XBOX MODCHIP DESIGN DISCUSSIONS

Discussion in 'Xbox (Original console)' started by one_eyed_monk, Aug 28, 2017.

  1. one_eyed_monk

    one_eyed_monk Active Member

    Joined:
    Jul 11, 2017
    Messages:
    27
    Likes Received:
    19
    Hi All,
    I would like to use this thread to foster technical discussions centered around xbox modchip design. As a first step, I spent some time last week trying to develop a VHDL implementation for the very simple Aladdin XT modchip using the SST49LF080A LPC flash. It turns out that the LPC specification is very simple and I had a working implementation in just a few hours. I have since tested my implementation using the SST49LF020, SST49LF020A and SST49LF080A on XBOX versions 1.0, 1.1, 1.2, 1.4/1.5.

    So far, I just have the LPC Memory READ cycle implemented. My ultimate goal is to design a modchip with a different type of flash device (Parallel NOR or NAND, QSPI, OSPI, HyperFlash, or uSD) as the LPC flash devices seem to be going obsolete. I am more interested in the uSD option because a single uSD card can hold almost all available choices of xbox bioses. There are still a few loose ends to tie like:
    1. Driving the d0 pin. Currently, the d0 pin has to be grounded.
    2. Incorporate short & long presses of the power button to enable/disable the modchip.
    3. Support LPC memory write, LPC IO Read and Write
    4. Support Switching memory banks.
    5. Include LFRAME support for version 1.6

    I know a lot of this has been done by others, but not much is available in terms of actual source code implementation. I am using this as a learning platform for myself, and I hope others can learn from this too. I am releasing the vhdl source code as well as the pin out description for the aladdin xt plus 2 chip. If you have another type of aladdin chip that uses the lc4032v cpld such as the aladdin advance, please test the pin out of your chip and adjust accordingly. The aladdin advance I tested with had the same pin out as the aladdin xt plus 2 except for the D0 and L1 pins.

    The source as is targets the SST49LF080A flash device but you can easily modify it to fit the LPC chip of your choice. You will need the datasheet handy though. Also, you will need the ispLEVER software from Lattice Semiconductor and a JTAG programmer. The JTAG connections for the aladdin XT plus are discussed in this thread https://assemblergames.com/threads/and-the-aladdin-xt-became-a-decent-modchip.52234/

    As a next step, I am looking at a uSD implementation using one of those cheap (~$20) Cyclone IV FPGA boards from aliexpress/ebay. Something like this https://www.arrow.com/en/products/deca/arrow-development-tools from arrow would be great but the $65 price tag seems a bit high to be used as a modchip. I intend to have a SoC running side by side with an LPC implementation of a modchip. This way the design will have the benefit of IO flexibility to support multiple IO peripherals such as a TFT LCD instead of the simple HD44780.

    With that said, I have a question with regard to how the LPC Memory Read request is done by the MCPX chip on the xbox. According to the book "Hacking the Xbox", the xbox boot rom area spans "0xFF00.0000 to 0xFFFF.FFFF". Any implementation of a modchip will have to adapt/multiplex that memory area to fit the flash chip of choice. This is evident in my design for the SST49LF080A. My question is: Does the LPC Memory Read happen in sequential order (i.e. from 0xFF00.0000 to 0xFFFF.FFFF) or partial sequential or even random? The answer to this question will determine if the cheap (~$20) Cyclone IV FPGA boards + uSD can be easily used to implement a SoC based xbox modchip.

    Finally, feel free to post your technical questions/answers about xbox modchip design here. My hope is to get some momentum going and help preserve knowledge about xbox modchip design.
     


  2. Korn16ftl3

    Korn16ftl3 Robust Member

    Joined:
    Jun 26, 2017
    Messages:
    200
    Likes Received:
    19
    Making this post so I can get notifications and follow this thread best of luck to you monk :)

    I may not be as in the know as you when it comes to code and electronic components and such but if u need any information I may be able to supply u know how to get at me and thanks for the work
     
    one_eyed_monk likes this.
  3. Korn16ftl3

    Korn16ftl3 Robust Member

    I'm not sure if this is any help but I was reading this documentation when I was reading about the MCPX chip:

    http://web.archive.org/web/20100617...nux.org/wiki/The_Hidden_Boot_Code_of_the_Xbox
     
    one_eyed_monk likes this.
  4. Korn16ftl3

    Korn16ftl3 Robust Member

    Double post somehow my bad
     
  5. bennydiamond

    bennydiamond Gutsy Member

    Joined:
    Aug 24, 2011
    Messages:
    477
    Likes Received:
    182
    If I remember correctly, MCPX reads 1MB from 0xFF00 0000 and mirrors that megabyte on 16MB, up to 0xFFFF FFFF. You then just need to supply an image for the first MB at 0xFF00 0000 and the MCPX will do the rest.

    Using SPI flash, in Quad-SPI may be possible but hard to do just because SPI flashes usually have higher data setup time than "more conventional" flash arrays. From what I gathered, Short SYNC WAIT is supported but I never tried Long SYNC WAIT. I don't know how many LPC cycles you can hold the bus in Short SYNC WAIT. You will necessarily have to hold the bus in WAIT state for a bit when accessing the SPI flash.

    I don't know if uSD can be done, mostly for the same reason as with SPI flash. SPI mode is likely too slow and SDIO might have too much protocol overhead to implement fast enough in a reasonably priced logic device.

    Parallel Flash arrays might be the best solution even if they are harder to solder.

    d0 is handled the same across 1.0 to 1.5 Xboxes. Tie to ground at least until MCPX starts to read on the LPC bus. After that you're free to release it for the rest of the session. MCPX will not try to access the TSOP until a reboot.

    You've got 2 ways of handling LFRAME on 1.6(b). You can simply tie it to ground as long as the Xbox is powered ON. It's the most common way modchips do it but it's the most destructive as it forces the IO driver in the MCPX to supply too much current.
    The better way to do it is to catch the start of a LPC cycle by counting cycles and knowing when a X'0' on LAD[3..0] is actually a LPC START cycle (your code must already do that to properly work anyway). Then force LFRAME to '1' using a high speed driver only for the duration of the LPC START cycle. The process in your CPLD/FPGA for this needs to be extra fast to toggle your IO driver fast enough (accounting for the driver's setup time) so the LFRAME line on the Xbox is at '1' at the moment the Xyclops latches it. You might need to have a few constraint rules to prioritize this process during synthesis and place & route.

    One last neat piece of advice. The RESET IO line toggles on power ON, hot and cold reboot. If implementing software bank switch, you need to handle RESET like a control signal and not a true reset signal in your design.

    If you ever want to create an OS controlled modchip, I suggest you have a look at this page. It contains register descriptions of certain port addresses XBlast will reply. Some of them are shared with SmartXX and Xodus Chameleon. Port 0xF701 is special and contains a hard-coded byte unique to a certain modchip hardware, both for Xblast and SmartXX device. If you ever want to use that port to ID your modchip, I would very much appreciate if we could discuss reserved value ranges.
    Currently, SmartXX uses a few values in the 0x00 and 0x0F range. Xblast devices use in 0x10 to 0x1F and 0x50 to 0x5F.

    LCD port addresses are standard across SmartXX (except V3 for contrast), XBlast and Aladdin XT 4064 modchips.
     
    one_eyed_monk likes this.
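
The LPC memory read cycle the posts above rely on (START nibble, SYNC short wait, a 1 MB image mirrored across the 0xFF000000 window), as an added Python behavioural model that is not part of any post or of the VHDL released in the thread. The class and function names are assumptions; the nibble encodings are those of the LPC specification.

```python
ROM_BASE = 0xFF000000                  # start of the boot ROM window named in the thread
START, MEM_READ, TAR = 0x0, 0x4, 0xF   # LPC nibbles: START=0000, memory read=010x, TAR=1111
SYNC_READY, SYNC_SHORT_WAIT = 0x0, 0x5

class LpcRomTarget:                    # hypothetical name for the modelled flash target
    def __init__(self, image, wait_states=0):
        if len(image) & (len(image) - 1):
            raise ValueError("image size must be a power of two to mirror cleanly")
        self.image, self.mask, self.wait_states = image, len(image) - 1, wait_states
        self.state, self.count, self.addr, self.byte = "IDLE", 0, 0, 0

    def clock(self, lframe_n, lad):
        """One LCLK. Returns the nibble this target drives, or None when it is silent."""
        if lframe_n == 0:                        # LFRAME# low qualifies a START nibble
            self.state = "CYCTYPE" if lad == START else "IDLE"
            return None
        st = self.state
        if st == "CYCTYPE":                      # bit 0 is reserved: compare bits 3..1
            ok = (lad & 0xE) == MEM_READ
            self.state, self.count, self.addr = ("ADDR", 8, 0) if ok else ("IDLE", 0, 0)
        elif st == "ADDR":                       # 8 nibbles, most significant first
            self.addr, self.count = (self.addr << 4) | lad, self.count - 1
            if self.count == 0:                  # claim only cycles inside the ROM window
                self.state, self.count = ("TAR", 2) if self.addr >= ROM_BASE else ("IDLE", 0)
        elif st == "TAR":                        # host releases the bus over 2 clocks
            self.count -= 1
            if self.count == 0:
                self.state, self.count = "SYNC", self.wait_states
        elif st == "SYNC":
            if self.count:                       # slow flash: stall with short-wait SYNC
                self.count -= 1
                return SYNC_SHORT_WAIT
            self.byte = self.image[self.addr & self.mask]   # masking mirrors the image
            self.state = "DATA_LO"
            return SYNC_READY
        elif st == "DATA_LO":                    # data goes out low nibble first
            self.state = "DATA_HI"
            return self.byte & 0xF
        elif st == "DATA_HI":
            self.state = "IDLE"
            return self.byte >> 4
        return None

def host_read(target, addr):
    """Drive one memory-read cycle as the host. Returns (byte or None, clocks used)."""
    frame = [(0, START), (1, MEM_READ)]
    frame += [(1, (addr >> s) & 0xF) for s in range(28, -4, -4)] + [(1, TAR), (1, TAR)]
    for lframe_n, lad in frame:
        target.clock(lframe_n, lad)
    clocks, sync = len(frame) + 1, target.clock(1, TAR)
    while sync == SYNC_SHORT_WAIT:
        clocks, sync = clocks + 1, target.clock(1, TAR)
    if sync != SYNC_READY:
        return None, clocks                      # no target claimed the cycle
    lo, hi = target.clock(1, TAR), target.clock(1, TAR)
    return (hi << 4) | lo, clocks + 4            # 2 data clocks + 2 TAR clocks
```

A zero-wait read takes 17 LCLKs in this model, and each short-wait SYNC adds one more.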
  6. one_eyed_monk

    one_eyed_monk Active Member

    Thanks, eventually I will be moving towards an OS controlled modchip and the OS of choice will be the XBlast OS since this is well documented and also the most recent.

    With regards to the MCPX reading 1MB from 0xFF000000, does it actually start at address 0xFF000000 and increments sequentially all the way to the 1MB limit (0xFF100000)? If it does, then the modchip's controller does not have to wait for the MCPX and can begin filling up a dual port fifo with the contents of its flash memory device (QSPI or the like that has a longer setup time). The dual port fifo can be 256 bytes or the page size of the flash. This will make for an attractive solution but it can only work if the MCPX is reading sequentially from the LPC ROM.
     
  7. one_eyed_monk

    one_eyed_monk Active Member

    BTW, how do you read back status info from the SST49LF080A and SST49LF020A from the OS since the modchip maps the read addresses into the memory space of these chips? Do you issue an IO cycle to the modchip to disable/enable this mapping?
     
  8. bennydiamond

    bennydiamond Gutsy Member

    ROM reading actually starts at 0xFF00 0000 and is read sequentially, for a while at least for sure. I cannot say with total confidence that the whole 1MB range is all read sequentially as I did not try to capture the entire sequence. My design, with the LPC flash chip feeds the MCPX as fast as it can request on a per byte basis so once the logic was set to feed the requested data correctly, I didn't bother to capture the entire sequence. Common sense would dictate that it is the case, and the whole ROM is read sequentially but it's not an absolute certainty.

    Also, you must understand that the ROM region is memory mapped and thus makes the whole 16MB range accessible out of order if the system so desires. At the start of boot, the ROM is read sequentially as the MCPX boot code copies the 2bl into RAM, once it jumps to 2bl's entrypoint, anything goes! Maybe the 2bl in regular Xbox BIOSes directly access the ROM region to uncompress the cab archive. I did not analyze the 2bl ASM code that much tbh. I'm no compression wiz either so I don't know if a decompression algorithm reads the packed archive sequentially.

    Also, you need to know that 1.0 Xboxes have a very tight response time to answer the PIC challenge. In Xblast OS, when I first introduced the Universal X-Codes sequence (to boot a single image across all Xbox revisions), the added time needed to execute those X-Codes coupled with the normal 2bl init process busted that timer on 1.0. I had to optimize 2bl's init sequence to answer PIC challenge sooner in order to satisfy 1.0 boards. Adding extra delay on ROM reading might give you issues on 1.0.

    As the flash device is memory mapped, you can just write in the proper address space the commands supported by the flash device.

    You can look at either GentooxLoader's or Xblast OS source repo in ./drivers/flash to see how flash device is accessed.
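
The prefetch FIFO question from the two posts above, as an added timing model in Python that is not part of the thread: it replays a read trace through a strictly sequential prefetcher and counts the SYNC wait clocks each read would need. The `setup` and `per_byte` latencies and both traces are constructed values, not measurements of any flash part or of the MCPX.

```python
CYCLE_CLOCKS = 17   # LPC memory read with zero SYNC wait states
ROM_BASE = 0xFF000000

def prefetch_stats(trace, setup=40, per_byte=2):
    """Replay byte addresses through a sequential prefetch FIFO.

    setup    -- assumed clocks to open the backing flash at a new address
    per_byte -- assumed clocks per streamed byte once the flash is open
    Returns total wait clocks, the worst single read, and stream restarts.
    """
    now = total = worst = restarts = 0
    next_addr = ready_at = None
    for addr in trace:
        if addr == next_addr:
            # FIFO head is the wanted byte; it streamed in while the bus was busy
            ready_at += per_byte
        else:
            # out-of-order read: flush the FIFO and reopen the flash at this address
            restarts += 1
            ready_at = now + setup + per_byte
        wait = max(0, ready_at - now)      # clocks spent in short-wait SYNC
        total, worst = total + wait, max(worst, wait)
        now += CYCLE_CLOCKS + wait
        next_addr = addr + 1
    return {"total_wait": total, "worst_wait": worst, "restarts": restarts}

def sequential_trace(n, base=ROM_BASE):
    """Constructed trace: n consecutive byte reads starting at the ROM base."""
    return list(range(base, base + n))

def scattered_trace(n, base=ROM_BASE, stride=4099, size=1 << 20):
    """Constructed trace: n reads that never hit the next sequential address."""
    return [base + (i * stride) % size for i in range(n)]

if __name__ == "__main__":
    print("sequential, fast flash:", prefetch_stats(sequential_trace(4096)))
    print("sequential, slow flash:", prefetch_stats(sequential_trace(4096), per_byte=20))
    print("scattered,  fast flash:", prefetch_stats(scattered_trace(4096)))
```

With a backend faster than the bus only the first read stalls; once `per_byte` exceeds the 17-clock cycle every sequential read stalls a little, and a scattered trace pays the full setup on every read.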
     
  9. one_eyed_monk

    one_eyed_monk Active Member

    Thanks. I will be putting together a test modchip platform to investigate the different flash options that can be integrated into a modchip. I have several altera fpga (cyclone iv, cyclone v and max10) development boards from Terasic and Arrow lying around and will just grab one. I always like the idea of introducing a SoC into the modchip but cost might be an issue.
     
  10. Korn16ftl3

    Korn16ftl3 Robust Member

    Anything new to report monk?
     
  11. one_eyed_monk

    one_eyed_monk Active Member

    I am currently expanding on my initial work on the Aladdin modchip and will be adding support for the now obsolete 2MB SST49LF160C. While there is really no need for a 2MB modchip, there is a lot of opportunity for learning. A 2MB chip will offer the possibility of multiple banks to house most bioses minimizing the need for multiple flashes.

    Although the SST49LF160C has a different flashing algorithm than the SST49LF020, SST49LF020A and SST49LF080A, the flashing algorithm is easier to implement and seems faster. Since the SST49LF160C is now obsolete, it is not supported in most flash programmers. As such, I had to develop my own SST49LF160C using an FPGA dev board I had lying around.

    My goal is to develop write capability in an OS to ease the process of flashing and also bank switching. The OS of choice will have to be XBlast since this is the most recent effort. In the next couple of weeks, I will be looking into adding support for the SST49LF160C in XBlast OS.

    For now, I have the SST49LF160C currently working in my Aladdin modchip using my vhdl implementation from above.

    In addition, I am also looking into other types of flash memory chips since the LPC flash chips seem to be fading into obsolescence. I currently have the 32MB S29GL128P working with my FPGA dev board as a modchip. In addition, I have a uSD card that contains a host of bioses. The FPGA is running an embedded softcore processor (Nios II), but this solution is not opensource as it contains proprietary software/firmware pieces. Certainly, this setup is pricey and an overkill especially for an ancient console such as the xbox, but it gives me the tools to allow for a deeper understanding of xbox modchip design.

    As always, I will be posting my design implementation files once I have everything working in a more user friendly way.
     
  12. one_eyed_monk

    one_eyed_monk Active Member

    Just wanted to share a few videos on my work so far on xbox modchip design. I have been working with the DE0-Nano and the DE0-Lite FPGA development boards from Terasic Technologies. The boards have a lot of IO and logic cells compared to the LC4032 or LC4064 found in the aladdin modchip. Because of the large number of IO and logic cells on the Cyclone IV and MAX 10 FPGAs on these development boards, the sky is the limit on what you can incorporate in a modchip design for the xbox.

    As a start, I have included the 2MB SST49LF160C LPC flash, a uSD IP operating in SD mode and a TFT controller IP. Also, I have included an LPC host IP to allow me program the SST49LF160C since it is not supported by a host of flash programmers because it is now obsolete. The uSD card contains a lot of bioses that can be programmed into the SST49LF160C. For now, the TFT displays just status information, but can be configured to replace a HD44780 or similar LCD. In addition, I have bank switching incorporated in the design using the switches on the development boards for now.

    Here is the first video that highlights bank switching on the SST49LF160C using the DE0-Lite


    The next video shows the DE0-Nano implementation with the TFT display


    Since the SST49LF160C and most LPC chips are obsolete, I think parallel nor flash like the S29GL128P is the way to go. I have another design that works with the S29GL128P and will be sharing that soon.

    For now, I am looking at the possibility of obtaining 5V power before the xbox turns on. If this is possible, then a modchip can be built to run off RAM + uSD card. In this configuration, the FPGA can load the bios from uSD into RAM before the xbox turns on. The only issue is cost. The Cyclone IV and MAX10 FPGA are more expensive than the CPLDs found in xbox modchips, and since the xbox is an obsolete console, it doesn't make much sense to target expensive hardware for modchip design. I am fortunate to have a lot of FPGA development boards at my disposal, but coming up with a design to incorporate features like TFT, uSD, flash programmer, etc. will be challenging in a modchip.
     
  13. one_eyed_monk

    one_eyed_monk Active Member

    I forgot to mention that both designs incorporate the 32-bit NIOS II softcore SoC with 32MB & 64 MB of SDRAM respectively and 128kB of onchip RAM. These are clocked at 100MHz but can be overclocked at 140MHz with stable operation. Another drawback is with the use of commercial tools. An open-source alternative to the NIOS II such as the open-RISC from opencores will be beneficial.
     
  14. Korn16ftl3

    Korn16ftl3 Robust Member

    Wow that is all I have to say about that
     
    one_eyed_monk likes this.
  15. KaosEngineer

    KaosEngineer Robust Member

    Joined:
    Jun 7, 2016
    Messages:
    227
    Likes Received:
    98
    The only Xbox version that has 5Vdc standby power is the 1.6 all other versions have 3.3Vdc standby power.

    See Xbox Power Supply Pinouts
     
    Last edited: Oct 14, 2017
    one_eyed_monk likes this.
  16. one_eyed_monk

    one_eyed_monk Active Member

    I will try to make do with the 3.3V standby supply since this will provide a possible way of initializing the modchip before the xbox powers on. This will make possible a uSD card only xbox modchip.
     
  17. one_eyed_monk

    one_eyed_monk Active Member

    BTW, all my designs are based on the VHDL source I released above.
     
  18. Korn16ftl3

    Korn16ftl3 Robust Member

    Would there be a way to increase the voltage from 3.3v to 5v? Just as a thought
     
  19. one_eyed_monk

    one_eyed_monk Active Member

    Yes, there are many options. My favorite will be to use a buck-boost converter chip like the ones that are used in lithium ion powered battery devices. You will have to make sure you do not exceed the current rating of the 3.3V standby supply.
     
  20. Korn16ftl3

    Korn16ftl3 Robust Member

    Like I said it was just a thought I'm not 100% certain how complex you want your project to be so I figured I would just throw the idea out there
     
    Last edited: Oct 15, 2017
