– Herein lies the nuance. The on-die mask ROM inside the MCPX actually contains a small, generic bootloader. But the MCPX chip itself varies by motherboard revision. The mcpx-1.0.bin refers to a dump of that on-die boot ROM from the earliest revision of the MCPX chip, found on Xbox motherboard revisions 1.0 and 1.1.
In early versions of mcpx-1.0.bin (specifically prior to revision 2.0), the boot process had a window of ~8 CPU cycles after the 1BL locked the JTAG but before the AES key was zeroized. By asserting a hardware reset line at precise timing, an attacker could stall the 1BL and execute arbitrary code from LPC port. Mcpx-1.0.bin Bios