[EN] Reset Glitch Hack tutorial

1298 visiteurs sur le site | S'incrire

Accédez aux coordonnées de l’ensemble des techniciens professionnels recommandés par logic-sunrise 20 derniers dossiers et tutoriaux

Hi,


This Tutorial explains how to hack your Xbox 360 with the Reset Glitch Hack of GliGli and Tiros in order to launch unsigned code.

 

I: Preamble :


   A: Compatible console revisions :

 

? FAT


? Opus

? Zephyr

? Falcon

? Jasper

 

? Slim


? Trinity

 

   B: Exceptions

 

? FAT with split CB:

Some xbox Fat have a split CB (NAND contains CB_A and CB_B instead of CB_A only) they CAN'T be glitched at this time of writing.

? Zephyr  CB 4577

? Falcon CB 5772

? Jasper CB 6752

 

? Slim with Corona motherboard

 

 

 

How to recognize it:

? There is no HANA chip

HANA chip

 

?On the backside of the case you can see an Amperage of 9.86A (Some trinity have that too but must of the console with 9.86A written are corona).

 

Backside of the Xbox Slim

 

?Voir les pack compatible

 

II: REQUIRED HARDWARE AND SOFTWARE :


   A: Hardware :


? GENERAL :

 

?CPLD module (XC2C64A chip based)
?JTAG programmer
?USB SPI NAND programmer 


FAT SPECIFIC (only for people using devboard : Cmod, seeedstudio) :

 

?3x 1N4148 diodes
?1x 22 kOhm resistor
?1x 1 kOhm resistor
?1x 100nF capacitor

 

SLIM SPECIFIC (only for people using devboard : Cmod, seeedstudio) :

 

? 1x 270pF capacitor

 

   B: Software :


?Python and Pyton Crypto.
?Impact (from Xilinx Lab Tools) ott 360gcprog
?NandPro v2.0e (for PIC18 based NAND programmer) ou NandPro V3.0 (For LPC2148 based NAND programmer).

 

   C: More Infos :

 

?  Module CPLD disponible :

 

?C-mod Digilent
?Seeedstudio
?X360glitchip
?Coolrunner

 

? Programateur Jtag disponible  :

 

?LPT JTAG cable
?LPT JTAG cable maison
?Jtag to Usb Cable
?LPC2148 ARM (TeamXecuter NAND-X, Maximus NANDFlasher 360, X360Super Nand Flasher)


? NAND Dumper/Flasher disponible  :

 

? USB SPI programmer
? LPC2148 ARM (TeamXecuter NAND-X, Maximus NANDFlasher 360, Super Nand Flasher)
? AT90USB

 

III: Hacking the XBOX


   A: NAND Dump


Step 1 : Use the following diagram to solder your USB SPI Programmert

 

? FAT

 

 

? SLIM

 

 

If you have a NAND-X you can find the diagram HERE

 

Step 2 : Open windows' command prompt and launch NandPro.

 

Étape 3 : Dump your NAND twice by using the read command :

 

?  If you have a 16 mo nand

 

nandpro usb : -r16 nanddumpaname.bin

 

?  If you have a 256/512 mo nand

 

nandpro usb : -r64 nanddumpaname.bin

 

 

Step 3 : Compare the two dumps with the following command (you can use MD5 Checksums too) :

 

fc /b  nanddumpname.bin nanddumpname2.bin 

 

 

You should see something like FC : No difference found. If the two dumps don't match, do a new dump and check again.

 

B: Installation de Python et Python Crypto 

 

NB : The part B et C can be done with GUI Apps like BestPig ToolBox or 360 Mutlibuilder, but in this tutorial we will explain the former method.

 

Step 1 : Install Python 2.7 (32bit!) and PyCrypto 2.3 with the default settings :

 

Step 2 : Go in Control Panel > System > Advanced system settings

 

 

Step 3 : Click on environnement variables

 

 

 

Step 4 : Click on New in system variable

 

 

Step 5 : Add this for the name and the value of the variable :

 

PYTHONPATH
%PYTHONPATH%;C:\Python27 ;

 

 

C: Creating the ECC image :

 

Step 1 : Download  this archive and uncompress.

 

Step 2 : Put your original NAND dump in the root of the gggggg-folder and create a folder named "ouput" (in the root aswell).

 

 

The Step 3 and 4 arent' necessary for slim console.

 

Step 3 : In the common/imguild folder, do a right clik on the build.py, and open with it IDLE..

 

 

Step 4 : Then add the 1BL like that : :

 

\xDD\x88\xAD\x0C\x9E\xD6\x69\xE7\xB5\x67\x94\xFB\x68\x56\x3E\xFA

 

 

Step 5 : Open windows' command prompt again and navigate to the hack folder, then type this python command (don't forget to modify it with your NAND dump name) :

 

? Command for SLIM and FAT FALCON OPUS ZEPHYR :

 

python common/imgbuild/build.py nanddumpname.bin common/cdxell/CD common/xell/xell-gggggg.bin

 

? Command for JASPER :

 

python common/imgbuild/build.py nanddumpname.bin common/cdxell/CDjasper common/xell/xell-gggggg.bin


  SPECIFIC CASE

 

If you have a Jasper with CB version 6751 you need to downgrade to 6750, download this archive, copy the cb_6750.bin file next to your nand image in the RGH folder.
Then use this command :

 

python common/imgbuild/build.py orig.bin common/cdxell/CDjasper common/xell/xell-gggggg.bin Cb_6750.bin.

 

Example with an Xbox Slim :

 

 

You should see the following

 

 

Once the process is over, you should find the file image_00000000.ecc in the output folder.

 

 

D : Flashing the ECC image :

 

Step 1 : Copy the image_00000000.ecc file into your nandpro folder and navigate to the folder via command prompt again.

 

Step 2 : Use the following command to flash the image to your console's NAND.

 

? SIf you have a 16 mo nand

 

nandpro usb: +w16 image_00000000.ecc

 

Pay attention that you have to use the +w16 command instead of -w16

 

If you have a 256/512 mo nand

 

nandpro usb: +w64 image_00000000.ecc

 

Pay attention that you have to use the +w64 command instead of -w64

 

 

The flashed file has a size of 50 blocks so you should see 004F when the flashing is done.

 

E: Wiring :

 

? SLIM

 

 

If you use CMOD or seeestudio board, you will have to add this electronic components :

 

 

? SLIM

 

 

If you use CMOD or seeestudio board, you will have to add this electronic components :

 

F: Programming the CPLD :

 

Step 1 : Grab your LPT/USB XilinX JTAG programmer cable. Connect the cable to the PC and the CPLD.(If you don't have one, you can use GliGli's schematic to build a LPT JTAG Programmer)

 

Step 2 : if you use a LPT a cable, connect the power suppy to your console without turning it on.

 

Step 3 : Two program the CPLD you can use, 360gcprog (recommended) or "iMPACT" (from XilinX Lab Tools)

 

? 360GCProg

 

Step 4 : If you have a LPT Jtag cable, you will have to know the port adress of you LPT cable. Go in Device Manager and in the Ports (COM and LPT) section open the properties of you cable).

 

 

Now check the Input Adress (on the pics it’s D480)

 

 

Step 5 : In select cable, choose if you have a USB ou LPT cable:

 

? If you have a USB cable go directly so step 4.

? If you have a LPT cable, clik on the settiongs logo.

 

 

Step 6 : Put the value we get in Step 1 and then Save.

 

 

Step 7 : Click on connect, you should see the status at the bottom moving to Connected and displaying the chip model.

 

 

 

Step 8 : In select file to flash, click on the small arrow and choose the JED corresponding to your motherboard.
NB : You can use a custom on by clicking on the … logo

 

 

Step 9 : Now clik on Flash.

 

 

You should see :

 

 

Your CPLD is now programmed and ready to make your console glitch.


? Impact

 

Launch "iMPACT" (from XilinX Lab Tools) and let's start the programming ... just follow the images.(You have to setup the compatibility mode only if your Programmer does not get detected right away).

 

 

 

 

 

 

 

 

Selectionner le JED pour Zéphyr ou Jasper selon votre console.

 

 

 

 

 

F: Grabing the CPU keys and building the Hacked Image:

 

 Step 1 : Connect your xbox (to your local network too), start your console normally and see XeLL boot within 2 minutes

 

 

Step 2 : Note the Ip adress written at the end of XeLL :

 

Step 3 : Create your nand with XeBuild GUI. Follow the step in the video (watch in full screen for better quality).

Example for Xbox Slim :

 

 

The FCRT patch permit to not provide FCRT.bin and .meta files for the building process. You can use it on all xbox slim except the one with 1175 Drive.

 

G: Flashing the hacked NAND

 

Step 1 : Download RawFlash V4 and put the xenon.elf file at the root of the USB key.

 

Step 2 : Copy the hacked NAND renamed nandflash.bin at the root of the USBkey.

 

 

Step 3 : Plus the USB key in your 360 and turn it on, you should see this :

 

 

H: Installing Dashlaunch

 

The patch for dashlaunch are already added in the nand built by Xebuild GUI, you only have to create a launch.ini file in order to set the apps you want on direct boot.

 

Step 1 : Create a NotePad file and rename it to launch.ini

 

Step 2 : Open the launch.ini with NotePad and set the path you want as directboot and quickboot:

 

Currently supported devices and paths:
- internal hard disk    Hdd:\
- usb memory stick      Usb:\
- memory unit           Mu:\
- USB memory unit       UsbMu:\
- big block NAND mu     FlashMu:\

- 4Go Slim memory        IntMu:\

- CD/DVD                Dvd:\     (not recommended to use this one)
buttons can point to any xex, or any CON with default.xex in it on any of the above devices
note that Right Bumper is ALWAYS default to return NXE

 

This file should begin with [QuickLaunchButtons]

 

For example mine is

[QuickLaunchButtons]
Default = Usb:\applications\FSD2 Alpha\Default.xex
BUT_X = Hdd:\Content\0000000000000000\C0DE9999\00080000\C0DE99990F586558

 

My console startup on FSD and if i press X it boot on XeXMenu. To boot on NXE maintain RB during return to dashboard.

 

Step 3 : Put the launch.ini at the root of your HDD USB, HDD 360 or memory unit

 

H: Avatars Update

 

Step 1 : Download the official update corresponding to kernel version you need. (type in the LS bar search the number of the update ex : 14699, 13599 ...)

Step 2 : Rename $systemupdate to $$ystemupdate

 

Step 3 : Placez le dossier à la racine d'une clé USB et laisser la mise à jours se faire. La console va redémarrer  et les avatars seront installé.

 

IV: TroubleShootings

 

A: Soldering the Hardware

 

? After soldering i get 0022 RROD :

?This can happen if the wire from CPY_PLL_BYPASS is too thick or too thin. Try to use another cable.
?You flashed the image with a wrong command via nandpro or you didn't flash the Hack-Image yet.

 

? The console doesn't show any reaction after the soldering (doesn't turn on) :

?The trace/solder point STBY_CLK could be damaged. Check it and solder again if needed. (It needs connection to the resistor!)

 

? A point of the motherboard got damaged while soldering:

?Get somebody, who knows what he does, to do this job

?Look at the diagram in the Altpoint folder

 

 

 

B: Programming the CPLD :

Your CPLD don’t show up on iMPACT or 360gcprog :

?Vérifiez  que votre CPLD est bien alimenter si vous utilisez un cable LPT.

?Vérifiez vos soudures et qu'il n'y est pas de court-circuit

 

C: Grabing the CPU key  :

? Console doesn't show XeLL

?Be sure you hear the Resets (Power supply giving a high pitched sound, Fans slowing down around each 5 seconds)

?Check if the .ecc Image was created correctly :

         - 1BL added in build.py for FAT?

         - Did you use the good CD File (CD/CDjasper)?

         - Did you remap the badblock before 4F,

         - Did you flash the .ecc image with Nandpro 2.0e and the command "+w16" or "+w64" (depending on your NAND-Size)?.

?Avoid this area on FAT

 

 

? Xell Boot but console freeze randomly (FAT)

?Check you wiring don't pass throught these areas.

 

 

D : Hacked NAND  :

 

? Xell Show up but not on the MS dash.

?The LDV value you used is probably false, grab it directly from XeLL : count the number of F in the fuseline 7, when you have the value rebuild a nand with the proper value and flash it.

 

VI: GREETZ :

 

? GliGli et Tiros for the hack

? Cancerous, Ced2911, Tuxuser et [cOz] for their help and support

? _n3o_, SoulHeaven, Swizzy for the pics and support

 

Tutoriel realisé par Razkar pour Logic-Sunrise.com

Diffusion/modification interdite sans notre accord

Posté : dimanche 28 août 2011, 14:56 par Razkar.
28 août 2011, 17:55
Approuver ce commentaire (+1)
Sympa la traduction :D
Répondre à ce commentaire
28 août 2011, 22:33
Approuver ce commentaire (+1)
what about the phat version?
Répondre à ce commentaire
Utilisateur en ligne
28 août 2011, 22:36
Approuver ce commentaire (+1)
it's pretty much the same things, look in the hack archive /fat/wiring ... for the wiring.
Then you just have to use the correct jed and command line for the fat...

Répondre à ce commentaire
29 août 2011, 00:56
Approuver ce commentaire (+1)
méchant je vais m'acheter une slim et faire le glitch dessus,qui ira près de ma jtag
Répondre à ce commentaire
29 août 2011, 01:55
Approuver ce commentaire (+1)
Razkar: Amazing work! :P


JTAG Programming Cable

Low-cost JTAG configuration solution
Intended for use with Digilent FPGA boards. (Not intended for use with Digilent AVR boards)
Connects directly to the parallel port of a PC, and to a standard 6-pin JTAG programming header
Can program devices that have a JTAG voltage of 1.8V or greater

http://digilentinc.c...ath=2,395&Cat=5 (Dernier sur la liste..)

Cela va fonctionner avec le Digital C-Mod ?

Je ne trouve pas le plant pour le wiring du "Phat" ...
Répondre à ce commentaire
29 août 2011, 07:57
Approuver ce commentaire (+1)
Good work Gents, very impressive!

Anyone have a schematic for a SPI USB Programmer?
Would I be able to replicate the Digilent C-mod from these schematics {http://digilentinc.c.../C-Mod_sch.pdf} ? Or does the Digilent C-mod chip come pre-programmed with a bootloader of sorts?
Can I use any JTAG programmer, or build one perhaps from a online schematic?'

Any help would be much appreciated, this hack is frikken AWeSome!
Répondre à ce commentaire
30 août 2011, 11:04
Approuver ce commentaire (+1)
Very good ! ;)
Thanks...
Répondre à ce commentaire
27 octobre 2011, 13:37
Approuver ce commentaire (+1)
Hi guys.

Thanks for the great tuto.

I'm having a really hard time trying to read slim nand with lpt cable. Could you please give me a hand?

Thanks a lot.

Hugs
Répondre à ce commentaire
Utilisateur en ligne
27 octobre 2011, 13:58
Approuver ce commentaire (+1)
Well there is not much things to say :

- Double check all you soldering, you can use multimeter to be sure ...
- Be sure to have the needed driver installed ...*


If you still get trouble maybe just buy a cheap usb spi ... it should cost like 15 20 $ ...

Répondre à ce commentaire
09 novembre 2011, 12:02
Approuver ce commentaire (+1)
hi,

I did all the process from programming to end but at the END i got a BLACK Screen instead of xshell

where's the problem here and why it give a black screen ? we did all the process step by step

any help or hint will be appreciated
Répondre à ce commentaire
Utilisateur en ligne
08 janvier 2012, 20:08
Approuver ce commentaire (+1)
updated
Répondre à ce commentaire
25 février 2012, 13:07
Approuver ce commentaire (+1)
Can someone help me please!
My Jasper dead, after I wrote the ecc image.
link removed, warez site

Thanks already... 

Répondre à ce commentaire
25 février 2012, 14:19
Approuver ce commentaire (+1)
My link was remowed (but it's not a warez site) ???
So I decided to wrote here...

My Jasper Dead after I wrote the ecc image.
It wont boot at all & I can't wrote the original nand.

Used USB nand reader (PIC F182550-17SP) with JtagTool (from coolshrimp)
"CB=6750 and Feb/March 2009 model with 74850c"

I have done reading nand couple of times.
1st : Done
2nd : Not matching with first.
3rd : Match.
4th : Match.

Program created ecc image and I wrote this to X360.

After that it never booted, or give a life signal.
My USB shown as a Memory device but when I try to wrote the image to xbox, nandpro shows that "no flash configuration found" message.

I have tryed with and without Coolrunner chip.
It won't open, what could it be?
I don't think is my CoolRunner causes the problem, because my jasper dead after I wrote the ecc image.

Someone says on other forums to anoher person "maybe your nand blocked, you have to shore the nand"...
But I can't find any information about that...
Répondre à ce commentaire
10 février 2015, 12:57
Approuver ce commentaire (+1)
here is a tutorial for who can't understand french :)
http://consolesnews....ith-coolrunner/
Répondre à ce commentaire
18 juillet 2019, 07:01
Approuver ce commentaire (+1)

here is a tutorial for who can't understand french :)
http://consolesnews....x-360-rgh-with-writemyessay-coolrunner

 

 

Thanks, I've a RGH and a JTAG and I favor the RGH more.The reason is simple -  it can be done on a slim. Not sure if Xbox 360 LT 3.0 can be jtagged. Any experience with it?

Répondre à ce commentaire
Cliquer ici pour continuer sur le forum
Envoyer