
Northbridges and Southbridges

From the document: Andrew “bunnie” Huang, Hacking the Xbox (pages 62-65)

The terms Northbridge and Southbridge are vernacular specific to the PC architecture. They refer to the two basic support chips that are found in virtually every PC. A Northbridge chip connects the CPU to main memory as well as any high-performance expansion busses, such as AGP and PCI. A Southbridge chip hangs off of the Northbridge chip and contains all of the extra peripherals that are found in a typical PC — parallel, serial, USB, mouse, keyboard, IDE controllers, audio codecs, and more. Dividing the PC architecture into these three main modules — CPU, Northbridge and Southbridge — enables PC designers to mix and match different kinds of memory architectures with a diverse selection of processors and peripherals.

Binary and Hexadecimal Numbers (continued)

Bin   Dec  Hex    Bin   Dec  Hex
0000  0    0      1000  8    8
0001  1    1      1001  9    9
0010  2    2      1010  10   A
0011  3    3      1011  11   B
0100  4    4      1100  12   C
0101  5    5      1101  13   D
0110  6    6      1110  14   E
0111  7    7      1111  15   F

Table 2-2: Binary, decimal, and hexadecimal conversion table.

The connection between the Northbridge and the Southbridge chipsets varies from chipset to chipset. In the case of the Xbox, a high-performance, narrow parallel bus called HyperTransport is employed as the connection between the functional equivalent of the Northbridge and Southbridge chips. The bus is only 8 bits wide in each of two directions, but it is clocked at 200 MHz and data is sampled on each clock edge so the effective peak transfer rate is 400 Mbytes/second in each direction. A Northbridge chip is connected to a CPU via a bus called the Front Side Bus (FSB). In the case of the Xbox, the FSB is a 64-bit 133 MHz bus that uses AGTL+ logic levels.

Knowing and understanding the kinds of connections between chips is crucial in reverse engineering because the kind of connection will dictate how difficult it is to intercept data going between various components.

The details of the relatively easier bus to tap, the HyperTransport bus, are discussed in Chapter 8, “Reverse Engineering Xbox Security.”

In the Xbox, the Southbridge is a chip designed by nVidia called the MCPX; it is a derivative of the nVidia nForce MCP Multimedia and Communications Processor. The Northbridge chip was also designed by nVidia, and it is called the NV2A GPU. Both the Northbridge and Southbridge chips were manufactured by TSMC (Taiwan Semiconductor Manufacturing Corporation). The NV2A combines both a GPU (Graphics Processing Unit) and the traditional memory and expansion bus controllers found in most Northbridge chips. As explained previously, combining the graphics processor and the Northbridge allows system designers to merge the graphics memory into main memory, at some performance penalty.

RAM

The Xbox motherboard employs 64 MB of DDR SDRAM for the main memory. DDR SDRAM stands for Double Data-Rate Synchronous Dynamic Random Access Memory. By combining synchronization and DDR techniques, the aggregate bandwidth of the Xbox main memory achieves 6.4 Gigabytes/second.

A RAM is basically a table of information that is indexed by the CPU. Each location in RAM has a unique index number called its address, and as the name “random access” implies, there are no restrictions on the order of data access in a RAM.[1]

[1] Actually, SDRAMs can have a few restrictions on memory access patterns (such as page modes and burst modes) for performance reasons. The “random” moniker is intended to differentiate RAMs from First-In, First-Out (FIFO) and Last-In, First-Out (LIFO) style memories where data is accessed using a strict set of ordering rules.

The term “dynamic” is applied to RAM that has to be constantly refreshed in order to preserve the integrity of data. For example, the RAM used in the Xbox must have every location read out and written back about thirty times a second. The performance penalty is not as bad as it sounds, as special hardware is built into modern DRAM chips that helps optimize the process.

The “synchronous” prefix means that inside the DRAM, the procedure for data access is broken down into a series of steps. Each of these steps is independent and can occur in parallel, so that multiple data requests can be in-flight simultaneously. An external timing signal, known as a clock, is used to synchronize the movement of data access requests through the various steps inside the DRAM. As a result, data access requests flow through each step like water through a pipe, and this technique is also known as pipelining. Synchronous DRAMs have higher bandwidth throughput than their predecessors, because pipelining allows multiple requests to be processed at once. However, the time required from when an access is first issued to an SDRAM to when the data finally appears on the output — the access latency — is not improved by pipelining.

The term “Double Data Rate” refers to the way synchronous data is transferred relative to the synchronizing clock. A clock waveform consists of a repeating pattern of high and low signals. In traditional systems, data is only transferred on the low-to-high transition of a clock waveform. In a DDR system, data is transferred on both the low-to-high and the high-to-low transitions. Thus, for the same clock frequency, twice the amount of data can be transferred. The performance mnemonic quoted by DDR SDRAM vendors, such as DDR266, refers to the transfer rate, so the actual clock speed is one-half the performance mnemonic, or 133 MHz in this case.
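The pipelining and double-data-rate behaviour described above, as an added example that is not from the book: a toy cycle-level model showing that pipelining raises throughput while leaving access latency unchanged, plus the peak-rate arithmetic for a bus that transfers on one or both clock edges. The four-step pipeline depth and the eight-request workload are assumptions chosen for illustration; the bus figures are the ones quoted in the text.

```python
def simulate(n_requests, stages, pipelined):
    """Clock a toy DRAM with `stages` internal steps.

    Returns (latency of each request in cycles, cycle at which the last
    request's data appears). When `pipelined` is False, a new request is
    accepted only once the previous one has left the device.
    """
    pipe = [None] * stages            # pipe[k] = id of the request in step k
    issued, done = {}, {}
    next_req, cycle = 0, 0
    while len(done) < n_requests:
        # Clock edge: the request in the last step delivers its data,
        # every other request moves forward one step.
        if pipe[-1] is not None:
            done[pipe[-1]] = cycle
        pipe = [None] + pipe[:-1]
        can_issue = pipelined or all(slot is None for slot in pipe)
        if next_req < n_requests and can_issue:
            pipe[0] = next_req
            issued[next_req] = cycle
            next_req += 1
        cycle += 1
    latencies = [done[r] - issued[r] for r in range(n_requests)]
    return latencies, max(done.values())


def peak_rate_mbytes(width_bits, clock_mhz, edges):
    """Peak transfer rate in Mbytes/second.

    edges=1: data moves only on the low-to-high transition.
    edges=2: data moves on both transitions (double data rate).
    """
    return width_bits / 8 * clock_mhz * edges


if __name__ == "__main__":
    STAGES, REQUESTS = 4, 8           # assumed values, not Xbox parameters
    for mode in (False, True):
        lat, total = simulate(REQUESTS, STAGES, pipelined=mode)
        label = "pipelined" if mode else "unpipelined"
        print(f"{label:12} latency={lat[0]} cycles, "
              f"all {REQUESTS} done after {total} cycles")
    # HyperTransport link from the text: 8 bits, 200 MHz, both edges.
    print("HyperTransport:", peak_rate_mbytes(8, 200, 2), "Mbytes/s per direction")
    # DDR266: a 133 MHz clock gives 266 million transfers/s per data line.
    print("DDR266 transfers per data line:", 133 * 2, "million/s")
```

Every request takes the same four cycles in both modes; only the total time to finish the batch changes, which is the throughput-versus-latency distinction the text draws.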

ROM

Every computer needs to have some kind of persistent or non-volatile memory for storing the start-up, or boot, program. The DDR SDRAM discussed above does not work for this application because all data in a DDR SDRAM is lost when the power is removed. Current versions of the Xbox use a FLASH ROM instead to store data that has to persist even when the power is turned off. ROM stands for Read-Only Memory, and FLASH refers to a specific style of storage element that is electronically reprogrammable. FLASH style memories are convenient in PCs because they can be reprogrammed by the end user to fix mistakes in the boot code. However, in the Xbox, FLASH ROM programming by the end user is purposely disabled. The write signal required for programming is disconnected by leaving out the jumper located on the back of the Xbox motherboard at component location R7R4 (see the sidebar titled “Enabling FLASH ROM Programming Hardware” for more information). In the case of the Xbox, the reprogrammability of FLASH is primarily leveraged as a convenience for Microsoft during development and production. It is quite likely that in a few months, the Xbox will use cheaper hard-wired “mask ROMs” once Microsoft believes it is ready to etch its boot program and kernel in stone (or silicon, as the case may be).

The boot ROM is pivotal in reverse engineering any computer because it contains critical code that is responsible for initializing the whole system.

In the case of the Xbox, the boot FLASH ROM plays an even more crucial role because it is partially responsible for implementing the tight software security system. The exact role of the FLASH ROM in the security system will be explained later, but the important thing to remember for now is that the FLASH ROM controls the initialization of the hardware in the Xbox and also contains the initial operating system kernel image.
