Xbox 360:RGH/RGH1.2: Difference between revisions

RGH1.2 combines RGH1-like PLL slowdown with Glitch2 images to allow reliable glitching of Falcon/Jasper consoles with split CB (post 14699 kernel). RGH1.2 V2 ports this hack to Trinity/Corona consoles as well as fixing a few issues on Jaspers.

Equipment Needed

• A glitch chip:
  • Coolrunner Rev A/B/C/D
  • CR3 Lite
  • Matrix Glitcher
  • Squirt BGA/Reloaded
  • X360ACE V1/V2/V3
  • X360ACE V3+/V4/V5 (Trinity/Corona only)
  • DGX
• A PC running Windows Vista or later
• A soldering iron, solder, and flux (MG 835 recommended)
• Isopropyl alcohol (91% or higher recommended) and cotton swabs
• A NAND and glitch chip programmer:
  • xFlasher 360
  • NAND-X
  • JR-Programmer
  • Modified Matrix Flasher
• NAND Backup with XeLL written to the console
  • Standard NAND
  • 4GB Corona
• J-Runner with Extras (Includes RGH1.2 V2 Matrix/Coolrunner Timings)
• RGH1.2 V2 Timing Files (X360ACE/Squirt chips only)

Glitch Chip Installation

PLL Repair on a Phat motherboard (required if bottom pad is damaged). Image credit to TheLazyITGuy.

1.8v on an Ace V3

Motherboard points

Phat (Non-Xenon)

Slim (Trinity)

Slim or E (Corona/Waitsburg/Stingray)

Glitch chip pinouts & diagrams

Phat

Coolrunner Rev A/B/C/D

• A - PLL
• B - STBY_CLK (only if not using oscillator)
• C - POST
• D - RST

CR3 Lite

• A - PLL
• B - STBY_CLK (only if not using oscillator)
• C - POST
• D - RST

Matrix Glitcher

• A - RST
• B - POST
• C - STBY_CLK (only if not using oscillator)
• F - PLL

Squirt

• Squirt BGA 1.2: Disable the onboard 670pf and/or 480pf caps by removing R7 and R8
• Squirt Reloaded 2.X: remove R2 and connect STBY_CLK
• Pinout follows written labels
• Don't use POST or RST tuners

X360ACE (V1/V2/V3), DGX

• C - POST
• D - RST
• E - STBY_CLK (only if not using oscillator version)
• F - PLL (22K ohm resistor required)
• Remember to remove the diode and connect 1.8V

Slim

Coolrunner Rev A/B/C/D

• B - STBY_CLK (only if not using oscillator)
• C - POST
• D - RST
• E - PLL (10K ohm resistor recommended)

CR3 Lite

• B - STBY_CLK (only if not using oscillator)
• C - POST
• D - RST
• E - PLL (10K ohm resistor recommended)

Matrix Glitcher (Corona)

• A - RST
• B - POST
• E - PLL (10K ohm resistor recommended)

Matrix Glitcher (Trinity)

• A - RST
• B - POST
• C - STBY_CLK (only if not using oscillator)
• E - PLL (10K ohm resistor recommended)

X360ACE (V1/V2/V3/V3+), DGX

• C - POST
• D - RST
• F - PLL (10K ohm resistor recommended)

X360ACE V4/V5

• A - RST
• B - POST
• C1 - CPU_CLK_DP
• C2 - CPU_CLK_DN
• D - PLL (10K ohm resistor required)

Squirt

• Squirt Reloaded 2.X: remove R2 and connect STBY_CLK or remove 100 MHz and add 48 MHz oscillator
• Use SCL pad for PLL
• Pinout follows written labels
• Don't use POST or RST tuners

Programming the Glitch Chip

1. Plug the cable from your programmer into the chip programmer.
   • If you are using an xFlasher, ensure the switch is set to SPI.
   • CoolRunner: Slide switch to "PRG".
2. Open J-Runner with Extras. Click "Program Timing File" in the upper left and select your console’s tab and the relevant radio button for RGH 1.2.
   • You can use the timing assistant in the bottom left to auto select a safe timing for your motherboard revision.
3. Click "Program". When complete, unplug the cable from the glitch chip.
   • Coolrunner: Set the switch back to "NOR".

X360ACE V4/V5/V3+

• xFlasher or other Gowin compatible programmer required in order to program these chips
• Programming Instructions

Decrypting the NAND

1. Connect Ethernet and power on the console. The glitch chip should blink once or more times, and then the console should start into XeLL RELOADED.
2. Once XeLL finishes, it will display your CPU key and some other info. There is also an IP address.
3. Enter the IP address into the box on the lower right of J-Runner and click "Get CPU Key". J-Runner will pull the info from the box, and decrypt the NANDs automatically.

Writing New NAND Image

1. Power down the console, and connect your programmer to the motherboard.
   • If you are using an xFlasher, ensure the switch is set to SPI.
2. In the upper right of J-Runner, ensure the Glitch2 radio button is selected.
   • Enable SMC+ for better boot times.
3. Click "Create XeBuild Image". This will take a few moments.
4. Click "Write NAND".
5. Disconnect your programmer when the process completes.
6. Boot the console several times and ensure it boots consistently. If not, make sure your wiring is clean and neat and avoids noisy area. Run the wires near the X-Clamps for best results.
7. Tune glitch chip timings if necessary.
8. Return to the RGH main page and continue in the Cleaning Up section.

Tuning Boot Times

Jasper: - If the console does not glitch reliably even after tuning the value, add 68nf-100nf capacitor (ex: 683 cap or SMD cap) from PLL to GND. - Onboard 100nf on Coolrunner Rev-C may be used by bridging CAP. - Onboard 100nf on Squirt Reloaded 2.X may be used by bridging J5. - If adding a cap, PLL will be more sensitive to noise. If you have strange blinking, be sure that your wire is routed away from clock signals. - For X360ACE/DGX make sure the capacitor is after the 22K Ohm resistor.

Start at the top of the recommended range and work down until you get good boots

On chips with crystals, the optimal timing will depend on the crystal (how close it is to its rated frequency)

If the light stays on at the end of a cycle: - This means that the checks were passed, but the console failed to start - Probably the timing is too low, or the pulse length is too large

If the light goes off at the end of a cycle but doesn't boot: - This means that the checks failed - Probably the timing is too high, or the pulse length is too small

Note that the debug light behavior may be slightly misleading due to using POST_OUT bit 0.