Audio Firmware

The audio core in the Kinect requires firmware to be uploaded at runtime. This page provides some analysis of what such a firmware image looks like.

It is currently unknown whether the bootloader performs any checks or enforces any particular structure on the firmware images it is sent to boot.

There are two known firmware images: one taken from Xbox360 system updates (referred to as the "Xbox360 firmware"), and one from the Kinect SDK for Windows (referred to as the "Windows firmware").

Firmware images are largely little-endian ARM32 code. Each firmware image begins with a 0x30-byte header of the form:

 #include <stdint.h>
 
 struct firmware_header {
   uint32_t magic;              // Always 0xca77f00d. Cat food? ;)
   uint16_t version_major;      // 1 in Xbox360 firmware, 2 in Windows firmware
   uint16_t version_minor;      // 1 in all known firmwares
   uint16_t version_build;      // 2025 (0x07e9) in Xbox360 firmware, 291 (0x0123) in Windows firmware
   uint16_t version_revision;   // 0 in all known firmwares
   uint32_t base_address;       // The memory address at which this image, including the header, expects to be placed.
   uint32_t image_size;         // The size of this firmware image, in bytes. 512544 (0x7d220) for the Xbox360 firmware, 185856 (0x2d600) for the Windows firmware.
   uint32_t boot_address;       // The address to which the bootloader should jump to start this firmware.
 };

In all known firmware versions, the base address is 0x00080000 and the boot address is 0x00080030.
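
Since it is unknown whether the bootloader validates what it is sent, a host-side loader can sanity-check an image before uploading it. The following is an added example, not code from this page or from the OpenKinect project. The function names, the error codes, the rule that `image_size` must equal the file length, and the rule that the boot address must fall inside the image after the header are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>

#define FW_MAGIC      0xca77f00du
#define FW_HEADER_LEN 0x30u            /* header size stated on this page */
struct fw_info {
    uint16_t major, minor, build, revision;
    uint32_t base_address, image_size, boot_address;
};

/* Little-endian reads, byte by byte: no alignment or host-endianness assumptions. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) { return rd16(p) | ((uint32_t)rd16(p + 2) << 16); }

/* Returns 0 if the header passes, else a negative code for the first failed check.
 * file_len is the size of the whole image file (assumed to equal image_size). */
int fw_parse(const uint8_t *hdr, size_t hdr_len, size_t file_len, struct fw_info *out)
{
    if (hdr_len < FW_HEADER_LEN) return -1;                 /* truncated header */
    if (rd32(hdr) != FW_MAGIC) return -2;                   /* wrong magic */
    out->major = rd16(hdr + 4);
    out->minor = rd16(hdr + 6);
    out->build = rd16(hdr + 8);
    out->revision = rd16(hdr + 10);
    out->base_address = rd32(hdr + 12);
    out->image_size = rd32(hdr + 16);
    out->boot_address = rd32(hdr + 20);
    if (out->image_size < FW_HEADER_LEN || out->image_size != file_len) return -3;
    if (out->base_address > UINT32_MAX - out->image_size) return -4;  /* wraps 32 bits */
    if (out->boot_address < out->base_address + FW_HEADER_LEN ||
        out->boot_address >= out->base_address + out->image_size) return -5;
    return 0;
}

/* Constructed sample: the Windows firmware field values from this page; bytes
 * 0x18..0x2f are not covered by the struct above and are zero-filled here. */
static const uint8_t SAMPLE_HDR[FW_HEADER_LEN] = {
    0x0d, 0xf0, 0x77, 0xca,  0x02, 0x00, 0x01, 0x00,  0x23, 0x01, 0x00, 0x00,
    0x00, 0x00, 0x08, 0x00,  0x00, 0xd6, 0x02, 0x00,  0x30, 0x00, 0x08, 0x00,
};

int main(void)
{
    struct fw_info fi = {0};
    int rc = fw_parse(SAMPLE_HDR, sizeof SAMPLE_HDR, 0x2d600, &fi);
    printf("rc=%d version=%u.%u.%u.%u boot=0x%08x\n", rc, (unsigned)fi.major,
           (unsigned)fi.minor, (unsigned)fi.build, (unsigned)fi.revision, (unsigned)fi.boot_address);
    return rc != 0;
}
```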

See also

Audio protocol documentation