Xbox 360 talk:R-JTAG

From ConsoleMods Wiki
Jump to navigation Jump to search
Exclamation-circle-fill.svgRough draft for new page that has CR4 instructions


Exclamation-triangle-fill.svgThe steps on this page are considered risky for your console, as there is a chance you can brick it. Please have someone else mod your console if you are not experienced in soldering!


Exclamation-circle-fill.svgR-JTAG requires an R-JTAG kit or CR4 XL which aren't sold anymore, and tends to have slow boot times compared to RGH 1.0/1.2/3 or R-JTOP. Thus, this specific exploit is not recommended over RGH/R-JTOP.


The R-JTAG hack is essentially a re-enabling of the JTAG hack using the reset glitch hack, which allows you to run unsigned code and homebrew on phat consoles. It works by glitching the CB fuse check when loading the old JTAGable CB, which allows JTAG (SMC Hack) to be performed like normal. There are 2 versions of R-JTAG, the normal version which uses I2C slowdown, and R-JTAG+ which uses PLL slowdown. It should be noted that R-JTAG has been known to potentially write garbage to your NAND in some cases.

While it’s recommended to read through this guide in its entirety, a video guide for R-JTAG can be found on MrMario2011’s channel. A well-used R-JTAG guide can be found on the Team Xecuter site.

Note: R-JTAG does not support Xenon or S/E motherboards, and will have mediocre glitching performance on Zephyr motherboards. R-JTOP on Xenon and Zephyr may work reliability if the source code is compiled to use EXT_CLK instead of CPU_PLL.

Requirements

Below are the requirements to R-JTAG your Xbox 360. It’s recommended to read ahead and choose the NAND dumping method and JTAG specific wiring method that’s right for you, as you will need a NAND programmer if you choose the R-JTAG Starter Kit and potentially more equipment depending on which methods you choose.

To check that your console is exploitable, it must meet the following conditions. You must have:

  1. A non-Xenon fat console (Zephyr, Falcon, Opus, Jasper, or Tonasket model). You can use this guide to find out what model you have.
    • If you have a Jasper, determine whether if there is Memory Unit built in. If it has 214MB of storage, it’s a 256MB NAND. If it has 451MB of storage, it is a 512MB NAND.
  2. A console on dashboard/kernel 14719 or higher. You can check this by navigating to Settings > Console Settings > Hover over System Info. Your dashboard version will be shown in the top right in the form 2.0.xxxxx.0, where xxxxx is your dashboard version.
    • If it is on a lower dashboard, you can update it to the latest (Currently 17559).
  3. Soldering experience. The Xbox 360 is not a good place to learn to solder. Regardless of which dumping method you choose, you will need a soldering iron, solder, and flux.
  4. You will need one of the following R-JTAG kits and the extras listed below it. The kits may be sold as R-JTAG "1.0" or "1.1". The only difference is that 1.1 is more reliable for Zephyr consoles (information here). The CR4 XL will be fixed with Zephyr consoles.
TX R-JTAG Kit
  • A NAND reader (JR Programmer, NAND-X, Matrix USB NAND Flasher, or LPT cable)
    • An R-JTAG Ultimate Kit will already come with a JR Programmer
  • J-Runner with Extras
  • Equipment listed in the relevant JTAG specific wiring below
TX CR4 XL
  • A NAND reader (JR Programmer, NAND-X, Matrix USB NAND Flasher, or LPT cable)
  • J-Runner with Extras
  • Equipment listed in the relevant JTAG specific wiring below

Reading your NAND

There are a few different tools for reading your NAND chip: xFlasher 360, Nand-X, JR Programmer, Matrix USB NAND Flasher, PicoFlasher, various SD card tools, or a LPT cable. Consider the pros and cons below and choose the method that’s right for you. An LPT cable is not recommended as it's extremely slow, requires more work than other options, and cannot be used to program glitch chips.

A guide on how to dump and write to a standard NAND can be found here.

Device Pros Cons
xFlasher 360
  • Reads NAND fast in 40 seconds to 4 minutes
  • Can also program glitch chips
  • One of four options for 4GB NANDs
  • Actively supported
  • USB-C
  • Most expensive flasher
  • Not sold on common marketplaces like Amazon or AliExpress
  • Can't be used for flashing Sonus Sounds
PicoFlasher
  • Reads NAND fast in 1-8 minutes
  • One of four options for 4GB NANDs
  • One of the two options for Sonus flashing
  • Super cheap
  • Easy to find
  • Can flash glitch chips with this J-Runner Fork
  • Due to how the currently available PicoFlasher firmware is programmed, it often has many bugs with getting consistently good non-corrupt NAND dumps or being detected by J-Runner.
  • Can sometimes have spotty reliability on Xbox 360 motherboards due to their SPI and eMMC logic being up to 5v, whereas the Pico uses 3.3v.
JR Programmer
  • Reads NAND in 3-10 minutes
  • Can also program glitch chips
  • One of the two options for Sonus flashing
  • Cheap
  • Easy to find
  • More expensive and less common than PicoFlasher
  • Does not support 4GB NANDs
Nand-X
  • Reads NAND in 2-8 minutes
  • Can also program RGH glitch chips
  • More expensive than most NAND flashers
  • Does not support 4GB NANDs
  • Can't be used for flashing Sonus Sounds
Matrix USB NAND Flasher
  • Cheap
  • Can’t be used for programming glitch chips unless you modify it
  • Does not support 4GB NANDs
  • Requires unsigned drivers
  • Reads NAND in 7-26 minutes, which is quite a bit slower than most options
  • Can't be used for flashing Sonus Sounds
LPT Cable
  • Cheap
  • Requires PC with a native parallel port and more equipment
  • More difficult
  • Does not support 4GB NANDs
  • Can’t be used for programming glitch chips
  • Can't be used for Sonus flashing
  • Takes 30-150 minutes to read NANDs

R-JTAG Kit Instructions

Wiring Diagram

  • 5HlH4R2.jpg
    • Following the wire color scheme using the provided image to install the R-JTAG module. The R-JTAG module itself will rest on top of the DVD drive, hanging partially off of the side closest to the back of the console.
    • On the QSB labelled "JTAG ALT V2", short pins 1 and 3 together, set the left switch to the ON position, and set the right switch to the middle (470 ohms) position. Later on, if you have bad boot times, try switching the right switch to the left position (330 ohms).
    • Stick the adhesive backings on the bottom of the QSBs and set them in place on the motherboard. The adhesive is just meant to hold the QSBs in place as you solder them. Solder all of the QSBs in place as according to the diagram. It should be obvious as to which points will attach to the QSB.

CR4 XL Instructions

Wiring is essentially the same as the R-JTAG kit and uses the same QSBs. However, these always use R-JTAG+.

Dip Switch Settings

RJTAG-DIP.png

Configure the DIP switches as follows, only having one "either" switch on at a time:

R-JTAG Kit

Motherboard 1 2 3 4 5 6 7 8
Jasper/Tonasket Off Off Off Either Either Off On On
Falcon/Opus Off Off Either Either Either Off On Off
Zephyr (R-JTAG 1.0) Off Off On Off Off Off Off On
Zephyr (R-JTAG 1.1) Off Off On Off Off Off Off Off

Change the "either" switches around if you have bad boot times or flashing red lights (false RROD), but make sure only one "either" switch is enabled. Leave them off by default.

CR4 XL

Motherboard 1 2 3 4 5 6 7 8
Jasper/Tonasket Off Off Off Off Off Off Off Off
Falcon/Opus Off Off Off Off Off Off On Off
Zephyr Off Off On Off Off Off On On

Decrypting the NAND

Once you have successfully obtained your CPU key, we can build an XeBuild image, which is a modified NAND built specifically for your console.

  • If you want to use J-Runner with the console connected to LAN to get the CPU key, enter the IP address XeLL gives you into the lower right of the app. You can then click Get CPU Key and XeLL will automatically decrypt the retail NAND dump you backed up earlier.
  • If you want to use XeLL's web page to get the CPU key, enter the Xbox's IP address in your preferred web browser. You will see information about the console, and the CPU key can be easily copy and pasted from this web page.
  • If you didn't have access to an ethernet cable to plug the Xbox into a PC or LAN, you can manually type the CPU key into J-Runner in order to decrypt your original NAND dump.

Writing a New NAND Image (NAND Flasher)

  1. Power down the console, and connect your programmer to the motherboard and computer.  
    • If you are using an xFlasher, ensure the switch is set to SPI.
  2. Open J-Runner and select ... next to the Load Source field and either select your nanddump1.bin or nanddump2.bin if not already selected. In the upper right corner of the window, select the desired dashboard version you want to install (It will auto-select to the latest, which is 17559) and select the Jtag radio button. Make sure the R-JTAG checkbox is enabled.
    • If you have a non-Xenon console, the Aud_clamp checkbox should be enabled.
  3. Click Create XeBuild Image. This will take a few moments.
  4. Click Write NAND.
  5. Disconnect your NAND programmer from the console when the process completes, and check if the console boots to the Microsoft dashboard. If it successfully boots to the dashboard, it is an indication that you've successfully hacked your console.
    • You may want to leave your Xbox 360 disassembled so that you can disable the eFuse-blowing circuit so you can't accidentally install official updates on your console.
  6. Remove your NAND programmer wires and clean the points. Clean all flux off the board, allow it to dry, and test it once more before re-assembling. You're now free to install XEXMenu (instructions in section below).

Writing a New NAND Image (XeLL with USB Storage)

  1. Open J-Runner and select ... next to the Load Source field and either select your nanddump1.bin or nanddump2.bin if not already selected. In the upper right corner of the window, select the desired dashboard version you want to install (It will auto-select to the latest, which is 17559) and select the Jtag radio button. Make sure the R-JTAG checkbox is enabled.
    • If you have a non-Xenon console, the Aud_clamp checkbox should be enabled.
  2. Click Create XeBuild Image. This will take a few moments.
  3. Copy updflash.bin to a FAT32 formatted USB storage device and plug it into your powered-off console. Turn on your console and it will boot into XeLL and begin flashing your NAND. Once it has finished, it will power off your console. Turn it back on, and it should boot to the Microsoft dashboard, which is an indication that you've successfully hacked your console.
    • You may want to leave your Xbox 360 disassembled so that you can disable the eFuse-blowing circuit so you can't accidentally install official updates on your console.
  4. Remove your NAND programmer wires (if they are still attached) and clean the points. Clean all flux off the board, allow it to dry, and test it once more before re-assembling. You're now free to install XEXMenu (instructions in section below).

Installing XeXMenu

  1. Plug a flash drive into your Xbox 360 and navigate to Console Settings > Storage. Select the flash drive and allow it to format the flash drive as a system drive.
  2. Extract the CODE9999 folder from the XeXMenu 7zip file to your Desktop.
  3. Plug the flash drive into your PC. Create a new folder on the flash drive and name it 0000000000000000 (16 zeroes). Open the new folder, then drag the CODE9999 folder into it.
  4. Select Drive > Close, then close Xplorer360. Safely eject your flash drive and plug it into your Xbox 360. Navigate to the Demos section of your dashboard, and it should list XeXMenu there. Select it to launch it.
    • You can install XeXMenu to your hard drive by going to Console Settings > Storage, and copying it from your flash drive to the hard drive.

From here, you can install any homebrew or mods that you want. See this page for a list of recommended modifications and applications to install.

Retrieved from "https://consolemods.org/wiki/index.php?title=Xbox_360_talk:R-JTAG&oldid=49130"