BIOS
The BIOS (an acronym for Basic Input/Output System and also known as the BIOS ROM or Xbox ROM) is a firmware image that is mapped to the top 16MiB of the CPU's physical address space (0xFF000000 - 0xFFFFFFFF). Like the standard PC BIOS, it is responsible for initializing the Xbox hardware and booting the system. Unlike the PC BIOS, however, the Xbox BIOS image also contains the kernel in a compressed and encrypted form.
On a standard Xbox, the BIOS image is stored in the Flash ROM. The BIOS image is actually 256 kiB, duplicated 4 times to fill the 1 MiB ROM chip. You can verify this by running:
$ split -n 4 xbox.bin $ md5sum xa* 542c62cb976a4993c8c5027dff9638ce xaa 542c62cb976a4993c8c5027dff9638ce xab 542c62cb976a4993c8c5027dff9638ce xac 542c62cb976a4993c8c5027dff9638ce xad
You'll notice it is the same file repeated 4 times. That explains how some BIOS chips are 1 MiB and some are 256 kiB. The next thing is that the BIOS is repeated from 0xFF000000 until it fills the rest of memory. In other words, that 256 kiB of data is repeated 64 times.
Contents
Components
The BIOS is split into different components. These are largely the same from BIOS to BIOS, but with some differences.
| 3944 | 4034 | 4134 | 4817 | 5101 | 5530 | 5713 | 5838 | |
|---|---|---|---|---|---|---|---|---|
| MCPX Initialization Table | 0x00000 | 0x00000 | 0x00000 | 0x00000 | 0x00000 | 0x00000 | 0x00000 | 0x00000 |
| X-Codes | 0x00080 | 0x00080 | 0x00080 | 0x00080 | 0x00080 | 0x00080 | 0x00080 | 0x00080 |
| Copyright String | 0x00CFA | 0x00CFA | 0x00CFA | 0x00DB9 | 0x00E49 | 0x00E59 | 0x00E59 | 0x00DCC |
| Kernel | 0x0619C | |||||||
| Kernel Data Segment | 0x3944C | |||||||
| 2BL Always 0x6000 bytes |
0x39E00 | 0x39E00 | 0x39E00 | |||||
| FBL Always 0x2880 bytes |
0x3D400 | 0x3D400 | 0x3D400 | 0x3D400 | 0x3D400 | |||
| Decoy Boot Loader | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 | 0x3FE00 |
For information how these sections are used, see Boot Process.
MCPX Initialization Table
From 0x00000000 - 0x0000007F
The first DWORD is a pointer to a table of values that the MCPX core uses to initialize itself, but with the least-significant bit always set to 1. The second DWORD is the unmodified table pointer. On all Xbox BIOS, the MCPX initialization table is always at file offset 8, virtual address 0xFF000008.
The first DWORD of the MCPX initialization table is the magic number 0x2B16D065 (called the "boot header"). The purpose of the remaining values in the table is unknown[FIXME].
xcodes
These are the xcode operations run by the MCPX interpreter. The first couple of lines appear to be nonsense (they don't execute any functionality), but then the first actual codes that I have found are:
The xcodes in the BIOS versions 3944, 4034, 4134 all start with:
04 10 08 00 80 01 80 00 00
The xcodes in the BIOS versions 4817, 5101, 5530, 5713, 5838 all start with:
04 84 08 00 80 01 80 00 00
This leads me to believe that the first three BIOS versions that I have are compatible with the 1.0 MCPX, and the rest are compatible with the 1.1 MCPX.
Next, some people believed that there was another unknown section between the xcodes and the copyright string. As far as I can tell, that section was to allow the xcode instruction set to expand, as the 5838 BIOS has considerably more xcodes than the 3944 BIOS.
Copyright String
Literally contains the ASCII encoded text: "Copyright (c) Microsoft Corporation. All rights reserved." (57 bytes long).
Decoy bootloader
This is very similar to the MCPX ROM, only the xcode interpreter is different, and it doesn't include any decryption/hashing algorithms.
