[JTAG/RGH/R-JTAG] Xbox 360 Ultimate Exploit Guide

Discussion in 'Modding Tutorials' started by oblivioncth, Oct 25, 2012 with 756 replies and 447,311 views.

    Xbox 360 Ultimate Exploit Guide
    (Semi-Noob Friendly)
    By: oblivioncth
    Current Guide Status:
    Mostly up to date. I still need to add the points for Corona V5s and V6s and integrate the Slim Proto pictures instead of just linking to the TX forums but otherwise everything here is accurate.

    :D (Trust me this will change very quickly when something changes)

    I have created this tutorial based on questions I frequently see and parts of guides that I have found tend to be unclear or outdated. I know there are many guides that cover the content in this thread but I thought it was about time to make another super guide that covered many things. Also, what I mean by "Semi-Noob Friendly" is that I have included every step and have tried to make it comprehensive, but I have not dumbed it down to the lowest level possible and have not included every picture possible. I included any picture that is even partially important but not pictures of steps that aren't really needed. You will need some basic skill above just common sense, and a little bit of intuition in order to follow this.
    Each base hack method, program, or other form of work in this tutorial is not mine and credit goes to their respective creators (such as Team-Xecuter, Boxxdr, Team XeBuild, OggyUK, etc.). I have only explained to you why/how to do these methods, and added my own touch/explanation to them so that you could get the most out of them.
    Please excuse any typos because parts of this were made at very late/early hours and I may have missed some while correcting them. Feel free to post a reply quoting the typo and I will fix it. Also please notify me if any links or pictures go down. I will be glad to fix them.

    Tired of the massive number of tutorials on the subject of RGH/JTAG consoles? No luck finding a thread that has up-to-date information that fully explains the differences between the exploits and which one is good for you? Can't find a general guide that covers every part of the setup process, and can only find things about specific parts? Sick of seeing old and now incorrect tutorials with missing pictures? Then this tutorial is for you. There are too many bits and pieces missing from many tutorials and specifics for certain setups (like Zephyr consoles) that are not covered. This tutorial is an attempt to bring it all together, clear up confusion, and show every reasonable (some just are old, not worth it, or pointless) option possible. It covers everything you need to know about both exploits, shows you which one is right for you, and walks you through each step for how to do them (for the standard hacks. If you need something specific like using the console without the DVD drive, or ROL board then this is not for you, however you can use this as a base and then at any point do things differently based on your needs).
    I will try to update this thread as things change and as time moves forward. Also you may feel some pictures are too small for you to see very small pieces, so in case you didn't know you can click the pictures to make them their full size, and then again to reduce them.
    Spoilers are nice but I want this to be a mostly full depth guide that isn't cluttered so I kept the spoilers as low as I could. I have the ones I have to keep it clean, so expand the sections that only apply to you.
    Right now this tutorial is at dash 16747 (meaning the custom freeboot dash that you can update to once the console is exploited. An older dash might still be needed to exploit the console in the first place. Refer to section 4 for this) which is the most recent dash.
    This tutorial is going to be broken down into steps as follows:
    1. What is the point of exploiting your console, and is it safe?
    2. Do you have the skills/tools/materials to exploit your console?
    3. Explanation of the hack methods, and their pros/cons
    -Step 1: NAND dumping methods
    -Step 2a: JTAG
    -Step 2b: RGH
    4. Determining which method to use
    5. Modding tutorial for each method:
    -Step 0: QSB or no QSB?
    -Step 1: NAND dumping methods
    -Step 2a: JTAG
    -Step 2b: RGH
    -Step 2c: R-JTAG
    -Step 3: Xell
    6. While you're in there...
    7. Software Setup
    -Step 1: XEXmenu
    -Step 2: Freestyle dash
    -Step 3: Dashlaunch
    -Step 4: XBOX1 Emulator
    8. Afterwards

    NOTE: Some items for particular methods are listed under their sections and not beforehand. So if you want to order everything you will need before you get started, read through each section that corresponds to what you will be doing so that you know every part you will need.
    Part 1: What is the point of exploiting your console, and is it safe?
    Have you ever seen those crazy YouTube videos with people modding games like Halo, COD, and Just Cause 2 in ways you never thought were possible? Or do you want to go retro and play some old school games from your childhood or from before your time? Exploiting your Xbox 360 in this fashion will allow you to do things just like this. Exploiting your console involves making physical modifications to its internal hardware in order to circumvent Microsoft's security system. This must be done because by default Microsoft has limited what code can be run on Xboxes to only programs that are signed digitally by them and their partners. This was done for preventing piracy, online cheating, copyright infringement, avoiding fees (if you want to make a game for Xbox you have to pay fees to Microsoft, and this goes for all other companies), and other issues. The problem is that very fun and not so bad things can be done on a console that is not limited by a security system, but Microsoft and other console makers don't want to take the risk of the bad things happening. This is why console hackers exist, and this is why things are reverse engineered, so that you the end user can enjoy your devices to their maximum potential.
    This is the list of all the things you can do with a JTAG/RGH exploited xbox:
    *As I cannot remember every single thing this list is somewhat incomplete and I will add to it as I remember or find new things that can be done
    • Play almost any Xbox 360, original Xbox, or arcade game for free (though I won't tell you how to do this)
    • Get any DLC for free (though I won't tell you how to do this)
    • Use custom dashboards with many features over the original and customize their look
    • Use any sized hard drive in the hard drive port OR any sized external hard drive through USB (I HIGHLY RECOMMEND USING A LAPTOP DRIVE INSTEAD OF AN EXTERNAL USB BECAUSE IT MAKES THINGS EASIER, AS YOU CANNOT PUT DLC, ARCADE GAMES, OR ANYTHING ELSE THAT GOES IN THE "CONTENT" FOLDER ON AN EXTERNAL USB DRIVE! Though you can format part of an external USB drive as an Xbox MU but that is inefficient)
    • Mod many games in ways that can't be done on a retail with save game or other mods
    • Use custom apps created by the community to play movies, music, etc.
    • Play custom games made by the community that aren't available on a retail console
    • Take screenshots or video of your console without a capture card
    • Make your console run the same software (or a hybrid of) as development kits
    • Rip games to your hard drive and never need the discs
    • Play ANY original Xbox game instead of being limited by the retail emulator (though some games don't run very well)
    • Run Linux on your Xbox
    • Play a variety of emulators such as: MAME, Atari LYNX, SNES, NES, N64, Dreamcast, Sega Genesis, Intellivision, ColecoVision, DosBox, PS1, ScummVM, Amiga, NeoGeo, Gameboy, Gameboy Color, Gameboy Advance, and PCengine
    • Recover your DVD key
    • (RGH ONLY) Use a DemoN to do a dual NAND setup and have two consoles in one. One that can go on LIVE like a stock console, and one that is exploited and can do all of the above (DOESN'T WORK ON CORONA V2's/V4's)
    On the topic of the exploitation being safe there are two dangers. One danger is with the law. This is a very small danger but I am noting it for your safety and to cover ANY possible things that MAY happen. The chance that you will get in trouble legally is slim to none and you must do certain things to even have a remote chance at doing so. The two main things you need to worry about are piracy and sales. Piracy is possible with these modifications and is illegal, however it is unlikely you will get caught. Still, you are taking a chance if you pirate software. Also, if you start modifying tons of consoles and sell them in the wrong places (such as eBay) there is a slight possibility you will be reported. Under general use of an exploited console you are totally 99.99% safe and do not need to worry about any trouble with the law. Microsoft doesn't have time to care about every little person with an exploitable console and only cares about people who are big names in the hacking world, so you as an end user are fine as long as you don't do anything stupid. Even though the chances are extremely low I am not responsible for any trouble you get yourself into.

    On the other hand is the danger of breaking your console. It is in a sense hard to do so, but in another it is easy. If you do not have the proper skills to do these modifications you will most likely break your console. If you do not properly follow instructions you will most likely break your console. If you are not careful with your expensive merchandise you will most likely break your console. If you are horribly unlucky your console can also break. I mention that last part because there are some consoles that are so warped due to Microsoft's poor original design (phat consoles) that the simple action of disassembling your console can break it. You can get around this with even some of the weakest consoles by being very careful, but there are some that are just going to break when you open them and get extremely unlucky. AGAIN, the chance is very small but note it is a possibility. As long as you are careful and follow instructions you should be fine.

    Part 2: Do you have the skills/tools/materials to exploit your console?

    If you are experienced with soldering and have a wide array of tools then you can stop right here, you are good to go. If not keep reading. In order to make these modifications you need to be decent at soldering and have a general mechanical sense like for disassembling the console and remembering where everything goes. It is not particularly hard and as a soldering job is arguably a 4-5/10 but if you have very little or zero experience it could still be hard for you. There are a few points that are decently small and require precision and the overall project requires accuracy as well, so make sure you are not in over your head. I would not attempt this if you have no soldering experience (though I would be a hypocrite if I told you I did the same ;) as my 2nd JTAG was my first time soldering), but if you are one of those people that picks things up quickly, are a tech-y person, and you understand the risks then go for it if you want. If you really want to do this but feel too nervous about your skills, practice on some old PCB boards (things you don't care about like old VCR's, etc.) by just soldering wires in random places. It also helps to have experience using tools like pliers, and a multimeter, and having experience stripping wires (which you should have if you're experienced in soldering).

    Simply, understand the risks involved and evaluate yourself before moving forward.

    I also have a guide on soldering if you want to check it out: http://www.se7ensins.com/forums/threads/jtag-rgh-general-how-to-solder-properly-relative-to-the-xbox-360.919050/

    These are the tools you will need to do these exploits:
    *Tools in black are absolutely required, and tools in blue are highly recommended
    • A Soldering iron (preferably one that isn't complete crap and has a good tip)
    • Solder (with rosin core)
    • Solder Sucker/De-soldering Braid (if you screw up or need to change something, which is highly possible)
    • Torx 10 and 8 screwdriver
    • Flat head screwdriver (pretty small with the head being about a little less than a cm)
    • A case opening tool like this: http://www.xecuter-ck3.co.uk/case-opening-tools.html (you don't need it but if you have extra cash it helps)
    • Flux (flux pens are nice, also absolutely needed if you don't have rosin core solder)
    • Multi-meter
    • Pliers (needle nose)
    • Box cutter knife/Exacto knife
    • Wire strippers (you can use a knife or scissors if you don't have any)
    • Hot glue gun
    • A lighter/Heat-gun (if you're going to use heat-shrink)
    • A Windows XP/Vista/7 computer
    These are the materials you will need to do these exploits:
    *Materials in black are absolutely required, materials in blue are highly recommended, and specific materials needed for each method will be listed under their respective section
    • Some form of wire (kynar is best and Radio Shack's "hook-up wire" isn't bad, also it is possible to have a combination of a setup that requires no extra wire but it is good to have just in case you mess up a wire; around 22-30 AWG is good)
    • Heat-shrink/Electrical Tape (helps keep things clean)
    • Isopropyl alcohol (helps to clean off points on the motherboard)
    • Q-tips (for using with the alcohol)
    • Thermal Paste (if you remove the heatsink. Arctic Silver is a good buy. Here is how to apply it: http://www.hardwaresecrets.com/article/How-To-Correctly-Apply-Thermal-Paste/274/3)
    Also as a general note, you may need more supplies for your method. These can be picked up at Radio Shack or a similar electronic hobby store (unless otherwise noted).

    Part 3: Explanation of the hack methods, and their pros/cons

    *You may notice Step 0 and Step 3 have no explanations. This is simply because they are just parts you have to do and need no explanation.

    Each of the hack methods effectively achieves the same results but they have a few differences in their preparation and execution. There are two parts to each hack: One is dumping your NAND which is basically making a copy of your Xbox's OS/BIOS on your computer, and two is the actual hack itself that circumvents the security system. The methods of dumping your NAND are the same for the RGH/JTAG/R-JTAG hack methods so they will be covered first.

    *Pros are in blue, cons are in red

    Step 1: NAND dumping methods
    There are four ways to dump your NAND: the LPT method, the USB-SPI method (there are a few devices that are of this type but for this tutorial I will be covering Team Xecuter's NAND-X and J-R Programmer as they are the best out there), the NAND R/W kit for 4GB Coronas only, and the DemoN for those who are installing it. If you are doing a dual NAND setup and installing the DemoN it has its own way to read/write to the NAND so you will be using that, and if you have a Corona V2/V4 you HAVE to use the Corona R/W KIT (SD Card Method). So if you don't have a Corona V2/V4, and aren't using a DemoN, here is the comparison.

    -LPT Method:
    • Cheap: the materials only cost around 7 dollars
    • Involves soldering 7 wires to the Xbox and an LPT (the old purple printer port) plug with some resistors and a diode in between
    • Slow: Takes at least 30min to read your NAND AND is usually longer due to your OS configuration AND can be much more depending on your console
    • Takes some more time because you have to make it (you can buy one though if you want)
    -NAND-X/J-R Programmer Method
    • Expensive: Costs around 40 dollars (NAND-X)/20 dollars (J-R Programmer)
    • Involves soldering a few wires/pins (7) into just the Xbox. The other end plugs into the device (and if you're doing the RGH method and get the QSB's- you'll see what those are later- then you don't even have to solder, as it just plugs in on both sides)
    • Fast: Takes at least 5 minutes to read your NAND and can be a bit longer depending on your console
    • If you plan to do more than just one console it is worth the investment
    Now for the exploit methods themselves:

    JTAG
    • Easier to install, only requires 3 wires and a diode
    • Cheap: Only cost is a diode, and wires.
    • Normal boot times
    • Can only be done on phats (more likely to RROD) with the dashboard 7371 or earlier
    • Cannot run Xecuter Fusion (a custom NAND that is a hybrid of a dev NAND and retail NAND, but there are alternatives)
    RGH
    • Harder to install, requires a chip and 6-7 wires, also some smaller points
    • Expensive: Chip with wires costs around 30 dollars, and addons for certain setups that can add up to much more
    • Longer boot times: Best being around 5 seconds with average being around 15-30 seconds and worst being 1-2 minutes
    • Can be done on phats (but better to use R-JTAG) or slims (very unlikely to RROD) with any dashboard
    • Can run Xecuter Fusion
    • Can use DemoN to do a dual NAND setup (about an extra 50-60 dollars) (DOESN'T WORK ON CORONA V2's/V4's)
    R-JTAG
    • Harder to install, requires a chip and 6-7 wires, also some smaller points
    • Expensive: Chip with wires costs around 35 dollars, and addons for certain setups that can add up to much more
    • Decent Boot Times: On average they are around 10 seconds, sometimes instant boot
    • Can only be used on phats of any dash version
    • Can run Xecuter Fusion
    • Can use DemoN to do a dual NAND setup (about an extra 50-60 dollars) (DOESN'T WORK ON CORONA V2's/V4's)
    Part 4: Determining which method to use

    Now that you understand the differences between the methods, it is time to determine which one is right for you. The general rule of thumb is that if you can get your hands on a slim then RGH it as it will last you much longer. If you can only get a phat and it is above 7371 then your only choice is to RGH/R-JTAG it. If you have a phat that is at 7371 you have the choice of JTAG'ing or RGH'ing/R-JTAG'ing it, but due to the cons of the RGH/R-JTAG without the benefit of it being a slim it makes more sense to JTAG it.

    Also what is important is the motherboard type. When it comes to JTAG'ing every motherboard type is exploitable (as long as it has the right dash and is a phat) but each motherboard's average life span is not the same. So if you are able to choose the type do so in this order: Jasper, Falcon, Opus, Zephyr, Xenon (listed in order of decreasing average life span). When it comes to RGH'ing/R-JTAG'ing every motherboard type is exploitable except for Xenons (unless you just want your DVD key, because the boot times for Xenons are so long it is impractical for everyday use). The average lifespan decrease still applies so if you can choose do so in this order: Trinity/Corona (both are the same in terms of life span and are slims), Jasper (phat), Falcon (phat), Opus (phat), Zephyr (phat), Xenon (phat).

    Also note that if you're on exactly 7371 there is a chance your CB was already patched which means it is not exploitable, and the only way to know for sure is to dump your NAND (this will be discussed after you have dumped your NAND).

    Additionally when it comes to the RGH exploit there are actually two versions. RGH1 has better boot times but it stopped working after dash 14699 and only works on phat consoles (also some refurbs on this dash had their CB patched so that they cannot use RGH1 either). If you are on dash 14699 exactly you will have to check under the RGH section to see if your CB was patched and whether you can use the RGH1 wiring or not. Also, Zephyrs suck on both the RGH1 and 2 wiring so the best bet is to just R-JTAG them.

    If you are buying a JTAG'able/RGH'able/R-JTAG'able then use the above to help you choose. If you just have a console sitting around or a friend has a spare etc., use the following to check if it is exploitable:

    Check your motherboard revision with this:
    [​IMG]
    If you have a slim and it is 10.83A and made before August 2011 you have a Trinity, and if it is 9.86A and made in or after August 2011 you have a Corona. There are reportedly some Trinitys that are 9.86A so use the date as a double check (even if it is 9.86A if it was before Aug 2011 it is a Trinity). If you have a Corona and it was made in-between August 2011 and June 2012 and is the 250GB model it is a V1, and if it is a 4GB model it is a V2. If it was made in-between July 2012 and now and is the 250GB it is a V3, and if it is a 4GB model it is a V4. The NAND dumping processes on V2s/V4s is a little more complicated.

    Also if you have a Jasper you need to determine what its internal memory is. If you have no internal memory unit (as in when you go to memory there is no MU with no hard drive or external MU plugged in) then you have a normal Jasper. But if you have a MU that is close to 256MBs when empty then you have a Jasper BB 256MB, and if your MU is close to 512MBs when empty then you have a Jasper BB 512MB.

    Slim Identification Double Check:
    The above dates for slims are about 95% reliable and have been estimated based on tons of users' MFG date submissions. However, the only way to be 100% sure what kind of console you have is to open it and look at the motherboard since the power cable plugs are the same for all of them. So if you want to do so now or come back and check this once you know what you have to buy, check the spoiler for pictures of the slim motherboards.
    Trinity:
    The Trinity has a HANA chip that was removed on all Coronas. If yours has a HANA chip it is definitely a Trinity
    [​IMG]
    Corona:
    Look at the picture and focus on the "1" point. Use the 4 pictures and descriptions below the main picture to determine which version Corona you have
    [​IMG]
    Then go to System>Console Settings>System info to determine your dashboard version (you're only interested in the bold part: 2.0.XXXXX.0)

    Then use this flow chart to determine which method to use:
    [​IMG]
    Remember from this your motherboard type, dash version, and what exploit you are to use.

    Also download J-runner: http://team-xecuter.com/forums/showthread.php/82434-J-Runner-The-Ultimate-JTAG-RGH-App-*LATEST-DOWNLOAD-HERE*-%28288%29 and extract it to your desktop as a folder named "J-Runner" (so that the folder hierarchy is J-Runner/JRunner.exe)
    It is an excellent app provided by Team J-Runner that combines functions of many programs into one. We will be using it many times.

    ALSO, if you have a phat and are planning on getting a DemoN for it you will have to R-JTAG regardless of what the chart says if you want to be able to use LIVE on the stock NAND because that requires at least dash 14719. If you don't plan on using LIVE you can use the RGH1 wiring with the DemoN. So if you plan to go online with your DemoN go update your console to 14719 now. DON'T try to update over LIVE, use the official USB/CD method: http://digiex.net/downloads/download-center-2-0/xbox-360-content/dashboard-system-updates/10243-xbox-360-dashboard-update-2-0-14719-0-download.html

    If you are planning to RGH a Xenon to recover a DVD key it will work but take forever. I seriously suggest you wait for the R-JTAG hack for Xenons to be released. If you still want to do it though, just use the RGH1 wiring if you are at or below dash 14699 and the RGH2 wiring if you are above that.

    If you find that you need to use the R-JTAG method, there is a kit that contains everything you will need (Chip, QSBs, and J-R Programmer) and will save you a few bucks so I recommend getting it: https://www.modchipcentral.com/store/product.php?productid=17924

    Part 5: Modding tutorial for each method

    OK! So this is the part where you see what exactly you need for your methods and when you actually get down to work. You will need to open your console at this point, which you can see how to do at these places:

    Phat: http://www.instructables.com/id/How-to-Disassemble-a-Xbox-360/step4/ScrewsDVD-Drive/
    Slim: http://www.xboxmb.com/forum/24-xbox-360-hardware-mods/9859-how-open-xbox-360-slim.html

    When removing your motherboard don't grab it by the heatsinks!

    NOTE! I will not be telling you how to ACTUALLY solder the points as you should already know how to do that! Just remember to be patient but quick, keep it clean, use flux where needed, etc.

    First I will show you how to dump your NAND, and then I will show you how to install the exploit you need.

    Step 0: QSB or no QSB?
    Note that if the RGH is your exploit you need to decide now whether you want to buy the QSBs for your console, and if you want the QSBs you also need to do the NAND-X/J-R Programmer dump method as there isn't much reason to get the QSB's without the NAND-X/J-R Programmer . QSBs are a little board that goes on your console that makes wiring a little easier and reading your NAND a little easier, but they cost some money (around 10 bucks each). If you have a Corona V2/V4 you NEED the QSB for it, if you are using the R-JTAG hack you NEED the QSBs for the console (the starter and ultimate kit comes with them though), and if you have a Xenon there are no QSBs for you. Also, if you are getting a QSB for your console make sure it is the V3 one (The Corona V2/V4 QSB latest is V4)! (the links I provide are only examples, you don't need to buy them there, and this goes for future product links).

    For RGH, skip if JTAG/R-JTAG is your method

    QSB V3s for phat (except Xenon) (there are 2 pieces but it comes with both): http://www.xconsoles.com/products/tx-jrp-nandx-cr-phat-qsb-v3.html
    RGH QSB V3 for Trinity: http://www.vgcrepairs.biz/xilink-dev-tools/adapters/trinity-qsb-v3?cPath=124_2_86
    *There is a POST QSB for Trinitys (a 2nd QSB that goes on the bottom) but it doesn't really make a big difference so I will not talk about it
    (CR3 Lite Only!) QSB V3 for Corona V1/V3: http://www.vgcrepairs.biz/xilink-dev-tools/adapters/jrp-nandx-cr-corona-qsb-v3 (see the upcoming note about the Coolrunner Rev C)
    QSB V3 for Corona V2/V4: http://www.ozmodchips.com/corona-4gb-nand-reader-from-team-x-p-445.html AND http://www.modsupplier.com/catalog/xecuter-corona-4gb-rw-qsb-v4-p-1074.html (They aren't selling the new ones in a kit yet so you have to buy the old one to get the cable. You only need the 2nd one if you have a V4 and want it to fit perfectly)

    NOTE: If you are getting a Coolrunner Rev C because you cannot find a CR3 Lite or do not want one you will have to get the Crystal QSB since it doesn't come with the Rev C like it does on the CR3 Lite. ALSO if you are using a Rev C and have a corona v2/v4 you will need to install BOTH QSBs (The NAND R/W kit and the one with the Crystal). Under the RGH section I have a link to a Rev C bundle that comes with the Crystal QSB and more for just an extra 3 dollars. I highly recommend you get that, but here is the link for just the QSB with the Crystal: http://www.xconsoles.com/products/corona-qsb-cr-upgrade.html


    The QSBs install like this (ignore wires/white arrows and only focus how the QSBs are soldered to the motherboard):
    Phats:
    -QSB 1
    [​IMG]
    -QSB 2
    [​IMG]
    Trinity:
    [​IMG]
    Corona V1/V3 (the Crystal one looks a little different but installs the same):
    [​IMG]
    Corona V2/V4 (this is on the bottom, pictures show a V4 but the spot is the same for V2s):
    [​IMG]

    I know these pictures aren't the greatest but that is all there is on the net. Just remember that anywhere there is a solder pad that is on the edge of a QSB something most-likely needs to be soldered to it. The solder pads that are not on the edges are not used until later.

    Step 1: NAND dumping methods
    The hope is to leave this section with a Orig.bin image.

    First look at these pictures, because in each method (LPT, NAND-X, and J-R Programmer only; Corona R/W Kit and DemoN don't use these pictures and use their own which you will find under their sections) I will reference points to solder to on the board and these are those points. For each point I will refer to them by color. The colors are the same for both so just apply it to whether you have a phat or a slim. If you have a Corona V2 the QSB is how you are going to read your NAND so that should have already been installed, and you can ignore these pictures. Additionally, if you have a Corona V3 or V4 you will need to bridge some points so make sure you visit that section first.

    [​IMG]

    If within this part you see your NAND has bad blocks, don't worry as J-Runner remaps them for you!

    Resistor Bridging (for Corona V3s/V4s):
    *SKIP THIS IF YOU DON'T HAVE A CORONA V3/V4.


    You need to bridge point R2C10 if you have a V3, and points R2C6/R2C7 if you have a V3 or V4 (if the resistors are missing there):
    [​IMG]
    LPT
    This is the cheapest but longest method. You are going to need the following:
    • (5x) 100 ohm 1/2W Resistors
    • 1N914/4148 Switching Diode
    • 25-Position Male D-Sub Connector
    • 25-Position D-Sub Connector Hood (not needed but keeps it clean and safe from external shorts)
    • Wire (from material list)
    • A computer with the old school 25pin purple printer/LPT port
    The 25pin Male D-Sub Connector has a side with pins recessed and a side with pins that stick out and have holes. The following picture shows the side with holes, and on this side you are going to solder 1 of the 100 ohm 1/2W resistors to each of pink, light blue, yellow, blue, and red (direction does not matter).

    [​IMG]
    Then you are going to solder a wire from each of the points/resistor ends (for the points that now have resistors) on the 25pin plug to their corresponding colors (just match them with the ones on the board), EXCEPT that the wire coming from the orange point will have the 1N914/4148 Switching Diode on it. The diode has a black line on it that is slightly closer to one side, and that side is the one that MUST be soldered to the motherboard, while the other side will be soldered to the wire coming from the orange point on the 25pin plug. Keep the wires as short as you can while still having enough length to reach from the Xbox to your computer's port without putting too much tension on the wires.

    Now that you have done this, you simply need to plug the 25pin plug into your computer (while having your Xbox resting on some surface), and then plug in your Xbox's power brick but DO NOT turn the console on.

    Then download the following:
    -Nandpro V3.0a: http://dwl.xbox-scene.com/xbox360pc/nandtools/Nandpro30.rar
    -If you have a 64bit system you also need this: http://www.highrez.co.uk/scripts/download.asp?package=InpOutBinaries

    Extract Nandpro into a folder (called Nandpro30) on your desktop (you need WinRAR/7zip to do this). If you have a 64bit OS, extract InpOutx64.dll from the 2nd file into that folder as well; if you have a 32bit OS, once you extract the folder you must run port95.exe and install it. Then open a command prompt by searching for "cmd" (Windows 7/Vista) or going to Run (All Windows) and entering "cmd". Then you are going to type "cd desktop\Nandpro30" and press enter, and then run this command:
    Code (Text):
    nandpro lpt: -rX nand.bin
    where X is based on your console. If you have a Xenon, Zephyr, Opus, Falcon, Jasper, Trinity, or Corona V1 then X=16. If you have a Jasper BB 256MB or 512MB then X=64 (this can take a VERY long time for BB Jaspers).

    In the end you will end up with something like this:
    [​IMG]

    Now simply press enter and it should start reading, which you can see by the the 4digit alphanumeric code at the bottom that starts at 0000 and will slowly go up by 1. Once it reaches 03FF (more for BB Jaspers) it will stop and show another command line. If it didn't work then 1)You didn't run port95 or copy in InpOutx64.dll or 2) You didn't solder correctly or 3) Your Xbox's power isn't plugged in

    Now you are going to run the command again except instead of "nand.bin" at the end you are going to have "nand2.bin". This is to get 2 dumps and compare them to make sure they match, which guarantees that it is correct (lots of waiting for Jasper BBs). Now open J-Runner and click the "..." next to "source file" and select nand.bin and for the "..." next to "additional file" select nand2.bin (these are both in the Nandpro30 folder). It should tell you it is an exact match in the log. If not, keep dumping until you get two that match, and once you get a pair that matches, back up one of them somewhere as "Orig_NAND.bin" and keep it safe. Then rename the other matching dump to nanddump1.bin and move it to the "output" folder within the "J-Runner" folder that is on your desktop. Then open J-Runner and click the "..." next to "Source File" and open the nanddump1.bin you just moved.

    Keep your Xbox plugged into your computer and its power, and keep J-Runner open but close Nandpro. Then move on to Part 2a if you are using the JTAG method or Part 2b if you are using the RGH method.

    NAND-X/J-R Programmer
    This is the fastest and easiest method, but you need one of these: http://www.modsupplier.com/catalog/xecuter-nandx-rgh-edition-jtag-kit-v3-p-916.html

    When you receive your NAND-X/J-R Programmer it will come with a plug that simply has wires or has black plastic with legs at the end, and a plug that has wires with a few ends that are colored green, blue, and white.
    If you have the QSB's installed you simply plug the wire with the colored ends into your NAND-X/J-R Programmer (bottom port if you're facing the top of it) and then the colored ends into their respective plugs on the QSBs (the colors match, though the blue and green can be a bit hard to tell apart so look carefully, AND there are 2 white plugs, one with 2 pins which isn't the one you want and one with 3 pins which is the one you want) and skip the next paragraph.

    If you don't have the QSBs or you are JTAG'ing you need to solder the wires/legs (depending on what yours comes with) directly to the points. Use the following picture to see what wires/legs to solder to which points:

    [​IMG]
    It is possible that your cable will have different colors (though unlikely). If that is the case simply match the wires based on where they connect to the white end. For example, if the cable that is blue in my picture is green for you, still match it with the blue point on the board.

    Then plug the other end into your NAND-X/J-R Programmer (bottom port if you're facing the top).

    Plug in your NAND-X/J-R Programmer with the mini-USB cable to your computer. Now you need to install your NAND-X/J-R Programmer drivers. Use this page to do that: http://www.team-xecuter.com/forums/showthread.php?t=85709

    Then open J-Runner. Now click "Read Nand" at the top. It should auto detect your console type and start reading. If it doesn't and instead brings up a list, select your console type, and for JasperBB owners it will bring up a prompt where you must select your MU size (256MB or 512MB), and then click OK. It should start reading. If it doesn't in either case then check your soldering, make sure your drivers are installed, and make sure everything is plugged in. When it is done reading twice it should automatically add your nand dumps to the "Source File" and "Additional File" fields and compare them, which you can see by the text "NANDs are the same" in the log. If they are not the same keep trying until they are (you might have to restart the program to do this). Then make a backup (copy don't move) of the "nanddump1.bin" file (this is in the "output folder" within your "J-Runner" folder on your desktop) as "Orig_NAND.bin" and keep it safe.

    Keep your Xbox plugged into your computer and its power, and keep J-Runner open. Then move on to Part 2a if you are using the JTAG method, Part 2b if you are using the RGH method, or Part 2c if you are using the R-JTAG method.

    SD-Card (Corona V2/V4)
    You will need an SD-Card reader for this.

    This is relatively simple since your QSB is already in. Simply attach the cable and "SD-Card", plug it into your reader, and then plug in the Xbox's power supply but DO NOT TURN IT ON.
    Then open J-Runner.

    Click the small box with the text "NAND Type". Then select "Corona 4GB". Then click the button towards the top that says "Read NAND". You should now be here:
    [​IMG]
    Select your device in the list, then click Read. Once it is done it should read a second one for you and then automatically compare them in the log, which you can see by the text "NANDs are the same". If not, change the output file name to nanddump2.bin and do it again, and then manually add both nand dumps (these files are in your "output" folder within your "J-Runner folder" on your desktop) to the "source file" and "additional file" fields, and then click "Nand Compare". You should get the "NANDs are the same" message. If in either case the NANDs don't match try again until they do (you might have to restart the program to do this). Then make a backup (copy don't move) of the "nanddump1.bin" file as "Orig_NAND.bin" and keep it safe.

    Keep your Xbox plugged into your computer and its power, and keep J-Runner open. Then move on to Part 2b since you are using the RGH method.

    DemoN
    *NOTE: This DemoN tutorial assumes that you are using the DemoN so that you can have a stock image that can go on LIVE. If you want to do something else with the other NAND then substitute the LIVE NAND in the tutorial with whatever you want to use.
    If you went with a dual NAND setup and are installing the DemoN then you will be using it to dump your NAND image.

    What you need:
    Phat Install:
    Overall it is going to look like this:
    [​IMG]

    First, if you are using a BB Jasper solder on the conversion kit like so:
    [​IMG]

    Then, use the following diagram/pictures to solder the DemoN to the underside of the board. Pink spots are where the DemoN is anchored directly to the board, and the other colors are places for wires to run so just match the colors/numbers. Orange and brown wires don't have labels on the 1st diagram but you can see where they go in the other pictures. They are the optional remote power and sync wires respectively:
    [​IMG]
    [​IMG]
    [​IMG]
    *Ignore the Yellow wire here. It's part of the Coolrunner.

    Trinity (Slim) Install:
    Overall this is what it is gonna look like, but ignore the QSB with the thick white cable and yellow cable (it's something you won't be installing):
    [​IMG]

    Use the following diagram/pictures to solder the DemoN to the underside of the board. Pink spots are where the DemoN is anchored directly to the board, and the other colors are places for wires to run so just match the colors/numbers. Orange and brown wires don't have labels on the 1st diagram but you can see where they go in the other pictures. They are the optional remote power and sync wires respectively:
    [​IMG]
    [​IMG]
    [​IMG]
    Corona V1/V3 (Slim) Install:
    *Thanks ZerOneX for some of these pictures
    First, in order to make the DemoN fit on the Corona, you are going to have to install the QSB.

    Install the QSB here. All the points that are labeled are where it is soldered to the board, and the unlabeled ones are where you solder the DemoN to it:
    [​IMG]

    Then the DemoN goes on top of it like this:
    [​IMG]

    Now overall it is gonna look like this:
    [​IMG]

    Use the following pictures to solder the DemoN to the board. There is no diagram, but the pictures should suffice. Also you might want to tape down the side of the board with the orange wires because it lacks a solder joint so it isn't held down on that side (some people use part of the Coolrunners adhesive pad):
    [​IMG]
    [​IMG]
    *This wire wasn't in the previous picture, but you can see it in the overall one. It goes right next to the orange wire

    Now that your DemoN has been installed, it is time to get a dump of your NAND, but MAKE SURE THAT THE SWITCH IS ON "Xbox". First you will need to plug in the thing so you will need to temporarily plug in the ribbon cable (that goes to the daughterboard) and the daughterboard (you may also want to ground the daughterboard temporarily to be safe). Then plug your mini-USB cable into that, and the other end into your PC.

    Open J-Runner. It should detect your DemoN. You will know it did because you will get an extra drop-down menu at the top labeled "DemoN", and it will show the DemoN logo. Next, make sure that in the lower right corner where it says "Flash" it shows "Xbox360" not "DemoN", and if it does show "DemoN" simply click the "DemoN" menu and select "Toggle NAND" and it will switch. Now click "Read Nand" at the top. It should auto detect your console type and start reading. If it doesn't and instead brings up a list, select your console type, and for JasperBB owners it will bring up a prompt where you must select your MU size (256MB or 512MB), and then click OK. It should start reading. If it doesn't in either case then check your soldering, make sure your drivers are installed, and make sure everything is plugged in. When it is done reading twice it should automatically add your NAND dumps to the "Source File" and "Additional File" fields and compare them, which you can see by the text "NANDs are the same" in the log. If they are not the same keep trying until they are (you might have to restart the program to do this). Then make a backup (copy don't move) of the "nanddump1.bin" file (this is in the "output folder" within your "J-Runner" folder on your desktop) as "Orig_NAND.bin" and keep it safe.

    Now that you have a NAND backup, keep your DemoN plugged in and move on to Step 2b: RGH if you are using the RGH method or Step 2c: R-JTAG if you are using the R-JTAG method.
    Step 2a: JTAG
    Now if you are on exactly dash 7371 (and therefore trying to JTAG) it is time to find out if your Xbox is JTAG'able. If this doesn't apply to you skip this. In J-Runner (it should still be open with your motherboard type selected and your NAND dump selected under "Source File") look over to the middle right and check out in the "Nand Info" section where it says "2BL [CB]". Look at what your CB is and see if it is in this list:
    -Xenon: 1922, 1923, 1940, 7373
    -Zephyr: 4571, 4572, 4578, 4579, 4580
    -Falcon/Opus: 5771
    -Jasper: 6750

    If your CB is on this list it is patched and not JTAG'able. If it is not on this list you are good to go.

    Checklist:
    • You're here because you found in the flow chart that your exploit method is the JTAG method (dash is 7371 or less and console is a phat)
    • You have Orig.bin NAND dump backed up
    • Your CB is not on the list of patched CBs
    There are three main ways to JTAG your console:
    1. The Xenon Method (only for Xenon consoles)
    2. The Boxxdr Method (Zephyrs, Opus, Falcon, and Jasper)
    3. The Boxxdr Method plus DVD Tray (Zephyrs, Opus, Falcon, and Jasper)

    There are more variations of these methods but these are the only ones you need to care about as the Boxxdr method is the most stable. If you have a Xenon motherboard you do its one and only method, if you have any other motherboard you do the 2nd method (Boxxdr). In general the default method should work for you so go for it, but some consoles will rarely require the Boxxdr Method plus the DVD tray point. So if you get to the part with booting Xell and the console doesn't boot, you frequently get E79's, or you have problems with HDMI and really want it, come back here and check out the 3rd method.

    Method 1 (Xenon):
    What you need:
    • Wire (from materials list)
    • (2x)1N914/4148 Switching Diode
    In J-Runner (it should still be open with your motherboard type selected and your NAND dump selected under "Source File") in the upper right section titled "XeBuildOptions" click the drop down and select "Add Dash". In the window that appears check off "16747" and click "Add Dashes". Then in the same drop down select "16747" as it will now be in the list, and then select "JTAG" so its bubble is filled. Now back in the upper left click "Create Xell-Reloaded". The log should say "Xell File Created Successfully xenon.bin".

    Now follow which one applies to you:
    A) You used the LPT method to dump your NAND
    B) You used the NAND-X/J-R Programmer method to dump your NAND

    A) Keep J-Runner open, and copy the xenon.bin file from the output folder in the J-Runner folder on your desktop into the Nandpro30 folder. Then open a Command Prompt again ("cmd") and type "cd desktop\Nandpro30" and press enter, and then type in this command:
    Code (Text):
    nandpro lpt: -w16 xenon.bin
    You will end up with something like this:
    [​IMG]

    Now simply press enter and it should start writing, which you can see by the 4-digit alphanumeric code at the bottom that starts at 0000 and will slowly go up by 1. Once it reaches 004F (more for BB Jaspers) it will stop and show another command line. If it didn't work then 1) Check your soldering or 2) Your Xbox's power isn't plugged in.

    Now that this is done you can close Nandpro and remove your LPT plug from your computer and your Xbox. We won't be needing it any longer. Also, unplug the Xbox's power.
    ---END OF A---
    B) In J-Runner click "Write Xell Reloaded" and you should see it start writing in the log. If not then make sure your NAND-X/J-R Programmer is still connected to your computer and the motherboard and the Xbox's power is plugged in. When it reaches 03FF it will complete.

    Now that this is done you can disconnect the NAND-X/J-R Programmer from your computer and your Xbox. Also, unplug the Xbox's power.
    --END OF B--

    Now use this diagram to solder the actual JTAG wires:
    [​IMG]
    The red line is a simple jumper wire while the yellow and blue are bridging wires with one switching diode each. For both the blue and yellow wires, the end of the diode that has the black line closer to it MUST be soldered to the motherboard by J1F1, while the wire is soldered to the other end of the diode and then to its respective point by J2D2. Once this is done, put your Xbox back together to the point where the motherboard is in the metal shell, the fans are in and the fan shroud is on, and the front Ring of Light board is plugged in. Then move on to Step 3.

    Method 2 (Boxxdr - All other consoles):
    What you need:
    • Wire (from materials list)
    • (2x) 10K Ohm 1/2watt or 1/4watt Resistors
    • (2x) 2N3904 Transistors
    • Heat shrink is a must here
    In J-Runner (it should still be open with your motherboard type selected and your NAND dump selected under "Source File") in the upper right section titled "XeBuildOptions" click the drop down and select "Add Dash". In the window that appears check off "16747" and click "Add Dashes". Then in the same drop down select "16747" as it will now be in the list, and then select "JTAG" so its bubble is filled. Also check off the "Aud_Clamp?" option. Now back in the upper left click "Create Xell-Reloaded". The log should say "Xell File Created Successfully [motherboard type]_hack_aud_clamp.bin".

    Now follow which one applies to you:
    A) You used the LPT method to dump your NAND
    B) You used the NAND-X/J-R Programmer method to dump your NAND

    A) Keep J-Runner open, and copy the [motherboard type]_hack_aud_clamp.bin file from the output folder in the J-Runner folder on your desktop into the Nandpro30 folder. Then open a Command Prompt again ("cmd") and type "cd desktop\Nandpro30" and press enter, and then type in this command:
    Code (Text):
    nandpro lpt: -wX  [motherboard type]_hack_aud_clamp.bin
    where X is based on your console. If you have a Xenon, Zephyr, Opus, Falcon, or Jasper then X=16. If you have a Jasper BB 256MB or 512MB then X=64 (this can take a VERY long time for BB Jaspers).

    In the end you will end up with something like this:
    [​IMG]

    Now simply press enter and it should start writing, which you can see by the 4-digit alphanumeric code at the bottom that starts at 0000 and will slowly go up by 1. Once it reaches 004F it will stop and show another command line. If it didn't work then 1) Check your soldering or 2) Your Xbox's power isn't plugged in.

    Now that this is done you can close Nandpro and remove your LPT plug from your computer and your Xbox. We won't be needing it any longer. Also, unplug the Xbox's power.
    ---END OF A---
    B) In J-Runner click "Write Xell Reloaded" and you should see it start writing in the log. If not then make sure your NAND-X/J-R Programmer is still connected to your computer and the motherboard and the Xbox's power is plugged in. When it reaches 03FF (more for BB Jaspers) it will complete.

    Now that this is done you can disconnect the NAND-X/J-R Programmer from your computer and your Xbox. Also, unplug the Xbox's power.
    --END OF B--

    For the actual soldering this is the area of the board you will be focusing on, and you can either remove the solder from these points (like in the picture), or push the legs of the components through them:
    [​IMG]

    You need to insert the resistors into the points shown and bend their legs back like such, but leave enough of the legs sticking out the bottom so that you can fold them together like in the next picture:
    [​IMG]
    [​IMG]

    Now you are going to solder in the transistors so that their labels are facing away from the heatsink, their bottom legs are in their respective holes, their middle legs are soldered to the bent back legs of the resistors, and their top legs have nothing. It will look like this:
    [​IMG]

    Then you are going to solder one wire to the top leg of each transistor and feed them through the shown holes in the board. Make sure you use heat shrink on these so they don't short with the other legs:
    [​IMG]

    Then you are going to solder each wire to their respective point on the bottom in these pictures:
    [​IMG]
    [​IMG]

    Once this is done, put your Xbox back together to the point where the motherboard is in the metal shell, the fans are in and the fan shroud is on, and the front Ring of Light board is plugged in. Then move on to Step 3.

    Method 3 (Boxxdr plus DVD tray):
    If you have had troubles with booting, freezing, or HDMI then you should be returning here. It is extremely rare that a person needs this wiring so I will not be directly discussing it (this tutorial is long enough) so check out this page and find the section about "Open_tray" if you really need it:
    http://www.team-xecuter.com/forums/showthread.php?t=55189

    CONTINUED ON NEXT POST
    Last edited: Apr 21, 2014 at 7:10 PM
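The read-twice-and-compare step from Step 1 above, as an added example that is not part of the original post and is not J-Runner's or Nandpro's own code: it compares two dump files block by block, lists differing blocks in the same 4-digit hex form as the Nandpro counter, and also flags a pair that only "matches" because both reads are empty or one repeated byte value. The 0x4200-byte block size and all function names are assumptions, and the sample data in `demo()` is constructed.

```python
import hashlib
import os
import sys
import tempfile
from dataclasses import dataclass, field

# Assumption (not stated in the guide): a raw dump that includes spare data
# stores 32 pages of 512 + 16 bytes per block, i.e. 0x4200 bytes per block.
BLOCK_SIZE = 0x4200


@dataclass
class CompareResult:
    size_a: int
    size_b: int
    digest_a: str
    digest_b: str
    bad_blocks: list = field(default_factory=list)  # indexes of differing blocks
    uniform: bool = False  # dump A is empty or one repeated byte value

    @property
    def trustworthy(self):
        """True only if both reads agree AND the content is not a blank read."""
        return (self.size_a == self.size_b and self.size_a > 0
                and not self.bad_blocks and not self.uniform)


def compare_dumps(path_a, path_b, block_size=BLOCK_SIZE):
    """Stream both files once, hashing each and recording differing blocks."""
    hash_a, hash_b = hashlib.sha256(), hashlib.sha256()
    bad_blocks, seen_values, index = [], set(), 0
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        while True:
            block_a, block_b = fa.read(block_size), fb.read(block_size)
            if not block_a and not block_b:
                break
            hash_a.update(block_a)
            hash_b.update(block_b)
            if block_a != block_b:          # also catches a truncated file
                bad_blocks.append(index)
            if len(seen_values) < 2:        # stop tracking once data varies
                seen_values.update(block_a)
            index += 1
    return CompareResult(os.path.getsize(path_a), os.path.getsize(path_b),
                         hash_a.hexdigest(), hash_b.hexdigest(),
                         bad_blocks, uniform=len(seen_values) < 2)


def format_report(result):
    """Human-readable summary; block numbers use the 0000..03FF style."""
    lines = [f"A: {result.size_a} bytes  sha256={result.digest_a}",
             f"B: {result.size_b} bytes  sha256={result.digest_b}"]
    if result.size_a != result.size_b:
        lines.append("Sizes differ: one read was cut short.")
    if result.bad_blocks:
        shown = ", ".join(f"{i:04X}" for i in result.bad_blocks[:16])
        lines.append(f"{len(result.bad_blocks)} differing block(s): {shown}")
    if result.uniform:
        lines.append("Dump A is empty or a single repeated byte: not a real read.")
    verdict = "dumps match" if result.trustworthy else "do NOT keep this pair"
    lines.append("RESULT: " + verdict)
    return "\n".join(lines)


def demo():
    """Run the comparison on small constructed dumps (not real console data)."""
    block = 16                                   # tiny block size for the demo
    good = bytes(range(64))                      # 4 blocks of varying data
    flipped = bytearray(good)
    flipped[40] ^= 0x01                          # single bit error in block 2
    blank = b"\xff" * 64                         # one repeated byte value
    samples = {"a": good, "b": good, "c": bytes(flipped), "d": blank, "e": blank}
    with tempfile.TemporaryDirectory() as tmp:
        paths = {}
        for name, data in samples.items():
            paths[name] = os.path.join(tmp, name + ".bin")
            with open(paths[name], "wb") as handle:
                handle.write(data)
        return {
            "match": compare_dumps(paths["a"], paths["b"], block),
            "bit_error": compare_dumps(paths["a"], paths["c"], block),
            "blank_pair": compare_dumps(paths["d"], paths["e"], block),
        }


if __name__ == "__main__":
    if len(sys.argv) == 3:   # e.g. python compare_dumps.py nand.bin nand2.bin
        outcome = compare_dumps(sys.argv[1], sys.argv[2])
        print(format_report(outcome))
        sys.exit(0 if outcome.trustworthy else 1)
    for name, outcome in demo().items():
        print(f"--- {name} ---\n{format_report(outcome)}")
```

Recording the SHA-256 of the pair you keep lets you confirm later that the stored backup copy is still byte-identical to what was read.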
  2. oblivioncth
    Step 2b: RGH
    Checklist:
    • You're here because you found in the flow chart that your exploit method is the RGH method (dash higher than 7371, and console is a slim or a Xenon)
    • You have Orig.bin NAND dump backed up
    What you need now:
    • Slim Proto Chip: This is the best method to use for slim consoles. It is the easiest to get working and has the best boot times. The other instructions for slims are here if you get your hands on some old chips but otherwise there is no reason you shouldn't use a Slim Proto. There is a V1 and a V2. The V2 is a bit better and easy to find (while the V1s are rare) but a V1 will work fine if you get your hands on one.
    • Coolrunner: There are basically two ways to go with the Coolrunners if you can't get a Slim Proto or have a phat that you want to RGH1. A CR3 Lite or a Coolrunner Rev C with its addons. The CR3 Lite is essentially the rev C and its addons so it is a lot easier to use but there are 2 problems with it. First, it doesn't work as well as the rev C on Trinitys, and second TX has stopped making them so they are hard to get. Basically if you can get a CR3 Lite and don't have a Trinity get it. Otherwise if you have a Trinity or cannot find a CR3 Lite then get a Coolrunner Rev C.
    Slim Proto V2: http://www.modsupplier.com/catalog/xecuter-slim-proto-v2-tx-p-1093.html
    CR3 Lite - http://www.xconsoles.com/products/tx-cr3-lite.html
    Coolrunner Rev C - http://www.xconsoles.com/products/cr-rev-c-mega-bundle-1.html or http://www.modchipcentral.com/store/product.php?productid=17959
    NOTE: There is another Coolrunner, the CR3 Pro, that is available for purchase. I will not be talking about it in this guide however because its setup is a bit different and it is intended for advanced users. Plus the Proto is better anyway.

    Now if you are on dash 14699 exactly and you have a phat you need to check your CB version (skip if you are above or below this dash) to see if you can use the RGH1 method for faster boot times. In J-Runner simply look to the right under "NAND info" and check your "2BL [CB]" version. If your CB version is any of the following or higher then you unfortunately need to use the R-JTAG method:
    - Zephyr CB 4577, 4575
    - Falcon/Opus CB 5772, 5773
    - Jasper CB 6752, 6753

    In J-Runner (it should still be open with your motherboard type selected and your NAND dump selected under "Source File") in the upper right section titled "XeBuildOptions" click the drop down and select "Add Dash". In the window that appears check off "16747" and click "Add Dashes". Then in the same drop down select "16747" as it will now be in the list, and then select "Glitch" so its bubble is filled. Then look in the drop down just below that where it says "RGH". If you are using the RGH1 wiring then leave it as is, but if you are using the RGH2 wiring then change it to RGH2.

    Now there are four scenarios you could have at this point:
    1) You have a NAND-X/J-R Programmer and used it to read your NAND
    2) You don't have the NAND-X/J-R Programmer and read your NAND with LPT
    3) You have a Corona V2/V4 and therefore don't own a NAND-X/J-R Programmer
    4) You have a DemoN and used that to read your NAND

    NOTE!: You'll know if your Coolrunner is getting power if the red and green lights come on, and the green light will turn off once it programs. Additionally, if for some reason J-Runner does not automatically select the right .xsvf files for you and brings up the selection prompt you must select the timing file manually. If you have a Falcon select "Falcon" and if you have a Trinity select "Trinity". If you have any other console you can use A, B or C (and if you want, try each one to see which gives the best boot times). Also if you are using a DemoN make sure you check off "DemoN Installed" at the bottom.

    NOTE2: Even if you have a Corona V2/V4 if you want to spend the extra money you can buy a NAND-X/J-R Programmer and use that to program the Coolrunner instead of the LPT cable. Just follow number one instead.

    NOTE3: If you are using a Slim Proto chip follow the next steps normally but SKIP any part that talks about programming the chip/coolrunner as they come pre-programmed.


    Also, if you are above dash 14719 the "Create ECC" button is probably greyed for you. If this is the case just skip that and go right to pressing "Write ECC". If that doesn't work you can always use the "Write ECC for >14719" function under the advance tab.

    1)
    If you have the NAND-X/J-R Programmer simply plug in the Coolrunner to it with the NAND-X to coolrunner cable, and then plug the NAND-X/J-R Programmer into your computer like so (in the picture is the coolrunner rev c. but the Coolrunner plugs in the same way):
    [​IMG]
    Now once both are plugged in make sure "USB" is selected under "CoolRunner Programming" in the upper left, the Coolrunner switch is set to PRG, and unplug the NAND reading cable that is in the side of your NAND-X/J-R Programmer (don't detach/desolder it from the board!) and then click "Flash CoolRunner". Once it is done you can detach the Coolrunner and "NAND-X/J-R Programmer to Coolrunner Cable" and set them aside. Now plug the NAND reading cable back into the NAND-X/J-R Programmer. Now, in J-Runner click "Create ECC" in the upper left, and make sure there are no errors in the log (there really shouldn't be so if you get one google it). Then click "Write ECC" in the upper left and wait for it to finish. Then you can disconnect the NAND-X/J-R Programmer from your console and computer and move onto the next step. Also, unplug the Xbox's power.
    --END OF 1--

    2)
    If you don't have the NAND-X/J-R Programmer you need to attach the LPT cable you bought or made to your Coolrunner. If you bought the pre-made one it connects so that you can see the metal contacts (so they are facing up), and if you made one wire it up as shown in the schematic. Usually the pre-made cable comes with a sticker so you can make sure it's facing the right way. Yours may be different. Also if you bought the pre-made one you will see that it doesn't have an external power source like the homemade one. Some computers' LPT ports provide enough power on their own but if it doesn't work you have to connect the included 2 wire power cable to the Coolrunner and then cut the plug off the other end and get 3.3v from the Xbox's DVD port (you can go straight from the port, but if you do don't solder or you may never get the plug back in, or use an old DVD drive power cable). You wire the black to ground and the red to the 3.3v pin. Then simply plug in the Xbox's power brick (but don't turn it on) and it should power your Coolrunner while on standby.

    DVD port power:
    [​IMG]

    Then make sure the switch is set to NOR, and "LPT" is selected under "CoolRunner Programming".
    You also need to specify your LPT port, though usually the default value is correct. If the default doesn't work you need to go to the "Device Manager" in windows, find your LPT port in it, which will look something like this:
    [​IMG]
    and then right click on it and select "Properties" and then go to the resources tab. For the number you find ignore the "0x" and just put the rest in. Now click "Flash CoolRunner" and when it finishes you can unplug the Coolrunner and its power and set them aside. Now, in J-Runner click "Create ECC" in the upper left and make sure there are no errors (there really shouldn't be so if you get one google it). Now open your J-Runner folder and then "output", and in there copy the "image_00000000.ecc" file to the Nandpro30 folder. Then reopen a command prompt and cd to your Nandpro30 folder again (you should know how to do this now) and then type this command:
    Code (Text):
    nandpro lpt: +w16 image_00000000.ecc
    It will look like this:
    [​IMG]
    Then press enter and it will write up to 004F so it should go fast. When done disconnect the LPT cable and move onto the next step. Also, unplug the Xbox's power.
    --END OF 2--

    3)
    If you have a Corona V2/V4 you will be following a method similar to scenario 1:
    Attach the LPT cable you bought or made to program your Coolrunner. If you bought the pre-made one it connects so that you cannot see the metal contacts (so they are facing down), and if you made one wire it up as shown in the schematic. Also if you bought the pre-made one you will see that it doesn't have an external power source like the homemade one. Some computers' LPT ports provide enough power on their own but if it doesn't work you have to connect the included 2 wire power cable to the Coolrunner and then cut the plug off the other end and get 3.3v from the Xbox's DVD port (you can go straight from the port, but if you do don't solder or you may never get the plug back in, or use an old DVD drive power cable). You wire the black to ground and the red to the 3.3v pin. Then simply plug in the Xbox's power brick (but don't turn it on) and it should power your Coolrunner while on standby.

    DVD port power:
    [​IMG]

    Then make sure the switch is set to NOR, and "LPT" is selected under "CoolRunner Programming".
    You also need to specify your LPT port, though usually the default value is correct. If the default doesn't work you need to go to the "Device Manager" in windows, find your LPT port in it, which will look something like this:
    [​IMG]
    and then right click on it and select "Properties" and then go to the resources tab. For the number you find ignore the "0x" and just put the rest in. Now click "Flash CoolRunner" and when it finishes you can unplug the Coolrunner and its power and set them aside. Now, in J-Runner click "Create ECC" in the upper left, and make sure there are no errors in the log (there really shouldn't be so if you get one google it). Then click "Write ECC" in the upper left. It will pop-up with that special read/write menu, and if it didn't start writing automatically just make sure the ECC is loaded into the bar and click "Write" and wait for it to finish. Then you can disconnect the R/W Kit cable from your Xbox and computer, and move onto the next step. Also, unplug the Xbox's power.
    --END OF 3--

    4)
    Luckily for you the DemoN can be used to program the Coolrunner as well as read the NAND.
    Plug in the Coolrunner to the DemoN using the included ribbon cable. There are two cables but one is smaller than the other so it is easy to tell which one is the right one. Now once that is plugged in make sure "USB" is selected under "CoolRunner Programming" in the upper left, the Coolrunner switch is set to PRG, and the DemoN's and Coolrunner's power lights are on. Then click "Flash CoolRunner". Once it is done you can detach the Coolrunner from the DemoN and set it aside. Now, in J-Runner click "Create ECC" in the upper left, and make sure there are no errors in the log (there really shouldn't be so if you get one Google it). Then in the DemoN drop down menu click "Toggle NAND" and then make sure that at the bottom of J-Runner it shows that the DemoN's NAND is selected. Now click "Write ECC" in the upper left and wait for it to finish. Then you can disconnect the DemoN's USB cable from your computer, switch the device switch to "Xbox" instead of "PC", and move onto the next step.

    NOTE: If you went with a Coolrunner Rev C follow the same steps as above, but you must modify the Coolrunner so that it can connect to the DemoN in this fashion (the board that plugs into the Coolrunner Rev C comes with the DemoN):
    [​IMG]
    Plug the board in and then solder the EN connection from the board to the Coolrunner.

    NOTE2: There are some users who have reported that they aren't able to program the DemoN until the Coolrunner is soldered into the motherboard. If you cannot program the DemoN now continue on and once you have installed the Coolrunner into the board then try programming it.
    --END OF 4--

    Installing the POST_OUT fix (for Corona V3s/V4s):
    *SKIP THIS IF YOU DON'T HAVE A CORONA V3/V4.


    If you have a Corona V3/V4 you will need to install the POST_OUT fix in order to regain the yellow wire/C connection. You have to remove the heatsink in order to do this (see the slim opening guide you used to open the console). It goes on relatively simply like so (use the solder anchors to fix it in place):
    [​IMG]

    Wiring/Jumper Settings for Coolrunner:
    The wiring/jumper settings will differ depending on whether you have a phat, a trinity, or a corona v1/v2. Standard soldering rules apply, simply make all the connections in the pictures and place the Coolrunner where indicated. Also you may run into a wire being too short. If that is the case, extend it with your own wire. Additionally you will notice that for each of these diagrams the "Ground" location points to the AV port. Simply solder the ground wire in-between the top of the port and next to one of the prongs that sticks up (in the corner they create). Any arrows you see pointing to a hole means that the wires of that color are to be sent through it to the other side of the board.

    NOTE: If you have a Coolrunner Rev C and its addons instead of a Coolrunner Lite you will need to wire in the addons so I will go over these now.

    CPU Signal Cleaner (RGH1 and 2):
    *Can be used with the RGH1 or 2 wiring but isn't really needed on RGH1 setups. Highly recommended for RGH2 setups!

    As you can see this is where to place the cleaner on either system type:
    [​IMG]
    [​IMG]
    Just cut off a small part of your blue CPU_RST cable and use it to solder "D" on the Coolrunner to "D" on the CPU Signal Cleaner and then solder "CPU_RST" on the cleaner to the actual CPU_RST point on the motherboard with the rest of the blue cable. Switch settings will be shown under each motherboard's (Phat, Trinity, Corona) section.

    Multi-Cap Addon (RGH1 ONLY):
    This only applies to RGH1 setups so if you are using the RGH2 wiring leave it off.
    This is how you install the addon:
    [​IMG]
    Switch settings will be shown under each motherboard's (Phat, Trinity, Corona) section.

    Phat:
    Wiring:
    Place the Coolrunner with its sticky pad here (it is on the AV port; Rev C is smaller but goes in the same place):
    [​IMG]

    RGH 1:

    There are now two possibilities. You either have the QSB's or you don't. Whatever you have you are going to refer to the same diagrams, but for QSB owners you are going to wire the 3V3 and B wires to the points labeled on the QSB's instead (for the 3V3 wire it is the one with the large text, not the small text):
    [​IMG]

    RGH 2:
    Since you have a Xenon you must install the wires alone to these points:
    [​IMG]
    If you have trouble soldering to B (if you aren't using the QSBs and only wires), here is a good alternate point for both RGH1 and RGH2 Wiring (pictures provided by pinkfloydviste):

    FT3N2
    [​IMG]

    If you have trouble booting, here are different techniques for laying wires: http://team-xecuter.com/forums/showthread.php?t=82208



    If you have trouble with a Zephyr: http://team-xecuter.com/forums/showthread.php?t=84048


    It is important that you run CPU_RST along the bottom of the board because the top has too much interference.
    Jumper Settings:

    CR3 Lite:
    Refer to the following picture:
    [​IMG]

    For non-Jaspers:
    LK1 - Short the points
    LK2 - Leave alone
    LK3 - Leave Alone (Short if using RGH1 wiring)
    LK4 - Leave alone

    For Jaspers:
    LK1 - Short the points
    LK2 - Short the points
    LK3 - Leave Alone (Short if using RGH1 wiring)
    LK4 - Leave alone

    For all phats:
    -8 switch (S2) dip: Set one and five on (up position) and the rest off. Then later try combos of 2,3, and 4, and 6,7,8 (2 on at a time) if you want to try to improve glitch times.
    -6 switch (S4) dip: Set 1 on and the rest off. Then later try different ones on (one at a time) if you want to try to improve glitch times.
    -Set the operation switch to "Phat" (if you have slow times try "Slim" later)


    Coolrunner Rev C:
    Refer to the following picture:
    [​IMG]
    Jumper 1: JP closed for RGH1, open for RGH2
    Jumper 2: Try both and see what works best for you
    Jumper 3: Usually needed on only Jasper, but you can try it on any phat

    Rev C Addons:

    CPU Signal Cleaner -
    [​IMG]
    Try combos of 1 on for each dip switch (i.e. 1K and 470p, not 1K and 2K). Only one on at a time!

    Multi-Cap Addon -
    [​IMG]
    Try just one on at a time.

    Now, put the motherboard back into the metal shell, reattach the heatsink if you removed it (remember to use thermal paste), and plug in the front ROL board, then move on to Step 3: Xell

    Trinity:
    I will integrate these instructions when I get the chance but for now here is how to use the Slim Proto: http://team-xecuter.com/forums/showthread.php?t=139308

    Everything else in this section is for the older methods.
    Wiring:
    Place the Coolrunner with its sticky pad here (it is on the AV port; Rev C is smaller but goes in the same place):
    [​IMG]

    There are now two possibilities. You either have the QSB's or you don't. Whatever you have you are going to refer to the same diagrams, but for QSB owners you are going to wire the 3V3, B, E, and F wires to the points labeled on the QSB's instead:
    [​IMG]
    If you have trouble soldering to B (if you aren't using the QSBs and only wires), here is a good alternate point (pictures provided by pinkfloydviste):

    FT2R2
    [​IMG]

    If you have trouble booting, here are different techniques for laying wires, and other helpful info: http://www.team-xecuter.com/forums/showthread.php?t=86641

    Jumper Settings:

    CR3 Lite:
    Refer to the following picture:
    [​IMG]
    For Trinity:
    LK1 - Short the points
    LK2 - Short the points
    LK3 - Leave alone
    LK4 - Short the points 1&2 (or if you have trouble/bad boot times try desoldering the points)
    -8 switch (S2) dip: Set one and five on (up position) and the rest off. Then later try combos of 2,3, and 4, and 6,7,8 (2 on at a time) if you want to try to improve glitch times.
    -6 switch (S4) dip: Set 1 on and the rest off. Then later try different ones on (one at a time) if you want to try to improve glitch times.
    -Set the operation switch to "Phat" (if you have slow times try "Slim" later)

    Coolrunner Rev C:
    Refer to the following picture:
    [​IMG]
    Jumper 1: Leave open since you have to be using RGH2
    Jumper 2: Try both and see what works best for you
    Jumper 3: Leave open since it doesn't apply to Slims

    Rev C Addons:

    CPU Signal Cleaner -
    [​IMG]
    Try combos of 1 on for each dip switch (i.e. 1K and 470p, not 1K and 2K). Only one on at a time!


    Now, put the motherboard back into the metal shell, reattach the heatsink if you removed it (remember to use thermal paste), and plug in the front ROL board, then move on to Step 3: Xell

    Corona:
    I will integrate these instructions when I get the chance but for now here is how to use the Slim Proto: http://team-xecuter.com/forums/showthread.php?t=139308

    Everything else in this section is for the older methods.

    Wiring:
    Place the Coolrunner with its sticky pad here (it is on the AV port; Rev C is smaller but goes in the same place):
    [​IMG]

    There are now two possibilities. You either have the QSB's or you don't, or have a Corona V2/V4. Whatever you have you are going to refer to the same diagrams, but for QSB owners you are going to wire the 3V3, E, and F wires to the points labeled on the QSB's instead. Additionally, if you have a V3/V4 you are going to solder C to the "POST 1" point of the POST_OUT fix instead. Also, use the yellow wire from the "Phat Kit" because the slim one is too short, and D is a very small point so be careful. If you are too afraid to use this point or don't have a thin enough tip, you can use another point (see alt point) but it requires that you remove the X-Clamp and fan which I am not going to talk about here. Additionally wrap up the 50cm blue wire into a coil (it is supposed to be that long, do not cut it). Plus, if you have a Corona V3/V4 the wire for "C" is going to go to "POST 1" on the fix instead:
    [​IMG]

    If you have trouble booting, here are different techniques for laying wires, and other helpful info: http://www.team-xecuter.com/forums/showthread.php?t=86641
    Jumper Settings:
    Refer to the following picture:
    [​IMG]
    For Corona:
    LK1 - Leave Alone
    LK2 - Short the points
    LK3 - Leave alone
    LK4 - Short the points 1&2 (or if you have trouble/bad boot times try shorting 2&3, or un-shorting all of them)
    -6 switch (S4) dip: Set 1 on and the rest off. Then later try different ones on (one at a time) if you want to try to improve glitch times.
    -8 switch (S2) dip: Set one and five on (up position) and the rest off. Then later try combos of 2,3, and 4, and 6,7,8 (2 on at a time) if you want to try to improve glitch times.
    -Set the operation switch to "Slim" (if you have slow times try "Phat" later)

    Coolrunner Rev C:
    Refer to the following picture:
    [​IMG]
    Jumper 1: Leave open since you have to be using RGH2
    Jumper 2: Try both and see what works best for you
    Jumper 3: Leave open since it doesn't apply to Slims

    Rev C Addons:

    CPU Signal Cleaner -
    [​IMG]
    Try combos of 1 on for each dip switch (i.e. 1K and 470p, not 1K and 2K). Only one on at a time!

    Now, put the motherboard back into the metal shell, reattach the heatsink if you removed it (remember to use thermal paste), and plug in the front ROL board, then move on to Step 3: Xell

    Step 2c: R-JTAG
    Checklist:
    • You're here because you found in the flow chart that your exploit method is the R-JTAG method (dash higher than 7371 but less than 15572 if you have a phat, and console is a phat or slim)
    • You have Orig.bin NAND dump backed up
    What you need now:
    The R-JTAG hack only works if your console is on dash 15574 or higher, so if you are not on that dash you need to update to it: http://digiex.net/downloads/downloa...60-dashboard-update-2-0-15574-0-download.html

    There are two ways to set up the R-JTAG hack: The regular way, and the AUD_CLAMP way. Because the AUD_CLAMP method proved to be so reliable on the original JTAG hack, that will be the method I am showing you how to do.

    In J-Runner (it should still be open with your motherboard type selected and your NAND dump selected under "Source File") in the upper right section titled "XeBuildOptions" click the drop down and select "Add Dash". In the window that appears check off "16747" and click "Add Dashes". Then in the same drop down select "16747" as it will now be in the list, and then select "Jtag" so its bubble is filled. Also, tick off "R-JTAG" and tick off "Aud_Clamp?".

    Now there are three scenarios you could have at this point:
    1) You have a NAND-X/J-R Programmer and used it to read your NAND
    2) You don't have the NAND-X/J-R Programmer and read your NAND with LPT
    4) You have a DemoN and used that to read your NAND

    (3 is not applicable for this hack since Coronas are slims)

    1)
    If you have the NAND-X/J-R Programmer: in J-Runner click "Create Xell-Reloaded" in the upper left, and make sure there are no errors in the log (there really shouldn't be so if you get one Google it). Then click "Write Xell-Reloaded" in the upper left and wait for it to finish. Then you can disconnect the NAND-X/J-R Programmer from your console and computer and move onto the next step. Also, unplug the Xbox's power.
    --END OF 1--

    2)
    If you don't have the NAND-X/J-R Programmer: in J-Runner click "Create Xell-Reloaded" in the upper left and make sure there are no errors (there really shouldn't be so if you get one Google it). Now open your J-Runner folder and then "output"; in there, copy the "[Your Console Mobo].bin" file to the Nandpro30 folder. Then reopen a command prompt and cd to your Nandpro30 folder again (you should know how to do this now) and then type this command:
    Code (Text):
    nandpro lpt: -w16 [Your Console Mobo]_hack_aud_clamp.bin
    It will look like this:
    [​IMG]
    Then press enter and it will write up to 004F so it should go fast. When done disconnect the LPT cable and move onto the next step. Also, unplug the Xbox's power.
    --END OF 2--

    4)
    In J-Runner click "Create Xell-Reloaded" in the upper left, and make sure there are no errors in the log (there really shouldn't be so if you get one Google it). Then in the DemoN drop down menu click "Toggle NAND" and then make sure that at the bottom of J-Runner it shows that the DemoN's NAND is selected. Now click "Write ECC" in the upper left and wait for it to finish. Then you can disconnect the DemoN's USB cable from your computer, switch the device switch to "Xbox" instead of "PC", and move onto the next step. MAKE SURE THAT IF AT ANYTIME YOU NEED TO WRITE/READ SOMETHING TO/FROM YOUR DEMON AFTER THIS THAT YOU MOVE THE SWITCH BACK TO "PC", UNLESS YOU ARE WRITING/READING THE NAND USING THE DAUGHTER-BOARD THAT IS INSTALLED TO THE BACK OF THE CONSOLE.
    --END OF 4--

    Wiring/Jumper Settings for the R-JTAG Chip:
    The wiring/jumper settings will be the same for all consoles since they are all phats. Standard soldering rules apply, simply make all the connections in the pictures. Also you may run into a wire being too short. If that is the case, extend it with your own wire. Additionally you will notice that for each of these diagrams the "Ground" location points to the AV port. Simply solder the ground wire in-between the top of the port and next to one of the prongs that sticks up (in the corner they create). Any arrows you see pointing to a hole means that the wires of that color are to be sent through it to the other side of the board.

    Wiring:

    Temporarily sit the R-JTAG chip where it is in this picture but down onto the board as if the DVD drive isn't there and wire it up in that position:
    [​IMG]
    When you are done wiring it this is where it will go, so at the end of the task when you are putting the DVD drive back in, pull off the sticky pad protector and place the device down onto the DVD drive.

    Refer to the following diagrams to install the wiring:
    [​IMG]

    Jumper/Dip Settings:
    First, refer to the following picture and dip switch:
    [​IMG]
    Make sure that all of the dips are off at first, and then do the following based on mobo:

    Jasper:
    7 - On
    8 - On
    4/5 - Try one of these on at a time and see which one gives better boot times
    Rest - Keep off

    Falcon:
    7 - On
    3/4/5 - Try one of these on at a time and see which one gives better boot times
    Rest - Keep off

    Zephyr:
    8 - On
    3 - On

    Then, refer to this picture:
    [​IMG]

    1:
    Short 1 and 3 (ignore picture)

    2:
    Switch to the ON position

    3:
    Switch to the middle position (470 ohms) and then later try the left position (330 ohms) if you have bad boot times

    Now, connect the R-JTAG chip to the Post_QSB using the provided cable:
    [​IMG]

    Finally, put the motherboard back into the metal shell, reattach the heatsink if you removed it (remember to use thermal paste), and plug in the front ROL board, then move on to Step 3: Xell


    Step 3: Xell
    Blue Screen (for what it looks like):
    [​IMG]

    Now that your Xbox is somewhat back together, it is time to get what is called your "CPU key". Your CPU key and a NAND dump (which you already have) is what you ultimately need to exploit your console.

    If you are using the RGH method move the "SLIM/PHAT" switch to whichever console you have, and move the "PRG/NOR" switch to "NOR".

    Now plug in your console's power supply and video cable (preferably not HDMI as there can be problems with it). If you have a DemoN your console will default to the DemoN NAND so don't worry about changing it. Now change your TV to the proper input and turn on your console with either the button or a controller.

    (NOTE: RGH Xenons will take a VERY long time to boot) If you are using the RGH/R-JTAG method you should see the green light on the Coolrunner/R-JTAG chip flash every few seconds and eventually stop and a blue screen should show, and you should not see the Red Light of Death. If you are using the JTAG method the blue screen should show relatively quickly and you should not see the RROD. Once the screen is up, it will start going through some things and scrolling down. Eventually you will see: "your cpu key:" and then a long alphanumeric code. Write this code down; this is your CPU key. If you want your DVD key it is right below that. Now turn your console off and in J-Runner input your CPU key into the "CPU Key" box on the left. J-Runner should output "CPU Key is correct".

    If you know the console booted because the Coolrunner Lite stopped flashing or the optical out port is red, but you didn't get any image on screen, turn off the console and check this:
    IP Scanning Method:
    Plug in an Ethernet cable to your console and make sure it is connected to your router properly, then turn the console on. You should see the green light on the Coolrunner/R-JTAG chip flash every few seconds and eventually stop, and when it does you should not hear the fan clicking, the optical port will turn red, and you should not see the Red Light of Death; however, you will not see anything on the screen. This is because the Corona motherboard's AV output crashes due to the Coolrunner sometimes, which is normal OR your console just doesn't like the exact setup you used (which is also normal). In order to get your CPU key, you will need to return to J-Runner, which should still be open. Though first you need to find out what your IP address subnet is by opening a CMD prompt (start->search/run "cmd") and typing in "ipconfig" then pressing enter. You may see multiple adapters, but what you are looking for is the section called something like "Ethernet adapter Local Area Connection" if you have a wired internet connection to your computer, or "Wireless adapter Local Area Connection" if you have a wireless internet connection to your computer. Now under that section you should see an entry called "IPv4 Address" that is something like "192.168.x.y" and X is most likely 1, 2, or 0. Write down what that X value is. Now in J-Runner at the top click "Settings" and look at the right where it says "IP settings". For "IP Default" enter "192.168.x.2" (where x is the value you wrote down), for "IP Range Start" enter "192.168.x.2", and for "IP Range Finish" enter "192.168.x.199". Now click OK at the bottom middle. Now in the bottom right of J-Runner click "Scan IP Range", it should find your Xbox and grab your CPU key, which will appear in the log and the box on the left, and you can be sure of this by clicking the "KV Info" tab to the right. You should see all the info filled in. If you want your DVD key it will also be listed under that tab. Turn your console off.

    STOP! If your console didn't turn on, boot, RROD'ed, RLOD'ed, the green light didn't flash (if you are RGH'ing/R-JTAGing), or something unexpected happened, check your wiring, wire placement, retrace your steps, etc (usually the green light not flashing is wire placement). There are too many things to check so I can't list all the scenarios, so simply retrace your steps. If you have a RGH/R-JTAG and you got slow boot times (more than 10-30sec, 1min on stubborn console, for seconds on a non-Xenon RGH, and more than 10-20sec for an R-JTAG) then go back to your section and try different Jumper settings/CPU_RST wire/wire positioning. If you did all of this but you are still stuck try posting your problem here in the Xbox 360 support forum, or over at Team Xecuter's Forums.

    If this all worked, continue on.

    Now in J-Runner click "Create Image" in the upper left and it should succeed, and the source box below should change to a new file. Find that file in the J-Runner "output" folder and rename it to updflash.bin if it isn't already named that and reload it into your source box.

    Consoles that used the TV to get their key, and don't have a DemoN:
    Now place that file on a FAT32 formatted flash drive, OR burn it to a blank CD/DVD. Insert whichever you used into your console and boot it up again. The blue screen will appear again and have a message about flashing your NAND. Let it finish and when done it should power off or at least say it completed the flash. You are now officially exploited :). Move on to part 6.

    Consoles that used IP Scanning to get their key, and don't have a DemoN:
    Reattach whatever device you used to read your NAND and in J-Runner click "Write NAND" (if you have a Corona v2 that box will come up) or if you used LPT flash the updflash.bin with Nandpro (you can do this on your own by now I believe in you :), just check the command example above if you can't remember and just use "updflash.bin" this time). When it is done you are officially exploited :). Move on to part 6.

    Consoles that have a DemoN period:
    Move the DemoN's device switch back to "PC" and reattach the DemoN's USB cable. Then in J-Runner click "Write NAND" and wait till it is done. Now just move the device switch on the DemoN back to "Xbox". You are now officially exploited :). Move on to part 6.

    Part 6: While you're in there...

    While your console is open, you may want to consider a few other mods such as:

    Now whether you do any of these or not, reassemble your entire console. DemoN owners here is how you connect it to everything:

    Phat:
    [​IMG]
    [​IMG]
    [​IMG]
    *Here it shows the Coolrunner Rev 3 with an addon board. The CR3 Lite has its own port already which you will be using. Also if you are using the R-JTAG hack the wire plugs into this:
    [​IMG]
    ^Ignore if not using R-JTAG method

    [​IMG]
    [​IMG]
    [​IMG]
    [​IMG]
    [​IMG]
    [​IMG]
    [​IMG]
    *Here you have to remove the cover of the one MU. You obviously don't have to use TX's tool. A flat head screwdriver or something similar will suffice.
    [​IMG]
    Slim:
    [​IMG]
    [​IMG]
    [​IMG]
    [​IMG]
    [​IMG]
    [​IMG]
    *Use the adhesive pad to keep it in place
    [​IMG]
    [​IMG]
    [​IMG]

    Also if you want to use your laptop drive as your hard drive refer to this tutorial on how to open the phat's drive shell: http://www.afterdawn.com/guides/archive/disassemble_xbox_360_console_hdd_adapter.cfm OR if you have a slim you can just slide the hard drive in (it is hard to line up with the port) and hold it in place with a packing peanut or something (OR you can buy a custom slim HDD case that opens OR crack one you own open). Once you get to where you turn your Xbox on, it will show up as a normal MS hard drive would so just format it normally through the "Memory" section in settings.

    Part 7: Software Setup

    You may be done with all of the hardware changes, but not the software. This part will get you started with using your Xbox's new capabilities. When you turn it on you'll have to go through the setup crap.

    Step 1: XEXmenu
    First you are going to get XEXmenu. It is a replacement dash and the way you must first run custom code/programs until you set up everything else. Download XEXmenu 1.2 here: http://www.mediafire.com/?37qni84y3m4w7r1 OR if you don't have a flash drive download the ISO version here (you will need a CD) http://www63.zippyshare.com/v/35199471/file.html.

    If you got the USB drive version, plug a flash drive into your Xbox, turn the Xbox on, and format the flash drive as a memory card. Then plug the flash drive into your computer. Download USBXTAFv44: http://digiex.net/downloads/downloa...e-explorer-xplorer-xtaf-v44-new-download.html Now open it, and click "File" in the top left, and then "Open First USB Drive". In the column on the left, right click on the "Data Partition" folder and click "New Folder" and name it "Content". Then right click on the "Content" folder and click "New Folder" and name it "0000000000000000" (that's 16 zeros). Now click on the 0s folder you just created so it is highlighted. Extract the XEXMenu1.2 archive so that the "CODE9999" folder is on your desktop. Now drag the "CODE9999" folder into the right pane in USBXTAF. Once it is inserted remove the flash drive and plug it back into your console.

    If you got the ISO version simply extract the ISO and burn it to a CD, and then insert it into your console.

    Now back on your console you are going to go to the demos if you got the USB version and you should see XEXmenu so launch it. If you got the ISO version it will show up as a game so just launch the DVD drive on the dashboard.

    You should now be in XEXmenu, so press the back button to familiarize yourself with the controls, and refer back to them if you forget.

    If you have an internal hard drive you can now copy XEX menu to it by going to your USB drive/ the CD drive, pressing Y on the "CODE9999" folder and hitting copy. Then paste it in the "Content" folder on your hard drive. If you are just going to use an external USB you will have to keep it on the USB drive or make a 16GB partition on your external USB drive, format it as a MU, and move XEXmenu there.

    Now in the next few sections you can launch .XEX files by pressing A on them in XEXmenu. Also when you need to move files around you can either use XEXmenu by placing the files on a flash drive formatted as FAT32 (if Xell is on your flash drive because you didn't move it you can use CD's, another flash drive, or an external USB drive) OR FTP. FTP is a way to copy files from your computer to your Xbox over your local network. You must download a FTP client (such as FlashFXP) and have your Xbox connected to your router. Then you find out your Xbox's IP address by going to Network settings on the main dashboard, and then on your FTP client you connect to your Xbox (it is the lightning bolt on FlashFXP) by going to the connect menu and inserting your Xbox's IP and "xbox" for the username and password. You browse through your Xbox, which will be on the right, like files on a computer, yours will be on the left and you simply drag files to and from your Xbox and computer. HDD1:\ is the internal hard drive, USB0:\ is a flash drive, USBMU:\ is a MU formatted flash drive. NOTE, in order to use FTP you must have XEXmenu (or Freestyle dash which we will setup later) open on your Xbox.

    I will assume from now on you know how to move files around.

    Also you will want to create the following folders on your hard drive: Games, Xbox1, Emulators, and Apps (placing any files of these sorts into their appropriate folder, with "Games" being Xbox 360 Games)

    Step 2: Freestyle dash
    Freestyle dash is the latest and greatest replacement dash that is fully customizable, looks nice, and has tons of features. If you want to you can stick with just XEXmenu but I highly recommend FSD. You can download it here: http://www.realmodscene.com/index.php?/topic/2090-f3-rev-775/, and see a video of it here:


    My head hurts enough from writing this so I won't fully explain how to use it, but you can figure it out easily by looking around in it. Just extract it into a folder called FSD3 on your HDD or USBHDD in the root (Hdd1:\FSD3 or USB0:\FSD3) and run the default.xex to get into it. Once you're in it you set up everything in the "Settings" option where you can change the theme colors etc., and in order to add games to your library you must FTP/copy them into the folder of their type (Games/Xbox1/Emulators/Apps) and then add those folders to the scan list (you do this in settings). It also has a file browser you can use to move files and launch .XEXs with. Also you can FTP while FSD is running. If you need help with it ask in the Support forum or search Google.

    Step 3: Dashlaunch
    Dashlaunch comes with a bunch of nice features such as auto-patching your arcade games that you downloaded, but its main feature is changing where your "Xbox Home" button in the Xbox guide points to. This way you can have Freestyle dash/XEXmenu as your default dashboard. Even if you don't want that it is good to have Dashlaunch anyway as you don't have to set a default dash.

    Download it here: http://www.realmodscene.com/index.php?/topic/3228-dashlaunch-312/

    Get the installer default.xex onto your Xbox and run it. You use LB and RB to change sections, and the left thumb-stick to navigate a section. If you need to know the controls for something just idle over it and the controls help will slide out.

    Get to this section:
    [​IMG]
    Then press A on "Paths" to expand it and it will look like this (minus the French):
    [​IMG]

    Press A on "Default" and you will enter a file browser. Navigate to either your Freestyle Dash .xex (should be in something like HDD1:\FSD or Freestyledash or Freestyle) or your XEXmenu.xex (should be in [device]:\content\0000000000000000\CODE9999...) and press A on it. Also do this for the "Guide" entry. If you want to you can set stuff for the BUT_A/B/X/Y buttons which means that if you hold that button when you are turning your console on or pressing "Xbox Home" in the guide you will launch that .xex instead of the default one.

    NOTE!: Any time you want to go to the normal dashboard just hold RB while booting/hitting "Xbox Home" in the guide.

    Now go to this section of Dashlaunch:
    [​IMG]

    Move down so "Flash" is highlighted, then press X. This will save your settings. Now turn your console off and back on. It should go to the dash you assigned to default. You can return to the Installer.xex anytime to change settings.

    Step 4 : XBOX1 Emulator
    This will get original Xbox games working as they are broken by default, and will get you the hacked emulator files so that you can play any original Xbox game (some may run poorly).

    Download HDD CPF: www.download.digiex.net/Consoles/Xbox360/Jtag/harddrive.zip

    Extract it and get the .xex file onto your Xbox and run it. Go through the on screen instructions (just pressing A a few times, don't mind the warnings) and when it is done return to FSD/XEXmenu by simply dashboarding with the "Xbox Home" button in the guide.

    Download the 2007 hacked emulator files: http://digiex.net/downloads/downloa...mpatibility-v5829-november-2007-download.html

    Now extract the folder and copy the "Compatibility" folder to the HDDX:\ folder on your Xbox overwriting anything that is already there.

    You can now play any original Xbox game or homebrew.

    Part 8: Afterwards
    Now that you have an exploited console these are some things you might want to try:
    Also any time you need to update your exploited Xbox to a newer dash, simply download the latest version of J-Runner (it should auto-update), input your CPU key and browse for your Orig.bin NAND dump, add the dash you are updating to in the drop down in the upper left, and click "Create Image" in the upper left. Then simply place the updflash.bin on a FAT32 flash drive and update with Xell again (by turning the console on with eject with the flash drive in). Corona V2 users you will have to manually flash the NAND with the QSB SD Card reader adapter (it sucks).

    You are now off to experiment with your new console on your own. I hope this was of use to you :D

    P.S. In case you are interested, here is the link to just the picture album. Just to see the number of pictures (lol) and for easier distribution: http://s1139.photobucket.com/albums/n554/oblivioncth/Se7ensins/Ultimate Exploit Tutorial/#!cpZZ1QQtppZZ20

    What I think I will be adding next: Future R-JTAG addons/revisions
    Change Log:
    10/25/12 - Original Post
    10/27/12 - Updated to support 16197
    11/10/12 - Added instructions for using J-R programmer (I was being lazy not including it :D )
    11/25/12 - Clarified information about dashboard versions
    12/9/12 - Added information on upcoming DGX Addon
    12/10/12 - Updated to support 16202, fixed typos
    12/17/12 - Added information on Corona V3/4, Fixed flow chart type, prepared tut for DGX and POST_OUT Fix release
    12/27/12 - Added info on how to use the DGX, will add Corona V3/V4 soon
    12/29/12 - Changed LPT resistors from 100K ohms to 100 ohms (typo - thanks deathmind)
    12/30/12 - Updated the link for dashlaunch from 3.05 to 3.06
    1/5/13 - Added info for Corona V3s/V4s
    1/13/13 - Changed FSD3 link to the latest version, and added video directly to thread.
    1/21/13 - Finished adding DemoN install instructions, corrected typos
    1/28/13 - Corrected incorrect value for RGH selection for Corona boards in J-Runner (thanks Komano)
    2/4/13 - Added pictures for motherboard identification double check, fixed typo about NAND-X
    2/19/13 - Added info for the RGH1 wiring method for those eligible (since the boot times are faster), and added info about the Demon BB Conversion Kit.
    2/20/13 - Updated to support 16203
    2/24/13 - Updated the link for dashlaunch from 3.06 to 3.07
    2/25/13 - Changed 100K ohms for LPT to 100ohms... again. Somehow didn't stick last time.
    2/28/13 - Changed pictures source to Dropbox. Hopefully they stay. EDIT: Didn't work :|
    2/28/13 - Images have actually been fixed now. Should stay since Imgur doesn't have bandwidth limits
    3/4/13 - Updated guide to include the new ECCs. Also added new "Guide Status" at the top.
    3/9/13 - Updated FSD link to the latest version (Rev735 and LiNK Beta 3)
    3/10/13 - Changed the "Creating ECC" step so that it only needed J-Runner and no manual addition of the ECCs since J-Runner was updated and now has them included
    4/22/13 - Added point "B" alternate for those having trouble with it (thanks pinkfloydviste for the pictures!)
    4/30/13 - Remove "B" alternate under Corona (accidental addition). Thanks Tormios
    5/11/13 - Added tip about the possibility of having to install the CR3 Lite before you can program it with the DemoN, and simplified some of the steps with the DemoN
    5/17/13 - Added the R-JTAG method for phats, removed RGH method for phats except for Xenons
    6/7/13 - Changed the way the user connects the DemoN to their PC to a more foolproof method.
    6/8/13 - Added option for Coolrunner Rev C since it tends to get better glitch times on Trinitys
    7/6/13 - Fixed incorrect statement that the R-JTAG starter kit did not come with the QSBs (Thanks Lamb Chops!)
    7/25/13 - Added more info about the Coolrunner Rev C since TX stopped making the CR3 Lites
    8/10/13 - Corrected some info on programming Coolrunner with an LPT cable.
    12/2/13 - Fixed some typos and broken links
    *This post was removed for spacing so I put it back here:
    Thank you! I have always wanted to write one of these massive ones :D
    Last edited: Apr 21, 2014 at 7:08 PM
  3. Cakes

    Cakes #EmbraceNixFifty Premium

    Messages:
    8,666
    Likes Received:
    6,244
    This must have taken ages to write. Deserves a sticky or something.
  4. fat pat 666

    fat pat 666 Lucifixture

    Messages:
    10,268
    Likes Received:
    4,174
    damn man that's a lot of information. good job.
  5. oblivioncth

    oblivioncth Mr. Cloth

    Messages:
    6,978
    Likes Received:
    1,920
    Lol thanks. It took about 10 days with about 5hr sessions each. Lol. I don't like to be selfish but it would be nice if this was stickied.

    Also I'm still fixing typos now, lol.
  6. Fanboy

    Fanboy Bowyang Premium

    Messages:
    7,006
    Likes Received:
    2,801
    Source?

    Or made by self?
  7. oblivioncth

    oblivioncth Mr. Cloth

    Messages:
    6,978
    Likes Received:
    1,920
    I mean as you can see I took some pictures from things like Team Xecuter's Diagrams, and I got one or two pictures for things like dash launch or Xell online at random sites, but I mean you can't really call those "one person's pictures" because they are the same looking for everyone. The important ones have the creator's logo watermarked on it, and the ones that didn't I put credit for at the top or in the picture.

    Otherwise the text and some pictures are totally self made.
  8. xDeagleModz

    xDeagleModz Youtube Guru ツ

    Messages:
    3,980
    Likes Received:
    1,759
    Pfft pfft, could be way more in detail! Only took me about 8 hours of reading...

    lol jk, great & detailed tut! Deserves to be pinned IMO :)
  9. Ryan Reynolds

    Ryan Reynolds That Sh!t Cray

    Messages:
    1,868
    Likes Received:
    914
    Stupid question... But how do I put 2 disc games in a GOD format for my jtag?
  10. Ryan Reynolds

    Ryan Reynolds That Sh!t Cray

    Messages:
    1,868
    Likes Received:
    914
    How do I record a video with a capture card? I didn't know that was possible with a JTAG lol.
  11. oblivioncth

    oblivioncth Mr. Cloth

    Messages:
    6,978
    Likes Received:
    1,920
    You have to rip a copy to your PC which only works with an iHas drive OR download a copy of it online. Then use a program called ISO2GOD.
  12. oblivioncth

    oblivioncth Mr. Cloth

    Messages:
    6,978
    Likes Received:
    1,920
    You need to get rghloader; it makes your console like a dev kit, which has that ability.
  13. Ryan Reynolds

    Ryan Reynolds That Sh!t Cray

    Messages:
    1,868
    Likes Received:
    914
    Yea I use ISO2GOD to convert all of my downloaded ISOs. But how do I do it when it's 2 discs?
  14. oblivioncth

    oblivioncth Mr. Cloth

    Messages:
    6,978
    Likes Received:
    1,920
    Oh I didn't know what you meant. You convert both discs and put them in the same title ID folder for the game. Should work.
  15. BRAND0N

    BRAND0N W.T.F.W.D.P.D.? Premium

    Messages:
    7,613
    Likes Received:
    3,225
    what game? I may be able to help you out..
  16. Ryan Reynolds

    Ryan Reynolds That Sh!t Cray

    Messages:
    1,868
    Likes Received:
    914
    Okay awesome thanks :)
  17. Ryan Reynolds

    Ryan Reynolds That Sh!t Cray

    Messages:
    1,868
    Likes Received:
    914
    Assassin's Creed 3.
  18. BRAND0N

    BRAND0N W.T.F.W.D.P.D.? Premium

    Messages:
    7,613
    Likes Received:
    3,225
    I heard you only need the 1st disc, because the second is multiplayer, which I doubt you will be playing on your jtag before release haha. So just convert the 1st disc and put it in the hdd/ content / 000000000000000 and it will pop up in your game library.
  19. Ryan Reynolds

    Ryan Reynolds That Sh!t Cray

    Messages:
    1,868
    Likes Received:
    914
    No the campaign uses both discs. It asks to switch in the middle of the game.
  20. BRAND0N

    BRAND0N W.T.F.W.D.P.D.? Premium

    Messages:
    7,613
    Likes Received:
    3,225
    ok, when you convert the games in iso2god you can change the title. So change the title of the first one to - Assassins Creed III disc 1, and the same thing for the second disc (but call it disc 2 of course) then install both the GOD packages (probably just one package in the end) and both discs will show up in your game library.