The Xbox kernel is called xboxkrnl.exe. It is closely related to the Windows NT ntoskrnl.exe. Its image base address is always 0x80010000.
xboxkrnl.exe is a mostly standard exe file. However, the MS-DOS header was patched to contain Xbox specific data in the reserved 20 byte block starting at offset 40:
| Offset | Description |
|---|---|
| 40 | Size of uninitialized portion of the .data section |
| 44 | Size of initialized portion of the .data section |
| 48 | Memory address of initialized portion of the .data section (usually in Flash). Used to re-initialize the data section pointed to by the next field. Note that the pointer might be invalid during normal execution as the Flash might not be mapped at all times. |
| 52 | Memory address where the .data section is stored (usually the same as in the section header + image base). |
All sections are identity mapped (meaning file offsets and offsets in RAM match). This is because the kernel is not loaded through a traditional PE / exe loader, but just unpacked into memory.
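The following Python script is an added example, not code from the page or from any Xbox project. It reads the four Xbox-specific DWORDs at MS-DOS header offsets 40, 44, 48 and 52, walks the standard PE section table, and cross-checks the two properties stated above: every section is identity mapped (file offset equals RVA), and the address at offset 52 equals the image base 0x80010000 plus the .data section's RVA. The sample image it builds is constructed for the demonstration (the Flash address 0xFFFC0000, the section sizes and the RVAs are made up); run it against a real xboxkrnl.exe with `check_kernel_layout(open(path, "rb").read())`.

```python
import struct

# Stated on the page: the kernel image is always loaded at this address.
IMAGE_BASE = 0x80010000

# Offset of the Xbox-specific data patched into the MS-DOS header.
XBOX_DOS_FIELDS_OFFSET = 40


def parse_xbox_dos_header(image: bytes) -> dict:
    """Return the four Xbox-specific DWORDs from the MS-DOS header."""
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    uninit_size, init_size, init_addr, data_addr = struct.unpack_from(
        "<4I", image, XBOX_DOS_FIELDS_OFFSET)
    return {
        "data_uninit_size": uninit_size,  # offset 40
        "data_init_size": init_size,      # offset 44
        "data_init_addr": init_addr,      # offset 48, usually points into Flash
        "data_addr": data_addr,           # offset 52, where .data lives in RAM
    }


def parse_sections(image: bytes) -> list:
    """Walk the ordinary PE section table (the non-Xbox-specific part of the file)."""
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4
    num_sections = struct.unpack_from("<H", image, coff + 2)[0]
    opt_hdr_size = struct.unpack_from("<H", image, coff + 16)[0]
    table = coff + 20 + opt_hdr_size
    sections = []
    for i in range(num_sections):
        name, vsize, vaddr, raw_size, raw_ptr = struct.unpack_from(
            "<8sIIII", image, table + i * 40)
        sections.append({
            "name": name.rstrip(b"\0").decode("ascii"),
            "vsize": vsize, "vaddr": vaddr,
            "raw_size": raw_size, "raw_ptr": raw_ptr,
        })
    return sections


def check_kernel_layout(image: bytes) -> list:
    """Cross-check the Xbox DOS-header fields against the section table.

    Returns a list of findings; an empty list means the image matches the
    layout described on the page (identity mapping, .data address field).
    """
    hdr = parse_xbox_dos_header(image)
    sections = parse_sections(image)
    findings = []
    # 1. Every section with file data must be identity mapped: raw offset == RVA.
    for s in sections:
        if s["raw_size"] and s["raw_ptr"] != s["vaddr"]:
            findings.append(f"{s['name']}: raw offset {s['raw_ptr']:#x} != RVA {s['vaddr']:#x}")
    # 2. Offset 52 must hold image base + RVA of .data.
    data = next((s for s in sections if s["name"] == ".data"), None)
    if data is None:
        findings.append("no .data section")
    else:
        expected = IMAGE_BASE + data["vaddr"]
        if hdr["data_addr"] != expected:
            findings.append(f".data address {hdr['data_addr']:#x} != expected {expected:#x}")
    return findings


def build_sample_kernel(data_addr_field: int = None) -> bytes:
    """Build a tiny constructed xboxkrnl-like image (not a real kernel) for the checks above."""
    text_rva, text_size = 0x400, 0x800
    data_rva, data_size = 0xC00, 0x400
    data_init, data_uninit = 0x200, 0x200
    flash_addr = 0xFFFC0000  # constructed placeholder for the Flash copy of .data
    if data_addr_field is None:
        data_addr_field = IMAGE_BASE + data_rva
    pe_off = 0x80
    image = bytearray(data_rva + data_size)
    image[:2] = b"MZ"
    struct.pack_into("<4I", image, XBOX_DOS_FIELDS_OFFSET,
                     data_uninit, data_init, flash_addr, data_addr_field)
    struct.pack_into("<I", image, 0x3C, pe_off)
    image[pe_off:pe_off + 4] = b"PE\0\0"
    opt_size = 224
    # COFF header: i386, 2 sections, no symbols, PE32 optional header size, characteristics.
    struct.pack_into("<HHIIIHH", image, pe_off + 4, 0x14C, 2, 0, 0, 0, opt_size, 0x0102)
    struct.pack_into("<H", image, pe_off + 24, 0x10B)  # optional header magic (PE32)
    table = pe_off + 24 + opt_size
    layout = [(b".text", text_size, text_rva, text_size),
              (b".data", data_size, data_rva, data_init)]
    for i, (name, vsize, rva, raw) in enumerate(layout):
        # Identity mapped: PointerToRawData == VirtualAddress.
        struct.pack_into("<8sIIIIIIHHI", image, table + i * 40,
                         name, vsize, rva, raw, rva, 0, 0, 0, 0, 0x60000020)
    return bytes(image)


if __name__ == "__main__":
    print(parse_xbox_dos_header(build_sample_kernel()))
    print("findings:", check_kernel_layout(build_sample_kernel()))
    print("tampered:", check_kernel_layout(build_sample_kernel(data_addr_field=IMAGE_BASE)))
```

On the constructed image the checks report nothing; overwriting the offset-52 field with a wrong address produces a single finding, which is the kind of discrepancy that would show up if a kernel image had been relinked or patched without its DOS-header fields being updated.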
The .text section contains the kernel exports.
The .data section stores initialized and uninitialized data. A copy of the initialized portion of this section is usually stored in the BIOS.
Stores variables which must be preserved across a quick-reboot.
A Physical Region Descriptor Table (PRDT) for the IDE bus. This section serves only as a memory allocation; it does not need to be initialized when the kernel is loaded.
This section is always the last one. It contains the entrypoint of the kernel. This does all the cold-boot kernel initialization as described here. Later kernels[FIXME] will discard this section after initialization. INIT also contains the Boot Animation, so once the kernel has finished booting it can't do a full hardware re-initialization or play the boot animation anymore.