Cxbx's Emulation Theory

The basic theory behind Cxbx is a tasty blend of HLE (High Level Emulation), and extremely efficient direct code execution. Since the Xbox uses an Intel Pentium processor, a large percentage of the code (most importantly, the code that tends to eat up the CPU) can be executed directly. This means there is no need for DynaRec (Dynamic Recompilation), which saves alot of CPU and RAM. Emulators such as UltraHLE and Project64 have proven that High Level Emulation is a really great way to achieve high performance. Cxbx takes this idea and, because of the Xbox's architecture, takes it to the next level by combining it with direct code execution. The result is speed and accuracy.

Here is a progress report I wrote a while back for my student project.

Goal Checklist

  Xbox Architecture Research

The first step to creating an Xbox Emulator was determining the hardware and software systems used by the Xbox. Since the Xbox is pretty much a PC dressed up like a console, the hardware component was easy enough. The software side was a bit more complicated. The Xbox uses a stripped down and partially modified Windows 2000 Kernel. The Xbox also only executes a single process at a time.

In order to emulate an Xbox game, it is necessary to simulate the game's environment. For the Xbox, this means making the game believe that it is running on a very specific set of PC hardware, running a very specific operating system. The operating system is simulated by intercepting kernel function calls, and wrapping them around existing NTDLL functions within Windows 2000 and Windows XP. The specific hardware is simulated by intercepting code that is known to touch the hardware at the lowest level possible. For Direct3D, this means simulating the Direct3D API by wrapping it around the windows Direct3D API.

  Xbe to Exe Conversion

In order to give an Xbox game the chance to execute, it must first be loaded as a new process, with specific environmental requirements. This task was accomplished by analyzing the XBE (Xbox Executable) file format, and finding a suitable conversion to the PE (Windows Exe) file format. During the time this conversion was being programmed, the XBE File Format was documented.

It is also necessary to prepend crucial initialization code at the beginning of the converted executable, in order to analyze the loaded XBE file and hijack all necessary functions. This is done by appending a special section to the executable, and altering the entry point.

  Thread Local Storage

Typically, a multi-threaded environment will provide some way for the programmer to access thread-specific data. In x86 Win32, this is done using the FS segment selector register. Unfortunately, the Xbox and Win32 do this just a tad bit differently. The idea is the same, but the structures are a little bit different. After banging my head against a few walls, and brute force hacking my way around to figure out exactly how the Xbox does it's TLS, I was able to stabilize a very efficient method for handling the differences. TLS is actually not used very heavily in games. It is, however, used by the CRT and must be emulated correctly.

  Kernel Hijacking

The basic purpose of the Xbox operating system is to provide Xbox games with a stable and efficient environment to run inside of. Typically, the closest an Xbox game programmer will get to the hardware is through the Xbox Kernel's API interface. Cxbx takes over this interface, and mimics the expected behavior of the Xbox operating system. Much of the API is wrapped almost directly around the Win2k/XP NTDLL interface. This is very efficient, and leaves very little overhead.

  High Level Function Interception

In addition to the Xbox Kernel API interface, Xbox games use statically linked libraries that directly access the NVidia chip and other hardware components. In order to allow an Xbox game to run on a PC, these libraries must be located, intercepted, and emulated and/or wrapped around existing Windows API. If you are familiar with IDAPro, the concept of FLIRT libraries is very similar to the technique used by Cxbx. Taking advantage of the fact that even relocatable libraries have distinguishing characteristics, Direct3D and other APIs can be located inside of the virtual address space of a loaded XBE file, hooked, and emulated.

  Complete Direct3D Interception/Emulation

Direct3D is a complex system in itself. In addition to this complexity is the added optimizations provided on the Xbox system. Since it is safe for the developer to assume a very specific set of hardware, many pieces of code are literally removed by an optimizing compiler. Other pieces of code have changed in significant ways from Windows Direct3D. There are also many Xbox specific features which must be emulated, including hardware specific precompiled texture formats, vertex and pixel shaders, CPU optimized routines, texture swizzling, special alpha ops, etc. In order for a game to not only run but look good, these features must be accurated emulated.

  Sound and Network Support

The depth of the Cxbx project is significant enough that certain aspects were basically ignored for the time being. Relatively speaking, sound and network support are non-crucial features that can be implemented after retail games become playable. For the time being, there is no support for these two components. In the big picture, these features are relatively easy to add.