Boot Process: Difference between revisions

imported>TEIR1plus2
 
(10 intermediate revisions by 3 users not shown)
Line 1: Line 1:
This page details the boot process used in the Xbox 360. The process is slightly different between Devkit/Retail and certain boxes which have a secondary CB loader (trinity/some jaspers)
This article describes the boot sequence of the Xenon platform.


=Retail=
= Power On Process =
==1BL (Inside CPU)==
<br/>
Loads and decrypts CB(_A) into ram, it computes a RotSumSha1 of CB(_A) and uses it to verify its RSA signature. If the signature is valid, 1BL jumps to CB(_A).
<center>[[File:Bootprocess.png|1500px]]</center>
== 1BL ==
The first bootloader. This is stored in the CPU ROM and is loaded first when the console is powered on.


==CB==
== CB (aka 2BL) ==
'''SLIMS ONLY''': CB_A loads and decrypts CB_B into ram, it computes a RotSumSha1 of CB_B and checks it against the known hash. If it matches CB_A jumps to CB_B.
The second bootloader. This is decrypted/loaded by 1BL and is stored within the NAND.


CB(_B) starts up a virtual machine, which does:
RSA signed using asymmetric crypto.
<pre>
- initializes the PCI Bridge
- disables the GPU PCIE JTAG test port
- initializes the serial port
- talks to the SMC to clear the "handshake" bit
- initializes memory
- generates RROD if memory init fails
</pre>
CB(_B) loads and decrypts CD into ram, it computes a RotSumSha1 of CD and checks it against the known hash. If it matches CB(_B) jumps to CD.


Methods to dump the CB bootloaders and examples of them reversed can be found here: [[CB Code]]
== CD ==
Loaded/decrypted by CB. This loads, decrypts and decompresses CE, which contains the base kernel + base HV (Hypervisor).


==CD==
== CF ==
Loads and decrypts CE into ram, computes a RotSumSha1 of CE. If it matches the known hash, it decompresses the LZX compressed base kernel.<br />
Loaded/decrypted by CD. This loads, decrypts and decompresses CG, which contains the patches for kernel and HV. It then applies the patches and starts up the patched HV and then the patched kernel. It then boots to the dashboard.
It then checks for patch slots. If it finds one, it will load and decrypt the corresponding CF bootloader for that patch. It then computes a RotSumSha1 of CF and uses it to verify the CF loaders signature. If the signature is valid, CD stays in memory but jumps to CF.


There can be up to 2 CF/CG pairs for patching the kernel.
RSA signed using asymmetric crypto.


==CF==
= OLD ALPHA BOOT PROCESS =
Loads CG into memory by reading the CG data in the NAND header and then reads the rest of the CG data from the CG blocks specified in CF header. It then decrypts the CG in memory using the key generated from decrypting CF. To verify it, it computes a RotSumSha1 and checks it against the known hash. If it matches, it uses LZX delta decompress to apply the patch to the base kernel in memory. Once its done, it jumps back to CD and once CD has finished up, it jumps to the reset vector in the [[Hypervisor]].
This article describes the boot sequence of the PowerPC G5 starting a Xenon kernel and OS.
== Overview ==


[[Category:Xbox360 System Software]]
The PowerPC G5 has a ROM containing the openfirmware (OF) bios, as well as a NVRAM containing variables used by the openfirmware to find bootable partitions or bootloaders like yaBoot or BootX(MacOSX). Its the task of openfirmware (OF) to find and start the os.
 
The basics are:
* After CPU reset vector and cpu initialization the boot ROM stored in NVRAM provides power on self test (POST - diagnostics), and initializes enough of the system to load Open Firmware. When enough initialization has occurred to execute Open Firmware, the boot chime is played and Open Firmware is loaded.
* OpenFirmware (Init) will then probe the system's I/O buses to determine the device configuration and build a device tree.. the system will then examine the values of its enviroment variables. If the auto-boot? variable is flagged as true, the system will then read the value... and attempt to boot from that device. If additional information is required the boot-file variable is read. If the auto-boot? variable is flagged as false, the system will halt the boot process and drop to the Open Firmware user interface.
* Default Boot Device on Apple systems is "hd:,\\:tbxi". ("tbxi", tells the system to look for files of type tbxi. )
* the tbxi (bootfile) is started and from here on we follow the "Xenon" bootpath instead of the MacOSX.
 
=== Xenon boot from OF ===
In case of the Xenon Alpha, we found that a special Partition called [[XeBoot]] is at the beginning of the harddrive. This contains either or what we asume 2 files, a bootx file (like MacOSX, containing a configuration script) and a xboxroma.bin file, wich is a (stripped ?) ELF file like the MacOSx kernel. This "rom" file will start looking for the Xenon OS kernel on various devices and start it.
[[citation needed]]
Known location the xboxroma.bin is looking:
* \Device\Cdrom0\*
* \Device\Harddisk0\Partition1\xboxroma.bin
* \Device\Harddisk0\Partition1\xboxrom_update.bin
* \Device\Harddisk0\Partition3\ROM\0000\xboxroma_1mb.bin
(NT/WINworld notation) [[citation needed]](is this realy the rom, or kernel that does check if its running the latest kernel?)
 
When the latest kernel is found and started it will locate its Dashboard or XShell files and optionaly if found, start the XBDM.dll (named XBDM.XEX)
 
== Extra information ==
* OF will automatically convert "hd" into the appropriate device path, as hd is simply an alias. The notation "\\" tells the system to start searching for "blessed" folders (directories) starting on the first HFS or HFS+ partition found on the system.
 
* All versions of MacOS have a folder known as System Folder that is "blessed", and contains a MacOS Boot ROM file which is of type tbxi. The Boot ROM file is simply a stripped ELF executable image wrapped with a forth boot script.
 
* A "blessed" folder is simply one with a special attribute (or flag) set on it. The system will search all HFS partitions for a bblessed folder and a file of type tbxi within it, if none are located, the boot will fail. The system will always select the first one found, unless the boot-device is modified to a specific partition id.
 
"tbxi", tells the system to look for files of type tbxi.
 
== Openfirmware ==
To get into openfirmware, press Command (⌘) + Option (⌥) + O + F [[citation needed]]
 
=== commands in openfirmware ===
The following commands work in the openfirmware used in the Apple G5 version known to boot Xbox software
[[citation needed]] (Please check commands on real Mac and add missing helpful commands)
{| class="wikitable"
|-
! Command !! Explanation
|-
| boot [option] || boot the device stored in NVRAM variable boot or boot the given option [[citation needed]]
|-
| ls || list the current device list (handy to find if a device is found by OF and its partitions are listed) [[citation needed]]
|-
| devalias || list all current known aliases for devices [[citation needed]]
|-
| printenv || prints all currently environment variables and their default values (if available)
|-
| setenv || used to change or set an environment variable
|-
| eject cd || ejects the optical drive (if available)
|-
| reset-all || reboots the system
|-
| reset-nvram || sets up a factory defaults reset of the NVRAM on reboot
|-
| set-defaults || sets a flag that restores all defaults contained within the BootROM to the NVRAM on reboot
|}
 
=== Reverting OF into MacOSX bootable state ===
try booting macos from OF by typing:
<pre>mac-boot</pre>[[citation needed]]
If this fails, try checking if the bootdevice is actualy set by typing:
<pre>nvram boot-device</pre>[[citation needed]]
 
 
Asuming the Harddisk containing MacOSX is reinserted and NVram or Openfirmware is not able to boot macosx, try:
<pre>setenv auto-boot true</pre>[[citation needed]]
 
 
 
== Resourses ==
* [https://openfirmware.info/Welcome_to_OpenBIOS] Opensource website used by the openfirmware on the apple G5
* [https://books.google.nl/books?id=K8vUkpOXhN4C&pg=PA344&lpg=PA344&dq=macosx+bootdevice+OF&source=bl&ots=OMkhRYYw-C&sig=cATnoVTg7ShRia8tvxZr4y_cy6o&hl=nl&sa=X&ved=2ahUKEwi24oel7rLcAhUJM-wKHe9EBKQQ6AEwDnoECAQQAQ#v=onepage&q=macosx%20bootdevice%20OF&f=false] Mac OS X Internals: A Systems Approach (paperback)
* [http://mac.linux.be/content/guide-open-firmware-apple-bios-0] Guide to openfirmware on the Apple
 
 
[[Category:Xbox 360 System Software]]
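Review bot: The rewritten 1BL, CB, CD and CF paragraphs lose the verification detail that the replaced text carried. The old lines say each stage computes a RotSumSha1 of the next one and checks either an RSA signature (CB(_A), CF) or a known hash (CB_B, CD, CE, CG) before jumping; the new lines only state "RSA signed using asymmetric crypto." under CB and CF. Consider keeping those checks, the slim-only CB_A/CB_B split, the CB virtual machine init list, the note about up to 2 CF/CG pairs and the [[CB Code]] link, none of which appear in the new text. The new CF paragraph also has CF start the patched HV and kernel, whereas the old text has CF jump back to CD and CD jump to the reset vector in the Hypervisor; confirm which is correct. In the added alpha section, [[citation needed]] is written as a page link, and "Resourses", "asume", "wich" and "bblessed" need spelling fixes.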

Latest revision as of 05:22, 29 December 2018

This article describes the boot sequence of the Xenon platform.

Power On Process


Bootprocess.png

1BL

The first bootloader. This is stored in the CPU ROM and is loaded first when the console is powered on.

CB (aka 2BL)

The second bootloader. This is decrypted/loaded by 1BL and is stored within the NAND.

RSA signed using asymmetric crypto.

CD

Loaded/decrypted by CB. This loads, decrypts and decompresses CE, which contains the base kernel + base HV (Hypervisor).

CF

Loaded/decrypted by CD. This loads, decrypts and decompresses CG, which contains the patches for kernel and HV. It then applies the patches and starts up the patched HV and then the patched kernel. It then boots to the dashboard.

RSA signed using asymmetric crypto.
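
A minimal model of the verify-then-jump chain described on this page, as an added example (not code from the wiki or the console): CB and CF are checked by signature, the other stages against a digest held by the stage that loads them. Assumptions: plain SHA-1 stands in for RotSumSha1, the RSA key is a constructed toy key, the stage images are constructed byte strings, and decryption and decompression are left out.

```python
import hashlib

# Constructed toy RSA key built from two Mersenne primes: illustration only.
P, Q, E = 2**31 - 1, 2**61 - 1, 65537
N = P * Q
D = pow(E, -1, (P - 1) * (Q - 1))  # private exponent, held by the signer only

def digest(image: bytes) -> int:
    # Assumption: plain SHA-1 stands in for RotSumSha1; reduced to fit toy N.
    return int.from_bytes(hashlib.sha1(image).digest(), "big") % N

def sign(image: bytes) -> int:
    return pow(digest(image), D, N)

def signature_ok(image: bytes, sig: int) -> bool:
    return pow(sig, E, N) == digest(image)

def build_chain():
    """Constructed stage images plus the reference value each verifier holds."""
    images = {s: f"constructed {s} image".encode() for s in ("CB", "CD", "CE", "CF", "CG")}
    checks = [  # (verifying stage, stage to load, check kind, reference value)
        ("1BL", "CB", "sig", sign(images["CB"])),
        ("CB", "CD", "hash", digest(images["CD"])),
        ("CD", "CE", "hash", digest(images["CE"])),
        ("CD", "CF", "sig", sign(images["CF"])),
        ("CF", "CG", "hash", digest(images["CG"])),
    ]
    return images, checks

def boot(images, checks):
    """Walk the chain; return (stages loaded, stage that failed or None)."""
    loaded = ["1BL"]
    for verifier, stage, kind, ref in checks:
        if verifier not in loaded:       # a stage that never loaded cannot verify
            return loaded, stage
        if kind == "sig":
            ok = signature_ok(images[stage], ref)
        else:
            ok = digest(images[stage]) == ref
        if not ok:
            return loaded, stage         # halt: never jump to an unverified stage
        loaded.append(stage)
    return loaded, None

if __name__ == "__main__":
    images, checks = build_chain()
    print(boot(images, checks))          # untouched chain
    images["CD"] += b"\x00"              # one appended byte breaks CD's pinned digest
    print(boot(images, checks))
```
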

OLD ALPHA BOOT PROCESS

This article describes the boot sequence of the PowerPC G5 starting a Xenon kernel and OS.

Overview

The PowerPC G5 has a ROM containing the Open Firmware (OF) BIOS, as well as NVRAM containing variables used by Open Firmware to find bootable partitions or bootloaders such as yaBoot or BootX (Mac OS X). It is the task of Open Firmware to find and start the OS.

The basics are:

  • After the CPU reset vector and CPU initialization, the boot ROM stored in NVRAM provides the power-on self test (POST, diagnostics) and initializes enough of the system to load Open Firmware. When enough initialization has occurred to execute Open Firmware, the boot chime is played and Open Firmware is loaded.
  • Open Firmware (Init) will then probe the system's I/O buses to determine the device configuration and build a device tree. The system will then examine the values of its environment variables. If the auto-boot? variable is flagged as true, the system will then read the value... and attempt to boot from that device. If additional information is required, the boot-file variable is read. If the auto-boot? variable is flagged as false, the system will halt the boot process and drop to the Open Firmware user interface.
  • The default boot device on Apple systems is "hd:,\\:tbxi". ("tbxi" tells the system to look for files of type tbxi.)
  • The tbxi (boot file) is started, and from here on we follow the "Xenon" boot path instead of the Mac OS X one.

Xenon boot from OF

In the case of the Xenon Alpha, we found that a special partition called XeBoot is at the beginning of the hard drive. This contains what we assume are 2 files: a bootx file (like Mac OS X, containing a configuration script) and an xboxroma.bin file, which is a (stripped?) ELF file like the Mac OS X kernel. This "rom" file will start looking for the Xenon OS kernel on various devices and start it. [citation needed]

Known locations where xboxroma.bin looks:

  • \Device\Cdrom0\*
  • \Device\Harddisk0\Partition1\xboxroma.bin
  • \Device\Harddisk0\Partition1\xboxrom_update.bin
  • \Device\Harddisk0\Partition3\ROM\0000\xboxroma_1mb.bin

(NT/WINworld notation) [citation needed] (Is this really the ROM, or the kernel, that checks whether it is running the latest kernel?)

When the latest kernel is found and started, it will locate its Dashboard or XShell files and optionally, if found, start the XBDM.dll (named XBDM.XEX).

Extra information

  • OF will automatically convert "hd" into the appropriate device path, as hd is simply an alias. The notation "\\" tells the system to start searching for "blessed" folders (directories) starting on the first HFS or HFS+ partition found on the system.
  • All versions of Mac OS have a folder known as System Folder that is "blessed" and contains a Mac OS Boot ROM file of type tbxi. The Boot ROM file is simply a stripped ELF executable image wrapped with a Forth boot script.
  • A "blessed" folder is simply one with a special attribute (or flag) set on it. The system will search all HFS partitions for a blessed folder and a file of type tbxi within it; if none are located, the boot will fail. The system will always select the first one found, unless the boot-device is modified to a specific partition ID.


"tbxi" tells the system to look for files of type tbxi.

Openfirmware

To get into openfirmware, press Command (⌘) + Option (⌥) + O + F citation needed

commands in openfirmware

The following commands work in the Open Firmware used in the Apple G5 version known to boot Xbox software.

citation needed (Please check commands on a real Mac and add missing helpful commands)

| Command | Explanation |
|---|---|
| boot [option] | boot the device stored in NVRAM variable boot or boot the given option (citation needed) |
| ls | list the current device list (handy to find if a device is found by OF and its partitions are listed) (citation needed) |
| devalias | list all current known aliases for devices (citation needed) |
| printenv | prints all current environment variables and their default values (if available) |
| setenv | used to change or set an environment variable |
| eject cd | ejects the optical drive (if available) |
| reset-all | reboots the system |
| reset-nvram | sets up a factory defaults reset of the NVRAM on reboot |
| set-defaults | sets a flag that restores all defaults contained within the BootROM to the NVRAM on reboot |

Reverting OF into MacOSX bootable state

Try booting Mac OS from OF by typing:

mac-boot

citation needed

If this fails, check whether the boot device is actually set by typing:

nvram boot-device

citation needed


Assuming the hard disk containing Mac OS X is reinserted and NVRAM or Open Firmware is not able to boot Mac OS X, try:

setenv auto-boot true

citation needed


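Resources

  • https://openfirmware.info/Welcome_to_OpenBIOS Open-source website used by the Open Firmware on the Apple G5
  • https://books.google.nl/books?id=K8vUkpOXhN4C&pg=PA344&lpg=PA344&dq=macosx+bootdevice+OF&source=bl&ots=OMkhRYYw-C&sig=cATnoVTg7ShRia8tvxZr4y_cy6o&hl=nl&sa=X&ved=2ahUKEwi24oel7rLcAhUJM-wKHe9EBKQQ6AEwDnoECAQQAQ#v=onepage&q=macosx%20bootdevice%20OF&f=false Mac OS X Internals: A Systems Approach (paperback)
  • http://mac.linux.be/content/guide-open-firmware-apple-bios-0 Guide to Open Firmware on the Apple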