Xbox 360:JTAG

The steps on this page are considered risky for your console, as there is a chance you can brick it. Please have someone else mod your console if you are not experienced in soldering!

The JTAG (aka SMC) hack was the first permanent modification that allows you to run unsigned code, mods, game backups, and homebrew on your phat console. The hack relies on vulnerabilities in the CB bootloader, which are only present on dashboards 7371 and lower. If you are on a higher dashboard, take a look at the recommended exploit chart and see what hack is right for you.

Note that this guide is a condensation of multiple JTAG guides, most notably the oblivioncth's Xbox 360 Ultimate Exploit Guide^[1], Xecuter's JTAG guide^[2], M AzeeM K's Alternate JTAG guide^[3], X-Splinter's Matrix USB Flasher guide^[4], as well as personal experience.

While it's recommended to read through this guide in its entirety, a video guide for JTAG can be found on MrMario2011's channel^[5].

Note that JTAG does not support Slim/E motherboards.

Requirements

Below are the requirements to JTAG your Xbox 360. It's recommended to read ahead and choose the NAND dumping method and JTAG-specific wiring method that's right for you, as you will need more equipment or a NAND programmer depending on the method you choose.

To check if your console is exploitable, you must have:

1. A fat console (Xenon, Zephyr, Falcon, Opus, or Jasper model). You can look at the back of your console and check the motherboard identification chart to find out what model you have.
   • If you have a Jasper, determine whether if there is Memory Unit built in. If it has 214MB of storage, it's a 256MB NAND. If it has 451MB of storage, it is a 512MB NAND.
2. Your console on dashboard 7371 or lower. If you are on the original blades dashboard, that is sufficient. Otherwise, you can check this by navigating to Settings > Console Settings > Hover over System Info. Your dashboard version will be shown in the top right in the form 2.0.xxxxx.0, where xxxxx is your dashboard version.
   • If it is on dashboard 7371, the system may not be JTAGable. You can only find out by dumping your NAND.
3. Soldering experience. The Xbox 360 is not a good place to learn to solder. Regardless of which dumping method you choose, you will need a soldering iron, solder, and flux.

Equipment Needed

• A soldering iron, solder, flux, and Isopropyl alcohol with cotton swabs
  • Specific recommendatons can be found on this page
• 28-30 AWG Wire (Solid core recommended)
• Two 1N914/4148 switching diodes (Only with Xenon or traditional AUD_CLAMP methods)
• Two 10K Ohm 1/2W or 1/4W resistors with two 2N3904 transistors (Only with the Boxxdr method)
• Wire Insulation (kapton tape, electrical tape, heatshrink, etc.) for the diodes
• A PC running Windows Vista or later
• J-Runner with Extras
• Any compatible NAND Programmer (Listed below)
• NAND Backup with XeLL written to the console (Listed below)

Reading your NAND

There are a few different tools for reading your NAND chip: xFlasher 360, Nand-X, JR Programmer, Matrix USB NAND Flasher, PicoFlasher, various SD card tools, or a LPT cable. Consider the pros and cons below and choose the method that’s right for you. An LPT cable is not recommended as it's extremely slow, requires more work than other options, and cannot be used to program glitch chips.

A guide on how to dump and write to a standard NAND can be found here.

Device	Pros	Cons
xFlasher 360	Reads NAND fast in 40 seconds to 4 minutes Can also program glitch chips One of four options for 4GB Corona Actively supported USB-C Uses signed drivers	Most expensive flasher Can't be used for flashing Sonus Sounds
PicoFlasher	Reads NAND fast in 1-8 minutes One of four options for 4GB Corona One of the two options for Sonus or Slim sound programming Super cheap Easy to find Uses signed drivers	Wire routing is more sensitive compared to other NAND flashers
JR Programmer	Reads NAND in 3-10 minutes Can also program glitch chips One of the two options for Sonus or Slim sound programming Cheap Easy to find	More expensive than PicoFlasher Requires unsigned drivers
Nand-X	Reads NAND in 2-8 minutes Can also program RGH glitch chips	More expensive than most NAND flashers Not much cheaper than the xFlasher Does not support 4GB Coronas Requires unsigned drivers Can't be used for flashing Sonus Sounds
Matrix USB NAND Flasher	Reads NAND in 7-26 minutes Super cheap	Can’t be used for programming glitch chips unless you modify it Does not support 4GB Coronas Requires unsigned drivers Can't be used for flashing Sonus Sounds
LPT Cable	Cheap Doesn't require unsigned drivers	Requires PC with a native parallel port and more equipment More difficult Can’t be used for programming glitch chips Can't be used for flashing Sonus Sounds Takes 30-150 minutes to read NANDs

JTAG-Specific Wiring

Choose the guide that pertains to you:

Xenon

• This is the only method for Xenon motherboards, and cannot be used on non-Xenon retail motherboards due to them missing the unused pins for debug LEDs.

AUD_CLAMP

This is the traditional method for Zephyr, Opus, Falcon, or Jasper motherboards. This method may disable 5.1 audio output.

AUD_CLAMP + Boxxdr

• This is an alternative method is for Zephyr, Opus, Falcon, or Jasper motherboards. This method may disable 5.1 audio output.

AUD_CLAMP + Open_Tray

• Use this method if the traditional or Boxxdr method doesn't boot, you receive E79 errors, or you have issues with HDMI. This method may cause your DVD drive to eject on bootup. Also, your console will reboot instead of shutting down if you turn off the console while a controller is charging via USB.

Decrypting the NAND

Once you have successfully obtained your CPU key, we can build an XeBuild image, which is a modified NAND built specifically for your console.

• If you want to use J-Runner with the console connected to LAN to get the CPU key, enter the IP address XeLL gives you into the lower right of the app. You can then click Get CPU Key and XeLL will automatically decrypt the retail NAND dump you backed up earlier.
• If you want to use XeLL's web page to get the CPU key, enter the Xbox's IP address in your preferred web browser. You will see information about the console, and the CPU key can be easily copy and pasted from this web page.
• If you didn't have access to an ethernet cable to plug the Xbox into a PC or LAN, you can manually type the CPU key into J-Runner in order to decrypt your original NAND dump.

Writing a New NAND Image (NAND Flasher)

1. Power down the console, and connect your programmer to the motherboard and computer.  
   • If you are using an xFlasher, ensure the switch is set to SPI.
2. Open J-Runner and select ... next to the Load Source field and select one of your original NAND dumps if not already selected. In the upper right of J-Runner, make sure that the Jtag radio button is selected.
   • If you have a non-Xenon console, the Aud_clamp checkbox should be enabled.
3. Click "Create XeBuild Image". This will take a few moments.
4. Click "Write NAND".
5. Disconnect your programmer from the Xbox when the process completes, and check if the console boots to the Microsoft dashboard.
6. If it successfully boots to the dashboard, it is an indication that you've successfully hacked your console.
7. Continue in the Cleaning Up section.

Writing a New NAND Image (XeLL)

1. Open J-Runner and select ... next to the Load Source field and select one of your original NAND dumps if not already selected. In the upper right of J-Runner, make sure that the Jtag radio button is selected.
   • If you have a non-Xenon console, the Aud_clamp checkbox should be enabled.
2. Click "Create XeBuild Image". This will take a few moments.
3. Copy updflash.bin to a FAT32 formatted USB storage device and plug it into your powered-off console.
4. Turn on your console and it will boot into XeLL and begin flashing your NAND. Once it has finished, it will power off your console.
5. Turn it back on, and it should boot to the Microsoft dashboard, which is an indication that you've successfully hacked your console.
6. Continue in the Cleaning Up section.

Cleaning Up

Remove the NAND programmer wires from the console and clean the points. Clean all flux off the board, allow it to dry, and test it once more before re-assembling.

You may want to leave your Xbox 360 disassembled so that you can disable the eFuse-blowing circuit so you can't accidentally install official updates on your console.

Installing XeXMenu

1. Plug a flash drive into your Xbox 360 and navigate to Console Settings > Storage. Select the flash drive and allow it to format the flash drive as a system drive.
2. Extract the CODE9999 folder from the XeXMenu 1.2 rar^[6] to your Desktop.
3. Plug the flash drive into your PC. Create a new folder on the flash drive and name it 0000000000000000 (16 zeroes). Open the new folder, then drag the CODE9999 folder into it.
4. Safely eject your flash drive and plug it into your Xbox 360. Navigate to the Demos section of your dashboard, and it should list XeXMenu there. Select it to launch it.
   • You can install XeXMenu to your hard drive by going to Console Settings > Storage, and copying it from your flash drive to the hard drive.

From here, you can install any homebrew or mods that you want. See this page for a list of recommended modifications and applications to install.

References