Seamus Blackley, the “father of the Xbox”, has teased the existence of an easter egg in the Xbox startup animation since 2017. He claims there is a secret animation triggered by “startup chaos” - rare, but impossible to miss when it happens. [Source]
Yet the community still has not found the easter egg. I believe a common misconception may be hampering efforts to find it (if it exists): despite many discussions suggesting the animation is a unique, random sequence on every boot, I found it actually always uses a fixed seed - which causes the render to always be the same.
The animation is rendered dynamically (i.e. it’s not a video), but the sources of randomness always use the same seed, making the output identical every single boot.
See two videos from 10 years apart:
Left: https://www.youtube.com/watch?v=UN3WNjnmbVQ
Right: https://www.youtube.com/watch?v=E1ebJZUOtL8
Around the 3rd flash:
At first glance, the source code suggests the animation can run with random parameters, the primary source being a class named QRand. However, its initialization based on startup “chaos” appears to have been removed by the C preprocessor:
…/ani2/xbs_app.cpp - XBoxStartupApp::Construct()
…/ani2/qrand.h
The #if 0 pre-processor directive - which evaluates to false - leads me to believe that the block that would have supplied the qrand code with the system time was removed during compilation, leaving the init with the fixed seed default argument of 0x76543210.
While other sources of randomness - like reading uninitialized memory - could have been used elsewhere, the animation appearing the same every boot leads me to believe qrand being initialized with KeQuerySystemTime() was the intended random “chaos” Blackley mentioned.
To put it another way, because the community hasn’t apparently discussed that the animation always renders the same way, I think Blackley likely believes the easter egg might be functional based on that randomness - when it actually isn’t random.
We can also take a look at the kernel binary to confirm that the qrand.Init() call uses that seed and the non-deterministic path was indeed removed.
To find XBoxStartupApp::Construct(), which is the entry point of the animation code and where the qrand.Init() call is, we use the arguments of a different call in that function, namely the one that sets the moodlight’s position:
To find this line in the kernel, we search the binary for the -40.0f argument, which is 00 00 20 C2 in little-endian hex bytes:
This is the only location in the kernel where these bytes appear.
A few addresses above in the same function is where we can find 0x76543210 supplied to a function - thus we can infer it’s the seed supplied to QRand, not startup chaos.
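The same search can be scripted. The following is an added example, not code from the original post: it checks that the -40.0f pattern is unique in a binary, then looks for the 0x76543210 constant in the bytes just before it. The function names, the 0x80-byte window and the sample bytes are assumptions made for illustration; the sample is a constructed stand-in, not Xbox kernel data.

```python
import struct

ANCHOR = struct.pack("<f", -40.0)      # 00 00 20 C2, the moodlight position argument
SEED = struct.pack("<I", 0x76543210)   # 10 32 54 76, the fixed QRand seed


def find_all(blob: bytes, needle: bytes) -> list:
    """Return every offset at which needle occurs (overlapping matches included)."""
    hits, pos = [], blob.find(needle)
    while pos != -1:
        hits.append(pos)
        pos = blob.find(needle, pos + 1)
    return hits


def seed_before_anchor(blob: bytes, window: int = 0x80) -> dict:
    """Locate the unique -40.0f anchor, then search the bytes before it for the seed."""
    anchors = find_all(blob, ANCHOR)
    if len(anchors) != 1:
        # A missing or repeated anchor cannot single out one function.
        raise ValueError(f"expected exactly one anchor, found {len(anchors)}")
    anchor = anchors[0]
    start = max(0, anchor - window)    # window size is an assumption, not from the post
    seeds = [start + off for off in find_all(blob[start:anchor], SEED)]
    return {"anchor": anchor, "seeds": seeds,
            "distance": [anchor - s for s in seeds]}


def make_sample() -> bytes:
    """Constructed stand-in for an extracted kernel image (not real Xbox code)."""
    filler = b"\x90" * 0x200
    body = b"\xCC" * 4 + SEED + b"\xCC" * 0x1C + ANCHOR + b"\xCC" * 4
    return filler + body + filler


if __name__ == "__main__":
    result = seed_before_anchor(make_sample())
    print("anchor at", hex(result["anchor"]))
    print("seed at", [hex(s) for s in result["seeds"]])
    print("bytes before anchor", [hex(d) for d in result["distance"]])
```

To run it against a real image, replace `make_sample()` with the bytes of the kernel extracted from the BIOS.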
I believe Seamus that there is an easter egg (or there was one at an earlier stage of development, removed before the system went gold) - sourced from either a specific seed to QRand.Init() from the KeQuerySystemTime() call or a read from uninitialized memory. But if the easter egg depends on a correct seed for QRand, I think he might be mistaken that a retail Xbox would be able to see it.
On the surface, there appears to be nothing random about the animation, and the source code and the kernel binary both seem to confirm that the most obvious potential source of randomness is not actually random.
I’ll see if I can build kernels with different seeds and see if that could reveal the easter egg.
Tools used:
- Ghidra for kernel decompilation
- https://github.com/tommojphillips/XboxBiosTool for extracting the kernel binary from the raw BIOS data
Thanks to GoTeamScotch and the OG Xbox community for their published research into the easter egg.