Xbox 360:RGH/RGH3: Difference between revisions

From ConsoleMods Wiki
Jump to navigation Jump to search
m (Text replacement - "Category:Xbox360" to "Category:Xbox 360")
 
(30 intermediate revisions by 2 users not shown)
Line 1: Line 1:
[[Category:Xbox 360]]
{{Warning|The steps on this page are considered risky for your console, as there is a chance you can brick it. Please have someone else mod your console if you are not experienced in soldering!}}
{{Notice|Phat consoles tend to be more stubborn with RGH3, and may have inconsistant booting behavior. It is recommended to use [[Xbox_360:RGH/RGH1.2|RGH 1.2]] on a phat system, as it will be more stable.}}
RGH 3 is a modern method of the Reset Glitch Hack that uses the SMC in the Xbox 360's southbridge instead of a glitch chip in order to boot unsigned code.
RGH 3 is a modern method of the Reset Glitch Hack that uses the SMC in the Xbox 360's southbridge instead of a glitch chip in order to boot unsigned code.


MrMario2011 has video guides for RGH 3 on Falcon/Jasper<ref>https://youtu.be/Gq1Svm-s-DM?si=bU1ANSEJRyFRf-G9</ref>, Trinity<ref>https://youtu.be/D3DDglRBqfY?si=nOD4cB6T6_gaQLwp</ref>, and Corona <ref>https://youtu.be/hpOlGeCHwro?si=CQHohmwYaSVUqG-F</ref> motherboards respectively. The guides from Larvs on Xbox 360 Hub<ref>https://xbox360hub.com/guides/rgh-3-guide/</ref> and BeefyDJ on Se7enSins<ref>https://www.se7ensins.com/forums/threads/rgh-3-0-guide-phat-slim-includes-quick-tool.1832979/</ref> are also great resources for RGH 3 tutorials.  
MrMario2011 has video guides for RGH 3 on Falcon/Jasper<ref>https://youtu.be/Gq1Svm-s-DM?si=bU1ANSEJRyFRf-G9</ref>, Trinity<ref>https://youtu.be/D3DDglRBqfY?si=nOD4cB6T6_gaQLwp</ref>, and Corona <ref>https://youtu.be/hpOlGeCHwro?si=CQHohmwYaSVUqG-F</ref> motherboards respectively. The guides from Larvs on Xbox 360 Hub<ref>https://xbox360hub.com/guides/rgh-3-guide/</ref> and BeefyDJ on Se7enSins<ref>https://www.se7ensins.com/forums/threads/rgh-3-0-guide-phat-slim-includes-quick-tool.1832979/</ref> are also great resources for RGH 3 tutorials.  


{{Notice|Phat consoles tend to be more stubborn with RGH3, and may have inconsistant booting behavior. It is recommended to use [[Xbox_360:RGH/RGH1.2|RGH 1.2]] on a phat system, as it will be more stable.}}
==Equipment Needed==
==Equipment Needed==


Line 9: Line 11:
**[[Recommended Soldering Equipment|Specific recommendatons can be found on this page]]
**[[Recommended Soldering Equipment|Specific recommendatons can be found on this page]]
*28-30AWG Wire (Solid core recommended)
*28-30AWG Wire (Solid core recommended)
*An SMD or through hole ('''Required on Phat''', optional on Slim)
*An SMD or through hole resistor, SMD preferred. ('''Required on Phat''', optional on Corona. Optional but highly recommended on Trinity.)
**Falcon/Jasper: 22K Ohm (Red, Red, Orange, Yellow)
**Falcon/Jasper/Tonasket: 22K Ohm (Red, Red, Orange, Golden)
**Trinity: 3K-10K Ohm  
**Trinity: 3K Ohm (Orange, Black, Red, Golden)
***10K resistor color values are Brown, Black, Red, Gold
***Up to 10K Ohm can work, but Trinity consoles can occassionally have issues with RGH3 when using a high Ohm resistors like these, so it's best to use 3K when available.
***Some Trinity consoles can occassionally have issues with RGH3 when using a high Ohm resistor, so it's best to start with around 3K if using one.
**Corona: 1K Ohm (Brown, Black, Red, Gold)
**Corona: 1K Ohm (Optional, Brown, Black, Red, Gold)
*On Falcon/Jasper/Tonasket, an optional through hole or SMD diode of your choice, SMD preferred.
*1N4148 diode (Only Falcon/Jasper, '''highly recommended''')
**If you are not sure what to use, 1N4148 diodes are a decent option.
**Highly recommended for stubborn consoles.
*Wire Insulation (kapton tape, electrical tape, heatshrink, etc.) if using a through hole resistor/diode
*Wire Insulation (kapton tape, electrical tape, heatshrink, etc.) if using a through hole resistor/diode
*A PC running Windows Vista or later
*A PC running Windows Vista or later
*[https://github.com/Octal450/J-Runner-with-Extras J-Runner with Extras]
*[https://github.com/Octal450/J-Runner-with-Extras J-Runner with Extras]
*Any compatible NAND Programmer (Listed in the NAND backup page)
*Any compatible NAND Programmer
*NAND Backup with RGH3 XeLL written to the console
 
**[[Xbox_360:4GB_NAND|4GB Corona NAND]]
==Reading your NAND==
**[[Xbox_360:Standard_NAND|Any other NAND type]]
 
=== 4 GB Corona/Waitsburg/Stingray ===
{{Xbox 360 eMMC Flashers}}
 
=== All Other NAND Types ===
{{Xbox 360 NAND Flashers}}
 
==Waitsburg/Stingray Specific Instructions==
On Waitsburg and Stingray motherboards, the trace connecting the CPU's POST to the POST pad on the bottom of the motherboard has been removed, so you need to use a postfix adapter to be able to attach a pogo pin to the POST connection underneath the CPU. You can use the following image to determine if you need the adapter or not by removing the heatsink:
 
[[File:Corona POST.png]]
 
You can also identify if you have a Waitsburg motherboard instead of a Corona by looking for the part number of `X862605` on the bottom left of the PCB. Generally, Xbox 360 S consoles manufactured in 2012 will be Waitsburgs and need postfix adapters for RGH. Every Stingray will also need a postfix adapter with RGH.
 
As shown in following diagram, you can install it by carefully sliding the larger piece of the adapter onto the left side of the CPU (when looking at the CPU from a readable position). Gently press the PCB inward toward the CPU to depress the pogo pin, and slide the smaller PCB part over the other side of the CPU, interlocking the two PCBs together. Solder the four anchor points on the edges of the postfix adapter to prevent it from coming loose.
 
[[File:Full Postfix Guide.png]]


==RGH3 Wiring & Diagrams==
==RGH3 Wiring & Diagrams==
[[File:Phat360PLLFix.jpg|thumb|PLL Repair on a Phat motherboard (required if bottom pad is damaged)|327x327px]]
[[File:Phat360PLLFix.jpg|thumb|PLL Repair on a Phat motherboard (required if bottom pad is damaged)|327x327px]]
===[https://xbox360hub.com/wp-content/uploads/2022/01/RGH3_PHAT.png Phat (Falcon/Jasper)]===  
===Xbox 360 "Phat" (Falcon/Jasper/Tonasket)===
[https://imgur.com/rsKnsZy '''Alternative Phat Diagram''']
On Falcon/Jasper/Tonasket motherboards, you can optionally place a diode on the wire that connects POST and SMC_POST. While it could be skipped, it is more likely the console's boot times will be more unstable or inconstant without it.
 
The diode's cathode end (the side with a black band) connects to CPU POST, whereas its anode end connects to SMC_POST. '''Make sure the polarity is correct'''.


On Falcon and Jasper motherboards, you can place the a diode on the wire that connects POST and SMC_POST. While it could be skipped, is not recommended to use RGH 3 on a Falcon or Jasper without this diode, as the boot times will be more unstable or inconstant without it.
When using a through hole component, it is recommended to solder it inline the wire instead of soldering it directly to a pad. The wires will be less stiff than the component's legs, causing less strain to the joint if it moves around. Make sure the PLL wire is not nearby any high noise areas, like capacitors or coils.
When using a through hole diode, it is recommended to solder it in the middle of the wire instead of soldering it directly to a pad. The wires will be less stiff than the diode's legs, causing less strain to the joint if it moves around. This also applies to the 22K resistor on the wire connecting PLL and SMC_PLL.


'''It is not recommended to use RGH 3 on Falcon or Jasper without the suggested resistor.'''
'''It is not recommended whatsoever to use RGH 3 on Falcon or Jasper without the suggested resistor.'''


==== CPU Solder Points ====
==== Diagram ====
[[File:Phat RGH3 Diagram 2.jpg|frameless|900x900px]]
 
==== Alternate Diagram ====
[[File:Phat_RGH3.png|frameless|900x900px]]
 
==== Close-Up Solder Points ====
'''CPU PLL'''
'''CPU PLL'''
*Bottom
*Bottom
**[[File:Fat360PLL.jpg|Bottom|600x600px]]
**[[File:Fat360PLL.jpg|Bottom|865x865px]]
*Top
*Top (Requires Scraping)
**[[File:Fat360topPLL.jpg|Top (Requires scraping)|862x862px]]
**[[File:Fat360topPLL.jpg|Top (Requires scraping)|862x862px]]
'''CPU POST'''
'''CPU POST'''
*Bottom
*Bottom
**[[File:FT6U7_POST.jpg|Bottom|600x600px]]
**[[File:FT6U7_POST.jpg|Bottom|600x600px]]
*'''Top'''
*Top (Requires Scraping)
**[[File:POST_OUT1_Top.jpg|Top (Requires scraping)|600x600px]]
**[[File:POST_OUT1_Top.jpg|Top (Requires scraping)|600x600px]]


==== SMC Solder Points ====
*POST and PLL (Bottom)
*[[File:PhatRGH3SMC.png|frameless|679x679px]]
**[[File:PhatRGH3SMC.png|frameless|679x679px]]
**Alternative SMC_PLL (Top)
*Alternative SMC_PLL (Top)
***[[File:Topsidepoint.png|frameless|565x565px]]
**[[File:Topsidepoint.png|frameless|679x679px]]
===[https://xbox360hub.com/wp-content/uploads/2021/12/Trinity-full-board-min.png Slim (Trinity)]===


On Trinity, it is recommended to use a 3K to 10K Ohm resistor on the PLL wire. The resistor on Trinity is optional, but recommended for reliability if available. The diode on the POST wire is not used on Trinity or Corona. When using a through hole resistor, it is recommended to solder it in the middle of the wire instead of soldering it directly to a pad. The wires will be less stiff than the diode's legs, causing less strain to the joint if it moves around.  
===Xbox 360 S (Trinity)===
On Trinity, it is optional but highly recommended to use a 3K to 10K Ohm resistor on the PLL wire. The diode on the POST wire is not used on Trinity.


==== CPU Solder Points ====
When using a through hole resistor for PLL, it is recommended to solder it in the middle of the wire instead of soldering it directly to a pad or via. The wires will be less stiff than the diode's legs, causing less strain to the joint if it moves around. 
 
Make sure the PLL wire is not nearby any high noise areas, like any coils or capacitors.
 
==== Diagram ====
[[File:Trinity RGH3.png|frameless|900x900px]]
 
==== Close-Up Solder Points ====
* CPU PLL (Bottom, '''no alt point!''')
* CPU PLL (Bottom, '''no alt point!''')
** [[File:RGH1.2_Slim_PLL.jpg|645x645px]]
** [[File:RGH1.2_Slim_PLL.jpg|645x645px]]
Line 60: Line 93:
**[[File:TrinityPOSTandRST.png|642x642px]]
**[[File:TrinityPOSTandRST.png|642x642px]]


==== SMC Solder Points ====
* SMC_PLL
* SMC_PLL
** [[File:FT2V1.png|FT2V1|658x658px]]
** Bottom (FT2V1)
*** [[File:FT2V1.png|FT2V1|615x615px]]
** Alternate Top Points
*** DB2G3
**** [[File:Trinity smcpll.jpg|frameless|613x613px]]
***R3D2
**** [[File:Trinity R3D2.jpg]]
*SMC_POST
*SMC_POST
** [[File:TrinitySMC_POST.png|R3R22]]
** Bottom
*** [[File:TrinitySMC_POST.png|R3R22]]
 
===Xbox 360 S/E (Corona/Waitsburg/Stingray) ===
The 1K Ohm resistor on Corona motherboards is entirely optional, as the GPIO and CPU PLL both operate at 1.8v.
 
When using a through hole resistor for PLL, it is recommended to solder it in the middle of the wire instead of soldering it directly to a pad or via. The wires will be less stiff than the diode's legs, causing less strain to the joint if it moves around. 
 
Make sure the PLL wire is not nearby any high noise areas, like any coils or capacitors.


===[https://xbox360hub.com/wp-content/uploads/2021/12/Slim_Corona.jpg Slim or E (Corona/Waitsburg/Stingray)] ===
Make sure to check if the POST point on the bottom is enabled or not using the provided diagram. The diode on the POST wire is not used on Corona.


[[File:5lY3TID.png|thumb|Corona POSTFix Installation/Identification|867x867px]]
==== Diagram ====
The 1K Ohm resistor on Corona motherboards is optional, but still recommended for reliability if available. It also connects to the wire connecting SMC_PLL and the CPU's PLL. When using a through hole resistor, it is recommended to solder it in the middle of the wire instead of soldering it directly to a pad. The wires will be less stiff than the diode's legs, causing less strain to the joint if it moves around. Make sure to check if the POST point on the bottom is enabled or not using the provided diagram.
[[File:RGH3 Corona w-o POSTfix .jpg|frameless|900x900px]]


==== CPU Solder Points ====
==== Close-up Solder Points ====
* CPU PLL (Bottom, '''no alt point!''')
* CPU PLL (Bottom, '''no alt point!''')
** [[File:RGH1.2_Slim_PLL.jpg|645x645px]]
** [[File:RGH1.2_Slim_PLL.jpg|645x645px]]
*CPU POST (Bottom, RST can be ignored with RGH3)
*CPU POST (Bottom, RST can be ignored with RGH3)
**[[File:Corona_POSTandRST.png||503x503px]]
**[[File:Corona_POSTandRST.png|621x621px]]


==== SMC Solder Points ====
*POST and PLL (Bottom)
*Bottom
** [[File:CoronaSMC.png|SMC_POST and SMC_PLL|533x533px]]
** [[File:CoronaSMC.png|SMC_POST and SMC_PLL|533x533px]]
*Alternate SMC_PLL (Top)
**[[File:Coronasmcpost.jpg|frameless|488x488px]]
== Testing the Console ==
Once you've finished soldering, clean up any flux with isopropyl alcohol and cotton swabs. Partially re-assemble your Xbox 360, ensuring that:
* Heatsinks are attached (If they were removed for some reason)
* Fan(s) are in place and plugged in (On a phat console, the fans can be angled on top of the heatsinks to cool them for testing)
* The RF board is plugged into the front of the console
* An A/V or HDMI cable is plugged into the Xbox 360 and into a TV or monitor
* A power brick is plugged in to both the wall and Xbox 360
* (Optional) An ethernet cable is plugged into the Xbox 360 and a LAN (e.g. a switch, router, or directly to a PC)
Turn on your console, and it should boot into XeLL RELOADED within a minute. If you don't have an ethernet cable connected, write down (and/or take a picture of) the "CPU Key" listed on screen. If the console doesn't boot into XeLL, check all previous steps and double check your wiring accuracy and quality.


==Decrypting the NAND==
==Decrypting the NAND==
Once you have successfully obtained your CPU key, we can build an XeBuild image, which is a modified NAND built specifically for your console.
*If you want to use J-Runner with the console connected to LAN to get the CPU key, enter the IP address XeLL gives you into the lower right of the app. You can then click <code>Get CPU Key</code> and J-Runner will automatically decrypt the retail NAND dump you backed up earlier.
*If you want to use XeLL's web page to get the CPU key, enter the Xbox's IP address in your preferred web browser. You will see information about the console, and the CPU key can be easily copy and pasted from this web page.
*If you didn't have access to an ethernet cable to plug the Xbox into a PC or LAN, you can manually type the CPU key into J-Runner in order to decrypt your original NAND dump.
You may want to extract the contents of your NAND before going further for backup purposes, like your original keyvault. Here is how to do so.


# Connect an Ethernet cable and HDMI cable to the console and power it on. The glitch chip should blink once or more times, and then the console should start into XeLL RELOADED.
# Add your original NAND dump to J-Runner using the <code>Load Source</code> button. It will be either named <code>flashdmp.bin</code> or <code>nanddump(1/2).bin</code>.
# Once XeLL finishes, it will display your CPU key and some other info. There is also an IP address.
# Select the button above the Source NAND's text field named <code>Extract Files</code>.
# Enter the IP address into the box on the lower right of J-Runner and click "Get CPU Key". J-Runner will pull the info from the box, and decrypt the NANDs automatically.
# You will now have backups of the original console's keyvault, SMC configuration, and SMC firmware.  
#*If you don't want to or aren't able to connect the Xbox 360 to a network or directly to the PC, you can also manually type in the CPU key from XeLL into J-Runner.


==Writing New NAND Image ==   
==Writing New NAND Image (NAND Flasher) ==   


#Power down the console, and connect your programmer to the motherboard.   
#Power down the console, and connect your programmer to the motherboard.   
#*If you are using an xFlasher, ensure the switch is set to <code>SPI</code>.
#*If you are using an xFlasher, ensure the switch is set to <code>SPI</code>.
#In the upper right of J-Runner, ensure the <code>Glitch2</code> radio button is selected. Since RGH3 XeLL was written to the NAND earlier, Glitch2 and RGH3 should already be enabled.
#Open J-Runner and select <code>...</code> next to the Load Source field and select one of your original NAND dumps if not already selected. In the upper right of J-Runner, ensure the <code>Glitch2</code> radio button is selected.  
#*Since RGH3 XeLL was written to the NAND earlier, Glitch2 and RGH3 should already be enabled.
#Click "Create XeBuild Image". This will take a few moments.
#Click "Create XeBuild Image". This will take a few moments.
#Click "Write NAND".
#Click "Write NAND".
#Disconnect your programmer when the process completes.
#Disconnect your NAND programmer from the console's motherboard when the process completes.
#Check if the console boots to the Microsoft dashboard. If it successfully boots to the dashboard, it is an indication that you've successfully hacked your console.
#Boot the console several times and ensure it boots consistently. If not, make sure your wiring is clean and neat and avoids noisy areas. Run the wires near the X-Clamps for best results.
#*If you are on a Falcon/Jasper console and have issues with booting, you can configure the RGH 3 MHz in J-Runner from 10 Mhz to 27 MHz or vise versa.
#Continue in the [[Xbox 360:RGH/RGH3#Cleaning Up|Cleaning Up section]].
==Writing a New NAND Image (XeLL)==
#Open J-Runner and select <code>...</code> next to the Load Source field and select your nanddump1.bin or nanddump2.bin if not already selected. In the upper right corner of the window, select the dashboard version you chose for the patched dump that you wrote to the motherboard and make sure that the <code>Glitch2</code> radio button is selected.
#*Since RGH3 XeLL was written to the NAND earlier, Glitch2 and RGH3 should already be enabled.
#Click "Create XeBuild Image". This will take a few moments.
#Copy updflash.bin to a FAT32 formatted USB storage device and plug it into your powered-off console.
#Turn on your console. It will boot into XeLL and begin flashing your NAND. Once it has finished, it will power off your console.
#Turn it back on, and it should boot to the Microsoft dashboard, which is an indication that you've successfully hacked your console.
#Boot the console several times and ensure it boots consistently. If not, make sure your wiring is clean and neat and avoids noisy areas. Run the wires near the X-Clamps for best results.
#Boot the console several times and ensure it boots consistently. If not, make sure your wiring is clean and neat and avoids noisy areas. Run the wires near the X-Clamps for best results.
#Return to the RGH main page and continue in the [[Xbox_360:RGH#Cleaning_Up|Cleaning Up section]].
#*If you are on a Falcon/Jasper/Tonasket console and have issues with booting, you can configure the RGH 3 MHz in J-Runner from 10 Mhz to 27 MHz.
#Continue in the [[Xbox 360:RGH/RGH3#Cleaning Up|Cleaning Up section]].
==Cleaning Up==
Remove the NAND programmer wires from the console and clean the points. Clean all flux off the board, allow it to dry, and test it once more before re-assembling.


You may want to leave your Xbox 360 disassembled so that you can [[Xbox_360:Disabling the eFuse Burning Circuit|disable the eFuse-blowing circuit]] so you can't accidentally install official updates on your console.
==Installing XeXMenu==
#Plug a flash drive into your Xbox 360 and navigate to Console Settings > Storage. Select the flash drive and allow the console to format the flash drive.
#Extract the <code>CODE9999</code> folder from [[Xbox 360:XeXmenu|XeXmenu]] to your Desktop.
#Plug the flash drive into your PC.
#Enter the folder <code>Content</code> on the USB, or create it if it does not exist. Within this folder, create a new folder on the flash drive and name it <code>0000000000000000</code> (16 zeroes). Open the new folder, then drag the <code>CODE9999</code> folder into it.
#Safely eject your flash drive and plug it into your Xbox 360. Navigate to the Demos section of your dashboard, and it should list XeXMenu there. Select it to launch it.
#*You can install XeXMenu to your hard drive by going to Console Settings > Storage, and copying it from your flash drive to the hard drive.
From here, you can install any homebrew or mods that you want. See [[Xbox_360:Recommendations|this page]] for a list of recommended modifications and applications to install.
==References==
==References==


<references />
<references />

Latest revision as of 20:20, 4 September 2024

Exclamation-triangle-fill.svgThe steps on this page are considered risky for your console, as there is a chance you can brick it. Please have someone else mod your console if you are not experienced in soldering!


Exclamation-circle-fill.svgPhat consoles tend to be more stubborn with RGH3, and may have inconsistant booting behavior. It is recommended to use RGH 1.2 on a phat system, as it will be more stable.


RGH 3 is a modern method of the Reset Glitch Hack that uses the SMC in the Xbox 360's southbridge instead of a glitch chip in order to boot unsigned code.

MrMario2011 has video guides for RGH 3 on Falcon/Jasper[1], Trinity[2], and Corona [3] motherboards respectively. The guides from Larvs on Xbox 360 Hub[4] and BeefyDJ on Se7enSins[5] are also great resources for RGH 3 tutorials.

Equipment Needed

  • A soldering iron, solder, flux, and Isopropyl alcohol with cotton swabs
  • 28-30AWG Wire (Solid core recommended)
  • An SMD or through hole resistor, SMD preferred. (Required on Phat, optional on Corona. Optional but highly recommended on Trinity.)
    • Falcon/Jasper/Tonasket: 22K Ohm (Red, Red, Orange, Golden)
    • Trinity: 3K Ohm (Orange, Black, Red, Golden)
      • Up to 10K Ohm can work, but Trinity consoles can occassionally have issues with RGH3 when using a high Ohm resistors like these, so it's best to use 3K when available.
    • Corona: 1K Ohm (Brown, Black, Red, Gold)
  • On Falcon/Jasper/Tonasket, an optional through hole or SMD diode of your choice, SMD preferred.
    • If you are not sure what to use, 1N4148 diodes are a decent option.
    • Highly recommended for stubborn consoles.
  • Wire Insulation (kapton tape, electrical tape, heatshrink, etc.) if using a through hole resistor/diode
  • A PC running Windows Vista or later
  • J-Runner with Extras
  • Any compatible NAND Programmer

Reading your NAND

4 GB Corona/Waitsburg/Stingray

4 GB Xbox 360 S/E SKUs made after mid 2011 use an MMC NAND (Corona) or eMMC chip (Waitsburg/Stingray/Winchester) and require different tools to dump and flash the NAND compared to the 16/64/256/512 MB NAND chips. These 4 GB consoles require that you use an xFlasher 360, PicoFlasher, Element18592's 4GB USB tool, or an SD card tool. Consider the pros and cons below and choose the method that’s right for you.

A guide on how to dump and write to a 4 GB NAND can be found here.

Device Pros Cons
xFlasher 360
  • Reads NAND fast in 40 seconds to 4 minutes
  • Can also program glitch chips
  • Actively supported
  • USB-C
  • More expensive than other options
PicoFlasher
  • Usually has inconsistent dumping behavior
4GB USB Tool
  • Reads NAND fast in 40 seconds to 4 minutes (same as xFlasher)
  • Cheap
  • Comes with a header for the NAND pads, making future NAND reading easier
  • You will need a programmer to flash glitch chips
SD Card Tool (any brand)
  • Super cheap
  • Easy to find
  • Easy to DIY
  • You will need a dedicated programmer to flash glitch chips
  • Sometimes has inconsistent compatibility with SD card readers

All Other NAND Types

There are a few different tools for reading your NAND chip: xFlasher 360, Nand-X, JR Programmer, Matrix USB NAND Flasher, PicoFlasher, various SD card tools, or a LPT cable. Consider the pros and cons below and choose the method that’s right for you. An LPT cable is not recommended as it's extremely slow, requires more work than other options, and cannot be used to program glitch chips.

A guide on how to dump and write to a standard NAND can be found here.

Device Pros Cons
xFlasher 360
  • Reads NAND fast in 40 seconds to 4 minutes
  • Can also program glitch chips
  • One of four options for 4GB NANDs
  • Actively supported
  • USB-C
  • Most expensive flasher
  • Not sold on common marketplaces like Amazon or AliExpress
  • Can't be used for flashing Sonus Sounds
PicoFlasher
  • Reads NAND fast in 1-8 minutes
  • One of four options for 4GB NANDs
  • One of the two options for Sonus flashing
  • Super cheap
  • Easy to find
  • Can flash glitch chips with this J-Runner Fork
  • Due to how the currently available PicoFlasher firmware is programmed, it often has many bugs with getting consistently good non-corrupt NAND dumps or being detected by J-Runner.
  • Can sometimes have spotty reliability on Xbox 360 motherboards due to their SPI and eMMC logic being up to 5v, whereas the Pico uses 3.3v.
JR Programmer
  • Reads NAND in 3-10 minutes
  • Can also program glitch chips
  • One of the two options for Sonus flashing
  • Cheap
  • Easy to find
  • More expensive and less common than PicoFlasher
  • Does not support 4GB NANDs
Nand-X
  • Reads NAND in 2-8 minutes
  • Can also program RGH glitch chips
  • More expensive than most NAND flashers
  • Does not support 4GB NANDs
  • Can't be used for flashing Sonus Sounds
Matrix USB NAND Flasher
  • Cheap
  • Can’t be used for programming glitch chips unless you modify it
  • Does not support 4GB NANDs
  • Requires unsigned drivers
  • Reads NAND in 7-26 minutes, which is quite a bit slower than most options
  • Can't be used for flashing Sonus Sounds
LPT Cable
  • Cheap
  • Requires PC with a native parallel port and more equipment
  • More difficult
  • Does not support 4GB NANDs
  • Can’t be used for programming glitch chips
  • Can't be used for Sonus flashing
  • Takes 30-150 minutes to read NANDs

Waitsburg/Stingray Specific Instructions

On Waitsburg and Stingray motherboards, the trace connecting the CPU's POST to the POST pad on the bottom of the motherboard has been removed, so you need to use a postfix adapter to be able to attach a pogo pin to the POST connection underneath the CPU. You can use the following image to determine if you need the adapter or not by removing the heatsink:

Corona POST.png

You can also identify if you have a Waitsburg motherboard instead of a Corona by looking for the part number of X862605 on the bottom left of the PCB. Generally, Xbox 360 S consoles manufactured in 2012 will be Waitsburgs and need postfix adapters for RGH. Every Stingray will also need a postfix adapter with RGH.

As shown in following diagram, you can install it by carefully sliding the larger piece of the adapter onto the left side of the CPU (when looking at the CPU from a readable position). Gently press the PCB inward toward the CPU to depress the pogo pin, and slide the smaller PCB part over the other side of the CPU, interlocking the two PCBs together. Solder the four anchor points on the edges of the postfix adapter to prevent it from coming loose.

Full Postfix Guide.png

RGH3 Wiring & Diagrams

PLL Repair on a Phat motherboard (required if bottom pad is damaged)

Xbox 360 "Phat" (Falcon/Jasper/Tonasket)

On Falcon/Jasper/Tonasket motherboards, you can optionally place a diode on the wire that connects POST and SMC_POST. While it could be skipped, it is more likely the console's boot times will be more unstable or inconstant without it.

The diode's cathode end (the side with a black band) connects to CPU POST, whereas its anode end connects to SMC_POST. Make sure the polarity is correct.

When using a through hole component, it is recommended to solder it inline the wire instead of soldering it directly to a pad. The wires will be less stiff than the component's legs, causing less strain to the joint if it moves around. Make sure the PLL wire is not nearby any high noise areas, like capacitors or coils.

It is not recommended whatsoever to use RGH 3 on Falcon or Jasper without the suggested resistor.

Diagram

Phat RGH3 Diagram 2.jpg

Alternate Diagram

Phat RGH3.png

Close-Up Solder Points

CPU PLL

  • Bottom
    • Bottom
  • Top (Requires Scraping)
    • Top (Requires scraping)

CPU POST

  • Bottom
    • Bottom
  • Top (Requires Scraping)
    • Top (Requires scraping)
  • POST and PLL (Bottom)
    • PhatRGH3SMC.png
  • Alternative SMC_PLL (Top)
    • Topsidepoint.png

Xbox 360 S (Trinity)

On Trinity, it is optional but highly recommended to use a 3K to 10K Ohm resistor on the PLL wire. The diode on the POST wire is not used on Trinity.

When using a through hole resistor for PLL, it is recommended to solder it in the middle of the wire instead of soldering it directly to a pad or via. The wires will be less stiff than the diode's legs, causing less strain to the joint if it moves around.

Make sure the PLL wire is not nearby any high noise areas, like any coils or capacitors.

Diagram

Trinity RGH3.png

Close-Up Solder Points

  • CPU PLL (Bottom, no alt point!)
    • RGH1.2 Slim PLL.jpg
  • CPU POST (Bottom, RST can be ignored with RGH3)
    • TrinityPOSTandRST.png
  • SMC_PLL
    • Bottom (FT2V1)
      • FT2V1
    • Alternate Top Points
      • DB2G3
        • Trinity smcpll.jpg
      • R3D2
        • Trinity R3D2.jpg
  • SMC_POST
    • Bottom
      • R3R22

Xbox 360 S/E (Corona/Waitsburg/Stingray)

The 1K Ohm resistor on Corona motherboards is entirely optional, as the GPIO and CPU PLL both operate at 1.8v.

When using a through hole resistor for PLL, it is recommended to solder it in the middle of the wire instead of soldering it directly to a pad or via. The wires will be less stiff than the diode's legs, causing less strain to the joint if it moves around.

Make sure the PLL wire is not nearby any high noise areas, like any coils or capacitors.

Make sure to check if the POST point on the bottom is enabled or not using the provided diagram. The diode on the POST wire is not used on Corona.

Diagram

RGH3 Corona w-o POSTfix .jpg

Close-up Solder Points

  • CPU PLL (Bottom, no alt point!)
    • RGH1.2 Slim PLL.jpg
  • CPU POST (Bottom, RST can be ignored with RGH3)
    • Corona POSTandRST.png
  • POST and PLL (Bottom)
    • SMC_POST and SMC_PLL
  • Alternate SMC_PLL (Top)
    • Coronasmcpost.jpg

Testing the Console

Once you've finished soldering, clean up any flux with isopropyl alcohol and cotton swabs. Partially re-assemble your Xbox 360, ensuring that:

  • Heatsinks are attached (If they were removed for some reason)
  • Fan(s) are in place and plugged in (On a phat console, the fans can be angled on top of the heatsinks to cool them for testing)
  • The RF board is plugged into the front of the console
  • An A/V or HDMI cable is plugged into the Xbox 360 and into a TV or monitor
  • A power brick is plugged in to both the wall and Xbox 360
  • (Optional) An ethernet cable is plugged into the Xbox 360 and a LAN (e.g. a switch, router, or directly to a PC)

Turn on your console, and it should boot into XeLL RELOADED within a minute. If you don't have an ethernet cable connected, write down (and/or take a picture of) the "CPU Key" listed on screen. If the console doesn't boot into XeLL, check all previous steps and double check your wiring accuracy and quality.

Decrypting the NAND

Once you have successfully obtained your CPU key, we can build an XeBuild image, which is a modified NAND built specifically for your console.

  • If you want to use J-Runner with the console connected to LAN to get the CPU key, enter the IP address XeLL gives you into the lower right of the app. You can then click Get CPU Key and J-Runner will automatically decrypt the retail NAND dump you backed up earlier.
  • If you want to use XeLL's web page to get the CPU key, enter the Xbox's IP address in your preferred web browser. You will see information about the console, and the CPU key can be easily copy and pasted from this web page.
  • If you didn't have access to an ethernet cable to plug the Xbox into a PC or LAN, you can manually type the CPU key into J-Runner in order to decrypt your original NAND dump.

You may want to extract the contents of your NAND before going further for backup purposes, like your original keyvault. Here is how to do so.

  1. Add your original NAND dump to J-Runner using the Load Source button. It will be either named flashdmp.bin or nanddump(1/2).bin.
  2. Select the button above the Source NAND's text field named Extract Files.
  3. You will now have backups of the original console's keyvault, SMC configuration, and SMC firmware.

Writing New NAND Image (NAND Flasher)

  1. Power down the console, and connect your programmer to the motherboard.
    • If you are using an xFlasher, ensure the switch is set to SPI.
  2. Open J-Runner and select ... next to the Load Source field and select one of your original NAND dumps if not already selected. In the upper right of J-Runner, ensure the Glitch2 radio button is selected.
    • Since RGH3 XeLL was written to the NAND earlier, Glitch2 and RGH3 should already be enabled.
  3. Click "Create XeBuild Image". This will take a few moments.
  4. Click "Write NAND".
  5. Disconnect your NAND programmer from the console's motherboard when the process completes.
  6. Check if the console boots to the Microsoft dashboard. If it successfully boots to the dashboard, it is an indication that you've successfully hacked your console.
  7. Boot the console several times and ensure it boots consistently. If not, make sure your wiring is clean and neat and avoids noisy areas. Run the wires near the X-Clamps for best results.
    • If you are on a Falcon/Jasper console and have issues with booting, you can configure the RGH 3 MHz in J-Runner from 10 Mhz to 27 MHz or vise versa.
  8. Continue in the Cleaning Up section.

Writing a New NAND Image (XeLL)

  1. Open J-Runner and select ... next to the Load Source field and select your nanddump1.bin or nanddump2.bin if not already selected. In the upper right corner of the window, select the dashboard version you chose for the patched dump that you wrote to the motherboard and make sure that the Glitch2 radio button is selected.
    • Since RGH3 XeLL was written to the NAND earlier, Glitch2 and RGH3 should already be enabled.
  2. Click "Create XeBuild Image". This will take a few moments.
  3. Copy updflash.bin to a FAT32 formatted USB storage device and plug it into your powered-off console.
  4. Turn on your console. It will boot into XeLL and begin flashing your NAND. Once it has finished, it will power off your console.
  5. Turn it back on, and it should boot to the Microsoft dashboard, which is an indication that you've successfully hacked your console.
  6. Boot the console several times and ensure it boots consistently. If not, make sure your wiring is clean and neat and avoids noisy areas. Run the wires near the X-Clamps for best results.
    • If you are on a Falcon/Jasper/Tonasket console and have issues with booting, you can configure the RGH 3 MHz in J-Runner from 10 Mhz to 27 MHz.
  7. Continue in the Cleaning Up section.

Cleaning Up

Remove the NAND programmer wires from the console and clean the points. Clean all flux off the board, allow it to dry, and test it once more before re-assembling.

You may want to leave your Xbox 360 disassembled so that you can disable the eFuse-blowing circuit so you can't accidentally install official updates on your console.

Installing XeXMenu

  1. Plug a flash drive into your Xbox 360 and navigate to Console Settings > Storage. Select the flash drive and allow the console to format the flash drive.
  2. Extract the CODE9999 folder from XeXmenu to your Desktop.
  3. Plug the flash drive into your PC.
  4. Enter the folder Content on the USB, or create it if it does not exist. Within this folder, create a new folder on the flash drive and name it 0000000000000000 (16 zeroes). Open the new folder, then drag the CODE9999 folder into it.
  5. Safely eject your flash drive and plug it into your Xbox 360. Navigate to the Demos section of your dashboard, and it should list XeXMenu there. Select it to launch it.
    • You can install XeXMenu to your hard drive by going to Console Settings > Storage, and copying it from your flash drive to the hard drive.

From here, you can install any homebrew or mods that you want. See this page for a list of recommended modifications and applications to install.

References