Skip to content

POST

During bootup the XBox 360 issues several POST Codes on a special 8-bit bus for diagnostic purposes.

POST stands for power on self test. Its a bus created to help debug the xbox boot up process. In the bootloaders there is code that updates the number represented by the bus so it is possible to see at which point the bootloader is executing and where it hangs if an error occured.

The reset glitch hack uses the post codes to track the progress of initialization and know when to assert the reset signal. In RGH1, it waits for when the second bootloader(CB) starts verifying the integrity check of the hash of the fourth bootloder(CD). When the bootloaders were updated starting on 14717, they removed the post codes from the bootloaders and added a few tricks like random delays to prevent glitchers from being able to tell when the xbox is checking the hash.

Pinout

On Phat consoles the pinout is as follows:

DBG_WN_POST_OUT0/BIT7 FT6U8
DBG_WN_POST_OUT1/BIT6 FT6U2
DBG_WN_POST_OUT2/BIT5 FT6U3
DBG_WN_POST_OUT3/BIT4 FT6U4
DBG_WN_POST_OUT4/BIT3 FT6U5
DBG_WN_POST_OUT5/BIT2 FT6U6
DBG_WN_POST_OUT6/BIT1 FT6U7
DBG_WN_POST_OUT7/BIT0 FT6U1

Voltage levels are 1.2V for PHAT / 1.8V for SLIM

Reading the POST bus

The POST bus holds the last code's bits all the time. So we can read it with simple multimeter. To assemble bits to the byte, join them together like that (BIT ORDER 76543210):

For Example:
bit7,bit6,bit5,bit4,bit3,bit2,bit1,bit0

00111010 = 0x3A = CD auth success

Writing to the POST Bus

Writing to the POST Bus is easy:

Just write you 8 bit shifted by 56 Bit left to memory location 0x8000 0200 0006 1010:

; load address in r7
li  %r7,0x200
oris  %r7,%r7,0x8000
rldicr  %r7,%r7,32,31
ori %r7,%r7,0x1010
oris  %r7,%r7,6

; write POST code
li  %r3, 0x12
rldicr  %r3, %r3, 56, 7
std %r3, 0(%r7)

The address is given in real mode, so you need to be careful when paging is enabled.

Meaning of different POST Codes

Domain Code Enum Description
JTAG & 0x10 Payload started
RGH 0x11 Payload has copied XeLL to the RAM from NAND and executed it
1BL 0x10 - 1BL started
0x11 FSB_CONFIG_PHY_CONTROL Execute FSB function1
0x12 FSB_CONFIG_RX_STATE Execute FSB function2
0x13 FSB_CONFIG_TX_STATE Execute FSB function3
0x14 FSB_CONFIG_TX_CREDITS Execute FSB function4
0x15 FETCH_OFFSET Verify CB offset
0x16 FETCH_HEADER Copy CB header from NAND
0x17 VERIFY_HEADER Verify CB header
0x18 FETCH_CONTENTS Copy CB into protected SRAM
0x19 HMACSHA_COMPUTE Generate CB HMAC key
0x1A RC4_INITIALIZE Initialize CB RC4 decryption key
0x1B RC4_DECRYPT RC4 decrypt CB
0x1C SHA_COMPUTE Generate hash of CB for verification
0x1D SIG_VERIFY RSA signature check of CB hash
0x1E BRANCH Jump to CB
1BL 0x81 PANIC - MACHINE_CHECK
Panics 0x82 PANIC - DATA_STORAGE
0x83 PANIC - DATA_SEGMENT
0x84 PANIC - INSTRUCTION_STORAGE
0x85 PANIC - INSTRUCTION_SEGMENT
0x86 PANIC - EXTERNAL
0x87 PANIC - ALIGNMENT
0x88 PANIC - PROGRAM
0x89 PANIC - FPU_UNAVAILABLE
0x8A PANIC - DECREMENTER
0x8B PANIC - HYPERVISOR_DECREMENTER
0x8C PANIC - SYSTEM_CALL
0x8D PANIC - TRACE
0x8E PANIC - VPU_UNAVAILABLE
0x8F PANIC - MAINTENANCE
0x90 PANIC - VMX_ASSIST
0x91 PANIC - THERMAL_MANAGEMENT
0x92 - 1BL is executed on wrong CPU thread (panic)
0x93 PANIC - TOO_MANY_CORES 1BL is executed on wrong CPU core (panic)
0x94 PANIC - VERIFY_OFFSET CB offset verification failed
0x95 PANIC - VERIFY_HEADER CB header verification failed
0x96 PANIC - SIG_VERIFY CB RSA signature verification failed
0x97 PANIC - NONHOST_RESUME_STATUS
0x98 PANIC - NEXT_STAGE_SIZE Size of next stage is out-of-bounds
CB_A/2BL 0xD0 CB_A entry point, copy self to 0x8000.0200.0001.C000 and continue from there
(Slim 0xD1 READ_FUSES Copy fuses from SoC for CB_B decryption
excl.) 0xD2 VERIFY_OFFSET_CB_B Verify CB_B offset
0xD3 FETCH_HEADER_CB_B Copy CB_B header from NAND for verification
0xD4 VERIFY_HEADER_CB_B Verify CB_B header
0xD5 FETCH_CONTENTS_CB_B Copy CBB into memory at 0x8000.0200.0001.0000 (old location of CB_A)
0xD6 HMACSHA_COMPUTE_CB_B Create HMAC key for CD decryption
0xD7 RC4_INITIALIZE_CB_B Initialize CD RC4 key using HMAC key
0xD8 RC4_DECRYPT_CB_B RC4 decrypt CD
0xD9 SHA_COMPUTE_CB_B Compute hash of CD for verification
0xDA SHA_VERIFY_CB_B MemCmp computed hash with expected one (where rgh2 glitches)
0xDB BRANCH_CB_B Jump to CB_B
CB_A 0xF0 PANIC - VERIFY_OFFSET_CB_B CBB offset verification fail
Panics 0xF1 PANIC - VERIFY_HEADER_CB_B CBB header verification fail
0xF2 PANIC - SHA_VERIFY_CB_B CBB security hash comparison fail
0xF3 PANIC - ENTRY_SIZE_INVALID_CB_B CBB size check fail (must be less than 0xC000)
CB/2BL 0x20 - CB entry point, initialize SoC
0x21 INIT_SECOTP Initialize secopt, verify lockdown fuses
0x22 INIT_SECENG Initialize security engine
0x23 INIT_SYSRAM Initialize EDRAM
0x24 VERIFY_OFFSET_3BL_CC
0x25 LOCATE_3BL_CC
0x26 FETCH_HEADER_3BL_CC
0x27 VERIFY_HEADER_3BL_CC
0x28 FETCH_CONTENTS_3BL_CC
0x29 HMACSHA_COMPUTE_3BL_CC
0x2A RC4_INITIALIZE_3BL_CC
0x2B RC4_DECRYPT_3BL_CC
0x2C SHA_COMPUTE_3BL_CC
0x2D SIG_VERIFY_3BL_CC
0x2E HWINIT Hardware initialization
0x2F RELOCATE Setup tlb entries, relocate to ram
0x30 VERIFY_OFFSET_4BL_CD Verify CD offset
0x31 FETCH_HEADER_4BL_CD Copy CD header from NAND for verification
0x32 VERIFY_HEADER_4BL_CD Verify CD header
0x33 FETCH_CONTENTS_4BL_CD Copy CD from nand
0x34 HMACSHA_COMPUTE_4BL_CD Create HMAC key for CD decryption
0x35 RC4_INITIALIZE_4BL_CD Initialize CD RC4 key using HMAC key
0x36 RC4_DECRYPT_4BL_CD RC4 decrypt CD with key
0x37 SHA_COMPUTE_4BL_CD Compute hash of CD for verification
0x38 SIG_VERIFY_4BL_CD RSA signature check of CD hash
0x39 SHA_VERIFY_4BL_CD MemCmp computed hash with expected one
0x3A BRANCH Setup memory encryption and jump to CD
0x3B PCI_INIT Initialize PCI
CB 0x9B PANIC - VERIFY_SECOTP_1 Secopt fuse verification fail
Panics 0x9C PANIC - VERIFY_SECOTP_2 Secopt fuse verification fail2
0x9D PANIC - VERIFY_SECOTP_3 Secopt fuse verification console type? fail
0x9E PANIC - VERIFY_SECOTP_4 Secopt fuse verification console type? fail
0x9F PANIC - VERIFY_SECOTP_5 Secopt fuse verification console type? fail
0xA0 PANIC - VERIFY_SECOTP_6 CB revocation check failed
0xA1 PANIC - VERIFY_SECOTP_7 Panic after 0x21
0xA2 PANIC - VERIFY_SECOTP_8 Panic after 0x21
0xA3 PANIC - VERIFY_SECOTP_9 Panic after 0x21
0xA4 PANIC - VERIFY_SECOTP_10 Failed SMC HMAC
0xA5 PANIC - VERIFY_OFFSET_3BL_CC
0xA6 PANIC - LOCATE_3BL_CC
0xA7 PANIC - VERIFY_HEADER_3BL_CC
0xA8 PANIC - SIG_VERIFY_3BL_CC
0xA9 PANIC - HWINIT Hardware initialization failed
0xAA PANIC - VERIFY_OFFSET_4BL_CD Failed to verify CD offset
0xAB PANIC - VERIFY_HEADER_4BL_CD Failed to verify CD header
0xAC PANIC - SIG_VERIFY_4BL_CD
0xAD PANIC - SHA_VERIFY_4BL_CD CD security hash comparison fail
0xAE PANIC - UNEXPECTED_INTERRUPT CB exception, unknown interrupt vector
0xAF PANIC - UNSUPPORTED_RAM_SIZE
0xB0 PANIC - VERIFY_CONSOLE_TYPE Secopt fuse verification console type? fail
CD/4BL 0x40 - Entrypoint of CD, setup memory paging
0x41 VERIFY_OFFSET Verify offset to CE
0x42 FETCH_HEADER Copy CE header from NAND for verification
0x43 VERIFY_HEADER Verify CE Header
0x44 FETCH_CONTENTS Read CE from nand into memory
0x45 HMACSHA_COMPUTE Create HMAC key for CE decryption
0x46 RC4_INITIALIZE Initialize CE RC4 key using HMAC key
0x47 RC4_DECRYPT RC4 decrypt CE
0x48 SHA_COMPUTE Compute hash of CE for verification
0x49 SHA_VERIFY MemCmp computed hash with expected one (where rgh1 glitches)
0x4A LOAD_6BL_CF
0x4B LZX_EXPAND LZX Decompress CE
0x4C SWEEP_CACHES
0x4D DECODE_FUSES Decode fuses
0x4E FETCH_OFFSET_6BL_CF Load CF (kernel patches) offset
0x4F VERIFY_OFFSET_6BL_CF Verify CF offset
0x50 LOAD_UPDATE_1 Load CF1/CG1 (patch slot 1) if version & header checks pass
0x51 LOAD_UPDATE_2 Load CF2/CG2 (patch slot 2) if version & header checks pass
0x52 BRANCH Startup kernel/Hypervisor
0x53 DECRYT_VERIFY_HV_CERT Decrypt and verify hypervisor certificate
CD 0xB1 PANIC - VERIFY_OFFSET CE decryption failed
Panics 0xB2 PANIC - VERIFY_HEADER Failed to verify CE header
0xB3 PANIC - SHA_VERIFY CE hash comparison fail
0xB4 PANIC - LZX_EXPAND CE LZX decompression failed
0xB5 PANIC - VERIFY_OFFSET_6BL CF verification failed
0xB6 PANIC - DECODE_FUSES Fuse decryption/check failed
0xB7 PANIC - UPDATE_MISSING CF decryption failed, patches missing.
0xB8 PANIC - CF hash auth failed
CE 0xC1 LZX_EXPAND_1 LDICreateDecompression failed
CF 0xC2 LZX_EXPAND_2 CG size verification failed
Panics 0xC3 LZX_EXPAND_3 Header / patch fragment info check failed
0xC4 LZX_EXPAND_4 Unexpected LDI fragment type
0xC5 LZX_EXPAND_5 LDISetWindowData failed
0xC6 LZX_EXPAND_6 LDIDecompress failed
0xC7 LZX_EXPAND_7 LDIResetDecompression failed
0xC8 SHA_VERIFY CG auth failed
Hypervisor 0x58 INIT_HYPERVISOR Hypervisor Initialization begin
/HV 0x59 INIT_SOC_MMIO Initialize SoC MMIO
0x5A INIT_XEX_TRAINING Initialize XEX training
0x5B INIT_KEYRING Initialize key ring
0x5C INIT_KEYS Initialize keys
0x5D INIT_SOC_INT Initialize SoC Interrupts
0x5E INIT_SOC_INT_COMPLETE Initialization complete
HV Panics 0xFF PANIC - FATAL Fatal error
Kernel 0x60 INIT_KERNEL Initialize kernel
0x61 INIT_HAL_PHASE_0 Initialize hardware abstraction layer (phase 0)
0x62 INIT_PROCESS_OBJECTS Initialize process objects
0x63 INIT_KERNEL_DEBUGGER Initialize kernel debugger
0x64 INIT_MEMORY_MANAGER Initialize memory manager
0x65 INIT_STACKS Initialize stacks
0x66 INIT_OBJECT_SYSTEM Initialize object system
0x67 INIT_PHASE1_THREAD Initialize phase 1 thread
0x68 INIT_PROCESSORS Initialize processors
0x69 INIT_KEY_VAULT Initialize keyvault
0x6A INIT_HAL_PHASE_1 Initialize hardware abstraction layer (phase 1)
0x6B INIT_SFC_DRIVER Initialize SFC (Flash controller)
0x6C INIT_SECURITY Initialize security
0x6D INIT_KEY_EX_VAULT Initialize keyvault (extended portion)
0x6E INIT_SETTINGS Initialize settings
0x6F INIT_POWER_MODE Initialize power mode
0x70 INIT_VIDEO_DRIVER Initialize video driver
0x71 INIT_AUDIO_DRIVER Initialize audio driver
0x72 INIT_BOOT_ANIMATION Initialize boot animation + XMADecoder & XAudioRender Init
0x73 INIT_SATA_DRIVER Initialize SATA driver
0x74 INIT_SHADOWBOOT Initialize shadowboot
0x75 INIT_DUMP_SYSTEM Initialize dump system
0x76 INIT_SYSTEM_ROOT Initialize system root
0x77 INIT_OTHER_DRIVERS Initialize other drivers
0x78 INIT_STFS_DRIVER Initialize STFS driver
0x79 LOAD_XAM Load XAM

Credits

Retrieved from (https://www.xdevwiki.tk/index.php?title=POST_Codes&oldid=156)