And the Aladdin XT became a decent modchip!

Discussion in 'Xbox (Original console)' started by bennydiamond, Jun 18, 2014.

  1. bennydiamond

    bennydiamond Gutsy Member

    Joined:
    Aug 24, 2011
    Messages:
    477
    Likes Received:
    181
    Hello everyone,

    So I had a few Aladdin XT mods laying around. I wasn't really interested into using them because they simply offered the possibility of booting from a 256KB BIOS. Not much more useful compared to a TSOP mod unless you want a dual boot system. 1.6(b) Xbox could do just fine with a softmod.

    SST49LF080A flash chip is 1MB in size and uses the same commands as it's now obsolete brother, SST49LF020(A). Of course the range of addresses is not the same so a simple chip swap wasn't going to do it. So I took the liberty to develop a new code for this modchip. I started off by modifying the "leaked" Aladdin CPLD VHDL sources from hkmod but it quickly got almost all rewritten. After some probing with the logic analyser and lots of code revisions, I was able to boot from the new flash chip.

    Up to this point I have 3 versions of my code:
    1. Dual 512KB banks
    2. Single 1MB bank with write protect switch
    3. Single 256KB bank with write protect switch

    All 3 versions have these features:
    • 1.0 to 1.6(b) support (not all Xbox revisions were tested, 1.0 and 1.6 worked fine)
    • Full BIOS read and write support in EvolutionX and Gentoox Loader (other tools are not tested but should work too if they support 49LF080A)
    • Optional bank/flash protect switch
    • Long power press disable modchip (not 100% tested, I don't really care for this feature. Theorically it should work)
    • Hot-swapable
    • Proper LFRAME signal release (1.6(b) are the only consoles that benefit from this)

    UPDATE: I will upload a new version soon. I messed up a little concerning the "long power press disables the modchip". Turns out my code works the other way around... Short power press disables the modchip and long power press enables it. I like it better the other way around (the way I originally intended it to be). I also have some other features I could implement. I'll need to test them first so that's why I'm not uploading any here for now.


    So for the skepticals, here's the video proof of the dual bank version, made on a 1.6 Xbox:


    For the still skepticals here are the programmable bitstreams in both JED and SVF formats.
    The single archive contains the 3 versions:
    • 1MB Dual 512KB Banks
    • 1MB Single bank with write protect
    • 256KB Single bank with write protect

    An archive is attached to this post. The archive also contains the Aladdin XBlast variant of the mod which grants full OS control over the Aladdin XT as like other 4th gen modchips. For more info on Aladdin XBlast, please visit this thread.

    Specific installation info on this mod is the following.
    14447134784_c8500cc4e8_o.jpg
    14446897582_1c7d9f38d0_o.jpg


    So beside your Aladdin XT modchip, all you need is the new flash chip and optionally at least a SPST switch.
    For the rest of the installation instructions, please refer to the regular Aladdin XT installation schematics for missing info.


    A picture of a temporary installation on a 1.6:
    14425036986_a2dbcc919a_c.jpg
    The looped blue wire is for simulating either a long or short power press. The other dangling wire is for Xbox LFRAME signal control.

    Wire should be as short as possible as timing is a little tight. However, it can still be somewhat long as you can see in the following screenshot:
    14261722247_7ab094fb4e_c.jpg

    Novice installers should not have too much trouble making it work.


    Pre-emptive FAQ
    Q1. How to I program my Aladdin XT with this new code?
    A. You will need a JTAG adapter that works for this chip. You can make a cheap parallel cable following the schematic here: View attachment lattpsch.pdf . I made this one for myself and it works with "ispVM System", the download tool from Lattice ispLEVER Classic software suite. You can probably use urJTAG and any supported adapter it to program the CPLD. Just remember to power your board with +3.3V.

    Q2. Where do I get the SST49LF080A flash chip?
    A. Digikey, Farnell, MicrochipDirect, etc. or less reliable suppliers on eBay and others.

    Q3. How do I initially program the new flash chip?
    A. You can make yourself a CheapLPC programmer or use any "universal" programmer (I used a TL866CS) that supports this flash chip. You can also hotswap to flash it from the Xbox.

    Q4. What if I don't want to install the optional switch to benefit from dual banks/write protect?
    A. You don't need to! The only draw back will be that you'll only have access to the second bank of the 2, in the case you select the dual bank version. With the other versions of the code, write protect will be disabled and you'll always have full read and write access to the chip at any time.

    Q5. How does your code releases Xbox LFRAME signal while other modchip makers do not (except for SmartXX)?
    A. My guess is they either didn't thought about it during coding, it wasn't a know fact that grounding LFRAME was a bad idea or they didn't knew how to implement it. My implementation differs from the usual way of disabling LFRAME#. Instead of forcing it to GND, I do the exact opposite: I force the signal to a logical '1' only when it drops to signal the Xyclops chip the start of a LPC transfer cycle. So effectively, the Xyclops chip never receives the start signal to initiate a LPC cycle and sits idle forever. The benefit is that the modchip holds the LFRAME signal only about 15ns every LPC cycle. LPC cycles are only initiated for BIOS read/write and every now and then when you need to access the modchip (LCD or special modchip features). Another benefit is that the current needed to drive LFRAME# "up" is far less than what's required to force it to GND. A single IO pin of the LC4032V (CPLD) can supply enough current to do this. This means less stress and heat on the MCPX chip, which normally drives the LFRAME# signal.

    Q6. Help! My Xbox will not boot or boots inconsistently using L1 LFRAME control signal.
    A. First of all, L1 is only for 1.6 and 1.6b Xbox revisions. Second, try to reduce the length of the wire, use small wiring gauge (I use 30AWG). If it still doesn't work, use D0 instead.

    Q7. Do you know that the SST49LF160C LPC flash chip exist and that it's 2MB in size?
    A. Yes I know, it's not 100% compatible. There's not enough "space" in the LC4032V to make it work like with the 49LF080A. BIOS Reading is possible but not writing (so no BIOS flashing from Xbox) *using current Xbox apps*. This chip uses a different set of commands to erase and program the memory array. A new Xbox app would have to be created to send the proper commands to this chip. Also, I don't really care for 2MB flash, dual 512KB or single 1MB banks are fine with me.

    Q8. Why make a 256KB version when we can now use a 1MB chip?
    A. My first development steps were to replicate the behavior of the stock Aladdin XT modchip. Only once this done I could move to the 1MB versions. I figured I would release it as well if anyone would like to benefit from either write protect or LFRAME release features without upgrading their flash chip.

    Q9. Will you sell me a Aladdin XT?
    A. Currently, I am selling 2 units I used for development but I don't have plans sell any more after those. If there's enough demand I will consider selling a batch. My guess is that there will be enough opportunistic sellers profiting from my work. But... if you want to congratulate or thank me, you can always buy me a beer (or additional development gear!) here: [​IMG]
    Thank you!

    Q10. You don't reply very fast to your PMs and/or forum posts...
    A. No I don't, deal with it.

    Q11. Do you plan on making any further development on this project?
    A. Not on the Aladdin XT, unless there's a major bug to be found. However, I do have another project that is based on this code...... ;)

    Q12. Will you release the VHDL source code?
    A. No, not now. Don't bother asking why if you don't want Q10 to especially apply to you.

    Q13. Will your code work on a Aladdin XT with LCD support (LC4064 chip)?
    A. Maybe but my guess is no. Also, if it were to work, you would lose the LCD.

    Q14. I have issues with this new mod! Help me!
    A. Please search the forums first and then start a public thread to discuss about your issue. Chances are that if you have a problem, someone else might encounter the same. Better share the knowledge!


    So now you can enjoy almost any BIOS on your "inferior" Aladdin XT modchip.
     

    Attached Files:

    Last edited: Jul 16, 2017
    Armorant, KaosEngineer and ASSEMbler like this.
  2. Floydthebarber

    Floydthebarber Rapidly Rising Member

    Joined:
    Sep 1, 2012
    Messages:
    76
    Likes Received:
    4
    Wow that is dam cool bennydiamond congrats. I am working on a similar project, and I need to get the VHDL data from a Xilinx cpld in order to pull it off. Do you think with the right adapter (Like this one http://www.dataman.com/dil48-tqfp100-zif-pld-2.html) and a programmer capable of writing and reading the CPLD, that I will be able to read off the VHDL data? I know that these chips can be security locked, so I am thinking that it will probably be a real gamble to try. The project is to clone a clone Xenium modchip that has LCD support.

    Here is a picture of the modchip I am talking about, it is the one on the right.
    Sans-titre-1.jpg
     
    Last edited: Jun 18, 2014
  3. davidthomas

    davidthomas Site Supporter 2013,2014

    Joined:
    Jun 28, 2013
    Messages:
    461
    Likes Received:
    4
    Nice work! The aladdin was always a inferior chip with that little crappy 256k chip. Now it can handle a real bios or 2 or them to be exact. To bad it wont work with the 4064 LCD version. That would be a true upgrade for that chip. Well that is if you can find one these days.

    What until they see what the ;) project is! Remember I want to be close to first on that! I have been thinking about it a good amount and it will be awesome!
     
    Last edited: Jun 18, 2014
  4. kylethedude

    kylethedude Nintendo DS NFR/Demo Lord

    Joined:
    Apr 16, 2013
    Messages:
    302
    Likes Received:
    4
    That's awesome! Lovely work
     
  5. CodeAsm

    CodeAsm ohci_write: Bad offset 30

    Joined:
    Dec 22, 2010
    Messages:
    1,504
    Likes Received:
    178
    one cannot read the orriginal VHDL data from a clpd or fpga, you could maybe get all the bits on wich everything is set, and so reconstruct a VHDL like code.
    but I found this text that is more detailed:
    Its nothing like an arduino that contains data for a mcu, there is no mcu/cpu, its all logic and data that is used to set wich part of logic connects other logic and what the logic is doing.
    Find source, or enjoy many many hours of reverseengineering. or build your own, wich is maybe better to understand Xbox modchips (I have no experiance in xbox modchip making field.)

    Anyway, good luck and awesome mod :D
     
  6. bennydiamond

    bennydiamond Gutsy Member

    Joined:
    Aug 24, 2011
    Messages:
    477
    Likes Received:
    181
    If I recall well, I saw a paper about a security flaw on the XC9572XL that enabled retreiving the bitstream of a locked CPLD under certain conditions. I can't find it anymore....

    I don't know how they did it but the necessary conditions to extract the bitstream were present on the Xenium but not on other 4th gen chips, which do use Xilinx CPLDs (Xecuter3 have a ProAsic inscription but it was later demonstrated to be a deception, Actel engraves the chips, they don't print on them!).

    Looking at pictures of the modchip, I would start by looking at those 6 solder pads on the backside of the Xenium modchip. It looks alot like a JTAG port; I did not find any info on those 6 solder pads, probably used for programming the chip. Use the XC9572XL datasheet and a multimeter to probe which solder pad is mapped to which CPLD pin. You'll probably find that they all map to TDO, TDI, TCK, TMS, +VCC and GND. If so that's your first (and cheaper!) ticket in.

    If you really want to try this, start by trying to connect a Xilinx-Compatible JTAG adapter on those 6 solder pads.Use impact or urJTAG to identify the chip and try to crack it. I cannot help you cracking that CPLD, I don't know how. There are few shady businesses listed on the Internet that claim to be able to extract code from this chip. You'll probably have to pay them a load of cash and send the bare CPLD chip for them to crack it. They'll probably scrap it in the process by extracting the die with acid.

    Personnally, I wouldn't invest too much money or time in such enterprise. If extracting CPLD code was at the reach of most people, you could find bitstreams for about any electronic devices floating on the web.
    Take the EverDrive 64 for example. V1 was cloned easily because the bitstream of the Altera Cyclone FPGA was available for download by the author. V2 hasn't been cloned yet because the hardware contains an extra Altera MAX CPLD for which the bitstream has never been made public. Cloners cannot do anything without this bitstream, and you don't see any V2 clones out there because extracting code from a locked CPLD is a tedious task. I know they are not the same brand of chips but the idea is the same.

    Anyway good luck with this!
     
    kylethedude likes this.
  7. Looney Bin Jim

    Looney Bin Jim Spirited Member

    Joined:
    May 1, 2014
    Messages:
    130
    Likes Received:
    12
    Awesome man! Great work!
     
  8. CodeAsm

    CodeAsm ohci_write: Bad offset 30

    Joined:
    Dec 22, 2010
    Messages:
    1,504
    Likes Received:
    178
  9. APE

    APE Site Supporter 2015

    Joined:
    Dec 5, 2005
    Messages:
    6,417
    Likes Received:
    141
    Bitchin, I think I've got a bunch of that flash laying around from me procuring it as samples when I had nothing better to sample. Not sure if my Aladdin XTs are the right version though.

    Maybe I can get them to work in my 1.6 XBox finally.
     
  10. bennydiamond

    bennydiamond Gutsy Member

    Joined:
    Aug 24, 2011
    Messages:
    477
    Likes Received:
    181
    Check the two pictures with the green arrows I made. It's exactly that model. If the black sticker on the back side says Aladdin XT PLUS2 you're on the right track!
     
  11. Floydthebarber

    Floydthebarber Rapidly Rising Member

    Joined:
    Sep 1, 2012
    Messages:
    76
    Likes Received:
    4
    Thanks for the replies bennydiamond and Codeasm, I really appreciate it!
     
  12. APE

    APE Site Supporter 2015

    Joined:
    Dec 5, 2005
    Messages:
    6,417
    Likes Received:
    141
    The one in my hand is. I couldn't get these stupid things to boot on a 1.0 mobo the other day so I'll probably TSOP it. The Aladdin XTs have a really poor success rate, looks like I'll need to get a PLCC adapter first.
     
  13. johnscrub

    johnscrub Newly Registered

    Joined:
    Jul 3, 2014
    Messages:
    2
    Likes Received:
    0
    Total noob here to aladdin chips but do you or anybody have these in a bin format?i would like to try and hotswap method on it?
     
  14. bennydiamond

    bennydiamond Gutsy Member

    Joined:
    Aug 24, 2011
    Messages:
    477
    Likes Received:
    181
    UPDATE: I will upload a new version soon. I messed up a little concerning the "long power press disables the modchip". Turns out my code works the other way around... Short power press disables the modchip and long power press enables it. I like it better the other way around. I also have some other features I could implement. I'll need to test them first so that's why I'm not uploading any here for now.


    It's not a BIOS file. It's a programming file for the CPLD (LC4032) chip. BIOS BIN files goes into the flash (big chip) and jed/svf goes in cpld (smaller chip).

    You need a hardware programmer to reprogram the cpld.
     
    Last edited: Jul 4, 2014
  15. johnscrub

    johnscrub Newly Registered

    Joined:
    Jul 3, 2014
    Messages:
    2
    Likes Received:
    0
    ok i misunderstood.After i reprogram the onboard cpld i can add the sst49lf080a flash chip then use any of the normal bios as long as ive used the correct cpld jed file?
     
  16. rso

    rso Gone. See y'all elsewhere, maybe.

    Joined:
    Mar 26, 2010
    Messages:
    2,192
    Likes Received:
    448
    Just for the record, since this thread comes up rather high on the list when you're looking for ways to use a bigger BIOS with an Aladdin XT: This project is not dead, it has been continued as "XBlast" here.
    And now... may this thread forever rest in peace.
     
  17. Bad_Ad84

    Bad_Ad84 The Tick

    Joined:
    May 26, 2011
    Messages:
    8,604
    Likes Received:
    1,375
    Thread isn't really dead, I sell upgraded aladdins and a kick back sent to benny.

    Edit: I didn't realize you linked to the other aladdin mod. I thought it was a link to his modchip he made. My mistake!
     
    Last edited: Jul 19, 2016
    kylethedude likes this.
  18. bennydiamond

    bennydiamond Gutsy Member

    Joined:
    Aug 24, 2011
    Messages:
    477
    Likes Received:
    181
    Well it's dead in the sense that I don't plan on working further on this or on Aladdin XBlast mod. Everything seem to work fine. Development-wise, it's pretty much dead. I haven't had any negative feedback on these so they must be working as intended.

    I will gladly answer questions regarding those mods tho.

    You sold some Aladdin XBlast yet? People liking it so far?
     
  19. Bad_Ad84

    Bad_Ad84 The Tick

    Joined:
    May 26, 2011
    Messages:
    8,604
    Likes Received:
    1,375
    I owe you for a couple I think, I've been meaning to drop you a message. Will check my records when I get a few mins. But as you lack paypal, probably best to just save it up until it's a worthwhile amount to transfer.

    No complaints so far, but think it's mostly lack of awareness... I just add stuff for sale in my thread, so people may not know when something new is added.
     
    CodeAsm likes this.
  20. bennydiamond

    bennydiamond Gutsy Member

    Joined:
    Aug 24, 2011
    Messages:
    477
    Likes Received:
    181
    You don't owe me anything. I released all of this in hopes people would find it useful. The price you're selling them is also quite reasonable when you factor in the price of the new flash chip and the fact that you allow people to get one without them purchasing a JTAG programmer.

    That being said, I won't spit on money if you are still willing to share! I have a Bitcoin wallet btw.
     
    CodeAsm likes this.

Share This Page