Unfortunately, booting cromwell is not possible without a proper MCPX ROM and associated X-code interpreter. Cromwell is not encrypted, but uses the x-code interpreter to do basic system init before exploiting the interpreter to take over control (see Xcodes.h). Therefore we should allow cromwell to host the reset vector and perform Xcode initialization itself in the event an interpreter is unavailable.

Detailed information about the X-code interpreter and reset boot flow is available here: https://mborgerson.com/deconstructing-the-xbox-boot-rom/

My reset vector code is available here: https://github.com/mborgerson/xqemu-kernel/blob/master/src/start.nasm

Note: I will likely resolve this issue myself, but anyone else is of course welcome to work on it.