Post by: inspuration on August 05, 2010, 09:25:00 AM
QUOTE(jhon_scott @ Aug 5 2010, 01:23 PM) 
If this is real that is crazy. Downloading now.
EDIT: From what I see so far this looks legit.
EDIT2: Loading the doc file crashes Word for some reason. Im going to see about converting it to a pdf.
EDIT 3: Holy fuck I don`t understand most of what this document says but it definitely looks legit. Where did you find this?
Post by: Morning Call on August 05, 2010, 10:09:00 AM
Post by: njmbb8 on August 05, 2010, 10:16:00 AM
Post by: red_ring_of_box on August 05, 2010, 10:19:00 AM
QUOTE(inspuration @ Aug 5 2010, 11:25 AM)
If this is real that is crazy. Downloading now.
EDIT: From what I see so far this looks legit.
EDIT2: Loading the doc file crashes Word for some reason. Im going to see about converting it to a pdf.
EDIT 3: Holy fuck I don`t understand most of what this document says but it definitely looks legit. Where did you find this?
Try opening it in Wordpad, works for me.
Same here it looks legit but I barely have a clue as to what it is talking about. I can only assume that the acronyms in the document are the following:
BOM: Bill of Materials
PCBA: Printed Circuit Board Assembly(kind of easy to guess that one lol)
ECO: still can't find any info as to what that is.
Agile doc D02652: http://www.agilemode...cumentation.htm
I'm guess it would have to be a document in one of the books there perhaps that we would have to refer to.
STUFF/UNSTUFF: I tried to look up what it is these terms mean but I haven't found anything.
Remove X812632-001 and replace with X812631-001: I can't find anything about what these things are besides the fact that they are flash chips. Same with all the other remove/replace instructions.
Also I found while searching for the parts a google document titled: FACTORY REPAIR ACTION FOR ERROR CODE 0x810E1FF1 that is very similar to this doc but has a few more steps in it, though the Doc's filename is also XDK.doc.
http://webcache.goog...r...=clnk&gl=us
Well I hope someone smarter than I can elaborate a bit more as I am very interested in seeing how the process is done, as I cannot understand the document fully just yet.
Post by: red_ring_of_box on August 05, 2010, 10:26:00 AM
Post by: ImRickJamesB1tch on August 05, 2010, 10:28:00 AM
Title: Factory Repair Action: For Error Code 0x810E1FF1
Author: Emily Ascolese
Very random indeed...
Post by: red_ring_of_box on August 05, 2010, 10:40:00 AM
QUOTE(ImRickJamesB1tch @ Aug 5 2010, 12:28 PM)
Look at the properties of the doc:
Title: Factory Repair Action: For Error Code 0x810E1FF1
Author: Emily Ascolese
Very random indeed...
Weird its the same properties in that google doc I posted, When I saved it to my computer and checked the properties of the doc it has the same info.
Another question I have now is which one is the right one, the original or this edited one posted here?
Edit: Nice find inspuration! This seems to really validate that this is legit, but why would a Microsoft employee even write a guide on how to make a retail console into a Dev? Maybe someone is a little pissed off at Microsoft? lol.
here is here full profile link for reference:
http://www.linkedin....n/emilyascolese
Post by: inspuration on August 05, 2010, 10:59:00 AM
R1C4 is between the DVD Sata port and the southbridge. Can't miss it.
R1P2 is on the bottom side of the mobo between the sata pins and the southbridge.
J2B1 is one of the pads you solder to to flash a JTAG. heres a pic:
J1D2 is the other pad you solder your LPT cable to. pictured here:
R2D6 is one of the points that attaches to the right of the hynix chip. Heres a pic of the general area
U2E1 is a trace coming from the southbridge that is just below the hynix chip on the left side.
R2D5 is a resistor coming out the right side of the hynix chip as well.
Post by: njmbb8 on August 05, 2010, 12:01:00 PM
Post by: bamarquez226 on August 05, 2010, 12:32:00 PM
QUOTE(inspuration @ Aug 5 2010, 11:12 AM)
I found the exact same document posted on a chineese hacking site called a9vg.com
This is probably where he got it. The document also checks out since it was made by a micosoft employee.
I'm like njmbb8, I'm a little weary of the validity of the doc. I question the authenticity of it just because it can be easily written to look legit, and back dated. As well as use terminology that there is no known reference to, i.e. MS id numbers for chips.
Post by: red_ring_of_box on August 05, 2010, 12:42:00 PM
inspuration- that's the same document that I linked to here:
http://webcache.goog...r...=clnk&gl=us
if you want to view it in your browser.
Also thanks for the pics.
I still don't know what the flash chips X812632-001, X810284-001, X810283, X811906, X814013, are or where they even go, as well as all the other Xxxxxxx-xxx chips that need to be stuffed/unstuffed for the motherboard revisions. Or perhaps I'm just reading the document wrong.
Edit: Well I think I realize why I wasn't able to find any info about the X chips, or parts, because as Morning Call said we are missing the document that tells use what all those part IDs stand for, so I guess the BOMs for these part IDs are in the Agile doc D02652, which is also the document Morning Call said we are missing. Whether or not it is in that Document book is beyond me, but I'm leaning more towards it not being in there and more of it being a classified Microsoft document.
Post by: Morning Call on August 05, 2010, 02:55:00 PM
QUOTE
Stuff R1C4 with X800601-001 RES,S/M,LF,1.0KOHM,5%,1/16W,0402 (was NO-STUFF) <1000ohm 1/16watt resistor
Unstuff R1P2 (was X800590-001 RES,S/M,LF,10KOHM,5%,1/16W,0402) <--- 10 000ohm 1/6watt resistor. these are the same resistors used for r6t3 and the ones beside the NAND itself (can be changed to convert a 16mb jasper to 256/512 or visa versa)
Stuff J2B1 with X804259-001 CONN,HDR,TH,LF,2X7,DUAL-ROW,VERT, PIN 14 KEYED,2.4 TAILS <-- 2 row by 7pin pin header vertical position (aka straight up)(14 pins) but pin 14 REMOVED (aka keyed) to limit inserting the wrong way. not sure what 2.4tails is, probably the spacing between pins?
Stuff J1D2 with X804260-001 CONN,HDR,TH,LF,2X5,DUAL-ROW,VERT, PIN 10 KEYED,2.4 <-- same as previous except 2x5 and pin10 removed/keyed. same 2.4tail (spacing?)
Stuff R2D6 with X800590-001 RES,S/M,LF,10KOHM,5%,1/16W,0402 <-- resistor. can be taken from R1P2 as its the exact same.
Stuff U2E1 with X802184-001 IC,S/M,MEM,LF,NAND,64MX8,TSOP48,SAMSUNG B-DIE <--- flash chip, 64mb. surface mount flash (same as existing) not sure what samsung b-die is, could be samsung flash chip
Unstuff R2D5 with X800590-001 RES,S/M,LF,10KOHM,5%,1/16W,0402 <-- 10 000ohm resistor again. same as other resistors)
Stuff R8B6 with X800427-001 RES,S/M,LF,2KOHM,1%,1/16W,0402 <--- 2000 ohm 1/16watt resistor with %1 tolerance (not %5 like normal)
Stuff R8A5 with X800601-001 RES,S/M,LF,1.0KOHM,5%,1/16W,0402 <--- 1000 ohm %5 1/16watt resistor.
Stuff Q8B6 with X801037-001 BJT,S/M,LF,NPN,SWITCH,2N2222,SOT23 <-- some sort of transistor? not sure exactly. its a switch of some variation. 2n2222????
Stuff D8B4 with X801078-001 LED,LF,GREEN,QTLP601C-AG,0603 <--- green led? must be some sort of debugging LED?
When building into a console, stuff the following Lamprey cables following standard installation procedures:
X801796-001 CABLE ASSEMBLY, MOBO, LAMPREY, SMC KERNEL DEBUG PORT <-- standard devkit pigtails i assume for j1d2 and j2b1 pin headers
X801797-001 CABLE ASSEMBLY, MOBO, LAMPREY, SPI PORT <-- standard devkit pigtails i assume for j1d2 and j2b1 pin headers
the 10 000ohm resistors appear to be the resistors that are swapped to switch from a small block nand to a big block nand (without consulting my diagrams)... afaik to go from 16mb to big block, you removed one resistor and put two somewhere else). this was a trick performed for people with big block jaspers before xbr3 came out for them.
Post by: inspuration on August 05, 2010, 03:57:00 PM
CODE
6) Reset the console type from Retail to Dev (Agile doc H03710)
RETAIL 00000002
DEVELOPMENT 00000001
RETAIL 00000002
DEVELOPMENT 00000001
And what the hell is 'Agile'?
Post by: red_ring_of_box on August 05, 2010, 04:36:00 PM
QUOTE
How would one go about doing this though:
CODE
6) Reset the console type from Retail to Dev (Agile doc H03710)
RETAIL 00000002
DEVELOPMENT 00000001
RETAIL 00000002
DEVELOPMENT 00000001
I have no idea what this does but I can only assume at boot up it is used to pick between booting the retail on-board nand, and the 64mb nand you installed when the console first starts up. Maybe it is similar to how the Cygnos V2 chooses which nand to boot by using some kind of jtag interface(thus the pin headers).
Which makes me think, could we do an XD card mod and just use a 64mb card for those of us with 16mb nands? It sounds like it would work if maybe we made a custom breadboard with a switch to enable/disable big block and onboard nands.
QUOTE
And what the hell is 'Agile'?
I believe Agile is a kind of documentation that allows you to explain what the project you are working on does in enough detail for people to understand it enough to use it.
http://www.agilemode...cumentation.htm
The link above will explain more.
QUOTE
How would one go about doing this though:
CODE
6) Reset the console type from Retail to Dev (Agile doc H03710)
RETAIL 00000002
DEVELOPMENT 00000001
RETAIL 00000002
DEVELOPMENT 00000001
I have no idea what this does but I can only assume at boot up it is used to pick between booting the retail on-board nand, and the 64mb nand you installed when the console first starts up. Maybe it is similar to how the Cygnos V2 chooses which nand to boot by using some kind of jtag interface(thus the pin headers).
Which makes me think, could we do an XD card mod and just use a 64mb card for those of us with 16mb nands? It sounds like it would work if maybe we made a custom breadboard with a switch to enable/disable big block and onboard nands.
QUOTE
And what the hell is 'Agile'?
I believe Agile is a kind of documentation that allows you to explain what the project you are working on does in enough detail for people to understand it enough to use it.
http://www.agilemode...cumentation.htm
The link above will explain more.
Post by: inspuration on August 05, 2010, 08:08:00 PM
QUOTE(Morning Call @ Aug 6 2010, 12:41 AM)
its a whole other work instruction.
guaranteed, its how to blow certain efuses to convert from retail to dev.
odds are, you could probably convert retail to dev but not dev to retail.
Who cares, dev is waaaaaaaay better than retail.
Post by: uN0pEn on August 05, 2010, 08:32:00 PM
Post by: red_ring_of_box on August 05, 2010, 09:16:00 PM
QUOTE(Morning Call @ Aug 5 2010, 07:41 PM)
its a whole other work instruction.
guaranteed, its how to blow certain efuses to convert from retail to dev.
odds are, you could probably convert retail to dev but not dev to retail.
Ah, thank you once again Morning Call your aid with figuring out this document has been a great help in understanding what is needed for this too work. LOL, without your insight I'd probably still be googling 'Agile doc D02652' and trying madly to find any documentation at all.
So I guess here is the question as to whether or not this is even feasible. Could we not reboot the console as freeboot does, but with the needed fuses for a dev console emulated in software so the dev nand would work? That way we could still have a jtag retail to test compiled apps on and a dev kit to develop the apps on.
Of course Pnet is probably going to be out of the question but we shouldn't be messing with that anyway. Though, the debug tools available to us would help the homebrew scene greatly for those who can't shell out $1000 for a stolen dev kit.
I really need to reread that topic on XBH where freeboot started, that way I can remotely get an idea of what would be needed for this to work and not just blindly spew out questions, but just thought I'd ask here because right now it seems like it could be possible from what I know(which isn't much but enough to get the picture.)
Post by: thwack on August 06, 2010, 02:45:00 AM
http://www.datasheet...6U2B NAND-Flash Whoops meant to linky to 64mb)
The 2N2222 is an amplifying tranny:
http://en.wikipedia.org/wiki/2N2222
SOT23:
http://www.fairchild...ng/sot23_1.html
And we've all seen the QTLP601C-AG before (ROL Mods):
http://www.alldatash...TLP601C-AG.html
However, not too sure this doc is going to be any good without the supporting ref'd docs - although props to the OP for linking to it. Also wouldn't all this have to work in conjunction with hooking up to MS private servers - aka the 'debug' or 'repair mode' memory cards.....
*Edit* This as discussed would maybe work on JTAG's - not retail for the above reasons....I'm prolly completely wrong though.
Post by: cory1492 on August 06, 2010, 11:45:00 AM
QUOTE
6) Reset the console type from Retail to Dev (Agile doc H03710)
RETAIL 00000002
DEVELOPMENT 00000001
RETAIL 00000002
DEVELOPMENT 00000001
That is referring to console type set in the keyvault, 0x40000001 is a "test kit" which can be used for dev.
BOM is likely referring to the boot image. Without doc H03710 (as well as any software/external hardware) I doubt it will be possible to perform the process required to actually do this, enabling the debug headers and adding debug LED ain't gonna change the software on the chip nor magically alter the cpu fuse settings which are also set to retail (to not pass the dev bootloader checks.)
Post by: WarriorSan on August 07, 2010, 12:30:00 PM
QUOTE(Morning Call @ Aug 5 2010, 06:45 PM)
this whole reset the console from retail to dev gets me. i honestly can't see this happening.
for it to work, we need to blow efuses, and i dont see this happening anytime soon. perhaps on a jtag unit this could be achieved, but do we really want to sacrifice a jtag unit for a frankendev unit that wont be able to connect to pnet?
Maybe that explains the shitload of refurbished *devkits* (Proto's, Test kits etc.) that are been offered on the net lately:
here, here, here and here some even seems to connect to PNet and they're very cheap also..
Sellers PN LIVE ID: coolala, yzgolden
Post by: WarriorSan on August 07, 2010, 01:24:00 PM
Post by: xXCoNdEmRXx on August 07, 2010, 05:26:00 PM
Post by: Juvenal1228 on August 07, 2010, 09:14:00 PM
If you have a JTAG and a way to get the DEV kernel and encrypt it to your CPU then by all means make yourself a DEV board!
Post by: hack.rid on August 09, 2010, 10:13:00 AM