Kinect firmware located???


Kihnect

Nov 26, 2010, 4:44:52 PM
to OpenKinect
Reviewing the Kinect BOM here:

http://www.eetimes.com/electronics-news/4210649/Kinect-s-BOM-roughly--56--teardown-finds-

There are a couple of flash EEPROMs that should contain the Kinect
firmware:

"H1025519 XBOX1001 X851716-006 GEPP – Serial EEPROM for Marvell
Controller"
"STMicroelectronics 25P16V6G - M25P16 - 16 Mbit, low voltage, Serial
Flash memory with 50 MHz SPI bus interface"

Since it would be useful to know what the firmware does to be able to
better interface with the Kinect, it would be nice to get a dump of
the contents of these chips. After briefly considering clipping the
chip and dumping it the hard way, there seemed to be a better
alternative to having a pile of spare Kinect parts lying around. That
being that Microsoft most likely distributes these firmware updates;
probably with the Kinect games or with Xbox system updates as
suggested here:

http://www.joystiq.com/2010/10/28/psa-got-a-kinect-game-early-dont-stick-it-in/

It seems at the moment, Microsoft deploys firmware updates via both of
those routes. The most recent Xbox system update here:

http://download.microsoft.com/download/4/1/D/41D9A2BA-3B48-4BD5-B613-122E7C3A1390/SystemUpdate12611.zip

Unzipping this file you end up with the following:

Archive: SystemUpdate12611.zip
----
$systemupdate/AvatarEditor.xex
$systemupdate/BiometricSetup.xex
$systemupdate/Dash.AttractionScreen.xex
$systemupdate/dash.ExtraAVCodecs.xex
$systemupdate/Dash.FieldCalibration.lex
$systemupdate/dash.firstuse.xex
$systemupdate/Dash.MP.Offline.lex
$systemupdate/dash.natalpregame.xex
$systemupdate/dash.NuiFirstUse.xex
$systemupdate/dash.nuihub.xex
$systemupdate/Dash.NuiTroubleshooter.lex
$systemupdate/dashnui.xex
$systemupdate/FFFE07DF00000001
$systemupdate/FFFE07DF00000002
$systemupdate/FFFE07DF00000006
$systemupdate/FFFE07DF00000008
$systemupdate/Guide.AvatarMiniCreator.xex
$systemupdate/Guide.NuiTroubleshooter.xex
$systemupdate/livepack.xex
$systemupdate/mediasite.xzp
$systemupdate/natalsu.xex
$systemupdate/nuihud.xex
$systemupdate/su20076000_00000000
$systemupdate/system.manifest
$systemupdate/Xam.Community.xex
$systemupdate/Xam.LiveMessenger.xex
$systemupdate/Xam.WordRegister.xex
$systemupdate/XimeDic.xex
$systemupdate/XimeDicCh.xex
$systemupdate/ximedicex.xex
$systemupdate/Xna_TitleLauncher.xex
-------

Looking at some of the more obviously interesting files:

$systemupdate/natalsu.xex
This looks like a good candidate for a Kinect system update/firmware
uploader.

$systemupdate/Dash.FieldCalibration.lex
This appears to be the field calibration that uses Microsoft's
Calibration Card included with Kinect games.

There are also a couple of files that turn out to be in an Xbox
specific format:

http://www.free60.org/STFS

The extract360.py script found on the previous link will extract these
files. You can find some other non-Python extractors listed there
too.

ftp://rene-ladan.nl/pub/distfiles/extract360.py

Here's what the mystery files contain:

Xbox firmware update
su20076000_00000000
-------
$flash_aac.xexp
$flash_bootanim.xex
$flash_createprofile.xex
$flash_dash.xex
$flash_deviceselector.xex
$flash_gamerprofile.xex
$flash_hud.xex
$flash_huduiskin.xex
$flash_mfgbootlauncher.xex
$flash_minimediaplayer.xex
$flash_nomni.xexp
$flash_nomnifwm.xexp
$flash_signin.xex
$flash_systemupdate.xex
$flash_systemupdate2pre.xex
$flash_updater.xex
$flash_vk.xex
$flash_xam.xex
$flash_xenonclatin.xttp
$flash_xenonjklatin.xttp
$flash_ximecore.xex
$flash_ximedic.xexp
$install_extender.xex
crl.bin
dae.bin
xboxupd.bin
-------

Some avatars
FFFE07DF00000002
-------
AvatarAssetPack.toc
AvatarAssetPackLegacyV1.toc
-------

This seems to be Kinect OOBE/Initial setup resources
FFFE07DF00000006
-------
ambient.xma
Avatar6400.Avatar
Avatar6404.Avatar
Avatar6411.Avatar
Cheer.AvatarAnimation
Gift.AvatarAnimation
IdleOffScreen.AvatarAnimation
Look.AvatarAnimation
Nielsen.xma
OobeIndex
RunIn.AvatarAnimation
RunOutLong.AvatarAnimation
RunOutMedium.AvatarAnimation
RunOutShort.AvatarAnimation
RunOutStandard.AvatarAnimation
Salute.AvatarAnimation
sensorplace_TV.png
Theme0 <DIR>
Theme1 <DIR>
Theme2 <DIR>
ThemesIndex
-------

This looks like the Kinect body position database for tracking
purposes.
FFFE07DF00000008
-------
Database.gmsodf
hands.gmsodf
NuiIdentityDbVersion.txt
NuiIdentityNN.bin.be
NuiIdentityPCA.bin.be
speech <DIR>
-------
Since Microsoft hasn't provided us with an acronym dictionary, I'll
assume that the abbreviations are related to their motion tracking
algorithms and make some wild guesses here:
NN: nearest-neighbor
PCA: principal component analysis
gmsodf: gaussian mean shift orientation distribution function
(Obviously! It was either that or 'Got me -- some other database
file.')

And the speech subdirectory looks basically identical to Microsoft's
Voice Command firmware for their cell phones (there are en-gb, en-us,
es-mx and ja-jp for UK and US English, Spanish and Japanese):

speech\en-us
-------
AI031033.am
l1033.cw
l1033.ini
l1033.phn
l1033.smp
l1033.wwd
-------


Finally, this looks like a good candidate for Kinect firmware:

FFFE07DF00000001
-------
2bl.bin
audios.bin
crown1.png
crown10.png
crown2.png
crown3.png
crown4.png
crown5.png
crown6.png
crown7.png
crown8.png
crown9.png
detroit.bin
fwversions.txt
milestone1.png
milestone2.png
milestone3.png
NuiCam.bin
-------

Some poking around suggests the following functions for these files:

2bl.bin (Nui Audio/altair/more?)
audios.bin (Nui Audio/altair)
detroit.bin (Nui Motor)
NuiCam.bin (Nui Camera)

Most of the hardware and patents suggest these are probably ARM
binaries. They compress well, so encryption seems to be minimal if
any.

Also useful to look at for ideas are the .xex files. You can view
resources from these files with XeXtractor:

http://helldoc.blogspot.com/2010/04/xextractor-v103.html

You can find shader source and strings like "sensorsafetyparams" which
seems to indicate some care needs to be taken when playing with the
laser projector to avoid possible eye damage.

Have fun reverse engineering, but take care not to redistribute
Microsoft's Xbox system update or components (and modifications)
thereof without their prior written permission!

More appropriate uses would be to identify USB commands to control the
Kinect, and hardware architecture information to write an independent
open source firmware alternative, such as for use with autonomous
Kinect controlled robots.

-Kihnect
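The post above works from three observations about the extracted files: the container format (XEX executables versus the STFS packages that extract360.py unpacks), which files look like raw firmware, and the fact that they "compress well" so encryption is probably minimal. The script below is an added example written for this page, not code from the post or from OpenKinect, that turns those observations into a repeatable triage pass: for each blob it reports size, Shannon entropy, zlib compression ratio and the magic at offset 0. The only magics it knows are "XEX2" (Xbox 360 executables) and "CON ", "LIVE" and "PIRS" (STFS packages); anything else is reported as raw. The sample blobs are constructed in memory so the script runs offline; the real update files are not on the page, and the entropy and ratio thresholds are assumptions chosen for this example.

```python
"""Triage extracted Xbox update payloads: container magic, entropy, compressibility.

Added example for this page; not code from the original post or OpenKinect.
Magics assumed: b"XEX2" for XEX executables, b"CON "/b"LIVE"/b"PIRS" for STFS.
"""
import math
import random
import zlib

STFS_MAGICS = {b"CON ", b"LIVE", b"PIRS"}
XEX_MAGIC = b"XEX2"


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty/constant input, close to 8.0 for random data."""
    if not data:
        return 0.0
    counts = [0] * 256
    for b in data:
        counts[b] += 1
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in counts if c)


def compression_ratio(data: bytes) -> float:
    """zlib(level 9) output size divided by input size; >1.0 means incompressible."""
    if not data:
        return 1.0
    return len(zlib.compress(data, 9)) / len(data)


def container_kind(data: bytes) -> str:
    """Classify by the 4-byte magic at offset 0 (XEX2 or an STFS package)."""
    head = data[:4]
    if head == XEX_MAGIC:
        return "xex"
    if head in STFS_MAGICS:
        return "stfs"
    return "raw"


def triage(name: str, data: bytes) -> dict:
    """One summary row per blob. Thresholds are assumptions for this example:
    encrypted or packed data sits near 8 bits/byte and does not shrink."""
    ent = shannon_entropy(data)
    ratio = compression_ratio(data)
    return {
        "name": name,
        "size": len(data),
        "kind": container_kind(data),
        "entropy": round(ent, 3),
        "ratio": round(ratio, 3),
        "likely_encrypted_or_packed": ent > 7.9 and ratio > 0.97,
    }


# Constructed samples (not the real files). The "plain" blob imitates a
# firmware image with markers and a copyright string; the "random" blob stands
# in for an encrypted image and is generated from a fixed seed for repeatability.
SAMPLE_PLAIN = (b"HMIT" + b"\x00" * 12 + b"AudiosFakeMDD\x00"
                + b"Copyright (c) Microsoft Corporation. All rights reserved.\x00") * 64
_rng = random.Random(20101126)
SAMPLE_RANDOM = bytes(_rng.getrandbits(8) for _ in range(16384))
SAMPLE_STFS = b"LIVE" + b"\x00" * 60
SAMPLE_XEX = b"XEX2" + b"\x00" * 60


if __name__ == "__main__":
    for name, blob in (("plain", SAMPLE_PLAIN), ("random", SAMPLE_RANDOM),
                       ("stfs", SAMPLE_STFS), ("xex", SAMPLE_XEX)):
        print(triage(name, blob))
```

On real input, replace the constructed samples with `open(path, "rb").read()` for each extracted file. A blob with entropy near 8 and a ratio above 1.0 is the one worth checking for encryption or compression before any disassembly; a low ratio, as the post reports for these files, means the bytes are structured enough to be worth carving for code and strings.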

Mike Harrison

Nov 26, 2010, 5:58:39 PM
to openk...@googlegroups.com
On Fri, 26 Nov 2010 13:44:52 -0800 (PST), you wrote:

>Reviewing the Kinect BOM here:
>
>http://www.eetimes.com/electronics-news/4210649/Kinect-s-BOM-roughly--56--teardown-finds-
>
>There are a couple of flash EEPROMs that should contain the Kinect
>firmware:
>
>"H1025519 XBOX1001 X851716-006 GEPP – Serial EEPROM for Marvell
>Controller"

Possibly a security authentication type device - can't see any other reason for two different serial
flash chips on the same processor.

>"STMicroelectronics 25P16V6G - M25P16 - 16 Mbit, low voltage, Serial
>Flash memory with 50 MHz SPI bus interface"

This contains the firmware for the Marvell audio processor chip - I read it out and it looks like
ARM code. Looks a bit too big to be just a bootloader to soft-load firmware from the XBOX.

The depth sensor firmware will be the parallel flash next to the Primesense chip - it's a BGA
package, so would be a bit tricky to read, and probably not very useful without data on the rest of
the processor hardware.

>You can find shader source and strings like "sensorsafetyparams" which
>seems to indicate some care needs to be taken when playing with the
>laser projector to avoid possible eye damage.

Or at least as likely to prevent melting the laser diode...
I do however suspect the laser output is set to be _just_ inside class 1, when measured as peak
power density, as the overall output is many times over the simple total power output limit for
class 1. This may well be part of the factory calibration.

Mike Harrison

Nov 26, 2010, 6:09:10 PM
to openk...@googlegroups.com

>2bl.bin (Nui Audio/altair/more?)

bl = bootloader?

>audios.bin (Nui Audio/altair)
>detroit.bin (Nui Motor)
>NuiCam.bin (Nui Camera)

Do any of these files contain a large number of E3 and E5 bytes at addresses with the last 2 bits
set? This would indicate 32 bit ARM code

If the audios.bin file contains "HMIT" a couple of times near the start, the text AudiosFakeMDD and
a MS copyright string at around 696C0 and just before that, then that would be a match for what's
in the Marvell chip's serial flash.
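The byte-frequency test described above is a quick, disassembler-free way to spot 32-bit ARM code, and it is worth making precise. In little-endian ARM images the condition field and the top opcode bits of each 4-byte word land in the last byte of the word, i.e. at offsets of the form 4k+3; the "always" condition is 0xE, 0xE3 is the data-processing immediate form used by MOV/CMP/ORR/MVN and 0xE5 is LDR/STR with an immediate offset, which is why those two values pile up in ARM code. The script below is an added example for this page, not code from the thread or from OpenKinect. It scores all four alignments rather than just offset 3, so an image that is not word-aligned in the file, or a big-endian one, shows up at a different offset instead of being missed, and it also reports the offsets of marker strings such as "HMIT". The instruction stream used as sample input is constructed here; the threshold values are assumptions for this example.

```python
"""ARM32 code heuristic: density of 0xE3/0xE5 (and any 0xEx) bytes per 4-byte alignment.

Added example for this page; not code from the thread or OpenKinect.
"""
import struct

E3_E5 = {0xE3, 0xE5}


def alignment_scores(data: bytes) -> list:
    """For offsets 0..3: (fraction of E3/E5 bytes, fraction of 0xE0..0xEF bytes)
    over the bytes found at positions 4k+offset."""
    scores = []
    for off in range(4):
        col = data[off::4]
        if not col:
            scores.append((0.0, 0.0))
            continue
        e3e5 = sum(1 for b in col if b in E3_E5) / len(col)
        cond_al = sum(1 for b in col if 0xE0 <= b <= 0xEF) / len(col)
        scores.append((e3e5, cond_al))
    return scores


def best_alignment(data: bytes) -> tuple:
    """(offset, frac_e3_e5, frac_cond_always) for the alignment with most E3/E5 bytes."""
    scores = alignment_scores(data)
    off = max(range(4), key=lambda i: scores[i][0])
    return (off, scores[off][0], scores[off][1])


def looks_like_arm_le(data: bytes, min_e3e5: float = 0.15, min_al: float = 0.5) -> bool:
    """True when the word-aligned high byte (offset 3) is dense in AL-conditioned
    encodings. Thresholds are assumptions for this example."""
    off, e3e5, cond_al = best_alignment(data)
    return off == 3 and e3e5 >= min_e3e5 and cond_al >= min_al


def find_markers(data: bytes, markers) -> dict:
    """All offsets of each byte-string marker (e.g. b"HMIT", a copyright string)."""
    found = {}
    for m in markers:
        hits, pos = [], data.find(m)
        while pos != -1:
            hits.append(pos)
            pos = data.find(m, pos + 1)
        found[m] = hits
    return found


# Constructed sample: a plausible ARM prologue/body/epilogue as little-endian
# words, repeated so the statistics have something to work on.
SAMPLE_WORDS = [
    0xE92D4010,  # push {r4, lr}
    0xE3A00000,  # mov r0, #0
    0xE5901004,  # ldr r1, [r0, #4]
    0xE5801008,  # str r1, [r0, #8]
    0xE2800001,  # add r0, r0, #1
    0xE3500000,  # cmp r0, #0
    0xEBFFFFFE,  # bl (self-relative placeholder)
    0xE8BD8010,  # pop {r4, pc}
    0xE12FFF1E,  # bx lr
]
SAMPLE_ARM = struct.pack("<%dI" % (len(SAMPLE_WORDS) * 8), *(SAMPLE_WORDS * 8))
# Constructed non-code blob: an ascending byte ramp, every value equally common.
SAMPLE_RAMP = bytes(range(256)) * 4


if __name__ == "__main__":
    for name, blob in (("arm", SAMPLE_ARM), ("ramp", SAMPLE_RAMP)):
        off, e3e5, cond_al = best_alignment(blob)
        print("%s: best offset %d, E3/E5 %.3f, cond=AL %.3f, arm=%s"
              % (name, off, e3e5, cond_al, looks_like_arm_le(blob)))
    print(find_markers(b"..HMIT....HMIT", [b"HMIT"]))
```

Two caveats when reading the score on a real dump: Thumb code is 16-bit and does not produce this pattern at all, and a DSP core with its own instruction set will look like data to this test, so a low score says "not 32-bit ARM", not "not code". A high 0xEx fraction at offset 0 rather than offset 3 points at a big-endian image.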

Kihnect

Nov 26, 2010, 6:43:34 PM
to OpenKinect


On Nov 26, 3:09 pm, Mike Harrison <m...@whitewing.co.uk> wrote:
> >2bl.bin (Nui Audio/altair/more?)
>
> bl = bootloader?

Probably something like that from what I briefly researched on the
Xbox firmware

> >audios.bin (Nui Audio/altair)
> >detroit.bin (Nui Motor)
> >NuiCam.bin (Nui Camera)
>
> Do any of these files contain a large number of E3 and E5 bytes at addresses with the last 2 bits
> set? This would indicate 32 bit ARM code

Yes for 2bl.bin and audios.bin; somewhat less for detroit.bin and very
little for NuiCam.bin. Know any other architecture signatures to look
for there?

> If the audios.bin file contains "HMIT" a couple of times near the start, the text AudiosFakeMDD and
> a MS copyright string at around 696C0 and just before that, then that would be a match for what's
> in the Marvell chip's serial flash.

They both have text like that, but at different addresses, so they may
get combined somehow when updating the firmware.

Also, I do see the 'RBGM' string in a data area for the NuiCam.bin
which matches up with some of the known commands.

Kihnect

Nov 27, 2010, 3:04:32 AM
to OpenKinect
Looking at NuiCam.bin, found some data that seems to match up with the
protocols partially documented here:

http://openkinect.org/wiki/Protocol_Documentation

(m): matches the protocol documentation
(x): differs from the protocol documentation
(u): unknown

0x010a 0x0018 (x)

0x010b 0x0008 (m)
0x0110 0x0004 (m)
0x0111 0x0008 (m)

0x02f0 0x00c8 (u)
0x02f1 0x0002 (u)
0x02f2 0x0064 (u)
0x02f3 0x0000 (u)
0x02f4 0x0064 (u)
0x02f5 0x0014 (u)
0x02f6 0x0064 (u)
0x02f7 0x0064 (u)

0x0103 0x0000 (x)

0x0104 0x012c (m)

0x0105 0x0012 (x)
0x0106 0x0064 (x)
0x0107 0x07d0 (x)

0x010c 0x0003 (m)
0x010d 0x00fa (m)
0x010e 0x0004 (m)
0x010f 0x2710 (m)

0x02ff 0x0000 (u)

0x0113 0x0078 (m)
0x0114 0x03e8 (m)
0x0115 0x3a98 (m)
0x0116 0x0064 (m)
0x0117 0x00b7 (m)
0x0118 0x00c6 (m)
0x0119 0x00ca (m)
0x011a 0x00f5 (m)
0x011b 0x0027 (m)

0x011c 0x0005 (u)
0x0300 0x0000 (u)
0x0400 0x0000 (u)
0x0401 0x0007 (u)

Mike Harrison

Nov 27, 2010, 5:52:20 AM
to openk...@googlegroups.com

>> If the audios.bin file contains "HMIT" a couple of times near the start, the text AudiosFakeMDD and
>> a MS copyright string at around 696C0 and just before that, then that would be a match for what's
>> in the Marvell chip's serial flash.
>
>They both have text like that, but at different addresses, so they may
>get combined somehow when updating the firmware.

Or just a different version

Kihnect

Nov 27, 2010, 7:06:04 PM
to OpenKinect
> The depth sensor firmware will be the parallel flash next to teh Primesense chip - it's a BGA
> package, so would be a bit tricky to read, and probably not very useful without data on the rest of
> the processor hardware.

Given the PrimeSense chip should be a DSP core with ~128K of memory
and AHB, CEVA seems like a candidate. PrimeSense having a former CEVA
exec on the team further suggests that possibility.

http://www.primesense.com/?p=695
http://www.ceva-dsp.com/products/system/pdf/ceva_xpert-teak_datasheet.pdf

Anyone got any CEVA DSP docs?

Chipworks has a picture of the PrimeSense die if someone decides they
really need it:

https://chipworks.secure.force.com/catalog/ProductDetails?sku=PSE-PS1080&viewState=DetailView&cartID=&g=