Xbox 360:R-JTAG

From ConsoleMods Wiki
Revision as of 20:21, 4 September 2024 by Derf (talk | contribs) (Text replacement - "Category:Xbox360" to "Category:Xbox 360")
Jump to navigation Jump to search
Exclamation-triangle-fill.svgThe steps on this page are considered risky for your console, as there is a chance you can brick it. Please have someone else mod your console if you are not experienced in soldering!


Exclamation-circle-fill.svgR-JTAG requires an R-JTAG kit or CR4 XL which aren't sold anymore, and tends to have slow boot times compared to RGH 1.0/1.2/3 or R-JTOP. Thus, this specific exploit is not recommended over RGH/R-JTOP.


The R-JTAG hack is essentially a re-enabling of the JTAG hack using the reset glitch from RGH, which allows you to run unsigned code, mods, game backups, and homebrew on phat consoles. It works by glitching the CB fuse check when loading the old JTAGable CB, which allows JTAG (SMC Hack) to be performed like normal. There are 2 versions of R-JTAG, the normal version which uses I2C slowdown, and R-JTAG+ which uses PLL slowdown. This should only be used if your console doesn’t work well with RGH 1.2 as it requires you to buy an R-JTAG kit and has been known to potentially write garbage to your NAND in some cases. It’s recommended to take a look at the recommended exploit chart and see what hack is recommended for your console.

While it’s recommended to read through this guide in its entirety, a video guide for R-JTAG can be found on MrMario2011’s channel. A well-used R-JTAG guide can be found on the Team Xecuter site.

Note that R-JTAG does not support Xenon or S/E motherboards.

Requirements

Below are the requirements to R-JTAG your Xbox 360. It’s recommended to read ahead and choose the NAND dumping method and JTAG specific wiring method that’s right for you, as you will need a NAND programmer if you choose the R-JTAG Starter Kit and potentially more equipment depending on which methods you choose.

To check that your console is exploitable, it must meet the following conditions. You must have:

  1. A non-Xenon fat console (Zephyr, Falcon, Opus, or Jasper model). You can look at the back of your console and check this chart to find out what model you have.
    • If you have a Jasper, determine whether if there is Memory Unit built in. If it has 214MB of storage, it’s a 256MB NAND. If it has 451MB of storage, it is a 512MB NAND.
  2. Your console on dashboard 14719 or higher. You can check this by navigating to Settings > Console Settings > Hover over System Info. Your dashboard version will be shown in the top right in the form 2.0.xxxxx.0, where xxxxx is your dashboard version.
    • If it is on a lower dashboard, you can update it to the latest.
  3. Soldering experience. The Xbox 360 is not a good place to learn to solder. Regardless of which dumping method you choose, you will need a soldering iron, solder, and flux.
  4. You will need one of the following R-JTAG kits and the extras listed below it. The kits may be sold as R-JTAG "1.0" or "1.1". The only difference is that 1.1 is more reliable for Zephyr consoles (information here).
R-JTAG Ultimate Kit
R-JTAG Starter Kit
  • A NAND reader (JR Programmer, NAND-X, Matrix USB NAND Flasher, or LPT cable)
  • J-Runner with Extras
  • Equipment listed in the relevant JTAG specific wiring below

Reading your NAND

There are a few different tools for reading your NAND chip: xFlasher 360, Nand-X, JR Programmer, Matrix USB NAND Flasher, PicoFlasher, various SD card tools, or a LPT cable. Consider the pros and cons below and choose the method that’s right for you. An LPT cable is not recommended as it's extremely slow, requires more work than other options, and cannot be used to program glitch chips.

A guide on how to dump and write to a standard NAND can be found here.

Device Pros Cons
xFlasher 360
  • Reads NAND fast in 40 seconds to 4 minutes
  • Can also program glitch chips
  • One of four options for 4GB NANDs
  • Actively supported
  • USB-C
  • Most expensive flasher
  • Not sold on common marketplaces like Amazon or AliExpress
  • Can't be used for flashing Sonus Sounds
PicoFlasher
  • Reads NAND fast in 1-8 minutes
  • One of four options for 4GB NANDs
  • One of the two options for Sonus flashing
  • Super cheap
  • Easy to find
  • Can flash glitch chips with this J-Runner Fork
  • Due to how the currently available PicoFlasher firmware is programmed, it often has many bugs with getting consistently good non-corrupt NAND dumps or being detected by J-Runner.
  • Can sometimes have spotty reliability on Xbox 360 motherboards due to their SPI and eMMC logic being up to 5v, whereas the Pico uses 3.3v.
JR Programmer
  • Reads NAND in 3-10 minutes
  • Can also program glitch chips
  • One of the two options for Sonus flashing
  • Cheap
  • Easy to find
  • More expensive and less common than PicoFlasher
  • Does not support 4GB NANDs
Nand-X
  • Reads NAND in 2-8 minutes
  • Can also program RGH glitch chips
  • More expensive than most NAND flashers
  • Does not support 4GB NANDs
  • Can't be used for flashing Sonus Sounds
Matrix USB NAND Flasher
  • Cheap
  • Can’t be used for programming glitch chips unless you modify it
  • Does not support 4GB NANDs
  • Requires unsigned drivers
  • Reads NAND in 7-26 minutes, which is quite a bit slower than most options
  • Can't be used for flashing Sonus Sounds
LPT Cable
  • Cheap
  • Requires PC with a native parallel port and more equipment
  • More difficult
  • Does not support 4GB NANDs
  • Can’t be used for programming glitch chips
  • Can't be used for Sonus flashing
  • Takes 30-150 minutes to read NANDs

JTAG Specific Wiring

Following the wire color scheme, use this image to install the R-JTAG module. The R-JTAG module itself will rest on top of the DVD drive, hanging partially off of the side closest to the back of the console.

On the QSB labelled "JTAG ALT V2", short pins 1 and 3 together, set the left switch to the ON position, and set the right switch to the middle (470 ohms) position. Later on, if you have bad boot times, try switching the right switch to the left position (330 ohms).

Stick the adhesive backings on the bottom of the QSBs and set them in place on the motherboard. The adhesive is just meant to hold the QSBs in place as you solder them. Solder all of the QSBs in place as according to the picture above. It should be obvious as to which points will attach to the QSB.

R-JTAG Module Dip Switches

RJTAG-DIP.png

Configure the DIP switches as follows, only having one "either" switch on at a time:

Motherboard 1 2 3 4 5 6 7 8
Jasper Off Off Off Either Either Off On On
Falcon/Opus Off Off Either Either Either Off On Off
Zephyr (R-JTAG 1.0) Off Off On Off Off Off Off On
Zephyr (R-JTAG 1.1) Off Off On Off Off Off Off Off
  • Change the "either" switches around if you have bad boot times or flashing red lights (false RROD), but make sure only one "either" switch is enabled.

Creating an XeBuild Image

You should now be able to turn on your Xbox 360 and boot into XeLL and see your CPU key. With that CPU key, we can build an XeBuild image, which is a NAND dump built specifically for your console. Ensure that you have written down your CPU key and have powered off your console.

  1. Open J-Runner and select "…" next to the Load Source field and select your nanddump1.bin if not already selected. In the upper right corner of the window, select the dashboard version you chose for the patched dump that you wrote to the motherboard and make sure that the "Jtag" radio button is selected, the R-jtag box has a check in it, and if you have a non-Xenon console, the Aud_clamp? box has a check in it.
  2. Select the "Create Image" button in the top left of the window. It may prompt you for your motherboard model, select it and click OK. It will build your image and save it to a numbered folder within the J-Runner directory as updflash.bin.
    • If you get an error during this step, see the troubleshooting section below.
  3. Copy updflash.bin to a FAT32 formatted USB storage device and plug it into your powered-off console. Turn on your console and it will boot into XeLL and begin flashing your NAND. Once it has finished, it will power off your console. Turn it back on, and it should boot to the Microsoft dashboard, which is an indication that you’ve successfully hacked your console. You’re now free to install XEXmenu (instructions in section below).
  • You may want to leave your Xbox 360 disassembled so that you can:
    • disable the eFuse-blowing circuit so that you can’t accidentally install official updates on your console.
    • …check what it’s running temperatures are so that you can judge whether it’d be a good idea to use cooling mods to avoid overheating issues. This is recommended for all fat consoles, particularly Xenons.

Installing XeXMenu

  1. Plug a flash drive into your Xbox 360 and navigate to Console Settings > Storage. Select the flash drive and allow it to format the flash drive as a system drive.
  2. Extract the CODE9999 folder from the XeXMenu 7zip file to your Desktop.
  3. Plug the flash drive into your PC. Open Xplorer360 and select Drive > Open > Harddrive or Memcard. On the left-hand side, select Partition 3, then right-click the Content folder, select "New Folder", and name it 0000000000000000 (16 zeroes). Open the new folder, then drag the CODE9999 folder into it.
  4. Select Drive > Close, then close Xplorer360. Safely eject your flash drive and plug it into your Xbox 360. Navigate to the Demos section of your dashboard, and it should list XeXMenu there. Select it to launch it.
  • You can install XeXMenu to your hard drive by going to Console Settings > Storage, and copying it from your flash drive to the hard drive.

From here, you can install any homebrew or mods that you want. See this page for a list of recommended modifications and applications to install.