Incomplete. Work in progress.
This is an unfinished / modified version of Looouky’s awesome UPDATED guide which can be found here https://docs.google.com/View?id=dnfmv5h_30dw33vpf4
Please use Looouky’s guide until further notice
The very first thing you need to check is your Xbox kernel.
- Turn on your Xbox and go to console settings.
- Go to system info, the kernel version is on top right.
Even if you have kernel 2.0.7371.0 or lower, depending on the date the console was made, there may still be a chance that your 360 is NOT exploitable.
In that case you will have to dump a small part of the NAND to make further checks.
SPI Dump/Flash tool
In order to dump your NAND and carry out the rest of this hack you need to make and install an SPI to LPT or SPI to USB reader.
If all is well, or you are sure your Xbox is exploitable, you can install the JTAG wires too.
(New diagrams and SPI to RJ45 tutorial to be added soon.)
To make a USB SPI flasher follow the following threads and schematics:
USB SPI Flasher (mini how to)
Technical Discussion on USB SPI FLASHER -Find updated Drivers Released January 25, 2010 and PIC software (PICFLASH_v3b_plus2.zip at the time of writing)
** There is no other 100% way of knowing your CB version without reading the NAND.
To install the JTAG wires on the underside of the board, follow the diagram below.
To install the JTAG wires top side and install a homemade LPT reader, follow the diagram below.
For Xenon motherboards follow the diagram below.
With the hardware side complete you can move on to the second stage of the hack. You will need the following:
- XeLL (free60 version) File size should be about 1.4 MB and there is a version for each motherboard. (Download from xbins)
- XeLLous, at the time of writing this is at version 1.0 (Download from xbins)
- Latest release of XBReboot, specific for your motherboard. (Download from xbins)
- NandPro v2.0 B (nandpro20b) (Download from X-S)
- 64 bit NandPro USB SPI Driver (Download from cory1492)
- 64 Bit Port95 Alternative (Download from X-S)
- Firefox (Download from Mozilla)
- WinHex or Hex Workshop (Google it)
- An Xbox 360 :p
- A way of reading/writing your NAND (LPT or USB SPI)
- A Router, Switch or direct connection from PC to Xbox via CAT5 “cross over” or “Patch” network cable
- Computer running Windows
- Xbox video leads. Component, VGA or Composite/SCART (XeLL/XeLLous cannot output to HDMI)
Dumping your NAND
Follow these steps to dump just 3MB of your NAND:
(use dump to confirm box is exploitable and inject into XeLL)
- Extract the contents of nandpro20b.rar to a folder on the root of your C drive (c:\nandpro)
- Install Port95nt (included in nandpro20b.rar) You may need to reboot.
- Plug your 360 into the mains so it has standby power, but don’t turn it on.
- Connect the LPT or USB SPI cable to your PC
- Open a Command Prompt. Start > All Programs > Accessories > Command Prompt
- To navigate to the NandPro folder, type: cd c:\nandpro
- Take the first dump of your NAND, type: nandpro lpt: -r3 c1.bin
- If you are using a USB SPI flasher, type instead: nandpro usb: -r3 c1.bin (from here on, we will use lpt:)
- Read your NAND a second time, so type: nandpro lpt: -r3 c2.bin
- Compare your dumps by typing the following command: fc c1.bin c2.bin /b
- If differences were found, take a third dump: nandpro lpt: -r3 c3.bin
- Then compare your second and third dump by typing: fc c2.bin c3.bin /b
- Only use one of the two dumps that match for the following steps. For example, if only c2.bin and c3.bin match, delete the original c1.bin and c2.bin and rename c3.bin to c1.bin.
Note: No read errors should be encountered with the commands above
If for whatever reason you do get errors, please post them on the related thread and ask for assistance before proceeding.
If you’re getting no errors in NandPro, but when you compare your dumps they never match, then depending on what method you used, you may need to ground your LPT cable.
The un-shielded wire on the LPT cable, (i.e. no plastic sleeve) is the ground. Or if you’ve built your own cable from scratch, attach a wire from the metal chassis of the DB-25 connector.
Attach this to the metal cage of the 360, or one of the copper ground points around the screw holes in the motherboard, and that should sort the problem.
Check if console exploitable
Open c1.bin in WinHex, and you should see:
© 2004-200X Microsoft Corporation. All rights reserved.
X = 5, 6, 7, 8 or 9 (depending on what dash you have/when your console was made).
Now search for CB
Click in the text column on the right so the search runs on the text rather than the hex. You are looking for CB at or around offset 8400 (hex); the search is case sensitive, so it must be in capitals.
Once found, look at the hex bytes adjacent to CB: skip the first 4 hex digits (the two bytes 43 42, which are the letters "CB") and take note of the following 4 hex digits.
Now convert those from hexadecimal to decimal (hex to dec) using the Windows calculator.
Open calculator and from the view menu, choose Scientific (Programmer in Win 7).
Select the Hex radio button and enter the four digits you found; now select the Dec radio button, and the digits you entered will change to your CB version.
- Xenon: 1921 or lower is Exploitable (exception: 8192 IS EXPLOITABLE)
- Zephyr: 4558 or lower is Exploitable (exception: 4580 IS EXPLOITABLE this needs falcon version of Free60)
- Falcon: 5770 or lower is Exploitable
- Jasper 16mb: 6712 or lower is Exploitable
- Jasper 256MB /512MB: 6723 or lower is Exploitable
If your Xbox is exploitable, you can proceed with installing the JTAG wires, if you haven’t done so already.
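The WinHex steps above (find "CB" near 0x8400, skip the two magic bytes, read the next two bytes as a number, look it up in the table) can be done in a few lines of Python against your own c1.bin. This is an added example, not part of the original guide or of NandPro/Free60: the 0x8000-0x9000 search window and the header layout (2-byte "CB" magic followed by a big-endian 2-byte version) are my assumptions based on the guide's description, and the sample dump is constructed filler with a header planted at 0x8400.

```python
import struct

# Thresholds copied from the guide's table: the highest CB version that is
# still exploitable for each motherboard, plus the exceptions it lists.
CB_TABLE = {
    "xenon":     (1921, {8192}),
    "zephyr":    (4558, {4580}),   # 4580 needs the Falcon version of Free60
    "falcon":    (5770, set()),
    "jasper16":  (6712, set()),
    "jasper256": (6723, set()),    # 256MB and 512MB Jaspers
}

# The guide says CB is "at or around 8400 in hex". The scan window around it
# is my assumption, as is the header layout: 2-byte magic "CB" followed by a
# big-endian 2-byte version (the "skip 4 hex digits, take the next 4" step).
CB_EXPECTED = 0x8400
CB_WINDOW = (0x8000, 0x9000)


def find_cb_version(dump: bytes):
    """Return (offset, version) for the CB header in the dump.

    The exact offset the guide names is tried first, then the window around
    it, so a stray 'CB' byte pair elsewhere in the filler is not picked up.
    """
    lo, hi = CB_WINDOW
    for off in [CB_EXPECTED, *range(lo, hi)]:
        if dump[off:off + 2] == b"CB":
            (version,) = struct.unpack(">H", dump[off + 2:off + 4])
            return off, version
    raise ValueError("no CB header found between %#x and %#x" % (lo, hi))


def version_hex_digits(version: int) -> str:
    """The four hex digits the guide has you read off in WinHex (e.g. '168A')."""
    return "%04X" % version


def is_exploitable(board: str, version: int) -> bool:
    """Apply the guide's table: at or below the limit, or an explicit exception."""
    limit, exceptions = CB_TABLE[board]
    return version <= limit or version in exceptions


def check_dump(path_or_bytes, board: str) -> dict:
    """Run the whole check on a dump (file path or raw bytes) and report it."""
    if isinstance(path_or_bytes, bytes):
        dump = path_or_bytes
    else:
        with open(path_or_bytes, "rb") as fh:
            dump = fh.read()
    off, version = find_cb_version(dump)
    return {"offset": off, "hex": version_hex_digits(version), "cb": version,
            "exploitable": is_exploitable(board, version)}


def make_sample_dump(version: int, offset: int = CB_EXPECTED) -> bytes:
    """Constructed stand-in for c1.bin: 64 KB of 0xFF filler with a CB header planted."""
    img = bytearray(b"\xff" * 0x10000)
    img[offset:offset + 4] = b"CB" + struct.pack(">H", version)
    return bytes(img)


if __name__ == "__main__":
    sample = make_sample_dump(5770)        # 5770 = 0x168A, the Falcon limit
    print(check_dump(sample, "falcon"))
```

Run it as `check_dump("c1.bin", "falcon")` with the board name that matches your console; the "hex" field is what you would have read in WinHex, and "cb" is the decimal value the Windows calculator step produces.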
Protecting your e-fuses
R6T3 is the label of a resistor on the mainboard of the Xbox 360. It supplies the necessary voltage for the CPU to burn the so-called e-fuses. Burned e-fuses prevent older firmwares (currently any older rev. than 4552) from running on your Xbox 360, thus eliminating the possibility to downgrade to an earlier version of the kernel. It is a 10k Ohm (10,000 Ohm) SMT resistor (Case 0402) functioning as part of a current limiting circuit.
The removal of R6T3 will cause an E80 system error if the NXE update is installed. Replacing the resistor with the original or with another 10K Ohm resistor usually fixes the error state. Given the difficulty in surface mounting a resistor as small as R6T3, simply holding a 10K Ohm resistor in place while the 360 is powering up after giving an E80 will typically allow normal operation from then on. Care must be taken not to bridge the gap without a resistor in place as this may cause system damage.
It is possible that a future update may burn some e-fuses, thus rendering the JTAG hack useless.
XBReboot has virtual e-fuses, and will boot fine with the R6T3 resistor removed.
To protect your e-fuses, it is recommended that you take one of the following courses of action:
I removed R6T3 using this method
Another way is to swamp the whole resistor with solder, allowing both ends to come loose at the same time.
Make sure no solder is left bridging the two points (de-soldering braid can help here).
Alternative methods to protect your e-fuses
If U6T1 is installed
If U6T2 is installed
For more info refer to the following topic:
With the JTAG / SPI hack installed we are now going to proceed to installing XeLL, updating it to XeLLous and using the new HTTPD method to download a full NAND backup.
First you need to download the right version of XeLL and the latest release of XeLLous, otherwise this will not work.
For XeLL you need the free60 version that is specific to your motherboard revision. (They are around 1.4 MB in size each).
XeLLous is compatible with all motherboards, so just download the latest version (v1.0 at the time of writing).
Both XeLL and XeLLous can be downloaded from Xbins
Make sure you get the correct version of XeLL for your motherboard revision.
Zephyr (CB 4580 requires falcon_opus_hack.rar)
Falcon and Opus, (and Zephyr with CB 4580)
Jasper (16MB )
Jasper (256MB / 512MB)
Zephyrs with CB 4580:
Success with these Xboxes is hit and miss; please refer to the bottom of the tutorial for troubleshooting tips and information on the XBR version you require.
Dumping your KeyVault and Config
These files will be flashed back to your NAND after flashing XeLL.
Dump everything multiple times and always compare them using WinHex
To dump your KeyVault from the NAND two or more times (two should be enough) type the following commands:
nandpro lpt: -r16 kv.bin 1 1
nandpro lpt: -r16 kv2.bin 1 1
nandpro lpt: -r16 kv3.bin 1 1
(These commands are the same for all motherboard versions)
Now compare them.
Start WinHex > Tools > File Tools > Compare
If you cannot find the files to open and compare, make sure that “All Files” is selected in the “Files of Type” drop down menu.
Open two of your KeyVault dumps, leave all other options as they are and click OK; the size of the files to be compared will be filled in automatically.
Click OK again to run the comparison. You should get the message “No differences found.”
To dump your Config from the NAND, type:
nandpro lpt: -r16 config.bin 3de 2
nandpro lpt: -r16 config2.bin 3de 2
nandpro lpt: -r16 config3.bin 3de 2
Dump this a couple of times and compare them using the same process as above.
For 256/512 Jaspers it’s:
nandpro lpt: -r256 config.bin ef7 2
*** The above command will work for both 512 and 256.***
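Both the c1/c2/c3 comparison earlier (fc /b) and the KeyVault and Config comparison here (WinHex Compare) are the same check: dump repeatedly, keep only a pair that matches byte for byte, and treat "never match" as a wiring problem rather than something to flash through. The script below is an added example, not part of the original guide or of NandPro/WinHex; it reports the first differing offset for every pair, picks the first matching pair to keep, and runs on constructed sample dumps (a corrupted c1 and two identical c2/c3) so it works offline.

```python
from itertools import combinations
from pathlib import Path


def first_difference(a: bytes, b: bytes):
    """Offset of the first differing byte, or None if the two are identical.

    This is what `fc /b` (or WinHex's Compare) tells you; a length mismatch
    counts as a difference at the end of the shorter file.
    """
    if a == b:
        return None
    n = min(len(a), len(b))
    for i in range(n):
        if a[i] != b[i]:
            return i
    return n


def compare_all(dumps: dict) -> dict:
    """Compare every pair in {name: bytes}; value is first-diff offset or None."""
    return {(x, y): first_difference(dumps[x], dumps[y])
            for x, y in combinations(sorted(dumps), 2)}


def pick_consistent(dumps: dict):
    """Return the names of the first two dumps that match byte-for-byte.

    Returns None when no two agree, which is the 'never match' case the guide
    attributes to a floating ground on the LPT cable: re-check the wiring
    and dump again rather than flashing anything.
    """
    for pair, diff in compare_all(dumps).items():
        if diff is None:
            return pair
    return None


def check_files(paths) -> dict:
    """Convenience wrapper for on-disk dumps (c1.bin, c2.bin, ... or kv*.bin)."""
    dumps = {Path(p).name: Path(p).read_bytes() for p in paths}
    return {"pairs": compare_all(dumps), "use": pick_consistent(dumps)}


def make_sample_dumps() -> dict:
    """Constructed stand-ins: c1 has one bad byte at 0x1234, c2 and c3 agree."""
    good = bytes(range(256)) * 64          # 16 KiB of repeating pattern
    bad = bytearray(good)
    bad[0x1234] ^= 0x01
    return {"c1.bin": bytes(bad), "c2.bin": good, "c3.bin": good}


if __name__ == "__main__":
    sample = make_sample_dumps()
    for pair, diff in compare_all(sample).items():
        print(pair, "identical" if diff is None else "first difference at %#x" % diff)
    print("keep:", pick_consistent(sample))
```

For real files call `check_files(["c1.bin", "c2.bin", "c3.bin"])` from your NandPro folder (or pass kv.bin, kv2.bin, kv3.bin); if "use" comes back as None, none of the dumps agree and the grounding note above applies.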
Copy the free60 version of XeLL for your specific motherboard to c:\nandpro
Now flash XeLL with the following command.
e.g. for Zephyr:
nandpro lpt: -w16 zephyr_hack_updxell.bin 0
e.g. for a 256MB/512MB Jasper (pick -w256 or -w512 to match your NAND size):
nandpro lpt: -w256/-w512 jasper_6723_hack_for_256mb_512mb.bin 0
Now flash your KeyVault back to the NAND with the following command ( it’s the same for all versions of motherboards)
nandpro lpt: -w16 kv.bin 1 1
It’s very important that you flash your key back, otherwise you will not be able to dump or flash your NAND through XeLLous.
Update XeLL with XeLLous
Do not proceed with this step unless you have flashed XeLL and your KV.
Flash XeLLous with the following command; it’s the same for all motherboard versions:
nandpro lpt: +w16 xell-1f.bin 30
Backing up the NAND:
This is the good part now….
Unplug your Xbox and let it sit for 30 seconds.
Connect it to your TV via Component, Composite, SCART or to your monitor via VGA (Xell/XeLLous cannot output to HDMI.)
Connect it to your network via the back RJ45 jack.
Boot into XeLLous by powering on the Xbox via the eject button. I don’t remember exactly which one worked. It might have booted into XeLL straight off the power button, actually.
I can’t remember though.
Once in XeLL you should see a screen that resembles the following:
Take a picture so that you have a record of your CPU key and DVD key.
Note the address of the HTTPD.
If you see “XeLL network config: 10.0.120.209 / 255.255.255.0”
It means you are still in XeLL, and the XeLLous update did not work.
Rename xell-1f.bin to updxell.bin
Put it on a USB stick, Disconnect LPT/USB cable, boot the 360 via the eject button with the USB stick inserted and it will auto update to XeLLous, and give you the IP address 192.168.1.99
Leave XBOX on and go to your computer.
Using firefox open the httpd address.
If done correctly you should see a screen like this one.
Under Raw flash click download and save it to your NandPro folder naming the file 1.bin
Dump this a couple of times and compare them.
Turn off the 360 and reconnect it to the PC via LPT or USB.
Rename the XBReboot .bin for your motherboard version to updflash.bin and put it in your NandPro folder.
Make your NAND Dump Whole Again:
Since we overwrote the start of your NAND with the Free60 version of XeLL, we now need to write those first few MB (from the c1.bin dump taken before flashing) back into the Raw Flash dump from XeLLous.
This can be done as follows:
nandpro 1.bin: -w3 c1.bin
And update xbr with your key and config.
nandpro updflash.bin: -w16 kv.bin 1 1 (16MB NAND)
nandpro updflash.bin: -w256/-w512 kv.bin 1 1 (256MB/512MB Jasper)
nandpro updflash.bin: -w16 config.bin 3de 2 (16MB NAND)
nandpro updflash.bin: -w256/-w512 config.bin ef7 2 (256MB/512MB Jasper)
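The last two steps are plain byte splicing at block offsets: the first 3 MB of c1.bin go over the start of 1.bin, then kv.bin goes into updflash.bin at block 1 and config.bin at block 3de (16MB) or ef7 (256/512MB Jasper), 2 blocks long. The Python below is an added example of that splice, not the guide's or NandPro's own code. It rests on my assumption, not stated on the page, that NandPro addresses raw NAND in 0x4200-byte blocks (32 pages of 512 data plus 16 spare bytes) and that the "3" in -r3/-w3 means 3 MB of those blocks, i.e. 64 blocks per MB; the sample images are constructed filler sized like a 16MB dump. It refuses the two ways a mistyped command quietly ruins a flash file: a partial block, and a write that runs off the end of the image.

```python
# Assumption (mine, not from the guide): nandpro addresses raw NAND in
# 0x4200-byte blocks (32 pages of 512 data + 16 spare bytes), and the "3" in
# -r3/-w3 means 3 MB of such blocks, i.e. 3 * 64 blocks.
BLOCK = 0x4200
BLOCKS_PER_MB = 64

KV_BLOCK = 0x1                                         # "kv.bin 1 1" in the guide
CONFIG_BLOCK = {"16mb": 0x3de, "jasper256": 0xef7}     # "3de 2" / "ef7 2"
CONFIG_BLOCKS = 2


def write_blocks(image: bytearray, data: bytes, start_block: int, nblocks=None) -> bytearray:
    """In-memory equivalent of `nandpro image: -wXX data start [nblocks]`.

    Copies `nblocks` blocks of `data` into `image` at block `start_block`.
    Refuses partial blocks and writes that would run past the image.
    """
    if len(data) % BLOCK:
        raise ValueError("data is not a whole number of %#x-byte blocks" % BLOCK)
    if nblocks is None:
        nblocks = len(data) // BLOCK
    length = nblocks * BLOCK
    if length > len(data):
        raise ValueError("asked for %d blocks but data holds %d" % (nblocks, len(data) // BLOCK))
    off = start_block * BLOCK
    if off + length > len(image):
        raise ValueError("write of %#x bytes at block %#x runs past the image" % (length, start_block))
    image[off:off + length] = data[:length]
    return image


def restore_head(raw_flash: bytes, c1: bytes, megabytes: int = 3) -> bytearray:
    """`nandpro 1.bin: -w3 c1.bin`: put the pre-XeLL first 3 MB back into the XeLLous dump."""
    return write_blocks(bytearray(raw_flash), c1, 0, megabytes * BLOCKS_PER_MB)


def patch_updflash(updflash: bytes, kv: bytes, config: bytes, board: str = "16mb") -> bytearray:
    """The `nandpro updflash.bin: ...` lines: KV at block 1, config at the board's block."""
    img = write_blocks(bytearray(updflash), kv, KV_BLOCK, 1)
    return write_blocks(img, config, CONFIG_BLOCK[board], CONFIG_BLOCKS)


def make_samples():
    """Constructed stand-ins sized like a 16 MB image (1024 blocks); not real NAND data."""
    image = bytes([0xAA]) * (1024 * BLOCK)
    c1 = bytes([0x11]) * (3 * BLOCKS_PER_MB * BLOCK)
    kv = bytes([0x22]) * BLOCK
    config = bytes([0x33]) * (CONFIG_BLOCKS * BLOCK)
    return image, c1, kv, config


if __name__ == "__main__":
    image, c1, kv, config = make_samples()
    fixed = restore_head(image, c1)
    print("head restored:", bytes(fixed[:len(c1)]) == c1)
    upd = patch_updflash(image, kv, config)
    print("kv at block 1:", bytes(upd[BLOCK:2 * BLOCK]) == kv)
```

To use it on real files, read 1.bin, c1.bin, kv.bin and config.bin with `open(..., "rb").read()`, pass them to `restore_head` and `patch_updflash` (board="jasper256" for a 256/512MB Jasper), and write the returned bytearrays out under new names so the originals stay untouched.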
Copy updflash.bin to the root of USB drive formatted as Fat/Fat32.
Ensure the Xbox is off, disconnect the LPT/USB cable, plug in the USB drive and turn the Xbox on so that it boots into XeLLous; watch it flash your NAND.
Follow the on screen instructions. When power cycling ensure XBOX is unplug and off for 30 seconds.
Please be aware that a DVD drive needs to be plugged in to boot into XeLL, at least the small black power cable.
However, the SATA cable from the DVD drive does not need to be connected.
From the XeLLous release notes:
For best results in getting the USB device detected, remove the power plug from the console after running the MS dashboard. Then reinsert the power plug, insert the USB device and boot into XeLLous.
Reading 66MB (updflash.bin) can take a few minutes, be patient while it loads to ram.
Thanks goes out to the whole scene, too many to mention. Special thanks goes out to BlackSteel though for providing the virgin XBOX.
If anybody wants to repost the thread and make it more presentable, by all means.