xboxscene.org forums

Author Topic: How To Flash Slim 9504,0225,0272,0401 Update 13599 - No 360lizard Or U

DazEB


This tutorial was created for the WINBOND chip. For MXIC you can follow the Russian hack. All images were created by me and all the text was written by me unless specified.

Flash 0225,0272,0401 Xbox360 Slim AFTER update 13599 WINBOND GEREMIA iXtreme LT+1.91 using ONBOARD SATA no 360Lizard or 360USB.

PDF Version Download
 
THIS MOD IS NOT NOOB FRIENDLY; IT'S NICKNAMED THE KAMIKAZE HACK FOR A REASON. DO NOT COME CRYING TO ME WHEN YOU HAVE DRILLED TOO DEEP OR YOUR DRIVE IS DEAD.

If you do not already have the key from your Xbox360 Slim and you mess this up, you could be left with a brick for a long time, or until someone figures out how to unbrick a slim drive.

Things you will need:

Compatible SATA chipset, or 360Lizard, or 360USBPRO.
Motherboard BIOS set to Legacy/compatible mode.
External power source for the slim drive.
100 ohm resistor connected to 3.3V.

Software


unlockSPI - http://www.multiupload.com/GT0SVZPA3M
DosFlash - http://www.multiupload.com/P696UUDFUA
Jungleflasher 1.86 beta (267), INCLUDES SLIM FIRMWARE FILES - http://www.multiupload.com/93GG23Z55E
Windows XP, Vista, 7.

Compatible Onboard Chipsets
  • AMD SB6XX
  • AMD SB7XX
  • INTEL ICH9R
  • INTEL ICH8
  • INTEL ICH9
  • INTEL ICH10
  • VIA 6421a - MUST have an IDE to SATA converter, or use the PMT probe to set vendor mode
  • 360Lizard
  • 360USBPRO

NOT Compatible
  • INTEL ICH7
  • Nvidia nForce

STEPS TO PERFORM THE HACK
  1. Cleaning resin from the chip
  2. Marking up the chip
  3. Get drive into Vendor Mode
  4. Drilling the chip and unlocking using unlockSPI
  5. Read original firmware (optional depending if you have previously read the FW from your drive)
  6. Create custom firmware
  7. Write custom firmware
  8. Re-Locking the drive

CLEANING THE RESIN FROM THE CHIP

This is not always required but it does allow more accuracy when marking the lines on the chip.

To clean the resin from the chip it must be heated so it becomes brittle. You can use a hairdryer and a scalpel or similar. Heat the resin for around 30 seconds, trying not to overheat it. You will know when the resin is hot enough, as it will become brittle and easy to remove.

MARKING UP THE CHIP

When doing this hack you should always mark up the chip as shown, and DO NOT go by the logo printed on the chip, as they are not all the same.

(IMG:http://img560.imageshack.us/img560/7027/epoxy.png)

Once you have marked up the chip you are able to move on to vendor mode.


VENDOR MODE

There are a couple of different ways to achieve this. The main thing to remember is that you MUST reboot your PC after every failed or successful vendor mode attempt! Failure to do this will result in Status 0x51.

Method 1
Turn off PC
Turn off DVD Drive
Reboot
Press F8 at boot of windows to disable driver signature enforcement for Windows 7 (if required)
Open DosFlash32
DosFlash will send the commands to the drive and enter vendor mode - proceed to unlockSPI, and leave DosFlash OPEN.
If DosFlash asks to resend the vendor intro, then it has failed. You must reboot and try again.

If you see this image without DosFlash asking you to power cycle, then your drive is in vendor mode.
(IMG:http://img854.imageshack.us/img854/3153/dosflash.png)

Method 2
Turn off PC
Turn off DVD Drive
Reboot
Press F8 at boot of windows to disable driver signature enforcement for Windows 7 (if required)
Open Jungleflasher
Select MTKFlash tab
Click Intro
Jungleflasher will send commands to the drive and enter vendor mode - proceed to unlockSPI, and leave Jungleflasher OPEN.

Method 3

Vendor Mode using PMT probe - should work with most chipsets but requires soldering.

1. Run JF
2. Power on drive
3. Press Intro Device ID
4. Put the PMT on MPX01
5. MTK Vendor -> Yes
6. Power off then on
7. done!! Vendor Mode

Once Vendor Mode is achieved by either method you then move onto unlockSPI.exe below.
 
DRILLING THE CHIP AND UNLOCKING USING UNLOCKSPI.EXE

There are various different ways of drilling the chip and I have not done them all, but here are two videos showing both the soldering iron method and the Dremel method:
DREMEL
http://www.youtube.com/watch?v=1gCYXb54oig

Soldering Iron
Don't use the 100 ohm resistor when doing this method. Doing so may cause damage.
http://www.youtube.com/watch?v=VCrrpaKp42I

After you have decided which method to use to drill, proceed to unlockSPI.

First, open a command window in the folder where unlockSPI is located by holding SHIFT + right-click and selecting "Open command window here".

(IMG:http://img830.imageshack.us/img830/5374/opencommandwindow.png)

Now you should be presented with the cmd window.
Type unlockSPI XXXX, where XXXX is your port number, which can be found in DosFlash.
Press ENTER
(IMG:http://img808.imageshack.us/img808/8896/firstcommand.png)

You should now see this:

(IMG:http://img600.imageshack.us/img600/6329/geremia1.png)

Press y and hit ENTER.

unlockSPI will do a sound test, make sure your speakers are up loud enough.

You will be presented with the screen below. This is where you would start to drill the chip. There are a few ways to drill the hole: X-Acto knife, Dremel, large pin or soldering iron have all been reported to work. The key is patience. Go very slow. As soon as you hear the siren sound, STOP.

(IMG:http://img535.imageshack.us/img535/5866/sucessful2.png)

You should be presented with a window that looks like this. Congratulations you have unlocked your slim drive.
(IMG:http://img97.imageshack.us/img97/9868/sucessfulunlock.png)

Your drive will now stay UNLOCKED even if you power cycle the drive or your PC. After flashing you can relock it using various methods, or by running the unlockSPI command again: it will tell you that the drive is UNLOCKED and ask if you wish to LOCK it. Press Y and hit ENTER. Your drive is now LOCKED.

You can UNLOCK the drive again by touching the hole with a 100 ohm resistor connected to 3.3V, by using an electric lighter, or by using isopropyl alcohol.

READING YOUR FIRMWARE (optional)

After you have unlocked your drive you can proceed to read the firmware from the drive. You may need to reboot your PC to re-enable vendor mode. Then open Jungleflasher or DosFlash to read your FW.

CREATING CUSTOM FIRMWARE

Open Jungleflasher
Select your original firmware dump as source firmware.
iXtreme will auto load the correct firmware for you and spoof to target.

IF YOU HAVE A SLIM DRIVE WHICH HAS 9504 ON THE COVER BUT WAS ACTUALLY 0225 THEN YOU MUST SELECT NO TO AUTOLOAD AND USE FIRMWARE LTPlus-0225-v1.91u.bin

FLASHING CUSTOM FIRMWARE AND LOCKING THE DRIVE

To flash the drive simply enter vendor mode again. You may be required to reboot your PC again. This time use Jungleflasher for vendor mode.
Select your custom firmware as target, go to MTKFlash32 tab and hit WRITE.

You should get something like this:
CODE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~
JungleFlasher 0.1.86 Beta (267)
Session Started Fri Aug 12 00:23:22 2011

This is a Wow 64 process running on 2 x 64 bit CPUs
portio64.sys Driver Installed
portio64.sys Driver Started, thanks Schtrom !
Found 6 I/O Ports.
Found 2 Com Ports.
Found 6 windows drives C: D: E: F: G: H:
Found 0 CD/DVD drives

Drive is Slim Lite-On..

Key found in KeyDB at record (1 - SLIM CROW)
Key is: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key has been tested and verified, thanks C4eva !
Loading firmware file C:\Users\Home\Desktop\JungleFlasher v0.1.86 Beta (267)\SLIM CROW\Dummy.bin
MD5 hash:  945bbd9e9365fde57fc7bd200e3108bc
Inquiry string found
Identify string found
Drive key @ 0xA030 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Firmware Osig: [PLDS    DG-16D4S        0225]
Firmware is:  SlimKey Extract                
Auto-Loading firmware file C:\Users\Home\Desktop\JungleFlasher v0.1.86 Beta (267)\firmware\LTPlus-0225-v1.91.bin
MD5 hash:  5a14a34b933602a94f8375f9ce88f803
Genuine LT plus v1.91
Drive key @ n/a xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Firmware Osig: [PLDS    DG-16D4S        0225]
Firmware is:  LT-Plus 1.91                    
Spoofing Target
DVD Key copied to target
Key Sector copied from Source to Target
Target is LT - ID strings not copied to Target

Sending Vendor Intro to port 0x0170

Serial flash found with Status 0x72

Sending Device ID request to port 0x0170
Spi Status: 0x00
Manufacturer ID: 0xEF
Device ID: 0x11
Flash Name:  Winbond/NEX(W25P20/NX25P20)
Flash Size:  262144 bytes

Getting Status from port 0x0170
SPi flash found with Status 0x72

Sending Chip Erase to Port 0x0170
Erasing:
Writing target buffer to flash
Writing Bank 0: ................
Writing Bank 1: ................
Writing Bank 2: ................
Writing Bank 3: ................
............
Flash Verification Test !
Reading Bank 0: ................
Reading Bank 1: ................
Reading Bank 2: ................
Reading Bank 3: ................
Dumped in 1814mS

Write verified OK !

Restoring sector 0x3E000.

Sending Sector Erase to Port 0x0170
Erasing: 0x3E000
Writing: 0x3E000
............
Authorised !
................
Restore verified OK !
Drive is Slim Lite-On..

Key found in KeyDB at record (1 - SLIM CROW)
Key is: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key has been tested and verified, thanks C4eva !
LOCKING THE DRIVE

To lock the drive, just re-enter vendor mode, open unlockSPI and send the command "unlockSPI XXXX", where XXXX is your port number.

unlockSPI will report the drive as being unlocked and will ask whether you wish to lock the drive.

Press Y and hit ENTER.

Your drive is now locked and finished. You can put everything back together and test.

Credits to Geremia, Maximus, and all those who made this hack possible.

This post has been edited by DazEB: Aug 13 2011, 03:15 AM

BigSteel

« Reply #2 on: August 12, 2011, 09:42:00 PM »

So I finally decided that tonight is the night I try this, and I thought hmmm.... need to find a good video tutorial, and BAM here it is. Followed the tutorial to a tee and it worked perfectly. A lot easier than I thought. I used a soldering iron, x360USB, and I removed the epoxy with a heat gun and X-Acto knife.

xiaoyan848

« Reply #3 on: August 13, 2011, 03:07:00 AM »

Great post! Thank you for sharing....

This post has been edited by BoNg420: Aug 15 2011, 04:07 PM

DazEB

« Reply #4 on: August 13, 2011, 06:38:00 AM »

No problem guys, hope it helps.

FoneFreak

« Reply #5 on: August 15, 2011, 08:57:00 AM »

Brilliant guide, just a quick question. Can you use a Dremel without the 3.3V resistor? Will unlockSPI still show correctly, or does it need the 3.3V 100 ohm resistor to know when the hole is right? Also, some other posts have different pinouts for the chip, i.e. 4 up etc. (yours says 3 up). Pls help.

This post has been edited by FoneFreak: Aug 15 2011, 04:04 PM

DazEB

« Reply #6 on: August 15, 2011, 04:59:00 PM »

QUOTE(FoneFreak @ Aug 15 2011, 03:57 PM) *

Brilliant guide, just a quick question. Can you use a Dremel without the 3.3V resistor? Will unlockSPI still show correctly, or does it need the 3.3V 100 ohm resistor to know when the hole is right? Also, some other posts have different pinouts for the chip, i.e. 4 up etc. (yours says 3 up). Pls help.


I have heard about people using the Dremel without the 100 ohm resistor connected to 3.3V, but it was unsuccessful for me. As soon as I attached the resistor and wire to the Dremel and started drilling, unlockSPI gave me the siren sound, whereas before it would just instantly go to status 51.

The actual point is in between 3 and 4, but the space is so tiny it's hardly noticeable; anywhere in between 3 and 4 should be perfect.

FoneFreak

« Reply #7 on: August 17, 2011, 09:25:00 AM »

QUOTE(DazEB @ Aug 15 2011, 11:59 PM) *

I have heard about people using the Dremel without the 100 ohm resistor connected to 3.3V, but it was unsuccessful for me. As soon as I attached the resistor and wire to the Dremel and started drilling, unlockSPI gave me the siren sound, whereas before it would just instantly go to status 51.

The actual point is in between 3 and 4, but the space is so tiny it's hardly noticeable; anywhere in between 3 and 4 should be perfect.

Thanks very much friend.

BTW, is there a similar guide for 9504 1.9 LT flashed (not locked)? I want to flash BACK to OFW (stock). There is so much conflicting information and no neat, straightforward guide like this!

Appreciate any help or links.

thanks

DazEB

« Reply #8 on: August 17, 2011, 01:21:00 PM »

QUOTE(FoneFreak @ Aug 17 2011, 04:25 PM) *

Thanks very much friend.

BTW, is there a similar guide for 9504 1.9 LT flashed (not locked)? I want to flash BACK to OFW (stock). There is so much conflicting information and no neat, straightforward guide like this!

Appreciate any help or links.

thanks


Just use the Jungleflasher guide for unlocked 9504: www.jungleflasher.net

ArKineX

« Reply #9 on: August 26, 2011, 02:02:00 PM »

Excellent Tutorial!

360newb617

« Reply #10 on: August 29, 2011, 02:35:00 PM »

I read somewhere in the JF tutorial that you could use eSATA, but it does not elaborate, so can I use the eSATA port on my laptop with this? If so, then what would I have to do?

dragon45801

« Reply #11 on: August 29, 2011, 11:42:00 PM »

Thanks for the tut man, greatly appreciated. A few questions:

Why is the resistor not needed with a soldering iron?

I am also curious as to what exactly the purpose of drilling the chip is, and how to tell if you have Winbond or Macronix? Thanks again.

alanewake

« Reply #12 on: August 30, 2011, 04:13:00 AM »

QUOTE(360newb617 @ Aug 29 2011, 09:35 PM) *

I read somewhere in the JF tutorial that you could use eSATA, but it does not elaborate, so can I use the eSATA port on my laptop with this? If so, then what would I have to do?


Most likely it won't work, but you can try.

360newb617

« Reply #13 on: August 31, 2011, 12:17:00 AM »

Anyone know where to find a good tutorial or any info on using JF with eSATA in general?
I don't even know what eSATA really is; I mean I can't plug a regular SATA cable into it. Do I need an adaptor, or just an eSATA to SATA cable?
I don't know why it says it's possible to use it in the JF tutorial PDF, but then it says nothing else about it.
I have no clue what eSATA even is or is supposed to be for; it seems like a useless POS to me. What even uses it? What can it be used for/with? Is there an IEEE/FireWire to eSATA cable/adaptor, or a USB 3.0 to eSATA cable/adaptor? I take it I would need some sort of eSATA to regular SATA cable or an adaptor to use it, right?
I think the one on my laptop doubles as a USB port, but only 2.0 not 3.0, but I'm not really even sure. Seems useless to me; never seen anything that can even connect to it.