won't find many/any 3rd party controllers.
d4m4n
« Reply #2 on: December 23, 2011, 07:24:14 AM »

Why not use a pcb from an original controller? Control it with signals from parallel port or some GPIO card/usb stick.
neonpolaris
« Reply #3 on: December 23, 2011, 09:41:52 AM »

You're trying to make something like this?
http://hothardware.com/News/XIM3-Adapter-Enables-Keyboard--Mouse-Control-On-Xbox-360/

There are a few devices out there that do this, but I think all of them require a regular wired controller connected for them to operate.  I agree with d4m4n that your simplest bet would be to tap into a controller's board to handle the communication.  It would certainly be heaps less work, albeit less pretty.
jowadmax
« Reply #4 on: December 23, 2011, 10:27:15 AM »

@xboxbreaker, thank you very much for the info, I think I'll start with sniffing the USB communication of a wired controller to see what is happening.
@d4m4n, that's exactly what I'll do if I can't do the emulation part. It's not a hard process, especially with a PIC18F MCU, but I wanted the other method because it would be much cheaper, as it doesn't require tearing a controller apart, and also because it's more interesting ;)
@neonpolaris, basically, yes, but way cheaper and easier to DIY.

I'm wondering, guys, why would XIM3 need a controller to be connected all the time? Does it use the authentication chip on the controller to act as if that controller is the one connected? Could that be done just through the USB?

Thanks
« Last Edit: December 23, 2011, 10:30:41 AM by jowadmax »
xboxbreaker
« Reply #5 on: December 23, 2011, 10:51:18 AM »

I think all the traffic (button presses, headset audio, etc) is encrypted by the TPM chip, so it's not a one off handshake. The TPM encrypts over wi-fi and USB, so the XIM3 would need an official controller to do all that work I assume.
xboxbreaker
« Reply #6 on: December 23, 2011, 10:59:48 AM »

Some more info here:
http://www.free60.org/GamePad

Not much in it about the security itself though, kind of treats it as transparent.
peshkohacka
« Reply #7 on: December 23, 2011, 12:32:09 PM »

I believe the XIM guys have the requirement to keep a pad connected to avoid legal issues, because breaking the cryptography is in fact a crime.

This is a bit of info about past research on the RF board:

Connect the RF board to a PC
Or hook up Arduino to the RF.
And another topic covering the serial communication between RF board and the x360.
« Last Edit: December 23, 2011, 12:34:19 PM by peshkohacka »
l_oliveira
« Reply #8 on: December 28, 2011, 08:43:03 AM »

Quote
My main question before I ask more: is it possible (even theoretically) to make a 360 controller hardware emulator that has an RF transmitter that can be identified by the xbox as a controller? If not, what's the obstacle? Is the frequency that the 360 uses special, or can't it be transmitted by a 2.4GHz RF transmitter?

The controllers contain a TPM chip and use a custom 2.4GHZ protocol so it is not an easy task. I am not sure of the details of how the TPM sync/handshake works, but that is the reason you won't find many/any 3rd party controllers.

Actually, the RF part is the least of the concerns when making a controller. There's a device within the controller (an 8 pin security chip with XBOX written on it) which replies to challenges from the XBOX360 kernel, and if the kernel does not like the answers the device is denied connection.

It's a Rough World
peshkohacka
« Reply #9 on: December 28, 2011, 11:23:05 AM »

Why are you quoting him to say exactly the same thing he said? It was already said there is a TPM chip; it's just unclear whether it encrypts all of the data or it's just triggered upon challenge from the console.
l_oliveira
« Reply #10 on: December 28, 2011, 12:22:09 PM »

Quote
Why are you quoting him to say exactly the same thing he said? It was already said there is a TPM chip; it's just unclear whether it encrypts all of the data or it's just triggered upon challenge from the console.

Because I wanted to say that the RADIO being custom is not the issue.

And the TPM is just used when the controller receives the challenges. The controller works flawlessly on a PC with the TPM part removed.
It's a Rough World
jowadmax
« Reply #11 on: December 28, 2011, 05:11:26 PM »

Quote
within the controller (an 8 pin security chip with XBOX written on it) which replies to challenges from the XBOX360 kernel, and if the kernel does not like the answers the device is denied connection.

Thanks xboxbreaker, d4m4n, neonpolaris, peshkohacka, and l_oliveira for your useful answers! ;)
That's why I asked HERE and NOW. Here, because this forum is full of awesome and talented hackers who know what they're doing. Now, because now reversing the kernel is not an impossible task, thanks to the JTAG/RGH exploits.

My question for the kernel reversing guys (i.e. c0z and others), who are as familiar with the kernel as if it were their town: is it possible to know what this security chip does without reversing the chip itself? I mean, if we can reverse the kernel, can't we know what is expected from that chip and how it works, to use an MC instead of that chip?
« Last Edit: December 29, 2011, 06:17:04 AM by jowadmax »
neonpolaris
« Reply #12 on: December 29, 2011, 09:20:20 AM »

Such a polite fellow.

Sorry, I can't help you there, and I don't remember ever reading anything discussing controller security before.  Best of luck, though.
jowadmax
« Reply #13 on: February 24, 2012, 11:03:05 PM »

hey guys, new updates!
http://www.xboxhacker.org/index.php?topic=17779.0
xboxbreaker
« Reply #14 on: February 25, 2012, 08:39:06 PM »

Good work mate, nice to see you stuck it out and got it working.