Difference between revisions of "Xyclops"
From xboxdevwiki
Revision as of 13:36, 21 May 2025
The SMC on v1.6 Xboxes is a custom chip called Xyclops. It has a debug UART interface on pins 63 (RXD) and 64 (TXD) which can be used to read/write the BIOS flash, and the SMC's RAM, registers and flash.
Xyclops serial protocol
The debug interface is a 9600 baud UART, enabled by setting the DEBUG pin (pin 29) high. The baud rate can be changed by writing to a register (0xE9, listed under the internal registers). The very first byte sent causes Xyclops to enter debug mode, in which normal SMC operations are paused.
The protocol is based on 4-byte or 67-byte commands.
- Byte 0 is the opcode. Bit 0 often controls a destination.
- Bytes 1 - 2 are the address. The most significant byte is sent first. Commands that don't address memory will ignore this.
- Byte 3 is the payload byte, or the first byte of the 64-byte payload for some commands.
Each command will produce a response of at least 2 bytes.
- Byte 0 is the echo of the command byte, or 0x4B if the command is not accepted.
- Byte 1 is the response payload.
- Bytes 2 - 64 are the rest of the payload for commands that respond with 64 bytes of data.
Opcodes
SFR = Special Function Register
| Opcode (hex) | Length | Response length | Purpose |
|---|---|---|---|
| 00 and 01 | 4 | 2 | Read 1 byte of RAM |
| 02 and 03 | 4 | 2 | Write 1 byte to RAM |
| 04 and 05 | 4 | 65 | Read 1 byte of RAM 64 times (yes, really) |
| 06 and 07 | 67 | 2 | Write 64 bytes to something, possibly RAM. |
| 08 and 09 | 4 | 2 | Duplicate of 00 |
| 0A and 0B | 4 | 2 | Duplicate of 02 |
| 0C and 0D | 4 | 65 | Duplicate of 04 |
| 0E and 0F | 67 | 2 | Duplicate of 06 |
| 10 | 4 | 2 | Dump 1 byte from the BIOS flash |
| 11 | 4 | 2 | Dump 1 byte from the SMC flash |
| 12 | 4 | 2 | Program 1 byte of BIOS flash (untested). Needs to be unlocked by opcode 0x43. |
| 13 | 4 | 2 | Program 1 byte of SMC flash (untested). Needs to be unlocked by opcode 0x43. |
| 14 | 4 | 65 | Read 64 bytes of BIOS flash |
| 15 | 4 | 65 | Read 64 bytes of SMC flash |
| 16 | 67 | 2 | Program 64 bytes of BIOS flash. Needs to be unlocked by opcode 0x43. |
| 17 | 67 | 2 | Program 64 bytes of SMC flash. Needs to be unlocked by opcode 0x43. |
| 18 and 19 | 4 | 2 | Read 1 byte of some unknown areas |
| 1A and 1B | ? | ? | Untested |
| 1C and 1D | 4 | 65 | Read 64 bytes of some unknown areas |
| 1E and 1F | ? | ? | Possible write to unknown areas. Untested. |
| 20 and 21 | ? | ? | Assumed to read 1 byte of RAM/SFRs |
| 24 and 25 | 4 | 65 | Read 64 bytes of RAM/SFRs |
| 26 and 27 | ? | ? | Assumed to write 1 byte to RAM/SFRs |
| 28 and 29 | 4 | 2 | Read 1 byte of RAM/SFRs |
| 2A and 2B | 4 | 2 | Write 1 byte to RAM/SFRs. TODO: verify that 2A works in the same way |
| 2C and 2D | 4 | 65 | Duplicate of 24 |
| 2E and 2F | ? | ? | Assumed to be duplicate of 26 |
| --- | --- | --- | --- |
| 30 to 3F | ? | ? | Similar to 10 - 1F, but the data read is always 00. TODO: test if 32 is unlocked by opcode 0x43. TODO: dump whole area |
| --- | --- | --- | --- |
| 40 | 4 | 4 or 6 | Exits and re-enters debug mode |
| 41 | 4 | 2 | Exits debug mode and locks programming |
| 42 | 4 | 2 | Exits debug mode and locks programming |
| 43 | 4 | 2 | Unlocks programming and erasing flash |
| 48 - 4A | 4 | 2 | Not sure, appear to do nothing. |
| --- | --- | --- | --- |
| 80 and 81 | ? | ? | Could be another kind of erase, such as block or sector erase |
| 84 | 4 | 2 | Mass erase BIOS flash |
| 85 | 4 | 2 | Assumed to mass erase SMC flash. Danger: might also erase the command handler code! |
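
The command and response framing above can be written as a small encoder/decoder. This is an added example, not code from the wiki or from any existing tool; the names `FRAMES`, `build_command`, `parse_response` and `CommandRejected` are this example's own, the opcode subset is chosen for illustration, and the response bytes in the demo are constructed.

```python
"""Added example: framing for the Xyclops debug UART protocol described above."""

REJECT = 0x4B  # byte 0 of the response when the command is not accepted

# opcode -> (command length, response length), taken from the opcode table.
# Subset chosen for this example; only rows with known lengths are listed.
FRAMES = {
    0x00: (4, 2),    # read 1 byte of RAM
    0x06: (67, 2),   # 64-byte payload command, possibly a RAM write
    0x10: (4, 2),    # dump 1 byte from the BIOS flash
    0x11: (4, 2),    # dump 1 byte from the SMC flash
    0x14: (4, 65),   # read 64 bytes of BIOS flash
    0x15: (4, 65),   # read 64 bytes of SMC flash
    0x28: (4, 2),    # read 1 byte of RAM/SFRs
}


class CommandRejected(Exception):
    """Xyclops answered 0x4B instead of echoing the opcode."""


def build_command(opcode, address=0, payload=b"\x00"):
    """Return the 4-byte or 67-byte command frame for a known opcode."""
    cmd_len, _ = FRAMES[opcode]
    if not 0 <= address <= 0xFFFF:
        raise ValueError("address must fit in 2 bytes")
    if len(payload) != cmd_len - 3:
        raise ValueError(f"opcode {opcode:#04x} needs {cmd_len - 3} payload byte(s)")
    # Byte 0 opcode, bytes 1-2 address (most significant byte first), then payload.
    return bytes([opcode, address >> 8, address & 0xFF]) + bytes(payload)


def parse_response(opcode, raw):
    """Check the echo byte and length, then return the response payload."""
    _, resp_len = FRAMES[opcode]
    if not raw:
        raise ValueError("empty response")
    if raw[0] == REJECT:
        raise CommandRejected(f"opcode {opcode:#04x} not accepted")
    if raw[0] != opcode:
        raise ValueError(f"echo mismatch: sent {opcode:#04x}, got {raw[0]:#04x}")
    if len(raw) != resp_len:
        raise ValueError(f"expected {resp_len} bytes, got {len(raw)}")
    return bytes(raw[1:])


if __name__ == "__main__":
    # Constructed response: echo of 0x10 followed by one data byte.
    print(build_command(0x10, 0xFFF0).hex(), parse_response(0x10, b"\x10\xea").hex())
```

Checking the echo byte before trusting the payload keeps a rejected or desynchronised exchange from being recorded as flash or RAM contents.
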
Xyclops memory spaces
- 128-byte RAM (could be 256)
  - Upper 128 bytes read out as semi-random values. The 8051 core would need a bank select to naturally access them.
- 64KiB SMC flash
- 256KiB BIOS flash (4 banks)
  - Bank selected by register 0x91
- Unknown 512 and 1024 byte spaces
- 256-byte mixed RAM+SFR space (first 128 is RAM, second 128 is SFRs)
Xyclops internal registers
| Address (hex) | Purpose |
|---|---|
| 91 | BIOS flash bank select. 0 - 3 for 256KiB. |
| E9 | Debug serial baud control. Higher value = faster serial. 0xB0 = 9600. 0xEC = 38400 baud |