__ ____ ___ ___ _____
/ _|_ __ ___ ___| __ ) / _ \ / _ \_ _|
| |_| '__/ _ \/ _ \ _ \| | | | | | || |
| _| | | __/ __/ |_) | |_| | |_| || |
|_| |_| \___|\___|____/ \___/ \___/ |_|
[v0.01 - coded by ikari]
I. Introduction
================
Finally, here it is - freeBOOT, a rebooter for the Microsoft Xbox 360. This
version of freeBOOT allows you to reboot into kernel 2.0.8498 on a Xenon
or Falcon console, which can be exploited by the JTAG hack. Support for
Zephyr, Opus, and Jasper consoles will follow shortly.
As freeBOOT needs a second flash memory to store kernel 2.0.8498 and
associated data, a Cygnos360 is required at the moment.
Read through the following instructions carefully. Building your own images
is yet a complicated task involving many steps. Future versions of freeBOOT
will be easier to build.
II. Instructions
================
1. Extract the contents of this archive to a directory of your choice. All
file and directory names in the proceeding steps will be given relative
to that directory.
2. Update your Xbox 360 to kernel 2.0.7371 (Fall 08 Update). If your Xbox 360
has already been updated to a newer kernel, you can proceed to the next
step.
You can download the update from:
http://www.xbox.com/en-us/support/systemus...stemupdates.htm
Follow the instructions on this site on how to apply the update. The
update process will not succeed with resistor R6T3 desoldered. Resolder
resistor R6T3 in that case before starting the update process.
3. If present, desolder resistor R6T3 to prevent any accidentally applied
update fixing the JTAG hack vulnerability.
4. Save an image of your flash memory to the file "bin\7371.bin".
5. In case you don't already know your Xbox 360's CPU key, retrieve it now.
There are various ways to accomplish this, but they will not be covered
here.
6. Launch the 360 Flash Tool included in this archive. It incorporates the
fixes proposed by arnezami and thus works with newer dashboard versions.
Aside from that, it can also extract the SMC configuration block.
Click on the "Keys" button and enter the generic 1BL key and the CPU key
matching your "bin\7371.bin" image. Once you have entered the keys, close
the application and launch it again.
Open your "bin\7371.bin" image next and click on the "Extract" button.
Select the options "Cx Sections", "Key Vault", and "Raw File System
(No Unpacking)" from the "Extract Flash" dialog. Choose "data" as output
directory.
7. Delete all files from the "data" directory except:
- crl.bin
- extended.bin
- kv.bin
- odd.bin
- secdata.bin
- smc.bin
- smc_config.bin
8. The remaining files necessary to build an image with kernel 2.0.8498 must
be extracted from an image of an updated Xbox 360, further on referred to
as "bin\other8498.bin". Please do *NOT* update your Xbox 360 to kernel
2.0.8498, otherwise you will loose the ability to run the JTAG hack and
freeBOOT.
Launch 360 Flash Tool included in this archive and click on the "Keys"
button again. Now enter the CPU key corresponding to the "bin\other8498.bin"
image. Afterwards, close the application and launch it again.
Open the "bin\other8498.bin" image next and click on the "Extract" button.
Select the options "Cx Sections", and "Raw File System (No Unpacking)"
from the "Extract Flash" dialog. Choose "tmp" as output directory.
9. Copy the following files from the "tmp" to the "data" directory:
- aac.xexp[1,2]
- bootanim.xex
- bootanim.xexp[1,2]
- cb_1940.bin
- cd_8453.bin
- ce_1888.bin
- cf_8498.bin
- cg_8498.bin
- createprofile.xex
- createprofile.xexp[1,2]
- dash.xex
- deviceselector.xex
- deviceselector.xexp[1,2]
- gamerprofile.xex
- gamerprofile.xexp[1,2]
- hud.xex
- hud.xexp[1,2]
- huduiskin.xex
- mfgbootlauncher.xex
- mfgbootlauncher.xexp[1,2]
- minimediaplayer.xex
- minimediaplayer.xexp[1,2]
- signin.xex
- signin.xexp[1,2]
- updater.xex
- updater.xexp[1,2]
- vk.xex
- vk.xexp[1,2]
- xam.xex
- xam.xexp[1,2]
- xenonclatin.xtt
- xenonclatin.xttp[1,2]
- xenonjklatin.xtt
- xenonjklatin.xttp[1,2]
- ximecore.xex
- ximedic.xex
- ximedic.xexp[1,2]
"[1,2]" means the file name contains either "1" or "2" at that position.
10. Rename the following files in your "data" directory:
- aac.xexp[1,2] --> aac.xexp
- bootanim.xexp[1,2] --> bootanim.xexp
- createprofile.xexp[1,2] --> createprofile.xexp
- deviceselector.xexp[1,2] --> deviceselector.xexp
- gamerprofile.xexp[1,2] --> gamerprofile.xexp
- hud.xexp[1,2] --> hud.xexp
- mfgbootlauncher.xexp[1,2] --> mfgbootlauncher.xexp
- minimediaplayer.xexp[1,2] --> minimediaplayer.xexp
- signin.xexp[1,2] --> signin.xexp
- updater.xexp[1,2] --> updater.xexp
- vk.xexp[1,2] --> vk.xexp
- xam.xexp[1,2] --> xam.xexp
- xenonclatin.xttp[1,2] --> xenonclatin.xttp
- xenonjklatin.xttp[1,2] --> xenonjklatin.xttp
- ximedic.xexp[1,2] --> ximedic.xexp
You can easily rename the files by entering "ren *p1 *p" or "ren *p2 *p"
at the command prompt.
11. Now you can build your kernel 2.0.8498 image with ibuild. To do so,
launch ibuild with the following parameters:
Xenon:
ibuild -console xenon -dir data\ -1blkey
-cpukey bin\my8498.bin bin\fuses.bin
Falcon:
ibuild -console falcon -dir data\ -1blkey
-cpukey bin\my8498.bin bin\fuses.bin
Enter both 16 byte keys as hexadecimal numbers without leading "0x". The
CPU key in this case is the one matching your "bin\7371.bin" image. When
ibuild completes successfully, you will find two new files in the "bin"
directory. The file "bin\my8498.bin" contains your newly build kernel
2.0.8498 image, that will be booted by freeBOOT. The file "bin\fuses.bin"
contains the virtual fuse settings used by freeBOOT. Please do not mix
images and virtual fuses of different ibuild runs, it won't work
otherwise.
12. In order to build the freeBOOT image, Python is needed. If you already
have Python installed, you can proceed to step 13.
The easiest way to run Python scripts under Windows is to install Cygwin.
You can download the Cygwin setup from here:
http://www.cygwin.org/cygwin/
Install Cygwin to any directory of your choice along with the these
packages:
- python
- python-crypto
13. Open "build.py" with a text editor and look for these two lines:
# you need to fill in this
secret_1BL = None
Replace "None" with the 1BL key. This example shows you the format
in which the key has to be entered. The key itself is wrong.
secret_1BL = "\x01\x0F\x0E\x0C\x0E\xD6\x69\xE7\xB5\x67\x94\xFB\x68\x56\x3E\xFA"
14. The freeBOOT image can now be built. Open a Cygwin shell and change to the
directory where you extracted the contents of this archive into. Launch
the Python build script with the following parameters:
Xenon:
python build.py bin/xenon_hack.bin
Falcon:
python build.py bin/falcon_hack.bin
The "bin\xenon_hack.bin" and "bin\falcon_hack.bin" images are standard
JTAG hack images and can be found at the usual places.
15. Program "bin\my8498.bin" to the Cygnos360 flash memory and "bin\hack.bin"
to the Xbox 360 flash memory.
16. Power on your Xbox 360. If everything went correctly, you should see the
blue LED light up a few seconds later, followed by the usual boot
animation. If you power on your Xbox 360 with the DVD tray eject button,
XeLL will be loaded instead.
III. Credits
============
Writing freeBOOT would not have been possible without the great work done by
many hackers. Kudoz to arnezami, Redline99, Robinsod, SeventhSon, Tiros,
tmbinc, xorloser, and anyone else I may have missed.
IV. What's next
===============
Features planned for the next release(s):
- support for all consoles
- update to the latest kernel
-----
ikari, 2009/10/15
BakerMan
I rather enjoy a life of taking it easy. I haven't reached that life yet though.
