Difference between revisions of "BIOS"

From xboxdevwiki
Jump to: navigation, search
(Decoy bootloader)
(Components: 2BL exists there on all BIOSes that contain a FBL)
 
(31 intermediate revisions by 5 users not shown)
Line 1: Line 1:
The BIOS is either a 1MB or 256KB memory which is loaded to the top 16MB of memory (from 0xFF000000). There are a couple of things to understand in order for this to make sense. First, the 1MB BIOS is actually 256KB of data repeated 4 times. So, if you do:
+
The '''BIOS''' (an acronym for '''Basic Input/Output System''' and also known as the '''BIOS ROM''' or '''Xbox ROM''') is a firmware image that is mapped to the top 16MiB of the CPU's physical address space (0xFF000000 - 0xFFFFFFFF). Like the standard [https://en.wikipedia.org/wiki/BIOS PC BIOS], it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form.
 +
 
 +
On a standard Xbox, the BIOS image is stored in the [[Flash ROM]]. The BIOS image is actually 256 kiB, duplicated 4 times to fill the 1 MiB ROM chip. You can verify this by running:
  
 
<pre>
 
<pre>
Line 10: Line 12:
 
</pre>
 
</pre>
  
You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1MB and some are 256KB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256KB of data is repeated 64 times.
+
You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1 MiB and some are 256 kiB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256 kiB of data is repeated 64 times.
  
 
== Components ==
 
== Components ==
Line 16: Line 18:
 
The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences.
 
The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences.
  
=== Unknown ===
+
{| class="wikitable"
 +
!                   
 +
!  3944  !!  4034  !!  4134{{FIXME|reason=Some sources claim there is 4132; however, neither 4134 or 4132 are listed in redump. So this might not be a real MS bios}} !!  4817  !!  5101  !!  5530  !!  5713  !!  5838
 +
|-
 +
! NV2A Initialization Table           
 +
| 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000 || 0x00000
 +
|-
 +
! MCPX Initialization Table
 +
| 0x00070 || 0x00070 || 0x00070 || 0x00070 || 0x00070 || 0x00070 || 0x00070 || 0x00070
 +
|-
 +
! X-Codes           
 +
| 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080 || 0x00080
 +
|-
 +
! Copyright String   
 +
| 0x00CFA || 0x00CFA || 0x00CFA || 0x00DB9 || 0x00E49 || 0x00E59 || 0x00E59 || 0x00DCC
 +
|-
 +
! Kernel
 +
| 0x0619C ||        ||        ||        ||        ||        ||        ||       
 +
|-
 +
! Kernel Data Segment
 +
| 0x3944C ||        ||        ||        ||        ||        ||        ||         
 +
|-
 +
! 2BL <br> ''Always 0x6000 bytes''               
 +
| 0x39E00 || 0x39E00 || 0x39E00 || 0x39E00 || 0x39E00 || 0x39E00 || 0x39E00 || 0x39E00
 +
|-
 +
! FBL <br> ''Always 0x2880 bytes''
 +
|        ||        ||        || 0x3D400 || 0x3D400 || 0x3D400 || 0x3D400 || 0x3D400
 +
|-
 +
! Decoy Boot Loader 
 +
| 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00 || 0x3FE00
 +
|}
 +
 
 +
For information how these sections are used, see [[Boot Process]].
 +
 
 +
=== NV2A Initialization Table ===
  
From 0x00000000 - 0x000000079
+
The first DWORD is a pointer to a table of values that the NV2A northbridge uses to initialize itself, but with the least-significant bit always set to 1 (likely some sort of sanity check). The second DWORD is the unmodified table pointer. On all Xbox BIOS, the NV2A initialization table is always at file offset 8, virtual address 0xFF000008.
  
Not sure what this does. Some people think it might be involved with initialising the [[MCPX ROM]], but I don't know. The Reset Vector on the Pentium 3 would mean that this wasn't called before the MCPX ROM, but I'm guessing there are people out there who know a lot more about it than me.
+
The first DWORD of the NV2A initialization table is the magic number 0x2B16D065 (called the "boot header"). The purpose of the remaining values in the table is unknown{{FIXME}}.
 +
 
 +
=== MCPX Initialization Table ===
 +
 
 +
This is a table of values used to initialize the MCPX southbridge. It ''must'' be placed at offset 0x70 in the ROM image.
  
 
=== xcodes ===
 
=== xcodes ===
 
From 0x00000080 - Copyright string
 
  
 
These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are:
 
These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are:
  
 
The xcodes in the BIOS versions 3944, 4034, 4134 all start with:
 
The xcodes in the BIOS versions 3944, 4034, 4134 all start with:
04 10 08 00 80 01 80 00 00
+
<code>04 10 08 00 80 01 80 00 00</code>
  
 
The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with:
 
The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with:
04 84 08 00 80 01 80 00 00
+
<code>04 84 08 00 80 01 80 00 00</code>
  
 
This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX.
 
This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX.
  
Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 instructions are considerably larger than those in the 3944 BIOS.
+
Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 BIOS has considerably more xcodes than the 3944 BIOS.
  
 
=== Copyright String ===
 
=== Copyright String ===
  
57 bytes long with the following start positions:
+
Literally contains the ASCII encoded text: "<code>Copyright (c) Microsoft Corporation. All rights reserved.</code>" (57 bytes long).
 
 
* 3394 - 0xcfa
 
* 4034 - 0xcfa
 
* 4134 - 0xcfa
 
* 4817 - 0xdb9
 
* 5101 - 0xe49
 
* 5530 - 0xe59
 
* 5713 - 0xe59
 
* 5838 - 0xdcc
 
 
 
Literally contains the text: "Copyright (c) Microsoft Corporation. All rights reserved.".
 
 
 
=== Kernel ===
 
 
 
Still need to analyse
 
 
 
=== Kernel Data Segment ===
 
 
 
Still need to analyse
 
 
 
=== 2BL ===
 
 
 
Still need to analyse
 
  
 
=== Decoy bootloader ===
 
=== Decoy bootloader ===
Line 69: Line 84:
 
This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms.
 
This is very similar to the [[MCPX ROM]], only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms.
  
== Known Retail BIOSs ==
+
== See Also ==
  
* 3394
+
[[BIOS Dumping]]
* 4034
 
* 4134
 
* 4817
 
* 5101
 
* 5530
 
* 5713
 
* 5838
 
  
 
== References ==
 
== References ==
  
* [http://hackspot.net/XboxBlog/?p=1 Understanding the Xbox boot process]
+
* [http://redump.org/datfile/xbox-bios/ Xbox BIOS dat file from Redump Project]

Latest revision as of 19:14, 10 January 2024

The BIOS (an acronym for Basic Input/Output System and also known as the BIOS ROM or Xbox ROM) is a firmware image that is mapped to the top 16MiB of the CPU's physical address space (0xFF000000 - 0xFFFFFFFF). Like the standard PC BIOS, it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form.

On a standard Xbox, the BIOS image is stored in the Flash ROM. The BIOS image is actually 256 kiB, duplicated 4 times to fill the 1 MiB ROM chip. You can verify this by running:

$ split -n 4 xbox.bin 
$ md5sum xa*
542c62cb976a4993c8c5027dff9638ce  xaa
542c62cb976a4993c8c5027dff9638ce  xab
542c62cb976a4993c8c5027dff9638ce  xac
542c62cb976a4993c8c5027dff9638ce  xad

You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1 MiB and some are 256 kiB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256 kiB of data is repeated 64 times.

Components

The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences.

3944 4034 4134[FIXME] 4817 5101 5530 5713 5838
NV2A Initialization Table 0x00000 0x00000 0x00000 0x00000 0x00000 0x00000 0x00000 0x00000
MCPX Initialization Table 0x00070 0x00070 0x00070 0x00070 0x00070 0x00070 0x00070 0x00070
X-Codes 0x00080 0x00080 0x00080 0x00080 0x00080 0x00080 0x00080 0x00080
Copyright String 0x00CFA 0x00CFA 0x00CFA 0x00DB9 0x00E49 0x00E59 0x00E59 0x00DCC
Kernel 0x0619C
Kernel Data Segment 0x3944C
2BL
Always 0x6000 bytes
0x39E00 0x39E00 0x39E00 0x39E00 0x39E00 0x39E00 0x39E00 0x39E00
FBL
Always 0x2880 bytes
0x3D400 0x3D400 0x3D400 0x3D400 0x3D400
Decoy Boot Loader 0x3FE00 0x3FE00 0x3FE00 0x3FE00 0x3FE00 0x3FE00 0x3FE00 0x3FE00

For information how these sections are used, see Boot Process.

NV2A Initialization Table

The first DWORD is a pointer to a table of values that the NV2A northbridge uses to initialize itself, but with the least-significant bit always set to 1 (likely some sort of sanity check). The second DWORD is the unmodified table pointer. On all Xbox BIOS, the NV2A initialization table is always at file offset 8, virtual address 0xFF000008.

The first DWORD of the NV2A initialization table is the magic number 0x2B16D065 (called the "boot header"). The purpose of the remaining values in the table is unknown[FIXME].

MCPX Initialization Table

This is a table of values used to initialize the MCPX southbridge. It must be placed at offset 0x70 in the ROM image.

xcodes

These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are:

The xcodes in the BIOS versions 3944, 4034, 4134 all start with: 04 10 08 00 80 01 80 00 00

The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with: 04 84 08 00 80 01 80 00 00

This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX.

Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 BIOS has considerably more xcodes than the 3944 BIOS.

Copyright String

Literally contains the ASCII encoded text: "Copyright (c) Microsoft Corporation. All rights reserved." (57 bytes long).

Decoy bootloader

This is very similar to the MCPX ROM, only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms.

See Also

BIOS Dumping

References