Why you shouldn't do TSOP Splitting
From Xbox-Linux
by Michael Steil, Franz Lehner, 26 Sep 2003
All Xboxes until early 2003 had a 1 MB flash chip on the motherboard, but both the original Xbox ROM and Cromwell fit into 256 KB. So many people split their flash ROM into four parts, so they could boot either into the orginal system, into a stable Cromwell or into an experimental Cromwell system, for example. On the hardware side, this has been done by adding switches to address lines A18 and A19.
This method might work in some cases, but we suggest that you do not use it .
| Table of contents |
The Xbox ROM Region
In the area between 0xFF00_0000 and 0xFFFF_FFFF, the Xbox CPU sees ROM. That's 16 MB. The (old) Xbox only has a 1 MB ROM, so it is mirrored 16 times. We don't care about these 16 images right now, and neither does the Xbox system software, it just assumes 1 MB of ROM between 0xFFF0_000 and 0xFFFF_FFFF.
The original 1 MB ROM in the Xbox contains 4 identical 256 KB images in the ROM, i.e. the four quadrants
- at 0xFFF0_0000
- at 0xFFF4_0000
- at 0xFFF8_0000
- at 0xFFFC_0000
contain the same data.
The Method
So people thought it was obvious that they could flash four different images into the four quadrants, and make the CPU see one of these four images in all four quadrants.
They tried to do so by adding one switch between A18 of the flash IC and GND and one switch between A19 and GND. This way they thought they had four possibilities for the four images.
What this will do
At first sight, it looks good, the switches are supposed to switch bits A18 and A19 of the address to 00, 01, 10 or 11. But they don't.
If both switches are ON, A18 and A19 are grounded, and A18 and A19 are 0 - this is correct, the first image is visible in all four quadrants.
If both switches are OFF, nothing happens, nothing is grounded. The CPU sees these four images, as they are in the flash.
If one switch is ON, and one is OFF, only one address line is kept at 0, the other one still works as always, resulting in two different images in the ROM address space.
The following four pictures show what the CPU sees in the four cases:
| 00
A19 ON A18 ON | 01
A19 ON A18 OFF |
FFF0_0000: bank 0 FFF4_0000: bank 0 FFF8_0000: bank 0 FFFC_0000: bank 0 |
FFF0_0000: bank 0 FFF4_0000: bank 1 FFF8_0000: bank 0 FFFC_0000: bank 1 |
| 10
A19 OFF A18 ON | 11
A19 OFF A18 OFF |
FFF0_0000: bank 0 FFF4_0000: bank 0 FFF8_0000: bank 2 FFFC_0000: bank 2 |
FFF0_0000: bank 0 FFF4_0000: bank 1 FFF8_0000: bank 2 FFFC_0000: bank 3 |
As you can see, only at FFFC_0000, the correct image appears, and at FFF0_0000, bank 0 is always visible.
Why this doesn't work
Xbox ROMs, including Cromwell, don't (can't!) just have all their code in one quadrant, they need to have the same image in all four quadrants, or else it can happen that the Xcode interpreter in the MCPX runs the Xcodes of an image other than the current one - and most ROM images only run if the correct Xcodes are executed.
Example: You select bank 3 ("11", A19 OFF, A18 OFF):
FFF0_0000: bank 0 FFF4_0000: bank 1 FFF8_0000: bank 2 FFFC_0000: bank 3
As described before, this 1 MB gets mirrored 15 times, starting at 0xFF00_0000. Therefore, the complete memory map looks like this:
FF00_0000: bank 0 <-- Xcodes are fetched from here FF04_0000: bank 1 FF08_0000: bank 2 FF0C_0000: bank 3 FF10_0000: bank 0 FF14_0000: bank 1 FF18_0000: bank 2 FF1C_0000: bank 3 [...] FFE0_0000: bank 0 FFE4_0000: bank 1 FFE8_0000: bank 2 FFEC_0000: bank 3 FFF0_0000: bank 0 FFF4_0000: bank 1 FFF8_0000: bank 2 FFFC_0000: bank 3 <-- x86 code is run here
The Xcode interpreter, which is stored in the MCPX ROM and cannot be changed, always reads its instructions from 0xFF00_0000, while all Xbox ROMs refer to the x86 code at 0xFFFC_0000. (Paul Bartholomew already pointed this out in "Understanding the Xbox boot process/Flash structures" (http://www.xbox-linux.org/docs/msbios.html).) Therefore the Xcodes that get executed do not belong to the active image - actually the Xcodes from bank 0 get executed always , no matter what bank you select.
If you have four very similar images, this might work, but very often it doesn't work!
It was suggested to connect A18 and A19 resp. either to GND or to Vcc, to have definitive 1s and 0s, but we cannot recommand this either, because it is quite likely that this will make your MCPX explode ! Because of the open collector logic, connecting a pin to Vcc means that you shorten Vcc and GND, which, in the best case, will break the transistor in the MCPX that switches the address line (so that you cannot access more than 256 KB of flash afterwards), and in the worst case, it will break the whole MCPX. This will not be the case if you cut the A18 and A19 pins, but many people broke their Xboxes this way, so better don't do it.
Conclusion
Because of severe compatibility problems and possible hardware risks, the Xbox Linux project suggests that you do not use this method . If you really need this functionality, please get a modchip with multiple banks.
