Tutorial [DIY tutorial] Matrix SPI nand flasher upgrade to CPLD (coolrunner/glitch chip) programmer

  • Thread starter JoinTheResistance
  • Views 135,120
J

JoinTheResistance

Dead to the world, alive for the journey...
Messages
4,670
Reaction score
1,093
UPDATE: 09.16.2015 GUI for the xsvf app released!
I made this GUI, hoping to make the process of flashing a glitch chip with the modified nand flasher simpler. It's still in beta 0.2.1, so it still doesn't include some of the timing files, but the most used ones are there, plus it has an option to manually select a timing file. Just launch "XSVF_GUi.exe" and select the hack you want!
Download: [Click here to view this link]
Virus scan: Link
In this tutorial I'm going to cover converting a stock matrix nand spi nand flasher (and other similar devices) into a 2 in 1 nand flasher and cpld (coolrunner) programmer. Basically what this mod adds is the ability to program glitcher boards like the tx coolrunner, the matrix glitcher v1/v3 and all other similar devices. It sort of turns the matrix spi nand flasher into a low-end nand-x/j-r programmer.
Note: With this modification you can program only glitchers which are using a xc2c32a or a xc2c64a chip, examples of such glitchers are the matrix glitcher v1 and v3, cr3 lite, cr rev c/d... Boards like the x360 ace and the TX DGX/RGX, which use a xc2c128 chip, aren't supported as of yet, if you need to program such chips you will need to get a j-r programmer or a nand-x.

First, I would like to thank Nurox for posting the information and files needed to make this mod on 7s. I would also like to thank the person who came up with this mod.

This mod isn't very hard, but it can take a few hours from start to finish, depending on your skill level.
Things that you will need:

Hardware:
Soldering supplies like flux, solder, soldering iron...
A matrix SPI nand flasher, or another PIC18F2455/PIC18F2550 based nand flasher
1 300 or 400 ohm resistor
1 10uf capacitor (note that the capacitor should be 6.3V or more)
1 3.3V zener diode, like the 1n4728a. You can also use a 3.3V regulator, but in this tutorial I am going to be using a zener diode.
1 through-hole board (recommended, but not required)
A few wires

Software: [Click here to view this link]
Beta 0.1 - First release
Download: [Click here to view this link]
Beta 0.2 - Added an option for custom files and an exit button
Download: [Click here to view this link]
Beta 0.2.1 - Tidied up the main folder and fixed a few bugs
Download: [Click here to view this link]

A couple of people have requested the stock matrix firmware so I'll just post it here in case you need it.

First, what you need to do is make a small addon on a through-hole board (or just connect the components directly to the flasher if you're not using a separate board for the upgrade) following this schematic.
schematic_UPDATED.jpg

Note that there is another similar schematic in the pack I posted a link to above. The original diagram didn't include a 400 ohm resistor and it had 3 regular diodes in it, and I had a few problems using it. It did work, but it would sometimes give errors and the matrix nand flasher wasn't able to read nands. After adding the 400 ohm resistor and removing the 3 diodes all of those problems were fixed.

This is a diagram I have made to illustrate a few alternative points and to show what goes where on the matrix spi nand flasher. Of course you can solder directly onto the PIC chip, but to avoid messing it up I recommend using the alternative points.
diagram_Copy_2.jpg


diagram.jpg

Here are some more alternative points.
alternative_points.jpg


Ok, now let's move on to programming the PIC with the updated firmware.
The first thing that you will need to do is to enable the bootloader mode on the nand flasher. To do this short the "Boot" pad on the matrix nand flasher with a GND point, or the GND pad. You can just solder a small bridge only using solder or a wire. Another thing that you can do, which is what I actually did, is solder a switch between the boot pad and ground (GND). So after shorting the two points connect the nand flasher to your PC and install the drivers.
IMG_20150421_190556.jpg

DRIVER INSTALLATION

The flasher should show up in device manager as "Unknown device"
devicemng1.png

Right click on it and select "Update Driver Software"
bandicam_2015_04_21_19_12_49_329_Copy.jpg

Click on "Browse my computer for driver software"
bandicam_2015_04_21_19_12_52_910_Copy.jpg

Click "Browse" and point it to the "DRIVER" folder that's located inside the "PIC FIRMWARE" folder.

bandicam_2015_04_21_19_13_00_619_Copy.jpg

bandicam_2015_04_21_19_13_40_809.jpg

Click "OK", then next and it should install the driver.
After this it should show up under "Custom Usb Devices" as "Microchip Custom Usb Device".

Flashing the updated firmware

Go in the "PIC FIRMWARE" folder and launch PDFSUSB.exe. From the drop down menu select the device called "PICDEM FS USB 0 (BOOT)".
bandicam_2015_04_21_19_15_31_486.jpg

Click on "Read device" and then on "Save To HEX file", if you want to make a backup of the old firmware.
To flash the new firmware, first click on "Erase Device". After it completes click on "Load HEX File" and then click on "Program device". After it's done you can disconnect the nand flasher from the PC and un-short the boot pad from ground. After the two points are disconnected from each other reconnect the flasher to the PC. If you have the drivers from nandpro installed, uninstall them, since they will not allow you to flash CPLDs. Instead use the drivers in the "LIBUSB_DRIVER" folder, which is located in the "XSVF" folder. To install them just follow the instructions from before, but this time point windows to the "LIBUSB_DRIVER" folder.
If it gives you a warning about the driver's signature click on "Install this driver software anyway"
bandicam_2015_04_21_19_23_03_818_Copy.jpg




How to use the device

If you try using the modified device with j-runner you will only be able to read and write to the nand with it, it will give you a "wrong arm version", if you try to program a glitcher (coolrunner).
What you need to use instead is the program that is included with the software pack posted in the beginning of this tutorial.

**NEW** You can now use the GUI I made, instead of the command prompt.

If you want to use the "old" command line method, here are the instructions for that:

To use it simply go in the "XSVF" folder and double click on the "prompt.bat" file, a cmd window should appear. Connect the chip that you want to flash and type in "xsvf.exe" followed by the name of the file you wish to flash and hit enter. Example: xsvf.exe jasper.xsvf
Unfortunately only RGH1 files are included with this bundle, but this isn't a big problem since the RGH2 files are included with j-runner. To use them go into the j-runner folder then go into common and then xsvf, inside you will find the xsvf files you need for RGH2, copy the files from that folder into the folder where the "prompt.bat" file is located. After this is done follow the same procedure to flash the files.
Here is what it should say after a successful flash.
bandicam_2015_04_21_19_25_35_802_Copy.jpg




I'm sorry if this tutorial is too confusing for you to follow. Please let me know if you need assistance or want me to explain something in a different way.
As always feedback is welcome!


Here is what the addon looks like on a through-hole board. The pictures below show the modification with the old and unreliable diagram, so you can ignore the diodes.

IMG_20150418_140934.jpg

IMG_20150418_140953.jpg

IMG_20150418_191852.jpg

IMG_20150418_194504.jpg

IMG_20150421_181925.jpg
 
Last edited:
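Added example (not part of the original post or its software pack): a Python check for the backup written by "Save To HEX file" before "Erase Device" is clicked. It validates every Intel HEX record checksum, rejects a truncated file and reports which address ranges the image covers; the 0x0800 bootloader boundary and the sample records are assumptions constructed for illustration.

```python
# Added example: sanity-check an Intel HEX backup before erasing the PIC.
BOOT_END = 0x0800  # assumption: the USB bootloader occupies 0x0000-0x07FF

class HexError(ValueError):
    """Raised for a damaged or truncated HEX file."""

def record(offset, rtype, data=b""):
    """Build one Intel HEX record (only used to construct SAMPLE below)."""
    body = bytes([len(data)]) + offset.to_bytes(2, "big") + bytes([rtype]) + data
    return ":" + (body + bytes([-sum(body) & 0xFF])).hex().upper()

def parse_ihex(text):
    """Return {address: byte}; raise HexError if the file is damaged."""
    mem, base, saw_eof = {}, 0, False
    for n, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        if saw_eof:
            raise HexError(f"line {n}: data after end-of-file record")
        if not line.startswith(":"):
            raise HexError(f"line {n}: missing ':' start code")
        try:
            raw = bytes.fromhex(line[1:])
        except ValueError:
            raise HexError(f"line {n}: non-hex characters") from None
        if len(raw) < 5 or len(raw) != raw[0] + 5:
            raise HexError(f"line {n}: length field does not match record")
        if sum(raw) & 0xFF:  # all bytes including the checksum must sum to 0
            raise HexError(f"line {n}: checksum mismatch")
        offset, rtype, data = int.from_bytes(raw[1:3], "big"), raw[3], raw[4:-1]
        if rtype == 0x00:                       # data record
            for i, b in enumerate(data):
                mem[base + offset + i] = b
        elif rtype == 0x01:                     # end-of-file record
            saw_eof = True
        elif rtype == 0x04 and len(data) == 2:  # extended linear address
            base = int.from_bytes(data, "big") << 16
        elif rtype not in (0x03, 0x05):         # start-address records hold no data
            raise HexError(f"line {n}: unsupported record type {rtype:02X}")
    if not saw_eof:
        raise HexError("no end-of-file record, file is truncated")
    return mem

def summarize(mem):
    """Contiguous address ranges, non-blank byte count, bootloader overlap."""
    ranges = []
    for addr in sorted(mem):
        if ranges and addr == ranges[-1][1] + 1:
            ranges[-1][1] = addr
        else:
            ranges.append([addr, addr])
    return {
        "ranges": [tuple(r) for r in ranges],
        "non_blank": sum(1 for b in mem.values() if b != 0xFF),
        "touches_bootloader": any(a < BOOT_END for a in mem),
    }

# Constructed sample, not real firmware.
SAMPLE = "\n".join([
    record(0x0800, 0x00, bytes.fromhex("12EF04F0FFFFFFFF")),
    record(0x0808, 0x00, bytes.fromhex("FFFFFFFF")),
    record(0x0000, 0x04, b"\x00\x30"),  # upper address 0x0030 -> base 0x300000
    record(0x0006, 0x00, b"\x81"),      # one byte in PIC18 configuration space
    record(0x0000, 0x01),
])

if __name__ == "__main__":
    print(summarize(parse_ihex(SAMPLE)))
```

A backup that parses cleanly but reports `non_blank` near zero is an erased or unreadable read-out, not a usable copy of the stock firmware.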
K

Kukeseen

Newbie
Messages
4
Reaction score
1
Hi!
First of all thanks for your tutorial!
I do not yet own any of the devices (I have a Falcon board 360, but not a Matrix SPI or a glitcher chip yet) necessary for the hack, but I would like to ask some questions to make it clear for myself before I start buying things.
Soldering of the added circuit seems quite easy, but I can see on one of the pictures that you have a plug at the end of the wires. Where did you get that?
Secondly, do I understand correctly, that for this hack I can use any Matrix SPI flasher and any Matrix glitcher chip?
Thirdly, the most confusing part is the actual using of the device. Could you elaborate on that? I would like to know what connections have to be soldered and so on. Do I understand correctly, that firstly I have to solder the SPI to certain points on the motherboard, then I can dump the NAND. But what happens then? How do I program the glitcher chip?

I hope I didn't ask too dumb questions. If you could point me in the right directions that would be great! Thanks again for the tutorial!
 
JoinTheResistance
I got the plugs/headers from ebay, here. They are optional of course, but really useful.
Yes, you can use any matrix SPI nand flasher but only a matrix glitcher v1 or v3 will work. The v2 uses a different programmer, but it comes pre-programmed, so if you get that you probably won't need to reprogram it. Btw, if you want you can use other glitcher chips like the cr3 lite, which is a bit better than the matrix glitcher.
To flash the glitch chip you will need to use this diagram. On most glitchers there are points labeled VCC, GND, TDO, TCK, TMS and TDI. Here I've updated the diagram to help you understand.
This is the diagram for reading the nand.
To program the glitcher you need to do the following. Install the drivers from a folder called "LIBUSB_DRIVER", it's located in the "XSVF" folder in the software pack I have put a link to above. Then, download a program called j-runner from here. Extract it and in there you should have a folder called "common", in it you'll have a folder called "xsvf", and in it are the timing files. These are the files that you need to program the glitcher with. Since you have a falcon console you will only need the phat rgh2 files. These are the RGH2_X_EN.xsvf, the X will be replaced by letters from A to D. Since rgh results vary from console to console you will need to try each file one at a time to see which one gives you the best results. To actually flash these files you will need to first copy them into the XSVF folder from before, the one with the LIBUSB_DRIVER folder in it.
xsvf_files.png
Next what you need to do is start the "prompt.exe" when a cmd window pops up type in "xsvf.exe FILE NAME" and press enter. Example: xsvf.exe RGH2_A_EN.xsvf

About the last question, yes first you read the nand, create an ecc file and flash it onto the console. Then you flash the glitcher, solder it to the motherboard, get the CPU key, make a hacked nand image and flash it to the console.

I hope you find this helpful. If you need anything else let me know. :smile:
 
Kukeseen
Thanks, it's a lot clearer now! I'll order the parts immediately, if only they'd arrive quicker from China :biggrin: .
But I still have some questions to make it even clearer. I read from this thread (http://www.se7ensins.com/forums/threads/jtag-rgh-r-jtag-xbox-360-ultimate-exploit-guide.804054/), from the flowchart, that if I have a 9199 dash Falcon, then I should do RGH1, not RGH 2. But you said RGH2, now I don't know who to believe :biggrin:
Secondly, so do I understand this correctly:
1. first I solder the NAND programmer to the MB according to this diagram, then I read the nand, create an ecc file and flash it onto the console (all that with J-runner).
2. Then I desolder the NAND flasher from the MB, do some soldering according to that diagram and flash the glitcher according to the info from your last post.
3. So now should come the point where I solder the glitcher to the MB. Where are the points on the motherboard necessary for that? And now I should get the CPU key, make a hacked nand image and flash it to the console. How do I do that? And I presume at this point the glitcher will be connected to the MB and the programmer will be connected to the glitcher? I'm sorry if it's a stupid question, I'm just a bit confused.

Also does my console have to be powered at any point in time during all this RGH stuff?

One more question, do the soldering points differ for RGH1 and RGH2?

Thanks, already you have been very helpful.
 
JoinTheResistance
Yes, if you are on a dashboard version under 14699 you should go for RGH1. I said RGH2, because I thought that you had an updated console, since the 14699 dashboard is a few years old now.
1. Yes, do all of that with j-runner.
2. Yes. You can also solder the glitcher programming components before reading the nand. This modification doesn't prevent the matrix nand flasher from working as a regular nand flasher.
3. Use this diagram for soldering the matrix glitcher. The programmer needs to be connected to the glitcher only while you are programming it. It has to be disconnected when you have power going into the console.

Your console has to be plugged in but NOT powered on while you are reading the nand and writing to it.
Remember to never turn the console on while the nand flasher is connected to it or to the glitcher after it's soldered onto the motherboard.

This should help understand the process of getting the CPU key, creating the hacked image and RGH-ing a console in general. It's for a trinity motherboard and he uses different hardware, but the process is the same. The only differences are the points he solders to, the way he programs the glitcher and the fact that he selects trinity in j-runner instead of falcon.
Tell me if you need anything else.
 
Kukeseen
One more thing, I think then I'll just have to wait for the parts to arrive so I could begin with all of this.
About the diodes, what would you recommend for their specs to be, is something like 1N4007 1000V 1A okay or does it matter at all or should I get something with a lower voltage rating?
 
JoinTheResistance
The 1N4007 will work just fine. In fact I think I'm using something similar on my matrix nand flasher.
Just make sure that the zener diode that you are going to use is a 3.3V one, as a lower one probably won't work at all and a higher one may cause problems or even damage.
 
Kukeseen
I'll ask this just in case, to not mess things up. I understand that the capacitor should be 10 uF and 6.3V or more. Then if I get a 10 uF 50 V capacitor, is that okay? The rated voltage is not too much?
 
JoinTheResistance
Yes, it is ok to use a 50V capacitor. The voltage rating of a capacitor states the maximum voltage it can operate at and not the one it actually works at. The voltage that will be going through it in this case is going to be 5V (3.3V actually when you add the zener diode), so as long as the capacitor has a buffer of a few volts it's going to work just fine, no matter if it's 6.3V, 10V, 16V or 50V.
 
B

Batoussai

Newbie
Messages
2
Reaction score
0
Note: DO NOT FLASH THE PICXBOOT.
It seems that the bootloader available in the everything you need pack doesn't get along with the matrix spi (at least not with mine).
When my computer crashed during the flashing of the chip with XSVF firmware I ended up with a board that couldn't be programmed from usb anymore. So I rigged up an arduino based programmer that receives the hex files through serial communication and flashes the pic18. The programmer recognizes the pic and successfully writes over it, but the usb interface doesn't seem to work by flashing the bootloader in the pack. It seems that the bootloader provided assumes that the lvp bit is disabled in the config bit of the mcu, so it expects you to connect the 26th pin of the pic to a pulldown and use it to enable the lvp (instead of using it as an IO). But in the mtx spi, it seems that the pin 26 is used as an IO that goes to one of the J1D2 pins, so things don't work very well.
I'm currently divided between just buying another nand flasher and trying to understand how to write a bootloader and modify the one provided to work with my flasher.

Any of you happened to make a backup of your matrixes before flashing the new firmware?
 
JoinTheResistance
Yup, I'll upload mine in a sec. As for programming the bootloader, you can take a look at this and this programmer.
 
Batoussai
Thanks!
I just discovered that the arduino programmer can't write on all the memory addresses with the software it's currently using. And my limited knowledge of PIC mcus and serial communication means that tomorrow I'll drop by some store and get the components to make a lpt programmer that (hopefully) will write the bootloader and fw without getting me out of bounds errors.... and I guess my plans of finishing my xbox before the weekend were just blown.
 
frenknds

frenknds

Newbie
Messages
11
Reaction score
0
Please help me, I need the original PIC loader file for the matrix usb spi. I don't have it, it is erased, please.
 
D

djr2

Newbie
Messages
9
Reaction score
0
So, does this upgrade to CPLD work or not?
UPDATE: DO NOT CONNECT THE THREE DIODES FROM THE DIAGRAM BELOW. The zener diode should still be connected. If you're having problems without the diodes connect them, but put a 100 ohm resistor on TDI, TMS and TCK. And always check the voltage on the VCC rail, it should be 3.3V. I'll look into this a bit more and post my findings here later.
finally what parts I need.
1 zener diode or 3.3 regulator
10uf capacitor
100 ohm resistor on TDI, TMS and TCK
 
djr2
finally what parts I need.
it's a big difference between these 2 configurations

1 zener diode or 3.3 regulator
10uf capacitor
100 ohm resistor on TDI, TMS and TCK
or
3 regular diodes
1 300 or 400 ohm resistor

1 10uf capacitor (note that the capacitor should be 6.3V or more)
1 3.3V zener diode, like the 1n4728a, or 3.3V regulator

upgrade to CPLD work!!!!
how did you make your own programmer, maybe a photo or describe it in your comments,
it's gonna help me and everyone who reads this

can I use 100 uF capacitor?
 
frenknds
Hi, the schematic works. I use it directly on the matrix, or with the capacitor it works; coolrunner direct to the matrix works, you need the direct points to the matrix, works great. Can you help me, I need the original matrix loader hex please, my matrix usb spi cannot read the xbox nand. I need the original matrix loader.
 
JoinTheResistance
Use the diagram below, if you want to be able to both read nands and use it as a CPLD programmer.
diagram_Copy_2.jpg
 
It might work, but to be safe measure the voltage you get on VCC, it should be 3.25-3.3V. You can also try it without the cap.
 
djr2


[Click here to view this link] is the link to the stock matrix nand flasher firmware.

i have 1 ld33cv TO-220, and i'm gonna build like this diagram

in this case if put 3 regular diodes i need resistor on tms tck and tdi
of course check voltage on vcc
 