Xyclops
The SMC on v1.6 Xboxes is a custom chip called Xyclops. It exposes a debug UART on pins 63 (RXD) and 64 (TXD) through which the BIOS flash, as well as the SMC's own RAM, registers and flash, can be read and written.
Processor core
The embedded microcontroller that supports SMC functions is an 8051 core.
Debug serial protocol
The UART runs at 9600 baud by default and is enabled by pulling the DEBUG pin (pin 29) high. The baud rate can be changed by writing register 0xE9 (see Internal registers). The very first byte received puts Xyclops into debug mode, in which normal SMC operation is paused, so anything that transmits on the line while DEBUG is high will halt the SMC.
The protocol is based on 4-byte or 67-byte commands.
- Byte 0 is the opcode. Bit 0 often selects the destination, which is why many opcodes below come in pairs.
- Bytes 1 - 2 are the address. The most significant byte is sent first. Commands that don't address memory will ignore this.
- Byte 3 is the payload byte, or the first byte of the 64-byte payload for some commands.
Each command will produce a response of at least 2 bytes.
- Byte 0 is the echo of the command byte, or 0x4B if the command is not accepted.
- Byte 1 is the response payload
- Bytes 2 - 64 are the rest of the payload for commands that respond with 64 bytes of data.
Opcodes
SFR = Special Function Register
| Opcode (hex) | Length (bytes) | Response length (bytes) | Purpose |
|---|---|---|---|
| 00 and 01 | 4 | 2 | Read 1 byte of RAM |
| 02 and 03 | 4 | 2 | Write 1 byte to RAM |
| 04 and 05 | 4 | 65 | Read 1 byte of RAM 64 times (yes, really) |
| 06 and 07 | 67 | 2 | 64-byte write to something, possibly RAM. |
| 08 and 09 | 4 | 2 | Duplicate of 00 |
| 0A and 0B | 4 | 2 | Duplicate of 02 |
| 0C and 0D | 4 | 65 | Duplicate of 04 |
| 0E and 0F | 67 | 2 | Duplicate of 06 |
| 10 | 4 | 2 | Read 1 byte from the BIOS flash |
| 11 | 4 | 2 | Read 1 byte from the SMC flash |
| 12 | 4 | 2 | Program 1 byte of BIOS flash. Needs to be unlocked by opcode 0x43. |
| 13 | 4 | 2 | Program 1 byte of SMC flash. Needs to be unlocked by opcode 0x43. Addresses are aliased within the 16KiB flash space. |
| 14 | 4 | 65 | Read 64 bytes of BIOS flash |
| 15 | 4 | 65 | Read 64 bytes of SMC flash |
| 16 | 67 | 2 | Program 64 bytes of BIOS flash. Needs to be unlocked by opcode 0x43. |
| 17 | 67 | 2 | Program 64 bytes of SMC flash. Needs to be unlocked by opcode 0x43. Addresses are aliased within the 16KiB flash space. |
| 18 and 19 | 4 | 2 | Read 1 byte from spare sector 0 or 1 |
| 1A and 1B | 4 | 2 | Program 1 byte of spare sector 0 or 1. Needs to be unlocked by opcode 0x43. Addresses are aliased within the 2KiB or 0.5KiB memory space. |
| 1C and 1D | 4 | 65 | Read 64 bytes from spare sector 0 or 1 |
| 1E and 1F | 67 | 2 | Program 64 bytes of spare sector 0 or 1 |
| 20 and 21 | 4 | 2 | Read 1 byte of RAM/SFRs |
| 22 and 23 | 4 | 2 | Write 1 byte to RAM/SFRs |
| 24 and 25 | 4 | 65 | Read 1 byte of RAM/SFRs 64 times |
| 26 and 27 | ? | ? | Possibly broken write of 64 bytes to RAM/SFRs |
| 28 and 29 | 4 | 2 | Duplicate of 20 and 21 |
| 2A and 2B | 4 | 2 | Duplicate of 22 and 23 |
| 2C and 2D | 4 | 65 | Duplicate of 24 and 25 |
| 2E and 2F | ? | ? | Assumed to be duplicate of 26 |
| --- | --- | --- | --- |
| 30 to 3F | - | - | Similar to 10 - 1F, but the data read is always 00. Write attempts with opcode 0x32 are always rejected. |
| --- | --- | --- | --- |
| 40 | 4 | 4 or 6 | Exits and re-enters debug mode |
| 41 | 4 | 2 | Exits debug mode and locks programming |
| 42 | 4 | 2 | Exits debug mode and locks programming |
| 43 | 4 | 2 | Unlocks programming and erasing flash |
| 48 - 4A | 4 | 2 | Not sure, appears to do nothing. |
| --- | --- | --- | --- |
| 80 | 4 | 2 | Sector erase BIOS flash. Sectors are 0x800 bytes. |
| 81 | 4 | 2 | Sector erase SMC flash. Sectors are 0x200 bytes. |
| 84 | 4 | 2 | Mass erase BIOS flash. Takes about 350ms. |
| 85 | 4 | 2 | Mass erase SMC flash. Takes about 350ms. |
| 88 | 4 | 2 | Erase spare sector 0 (0x200 bytes) |
| 89 | 4 | 2 | Erase spare sector 1 (0x80 bytes) |
| 8C | 4 | 2 | Erase spare sector 0 |
| 8D | 4 | 2 | Erase spare sector 1 |
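The framing described above, written out as helpers, with a constructed stand-in for the chip so the exchange can be run offline. This is an added example, not code from this page or from any Xbox project. The opcode numbers, frame lengths, the 0x4B reject byte, the 0x800-byte BIOS sectors and bank register 0x91 come from the tables on this page; the serial transport itself (9600 8N1 on pins 63/64) is left to the caller, and the simulator's details (64 KiB of BIOS flash per bank, erased cells reading 0xFF, programming only clearing bits, reply payload 0x00 for writes) are assumptions rather than behaviour measured on hardware.

```python
"""Xyclops debug serial framing helpers plus a constructed offline simulator."""

REJECTED = 0x4B          # echo byte returned when a command is not accepted

OP_RD_BIOS    = 0x10     # read 1 byte of BIOS flash
OP_PRG_BIOS   = 0x12     # program 1 byte of BIOS flash (needs 0x43 first)
OP_RD_BIOS64  = 0x14     # read 64 bytes of BIOS flash
OP_PRG_BIOS64 = 0x16     # program 64 bytes of BIOS flash (needs 0x43 first)
OP_WR_SFR     = 0x22     # write 1 byte to the RAM/SFR space
OP_UNLOCK     = 0x43     # unlock programming and erasing
OP_ERASE_BIOS = 0x80     # sector erase BIOS flash, 0x800-byte sectors

SFR_BIOS_BANK = 0x91     # bank select 0-3 for the 256 KiB BIOS flash
BIOS_SECTOR = 0x800
BANK_SIZE = 0x10000      # assumption: 256 KiB / 4 banks, 16-bit address within a bank

# Opcodes that carry a 64-byte payload (67-byte frame) or return one (65-byte reply).
LONG_CMDS = {0x06, 0x07, 0x0E, 0x0F, 0x16, 0x17, 0x1E, 0x1F, 0x26, 0x27, 0x2E, 0x2F}
LONG_REPLIES = {0x04, 0x05, 0x0C, 0x0D, 0x14, 0x15, 0x1C, 0x1D, 0x24, 0x25, 0x2C, 0x2D}


def encode(opcode, addr=0, payload=b"\x00"):
    """Build a frame: opcode, address MSB first, then 1 or 64 payload bytes."""
    payload = bytes(payload)
    want = 64 if opcode in LONG_CMDS else 1
    if len(payload) != want:
        raise ValueError("opcode 0x%02X takes a %d-byte payload" % (opcode, want))
    return bytes([opcode & 0xFF, (addr >> 8) & 0xFF, addr & 0xFF]) + payload


def decode(opcode, resp):
    """Check the echo byte and return the reply payload (1 or 64 bytes)."""
    if len(resp) < 2:
        raise ValueError("reply shorter than 2 bytes")
    if resp[0] == REJECTED:
        raise PermissionError("command 0x%02X rejected" % opcode)
    if resp[0] != opcode:
        raise ValueError("echo 0x%02X does not match opcode 0x%02X" % (resp[0], opcode))
    want = 65 if opcode in LONG_REPLIES else 2
    if len(resp) != want:
        raise ValueError("expected %d reply bytes, got %d" % (want, len(resp)))
    return bytes(resp[1:])


class FakeXyclops:
    """Constructed model of a flashable part: programming answers 0x4B until 0x43 is seen."""

    def __init__(self):
        self.bios = bytearray(b"\xFF" * (4 * BANK_SIZE))   # erased flash reads 0xFF (assumed)
        self.sfr = {}
        self.unlocked = False

    def _base(self, addr):
        return (self.sfr.get(SFR_BIOS_BANK, 0) & 3) * BANK_SIZE + (addr & 0xFFFF)

    def exchange(self, cmd):
        """Consume one command frame and return the reply bytes."""
        op, addr, data = cmd[0], (cmd[1] << 8) | cmd[2], cmd[3:]
        if op == OP_UNLOCK:
            self.unlocked = True
            return bytes([op, 0x00])
        if op == OP_WR_SFR:
            self.sfr[addr & 0xFF] = data[0]
            return bytes([op, data[0]])
        if op == OP_RD_BIOS:
            return bytes([op, self.bios[self._base(addr)]])
        if op == OP_RD_BIOS64:
            b = self._base(addr)
            return bytes([op]) + (bytes(self.bios[b:b + 64]) + b"\xFF" * 64)[:64]
        if op in (OP_PRG_BIOS, OP_PRG_BIOS64, OP_ERASE_BIOS):
            if not self.unlocked:
                return bytes([REJECTED, 0x00])
            b = self._base(addr)
            if op == OP_ERASE_BIOS:
                start = b - b % BIOS_SECTOR
                self.bios[start:start + BIOS_SECTOR] = b"\xFF" * BIOS_SECTOR
            else:
                for i, v in enumerate(data):
                    self.bios[b + i] &= v          # programming only clears bits (assumed)
            return bytes([op, 0x00])
        return bytes([REJECTED, 0x00])             # anything else: not accepted


def select_bank(dev, bank):
    """Write SFR 0x91 through opcode 0x22 (addresses 0x80-0xFF of that space are SFRs)."""
    decode(OP_WR_SFR, dev.exchange(encode(OP_WR_SFR, SFR_BIOS_BANK, bytes([bank & 3]))))


def read_bios(dev, bank, addr, length):
    """Read `length` bytes of BIOS flash using 64-byte reads (opcode 0x14)."""
    select_bank(dev, bank)
    out = bytearray()
    while len(out) < length:
        out += decode(OP_RD_BIOS64, dev.exchange(encode(OP_RD_BIOS64, addr + len(out))))
    return bytes(out[:length])


def program_bios_sector(dev, bank, addr, data):
    """Unlock, erase one 0x800-byte sector, program it in 64-byte frames, verify by readback."""
    if addr % BIOS_SECTOR or len(data) > BIOS_SECTOR:
        raise ValueError("addr must be sector aligned and data at most one sector")
    select_bank(dev, bank)
    decode(OP_UNLOCK, dev.exchange(encode(OP_UNLOCK)))
    decode(OP_ERASE_BIOS, dev.exchange(encode(OP_ERASE_BIOS, addr)))
    for off in range(0, len(data), 64):
        chunk = bytes(data[off:off + 64]).ljust(64, b"\xFF")   # 0xFF leaves erased cells alone
        decode(OP_PRG_BIOS64, dev.exchange(encode(OP_PRG_BIOS64, addr + off, chunk)))
    return read_bios(dev, bank, addr, len(data)) == bytes(data)


if __name__ == "__main__":
    dev = FakeXyclops()
    print("program before unlock:", dev.exchange(encode(OP_PRG_BIOS, 0x0010)).hex())
    print("sector programmed and verified:", program_bios_sector(dev, 2, 0x0800, b"XBOX" * 16))
    print("bank 2 @0x0800:", read_bios(dev, 2, 0x0800, 8), " bank 0 @0x0800:", read_bios(dev, 0, 0x0800, 8))
```

Against real hardware, replace `FakeXyclops.exchange` with a function that writes the frame to the UART and reads back exactly 2 or 65 bytes; the `decode` length check is what catches a device that answered with the 2-byte reject form to a command expecting 65 bytes.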
Xyclops memory spaces
- 128-byte RAM (could be 256)
  - The upper 128 bytes read out as semi-random values. The 8051 core would need a bank select to access them naturally.
- 16KiB SMC flash
- 1KiB SMC debug ROM (at address 0xFC00 in the SMC flash space)
- 256KiB BIOS flash (4 banks)
  - Bank selected by register 0x91
- 512-byte spare sector 0
- 128-byte spare sector 1
- 256-byte mixed RAM+SFR space (the first 128 bytes are RAM, the second 128 are SFRs)
Internal registers
| Address (hex) | Purpose |
|---|---|
| 80 | Port 0 output value (write) and input value (read) |
| 90 | Port 1 output value (write) and input value (read) |
| 91 | BIOS flash bank select. 0 - 3 for 256KiB. |
| 9D | Port 0 open drain mode. 0 = normal GPIO. 1 = open drain mode (pin is floating when output value == 1). |
| 9E | Port 1 open drain mode. 0 = normal GPIO. 1 = open drain mode (pin is floating when output value == 1). |
| 9F | Port 2 open drain mode. 0 = normal GPIO. 1 = open drain mode (pin is floating when output value == 1). |
| A0 | Port 2 output value (write) and input value (read) |
| B0 | Port 0 tristate. 0 = output on. 1 = floating. |
| C0 | Port 1 tristate. 0 = output on. 1 = floating. |
| D7 | SMBus related |
| D8 | Port 2 tristate. 0 = output on. 1 = floating. Also appears to be involved in reading port 2 pin states. |
| D9 - DE | SMBus related |
| E9 | Debug serial baud control. Higher value = faster serial. 0xB0 = 9600. 0xEC = 38400 baud |
| EC | Flash program/erase control. Bits 3:0 determine the flash region to target. Bits 7:5 control the kind of operation. Bit 4 starts the operation. |
Revisions
Known revisions are:
- Unlabelled - prototypes
- A-A02 - flashable
- A-B01 - not flashable
The die and bonding of A-B01 look identical to A-A02, so it is not currently understood what prevents it from being flashed. The program and erase commands are still accepted and report success, but produce no change in memory contents.