Linux on Revision 1.6 XBoxes

For a while I was accidentally using a 1.6b-specific Cromwell, and it was even less stable---I could get a penguin about once in 20 boot attempts and sometimes even keyboard interaction, but it would never finish booting. Also, I used the ``net flasher'' in GentooX Loader and FlashBIOS, and I had to upload the .bin fast or the box would crash inside Cromwell. With the correct 1.6 non-b Cromwell it is more stable and can boot, but still isn't remotely useable.

It sounds like the game-backup guys driving the mod chip industry have fixed the problem, but it looks like the fixed xcode is not in Cromwell yet, so Linux will work if it's started from EvoX or from a savegame/font exploit, but it won't start if it's started ``natively'' through a mod chip flashed with Cromwell.

At this page, you can get a Cromwell that works on 1.6 XBoxes. Mine is 1.6a, but I think 1.6a and 1.6b will work.

It is also maybe possible to get XXX The hope of this page is that you can get flakey Linux to work just long enough to extract your own copy of the official MS ROM using raincoat, upload the ROM to another machine, and combine it with Cromwell to make a working ROM. The procedure is not as grotesque as it sounds, and it did work for me on a 1.6 XBox. Not, I heard about it working. Not, ``just go check xbox-linux.org it's all there lmfao'' or any of the other infuriating Kindergarten telephone-game helpfulness I got trying to get this thing running. I actually did it, and it worked, I swear. I dunno personally about 1.6b, though. I'll be sure to specify below what I did and tested, and what I'm just speculating about.

The problem is the ``xcode'' which is executed by an interpreter written in 512 bytes of x86 code stored in the ``secret ROM'' inside the MCPX glue chip. The ``secret ROM'' is written in Intel x86 machine language and stored in the MCPX, but the ``xcode'' is written in a simple MS-invented machine language and stored in the FLASH chip (in the MS FLASH image, in EvoX, or in Cromwell). The xcode is responsible for setting up RAM timings.

As I understand it, Cromwell has no theoretical need to set up RAM timings so early in this weird interpreted bytecode. The xbox-linux article does a good job of explaining the design motivations, but they don't all apply to Cromwell. MS needs to set up RAM timings so early because they use the 512 bytes of Secret ROM to copy-and-decrypt the Main ROM into RAM, then jump to it. Cromwell could have just as well set up the RAM timings in plain x86 assembler in its usual 2bBootLoader after the ``Good morning CPU'' comment, since there's no decryption step with Cromwell. Once Cromwell's xcodes exploit the interpreter and deliver control to Cromwell's 2bBootLoader, unlike MS ROM the first stage of Cromwell startup runs right out of FLASH. In the MS system, I think control jumps from the Secret ROM to a decrypted RAM copy of the ROM, so the RAM needs to be working before the jump.

Anyway, Cromwell doesn't have anything in it to deal with the new RAM timings at all. Fortunately Microsoft's fix for this hardware change is encapsulated in the xcode, where it is very easy for us to copy into Cromwell without understanding what really changed about the hardware. It is almost like we have a man working on the inside trying to accomodate us!

These instructions will help you copy the xcodes out of the MS ROM in your XBox into Cromwell, and make a Frankencromwell for your 1.6 mod chip that actually runs Linux stably. Since you bought the XBox, you're entitled to a copy of the MS ROM---you may as well use it. By following these instructions you can get it without downloading it off my web page, but rather by getting it out of your own ROM, so there's no way anyone can claim you ``copied'' it or something.

1. Pick one of the following paths:
   • Get a semi-working bootloader and try to finish before your XBox crashes.

     You can download and build the GentooX Loader (start with cromwell CVS 2005-06-12, then add ShaLLaX's patch) customized for either 1.6b or 1.6 XBoxes. The file you swap out is in boot_rom/2bBootStartup.S. Depending on whether you have revision 1.6 or 1.6b, a different Cromwell/GentooX Loader will work best. This is what I did, but it really doesn't work very well.

   • Get a fully-working but inconvenient temporary boot loader. Choose one of the following approaches.
     • Cheat by using my bootloader which is based on the MS ROMs in a 1.6 XBox (not 1.6b), although someone on irc told me they are both the same.
     • Install EvoX, and use it to boot xromwell.xbe (I have no idea how to do this).
     • Install EvoX, but don't boot it. Just skip to Step 4, and use EvoX in place of the legal copy of the MS ROM image you fetch out of your own ROM in Step 3. I secretly suspect this is what some of the xbox-linux ``developers'' are doing, though good luck getting one to stop posing and admit it. I don't think they were using raincoat to read their own ROMs, since the shipped version of raincoat isn't even able to read the MS ROM without a patch!
     • The above three methods kind of defeat the whole point of this exercise since you now already have the xcodes, and are just going through the motions of getting them again. The alternative,

       Use a savegame hack with Linux all embedded into it. My friend phar did this ``bert & ernie'' trick to our Revision 1.4 XBox, and it was really hard, in that it seemed flakey and didn't work every time. Also IIRC you are forced to use the Linux ``distro'' embedded into the font or savegame files, so it's harder to continue with Step 2. Hopefully you will get some Linux with networking and tmpfs support, and can scp raincoat onto the XBox over Ethernet.

       I don't think this alternative actually works because most of the security bugs were patched in revision 1.6. Your best bet might be one of the ones that uses a savegame rather than the dashboard?

2. Get a Linux CD that will boot on the XBox. I suggest following my instructions to make a Gentoo Minimal/Install CD.

3. My CD will have raincoat already on it. If you use something else, here is Raincoat modified to remove a single exit(1), which allows it to read the MS ROM inside the Xcalibur chip. Run this Raincoat inside the Installation livecd that you made in the previous step. Run it like this:

   livecd / # raincoat -r msrom.bin
   raincoat Flasher 0.11 (Jan  9 2006)
   Trying to read "/etc/raincoat.conf"... 0 flash types added from file.
   Total known flashes: 151
   
   !! Invalid manufacturer ID: 0x09
   Check all your soldering points and check that write-enable switch is enabled.
   -a start offset 0x0 is too large for ROM size 0x0
   Reading back to msrom...
   Completed
   livecd / # scp msrom.bin user@somewhere.else:.
   [...]
   

4. Put the MS xcodes into your Cromwell ROM. Cromwell's xcodes are in boot_rom/2bBootStartup.S. Use this code fragment to disassemble the MS xcodes into the #define mnemonic language in which the existing Cromwell xcodes are written.

   #! /bin/sh
   dd if=msrom.bin skip=1 bs=128 count=30 | \
   	hexdump -e '1/1 "%02x " 2/4 "0x%08x " "\n"'  | \
   	sed \
   		-e 's/^02 \(.*\) 0x00000000/	xcode_peek(\1);/' \
   		-e 's/^03 \(.*\) \(.*\)/	xcode_poke(\1,\2);/' \
   		-e 's/^04 \(.*\) \(.*\)/	xcode_pciout(\1,\2);/' \
   		-e 's/^05 \(.*\) 0x00000000/	xcode_pciin_a(\1);/' \
   		-e 's/^06 \(.*\) \(.*\)/	xcode_bittoggle(\1,\2);/' \
   		-e 's/^08 \(.*\) \(.*\)/	xcode_ifgoto(\1,addr\2);/' \
   		-e 's/^11 \(.*\) \(.*\)/	xcode_outb(\1,\2);/' \
   		-e 's/^12 \(.*\) 0x00000000/	xcode_inb(\1);/' \
   		-e 's/^07 0x00000003 \(.*\)/	xcode_poke_a(\1);/' \
   		-e 's/^07 0x00000004 \(.*\)/	xcode_pciout_a(\1);/' \
   		-e 's/^07 0x00000011 \(.*\)/	xcode_outb_a(\1);/' \
   		-e 's/^09 0x00000000 \(.*\)/	xcode_goto(addr\1);/' \
   		-e 's/^ee \(.*\) 0x00000000/	xcode_END(\1);/'
   
   then you have to fix all the addr0xffffffee -> -1 and such for 
   the xcode_*goto statements.
   

   XXX -- I need to add something to automatically fix the _goto and _ifgoto including understand two's complement

   XXX -- be sure to #define MCPXREVD5 to set some of the earlier constants the same as MS.

   boot_rom/2bBootStartup.S finished result

5. Then, add the final two xcodes for the ``Visor'' trick before the xcode_END.

           // overflow trick
           xcode_poke(0x00000000, 0xfc1000ea);
           xcode_poke(0x00000004, 0x000008ff);
   
           xcode_END(0x806);
   

6. Now build this Cromwell tree, and you have a Cromwell image that when flashed and booted should give you a stable XBox 1.6 onto which you can continue installing native Linux. too bad about the Xcalibur TV overscan problem, though.