Xbox 360:JTAG
The steps on this page are considered risky for your console, as there is a chance you can brick it. Please have someone else mod your console if you are not experienced in soldering! |
The JTAG (aka SMC) hack was the first permanent modification that allows you to run unsigned code, mods, game backups, and homebrew on your phat console. The hack relies on vulnerabilities in the CB bootloader, which are only present on dashboards 7371 and lower. If you are on a higher dashboard, take a look at the recommended exploit chart and see what hack is right for you.
Note that this guide is a condensation of multiple JTAG guides, most notably the oblivioncth's Xbox 360 Ultimate Exploit Guide[1], Xecuter's JTAG guide[2], M AzeeM K's Alternate JTAG guide[3], X-Splinter's Matrix USB Flasher guide[4], as well as personal experience.
While it's recommended to read through this guide in its entirety, a video guide for JTAG can be found on MrMario2011's channel[5].
Note that JTAG does not support S/E motherboards.
Requirements
Below are the requirements to JTAG your Xbox 360. It's recommended to read ahead and choose the NAND dumping method and JTAG-specific wiring method that's right for you, as you will need more equipment or a NAND programmer depending on the method you choose.
To check if your console is exploitable, you must have:
- A fat console (Xenon, Zephyr, Falcon, Opus, or Jasper model). You can look at the back of your console and check the motherboard identification chart to find out what model you have.
- If you have a Jasper, determine whether if there is Memory Unit built in. If it has 214MB of storage, it's a 256MB NAND. If it has 451MB of storage, it is a 512MB NAND.
- Your console on dashboard 7371 or lower. If you are on the original blades dashboard, that is sufficient. Otherwise, you can check this by navigating to Settings > Console Settings > Hover over System Info. Your dashboard version will be shown in the top right in the form 2.0.xxxxx.0, where xxxxx is your dashboard version.
- If it is a Jasper on dashboard 7371, the system may not be JTAGable. You can only find out by dumping your NAND.
- If the system has a dashboard newer than 7371, the Reset Glitch Hack can still be accomplished.
- Soldering experience. The Xbox 360 is not a good place to learn to solder. Regardless of which dumping method you choose, you will need a soldering iron, solder, and flux.
Equipment Needed
- A soldering iron, solder, flux, and Isopropyl alcohol with cotton swabs
- 28-30 AWG Wire (Solid core recommended)
- Two 1N914/4148 switching diodes (Only with Xenon or traditional AUD_CLAMP methods)
- Two 10K Ohm 1/2W or 1/4W resistors with two 2N3904 transistors (Only with the Boxxdr method)
- Wire Insulation (kapton tape, electrical tape, heatshrink, etc.) for the diodes
- A PC running Windows Vista or later
- J-Runner with Extras
- Any compatible NAND Programmer (Listed below)
- NAND Backup with XeLL written to the console (Listed below)
Reading your NAND
There are a few different tools for reading your NAND chip: xFlasher 360, Nand-X, JR Programmer, Matrix USB NAND Flasher, PicoFlasher, various SD card tools, or a LPT cable. Consider the pros and cons below and choose the method that’s right for you. An LPT cable is not recommended as it's extremely slow, requires more work than other options, and cannot be used to program glitch chips.
A guide on how to dump and write to a standard NAND can be found here.
Device | Pros | Cons |
---|---|---|
xFlasher 360 |
|
|
PicoFlasher |
|
|
JR Programmer |
|
|
Nand-X |
|
|
Matrix USB NAND Flasher |
|
|
LPT Cable |
|
|
JTAG-Specific Wiring
Choose the guide that pertains to you:
Xenon
- This is the only method for Xenon motherboards, and cannot be used on non-Xenon retail motherboards due to them missing the unused pins for debug LEDs.
AUD_CLAMP
This is the traditional method for Zephyr, Opus, Falcon, or Jasper motherboards. This method may disable 5.1 audio output.
AUD_CLAMP + Boxxdr
- This is an alternative method is for Zephyr, Opus, Falcon, or Jasper motherboards. This method may disable 5.1 audio output.
AUD_CLAMP + Open_Tray
- Use this method if the traditional or Boxxdr method doesn't boot, you receive E79 errors, or you have issues with HDMI. This method may cause your DVD drive to eject on bootup. Also, your console will reboot instead of shutting down if you turn off the console while a controller is charging via USB.
Decrypting the NAND
Once you have successfully obtained your CPU key, we can build an XeBuild image, which is a modified NAND built specifically for your console.
- If you want to use J-Runner with the console connected to LAN to get the CPU key, enter the IP address XeLL gives you into the lower right of the app. You can then click
Get CPU Key
and XeLL will automatically decrypt the retail NAND dump you backed up earlier. - If you want to use XeLL's web page to get the CPU key, enter the Xbox's IP address in your preferred web browser. You will see information about the console, and the CPU key can be easily copy and pasted from this web page.
- If you didn't have access to an ethernet cable to plug the Xbox into a PC or LAN, you can manually type the CPU key into J-Runner in order to decrypt your original NAND dump.
Writing a New NAND Image (NAND Flasher)
- Power down the console, and connect your programmer to the motherboard and computer.
- If you are using an xFlasher, ensure the switch is set to
SPI
.
- If you are using an xFlasher, ensure the switch is set to
- Open J-Runner and select
...
next to the Load Source field and select one of your original NAND dumps if not already selected. In the upper right of J-Runner, make sure that theJtag
radio button is selected.- If you have a non-Xenon console, the
Aud_clamp
checkbox should be enabled.
- If you have a non-Xenon console, the
- Click "Create XeBuild Image". This will take a few moments.
- Click "Write NAND".
- Disconnect your programmer from the Xbox when the process completes, and check if the console boots to the Microsoft dashboard.
- If it successfully boots to the dashboard, it is an indication that you've successfully hacked your console.
- Continue in the Cleaning Up section.
Writing a New NAND Image (XeLL)
- Open J-Runner and select
...
next to the Load Source field and select one of your original NAND dumps if not already selected. In the upper right of J-Runner, make sure that theJtag
radio button is selected.- If you have a non-Xenon console, the
Aud_clamp
checkbox should be enabled.
- If you have a non-Xenon console, the
- Click "Create XeBuild Image". This will take a few moments.
- Copy updflash.bin to a FAT32 formatted USB storage device and plug it into your powered-off console.
- Turn on your console and it will boot into XeLL and begin flashing your NAND. Once it has finished, it will power off your console.
- Turn it back on, and it should boot to the Microsoft dashboard, which is an indication that you've successfully hacked your console.
- Continue in the Cleaning Up section.
Cleaning Up
Remove the NAND programmer wires from the console and clean the points. Clean all flux off the board, allow it to dry, and test it once more before re-assembling.
You may want to leave your Xbox 360 disassembled so that you can disable the eFuse-blowing circuit so you can't accidentally install official updates on your console.
Installing XeXMenu
- Plug a flash drive into your Xbox 360 and navigate to Console Settings > Storage. Select the flash drive and allow it to format the flash drive as a system drive.
- Extract the
CODE9999
folder from the XeXMenu 7zip file to your Desktop. - Plug the flash drive into your PC. Create a new folder on the flash drive and name it
0000000000000000
(16 zeroes). Open the new folder, then drag theCODE9999
folder into it. - Safely eject your flash drive and plug it into your Xbox 360. Navigate to the Demos section of your dashboard, and it should list XeXMenu there. Select it to launch it.
- You can install XeXMenu to your hard drive by going to Console Settings > Storage, and copying it from your flash drive to the hard drive.
From here, you can install any homebrew or mods that you want. See this page for a list of recommended modifications and applications to install.
References
- ↑ https://www.se7ensins.com/forums/threads/jtag-rgh-r-jtag-xbox-360-ultimate-exploit-guide.804054/
- ↑ https://web.archive.org/web/20130906233032/http://team-xecuter.com/forums/showthread.php/54423-NAND-X-JTAG-Install-Guides-JTAG-KITS-2-5-8-E79
- ↑ https://web.archive.org/web/20120527145714/http://team-xecuter.com/forums/showthread.php?t=55189
- ↑ http://www.360-hq.com/xbox-tutorials-162.html
- ↑ https://youtu.be/v9eAG3WSmU4?list=PL1CadovfabPskGb2Ur4kBGzD5s7DzQw5I