Older News
2002-07-16
Filtror is now with two other people working on the Linux BIOS effort
and they both seem pleased. It is downloading the ROM image in less
than six seconds and providing debugging IO as intended, all part of the
Makefile. Above is a shot of the Filtror terminal emulator embedded
into the KDE Kate app, showing the Debugging app running in the X-Box bootrom.
2002-07-15
Been very busy getting filtror working for the other people working
on the Linux BIOS. But, not too busy to make a new information page
about debugging prototypes.
2002-07-10
A new project is brewing, Jektor. This is a
software extension to milk designed to interpret an SVF (Serial Vector
Format) file and spew it out to a Xilinx parallel cable (or Cheaptag equivalent)
in realtime. Well, what's so cool about that? Xilinx does it
already! It does it under Linux, where there is currently no
good solution for this functionality, even under Wine. Jektor will
allow people to run their Xilinx tools entirely under Linux (see Josh's HOWTO for
getting the main software to run under Linux), or allow people who are just
consuming .jed files to program them under Linux. The existing Xilinx
tools are capable of converting a .jed file to an SVF file for a particular chain
of devices.
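Jektor's job is to read SVF statements and drive the cable accordingly. As an added illustration, not Jektor's, Xilinx's or any other project's code, here is a minimal SVF reader in Python: it splits a file into statements, decodes SIR/SDR scan vectors (TDI with optional TDO and MASK), produces the bit order a cable driver clocks out, and checks a captured TDO value against the expected one under the mask, which is the core check any SVF player has to perform before it can report a programming step as verified. The SVF text embedded below is constructed for the example and does not describe a real device chain; the mask default is a simplification noted in the code.

```python
"""Minimal SVF (Serial Vector Format) reader: statements, scan vectors and
the TDO/MASK comparison an SVF player performs on captured data."""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample for this example; not a real device's SVF file.
SVF_SAMPLE = """\
! comments run to end of line
TRST OFF;
ENDIR IDLE;           // end state after an SIR
ENDDR IDLE;
FREQUENCY 1E6 HZ;
STATE RESET;
SIR 8 TDI (FE);
SDR 32 TDI (00000000) TDO (F9604093) MASK (0FFFFFFF);
RUNTEST 100 TCK;
"""


@dataclass
class Scan:
    kind: str            # "SIR" (instruction register) or "SDR" (data register)
    length: int          # number of bits to shift
    tdi: int             # bits clocked into the chain; LSB is shifted first
    tdo: Optional[int]   # expected capture, or None when no check was requested
    mask: int            # 1 bits select which captured TDO bits are compared


def strip_comments(text: str) -> str:
    """Remove '!' and '//' comments, which run to the end of the line."""
    return "\n".join(re.sub(r"(!|//).*", "", ln) for ln in text.splitlines())


def split_statements(text: str) -> List[str]:
    """SVF statements end with ';' and may span several lines."""
    return [" ".join(s.split()) for s in strip_comments(text).split(";") if s.strip()]


_HEX_FIELD = re.compile(r"\b(TDI|TDO|MASK|SMASK)\s*\(\s*([0-9A-Fa-f\s]*)\)")


def parse_scan(stmt: str) -> Scan:
    """Decode 'SIR|SDR <len> TDI (hex) [TDO (hex)] [MASK (hex)] [SMASK (hex)]'."""
    m = re.match(r"(SIR|SDR)\s+(\d+)\s+(.*)$", stmt)
    if not m:
        raise ValueError(f"not a scan statement: {stmt!r}")
    kind, length, rest = m.group(1), int(m.group(2)), m.group(3)
    fields = {k: int(re.sub(r"\s", "", v) or "0", 16) for k, v in _HEX_FIELD.findall(rest)}
    if "TDI" not in fields:
        raise ValueError(f"scan without TDI: {stmt!r}")
    all_ones = (1 << length) - 1
    for k, v in fields.items():
        if v > all_ones:
            raise ValueError(f"{k} value wider than {length} bits in {stmt!r}")
    # Simplification (assumption): a TDO with no MASK compares every bit.
    # The SVF spec additionally remembers the previous MASK for the same length.
    return Scan(kind, length, fields["TDI"], fields.get("TDO"), fields.get("MASK", all_ones))


def parse_svf(text: str) -> List[Tuple]:
    """Return (command, payload) pairs: scans carry a Scan record, every
    other command keeps its argument text for the player to act on."""
    out = []
    for stmt in split_statements(text):
        cmd = stmt.split()[0].upper()
        if cmd in ("SIR", "SDR"):
            out.append((cmd, parse_scan(stmt)))
        else:
            out.append((cmd, stmt[len(cmd):].strip()))
    return out


def tdi_bits(scan: Scan) -> List[int]:
    """Bit sequence in the order a cable driver clocks it out: LSB first."""
    return [(scan.tdi >> i) & 1 for i in range(scan.length)]


def tdo_matches(scan: Scan, captured: int) -> bool:
    """Compare the captured TDO value with the expected one under the mask."""
    if scan.tdo is None:
        return True
    all_ones = (1 << scan.length) - 1
    return (captured & scan.mask & all_ones) == (scan.tdo & scan.mask & all_ones)


if __name__ == "__main__":
    for cmd, payload in parse_svf(SVF_SAMPLE):
        print(cmd, payload)
```

A real player would feed `tdi_bits()` to the parallel-cable driver one TCK at a time and collect the TDO pin into the `captured` integer in the same LSB-first order; a failed `tdo_matches()` on a verify scan is how a bad programming pass is detected rather than silently accepted.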
Assuming I can get Josh's scripts working, the number of apps that
tie me to having Windows at all is down to two. And I have experiments
in mind for one and definite plans for the other.
Also, the first Filtror has been dispatched to MIST64. The
second Filtror will go out to anonymous tomorrow. We live in exciting
times!
2002-07-09
Added a tutorial on soldering surface mount devices (see above).
2002-07-08
Filtror works great! - today I was able to load it
from a console in Linux, and have it restart the X-Box automatically.
Downloads 1MByte in 6 seconds; run a script and six seconds later
your code is up and running on the box. I was additionally able to
read from the Filtror memory from the PC while the X-Box was executing
from it :-) Below is the PC reading back from memory where a message
has been copied by the X-Box app.
[root@spandex lmilk]# ./lmilk -f -s 20 -a ff00f000
Milksop GPL Reflasher - 0.3 - (c)2002 andy@warmcat.com
FILTROR on printer port at 0x378
000000: 48 65 6C 6C 6F 20 66 72 6F 6D 20 46 69 6C 74 72
000010: 6F 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00
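The readback above can be checked mechanically rather than by eye. The following added example (it is not part of lmilk or of the Filtror project) parses the dump format lmilk prints, an offset followed by sixteen hex bytes per line, verifies that the line offsets are contiguous, and recovers the NUL-terminated string the X-Box application copied into Filtror memory. The embedded dump text is a copy of the two lines shown above.

```python
"""Parse the hexdump lmilk prints when reading Filtror memory back from the
PC and recover the NUL-terminated message left there by the X-Box side."""
import re

# Copy of the readback shown above (banner lines included so the parser
# has to skip them); constructed as test input for this example.
LMILK_DUMP = """\
Milksop GPL Reflasher - 0.3 - (c)2002 andy@warmcat.com
FILTROR on printer port at 0x378
000000: 48 65 6C 6C 6F 20 66 72 6F 6D 20 46 69 6C 74 72
000010: 6F 72 00 00 00 00 00 00 00 00 00 00 00 00 00 00
"""

# "<6 hex digit offset>: <two hex digits> <two hex digits> ..."
_DUMP_LINE = re.compile(r"^([0-9A-Fa-f]{6}):((?:\s+[0-9A-Fa-f]{2})+)\s*$")


def parse_dump(text: str) -> bytes:
    """Return the dumped bytes, refusing a dump whose offsets are not contiguous."""
    buf = bytearray()
    for ln in text.splitlines():
        m = _DUMP_LINE.match(ln.strip())
        if not m:
            continue  # banner or blank line, carries no data
        offset = int(m.group(1), 16)
        if offset != len(buf):
            raise ValueError(f"line offset {offset:#x} but {len(buf)} bytes read so far")
        buf.extend(bytes.fromhex(m.group(2).replace(" ", "")))
    return bytes(buf)


def c_string(data: bytes, start: int = 0) -> str:
    """Decode the NUL-terminated ASCII string beginning at 'start'."""
    end = data.find(b"\x00", start)
    if end < 0:
        raise ValueError("no terminating NUL inside the dump")
    return data[start:end].decode("ascii")


if __name__ == "__main__":
    payload = parse_dump(LMILK_DUMP)
    print(len(payload), "bytes;", repr(c_string(payload)))
```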
There are still some hurdles to overcome on the X-Box side to do
with caching; to get the test above to work I turned off all caching
at the CPU (otherwise the X-Box can never see the changed data as
it reads it from the cache each time). Obviously what is needed
is a way to use the GDT to turn off caching for one 4K page.
I do not have any experience with this but ozpaulb is helping out.
2002-07-04
PCBs for Filtror and Linux Powered Chip arrived yesterday, unfortunately
some parts from Farnell did not, should have them today. Filtror
successfully configured its own CPLD from its own printer port however,
that's very encouraging, working on the PC-side code while waiting for
the SRAMs. Updated several pages with new photos.
Filtror and CheapLPC both use milk.exe/linuxmilk to operate. I
will probably give this app its own page on the website and will be issuing
an update soon.
I examined the SST LPC 49LF020A flash datasheet more carefully,
and the news is not good: it will not respond to the addresses that
the X-Box issues. This would explain why we are not seeing any
direct LPC flash mods around. There are other manufacturers; we
must see how the land lies there. Someone as good as told me all
this before I looked at the datasheet, I think Surferdude, I am really
confirming what I was already told.
Expect good and amusing news from the Linux Project soon :-)
2002-07-02
CheapLPC project completed tonight - have added schematic, will
add more details on construction tomorrow. Tested successfully
by dumping contents of Milksop in LPC mode back to PC.
2002-07-01
Filtror PCBs due back Wednesday 2002-07-03... new Cheaptag project
allows anyone to program/reprogram Xilinx CPLDs, removing an obstacle
from people wanting to 'roll their own'.
At the last moment I added a quick LPC CPLD/flash design to be
made at the same time as Filtror, which I have christened ''Linux Powered
Chip''. People are looking at direct interface of LPC flashes,
which I expect will work; as of today they do not seem to be available
though. Visor has already made such a beast, Zeb Crusaders tells
us he is working on one; however I do not think these support LPC Writes
to the flash, nor is their status open-source-wise clear. So even
though I have some expectation the need for such a design is transient,
I have gone ahead with it anyway.
2002-06-26
The Filtror (fil-tror) project has started. See
the link at the top of the page for more details.
2002-06-25
Today I completed a Linux version of the milksop driver
app, called linuxmilk. An RPM and the sources are available from
the Project page. I also updated the Windows version to be in accordance
with Linux command prompt styles.
After a conversation with MIST on XBOXHACKER it looks like I
will be starting on a new LPC-related project shortly. More information
tomorrow.
2002-06-24
Milksop has been working great here allowing me to examine
the insides of the X-Box. Last week I was able to put together
a minimum clean BIOS and take control of the X-Box for the first time,
such that it will not auto-reboot. Admittedly all this 'first
BIOS' can do right now is flash the front panel LED in a new and interesting
way, but it proves there are no great pitfalls to taking control of the
X-Box from the BIOS. There is a discussion going on at the moment
over on XBOXHACKER about the legality of including any MS code at all
in a 'clean' BIOS, I hope this can be resolved to everyone's satisfaction.
I have also updated the project page with some hints on assembling
the PCB and details of the steps needed to program the flash. At
least two groups are talking about getting some boards made so I hope
this will be of assistance.
2002-06-17
LPC read mode working too
I can now boot my X-Box from the LPC connector with
Milksop while the regular flash is disabled by holding flash D0 to
0V. So in this sense the Milksop project is now completed successfully.
There is nothing to suggest there is anything different about
LPC mode compared to regular flash mode as far as the X-Box is concerned,
it takes the same flash image and no doubt performs the same verification
steps.
Note: The LPC mode and the forcing mode are different CPLD
configurations. This is because the 95108 is not large enough
to take all of the logic required; the forcing mode logic alone fills
it around 90%. For me this is fine because they are two separate
areas of investigation. The only compatible alternative is the
95144, I am not sure all the logic will fit in a device that is only 30%
larger.
The future
It's clear that as soon as it is possible to boot genuinely
clean code and have proper control of the X-Box, it will become possible
to reprogram the regular flash from the LPC connector, without requiring
the TSOP test header. All you will need to do is make the link on
the rear of the motherboard to allow MPC control of the flash nWE, (or
at a pinch we could even synthesize our own synchronized flash nWE signal)
and connect to the LPC header for less than a minute, perhaps using sprung
loaded probes.
(note added 2002-07-01:
visor reported that when booting from LPC the LPC interface seems to replace
the regular flash interface such that accesses to the regular flash addresses
select LPC instead. It is not known how to defeat this at the moment.
Until it is discovered how to re-select the regular flash, a milksop
is the only way to reprogram the flash in-situ).
It's also clear that the next generation of LPC modchips will
be much friendlier to fit than the first, and that they will work fine.
You will only have to connect to one testpad or TSOP leg, and solder
a dozen or so wires into the large LPC pads. If you were thinking
of buying a physical modchip, I would strongly suggest you wait. (or
use a Milksop).
What I would like to do next is to assist the software hackers
trying to create a clean BIOS. I am open to suggestions about
how I can be of assistance, especially in the area of the proven hardware
assets from Milksop.
Milksop availability
Milksop is a GPL'd project, that is, it is open source hardware,
firmware and software. You are welcome to make your own copies
of it free of charge under the GNU General Public License. You must abide by
the terms of the GPL if you do so, that means making public any modifications
or enhancements.
I have been requested by several people to manufacture more
Milksops, I will give it some thought, but I don't think it can be
done at a reasonable price by me.
Flash block protection in use?
Some strange information from Zeb Crusaders on XBOXHACKER.
In his first post he seemed (to my at that time inebriated eyes)
to suggest that the X-Box factory in Hungary was clipping nOE or nCE
off the TSOP body now, which I don't believe can ever be the case. Later
reading, and a second post from him (apologies if there is such a thing
as a female Zeb Crusader) instead made it sound like they were setting
the flash protection bits. I can confirm that on my X-Box the flash
protection bits were clear.
If this is so, and new X-boxes will have their flash write
protect enabled, I believe it will only require a track cutting on
Milksop, the addition of a diode and a wire to hook to 12V from the XBOX
to add the ability to defeat the protection. The Milksop software
reads the protection status and reports it, if there are any indications
the protection is set I will test my proposed addition and publish the necessary
details.
2002-06-16
Milksop TSOP forcing works great!
At 20:00 BST tonight Milksop
successfully reprogrammed its first X-Box TSOP flash in-situ, using the
forcing technique! Total erase/program and verify time is <45
seconds.
No heating was observed on the Milksop, MCPX or the flash. I tested
it a further five times in a row without errors. It works!
Next I will be attempting to get the Milksop private flash to appear
in the LPC memory. I am very encouraged now that the milksop project
has achieved its original goal :-D
2002-06-15
Milksop lives
The board actually arrived yesterday afternoon. I have used
Swift Circuits in Wales for several
years now; they are reasonably priced and have been very reliable. How
often do you hear a fast-turnaround PCB arrives a day earlier than you ordered?
Excellent.
I spent yesterday and today building and debugging my soldering.
Here is the board built up as far as it is today:
And here it is inside my X-box, in its temporary protective case:
It is hooked into the LPC connector right now just to get power.
Well - does it work?
The news so far:
I am able to erase, program, verify and readback
the flash on the Milksop from the PC as intended. Because the
onboard flash uses the same signals as used to force the host flash, and
I used the same 8Mbit ST TSOP flash as is on the X-box, this encourages me
greatly. I have to spend most of the rest of the weekend with my family,
but I hope to have more news to report tomorrow evening.
Intel Qx3 as a PCB debugger
I have been using an Intel Qx3 microscope with some success to check
my fine-pitch soldering. Here are two examples. The first is
a 1206 respack at x60
The second shows a solder bridge on two TSOP pins at x60 that was completely
invisible to the naked eye:
2002-06-14
More I2C
I added one more scenario to the I2C captures, which is when D0 on
the flash bus is held low. I also cut'n'pasted some code from Jarin
the Penguin demonstrating I2C from the X-Box side.
They wanted to go here today
I note from my web logs I am getting some hits from microsoft.com.
Who knows, perhaps these are merely individuals interested in blowing
Linux on their box, billg, for example. In any event I am honoured,
the X-Box guys did a nice job. I'm sure the security guys knew they
were just buying time; it's June and there is still no real mass-market hack,
I think you should congratulate them. Too bad you didn't let people
run their own code on it from the get-go, that would have done wonders for
the market penetration. You could still 'open the box' even now, although
who knows what you have promised the game publishers. But that's not
the way that corporate culture lets you go. The kind of person we are
shapes what we do, and what we do shapes the kind of person we are.
Turning Japanese
I also see I am being linked to from a Japanese x-box site, that tickled
me to see (at least, I think I see) Milksop being spelt out in phonetic
characters :-) I wonder what they made of it when they looked it
up in the dictionary? An old girlfriend of mine could read some Japanese.
It probably says, ''Crazy English makes stupid machine! Follow
link for grins!''
Plug
<shamelessplug>I work as a consultant, you can see my
CV (word document) if you're interested
or feel you might have a project that needs designing.</shamelessplug>
2002-06-13
visor points out on XBOXHACKER that he has in mind a watchdog that
is operating in a very narrow time window, just after the contents of the
flash are copied over. He still believes the PIC is involved in this
action (and gives credible reasons why it might be so). He further
suspects that something has to issue I2C to the PIC to call off the dogs.
This makes it important to have a reliable transcript of the I2C activity
so the sequence can be discovered and issued by a clean BIOS.
Today I have captured the entire I2C traffic during startup, shutdown
and some other scenarios, which is available for download on the X-Box page.
2002-06-12
PIC examination
After some discussion on XBOXHACKER, I took a look at the PIC device
this morning. It seems any 200ms watchdog as seen by Visor does
not live in the PIC. (2002-06-14: more precisely, it shows there
is no such watchdog generally active) See the X-Box page for more
details.
2002-06-11
I decided to split the X-box information away
from Milksop as it was threatening to overwhelm the project information.
Milksop PCB sent for manufacture
Despite a ton of last minute changes, the Milksop PCB is now being
manufactured and should be with me Saturday.
Looking at LPC
Following an email from a fellow non-US hacker, Paul Bartholomew,
I was turned on to the importance of the LPC header in the future of being
able to take control of the X-Box. You can see some more on this
in the X-Box information section.
I decided then to add an LPC interface to Milksop to allow me
to examine this interesting interface further, which I did yesterday in
time for it to be on the PCB.
Flash on Milksop
I have also added a flash to Milksop, hooked up to the same
IOs that are used for in-system programming, but with its own private
chip enable. This is so I can experiment further with hooking Milksop
up to the LPC busses pretending to be a BIOS Rom.
Power cycling from Milksop
I also added optional circuitry to cause the X-Box to turn itself
off and on again quickly under PC control - this would automate execution
of newly loaded code, and is very useful for developers. Two wires
are required to be soldered to the front panel if you want to use this.
One-chip BIOS hack possible?
Paul Bartholomew also pointed me in the direction of several LPC-interface
Flash chips that are out there. These have been designed to go on
PC motherboards as a BIOS; they are able to use smaller packages with LPC
and there are other benefits to having an LPC-centric motherboard (which
is why Intel designed it).
One of these, the SST 49LF080A, looks like it would interface to the
LPC header just fine, with no other chips required. I would imagine
this is the basis of the 12-wire modchips being talked about.
For what it's worth, by changing the CPLD program on Milksop, it should
be able to read and program these devices over their LPC bus by hooking
them up to the Milksop LPC bus.
Kinds of BIOS replacement
It seems there are two kinds of BIOS replacement desired, one that
still allows execution of XBEs and one that is a complete brain transplant
for booting into Linux. I am firmly in the second camp, I do not
even have any games (legit or otherwise) for my X-Box, in fact, it has never
been run with its IDE devices in :-) That's why Milksop's focus is
to reprogram the flash on the motherboard.
The future options seem to be:
1) testpad modchip like we have at present - nightmare to fit, I think
soon to be dead
2) LPC modchip - moderately easy to fit
3) LPC modchip used to take control, run code to reprogram X-Box's
own flash, then removed - using springloaded testpins this would be quite
simple, only two wires needed (D0 pulldown and to connect MCP nWR to flash
nWR)
4) Some kind of unknown software hack via a signed DVD or one exploiting
a hole to take control
5) and of course a Milksop-style flash 're-education'
Improving the Milksop drive circuitry
Following the work determining Rdson in the X-Box and the CPLD,
I was worried that simultaneously overriding 20 signals from the same
CPLD might prove too much for its ground level, causing glitches in the
digital logic in the CPLD. So I decided to change the design to use
an external tristate buffer of some kind. I checked the performance
of several kinds of N-channel drivers, for example the 74HC125 I looked
at turned out to have an N-channel Rdson of 25R, double that of the CPLD!
In the end I chose the 74LVX4245 octal level translator, for its robustness
(it is designed for PCMCIA slots), voltage translation (so now we have true
3.3V levels) and amazing Rdson of 4.5R at 5V and 5.5R at 3.3V, half that
of the CPLD. So with this in mind I added the new drivers, series
resistors to correct for the very low drive resistance if necessary, and
pulldowns for ESD ruggedizing.