Why so cheap???

I decided it was time to get to work and try to learn something new about this device and JTAG. I’ve never used a JTAG interface before, so why not just jump right in. I started by watching this video of Felix Domke; it explained the concept, the basics of using the JTAG interface, and how most hardware doesn’t bother disabling it.

First things first… Even though the pads are clearly labeled on the board, I wanted to find more information on the chip that was being used in the remote. The MAXQ610, a 16-Bit Microcontroller with Infrared Module. Doesn’t that just roll off the tongue?

More Info: http://www.maxim-ic.com/datasheet/index.mvp/id/5939
Data Sheet: http://datasheets.maxim-ic.com/en/ds/MAXQ610.pdf
User Guide: http://pdfserv.maxim-ic.com/en/an/AN4812.pdf
Other Documents: http://www.maxim-ic.com/datasheet/index.mvp/id/5939/t/do

MAXQ610 Pinout

I was psyched to get started, so I got my soldering iron out, my wires all cut and ready, and began connecting wires to my JTAG programmer. It didn’t take long to get it all hooked up, and after some programmer issues, I was up and running with a small test app using the FTDI drivers and libraries directly from http://www.ftdichip.com/Drivers/D2XX.htm. I tried doing some simple stuff like navigating the JTAG TAP. It didn’t seem to work though. I tried several things, clocking in streams of 1’s and clocking in streams of 0’s, and none of it seemed to work. I guess it’s time to check the signals.

I hooked up the scope with the intent of probing each signal to make sure it was getting to the board. In doing so I noticed that I forgot to hook up the TCK connection, and that totally explained why nothing was happening. Without clocking the process cannot move forward. As I reached for another piece of wire to connect TCK, the probe that was connected to my TMS pin fell off the table and ripped the pad off the remote board. ARGGGggggg.
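To make the failure mode above concrete, here is an added example (not code from the original post, and not the FTDI D2XX test app the author wrote). It models the standard IEEE 1149.1 TAP controller: TMS is sampled only on a rising edge of TCK, so with TCK unconnected nothing ever advances, and five TMS=1 clocks bring the controller to Test-Logic-Reset from any state. The state names and the `Tap` class are my own constructed names, not anything from the MAXQ610 documents.

```python
"""Constructed model of the JTAG TAP controller state machine.

Two points from the write-up are demonstrated:
  1. A stream of TMS=1 bits always lands in TEST_LOGIC_RESET within 5 clocks.
  2. Without TCK edges the controller never moves, no matter what TMS does.
"""

# Standard IEEE 1149.1 TAP controller: for each state,
# (next state when TMS=0, next state when TMS=1), sampled on rising TCK.
TRANSITIONS = {
    "TEST_LOGIC_RESET": ("RUN_TEST_IDLE", "TEST_LOGIC_RESET"),
    "RUN_TEST_IDLE":    ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_DR_SCAN":   ("CAPTURE_DR", "SELECT_IR_SCAN"),
    "CAPTURE_DR":       ("SHIFT_DR", "EXIT1_DR"),
    "SHIFT_DR":         ("SHIFT_DR", "EXIT1_DR"),
    "EXIT1_DR":         ("PAUSE_DR", "UPDATE_DR"),
    "PAUSE_DR":         ("PAUSE_DR", "EXIT2_DR"),
    "EXIT2_DR":         ("SHIFT_DR", "UPDATE_DR"),
    "UPDATE_DR":        ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
    "SELECT_IR_SCAN":   ("CAPTURE_IR", "TEST_LOGIC_RESET"),
    "CAPTURE_IR":       ("SHIFT_IR", "EXIT1_IR"),
    "SHIFT_IR":         ("SHIFT_IR", "EXIT1_IR"),
    "EXIT1_IR":         ("PAUSE_IR", "UPDATE_IR"),
    "PAUSE_IR":         ("PAUSE_IR", "EXIT2_IR"),
    "EXIT2_IR":         ("SHIFT_IR", "UPDATE_IR"),
    "UPDATE_IR":        ("RUN_TEST_IDLE", "SELECT_DR_SCAN"),
}


def next_state(state, tms):
    """One rising TCK edge with the given TMS level."""
    return TRANSITIONS[state][1 if tms else 0]


def walk(state, tms_bits):
    """Apply one TCK rising edge per TMS bit and return the final state."""
    for tms in tms_bits:
        state = next_state(state, tms)
    return state


class Tap:
    """Pin-level view of the controller (constructed helper class).

    The state advances only on a 0->1 transition of TCK; setting TMS
    by itself does nothing, which is exactly what a missing TCK wire looks like.
    """

    def __init__(self, state="TEST_LOGIC_RESET"):
        self.state = state
        self.tms = 0
        self.tck = 0
        self.edges = 0  # rising edges the controller has actually seen

    def set_tms(self, level):
        self.tms = 1 if level else 0

    def set_tck(self, level):
        level = 1 if level else 0
        if self.tck == 0 and level == 1:  # rising edge: TMS is sampled now
            self.state = next_state(self.state, self.tms)
            self.edges += 1
        self.tck = level

    def clock(self, tms):
        """Drive TMS, then pulse TCK low->high; return the new state."""
        self.set_tms(tms)
        self.set_tck(0)
        self.set_tck(1)
        return self.state


def reset_from_every_state():
    """Map each state to where five TMS=1 clocks take it (all -> reset)."""
    return {s: walk(s, [1] * 5) for s in TRANSITIONS}


def forgotten_tck(tms_bits, start="RUN_TEST_IDLE"):
    """Wiggle TMS with TCK never driven: state and edge count stay put."""
    tap = Tap(start)
    for bit in tms_bits:
        tap.set_tms(bit)  # no set_tck call: the clock pin is not wired
    return tap.state, tap.edges


if __name__ == "__main__":
    print(reset_from_every_state())
    print(walk("TEST_LOGIC_RESET", [0, 1, 1, 0, 0]))  # path to SHIFT_IR
    print(forgotten_tck([1, 0, 1, 1, 0, 1, 1, 1, 1, 1]))
```

Feeding all 0's from reset is just as uninformative as a dead clock: the controller drops into Run-Test/Idle and sits there, so neither a stream of ones nor a stream of zeros tells you anything unless the state machine actually advances into a Shift state and TDO starts carrying data.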

Well I guess I’m done for the day until I go get another remote to start over with.

Where is the Media Center Button???

About a year ago I moved to use Windows Media Center for my TV viewing at home. I planned on using the Xbox 360 as an extender, and was just stuck waiting for my backordered Ceton tuner to arrive. After months of waiting it showed up at my door, and the rest is history.

Xbox 360 Media Remote

Fast forward to last month… I got my hands on the new Xbox 360 Media Remote, and loved the new look, the feel of the buttons, and the size. Something was missing though. I had become used to the Big Green Button on my other remote jumping right into Media Center. This remote had no Big Green Button; it had a Live TV button, but that didn’t do anything useful. After being frustrated for a month with this design, I decided I’m going to try to make it better.

I don’t know a lot about hardware hacking, but I’ve replicated some hacks in the past done by other smart people. This device is small, cheap, and probably fairly simple in design. The price tag and complexity make this an ideal learning experience for me. So I got my screwdrivers and camera out, and began tearing it apart.

Media Remote Guts

Six screws on the back of the remote, and the thing popped right open. Wow, pretty empty inside: a single board, no wires, nothing fancy at all. I tried to get some pictures to reference so that it would be a bit easier to inspect than trying to read the tiny print and follow traces on the actual device. To my surprise they didn’t come out too bad, and I was able to clearly see several areas of interest: RX/TX pins, and what appears to be a clearly labeled JTAG interface.

I immediately went to work with a razor blade, scraping off the black covering to expose all the pads on the board. It appears Microsoft has pulled every pin that might be interesting out to an easily accessible location. The black covering scrapes off fairly easily as well. It is pretty clear that these boards were made as cheap as possible though; they are paper thin. That doesn’t matter, it just means they hopefully were cheap on the security of the chip as well.