1. lisreal2401

    But instead, desoldering the CPU!

    If you can find a CPU literally never used on any 360 before... well, it's a thing

     
    Aew4life and brickmii82 like this.
  2. brickmii82

    Theoretically this chip swap makes Winchesters hackable
     
    Aew4life likes this.
  3. lisreal2401

    You could find an unused XCGPU - though, have fun with that
     
    Aew4life and brickmii82 like this.
  4. The Real Jdbye

    This doesn't seem very practical. I can't imagine swapping the chip is an easy job, if you can even find a 0 fuse CPU. Not that the RGH install is easy either, but at least it's only like 10 wires, and only a few of the points look difficult. But cool nonetheless.
     
  5. aadz93

    Yes, this is entirely possible. On original phats, you can still find NOS CPUs for the 360 which have all fuses intact (hint: China). You still need RGH so you can boot a (really old) XDK recovery so you can flash a valid (earliest Jasper recovery = 7776.1) fuseset, then update to 4532, then JTAG, or set the fuseset as a devkit. Remember, once you set the fuse to retail or dev, that's it, no going back. (Note: don't flash a fuseset for a dash earlier than what the mobo was released with.)

    There used to be services back in the day that did this for a little while, but they're gone now. Plus, https://ps3specialist.com/ is a scam; they just steal your console, unfortunately.

    That's where this thread came from...
    https://gbatemp.net/threads/downgrade-slim-by-cpu-swap.537899/


    https://www.alibaba.com/product-det...l?spm=a2700.7724838.2017115.14.32c7b167x4E0jK

    Jasper CPU:
    https://www.alibaba.com/product-det...spm=a2700.galleryofferlist.0.0.6c4c54c8NeuP4o


    It'd be worth swapping a Jasper to have a big block JTAG.


    This is what a CPU swap looks like, via XeLL (RGH)
    [​IMG]


    Also, you can swap the CPU from a known JTAGgable or JTAGged unit if you already have its CPU key, or a copy of its stock NAND.
     
    Last edited by aadz93, Sep 2, 2020
    Aew4life and contezero like this.
  6. aadz93

    So I did a bit more research. To set the fuses, you have to RGH2 and boot into a dev kernel; from there you can load a recovery to set up the CPU as a devkit or retail, and it will then generate keys accordingly. I've also read that you have to use the old bootloaders, since it gets the CB LDV from whatever version fusion is running... if you want a retail JTAGgable state.

    Since I have a big block Jasper, I can turn it into a devkit by swapping the CPU (you need 64 MB of NAND for this), but I have to jump through hoops to run retail dash and connect online (plus stealth tends to cost more on devkits).


    It's the only way to hack a Winchester.
     
    Last edited by aadz93, Aug 31, 2020
    Aew4life likes this.
  7. Deleted User


    So..... can this ONLY be done by getting a CPU from some Chinese vendor and getting someone to install it for all the awkward stuff above, or should it be possible to force CPUs to 0x0?
     
  8. aadz93

    Doing this will allow you to have a CPU with no eFuses set (they come from the factory with only 1BL installed; eFuses would be burnt before packing a completed unit for sale). Using RGH, this allows you to boot a devkernel, from which you can run a recovery, from which you can flash a devkit fuseset or a retail one. LDV is set based on what version of recovery is used, so you would use the oldest recovery made for the specific mobo, burn the fuses, and have a JTAGgable dash, devkit. It is the only way to exploit a Winchester. This is a one-shot thing, so you have to get it right the first time.

    I've seen some people who tried to do a retail flash; it worked, but as a devkit with "retail" keys. Remember, you only get one try to burn eFuses.
     
    Last edited by aadz93, Sep 1, 2020
    Aew4life likes this.
  9. brickmii82

    It’s not the fuses, it’s the lack of POST out that stops the Winchester RGH. No one’s said it, but the Winchester CPUs have POST fuses they burned after debugging, so all POST out is disabled. No POST = no timing.

    This is an educated theory. I also believe there may be a possibility of a kamikaze style attack on the chip to re-enable post 4 where the attack is timed off of. Probably near impossible, but let’s be honest. Some of the stuff these devs come up with borders on impossible.

    I’m not trying it tho lol.
     
  10. aadz93

    You have to CPU swap a Winchester to RGH; that's what 15432 did, because POST out is disabled.
     
    Aew4life and DinohScene like this.