Xyclops

From xboxdevwiki
Revision as of 13:36, 21 May 2025 by Prehistoricman (talk | contribs) (Created page with "The SMC on v1.6 Xboxes is a custom chip called Xyclops. It has a debug UART interface on pins 63 (RXD) and 64 (TXD) which can be used to read/write the BIOS flash, and the...")

The SMC on v1.6 Xboxes is a custom chip called Xyclops. It has a debug UART interface on pins 63 (RXD) and 64 (TXD) which can be used to read/write the BIOS flash, and the SMC's RAM, registers and flash.

Xyclops serial protocol

9600 baud UART, enabled by setting the DEBUG pin (pin 29) high. The baud rate can be changed by writing to a register. The very first byte sent will cause Xyclops to enter debug mode, in which normal SMC operations are paused.

The protocol is based on 4-byte or 67-byte commands.

  1. Byte 0 is the opcode. Bit 0 often selects a destination.
  2. Bytes 1 - 2 are the address. The most significant byte is sent first. Commands that don't address memory will ignore this.
  3. Byte 3 is the payload byte, or the first byte of the 64-byte payload for some commands.

Each command will produce a response of at least 2 bytes.

  1. Byte 0 is the echo of the command byte, or 0x4B if the command is not accepted.
  2. Byte 1 is the response payload.
  3. Bytes 2 - 64 are the rest of the payload for commands that respond with 64 bytes of data.

Opcodes

SFR = Special Function Register

| Opcode (hex) | Length (bytes) | Response length (bytes) | Purpose |
| --- | --- | --- | --- |
| 00 and 01 | 4 | 2 | Read 1 byte of RAM |
| 02 and 03 | 4 | 2 | Write 1 byte to RAM |
| 04 and 05 | 4 | 65 | Read 1 byte of RAM 64 times (yes, really) |
| 06 and 07 | 67 | 2 | 64-byte write to something, possibly RAM. |
| 08 and 09 | 4 | 2 | Duplicate of 00 |
| 0A and 0B | 4 | 2 | Duplicate of 02 |
| 0C and 0D | 4 | 65 | Duplicate of 04 |
| 0E and 0F | 67 | 2 | Duplicate of 06 |
| 10 | 4 | 2 | Dump 1 byte from the BIOS flash |
| 11 | 4 | 2 | Dump 1 byte from the SMC flash |
| 12 | 4 | 2 | Program 1 byte of BIOS flash (untested). Needs to be unlocked by opcode 0x43. |
| 13 | 4 | 2 | Program 1 byte of SMC flash (untested). Needs to be unlocked by opcode 0x43. |
| 14 | 4 | 65 | Read 64 bytes of BIOS flash |
| 15 | 4 | 65 | Read 64 bytes of SMC flash |
| 16 | 67 | 2 | Program 64 bytes of BIOS flash. Needs to be unlocked by opcode 0x43. |
| 17 | 67 | 2 | Program 64 bytes of SMC flash. Needs to be unlocked by opcode 0x43. |
| 18 and 19 | 4 | 2 | Read 1 byte of some unknown areas |
| 1A and 1B | ? | ? | Untested |
| 1C and 1D | 4 | 65 | Read 64 bytes of some unknown areas |
| 1E and 1F | ? | ? | Possible write to unknown areas. Untested. |
| 20 and 21 | ? | ? | Assumed to read 1 byte of RAM/SFRs |
| 24 and 25 | 4 | 65 | Read 64 bytes of RAM/SFRs |
| 26 and 27 | ? | ? | Assumed to write 1 byte to RAM/SFRs |
| 28 and 29 | 4 | 2 | Read 1 byte of RAM/SFRs |
| 2A and 2B | 4 | 2 | Write 1 byte to RAM/SFRs. TODO: verify that 2A works in the same way |
| 2C and 2D | 4 | 65 | Duplicate of 24 |
| 2E and 2F | ? | ? | Assumed to be duplicate of 26 |
| --- | --- | --- | --- |
| 30 to 3F | ? | ? | Similar to 10 - 1F, but the data read is always 00. TODO: test if 32 is unlocked by opcode 0x43. TODO: dump whole area |
| --- | --- | --- | --- |
| 40 | 4 | 4 or 6 | Exits and re-enters debug mode |
| 41 | 4 | 2 | Exits debug mode and locks programming |
| 42 | 4 | 2 | Exits debug mode and locks programming |
| 43 | 4 | 2 | Unlocks programming and erasing flash |
| 48 - 4A | 4 | 2 | Not sure, appear to do nothing. |
| --- | --- | --- | --- |
| 80 and 81 | ? | ? | Could be another kind of erase, such as block or sector erase |
| 84 | 4 | 2 | Mass erase BIOS flash |
| 85 | 4 | 2 | Assumed to mass erase SMC flash. Danger: might also erase the command handler code! |
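
The framing rules and flash opcodes above, as an added example that is not part of the original wiki page or any Xbox tooling: it builds command frames, validates responses (echo byte, 0x4B rejection, length), and refuses programming and erase opcodes unless explicitly allowed. The function names, the 0x00 filler in byte 3 of read commands, and the default 64 KiB range (what the 16-bit address field can reach) are assumptions.

```python
REJECTED = 0x4B  # response byte 0 when a command is not accepted

# opcode -> (command length, response length), copied from the opcode table
SIZES = {
    0x10: (4, 2), 0x11: (4, 2), 0x12: (4, 2), 0x13: (4, 2),
    0x14: (4, 65), 0x15: (4, 65), 0x16: (67, 2), 0x17: (67, 2),
    0x43: (4, 2), 0x84: (4, 2), 0x85: (4, 2),
}
# Opcodes the table describes as programming or erasing flash.
DESTRUCTIVE = {0x12, 0x13, 0x16, 0x17, 0x84, 0x85}


def build_command(opcode, address=0, payload=b"\x00", allow_destructive=False):
    """Return the 4- or 67-byte frame: opcode, address (MSB first), payload."""
    if opcode not in SIZES:
        raise ValueError(f"opcode {opcode:#04x} has no known frame size")
    if opcode in DESTRUCTIVE and not allow_destructive:
        raise PermissionError(f"opcode {opcode:#04x} modifies flash")
    if not 0 <= address <= 0xFFFF:
        raise ValueError("address must fit in bytes 1-2 of the frame")
    if len(payload) != SIZES[opcode][0] - 3:
        raise ValueError("payload length does not match the command length")
    return bytes([opcode]) + address.to_bytes(2, "big") + bytes(payload)


def parse_response(opcode, raw):
    """Validate a response and return its payload (1 or 64 bytes)."""
    if raw[:1] == bytes([REJECTED]):
        raise RuntimeError(f"opcode {opcode:#04x} was not accepted (0x4B)")
    if len(raw) != SIZES[opcode][1]:
        raise ValueError("short or over-long response")
    if raw[0] != opcode:
        raise ValueError("response does not echo the command byte")
    return raw[1:]


def read64_frames(opcode=0x14, size=0x10000):
    """Frames that read `size` bytes in 64-byte steps from address 0."""
    return [build_command(opcode, addr) for addr in range(0, size, 64)]


# Constructed sample response (not captured from hardware): echo + 64 bytes.
sample = bytes([0x14]) + bytes(range(64))
print(build_command(0x14, 0x1234).hex(), parse_response(0x14, sample)[:4].hex())
```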

Xyclops memory spaces

  • 128-byte RAM (could be 256)
    • Upper 128 bytes read out as semi-random values. The 8051 core would need a bank select to naturally access them.
  • 64KiB SMC flash
  • 256KiB BIOS flash (4 banks)
    • Bank selected by register 0x91
  • Unknown 512 and 1024 byte spaces
  • 256-byte mixed RAM+SFR space (first 128 is RAM, second 128 is SFRs)

Xyclops internal registers

| Address (hex) | Purpose |
| --- | --- |
| 91 | BIOS flash bank select. 0 - 3 for 256KiB. |
| E9 | Debug serial baud control. Higher value = faster serial. 0xB0 = 9600. 0xEC = 38400 baud |