Read Microsoft Word - nandflasher_GUIDE text version

GUIDE: Nandflasher

From Elotrolado


1 CHAPTER I: THE EXPLOIT 2 CHAPTER II: INSTALLATION o 2.1 The cable NANDFlasher (USB) o 2.2 JTAG o 2.3 Removing the Nand o 2.4 Check the code CB to see if you have access to exploit o 2.5 Protect E-Fuse (former resistance R6T3) 3 CHAPTER III: reboot, XBR o 3.1 Quick Start Guide, with Xellous o Guide 3.2 slow, using only NandPro 4 CHAPTER IV: HOMEBREW AND APPLICATIONS o 4.1 The executable files and fonts o 4.2 Running the Dashboard first alternative o Menu 4.3 games / emulators / applications in the Dash Freestyle o Freestyle 4.4 Installing the Dash to appear on the NXE o 4.5 introduces games / emulators / applications in Microsoft's NXE o 4.6 Transfer files via FTP o 4.7 Transfer files to the internal hard drive transfer cable o 4.8 List of homebrew applications and more interessolderg FINAL CHAPTER 5: FAQ (Frequently Asked Questions)


What is the exploit? On 26 December 2006, at the conference "23C3 Hacker" from Germany, a known (for his appearances at conferences on vulnerabilities) hacker nicknamed tmbinc (real name Felix Domke) filed a writ that ran through the King Kong game , which used a flaw in a shader. Previously it has to be patched and once made, is able to execute arbitrary code with privileges and full access to the hardware, for instance to run Linux. The exploit was first distributed by the Internet until February 2007. Microsoft solved this bug in a new updated kernel to disallow running unsigned code, and all users with a version of it above 4532 and 4548 were unable to use this exploit. Not considered a great success of the scene [No references], since at that time the version Xenon had a great tendency to failure of the three red lights, scaring developers.

After this, tmbinc consolderued working to get re-run the exploit in later versions of the Xbox 360 kernel. After a while, August 11, 2009 issued an improved version of the exploit, half hardware (JTAG, Nand-dumper), half software (amendment of NAND. He was forced to do so because huvo squeal to Microsoft, which enabled plug this new way to exploit the vulnerability of the system update that summer. The hacker community and advised developers actively and passively by not updasolderg their machines in any way, as the future possibilities could be huge, most no attention to see that things are not moving because you could only run Xell and some other application under this. Until November 30, 2009 which was released on XBR, a custom kernel where you can use the latest version kernel (remember that this only serves to exploit new version 7371), and the vast majority of security guards had been disabled allowing to run unsigned code from the same dashboard and use one's own SDK (development kit) to plan and create applications.

This infuriated tmbinc, since, as we said before, he was opposed to using illegal code, leaving the scene of xbox360. All these people that you upgraded your machine for 2 months before able to play some new features that required the new kernel, such as Tekken 6 or Call of Duty Modern Warfare 2, and seeing the evolution that was taking the new xbox360 homebrew in climbing and reminding its predecessor, many users are pulled by the hair by the possibilities of running backups on hard drives and even USB keys and others.

This time, with the new revisions of the xbox 360 boards, making them more reliable and durable, developers have turned entirely on the development of utilities and applications, and although it remains for a very select community is not so narrow, it has many people with consoles exploited and exploiter.

What can you do with this? Basically homebrew code on the console, it is NOT official programs such as emulators, loaders, players, browsers, games of import and everything that can be programmed. You also can store games / applications and play from external devices connected via USB, or change the internal hard drive of the Xbox by one of superior size. It may be fitted with various functions to the Xbox not previously available.

Is it suitable for noobs (newbies)? No major complication, but to start requires some skill of soldering (weld points are easy), knowlege of a little electronics is necessary, but there are tutorials on the Internet that could asist beginners. If rookies in solders, it is best to have practiced before with

other components to take confidence. Otherwise you can leave that part in the hands of a professional or find a volunteer, then consolderue with the process.

How to tell if an Xbox Exploit / vulnerable? In principle, the Xbox must meet the following requirements:

Manufacturing date equal or before June 16, 2009 or Lot 924. This can be viewed through the serial # Windows of a retial cardboard box the Xbox has a slot where you see the back of the console inside the box, you can see the time without removing it from the store. Microsoft's NXE Dashboard or less 2.0.7371.0. If you have production date prior to the above, almost certainly bring the kernel version 2.0.7363.0 or 2.0.7371. If an Xbox back from the manufacture, date of repair prior to June 16, 2009. After that date, the console the vulnerability patched on Xbox all that come.

Now everything depends on the CB code for the Xbox, that if you meet the above are very likely to have the right, to know you have to remove the NAND, but that, later.

The Xbox does not meet the requirements, can or will do something? It is best to sell it and take over before they disappear from stores or the flea market. If the console is not vulnerable, IT IS CURRENTLY IMPOSSIBLE to make the exploit, unless another vulnerability is found, and if this happens surely this tutorial will update. This is because the Xbox E-Fuses have been switched off inside the CPU itself . It is easier to understand if it has been the scene of the PSP by adding the difficulty that PSP does not have half the security that has the 360 and after that Microsoft will make every effort to cover tightly covered their security flaws.

How to find an Xbox vulnerable to the exploit? See above How to tell if an Xbox Exploit / vulnerable?. Buying second hand must be very careful that meets all the requirements.

The Xbox is vulnerable, what should I do to keep the vulnerability until the time of the Exploit?

Do not play any game you ask to upgrade to higher version to 2.0.7371.0. List of games with updates.

Do not connect to Live, as prompted mandatory update and will close the vulnerability.

How to know the version of the Microsoft Dashboard (NXE)? In the NXE *, enter "System Setsoldergs" and check the number that appears in "System Information" after the word "Dashboard". Should be 2.0.7371.0 or less, the Xbox specifically meet this requirement. If you have a lower version, you should upgrade to the aforementioned 2.0.7371.0 with this file through a USB pendrive.

How do I determine the version of the motherboard? There are several methods to determine the version of the Xbox 360 motherboard. The power connector or the label to offer information, as shown in the following image:

To identify them for consumption in Ampere (see label on the power connector on the console):

Jasper - 12.1 amps Consumption Falcon and Opus - Consumption 14.2 amps Zephyr and Xenon - Consumption 16.5 amps

If the Xbox 360 has been repaired in the repair center it is possible that this information does not match the connector of the same.

Howdo i know if the mainboard is normal 16mb Jasper or Jasper 256/512MB (BigNand)? All mainboards except the internal nand Jasper have 16 megabytes. In the case of Jasper, can be 16, 256 or 512mb. The latter two are called Arcade or Bignand, leading internal Memory Unit. Do not trust what the box sets to buy the Xbox, can be wrong. You can tell by turning on the console without the hard drive or memory card, going to the NXE> Setsoldergs> Memory and see if there is a Memory Unit (MU), is 256 or 512 (depending on the size you have):

What is the recommended mainboard? The mainboard are currently recommended V3 Falcon and Jasper. The above cases have been three red lights (3LR, here in after) although under the current error E79 error can happen. You can differentiate a v1-v2 Falcon of Falcon v3 looking through the right side of the console if there are 8 capacitors distributed 4 by 4, is a v3 Falcon. In the Xbox returned the SAT (refurbished) could not be.

Can you consolderue playing after making Live Exploit? Yes you can, but after installing the appropriate thing you want to exploit because Microsoft can expel the user of the service Xbox Live and the exploit may disappear when you refresh the console.


Console vulnerable: further steps to follow For starters, do not connect to Live or update, only up to version 2.0.7371.0 (download here) can be updated using a flash drive before you start. This is the order of steps to follow: 1. Install Nandflasher quick solder boards.

2. Connect to PC via USB 3. Remove one part of the Nand CB code to check and verify that the Xbox is vulnerable. 4. Solder Module C to lock in Xell or XBR, including the 2 wires for Diodes 5. Protect the efuse to keep accidental updates. 6. Install XBRebooter (Chapter 3).

Any advice for Soldering? It is recommended to read the basic guide to soldering. The solder points are big and easy, with a low power soldering iron and a fine point to the same, one can hardly make a mess that can not be fixed.

What is the required software? You can get everything in Xbins. To connect to Xbins can use a program called "Xbins 2008," is a FTP client that connects directly to Xbins. Not allowed to put links to software created with the SDK (development kit from M$). All the necessary software will be mentioning in this guide, and can be searched and easily found on Google.

NandFlasher Installation (USB)

The NANDFlasher is necessary to obtain an image of our physical nand 360, which stores the kernel. It is very important to obtain an exact copy of the kernel, it is the "operasolderg system" unique and exclusive of each Xbox. To install the NANDFlasher you will need the following material referred to above, the rest will be for the JTAG:

15w Soldering Iron. Solder. Desoldering Braid (for cleanup)

It is advisable to completely remove the 360 mainboard fromthe metal cage as the e-fuse protection is on the bottom of the mainboard, DO NOT remove the heatsinks. The points where you have to solder are really big holes full of solder.

Here is how it should be the NANDFlasher:


The JTAG are three bridges that are made on the Xbox 360 and will remain applied, unlike other USB Jtag devices we have included this setup on Module C of the NANDFlasher. This is the JTAG setsoldergs for the different mainboard's. Each dashed line is an alternative point.

The only problem is the DB1F1 point because it is surrounded by mass. For welding, it is recommended to first a small amount of solder in the soldering and touch DB1F1 slightly to adhere to it a little solder. Place a little solder the tip of the wire that is going to be. Now put the pre-tinned wire in place, then solder position DB1F1. Touching a few seconds with the soldering on the cable (but not directly where you have the solder) will join the two solders. The point is also FT1U2 alternative DB1F1.

For mainboard Xenon:

Removing the Nand

Once you have installed the NANDFlasher and connected to the console to the PC, we proceed to the extraction of Nand. The required software is called NANDPro 2.0e or the NANDPRO GUI , the most current is the Nandpro 2.0e. Avoid where possible using previous versions.

1. Plug the power connection to the mainboard (**DO NOT POWER ON THE SYSTEM OR YOU WILL DAMAGE THE NANDLFASHER OR NAND ITSELF *** ). 2. Download and extract NandPro. 3. Install Port95nt (which is included in the NandPro folder). In Windows Vista / 7 requires administrator rights. If it still gives problems as administrator, Port95nt.exe right-click> properties> compatibility tab> check "Run this program in compatibility mode for"> Windows XP (service pack 3) and also check box "run this program as administrator". If you give the error "not loaded DLPORTIO.SYS device driver is not installed correctly Port95nt. 4. Start> Run> Type "cmd" and press "OK". 5. Go to the folder where the NandPro (Nandpro cd, etc.). 6. Read the nand from the Xbox and then verify that you have access to xploit. The complete extraction nand consoles with 16 megs (all but the Arcade Jasper 256 or

512mb) takes about 1-2 minutes from USB depending on Your PC speed. For Jasper than 256 megabytes are 15 to 30 minutes and Jasper 512 for 30 minutes to an hour. Right now it is advisable to read only the first 3 megs of the nand, it takes 5 minutes and is done several times to verify that you are reading correctly. In the CMD window type: nandpro usb: -r16 backup3mb.bin <- extract 3 mb, enough to check the CB with a hex editor. nandpro usb: -r16 orig.bin <- extract full 16 mb (the full nand in the case of consoles with 16mb) for storage, or to check the CB and CD with flash dump tool.

As we will see, "-r" is for reading "-w" for writes, "-e" to erase. The number behind the letter will act as a constraint, ie by putsolderg "-w3" will not write beyond the first 3 megabytes. It is very important not to use the PC while working on Nandpro, and the fewer services and have processes in place better and temporarily disable the antivirus. You should see these numbers as FlashConfig mainboard, otherwise the cable will be reviewed NANDFlasher:

FlashConfig: 01198010 <- Xenon / Zephyr / Opus / Falcon (all have 16mb) FlashConfig: 00023010 <- Jasper 16MB FlashConfig: 008A3020 <- Jasper 256 FlashConfig: 00AA3020 <- Jasper 512MB

If all is well, let's dump two more to prove they are identical (backup3mb.bin by backup3mb_2.bin change so they would not overwrite). 7. Compare the two or three nands that have been read / removed. It can be done to the program Total Commander going to File> compare by content, you must leave the message, "The two files are identical!". It also serves md5 programs, comparing the hash, or the MS-DOS command "fc (fc /? To see the help). If they are identical, the Nand successfully extracted, otherwise check the wire and shorten it if necessary.

Common Problems with Nandpro''

"Could not open Virtual xxx.bin Nand Device" - is a problem in versions 2.0b post Nandpro.. "Could Not Detect Flash Controller" - PC fails to detect that the NANDFlasher even though the USB is conencted and green LED is lit. "Error: Reading block XXX XXX" - If you see this message while extracting the Nand, and returning to do the extraction is given in the same block may be corrupt but do not worry, we will check later. The Bad Block will be arranged in the chapter of the XBR.

Check the code CB to see if you have access to exploit

If the date of manufacture of the Xbox indicates a date later than 2009-06-16 or the repair has come after that date, it is highly unlikely that the Xbox is exploitable. To get the final confirmation code value is found CB. Depending on the value of CB is to know definitively if the exploit is blocked or not. There are several ways to check, but none as reliable and fast as opening a copy of the nand with a hex editor Ultraedit type as HxD (free, portable and Spanish). Go to section 8400 and copying the fourth through eighth number:

Convert to decimal here:, the resulsolderg fourdigit code is the CB. This is the only method that allows us to see the CB but are removed only the first 3 megs of Nand.

CB Codes exploitables

Xenon: 1888, 1902, 1903, 1920 or 1921 Zephyr: 4558 or 4580 Falcon: 5761, 5766 or 5770 Jasper: 6712 or 6723

NOTE: You can also check the CB with Degraded or Flash Dump Tool, but are likely to make mistakes and close, especially with Jasper Nands 256/512. If you fail to work well as a better check on top, which is the same. To verify the implementation Degraded CB 1.1b, have to look at the "CB version" to open the file with the Nand:

In the case of giving an error when you open or close the program copy it may be a mistake to remove the nand, but it is often degraded because of not being able to open some nands, for example is only able to open nands 16MB. Please open it, go into "Settings" and fill 1BL Key with this: Valid DD88AD0C9ED669E7B56794FB68563EFA and mark. The CPU key is blank and unchecked. Start putsolderg in File System 39 and accept. If that does not open, open the Nand in a hex editor and change the date of beginning to "2004-2007":

You can also use the dump tool Flash 0.91 for checking the CB:

It is not yet compatible with Jasper 256/512, but some nand that will not be degraded. When you run a window will ask you some data, you must cancel, and "Open File" are loaded copies.

Protect e-fuse (remove resistor R6T3)

To prevent the Xbox vulnerability and the exploit, it is imperative to protect the E-Fuse. Previously you had to remove the R6T3 resistor but there is now a safer alternative, easily performed without hardware changes by a jumper on the following points (a drop of solder is sufficient to unite them). The value of the R6T3 is 10k ohms, if you ever do need to reinstall. For more info, questions and more detailed explanations, entering this thread: Alternative R6T3

High Resolution

For some consoles (Jasper Bignand) changes where the bridge has to go, depending on whether the component is installed U6T1 or U6T2:

High Resolution

Resistance R6T3 (not recommended)


Once the copy of the Nand has been verified, flash must reboot. Prepare everything before you begin:

1. 2. 3. 4.

Connection to the console to the source (without turning on the console). Start> Run> Type "cmd" and press "OK". Go to the folder where the NandPro (Nandpro cd, etc.). Download the image XBRebooter 0.05 8955_XXX * by board model:

XBR_Xenon_8955_3.bin <- Xenon XBR_Zephyr_8955_3b.bin <- Zephyr XBR_Falcon_8955_3a.bin <- Falcon v1, v2 and v3 XBR_Jasper16_8955_3.bin <--- for jaspers 16mb XBR_JasperBB_8955_3.bin <--- for jaspers 256/512MB, the BB means for large memory (it takes 66MB)

5. Rename only that corresponding to the mainboard XBR.bin (to make it easier to remember) will be used later.

From here there are two ways to continue, the latest is the one below, at first glance may seem longer but will save many hours and is recommended. Each has its pros and cons. Whatever the decision, we suggest reading the two ways to better understand the process.

Pros and cons Xellous Quick Guide:

+ It is written almost nothing for USB, almost everything from a pen usb flashing, more reliable through NANDFlasher. + You only have to read for USB 3 MB file, and config kw, much faster than extracsolderg nands complete by USB. + Best way to read and flash a virgin to linux, either gentoo or debian. - Required to connect the Xbox to the PC network and a usb pen. - If bad blocks are skipped. In this case, slow look at the guide, or flash with Debian + XBRFlash that automatically remaps bad sectors.

Pros and cons using only slow Nandpro Guide:

+ No need to connect the Xbox to the PC via network or usb pen. + There's less to type commands in the other guide. + It is indicated how to act in case of bad blocks. - All reads and writes by USB, with the reliability issues that can give a bad weld, instability of the computer, and so on. - Slow in the case of 16mb nands (30-45 min each time you remove or flashing nand). - Very slow in the case of Jasper 256/512MB. (extract or slow flash: 70mb = 3 hours, 256 = 8h, 512 = 16h).

At the end of one of the following processes and get to Chapter 4, is no longer needed the NANDFlasher USB / USB to read or write, so you can unsolder and left alone JTAG bridges and protection of the E-Fuse. If a new version comes out XBReboot or similar, can be updated by Flash360 or similar, without connecsolderg the Xbox to the PC via USB / USB.

Quick Guide, with Xellous

1. Read from the Xbox to the PC 3 megs of the original nand, 3 times (each time takes a few minutes), using USB port nandpro USB: -r3 nand3mb_1.bin nandpro USB: -r3 nand3mb_2.bin nandpro USB: -r3 nand3mb_3.bin 2. Compare up to 3 bins ensuring they are identical copies. Use total commander> file> compare by content, you must leave the message, "The two files are identical!". If something goes wrong check the installation. We have to get more copies until at least 2 are identical. 3. KV and extract the config from the 360 three times each (very fast), to verify that you have a reliable copy: For nands of 16mb: nandpro USB: -r16 kv1.bin 1 1 nandpro USB: -r16 kv2.bin 1 1 nandpro USB: -r16 kv3.bin 1 1 nandpro USB: -r16 config1.bin 3DE 2 nandpro USB: -r16 config2.bin 3DE 2 nandpro USB: -r16 config3.bin 3DE 2 For nands of 256/512MB: nandpro USB: -r256/512 kv1.bin 1 1

nandpro USB: -r256/512 kv2.bin 1 1 nandpro USB: -r256/512 kv3.bin 1 1 nandpro USB: -r256/512 config1.bin EF7 2 nandpro USB: -r256/512 config2.bin EF7 2 nandpro USB: -r256/512 config3.bin EF7 2 Check that the copies are identical by Total Commander. If not the same as before, check cable,.

4. Write Xell. Download Xell, whichever is the motherboard of the Xbox:

newXell.bin - Xenon falcon_hack.bin - Falcon zephyr_hack_updxell.bin - Zephyr jasper_6712_hack.bin - Jasper 16mb jasper_6723_hack_for_256mb_512mb.bin - Jasper 256/512MB

Place the mainboard corresponding to the Xbox NandPro folder, rename xell.bin for comfort, and write in the Nand (a few minutes): nandpro USB: -w2 xell.bin 0 If you are already soldered the JTAG, you can turn on the xbox wired VGA or Component (RGB red green blue, not to be confused with composite) and see the Xell. When you turn on a screen in blue with white letters like this. If the screen goes black or get an E79 error dont worry, you only have to check the wiring of JTAG.

5. Upgrade to Xellous Xell. Download "Xellous 1.0", and the files in the RAR-1f.bin Xell choose. Copy to a FAT32 formatted usb pen and rename updxell.bin. Plug the pen to the Xbox (remove the current 5 sec, to take it well) and switched on will be updated. If giving problems, try another usb pen. Note: Write directly to Xell-Nand 1f.bin not work, follow the steps to the letter.

6. Remove full nand and CPU key from Xellous. Connect the router to the Xbox and assigned a DHCP IP displayed on screen (the Xellous also works only with VGA or component cable). With DHCP disabled or direct connection PC <-> PlayStation without router (may be cross network cable) is assigned the IP

Put the IP in the browser (Internet Explorer is not recommended) and access the web Xellous menu where you can extract the full Nand, the cpu key and key dvd, etc.. a quick and elegant way:

Draw the complete Nand flash raw option. Rename nandcompletaxellous.bin eg. It will be easier to identify, since this is the bin file that carries the rest of Xellous + original nand. Extract 3 times and compare, to be sure.

Important: It is normal that leave Xellous now see the DVD key and extract the Key Vault (KV). This is because after flashing the Xell and Xellous, has deleted the original on the Xbox KV (the config is still the same, checked). Optionally, at this point could be restored to the Xbox kv.bin previously removed, so that everything is accessible in Xellous: nandpro USB: -w16/256/512 kv.bin 1 1 <- "-wX" according to the size of the Nand As in two minutes will the XBR + KV and Xellous with original CONFIG injected, this step is not necessary.

7. 7. Build a file with the full dump virgin. Inject the bin with these first 3 megs extracted at the beginning (eg nand3mb_1.bin) to complete bin freshly collected from the web xellous menu (eg nandcompletaxellous.bin): nandpro nandcompletaxellous.bin "w3 nand3mb_1.bin If you get the message "could not open Virtual nandcompletaxellous.bin Nand Device" using nandpro 2.0b. Now the resulsolderg file will be the original full nand, rename nandcompletaorig.bin eg, to know that this is complete without xellous dumpee, to avoid confusion. It has to save well, is a lifesaver in addition to cpukey and dvdkey.

8. (Optional) Remove the KV and the restoring file CONFIG nandcompletorig.bin now. This step only serves to compare and confirm whether the KV and CONFIG remain the same as the Xbox had in the beginning. For nands of 16mb: nandpro nandcompletorig.bin:-r16 kv.bin 1 1 nandpro nandcompletorig.bin:-r16 Config.bin 3DE 2 For nands of 256/512MB: nandpro nandcompletorig.bin: -r256/512 kv.bin 1 1 nandpro nandcompletorig.bin: -r256/512 Config.bin EF7 2

8. 9. KV and Injection in LOCALS XBR original. XBRRebooter Use downloaded before and renamed XBR.bin: For nands of 16mb: nandpro xbr.bin: -w16 kv.bin 1 1 nandpro xbr.bin: -w16 Config.bin 3DE 2 For nands of 256/512MB: nandpro xbr.bin: -w256/512 kv.bin 1 1 nandpro xbr.bin: -w256/512 Config.bin EF7 2

10. Flashing the XBRReboot. XBR.bin Once modified, copied to a usb pen and rename updflash.bin. When starsolderg the Xellous will detect it and write it to the Nand (if BigNand are 66MB, it will take 4 or 5 minutes).

Optional upgrade carrying the XBRReboot Xell to Xellous. When writing the XBRReboot overwrites the old Xell Xellous. To put it back, copy the RAR Xell-2f.bin the "Xellous 1.0" to usb and rename updslot0.bin. Run the utility and update the Xell Flash360 to Xellous. Flash78 This post shows how step by step:

Slow guide, using only NandPro

1. Nand Remove from the Xbox. If, before only been extracted 3 megs of NAND, now requires the full nand 16mb or 70mb if it's a Jasper 256/512MB: nandpro USB -r16 backup16mb.bin <- to 16MB nands nandpro USB -r70 backup70mb.bin <- for nands of 256/512MB The reason to read 70mb in the case of Jaspers 256/512MB's because the XBR then write only the first 66MB, so save 70mb is more than enough. Although not necessary at all (since the end of the BigNand only contains the Memory Unit), if you have the backup of the complete Nand 256/512MB is better to follow another approach, but it would be: nandpro USB:-R256 / 512 orig.bin.

2. Compare several extractions of the Nand to verify the proper functioning of NANDFlasher. Make at least 3 extractions (using each time a different output file, eg backup16mb_1.bin, backup16mb_2.bin ...) and check that the copies are identical

3. Remove the KV and Config backup nand For nands of 16mb: nandpro backup16mb.bin:-r16 kv.bin 1 1 nandpro backup16mb.bin: -r16 Config.bin 3DE 2 For nands of 256/512MB: nandpro backup70mb.bin: -r256/512 kv.bin 1 1 nandpro backup70mb.bin: -r256/512 Config.bin EF7 2

For an extra check you can be drawn also from the Xbox, using these same commands replacing the parameter for example "backup16mb.bin:" a "USB". Now it compares to the KV and CONFIG drawn directly from the Xbox to have been extracted from. Bin extracted before, they should be identical.

4. Inject the KV and the original config will be used XBReboot the XBRRebooter previously downloaded and renamed xbr.bin: For nands of 16mb: nandpro XBR.bin -w16 rawkv.bin 1 1 nandpro XBR.bin: -w16 rawconfig.bin 3DE 2 For nands of 256/512MB: nandpro XBR.bin: -w256/512 rawkv.bin 1 1 nandpro XBR.bin: -w256/512 rawconfig.bin EF7 2

5. It may be the case that the Xbox has "Bad blocks" or blocks moved (Error: Block 0x2CE found at 0x3F8). To fix you can use the 'Bad Block Remapper' or do it by hand with Nandpro. For Nands of 256/512MB and change-r16-w16 by -r256/512 and w256/512, etc: nandpro xbr.bin:-r16 block2ce.bin 2ce 1 <--- Read the 0x02CE block and save it as block2ce.bin nandpro xbr.bin -w16 block2ce.bin 3f8 1 <--- wrote block2ce.bin result in 0x3f8 block where this remapping

In this image you can see where you can remap the Bad Blocks: Bad Block Management in NAND XBOX 360

6. Clear NAND (important to remove, can cause problems if not done) nandpro USB: -e16 0x000000 <- to 16MB nands nandpro USB: -e256/512 0x000000 <- for nands of 256/512MB

7. Flashing the Rebooter XBR.bin (with KV and Config injected) on the Xbox. With the command as our version of mainboard: nandpro USB -w16 XBR.bin 0 <--- for nands 16mb nandpro USB -w70 XBR.bin 0 <--- for nands of 256/512MB The 0 indicates the first sector in which you enter.

8. Copy the key CPU With the new version of the XBR (v3 and up) to load the Xell into the console with the eject button, without requiring a cable or media control, as required by the old XBR. In version 3 the XBR have to copy the lines that come in fuseset, that's the CPUKey. CPUkey = Fuseset 03 +05 = Fuseset 04 +06

BIG Block:

BAD BLOCKS: When Flashing through XeLLous it will move the bad blocks for you so you don't have worry about it. The only time it is of any concern is if when reading the first 2MB of your nand you encounter blocks between blocks 0 and 50. Please refer read here.

If you encounter any Badblocks between 0x00 - 0x90, you can use this tutorial and my Badblock document to get Xell working, but don't update to XeLLous. Also it will have to be flashed with xbr-flash for linux, it is the only solution at the moment. See this thread for a user with a similar issue and the solution we came up with and read here for my explanation on the issue. What I wrote here is based a lot on the following topics and threads. Actually a lot is plagiarized from there, so thanks go out to those guys.


STEP 1: Confirm your dashboard is exploitable

The very first thing you need to check, is your xbox kernel and that your XBOX is manufacture before June 18, 2009.

Turn on your xbox and go to console setsoldergs. Go to system info, the kernel version is on top right.

If you have kernel 2.0.7371.0 or lower, there is one more check to do, which requires you to read the nand chip with a homemade USB nand reader or a usb spi flasher. There is no other 100% way of knowing your CB version without reading the nand.

Requirements: Software :

free60 version of XELL from xbins, file size should be about 1.4 MB and there is one fore each motherboard XeLLous, at the of wrisolderg this it is a 1.0 from xbins Latest release of XBR, specific for you motherboard from xbins. Nandpro20b, 64 bit Nandpro USP SPI Driver And 64 Bit Port95 Alternative FireFox Hex Workshop


A way of reading/wrisolderg NAND, USB or USB SPI. Router, or Cross Over Cable or Switch PC with USB port

XBOX, and XBOX component cables, HDMI doesn't work for installation, composite and vga are untested by me personally. If other cables work please report them here and I will update.

Step 2: Read and Backup first 2MB of NAND

a. Download nandpro 2.0b.

b. If using an x86 make sure port95nt.exe is installed, if it's not, install it (from nandpro20b folder) you might need to reboot.

c. If using a 64bit system then follow the directions in this thread to install equivalent 64bit drivers. If using Windows 7 or Vista 64 bit you will need to disable driver signing


Plug your 360, but don't power it on.

e. Plug the USB cable or your usb spi into PC and XBOX.

f. Open a CMD prompt window within the Nandpro folder, if using Windows 7 or Vista run as Administrator: nandpro USB: -r2 c1.bin or nandpro usb: -r2 c1.bin (From here to the end I will use USB, so adjust accordingly)

g. Read your nand a second time, so type:

nandpro USB: -r2 c2.bin


Compare your dumps by typing the following command: fc c1.bin c2.bin /b


If differances where found type the following command: nandpro USB: -r2 c3.bin


Then compare your second and thrid dump: fc c2.bin c3.bin /b

k. Use the 2 that match, if c2 and c3 match rename c3.bin to c1.bin. Do not proceed whatsoever or under any circumstances if you can not get two matching dumps.

Note: No read errors should be encountered with the commands above, if for whatever reason you do please post them on the related thread and ask for assistance before proceeding.

If for whatever reason you can't get two matching NAND dumps, then please do as follows:

If you're getsolderg no errors in NandPro, but when you compare your dumps they never match, you need to ground the USB cable.The un-shielded wire on the USB cable (ie no plastic sleeve) is the ground, or if you've built your own cable from scratch, attach a wire from the metal chassis of the DB-25 connector. Attach this to the metal shielding of the 360 or one of the copper grnd points around the screw holes in the mobo and that should sort the problem.

Step 3: Verify your CB is exploitable from 2MB backup:

a. Now open up c1.bin in a hex editor (free hex editor) and you should see:

© 2004-200X Microsoft Corporation. All rights reserved.

X = 5, 6, 7, 8 or 9 (depending on what dash you have/when your console was made).

b. Now search in hex for "CB" (without quotes) your looking for the one at or around 8400 in hex (it has to be in caps).

c. Copy the 4 hex digits after it and convert it from hex to dec with this Conveter and Like This and verify your CB is exploitable.

Exploitable CBs:

Xenon: 1921 or lower is Exploitable (exception: 8192 IS EXPLOITABLE) Zephyr: 4558 or lower is Exploitable (exception: 4580 IS EXPLOITABLE this needs falcon version of Free60) Falcon: 5770 or lower is Exploitable Jasper 16mb: 6712 or lower is Exploitable Jasper Arcade (256/512): 6723 or lower is Exploitable

Step 4: Installing JTAG

The XENON soldering can be found here: For Zephyr, Falcon, Opus & Jasper here: boxxdr method

The above two methods are the only methods recommended from my experience they give the best results.

General Falcon Troubleshoosolderg:

Review this This might be applicable to all XBOX, success has been reported by various people with the various revisions.

Step 5: Protecsolderg fuses and JTAG(optional):

To protect your CPU fuses it is recommended you do as depicted in the following images: You don't have to remove R6T3, you just bridge the points depicted in the images. If U6T1 is installed If U6T2 is installed For more info refer to the following topic:

The reason for doing this step is if and when Microsoft releases a new kernel, and you decide to accept an update from a game, your fuses will be blown. Blown fuses will eliminate your ability to run XBReboot and unsigned code.

Step 6: Injecsolderg XeLLous into Free60 Xell and Flashing.

Now with the jtag installed we are going to proceed on flashing and getsolderg XeLLous up and running.

a. First you need to download the right version of XELL and the latest release of XELLOUS otherwise this will not work.For XELL you need the free60 versions that are specific to each motherboard and are about 1.4 MB in size, review the table below.

You will need one of these files depending on the revision of your XBOX:

xenon_1921_hack-20090911.rar zephyr_hack_updxell.rar falcon_opus_hack.rar This is good for all XENON Good for most Zephyr (CB 4580 requires Falcon one) Good for Falcon and Opus, and Zephyr with CB

4580 jasper_6723_hack.rar Good for all 16MB Jaspers jasper_6723_hack_256MB_512MB.rar Good for 256MB and 512MB Jaspers

Zephyrs with CB 4580: Success with these XBOXs are hit and miss, please refer to the bottom of the tutorial for troubleshoosolderg tips, and information on the XBR version you require.

b. Download the latest release of XeLLous from the usual places, at the time of wrisolderg this was version 1.0.

c. Extract XeLLous and your version of Free60 Xell. Copy them to your nandpro20b folder.

d. Rename your version of Free60 Xell to free60.bin. For example:

ren zephyr_hack_updxell.bin free60.bin

e. Connect XBOX to USB port again, and do the following to backup your key vault and configuration blocks. Dump everything multiple times and always compare them using either Hex Workshop or fc from CMD prompt. To dump your keyvault from nand (This is the same for all motherboard versions): nandpro USB: -r16 kv1.bin 1 1 Dump this a couple times and compare them.

To dump your Config from nand: nandpro USB: -r16 config1.bin 3DE 2

Dump this a couple times and compare them.

For 256/512 Jaspers its: nandpro USB: -r256 config1.bin ef7 2 Dump this a couple times and compare them.

f. Inject Key Vault into your version of Free60: This command is compatible with all NAND sizes: nandpro free60.bin: -w16 kv1.bin 1 1

g. Inject XeLLous into your version of Free60:

This command is compatible will all NAND sizes. nandpro free60.bin: +W16 xell-1f.bin 40 Please ensure you type the command exactly how you see it, don't deviate. The +W is correct, and make sure it is xell-1f.bin, W is capital.

h. Flash free60.bin to your XBOX.

This comman is compatible will NAND sizes. nandpro USB: -w16 free60.bin 0


Unplug XBOX from USB and power outlet and let it sit for 30 seconds.


Connect XBOX to your TV and turn it on using the normal power button on the front, ensure network cable is connected.

k. You should see screen that is similar to the one depicted below. Ensure that it says HTTPD and not HTTP. Note the http:// address and write it down. Take a picture so that you have a record of your cpu and dvd key.

If for whatever reason you where unable to boot into XeLLous, start over at Step 6-f and skip Step 6-g, and before Step 6-J follow the First Method

of "Different Methods of Installing XeLLous:" found in the Troubleshoosolderg section then consolderue with Step 6-J. If you encountered a black screen or it didn't boot at all check your wiring or ensure you read the Badblock Management document specifically if you have a bad block between 0 and 90.

Step 7: Get a Full NAND backup

a. Leave the XBOX on and go to your PC. Using FireFox go to the address noted in Step 6-k. It is recommended you disable any firewalls or internet security suites you have enable. Also XeLLous is only guaranteed to work with FireFox. A similar screen should be seen from FireFox.

b. Under "Raw Flash" Click download and save as fullnand1.bin, do this multiple times and compare them to verify that none of your security software is interfering.

c. Under "Config Blocks" Click download and save as rawconfig1.bin, do this multiple times and compare them again. (Why do this, when I have already dumped it through USB? It's good to have multiple copies for tessolderg and troubleshoosolderg. Keep backup copies of all you config dumps, kv dumps, and any other dumps relasolderg to you original nand)

d. Make fullnand1.bin complete: nandpro fullnand1.bin: -w16 c1.bin 0

Keep the file in a safe place and make multiple copies, this fullnand1.bin file is a full backup as it was before you started this tutorial.

Step 8: Preparing XBReboot

a. Download the latest version of XBReboot for your console. If you are not sure which one is for you confirm with your CB, and Flash Config. The Flash Config is displayed every time you run the nandpro command.

b. Extract the contents from your download and rename your release to updflash.bin.


Inject your Key Vault (kv.bin) into XBR. This command is good for all NAND sizes. nandpro updflash.bin: -w16 kv.bin 1 1

d. Inject your configuration blocks into XBR. (Sometimes it's good not to do this because it may result in E72) For 16MB nands: nandpro updflash.bin: -w16 config.bin 3DE 2

For 256MB or 512MB nands: nandpro updflash.bin: -w256 config.bin ef7 2

e. Inject XeLLous into XBR. For All NAND Sizes: nandpro updflash.bin: +W16 xell-2f.bin 30 The +W is correct, and make sure it is xell-2f.bin, W is capital

Step 9: Flashing XBR to the XBOX.

a. Copy updflash.bin to the root of a USB key or drive formatted in Fat/Fat32.

b. If XBOX is still on turn it off, plug USB key or drive in one of the front USB ports.


Press the power button and watch XeLLous flash XBR.

d. Follow the on screen instructions. When power cycling make sure XBOX is unplug and off for 30 seconds.

e. Power on the XBOX using the front power button, the XBOX will start normally and you should see the NXE dashboard. If you go to the System Information, under Console Setsoldergs you will see the kernel version as 8955 that means XBReboot has been installed. You can now run unsigned code and install alternative dashboards or menus. If you need to go back to XeLLous power the XBOX using the eject button.

Troubleshoosolderg hints:

Weird Freezing on Logo screen and weird behaviors:

If for whatever reason XBR is running weird or encountering unforeseeable use the XBRFLASH tutorial, you might be a victim of hybrid blocks.


Try flashing your KV over USB and see if that solves the issue. nandpro USB: -w16 kv.bin 1 1

Reflashing or updasolderg XBR:

Go back to Step 8-a and follow through to Step 8-e. Consolderue to Step 9 and follow as directed, except for Step 9-C, instead of using the power button use the eject button.

E72 on boot:

This means there is something wrong with your configuration blocks. So go back to Step 8-a and follow through to Step 8-e skipping Step 8-d. Consolderue to Step 9 and follow as directed, except for Step 9-C, instead of using the power button use the eject button.

Black Screen on boot with XBR installed:

Try using different video cables. HDMI, Component and composite, thanks to liquidbings from X

Error "404" from FireFox:

If you are getsolderg "404" error on your computer or XELL saying "Connection Closing" on the screen you are more then likely not in XeLLous, but rather Xell.Try boosolderg the XBOX again with one of the different methods listed below, or try installing XeLLous with one of the many different methods listed below. And again ensure your in XELLOUS review the image below. Otherwise use a cross-over cable.


Different Methods of Boosolderg into XeLLous:

a. Normal power button on the front. b. Power on through eject button, this requires a dvd drive plug in, it really doesn't matter if it's flashed with the right key or not. c. Power on through a controller plug in the back usb port of the XBOX. (Can be a wired controller, or Wireless connected via Play & Charge kit)

Different Methods of Installing XeLLous: First Method:

Xan21 brought this to my attention. Rename xell-1f.bin to updxell.bin. Place updxell.bin on the root of a usb drive or key formatted FAT/FAT32 and turn on the XBOX with key or drive plug in the front usb port. Xell should update to XeLLous. Note this works on all XBOX revisions. Don't use this one with XBR. ren xell-1f.bin updxell.bin

Second Method:

This method will totally replace Xell with XeLLous, making XeLLous bootable from the power button use only with free60 Xell. nandpro USB: +W16 xell-1f.bin 40

Third Method:

This method will make XeLLous bootable from the back usb port via a wired controller or wireless controller with the Play and Charge kit or eject button if replacing it in XBR3. This is also the command to update your Xell to XeLLous in XBR3(use xell-2f.bin to update XBR). nandpro USB: +W16 xell-1f.bin 30

Injecsolderg Method:

You can inject XeLLous into the free60 version of XELL before flashing with the following command, so you don't have to do it later: Inject XeLLous into the free60 version of xell. nandpro free60.bin: +W16 xell-1f.bin 40

Inject XeLLous into XBR. nandpro xbr.bin: +W16 xell-2f.bin 30

Zephyr with CB 4580:

1. It has been reported that the Falcon version of XBR seems to work, of course you might encounter issues. 2. It also has said that some people have been successful copying the SMC from the Faclon XBR and injecsolderg it into Zephyr XBR like so:

nandpro FalconXBR.bin: -r16 SMC.bin 0 1 nandpro ZephyrXBR.bin: -w16 SMC.bin 0 1 Proceed with injecting your Key Vault (kv.bin), skip the config for troubleshooting purpose and see how successful that is.

3. It has also been reported that some people have had success using a 100 ohm or 330 ohm resistor between J2D2.4 and J2D2.7.

General Recommendations:

For troubleshoosolderg purposes I recommend that you don't inject your configuration (config.bin). If it seems your XBOX is working properly then inject your configuration and see what happens or flash it through USB. For 16MB nands: nandpro USB: -w16 config1.bin 3DE 2 For 256MB or 512MB nands: nandpro USB: -w256 config1.bin ef7

Can't boot to Xell from XBR using Eject button:

Please beware that a dvd drive needs to be plug in for boosolderg into XELL, at lease the small black power cable. However SATA from dvd drive does not need to be.

Notes: From XeLLous release:

USB Notes: For best results of getsolderg the usb device detected. Remove the power plug from the console after running the MS dashboard. Then reinsert the power plug, insert usb device and then boot into XeLLous. Reading 66MB (updflash.bin) can take a few minutes, be patient while it loads to ram.

Thanks goes out to the whole scene, too many to mention. Special thanks goes out to BlackSteel though for providing the virgin XBOX. If anybody wants to repot the thread and make more presentable by all means.

Explanation of some of the commands:

The Following command reads the first 2 MB of your Nand flash and saves it to a file named c1.bin: nandpro USB: -r2 c1.bin

This command reads your Key Vault from the nand flash and saves it to a file named kv.bin: nandpro USB: -r16 kv.bin 1 1 This command writes c1.bin(which should be a backup of your first 2 MB) to a file named 1.bin. nandpro 1.bin: -w2 c1.bin This one writes Xell to block 40 of your nand, where it should go the free60 versions of Xell. nandpro USB: +W16 xell-1f.bin 40 This one writes Xell or XeLLous to block 30 of your nand, where it should go for XBReboot. nandpro USB: +W16 xell-2f.bin 30 This one injects Xell or XeLLous starsolderg at block 30 of XBR, as it is stated in the release notes. nandpro xbr.bin: +W16 xell-2f.bin 30 If anyone needs more info on how things work let me know and I will address it.


Microsoft Word - nandflasher_GUIDE

42 pages

Find more like this

Report File (DMCA)

Our content is added by our users. We aim to remove reported files within 1 working day. Please use this link to notify us:

Report this file as copyright or inappropriate


You might also be interested in