Linux on Revision 1.6 XBoxes

Linux doesn't run natively (with Cromwell ROM) on 1.6 XBoxes at all, neither 1.6a nor 1.6b. There is substantial confusion and...I don't want to say LIES...but at least, excessive optimism, on the web site and elsewhere about this. It may seem to work a little bit, but it's not stable. For me on my 1.6 XBox (not 1.6b), ``not stable'' means I couldn't download a 50MB file with wget. I would get sig11's and kernel register dumps on the console during boot, at different spots each time, and I could only download about 30MB before wget crashed.

For a while I was accidentally using a 1.6b-specific Cromwell, and it was even less stable---I could get a penguin about once in 20 boot attempts and sometimes even keyboard interaction, but it would never finish booting. Also, I used the ``net flasher'' in GentooX Loader and FlashBIOS, and I had to upload the .bin fast or the box would crash inside Cromwell. With the correct 1.6 non-b Cromwell it is more stable and can boot, but still isn't remotely usable.

It sounds like the game-backup guys driving the mod chip industry have fixed the problem, but it looks like the fixed xcode is not in Cromwell yet, so Linux will work if it's started from EvoX or from a savegame/font exploit, but it won't start if it's started ``natively'' through a mod chip flashed with Cromwell.

At this page, you can get a Cromwell that works on 1.6 XBoxes. Mine is 1.6a, but I think 1.6a and 1.6b will work.

It is also maybe possible to get XXX The hope of this page is that you can get flakey Linux to work just long enough to extract your own copy of the official MS ROM using raincoat, upload the ROM to another machine, and combine it with Cromwell to make a working ROM. The procedure is not as grotesque as it sounds, and it did work for me on a 1.6 XBox. Not, I heard about it working. Not, ``just go check it's all there lmfao'' or any of the other infuriating Kindergarten telephone-game helpfulness I got trying to get this thing running. I actually did it, and it worked, I swear. I dunno personally about 1.6b, though. I'll be sure to specify below what I did and tested, and what I'm just speculating about.

The problem is the ``xcode'' which is executed by an interpreter written in 512 bytes of x86 code stored in the ``secret ROM'' inside the MCPX glue chip. The ``secret ROM'' is written in Intel x86 machine language and stored in the MCPX, but the ``xcode'' is written in a simple MS-invented machine language and stored in the FLASH chip (in the MS FLASH image, in EvoX, or in Cromwell). The xcode is responsible for setting up RAM timings.

As I understand it, Cromwell has no theoretical need to set up RAM timings so early in this weird interpreted bytecode. The xbox-linux article does a good job of explaining the design motivations, but they don't all apply to Cromwell. MS needs to set up RAM timings so early because they use the 512 bytes of Secret ROM to copy-and-decrypt the Main ROM into RAM, then jump to it. Cromwell could have just as well set up the RAM timings in plain x86 assembler in its usual 2bBootLoader after the ``Good morning CPU'' comment, since there's no decryption step with Cromwell. Once Cromwell's xcodes exploit the interpreter and deliver control to Cromwell's 2bBootLoader, unlike MS ROM the first stage of Cromwell startup runs right out of FLASH. In the MS system, I think control jumps from the Secret ROM to a decrypted RAM copy of the ROM, so the RAM needs to be working before the jump.

Anyway, Cromwell doesn't have anything in it to deal with the new RAM timings at all. Fortunately Microsoft's fix for this hardware change is encapsulated in the xcode, where it is very easy for us to copy into Cromwell without understanding what really changed about the hardware. It is almost like we have a man working on the inside trying to accommodate us!

These instructions will help you copy the xcodes out of the MS ROM in your XBox into Cromwell, and make a Frankencromwell for your 1.6 mod chip that actually runs Linux stably. Since you bought the XBox, you're entitled to a copy of the MS ROM---you may as well use it. By following these instructions you can get it without downloading it off my web page, but rather by getting it out of your own ROM, so there's no way anyone can claim you ``copied'' it or something.

  1. Pick one of the following paths:

  2. Get a Linux CD that will boot on the XBox. I suggest following my instructions to make a Gentoo Minimal/Install CD.

  3. My CD will have raincoat already on it. If you use something else, here is Raincoat modified to remove a single exit(1), which allows it to read the MS ROM inside the Xcalibur chip. Run this Raincoat inside the Installation livecd that you made in the previous step. Run it like this:

    livecd / # raincoat -r msrom.bin
    raincoat Flasher 0.11 (Jan  9 2006)
    Trying to read "/etc/raincoat.conf"... 0 flash types added from file.
    Total known flashes: 151
    !! Invalid manufacturer ID: 0x09
    Check all your soldering points and check that write-enable switch is enabled.
    -a start offset 0x0 is too large for ROM size 0x0
    Reading back to msrom...
    livecd / # scp msrom.bin user@somewhere.else:.

  4. Put the MS xcodes into your Cromwell ROM. Cromwell's xcodes are in boot_rom/2bBootStartup.S. Use this code fragment to disassemble the MS xcodes into the #define mnemonic language in which the existing Cromwell xcodes are written.

    #! /bin/sh
    # Each xcode is 9 bytes: a 1-byte opcode followed by two little-endian
    # 32-bit operands.  The MS xcodes start 128 bytes into the ROM image, so
    # skip the first 128-byte block and read the next 30 blocks out of it.
    # hexdump prints one xcode per line as "op 0xoperand1 0xoperand2", and
    # sed turns each line into the matching Cromwell macro.  Opcode 07 is the
    # accumulator ("_a") form, whose first operand names the real instruction.
    # Jump targets of 08/09 get an "addr" prefix so you can find them later
    # and fix them by hand.
    dd if=msrom.bin skip=1 bs=128 count=30 | \
    	hexdump -e '1/1 "%02x " 2/4 "0x%08x " "\n"'  | \
    	sed \
    		-e 's/^02 \(.*\) 0x00000000/	xcode_peek(\1);/' \
    		-e 's/^03 \(.*\) \(.*\)/	xcode_poke(\1,\2);/' \
    		-e 's/^04 \(.*\) \(.*\)/	xcode_pciout(\1,\2);/' \
    		-e 's/^05 \(.*\) 0x00000000/	xcode_pciin_a(\1);/' \
    		-e 's/^06 \(.*\) \(.*\)/	xcode_bittoggle(\1,\2);/' \
    		-e 's/^08 \(.*\) \(.*\)/	xcode_ifgoto(\1,addr\2);/' \
    		-e 's/^11 \(.*\) \(.*\)/	xcode_outb(\1,\2);/' \
    		-e 's/^12 \(.*\) 0x00000000/	xcode_inb(\1);/' \
    		-e 's/^07 0x00000003 \(.*\)/	xcode_poke_a(\1);/' \
    		-e 's/^07 0x00000004 \(.*\)/	xcode_pciout_a(\1);/' \
    		-e 's/^07 0x00000011 \(.*\)/	xcode_outb_a(\1);/' \
    		-e 's/^09 0x00000000 \(.*\)/	xcode_goto(addr\1);/' \
    		-e 's/^ee \(.*\) 0x00000000/	xcode_END(\1);/'

    Then you have to fix all the addr0xffffffee -> -1 and such for the xcode_*goto statements by hand.

    XXX -- I need to add something to automatically fix the _goto and _ifgoto, including understanding two's complement.
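    Here is one way to do the automatic fix-up, as an added example that is not part of the original page or of Cromwell: a small Python disassembler for the 9-byte xcode entries in msrom.bin that emits the same #define mnemonics as the sed script and converts the raw goto/ifgoto byte offsets from two's complement into xcode counts. It assumes Cromwell's goto macros store 9*(n-1) bytes for xcode_goto(n), which is the only reading that turns the page's 0xffffffee into -1, and the sample ROM bytes at the bottom are constructed, not a real MS image.

```python
import struct

XCODE_SIZE = 9      # 1-byte opcode followed by two little-endian 32-bit operands
XCODE_BASE = 0x80   # the MS xcodes start 128 bytes into msrom.bin (dd skip=1 bs=128)

# opcode -> Cromwell #define mnemonic, mirroring the sed rules in the script above
MNEMONIC = {0x02: "xcode_peek", 0x03: "xcode_poke", 0x04: "xcode_pciout", 0x05: "xcode_pciin_a",
            0x06: "xcode_bittoggle", 0x11: "xcode_outb", 0x12: "xcode_inb", 0xee: "xcode_END"}
ONE_OPERAND = {0x02, 0x05, 0x12, 0xee}   # second operand is always zero for these
ACCUMULATOR = {0x03: "xcode_poke_a", 0x04: "xcode_pciout_a", 0x11: "xcode_outb_a"}  # opcode 07 forms

def signed32(value):
    # reinterpret a raw 32-bit operand as two's complement (0xffffffee -> -18)
    return value - (1 << 32) if value & 0x80000000 else value

def goto_arg(raw):
    # byte offset stored in an 08/09 xcode -> xcode-count argument of Cromwell's goto
    # macros.  ASSUMPTION: xcode_goto(n) is stored as 9*(n-1) bytes, so -18 -> -1.
    offset = signed32(raw)
    if offset % 9:
        raise ValueError("jump offset %d is not a whole number of xcodes" % offset)
    return offset // 9 + 1

def disassemble(rom, base=XCODE_BASE):
    # return the xcodes starting at `base` as Cromwell-style source lines, up to xcode_END
    lines, pos = [], base
    while True:
        op, a, b = struct.unpack_from("<BII", rom, pos)
        if op == 0x07:
            lines.append("%s(0x%08x);" % (ACCUMULATOR[a], b))
        elif op == 0x08:
            lines.append("xcode_ifgoto(0x%08x,%d);" % (a, goto_arg(b)))
        elif op == 0x09:
            lines.append("xcode_goto(%d);" % goto_arg(b))
        elif op in ONE_OPERAND:
            lines.append("%s(0x%08x);" % (MNEMONIC[op], a))
        elif op in MNEMONIC:
            lines.append("%s(0x%08x,0x%08x);" % (MNEMONIC[op], a, b))
        else:
            raise ValueError("unknown xcode opcode 0x%02x at 0x%x" % (op, pos))
        pos += XCODE_SIZE
        if op == 0xee:
            return lines

# Constructed sample image (not a real MS ROM): zero padding up to 0x80, then a
# short program that reads a PCI register, loops back one xcode, writes a port, ends.
SAMPLE_ROM = b"\0" * XCODE_BASE + b"".join(struct.pack("<BII", *x) for x in [
    (0x05, 0x80000810, 0x00000000),
    (0x08, 0x00000001, 0xffffffee),  # raw -18 bytes == xcode_ifgoto(..., -1)
    (0x07, 0x00000011, 0x00000080),  # accumulator form of outb
    (0xee, 0x00000806, 0x00000000)])
```

    Run disassemble(open("msrom.bin", "rb").read()) on a real dump and paste the lines into boot_rom/2bBootStartup.S in place of the sed output.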

    XXX -- be sure to #define MCPXREVD5 to set some of the earlier constants the same as MS.

    boot_rom/2bBootStartup.S finished result

  5. Then, add the final two xcodes for the ``Visor'' trick before the xcode_END.

            // overflow trick
            xcode_poke(0x00000000, 0xfc1000ea);
            xcode_poke(0x00000004, 0x000008ff);

  6. Now build this Cromwell tree, and you have a Cromwell image that when flashed and booted should give you a stable XBox 1.6 onto which you can continue installing native Linux. Too bad about the Xcalibur TV overscan problem, though.

Miles Nordin <carton@Ivy.NET>
Last update (UTC timezone): $Id: xbox16.html,v 1.15 2007/03/18 23:15:16 carton Exp $