(WIP) New modchip coming in
- professor_jonny
- Posts: 1297
- Joined: Thu Jul 05, 2012 5:41 am
- Location: New Zealand
- Has thanked: 66 times
- Been thanked: 196 times
Re: (WIP) New modchip coming in
I believe these matrix and d6 tsop bioses have something to do with shadowing of the rom image in the upper 16mb on boot and where it reads the shadows from.
It will fail to boot with the d6 tsop bios with out a valid and some what bootable image in the tsop and I know it compairs the four copys in 000 to ffff to test for a valid boot.
As a semi eduicated guess I think the bios boots from lcp then when you remove d0 it then reads the bios copies from the tsop to copy shadows to memory.
After getting a valid kernel start it reads the rest of the images from the tsop for the shadow's in doing so it unlocks the read and write lines alowing you to flash but still initilises the xbox with a hacked kernel.
I guess one just needs to do a memory dump of the first 16mb on boot to see what is going on with one of these bioses.
It will fail to boot with the d6 tsop bios with out a valid and some what bootable image in the tsop and I know it compairs the four copys in 000 to ffff to test for a valid boot.
As a semi eduicated guess I think the bios boots from lcp then when you remove d0 it then reads the bios copies from the tsop to copy shadows to memory.
After getting a valid kernel start it reads the rest of the images from the tsop for the shadow's in doing so it unlocks the read and write lines alowing you to flash but still initilises the xbox with a hacked kernel.
I guess one just needs to do a memory dump of the first 16mb on boot to see what is going on with one of these bioses.
-
- Posts: 213
- Joined: Fri Oct 05, 2012 5:19 pm
- Location: Québec, Canada
- Has thanked: 21 times
- Been thanked: 125 times
Re: (WIP) New modchip coming in
Where can I find the special D6 BIOS that would enable TSO recovery?
I found an Evox D6 to download at Eurasia but I don't think it's the right one. I think I read that the "X" logo of the BIOS in question should be yellow or blue (can't recall); mine is plain green like stock.
I found an Evox D6 to download at Eurasia but I don't think it's the right one. I think I read that the "X" logo of the BIOS in question should be yellow or blue (can't recall); mine is plain green like stock.
- Xphazer
- Posts: 524
- Joined: Wed Jul 04, 2012 4:39 am
- Location: Montréal
- Has thanked: 238 times
- Been thanked: 106 times
Re: (WIP) New modchip coming in
No problem for Boblight, it's still a very interesting modchip even without it!
And thanks for the nice TSOP splitting explanation!
Here's what I can see:
Black solder mask...
And thanks for the nice TSOP splitting explanation!
Here's what I can see:
- CPLD pin 34 to transistor base* with a 1kΩ in-line resistor
- flash chip pin 47 (GND?) to transistor emitter*
- pad A15 to transistor collector*
Black solder mask...
-
- Posts: 213
- Joined: Fri Oct 05, 2012 5:19 pm
- Location: Québec, Canada
- Has thanked: 21 times
- Been thanked: 125 times
Re: (WIP) New modchip coming in
Thank you Xphazer for the very detailed pictures.
So I would deduce that this A15 signal is controlled in either of those 3 ways:
-Command coming from LPC bus
-Timeout due to an internal counter in the CPLD chip
-Timeout due to an external hardware counter
Third possibility il not really probable since I don't see anything that could trigger a logic level change over time, like a RC circuit.
Second possibility is also unlikely if the A15 signal must be turned way after booting the console. The XC9572XL does not contain enough logic elements to implement a counter that could overflow in a matter of milliseconds when it runs at 33MHz and takes care of the LPC and flash interface at the same time! If so, they were really exceptionnal coders with magic coming out of their fingers!
So a signal coming from the LPC bus is necessary. Whether it be a dedicated signal like what's being sent to drive a HD44780 LCD, or a detection of a particular chain of events; like the Xbox requesting to read flash data at a specific address offset. I'll have to whip out the logic analyzer to see if anything is being sent on the LPC bus after the 256KB of data have been sent. Maybe the EvoX D6 does send data over the LPC bus after while booting (after the console reads the BIOS).
If it's not the case, then I guess the only course of action possible is to probe the Chameleon Chip with a logic analyzer to precisely pinpoint the moment the A15 signal is released from ground. That means someone will have to probe LAD0-3, CLK, RST and the CPLD pin that controls A15's transistor while the Xbox boots with a logic analyzer and provide me with multiple captured waveforms!
So I would deduce that this A15 signal is controlled in either of those 3 ways:
-Command coming from LPC bus
-Timeout due to an internal counter in the CPLD chip
-Timeout due to an external hardware counter
Third possibility il not really probable since I don't see anything that could trigger a logic level change over time, like a RC circuit.
Second possibility is also unlikely if the A15 signal must be turned way after booting the console. The XC9572XL does not contain enough logic elements to implement a counter that could overflow in a matter of milliseconds when it runs at 33MHz and takes care of the LPC and flash interface at the same time! If so, they were really exceptionnal coders with magic coming out of their fingers!
So a signal coming from the LPC bus is necessary. Whether it be a dedicated signal like what's being sent to drive a HD44780 LCD, or a detection of a particular chain of events; like the Xbox requesting to read flash data at a specific address offset. I'll have to whip out the logic analyzer to see if anything is being sent on the LPC bus after the 256KB of data have been sent. Maybe the EvoX D6 does send data over the LPC bus after while booting (after the console reads the BIOS).
If it's not the case, then I guess the only course of action possible is to probe the Chameleon Chip with a logic analyzer to precisely pinpoint the moment the A15 signal is released from ground. That means someone will have to probe LAD0-3, CLK, RST and the CPLD pin that controls A15's transistor while the Xbox boots with a logic analyzer and provide me with multiple captured waveforms!
- professor_jonny
- Posts: 1297
- Joined: Thu Jul 05, 2012 5:41 am
- Location: New Zealand
- Has thanked: 66 times
- Been thanked: 196 times
Re: (WIP) New modchip coming in
I believe it is backagedpsyko_chewbacca wrote:Where can I find the special D6 BIOS that would enable TSO recovery?
I found an Evox D6 to download at Eurasia but I don't think it's the right one. I think I read that the "X" logo of the BIOS in question should be yellow or blue (can't recall); mine is plain green like stock.
in slayers in the old bios folder in one of the older builds out in the wild .
I think it is EVO D6 TSOP and has yellow and blue ill have a look at home for it on my old pc.
- Xphazer
- Posts: 524
- Joined: Wed Jul 04, 2012 4:39 am
- Location: Montréal
- Has thanked: 238 times
- Been thanked: 106 times
Re: (WIP) New modchip coming in
There you go, the tsop d6.bin I've used in the pass with the Chameleon is attached to this post.
And again, I would be very happy to lend you the modchip if you need it.
And again, I would be very happy to lend you the modchip if you need it.
- Attachments
-
- tsop_d6.zip
- (221.08 KiB) Downloaded 461 times
- professor_jonny
- Posts: 1297
- Joined: Thu Jul 05, 2012 5:41 am
- Location: New Zealand
- Has thanked: 66 times
- Been thanked: 196 times
Re: (WIP) New modchip coming in
Thanks Xphazer you beat me to it.
i just had a look it is in the old bios folder in the slayers 2.6 final iso on xbins.
i just had a look it is in the old bios folder in the slayers 2.6 final iso on xbins.
-
- Posts: 213
- Joined: Fri Oct 05, 2012 5:19 pm
- Location: Québec, Canada
- Has thanked: 21 times
- Been thanked: 125 times
Re: (WIP) New modchip coming in
Thank you all.
I just cannot seem to make this BIOS to boot right... It's just stuck on a black screen and quickly reset the console over and over.
This got me to purposely corrupt my 1.0 Xbox TSOP, the bad way unfortunately... Got it fixed the hard way:
That Minipro programmer just pays for itself!
I think I begin to see how this whole TSOP recovery works. Your Xbox's TSOP must contain valid data in the first 32KB to initially boot from it and then switch to the LPC bus as the upper part of the flash cannot be properly decrypted. MCPX then switch to LPC to fetch the remaining data and finally boot a valid kernel.
Anyway, I hooked up my logic analyzer and after some patience and a lot of luck, I found something that doesn't belong when you normally load up a BIOS.
That's an I/O LPC operation, much like what XBlast OS does to send command to the XBlast modchip. I still don't know what that specific command does to a Chameleon. If I had to guess, I'd say that command either toggles D0 or A15. I guess I'll need a Chameleon after all!
I just cannot seem to make this BIOS to boot right... It's just stuck on a black screen and quickly reset the console over and over.
This got me to purposely corrupt my 1.0 Xbox TSOP, the bad way unfortunately... Got it fixed the hard way:
That Minipro programmer just pays for itself!
I think I begin to see how this whole TSOP recovery works. Your Xbox's TSOP must contain valid data in the first 32KB to initially boot from it and then switch to the LPC bus as the upper part of the flash cannot be properly decrypted. MCPX then switch to LPC to fetch the remaining data and finally boot a valid kernel.
Anyway, I hooked up my logic analyzer and after some patience and a lot of luck, I found something that doesn't belong when you normally load up a BIOS.
That's an I/O LPC operation, much like what XBlast OS does to send command to the XBlast modchip. I still don't know what that specific command does to a Chameleon. If I had to guess, I'd say that command either toggles D0 or A15. I guess I'll need a Chameleon after all!
- professor_jonny
- Posts: 1297
- Joined: Thu Jul 05, 2012 5:41 am
- Location: New Zealand
- Has thanked: 66 times
- Been thanked: 196 times
Re: (WIP) New modchip coming in
The chemelion bios may boot from the chip first then read out the tsop padding after the kernel image?
that would enable the tsop we and wr support lines and not crash from a non valid image in the tsop
that would enable the tsop we and wr support lines and not crash from a non valid image in the tsop
- xman
- Posts: 1289
- Joined: Wed Jul 04, 2012 2:30 pm
- Location: Sydney, Australia
- Has thanked: 55 times
- Been thanked: 168 times
Re: (WIP) New modchip coming in
Just curious why your logic analyzer is picking up clock pulses that aren't all the same duration?. Usually indicates the clock pulse circuit is on it's way out especially when they are not of any set pattern where the pulse is longer.
-
- Posts: 213
- Joined: Fri Oct 05, 2012 5:19 pm
- Location: Québec, Canada
- Has thanked: 21 times
- Been thanked: 125 times
Re: (WIP) New modchip coming in
I just found out that the Chameleon could be controlled from Evolution-X dashboard. There was a number of commands you could write into your evox.ini file to switch/flash banks and disable modchip.
I cannot find the Chameleon manual which supposely contains all the commands supported in Evolution-X. I haven't checked on Xbins yet but if it's not there, could someone upload the PDF manual?
I might change the LPC commands set I currently use in XBlast OS to control modchip's banks to make it work under Evolution-X (bonus feature so why not!)
I cannot find the Chameleon manual which supposely contains all the commands supported in Evolution-X. I haven't checked on Xbins yet but if it's not there, could someone upload the PDF manual?
I might change the LPC commands set I currently use in XBlast OS to control modchip's banks to make it work under Evolution-X (bonus feature so why not!)
- Xphazer
- Posts: 524
- Joined: Wed Jul 04, 2012 4:39 am
- Location: Montréal
- Has thanked: 238 times
- Been thanked: 106 times
Re: (WIP) New modchip coming in
There you go.
- Attachments
-
- chameleon_user_manual.zip
- (580.26 KiB) Downloaded 471 times
-
- Posts: 213
- Joined: Fri Oct 05, 2012 5:19 pm
- Location: Québec, Canada
- Has thanked: 21 times
- Been thanked: 125 times
Re: (WIP) New modchip coming in
Well first of all, the clock signal is sampled like other signals. It is not used as a clock source like you're supposed to do. It served to spot glitches when I was initially developing code for the CPLD. Also, as you can see in the picture below, my setup isn't really good at keeping signal integrity but it gets the job done.xman wrote:Just curious why your logic analyzer is picking up clock pulses that aren't all the same duration?. Usually indicates the clock pulse circuit is on it's way out especially when they are not of any set pattern where the pulse is longer.
Moreover, the Logic Sniffer is not a top of the line logic analyzer but for 50$ you get a 16bits(expandable to 32bits) capture bus you can sample up to 200MHz. At the time I bought it, it was the best thing for the money. Now you can get clones of commercial logic analyzers pretty cheap on Aliexpress. I wonder how well they work compared to their genuine couterpart...
I captured a lot of data coming from the LPC bus when launching Evolution-X dashboard. Looks like there's a lot going in there. I hope it won't require me to modify the CPLD code too much as I don't have a lot of space left in it to implement new things! Also, I tried adding the configuration example of the Chameleon's manual in my evox.ini file but none of the menu showed up in Evolution-X. Maybe it requires to detect a Chameleon modchip or support for those commands has been drop in later versions (unlikely since there's activity on the LPC bus). Anyway I'll know this weekend as Xphazer was kind enough to lend me his Chameleon modchip! Thank you.
EDIT: Well, Evolution-X is reading the BIOS straight from the active flash device to ID it... Didn't think that one. So when filtering all the Memory READ LPC commands, I'm left with only one recurring I/O read command showing up.
Evolution-X checks at address 0x00FE periodically, probably for a Chameleon modchip but no one's there to answer. It is fits in the logic of the Evox D6 BIOS sending the I/O write command at address 0x00FF I found yesterday.
-
- Posts: 213
- Joined: Fri Oct 05, 2012 5:19 pm
- Location: Québec, Canada
- Has thanked: 21 times
- Been thanked: 125 times
Re: (WIP) New modchip coming in
I got it!
TSOP recovery using tsop_d6.bin works perfectly on the XBlast Mod now; just like on the Chameleon. I will post more info on it later.
This will require a new PCB revision.
TSOP split will only split 1MB TSOP in 2 now. I originally planned to support 4-way split but to reduce part count and PCB complexity, I decided to remove control of TSOP's A18 line.
Also, I looked into spoofing Chameleon flash control logic to support EvoX dash exclusive features related to Chameleon but that's maybe not going to happen. I'm still not decided if I will do it. Is it really worth it? Is there a real benefit to be able to switch flash banks from Evolution-X when there's an OS on board that already does that? For now only Chameleon ID is supported. Evolution-X will report a Chameleon modchip detected but that stops there.
Anyway everyone can thank Xphazer for lending me his Chameleon modchip. It would have been nearly impossible to make this work without it!
TSOP recovery using tsop_d6.bin works perfectly on the XBlast Mod now; just like on the Chameleon. I will post more info on it later.
This will require a new PCB revision.
TSOP split will only split 1MB TSOP in 2 now. I originally planned to support 4-way split but to reduce part count and PCB complexity, I decided to remove control of TSOP's A18 line.
Also, I looked into spoofing Chameleon flash control logic to support EvoX dash exclusive features related to Chameleon but that's maybe not going to happen. I'm still not decided if I will do it. Is it really worth it? Is there a real benefit to be able to switch flash banks from Evolution-X when there's an OS on board that already does that? For now only Chameleon ID is supported. Evolution-X will report a Chameleon modchip detected but that stops there.
Anyway everyone can thank Xphazer for lending me his Chameleon modchip. It would have been nearly impossible to make this work without it!
- professor_jonny
- Posts: 1297
- Joined: Thu Jul 05, 2012 5:41 am
- Location: New Zealand
- Has thanked: 66 times
- Been thanked: 196 times
Re: (WIP) New modchip coming in
I guess that part was the intention to reboot and boot into another bank or flash a different bank than you booted from?
as xbox live is not around any more it maybe not that important any more ?
as xbox live is not around any more it maybe not that important any more ?
- spicemuseum
- Posts: 906
- Joined: Mon Jul 09, 2012 11:08 pm
- Has thanked: 94 times
- Been thanked: 75 times
Re: (WIP) New modchip coming in
Fantastic! Look forward to more info.psyko_chewbacca wrote:I got it!
TSOP recovery using tsop_d6.bin works perfectly on the XBlast Mod now; just like on the Chameleon. I will post more info on it later.
I suppose the question arising is whether the TSOP recovery will work on a 256K TSOP (v1.2-v1.5 xbox) ?psyko_chewbacca wrote:This will require a new PCB revision.
TSOP split will only split 1MB TSOP in 2 now. I originally planned to support 4-way split but to reduce part count and PCB complexity, I decided to remove control of TSOP's A18 line.
-
- Posts: 213
- Joined: Fri Oct 05, 2012 5:19 pm
- Location: Québec, Canada
- Has thanked: 21 times
- Been thanked: 125 times
Re: (WIP) New modchip coming in
tsop_d6.bin BIOS works on 1.0 to 1.3 Xboxes. During my experimentation, I was not able to make this BIOS work when Evox M8+ or X2 5035 was flashed on TSOP; console FRAG. I was able to make it work on a 1.2 with IND-BIOS 5004 on TSOP but not on a 1.0... Weird.spicemuseum wrote: I suppose the question arising is whether the TSOP recovery will work on a 256K TSOP (v1.2-v1.5 xbox) ?
I am looking for a cheap 1.4/1.5 Xbox. Created a thread in Marketplace section: http://www.xbmc4xbox.org.uk/forum/viewt ... =16&t=3339
Thanks.
- spicemuseum
- Posts: 906
- Joined: Mon Jul 09, 2012 11:08 pm
- Has thanked: 94 times
- Been thanked: 75 times
Re: (WIP) New modchip coming in
Anything to do with the TSOP brand (ST/Hynix/Winbond), or size (1MB/256KB) ?psyko_chewbacca wrote:tsop_d6.bin BIOS works on 1.0 to 1.3 Xboxes. During my experimentation, I was not able to make this BIOS work when Evox M8+ or X2 5035 was flashed on TSOP; console FRAG. I was able to make it work on a 1.2 with IND-BIOS 5004 on TSOP but not on a 1.0... Weird.
-
- Posts: 213
- Joined: Fri Oct 05, 2012 5:19 pm
- Location: Québec, Canada
- Has thanked: 21 times
- Been thanked: 125 times
Re: (WIP) New modchip coming in
It is very unlikely.spicemuseum wrote:Anything to do with the TSOP brand (ST/Hynix/Winbond), or size (1MB/256KB) ?
The TSOP flash only serves as a container for the MCPX to map the image contained in the TSOP mirrored in the upper 16MB of the address space. The difference between a 1MB and a 256KB TSOP is the number of time the physical amount of flash is mirrored.
In fact, the MCPX doesn't even know what kind of TSOP or what size it is. It blindly interfaces the TSOP using JEDEC standards which is supported across all types of TSOP chips used in Xboxes. Also, the ISA bus runs at 8MHz and so data request happens at 125ns intervals. All of the TSOP chips used are rated 90ns or below so there's no way this could be a timing issue.
I think that the MCPX chip revision and the type of BIOS used are the key elements here.
Both M8 and X2 5035 are "Multi" BIOSes; is IND-BIOS a "Multi" BIOS too? Anybody knows how I could extract the 2bl from these BIOSes?
- spicemuseum
- Posts: 906
- Joined: Mon Jul 09, 2012 11:08 pm
- Has thanked: 94 times
- Been thanked: 75 times
Re: (WIP) New modchip coming in
What do you mean by multi? I thought this referred to the repetition of 256k blocks in a 1MB flash device.