
Complete NANDandJTAG Tutorial

This document provides step-by-step instructions for installing XBReboot on the Xbox 360 using a JTAG/NAND-X method. It describes checking the kernel version, reading the NAND chip to determine the console board (CB) version, identifying exploitable CB versions, extracting the keyvault and config blocks, injecting them into XBReboot, flashing XBReboot to the NAND, and troubleshooting potential issues like bad blocks or error codes.

Uploaded by Brian Huss
Copyright: Attribution Non-Commercial (BY-NC)

Complete NAND/JTAG Tutorial - FOLLOW THIS GUIDE FIRST !

Well, I used coolshrimp's JTAG tool, read my NAND OK but couldn't get anything else to work correctly (FreeBoot and XeLL). Followed Ubergeek's guide on remapping, still no joy, so I went and followed this tutorial to install XBReboot. I wanted to install FreeBoot but for whatever reason it would not work. I had E79 up until I used the tutorial below. All this went well and XBR3 installed perfectly. You start to doubt your own abilities after a while when you're getting nowhere, and I just wanted to prove to myself that a) my soldering was good and b) that I could follow a tutorial!

The very first thing you need to check is your Xbox kernel. At the time of writing, the most recent kernel is 2.0.8955.0. Turn on your Xbox and go to Console Settings. Go to System Info; the kernel version is at the top right.

Warning

As of 5/12/09 (December 5th 2009) If you have kernel 2.0.8495.0 or HIGHER, YOU CANNOT INSTALL XBReboot.

If you have kernel 2.0.7371.0 or lower, there is one more check to do, which requires you to read the NAND chip with NAND-X. There is no other 100% reliable way of knowing your CB version without reading the NAND.

Once the cable is ready and double checked, grab nandpro20d from Xbins (make sure it is version 2.0d). Follow these steps to read your NAND (based on a 16MB NAND):

1. Plug in your 360, but don't power it on.
2. Install the NAND-X drivers and hook it up from the Xbox to USB.
3. Go to the nandpro20d folder and type:
   nandpro usb: -r16 orig.bin
4. MAKE SURE THAT THE FLASH CONFIG SAYS: FlashConfig:01198010 (this is a 16MB NAND). If it doesn't, refer to FLASHCONFIG TROUBLESHOOTING at the end of the guide.
5. Wait patiently... If there are errors, refer to the troubleshooting section at the end of the guide.
6. If there are no errors, read the NAND again:
   nandpro usb: -r16 orig2.bin
   Reading it a third time is not a bad idea.

Don't power on the console in between reads, especially not without the DVD drive connected, or your dumps will most likely not match.

Once you have a good dump, at any point you can restore it to your 360. Follow the instructions at the end of the guide.

How to make sure you have a good NAND dump (note: this tool may not work with a non-16MB NAND, so try the other tools mentioned below):

First, compare the dumps together using a hex editor or other tool; they should match 100%. Grab Degraded 1.1b from Xbins. You can also use 360 Flash Tool to verify the CB. Run Degraded and click Settings, then enter the key you found; a Google search for "Degraded 1BL key" should bring it right up. After you set the key, click Valid next to it and set the File System Start to 39. Click OK. Open orig.bin.

If you get "cannot read file", you must edit the orig.bin file. Make a copy of it, origcopy.bin, and open it in your hex editor. At offset 0x0012 you will see "2004 - 2007 Microsoft Corporation...". Change it to "2004 - 2005 Microsoft Corporation" and it will open with Degraded:
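The "compare the dumps, they should match 100%" step can be scripted. This is an added example, not part of the original guide or of any tool it names: it splits raw dumps of a 16MB NAND into blocks (0x4200 bytes per block and 1024 blocks, the raw layout assumed here for what nandpro -r16 produces), reports any block numbers where the reads disagree in the 0x2CE style Degraded uses, and, when three reads were taken, keeps the per-block majority so a single bad read shows up instead of being trusted.

```python
"""Block-by-block comparison of raw NAND dumps (added example; sample data is constructed)."""
from collections import Counter
import sys

BLOCK_SIZE = 0x4200            # assumed: 32 pages x 528 bytes (512 data + 16 spare) per block
BLOCKS_16MB = 0x400            # 1024 blocks, so a 16MB raw dump is 0x1080000 bytes
DUMP_SIZE_16MB = BLOCKS_16MB * BLOCK_SIZE


def check_size(dump: bytes, expected: int = DUMP_SIZE_16MB) -> bool:
    """A dump that is not exactly the expected length is suspect (wrong -rXX size or aborted read)."""
    return len(dump) == expected


def blocks(dump: bytes, block_size: int = BLOCK_SIZE) -> list:
    """Split a raw dump into its blocks."""
    return [dump[i:i + block_size] for i in range(0, len(dump), block_size)]


def mismatched_blocks(dumps: list, block_size: int = BLOCK_SIZE) -> list:
    """Block numbers where the dumps do not all agree (an empty list means they match 100%)."""
    if len({len(d) for d in dumps}) != 1:
        raise ValueError("dumps differ in length: re-read the NAND")
    split = [blocks(d, block_size) for d in dumps]
    return [n for n, group in enumerate(zip(*split)) if len(set(group)) > 1]


def consensus(dumps: list, block_size: int = BLOCK_SIZE):
    """Per-block majority vote over the reads; returns (image, block numbers with no majority)."""
    split = [blocks(d, block_size) for d in dumps]
    image, unresolved = bytearray(), []
    for n, group in enumerate(zip(*split)):
        (best, votes), = Counter(group).most_common(1)
        if votes * 2 <= len(group):      # no strict majority: this block cannot be trusted
            unresolved.append(n)
        image += best
    return bytes(image), unresolved


def fmt_block(n: int) -> str:
    """Degraded-style block number, e.g. 0x2CE."""
    return f"0x{n:03X}"


if __name__ == "__main__":
    # usage: python nandcmp.py orig.bin orig2.bin orig3.bin
    dumps = [open(path, "rb").read() for path in sys.argv[1:]]
    for path, d in zip(sys.argv[1:], dumps):
        print(f"{path}: size {'ok' if check_size(d) else 'WRONG'} ({len(d):#x} bytes)")
    bad = mismatched_blocks(dumps)
    print("mismatching blocks:", ", ".join(map(fmt_block, bad)) or "none, dumps match 100%")
```

Any block reported as mismatching means one of the reads is bad; re-read rather than flashing anything derived from that dump.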

(This picture shows an un-exploitable CB version.)

If Degraded shows you some bad blocks, refer to the bad blocks section at the end of the guide.

Check which version of CB you have. Exploitable CB versions:
- 1888, 1902, 1903, 1920, 1921: exploitable Xenon
- 4558: exploitable Zephyr
- 5761, 5766, 5770: exploitable Falcon
- 6712, 6723: exploitable Jasper

These CB versions are patched so the JTAG/SMC hack no longer works (CD = 8453 for all of them):
- Xenon: 1922, 1923, 1940
- Zephyr: 4571, 4572, 4578, 4579
- Falcon/Opus: 5771
- Jasper: 6750

If you have an exploitable CB, then you are in luck; if you don't, then for now there is nothing you can do but find another Xbox 360.

So you have a 7371 or earlier kernel and an exploitable CB: you can install the JTAG hack that comes with your NAND-X. Once you have wired your 360 this way, you install XBR to your NAND.

There are newer tools that you can use for this stuff that also support the 256/512 Jasper NAND:
NAND Compare and Reconstruction Tool v1.2 - With 256/512 Jasper Support. Download: here

360 Flash Dump Tool v0.95. Download: here

Flashing XBR to your NAND:

Grab the latest XBR_8955 matching your motherboard from Xbins (XBOX 360/development/XBReboot/). Go to your nandpro20d folder and extract the keyvault and config blocks from your orig.bin:
   nandpro orig.bin: -r16 rawkv.bin 1 1
   nandpro orig.bin: -r16 rawconfig.bin 3de 2
Now inject them into the xbr_8955.bin for your motherboard version. Rename the xbr_8955.bin of your board to xbr.bin to simplify things.
   nandpro xbr.bin: -w16 rawkv.bin 1 1
   nandpro xbr.bin: -w16 rawconfig.bin 3de 2
Now that you've injected your keyvault and config into xbr.bin, all you need to do is flash it back to your NAND:
   nandpro usb: -w16 xbr.bin
Once done, unplug the NAND-X USB cable from the PC. Leave the console unplugged and powered off for 30 seconds in order to clear the SMC from memory. Turn on the Xbox and enjoy XBR (to boot to XeLL, power on with your eject button).

Bad Blocks in the NAND

If Degraded shows you some bad blocks, you will have to move the blocks from your xbr.bin to where they are remapped.

You can also use these tools: NAND Compare and Reconstruction Tool v1.2 - With 256/512 Jasper Support (Download: here) and also Bad Block Remapper.

If you want to do it manually, you have to do this. Take the picture above as an example. It says:
   Note : Block 0x2CE found at 0x3F8
This is where the bad block 0x2CE was remapped.
   nandpro xbr.bin: -r16 block2ce.bin 2ce 1   (reads block 0x02CE and saves it as block2ce.bin)
   nandpro xbr.bin: -w16 block2ce.bin 3f8 1   (writes block2ce.bin to 0x3f8, where the block is remapped)
You will have to do this for each block. Here is the "formula":
   nandpro xbr.bin: -r16 blockXXX.bin XXX 1   (where XXX is the bad block number)
   nandpro xbr.bin: -w16 blockXXX.bin YYY 1   (where YYY is the address where the block is found in Degraded)

Getting the CPU key using XBR

Power on with the eject button. Have a camera ready to take a picture of the fuse sets that pop up briefly. Take a picture that includes fuse sets 3, 4, 5 and 6. These contain your CPU key.

Take either 3 and 5, or 4 and 6. This will make up your CPU key (fuse set 3 equals 4, and 5 equals 6). So for example, I will take 3 and 5:
   3 = E42D681ED06A6D1C
   5 = 1FFD8E48C56A2058
So my CPU key is E42D681ED06A6D1C1FFD8E48C56A2058. Joining either pair together makes your CPU key.

After getting your CPU key you can write your original NAND image back to the board or simply use XBReboot or FreeBoot for homebrew goodness.

Nandpro FlashConfig: 01198010 / reading errors:
- Non NAND-X: Are you using the diode as explained in the cable making tutorial? The diode is hit and miss; if you receive config 01198010 then it's not needed. The diode goes with the black line towards the board, and pin 11 of the LPT port connected to the other leg.
- Non NAND-X: Shorten your wires.
- Non NAND-X: Are you using the 5 resistors? Some boards require you to solder directly, without using the resistors. This will fix the reading errors above 0x200 that some experience.
- Check solder joints; make sure they are clean and not touching each other.

FLASHCONFIG TROUBLESHOOTING

FlashConfigs can also be different depending on your motherboard. Here's a list to help you identify what you should be seeing (thanks to Big_Ted):
   01198010 - Xenon, Zephyr, Opus, Falcon (e.g. nandpro usb: -r16 orig.bin)
   00023010 - 16mb Jasper (e.g. nandpro usb: -r16 orig.bin)
   008A3020 - 256mb Jasper (e.g. nandpro usb: -r256 orig.bin)
   00AA3020 - 512mb Jasper (e.g. nandpro usb: -r512 orig.bin)

Nandpro Error 250:
Error 250 could mean that the block is full of 0's, and is not an error you should be concerned about if you come across it once or twice. Of course, if you keep getting Error 250, there might be an error elsewhere, or maybe you've flashed 0's all over your NAND.

RRoD / Blackscreen / Error 79:
- Do you have an exploitable CB? People seem to only look at their dashboard, see it's 7371 or lower, and think they can install XBR without verifying their CB to see if the JTAG hack will work.
- Did you inject the rawkv.bin into xbr.bin? (nandpro xbr.bin: -w16 rawkv.bin 1 1)
- Did you inject the rawconfig.bin into xbr.bin? (nandpro xbr.bin: -w16 rawconfig.bin 3de 2)
- Did you have bad blocks in your orig.bin? Did you follow the bad block installation notes?
- If you have a Xenon and you have followed all this correctly and you still get E79, then you will probably need another type of JTAG kit that is designed for the rare few consoles that won't work with the standard JTAG kit; it's called the XENON JTAG E79 Kit.
