POST Codes: Difference between revisions
(Created page with "<div style="background-color:#e7eef6; border: 1px solid #ccc; color:#000; margin-top: 15px; margin-bottom: 10px; padding: 8px; text-align:center;"> This is a mirror of the RGL...") |
No edit summary |
||
Line 1: | Line 1: | ||
<div style="background-color:#e7eef6; border: 1px solid #ccc; color:#000; margin-top: 15px; margin-bottom: 10px; padding: 8px; text-align:center;"> | <div style="background-color:#e7eef6; border: 1px solid #ccc; color:#000; margin-top: 15px; margin-bottom: 10px; padding: 8px; text-align:center;"> | ||
This is a mirror of the RGLoader Forums' POST Codes wiki page located at https://www.xdevwiki.tk/index.php?title=POST_Codes | This is a mirror of the RGLoader Forums' POST Codes wiki page located at https://www.xdevwiki.tk/index.php?title=POST_Codes with some modifications. | ||
</div> | </div> | ||
Revision as of 16:05, 4 August 2020
This is a mirror of the RGLoader Forums' POST Codes wiki page located at https://www.xdevwiki.tk/index.php?title=POST_Codes with some modifications.
POST stands for power on self test. Its a bus created to help debug the xbox boot up process. In the bootloaders there is code that updates the number represented by the bus so it is possible to see at which point the bootloader is executing and where it hangs if an error occured.
The reset glitch hack uses the post codes to track the progress of initialization and know when to assert the reset signal. In RGH1, it waits for when the second bootloader(CB) starts verifying the integrity check of the hash of the fourth bootloder(CD). When the bootloaders were updated starting on 14717, they removed the post codes from the bootloaders and added a few tricks like random delays to prevent glitchers from being able to tell when the xbox is checking the hash.
Pinout
On Phat consoles the pinout is as follows:
DBG_WN_POST_OUT0/BIT7 | FT6U8 |
DBG_WN_POST_OUT1/BIT6 | FT6U2 |
DBG_WN_POST_OUT2/BIT5 | FT6U3 |
DBG_WN_POST_OUT3/BIT4 | FT6U4 |
DBG_WN_POST_OUT4/BIT3 | FT6U5 |
DBG_WN_POST_OUT5/BIT2 | FT6U6 |
DBG_WN_POST_OUT6/BIT1 | FT6U7 |
DBG_WN_POST_OUT7/BIT0 | FT6U1 |
Voltage levels are 1.2 on phat, and 1.8 on slim
Diagram FAT
Diagram Slim
Reading the POST bus
The POST bus holds the last code's bits all the time, so if the xbox crashes it may hold the error it ended at. To read a failed post code, you can do it with simple multimeter. To assemble bits to the byte, join them together like that (BIT ORDER 76543210):
For Example: bit7,bit6,bit5,bit4,bit3,bit2,bit1,bit0 00111010 = 0x3A = CD auth success
If you want a full sequence of post bits as the xbox initializes you will need a POST monitor/sniffer. You can either build your own or use a glitch chip like the CR Pro that comes with it.
Example: http://rgloader.spiffy360.com/thread-90.html
Writing to the POST Bus
To write a value to the post bus, you simply write the byte value to a register and shift it left by 56 bits. Then store the value into the real memory address 0x8000 0200 0006 1010
; load address into r3 li %r3,0x200 # r3 = 0x200 (load immediate) oris %r3,%r3,0x8000 # r3 = 0x80000200 (or immediate shifted) sldi %r3,%r3,32 # r3 = (r3 << 32) ... r3 = 0x8000020000000000 (shift left double immediate) oris %r3,%r3,6 # r3 = 0x8000020000060000 (or immediate shifted) ori %r3,%r3,0x1010 # r3 = 0x8000020000061010 (or immediate) ; write POST code li %r4, 0x12 (load immediate, post code to be output) sldi %r4, %r4, 56 (shift left double immediate by 56, to get the byte to the far end) std %r4, 0(%r3) (store double, in r4 into address held by r3)
The address is given in real mode, so you need to be careful when paging is enabled.
Meaning of different POST Codes
Domain | POST Code | Description |
---|---|---|
JTAG payload | ||
0x10 | Payload started | |
0x11 | Payload has copied XeLL to the RAM from NAND and executed it | |
1BL | ||
0x10 | 1BL started | |
0x11 | Execute FSB function1 | |
0x12 | Execute FSB function2 | |
0x13 | Execute FSB function3 | |
0x14 | Execute FSB function4 | |
0x15 | Verify CB offset | |
0x16 | Copy CB header from NAND | |
0x17 | Verify CB header | |
0x18 | Copy CB into protected SRAM | |
0x19 | Generate CB HMAC key | |
0x1A | Initialize CB RC4 decryption key | |
0x1B | RC4 decrypt CB | |
0x1C | Generate hash of CB for verification | |
0x1D | RSA signature check of CB hash | |
0x1E | Jump to CB | |
0x81-0x8F | Panic codes | |
0x91 | Panic | |
0x92 | 1BL is executed on wrong CPU thread (panic) | |
0x93 | 1BL is executed on wrong CPU core (panic) | |
0x95 | CB offset verification failed | |
0x96 | CB RSA signature verification failed | |
CBA/2BL (splitCB) | ||
0xD0 | CB_A entry point, copy self to 0x8000.0200.0001.C000 and continue from there | |
0xD1 | Copy fuses from SoC for CBB decryption | |
0xD2 | Verify CBB offset | |
0xD3 | Copy CBB header from NAND for verification | |
0xD4 | Verify CBB header | |
0xD5 | Copy CBB into memory at 0x8000.0200.0001.0000 (old location of CBA) | |
0xD6 | Create HMAC key for CD decryption | |
0xD7 | Initialize CD RC4 key using HMAC key | |
0xD8 | RC4 decrypt CD | |
0xD9 | Compute hash of CD for verification | |
0xDA | MemCmp computed hash with expected one (where rgh2 glitches) | |
0xDB | Jump to CBB | |
0xF0 | CBB offset verification fail | |
0xF1 | CBB header verification fail | |
0xF2 | CBB security hash comparison fail | |
0xF3 | CBB size check fail (must be less than 0xC000) | |
CBB/2BL | ||
0x20 | CB entry point, initialize SoC | |
0x21 | Initialize secopt, verify lockdown fuses | |
0x22 | Initialize security engine | |
0x23 | Undocumented Subroutine Start | |
0x2E | Hardware initialization | |
0x2F | Setup tlb entries, relocate to ram | |
0x30 | Verify CD offset | |
0x31 | Copy CD header from NAND for verification | |
0x32 | Verify CD header | |
0x33 | Copy CD from nand | |
0x34 | Create HMAC key for CD decryption | |
0x35 | Initialize CD RC4 key using HMAC key | |
0x36 | RC4 decrypt CD with key | |
0x37 | Compute hash of CD for verification | |
0x39 | MemCmp computed hash with expected one | |
0x3B | Initialize PCI | |
0x3A | Setup memory encryption and jump to CD | |
0x9B | Secopt fuse verification fail | |
0x9C | Secopt fuse verification fail2 | |
0x9D | Secopt fuse verification console type? fail | |
0x9E | Secopt fuse verification console type? fail | |
0x9F | Secopt fuse verification console type? fail | |
0xA0 | CB revocation check failed | |
0xA1 | Panic after 0x21 | |
0xA2 | Panic after 0x21 | |
0xA3 | Panic after 0x21 | |
0xA4 | Failed SMC HMAC | |
0xA9 | ||
0xAA | Failed to verify CD offset | |
0xAB | Failed to verify CD header | |
0xAD | CD security hash comparison fail | |
0xAE | CB exception, unknown interrupt vector | |
0xB0 | Secopt fuse verification console type? fail | |
CD/4BL | ||
0x40 | Entrypoint of CD, setup memory paging | |
0x41 | Verify offset to CE | |
0x42 | Copy CE header from NAND for verification | |
0x43 | Verify CE Header | |
0x44 | Read CE from nand into memory | |
0x45 | Create HMAC key for CE decryption | |
0x46 | Initialize CE RC4 key using HMAC key | |
0x47 | RC4 decrypt CE | |
0x48 | Compute hash of CE for verification | |
0x49 | MemCmp computed hash with expected one (where rgh1 glitches) | |
0x4B | LZX Decompress CE | |
0x4D | Decode fuses | |
0x4E | Load CF (kernel patches) offset | |
0x4F | Verify CF offset | |
0x50 | Load CF1/CG1 (patchslot1) if version & header checks pass | |
0x51 | Load CF2/CG2 (patchslot2) if version & header checks pass | |
0x52 | Startup kernel/Hypervisor | |
0xB1 | CE decryption failed | |
0xB2 | Failed to verify CE header | |
0xB3 | CE hash comparison fail | |
0xB4 | CE LZX decompression failed | |
0xB5 | CF verification failed | |
0xB6 | Fuse decryption/check failed | |
0xB7 | CF decryption failed, patches missing. | |
0xB8 | CF hash auth failed | |
CE | ||
CF | ||
0xC1 | LDICreateDecompression failed | |
0xC2 | CG size verification failed | |
0xC3 | Header / patch fragment info check failed | |
0xC4 | Unexpected LDI fragment type | |
0xC5 | LDISetWindowData failed | |
0xC6 | LDIDecompress failed | |
0xC7 | LDIResetDecompression failed | |
0xC8 | CG auth failed | |
Hypervisor | ||
0x58 | Hypervisor Initialization begin | |
0x59 | Initialize SoC MMIO | |
0x5A | Initialize XEX training | |
0x5B | Initialize key ring | |
0x5C | Initialize keys | |
0x5E | Initialize SoC Interrupts | |
0x5F | Initialization complete | |
0xFF | Fatal Error | |
Kernel | ||
0x64 | INIT_MEMORY_MANAGER | |
0x65 | INIT_STACKS | |
0x66 | INIT_OBJECT_SYSTEM | |
0x67 | INIT_PHASE1_THREAD | |
0x68 | Started phase 1 Initialization + INIT_PROCESSORS | |
0x69 | INIT_KEY_VAULT | |
0x6A | INIT_HAL_PHASE_1 | |
0x6B | INIT_SFC_DRIVER | |
0x6C | INIT_SECURITY | |
0x6D | INIT_KEY_EX_VAULT | |
0x6E | INIT_SETTINGS | |
0x6F | INIT_POWER_MODE | |
0x70 | INIT_VIDEO_DRIVER | |
0x71 | INIT_AUDIO_DRIVER | |
0x72 | INIT_BOOT_ANIMATION + XMADecoder & XAudioRender Init | |
0x73 | INIT_SATA_DRIVER | |
0x74 | INIT_SHADOWBOOT | |
0x75 | INIT_DUMP_SYSTEM | |
0x76 | INIT_SYSTEM_ROOT | |
0x77 | INIT_OTHER_DRIVERS | |
0x78 | INIT_STFS_DRIVER | |
0x79 | LOAD_XAM |