X-Pi, an xbox modchip using a Raspberry Pi
Posted: Sun May 24, 2015 4:45 am
So I've been playing around with my Raspberry Pi's for a while now making all sorts of cool stuff. I've been tossing around the idea of seeing if I can make a modchip using the raspberry pi to feed the console a BIOS image over the LPC port. So I decided to start working on it earlier today. I'll post my progress here, and if everything works out in the end I will post schematics and code needed to reproduce it. This is really just a test to see if I can do it and if it will work, I'm not trying to do anything new here.
My end goal is to be able to feed the console a BIOS image of choice through the LPC port using a raspberry pi. Essentially I want to be able to SSH into the pi, run a script/program and give it the file name of the BIOS image I want to boot. It will then boot the console into that BIOS image.
Background
For those of you who don't know how the xbox loads alternate BIOS images from your modchips this part might be of interest. If you are already familiar with the process then this section can be skipped.
So how do xbox modchips work? Well the xbox console has a debug port called the LPC port on the motherboard. LPC (Low Pin Count) is an interface used to connect legacy peripherals and boot ROMs to the cpu of a computer. If you have ever opened your xbox console you might have seen this port. This is the LPC port, and most modchips will attach to it.
The port is activated when a certain pin (D0) on the motherboard is pulled low (grounded). When the xbox boots and sees that the D0 line is pulled low, it knows to load the BIOS from the LPC port rather than the onboard flash chip. The modchips in your console will wait for the LPC port to become active and then feed the BIOS image to the console using the protocol as specified by the LPC specification. Once the image has been read the console will attempt to boot into it.
The first generation of modchips were nothing more than a replacement flash chip that supported LPC. Yup, a single chip with a couple of wires soldered to it, nothing more. It was called the Xbox Cheapmod.
What I want to try and do is have the Raspberry Pi act as a LPC device and feed the console a BIOS image from a file on the Pi's SD card.
Step 1 - Preparing the console
Before I can even start playing around with the LPC port I needed to do some preparations. The Raspberry Pi must be fully booted before the xbox console is turned on, which means I need to tap a 5v power line that is powered at standby. I will also want a way to turn the console on and off via the Pi to make testing easier. Lastly, I will need to tap the D0 wire to make the LPC port active.
I was able to find a 5v SB power line on the power connector for the motherboard. On my console, and others I looked at, the orange wires coming off of the PSU are 5v SB. I simply tapped one of the 5v SB lines and a GND line right from the PSU connector port on the motherboard, and backfed one of the 5v and GND GPIOs on the pi. When I plug the console in, the pi is powered and boots up.
Next I will need a way to turn the console on and off. I was hoping to just tap into the I2C bus on the console, which would allow me to not only control power cycling, but control things like reading/writing the EEPROM, change LED colors, control fan speed, etc. Unfortunately I was unable to find any information on where the pins for it are, so I reluctantly tapped the power button pin on the switchboard on the front of the console.
Once I had the wire soldered in and connected to pin #12 on the pi, I wrote a quick python script to pulse the pin:
Once I SSH into the pi I can easily turn the console on or off by running this script (XboxPower.py). Awesome, now I just need to tap the D0 line and... shit, this console is a v1.6... Unfortunately I had a v1.6 console in front of me, which means I have to manually rebuild the LPC port to make the connections live again. No problem, I have some 30 AWG wire laying around so it only took a few minutes to do.
Full Size
Now that I have the D0 line tapped and the LPC port is fully functional again, it's time to give things a test. If I SSH into my pi and run my boot script the console powers on, run it again and the console powers off. If I ground the D0 line the console frags at boot, which is good. This means the console is trying to load the BIOS image from the LPC port, and because no image is loaded, the console can't boot and instead frags. Sweet, now the preparations are complete, on to step two!
Full Size
Step 2 - Emulate the LPC Port
Coming soon...
My end goal is to be able to feed the console a BIOS image of choice through the LPC port using a raspberry pi. Essentially I want to be able to SSH into the pi, run a script/program and give it the file name of the BIOS image I want to boot. It will then boot the console into that BIOS image.
Background
For those of you who don't know how the xbox loads alternate BIOS images from your modchips this part might be of interest. If you are already familiar with the process then this section can be skipped.
So how do xbox modchips work? Well the xbox console has a debug port called the LPC port on the motherboard. LPC (Low Pin Count) is an interface used to connect legacy peripherals and boot ROMs to the cpu of a computer. If you have ever opened your xbox console you might have seen this port. This is the LPC port, and most modchips will attach to it.
The port is activated when a certain pin (D0) on the motherboard is pulled low (grounded). When the xbox boots and sees that the D0 line is pulled low, it knows to load the BIOS from the LPC port rather than the onboard flash chip. The modchips in your console will wait for the LPC port to become active and then feed the BIOS image to the console using the protocol as specified by the LPC specification. Once the image has been read the console will attempt to boot into it.
The first generation of modchips were nothing more than a replacement flash chip that supported LPC. Yup, a single chip with a couple of wires soldered to it, nothing more. It was called the Xbox Cheapmod.
What I want to try and do is have the Raspberry Pi act as a LPC device and feed the console a BIOS image from a file on the Pi's SD card.
Step 1 - Preparing the console
Before I can even start playing around with the LPC port I needed to do some preparations. The Raspberry Pi must be fully booted before the xbox console is turned on, which means I need to tap a 5v power line that is powered at standby. I will also want a way to turn the console on and off via the Pi to make testing easier. Lastly, I will need to tap the D0 wire to make the LPC port active.
I was able to find a 5v SB power line on the power connector for the motherboard. On my console, and others I looked at, the orange wires coming off of the PSU are 5v SB. I simply tapped one of the 5v SB lines and a GND line right from the PSU connector port on the motherboard, and backfed one of the 5v and GND GPIOs on the pi. When I plug the console in, the pi is powered and boots up.
Next I will need a way to turn the console on and off. I was hoping to just tap into the I2C bus on the console, which would allow me to not only control power cycling, but control things like reading/writing the EEPROM, change LED colors, control fan speed, etc. Unfortunately I was unable to find any information on where the pins for it are, so I reluctantly tapped the power button pin on the switchboard on the front of the console.
Once I had the wire soldered in and connected to pin #12 on the pi, I wrote a quick python script to pulse the pin:
Code: Select all
#!/usr/bin/python
import RPi.GPIO as GPIO
import time
# Set the numbering system to the pin numbers and not the SoC numbers.
GPIO.setmode(GPIO.BOARD)
# Set pin 12 as an output gpio.
GPIO.setup(12, GPIO.OUT)
# Pull pin 12 low for 1 second to cycle power on the console.
GPIO.output(12, 0)
time.sleep(0.1)
GPIO.output(12, 1)
Full Size
Now that I have the D0 line tapped and the LPC port is fully functional again, it's time to give things a test. If I SSH into my pi and run my boot script the console powers on, run it again and the console powers off. If I ground the D0 line the console frags at boot, which is good. This means the console is trying to load the BIOS image from the LPC port, and because no image is loaded, the console can't boot and instead frags. Sweet, now the preparations are complete, on to step two!
Full Size
Step 2 - Emulate the LPC Port
Coming soon...