POST Codes

From XDevWiki

POST stands for power-on self-test. It is a bus created to help debug the Xbox boot process. The bootloaders contain code that updates the number shown on the bus, so it is possible to see which point the bootloader has reached and where it hangs if an error occurred.

The reset glitch hack uses the POST codes to track the progress of initialization and to know when to assert the reset signal. In RGH1, it waits for the second bootloader (CB) to start the integrity check of the hash of the fourth bootloader (CD). When the bootloaders were updated, starting with 14717, the POST codes were removed from them and a few tricks, such as random delays, were added to prevent glitchers from being able to tell when the Xbox is checking the hash.

Pinout

On Phat consoles the pinout is as follows:

DBG_WN_POST_OUT0/BIT7 FT6U8
DBG_WN_POST_OUT1/BIT6 FT6U2
DBG_WN_POST_OUT2/BIT5 FT6U3
DBG_WN_POST_OUT3/BIT4 FT6U4
DBG_WN_POST_OUT4/BIT3 FT6U5
DBG_WN_POST_OUT5/BIT2 FT6U6
DBG_WN_POST_OUT6/BIT1 FT6U7
DBG_WN_POST_OUT7/BIT0 FT6U1

Voltage levels are 1.2 V on phat and 1.8 V on slim.

Diagram FAT

Phatpost.png

Diagram Slim

SlimPOST.jpg

Reading the POST bus

The POST bus holds the bits of the last code at all times, so if the Xbox crashes it may still hold the code it ended at. A failed POST code can be read with a simple multimeter. To assemble the bits into a byte, join them in this order (bit order 76543210):

For example:
bit7,bit6,bit5,bit4,bit3,bit2,bit1,bit0

00111010 = 0x3A = CD auth success

If you want the full sequence of POST codes as the Xbox initializes, you will need a POST monitor/sniffer. You can either build your own or use a glitch chip that comes with one, like the CR Pro.
Example: http://rgloader.spiffy360.com/thread-90.html
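The multimeter procedure above, as an added example that is not part of the original wiki page: it turns per-test-point voltage readings on a phat board into the POST byte and reports which boot stage the code belongs to. The pin mapping and code ranges come from the tables on this page; the 30%/70% logic thresholds, the function names and the sample readings are assumptions.

```python
# Added example: decode multimeter readings on the phat POST test points.
# Pin-to-bit mapping and code ranges are taken from the tables on this page;
# the 30%/70% thresholds and the sample voltages are assumptions.

# Test point -> bit position (DBG_WN_POST_OUT0 is BIT7 ... OUT7 is BIT0).
PHAT_PINS = {"FT6U8": 7, "FT6U2": 6, "FT6U3": 5, "FT6U4": 4,
             "FT6U5": 3, "FT6U6": 2, "FT6U7": 1, "FT6U1": 0}

# (first, last, domain, is_failure) ranges from the POST code table.
# 0x10/0x11 are also used by the JTAG payload; gaps inside a range are
# codes the table does not list.
RANGES = [
    (0x10, 0x1E, "1BL", False), (0x20, 0x3B, "CBB/2BL", False),
    (0x40, 0x52, "CD/4BL", False), (0x58, 0x5F, "Hypervisor", False),
    (0x64, 0x79, "Kernel", False), (0xD0, 0xDB, "CBA/2BL", False),
    (0x81, 0x96, "1BL", True), (0x9B, 0xB0, "CBB/2BL", True),
    (0xB1, 0xB8, "CD/4BL", True), (0xC1, 0xC8, "CF", True),
    (0xF0, 0xF3, "CBA/2BL", True), (0xFF, 0xFF, "Hypervisor", True),
]

def decode_pins(readings, high_volts=1.2):
    """Assemble the POST byte from {test_point: volts}; bit order 76543210."""
    missing = set(PHAT_PINS) - set(readings)
    if missing:
        raise ValueError(f"missing test points: {sorted(missing)}")
    code = 0
    for pin, bit in PHAT_PINS.items():
        v = readings[pin]
        if v > 0.7 * high_volts:
            code |= 1 << bit
        elif v >= 0.3 * high_volts:  # mid-rail: bad probe contact or a toggling line
            raise ValueError(f"{pin}: {v} V is neither a clear high nor low")
    return code

def classify(code):
    """Return (domain, is_failure) for a POST code, or (None, None)."""
    for first, last, domain, failure in RANGES:
        if first <= code <= last:
            return domain, failure
    return None, None

# Constructed sample: the page's 00111010 example as measured voltages.
SAMPLE = {"FT6U8": 0.02, "FT6U2": 0.01, "FT6U3": 1.19, "FT6U4": 1.18,
          "FT6U5": 1.20, "FT6U6": 0.03, "FT6U7": 1.17, "FT6U1": 0.02}

if __name__ == "__main__":
    code = decode_pins(SAMPLE)
    print(f"0x{code:02X}", classify(code))
```

A mid-rail reading raises an error instead of being rounded to a bit, since a wrong bit silently points the diagnosis at a different boot stage.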

Writing to the POST Bus

To write a value to the POST bus, load the byte value into a register and shift it left by 56 bits, then store the value to the real memory address 0x8000 0200 0006 1010:

# load address into r3
li    %r3,0x200        # r3 = 0x200  (load immediate)
oris  %r3,%r3,0x8000   # r3 = 0x80000200  (or immediate shifted)
sldi  %r3,%r3,32       # r3 = (r3 << 32) ... r3 = 0x8000020000000000  (shift left double immediate)
oris  %r3,%r3,6        # r3 = 0x8000020000060000  (or immediate shifted)
ori   %r3,%r3,0x1010   # r3 = 0x8000020000061010  (or immediate)

# write POST code
li    %r4,0x12         # r4 = 0x12  (load immediate, POST code to be output)
sldi  %r4,%r4,56       # r4 = 0x1200000000000000  (shift left double immediate by 56, to get the byte to the far end)
std   %r4,0(%r3)       # store double: r4 into the address held by r3

The address is given in real mode, so you need to be careful when paging is enabled.

Meaning of different POST Codes

Domain POST Code Description
JTAG payload
0x10 Payload started
0x11 Payload has copied XeLL to the RAM from NAND and executed it
1BL
0x10 1BL started
0x11 Execute FSB function1
0x12 Execute FSB function2
0x13 Execute FSB function3
0x14 Execute FSB function4
0x15 Verify CB offset
0x16 Copy CB header from NAND
0x17 Verify CB header
0x18 Copy CB into protected SRAM
0x19 Generate CB HMAC key
0x1A Initialize CB RC4 decryption key
0x1B RC4 decrypt CB
0x1C Generate hash of CB for verification
0x1D RSA signature check of CB hash
0x1E Jump to CB
0x81-0x8F Panic codes
0x91 Panic
0x92 1BL is executed on wrong CPU thread (panic)
0x93 1BL is executed on wrong CPU core (panic)
0x95 CB offset verification failed
0x96 CB RSA signature verification failed
CBA/2BL (splitCB)
0xD0 CB_A entry point, copy self to 0x8000.0200.0001.C000 and continue from there
0xD1 Copy fuses from SoC for CBB decryption
0xD2 Verify CBB offset
0xD3 Copy CBB header from NAND for verification
0xD4 Verify CBB header
0xD5 Copy CBB into memory at 0x8000.0200.0001.0000 (old location of CBA)
0xD6 Create HMAC key for CD decryption
0xD7 Initialize CD RC4 key using HMAC key
0xD8 RC4 decrypt CD
0xD9 Compute hash of CD for verification
0xDA MemCmp computed hash with expected one (where RGH2 glitches)
0xDB Jump to CBB
0xF0 CBB offset verification fail
0xF1 CBB header verification fail
0xF2 CBB security hash comparison fail
0xF3 CBB size check fail (must be less than 0xC000)
CBB/2BL
0x20 CB entry point, initialize SoC
0x21 Initialize secopt, verify lockdown fuses
0x22 Initialize security engine
0x23 Undocumented Subroutine Start
0x2E Hardware initialization
0x2F Set up TLB entries, relocate to RAM
0x30 Verify CD offset
0x31 Copy CD header from NAND for verification
0x32 Verify CD header
0x33 Copy CD from NAND
0x34 Create HMAC key for CD decryption
0x35 Initialize CD RC4 key using HMAC key
0x36 RC4 decrypt CD with key
0x37 Compute hash of CD for verification
0x39 MemCmp computed hash with expected one
0x3B Initialize PCI
0x3A Set up memory encryption and jump to CD
0x9B Secopt fuse verification fail
0x9C Secopt fuse verification fail2
0x9D Secopt fuse verification console type? fail
0x9E Secopt fuse verification console type? fail
0x9F Secopt fuse verification console type? fail
0xA0 CB revocation check failed
0xA1 Panic after 0x21
0xA2 Panic after 0x21
0xA3 Panic after 0x21
0xA4 Failed SMC HMAC
0xA9
0xAA Failed to verify CD offset
0xAB Failed to verify CD header
0xAD CD security hash comparison fail
0xAE CB exception, unknown interrupt vector
0xB0 Secopt fuse verification console type? fail
CD/4BL
0x40 Entry point of CD, set up memory paging
0x41 Verify offset to CE
0x42 Copy CE header from NAND for verification
0x43 Verify CE Header
0x44 Read CE from NAND into memory
0x45 Create HMAC key for CE decryption
0x46 Initialize CE RC4 key using HMAC key
0x47 RC4 decrypt CE
0x48 Compute hash of CE for verification
0x49 MemCmp computed hash with expected one (where RGH1 glitches)
0x4B LZX Decompress CE
0x4D Decode fuses
0x4E Load CF (kernel patches) offset
0x4F Verify CF offset
0x50 Load CF1/CG1 (patchslot1) if version & header checks pass
0x51 Load CF2/CG2 (patchslot2) if version & header checks pass
0x52 Startup kernel/Hypervisor
0xB1 CE decryption failed
0xB2 Failed to verify CE header
0xB3 CE hash comparison fail
0xB4 CE LZX decompression failed
0xB5 CF verification failed
0xB6 Fuse decryption/check failed
0xB7 CF decryption failed, patches missing.
0xB8 CF hash auth failed
CE
CF
0xC1 LDICreateDecompression failed
0xC2 CG size verification failed
0xC3 Header / patch fragment info check failed
0xC4 Unexpected LDI fragment type
0xC5 LDISetWindowData failed
0xC6 LDIDecompress failed
0xC7 LDIResetDecompression failed
0xC8 CG auth failed
Hypervisor
0x58 Hypervisor Initialization begin
0x59 Initialize SoC MMIO
0x5A Initialize XEX training
0x5B Initialize key ring
0x5C Initialize keys
0x5E Initialize SoC Interrupts
0x5F Initialization complete
0xFF Fatal Error
Kernel
0x64 INIT_MEMORY_MANAGER
0x65 INIT_STACKS
0x66 INIT_OBJECT_SYSTEM
0x67 INIT_PHASE1_THREAD
0x68 Started phase 1 Initialization + INIT_PROCESSORS
0x69 INIT_KEY_VAULT
0x6A INIT_HAL_PHASE_1
0x6B INIT_SFC_DRIVER
0x6C INIT_SECURITY
0x6D INIT_KEY_EX_VAULT
0x6E INIT_SETTINGS
0x6F INIT_POWER_MODE
0x70 INIT_VIDEO_DRIVER
0x71 INIT_AUDIO_DRIVER
0x72 INIT_BOOT_ANIMATION + XMADecoder & XAudioRender Init
0x73 INIT_SATA_DRIVER
0x74 INIT_SHADOWBOOT
0x75 INIT_DUMP_SYSTEM
0x76 INIT_SYSTEM_ROOT
0x77 INIT_OTHER_DRIVERS
0x78 INIT_STFS_DRIVER
0x79 LOAD_XAM