Hacking the Xbox CONTROLLER

80,436

44

70

Published

Introduction: Hacking the Xbox CONTROLLER

In this tutorial I show you step-by-step how I install a PIC microcontroller inside of an Xbox controller in order to provide custom functions. Now that you have the methods, all you have to do is go write some code and program a chip! Well, I know this is easier said than done, but check out my "5 transistor PIC programmer" if you are ready to go down that road.

Step 1: Tools

a small phillips screwdriver
soldering iron
solder (60/40 or 63/37... not the lead-free silver solder)

flux (this is more or less a must-have to get good connection to pcb traces)

glue gun
30 AWG wrapping wire
wire wrap tool (Optional, but makes things easier)

wire stripper (A razorblade works well on wrapping wire, but check out my instructional on "precision wire stripper" to see the one I use in this tutorial.

A DIP microcontroller
A small tactile switch

Step 2: Locate and Remove the Screws

There are seven phillips head screws holding the two halves of the controller together. One of them is hidden underneath the sticker.

Step 3: Voiding the Warranty

The easiest way to get to the hidden screw is to feel where it is, then push the screwdriver through.

Step 4: Remove the Bottom Half

Now that you have removed and stored all seven screws, remove the BOTTOM half of the controller. If you remove the top, all the buttons will fall out. The bottom should lift off easily, leaving you with this...

Step 5: Remove the Board

Now, pull up on the plastic bit that holds the headset and other peripherals. It will slide out, along with the pcb. Be mindful of the rumble motors that are still plugged into the pcb. We'll disconnect these in a later step.

Now that you have removed the pcb, store the top half in a safe place, where you won't lose any buttons. If they do fall out, putting them back is pretty easy. They all have unique shapes, and they can't be put in the wrong hole.

Step 6: Back to the PCB

Now we will remove the communicator/peripheral socket and motors to get better access to the board, itself.

Step 7: Motors

Let's take the motors off, first. We don't want the wires to break. The connector is rather like a chinese finger trap. The harder you pull on it, the tighter it gets. The trick to get it out easily is to catch the edge of this ridge with a small screwdriver or a probe/needle of some type.

Step 8: Communicator Socket

This pesky bit of plastic has four retainer tabs holding it in place. This can be removed easily once you have found them.

Step 9: Where to Put the Chip

First notice the white circles? These circles show where the support cylinders on the bottom plastic contact the board. We don't want any wires to cross these lines.

There is room enough to place a small microcontroller here. The trick is to "dead bug" it. This means we are going to place the chip upside down, and affix it to the pcb with hotmelt glue.

Step 10: Closer Look

Here's a closer look at the area highlighted in the previous picture. Notice the proximity to accessible ground and power points, as well as one of the signal traces that I was interested in for this project, namely the trace that carries the signal from the Y button to the main Atmel microcontroller that is the "brain" of this particular controller.

Look carefully for the yellow highligted boxes that show the Y-button and X-button access points.

Step 11: FYI

FYI, this is the brain of the controller. All of the button inputs eventually end up here. So why don't we just solder directly to this chip? Well, when you see how small this chip is, you will know. The average hobbyist doesn't have the ability to solder to things this small. You can see that the pins are labelled at pin 1, 12, 13, 24, 25, 36, and 48. But I digress.

Step 12: Dead Bug

Here's our dead bug. I chose the pic 12f683. The indentation on the chip is pointing down.

Step 13: Give It Some Juice

The Atmel "brain" runs on 5V, as is common with many other microcontrollers, including our PIC, so we just have to find a good place to commandeer. I chose to take power and ground from the peripheral port. Why don't I use that closer ground point I highlighted earlier? Well, both points are in continuity, but that's not the whole story. Capacitance at each point may be different, and I don't want to take any other components on the board out of their specified operating parameter in this regard, especially the precision pots nearby that provide the R thumstick inputs.

So first, apply a dab of solder to the ground lead, highlighted here.

Step 14: Prep Your Wire

I am using teflon insulated wire. About the only thing that will strip it (that doesn't cost 50+ dollars) is a very sharp knife or razor blade. I posted a short instructional on my homemade stripper, which you can find by searching for "precision wire stripper."

Step 15: Solder

Solder your wire in place.

Step 16: Wire Wrap

Wire wrapping provides a very durable and reliable connection. I have read that is it more reliable than soldering, even, especially where the connection will be exposed to vibration. To do a good wire wrap, you should have one rotation of insulated wire followed by seven rotations of bare wire. You can also solder this connection, if you don't have a wire wrap tool. (You can buy the tool I use from Rad shack online store for 7 dollars.)

For future reference, this is pin 8, because the chip is upside down.

Step 17: Next Step

Do the same thing for the +5V power rail. This gets wrapped to pin 1.

Step 18: R Trigger

Now what? Let's go to the other side of the board and get a connection to the R trigger. There are three pins for the trigger potentiometer. When you pull the middle pin to ground, the controller registers a trigger pull. Solder your wire to this pin.

Step 19: Route the Wire

There's a small hole that goes all the way though the peripheral port and the pcb. You can thread the wire through this hole.

Step 20: Next

Here's a picture of the wire, already stripped, poking through the hole, right next to our chip.

Step 21: Affix Trigger

I affixed the trigger signal to pin 5. Pin 6 and 7 are also close, but they are the chip's clock and data pins. The trigger's potentiometer will interfere with in-circuit programming if I attach the chip there.

Step 22: The "back" Button

Wow, if there is a useless button on the controller, it is the back button. In many games, the back button does absolutely nothing unless you are in the program menu. So I wire this as an input. It still performs the normal "back" button functions, but the chip will also identify when this button is pressed, so we can make it do more interesting things.

From the top, the back button is the leftmost button. So looking from the bottom, we are on the right side of the pcb, here, over by the left trigger.

I routed the wire underneath the trigger housing.

Step 23: Next

Remember to avoid the white circles. You may have to push the wire a bit. It will stay in place pretty well. Wrapping wire has thin insulation, so it kind of sticks where you put it.

Step 24: Affix Back Button Wire to Pin 6

We affix this wire to pin 6. This won't interfere with programming, because this signal is pulled up to (connected to via a high value resistor) the +5V power rail (aka Vdd). The programmer can easily pull this signal low or high as it sees fit.

Step 25: X Button

The X button is accessible over here, in front of the right trigger. Using the tip of an exacto knife, scrape the green coating off of part of this circle, until you can see some bare copper underneath. Be careful not to disturb the mask on other traces, and also take care not to cut the trace that attaches to the circle.

Step 26: The Hard Part

The hard part is getting solder to stick to this tiny point of bare copper that we exposed. The intact solder mask surrounding this point will repel solder. I will walk you through this part.

First get your flux. As I said, this is pretty much required. I can't imagine making a good connection here without it. I am using zinc chloride flux, which is acid based. This is not recommended for electronics, because it is strong enough to erode the trace. BUT, as long as you use a small dab and don't heat the connection too long, you will be fine. The reaction that eats away the copper is greatly accelerated by high temperature. Once you remove the heat, it might take a couple of lifetimes for the flux to eat away the trace on it's own. Plus, once it dries out (it's a hydrophillic suspension) the reaction will slow even further.

See picture 2: Now get a lil bead of solder onto the end of your 30AWG wrapping wire... You must use 30AWG wire, as the tip will fit inside the indentation of the via, providing capillary suction to the solder.

Once you have a bead as in my picture, cut the end of the wire off so that just a teeny bit is poking out of the bead.

Dip the bead into the flux. You don't want to see a visible gob. Just know that you did, indeed, make good contact between the bead and the flux, and that should be enough.

Step 27: Now Add a Lil Heat

Fit the end of the beaded and flux-dipped wire into the via that you have previously scraped. Holding the wire there, touch the tip of your soldering iron to the joint just long enough for the solder to "disappear." Actually, some of the solder gets sucked onto your iron's tip. If you are lucky, the rest of the solder got sucked into/onto the via. If you look closely, you will see a small "volcano" of solder. This is the one sign of a good connection. The better sign is to give it a light tug to see if it remains attached. :)

See pic 2: Holding onto the other stripped end of the wire, you can slide the insulation down a bit, if you want to be tidy.

Professional engineers will tell you that you now have to wash away flux residue with water. I'm not a professional engineer. But if there's any visible residue around the joint, you used to much flux, and you should wipe it away.

Step 28: Affix X to Pin 3

I affix this wire to pin 3 of the chip.

Step 29: Y Signal

Now solder a wire to this spot to access the Y-signal. Affis this to pin 2 of the chip.

See pic 2: Remember to keep this wire out of that lil white circle.

Step 30: Adding an External Button

I drilled a 1/4 inch hole in the bottom plastic to add a tactile switch for the R middle finger. Solder a couple wires to the switch from the other side. Make sure they are long enough to reach the chip. Then glue the switch and wires in place with hotmelt glue. See pics 2 and 3.

Step 31: Connect Switch Leads to Pins 7 and 8.

We will eventually connect these wire to pins 7 and 8 of the chip. 8 is ground, remember? When the button is pressed, pin 7 will be pulled to ground. When it is not pressed, it will be pulled up to Vdd by this particular chip's internal pullup resistor. If it didn't have an internal pullup, I would have had to add a 10k resistor to pin 7 and affixed the other end of the resistor to Vdd.

BUT, let's start putting the controller back together first, so we don't end up stressing these wires too much.

Step 32: Assembly

1. Slide the communicator socket back on.

2. Place the controller back into the top plastic.

3. Put the vibration motors back in place and plug them back in.

4. and 5. Affix the switch to the chip as discussed in the previous step.

Step 33: So What Good Does This Do Me?

Well, I assume you have an in circuit pic programmer. If you don't, check my tutorial "5 transistor pic programmer."

Now you can build a "dead bug" programming adaptor, as pictured below. I used an old mouse cable for this. It is thin, flexible, and has four insulated wires and a shield, which I used for the ground wire.

If you left enough of the pins on the chip sticking out, you can slip this adapter over the chip to change the code.

See pic 2: Since this requires actually opening up the controller, I recommend that you actually add a dedicated programming port to your controller. This is a different project, but the idea is the same. Just route the programming lines to somewhere more easily accessible.

In this particular controller, I have installed a 28 pin microcontroller that has input and output access to nearly every button and even some of the pad and stick controls. I had to remove the bottom peripheral port entirely, in order to make the room. I also put a breakaway connector right into the controller (see top of pic).

Step 34: Some Useful Links

Intro to PIC microcontrollers http://www.amqrp.org/elmer160/lessons/

Cheap programmer I adapted from Bob Blick's version of "the TAIT."
https://www.instructables.com/id/ESAIM0ZR07EX5035XL/

Having trouble stripping those tiny wires? Check this out.
https://www.instructables.com/id/EY5CZYAL4DEXCF9WK2/

What, did you expect me to post some actual code? Well, perhaps in the future. Right now I have a couple simple programs that I am still working on, which I am keeping under wraps! :)

Share

    Recommendations

    • Microcontroller Contest

      Microcontroller Contest
    • Flowers Challenge

      Flowers Challenge
    • Outdoor Fitness Challenge

      Outdoor Fitness Challenge
    user

    We have a be nice policy.
    Please be positive and constructive.

    Tips

    Questions

    70 Comments

    you may be able to answer a question I have, I have a Bluetooth controller that doesn't have vibration motors, can I make it vibrate?

    user

    WOW GOOD

    just wondering what features can you add by doing this? auto fire?

    Hold a lighter for a few secs under your wire and burn away the Casing It will work but usally nit ery neat

    Can you do this with a PlayStation2 Controller?

    I really need some help. IF you could PM me with the answer, that would be great. I am going to be programming my own chips (taking the code from an ebay kit) and installing them into/ selling controllers to kids at my school. I don't want to go through the work of making the reader/writer myself, so which programmer would be best for me? I have serial ports on my computer, so that's not an issue. I also need to know which chip to use. The ones in all the kits are 8-pin pic microcontrollers like the one you've used here. If you can help me, that would be great. Thanks for your time, -Nick

    a 555 timer is more reliable, and you don't have to program it!

    Ah so that's why they hide the screws! The warranty

    anyone ??

    hey i did all of your steps and followed them to the tee, but i am a little confused on how to communicate to the microcontroller and have it do whatever it is that i want. Is there any advice you can give me? Btw I thought the tutorial was pretty awesome ive never seen clearer instruction and pics. Thanks

    One of my friends is selling my kit. His ebay ID is halo3controllers. Superscorer copied my kit. I dunno if his is as good. Maybe it's better? But I know his pinout is not exactly the same as mine, so you will have to follow his installation instructions if you buy his kit.

    <<<<>> PLEASE RESPOND.. rocket1200@hotmail.com TELL ME HOW....PLEASE HELP ME>>>>>

    If you don't want to make your program open source i guess thats alright, but could you at least tell us the exact timing between buttons in the double shot sequence. That would be a great help. : )

    5 replies

    Well, my timings are all in assembly. They don't go by micro or milliseconds, as do the commands in pbasic. They are all decfsz loops, so they don't translate very well.

    yea my timings aren't exactly milliseconds either, could I just have the numbers you use just so I know the best ratio. my timings are good, they just could be a little better.

    I think the best way to go would be to make a subroutine that do the same thing (e.g., RRX), with registers for the timing delays. Then make a code loop that increments the delays (ie, time pressed, time between presses, etc) every time an input is detected. The input can be a different one than ones for the buttons, one just used for testing and debugging. You could of course do this while the controller is still apart. That way, you would press a button/short teminals/etc to fire the test input, and would keep track of how many times you fired the input so you would know what timing delays would work.

    Hah, yes I did that, I stored the time to the eeprom of the 12f683, and then when I got it right, I recover it back with the programmer. It took me a while but it worked, I am not sure if it is perfect, but I think it looks pretty good, you can take a look at: http://r00t-ed.homeip.net/projects/xbox_mod_v2/
    And my code/project files are open source, you are welcome to take a look and modify it if you feel like it. I used mikro C, the free demo is enough for this project.

    I am done with the version 3 of the thing, it does BRXX, if extra button is tap, and if it is held down it does just double shot. I may make it public, not sure yet, the thing is that halo 3 is almost out; probably it is just irrelevant at this point.

    user

    Why dont you guys just practice the double shot and play legit, instead of spending all this time and money on cheating?