# [X360] The Reset Glitch Hack



## Aurora Wright (Aug 28, 2011)

http://www.youtube.com/watch?v=JyYdL4L6vwE

We all know that the Xbox 360 is a masterpiece as far as _software_ security is concerned; hackers such as tmbinc and marcan said so too.
Since software was so secure, some hackers found a hardware glitch, which works by using a chip to destabilize the processor while it checks the signature of one of the bootloaders.
This glitch hack works on both FAT and SLIM models, allowing them to run unsigned code.

Details about how it works:

**********************************
* The Xbox 360 reset glitch hack *
**********************************

Introduction / some important facts
===================================

tmbinc said it himself, software based approaches of running unsigned code on the 360 mostly don't work, it was designed to be secure from a software point of view.

The processor starts running code from ROM (1BL), which then starts loading an RSA-signed and RC4-encrypted piece of code from NAND (CB).

CB then initialises the processor security engine, its task will be to do real time encryption and hash check of physical DRAM memory. From what we found, it's using AES128 for crypto and strong (Toeplitz ?) hashing. The crypto is different each boot because it is seeded at least from:
- A hash of the entire fuseset.
- The timebase counter value.
- A truly random value that comes from the hardware random number generator the processor embeds. On fats, that RNG could be electronically deactivated, but there's a check for "apparent randomness" (merely a count of 1 bits) in CB; it just waits for a seemingly proper random number.

CB can then run some kind of simple bytecode based software engine whose task will mainly be to initialise DRAM, CB can then load the next bootloader (CD) from NAND into it, and run it.

Basically, CD will load a base kernel from NAND, patch it and run it.

That kernel contains a small privileged piece of code (hypervisor), when the console runs, this is the only code that would have enough rights to run unsigned code.
In kernel versions 4532/4548, a critical flaw in it appeared, and all known 360 hacks needed to run one of those kernels and exploit that flaw to run unsigned code.
On current 360s, CD contains a hash of those 2 kernels and will stop the boot process if you try to load them.
The hypervisor is a relatively small piece of code to check for flaws, and apparently no newer one has any flaws that could allow running unsigned code.

On the other hand, tmbinc said the 360 wasn't designed to withstand certain hardware attacks such as the timing attack and "glitching".

Glitching here is basically the process of triggering processor bugs by electronic means.

This is the way we used to be able to run unsigned code.

The reset glitch in a few words
===============================

We found that sending a tiny reset pulse to the processor while it is slowed down does not reset it but instead changes the way the code runs; it seems it's very efficient at making bootloaders' memcmp functions always return "no differences". memcmp is often used to check the next bootloader's SHA hash against a stored one, allowing it to run if they are the same. So we can put a bootloader that would fail the hash check in NAND, glitch the previous one, and that bootloader will run, allowing almost any code to run.

Details for the fat hack
========================

On fats, the bootloader we glitch is CB, so we can run the CD we want.

cjak found that by asserting the CPU_PLL_BYPASS signal, the CPU clock is slowed down a lot; there's a test point on the motherboard that's a fraction of CPU speed: it's 200 MHz when the dash runs, 66.6 MHz when the console boots, and 520 kHz when that signal is asserted.

So it goes like that:
- We assert CPU_PLL_BYPASS around POST code 36 (hex).
- We wait for POST 39 start (POST 39 is the memcmp between stored hash and image hash), and start a counter.
- When that counter has reached a precise value (it's often around 62% of entire POST 39 length), we send a 100ns pulse on CPU_RESET.
- We wait some time and then we deassert CPU_PLL_BYPASS.
- The CPU speed goes back to normal, and with a bit of luck, instead of getting POST error AD, the boot process continues and CB runs our custom CD.

The NAND contains a zero-paired CB, our payload in a custom CD, and a modified SMC image.
A glitch being unreliable by nature, we use a modified SMC image that reboots infinitely (i.e. stock images reboot 5 times and then go RROD) until the console has booted properly.
In most cases, the glitch succeeds in less than 30 seconds from power on that way.

Details for the slim hack
=========================

The bootloader we glitch is CB_A, so we can run the CB_B we want.

On slims, we weren't able to find a motherboard track for CPU_PLL_BYPASS.
Our first idea was to remove the 27Mhz master 360 crystal and generate our own clock instead but it was a difficult modification and it didn't yield good results.
We then looked for other ways to slow the CPU clock down and found that the HANA chip had configurable PLL registers for the 100Mhz clock that feeds CPU and GPU differential pairs.
Apparently those registers are written by the SMC through an I2C bus.
I2C bus can be freely accessed, it's even available on a header (J2C3).
So the HANA chip will now become our weapon of choice to slow the CPU down (sorry tmbinc, you can't always be right, it isn't boring and it does sit on an interesting bus).

So it goes like that:
- We send an I2C command to the HANA to slow down the CPU at POST code D8.
- We wait for POST DA start (POST DA is the memcmp between stored hash and image hash), and start a counter.
- When that counter has reached a precise value, we send a 20ns pulse on CPU_RESET.
- We wait some time and then we send an I2C command to the HANA to restore the regular CPU clock.
- The CPU speed goes back to normal, and with a bit of luck, instead of getting POST error F2, the boot process continues and CB_A runs our custom CB_B.

When CB_B starts, DRAM isn't initialised so we chose to only apply a few patches to it so that it can run any CD, the patches are:
- Always activate zero-paired mode, so that we can use a modified SMC image.
- Don't decrypt CD, instead expect a plaintext CD in NAND.
- Don't stop the boot process if CD hash isn't good.

CB_B is RC4-encrypted, and the key comes from the CPU key, so how do we patch CB_B without knowing the CPU key?
RC4 is basically:
crypted = plaintext xor pseudo-random-keystream
So if we know plaintext and crypted, we can get the keystream, and with the keystream, we can encrypt our own code. It goes like that:
guessed-pseudo-random-keystream = crypted xor plaintext
new-crypted = guessed-pseudo-random-keystream xor plaintext-patch
You could think there's a chicken and egg problem, how did we get plaintext in the first place?
Easy: we had plaintext CBs from fat consoles, and we thought the first few bytes of code would be the same as the new CB_B, so we could encrypt a tiny piece of code to dump the CPU key and decrypt CB_B!

The NAND contains CB_A, a patched CB_B, our payload in a custom plaintext CD, and a modified SMC image.
The SMC image is modified to have infinite reboot, and to prevent it from periodically sending I2C commands while we send ours.

Now, maybe you haven't realised yet, but CB_A contains no checks on revocation fuses, so it's an unpatchable hack!

Caveats
=======

Nothing is ever perfect, so there are a few caveats to that hack:
- Even if the glitch we found is pretty reliable (25% success rate per try on average), it can take up to a few minutes to boot to unsigned code.
- That success rate seems to depend on something like the hash of the modified bootloader we want to run (CD for fats and CB_B for slims).
- It requires precise and fast hardware to be able to send the reset pulse.

Our current implementation
==========================

We used a Xilinx CoolRunner II CPLD (xc2c64a) board, because it's fast, precise, updatable, cheap and can work with 2 different voltage levels at the same time.
We use the 48 MHz standby clock from the 360 for the glitch counter. For the slim hack, the counter even runs at 96 MHz (incremented on rising and falling edges of the clock).
The CPLD code is written in VHDL.
We need it to be aware of the current POST code; our first implementations used the whole 8-bit POST port for this, but we are now able to detect the changes of only 1 POST bit, making wiring easier.

Conclusion
==========

We tried not to include any MS copyrighted code in the released hack tools.
The purpose of this hack is to run Xell and other free software, I (GliGli) did NOT do it to promote piracy or anything related, I just want to be able to do whatever I want with the hardware I bought, including running my own native code on it.

Credits
=======

GliGli, Tiros: Reverse engineering and hack development.
cOz: Reverse engineering, beta testing.
Razkar, tuxuser: beta testing.
cjak, Redline99, SeventhSon, tmbinc, anyone I forgot... : Prior reverse engineering and/or hacking work on the 360.


Tutorial (it requires hardware soldering skills)
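The RC4 keystream splice the readme describes (keystream = crypted xor plaintext, new-crypted = keystream xor patch), as an added example that is not GliGli's code and uses no Xbox 360 image or key: a textbook RC4 implementation, recovery of the keystream prefix from a known plaintext prefix, a forged ciphertext that decrypts to the patch, and a model of the previous-stage loader whose SHA-1 hash comparison is the only thing that rejects the forgery. The CPU_KEY, ORIGINAL_IMAGE and patch bytes are constructed, the stored hash is modelled as a plain SHA-1 of the image, and loader_check is a stand-in for the real bootloader's memcmp step, not its code.

```python
import hashlib


def rc4_keystream(key: bytes, length: int) -> bytes:
    """Textbook RC4: key-scheduling, then the PRGA, returning `length` keystream bytes."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for _ in range(length):
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def xor_bytes(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def rc4_crypt(key: bytes, data: bytes) -> bytes:
    # Encryption and decryption are the same XOR with the keystream.
    return xor_bytes(data, rc4_keystream(key, len(data)))


def recover_keystream(known_plaintext: bytes, ciphertext: bytes) -> bytes:
    """Known-plaintext step from the readme: keystream = crypted xor plaintext."""
    return xor_bytes(ciphertext, known_plaintext)


def forge_ciphertext(keystream: bytes, patched_plaintext: bytes) -> bytes:
    """Re-encrypt chosen bytes under the recovered keystream; no key needed."""
    return xor_bytes(keystream, patched_plaintext)


def loader_check(key: bytes, ciphertext: bytes, stored_hash: bytes):
    """Model of the verifying stage (hypothetical, not the real bootloader): decrypt,
    then compare the SHA-1 of the image against the stored hash. The image is
    returned only on a match; a real loader halts with a POST error otherwise."""
    image = rc4_crypt(key, ciphertext)
    if hashlib.sha1(image).digest() != stored_hash:
        return None
    return image


# Constructed sample data; not a real Xbox 360 image or key.
CPU_KEY = b"constructed-per-console-key"
ORIGINAL_IMAGE = b"STAGE-B: verify next stage, then jump   " + b"\x00" * 24
KNOWN_PREFIX_LEN = 16  # the patcher is assumed to know only the first 16 plaintext bytes


def demo() -> dict:
    signed_ct = rc4_crypt(CPU_KEY, ORIGINAL_IMAGE)
    stored_hash = hashlib.sha1(ORIGINAL_IMAGE).digest()

    # 1. A known plaintext prefix yields the keystream prefix without the key.
    ks_prefix = recover_keystream(ORIGINAL_IMAGE[:KNOWN_PREFIX_LEN],
                                  signed_ct[:KNOWN_PREFIX_LEN])

    # 2. Splice a patched prefix (16 bytes, constructed) into the ciphertext.
    patch = b"STAGE-B: PATCHED"
    forged_ct = forge_ciphertext(ks_prefix, patch) + signed_ct[KNOWN_PREFIX_LEN:]

    # 3. Decryption happily yields the patched image; RC4 provides no integrity.
    decrypted = rc4_crypt(CPU_KEY, forged_ct)

    # 4. Only the hash comparison in the loader rejects the forgery.
    return {
        "keystream_recovered": ks_prefix == rc4_keystream(CPU_KEY, KNOWN_PREFIX_LEN),
        "forgery_decrypts_to_patch": decrypted[:KNOWN_PREFIX_LEN] == patch,
        "original_accepted": loader_check(CPU_KEY, signed_ct, stored_hash) == ORIGINAL_IMAGE,
        "forgery_accepted": loader_check(CPU_KEY, forged_ct, stored_hash) is not None,
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

The point for a defender: RC4, like any stream cipher, gives confidentiality but no integrity, so an encrypted image is malleable to anyone holding a known plaintext prefix. The hash comparison in loader_check is the single control that stops the forgery, and the readme's glitch targets exactly that comparison by making memcmp report "no differences". A boot chain that wants to survive fault injection therefore cannot hang the whole decision on one branch after one memcmp.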


----------



## TLSS_N (Aug 28, 2011)

Hell yeah, NOW we're talking!


----------



## Devin (Aug 28, 2011)

The Living Shadow said:

> Hell yeah, NOW we're talking!



You said it. Just ended my search for a JTAG 360, might do it to this Jasper I have.


----------



## TLSS_N (Aug 28, 2011)

Devin said:

> The Living Shadow said:
> ...



I wonder if this group let Microsoft know about this before they released it, since that's what happened with JTAG. It makes me wonder.


----------



## Devin (Aug 28, 2011)

The Living Shadow said:

> Devin said:
> ...



I'm also curious about that, but if it works on any Dash, don't update.


----------



## FAST6191 (Aug 28, 2011)

Wow, a good read. I shall have to see how this all plays out and if it turns out it can be done on some more commodity hardware (thinking some of the more common development boards, although a quick scan says the current setup is nothing major). I sense I shall be doing a few, as this looks like it will work on banned hardware too.


----------



## TLSS_N (Aug 28, 2011)

Devin said:

> The Living Shadow said:
> ...


Well, if anyone needs a box, I suggest waiting a bit to find out if Microsoft has patched it; just keep an eye on the xbox-scene forums for a heads up. I know I am going to get a new box either way, I need it. And let's hope someone grabs the keys!!


----------



## Devin (Aug 28, 2011)

The Living Shadow said:

> Devin said:
> ...



Yup. If it hasn't been patched yet great. Until I get it done, my 360 stays offline. Just bought a 360 from a friend, so I'll have two to screw around with.

(So that means the 360s can run games, and still play on Live? Amazing.)


----------



## Fudge (Aug 28, 2011)

Awesome!!! Unsigned code is possible once more!


----------



## raulpica (Aug 28, 2011)

Hm, this will probably have a nice huge drop of JTAG'd 360s prices. Good.

I wonder if MS will still ban you if you use this hack... Hopefully it'll be less detectable.


----------



## machomuu (Aug 28, 2011)

Sounds awesome, but I can't solder, so I might buy another 360 just to do this.


----------



## chartube12 (Aug 28, 2011)

So much for the secret of how the xode was gonna work!


----------



## hunter291 (Aug 28, 2011)

So in noob language... could we describe it as "JTAG" for newer models? I mean, can this lead to the same stuff? Freestyledash, xellous, freeboot and stuff?


----------



## 431unknown (Aug 28, 2011)

lol, Nice! I knew somebody would find something new eventually.


----------



## gregor1997 (Aug 28, 2011)

This is awesome!


----------



## shakirmoledina (Aug 28, 2011)

I wonder if the 3DS at the end will require an advanced hack like this.
I also remember FAST talked about messing around with the clocks to get some strange results. This is a rare hack I have read about.
If I am not mistaken, it's all about making a false hash (SHA) to think it is the correct hash value, right?

A little info I know about SHA from a book:
Similar to MD5; the message digest is 160 bits instead of 128 bits. This algorithm provides the hash function for the DSA algorithm specified within the DSS.


----------



## FAST6191 (Aug 28, 2011)

If you are referring to that hacking concepts thread in the 3DS section, the clock hacks there were more about superclocking or underclocking to cause commands to be missed, interpreted badly, or a race condition, which is a similar class of attack to the eventual one here. However, from reading the above it seems as though the clocks were slowed to allow things to work on simpler hardware: trying to get things to mesh at 200MHz or higher (the post said the point viewed was a fraction of the actual speed) is a nightmare (pretty much university or corporate level), but the sort of speeds they are mentioning when the CPU gets slowed down are far easier to work with.

Once this is done the CPU reset function seems to get abused- I am guessing it resets any flags in the CPU that get returned on the compare check as "not a match" just in time for the next part of the routine to think it is in fact correct and carry on booting. It being that early in the boot process means you can tell it whatever you like and that includes getting it to give you the keys to the kingdom.


----------



## Armadillo (Aug 28, 2011)

Nice, might have to grab a slim when funds allow it, already got a jtag, but with fans at 80% it's pretty loud.

This line from the readme

"Now, maybe you haven't realised yet, but CB_A contains no checks on revocation fuses, so it's an unpatchable hack !"

So does that mean unpatchable by software? Or just unpatchable forever? It's a glitch on the CPU, so I'd assume any fix would have to be a hardware one, but I'm just wondering if the attack is at such a level, would the console need a complete redesign to fix it.

I see a wave of 360 modchips coming now.


----------



## dilav (Aug 28, 2011)

Great news, but debating on if I should pick one up. 25% boot rate isn't too bad either.


----------



## shakirmoledina (Aug 28, 2011)

So speed is such a strange thing in processing that even a computer/machine can misinterpret a situation.

Then again, I don't understand how they figured out to try this... is there a clue, or have they searched through the code? Or is it a guess/chance based on some info?

PS - Fast, I had to read your post at least 4 times to try to understand what you said, and hopefully I get you.


----------



## Nujui (Aug 28, 2011)

inb4 modding shops add this.

I would really like to try this, but I suck at hardware hacking XD.


----------



## machomuu (Aug 28, 2011)

KirbyBoy said:

> inb4 modding shops add this.
> 
> I would really like to try this, but I suck at hardware hacking XD.


So do I, that's why I stick to soft-mods


----------



## Ace (Aug 28, 2011)

This is pretty cool, but they could've announced this two years ago, when I still had an X360 xD

Oh well, cheers to the mates who'll hack their X360 like this! They're true bronies.


----------



## Devin (Aug 28, 2011)

machomuu said:

> KirbyBoy said:
> ...



I'm either going to do it myself, or have a friend of mine do it for me.


----------



## FAST6191 (Aug 28, 2011)

shakirmoledina said:

> So speed is such a strange thing in processing that even a computer/machine can misinterpret a situation.
> 
> Then again, I don't understand how they figured out to try this... is there a clue, or have they searched through the code? Or is it a guess/chance based on some info?
> 
> PS - Fast, I had to read your post at least 4 times to try to understand what you said, and hopefully I get you.



Speeds are very important to computers and speed related issues pretty much control/trouble everything- ever wondered what the timings on your ram are? (they are just what speed in terms of clock cycles the ram is rated to perform operations at- http://www.techpowerup.com/printarticle.php?id=131 )

A person's hacking method is much like their writing method really- it just has to work for them. As they said though software attacks were not that much use as the thing gets locked down early and hard by a very small, very tight piece of code (the hypervisor) - it is now several revisions old but still a nice overview http://www.youtube.com/watch?v=uxjpmc8ZIxM (I probably should have linked it earlier) so that means coming at it from hardware. As you have to attack it early and the boot process is well understood thanks to all the earlier hacks (they rely on the same concepts) you then have some points to attack not to mention similar things earlier on in the 360 lifetime (we already saw a timing attack way back when). I am in danger of understating the work that presumably went into it so I will end this section by saying this is some proper hacking work done by those that do really know what they are doing.

re: the 25% thing, if I understand the post correctly it is a 25% per attempt thing but it will try as many times as necessary which should lead to a boot fairly early on. A proper/good hook will see it booting in but a second or two but probability means it gets quite likely to happen within about 30 seconds- kind of like rolling a dice will see you say roll a 5 at a probability of 1/6 but rolling a dice 200 times and not getting a 5 is very odd (but still possible).

edit: @Armadillo 1BL is buried as ROM inside the CPU and it loads 2BL, so if you can get your own 2BL in there you are sorted. The fuses thing is icing on the cake, and I guess yeah, it means a new hardware revision (and probably quite a few changes to the boot method).


----------



## Devin (Aug 28, 2011)

So FAST, from what you know so far, do you think that I could buy a Cygnos modchip and dual boot an "official" NAND and a JTAG'd one? I'm a bit wary of buying one unless I know it'll be compatible with this exploit. Think it'd work? Me being able to switch between a JTAG NAND for USB launch, homebrew, etc., but still be able to switch over to a "legit" NAND in order to play over Xbox Live? Thanks.


----------



## Armadillo (Aug 28, 2011)

FAST6191 said:

> edit: @Armadillo 1BL is buried as ROM inside the CPU and it loads 2BL, so if you can get your own 2BL in there you are sorted. The fuses thing is icing on the cake, and I guess yeah, it means a new hardware revision (and probably quite a few changes to the boot method).




Nice. Guess there is no need for me to get one asap then as backup for my jtag'd falcon. Probably pick one up when they drop to £99 (the 4gb always seem to be going on sale) or if news of a new hardware revision surfaces. Nice thing with it being unpatchable by software is used/banned jaspers will be a nice cheap alternative and are in plentiful supply.

Wonder if Microsoft will even bother with hardware revisions this late in the console's life, or just keep them off Live, and whether a hardware revision can fix it fully or whether it'll be more a game of cat and mouse from now on (they move/hide the points to solder to, new ones are found and so on, like with the chips on last-gen consoles).

Definitely going to be interesting now; hope it breathes some life back into the homebrew scene on the 360, as it's pretty barren at the moment.


----------



## FAST6191 (Aug 28, 2011)

I would advise against calling this a JTAG hack. Related concepts but different enough to make the name confusing.

Dual NAND (do remember you can also just find an XD card and do a dual NAND that way). Given MS are back on the profile banning kick and they can still check your profile for unreleased games and probably do something like check what 360 last signed the profile (they did similar things in the early days for the save game swapping crowd), I would be hesitant to call it safe.
As for Cygnos itself, some were NAND related but others were aimed more at employing the JTAG hack (acting as an alternative to using the SMC to punt the hack data), so you might wish to read up and see what goes there. Also I have no idea what MS will do down the line, so it might work for a little bit and then MS put a stop to it (you can bet things are pretty crazy at MS HQ right now), at which point you have effectively wasted some money. I think my advice will remain: if you want to hack in any way beyond the DVD flashing and simple USB stuff (GOTY-type DLC installs) you will lose any easy/"safe" access to Live.

Edit: @Armadillo yeah the 360 homebrew scene could use a bit of a kickstart and hopefully this will be the thing to do it- some of the emulator proof of concepts were looking pretty nice. It will also be interesting to see what happens on the DVD flashing front. Not sure about what MS will do though

I am now debating whether to do it to my Jasper I accidentally updated back when. Price-wise it is not too bad, but my history with CPLDs is not a shining example of technology working for me. I wonder if any of the old passmes will be useful here.


----------



## Armadillo (Aug 29, 2011)

FAST6191 said:

> Edit: @Armadillo yeah the 360 homebrew scene could use a bit of a kickstart and hopefully this will be the thing to do it- some of the emulator proof of concepts were looking pretty nice. It will also be interesting to see what happens on the DVD flashing front. Not sure about what MS will do though
> 
> I am now debating whether to do it to my Jasper I accidentally updated back when. Price-wise it is not too bad, but my history with CPLDs is not a shining example of technology working for me. I wonder if any of the old passmes will be useful here.



DVD flashing will stay around I think. This won't be Live safe, and for some reason this gen people have an obsession with having homebrew/copies + Live on the same console, so I think that there will still be a demand for it. Add that to the fact that even though it's unpatchable via software, you'll still need a rebooter or similar to get into a hacked MS dash/kernel which needs to be updated periodically (although drive flashes are getting this way now), I think there will still be a market for them. Same with the drive emulators if they make them Live safe (or as safe as can be).

As for MS I reckon first response might be just to remove some of the headers, like when they pulled the lpt port on the 1.6 xbox. Just an attempt to make it as hard as possible to do, rather than nice easy points.



As for the Jasper, I'd probably wait until there is at least a rebooter for it. I'm lazy and wouldn't be bothered to do all that soldering and preparation to get to use Xell and nothing retail.


----------



## chrisrlink (Aug 29, 2011)

One leap for us, one GIANT kick in the nuts for MS. Let's hope they don't follow Sony and start suing... Also, I'm willing to ship my slim (latest FW) to one of you to do this.


----------



## Fear Zoa (Aug 29, 2011)

And now I can finally hack my xbox so that everything I own (except the 3ds at this point) is hacked...


----------



## Gh0sti (Aug 29, 2011)

Impressive work. I'm surprised they got an N64 emu on there already, and on a slim.


----------



## FAST6191 (Aug 29, 2011)

@Gh0sti the N64 emulator has been around for a while- this is just a new hack to launch it.

@Armadillo yeah I was not thinking the end of DVD flashing but more the chance of a software flash, dodging the fun stuff like the mra hack, russian hack and kamikaze unlocks (it was theorised there has to be a developer backdoor and now we control software....) and/or key extraction.

Also others it seems a media player dropped- there were some proof of concept things way back when but this looks to be a more workable one.


----------



## Blebleman (Aug 29, 2011)

I'm actually surprised that this glitch doesn't seem to exist in the Xenon consoles!
I updated mine (yes, it's still alive) past the JTAG point a while ago.


----------



## FAST6191 (Aug 29, 2011)

Blebleman said:

> I'm actually surprised that this glitch doesn't seem to exist in the Xenon consoles!
> ...



Where did you read it was incompatible with xenon boards?


----------



## Blebleman (Aug 29, 2011)

FAST6191 said:

> Blebleman said:
> ...



Well, nowhere is it said explicitly _"This doesn't work on Xenon"_, but they enumerate the compatible models and Xenon isn't there.
[EDIT] In fact, I just read "Expect Xenon + Falcon support to show up later"

I guess they just didn't have one on hand.


----------



## ploggy (Aug 29, 2011)

From what I understand the current hack incorporates the hana (hdmi) chip so all non hdmi (ana chip) consoles will work with this method....yet.
and a rebooter must be written around this hack before FSD and other apps will load


----------



## wolffangalchemist (Aug 29, 2011)

All the interesting stuff always happens when my Internet goes out. Also, where is a tutorial for the Phat 360s? That tutorial is only for slims.


----------



## Armadillo (Aug 29, 2011)

FAST6191 said:

> @Gh0sti the N64 emulator has been around for a while- this is just a new hack to launch it.
> 
> @Armadillo yeah I was not thinking the end of DVD flashing but more the chance of a software flash, dodging the fun stuff like the mra hack, russian hack and kamikaze unlocks (it was theorised there has to be a developer backdoor and now we control software....) and/or key extraction.
> 
> Also others it seems a media player dropped- there were some proof of concept things way back when but this looks to be a more workable one.



Will have to keep my eye on the media player. Would like to see it eventually get to the point where it's comparable to XBMC on the original box, or even a port of XBMC would do me. Will definitely have to go to a slim or an old Jasper for it though.


----------



## Gh0sti (Aug 29, 2011)

So can MS update 360s to block this hack, or is it a pwn-for-life kind of hack? Seems like a difficult console to hack and a lot of hardware needed to do so. If anything, I would rather have a software hack to my system or a USB dongle.


----------



## Lube_Skyballer (Aug 29, 2011)

Gh0sti said:

> So can MS update 360s to block this hack, or is it a pwn-for-life kind of hack? Seems like a difficult console to hack and a lot of hardware needed to do so. If anything, I would rather have a software hack to my system or a USB dongle.



The hackers said that Microsoft cannot fix this problem with a software update. They would have to redesign the motherboard itself. So Microsoft is basically screwed.


----------



## GameWinner (Aug 30, 2011)

Gonna wait for a noob friendly method (Same for PS3) before I attempt this. Nice to see the 360 is opening up more in terms of hacking.


----------



## fgghjjkll (Aug 30, 2011)

Lube_Skyballer said:

> Gh0sti said:
> ...


Microsoft is NOT screwed. The effort it takes to set up this hack is a lot and only die-hard homebrew fans would take the time and money to set up this hack. It is risky and costly whereas a JTAG (assuming you have a compatible drive) doesn't take much effort to flash...


----------



## Fudge (Aug 30, 2011)

fgghjjkll said:

> Lube_Skyballer said:
> ...


I'm assuming you mean drive flashing, because JTAGing is as or even more difficult to accomplish than the reset glitch hack.


----------



## wolffangalchemist (Aug 30, 2011)

fgghjjkll said:

> Microsoft is NOT screwed. The effort it takes to set up this hack is a lot and only die-hard homebrew fans would take the time and money to set up this hack.


JTAG isn't all that hard if you have a proper tutorial and a set of steady hands/some minor experience soldering modchips.
The only problem I see people running into with JTAGing is not having a PC with a serial port.
Also, the effort it takes to flash a 360 DVD drive with hacked firmware is beyond most everyday people as well, if you are trying to say anyone can do it; I have people I have tried to show how who end up just paying me to reflash their drive when an update takes out the hacked firmware on their 360s.
Short story: most everyday people won't be attempting any kind of hacking anyway, and most people willing to learn how to hack things are going to be more open to soldering some wires here and there to a chip or two.


----------



## VashTS (Aug 30, 2011)

I am certainly going to get on board with this, but I need to find the funds to get the hardware to complete the mod. It seems pretty complicated for something that's not very advanced yet, so I will wait and see how it progresses (since I have to anyway).

I've done an MRA hack on a LiteOn 9; can't be any more troublesome than that I imagine.

Hey FAST, what are the parts costing for this? Got any links to buy it?


----------



## Armadillo (Aug 30, 2011)

From a quick look:

As you're in the US, you can grab the board here:
http://www.digilentinc.com/Products/Detail...8&Prod=CMOD

Although it's not shipping until the 9th.

If you want the programming cable, I'm not sure; I think it may be this http://www.digilentinc.com/Products/Detail...p;Prod=JTAG-HS1 or http://www.digilentinc.com/Products/Detail...p;Prod=JTAG-USB, but all the USB ones seem to be quite expensive, cheaper to just use the LPT option that they give you the diagram for.

USB SPI programmer: well, there are loads of commercial ones around from the JTAG hack (Xecuter's NAND-X, Maximus 360 NAND Flasher), and a few other places have smaller units based on this design here http://dev360.wikia.com/wiki/USB_Nand_SPI_Flasher
or you can just make your own (circuit diagrams and parts list are on there as well).

Other stuff is just standard components that you can get from pretty much anywhere (caps, sockets, male LPT plug etc).


----------



## VashTS (Aug 30, 2011)

So is there a chip that remains in the Xbox after this is done?

Also, anyone got a link showing off what JTAGs can do? I know it's a lot but I want to see it.


----------



## Armadillo (Aug 30, 2011)

VashTS said:

> So is there a chip that remains in the Xbox after this is done?
> 
> Also, anyone got a link showing off what JTAGs can do? I know it's a lot but I want to see it.



Yes, there is a chip that remains in the Xbox. The SPI programmer can be removed once you have written your hacked image to the NAND, but the XC2C64A CoolRunner-II CPLD has to remain in the Xbox to execute the hack.


JTAG videos: there are quite a few on YouTube. There isn't really anything too interesting though. They can run unsigned code (so you get region free, games from HDD, XBLA, DLC and homebrew), but there isn't that much homebrew stuff available, so most videos are just people showing alternative dashboards or just scrolling through lists of games.


----------



## Sc4rFac3d (Oct 11, 2011)

Anyone from Temp successfully achieved this new JTAG method yet?


----------



## Vinnymac (Dec 6, 2011)

The RGH method is ingenious. If you have any hesitation though, I suggest you pay to have it done. TBH it will only cost about $60-80 for the CoolRunner install, and if you were to do it yourself it would cost you even more money after buying the CoolRunner ($20), QSBs, and NAND-X, and other cables to update the NAND-X to v3.

Anyways, I am thinking of getting this done soon. Just waiting to find out if my Slim is going to be banned or not; if not, I'll just have it done to an older box.


----------

