Getting Started - JayFoxRox/xqemu-jfr GitHub Wiki

Get XQEMU

git clone https://github.com/JayFoxRox/xqemu.git

Compile XQEMU

For Mac OS X

./configure --cc=clang --enable-opengl --disable-vnc --disable-user --enable-kvm --disable-xen --with-coroutine=sigaltstack --target-list=xbox-softmmu --enable-debug
make

For Windows

It's complicated! See FK's excellent writeup.

For Linux

Requirements:

  • Python 2
  • Clang
  • EGL/GL or GLX/GL

./configure --cc=clang --enable-opengl --disable-vnc --disable-user --enable-kvm --disable-xen --with-coroutine=sigaltstack --target-list=xbox-softmmu --enable-debug --audio-drv-list=alsa --python=/usr/bin/python2
make

Make sure --python points at your Python 2 interpreter; Python 3 won't work with this configure script. A build compiled with KVM support can still be run with TCG, so I'd recommend compiling with KVM enabled. configure should automatically disable KVM if your host CPU or OS doesn't support it.

Run XQEMU

XQEMU is a Low-Level Emulator, so you need to find a copy of the stuff the Xbox runs when it turns on:

  • Xbox MCP-X boot rom
  • Xbox 1.0 compatible bios (cromwell, 3944, 4034, 4036 or 4627)
  • Xbox dashboard files

Here are the MD5 hashes of known-good files. Check yours against them to rule out the common dumping problems (MD5 is fine for spotting a corrupted or shifted dump, which is all it is used for here):

MD5 (mcpx_1.0.bin) = d49c52a4102f6df7bcf8d0617ac475ed
MD5 (3944_1M.bin) = e8b39b98cf775496c1c76e4f7756e6ed
MD5 (3944_256k.bin) = 542c62cb976a4993c8c5027dff9638ce _What is this?_

If your mcpx_1.0.bin has the MD5 196a5f59a13382c185636e691d6c323d you dumped it badly: the whole image is shifted by one byte. It has a spurious leading byte 0x7F which has to be removed (so the file starts with 0x33 0xC0 ..), and the final byte 0xEE is missing and has to be appended (so the file ends with .. 0x02 0xEE). After the fix the file should have the good MD5 d49c52a4102f6df7bcf8d0617ac475ed listed above.
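The following script, an added example that is not part of the original wiki page or the XQEMU code base, checks the three files against the MD5 hashes listed above and repairs the shifted mcpx_1.0.bin dump described in the previous paragraph (drop the leading 0x7F, append the trailing 0xEE). It never overwrites the original dump; a repaired copy is written as mcpx_1.0.fixed.bin. The 512-byte size of the MCPX 1.0 boot ROM is used as a sanity check, and the shifted dump is also recognised structurally (7F 33 C0 header, missing EE trailer) so that a dump with some other MD5 is not blindly "repaired":

```python
#!/usr/bin/env python3
"""Check XQEMU boot-ROM / BIOS dumps against the known-good MD5s and repair the
common off-by-one mcpx_1.0.bin dump (example script, not part of XQEMU)."""
import hashlib
import sys
from pathlib import Path

# MD5 digests of known-good files, as listed on the wiki page.
KNOWN_GOOD = {
    "mcpx_1.0.bin": "d49c52a4102f6df7bcf8d0617ac475ed",
    "3944_1M.bin": "e8b39b98cf775496c1c76e4f7756e6ed",
    "3944_256k.bin": "542c62cb976a4993c8c5027dff9638ce",
}

# MD5 of the common bad MCPX dump: a spurious 0x7F in front, final 0xEE missing.
MCPX_SHIFTED_MD5 = "196a5f59a13382c185636e691d6c323d"
MCPX_GOOD_HEAD = b"\x33\xc0"   # a correct dump starts with these two bytes
MCPX_GOOD_TAIL = b"\x02\xee"   # ... and ends with these two
MCPX_SIZE = 512                # size of the MCPX 1.0 boot ROM in bytes


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def looks_shifted(data: bytes) -> bool:
    """Structural check for the one-byte-shifted dump, independent of the hash
    table: right size, starts 7F 33 C0, and does not end with the 02 EE trailer."""
    return (len(data) == MCPX_SIZE
            and data[:3] == b"\x7f" + MCPX_GOOD_HEAD
            and data[-2:] != MCPX_GOOD_TAIL)


def classify(name: str, data: bytes) -> str:
    """'ok' if the MD5 matches the wiki, 'shifted' for the known bad MCPX dump
    (by hash or by structure), otherwise 'unknown'."""
    digest = md5_hex(data)
    if digest == KNOWN_GOOD.get(name):
        return "ok"
    if name == "mcpx_1.0.bin" and (digest == MCPX_SHIFTED_MD5 or looks_shifted(data)):
        return "shifted"
    return "unknown"


def repair_shifted_mcpx(data: bytes) -> bytes:
    """Drop the leading 0x7F and append the missing 0xEE. Refuses anything that
    does not look like the shifted dump, so it cannot 'repair' random garbage."""
    if not looks_shifted(data):
        raise ValueError("input does not look like the known shifted MCPX dump")
    fixed = data[1:] + b"\xee"
    if len(fixed) != MCPX_SIZE or fixed[:2] != MCPX_GOOD_HEAD or fixed[-2:] != MCPX_GOOD_TAIL:
        raise ValueError("repair did not produce the expected header/trailer")
    return fixed


def check_file(path: Path) -> str:
    """Check one file; write a repaired copy next to a shifted MCPX dump.
    Returns the classification so callers can act on it."""
    data = path.read_bytes()
    status = classify(path.name, data)
    print(f"{path.name}: md5={md5_hex(data)} -> {status}")
    if status == "shifted":
        fixed = repair_shifted_mcpx(data)
        out = path.with_name("mcpx_1.0.fixed.bin")
        out.write_bytes(fixed)
        print(f"  wrote {out} (md5={md5_hex(fixed)}, "
              f"{'matches' if md5_hex(fixed) == KNOWN_GOOD['mcpx_1.0.bin'] else 'DOES NOT match'} known-good)")
    elif status == "unknown":
        print("  not a known-good image; re-dump rather than guessing at a fix")
    return status


if __name__ == "__main__":
    # Usage: python3 check_roms.py mcpx_1.0.bin 3944_1M.bin 3944_256k.bin
    results = [check_file(Path(p)) for p in sys.argv[1:]]
    sys.exit(0 if results and all(r == "ok" for r in results) else 1)
```

The hash lookup is keyed by file name, so keep the names used on this page (mcpx_1.0.bin, 3944_1M.bin, 3944_256k.bin) or extend KNOWN_GOOD. A dump that is neither a known-good hash nor the recognisable shifted pattern is reported as unknown and left alone; the right fix for those is to dump again, not to patch bytes.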

Create an Xbox hard-disk image:

  • Create an xboxhdm cd-rom image containing the dashboard files
  • Create a blank hard-disk image: qemu-img create -f qcow2 xbox_harddisk.qcow2 8G
  • Boot the xboxhdm ISO in a stock qemu with the blank image attached and let it partition, format and populate the disk: i386-softmmu/qemu-system-i386 -hda xbox_harddisk.qcow2 -cdrom linux.iso

Running with KVM

xbox-softmmu/qemu-system-xbox -cpu pentium3 -machine xbox,bootrom=mcpx_1.0.bin,accel=kvm,kernel_irqchip=off -m 64 -drive file=xbox_harddisk.qcow2,index=0,media=disk,locked=on -drive index=1,media=cdrom -bios 3944_1M.bin -usb -device usb-xbox-gamepad

Running with TCG

xbox-softmmu/qemu-system-xbox -cpu pentium3 -machine xbox,bootrom=mcpx_1.0.bin,accel=tcg -m 64 -drive file=xbox_harddisk.qcow2,index=0,media=disk,locked=on -drive index=1,media=cdrom -bios 3944_1M.bin -usb -device usb-xbox-gamepad

You can precede your command line with apitrace trace -a egl (for EGL; use "glx" or "cgl" on GLX or Mac OS X respectively) to generate an apitrace of the GL calls.

Debugging Tips

  • QEMU can host a gdb stub! Launch with -s -S (gdb stub on localhost:1234, CPU halted at start), and in gdb run target remote localhost:1234
    • Protip: You can also attach to it with IDA if you're so inclined. You can then load in a database if you export it as an IDC script!
  • XQEMU can emulate an XDK serial port (which with a debug bios hosts KD, as in this and this)! Launch with something like -device lpc47m157 -serial unix:/tmp/xserial,server. With some effort you can wrestle the unix socket into a VM for use with WinDbg. There's also a very barebones perl KD client in scripts/windpl