Flash 0225, 0272, 0401 Xbox360 Slim AFTER update 13599 WINBOND GEREMIA iXtreme LT+1.91 using ONBOARD SATA, no 360Lizard or 360USB.

This tutorial was created for the WINBOND chip. For MXIC you can follow the Russian hack. All images were created by me and all the text was written by me unless specified.
PDF Version Download
THIS MOD IS NOT NOOB FRIENDLY; IT'S NICKNAMED THE KAMIKAZE HACK FOR A REASON. DO NOT COME CRYING TO ME WHEN YOU HAVE DRILLED TOO DEEP OR YOUR DRIVE IS DEAD.
If you do not already have the key from your Xbox360 Slim and you mess this up you could be left with a brick for a long time or until someone figures out how to unbrick a slim drive.
Things you will need:
- Compatible SATA chipset or Lizard360 or 360USBPRO.
- Motherboard BIOS set to Legacy/compatible mode.
- External power source for slim drive.
- 100ohm resistor connected to 3.3v
Software:
- unlockSPI: http://www.multiupload.com/GT0SVZPA3M
- DosFlash: http://www.multiupload.com/P696UUDFUA
- Jungleflasher 1.86 beta (267), INCLUDES SLIM FIRMWARE FILES: http://www.multiupload.com/93GG23Z55E
- Windows XP, Vista, 7.
Compatible Onboard Chipsets
- AMD SB6XX
- AMD SB7XX
- INTEL ICH9R
- INTEL ICH8
- INTEL ICH9
- INTEL ICH10
- VIA 6421a MUST have IDE to SATA converter or use PMT probe to set vendor mode
- 360Lizard
- 360USBPRO

NOT Compatible

STEPS TO PERFORM THE HACK
- Cleaning resin from the chip
- Marking up the chip
- Get drive into Vendor Mode
- Drilling the chip and unlocking using unlockSPI
- Read original firmware (optional depending if you have previously read the FW from your drive)
- Create custom firmware
- Write custom firmware
- Re-Locking the drive
CLEANING THE RESIN FROM THE CHIP
This is not always required, but it does allow more accuracy when marking the lines on the chip.
To clean the resin from the chip it must be heated so it becomes brittle. You can use a hairdryer and a scalpel or similar. Heat the resin for around 30 seconds; try not to overheat it. You will know when the resin is hot enough as it becomes brittle and easy to remove.
MARKING UP THE CHIP
When doing this hack you should always mark up the chip as shown, and DO NOT go by the logo printed on the chip, as they are not all the same.
(IMG: http://img560.imageshack.us/img560/7027/epoxy.png)
Once you have marked up the chip you are able to move onto vendor mode.
VENDOR MODE
There are a couple of different ways to achieve this. The main thing to remember is that you MUST reboot your PC after every failed or successful vendor mode attempt! Failure to do this will result in Status 0x51.

Method 1
Turn off PC
Turn off DVD drive
Reboot
Press F8 at boot of Windows to disable driver signature enforcement for Windows 7 (if required)
Open DosFlash32
DosFlash will send the commands to the drive and enter vendor mode - proceed to unlockSPI, leave DosFlash OPEN.
If DosFlash asks to resend the vendor intro then it has failed. You must reboot and try again.
If you see this image without DosFlash asking you to power cycle then your drive is in vendor mode.
(IMG: http://img854.imageshack.us/img854/3153/dosflash.png)
Method 2
Turn off PC
Turn off DVD drive
Reboot
Press F8 at boot of Windows to disable driver signature enforcement for Windows 7 (if required)
Open Jungleflasher
Select MTKFlash tab
Click Intro
Jungleflasher will send commands to the drive and enter vendor mode - proceed to unlockSPI, leave Jungleflasher OPEN.
Method 3 Vendor Mode using PMT probe - should work with most chipsets but requires soldering.
1. Run JF
2. Power on drive
3. Press Intro Device ID
4. Put the PMT on MPX01
5. MTK Vendor -> Yes
6. Power off then on
7. done!! Vendor Mode
Once Vendor Mode is achieved by either method you then move onto unlockSPI.exe below.
DRILLING THE CHIP AND UNLOCKING USING UNLOCKSPI.EXE
There are various different ways of drilling the chip and I have not done them all, but here are two videos showing both the soldering iron method and the Dremel method.
Dremel: http://www.youtube.com/watch?v=1gCYXb54oig
Soldering iron: http://www.youtube.com/watch?v=VCrrpaKp42I (don't use the 100ohm resistor when doing this method; doing so may cause damage.)
After you have decided which method to use to drill, proceed to unlockSPI.
First open a command window in the folder where unlockSPI is located by holding SHIFT + right-click and selecting "Open command window here".
(IMG: http://img830.imageshack.us/img830/5374/opencommandwindow.png)
Now you should be presented with the cmd window.
Type unlockSPI XXXX - where XXXX is your port number and can be found in dosflash.
Press ENTER
(IMG: http://img808.imageshack.us/img808/8896/firstcommand.png)
You should now see this:
(IMG: http://img600.imageshack.us/img600/6329/geremia1.png)
Press y and hit ENTER.
unlockSPI will do a sound test; make sure your speakers are turned up loud enough.
You will be presented with the screen below. This is where you start to drill the chip. There are a few ways to drill the hole: an X-Acto knife, Dremel, large pin or soldering iron have all been reported to work. The key is patience. Go very slow. As soon as you hear the siren sound, STOP.
(IMG: http://img535.imageshack.us/img535/5866/sucessful2.png)
You should be presented with a window that looks like this. Congratulations you have unlocked your slim drive.
(IMG: http://img97.imageshack.us/img97/9868/sucessfulunlock.png)
Your drive will now stay UNLOCKED even if you power cycle the drive or your PC. After flashing you can relock it using various methods, or by running the unlockSPI command again: it will tell you that the drive is UNLOCKED and ask whether you wish to LOCK it. Press Y and hit ENTER. Your drive is now LOCKED.
You can UNLOCK the drive again by touching the hole with a 100ohm resistor connected to 3.3v, using an electric lighter or by using isopropyl alcohol.
READING YOUR FIRMWARE (optional)
After you have unlocked your drive you can proceed to read the firmware from the drive. You may need to reboot your PC to re-enable vendor mode. Then open Jungleflasher or DosFlash to read your FW.
CREATING CUSTOM FIRMWARE
Open Jungleflasher
Select your original firmware dump as source firmware.
iXtreme will auto load the correct firmware for you and spoof to target.
IF YOU HAVE A SLIM DRIVE WHICH HAS 9504 ON THE COVER BUT WAS ACTUALLY 0225 THEN YOU MUST SELECT NO TO AUTOLOAD AND USE FIRMWARE LTPlus-0225-v1.91u.bin

FLASHING CUSTOM FIRMWARE AND LOCKING THE DRIVE
To flash the drive simply enter vendor mode again. You may be required to reboot your PC again. This time use Jungleflasher for vendor mode.
Select your custom firmware as target, go to MTKFlash32 tab and hit WRITE.
You should get something like this:
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
~~~~~~~~~~
JungleFlasher 0.1.86 Beta (267)
Session Started Fri Aug 12 00:23:22 2011
This is a Wow 64 process running on 2 x 64 bit CPUs
portio64.sys Driver Installed
portio64.sys Driver Started, thanks Schtrom !
Found 6 I/O Ports.
Found 2 Com Ports.
Found 6 windows drives C: D: E: F: G: H:
Found 0 CD/DVD drives
Drive is Slim Lite-On..
Key found in KeyDB at record (1 - SLIM CROW)
Key is: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key has been tested and verified, thanks C4eva !
Loading firmware file C:\Users\Home\Desktop\JungleFlasher v0.1.86 Beta (267)\SLIM CROW\Dummy.bin
MD5 hash: 945bbd9e9365fde57fc7bd200e3108bc
Inquiry string found
Identify string found
Drive key @ 0xA030 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Firmware Osig: [PLDS DG-16D4S 0225]
Firmware is: SlimKey Extract
Auto-Loading firmware file C:\Users\Home\Desktop\JungleFlasher v0.1.86 Beta (267)\firmware\LTPlus-0225-v1.91.bin
MD5 hash: 5a14a34b933602a94f8375f9ce88f803
Genuine LT plus v1.91
Drive key @ n/a xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Firmware Osig: [PLDS DG-16D4S 0225]
Firmware is: LT-Plus 1.91
Spoofing Target
DVD Key copied to target
Key Sector copied from Source to Target
Target is LT - ID strings not copied to Target
Sending Vendor Intro to port 0x0170
Serial flash found with Status 0x72
Sending Device ID request to port 0x0170
Spi Status: 0x00
Manufacturer ID: 0xEF
Device ID: 0x11
Flash Name: Winbond/NEX(W25P20/NX25P20)
Flash Size: 262144 bytes
Getting Status from port 0x0170
SPi flash found with Status 0x72
Sending Chip Erase to Port 0x0170
Erasing:
Writing target buffer to flash
Writing Bank 0: ................
Writing Bank 1: ................
Writing Bank 2: ................
Writing Bank 3: ................
............
Flash Verification Test !
Reading Bank 0: ................
Reading Bank 1: ................
Reading Bank 2: ................
Reading Bank 3: ................
Dumped in 1814mS
Write verified OK !
Restoring sector 0x3E000.
Sending Sector Erase to Port 0x0170
Erasing: 0x3E000
Writing: 0x3E000
............
Authorised !
................
Restore verified OK !
Drive is Slim Lite-On..
Key found in KeyDB at record (1 - SLIM CROW)
Key is: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key has been tested and verified, thanks C4eva !
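As an added sanity check, not part of the original tutorial or of JungleFlasher itself: the script below parses a session log in the shape quoted above and flags anything that would mean this tutorial does not apply or the flash did not complete cleanly (a non-Winbond chip, an unexpected flash size, a drive version other than 0225/0272/0401, source and target Osig not matching, or a missing "verified OK" line). The sample log is constructed from the values quoted above with keys and paths replaced, and the expected IDs and size are taken from that log.

```python
import re

# Constructed excerpt of a JungleFlasher session log, in the same shape as
# the one quoted above (keys masked, paths shortened). Not a real capture.
SAMPLE_LOG = """\
Drive is Slim Lite-On..
Loading firmware file C:\\dumps\\Dummy.bin
Firmware Osig: [PLDS DG-16D4S 0225]
Auto-Loading firmware file C:\\firmware\\LTPlus-0225-v1.91.bin
Firmware Osig: [PLDS DG-16D4S 0225]
Manufacturer ID: 0xEF
Device ID: 0x11
Flash Name: Winbond/NEX(W25P20/NX25P20)
Flash Size: 262144 bytes
Write verified OK !
Restore verified OK !
"""

WINBOND_MFR_ID = 0xEF                      # manufacturer ID JungleFlasher printed for the Winbond part
W25P20_SIZE = 262144                       # flash size printed for the W25P20
COVERED_MODELS = {"0225", "0272", "0401"}  # drive versions this tutorial covers

def parse_session(log):
    """Pull the fields worth checking out of a JungleFlasher session log."""
    ids = {k: int(v, 16) for k, v in
           re.findall(r"^(Manufacturer ID|Device ID): (0x[0-9A-Fa-f]+)", log, re.M)}
    size = re.search(r"^Flash Size: (\d+) bytes", log, re.M)
    osigs = re.findall(r"^Firmware Osig: \[PLDS DG-16D4S (\d{4})\]", log, re.M)
    return {"mfr_id": ids.get("Manufacturer ID"), "dev_id": ids.get("Device ID"),
            "size": int(size.group(1)) if size else None, "osigs": osigs,
            "write_ok": "Write verified OK !" in log,
            "restore_ok": "Restore verified OK !" in log}

def session_problems(log):
    """Return the reasons the session does not match this tutorial; [] means all checks passed."""
    s = parse_session(log)
    problems = []
    if s["mfr_id"] != WINBOND_MFR_ID:
        problems.append("flash is not Winbond; this tutorial does not apply")
    if s["size"] != W25P20_SIZE:
        problems.append("unexpected flash size %r" % (s["size"],))
    if len(s["osigs"]) < 2 or len(set(s["osigs"])) != 1:
        problems.append("source and target Osig do not match")
    elif s["osigs"][0] not in COVERED_MODELS:
        problems.append("drive version %s not covered here" % s["osigs"][0])
    if not (s["write_ok"] and s["restore_ok"]):
        problems.append("write or key-sector restore did not verify")
    return problems
```

Paste your own session text into `session_problems` before re-locking; an empty list means the chip, drive version and both verification passes match what this tutorial expects.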
Locking the drive
To lock the drive just re-enter vendor mode, open unlockSPI and send the command "unlockSPI XXXX", where XXXX is your port number.
unlockSPI will report the drive as being unlocked and will ask whether you wish to lock the drive.
Press Y and hit ENTER
Your drive is now locked and finished. You can put everything back together and test.
Credits to Geremia, Maximus, and all those who made this hack possible.

This post has been edited by DazEB: Aug 13 2011, 03:15 AM