Xbox 360:R-JTOP

From ConsoleMods Wiki
Jump to navigation Jump to search
Exclamation-triangle-fill.svgThe steps on this page are considered risky for your console, as there is a chance you can brick it. Please have someone else mod your console if you are not experienced in soldering!


The R-JTOP hack is an open source modification that allows you to run unsigned code, mods, game backups, and homebrew on phat consoles. It works by glitching the CB fuse check when loading the old JTAGable CB, which allows JTAG (SMC Hack) to be performed like normal. It works the same way as the R-JTAG(+) hack and achieves the same result through a different method. It is preferred over R-JTAG, as it doesn't require out of production Team Executer hardware while having better glitching performance, but it is lesser used than normal RGH methods and therefore you will not receive much support if you run into issues. There is generally little reason to use R-JTOP over RGH 1.2 because of this.

Note: R-JTOP does not support S/E motherboards.

Requirements

Below are the requirements to R-JTOP your Xbox 360. It’s recommended to read ahead and choose the NAND dumping method and R-JTOP specific wiring that’s right for you, as you will need a NAND programmer and potentially more equipment depending on which methods you choose.

To check that your console is exploitable, it must meet the following conditions. You must have:

  • An original Xbox 360 console (Falcon/Opus, Jasper, or Tonasket model). You can look at the back of your console and check this guide to find out what model you have.
    • Xenons and Zephyrs do not have any reports of them working although the original announcement post said "some work". It is highly recommended to use EXT_CLK on these consoles. It may also possible to compile R-JTOP timing files that use EXT_CLK instead of CPU_PLL, but this isn't widely tested. Thus, this guide only covers Falcon/Jasper/Tonasket consoles.
  • A console on dashboard 15572 or higher. You can check this by navigating to Settings > Console Settings > Hover over System Info. Your dashboard version will be shown in the top right in the form 2.0.xxxxx.0, where xxxxx is your dashboard version.
    • If it is on a lower dashboard, you can update it to the latest.
  • Soldering experience. The Xbox 360 is not a good place to learn to solder. Regardless of which dumping method you choose, you will need a soldering iron, solder, and flux.

You will also need:

  • A NAND reader that can program glitch chips (JR Programmer, NAND-X, or two Matrix USB NAND Flasher)
  • A xc2c64a based glitch chip or the ability to compile the source for another chip
    • CoolRunner 3
    • CoolRunner rev C/D
    • Matrix Glitcher
  • J-Runner with Extras (Includes R-JTOP timing files for Falcon and Jasper.)
  • Equipment listed in the relevant R-JTOP specific wiring diagrams

Reading your NAND

There are a few different tools for reading your NAND chip: xFlasher 360, Nand-X, JR Programmer, Matrix USB NAND Flasher, PicoFlasher, various SD card tools, or a LPT cable. Consider the pros and cons below and choose the method that’s right for you. An LPT cable is not recommended as it's extremely slow, requires more work than other options, and cannot be used to program glitch chips.

A guide on how to dump and write to a standard NAND can be found here.

Device Pros Cons
xFlasher 360
  • Reads NAND fast in 40 seconds to 4 minutes
  • Can also program glitch chips
  • One of four options for 4GB NANDs
  • Actively supported
  • USB-C
  • Most expensive flasher
  • Not sold on common marketplaces like Amazon or AliExpress
  • Can't be used for flashing Sonus Sounds
PicoFlasher
  • Reads NAND fast in 1-8 minutes
  • One of four options for 4GB NANDs
  • One of the two options for Sonus flashing
  • Super cheap
  • Easy to find
  • Can flash glitch chips with this J-Runner Fork
  • Due to how the currently available PicoFlasher firmware is programmed, it often has many bugs with getting consistently good non-corrupt NAND dumps or being detected by J-Runner.
  • Can sometimes have spotty reliability on Xbox 360 motherboards due to their SPI and eMMC logic being up to 5v, whereas the Pico uses 3.3v.
JR Programmer
  • Reads NAND in 3-10 minutes
  • Can also program glitch chips
  • One of the two options for Sonus flashing
  • Cheap
  • Easy to find
  • More expensive and less common than PicoFlasher
  • Does not support 4GB NANDs
Nand-X
  • Reads NAND in 2-8 minutes
  • Can also program RGH glitch chips
  • More expensive than most NAND flashers
  • Does not support 4GB NANDs
  • Can't be used for flashing Sonus Sounds
Matrix USB NAND Flasher
  • Cheap
  • Can’t be used for programming glitch chips unless you modify it
  • Does not support 4GB NANDs
  • Requires unsigned drivers
  • Reads NAND in 7-26 minutes, which is quite a bit slower than most options
  • Can't be used for flashing Sonus Sounds
LPT Cable
  • Cheap
  • Requires PC with a native parallel port and more equipment
  • More difficult
  • Does not support 4GB NANDs
  • Can’t be used for programming glitch chips
  • Can't be used for Sonus flashing
  • Takes 30-150 minutes to read NANDs

Programming the Glitch Chip

  1. Plug the cable from your programmer into the chip programmer.
    • If you are using an xFlasher, ensure the switch is set to SPI
    • CoolRunner: Slide switch on the CoolRunner to "PRG".
  2. Open J-Runner with Extras. Click "Program Timing File" in the upper left and select your console’s tab and the relevant radio button for R-JTOP.
  3. Click "Program". When complete, unplug the cable from the glitch chip.
    • Coolrunner: Set the switch back to "NOR".
  4. If you are using an X360ACE, you can follow flashing instructions here.
    • Note: The X360ACE requires you to compile timing files for it.

R-JTOP Specific Wiring

The extra wiring for R-JTOP is the same as the wiring for the JTAG hack. Choose the guide that pertains to you:

AUD_CLAMP

This is the traditional method for Zephyr, Opus, Falcon, or Jasper motherboards. This method may disable 5.1 audio output.

AUD_CLAMP + Boxxdr

  • This is an alternative method is for Zephyr, Opus, Falcon, or Jasper motherboards. This method may disable 5.1 audio output.

AUD_CLAMP + Open_Tray

  • Use this method if the traditional or Boxxdr method doesn't boot, you receive E79 errors, or you have issues with HDMI. This method may cause your DVD drive to eject on bootup. Also, your console will reboot instead of shutting down if you turn off the console while a controller is charging via USB.

Glitch Chip Wiring

X360ACE Diode

The wiring for R-JTOP is the same as the wiring for RGH 1.2. If you chose to modify the source code to use EXT_CLK, use that solder pad instead of CPU_PLL.

Motherboard Points (Phat)

Glitch Chip Pinouts & Diagrams

Coolrunner Rev C or D

  • A - PLL
  • B - STBY_CLK (only if not using oscillator)
  • C - POST
  • D - RST

Coolrunner 3 Lite

  • A - PLL
  • B - STBY_CLK (only if not using oscillator)
  • C - POST
  • D - RST

Matrix Glitcher

  • A - RST
  • B - POST
  • C - STBY_CLK (only if not using oscillator)
  • F - PLL

Decrypting the NAND

Once you have successfully obtained your CPU key, we can build an XeBuild image, which is a modified NAND built specifically for your console.

  • If you want to use J-Runner with the console connected to LAN to get the CPU key, enter the IP address XeLL gives you into the lower right of the app. You can then click Get CPU Key and XeLL will automatically decrypt the retail NAND dump you backed up earlier.
  • If you want to use XeLL's web page to get the CPU key, enter the Xbox's IP address in your preferred web browser. You will see information about the console, and the CPU key can be easily copy and pasted from this web page.
  • If you didn't have access to an ethernet cable to plug the Xbox into a PC or LAN, you can manually type the CPU key into J-Runner in order to decrypt your original NAND dump.

Writing a New NAND Image (NAND Flasher)

  1. Power down the console, and connect your programmer to the motherboard and computer.  
    • If you are using an xFlasher, ensure the switch is set to SPI.
  2. Open J-Runner and select ... next to the Load Source field and either select your nanddump1.bin or nanddump2.bin if not already selected. In the upper right corner of the window, select the dashboard version you chose for the patched dump that you wrote to the motherboard and select the Jtag radio button. Make sure the R-JTAG and Aud_Clamp checkboxes are enabled.
  3. Click Create XeBuild Image. This will take a few moments.
  4. Click Write NAND.
  5. Disconnect your NAND programmer from the console when the process completes, and check if the console boots to the Microsoft dashboard. If it successfully boots to the dashboard, it is an indication that you've successfully hacked your console.
    • You may want to leave your Xbox 360 disassembled so that you can disable the eFuse-blowing circuit so you can't accidentally install official updates on your console.
  6. Remove your NAND programmer wires and clean the points. Clean all flux off the board, allow it to dry, and test it once more before re-assembling. You're now free to install XEXMenu (instructions in section below).

Writing a New NAND Image (XeLL with USB Storage)

  1. Open J-Runner and select ... next to the Load Source field and either select your nanddump1.bin or nanddump2.bin if not already selected. In the upper right corner of the window, select the dashboard version you chose for the patched dump that you wrote to the motherboard and select the Jtag radio button. Make sure the R-JTAG checkbox is enabled.
    • If you have a non-Xenon console, the Aud_clamp checkbox should be enabled.
  2. Click Create XeBuild Image. This will take a few moments.
  3. Copy updflash.bin to a FAT32 formatted USB storage device and plug it into your powered-off console. Turn on your console and it will boot into XeLL and begin flashing your NAND. Once it has finished, it will power off your console. Turn it back on, and it should boot to the Microsoft dashboard, which is an indication that you've successfully hacked your console.
    • You may want to leave your Xbox 360 disassembled so that you can disable the eFuse-blowing circuit so you can't accidentally install official updates on your console.
  4. Remove your NAND programmer wires (if they are still attached) and clean the points. Clean all flux off the board, allow it to dry, and test it once more before re-assembling. You're now free to install XEXMenu (instructions in section below).

Installing XeXMenu

  1. Plug a flash drive into your Xbox 360 and navigate to Console Settings > Storage. Select the flash drive and allow it to format the flash drive as a system drive.
  2. Extract the CODE9999 folder from the XeXMenu 1.2 rar to your Desktop.
  3. Plug the flash drive into your PC. Open Xplorer360 and select Drive > Open > Harddrive or Memcard. On the left-hand side, select Partition 3, then right-click the Content folder, select New Folder, and name it 0000000000000000 (16 zeroes). Open the new folder, then drag the CODE9999 folder into it.
  4. Select Drive > Close, then close Xplorer360. Safely eject your flash drive and plug it into your Xbox 360. Navigate to the Demos section of your dashboard, and it should list XeXMenu there. Select it to launch it.
    • You can install XeXMenu to your hard drive by going to Console Settings > Storage, and copying it from your flash drive to the hard drive.

From here, you can install any homebrew or mods that you want. See this page for a list of recommended modifications and applications to install.