Tutorial [RGH/JTAG] How to recover from losing dumps + erasing/corrupting the NAND

JeEnYuS

Gee! and why us?
Messages
599
Reaction score
244
Alternate Title; How to Build a bootable hacked nand image from scratch.

This is a "ONE SIZE FITS ALL" solution.

This tutorial is only for those of you who lost all of your original and hacked nand dumps and erased/corrupted the nand or flashed the wrong image to the nand.


If you find yourself in this situation then this tutorial will walk you step by step to make your hacked console boot again.

Take note that since you lost all your nand dumps, you won't be able to restore your console to retail ever again and you will be unable to use your dvd drive until you extract its key.



Before getting started you will need the following;
  1. USB SPI Nand programmer/eMMC R/W kit (nand-x, jr-programmer, R/W kit for carona 4gb)
  2. J-Runner the ultimate JTAG/RGH app DOWNLOAD
  3. Extracted nand files that match your motherboard model (download below)

Step 1; Recovery of cpu key

  • Download one of the clean extracted .bin packs according to your motherboard model and extract the contained folder to the location of your choice;
Don't use these files to unban your jtag/rgh, first you don't have the original cpu key and second they are all coming from banned consoles. You have been warned!

XENON
ZEPHYR
OPUS/FALCON
JASPER SB
JASPER BB
TRINITY
TRINITY No FCRT
CORONA
CORONA 4gb


  • Open the J-Runner app and click on the "show working folder" button located at the bottom right



  • Open the folder named "data" located inside the /J-Runner/xeBuild/ folders
  • Open your extracted nand files folder and copy and paste KV.bin, SMC.bin, smc_config.bin and fcrt.bin(if required) to data folder. It should look like this.


  • In J-Runner, copy and paste this cpu key F37C0CD50B928F4E67614ACD548A4E49 in the cpu key section.
  • Choose the dashboard version according to your hack type (for JTAG choose 7371 - for phat rgh1 choose 14699 - for R-JTAG choose 15574 - for phat RGH2 choose 14719 - for slim choose anything above 14719)
  • Select your motherboard nand type.
  • Select retail as your image type.
  • It should look like this.
  • In J-Runner under the Advanced tab click on Create an image without nanddump.bin

  • Then you will be asked to enter the LDV; just enter any number between 1 and 80 and click ok.


  • At this point the dummy image should be successfully created and automatically loaded in the "Load Source" section.
  • Now with your nand programmer properly connected to both your pc and motherboard click on "Write Nand".
  • Wait until J-Runner has finished writing the nand and select your "hack type" then click on "Create ECC" for an rgh machine or "Create Xell-Reloaded" for a JTAG/R-JTAG machine.
  • Now click on "Write ECC" or "Write Xell-Reloaded" depending on your hack type.



  • You are now ready to boot xell and recover your cpu key.
  • Disconnect the nand wires from the nand programmer and Power on your console and wait for xell to boot.
  • Once xell has booted, write down your cpu key, fuseset 02 and fuseset 07, 08, 09, 10 and 11
 

JeEnYuS

Understanding and calculating LDV's
  • Calculating the cf/cg ldv is fairly simple. Just count the number of "F" in fuseset 07 to fuseset 11. So in the example above we have a cf/cg lock down value of 2.
  • Understanding cf/cg LDV; This value is directly reflected by the number of dashboard updates a console has had.
  • Calculating the cb LDV can be a little trickier. You have to take the right-most "F" and count how many characters it is from the left. In the example above the right-most "F" is 5 characters from the left so we have a cb lock down value of 5.
  • Understanding cb LDV; Quote from Martin C @ TX
  • This value is NOT updated every dashboard version and is not directly reflected in any apps. However, the value can be translated to a CB/dashboard version. You cannot 'edit' your image to use a different CB for a retail NAND. It MUST match the entry as found in XeLL, otherwise it'll fail to boot.
  • The example above is from a Jasper with a cb ldv cseq of 5 and by looking at the chart below we can determine that the highest compatible dashboard version for building a retail image is 7371.




Step 2; Building the fake OG nand image

  • Now back in J-Runner, enter your cpu key in the cpu key section.
  • Select your dashboard according to your CB LDV cseq (use the above chart to help you)
  • Select Retail as Image type.
  • Select Motherboard nand type.
  • Click on the "Advanced" tab and on "create an image without nanddump.bin"


  • You will be asked for the LDV; this is the cf/cg LDV, so you enter what you have in fuseset 07 to 11 and click "OK"

  • You have now created a fake original nand image. Even though you won't be able to boot your console with this image it would still be a good idea to keep it somewhere safe.
  • With your new image loaded in the "Load Source" section and your cpu key in the "Cpu Key" section click on the "kv info" tab. You will notice that the info in there is obviously not from your console. So now would be a good time, for those who can, to extract your dvd drive key and patch the key vault with the appropriate dvd key.
  • (OPTIONAL) - Once your dvd key is recovered -> Click on the "XB Settings" tab, click on "Advanced XeBuild Options", paste your dvd key in the "dvdkey" section, click "OK" then tick the "Use Edited Options" check box.

  • For DG16D5S and DLN10N owners ONLY - to make your dvd drive function you can;
Install a TX LTU 2 pcb and build LTU firmware using c-r.bin and key.bin which can be extracted from the nand image that we just created.(a DG16D2S pcb works also)
OR
Replace your original drive with a DG16D4S and enable the NO "firmware challenge/response table" "check" (nofcrt) Xebuild patch and you can either flash the D4S drive with the DVD key found in the KV or dump your DVD drive key and patch the KV with this key. (A Phat xbox 360 DVD drive would also work even though form factor is an issue, it can be easily overcome.)
 
Last edited:
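The two counting rules from the post above, as an added Python example (not part of the original post, and not J-Runner or XeLL code). The `fuseset NN: <16 hex digits>` line format, the use of fuseset 02 for the cb rule (inferred from the step that has you write it down) and the sample values are assumptions; the sample is constructed so the results match the 2 and 5 quoted in the post.

```python
import re

# Assumed line format: "fuseset 07: ff00000000000000" (16 hex digits).
FUSE_LINE = re.compile(r"fuseset\s+(\d{2})\s*:\s*([0-9a-fA-F]{16})\b")

def parse_fusesets(xell_text):
    """Return {fuseset number: 16-char lowercase hex string}."""
    return {int(n): v.lower() for n, v in FUSE_LINE.findall(xell_text)}

def cfcg_ldv(fuses):
    """cf/cg LDV: count every 'f' in fusesets 07 through 11."""
    missing = [n for n in range(7, 12) if n not in fuses]
    if missing:
        raise ValueError(f"missing fusesets: {missing}")
    return sum(fuses[n].count("f") for n in range(7, 12))

def cb_ldv(fuses):
    """cb LDV: 1-based position from the left of the right-most 'f'."""
    if 2 not in fuses:
        raise ValueError("missing fuseset 02")
    # rfind returns -1 when there is no 'f', which yields 0 here.
    return fuses[2].rfind("f") + 1

# Constructed sample, not taken from a real console.
SAMPLE = """
fuseset 00: c0ffffffffffffff
fuseset 01: 0f0f0f0f0f0f0ff0
fuseset 02: 0000f00000000000
fuseset 03: 1111111111111111
fuseset 04: 1111111111111111
fuseset 05: 2222222222222222
fuseset 06: 2222222222222222
fuseset 07: ff00000000000000
fuseset 08: 0000000000000000
fuseset 09: 0000000000000000
fuseset 10: 0000000000000000
fuseset 11: 0000000000000000
"""

if __name__ == "__main__":
    fuses = parse_fusesets(SAMPLE)
    print("cf/cg LDV:", cfcg_ldv(fuses))
    print("cb LDV:   ", cb_ldv(fuses))
```

Fusesets 00 and 01 contain "f" characters too, but only 07 to 11 feed the cf/cg count, which is why the parser keys each value by its fuseset number.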

JeEnYuS

Final Part; Building/writing the hacked image

  • With your new fake original nand image loaded in the "Load Source" section and cpu key in the "Cpu Key" section select your hack image type(Jtag - rgh - rgh2 - r-jtag), select your desired dashboard(should be the latest which is 17150 at the moment), select your motherboard nand type. You can also edit dashlaunch and xeBuild options at this point.
  • Click on "Create XeBuild Image". You will see 3 or 4 warning messages appear on screen which will ask you if you want to delete kv.bin, smc.bin, smc_config.bin and fcrt.bin(if present). Click yes on all of them.



  • With your nand programmer properly connected to both your console and pc click on "Write Nand"
  • Boot your console and have fun with home-brews again.
 

Pulse

GatorCheats.com
Verified
Premium
Messages
8,866
Reaction score
5,825
Really helpful tutorial. I'll keep my eye on this.
 

JeEnYuS

Really helpful tutorial. I'll keep my eye on this.

Thanks for taking your time to read it.
Although this situation rarely occurs, it's always good to know how to get out of this mess.
 

Tag Nation

Enthusiast
Messages
215
Reaction score
46
After I complete the whole process and create a new hacked image will the dvd drive key match the nands dvd key? I have already flashed the dvd drive and want to know if it will work with the new image
 

JeEnYuS

After I complete the whole process and create a new hacked image will the dvd drive key match the nands dvd key? I have already flashed the dvd drive and want to know if it will work with the new image

If you already know your dvd drive key then follow these simple steps prior to building the final hack image.

  • (OPTIONAL) - Once your dvd key is recovered -> Click on the "XB Settings" tab, click on "Advanced XeBuild Options", paste your dvd key in the "dvdkey" section, click "OK" then tick the "Use Edited Options" check box.


If you don't have your dvd drive key then you can either dump it using jungle flasher and follow the steps above or you can use the dvd key found in the donor kv and flash your dvd drive with this key.
 

JeEnYuS

i followed this tut and it took a few tries but i got it working, now when my dvd drive is plugged in it wont boot to dashboard or xell, but when i unplug it it boots fine, i know its not the drive cuz i did it with a different drive and it did the same thing (i put in new drive info to jtag before trying)
Console model? DVD drive model?
 

JeEnYuS

well i tried more and it doesnt boot with anything plugged, if i try to boot it with hdd plugged in it give me E68

i tried with my orig dvd drive thats a benq and it gives me E64, i tried it with a different benq and flashed jtag to that info and still E64, and last i tried a lite on and i flashed my jtag to that drive info and still E64
Have you tried replacing your dvd drive power and sata cables? E64 usually points to a bad sata cable or a bad flash.
Do you have another HDD to test on this console or another console to test this HDD? E68 usually means that the HDD is defective.
 

JeEnYuS

Yes i used different drive cables i used the x360usb v2 cables so i know they work and yes i used 2 different hdds and one of them i use all the time so i know its not defective
Does the console boot with a usb stick/drive connected? If yes, does the console detect it?

Might be a long shot but replacing the southbridge could fix this. SATA and USB buses are managed by the southbridge.
 

kroppdogg

Enthusiast
Messages
139
Reaction score
30
This such a great tut. Im running into a issue tho, when i try to make retail image with 7371 i get an error , something about crucial firmware files missing and couldnt read bootxam.xex or something like that. When i look at yur pics above, in the data folder, i have every file except xenon.elf. could that b the issue? Cant find that file anywhere. Also i dont have internet atm so all files ive downloaded to my phone and transfered to my pc. Also if i choose dash 15574 it will work and build image butnot boot up console. I have a xenon jtag. Thanks in advance for any help
 

kroppdogg

Ya im ready to run my head thru a wall. No matter what i do i cannot make retail 7371 image in part one of this tut. If anyone has any suggestions please let me know. I have a xenon jtag. Not sure what dssh it was on and ive lost all orig dumps i think i have cpu key. Idk. Very frustrated. Thanks
 

JeEnYuS

Ya im ready to run my head thru a wall. No matter what i do i cannot make retail 7371 image in part one of this tut. If anyone has any suggestions please let me know. I have a xenon jtag. Not sure what dssh it was on and ive lost all orig dumps i think i have cpu key. Idk. Very frustrated. Thanks
Can you download files through your phone? If yes I'll provide you a download link for the 7371 xebuild files.
 

kroppdogg

Yes i can. I have the 7371 files but maybe they are incomplete.def wanna see what u got/link me to. Also i started working on another console to get a break from this one and was using jungle flasher like i have a million times b4 and i started getting these unhandled exception errors like i was on j runner. I literally used JF thousands of times probly and have never ever had any kind of problems with it. Wouldnt detect my drive or via port for that matter. Even blue screen crashed my pc twice. So now im starting to think its my pc, like something has gone wrong somehow. Im in the process of switching out pc's and will see what happens. Im using a 64 bit pc switching to 32. See if that helps. Still want to check out the files u are talking about tho. It would b much appreciated. Thank u for the reply
 

JeEnYuS

Yes i can. I have the 7371 files but maybe they are incomplete.def wanna see what u got/link me to. Also i started working on another console to get a break from this one and was using jungle flasher like i have a million times b4 and i started getting these unhandled exception errors like i was on j runner. I literally used JF thousands of times probly and have never ever had any kind of problems with it. Wouldnt detect my drive or via port for that matter. Even blue screen crashed my pc twice. So now im starting to think its my pc, like something has gone wrong somehow. Im in the process of switching out pc's and will see what happens. Im using a 64 bit pc switching to 32. See if that helps. Still want to check out the files u are talking about tho. It would b much appreciated. Thank u for the reply

http://www.mediafire.com/download/dk9r59a9auariuk/J-Runner.rar
 

kroppdogg

Ahh dude, thank u so much. I have nothing like that and a couple of those files i dont have. Cant wait to get home and try these. Again thank u.
 

JeEnYuS

Ahh dude, thank u so much. I have nothing like that and a couple of those files i dont have. Cant wait to get home and try these. Again thank u.
I'm curious, did you manage to fix your J-Runner problem?
 