AfterDawn Forums

***** How to do the JTAG Hack/Dump NAND/Xell Tutorial *****

This discussion thread has 287 messages.

Tags: JTAG Hack
#1
***** Before we begin, I take no credit for writing this tutorial *****
all credit go to EclipseModz

Xbins will be needed to download programs for this TUT.

http://rapidshare.com/files/283243738/xbins.exe

or

http://www.megaupload.com/?d=ZZ6A54YA


Thanks to halolordkiller3 you can now download this as a .PDF file.

JTAG HACK

Requirements:
- Some wire.
- Soldering Iron
- Xbox 360 with kernel version 7371 or lower (some 7371 consoles may not work if they have the patched CB)
- 2 Switching Diodes. I used 1N914 - 1N4148


You will need to know your Xbox Motherboard Revision. These are the two diagrams to follow. Each one of these will need to be bridged with a piece of wire and 2 of them require a switching diode.

The |< is where the diodes go. On the diode itself there is a thick black line. That black line is this side ---> |< of the diode. That will tell you which way to place the diode when installing the JTAG connections.

Xenon Motherboard JTAG Connections



Zephyr, Falcon, Opus, Jasper JTAG Connections




How to Dump the Xbox 360 NAND

Alright, now that you have the JTAG connections out of the way it's time to install the LPT cable.

Requirements for Dumping the NAND Image
You will need the following to dump your Xbox 360 NAND.
- Computer with a LPT port (printer port)
- LPT cable with a DB25 Male end.
- 5 100-Ohm resistors. I used 100-Ohm 1/2 Watt resistors
- 1 Switching Diode. I used 1N914 - 1N4148
- Solder Iron
- Some patience
- NandPro20b to dump the NAND
- Total Commander to make sure your dumps are identical

Now dumping your NAND is crucial to this. You want to have a good clean NAND image that can be flashed back to the console if need be. So let's get started.

1. We need to set up the solder connections onto the motherboard. I used a printer cable and cut it midway and spliced it open. Then used a multimeter to figure out which cable goes to which pin. I then wrote the color/pin combination on a piece of paper. If you decide to do the same as me and not make your own cable I suggest writing down the color/pin combo so you don't have to use the multimeter again.

This is what my printer cable looks like.


As you can see I have all the resistors soldered to the ends of the cable and the one diode attached as well. All I have to do is solder it to the motherboard and I have my connection to the NAND reading and it can dump.

Soldering the cable to the board.
Now attaching the cable to the motherboard is easy as long as you know how to read the diagram, which is pretty straightforward. Just follow the lines. This diagram also shows the JTAG connections. Just ignore that they are there since you already have the diagrams up top. *Diode MUST be soldered directly to the board; it will not work in the plug housing if you make your own cable!*
http://i144.photobucket.com/albums/r167/...-falcon-opu.png
Pin number 18 coming from the LPT cable is shown as ground. This wire should be soldered to either the ground next to where Pin 11 solders to or the ground under where Pin 16 solders to. This will ground it and prevent the 360 from shorting and turning off.

Ok, so now that you have the LPT cable soldered to the motherboard and your cable connected to your PC, it is time to start dumping the NAND. In order to dump the NAND you will need Nandpro20b, which can be downloaded from Xbins.
The directory for Nandpro20b is

/XBOX 360/development/kernel/nand tools/NandPro/

Getting files together:
1. Make a new folder and name it Nandpro20b then extract the content of the rar file into this folder.
2. Place the Nandpro20b folder in the root directory of your hard drive.
3. In the Nandpro20b folder there is a program called "port95nt.exe"; run that to install the drivers. Then you are ready.
NandPro should work with all 32-bit OSes. It is said it works fine with Vista and 7 but may need admin rights and XP compatibility mode on.
Anyway, let's get to reading your NAND.

Plug the power cable into the back of the 360 and into the wall so it has its power source. But do not turn on the 360 as it is not required. All you need to do is plug in the power cable and continue.


Dumping the NAND:

1. Click Start
2. Select run
3. Type CMD
4. Now in the command window you will need to type the command to read.

C:\Nandpro20b\nandpro.exe lpt: -r16 nand1.bin


5. Click enter and it should start. If it says testing 4 times and fails, you need to check your soldering.
6. If done right it will start to read the NAND. It should read to block 3FF.
7. Repeat step 4. You want to have at least 2 dumps to compare to each other and make sure they are identical.

*Note that it is possible that your NAND has bad blocks in it. If you see Error(25x) and you keep getting this each time you dump the NAND, don't worry. It is safe to continue because that is just how your NAND image is.

How to check if your NAND dumps are identical.

Download Total commander here.

http://rapidshare.com/files/319941523/tcmd750a.exe

1. Open Total Commander.
2. Click File
3. Compare by Content
4. A new window will open. Open one nand dump for file one and open the second dump for file 2.
5. Then click Compare.
6. If it says the files are identical, you are set to continue. If it does not say that, I suggest you go back and dump 1 or 2 more times.

If your two dumps are identical, congratulations. You have successfully dumped your Xbox 360 NAND. Now you can continue.


Checking the CB Version
This is a very important step for 360s with the 7371 kernel. Some of these 360s have already been patched to stop the JTAG hack. This is the way to make 100% sure whether or not your 360 is still vulnerable.

/XBOX 360/development/kernel/downgrading/

Open your NAND image in Degraded1.1
Your CB version will be displayed.



Exploitable CB versions:
1888, 1902, 1903, 1920, 1921: exploitable xenon
4558: exploitable Zephyr
5761, 5766, 5770: exploitable falcon
6712, 6723: exploitable jasper

Non-Exploitable CB Versions (CD = 8453 for all of them)
Xenon: 1922, 1923, 1940
Zephyr: 4571, 4572, 4578, 4579
Falcon/Opus: 5771
Jasper: 6750


NAND won't open in Degraded? Here is how to fix that.
1) Make a copy of your NAND backup
2) Open that copy in a hex editor
3) At offset 0x0012 you will see 2004 - 2007 Microsoft Corporation
4) Change that to 2004 - 2005 Microsoft Corporation
5) Now your image will open in Degraded.


How to Install Xell

Xell is used to grab the CPU key for your console, which is a good thing to have in case you need to open your KV. Installing Xell is easy and takes little to no time.

First you will need to download it from Xbins. Again here is the directory.

/XBOX 360/development/free60/images/


Download the image for your motherboard revision. Extract it and place it in the nandpro folder. Make it easy on yourself and rename the Xell file to Xell.

With your LPT cable and everything still set up, you will be using nandpro again. So here we go again.

1. Click start
2. Click run
3. Type CMD
4. Type the command.

C:\Nandpro20b\nandpro.exe lpt: -w16 Xell.bin


Don't worry about the file size. It is meant to only write to the beginning of your NAND flash.
5. Click enter and it should start writing.
6. Once it is done writing, unplug the LPT cable from the PC and turn on the 360. It should boot into a blue screen. If it does, then you did it right.

Getting the CPU key.

Have a camera ready to take a picture of the Fuse Sets that pop up briefly.
Take a picture that includes fuse sets 3, 4, 5, and 6. These contain your CPU key.


Take either 3 and 5 or 4 and 6. This will make up your CPU key (3=4, 5=6). So for example, I will take 3 and 5.
3= E42D681ED06A6D1C
5= 1FFD8E48C56A2058

So my CPU Key is - E42D681ED06A6D1C1FFD8E48C56A2058

Adding either one of the two will make your CPU key.

After getting your cpu key you can write your original nand image back to the board. Or go straight forward and install XBReboot or freeBOOT.

To flash your nand image back on, use this command

C:\NandPro20b\nandpro.exe lpt: -w16 (name of your nand backup)

Once again all credit goes to EclipseModz over at se7ensins.com
For Freeboot/XBReboot FAQ check HERE
This message has been edited since its posting. Latest edit was made on 21 Dec 2009 @ 14:03
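Added example (not from the tutorial or from EclipseModz): a small Python helper for the verification steps in the post, comparing two nandpro dumps block by block instead of relying on Total Commander, reading the header copyright text, applying the offset-0x12 Degraded workaround to a copy, and classifying a CB version against the lists above. The raw-dump geometry (528-byte pages, 32 pages per block), the 16-byte header layout and the sample dump are my assumptions and constructed data, not values from the post.

```python
import struct

# Assumed raw-dump geometry (not stated in the post): 512 data + 16 spare bytes
# per page, 32 pages per block; nandpro "reads to block 3FF", i.e. 0x400 blocks.
PAGE_DATA, PAGE_SPARE, PAGES_PER_BLOCK = 512, 16, 32
PAGE_RAW = PAGE_DATA + PAGE_SPARE
BLOCK_RAW = PAGE_RAW * PAGES_PER_BLOCK          # 16896 bytes per raw block

# CB version lists copied from the post above.
EXPLOITABLE_CB = {1888, 1902, 1903, 1920, 1921, 4558, 5761, 5766, 5770, 6712, 6723}
PATCHED_CB = {1922, 1923, 1940, 4571, 4572, 4578, 4579, 5771, 6750}

def differing_blocks(dump_a, dump_b):
    """Indices of raw blocks where two dumps disagree; [] means identical."""
    if len(dump_a) != len(dump_b):
        raise ValueError("dumps are %d and %d bytes" % (len(dump_a), len(dump_b)))
    return [i for i in range(len(dump_a) // BLOCK_RAW)
            if dump_a[i * BLOCK_RAW:(i + 1) * BLOCK_RAW]
            != dump_b[i * BLOCK_RAW:(i + 1) * BLOCK_RAW]]

def copyright_text(dump):
    """Copyright string in the NAND header (the post says the year range is at
    file offset 0x12; that lies inside page 0's data, before the first spare area)."""
    return dump[0x10:0x50].split(b"\0", 1)[0].decode("latin-1")

def degraded_fix(dump):
    """The post's Degraded workaround applied to a copy: 2007 -> 2005 in the header."""
    return dump[:0x12] + dump[0x12:0x50].replace(b"2007", b"2005", 1) + dump[0x50:]

def cb_status(cb_version):
    """Classify a CB version against the post's exploitable / non-exploitable lists."""
    if cb_version in EXPLOITABLE_CB:
        return "exploitable"
    if cb_version in PATCHED_CB:
        return "patched"
    return "unknown"

def make_sample_dump(blocks=4, corrupt_block=None):
    """Constructed test dump: assumed 16-byte header, copyright text, zero filler,
    0xFF spare bytes, and optionally one byte flipped to mimic an unreliable read."""
    header = struct.pack(">HHHHII", 0xFF4F, 7371, 0, 0, 0x8000, 0)
    header += b"\xa9 2004 - 2007 Microsoft Corporation".ljust(0x40, b"\0")
    page0 = header.ljust(PAGE_DATA, b"\0") + b"\xff" * PAGE_SPARE
    filler = b"\0" * PAGE_DATA + b"\xff" * PAGE_SPARE
    raw = bytearray(page0 + filler * (PAGES_PER_BLOCK * blocks - 1))
    if corrupt_block is not None:
        raw[corrupt_block * BLOCK_RAW + 100] ^= 0xFF
    return bytes(raw)
```

On real dumps, read nand1.bin and nand2.bin with open(..., "rb") and pass the bytes to differing_blocks; a block that differs on every read is the bad-block case the post mentions, while one that differs only sometimes points at the cable or resistors.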


#2
That is crazy hardcore if you ask me. All that to play some cheap arcade games? How many people are going to attempt this?


#3
it will likely get easier soon but this is a great hack!
With this you can play downloaded XBLA games, use any size HDD you want and play your 360 game .iso's right off the HDD without ever burning them! For all you cheapos that cry about the cost of Verbs.


#4
Xell will also automatically give you your cpu/dvd key at the end when you boot it up so you have plenty of time to write it down without taking a picture.

Quote:
That is crazy hardcore if you ask me. All that to play some cheap arcade games? How many people are going to attempt this?

Well I'd say anyone who can hold a soldering iron and use a keyboard.
You do know this is a forum about xbox 360 modding right? LOL! Some people like a little challenge and this is nowhere as difficult as say installing a PS2 modchip. On top of that it's not just free arcade games.
This message has been edited since its posting. Latest edit was made on 21 Dec 2009 @ 14:46

XBOX Halo Ed. = DuoX2 w/250gb HD
Xbox 360 Red Elite 120GB HDD = no-stealth 1.6 & XBReboot V3 & 1TB usb hdd
PS2 Slim = freemcboot v1.8 - PSP Black Slim = 5.00m33-6
Wii = w/ Blue XCM ii-case, Wiikey2 & softmodded
#5
Copper's right. Some of you guys are spoiled 8) You think flashing a drive is difficult.

This soldering is pretty basic. Especially compared to the PS2. You could get away with a $10 iron (though it's more of a pain) and just a little practice. And the resistors and diodes can be had from Radio Shack for a few bucks, and a few more will get you the lpt connector and shield.
#6
So with this method I can get the key also for a bricked DVD drive?


#7
thanks, diagram updated.
Just a side note to everyone, this tut will become outdated very quickly as the scene is moving at lightning speed!
This message has been edited since its posting. Latest edit was made on 21 Dec 2009 @ 14:07


#8
Originally posted by infam0us:
So with this method I can get the key also for a bricked DVD drive?

Yes.
I have a friend who bought 4 systems all with incorrect dvd drive keys and I used this method to retrieve the keys and the drive type.

#9
PS2 = Swap Magic FTW!

As jpizzle said, this new thing will evolve very very fast so I'll wait and see how it pans out. I got nothing but time... and a ton of retail games to catch up on.


#10
I personally can't solder; I wonder how long until people are offering to do it for a price?
#11
Originally posted by palidin:
I personally can't solder; I wonder how long until people are offering to do it for a price?
soon, very soon


#12
Well, if you start doing it let me know :P
#13
Man, I just messed up my points, too hard to solder.


#14
Eer, I keep getting this:
nandpro20 cannot detect flash controller
I have resoldered twice already.


#15
Originally posted by infam0us:
Eer, I keep getting this:
nandpro20 cannot detect flash controller
I have resoldered twice already.
Check your wires going to your cable. If you look at the plastic hub on the cable you can see the numbers on the prongs. Make sure your numbers match and go to the corresponding points. If you tried to just match the diagram then it will be backwards since the diagram is for the port on the pc and not the cable itself.

Hope that helps but if not then let us know. My setup works without the resistors or having to play with the parallel port setup in the pc bios so there are some variables to every setup.

#16
Originally posted by CopperKid:
Originally posted by infam0us:
Eer, I keep getting this:
nandpro20 cannot detect flash controller
I have resoldered twice already.
Check your wires going to your cable. If you look at the plastic hub on the cable you can see the numbers on the prongs. Make sure your numbers match and go to the corresponding points. If you tried to just match the diagram then it will be backwards since the diagram is for the port on the pc and not the cable itself.

Hope that helps but if not then let us know. My setup works without the resistors or having to play with the parallel port setup in the pc bios so there are some variables to every setup.
Thanks for the help, I've been trying this all night. What method did you use, if you don't mind me asking?


#17
I took a serial cable and lopped off both connector ends.

Cut the cable to 18" in length and splayed both ends of the cable about 4" and picked out 7 colors that I liked on both ends so that I could match them up. Simple colors like red, blue, green, black, red, purple, white. Then I cut off all the other wires that I didn't use and save them for the jtag connections. Waste not, want not. So I ended up with a solid cable with 7 x 4" of wire on one end. On the end that goes to the port you could opt to leave 7 x 2" wires.

Then I took the connector end that would plug into the PC port. Pried out the metal connector from the plastic housing, being careful not to bend the metal. I used cutters to clip away at it but a dremel could work also. I cut off any remaining wires from the back end and I yanked out all of the prongs that I wouldn't need. So I left 1, 2, 11, 14, 16, 17, 18 (gnd) and soldered the 7 wires of one end of my cable to each of the prongs on the back side of the connector.

On the other end I labeled each color with a bit of masking tape and wrote the number on the tape and stuck it to the wire. One wire has a switching diode attached.

Once I tested it to make sure my connections were solid I hot glued the points that were connected to the port and wrapped them in electrical tape so that they wouldn't come loose.

So now all I do when I want to read a nand is dab flux on each point on the mobo.
Heat up the points.
Add solder to each point.
Attach the 7 wires.
Done.

Normally I use a 15w iron but I've been using my 30w for these. Although if you are having trouble soldering then use a 15w and use a dremel to grind the tip to a fine point to make it easier.
This message has been edited since its posting. Latest edit was made on 22 Dec 2009 @ 7:51

#18
Thanks, I will give this a try.


#19
Thanks again. I gave up, couldn't even get it that way. Wish the guy had saved his key.


#20
Successfully pulled this off last night. The hardest thing I found was getting identical dumps. I ended up using 47 Ohm resistors and finally got three identical dumps in a row. I also didn't inject rawconfig.bin into XBR and after 2 attempts at flashing it worked. A lot of comps won't give reliable dumps/flashes, so either try another comp or just keep going until it finally boots like I did. Make sure your cable is only 15-20cm long and be very patient at soldering. Also wire number 18 (DB-18) is only a ground wire, so you can solder it to one of the screw holes instead of next to the 4 other wires you have to solder in an amazingly small space.
Also bad block mover is a good app if you have a bad block or 2, so your XBR.bin isn't losing anything important when writing. Time for me to get into the software side of things now, let's hope that is easier.
Bring on a Nintendo 64 and PS1 emulator!!!!
#21
Is there a decent guide anywhere for doing this JTAG hack with a USB header board instead of an LPT cable head? My PC doesn't have an LPT port and I've heard that LPT port PCI cards do not work.

I've looked into it and can't find one anywhere. The closest I come is a few people who say that it's possible to do it and that it's easier to wire up and faster to dump.
#22
I am currently dumping my nand at the moment, after I finish and get my cpu key and install Xell, can I desolder the lpt points, and the jtag points? Or do the jtag points need to stay soldered for me to run unsigned code?

Comp
-6-core 3.2 AMD, 12gb DDR3, Geforce femi 560ti, Running Win7 x64

Laptop
-Dual boot Win7 + Ubuntu 11.10 Gnome Classic
#23
Is there any way I could use 1N4001 diodes instead of 1N914/1N4148 diodes????
#24
Originally posted by Android16:
Is there any way I could use 1N4001 diodes instead of 1N914/1N4148 diodes????
Do you have a radio shack? That's where I get mine from.
http://www.radioshack.com/product/index.jsp?productId=2062587

I'm not sure about the 1n4001. I know others have used bat21 but I've only seen them at digikey.

#25
Yeah, I have; I'm going to go pick some up actually. After I posted my last reply I looked up what my diodes are specifically made for, which I should've done to begin with... but this site is awesome for beginning electronics. It shows what each diode is and what it does, so if anyone has any questions like I did about which diodes to use, read this.

http://www.kpsec.freeuk.com/components/diode.htm