Xbox360TsopMemoryLayout

From EurAsiaWiki

Main Page | Recent changes | View source | Page history | Log in / create account |

Special pages Double redirects Broken redirects Disambiguation pages Log in / create account Preferences My watchlist Recent changes Upload file File list Gallery of new files User list Statistics Random page Orphaned pages Uncategorized pages Uncategorized categories Uncategorized files Uncategorized templates Unused categories Unused files Wanted pages Wanted categories Most linked to pages Most linked to categories Most linked-to templates Pages with the most categories Most linked to files Pages with the most revisions Pages with the fewest revisions Short pages Long pages New pages Oldest pages Dead-end pages Protected pages Protected titles All pages Prefix index List of blocked IP addresses and usernames User contributions What links here Book sources Categories Export pages Version System messages Logs MIME search List redirects Unused templates Random redirect Pages without language links File path Popular pages Search

Printable version | Disclaimers | Privacy policy
Category: Xbox360

---

garyopa @ http://www.xboxhacker.net/index.php?topic=2701.0

The 16mb NAND flash is not completely encrypted, it basically is a Microsoft compressed ROMDISK system.

It contains a small header, then a "encrypted" loader, and then a number of stored files in a "compact flash" file system, these files match byte for byte the updated files in the "system_update", and are basically the dashboard files in stored signed-XEX2 file format.

---

FLASH ROM 16MB LAYOUT
---------------------

640K FIXED COMMON BIOS PART (1/2)
---------------------------------
>000000 = 4K COPYRIGHT HEADER
>001000 = SMC encrypted code --- Southbridge code, always starts here.
>008000 = "CB" encrypted code --  Bootup cpu code, always starts here.
>00E5E0 = "CD" encrypted code --  Sometimes starts at this address: >0E1E0
>013CD0 = "CE" encrypted code --  Sometiems starts at this address: >138D0
>06C000 = "CF" kernal original    ---  Base x360 kernal, always starts here.
>0704C0 = "CG" kernal original   --- THIS four parts are still encrypted as same as the rest above.
>07C000 = "CF" kernal live ver   ---  JUST the two parts are the "BASE" shipped factory version.
>0804C0 = "CG" kernal live ver   --- And the bottom two are the same until updated by "LIVE"

First a 4K header always the same, nothing special.

Then we have a 28,672 byte chunk of code starting at >1000,
which looks encrypted and for the SMC, but for some reason
it is interchangable between systems, even tho it is different on each dump.

Then we have two small chunks with headers of CB and CD,
which look like start-up code for the CPU, also different in every dump,
and first CB is sometimes 26,080 bytes long and on other dumps it is 25,056 bytes long
(why?, Pal, Core, more info on the dumps are needed first), and the second CD is always 22,256 bytes long.

Next we have the main kernal with a header of CE,
which is the brain behind the dashboard, and is always 352,368 bytes long.

The last two sections CF and CG are patches or updates to the main kernal.
Sometimes there is none (factory fresh, no games played or live updates),
so the flash will have no CF and CG chunks, then first two appear (most likely from game discs),
and then more appear (most likely from live updates).

But the CF and CG always appear in chunks of two, and never see more than four in total so far.

The first CF is always 17,600 bytes long and the second CG is always 47,936 bytes long.

The CF chunk has a 32 byte headers on the front of it.
(I guess to tell the system where to patch into the main chunk)

The CB, CD, CE chunks only have 16 byte headers in them.

These headers contain length of the chunk plus a memory starting address for the CPU,
plus a build value/version like "1888", etc.

The CE chunk also has at the end a 6 byte CRC checksum, whereas the others don't.

15200K VARIABLE FILE STORAGE AREA
---------------------------------
(Always start at location :A0000)
(But can vary at anytime/updated)
(Think of like a 15MB Hard Drive)
>0A0000 = mfgbootlauncher.xex
>0AC000 = xam.xex
>1D8000 = bootanim.xex
>23C000 = hud.xex
>25C000 = signin.xex
>268000 = friends.xex
>284000 = vk.xex
>2A0000 = updater.xex
>2A8000 = feedback.xex
>2BC000 = deviceselector.xex
>2C4000 = voicemail.xex
>2DC000 = minimediaplayer.xex
>2E8000 = marketplace.xex
>30C000 = quickchat.xex
>314000 = gamerprofile.xex
>328000 = createprofile.xex
>5F8000 = ximedic.xex
>688000 = dash.xex
>904000 = hudiskin.xex

(Rest of needed files, files are splited into three parts)
(Since less than 512K of RAM is available for programs)
(A bank-switching system is in placed for large XEX's)
(Common XEX code, then part1, then part2, and so on)
(Never seen a part3, but it could be possible in future=)=

>924000 = (xex2 file)
>928000 = (xex2 file)
>930000 = (xex2 file)
>934000 = (xex2 file)
>A18000 = (xex2 file)
>A1C000 = (xex2 file)
>A20000 = (xex2 file)
>A2C000 = (xex2 file)
>A34000 = (xex2 file)
>A38000 = (xex2 file)
>A3C000 = (xex2 file)
>A48000 = (xex2 file)
>A4C000 = (xex2 file)
>A50000 = (xex2 file)
>A54000 = (xex2 file)
>A58000 = (xex2 file)
>A5C000 = (xex2 file)
>A64000 = (xex2 file)
>A68000 = (xex2 file)
>AB8000 = (xex2 file)
>AC8000 = (xex2 file)
>ACC000 = (xex2 file)
>AD4000 = (xex2 file)
>AD8000 = (xex2 file)
>BBC000 = (xex2 file)
>BC0000 = (xex2 file)
>BC4000 = (xex2 file)
>BD0000 = (xex2 file)
>BD4000 = (xex2 file)
>BDC000 = (xex2 file)
>BE0000 = (xex2 file)
>BEC000 = (xex2 file)
>BF0000 = (xex2 file)
>BF4000 = (xex2 file)
>BF8000 = (xex2 file)
>BFC000 = (xex2 file)
>C00000 = (xex2 file)
>C04000 = (xex2 file)
>C08000 = (xex2 file)
>C58000 = (xex2 file)
>C7C000 = (xex2 file)
>C84000 = (xex2 file)
>C8C000 = (xex2 file)
>C90000 = (xex2 file)
>E58000 = (xex2 file)
>E5C000 = (xex2 file)
>E64000 = (xex2 file)
>E74000 = (xex2 file)
>E7C000 = (xex2 file)
>E84000 = (xex2 file)
>E88000 = (xex2 file)
>E98000 = (xex2 file)
>E9C000 = (xex2 file)
>EA0000 = (xex2 file)
>EA8000 = (xex2 file)
>EB0000 = (xex2 file)
>EB4000 = (xex2 file)
>EBC000 = (xex2 file)
>EC8000 = (xex2 file)
>F38000 = (xex2 file)
>F3C000 = Flash   LAYOUT (1/4)
>F3C200 = Filename TABLE (1/4)
        - mfgbootlauncher.xex
        - xam.xex
        - bootanim.xex
        - hud.xex
        - signin.xex
        - friends.xex
        - vk.xex
        - updater.xex
        - feedback.xex
        - deviceselector.xex
        - voicemail.xex
        - minimediaplayer.xex
        - marketplace.xex
        - quickchat.xex
        - gamerprofile.xex
        - createprofile.xex
>F3C400 = Flash   LAYOUT (2/4)
>F3C600 = Filename TABLE (2/4)
        - xenonjklatin.xtt
        - xenonclatin.xtt
        - ximedic.xex
        - dash.xex
        - huduiskin.xex
        - sysupdate.xexp1
        - aac.xexp1
        - bootanim.xexp1
        - createprofile.xexp1
        - dash.xexp1
        - deviceselector.xexp1
        - feedback.xexp1
        - friends.xexp1
        - gamerprofile.xexp1
        - hud.xexp1
        - huduiskin.xexp1
>F3C800 = Flash   LAYOUT (3/4)
>F3CA00 = Filename TABLE (3/4)
        - marketplace.xexp1
        - mfgbootlauncher.xexp1
        - minimediaplayer.xexp1
        - quickchat.xexp1
        - signin.xexp1
        - updater.xexp1
        - vk.xexp1
        - voicemail.xexp1
        - xam.xexp1
        - XenonCLatin.xttp1
        - ximedic.xexp1
        - sysupdate.xexp2
        - acc.xexp2
        - bootanim.xexp2
        - createprofile.xexp2
        - dash.xexp2
>F3CC00 = Flash   LAYOUT (4/4)
>F3CE00 = Filename TABLE (4/4)
        - deviceselector.xexp2
        - feedback.xexp2
        - friends.xexp2
        - gamerprofile.xexp2
        - hud.xexp2
        - huduiskin.xexp2
        - marketplace.xexp2
        - mfgbootlauncher.xexp2
        - minimediaplayer.xexp2
        - quickchat.xexp2
        - signin.xexp2
        - updater.xexp2
        - vk.xexp2
        - voicemail.xexp2
        - xam.xexp2
        - XenonCLatin.xttp2
>F3D200 - ximedic.xexp2 (ENTRY)

544K FIXED COMMON BIOS AREA (2/2)
---------------------------------
>F78000 - SETTINGS
>F78600 - ZERO
>F7C000 - TABLE
>F7C200 - SETTINGS
>F7C600 - ZERO
>F80000 - 512K EMPTY SPACE

Little tidbit, what is the "paddnu" at the end of the flash section, starting at >F7C000,
it is different on all dumps of the flashrom. It is a checksum of the stored files?

Would like to dump the flashrom on original untouch system, then update the dashboard,
and see if "numbers" at >F7C000 changes.

---

View source | Discuss this page | Page history | What links here | Related changes


This page has been accessed 1,305 times. This page was last modified 08:06, 16 February 2010.
Main Page | About EurAsiaWiki |

 

Check the EurAsia Online Shop for your hardware modding needs.