A command-line tool for extracting and decrypting components of an Original Xbox BIOS.
Command | Desc |
---|---|
`/?` | Displays help message |
`/ls` | Display BIOS information |
`/extr` | Extract components from a BIOS |
`/bld` | Build a BIOS |
`/split` | Split a BIOS into banks |
`/combine` | Combine multiple banks into a single BIOS |
`/replicate` | Replicate a single BIOS |
`/xcode-sim` | Simulate xcodes and decode x86 |
`/xcode-decode` | Decode xcodes from a BIOS or init table |
`/x86-encode` | Encode x86 as xcodes |
`/compress` | Compress a file using lzx |
`/decompress` | Decompress a file using lzx |
Switch | Description |
---|---|
`/enc-bldr` | Assume the 2BL is unencrypted (decryption will be skipped) |
`/enc-krnl` | Assume the kernel is unencrypted (decryption will be skipped) |
`/key-bldr <path>` | 16-byte 2BL RC4 key file |
`/key-krnl <path>` | 16-byte kernel RC4 key file |
`/mcpx <path>` | MCPX ROM file. Used for en/decrypting the 2BL |
`/romsize <size>` | How much space is available for the BIOS in kb (256, 512, 1024) |
`/binsize <size>` | Total space of the file or flash in kb (256, 512, 1024) |
- Supports all Original Xbox BIOSes.
- There is no guarantee that this program will work correctly with modified BIOSes.
The 2BL needs to be decrypted to calculate the offsets to the kernel image. You need to provide the RC4 2BL key in the form of an MCPX ROM or a 16-byte file. If the 2BL isn't encrypted, you can ignore these switches.

- Use `/key-bldr <path>` to specify the key from a file (16-byte file).
- Use `/mcpx <path>` to specify the key from the MCPX ROM file (512-byte file).

If the 2BL has been decrypted, you will see a message like `decrypting 2BL`.

The kernel needs to be decrypted before decompressing it. The RC4 kernel key can be found in the decrypted 2BL, or you can provide it. If the kernel isn't encrypted, use `/enc-krnl` to specify that you do not want the kernel decrypted.

- Use `/key-krnl <path>` to specify a kernel key from a file (16-byte file).
- Use `/enc-krnl` if you do not want the kernel decrypted.

If the kernel has been decrypted, you will see a message like `decrypting kernel`.
Which MCPX ROM to use depends on the BIOS version. The different revisions of the MCPX have different keys and different hashing algorithms.

Rev. 0 | MD5 Hash |
---|---|
MCPX v1.0 | d49c52a4102f6df7bcf8d0617ac475ed |
M.O.U.S.E rev. 0 v0.9.0 | da9e9f527c5cb716f7a2143e976f6091 |

Rev. 1 | MD5 Hash |
---|---|
MCPX v1.1 | 2870d58a459c745d7cc4c6122ceb3dcb |
M.O.U.S.E rev. 1 v0.9.0 | 06b227adbefc4dd55fb127c33590b735 |

- Use MCPX Rev. 0 for BIOSes < 4817
- Use MCPX Rev. 1 for BIOSes 4817+

Typically, if the BIOS contains a Preldr (FBL), use a Rev. 1 MCPX. This is only true if the FBL TEA attack hasn't been applied; in that instance it's likely that the BIOS is not encrypted at all, and the startup format may be different.
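The checks a user would want before passing a key to the tool, as an added Python example that is not part of XboxBiosTool: it validates the size of an MCPX ROM (512 bytes) or a raw key file (16 bytes), identifies a ROM by the MD5 hashes listed in the tables above, applies the 4817 revision rule, and applies RC4 to a 2BL with a supplied 16-byte key. It assumes the listed MD5 hashes are computed over the whole 512-byte ROM file, and the sample 2BL and key bytes below are constructed, not taken from any real BIOS.

```python
import hashlib

# MD5 hashes from the README tables, mapped to (name, MCPX revision).
# Assumption: each hash is the MD5 of the complete 512-byte ROM file.
MCPX_MD5 = {
    "d49c52a4102f6df7bcf8d0617ac475ed": ("MCPX v1.0", 0),
    "da9e9f527c5cb716f7a2143e976f6091": ("M.O.U.S.E rev. 0 v0.9.0", 0),
    "2870d58a459c745d7cc4c6122ceb3dcb": ("MCPX v1.1", 1),
    "06b227adbefc4dd55fb127c33590b735": ("M.O.U.S.E rev. 1 v0.9.0", 1),
}
MCPX_ROM_SIZE = 512   # size of the file given to /mcpx
RC4_KEY_SIZE = 16     # size of the file given to /key-bldr or /key-krnl


def identify_mcpx(rom: bytes):
    """Return (name, revision) for a ROM whose MD5 is in the table, else None."""
    if len(rom) != MCPX_ROM_SIZE:
        raise ValueError(f"MCPX ROM must be {MCPX_ROM_SIZE} bytes, got {len(rom)}")
    return MCPX_MD5.get(hashlib.md5(rom).hexdigest())


def mcpx_rev_for_bios(bios_version: int) -> int:
    """README rule: BIOS builds below 4817 use Rev. 0, 4817 and later use Rev. 1."""
    return 1 if bios_version >= 4817 else 0


def load_rc4_key(data: bytes) -> bytes:
    """A key file must be exactly 16 bytes; anything else is a wrong file."""
    if len(data) != RC4_KEY_SIZE:
        raise ValueError(f"RC4 key must be {RC4_KEY_SIZE} bytes, got {len(data)}")
    return data


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). RC4 is symmetric, so this both encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(c ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def decrypt_2bl(bldr: bytes, key: bytes, encrypted: bool = True) -> bytes:
    """Mirror of /enc-bldr: when the 2BL is known to be unencrypted, skip RC4."""
    if not encrypted:
        return bldr
    return rc4(load_rc4_key(key), bldr)


if __name__ == "__main__":
    # Constructed sample data (not a real 2BL or key).
    sample_key = bytes(range(16))
    sample_2bl = b"constructed 2BL bytes"
    encrypted = rc4(sample_key, sample_2bl)
    print("round trip ok:", decrypt_2bl(encrypted, sample_key) == sample_2bl)
    print("unknown ROM:", identify_mcpx(bytes(MCPX_ROM_SIZE)))
    print("rev for 4817:", mcpx_rev_for_bios(4817))
```

The size checks matter because a truncated or padded ROM dump silently yields a wrong key and, with it, an "decrypted" 2BL that is garbage; checking the MD5 against the table tells you which revision you actually have before you trust the output.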
```
xbios.exe /<command> /mcpx <mcpx_file>
```

Display command/switch list:

```
xbios.exe /?
```

Display help about a specific command:

```
xbios.exe /? <command>
```

Display help about encryption:

```
xbios.exe /? /help-enc
```
Display information about the BIOS. The list command has some flags to display specific information.

Switch | Desc |
---|---|
`/in <path>` | BIOS file (req) |
`/datatbl` | Display ROM drive / slew calibration table data |
`/nv2a` | Display init table magic values |
`/img` | Display kernel image header info |
`/keys` | Display RC4, RSA keys |

```
xbios.exe /ls <bios_file> <extra_flags>
```
Extract components from a BIOS file:

- Bldr (2BL)
- Preldr (FBL)
- Init table (magic numbers, xcodes)
- Compressed & decompressed kernel image (.bin) (.img)
- Uncompressed kernel section data
- RC4, RSA keys

Switch | Desc |
---|---|
`/in <path>` | BIOS file (req) |
`/keys` | Extract keys |
`/nobootparams` | Don't restore 2BL boot params (FBL BIOSes) |
`/dir <path>` | Set output directory |

Output file | Desc |
---|---|
`/bldr <path>` | Output 2BL file |
`/inittbl <path>` | Output init table file |
`/krnl <path>` | Output compressed kernel file |
`/krnldata <path>` | Output uncompressed data section file |
`/preldr <path>` | Output preldr file |
`/eepromkey <path>` | Output eeprom key file |
`/certkey <path>` | Output cert key file |

```
xbios.exe /extr <bios_file> <extra_flags>
```
Build a BIOS from a 2BL, compressed kernel, uncompressed data section and init table.

Switch | Desc |
---|---|
`/out <path>` | Output BIOS file; defaults to bios.bin |
`/xcodes <path>` | Inject xcodes file |
`/romsize <size>` | romsize in kb (256, 512, 1024) |
`/binsize <size>` | binsize in kb (256, 512, 1024) |
`/enc-krnl` | Locate the kernel key in 2BL and use it for encryption |
`/bfm` | Patch BIOS to boot from media (bfm) |
`/hackinittbl` | Hack init table size (size = 0) |
`/hacksignature` | Hack 2BL boot signature (signature = 0xFFFFFFFF) |
`/nobootparams` | Don't update boot params |

Input file | Desc |
---|---|
`/bldr <path>` | Input 2BL file (req) |
`/inittbl <path>` | Input init table file (req) |
`/krnl <path>` | Input compressed kernel file (req) |
`/krnldata <path>` | Input uncompressed data section file (req) |
`/preldr <path>` | Input Preldr (FBL) file |

The switch `/enc-krnl` works differently with this command. Provide the flag if you want the kernel encrypted with the kernel key located in the 2BL.

The switch `/xcodes` injects the xcodes at the end of the xcode table. If no space is available (no zero space), the exit xcode is replaced with a jump to free space, where the xcodes will be injected.

```
xbios.exe /bld /bldr <bldr> /inittbl <inittbl> /krnl <krnl> /krnldata <krnl_data> <extra_flags>
```
Split a BIOS into banks.

Switch | Desc |
---|---|
`/in <path>` | BIOS file (req) |
`/romsize` | Bank size (256, 512, 1024); defaults to 256kb |

```
xbios.exe /split <bios_file> /romsize <bank_size>
```
Combine multiple banks into a single BIOS file. Provide at least 2 banks to combine. The `-bank[1-4]` switches are inferred with this command:

- The first file provided without a switch (`/<switch>`) is bank[1]
- The second file provided without a switch (`/<switch>`) is bank[2]
- etc.

Switch | Desc |
---|---|
`-bank[1-4] <path>` | Bank file |
`/out <path>` | BIOS file; defaults to bios.bin |

```
xbios.exe /combine <bank1_file> <bank2_file> <bank3_file> <bank4_file>
```
Replicate a single BIOS file.

Switch | Desc |
---|---|
`/in <path>` | BIOS file (req) |
`/out <path>` | BIOS file; defaults to bios.bin |
`/binsize` | BIOS size (req) (256, 512, 1024) |
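The bank arithmetic behind `/split`, `/combine` and `/replicate`, as an added Python example that is not the tool's own code. It assumes the README's sizes are kilobytes of 1024 bytes and that replicating means tiling the image until it fills `binsize` (the README's "Replicate BIOS (256 kb) to 512 kb" usage). It also adds a check the tool does not document: whether a flash dump is just one image repeated, which is what you would expect from a 256 kb BIOS flashed to a 1 MB chip. The bank contents below are constructed filler, not real BIOS data.

```python
KB = 1024
VALID_SIZES_KB = (256, 512, 1024)  # the sizes the README accepts


def _check_size(size_kb: int, what: str) -> int:
    if size_kb not in VALID_SIZES_KB:
        raise ValueError(f"{what} must be one of {VALID_SIZES_KB} kb, got {size_kb}")
    return size_kb * KB


def split_banks(bios: bytes, romsize_kb: int = 256) -> list:
    """/split: cut an image into banks of romsize_kb (default 256 kb)."""
    bank = _check_size(romsize_kb, "romsize")
    if len(bios) % bank:
        raise ValueError(f"image of {len(bios)} bytes is not a multiple of {bank}")
    return [bios[i:i + bank] for i in range(0, len(bios), bank)]


def combine_banks(banks) -> bytes:
    """/combine: at least 2 and at most 4 banks (bank[1-4]), all the same size."""
    banks = list(banks)
    if not 2 <= len(banks) <= 4:
        raise ValueError("provide between 2 and 4 banks")
    if any(len(b) != len(banks[0]) for b in banks):
        raise ValueError("all banks must be the same size")
    return b"".join(banks)


def replicate(bios: bytes, binsize_kb: int) -> bytes:
    """/replicate: tile the image until it fills binsize_kb (assumed behaviour)."""
    target = _check_size(binsize_kb, "binsize")
    if target % len(bios):
        raise ValueError(f"binsize {target} is not a multiple of the image size {len(bios)}")
    return bios * (target // len(bios))


def is_replicated(image: bytes, romsize_kb: int = 256) -> bool:
    """True if every romsize_kb bank of the image is identical to the first one."""
    banks = split_banks(image, romsize_kb)
    return all(b == banks[0] for b in banks[1:])


if __name__ == "__main__":
    # Constructed banks: 256 kb of filler each, distinguishable by byte value.
    bank_a = bytes([0xAA]) * (256 * KB)
    bank_b = bytes([0xBB]) * (256 * KB)
    combined = combine_banks([bank_a, bank_b])
    print("combined size kb:", len(combined) // KB)
    print("replicated 1 MB flash is one image repeated:", is_replicated(replicate(bank_a, 1024)))
    print("combined image is one image repeated:", is_replicated(combined))
```

`is_replicated` is the quick sanity check to run on a flash dump before feeding it to `/extr`: if it returns True, `/split` gives you the single 256 kb image the tool expects; if False, the chip holds distinct banks and you should extract each separately.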
Encode x86 machine code as xcode byte code that writes to RAM.

Switch | Desc |
---|---|
`/in <path>` | Input file |
`/out <path>` | Output file; defaults to xcodes.bin |

- The start address of the mem-write is 0. Each write increments the address by 4 bytes.
- Code size increases by a factor of 2.25 (every 4 bytes of x86 become one 9-byte xcode).

```
xbios.exe /x86-encode <code_file> /out <output_xcodes>
```

x2.25 example:

```
Machine code:                        --->  Byte code:
0000: B8 ED 0B F0  mov eax, 0xfff00bed     0000: 03 00 00 00  xc_mem_write 0x00, 0xf00bedb8
0004: FF FF E0     jmp eax                 0004: 00 F0 0B ED
0007: 90           nop                     0008: B8
                                           0009: 03 00 00 00  xc_mem_write 0x04, 0x90e0ffff
                                           000D: 04 90 E0 FF
                                           0011: FF
```
Simulate mem-write xcodes and disassemble x86 machine code (visor sim).

Switch | Desc | Default |
---|---|---|
`/in <path>` | Input file (req) | |
`/base <addr>` | Base address of xcodes | 0x80 |
`/offset <addr>` | Address of start offset | 0x00 |
`/simsize <size>` | Size of the sim space in bytes | 0x20 |
`/d` | Write to a file; use `/out` to specify the output file | false |

If simulating a file other than a BIOS or extracted init table, the base of the xcodes might be different. Use `/base <addr>` to specify it.

`/offset` is used to change which mem-writes are recorded: only mem-writes in the range from `offset` to `offset + simsize` are recorded.

```
xbios.exe /xcode-sim <bios_file> <extra_flags>
```

Example 1 output:

```
Xcodes:
1a9f: xc_mem_write 0x00, 0x7FC900BE
1aa8: xc_mem_write 0x04, 0x0000BFFF
1ab1: xc_mem_write 0x08, 0x00B90009
1aba: xc_mem_write 0x0c, 0xFC000018
1ac3: xc_mem_write 0x10, 0x1D8BA5F3
1acc: xc_mem_write 0x14, 0x00090000
1ad5: xc_mem_write 0x18, 0x0000E3FF
1ade: xc_mem_write 0x1c, 0x00000000

Assembly:
mov esi, 0xff7fc900
mov edi, 0x90000
mov ecx, 0x1800
cld
rep movsd
mov ebx, [0x90000]
jmp ebx

Mem dump: ( 26 bytes )
0000: BE 00 C9 7F FF BF 00 00
0008: 09 00 B9 00 18 00 00 FC
0010: F3 A5 8B 1D 00 00 09 00
0018: FF E3
```

Example 2 output:

```
Xcodes:
0869: xc_mem_write 0x00, 0xFC1000EA
0872: xc_mem_write 0x04, 0x000008FF

Assembly:
jmp 0xfffc1000:0x08

Mem dump: ( 7 bytes )
0000: EA 00 10 FC FF 08 00
```
Decode xcodes from a BIOS file or an extracted init table.

Switch | Desc | Default |
---|---|---|
`/in <path>` | Input file (req) | |
`/base <addr>` | Base address for xcodes | 0x80 |
`/ini <path>` | Decode settings file | default |
`/branch` | Take unbranchable jumps | false |
`/d` | Write to a file; use `/out` to specify the output file | false |

If decoding a file other than a BIOS or extracted init table, the base of the xcodes might be different. Use `/base <addr>` to specify it.

See: Xcode Decode Settings for more information.

```
xbios.exe /xcode-decode <bios_file> <extra_flags>
```
Compress a file using lzx.

Switch | Desc |
---|---|
`/in <path>` | Input file (req) |
`/out <path>` | Output file (req) |

```
xbios.exe /compress <in_file> /out <out_file>
```

Decompress a file using lzx.

Switch | Desc |
---|---|
`/in <path>` | Input file (req) |
`/out <path>` | Output file (req) |

```
xbios.exe /decompress <in_file> /out <out_file>
```
Extract BIOS + keys:

```
xbios.exe /extr /keys /mcpx <mcpx_file> <bios_file>
```

List BIOS information:

```
xbios.exe /ls /mcpx <mcpx_file> <bios_file>
```

List BIOS keys:

```
xbios.exe /ls /keys /mcpx <mcpx_file> <bios_file>
```

Replicate BIOS (256 kb) to 512 kb:

```
xbios.exe /replicate <bios_file> /binsize 512
```
The project is built in Visual Studio 2022.

- Clone the repo: `git clone https://github.com/tommojphillips/XboxBiosTool.git`
- Open `vc\XboxBiosTools.sln` in Visual Studio, then build and run.

Credits:

- Xbox Dev Wiki
- Deconstructing the Xbox Boot Rom by mborgerson
- xbedump by XboxDev - sha1.c implementation
- XBOverclock by WulfyStylez - GPU clock calculations