Running Linux on the Xbox
In November 2001, Microsoft entered the video console business with the Xbox, a machine that continues to outperform all other consoles in terms of processor speed and video performance. As with the SEGA Dreamcast, hackers started to port Linux to the Xbox in May 2002. Only three months later, the first kernel messages from an Xbox running Linux were published on the Internet. Now, a year after the start of the project, Linux runs reliably on all versions of the Xbox, and Xbox Linux is ready for daily use.
The Xbox is driven by a 733MHz Intel Celeron processor and contains 64MB of DDR RAM (shared with video), an NVIDIA GeForce3 graphics processing unit (GPU), an 8GB or 10GB hard disk, a DVD-ROM drive, Ethernet connectivity, four USB-style controller connectors and TV-out (Figure 1 lists the details). This hardware overview sounds more like the description of a decent PC than a gaming console. The Xbox does not merely contain some typical PC components, such as an Intel CPU or an NVIDIA GPU, it actually is a PC in a smaller black case, with minor modifications. The Xbox chipset consists of the NV2A Northbridge and the MCPX Southbridge, both from NVIDIA. The NVIDIA nForce chipset for PCs is almost the same as the Xbox chipset. Its Southbridge IC is labeled MCP and contains exactly the same functionality as the MCPX: two USB controllers, an IDE controller, an Ethernet device and AC97-compatible Dolby Digital sound.
The background of the Xbox is simple. Because Microsoft already had an operating system, system libraries and the DirectX libraries for the PC, they decided to build the Xbox based on this well-known architecture. Initially, Microsoft wanted AMD to produce the CPU and the chipset for the Xbox; the video chip would come from NVIDIA. But Microsoft later changed its mind, switching to Intel for the CPU. So NVIDIA licensed the chipset from AMD, manufactured the ICs for the Xbox and sold the same design as nForce for the PC market.
The similarity of the Xbox to a PC not only made the process of installing and running Linux a lot easier, it made a lot more sense for people to use the Xbox as a computer. Unlike Dreamcast, PlayStation 2 or the GameCube, the Xbox always is equipped with a hard disk and Ethernet. And the PC hardware also makes it possible to use standard Linux distributions on the Xbox, with minor modifications.
Because of its price and its compactness, an Xbox running Linux can be used as a desktop computer (see Figure 2) or a server, replacing a standard PC, and because of its TV connectivity, it also can be used as an entertainment device for watching video or listening to audio.
Despite the similarity of the Xbox to a standard PC, installing Linux on an Xbox is not simply a matter of inserting an installation CD. For one thing, the Xbox boot process is a lot different from a PC's. PCs have a PCBIOS (basic I/O system) in ROM, which contains 16-bit library routines for keyboard, video and hard disk I/O, as well as a simple bootloader that reads the first sector from a storage device and runs it. The Xbox has no such BIOS. Its 256KB ROM image contains a statically linked, stripped-down, Windows 2000-based kernel, which runs the moment the Xbox is turned on. The hard disk—which is locked by an individual ATA password, so it cannot be read when connected to a computer or replaced with another hard disk—does not contain any operating system components. When the Xbox kernel is started, it unlocks the hard disk and tries to run the default.xbe file from a CD or DVD. If such a file cannot be found, it runs xboxdash.xbe from hard disk. This is the system configuration and audio CD player application permanently stored on the hard disk.
These .xbe files are executables, which are a lot like Linux ELF files, except they are signed digitally with Microsoft's 2048-bit RSA key. Changing a single byte within the file makes the signature invalid, and the file will be rejected by the Xbox kernel. Because of the lack of Microsoft's private key, the Xbox Linux Project cannot reproduce a valid signature; thus, we cannot create executables accepted by a standard Xbox. Two approaches are possible to get your own code running: replace the ROM or find a game with a bug that can be exploited.
The standard way for most people to get Linux running on an Xbox is to open the box and install a replacement ROM chip that overrides the onboard ROM chip. This so-called modchip can contain either a hacked version of Microsoft's ROM, which has the signature test, the hard disk test and some other things disabled, or a clean-room ROM implementation that gives the Xbox the personality of a regular PC. Although Xbox Linux supplies a bootloader that makes Linux run on hacked Microsoft ROMs (which Linux sites do not supply, but can be found on the Internet), the use of the Xbox Linux Project's clean-room implementation, called Cromwell, is recommended for legal reasons. The Cromwell ROM does not run Xbox games.
Modchips that replace the onboard ROM are available from many video game hardware stores on the Internet for about $50 US. The first generation of modchips had to be soldered into the Xbox board parallel to the original Flash chip, which required about 30 wires. Second-generation modchips were connected to the LPC bus on the Xbox board, and they typically required only nine wires. Current modchips can be screwed onto the board without any soldering. They usually ship empty and can turn themselves off completely, so if you use the Xbox Linux Clean BIOS, you still can run Xbox games.
Because the original ROM contents are stored in a reprogrammable Flash chip on the Xbox board, it also is possible to overwrite the Flash contents in order to have a permanently modded machine, without installing any additional hardware devices. This can be done by installing a modchip, bridging two pairs of points on the board to disable the write protection of the Flash IC, running Linux, disabling the modchip and, finally, running an application called raincoat in Linux to reprogram the onboard Flash. Now, the modchip can be removed permanently, so you can use one modchip to convert a lot of Xboxes to Linux.
Recently, an anonymous researcher found an exploitable bug in the Electronic Arts game 007 Agent Under Fire. In a post on an Xbox forum, he explained how to use a modified saved game to run the Linux bootloader. By connecting the write-protection bridges on the board, this method can be used to reprogram the onboard Flash within a Linux instance that has been started by this modified saved game, without even temporarily installing a modchip. This is the cheapest and most simple way to make an Xbox Linux-compatible.
All these methods apply only to Xbox consoles that have been on the market to date. Microsoft keeps changing the Xbox design. By the time you read this article, a new board layout of the Xbox might have the LPC bus or the reprogrammability of the onboard Flash removed. Refer to the Xbox Linux web site for the latest information on this topic.
|Hacking a Safe with Bash||Jul 28, 2015|
|KDE Reveals Plasma Mobile||Jul 28, 2015|
|Huge Package Overhaul for Debian and Ubuntu||Jul 23, 2015|
|diff -u: What's New in Kernel Development||Jul 22, 2015|
|Shashlik - a Tasty New Android Simulator||Jul 21, 2015|
|Embed Linux in Monitoring and Control Systems||Jul 20, 2015|
- Hacking a Safe with Bash
- KDE Reveals Plasma Mobile
- Huge Package Overhaul for Debian and Ubuntu
- diff -u: What's New in Kernel Development
- The Controversy Behind Canonical's Intellectual Property Policy
- Shashlik - a Tasty New Android Simulator
- Home Automation with Raspberry Pi
- Embed Linux in Monitoring and Control Systems
- One Port to Rule Them All!
- General Relativity in Python