Tutorial RGH 3.0 Guide - Phat + Slim - Includes Quick Tool!

arxxor
Hey there,
Can I find any details about the RGH3? Like how the RGH3 actually works or what the wiring actually does?
 
xXBeefyDjXx
You're best off looking into understanding how the "Reset Glitch Hack" works in the first place.
There are writeups about this online on the ConsoleMods wiki and a few other locations.
Essentially, RGH3 works in the same way as any other Reset Glitch Hack using timings, but instead of using an external mod chip with clock generation to apply the reset to glitch the CPU, we use the SMC built into the console instead. This is achieved by injecting some extra code into the bootloader.
 
arxxor

Thanks for your help, man.

So essentially, we use the POST Bus to identify the exact moment where the CPU starts checking the code signature. This is done by the SMC. Once we know that, we slow down the CPU-Clock using the PLL. This way, we can precisely time the exact moment to send our CPU-RST signal and glitch the signature verification. All this is done by the SMC. What I don't understand is:

- How can we change the behavior of the SMC before we actually glitch the signature checks?

- How exactly does the PLL work?
 
xXBeefyDjXx
The behaviour of the SMC is determined by a modified section of code in the early-stage bootloader; the code is basically what would usually be on a mod chip.
The early phase isn't protected against much modification, as far as I understand it, so it can within reason be pushed to do some things.

PLL = Phase Locked Line. This is essentially the point of reference for the CPU's clock generator to generate the clock speed called for at any point, so by interrupting the signal we can slow down the CPU and pulse CPU-RST in the hope that it "hops" over the sigcheck and pulls a true result, allowing the console to proceed to boot the modified 2BL and go from there.
 
gordsa
Harvested a 10k resistor from a faulty acev3 and couldn't get my Trinity to boot. Found an old PS4 Slim PSU and pulled a 4.7k resistor from it and instantly got consistent insta-boots. Very happy.
 
deavon
I am getting "Console Not Found" on two Trinity consoles. PLEASE HELP!

Octal450’s J-Runner with Extras v3.2.2-r3
PicoFlasher v3.0 (2022-02-23)
Pi Pico W

I have verified continuity w/ my multimeter on all NAND leads from board underside NAND traces to the Pico GPIO end. Same w/ Post & PLL.

Running JRunner w/ Pico connected to PC & Trinity console w/ passive Xbox power, I click the ? and Jrunner gives me 0xFFFFF... + Console Not Found.

Thanks!

EDIT: Clicking image below sometimes doesn't show image. To fix, copy the page URL and load into a new window / tab.
EDIT2: Sorry! Just saw the support rules, but can't delete this post. You all are brilliant, BTW.

 
xXBeefyDjXx


It's a common problem with attempting to use PicoFlasher. It's not very stable even if you have a perfect installation of wires to the appropriate points.
I ended up using an XFlasher, but you can use one of the 4GB NAND to SD readers if you want to do it on the cheap; that method is tried and tested.
 
Benjjzxcv
Best method yet!!

Go with an XFlasher, perfect every time, or an MTX flasher.
 
QuantumOfSolace
You can also try trimming the wires down to 10cm on the PicoFlasher.
I've also had issues with it and found that trimming the wires to be no longer than 10cm did the trick for most of the units I've read NANDs from (14 so far, mostly Falcons and Xenons, but every once in a while I'd get a Jasper in). Before that, I'd also get bogus NAND reads or no console detection at all unless I was keeping the Pico at an awkward angle (USB-C version) enough for it to detect the console.
 
juthegame
Thanks for the tutorial. Just want to know how reliable this method is compared to 2.1.
 
QuantumOfSolace
The most I've seen about RGH is if it's a phat, stick with 1.2 or EXT_CLK, if slim go for RGH3.
Reason is that RGH3 tends to stop glitching on phats - not sure what causes this?

So the quick answer would be that if phat - 1.2v2, if slim - 3.
 
xXBeefyDjXx
There are three major players in the RGH:
Wires: The shorter the better, but placement matters too. Unshielded wires placed in busy areas are often less reliable due to interference.
Resistance: Limits current, mainly to smooth out the signal, and also helps to protect the circuits.
Timings: Every board type has slightly different timings. Due to the nature of the exploit, the timings are generalized to board type but should be "tuned" for that particular console. This isn't really done too much now, and only really matters if you really want to fine-tune that instaboot.

Some CPUs are more prone to exploitation than others, too. It's a silicon lottery.
 
Manaboy
Need some help, guys. From the identification I have identified I have the trace existing Corona version 2 4GB, tiny NAND thing on top and the actual NAND flash underneath. Trouble is, the NAND reading and flashing points don't look the same as in the guide.
 
scottD1503
Post some pics of your install and mobo and someone will advise.
 
soilengreen
Optimized installation RGH3 Trinity

 
bzaah
I found an alternative to soldering to the via below the APU, if you prefer. DB5R4 is the reference: it's the through-hole point with the big trace next to the diode on Trinity CPU_PLL_BYPASS.

finder VOIDZP / Bzaah
 