xboxdevwiki - User contributions [en]

NV2A

2018-11-10T05:00:49Z

DaveX: fix broken link

The northbridge of the chipset, and is the GPU

== GPU ==

The GPU is part of the NV20 family (Kelvin)[https://nouveau.freedesktop.org/wiki/CodeNames/]:

{| class="wikitable"
! Code name !! Official Name
|-
|NV20 || GeForce3 (Ti)<br>Quadro DCC
|-
|NV25 || GeForce4 Ti 4200, Ti 4400, Ti 4600<br>Quadro4 700 XGL, 750 XGL, 900 XGL
|-
|NV28 || GeForce4 Ti 4200-8X, Ti 4800 (SE), 4200 Go<br>Quadro4 780 XGL, 980 XGL
|-
|NV2A || Xbox GPU
|}

== Notes ==

* [https://web.archive.org/web/20031004105935/http://developer.nvidia.com:80/object/nv30_emulation.html NV30 information and emulator]
* [https://developer.download.nvidia.com/opengl/specs/nv30specs.pdf List of implemented GL extensions for NV10-NV30: "NVIDIA OpenGL Extension Specifications for the CineFX Architecture (NV3x)", 13 Nov. 2006]

File:XboxPcSpkrTrace.jpg

2018-09-19T00:03:19Z

DaveX: DaveX uploaded a new version of File:XboxPcSpkrTrace.jpg

Image by Andy Anderson

MCPX

2018-09-18T23:42:10Z

DaveX:

The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors ([[APU]] and [[ACI]]) and also the USB, PCI, IDE, etc, controllers[https://web.archive.org/web/20010418214256/http://www.ga-hardware.com:80/preview.cfm?id=NVIDIAMCP], [https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml].

=== ROM ===

The MCPX is home to the secret [[MCPX ROM]].

=== Pin L21: PC Speaker ===

The MCPX has PC Speaker pin which can be controlled using [https://wiki.osdev.org/PC_Speaker the standard PC Speaker interface].
However, no actual speaker is connected to the pin, so while the signal exists, there will be no audible sound on a stock Xbox.

A speaker can be soldered to this pin and to make the signal audible [https://www.youtube.com/watch?v=Te4MSskbBEE][https://github.com/0DaveX/beep/]

The original Microsoft code does not drive the PC Speaker at all, so this otherwise unused pin can also be used for inaudible forms of unidirectional communication.

<gallery mode="slideshow">
Image:XboxWithPcSpkr.jpg|'' ''
Image:XboxPcSpkrTrace.jpg|'' ''
Image:XboxPcSpkrSolderPoints.jpg|'' ''
</gallery>

MCPX

2018-09-18T23:36:26Z

DaveX: /* Pin L21: PC Speaker */

The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors ([[APU]] and [[ACI]]) and also the USB, PCI, IDE, etc, controllers[https://web.archive.org/web/20010418214256/http://www.ga-hardware.com:80/preview.cfm?id=NVIDIAMCP], [https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml].

=== ROM ===

The MCPX is home to the secret [[MCPX ROM]].

=== Pin L21: PC Speaker ===

The MCPX has PC Speaker pin which can be controlled using [https://wiki.osdev.org/PC_Speaker the standard PC Speaker interface].
However, no actual speaker is connected to the pin, so while the signal exists, there will be no audible sound on a stock Xbox.

A speaker can be soldered to this pin and to make the signal audible [https://www.youtube.com/watch?v=Te4MSskbBEE][https://github.com/0DaveX/beep/]

The original Microsoft code does not drive the PC Speaker at all, so this otherwise unused pin can also be used for inaudible forms of unidirectional communication.

<gallery mode="slideshow">
Image:XboxWithPcSpkr.jpg|''[[commons:Astronotus ocellatus|Astronotus ocellatus]]'' (Oscar)
Image:XboxPcSpkrTrace.jpg|''[[commons:Salmo salar|Salmo salar]]'' (Salmon Larva)
Image:XboxPcSpkrSolderPoints.jpg|''[[commons:Epinephelus lanceolatus|Epinephelus lanceolatus]]'' (Giant grouper)
</gallery>

File:XboxPcSpkrTrace.jpg

2018-09-18T22:13:16Z

DaveX: Image by Andy Anderson

Image by Andy Anderson

MCPX

2018-09-18T22:12:24Z

DaveX:

The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors ([[APU]] and [[ACI]]) and also the USB, PCI, IDE, etc, controllers[https://web.archive.org/web/20010418214256/http://www.ga-hardware.com:80/preview.cfm?id=NVIDIAMCP], [https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml].

=== ROM ===

The MCPX is home to the secret [[MCPX ROM]].

=== Pin L21: PC Speaker ===

The MCPX has PC Speaker pin which can be controlled using [the standard PC Speaker interface https://wiki.osdev.org/PC_Speaker].
However, no actual speaker is connected to the pin, so while the signal exists, there will be no audible sound on a stock Xbox.

A speaker can be soldered to this pin and to make the signal audible [https://www.youtube.com/watch?v=Te4MSskbBEE][https://github.com/0DaveX/beep/]

The original Microsoft code does not drive the PC Speaker at all, so this otherwise unused pin can also be used for inaudible forms of unidirectional communication.

[[File:XboxWithPcSpkr.jpg|left|500px]] <br \>
[[File:XboxPcSpkrTrace.jpg|left|500px]] <br \>
[[File:XboxPcSpkrSolderPoints.jpg|left|500px]]

MCPX

2018-09-16T21:01:47Z

DaveX: /* Pin L21: PC Speaker */

The MCPX is the southbridge chip of the Xbox chipset by Nvidia. It contains the sound processors ([[APU]] and [[ACI]]) and also the USB, PCI, IDE, etc, controllers[https://web.archive.org/web/20010418214256/http://www.ga-hardware.com:80/preview.cfm?id=NVIDIAMCP], [https://web.archive.org/web/20010410003338/http://www.nvnews.net/previews/mcpx/mcpx.shtml].

=== ROM ===

The MCPX is home to the secret [[MCPX ROM]].

=== Pin L21: PC Speaker ===

The MCPX has PC Speaker pin which can be controlled using [the standard PC Speaker interface https://wiki.osdev.org/PC_Speaker].
However, no actual speaker is connected to the pin, so while the signal exists, there will be no audible sound on a stock Xbox.

A speaker can be soldered to this pin and to make the signal audible [https://www.youtube.com/watch?v=Te4MSskbBEE][https://github.com/0DaveX/beep/]

The original Microsoft code does not drive the PC Speaker at all, so this otherwise unused pin can also be used for inaudible forms of unidirectional communication.

[[File:XboxWithPcSpkr.jpg|left|500px]] <br \>
[[File:XboxPcSpkrSolderPoints.jpg|left|500px]]

File:XboxPcSpkrSolderPoints.jpg

2018-09-16T20:50:18Z

DaveX:

File:XboxWithPcSpkr.jpg

2018-09-16T20:49:34Z

DaveX:

Exploits

2018-09-12T18:17:01Z

DaveX: /* Attack ideas */

== MCPX ==

=== LDT (Hypertransport) bus tap ===

See [http://www.xenatera.com/bunnie/proj/anatak/xboxmod.html#ldt bunnie's adventures hacking the Xbox].

=== Visor hack ===

Exploits incorrect rollover of memory address.

=== MIST hack ===

Exploits error in xcode interpreter security check.
There are at least 2 variations of this hack.

=== A20M# hack ===

[[File:Haxar-a20m.jpg|thumb|200px|A jumper wire hack to enable A20]]

Uses a legacy x86 feature.

=== RC4 attack (MCPX 1.0 only) ===

Microsoft uses the last bytes of the decrypted 2BL to check the integrity of the 2BL.
However, RC4 does not have any feedback which means changes in the 2BL will not reflect in the last couple of bytes which are checked.
As such, the 2BL can be freely modified, as long as the last couple of bytes still match what the MCPX ROM expects.

This can be used to take over the 2BL entry point.

When the attack happens, the MCPX ROM is still visible, making this a very powerful attack.

''This attack is described by Michael Steil in his Google talk.''

=== TEA attack (MCPX 1.1 only) ===

TEA, which is only used in MCPX 1.1, can not be used as a hash in Davies-Meyer mode [http://www.tayloredge.com/reference/Mathematics/VRAndem.pdf][https://www.schneier.com/academic/paperfiles/paper-key-schedule.pdf]. And yet, Microsoft used it that way.

The original attack uses the 5 bytes at 0xffffd400 (FBL entry point) which are <code>E9 83 01 00 00</code>.
This is <code>jmp 0xffffd588</code> (which is a jump within the flash region).

When flipping the highest bit of the operand DWORD (at 0xffffd400, mind your endianess) this will become: <code>E9 83 01 80 00</code>.
This is <code>jmp 0x7fd588</code> (which is a jump into the RAM region).
For the attack to be succssful, the highest bit in the DWORD at 0xffffd404 also has to be flipped.

The RAM can be controlled using the x-code command to write to RAM.
So the idea is to copy a program from Flash to RAM using x-codes.
Then the FBL / 2BL is modified to jump into said RAM region by flipping a bit of a jump operand (as described above).
The 2 bit flips will not change the hash of FBL / 2BL as TEA is broken.

As such, the FBL verification will succeed, the MCPX ROM will hand control to the FBL which will then jump into the attacker controlled RAM.

When the attack happens, the MCPX ROM is still visible, making this a very powerful attack.

''The TEA algorithm and exploit are also described in more detail in Bunnnies book (Page 109 and Page 142).''

== Dashboard ==

=== Audio hacks ===
=== Font hacks ===

[http://archiv.sega-dc.de/phoenix.maxconsole.net/docs/berternie.inc.htm Analysis of "Bert & Ernie" font-exploit].

==== Easter-egg exploit ====

== Savegames ==
Savedgames can be used as an exploit method, but care must be taken for most games are verifying digital signatures of savedgames {{citation needed}} [http://bunniefoo.com/nostarch/HackingTheXbox_Free.pdf]
=== [[007: Agent Under Fire]] ===
=== [[Frogger Beyond]] ===
=== [[MechAssault]] ===
=== [[Tom Clancy's Splinter Cell]] ===
=== [[Tony Hawk's Pro Skater 4]] ===
Grimdoomer discovered a savegame exploit in THPS4, shared it on Discord and was later included with the Rocky5 softmod installer.
[https://drive.google.com/file/d/0B9WVULxHOmNkQVBCMHMtVGhqVVU/view a video demonstrating the game trigger (custom skatepark)]

''10-4-2017 it's just shell code I injected into the game save/ granted this save is slightly more complicated than the others and requires a small "loader" that is just a memcpy basically it's literally as simple as a buffer overflow...I just looked for null terminated strings and fuzzed them then when I got a crash I looked in teh xbe to figure out what was going on. yeah it's literally just a stack overflow'' - grimdoomer

another website talking about his exploit.
[https://www.xbmc4xbox.org.uk/forum/viewtopic.php?t=7310 xbmc4xbox.org.uk]

== Attack ideas ==

{| class="wikitable"
! Purpose || Author || Description || Status
|-
| Preserving memory across boot || JayFoxRox
| Confirm behaviour described in the coldboot paper (https://jhalderm.com/pub/papers/coldboot-cacm09.pdf). This can be used to transfer code / setups for other exploits across a boot (such as preparing memory for A20 attack).
| Success: We have marked memory and rebooted the Xbox (through SMC warm and cold, and manual reboot using power switch). At room temperature, and the Xbox pre-heated, hundreds of markers can still be found after 10 seconds. Within the first 5 seconds, no loss of data was measured at all (although not many bits have been marked to begin with). We have confirmed the memory persistence not only for the main RAM, but also MCPX APU DSP memory banks. Other memory or register banks were not tested yet.
|-
| Early boot control || JayFoxRox
| Xcodes allow writing PCI config space. This can be used to set PCI BARs to random page-aligned addresses. Some devices like the NV2A or MCPX APU contain large register banks which can be read and written like RAM. So effectively we can probably overlay the flash memory or MCPX ROM with a temporary PCI mapping. To fill the memory, the PCI device can be mapped to a lower region, and be filled through Xcode memory writes.
This can be used to take control over code contained in RAM (FBL / 2BL), flash or possibly even the MCPX ROM during boot. This attack could be used to avoid unmapping the MCPX ROM and is therefore quite powerful. However, it requires knowledge of the Xcodes.
| This has not been tested during real-mode or early boot yet, but is assumed to work. It was tested from protected mode by mapping USB1 over the Flash and MCPX ROM region (main RAM has not been tested yet). Mapping the overlay pages without caching resulted in crashes. However, the PD was not reviewed at the time and might have been broken (through unconventional use of MmMapIoSpace).
|-
| Dumping the MCPX ROM || JayFoxRox
| Trying to find problems with the SMC reset chain:
* Map PCI devices over the MCPX ROM region
* Schedule a reset
* Keep reading MCPX ROM memory with CPU to persistent page
* If we are lucky, the CPU would now copies the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover)
| Failed: I've tried reading MCPX ROM memory for as long as possible using the CPU. I've tried resets using PM26 (assumed PWRBTN), SMC Soft (0x01) and SMC Hard (0x40).
Memory was read based on observing value changes (in PCI regions, signalling reset), and timing alone (X cycles after starting reset).
The MCPX ROM region access always crashed. Shadowing the MCPX ROM with a PCI device does not help: The CPU never observed the PCI devices being remapped / lost.
As MCPX and CPU are both reset by the SMC directly, this is not surprising.
|-
| Dumping the MCPX ROM || JayFoxRox
| Trying to find problems with the SMC reset chain:
* Map PCI devices over the MCPX ROM region
* Check if NV2A can access the mapped PCI device
* Configure NV2A to continously stream from MCPX ROM region to RAM - Reset system using SMC (idea: this resets the PCI device mappings in the MCPX and should re-enable the MCPX ROM)
* If we are lucky, the NV2A would now stream the MCPX ROM to RAM in it's last cycles with a broken LDT (this depends on how LDTs work and if they can recover)
| Concept only: No interest in experimenting with NV2A DMA.
|-
| Dumping the MCPX ROM || JayFoxRox
| Trying to find problems with the SMC reset chain: On a warm boot, the x86 might do a bad boot (the following is a theory, someone please measure pins). Theroy: PWRGD is provided, but CPURST is still high from the previous run; CPURST might only go low once NV2A reboots:
* Map device in NV2A to MCPX ROM region (note: mapping MCPX device would not work, because that gets reset with PWRGD)
* Warm reset using SMC
* Code in NV2A device should now jump to lower memory and unmap the MCPX ROM region (by moving itself for example)
* Delay by X cycles [probably in the range from 1ns to idk.. 500ms] to avoid reading the MCPX ROM before MCPX reset
* Code in lower region should copy MCPX ROM region to persisting pages
| Concept only: Someone should measure the pins and possibly look into the memory signals. This is too time consuming for me.
|-
| Unknown || JayFoxRox
| Partial system reset using 0xCF9 I/O register
| Resetting through 0xCF9 lands us on a black screen and the LED flashes as if the DVD tray was being opened. It's currently assumed that 0xCF9 only resets peripherals and NV2A / CPU, but it does not seem to reset the MCPX itself (hence issues booting and PCI activity which causes LED to flash). This has not been tested yet. An idea to confirm this, might be to map a device at 0xFFFFFFF0 which places an x86 jump to a good memory page. If the MCPX really isn't reset, then the CPU would boot from the MMIO / known page.
|-
| Dumping the MCPX ROM || JayFoxRox
| Trying to find problems with the SMC reset chain. The SMC takes a couple of milliseconds to reset the system. Parts of the peripherals might stay alive for long enough. So chances (extremly unlikely) are, the peripherals could be programmed to do DMA where the DMA is only executed after the reboot.
| Failed: An attempt was made to use the APU GP DSP DMA to continuously store x86 code where 2BL would unpack. The system was then reset using the SMC. It booted normally. It is assumed that the DMA is probably long dead by the time that the 2BL is being unpacked / ran.
|-
| Unknown || JayFoxRox
| Resetting from wrong address. The errata for the CPU states that a warm-reset might occur from the wrong address.
| Concept only: Needs more research
|-
| Dumping the MCPX ROM || JayFoxRox
| Trying to access MCPX ROM through peripherals in the southbridge. If the address logic is broken, parts like the OHCI, APU or AC97 might be able to access it still.
|
* AC97: Lots of crashes / hangs. Sometimes crackling noise. Sometimes does not crash. Also can access some non-existing memory regions without any crashes. Data read from invalid addresses seemed to be 300 Hz square wave. While crashing the hardware output will have exponential falloff (measured on PCM line-out).
* APU: Mapping GP DSP Scratch memory from 0x00000000 to 0x7FFFFFFF reveals mirrors of physical RAM. Setting the highest bit (addresses over 0x80000000) will result in a crash of the Xbox.
* OHCI: Untested
* Others: Untested
|-
| Dumping Kernel INIT || JayFoxRox
| INIT is free'd right before passing execution to the first XBE. Depending on what the XBE allocates, the INIT section might still be in memory when a dumper is run.
| Probably doesn't work. Would need the dumper to directly run after cold-boot. Softmods unfortunately reboot the Xbox and during this warm-boot the INIT section is (in at least most cases) lost.
|-
| Dumping Kernel INIT || DaveX || An extension to JayFoxRox dumping idea. Instead of running a dumper-XBE through a softmod, the softmod itself could do the dumping. This means creation of a custom softmod, just for dumping. This depends on the used softmod entry-point (font-exploit (signed target xbe), audio-exploit, ..) to gain execution as early as possible. This strategy might be slightly risky as harddisk contents have to be modified for the temporary softmod.
| WIP as of 2018-09-12
|-
| rowspan="13" | Homebrew entry point || rowspan="13" | Community
| rowspan="13" | Some movie DVDs contain default XBEs signed to run on original Xbox from DVD-R{{FIXME|reason=Add region / product codes and other DVDs you know of}}. If we can find an exploit in one of them (loaded files), we could possibly take over the entire system and run homebrew from DVD-R.
|-
|'''Star Wars: Clone Wars - Volume Two'''
[[Battlefront II]]

Untested
|-
|'''Star Wars: Episode III - Revenge of the Sith (Widescreen Edition)'''
[[Battlefront II]]

Untested
|-
|'''Star Wars Trilogy (Widescreen Edition with Bonus Disc)'''
[[Battlefront]]

Untested
|-
|'''Star Wars Trilogy DVD with Demo'''
[[Lego Star Wars 2]]

Untested
|-
|'''Star Wars: Clone Wars - Volume One'''
[[Battlefront]]

Untested
|-
|'''The Chronicles of Riddick (Widescreen Unrated Director's Cut)'''
[[Chronicles of Riddick]]

Untested
|-
|'''Doom (Unrated Widescreen Edition)'''
[[Doom 3]]

Untested
|-
|'''Hulk (Special Edition)'''
[[Hulk]]

Untested
|-
|'''King Arthur - The Director's Cut (Widescreen Edition)'''
[[King Arthur]]

Untested
|-
|'''Robots (Widescreen Edition)'''
[[Robots]]

Untested
|-
|'''Van Helsing (Widescreen Edition)'''
[[Van Helsing]]

Untested
|-
|'''Clone Wars Volume 1'''
[[Republic Commando]]

Untested
|}

== Notes ==

* [https://events.ccc.de/congress/2005/fahrplan/attachments/591-paper_xbox.pdf 17 Mistakes Microsoft Made in the Xbox Security System]
* [http://toogam.bespin.org/xboxmod/site/xbehacks.htm A list of some exploit implementations]

MCPX

2018-09-03T01:23:47Z

DaveX:

MCPX

2018-09-02T21:55:26Z

DaveX:

MCPX

2018-09-02T21:33:32Z

DaveX: added note about the PC speaker

Hard Drive

2018-08-23T21:22:36Z

DaveX: /* Partitionstable extended with Device Object Names */

The original Xbox hard disk drive was 8 GB in size. Later releases, 10 GB drives; however, only the first 8 GB of the drive was used. See [[Hardware Revisions]] for more information.

== Partitions ==
The Xbox hard disk contains multiple partitions. Unlike a PC, which typically contains either a [https://en.wikipedia.org/wiki/Master_boot_record Master Boot Record] or [https://en.wikipedia.org/wiki/GUID_Partition_Table GUID Partition Table] to specify the partition information, the Xbox kernel uses a fixed partition layout. The file system used on the Xbox is [[FATX]], a variant of FAT16/32 developed by Microsoft specifically for the Xbox.
{{FIXME|reason=Is this the same for all HDD sizes? could the number of free blocks in the savegame menu be used to calculate what kind of HDD you have?}}

{| class="wikitable"
|-
! Drive Letter
! Description
! Offset (bytes)
! Size (bytes)
! Filesystem
! Device Object (MS Retail Kernel)
|-
| N/A
| Config Area
| 0x00000000
| 0x00080000
| Fixed Structure
| N/A
|-
| X
| Game Cache
| 0x00080000
| 0x2ee00000
| FATX
| \Device\Harddisk0\Partition3
|-
| Y
| Game Cache
| 0x2ee80000
| 0x2ee00000
| FATX
| \Device\Harddisk0\Partition4
|-
| Z
| Game Cache
| 0x5dc80000
| 0x2ee00000
| FATX
| \Device\Harddisk0\Partition5
|-
| C
| System
| 0x8ca80000
| 0x1f400000
| FATX
| \Device\Harddisk0\Partition2
|-
| E
| Data
| 0xabe80000
| 0x131f00000
| FATX
| \Device\Harddisk0\Partition1
|}

::::::::::::::::::::::''side note: CD/DVD Drive "D:" <=> "\Device\CdRom0"''
::::::::::::::::::::::''and usually: added Drive "F:" <=> "\Device\Harddisk0\Partition6"''
:::::::::::::::::::::::::   ''added Drive "G:" <=> "\Device\Harddisk0\Partition7"''

'''Debug/Devkit HDD:'''
{| class="wikitable"
|-
! Drive Letter
! Description
! Offset (bytes)
! Size (bytes)
! Filesystem
! Device Object (MS Retail Kernel)
|-
| [FIXME]
| [FIXME]
| [FIXME]
| [FIXME]
| [FIXME]
| [FIXME]
|-
|}

'''FIXME:'''
* Add info on how extended partitions are added.

== Locking ==
The hard drives in the Xbox are locked with a key which is unique to the specific Xbox. The drive is unlocked by the kernel at boot.

=== Unlocking for Backups ===
Before connecting an Xbox HDD to a PC for a backup or modification, the drive must first be unlocked. This can be done with alternative dashboards (such as EvoX). But beware, once you unlock the disk you cannot use it with an official BIOS until you re-lock the disk! For this reason it is suggested to use a patched BIOS which does not require the disk to be locked. If you are unable to run unsigned code (needed to unlock the HDD before powering off), it is possible to hot-swap the drive after the Xbox has started. This is not a suggested method, but it has been known to work. The idea is that you start the Xbox and wait for the dashboard, at which point the drive will be unlocked. Then, while the Xbox is running, you disconnect the IDE cable (but not the power!), and then connect the drive to your PC. Then the drive can be mounted for read/write (using XboxHDM), or imaged directly.

'''FIXME:'''
* Provide more info on locking/unlocking procedure.
* Provide details about the key and how it can be derived from the [[EEPROM]] data.

== How To: Backup an HDD ==
There are two general methods to back up your HDD: copying the files, or creating a byte-for-byte image of the drive.

=== Method 1: File Copy ===
This is an acceptable backup method, but it is not as accurate an exact copy. This method requires less work to create the backup, but more work to re-create a usable disk image. The dashboard files (found in C:) are the most essential part of a backup, and a complete disk image can be re-created (with some effort) with a copy of the dashboard files using a tool such as XboxHDM.

==== Remote ====
Simply run an XBE on your Xbox that provides an FTP server. This is a standard feature for alternative dashboards (such as EvoX). Then connect to your Xbox from another system and copy all files in '''C:''' and '''E:'''.

==== Direct ====
Unlock the HDD, connect it to your PC, mount the drive (see [[FATX]]), copy the files.

=== Method 2: Exact Copy ===
This is the most accurate method to backup your hard disk. This method requires more work to create the backup, but does not require any effort to create a usable disk image like the first method. There are multiple ways to implement this method, one is provided here.

Unlock the HDD, connect it to your PC using a USB-IDE adapter ([https://www.amazon.com/Sabrent-USB-DSC9-SATA-Drive-Converter/dp/B00DQJME7Y available for ~$20USD]). In GNU/Linux and other *NIX variants, DD can be used to perform the block copy. For example: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512</code>. append <code>status=progress</code> to see the progress during copying if you run a recent distro, like so: <code>sudo dd if=/dev/sdb of=xbox_hdd.raw bs=512 status=progress</code>.If you're dumping an original Xbox HDD (capacity 8G or 10G), this will finish pretty quickly. The files can be extracted by mounting the filesystems in the image (see [[FATX]]).

== Further Reading ==
* [http://hackipedia.org/Disk%20formats/Partition%20tables/X-Box/Xbox_Partitioning_and_Filesystem_Details.htm Xbox Partitioning and Filesystem Details]

Exploits

2018-03-04T04:08:51Z

DaveX: /* Attack ideas */

Xtf

2017-09-12T18:35:37Z

DaveX: /* Dashboard fonts */

[[File:Xbox-dashboard-font-specimen.png|thumb|200px|Xbox Font Specimen]]

XTF is a font file format used in the [[Dashboard]].
It became famous for being [[Exploits#Font hacks|exploited]].
Both fonts were also used for branding and promotional use.

== Dashboard fonts ==

The dashboard fonts were designed by [[Wikipedia:Steve Matteson|Steve Matteson]] of [[Wikipedia:Ascender Corporation|Ascdender Corporation]] for use on the Xbox. Matteson had already created many of Microsoft's [[Wikipedia:Microsoft Windows|Windows]] core fonts and would later create the [https://www.fonts.com/font/microsoft/convection Convection fonts used on the Xbox 360].

Each font contains 7365 glyphs.

=== Xbox.xtf ===

A monospace font.

<div style="display: inline-block;">[[File:Xbox-xtf.png|800px|thumb|Xbox.xtf from [[Dashboard]].]]</div>

=== XBox Book.xtf ===

<div style="display: inline-block;">[[File:XBox Book-xtf.png|800px|thumb|XBox Book.xtf from [[Dashboard]].]]</div>

== File format ==

* 4 byte (magic)
* 4 byte (length prefix for following string)
* zero-terminated string with given buffer length (font-name)
* [https://msdn.microsoft.com/en-us/library/dd144956%28v=vs.85%29.aspx GLYPHSET] (List of supported glyphs)
* For each cGlyphsSupported:
** [https://msdn.microsoft.com/en-us/library/windows/desktop/dd374209(v=vs.85).aspx GLYPHMETRICSFLOAT] (Metrics for each glyph)
** 4 byte (Offset of glyph in file)
* For each GLYPHSET range
** For each glyph in this range (stored as a triangle strip)
*** 2 byte (Index count)
*** 2 byte (Vertex count)
*** For each index:
**** 2 byte (Vertex index)
*** For each vertex:
**** 4 byte float (X-coordinate)
**** 4 byte float (Y-coordinate)

{{FIXME|reason=Confirm these findings and format them better}}

== Links ==

* [https://github.com/JayFoxRox/xbox-tools/tree/master/xtf-converter A tool to convert XTF fonts to SVG fonts]

Xbox Memory Unit

2017-09-11T23:02:25Z

DaveX:

The memory units are typically formatted with [[FATX]].

{| class="wikitable"
! Product name !! VID !! PID !! Capacity !! Notes"
|-
| Microsoft Corp. Xbox Memory Unit (8MB) || 0x045e || 0x0280 || 8MB || Official one
|-
| ThrustMaster, Inc. || 0x044f || 0x0f0c || 8MB || Green logo Xbox and white "Trustmaster
|}

== Unlicensed Xbox Memory Units ==
Some unlicensed Memory Units where made.

{| class="wikitable"
! Product name !! VID !! PID !! Capacity !! Notes
|-
| Weltrend Semiconductor XBOX Xploder || 0x040b || 0x6520 || 8MB || Green sticker "Gamesaves"
|}

== Compatible USB sticks ==

Aside from the official licensed Memory Units, some standard USB storage devices can be reformatted as Xbox Memory Unit. (It is rumored that the capacity should not exceed 4GB)
However, not all devices are compatible, so the following table gives a list of known devices:

{| class="wikitable"
! Product name !! VID !! PID !! Capacity !! Notes
|-
|BESTRUNNER 256MB Speicherstick || 0xABCD || 0x1234 || 256MB ||
|-
|USB Mass Storage Device || 0x058F || 0x9381 || 64MB || Generic Mass Storage Device
|}

== References ==

* [http://imgur.com/a/8QmDA Thrustmaster XBOX Memory Unit images by DarkGabz]
* [http://imgur.com/gallery/M0PZ6 3 XBOX memory units images by CodeAsm]

Xbox Memory Unit

2017-09-07T14:41:48Z

DaveX:

The memory units are typically formatted with [[FATX]].

{| class="wikitable"
! Product name !! VID !! PID !! Capacity !! Notes"
|-
| Microsoft Corp. Xbox Memory Unit (8MB) || 0x045e || 0x0280 || 8MB || Official one
|-
| ThrustMaster, Inc. || 0x044f || 0x0f0c || 8MB || Green logo Xbox and white "Trustmaster
|}

== Unlicensed Xbox Memory Units ==
Some unlicensed Memory Units where made.

{| class="wikitable"
! Product name !! VID !! PID !! Capacity !! Notes
|-
| Weltrend Semiconductor XBOX Xploder || 0x040b || 0x6520 || 8MB || Green sticker "Gamesaves"
|}

== Compatible USB sticks ==

Aside from the official licensed Memory Units, some standard USB storage devices can be reformatted as Xbox Memory Unit.
However, not all devices are compatible, so the following table gives a list of known devices:

{| class="wikitable"
! Product name !! VID !! PID !! Capacity !! Notes
|-
|BESTRUNNER 256MB Speicherstick || 0xABCD || 0x1234 || 256MB ||
|}
== References ==

* [http://imgur.com/a/8QmDA Thrustmaster XBOX Memory Unit images by DarkGabz]
* [http://imgur.com/gallery/M0PZ6 3 XBOX memory units images by CodeAsm]

Exploits

2017-09-05T03:27:21Z

DaveX: /* Attack ideas */

Xbox DVD Movie Playback Kit

2017-08-27T04:00:19Z

DaveX:

[[File:Xbox-Remote-and-Receiver.jpg|thumb|200px|Remote and Receiver]]
==Introduction==

The DVD Movie Playback Kit contains 2 parts: A remote and a dongle for the Xbox.

== Remote Control ==

== Dongle ==

The dongle contains a ROM with an XBE which provides some functions for the DVD playback application. However, the XBE is not standalone.

Why would they not just put this little < 512kiB library on the harddisk? Why another ROM which contains the program?
One could think it is to allow them to upgrade the application easily, but the real reason seems to be different: licensing. As the label on the back notes: "Made under license from Dolby Laboratories". By including the software in the DVD Remote kit, they don't have to pay Dolby for every Xbox sold, but just for every DVD Remote kit sold. This allows them to keep the cost of the Xbox down.

Additionally the dongle contains an IR receiver to receive commands from the Remote control.

=== Known versions ===

{| class="wikitable" 
! Part No. !! Manufactured in !! Version !! DVD Region !! ROM Size !! ROM SHA1 !! Notes
|-
| X08-25402 || Indonesia || 1.1 || 2 || 229790 Bytes || <code>70d4b5f8e073b05610fba9e9617d7356196b61ff</code> ||
|-
| X08-25402-002 || Indonesia || || || || ||
|-
| X08-25387 || Indonesia || || || || ||
|-
| X08-25387-002 || Indonesia || 1.1 || 1 || 229790 Bytes || <code>73814aa736d83d636380f5c6b1c291441b35354d</code> || Sticker: "2341P" on PCB
|}

=== USB Protocol ===

{{FIXME|reason=Partially documented in JayFoxRox/xbox-tools on github}}

=== Components ===

Different versions of the dongle seem to use different hardware internally.

==== X08-25387-002 (PCB: "X01469-100") ====

* U1 ATMEL AT43USB352M-AC{{FIXME|reason=Can't find datasheet.. only for AT43USB351M-AC and AT43USB353M-AC; both of which have various differences}}
* U2 TSOP-1556
* U3 X393121C{{FIXME|reason=What is this? a ROM? how large?}}

==== X08-25387 (PCB: "IR DONGLE REV B") ====
[[File:X08-25387-Sticker.jpeg|thumb|200px|X08-25387 Rev B Sticker]]
[[File:IR_DONGLEREVB-FRNT.jpeg|thumb|200px|Front PCB of X08-25387]]

* U3 MX23C4000TC-10

{{FIXME|reason=Didn't get rear components photographed yet}}

==== Unknown version (PCB: "REV C.") ====

[[File:Xbox-linux-dvd-dongle-front.jpg|thumb|200px|Frontside]]
[[File:Xbox-linux-dvd-dongle-back.jpg|thumb|200px|Backside]]

* U1 92163 [https://web.archive.org/web/20100617020513/http://www.st.com/ STMicroelectronics] <[https://web.archive.org/web/20100617020513/http://www.st.com/stonline/books/pdf/docs/5521.pdf Datasheet]>
: This big square IC on the backside is the microcontroller. STMicroelectronics describes it as "8/16-BIT FULL SPEED USB MCU FOR COMPOSITE DEVICES WITH 16 ENDPOINTS, 20K ROM, 2K RAM, I 2 C, SCI, & MFT". Since the program resides inside in its ROM, it is almost impossible to extract the program from inside.

* U2 TSOP-1556 [https://web.archive.org/web/20100617020513/http://www.vishay.com/ Vishay Telefunken] <[https://web.archive.org/web/20100617020513/http://www.vishay.com/docs/82029/82029.pdf Datasheet]>
: This black box on the middle of the frontside is an integrated IR receiver. It filters the received infrared pulses and demodulates them. Its filter frequency is 56kHz, while 38kHz is standard for most remote controls. Therefore, chances are few other remotes will work with the Xbox receiver.

* U3 MX23C4000TC-10 [https://web.archive.org/web/20100617020513/http://www.macronix.com/ Macronix] <[https://web.archive.org/web/20100617020513/http://www.macronix.com/QuickPlace/hq/PageLibrary48256D9D002BA613.nsf/h_6057FA6682A90C3948256DCE0052D2D3/67DCB124F1BE4E7D48256DC50039AC31/$File/MX23C4000-4.2.pdf/?OpenElement Datasheet]>
: This wide TSOP IC on the frontside could be the most interesting of all. It is a 4MBit mask ROM.

* U4 HC574 [https://web.archive.org/web/20100617020513/http://www.ti.com/ Texas Instruments] <[https://web.archive.org/web/20100617020513/http://focus.ti.com/lit/ds/symlink/sn74hc574.pdf Datasheet]>
: This 20-pin standard logic IC is an octal D-flipflop, which splits the databus from the 92163 to 8 adress bits. This technique is very well known from the 8051 and other microcontrollers.

=== Hacking ===

As the dashboard presumably downloads the code from the ROM into the memory of the Xbox, this could be a hardware hack requiring no hardware modifications. The XBE loader for the DVD image is different from the usual XBE loader. However, the XBE is still signed and checked for security.

== References ==

* [https://ibb.co/album/cmr5rF Pictures of X08-25387-002 including internals]
* [https://github.com/JayFoxRox/xbox-tools/tree/master/dump-dvd-kit Tool to dump DVD Dongle ROM]
* [https://web.archive.org/web/20100617020513/http://www.xbox-linux.org/wiki/DVD-IR_Internals DVD-IR Internals]

File:Xbox-Remote-and-Receiver.jpg

2017-08-27T03:58:54Z

DaveX: Author: "Evan Amos Vanamo Media" Copyright holder: "Public Domain"

Author: "Evan Amos Vanamo Media"
Copyright holder: "Public Domain"

File:Xbox Live Communicator.png

2017-08-22T01:28:53Z

DaveX: DaveX uploaded a new version of File:Xbox Live Communicator.png

The Xbox Live Communicator looks roughly like this.

File:Xbox Live Communicator.png

2017-08-22T01:28:13Z

DaveX: DaveX uploaded a new version of File:Xbox Live Communicator.png

The Xbox Live Communicator looks roughly like this.

File:Xbox Live Communicator.png

2017-08-22T01:26:37Z

DaveX: DaveX uploaded a new version of File:Xbox Live Communicator.png

The Xbox Live Communicator looks roughly like this.

Xbox Live Communicator

2017-08-22T01:21:59Z

DaveX: added pic

The Xbox Live Communicator is the headset which is used for Xbox Live.
[[File:Xbox_Live_Communicator.png|thumb|200px|Headset / Xbox Live Communicator]]

== Protocol ==

=== USB Descriptor ===

<pre>
Bus 003 Device 006: ID 045e:0283 Microsoft Corp. Xbox Communicator
Device Descriptor:
bLength 18
bDescriptorType 1
bcdUSB 1.10
bDeviceClass 0
bDeviceSubClass 0
bDeviceProtocol 0
bMaxPacketSize0 8
idVendor 0x045e Microsoft Corp.
idProduct 0x0283 Xbox Communicator
bcdDevice 1.58
iManufacturer 0
iProduct 0
iSerial 0
bNumConfigurations 1
Configuration Descriptor:
bLength 9
bDescriptorType 2
wTotalLength 45
bNumInterfaces 2
bConfigurationValue 1
iConfiguration 0
bmAttributes 0x80
(Bus Powered)
MaxPower 100mA
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 0
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 120
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 0
Endpoint Descriptor:
bLength 9
bDescriptorType 5
bEndpointAddress 0x04 EP 4 OUT
bmAttributes 5
Transfer Type Isochronous
Synch Type Asynchronous
Usage Type Data
wMaxPacketSize 0x0030 1x 48 bytes
bInterval 1
bRefresh 0
bSynchAddress 0
Interface Descriptor:
bLength 9
bDescriptorType 4
bInterfaceNumber 1
bAlternateSetting 0
bNumEndpoints 1
bInterfaceClass 120
bInterfaceSubClass 0
bInterfaceProtocol 0
iInterface 0
Endpoint Descriptor:
bLength 9
bDescriptorType 5
bEndpointAddress 0x85 EP 5 IN
bmAttributes 5
Transfer Type Isochronous
Synch Type Asynchronous
Usage Type Data
wMaxPacketSize 0x0030 1x 48 bytes
bInterval 1
bRefresh 0
bSynchAddress 0
can't get debug descriptor: Resource temporarily unavailable
Device Status: 0x0000
(Bus Powered)
</pre>

=== Microphone ===

{{FIXME}}

=== Speaker ===

{{FIXME}}

File:Xbox Live Communicator.png

2017-08-22T01:18:34Z

DaveX: The Xbox Live Communicator looks roughly like this.

The Xbox Live Communicator looks roughly like this.

Template:Unknown

2017-07-16T13:12:08Z

DaveX:

<noinclude>{| class="wikitable"
|-
|</noinclude>style="background:#CFCFCF;vertical-align:middle;text-align:{{{align|center}}};{{{style|}}}" class="table-yes"|{{{1|Unknown}}}<noinclude>
|}
{{documentation}}
</noinclude>

Emulators

2017-07-13T15:22:31Z

DaveX:

This is a list of known Xbox emulation projects

{| class="wikitable sortable"
!Status
!Approach
!Chihiro
!Name
!Links
!Initiator
!Platform
!License
!Notes
|-
|{{Maintained}}
|LLE
|{{Yes}}
|[[XQEMU]]
|[http://xqemu.com/][https://github.com/xqemu/][https://github.com/espes/xqemu]
|espes
|Windows/Linux/Mac/Others
|
|XQEMU supports hardware-acceleration for the CPU emulation on Linux through KVM.
|-
|{{Maintained}}
|HLE
|{{No}}
|[[Cxbx-Reloaded]]
|[http://cxbx-reloaded.co.uk/][https://github.com/Cxbx-Reloaded/Cxbx-Reloaded]
|SoullessSentinel
|Windows
|
|At the time of writing Cxbx-Reloaded is almost purely HLE. LLE GPU emulation is planned, but currently not implemented.
|-
|{{Dead}}
|HLE
|{{No}}
|[[Cxbx]]
|
|Caustik
|Windows
|
|
|-
|{{Dead}}
|HLE
|{{No}}
|Dxbx
|[http://dxbx-emu.com][https://github.com/PatrickvL/Dxbx/]
|ShadowTj
|Windows
|
|The project was started on March 23rd 2008. It is an improved port of Cxbx to the Delphi programming language.
|-
|{{Unknown}}
|Unknown
|{{No}}
|[https://github.com/impeachgod/Dirtbox Dirtbox]
|
|
|Windows
|
|
|-
|{{Unknown}}
|HLE
|{{No}}
|[https://sourceforge.net/p/ironbabel/code/HEAD/tree/trunk/Box/Xbox/ IronBabel]
|
|daeken
|Unknown
|
|This seems to have been a generic portability framework
|-
|{{Unknown}}
|HLE
|{{No}}
|[https://github.com/daeken/Steelbreeze Steelbreeze]
|
|daeken
|Unknown
|
|
|-
|{{Unknown}}
|LLE/HLE Hybrid
|{{No}}
|[https://github.com/daeken/Zookeeper Zookeeper]
|[https://www.reddit.com/r/EmuDev/comments/4isyvu/project_zookeeper_a_new_xbox_emulator/]
|daeken
|Mac
|
|Using Apple's Hypervisor.framework to run a custom kernel (NightBeliever in the repo) and then running Xbox code from there
|-
|{{Unknown}}
|Unknown
|{{No}}
|[http://ngemu.com/threads/.154342/ XbeNext]
|
|LoveMHz
|Windows
|
|
|-
|{{Dead}}
|HLE
|{{No}}
|[http://ngemu.com/forums/.65/ Xeon]
|
|
|Windows
|
|
|-
|{{Unknown}}
|Unknown
|{{No}}
|[http://ngemu.com/threads/.105210/ XProject]
|
|
|Windows
|
|
|-
|{{Unknown}}
|Unknown
|{{No}}
|[https://code.google.com/p/xbem xbem]
|
|
|Windows
|
|
|-
|{{Dead}}
|LLE/HLE Hybrid
|{{Yes}}
|Hackbox
|
|JayFoxRox
|Windows/Linux
|Private
|This was originally going to be a commercial emulator (but plans were dropped quickly in favor of preservation). The source code was temporarily public but then made private. The source code is still available to a selected group of developers. Hackbox was designed from scratch but re-used code from Cxbx for HLE routine detection.
|-
|{{Unknown}}
|LLE
|{{No}}
|[https://github.com/phire/kvmbox kvmbox]
|
|phire
|Linux
|
|
|-
|{{Unknown}}
|HLE
|{{No}}
|[https://github.com/Gabriel-Maldonado/XboxHLE XboxHLE]
|
|
|Windows
|
|
|-
|{{Unknown}}
|Unknown
|{{No}}
|[https://github.com/bjh83/boombox boombox]
|
|
|Windows
|
|
|-
|{{Unknown}}
|Unknown
|{{No}}
|[https://github.com/docbrown/vxb vxb]
|
|
|Windows
|
|
|-
|{{Unknown}}
|Unknown
|{{No}}
|[https://github.com/quantumdude836/exciplex exciplex]
|
|
|Windows
|
|
|-
|{{Maintained}}
|LLE
|{{Yes}}
|[http://mamedev.org/ MAME]
|
|MAME Team
|Windows/Linux/Mac/Others
|
|Focus seems to be on Chihiro emulation. Does Xbox (non-Chihiro) emulation exist yet?{{citation needed}}
|-
|{{Dead}}
|LLE
|{{No}}
|[https://github.com/monocasa/xbvm XBVM]
|
|monocasa
|Windows
|
|
|-
|{{Dead}}
|
|{{No}}
|[http://xenoborg-emu.blogspot.com/ Xenoborg]
|
|blueshogun96
|Windows
|
|
|-
|{{Dead}}
|LLE/HLE Hybrid
|{{No}}
|[[Xbox 360 Backward Compatibility]]
|
|Microsoft
|Xbox 360
|Proprietary
|
|-
|{{Maintained}}
|LLE/HLE Hybrid{{citation needed}}
|{{No}}
|[[Xbox One Backward Compatibility]]
|[http://www.xbox.com/en-US/xbox-one/backward-compatibility]
|Microsoft
|Xbox One
|Proprietary
|Announced at E3 2017. Said to be working similar to the 360 support in the Xbox One [https://youtu.be/x0NKP7-h_G0?t=8503]. The 360 support is probably ahead of time shader translation and runtime CPU translation [https://majornelson.com/podcast/584-xbox-one-backward-compatibility-turns-1/].
|}

== References and links ==

* [https://www.reddit.com/r/emulation/comments/6a958p/cxbx_reloaded_xbox_emulator_panzer_dragoon_orta/ Discussion about Xbox emulation and technical differences between [[Cxbx-Reloaded]] and [[XQEMU]]]

Template:Unknown

2017-07-13T15:20:25Z

DaveX: Created page with "<noinclude>{| class="wikitable" |- |</noinclude>style="background:#CFCFCF;vertical-align:middle;text-align:{{{align|center}}};{{{style|}}}" class="table-yes"|{{{1|✔ Unk..."

<noinclude>{| class="wikitable"
|-
|</noinclude>style="background:#CFCFCF;vertical-align:middle;text-align:{{{align|center}}};{{{style|}}}" class="table-yes"|{{{1|✔ Unknown}}}<noinclude>
|}
{{documentation}}
</noinclude>

Azurik: Rise of Perathia

2017-06-27T03:17:10Z

DaveX: image uploaded

{{Game}}
=== Known tricky behaviour ===

==== Skinning code / Shader rounding mode ====

This game depends on correct GPU rounding. If an emulator suffers from issues with non-exact rounding in the shaders which do the skinning / skeletal animation the character models will be very broken.

[[File:Azurik--Rise-of-Perathia--bugged.png]]

IIRC Code is like:

A0 = c[113].x + c[113].z = 18
*do stuff with c[96+A0] to c[98+A0]*

A0 = c[113].x + c[113].z = 21
*do stuff with c[96+A0] to c[98+A0]*

A0 = c[113].y * v2
*do stuff with c[96+A0] to c[98+A0]*

c[113] is vec4(15, 765, 3, 0). 765 = 3*255.
v2 is GL_UNSIGNED_BYTE, normalized => v2 = raw/255.
A0 = 765 * raw/255 = 3*raw.

This should all be working, but it's not. [[NV2A/Vertex Shader]] does round-to-zero. Behaviour for GLSL and other modern graphic APIs is undefined..
To work around this rounding issue <code>A0 += 1.0/255.0</code> can be used as a temporary hack

File:Azurik--Rise-of-Perathia--bugged.png

2017-06-27T03:11:34Z

DaveX: GPU emu non-exact rounding issues e.g. in Azurik: Rise of Perathia

GPU emu non-exact rounding issues e.g. in Azurik: Rise of Perathia

APU

2017-06-27T03:04:51Z

DaveX: /* Modifications for Boot Animation */

The [[MCPX]] contains an APU (Audio Processing Unit).

* SSL = Stream Segment List
* SGE = Scatter Gather Entry
* PRD = Physical Resource Descriptor (Same thing as SGE?!)

== Voice Processor (VP) ==

A powerful voice processor. There can be up to 256 voices{{citation needed}} and 64{{citation needed}} of those can be 3D.

Per-voice settings:
* Input type (8bit, 16bit, 24bit, ADPCM)
* [[wikipedia:Head-related transfer function|Head-related transfer function]] (HRTF)
* [[wikipedia:Low-frequency oscillation|Low-frequency oscillation]] (LFO)
* Pitch
* 2x Pitch (?) envelope
* 2x LFO (?) envelope
* 8 target bins, each with a custom volume for this voice

There are 32 bins which these voices will be mixed into.

=== Related APU memory ===

* VPV = VP Voices
* VPHT = VP HRTF Target
* VPHC = VP HRTF Current
* VPSGE = VP SGEs
* VPSSL = VP SSLs

=== Voice lists ===

The voices are kept in a single-linked list. There are 3 voice lists:

* 2D
* 3D
* MP (Multipass?)

=== Voice structure ===

This is 0x80 bytes

==== Pitch calculation ====

The 16 bit signed pitch value (''p'') can be converted to and from a unsigned frequency in Hz (''f'') using the following formulas:

<pre>
p = 4096 * log2(f / 48000)
f = pow2(p / 4096) * 48000
</pre>

=== Operation ===

Voices are stored in VPV.
Input data (from the CPU) is loaded using VPSGE.
Voices are then processed and written to the GP MIXBUF.

== Global Processor (GP) ==

The GP runs all enabled sound effects on the voice bins.

The GP DSP seems to run at 160 MHz

=== MIXBUF ===

The MIXBUF is a 0x400 word (24-Bit, stored as 32-Bit) section. It is split into 32 * 0x20 words.
Each 0x20 word block represents one of the 32 voice bins of the VP.
The 0x20 words are 24-Bit PCM mono samples to be played back at 48kHz. The duration of each frame is hence 0.{{overline|6}}ms.

=== Memory map ===

=== Related APU memory ===

* GPS = GP Scratch (?)
* GPF = GP FIFO

== Encode Processor (EP) ==

The EP encodes the final AC3 stream for SPDIF. {{FIXME|reason=It might do more than just that; what does it do in analog mode for example?}}
It is not used during the [[Boot Animation]].

=== Memory map ===

=== Related APU memory ===

* EPS = EP Scratch (?)
* EPF = EP FIFO

== Usage in DirectSound ==

''This topic deserves it's own article{{FIXME}}''

The bins are used {{FIXME|reason=How?}}
DirectSound allows to load custom GP DSP code for filter / effects.
{{FIXME|reaon=Will GP DSP automatically download code or is code pushed to it?}}
The GP waits for the frame interrupt which signals that MIXBUF data is available. It then goes through a filter chain.
At the end of the chain, the GP DSP will verify that the execution didn't take longer than the frame duration.

The GP will then issue 6 DMA requests to output the processed frames to a ringbuffer in scratch space.
The frameformat will be the same format as the GP MIXBUF format (also 0x20 words per channel).
Each ringbuffer is 0x200 words and therefore holds the last 16 frames.
Therefore, the ringbuffer region is 6 * 0x800 Bytes = 0x3000 Bytes in physical memory.

The order of the channels in the ringbuffer is (also DMA order):

* Front Left
* Center{{citation needed}}
* Front Right
* Rear Left{{citation needed}}
* Rear Right{{citation needed}}
* [[Wikipedia:Low-frequency effects|Low-frequency effects]] (LFE){{citation needed}}

The EP maps the same data to its own scratch space. It is assumed that it will DMA this region to its own internal memory.
The EP then AC3 encodes the audio data{{citation needed}} and writes it to the EP FIFO memory{{FIXME|How does this happen? DMA?}}.
{{FIXME|reason=When does this happen and what happens to stereo? headphones? mono?}}
The data is then send to the ACI AC97 using EP FIFO channels 0 (PCM) and 1 (SPDIF){{citation needed}}.

=== Modifications for Boot Animation ===

During the [[Boot Animation]] a different version of DirectSound is used.
The EP is disabled in this case.
The data is send to the ACI AC97 using GP FIFO channel 0 (PCM).
There is no AC3 / SPDIF during the boot animation[http://www.gamasutra.com/blogs/BrianSchmidt/20111117/90625/Designing_the_Boot_Sound_for_the_Original_Xbox.php]{{citation needed|reason=Link to brians gamasutra stuff}}.

== Related ==

* [[ACI]]
* [[DSP]]
* [[Xbox ADPCM]]
* [https://github.com/JayFoxRox/xbox-tools/blob/master/python-scripts/apu.py Script to inspect APU registers and voice buffers]

NForce

2017-06-23T04:59:42Z

DaveX: typo

{{retrieved|http://www.xbox-linux.org/wiki/NForce}}

This documents collects information about the Xbox chipset and its sibling, the nVidia nForce chipset, as well as further relatives.

== nForce ==

The nForce chipset consists of the IGP (Integrated Graphics Processor) Northbridge and the MCP (Media and Communications Processor) Southbridge. Both are available in different flavours:

* IGP-64: 64 bit memory bus
* IGP-128: 128 bit memory bus (TwinBank), requires two DIMM modules for 128 bit operation
* MCP-D: includes Dolby Digital encoder
* MCP: Dolby Digital encoder disabled

So these are the four possible combinations:

{| class="wikitable"
|-
|
| MCP
| MCP-D
|-
| IGP-64
| nForce 220
| nForce 220D
|-
| IGP-128
| nForce 420
| nForce 420D
|}
[https://web.archive.org/web/20100617023830/http://www.theregister.co.uk/2001/05/31/nvidia_crush_chipset_named_nforce/]
[https://web.archive.org/web/20100617023830/http://www.theregister.co.uk/2001/06/01/nvidia_crush_is_called_nforce/]

The VGA controller inside the IGP is a "GeForce2 MX Integrated Graphics" (PCI ID:10de/01a0). Its internal name is NV1A.

[https://web.archive.org/web/20100617023830/http://pciids.sourceforge.net/iii/?i=10de]
[https://web.archive.org/web/20100617023830/http://www.nvitalia.com/articoli/editoriali/produzione_nvidia_2001.htm]

Although IGP-64 and IGP-128 are different and their respective chipsets have different codenames (Crush11 and Crush12, see below), there seems to be no difference from the software side:

* The VGA BIOS of the MS-6367 mainboard (nForce 420D configuration, i.e. Crush12) has the internal name "CR11BT.ROM". It also includes the strings "NVIDIA GeForce2 Integrated GPU", "CR11 Board" and "Chip Rev B2".
* The PCI IDs seem to be the same for the GPUs inside IGP-64 and IGP-128.

== Crush ==

"Crush" was the codename of the nForce chipset. Crush11 is the nForce 220/220D/230/230-T, Crush12 is the nForce 420/420D/430/430-T, and Crush18 is the nForce2. The "11" probably derives from "NV11", the internal name of the GeForce2 MX.

[https://web.archive.org/web/20100617023830/http://users.erols.com/chare/chipsets.htm]
[https://web.archive.org/web/20100617023830/http://www.theregister.co.uk/2000/11/17/nvidias_super_secret_crush_spec/]

== nForce & Xbox ==

The Xbox has an IGP-128 that uses an NV2A video core (PCI ID:10de/02a5), which is between the GeForce3 (NV20) and the GeForce4 (NV25). The Southbridge is called "MCP-X" and lacks the PCI card bus (PCI bus #1).

[https://web.archive.org/web/20100617023830/http://www.digit-life.com/articles/nvidianforce/]
[https://web.archive.org/web/20100617023830/http://www.anandtech.com/showdoc.html?i=1484]
[https://web.archive.org/web/20100617023830/http://www.anandtech.com/cpuchipsets/showdoc.aspx?i=1535]
[https://web.archive.org/web/20100617023830/http://www.anandtech.com/systems/showdoc.aspx?i=1561&p=3]

== AMD Heritage ==

There is the following rumour, which is not fully verified yet:

* Microsoft wanted AMD to make the CPU and the chipset for the Xbox, and nVidia to make the video hardware.
* When alpha hardware had already bee built, Intel made a better deal
* Microsoft agreed to have Intel CPUs; Intel had to modify AMD's chipset to support an AMD CPU
* Intel insisted that the brand name AMD could not be associated with the Xbox, so nVidia licensed the AMD chipset. Now the Xbox chipset was by nVidia.
* nVidia sold the same chipset for PCs, calling it "nForce".

This is the reason why

* the Xbox is the only nForce chipset with an Intel CPU
* the AMD chipset and the nForce chipset are so similar

Evidence:

* The AMD and nForce AMD IDE controllers are fully compatible. (Linux kernel: "AMD 755/756/766/8111 and nVidia nForce/2/2s/3/3s/CK804/MCP04 IDE driver for Linux." [https://web.archive.org/web/20100617023830/http://lxr.linux.no/source/drivers/ide/pci/amd74xx.c])
* The I2C/SMBus controller on the nForce is fully AMD-756/766/68 compatible. [https://web.archive.org/web/20100617023830/http://lxr.linux.no/source/drivers/i2c/busses/i2c-amd756.c]
* The audio controller is i810 compatible - as is the audio controller of the AMD-768 and the AMD-8111.
* The nForce and AMD-768 modems are compatible.
* At least one register ("VGA_en") in the nForce PCI-to-AGP bridge is compatible with the AMD chipset (AMD-761, 24081.pdf, page 136).
* The nForce uses HyperTransport.
* [https://web.archive.org/web/20100617023830/http://www.uwsg.iu.edu/hypermail/linux/kernel/0307.3/0922.html], [https://web.archive.org/web/20100617023830/http://www.uwsg.iu.edu/hypermail/linux/kernel/0301.3/0305.html]
* ''"One man's guess, the silicon is not a major factor. Because the nForce and 760 MP have a similar pin count, they are going to be cost comparable."'' [https://web.archive.org/web/20100617023830/http://overclockers.com/articles446/]

{| class="wikitable"
|-
|
| Northbridge
| Southbridge
|-
| AMD-760
| AMD-761
| AMD-766
|-
| AMD-760MP
| AMD-762
| AMD-766
|-
| AMD-760MPX
| AMD-762
| AMD-768
|}
[https://web.archive.org/web/20100617023830/http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_873_1133,00.html AMD-760™ Chipset Tech Docs]
[https://web.archive.org/web/20100617023830/http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_739_1130,00.html AMD-760™ MP Chipset Tech Docs]
[https://web.archive.org/web/20100617023830/http://www.amd.com/us-en/Processors/TechnicalResources/0,,30_182_873_4296,00.html AMD-760™ MPX Chipset Tech Docs]
<br />
The nForce chipset might be based on the AMD-760 chipset.

== More Links ==

[https://web.archive.org/web/20100617023830/http://www.duxcw.com/digest/guides/mb_chip/nforce/print.htm]