This is a compilation of all the information I could find throughout the Web. All of it is thanks to its original creators, such as tmbinc, Tiros, Ruley, Sandungas, Phoney, Tony Bologna, kote aka logi, and anyone else I have missed.
Before you even start: can this be done to all motherboard revisions? Yes, all motherboard revisions are vulnerable to this hack. But the dashboard update of August 10, 2009 patched it, and some consoles that were manufactured or refurbished around June/July 2009 already have the patch applied, which is why some consoles on an older kernel are not vulnerable either.
How do I know what kernel version I have? In the dashboard go to System Settings>Console Settings then scroll down to System Info. Your kernel version is shown here. In this picture the 360 has the 8955 kernel applied. This example is not vulnerable.
Kernel Vulnerability:

* 8498 and higher: any console with kernel 8498 or higher has been patched to stop the hack.
* 7371 and lower: any console with the 7371 kernel or a lower version is most likely vulnerable to the hack.
* 7363 and 7371: these are the "iffy" kernels. With these kernels you have to dump your NAND to make sure that you have a vulnerable CB. Some consoles with these kernels already have the patch applied and cannot be JTAG'd; this is the case if the console was repaired or manufactured since June/July 2009. If it was repaired or manufactured before that, it should be exploitable.

Those consoles you see in tutorials or on YouTube that say they are on the 8955 dash were on a dash below 8xxx before the update: XBReboot is a modified version of 8955 and displays as 8955 in the system menu. So they are on this dash AFTER the mod but NOT before.

As of now, if you are already on stock 8955 there is no way to JTAG your system, but have hope for the future.
Reading NAND: Requirements

First of all, you'll need soldering skills. If you've never used an iron before, you honestly should train on a different, less expensive object. This won't be much harder than adding a modchip to a console anyway.

You'll also need the following things:

* At least one 32-bit PC with an LPT (parallel) port. More PCs with different mainboards are helpful, since on some boards parallel ports were neglected in development due to the increasing success of USB; therefore quite old boards SEEM to work better. Someone even used an old 386 for this hack. NandPro2 (we'll talk about it later) comes with port95nt.exe, a driver for 32-bit systems only. There is a 64-bit port on the Internet, but no one has proven that it works with NandPro2. Since many 64-bit systems don't even have a parallel port, this shouldn't bother too many people.
* Windows 95 or better. Sorry, that doesn't mean Linux yet. It even seems to work with Windows Vista 32-bit and Windows 7 32-bit, but you might need to turn on Windows XP Compatibility Mode and run it with administrator rights; there aren't many reports on that yet. You should prefer XP or an earlier system: XP, 2000(?), Me, 98 or 95.
* An old LPT cable no-one will miss. Openable plug housings with screws/clips will make your life easier. Alternatively, use a bare DB25 male connector and wire.
* Soldering skills, tools and so on, as already mentioned.
* 3× diode, BAT41 or 1N4148. There are several diodes you can use; people on xboxhacker.net had the best experiences with BAT41.
* 5× 100-120 Ω resistors. Not a must-have, but they'll protect your box.
* 30 AWG wire.
* Voltmeter and continuity tester.
For this step we will use a standard LPT cable. There is a mod using a db25 connector and Cat5 cable but for this guide we will just be using the LPT cable.
First cut off the female end. So you will get a cable with a DB25 connector at one side and loose wires on the other side.
Now you need to trace the wires in the cable. If you've got a cable with openable plug housings, you're in luck: just open the housings and compare single wires with those on the loose end. Otherwise it's time for your continuity tester. You will need to know which wire goes to which pin at the end. Write down the colour of the wire attached to each pin. Since there are only seven needed wires, you don't have to trace every wire. The following pins need to be connected: 1, 2, 11, 14, 16, 17, 18. In case a pin isn't connected, just resolder a wire from an unneeded pin (e.g., 15) to the needed one (e.g., 14).
After you've done that, you can cut the unneeded wires at the loose end so they won't bother you while soldering. Strip a small amount of insulation (5 mm should be plenty) from the end of each of the other wires, and twist the loose strands inside together. Tin each wire, so that you get nice, clean wire ends.

Step 2: Preparing the board and soldering everything
After opening your box and removing the DVD-ROM drive, fan shroud, etc., you should have a clear view of the board. Now it's time to locate the solder pads of J1D2 (red) and J2B1 (blue).
You will have to establish the following connections:
"Component" means that you will have to add the resistor or diode between those two points. I suggest that you first solder the component on the board and after that the wire to the component. The diode's black ring has to be in the direction of the Xbox board. By "screwhole", we mean a screwhole. (The ground (or "earth") connection we're using is also present on J1D2.6 and J2B1.12, but those are difficult to solder.) Solder the wire from DB25.18 to one of those big reddish rings (where the long screws go through the DVD-ROM drive legs), and fix it with insulation tape (NOT DUCT TAPE! Otherwise you will damage your Xbox). It is important that you solder the diode directly to the board. It won't work if it's in the plug housing!
This is how you count on a board:
The square is always 1, in this case J2B1.1. Also, notice the white dot near pin 1 and the labels near pins 2, 12, and 13.
Another diagram (including LPT & JTAG connections). The LPT wiring is the same for all boards, but the JTAG wiring varies between board revisions.
Step 3: Checking everything
Checklist:
* Is every wire connected to the correct pin?
* Are there any short circuits or doubly connected wires?
* Have you taken everything out of the box that doesn't belong in there?
When you've checked that, plug the parallel cable into your turned-off computer, the power supply into your Xbox, and the power cable into the power outlet.
Step 4: Setting up your PC
Turn on your PC. It's possible that your Xbox will turn on, too. Don't worry, just leave it turned on. As long as it doesn't start to smoke, smell, or anything else weird it will be fine. Later on, it should turn off the fans on its own, but the LEDs will remain blinking. If it doesn't turn on: don't worry, it doesn't have to be turned on while reading the NAND.
Go to the BIOS settings and search for LPT mode settings. Tiros recommends SPP/Normal mode in his help file (Nandpro.txt), but the mode doesn't actually appear to matter. If you're having trouble in the next step, give a different mode a try. After you have done that, save settings and leave BIOS. Boot up Windows.
Now the time has come to unpack NandPro2. In the archive you'll find port95nt.exe (driver) and some other files (e.g. NandPro.exe). Install the driver. If you're using Vista or higher, you might have to turn on XP Compatibility Mode, as already mentioned. To install it, just double-click on it and walk through the setup. There shouldn't be any error messages. Then: reboot.
Step 5: Reading/Dumping the nand.
Open up Windows Command Prompt (press Windows Key + R to open up Run. Type cmd and press Enter).
Navigate to NandPro's installation directory by using common commands (cd, dir, and the TAB key for auto-completion).
Then type

    nandpro.exe lpt: -r16 nand1.bin

and press Enter. If everything's fine, it should output something like this:

    Testing LPT device address:0378
    Using LPT device at address:0378
    FlashConfig:01198010
    Starting Block:0x000000
    Ending Block:0x0003FF

The LPT address can differ. The FlashConfig value must be the same as shown on Xenon, Zephyr and Falcon boards (a Jasper reports a different value). Starting and ending block should be as shown here if you want to read the whole flash.

Press any key to continue. It should start to count up addresses. If it starts to output stuff like "Error 0 .. blah blah", something's wrong: recheck the wiring, change the LPT mode, or try a different computer. It is possible that there are one or two bad blocks on your NAND (error 25x), so don't worry if you get that error once or twice.
Well, the reading (dumping) process will take about half an hour. Unfortunately, we will need at least two dumps to check that there are really no read errors in your dump. So once NandPro has finished dumping, press the up arrow key (or retype the command), CHANGE THE FILENAME TO nand2.bin, press Enter, and dump it a second time.

When NandPro2 has finished the second dump without errors, you can either make a third dump or close the command line.

Step 6: Checking for errors
First, open up the files with 360 Flash Tool. If it looks like in the picture beneath this, everything should be fine. If an error message "Couldn't open file" pops up, something went wrong.
Check with Hex workshop
Start up Hex Workshop. Choose tools -> Compare -> Compare Files. A new window will open. Select both files and click on OK. If they are identical you are done with this.
If not, search for errors in wiring etc. or try a different PC.
While 360 Flash Tool will show you the content of the NAND, it's not a conclusive integrity check: it's possible to get a "thumbs up" from the utility even if you have corrupted (and, more importantly, vital) blocks. A much better check is to run the resulting image through Degraded v1.1, which will highlight any errors.

Check with Degraded

Run Degraded and click Settings. Enter DD88AD0C9ED669E7B56794FB68563EFA as the key (this is the 1BL key), click Valid next to it, set File System Start to 39, and click OK. Then open your dump (nand1.bin; the rest of this guide calls it orig.bin). If you get "cannot read file", you must edit a copy of the dump: copy orig.bin to origcopy.bin and open the copy in your hex editor. At offset 0x0012 you will see "2004 - 2007 Microsoft Corporation..."; change it to "2004 - 2005 Microsoft Corporation" and the copy will open in Degraded. Only edit the copy; the unmodified dump is the one you will inject from later and keep as your backup.
If your NAND has bad blocks, it will look like this:
Note in this example that the bad block information has been located elsewhere, so you *should* be okay. Even so, it's advisable to run a second dump through the utility and see whether this has a bad block (and relocated) in the exact same address.
A good NAND dump might look like this:
If you get this, your NAND dump is about as good as it's gonna be. Only now, after all this work, can you find out whether the console is even exploitable: check which version of CB your dump contains.
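The two checks above (are the two dumps identical, and has every bad block been relocated somewhere else) can also be scripted. The following Python is an added example, not code from this tutorial and not from NandPro, 360 Flash Tool or Degraded. It assumes the 16 MiB raw layout that "nandpro lpt: -r16" produces (512 data bytes plus 16 spare bytes per page, 32 pages per block, 0x400 blocks, so 0x4200 bytes per raw block and 0x1080000 bytes per dump). The spare-area field positions it reads (byte 5 as the bad-block mark, 0xFF meaning good; bytes 0-1 as the logical block number) are an assumption to verify against what Degraded shows for your own dump. The sample image it builds when run without arguments is constructed, not a real NAND dump.

```python
"""Added example: block-wise comparison of two raw NandPro dumps plus a
bad-block scan of the spare area. Not part of the original tutorial and not
NandPro/Degraded code. Assumes the 16 MiB small-block layout that
"nandpro lpt: -r16" produces; the spare-area field positions are an
assumption to verify against your own dump."""
import sys

PAGE_DATA = 0x200                       # 512 data bytes per page
PAGE_SPARE = 0x10                       # 16 spare (OOB) bytes per page
PAGE_RAW = PAGE_DATA + PAGE_SPARE       # 0x210 bytes per page in the dump
PAGES_PER_BLOCK = 32
BLOCK_RAW = PAGE_RAW * PAGES_PER_BLOCK  # 0x4200 bytes per raw block
BLOCKS = 0x400                          # nandpro: Starting 0x000000 .. Ending 0x0003FF
IMAGE_SIZE = BLOCK_RAW * BLOCKS         # 0x1080000 for a full 16 MiB dump
ERASED_SPARE = b"\xff" * PAGE_SPARE


def block(image, n):
    """Raw block n: 32 pages of data+spare."""
    return image[n * BLOCK_RAW:(n + 1) * BLOCK_RAW]


def page_spare(image, n, p=0):
    """The 16 spare bytes of page p (default: first page) of block n."""
    off = n * BLOCK_RAW + p * PAGE_RAW + PAGE_DATA
    return image[off:off + PAGE_SPARE]


def differing_blocks(dump_a, dump_b):
    """Block numbers where the two dumps disagree; [] means identical dumps
    (what Hex Workshop's compare tells you, but per block)."""
    if len(dump_a) != len(dump_b):
        raise ValueError("dumps differ in length: %d vs %d" % (len(dump_a), len(dump_b)))
    return [n for n in range(len(dump_a) // BLOCK_RAW) if block(dump_a, n) != block(dump_b, n)]


def bad_blocks(image):
    """Blocks whose first page carries a bad-block mark (assumed: spare byte 5 != 0xFF)."""
    return [n for n in range(len(image) // BLOCK_RAW) if page_spare(image, n)[5] != 0xFF]


def logical_block_id(image, n):
    """Assumed 12-bit logical block number stored in spare bytes 0-1 of block n."""
    sp = page_spare(image, n)
    return ((sp[0] & 0x0F) << 8) | sp[1]


def find_relocated(image, bad_n):
    """Physical block that now carries bad block bad_n's logical ID, or None.
    Erased blocks (all-0xFF spare) are skipped, since they carry no ID."""
    for n in range(len(image) // BLOCK_RAW):
        if n != bad_n and page_spare(image, n) != ERASED_SPARE and logical_block_id(image, n) == bad_n:
            return n
    return None


def make_sample_image(nblocks=8, bad=(), relocate=None):
    """Constructed test image (NOT a real NAND dump): every block carries its own
    number as logical ID; blocks in `bad` get byte 5 cleared; relocate={src: dst}
    writes src's ID into dst's spare, mimicking a remapped bad block."""
    relocate = relocate or {}
    dst_to_src = {dst: src for src, dst in relocate.items()}
    img = bytearray()
    for n in range(nblocks):
        ident = dst_to_src.get(n, n)
        for p in range(PAGES_PER_BLOCK):
            img += bytes([(n * 7 + p) & 0xFF]) * PAGE_DATA   # filler page data
            spare = bytearray(ERASED_SPARE)
            spare[0] = 0xF0 | ((ident >> 8) & 0x0F)
            spare[1] = ident & 0xFF
            if n in bad:
                spare[5] = 0x00
            img += spare
    return bytes(img)


def report(dump_a, dump_b):
    """Summary for two dumps of the same console: differing blocks, and for
    each bad block the block it was relocated to (None if not found)."""
    return {"differ": differing_blocks(dump_a, dump_b),
            "bad": {n: find_relocated(dump_a, n) for n in bad_blocks(dump_a)}}


if __name__ == "__main__":
    if len(sys.argv) == 3:                      # python nandcheck.py nand1.bin nand2.bin
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            a, b = f1.read(), f2.read()
        if len(a) != IMAGE_SIZE:
            print("warning: %s is 0x%X bytes, expected 0x%X" % (sys.argv[1], len(a), IMAGE_SIZE))
    else:                                       # constructed demo: block 3 bad, remapped to 6
        a = make_sample_image(bad={3}, relocate={3: 6})
        b = bytearray(a)
        b[5 * BLOCK_RAW + 100] ^= 0xFF          # simulate a single read glitch in block 5
        b = bytes(b)
    print(report(a, b))   # demo prints {'differ': [5], 'bad': {3: 6}}
```

Run it as "python nandcheck.py nand1.bin nand2.bin": an empty "differ" list is the equivalent of Hex Workshop reporting the files identical, and a bad block whose relocation comes back as None is the case the text above tells you to look at more closely in a second dump.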
Disconnect LPT from computer. If you CB is exploitable continue to JTAG installation.
Installing JTAG Hack
This mod allows writing to the NAND. There are several variations of the JTAG wiring depending on which motherboard you have.

Requirements:
* 2 diodes
* 30 AWG wire
Xenon:
Falcon, Zephyr, Opus & Jasper:
All the diodes used are switching diodes. Some that are known to work are: BAT41, 1N4148 or 1N4153.
DO NOT CONTINUE IF YOU DO NOT HAVE AT LEAST 2 MATCHING 100% DUMPS

Creating/Writing patched XBReboot

Now connect the LPT cable to the computer and turn it on. There is no need to turn on the Xbox for this either. Open a command prompt (Windows + R, type cmd, hit Enter) and navigate to your NandPro directory.

Step 1) Extract the KV and Config blocks from orig.bin. Type these commands into the command prompt (the two trailing arguments are the start block and the block count, in hex: the KV is block 0x1, the config blocks are 0x3DE and 0x3DF):

    nandpro orig.bin: -r16 rawkv.bin 1 1
    nandpro orig.bin: -r16 rawconfig.bin 3de 2

You can also do this twice and compare the results with Hex Workshop to ensure a good extract. Just use different output names the second time:

    nandpro orig.bin: -r16 rawkv2.bin 1 1
    nandpro orig.bin: -r16 rawconfig2.bin 3de 2

Step 2) Inject those blocks into XBR.bin at the same positions:

    nandpro XBR.bin: -w16 rawkv.bin 1 1
    nandpro XBR.bin: -w16 rawconfig.bin 3de 2
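Step 1 and Step 2 are plain block copies at fixed offsets, which makes them easy to reproduce and, more usefully, to verify before anything is flashed. The following Python is an added example, not NandPro code and not part of this tutorial. It assumes the 16 MiB raw layout (0x4200 bytes per raw block, 0x400 blocks) and the block numbers used above (KV at block 0x1, config at blocks 0x3DE-0x3DF); the sample images it builds are constructed stand-ins, not real dumps. Its preflight() check is what you would run on the finished XBR.bin before the Gentoo flashing step.

```python
"""Added example: file-level equivalent of the nandpro block extract/inject
commands, plus pre-flight checks on the result. Not part of the tutorial and
not NandPro code. Assumes the 16 MiB raw layout (0x4200 bytes per block,
0x400 blocks) and the block numbers the tutorial uses."""
import sys

BLOCK_RAW = 0x4200                      # 32 pages x (512 data + 16 spare) bytes
BLOCKS = 0x400
IMAGE_SIZE = BLOCK_RAW * BLOCKS         # 0x1080000 for a full 16 MiB dump
KV_BLOCK, KV_COUNT = 0x001, 1           # nandpro orig.bin: -r16 rawkv.bin 1 1
CONFIG_BLOCK, CONFIG_COUNT = 0x3DE, 2   # nandpro orig.bin: -r16 rawconfig.bin 3de 2


def block_offset(n):
    """Byte offset of raw block n inside a dump."""
    return n * BLOCK_RAW


def read_blocks(image, start, count):
    """Like `nandpro image: -r16 out.bin <start> <count>`: count raw blocks from start."""
    end = block_offset(start + count)
    if end > len(image):
        raise ValueError("blocks 0x%X..0x%X lie beyond the end of a 0x%X-byte image"
                         % (start, start + count - 1, len(image)))
    return image[block_offset(start):end]


def write_blocks(image, start, raw):
    """Like `nandpro image: -w16 in.bin <start> <count>`: a copy of image with raw written at start."""
    if len(raw) % BLOCK_RAW:
        raise ValueError("input is not a whole number of raw blocks")
    count = len(raw) // BLOCK_RAW
    if block_offset(start + count) > len(image):
        raise ValueError("write would run past the end of the image")
    out = bytearray(image)
    out[block_offset(start):block_offset(start + count)] = raw
    return bytes(out)


def inject_kv_and_config(xbr, orig):
    """Step 1 + Step 2: copy the console's own KV and config blocks into the XBReboot image."""
    xbr = write_blocks(xbr, KV_BLOCK, read_blocks(orig, KV_BLOCK, KV_COUNT))
    return write_blocks(xbr, CONFIG_BLOCK, read_blocks(orig, CONFIG_BLOCK, CONFIG_COUNT))


def preflight(xbr, orig):
    """Problems to fix before flashing; [] means the image passed."""
    problems = []
    for name, img in (("XBR.bin", xbr), ("orig.bin", orig)):
        if len(img) != IMAGE_SIZE:
            problems.append("%s is 0x%X bytes, expected 0x%X (full 16 MiB raw dump)"
                            % (name, len(img), IMAGE_SIZE))
    if problems:
        return problems                 # block checks are meaningless on a wrong-sized image
    if read_blocks(xbr, KV_BLOCK, KV_COUNT) != read_blocks(orig, KV_BLOCK, KV_COUNT):
        problems.append("KV block 0x%03X in XBR.bin does not match orig.bin" % KV_BLOCK)
    if read_blocks(xbr, CONFIG_BLOCK, CONFIG_COUNT) != read_blocks(orig, CONFIG_BLOCK, CONFIG_COUNT):
        problems.append("config blocks 0x%03X-0x%03X in XBR.bin do not match orig.bin"
                        % (CONFIG_BLOCK, CONFIG_BLOCK + CONFIG_COUNT - 1))
    return problems


def make_sample_images():
    """Constructed stand-ins (NOT real dumps): a fake console dump with
    distinctive KV/config blocks, and a uniform fake XBReboot image."""
    orig = bytearray(b"\x11" * IMAGE_SIZE)
    orig[block_offset(KV_BLOCK):block_offset(KV_BLOCK + KV_COUNT)] = b"\xa5" * (KV_COUNT * BLOCK_RAW)
    orig[block_offset(CONFIG_BLOCK):block_offset(CONFIG_BLOCK + CONFIG_COUNT)] = b"\xc3" * (CONFIG_COUNT * BLOCK_RAW)
    return b"\x22" * IMAGE_SIZE, bytes(orig)


if __name__ == "__main__":
    if len(sys.argv) == 4:              # python inject.py XBR.bin orig.bin XBR_patched.bin
        with open(sys.argv[1], "rb") as f1, open(sys.argv[2], "rb") as f2:
            xbr, orig = f1.read(), f2.read()
        patched = inject_kv_and_config(xbr, orig)
        problems = preflight(patched, orig)
        if problems:
            sys.exit("\n".join(problems))
        with open(sys.argv[3], "wb") as out:
            out.write(patched)
    else:                               # constructed demo
        xbr, orig = make_sample_images()
        print(preflight(xbr, orig))     # two mismatch problems before injection
        print(preflight(inject_kv_and_config(xbr, orig), orig))   # [] after injection
```

The offsets are the only thing that matters here: block 0x3DE starts at 0x3DE × 0x4200 = 0xFF3C00, so if you ever inspect the injected file in a hex editor, that is where your config data should appear, and 0x4200 is where the KV starts.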
Note that the "true" power cycle described here belongs after the new image has actually been written to the console (the Gentoo step below); the nandpro commands above only modify the XBR.bin file on your PC. To do a true power cycle you must unplug the Xbox 360 and wait 5-10 minutes for all volatile memory to be erased. This prevents conflicts from corrupting the newly written NAND.
If you have any problems it may be due to Bad blocks if you had any. If so you can try this program. Redline99 released a small tool to remap bad blocks in an XBReboot image to match with your NAND chip, this could solve issues some people had trying to make XBReboot work:
This is a small tool that will remap bad blocks in a full 16mb "zeropaired" (xbreboot) nand image. It looks at the original Microsoft backup (that you should have) and figures out from the spare area the remapped bad blocks. You can also enter the block id's into the textbox. It does not modify the original MS image, but it does modify the zeropaired image. Run the app only one time, and be sure to make a backup beforehand.
This app has had ZERO testing, If anything comes up I'll try and fix it, but I need some feedback.
This is only for 16mb images, non jasper. http://www.mega upload.com/?d=VMV1FTYC (REMOVE SPACES)
Items needed:
* Gentoo Live CD: http://www.mega upload.com/?d=5Z42P664 (REMOVE SPACE)
* USB mouse and keyboard
* USB flash drive loaded with:
  - XBR.bin with your KV and config injected
  - XBRFLASH.c: http://www.mega upload.com/?d=HFL3CYOT (REMOVE SPACE)
01. Put the Gentoo Live V2 disc in your 360 and boot up Xell/Gentoo.
02. In Gentoo, open the terminal (Applications -> Accessories -> Terminal).
03. Type sudo passwd; this will prompt you to enter a new password and verify it (the characters of the password will not be displayed). This gives you root powers.
04. Now mount the USB drive. Plug the USB drive in (rear USB port if you have used the front ones for mouse/keyboard).
    In the terminal type su; it will ask for the password you just entered.
    Type cd Desktop/ to change to the Desktop directory.
    Type mkdir flash to create a folder on the desktop.
    Type dmesg | grep -i "SCSI device" (keep the quotes around SCSI device).
    This will display a few lines similar to: SCSI device sda: ... (4GB). The important part is the name after "device" (sda; it could also be sdb, sdc etc.).
    Type pwd; this shows you the path to the desktop. Finally type

        mount -t vfat -o uid=gentoo,gid=users /dev/sda1 /home/gentoo/Desktop/flash

    Keep in mind to change sda to the value you had (the rear port should be sda) and the last part to what pwd showed plus /flash.
05. You should now have a folder on the desktop named flash, and inside it you should see XBR.bin (or whatever you called it) and XBRFLASH.c.
06. In the terminal, type cd flash to change to the USB drive's directory.
07. Type gcc XBRFLASH.c; this compiles the C program and creates an a.out file on the USB drive.
08. Type chmod +x a.out to make it executable.
09. Type ./a.out -d nandback.bin -w XBR.bin; this creates a file called nandback.bin (a dump of the NAND as it is now) and flashes XBR.bin to the NAND (change XBR.bin to the name of your file). If you only want a backup of your current NAND, run ./a.out -d nandback.bin instead.
10. The NAND should now be flashed, so turn the 360 off, boot it up, and hope you get launched into a kernel.