Guide for installing JTag hack and XBReboot

Discussion in 'Xbox 360 - Games & Content' started by moosh01, Dec 29, 2009.

Dec 29, 2009
  1. moosh01 (OP), GBAtemp Fan, joined Nov 9, 2008, 306 messages, United States
    Before you even start, go to System Settings -> Console Settings -> highlight System Info but don't press A. On the right it will show your dashboard. If it's 2.0.8XXX.0 (X being any number), then currently you cannot do this.



    Those consoles you see in tutorials or on YouTube that say they are on the 8955 dash are there because, before the update, they were on a dash lower than 8XXX.

    XBRebooter is a modified version of 8955 and will display as 8955 in the system menu.

    But again, they are on this dash AFTER the mod but NOT before.

    As of now, if you are already on stock 8955 there is no way to JTAG your system, but have hope for the future.

    Reading Nand:

    Requirements

    First of all, you'll need soldering skills. If you've never used an iron before, you honestly should train on a different, less expensive object. This won't be much harder than adding a modchip to a console anyway.

    You'll also need the following things:

    At least one 32-bit PC and an LPT (parallel) port

    More PCs with different mainboards are helpful, since on some boards parallel ports were neglected in development due to the increasing success of USB. Therefore quite old boards SEEM to work better. Someone even used an old 386 for this hack.

    With NandPro2 (we'll talk about this later) comes a driver for 32-bit systems only, port95nt.exe. There is a 64-bit port on the Internet, but no one has proven that it works with NandPro2. Since many 64-bit systems don't even have a parallel port, this shouldn't bother too many people.

    Windows 95 or better

    Sorry, that doesn't mean Linux yet. It even seems to work with Windows Vista 32-bit and Windows 7 32-bit, but you might need to turn on Windows XP Compatibility Mode and run it with administrator rights. There aren't many reports on that yet, however. You should prefer an XP or earlier system: XP, 2000(?), Me, 98, or 95.

    An old LPT cable no-one will miss

    Openable plug housings with screws/clips will make your life easier. Alternatively, use a bare DB25 male connector and wire.

    As already mentioned: Soldering skills, tools and so on...

    3 × diode BAT41 or 1N4148

    There are several diodes you can use. People on xboxhacker.net had the best experiences with BAT41.

    5 × 100–120 Ω resistors

    *not a must-have, but it'll protect your box

    30 AWG wire

    Voltmeter and continuity tester

    NandPro2.0b by Tiros: http://www.megaupload.com/?d=MBIFUWUU

    XBRebooter bin for your motherboard

    Xenon: http://www.megaupload.com/?d=UCZSAZX4
    Xenon 1921: http://www.megaupload.com/?d=JVW65QXY
    Zephyr: http://www.megaupload.com/?d=YSNUB59N
    Falcon: http://www.megaupload.com/?d=JDBEW8KK
    Jasper: http://www.megaupload.com/?d=0T9OM30J

    Place this file in the same directory as NandPro and rename to XBR.bin


    Hex Workshop: http://www.megaupload.com/?d=3VUUGC9B
    360 Flash Tool: http://www.megaupload.com/?d=SS8SXW0X
    Degraded 1.1: http://www.megaupload.com/?d=Y8065XV5



    Step 1: Preparing the cable

    For this step we will use a standard LPT cable. There is a mod using a DB25 connector and Cat5 cable, but for this guide we will just be using the LPT cable.


    First, cut off the female end, so you get a cable with a DB25 connector at one end and loose wires at the other.

    Now you need to trace the wires in the cable. If you've got a cable with openable plug housings, you're in luck: just open the housings and compare single wires with those on the loose end. Otherwise it's time for your continuity tester. You will need to know which wire goes to which pin at the end. Write down the colour of the wire attached to each pin. Since there are only seven needed wires, you don't have to trace every wire. The following pins need to be connected: 1, 2, 11, 14, 16, 17, 18. In case a pin isn't connected, just resolder a wire from an unneeded pin (e.g., 15) to the needed one (e.g., 14).




    After you've done that, you can cut the unneeded wires at the loose end so they won't bother you while soldering. Strip a small amount of insulation (5 mm should be plenty) from the end of each of the other wires, and twist the loose strands inside together. Tin each wire, so that you get nice and sweet clean wires.


    Step 2: Preparing the board and Soldering everything

    After opening your box and removing the DVD-ROM drive, fan shroud, etc., you should have a clear view of the board. Now it's time to locate the solder pads of J1D2 (red) and J2B1 (blue).

    [Image: http://img198.imageshack.us/img198/4507/locationnoqa.jpg]


    You will have to establish the following connections:

    [Image: http://www.abload.de/img/connectiontableaolh.jpg]

    "Component" means that you will have to add the resistor or diode between those two points. I suggest that you first solder the component on the board and after that the wire to the component. The diode's black ring has to be in the direction of the Xbox board. By "screwhole", we mean a screwhole. (The ground (or "earth") connection we're using is also present on J1D2.6 and J2B1.12, but those are difficult to solder.) Solder the wire from DB25.18 to one of those big reddish rings (where the long screws go through the DVD-ROM drive legs), and fix it with insulation tape (NOT DUCT TAPE! Otherwise you will damage your Xbox). It is important that you solder the diode directly to the board. It won't work if it's in the plug housing!

    This is how you count on a board:

    [Image: http://img4.abload.de/img/howtocount5y02.jpg]

    The square is always 1, in this case J2B1.1. Also, notice the white dot near pin 1 and the labels near pins 2, 12, and 13.


    Another diagram (including LPT & JTAG connections). The LPT wiring will be the same for all boards, but the JTAG wiring will vary between board revisions.

    [Image: http://img697.imageshack.us/img697/9356/spijtagdiagramzephyrfal.png]

    Step 3: Checking everything

    Checklist:

    * Is every wire connected to the correct pin?
    * Are there any short circuits or doubly connected wires?
    * Have you taken everything out of the box that doesn't belong in there?

    When you've checked that, plug the parallel cable into your turned-off computer, the power supply into your Xbox, and the power cable into the power outlet.

    Step 4: Setting up your PC

    Turn on your PC. It's possible that your Xbox will turn on, too. Don't worry, just leave it turned on. As long as it doesn't start to smoke, smell, or do anything else weird, it will be fine. Later on, it should turn off the fans on its own, but the LEDs will remain blinking. If it doesn't turn on: don't worry, it doesn't have to be turned on while reading the NAND.

    Go to the BIOS settings and search for LPT mode settings. Tiros recommends SPP/Normal mode in his help file (Nandpro.txt), but the mode doesn't actually appear to matter. If you're having trouble in the next step, give a different mode a try. After you have done that, save settings and leave BIOS. Boot up Windows.

    Now the time has come to unpack NandPro2. In the archive you'll find port95nt.exe (driver) and some other files (e.g. NandPro.exe). Install the driver. If you're using Vista or higher, you might have to turn on XP Compatibility Mode, as already mentioned. To install it, just double-click on it and walk through the setup. There shouldn't be any error messages. Then: reboot.


    Step 5: Reading/dumping the NAND

    Open up Windows Command Prompt (press Windows Key + R to open up Run. Type cmd and press Enter).

    Navigate to NandPro's installation directory by using common commands (cd, dir, and the TAB key for auto-completion).

    Then type nandpro.exe lpt: -r16 nand1.bin and press Enter. If everything's fine, it should output this:

    Testing LPT device address:0378 - address can differ
    Using LPT device at address:0378 - address can differ
    FlashConfig:01198010 - must be the same
    Starting Block:0x000000
    Ending Block:0x0003FF

    Starting and ending should be as shown here if you want to read the whole flash.

    Press any key to continue. It should start to count up addresses. If it starts to output stuff like "Error 0 .. blah blah" something's wrong. Recheck wiring, change LPT mode, or try a different computer. It is possible that there are one or two bad blocks on your NAND (error 25x), so don't worry if you get that error once or twice.

    Well, the reading (dumping) process will take about half an hour. Unfortunately, we will need at least two dumps to check whether there are really no failures in your dump. So once NandPro has finished dumping, press the up arrow key (or retype the command), CHANGE THE FILENAME TO NAND2.BIN, press Enter, and dump it a second time.

    When NandPro2 has finished the second dump without errors, you can either make a third or close the command-line.

    Step 6: Checking for errors

    First, open up the files with 360 Flash Tool. If it looks like in the picture beneath this, everything should be fine. If an error message "Couldn't open file" pops up, something went wrong.

    [Image: http://www.abload.de/img/360flashtool4ld2.jpg]

    Check with Hex workshop
    Start up Hex Workshop. Choose tools -> Compare -> Compare Files. A new window will open. Select both files and click on OK. If they are identical you are done with this.

    If not, search for errors in wiring etc. or try a different PC.

    While 360 Flash Tool will show you the content of the NAND, it's not a conclusive check of whether the integrity is good: it's possible to get a "thumbs up" from the utility even if you have corrupted (and, more importantly, vital) blocks. A much better check is to run the resulting image through Degraded v1.1, which will highlight any errors.

    Check with Degraded
    Run Degraded and click settings, enter DD88AD0C9ED669E7B56794FB68563EFA.
    After you set the key click Valid next to it and set the File System Start to 39. Click ok.
    Open orig.bin
    If you get "cannot read file", you must edit the orig.bin file.
    Make a copy of it, origcopy.bin and open it up in your hex editor. At offset 0x0012 , you will see 2004 - 2007 Microsoft Corporation...
    Change it to : 2004 - 2005 Microsoft Corporation and it will open with Degraded.

    If your NAND has bad blocks it will look like this:

    [Image: http://www.infectus.biz/INFECTUS-BOOK/Tutorial_Eng/Xbox360/Timing_Attack_Infectus/File/Bad_Block_DUMP.jpg]

    Note in this example that the bad block information has been located elsewhere, so you *should* be okay. Even so, it's advisable to run a second dump through the utility and see whether this has a bad block (and relocated) in the exact same address.


    A good NAND dump might look like this:

    [Image: http://www.infectus.biz/INFECTUS-BOOK/Tutorial_Eng/Xbox360/Timing_Attack_Infectus/File/Degraded_1.jpg]

    If you get this, your NAND dump is about as good as it's gonna be. Only now, after all this work, can you be sure it is even exploitable. Check which version of CB you have.

    Exploitable CB versions:
    1888, 1902, 1903, 1920, 1921: exploitable Xenon
    4558: exploitable Zephyr
    5761, 5766, 5770: exploitable Falcon
    6712, 6723: exploitable Jasper

    NON-Exploitable CB Versions: (CD = 8453 for all of them)

    Xenon: 1922, 1923, 1940
    Zephyr: 4571, 4572, 4578, 4579
    Falcon/Opus: 5771
    Jasper: 6750

    Disconnect the LPT from the computer. If your CB is exploitable, continue to the JTAG installation.


    Installing JTAG Hack

    This mod allows for writing to the NAND.
    There are several variations of the JTAG wiring depending on which motherboard you have.
    Requirements:

    2 diodes
    30 AWG wire

    Xenon:
    [Image: http://img15.imageshack.us/img15/6074/fdjmi.png]

    Falcon, Zephyr, Opus & Jasper:
    [Image: http://img4.imageshack.us/img4/371/diagramv.jpg]

    All the diodes used are "switching diodes". Some that are known to work are: BAT41, 1N4148 or 1N4153.

    Creating/Writing patched XBRebooter

    Now connect the LPT to the computer and turn it on. There is no need to turn on the Xbox now either.
    Open a command prompt (Windows + R, type CMD, hit Enter).
    Navigate to your NandPro directory.

    Step 1) Extract KV and Config blocks from orig.bin
    Type these commands into command prompt:
    nandpro orig.bin: -r16 rawkv.bin 1 1
    nandpro orig.bin: -r16 rawconfig.bin 3de 2

    You can also do this 2 times and compare with Hex Workshop to ensure a good dump. Just the second time use
    nandpro orig.bin: -r16 rawkv2.bin 1 1
    nandpro orig.bin: -r16 rawconfig2.bin 3de 2

    Step 2) Inject those blocks into XBR.bin
    nandpro XBR.bin: -w16 rawkv.bin 1 1
    nandpro XBR.bin: -w16 rawconfig.bin 3de 2

    Step 3) Flash Your Custom Patched XBRebooter
    nandpro lpt: -w16 XBR.bin

    Then you need to do a "true" power cycle. In order to do this you must unplug the Xbox 360 and wait 5-10 minutes for all volatile memory to be erased. This prevents conflicts from corrupting the newly written NAND.
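The checks the guide above does by hand (comparing two dumps in Hex Workshop, reading the CB version, and the three nandpro extract/inject commands), as an added Python example. This is not code from the original post, from NandPro or from XBReboot. It assumes NandPro's -r16 layout of 512 data bytes plus 16 spare bytes per page, 32 pages per block and 0x400 blocks; a flash header at offset 0 whose big-endian u32 at 0x08 points to the CB header; and a 2BL build number as the big-endian u16 two bytes into that header. The sample image it builds is constructed test data, not a real NAND; it also ignores bad-block remapping, so a dump with relocated blocks (the Degraded screenshot case) needs the relocation resolved before the header parse is meaningful.

```python
# Added example (not from the post, NandPro or XBReboot). Assumes NandPro's -r16 layout:
# 512 data + 16 spare bytes per page, 32 pages per block, 0x400 blocks; flash header at 0
# (magic 0xFF4F, big-endian u32 CB pointer at 0x08); 2BL header "CB" with u16 build at +2.
import struct

PAGE_DATA, PAGE_SPARE = 512, 16
PAGE_RAW = PAGE_DATA + PAGE_SPARE          # 528 bytes per page in a -r16 dump
PAGES_PER_BLOCK = 32
BLOCK_RAW = PAGES_PER_BLOCK * PAGE_RAW     # 0x4200: one block as nandpro addresses it
BLOCK_DATA = PAGES_PER_BLOCK * PAGE_DATA   # 0x4000: the same block with spare bytes removed
NAND_MAGIC, CB_MAGIC = 0xFF4F, b"CB"

# CB builds exactly as listed in the post; anything else is "unknown", never assumed safe.
EXPLOITABLE_CB = {1888: "Xenon", 1902: "Xenon", 1903: "Xenon", 1920: "Xenon",
                  1921: "Xenon", 4558: "Zephyr", 5761: "Falcon", 5766: "Falcon",
                  5770: "Falcon", 6712: "Jasper", 6723: "Jasper"}
PATCHED_CB = {1922: "Xenon", 1923: "Xenon", 1940: "Xenon", 4571: "Zephyr", 4572: "Zephyr",
              4578: "Zephyr", 4579: "Zephyr", 5771: "Falcon/Opus", 6750: "Jasper"}

def strip_spare(raw):
    """Drop the 16 spare bytes after every page, leaving the logical image."""
    if len(raw) % PAGE_RAW:
        raise ValueError("raw dump is not a whole number of 528-byte pages")
    return b"".join(raw[i:i + PAGE_DATA] for i in range(0, len(raw), PAGE_RAW))

def differing_blocks(raw_a, raw_b):
    """Block numbers where two dumps disagree; the guide's Hex Workshop compare wants []."""
    if len(raw_a) != len(raw_b):
        raise ValueError("dumps differ in length; one read stopped early")
    return [b for b in range(len(raw_a) // BLOCK_RAW)
            if raw_a[b * BLOCK_RAW:(b + 1) * BLOCK_RAW] != raw_b[b * BLOCK_RAW:(b + 1) * BLOCK_RAW]]

def parse_header(img):
    """Flash header at offset 0: magic, build, qfe, flags, CB offset, then copyright at 0x10."""
    magic, build, _qfe, _flags, cb_offset = struct.unpack_from(">HHHHI", img, 0)
    if magic != NAND_MAGIC:
        raise ValueError(f"bad flash header magic {magic:#06x}")
    text = img[0x10:0x50].split(b"\0", 1)[0].decode("latin-1")
    return {"build": build, "cb_offset": cb_offset, "copyright": text}

def cb_version(img):
    """Follow the header's CB pointer and read the 2BL build number."""
    off = parse_header(img)["cb_offset"]
    if img[off:off + 2] != CB_MAGIC:
        raise ValueError(f"no CB header at {off:#x}")
    return struct.unpack_from(">H", img, off + 2)[0]

def classify_cb(version):
    """(board, exploitable) from the post's tables; None means the build is not listed."""
    if version in EXPLOITABLE_CB:
        return EXPLOITABLE_CB[version], True
    if version in PATCHED_CB:
        return PATCHED_CB[version], False
    return "unknown", None

def extract_blocks(raw, start, count):
    """Same bytes as `nandpro dump.bin: -r16 out.bin <start> <count>`."""
    return raw[start * BLOCK_RAW:(start + count) * BLOCK_RAW]

def inject_blocks(raw, start, blocks):
    """Same effect as `nandpro image.bin: -w16 blocks.bin <start> <count>`."""
    end = start * BLOCK_RAW + len(blocks)
    if len(blocks) % BLOCK_RAW or end > len(raw):
        raise ValueError("block data is not block-aligned or runs past the image")
    return raw[:start * BLOCK_RAW] + blocks + raw[end:]

def transplant_kv_and_config(orig_raw, xbr_raw):
    """The post's recipe: KV is block 1, console config is the two blocks at 0x3DE."""
    patched = inject_blocks(xbr_raw, 1, extract_blocks(orig_raw, 1, 1))
    return inject_blocks(patched, 0x3DE, extract_blocks(orig_raw, 0x3DE, 2))

def make_sample_dump(cb_build, tag, cb_offset=0x8000, blocks=0x400):
    """Constructed test image, not a real dump: header + CB header only, blocks 1 and
    0x3DE-0x3DF filled with `tag`, every spare area 0xFF (no real ECC or bad-block map)."""
    img = bytearray(b"\xff" * (blocks * BLOCK_DATA))
    struct.pack_into(">HHHHI", img, 0, NAND_MAGIC, 0, 0, 0, cb_offset)
    img[0x10:0x50] = b"\xa9 2004-2007 Microsoft Corporation".ljust(0x40, b"\0")
    img[cb_offset:cb_offset + 4] = CB_MAGIC + struct.pack(">H", cb_build)
    for b in (1, 0x3DE, 0x3DF):
        img[b * BLOCK_DATA:(b + 1) * BLOCK_DATA] = bytes([tag]) * BLOCK_DATA
    return b"".join(bytes(img[i:i + PAGE_DATA]) + b"\xff" * PAGE_SPARE
                    for i in range(0, len(img), PAGE_DATA))

if __name__ == "__main__":
    orig, xbr = make_sample_dump(5770, 0x11), make_sample_dump(5770, 0x22)
    print("blocks differing between two reads:", differing_blocks(orig, orig))
    ver = cb_version(strip_spare(orig))
    print("CB build", ver, "->", classify_cb(ver))
    patched = transplant_kv_and_config(orig, xbr)
    print("KV carried over:", extract_blocks(patched, 1, 1) == extract_blocks(orig, 1, 1))
```

On a real pair of dumps, `differing_blocks(open("nand1.bin","rb").read(), open("nand2.bin","rb").read())` is the block-level version of the Hex Workshop compare: a non-empty list names the blocks to re-read rather than just saying the files differ. `classify_cb` deliberately returns None for builds the post does not list, so a console is never reported exploitable on the strength of a lookup miss.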
     
  2. ZeWarrior, TheWarrior, joined Jul 2, 2007, 2,810 messages, Brazil
    I'm 99% sure I've seen this EXACT guide somewhere, down to every word. Give credit where credit is due, bro. Don't steal other people's things.
     
  3. retiredjerk, GBAtemp Regular, joined Dec 7, 2006, 251 messages
    Either way, kickass guide. Been looking for this.
     
  4. moosh01 (OP), GBAtemp Fan, joined Nov 9, 2008, 306 messages, United States
    Yeah, I did not write this, just cleaned it up a bit and posted it here because I haven't seen any guides for this on GBAtemp.
    Credit goes to belenos.
     
  5. djricekcn, GBAtemp Advanced Fan, joined May 29, 2009, 792 messages, United States
    Unless I overlooked it, you need to mention that you need a console made before June 2009 due to a new bootloader. Not 100% confirmed, but the earlier the Jasper the better for this.
     
  6. moosh01 (OP), GBAtemp Fan, joined Nov 9, 2008, 306 messages, United States
    The guide mentions which dashboard kernel you need to have.
     
  7. djricekcn, GBAtemp Advanced Fan, joined May 29, 2009, 792 messages, United States
    I was talking about the bootloader, not the kernel.
     
