*Yeah, they know the PC isn’t a console.
1. The draw will end on July 2nd 2012 at midday GMT.
2. The competition is open to every gamer worldwide where competitions of this nature are valid.
3. Winners will be emailed and also announced on this blog.
4. Questions can be sent to giveaways@playfire.com.
It’s all over, I won 
Right so BIG NEWS, because he’s so far ahead I’m giving Dark-Fiber a Lavatube and making it a bit easier for the rest of you. Competition now ends on 25-03-12. Hopefully you will like that cause he was running away with it.
Thanks to everybody that voted, couldn’t have done it without ya 
—————————————-
Hello visitors, I need a little something back from you guys, so if I have ever helped you out in any way, I hope you can do this 1 small thing for me in return.
It’s quite simple, I REALLY want to win this little competition on Facebook, so I’m asking you guys to help me out.
It should literally take less than 10 seconds of your precious time, if you would be so kind.
All you need to do is click the “Like” button on the following Facebook page, and then write a comment on the wall saying “Dark-Fiber sent me“
http://www.facebook.com/Britvapes
If you don’t leave that comment on the page, then it’s a wasted vote, so please don’t forget that part
I’m currently in the lead, So a massive thank you to all that have helped me get there so far, but I can’t stop there. Go big or go home, right?
They could make a comeback, or there could be a newcomer! So I’m going all out. Total inhalation 
If you are worried about privacy or something, don’t be, I genuinely have no idea who 90% of the people are, on my Dark-Fiber Facebook account 
I won’t know who you are, or where you have come from, as I have posted this request on twitter and elsewhere too, so you could be anybody from anywhere.
(If you want to add me as a friend on facebook, go for it, the more the merrier)
http://www.facebook.com/DARKFiB3R
Thanks 
So, to recap…
1: Click this link… http://www.facebook.com/Britvapes
2: Click the “Like” button on the main page
3: Post this on the wall/timeline “Dark-Fiber sent me“
(you write that in the “what’s on your mind” box)**If you don’t write that on the wall, then your vote won’t count, so please don’t forget that part**
I’ve also been asked “BTW, may I ask what the hell those two things you can win are? lol”
So…
It’s the red one that is up for grabs (along with another smaller one, that I’m not so interested in)
They are PV’s (personal vaporisers), a souped up electronic cigarette, which is about a million times less damaging to your health than regular cigarettes.
I’ve been a smoker for 20 years, so finding these has been an amazing thing for me.
So not only are you helping me to win a competition, you are also helping to save my life (surely that’s gotta get me some votes, right? lol )
There is also a pretty cool modding scene, where people build their own PV’s
Google/youtube “vaping”
Old, Young, Men, Women, people from all sorts of different backgrounds are getting into it.
Obviously, if you have never smoked, then for the love of God, DO NOT start now, not even the healthier vaping option.
Thanks again to everybody that voted 
C4E’s iXtreme LT+ in association with Team Jungle & Team Xecuter
—————————————————————-Official release of the iXtreme LT+ v3.0 for 0272/0225/0401/1071 slim Liteons
- Support for topology data on AP25 enabled titles. Will correctly answer any ap25 challenge eliminating need for dae.bin to create a backup.
- No need to make new backups everytime dae.bin is updated on console
- Extra support for rare firmwares
Topology Data
————-When ap25 was first introduced I devised a way of calculating any challenge which I called the silver bullet which I made reference to along time ago.
This was withheld until it was absolutely necessary. It was easier to replay the fixed challenges.With unique per console ap25 challenges it has become necessary to use the silver bullet.
A series of measurements are taken across the disk. This topology data is then used to calculate a response to any ap25 challenge.
It is very important that the drive used to create the topology data is reliable at reading discs as bad topology data equals bad ap25 responses.
Liteon drives using 0800 v3 seem to be more accurate for this purpose. Only ap25 enabled titles require topology data. Activation of ap25 on older non-ap25 games although technically possible is highly unlikely.
Currently topology data for xgd3 titles are similar and topology data from one xgd3 title will pass on another xgd3 title although this is not advisable.
Per title title topology data is best as there are slight differences between titles and newer titles could have different topology than existing ones.
One liteon to go and four Hitachis. Have a great year everyone.
Thanks go to Team Jungle and all testers for their hard work and efforts in the development process.
Thanks also go to Team Xecuter for their support to this project.
If you’d like your console modded by a pro, don’t hesitate get in touch
CONTACT via email
Please note that I am not a developer/coder of freeBOOT, I don’t have the source, and I don’t have anything to do with releasing it.
I’m making this post because I am still getting hammered with IMs and questions about the future of freeBOOT. I have been close friends with some of the people involved from the beginning, and I contribute when I can (as evidenced by all my freeBOOT videos on YouTube – I posted the first video of it).
The project is dead. This is confirmed by me via talks with the developers. There will not be a new freeBOOT when the new dash is released. This is not speculation, there are no “unreleased versions,” it was never in development, and there is nobody with the source who is going to release a new version. When pushed for details, it was said that the reason for stopping is due to the primary uses of freeBOOT being shameless piracy and illegitimate money from cheating, neither of which the developers support nor wish to enable.
That being said, that doesn’t mean there won’t be another rebooter released in it’s place. I have no knowledge of any such projects, and it doesn’t look too good considering freeBOOT was the only rebooter released for the 9199 dash, but it is not impossible by any means.
aka no Kinect for JTAG’s. Here’s hoping that something along the lines of XBR4 will come about and save the day.
Source Se7enSins
WARNING
Important Information About Your Xbox LIVE Service
On November 1, 2010, there will be a mandatory service update to Xbox LIVE. ( Full 12615 update? ) This update will both disable the ability to play backups of your latest games, (for now) and ensure your arse gets banned from Xbox LIVE. (Which would probably happen anyway) 
[2010-10-30 03:11PM] <c4eva> New AP25 checks confirmed on new dash with fable 3, LT+ coming for required drives with SSv3 and anti AP25 included!
[2010-10-30 03:15PM] <c4eva> there are 5 ap25 checks done when xex is launched![2010-10-30 03:17PM] <c4eva> samsung doesnt have ap25
[2010-10-30 03:18PM] <c4eva> 360s LT+ will include this now
[2010-10-30 03:19PM] <c4eva> samsung and some old hitachi dont have ap25
[2010-10-30 03:22PM] <c4eva> samsung wont do ap25, it will be skipped (safe)
[2010-10-30 03:24PM] <c4eva> they will detect your drive changing to a samsung! [if you spoof to Samsung]
[2010-10-30 03:31PM] <c4eva> dash log:
[2010-10-30 03:31PM] <c4eva> AD0000000000000000180000
[2010-10-30 03:31PM] <c4eva> 55000000000000002A000000
[2010-10-30 03:32PM] <c4eva> 392077777777777777777777
[2010-10-30 03:32PM] <c4eva> 5A003900000000002A000000
[2010-10-30 03:32PM] <c4eva> 55000000000000002A000000
[2010-10-30 03:32PM] <c4eva> 392077777777777777777777
[2010-10-30 03:34PM] <c4eva> 5A003900000000002A000000
[2010-10-30 03:34PM] <c4eva> 55000000000000002A000000
[2010-10-30 03:34PM] <c4eva> 392077777777777777777777
[2010-10-30 03:34PM] <c4eva> 5A003900000000002A000000
[2010-10-30 03:34PM] <c4eva> 55000000000000002A000000
[2010-10-30 03:34PM] <c4eva> 392077777777777777777777
[2010-10-30 03:34PM] <c4eva> 5A003900000000002A000000
[2010-10-30 03:35PM] <c4eva> 55000000000000002A000000
[2010-10-30 03:35PM] <c4eva> 392077777777777777777777
[2010-10-30 03:35PM] <c4eva> 5A003900000000002A000000
[2010-10-30 03:35PM] <c4eva> 550020000000000014000000
[2010-10-30 03:35PM] <c4eva> thats it
[2010-10-30 03:41PM] <c4eva> confirmation will need to be done on released retail kinect dash!
[2010-10-30 03:43PM] <c4eva> at this point, only new games check ap25!
[2010-10-30 03:44PM] <c4eva> kreon=fail!
“Not sure if this is real or not, but here is a video from Russia showing a Slim X360 running freeBOOT and XELL”
When something seems to good to be true…
As we mentioned here, here and here, TeamHades were working on the PS3’s BD Drive, they had managed to connect both fat and slim drives up to a PC and they also managed to find out how to grab the firmware of the drives, now it emerges, that the well known Xbox 360 DVD Drive circumventers TeamJungle, are helping TeamHades with their project, here is a translated quote from TeamHades blog:
As you read in the title of this entry, the TeamJungle is working in collaboration with the TeamHades in the Reader-DB Playstation3 undoubtedly good news for the community of DHorg and his followers.
c4eva is delighted to partner with our team and finally the ps3 reader fall.
For those who do not know the TeamJungle, I can only say that they are responsible for the hacks of the reader of the xbox360, as a result xbox360 users have for years been playing their backups.
Any new comment you are DHorg community
The ball is well and truly rolling
Some time yesterday (14/08/2010) c4eva dropped one of his usual slightly cryptic, yet totally obvious bombshells “9504TEST – Hello world Slim!”
Today youtube user xdemovideos, in conjunction with Team Xecuter, Team Jungle and c4eva, posted a video to youtube showing the proof of concept “hack” in action.
Many people have been screaming FAKE, and it’s kind of understandable, what with the amount of shit that gets posted to youtube, but as ever, you really should make some sort of attempt to find out wtf you’re talking about, before you go and make yourself look like a total cunt in public.
From my limited understanding, there will still be a long way to go before any sort of user friendly method is made available, but it’s great to see this milestone happen so soon after the release of a new drive. ( Philips Lite-On DG-16D4S FW ver: 9504 )
Congrats to all involved, Never Say Never
Although it’s been in the works for some time, a few days ago LoveMHz announced that he has gotten N64 emulation running on the Xbox 360
.
About Love364, yes I changed the name ;D Currently we have the core, RSP, and audio implemented. Alot of work so far. Now what about video? Well it seems that every video plugin out there either uses OpenGL or DirectX with Fixed Pixel Pipelines which the Xbox360 does not support. Also due to the differences between Fixed Pixel Pipe-lining and HLSL a simple rewrite isn’t possible. So with the advice and over look of Zezu I have decided to write my own up to date graphics and RDP part of the emulation instead of hacking around Rice’s video code. Not much progress so far, expect I have been able to process and sort out the commands coming from the RSP. Still a lot of work todo. And thus the reason there isn’t any screenshots yet.
The general scoop of this is simple massive. Things can easily go wrong with around 20 basic commands and over 1,000 calls a second just for graphics. I easily I have my work cut out, even when I’m spending 10-12 hours a day coding.
Writing my own graphics plugin and RDP code has it’s pros, even though this just seems like a major set back.
Pros and Ideas:
* High Anti-aliasing Support
* HLSL per texture scripting
* Shaders, Bloom, and HDR possibilities.
* Texture Scaling via HLSL.So in general Love364 will hopefully redefine how N64 emulation looks and runs.
Current Emulation Status
Currently we are still running on one CPU core with little to no optimization with everything run minus graphics at around %50 of the N64 speed. I’ve yet to look into dynrec or inline function calling, but when the time comes there’s no reason why we shouldn’t be able to easily hit 100% speed on emulation.
24th Apr
25th Apr
C4E’s iXtreme Lite Touch (LT) in association with Team Jungle & Team Xecuter
——————————————————————————————————————————-
After a long development and testing process we give you the first official release of the iXtreme LT
- Supports all Liteon Drives (74850, 83850V1, 83850V2, 93450)
- Totally re-written code optimised for minimal patching
- Whole banks of firware now untouched
- New Drive response timing engine accurately mimics original drive timings
- Full disc stealth used by default
- Waveless booting , disc images are assumed to be correct!
- Split-Vid used as default
###### WARNING ######
Warning! Ensure all disc images are checked with abgx as LT assumes all stealth/ss/pfi/dmi is correct. Disc images must also be splitvid and preferred SS v2
Warning! Lt will not save you from being banned if console is already flagged by using a previous firmware or non-stealth discs
It is also advisable to apply all system updates before flashing with LT. All future console system updates (not game updates) must be applied with caution
###### WARNING ######
Thanks go to Team Jungle for their hard work and efforts in the development process.
Thanks also go to Team Xecuter for their generous support to this project.
Though you cant get your hands on it yet!
.
.
.
.
.
.
PS3 Laptop
Benjamin Heckendorn does it again!
From the man that brought us the Portable Wii Laptop, Xbox 360 Laptop, and How To Build Your Own PS360 Controller, we now have the Playstation 3 Portable
Check out his other amazing hacks / mods @ benheck.com
.
Sony KONPYUTAENTATEINMENTOJAPAN has announced that the revamped PlayStation Store will open its virtual doors on Tuesday, April 15th.
Update: SCEA has confirmed that loud-mouthed, spendthrift American PS3s will be allowed to roam the aisles on the same day, as will systems from around the globe.
The store revamp will be facilitated by enhanced firmware (version 2.30) and should mark the return of weekly content updates which have been absent since April 3rd. Once the more user-friendly interface is up and running, PS3 owners will be able to download fun things like Warhawk‘s Broken Mirror expansion and the ‘Still Alive’ DLC for Rock Band.
Read – PlayStation 3 firmware v2.30 walkthrough video
Read – Revamped PlayStation Store images
Read – DTS’ own confirmation of the good news
Release Date: April 29, 2008
Official Website: http://www.rockstargames.com/IV/
Videos:
Trailer 1: Things Will Be Different
Trailer 2: Looking For That Special Someone
Trailer 3: Move Up, Ladies
Trailer 4: Everyone’s A Rat
[2010-11-01 08:33PM] <c4eva> logged entire update process, no vendor packets, only standard inquiry and key exchange, so update process safe!
[2010-11-01 08:37PM] <c4eva> fable 3 not safe! ap2.5 active for that title with new dash!
Full quote HERE
If you want to force the update, go to test connection and it should prompt you to do the update.
REMEMBER, it is advised to return your drives firmware to stock before doing dash updates. And for the time being, this update will not allow you to play new games containing ap2.5 And if you try to play those games, you will be flagged for a ban.
Here are a few of the features that are including in this update: Continue Reading
SoulHeaven of Librasoft and the Logic-Sunrise forums, introduces a new AP2.5 bypass for 360′s with dash version 12611
.
This means that consoles updated with 12611 that have Liteon or Benq drives which currently do not read the games like Fable III because of the new AP2.5 checks, are now able to read them.
This hack requires the use of the x360SED v1.0 chip created by SoulHeaven and will be sold within a few days exclusively on Logic-Sunrise and Librasoft Store.
The principle is simple:
- Install the x360SED chip between the 360 mainboard and the DVD drive, solder the one wire from the x360SED to the consoles sync button
- Install Fable III on your console’s hard drive (From an original or a backup)
- Insert the game Fable III until it is recognized by the dashboard (Image of the game while taking the square)
- Press the sync button to eject the game Fable III
- Insert an original game Xbox 360 (Any), press again and the sync button controllers
- Press A to start the game Fable III starts without worries.
Obviously this is not safe for use on Xbox Live
[1:58am] <+c4eva> just a word of warning on the sed “disc swap”, although this passes the timing check, ap25 also returns data from its check which will be wrong with the wrong disk and will get you banned!
Quick Q&A with c4eva… Continue Reading
fbBuild 0.1
===========
Introduction:
=============
Sad to hear the rumor of ikari stepping down, and even sadder to hear
of the profiteers taking advantage of this… we bring you a tribute
to ikari. If you paid for this, get a refund!
fbBuild is a NAND image builder made to suit freeBoot style images,
the included patches and freboot.bin core are based on the original
works done by ikari.
It is suitable to build rebooter images for all current JTAG exploit
compatible xbox 360′s. As with ibuild produced images, this version
only requires a single flash 16MiB in size or larger.
What’s New:
===========
- based on targeting kernel 2.0.12611.0
- patches from freeBoot kernel/hv are ported to 12611
- supports both flash tool and ibuild extracted kv/smc_config
- supports injecting Mobile*.dat
- previously revoked usb devices should now work
- kinect works (apply system update for avatars and kinect)
it is strongly recommended that r6t3 be removed
- entirely new image builder (no extraction)
- rebuilt/cleaned core can now boot xell on slot to eject dvd drives
(see bin directory for alternate)
- exploit payload simplified Continue Reading
Source logic-sunrise
Offical Post and updates – Se7enSins
(translated)
News rained for several hours with the appearance of new freeBOOT! Sneaky Peanut released the first GUI for automated creation of a new freeBOOT 12611 image.
Very easy to use, you will create a nand Freebooter 12,611 (KINECT) easily.
Thank you to the creators of Freeboot, the creator of the GUI, and the person who made me discover.
Procedure:
1 – run the software
2 – Select your nand
3 – Check your CPU key
4 – Wait for the creation
5 – Place the image on your USB drive
6 – Flash
7 – Enjoy!
Easy GUI Freebooter 12611
I decided to release my 3D reconstruction software, even though nobody will be able to compile it yet. The problem is that it’s built on top of the Vrui VR toolkit, version 2.0, which is not released yet. But hopefully in a few days. At that point, it will definitely build on Linux, and probably on Mac OS X if you find a Mac version of the libusb-1.0 library (which I think exists).
Source okreylos @ YouTube
In case yours gets lost or damaged, or you want to sell your copy of Kinect Adventures, but still have a calibration card, I scanned the original and cleaned it up a bit.
Why M$ are charging $0.99 for this rather than giving you an image, or maybe a .pdf/.doc or whatever, is beyond me. I recommend printing this on card, or at least sticking the printed paper to some card for best results.
Click for correct size
Unfortunately I’ll probably be sound asleep when that happens, haven’t slept in 2 days 
Have fun #fw fuckers (and may the rest of you “normal” people out there, also enjoy the release)
Also… http://www.team-xecuter.com/forums/showthread.php?t=58118
Thanks go’s out to C4eva, TeamJungle, TeamXecuter and anybody else involved. Never say Trevor.
BenQ & Lite-On LT+ Multiupload
AP2.5 PATCHES @ http://bit.ly/hWm41u
Official release of C4E’s iXtreme LT+
- Supports Benq and Liteon Drives (74850, 83850V1, 83850V2, 93450)
- Optimized PFI code to accommodate AP25 SS data
- Defeats current AP25 protection
- Protects console from logging AP25 violation
- Full disc stealth used by default
- Waveless booting, disc images are assumed to be correct!
- Split-Vid used as defaultIf booting an AP25 title without AP25 SS game will not boot but will still be protected from logging AP25 violation on current dash 2.0.12611.0
If LT+ encounters an unknown AP25 challenge, game will not boot but console will still be protected from logging AP25 violation on current dash 2.0.12611.0AP25 SS are region specific for region locked games (Current Example NFS: Hot Pursuit is both PAL and NTSC – 2 different AP25 Patches)
If you boot the AP25 titles without LT+ you will probably be flagged for a ban.
You cannot spoof a different model drive as that can now be detected. With this release of LT+ you HAVE to have an original Benq or Liteon.
LT+ for slim 9504 is next followed by LT+ for slim 0225
Thanks go to Team Jungle for their hard work and efforts in the development process.
Thanks go to Team Xecuter for their generous support and input to this project.You can download the current batch of AP25 Patches from http://www.team-xecuter.com/forums/showthread.php?t=58118
Thanks go’s out to C4eva, TeamJungle, TeamXecuter and anybody else involved. Never say Trevor.
JungleFlasher
JungleFlasher is developed in conjunction with Team Jungle in an effort to bring all 360 DVD‐Drive flashing functions together in one easy to use Win32 Application. JungleFlasher provides several functions that up until now were carried out by several different app’s in both Dos and Win32.
Check out http://www.jungleflasher.net for more info, guides and the forum.
If you would like to donate to the team for all their hard work, including C4eva, please click here 
A California man charged with violating the DMCA by installing mod chips in Xbox 360 consoles won’t be allowed to claim “fair use” at his scheduled jury trial next week, a federal judge ruled Tuesday — a decision potentially devastating to the defense, and not particularly favorable to anyone who thinks they have the right to tinker with hardware that they’ve bought and paid for.
Matthew Crippen, 28, faces three years in prison on two allegations of violating the anti-circumvention provisions of the Digital Millennium Copyright Act for financial gain. Crippen, who’s from Anaheim, allegedly had a business modding Xbox 360s for between $60 and $80 a pop, allowing the consoles to run pirated games or unapproved homebrew software. He was indicted after allegedly performing the silicon surgery for an undercover corporate security investigator with the Entertainment Software Association, then again for an undercover federal agent.
His trial is set to begin on November 30 in Los Angeles, and would be the first federal criminal prosecution for console-modding to reach a jury.
Full story @ wired.com/threatlevel
[2:09pm] (+c4eva) everything looks good, expect a release within 96 hours!
.
Also made a little countdown timer for you to fapp to :p http://tinyurl.com/6bo4pza
Huge thanks go’s out to c4eva, Team Jungle, and Team Xecuter, for their continued hard work and support.
In spite of all the doubters and haters, hear it is, FREE of charge, NO x360usb pro required.
Full firmware pack
http://mir.cr/WO9UTX0P
JungleFlasher.0.1.81.Beta(226)
http://mir.cr/82CVFWHO
JungleFlasher Tutorial 1.4.0
http://mir.cr/0ZYOPU6N
If you’d like to show your appreciation to all involved, you know what to do…
BGA Reballing
We offer a complete in house service with friendly on-line support, quality and a service that will give you total assurance that your repairs, servicing and purchases made through us will be handled in a professional and efficient manner.
We use only genuine components, the highest quality materials and professional equipment to ensure a permanent fix.
Our team of skilled technicians have the technical knowledge and expertise to tackle the most complicated problem.
For the most competitive price, and quickest turnaround time, allow us to provide you with a FREE QUOTATION on any repair requirements that you might have.
Please see the “SERVICES” link at the top of the page for contact details.
Also see HERE for further information regarding the reballing process.
Posted by tuxuser @ libxenon.org
You thought it wouldn’t be possible?
You thought there are only (a few) JTAGs or total overpriced Devkits to run unsigned Code?
GliGli & Tiros are proving the opposite! They developed a Hack which glitches all recent Xbox360 Kernels to run unsigned Code on:
ZEPHYR, JASPER …….and…… TRINITY (aka SLIM!).
(no matter which Dashboard/Kernel they are running)
Here is the detailed technical explanation
Details for the fat hack
========================
On fats, the bootloader we glitch is CB, so we can run the CD we want.
cjak found that by asserting the CPU_PLL_BYPASS signal, the CPU clock is slowed down a lot, there’s a test point on the motherboard that’s a fraction of CPU speed, it’s 200Mhz when the dash runs, 66.6Mhz when the console boots, and 520Khz when that signal is asserted.
So it goes like that:
- We assert CPU_PLL_BYPASS around POST code 36 (hex).
- We wait for POST 39 start (POST 39 is the memcmp between stored hash and image hash), and start a counter.
- When that counter has reached a precise value (it’s often around 62% of entire POST 39 length), we send a 100ns pulse on CPU_RESET.
- We wait some time and then we deassert CPU_PLL_BYPASS.
- The cpu speed goes back to normal, and with a bit of luck, instead of getting POST error AD, the boot process continues and CB runs our custom CD.
The NAND contains a zero-paired CB, our payload in a custom CD, and a modified SMC image.
A glitch being unreliable by nature, we use a modified SMC image that reboots infinitely (ie stock images reboot 5 times and then go RROD) until the console has booted properly.
In most cases, the glitch succeeds in less than 30 seconds from power on that way.
Details for the slim hack
=========================
The bootloader we glitch is CB_A, so we can run the CB_B we want.
On slims, we weren’t able to find a motherboard track for CPU_PLL_BYPASS.
Our first idea was to remove the 27Mhz master 360 crystal and generate our own clock instead but it was a difficult modification and it didn’t yield good results.
We then looked for other ways to slow the CPU clock down and found that the HANA chip had configurable PLL registers for the 100Mhz clock that feeds CPU and GPU differential pairs.
Apparently those registers are written by the SMC through an I2C bus.
I2C bus can be freely accessed, it’s even available on a header (J2C3).
So the HANA chip will now become our weapon of choice to slow the CPU down (sorry tmbinc, you can’t always be right, it isn’t boring and it does sit on an interesting bus 
So it goes like that:
- We send an i2c command to the HANA to slow down the CPU at POST code D8 .
- We wait for POST DA start (POST DA is the memcmp between stored hash and image hash), and start a counter.
- When that counter has reached a precise value, we send a 20ns pulse on CPU_RESET.
- We wait some time and then we send an i2c command to the HANA to restore regular CPU clock.
- The cpu speed goes back to normal, and with a bit of luck, instead of getting POST error F2, the boot process continues and CB_A runs our custom CB_B.
When CB_B starts, DRAM isn’t initialised so we chose to only apply a few patches to it so that it can run any CD, the patches are:
- Always activate zero-paired mode, so that we can use a modified SMC image.
- Don’t decrypt CD, instead expect a plaintext CD in NAND.
- Don’t stop the boot process if CD hash isn’t good.
CB_B is RC4 crypted, the key comes from the CPU key, so how do we patch CB_B without knowing the CPU key?
RC4 is basically:
crypted = plaintext xor pseudo-random-keystream
So if we know plaintext and crypted, we can get the keystream, and with the keystream, we can encrypt our own code. It goes like that:
guessed-pseudo-random-keystream = crypted xor plaintext
new-crypted = guessed-pseudo-random-keystream xor plaintext-patch
You could think there’s a chicken and egg problem, how did we get plaintext in the first place?
Easy: we had plaintext CBs from fat consoles, and we thought the first few bytes of code would be the same as the new CB_B, so we could encrypt a tiny piece of code to dump the CPU key and decrypt CB_B!
The NAND contains CB_A, a patched CB_B, our payload in a custom plaintext CD, and a modified SMC image.
The SMC image is modified to have infinite reboot, and to prevent it from periodically sending I2C commands while we send ours.
Now, maybe you haven’t realised yet, but CB_A contains no checks on revocation fuses, so it’s an unpatchable hack !
Caveats
=======
Nothing is ever perfect, so there are a few caveats to that hack:
- Even in the glitch we found is pretty reliable (25% success rate per try on average), it can take up to a few minutes to boot to unsigned code.
- That success rate seems to depend on something like the hash of the modified bootloader we want to run (CD for fats and CB_B for slims).
- It requires precise and fast hardware to be able to send the reset pulse.
Our current implementation
==========================
We used a Xilinx CoolRunner II CPLD (xc2c64a) board, because it’s fast, precise, updatable, cheap and can work with 2 different voltage levels at the same time.
We use the 48Mhz standby clock from the 360 for the glitch counter. For the slim hack, the counter even runs at 96Mhz (incremented on rising and falling edges of clock)
The cpld code is written in VHDL.
We need it to be aware of the current POST code, our first implementations used the whole 8 bits POST port for this, but we are now able to detect the changes of only 1 POST bit, making wiring easier.
Conclusion
==========
We tried not to include any MS copyrighted code in the released hack tools.
The purpose of this hack is to run Xell and other free software, I (GliGli) did NOT do it to promote piracy or anything related, I just want to be able to do whatever I want with the hardware I bought, including running my own native code on it.
Credits
=======
GliGli, Tiros: Reverse engineering and hack development.
cOz: Reverse engineering, beta testing.
Razkar, tuxuser: beta testing.
cjak, Redline99, SeventhSon, tmbinc, anyone I forgot… : Prior reverse engineering and/or hacking work on the 360.
Compatible with the Xbox 360 “Reset Glitch Hack” . There are only two of these available in the UK right now, so grab one while you can.
CoolRunner-II
The CoolRunner-II XC2C CPLD has two separate banks of pins that can operate at different voltages, internal pull-up resistors, and pin keepers.
This development board from Dangerous Prototypes will help you build your first custom logic chip using simple schematic entry, Verilog, or VHDL.
Got a couple of brand new Falcons for sale, freshly JTAG’d by my good self 
Will post a sales pitch with pictures later, when I’ve got time 
Let me know if you are interested. http://about.me/DARKFiB3R
Required Hardware
Recommended
|
Required Applications/Files
|
Prepare your EnvironmentInstall the NAND-X drivers (info)Update your NAND-X to v3 if needed (info)Create a new folder on your C: drive called nandpro3Extract the following files/folder to C:\nandpro3
(Just so I don’t have to keep editing this guide so much, rename 360_Multi_Bulider_vX.X to 360_Multi_Builder)
**Note** Only the .xsvf files from coolrunner_xsvf_jed.rar are required for the TX Coolrunner. The .jed files are for other devices. |
| Dump/Read the NANDBefore dumping your NAND, it’s probably a good idea to update your xbox to the latest dashboard version. You can do this via Xbox Live, USB key or CD. This is not needed, but it’s probably quicker to get it out of the way now, and will save you and extra step at the end of the guide.DO NOTupdate to any higher version than this guide is based on, just in case MS release and update that can disable this hack. Apparently, that isn’t something they can actually do with the Reset Glitch Hack (unlike the JTAG hack) But you never know.So, with that out of the way, on to the good stuff…Take the console apart and remove the motherboard from the metal cage (info)Connect your NAND-X to the 360 motherboard by soldering your QSB’s, Pin Headers, or direct cable connections to the correct points on your motherboard.NAND-X Install Guides
Once you have your NAND-X wires installed, connect it to your PC via the USB cable…
Make sure that the mains power is connected to the xbox, but do not turn the xbox on. Now, on your computer, open a command prompt and navigate to… C:\nandpro3 Do that by hitting the start button, typing cmd and hitting Enter. Then type cd \nandpro3 and hit Enter. Or.., hold the Shift key, and Right Click on a blank space inside the nandpro3 folder, then click “Open Command window here“
Now type (or Copy and Paste) the following commands, into the command window (same command for Phats or Slims, see Note) nandpro usb: -r16 nanddump.bin
nandpro usb: -r64 nanddump.bin (The full 256MB or 512MB is not required) Quote:
Now compare dumps by typing… fc /b nanddump.bin nanddump2.bin You should see… FC: no differences found If there are differences, check your soldering and try again until you have matching dumps.
Quote:
|
Bad Blocks?If bad blockswere found while dumping your NAND… Open one of your NAND dumps in 360 flash dump tool 0.97Don’t worry if it says BADKV all over the place, this is normal because you haven’t entered the CPU Keyyet. (We will get to that later).Check for a bad blocks tab, next to the file system tab.If there is no bad blocks tab, you have no bad blocks.
If there IS a bad blocks tab, click on the tab and verify that it looks like this: Note: Bad Block ID 0×0349 [Offset: 0x00D8D200] -> Block ID 0×0349 found @ 0x3FD [Offset: 01073A00] You should see the above 2 lines of text, for each bad block you have. The numbers may be different of course, depending on which blocks are bad, but the point is, for each bad block, you should see that the block was found @ another block. This means that you did have bad blocks, but they have been corrected by the NANDs error correction, so they are legit bad blocks, and not just read errors due to dodgy soldering. Example of 3 corrected bad blocks…
If the errors are at block 0×050 or above, no further action needs to be taken, because… “Many user reports indicate that using Xell-Reloaded/Rawflash v3 to flash the Dashboard image, has a much better result over flashing with hardware flashers. This is because it helps to auto-remap the bad blocks in case they exist.” As we will be booting into Xell-Reloaded, which will use Rawflash v3 to flash the NAND later on, the bad blocks will be auto remapped for us. But… If you see: But NO found @ location for the block, that means this bad block was the result of a read error with the NAND reader. Check your soldering and try again. If you have Bad Blocks at 0×050 or below, check out Martin C’s guide on how to manually remap them. (Info) If all checks out, you now have 2 good NAND dumps. KEEP THEM SAFE. FOREVER. |
Create your XeLL/ECC Glitch imageCopy your nanddump.bin file from the nandpro3folder, to …360_Multi_Builder\Data\my360Launch Run.exe from the 360_Multi_BuilderfolderPress the number corresponding to your motherboard revision, and hit Enter You will get a warning saying The file “cpukey.txt” is missing.
This is normal as we haven’t created it yet. Press any key to continue. Sit back and watch 360 Multi Bulider do it’s stuff…
Press any key to close 360 Mulit Builder Your Image_00000000.ecc file has now been created in 360_Multi_Builder\Data
|
Flash the Reset Glitch Hack v1.1 .ecc file to the NANDMove the image_000000000.ecc file into the nandpro3folderEnter the following command for slim consoles and non BB Phatsnandpro usb: +w16 image_00000000.eccOr for BB Jaspers…nandpro usb: +w64 image_00000000.ecc*Note: it must be +w16 NOT -w16 |
Programming the TX CoolRunnerDisconnect the cables from the NAND-X (not sure if that’s actually needed, but probably for the best) (the wires can stay soldered for now)Make sure the switch on the CoolRunner is set to PRG(program) Connect the CoolRunner to your NAND-X using the NAND-X to CoolRunner JTAG Cable Enter one of the following commands (corresponding to your motherboard revision) (info) into the command prompt window, and hit Enter.
NandPro xsvf: Trinity.xsvf Once the CoolRunner is programmed, it will say “Successfully executed file“, in the command prompt window, and the Green LED will turn off.
Now disconnect the CoolRunner from the NAND-X, and move switch to NOR (Normal) Also make sure that the other switch is now set to the correct position for your console type (Phat or Slim) |
| Install the TX CoolRunner Now that you have good/matching NAND dumps, you have programmed the CoolRunner, and have created the Xell/ECC Glitch image, this is probably the best time to install the chip.Printer friendly, quick install guides (A4 paper, 300dpi) (LINK)Various other install methods and tips (LINK) |
Retrieve your CPU KeyNow that your CoolRunner is fully programmed/installed, it’s time to boot the console and retrieve the CPU Key.At this point you only need to connect…
Once you have the above items connected, turn on the console. You should see a constant Red LED on the CoolRunner as soon as you connect power to the console, joined by a flashing Green LED when you turn it on. The flashing Green LED indicates that Glitch attempts are taking place. If you do not see this happening, turn the console off, and refer to the FAQ at the bottom of this guide. Once the Glitch is successful, you will be greeted on screen with the awesomeness that is XeLL-Reloaded You may now retrieve your CPU Key, either by copying it from the screen
Or by connecting the Xbox to your LAN via an Ethernet cable, and downloading the info from XeLL-Reloaded via it’s http web interface. Using your web browser, connect to the IP address shown next to network config: For example: http://192.168.1.47
From XeLL-Reloaded’s web interface…
As you can see above, your CPU Key is made up of two fuseset lines, i.e 03 + 05, or 03 +06, ect. Your LDV (Lock Down Value) starts on line 07, the amount of f’s = the value, so in the above image, the LDV value is 2 For more info regarding LDV, check out Martin C’s post (info) |
Create your NAND ImageMove cpukey.txtto…360_Multi_Builder\Data\my360Launch 360 Multi Builder again and press the number corresponding your motherboard revision.You may get a message informing you that “No fcrt.bin found in this nand.“ This is not uncommon, and is nothing to worry about, so just continue.Just for completeness, here is what it looks like if your NAND does contain fcrt.bin  Again, just press Enter to continue. You are now given the option to create a Glitch image, or a stock NAND image (Retail MS). For the purpose of this guide, you want to choose 1
Press 1 again, choosing to build the image with DashLaunch patches included (highly recommended), and hit Enter
Now that Multi Builder has your NAND dump and CPU Key, it will use xeBuild to create your new “hacked” NAND image (nandflash.bin) and save it in 360_Multi_Builder\Data (image – xeBuild Finished. Have a nice day) (image – recommended flashing method) |
| DashLaunch Optinons *****COMING SOON***** |
Flash your NANDCopy nandflash.bin and xenon.elf from 360_Multi_Builder\Datato a USB keyIf the console is still running, with XeLL on screen, insert the USB key now.XeLL-Reloaded will find xenon.elf and use it to flash nandflash.binto your NAND. (if not, turn the console off, and on again)(again, still no need to boot with the eject button at this time) Once you see “Image written, shut down now!” on your screen, turn off the console and remover the power for at least 30 seconds, and remove the USB key.
You can use this time to put the motherboard back in the cage, and reconnect your HDD, and DVD drive. Replace the power, and boot the console. You are now running a hacked dash If all is well, fully reassemble the console. |
| Finishing UpDepending on the dashboard version you were on before you started, you may need to perform an update in order to get Avatars/Kinectworking correctly.If that is the case, put the USB key back in your PC, and delete the files from it.Now place the $systemupdate folder from the official 2.0.14699.0update, on the USB KeyIf you chose to create your NAND image with DashLaunch patches included (as you should have), then rename$systemupdate to $$ystemupdateotherwise the update wont install, because DashLaunch is configured to block updates by default.Make sure your xbox has some storage space for the update files, like a HDD or internal memory
Insert the USB key into the 360, and allow it to perform the update. You are now ready to start installing all sorts of homebrew win, but before you do that, make backup copies of the following files, and put them somewhere safe. nanddump.bin Add them to a .zip/.rar file, and then email them to yourself, so that they are stored online, as well as locally. After making your backup, delete the original files, so that you have clean working folders for any future Glitches you may do. |
| Updating If your console is already Glitched and running a hacked Dashboard, and you just want to update to the latest, follow this guide, starting from the Create your NAND Image section. |
| Resources/Tools (auto) xbins HDD Folder List Title Updates ISO2GOD XBC Party Buffalo Drive Explorer QuickBoot v2.1 |
Waffle
Thanks to blackwolf over at EMS for a large hunk of this guide, taken from here… http://www.elitemods…al-by-blackwolf and anybody else I may have nicked bits from, here and there 
And obviously a huge thanks to everybody involved in making all this even possible, not least of course, the legend that is gligli.
This was just compiled and edited to fit my own needs, but I thought If I padded it out a bit, it may be helpful to others who have the same TX based setup.
If there is anything I have left out, or something I have totally butchered (bad blocks section?), pull me on it, so I can fix it. Thanks.
