Friday, 24 September 2010

How to JTAG an Xbox 360

Hello there, you are looking at my massive tut on how to JTAG an Xbox 360 console from start to finish. If you want to JTAG your console and don't know where to start, this is where you want to look!

So let's begin....

This tut will be done on a Xenon console, and the JTAG wiring (diodes) will be different for other revisions; other than that it will always be the same.

This is gonna be long and compact, and you are gonna need a lot of things.


Parts list and quantities from Maplin (UK) (you can get them from alternative sources if you wish):
Switching diodes - Part Number QL80B - Quantity 2 (I recommend getting a spare)
Ethernet cable - Part Number CW45Y - Quantity 1 (1m of it)
Solder - Part Number N51AW - Quantity 1 (tube)
Soldering iron - Part Number N11BY - Quantity 1 (30W should be fine)
100 ohm resistors - Part Number M100R - Quantity 6 (may not be needed, but get them to be on the safe side)

A large space to work

A computer with an LPT (parallel) port

A JTAGable console: it needs the 7371 dashboard or below (to check it, go to System Preferences > System Settings > System Info)


Installing NAND-X QSB Jtag Wiring

First off we need to install the JTAG wiring (two diodes and a jumper), which is included in official NAND-X bundles. This is simply two QSBs (Quick Solder Boards) and a cable.

Now we need to solder these onto the motherboard.

First off, remove the sticky pad on the back of each QSB and stick them in place. Make sure you align them with the holes on the motherboard!

Now, with your super slick soldering skills, connect the connectors on the QSB with the holes under it.

Now you have soldered on the QSBs, we can add that blue and yellow wire, so connect it up.

Now we need to configure the switch and jumper. Here is a quote from Team Xecuter:

"There are 2 versions of JTAG install with the NAND-X. One for Xenon Motherboards and one for Non-Xenon Motherboards (falcon, Opus, Zephyr, Jasper)

There are also various Switch / Jumper settings. Some users get better boot performance / fix RROD's when using Resistor level 0 or 330. It's down to preference, however you should try 0 as default to start with. If after booting XELL and you get E79 then your install is bad OR your NAND image of Xell is bad (bad blocks etc)

Note: BAT41 Diodes are ALWAYS enabled.

Switch 0 = No Resistor
Switch 330/470 - Jumper 330 = Set Resistor level to 330
Switch 330/470 - Jumper 470 = Set Resistor level to 470
Switch OFF = Disable JTAG Completely"

So I am going to go by what they say: I have switched the switch to the setting closest to the jumper (0) and removed the jumper. If I get errors later I will do what they say and change it if needed.

That's the JTAG wiring part done.

Now we need to install the NAND read/write points. I will also be using QSBs to do this. It is very similar to the part above, so I recommend that you read that bit first as I may go a bit quick through this one...

Now we need to do the same as we did above but in two different places... I am just going to whiz through here.

We have two QSBs for this.

Now, as mentioned earlier, install them into their locations on the motherboard.

Once you have installed those two, connect up the three pin headers to the two QSBs.

Now we have all this connected we can begin to dump our NAND, so connect the cable up and move on..

So now we have our JTAG hack diodes installed, we need to get the console ready for writing to the NAND.

Making and installing the LPT cable

So now we have our JTAG wiring installed, we need to write the modded image (FreeBOOT), but before we can do that we need to install the connection from our computer to the console... this will require more soldering, btw.

So let's begin. First off, this can be done in two ways: install a permanent cable (I'm not going to go into it) or a temporary one (what I'm gonna do).

This cable is only needed once, for reading the NAND and writing the modded image to it. For more experienced modders who will try loads of hacks to booting etc., I would recommend that you use your brain and create a socket that lets you write to the NAND with the console closed up (the most common method is to get an Ethernet coupler and make a hole under the HDD... this will be clearer later on in this section).

Anyway, the temporary method:
(I will do a more permanent method later if I get a client who requests it)

Right, first... we need to get our Cat5 cable and cut it down so it is no more than 40cm (anything more and it will corrupt the data, giving bad NAND dumps; some PCs may need it shorter).

Now you want to cut about 9cm of the outer insulation (in my case the blue bit) so you can see 9cm of the 8 wires inside.

Now we only need 7 wires, so pick a colour and get rid of it.

Now, because I JTAG a lot of consoles I want a longer-lasting cable, so I am attaching stronger bits of metal to the end of my cable so I can solder and desolder easily. If you want to copy me, all I did was dig out some heat shrink tubing (2.4mm) and some old resistors (using the metal legs from each end of them) and fit a leg to each wire on each side.

So now you have the cable made (if you don't want my fancy add-on, just strip the wires down and neaten them up ready to solder into the holes), we can get ready to solder onto the console motherboard.

In the wiring picture, the coloured dots are where you need to solder to on the motherboard; each one is matched with a correspondingly coloured slot on the LPT port of the PC, which is where the other end of that wire connects.

Now, unless you have a multimeter and can test the voltage the PC outputs to the LPT port, I would install the 5 × 100 ohm resistors on these wires: Orange, Orange/White, Green, Blue and Blue/White.
The only way to tell if these are needed is if we get an error later on trying to read the NAND; if we do, we will take them off. I know in my case I don't need them so I won't bother with them, but you all should.

So now you know where you need to solder to (we are only soldering to the motherboard; we only have to slide the wires into the PC port), we can get soldering!

Now we have the cable wired on, we are ready to connect it up to our PC!

Let's move on!

So now we have our wiring done, we need to prepare our computer (the one with the LPT port) for dumping, making and writing to the NAND... let's begin.

Setting up the computer

I believe your computer needs to be running 32-bit Windows (XP, Vista or 7) for this to work... make sure you have one of the three installed and you're ready to move on! (64-bit also works.)

I have now released iHc NandTool, which can do all of this easily with just one simple tool.

You can download iHc Xbox 360 (free download, signup free) from here:

So once you have downloaded the file, extract the contents to a folder (I called mine iHC Xbox 360) and launch iHc Xbox 360 from inside that folder.

You will get the fancy-ass loading screen. Once it has loaded, accept the update, then at the top click Jtag tools and you will see iHC NandTool... just click that and it will open.

Just leave it as it is for now.... and we will come back to it later.

Now we are ready to dump the NAND! So we need to set up our console and get it connected to the PC and a power source.

So first off, get the console near to the LPT port and plug it into its power pack.

Now, going back to the wiring from earlier, you need to connect the console up to the LPT port...

So now we have our wiring done and the program is in place... that means it's time to dump the NAND!

So we have the JTAG connected up to the computer, NandPro in place... let's dump the NAND!... oh, just one more thing.

PreDump CB Check (Make sure we can jtag)

This pre-dump CB check is a handy feature, as the only way to be 100% sure you can JTAG is to check the CB version... now, if you are using an LPT cable your dumps can take a VERY long time... this pre-dump CB check only dumps 33KB, instead of dumping 16Mb, 256Mb or 512Mb only to possibly be let down... anyway, let's do this shizzles!

So to do this make sure that iHc NandToolV2 is open and under the "NandPro" tab click "Check CB".

Follow the on-screen instructions and it will quickly dump one block... once it's done that, press any key and it will check.

Now refer to the console log (the big black window in iHc NandToolV2) and read the last few lines it has output. It should tell you the CB version and whether it is JTAGable or not. If it does not, please go to the Errors section at the bottom of the tutorial.

So if you have a JTAGable console, move on... if you don't... sorry, you just wasted your time, but this is the only way of being 100% sure you can dump.

So now if we have passed the CB check stage... we can dump our NAND!

Dumping the nand

Now, to dump the NAND, go back to iHc NandTool. To configure it we need to select two options...

Connection Type and Motherboard Revision

Connection type is how your JTAG is connected, so we will click LPT, and then the motherboard revision...

Click on the buttons to select your setup. As this tut is mainly for Xenon I will select Xenon... your selection should show over on the right.

Now... the simple bit... press Read from NAND over in the NandPro tab... since I have moved on since this tut and now do all my dumping via USB, I will have USB selected, but it's the same process..

On first use the NandPro files may not have been downloaded: to save space and download times, the tool only downloads the files each user needs... say you downloaded it just to check dumps, you wouldn't need these files (only 2 meg lol), which matters for those with super slow speeds... anyway, just click yes and the program will begin to download and continue when it's ready.

Hit read nand.
Then a console window will pop out (this is because of a bug) and will execute your command for dumping the NAND... there is also a chance of an error if it's your first time... it's okay though, I can help later.
Once it has got to 3FF (on 16MB) it will say Press any key to continue..

If it hasn't got to 3FF, or you have seen something different or some sort of error but can still see Press any key to continue, then you have an issue, but I can help.. first, do as it says, and when you get out of the console window it will read the NandPro debug log into the program; you will be able to see it in the logging console. Then head to the bottom of the tutorial to the Errors section and follow what it says.

If it did go okay (sometimes it will still think it's okay even when it's not), after you press any key you will get a save screen... save the dump somewhere and call it orig1.bin or something...

Repeat these dumping steps again so you get a 2nd dump, then we can quickly check them... don't disconnect your JTAG yet as you may need to get another dump...

So now we have 2 copies of our original NAND? Let's check them, then mod them!!!

Checking the nand images

Right... now this couldn't be any easier. In iHc NandTool go to the "Nand Tools" tab and click "Compare dumps" and it will load an open box. Select the first dump then press open... then another box will pop up; select your 2nd dump... once you click OK it will run the check process through.

If it tells you the two dumps match, you're good to go! If however, like many people, you get a message saying they don't, this means there was a little corruption in the dumping process... this is normal and it can sometimes take up to ~9 dumps to get an identical pair.

If your dumps are not correct... just go back, get another one and then run them through the checker again until you get two identical dumps...

When you have an identical dump, move on.
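
The comparison step above, sketched as an added Python example (not part of the original tutorial and not iHc NandTool's own code): it lists which blocks differ between two dumps and picks the first identical pair out of several. The block size assumes a raw 16 MB dump with spare data (0x4200 bytes per block, 0x400 blocks, matching the 3FF the read log ends on); the function names and the sample dumps are constructed for illustration.

```python
import hashlib
from itertools import combinations

# Assumption (not stated in the tutorial): a raw 16 MB dump stores 512 data
# bytes + 16 spare bytes per page and 32 pages per block, i.e. 0x4200 bytes
# per block and 0x400 blocks, which is why a full read ends at block 3FF.
BLOCK_SIZE = 32 * (512 + 16)


def differing_blocks(a, b, block_size=BLOCK_SIZE):
    """Return the indices of blocks whose bytes differ between two dumps."""
    if len(a) != len(b):
        raise ValueError(f"size mismatch: {len(a)} vs {len(b)} bytes")
    if not a or len(a) % block_size:
        raise ValueError("dump is empty or not a whole number of blocks")
    return [
        i for i in range(len(a) // block_size)
        if a[i * block_size:(i + 1) * block_size]
        != b[i * block_size:(i + 1) * block_size]
    ]


def find_identical_pair(dumps):
    """Return the names of the first two dumps with equal SHA-256, or None."""
    seen = {}
    for name, data in dumps.items():
        digest = hashlib.sha256(data).hexdigest()
        if digest in seen:
            return seen[digest], name
        seen[digest] = name
    return None


def report(dumps):
    """Compare every pair of dumps and say which pair, if any, is usable."""
    lines = []
    for (n1, d1), (n2, d2) in combinations(dumps.items(), 2):
        bad = differing_blocks(d1, d2)
        detail = "identical" if not bad else (
            "differ in block(s) " + ", ".join(f"{i:03X}" for i in bad))
        lines.append(f"{n1} vs {n2}: {detail}")
    pair = find_identical_pair(dumps)
    lines.append(f"matching pair: {pair[0]} and {pair[1]}" if pair
                 else "no identical pair yet, dump again")
    return "\n".join(lines)


if __name__ == "__main__":
    # Constructed sample: 4-block stand-ins for dumps; orig2 has one bad byte.
    good = bytes(range(256)) * (4 * BLOCK_SIZE // 256)
    corrupt = bytearray(good)
    corrupt[2 * BLOCK_SIZE + 5] ^= 0xFF
    print(report({"orig1.bin": good, "orig2.bin": bytes(corrupt), "orig3.bin": good}))
    # In real use, read the files instead: open("orig1.bin", "rb").read()
```

Knowing which block numbers differ also tells you whether the corruption keeps landing in the same place or moves around between reads.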

So you got a good dump? Let's double check that it is okay to JTAG this console.

Checking the CB version (Make sure we can jtag)

If you did a pre-dump CB check then you don't need to do this... move on.

Now we have a NAND image, we need to check the CB version to make sure the console is actually exploitable. I know you may have a 7371 dash or below, but this also needs to be checked.

So to do this make sure that iHc NandTool is open and under "Nand Tools" click "Check CB".

An open file dialogue will appear asking you to select your NAND dump... click OK and you will get one of three messages.

If you get message 1... congratulations, you can move on as your console is JTAGable!
If you get message 2... I'm sorry, your console is not JTAGable at the present time (and a long time after).
If you get message 3... iHc NandTool could not read the CB version... this is either because you haven't selected a real NAND dump or there is a bad read on some of the blocks... if you're 100% sure you have a real NAND image, dump again a few times and try again..

So if you have a JTAGable console, move on... if you don't... sorry, you just wasted your time, but this is the only way of being 100% sure you can dump.

Now we know for certain that our console can be JTAGed, let's flash Xell to the console.

Installing Xell to get the CPU key

Right, go back to iHc NandTool and click the Get Xellous button... a message will pop up asking if you want to download Xellous for the motherboard you selected earlier...

Once you click OK it will begin the download.

Then it will ask to save it... select where you want to save it and then we can write it...


Then a window will open; select the file you downloaded... by default it should be called xellous_xenon.bin

and just confirm your selection...

A command window will open and you will have successfully written Xellous.

Got Xell on your Xbox? Now you can get your CPU key for the console.

Obtaining your CPU key

Right, so now you have Xell installed on your Xbox, turn your console on via the eject key, with it plugged into a TV and not the LPT port, and you should get a blue screen.

Now get a camera handy and turn it on. Wait a second and you will see the console fusesets on screen.

That is what you want to take a picture of: the console fusesets.... If you look you will see sets 3 & 4 and 5 & 6 are identical... now take either of sets 3 & 4 and either of sets 5 & 6 and put them together. This makes your CPU key.

So mine are

Set 4: AF39DF25B0CD3878
Set 5: 36C083CF14E6E4D6

So my CPU key is: AF39DF25B0CD387836C083CF14E6E4D6

Note that down and save it! You will need it in the future!

Now it's safe to turn off your Xbox once you have your key.

Now we have everything we need to build our FreeBOOT 0.032 image... let's move on.

So we have our CPU key and original image; we can now make our FreeBOOT image, which will actually carry the hack.

Making the freeboot 0.032 image

Right, there are three things we need to make this image:

Your CPU key
Your original nand dump
iHc NandToolV2

Now, let's make our image...

Make sure you have the correct motherboard revision selected and click Build FreeBOOT 0.032 image.

If it's your first time it will ask to download the files... just click yes; they are 12Mb so may take a couple of minutes.

Once they are downloaded a text box and "Build" button will appear.

Put the CPU key that you got from Xellous in there.
Also remember to select the patch you want to be patched into the image.

Once you hit Build, it will ask you to locate your NAND dump... select one from earlier that was identical with another one and click open.

You will then see activity in the console...

Once done you will be asked to save it. If it doesn't save or doesn't ask, then go to the "Errors" part of this tutorial for help.

After that you are done... now we can move on to writing the new FreeBOOT image back.

Now we can move on to writing the image back.

So you're nearly there... made your image, now let's write it back.

Writing freeboot image back to xbox

Right, we're nearly there, you should be able to smell the ability to hack shizzles! We just need to get the modded FreeBOOT image back onto the console.

Now just go back to the NandPro tab and click "write nand", then you will need to select the newly made FreeBOOT image and click open.

You will then see another console window pop up like last time. Let it do its stuff, and when you see Press any key to continue it SHOULD have written correctly... if you see loads of errors in the console then something went wrong. If something went wrong, go to the Errors part of the tutorial.

Once it has written fully you have now JTAGed your Xbox! Congrats!

Once it's done, unplug the console from the computer and desolder the LPT cable. NOT THE TWO DIODES AND JUMPER! Just the 7 wires that go into the PC (unless you want to keep them, of course), and your Xbox will now officially be JTAGed!

Well done for doing it yourself and not going off to buy one!

If you're wondering what to do now, read on...


Errors

So you managed to get an error... well, now I've tried to make it a lot easier for people to help you fix your errors.

First off, DO NOT CLOSE THE PROGRAM: we need the log and I don't save it, for certain reasons...

Anyway, I made this nice and simple.. all you need to do is click the "Upload Console Log" button on your right.

It will then ask for an email for contact... put a VALID email in there or you won't get help, then click okay.

The program will then gather some information (system environment settings). That scary fast text you can see is just the computer reading all the files you have in the /freeboot and /nandprofiles folders so we can debug.

Then it will upload the log.

Now, to get help from a pro, give them the link and the ID it shows you...

Once it gets popular (if it does) they will know what to do with it, but if you don't, head to the link

then type the ID into the search box.
In that database entry there SHOULD be enough information for a pro to help you fix your issue; it has uploaded the log as well and links you to it... this is the URL for this specific log if anyone is interested: http://www.essexcons...2_714390037.txt

Then you can wait for a response from a helper.

So you have successfully made yourself a JTAG, upset Bill Gates, done tonnes of illegal shitz... now what?

What to do now you have a jtag

Now, to save you scrolling through all that again, I would suggest checking out this forum to keep up to date with all the latest things you can do with your JTAG.
