Print

[Looouky]

Please refer to following threads and topics for installing the jtag and information purposes before proceeding here. Since what I write here is based a lot on this topics and threads. Actually a lot is plagiarized from there, so thanks go out to those guys.


http://forums.xbox-s...howtopic=698328

http://forums.xbox-s...howtopic=698328

This method has been tested and was successful on a Zephyr XBOX, but should work on every version.

The very first thing you need to check, is your xbox kernel.

• Turn on your xbox and go to console settings.
• Go to system info, the kernel version is on top right.

If you have kernel 2.0.7371.0 or lower, there is one more check to do, which requires you to read the nand chip with a homemade lpt nand reader.  Or a usb spi flasher.

For the usb spi follow the following two schematics,
since they are more updated then the google document.



http://img39.imagesh...schemaeigen.jpg

** There is no other 100% way of knowing your CB version without reading the nand.



Follow these steps to read your nand You have a Exploitable Box :

• Make sure port95nt.exe is installed, if it's not, install it (from nandpro20b folder) you might need to reboot.
• Plug your 360, but don't power it on.
• Plug the lpt cable or your usb spi
• Go to the nandpro20b folder and type :
• nandpro lpt: -r3 c1.bin or nandpro usb: -r c1.bin (from here on we will use lpt)
• Read your nand a second time, so type: nandpro lpt: -r3 c2.bin
• Compare your dumps by typing the following command: fc c1.bin c2.bin /b
• If differances where found type the following command: nandpro lpt: -r3 c3.bin
• Then compare your second and thrid dump: fc c2.bin c3.bin
• use the 2 that match, if c2 and c3 match rename c3.bin to c1.bin

Now open up c1.bin in a hex editor (free hex editor) and you should see

QUOTE

© 2004-200X Microsoft Corporation. All rights reserved.

X = 5, 6, 7, 8 or 9 (depending on what dash you have/when your console was made).

now search in hex for "CB" (without quotes) your looking for the one at or around 8400 in hex (it has to be in caps).
copy the 4 hex digits after it and convert it from hex to dec with this Conveter
Like This

Xenon: 1921 or lower is Exploitable (exception: 8192 IS EXPLOITABLE)
Zephyr: 4558 or lower is Exploitable (exception: 4580 IS EXPLOITABLE)
Falcon: 5770 or lower is Exploitable
Jasper 16mb: 6712 or lower is Exploitable
Jasper Arcade (256/512): 6723 or lower is Exploitable

If your XBOX is explotiable proceed with installing the jtag and protecting the fuses.

The XENON soldering can be found here:

http://i.imgur.com/Fdjmi.png

For Zephyr, Falcon, Opus & Jasper here:

http://pictures.xbox...e60/diagram.jpg

And to protect your cpu fuses it is recommended you do as depicted in the following images:If U6T1 is installed
http://img121.images...t3alternate.jpg

If U6T2 is installed
http://img705.images...jasperefuse.jpg

for more info refer to the following topic:

http://www.xboxhacke...p?topic=13658.0

Installing XELLOUS and getting NAND BACKUP.

Now with the jtag installed we are going to proceed on installing xellous and using the new HTTPD to download the nand backup.

First you need to download the right versions of XELL and XELLOUS otherwise this will not work.

For XELL you need the free60 versions that are specific to each motherboard and are about 1.5 mb in size.

And XELLOUS at the time of writing this was at version 1.0. Both XELL and XELLOUS should be downloaded from the usual places.


Backup your kv and config with the following commands.

Dumping KeyVault

To dump your keyvault from nand (This is the same for all motherboard versions):
Nandpro lpt: -r16 kv.bin 1 1
Dump this a couple times and compare them.


Dumping Config

To dump your Config from nand:
Nandpro lpt: -r16 rawconfig.bin 2de 2
Dump this a couple times and compare them.

For 256/512 Jaspers its:
nandpro 1.bin: -r256/-r512 config.bin ef7 2

Now flash the free60 version of XELL for your specific motherboard with the following command.

i.e. for zephyr
   
nandpro lpt: -w16 zephyr_hack_updxell.bin 0

i.e. for jasper

nandpro lpt: -w256/-w512 jasper_6723_hack_for_256mb_512mb.bin 0

Then flash your KV with the following command, it's the same for all versions of motherboards:

nandpro lpt: -w16 kv.bin 1 1

It's very import for you to flash your key otherwise you will not be to dump or flash your nand through XELLOUS.

Now let's update the XELL version of freeb60  to XELLOUS:

Don't not proceed with this step unless you have flashed freeboot60 XELL and your KV.

Flash XELLOUS with the following command it's the same for all motherboard versions:

nandpro lpt: +W16 xell-1f.bin 30

Backing up the nand:
This is the good part now....

Unplug XBOX let it sit for 30 seconds.

Connect it to your TV via component Cable and connect it to your network via the back RJ45 jack.

Power on the XBOX via the various methods to boot into XELL, I don't remember exactly which one worked. It might of boot into XELL straight of the power button actually.
I can't remember though.

Once in XELL you should see a screen that resembles the following:



Take a picture so that you have a record of your cpu key and dvd key.

Note the address of the HTTPD.

Leave XBOX on and go to your computer.

Using firefox open the httpd address.

If done correctly you should screen like this one.



Under Raw flash click download and save it to your nandpro folder naming the file 1.bin
Dump this a couple times and compare them.

FLASHING XBReboot:

rename xbr bin for your motherboard version to updflash.bin and put it in your nandpro folder.


Now make your nand backup complete with the following command:

nandpro 1.bin: -w3 c1.bin

And update xbr with your key and config.

For KV:

nandpro updflash.bin: -w16 kv.bin 1 1

or

nandpro updflash: -w256/-w512 kv.bin 1 1

For Config:

nandpro updflash.bin: -w16 config.bin 3de 2

or

nandpro updflash.bin: -w256/-w512 config.bin ef7 2


Copy updflash.bin to the root of usb drive formatted as Fat/Fat32.

Ensure XBOX is off, Plug usbdrive and turn the xbox on so that it boots into XELLOUS and watch it flash your nand.

Follow the on screen instructions. When power cycling ensure XBOX is unplug and off for 30 seconds.

Notes:

Please beware that a dvd drive needs to be plug in for booting into XELL, at lease the small black power cable.
However SATA from dvd drive does not need to be.

from XELLOUS release

USB Notes:
    For best results of getting the usb device detected. Remove the power plug from the console
    after running the MS dashboard. Then reinsert the power plug, insert usb device and then
    boot into XeLLous.
   
    Reading 66MB (updflash.bin) can take a few minutes, be patient while it loads to ram.


Thanks goes out to the whole scene, too many to mention. Special thanks goes out to BlackSteel though for providing the virgin XBOX.

If anybody wants to repot the thread and make more presentable by all means.

[dcourtney]

thankyou very much for the detailed guide I'm actually trying to do this on a virgin 512mb jasper now!

I am running into a problem though. I can flash xell fine and it boots without my keyvault inserted (does give me an error though telling me it can't read kv)

However when I insert my kv.bin file (which I had dumped and compare multiple times) via lpt xell no longer boots and I end up with a 3 red lights flashing.

Any idea what may of gone wrong here?

Edit: ok seem to be having more luck if I insert the kv.bin into the xell.bin before flashing. Might be worth noting as an option in the tutorial?

Edit2: Up and running (IMG:style_emoticons/default/smile.gif) Other than the small problem with the KV this guide was fantastic thanks again for taking the time to prepare it.

This post has been edited by dcourtney: Jan 24 2010, 10:53 AM

[welshkid]

QUOTE

Dumping Config

To dump your Config from nand:
Nandpro lpt: -r16 rawconfig.bin 2de 2
Dump this a couple times and compare them.

For 256/512 Jaspers its:
nandpro 1.bin: -r256/-r512 config.bin ef7 2

is the 256/512mb command here correct?

QUOTE

Now let's update the XELL version of freeb60 to XELLOUS:

Don't not proceed with this step unless you have flashed freeboot60 XELL and your KV.

Flash XELLOUS with the following command it's the same for all motherboard versions:

nandpro lpt: +W16 xell-1f.bin 30

Should that be -w16 ?

QUOTE

And update xbr with your key and config.

For KV:

nandpro updflash.bin: -w16 kv.bin 1 1

or

nandpro updflash: -w256/-w512 kv.bin 1 1

256/512mb should be updflash.bin ?

QUOTE

rename xbr bin for your motherboard version to updflash.bin and put it in your nandpro folder.


Now make your nand backup complete with the following command:

nandpro 1.bin: -w3 c1.bin

what is the "1.bin" you have referenced in your posts?


Want to make sure I get it right before going through with everything
cheers

[Looouky]

QUOTE

nandpro updflash: -w256/-w512 kv.bin 1 1

Should be.

QUOTE

nandpro updflash.bin: -w512 kv.bin 1 1

or

QUOTE

nandpro updflash.bin: -w256 kv.bin 1 1

To be honest tough you can use  nandpro updflash.bin: -w16 kv.bin 1 1
it really does matter how big your nand is that will work for every console.

In terms of:

QUOTE

nandpro lpt: +W16 xell-1f.bin 30

This how I have always seen the command and how I have always used, and it has never given me an issue.


The 1.bin is a complete back of your original nand, that you should keep for safety reasons. You download from the XELLOUS webpage once you have XELLOUS up and running, it will tell you the web address. The page should look like this:

(IMG:http://img51.imageshack.us/img51/4725/xellousscreen.png)

For downloading it make sure you do it 2 or 3 times, it`s very quick anyhow, and name them as follows 1.bin, 2.bin, 3.bin. Ensure as well that you make dumps complete by running the following command.

nandpro -w3 1.bin: c1.bin


Thanks for the feedback and sorry for the typo.

QUOTE

nandpro updflash:

should of been:

QUOTE

nandpro updflash.bin:

This post has been edited by Looouky: Jan 24 2010, 03:45 PM

[Looouky]

QUOTE(dcourtney @ Jan 24 2010, 10:01 AM)

thankyou very much for the detailed guide I'm actually trying to do this on a virgin 512mb jasper now!

I am running into a problem though. I can flash xell fine and it boots without my keyvault inserted (does give me an error though telling me it can't read kv)

However when I insert my kv.bin file (which I had dumped and compare multiple times) via lpt xell no longer boots and I end up with a 3 red lights flashing.

Any idea what may of gone wrong here?

Edit: ok seem to be having more luck if I insert the kv.bin into the xell.bin before flashing. Might be worth noting as an option in the tutorial?

Edit2: Up and running Other than the small problem with the KV this guide was fantastic thanks again for taking the time to prepare it.

Awesome good to hear. Yeah if I could edit the tutorial I would definitely add that little small tidbit in there about the KV.bin. And maybe even put in some notes about testing free60 XELL before updating to XELLOUS. Oh and no thanks are necessary half this thing is copied from somewhere else, due thanks should go to all the guys that made this possible. The only thing new here is the XELLOUS part, I though that I would write one document everyone could follow. I was tired of having 7 links on how to do the whole jtag.

How fast was it with the 512?

[eyric101]

I can't seem to download my raw flash (jasper 256).  It prompts me to save file but when  i click save nothing happens.

edit: i think i made this work by choosing open instead of save, then associating the bin file extension with internet explorer so it would prompt me to save it one it finished downloading.  Its actually downloading now so i will know shortly

edit2: yep, worked

edit3: interesting thing to note, i noticed on the screen after i downloaded the backup it reported a bad block foundf at 066, wonder if this will cause any problems

This post has been edited by eyric101: Jan 24 2010, 04:50 PM

[Looouky]

You need to give some time, it is a 70 mb or so file or bigger. Also it says to use firefox for a reason. So avoid IE, it is clearly stated in the XELLOUS readme file.

Kool.

This post has been edited by Looouky: Jan 24 2010, 04:48 PM

[dough4you]

Great work.  I'm in the process of dumping a 512mb nand over lpt and after 15 hours, it's still NOT DONE!  That's why this guide will be great for me and others with a 512 BB

I have one concern regarding your guide and BB nands

You are reading a small portion of the nand to get the keyvault and config info.
Then you flash xell(ous) over that small portion
than you use xell to back up the full nand over http.

But, the full nand you get is not the original.  It's the full nand with a portion flashed with xell.

Now, you have that original portion, as you backed that up originally.

How do you replace that portion in your full backup to generate an original full Nand dump?
(ie what do you type and in what program)

Again, fantastic job on the guide.

This post has been edited by dough4you: Jan 24 2010, 04:52 PM

[Looouky]

QUOTE

How do you replace that portion in your full backup to generate an original full Nand dump?
(ie what do you type and in what program)

It was stated clearly in this line:

QUOTE

Now make your nand backup complete with the following command:

nandpro 1.bin: -w3 c1.bin

c1.bin should be a backup of the first 3mb of your nand.

nandpro lpt: -r3 c1.bin

creates a backup of the first 3mb which is more then enough.

Hope that helps.

This post has been edited by Looouky: Jan 24 2010, 04:58 PM

[dough4you]

QUOTE(Looouky @ Jan 24 2010, 04:56 PM)

It was stated clearly in this line:
c1.bin should be a backup of the first 3mb of your nand.

nandpro lpt: -r3 c1.bin

creates a backup of the first 3mb which is more then enough.

Hope that helps.

 I didn't understand that's what that command was for.  Thanks for pointing that out.  Once my lpt dump is finished, I'm trying this right away  (IMG:style_emoticons/default/biggrin.gif)

[Looouky]

Awesome I am going to try and update the instructions for everyone.

[jhoff80]

Once you flash Xell, can't you skip:

QUOTE

Flash XELLOUS with the following command it's the same for all motherboard versions:

nandpro lpt: +W16 xell-1f.bin 30

and instead just rename xell-1f.bin to updxell.bin and put it on a USB drive to have it update automatically?


Also, you say:

QUOTE

Dumping Config

To dump your Config from nand:
Nandpro lpt: -r16 rawconfig.bin 2de 2
Dump this a couple times and compare them.

For 256/512 Jaspers its:
nandpro 1.bin: -r256/-r512 config.bin ef7 2

For Jaspers, at that point you haven't dumped the full 1.bin yet.  Don't you mean nandpro lpt: -r256/-r512 config.bin ef7 2 there?

This post has been edited by jhoff80: Jan 24 2010, 05:59 PM

[Looouky]

Updated documentation can be found here:

http://docs.google.com/View?id=dnfmv5h_0hbhwdzfv

This post has been edited by Looouky: Jan 24 2010, 06:02 PM

[Looouky]

QUOTE(eyric101 @ Jan 24 2010, 04:42 PM)

I can't seem to download my raw flash (jasper 256).  It prompts me to save file but when  i click save nothing happens.

edit: i think i made this work by choosing open instead of save, then associating the bin file extension with internet explorer so it would prompt me to save it one it finished downloading.  Its actually downloading now so i will know shortly

edit2: yep, worked

edit3: interesting thing to note, i noticed on the screen after i downloaded the backup it reported a bad block foundf at 066, wonder if this will cause any problems

XELLOUS is suppose to take care of bad blocks.

This is from the readme:

QUOTE

updflash.bin - Nand Image File  (this must include the metadata or aka spare/ecc bytes)
    Must be the full nand with exceptions for consoles with a built in Memory Unit.
    For consoles with built in MU you can write just Flash partition (66 MB) to the nand.

USB Notes:
    For best results of getting the usb device detected. Remove the power plug from the console
    after running the MS dashboard. Then reinsert the power plug, insert usb device and then
    boot into XeLLous.
   
    Reading 66MB (updflash.bin) can take a few minutes, be patient while it loads to ram.

Flash Notes:
    updflash.bin must include the key vault and config blocks if you require them. XeLLous
    WILL OVERWRITE what is on the nand with what is contained in the updflash.bin  

    Bad Block handling will be invoked if:
        Ran from usb
        Only data in the Flash Partition
        Is one of the following: updslot0.bin, updslot1.bin, updpatch.bin
        Is a updflash.bin AND NO PRE-REMAPPED blocks are detected in the file.

So it should cause you no trouble, since it has been flashed correctly and all bad blocks handle by XeLLous.

[Looouky]

QUOTE(jhoff80 @ Jan 24 2010, 05:57 PM)

Once you flash Xell, can't you skip:
and instead just rename xell-1f.bin to updxell.bin and put it on a USB drive to have it update automatically?
Also, you say:
For Jaspers, at that point you haven't dumped the full 1.bin yet.  Don't you mean nandpro lpt: -r256/-r512 config.bin ef7 2 there?

I believe the free60 versions of xell do not have the capability to update through usb.  So no you can't skip it. And Yes you are correct about the config. I will edit documentation.

Updated:

http://docs.google.c...fmv5h_0hbhwdzfv

Thank you, I am sorry for typos I wrote this last night at 1 am, I think most of them are taken care of now. I appreciate all the feedback. I might give people access to the document so that they can update where they might see it could use more clarification.  Of course this would only be for a select few.