Hello there, You are looking at my massive tut on how to Jtag an xbox from start to finish. If you want to jtag your console and dont know where to start, this is where you wana be! This whole tutorial relies on use of iHc NandTool Version 2 (you can get it from the links below) So to get started... Software Downloads: Spoiler iHc Toolbox - Downloading Latest iHc Toolbox Microsoft .Net Framework 3.5 of above - Download details: Microsoft .NET Framework 4 (Web Installer) Jtag files - Mirrors in spoiler Spoiler Mirrors: Code (Text): http://www.2shared.com/file/sjGf-wqV/NandToolDependenciesPack.html http://www.multiupload.com/SEX6WI9AQC http://rapidshare.com/#!download|258tl2|441170343|NandToolDependenciesPack.rar|20869 http://hotfile.com/dl/94787440/9bb35a5/NandToolDependenciesPack.rar.html http://depositfiles.com/en/files/xqi4onchq http://www.megaupload.com/?d=TNWANM7F Once you have the software we can now move onto hardware... So lets begin.... This tut will be done on an xenon console and the jtag wiring (diodes) will be different for other revisions, other than that i will always be the same This is gona be long, compacted and you are gona need alot of things. Requirements Spoiler Parts list and quantities from maplins (UK) - (you can get from alternative sources if you wish) Spoiler Switching diodes - Part Number QL80B Quantity - 2 (i recommend getting a spare) Ethernet cable - Part Number CW45Y - Quantity - 1 (1M of it) Soldier - Part Number N51AW - Quantity - 1 (tube) soldiering iron - Part Number N11BY - Quantity 1 (30W should be fine) 100 ohm resistors - Part Number M100R - Quantity 6 (May not be needed but get to be on safe side) There the physical parts ^^^ now some things you need in your house... A tidy work area: Spoiler A computer with one of these badboy ports (LTP Port, Usually used for Printers) Spoiler A victim to exploit: Spoiler It needs the 7371 dashboard or below.. (To get it, go to System Preferences > System Settings > System Info Right this can be a little more complicated than just having that dashboard... Although I say dashboard 7371 or below, if your console has a MFR date of 1st June 2009 or above and still has 7371 dashboard then it may have been patched already! However you could be lucky and it still isnt.. The only way to find out is to do a pre dump CB Check to be 100% sure... So Dashboard 7371 or below & a MFR of before 1st June 2009 = 100% Jtaggable If you have that mfr after 1st June 2009 you can take the risk but be prepared for a possible let down... So an overview of the above... This is what you need: x6 100 ohm Resistors (dependant on your computer (get them to be safe)) x3 Switching Diodes 1m of Cat 5 ethernet cable A PC with a LPT port Some soldier and a soldering iron Now you are ready to jtag your console... So, we have the parts we need? lets get to installing the new exploit wiring If you are using NandX, Look at the below spoiler, If you are using LPT then skip the NandX one Setting Up console for NandX Spoiler Installing NAND-X QSB Jtag Wiring Spoiler First off we need to install the JTAG wiring (two diodes and a jumper) what are included in official NAND-X bundles, This is simply two QSB's (Quick Solder Boards) and a cable, you can see it here: Spoiler Now, we need to soldier these onto the motherboard, Here is a picture of where the QSB's need to go: Spoiler first off, remove the sticky pad on the back and stick them where i do below: Make sure you align them with the holes on the motherboard! Spoiler So now the motherboard should look a little like this: Spoiler Now with your super slick soldering skills, Connect the connectors on the QSB with the holes under it: Spoiler Now, you have soldiered on the QSB we can no add that blue and yellow wire, so connect it up Now we need to configure the switch and jumper. Here is a quote from the team-xecuter So i am going to go by what they say, i have switched the switch to the setting closest to the jumper (0) and removed the jumper. If i get errors later i will do what they say and change it if needed. So it should look like this (i blu tacked my jumper to the console for safe keeping :)) Spoiler So that is the jtag wiring part done :) Now we need to install the NAND read/write points. I will also be using the QSB to do this as well. It is very simular to the above one so i recommend that your read that bit first as i may go a bit quick through this one... Installing NAND Read/Write NAND-X QSB: Spoiler As i mentioned above, read through the Installing jtag wiring spoiler first... Now we need to do the same as we did above but in two different places... i am just going to whiz through here and show you where they need to go... So these are the two QSB's we have(sorry, i already used these ones so there a little dirty) Spoiler Now as mentioned earlier, install them into these locations: Spoiler Once you have installed them two, connect up the three pin headers to the two QSB's. Now i like to be a bit of a perfectionist so i wired mine back out to the outer shell of the case :) Spoiler Now we have all this connected we can begin to dump our nand, so connect the cable up and move on.. Now that we have it all setup we can get ready to dump, mod and write nand... this is also a lot easier than the LPT method. Setting Up console for LPT Spoiler Installing JTAG Wiring Spoiler So first off we need to open the xbox and remove the motherboard from the casing... the console i have had RROD so i will remove the heatsinks as well but you dont need to do that. To open the XBOX you will need a T8 and a T10 Screwdriver along with a very small (1.2MM) Flathead screwdriver... i do not have a tut on how to open it but if anyone has a good video feel free to post it and i will use it. Spoiler now you removed the motherboard, chuck all the junk of your clean workspace and put the motherboard on there... first off we want to know where we are working... look at this picture below: Spoiler wiring is spelt like this <<< i am aware lol That is the area where we will be working and i added some quick lines (took me ages really :P) to show where we will have to soldier to for the jtag hack to work. Now we are going to install the two diodes and the jump wire. If you look at this close up you will see what needs doing Spoiler You can see the I< on the two diodes wires... thats the end the black end points towards! it has to be that way! so it will look like this: Spoiler And the jumper (Green line) couldn't be more easier... all you need to do is short them two pins together. So we can begin soldiering to the motherboard! You will need some soldiering skills and a steady hand here, My best method of soldiering into these little sockets is to turn the board onto its side and press the soldiering iron onto the rear of the hole melting it so that you can slide the cable into the whole. A picture: Spoiler so using that tip, some wire (just ~3cm from the CAT5 cable) and the above installation instructions it should look like this: Spoiler Once its done and secure i would recommend you cover it in insulation tape to stop any shorting. but thats it! you console can now run the JTAG hack... all we need to do is install the LPT cable and write to the nand. So now we have our JTAG hack diodes installed we now need to get the console ready for writing to the nand. Making and installing the LPT cable Spoiler So now we have our Jtag wiring installed we now need to write the modded image (freeboot) but before we can do that we need to install the connection from our computer to the console... this will require more soldiering btw. so lets begin, first off, this can be done in two ways, install a permanent cable (im not going to go into it) or a temporary one (what im gona do) This cable is only needed once for reading and writing to the nand the modded image. For more experienced modders who will try loads of hacks to booting ect i would recomend that you use your brain and create a socket what lets you write to the nand with the console closed up (most common method is get an ethernet coupler and make a hole under the HDD... this will be more clearer later on in this spoiler.) anyway, the temporary method: (i will do a more permanent method later if i get a client who requests it) Right first... we need to get our cat5 cable and cut it down so it is no more than 40cm (anything more and it will corrupt the data giving bad nand dumps, some PC's may need it shorter) Spoiler Now you want to cut about 9cm of the outer insulation (in my case the blue bit) so you can see 9cm of the 8 wires in side Spoiler now we only need 7 wires so pick a colour and get rid of it Spoiler Now because i jtag alot of consoles i want a more long lasting cable so i am attaching stronger bits of metal to the end of my cable so i can solider and disorder easily. If you want to copy me all i did was dug out some heat shrink tubing (2.4MM) and some old resistors (using the metal from each end of it) and did this (below) to each side: Spoiler so now you have the cable made (if you dont want my fancy add on just strip the wires down and neaten it up ready to soldier into the holes) we can no get ready to soldier on the console motherboard. take a look at this picture, the coloured dots are where you need to soldier to, these will also be matched with a corresponding colour slot in on the LPT port of the PC: Spoiler and they need to connect to here: Spoiler Now unless you have a multimeter and can test the voltage the PC outputs to the LPT, i would install the 5 100 ohm resistors to cables; Orange, Orange/White, Green, Blue and Blue/White. The only way to tell if these are needed is if we get an error later on trying to read the nand, if we do we will take them off. I know in my case i don't need them so i wont bother with them but you all should. so now you know where you need to soldier to (We are only soldering to the motherboard, we only have to slide the cables into the PC port) we can get soldering! here is a pic of what it should look like when were done: Spoiler Now we have the cable wired on we are now ready to connect it up to out PC! lets move on! So now we have our wiring done we now need to prepare our computer (the one with the LPT port) for dumping, making and writing to the nand... lets begin Setting up the computer Spoiler first off we need a working os (unlike mine) Spoiler Once you have a 64 Bit OS (Win XP, Vista or 7) Now we need to put the jtag files somewhere where iHc Toolbox can see them.. If you open the Jtag files rar you downloaded from one of the mirrors you will see a folder named 'nandtool' In there is all the dependencies that iHc NandTool needs.. Just simply copy the 'nandtool' folder into the same directory where iHc Toolbox.exe exists then load iHc Toolbox. iHc Toolbox should look a little like this when it loads To load up iHc NandTool, Click the arrow to the right of 'Xbox 360 Jtag / Dev Kit' Section and then click on 'iHc Nand Tool' It should look like this when it loads: If the console displays: Code (Text): iHc NandTool> Checking for Freeboot and its dependencies... iHc NandTool> Some dependencies for freeboot could not be found, Please ensure they exist iHc NandTool> File descovery complete, total of 3 errors. it means that it could not find one or more file in the nandtool folder that is needed. Make sure the folder exists in teh same directory as the exe! Now we have loaded nand tool and have the files in the right place we are ready to start! First we need to find out what console revision we have... Hover over each of the 'Console Revison' Buttons and compare the information with your console.. When you have found your revision click on it. Now we need to set up our Connection Type.. If you are using LPT select 'LPT Connection' and if you are using USB select 'USB Connection' Now we are ready to start! LPT Setup Spoiler so first off get the console near to the LPT port and plug it into its power pack Spoiler Now going back to earlier: Spoiler you need to connect the console up to the LPT port... this is what it should look like: Spoiler so now we have our wireing done, the program is in place... means its time to dump the nand! USB Setup Spoiler This one is simple... Connect your Nand-X/ SPI Nand Flasher to your computer and plug your consoles power supply in! So we have the Jtag connected up to the computer, we can start! so lets go! PreDump CB Check (Make sure we can jtag) Spoiler This pre-dump CB check is a handy feature as the only way tou be 100% sure you can jtag is to check the CB version... now if you are using a LPT your dumps can take a VERY long time... this pre-dump CB check only dumps 33KB instead of 16Mb,256Mb or 512Mb to possibly be let down... anyway lets do this shizzles! Once you have your settings in place, Head over to the 'Nand Pro' Tab and click on Read CB. If it can make a connection OK and read the block of your nand containing the CB then you should see a response in the console similar to this: Code (Text): CB Checker> Loading file... CB Checker> Your CB Version is: 1903. Checking for exploitability... CB Checker> Consoles CB is exploitable for the 'jtag hack'. Consoles motherboard revision is: Xenon (1903) If it states that your console IS exploitable for the 'jtag hack' you can continue.. If you get a response like so: Code (Text): CB Checker> Consoles CB is NOT exploitable for the 'jtag hack'. Consoles motherboard revision is: Xenon (1940) Then unfortunately you cannot jtag your console so if you have a jtaggable console, move on... if you dont... sorry you just waisted your time but this is the only way of being 100% sure you can dump so now if we have passed the CB check stage... we can now dump our nand! Dumping the nand Spoiler This is just as simple.. Press the 'Read Nand' Button in the 'Nand Pro' tab and a CMD window will pop out, It will begin the dumping process of the Nand, It has to dump up to blocks 03FF, Once its done the console should say 'Press any key to continue'... Do as it says and if the nand was dumped correctly a save file dialogue will appear, Save your nand image as OrigDump1.bin or something like that to a SAFE location then repeat the above 2 more times so we have 3 Copys of your nand (to compare) Now you should have 3 Dumps, Hopefully they are all the same size If for some reason you receive any sort of error messages when dumping the nand they will be read into the built in console You can post the error and i will try to help you.. if you have 3 dumps then you can move on. So now we have 3 copies of our original nand? lets check them!!! Checking the nand images Spoiler right... now this couldn't be any easier, on iHc NandTool go to the 'Nand Tools' tab and click 'Dump Compare' and it will load a open file dialogue.. select the first dump then press open... then another box will popup, select your 2nd dump... once you click OK it will run the check process through: If the console reads something similar to this: Code (Text): Dump Compare> 1024 blocks checked... The two dumps are identicle! Then you are good to go! feel free to move onto the next spoiler.. However if you get a response like so: Code (Text): Dump Compare> 1024 blocks checked... 1 Different block found... The two dumps are NOT identicle It shows that one of your dumps was corrupted in the dumping process... Just try different combinations of the 3 dumps until you get identical ones... If you keep getting corruption try make sure the LPT connection is as short as possible and that the ground wire IS connected. So you got a good dump? lets double check that is okay to jtag this consols Checking the CB version (Make sure we can jtag) Spoiler if you did a predump CB check then you don't need to do this... move on But if you didn't then go to the 'Nand Tools' tab and click 'CB Check' It will load a Open file dialogue, Select one of them 'good' nands (what was identical with another one) then press OK, it will do its magic... if you get a response like so: Code (Text): CB Checker> Loading file... CB Checker> Your CB Version is: 1903. Checking for exploitability... CB Checker> Consoles CB is exploitable for the 'jtag hack'. Consoles motherboard revision is: Xenon (1903) If it states that your console IS exploitable for the 'jtag hack' you can continue.. If you get a response like so: Code (Text): CB Checker> Consoles CB is NOT exploitable for the 'jtag hack'. Consoles motherboard revision is: Xenon (1940) Then unfortunately you cannot jtag your console so if you have a jtaggable console, move on... if you dont... sorry you just waisted your time but this is the only way of being 100% sure you can dump Now we know for certian that our console can be jtaged, lets flash xell to the console Installing Xell to get the CPU key Spoiler right, go back to iHc NandTool navigate to the 'Nand Tools' tab, You will see a 'Write Xellous' Button.. Press it and a command window will pop up (it may be pushed to the back to have a look) Don't ignore the warning! if you overwrite your nand without backups your console is useless! Press any key then it will do its work Check the console log to make sure it has wrote... if there are any errors then it hasn't worked so find out why! Got xellous on your xbox? now you can get your CPU key for the console, Obtaining your CPU key Spoiler Right, so now you have xell installed to your xbox, turn your console on via the eject key, plugged into a tv and not the LPT port you should get a blue screen. Now get a camera handy and when you turn it on, you should see this: Spoiler now wait a second and you will see something like this Spoiler Now thats ^^^ is what you want to take a picture of. The console fusesets.... if you look you will see set's 3&4 and 5&6 are identical... now take either set 3&4 and 5&6 and put them together. This makes your CPU key. So mine are Set 4: AF39DF25B0CD3878 Set 5: 36C083CF14E6E4D6 So my CPU key is: AF39DF25B0CD387836C083CF14E6E4D6 Note that down and save it! you will need it in the future! Now its safe to turn off your xbox once you get your key. Now we have everything we need to build our Freeboot 0.032 image... lets move on So we have our CPU key and original image, we can now make our freeboot image what will actually carry the hack Making the FbBuild image (Kinect Dash) Spoiler Right, there are three things we need to make this image: Your CPU key Your original nand dump iHc NandTool Version 2 If you have them continue, If not look above for info on getting them! Now, lets make our image... Head over to the 'Freeboot' Tab, you should see something like this: put your CPU key what you got from xellous in the 'CPU Key:' Text field. Now we need the 1BL Key of the xbox, I cannot provide this but this can help you find it: https://encrypted.google.com/search...L Key&aq=0p&aqi=p-p2g8&aql=&oq=xbox &gs_rfai= The 1BL key is a 32 Character HEX key what will look similar to the CPU key, Once you have it put it in the '1BL Key:' Text field Now lets customise our build... If you want dashlanunch patches obviously select the 'DashLaunch Patches' Button, I recommend these but they sill are optional If your console does not have a DVD drive then select 'No DVD Drive' if it has one then select 'Use DVD Drive' (simples) Now if your console is using the wiring methods shown by me in the guide (for jtag wiring) Then select 'No Aud_Clamp Fix' But if you use the Aud_Clamp wiring method then select 'Aud_Clamp_fix' For the patched SMC Now we have customised it it should look a little like so: Now press Build then an open file dialogue will pop up, Select one of the good original nand images and press Open Now just simply let it do its stuff! The console will be very active over the next few seconds but when its done if all went well an save file dialogue will appear, Save the file and something like FbBuild.bin then just check that the console looks similar to this: If it does you are all good to go! You move on So your nearly there... made your image, now lets write it back. Writing freeboot image back to xbox Spoiler Right, were nearly there, you should be able to smell the ability to hack shizzles! We just need to get the modded freeboot image back onto the console, now just go back to the 'NandPro' tab and click 'write nand', then you will need to select the newly made freeBOOT image and click open Another window will pop up again, read the warning and press any key.. now let it do its writing.. Once its done it will say 'Press any key to continue' once it has write fully you have no jtagged your xbox! congrats! once its done, unplug the console from the computer, desoldier the LPT cable. NOT THE TWO DIODES AND JUMPER! Just the 7 that go into the pc, unless you want to keep them of course and you xbox will now officially be jtaged! Well done for doing it yourself and not going off to buy one!