Xbox 360 Programmed CPU (all fuse sets are 0 except Fuse00)

Discussion in 'Xbox 360 Support' started by devilhunter1990, Apr 4, 2019 with 22 replies and 807 views.

  1. devilhunter1990

    devilhunter1990 Enthusiast

    Messages:
    276
    Ratings:
    32
    Greetings,

    A 4-5 months ago I posted a thread (now it has been archived https://www.se7ensins.com/forums/threads/new-xbox-cpu-with-0-efuses-all-fuses.1736634/) on how to setup a unprogrammed Xbox 360 (phat) as a dev unit, Im redoing the same but to make it as retail with 0 LDV, in other words you can run a blade dash / NXE retail and possibly run Jtag hack on it! Long story short, I was shocked when I found ebay listing for old dashboard consoles being sold 300$+ and decided to buy the CPU for 20$ and try it myself.

    Now Im trying to boot a retail dashboard for this new CPU but with no avail, I can however, run devkit image through RGH2 . I assume this has to do with LDV and CFLDV .





    Note that my CB LDV looks like FuseSet 02: 00000000F

    Even though the recovery disk is dated in NOV 2008, it setup my cpu with CB LDV 8, now I believe Im stuck.

    Here is the steps I followed,

    1- RGH 1.2 or RGH2 install
    2- Run a devkit image (use Xecuter's Fusion 1.09)
    3- Insert XenonRecoveryDisk once the dashboard is booted ( it wont launch otherwise and kernel panic)
    4- You can now set the console as devkit or as a retail (press Y for retail)
    5- The console now will reboot
    6- If you are using a slim console then you are fine, if you are running it on FAT, the console now is bricked (black screen) .
    7-Creat ECC for RGH2 and write it
    8-you will be greeted with Xell with all with a new CPU key ( CPU fuse line isnt 0 now)
    9- ???????


    This is where Im stuck, I do have all information but cant run any retail dashboard.


    please share your thoughts.

    Many thanks!

    =============P.S=============

    at step 4, if you go for a dev option, Fuse02 will be intact and reports all 0s. and you can run any remote recovery or recovery disk and install the latest leaked ver. of XDK. You can also remove all wires for both glitcher and nand reader.

    I have one last unprogrammed CPU at hand if someone have a clue on how to modify recovery disk to burn certain fuseline.
     
    • Like Like x 4
    Last edited: Jun 10, 2019
  2. OP
    devilhunter1990

    devilhunter1990 Enthusiast

    Messages:
    276
    Ratings:
    32
    If I can run say any dashboard 7371 or below through RGH2 then I use a retail update, will it fail the CB LDV?

    I also tried to run it with R-Jtop (R-Jtag) with AUD_Clamp, it doesnt work at all.
     
    Last edited: Apr 4, 2019
  3. OP
    devilhunter1990

    devilhunter1990 Enthusiast

    Messages:
    276
    Ratings:
    32
  4. OP
    devilhunter1990

    devilhunter1990 Enthusiast

    Messages:
    276
    Ratings:
    32
    Will do something in the near future, have to get some extra time
     
  5. truemaster

    truemaster Newbie

    Messages:
    18
    Ratings:
    7
    thats cool. a real way to downgrade xbox 360 and make it jtagable.i would like to know more. how to burn efusses for retail one? the cpu key? can i manualy burn an exact same one like the rgh2 cpu i have? or a new one will be created here an exaple of what i mean
    my current one
    fuseset 00: c0ffffffffffffff
    fuseset 01: 0f0f0f0f0f0f0ff0 retail flag
    fuseset 02: 000000f00f0f0000 3f means rgh1.2-rgh2-r-jtag
    fuseset 03: 1111111111111111 not my real key obviously
    fuseset 04: 1111111111111111 not my real key obviously
    fuseset 05: 2222222222222222 not my real key obviously
    fuseset 06: 2222222222222222 not my real key obviously
    fuseset 07: ffffffffffffffff f here nean burn efusses
    fuseset 08: ffffffff00000000 total 24f=ldv24
    fuseset 09: 0000000000000000
    fuseset 10: 0000000000000000
    fuseset 11: 0000000000000000

    and i aim for this
    fuseset 00: c0ffffffffffffff
    fuseset 01: 0f0f0f0f0f0f0ff0 retail flag
    fuseset 02: 000000f000000000 1f for jtag
    fuseset 03: 1111111111111111
    fuseset 04: 1111111111111111
    fuseset 05: 2222222222222222 if possible the same cpu key as my old cpu
    fuseset 06: 2222222222222222
    fuseset 07: f000000000000000 1f=ldv1 up to 7371 official dash i think
    fuseset 08: 0000000000000000
    fuseset 09: 0000000000000000
    fuseset 10: 0000000000000000
    fuseset 11: 0000000000000000

    but if there is no way to generate an exact cpu key how to create a new kv? and were i can find 0ldv cpus?
    i just cant stand people sell unoppen consoles really high in prize just because are jtagable. tis find is amazing
     
    • Like Like x 1
  6. truemaster

    truemaster Newbie

    Messages:
    18
    Ratings:
    7
    ive made a little research. since there is no kv for your new cpu you cant run retail only hacked image. there is a tautorial for that its called how to create a new nand when lost everything. your fuseset 02 has retail flag and 03 has 1 f that means a jtag and a jtag hacked image with 0 ldv would work i believe
     
  7. OP
    devilhunter1990

    devilhunter1990 Enthusiast

    Messages:
    276
    Ratings:
    32
    There are two LDV(s)

    1- CB LDV & the second is CF LDV.

    The original SMC hack "J-tag" is based on a bug in CB part of the boot loader, my approach doesn't tackle burning CB LDV fuse value through using Xell ; for example. Unprogrammed Xbox 360 CPU (all values are 0) can boot either a special manufacturer mode through which CPU key is undefined and all values are 0s. But, it can only boot a dev kernel and possible a debug kernel if it ever exists. I should also note recovery disk has the algorithm to generate a valid CPU key for your CPU and also if you have DVD rom connected, the key is regenerated and the DVD rom is remarried.

    The first line Fuse 01 determines whether your console is dev or retail, the third line is CB LDV and the rest is CPU key and CF LDV, if you can manage to run a dev dashboard like TX Fusion's through RGH2 / RGH1 of course , then by rnning a dev recovery disk then you get the option to either set the CPU as Dev or Retail , going for dev will leave CB LDV fuse line intact and it will burn the Fuse01 as a dev unit. If you however set it as a retail, it will set the CPU accordingly but CB LDV is determined by the hacked image you can use (in my case Fusions, and this fusion is running dashboard 13xxx and thus I got CB LDV of 8). If this CB LDV can be modified in the memory during the update , then yes you can have a blade dash running on this new CPU.

    Note that you cant run a retail dashboard even through building a patched retail dashboard using Xebuild the console simply RROD.

    To program those CPUs to run a retail low dashboard requires you to either run a very old and patched Dev Dashboard then run recovery disk , or maybe patch XeBuild image to bypass Fuse01 that of retail/Devkit (Im not really sure if Xebuild by passes fuse01 already).

    I found a 7371 with patched bootloaders to run on RGH1, will test this and hope it can run this crazy CPU ( I still have one in my inventory).
    My goal is to reduce the number of ebay listing of 300$ + Jasper consoles running blade dash / NXE dashboards.

    Id rather to play some Xbox 360 games than figuring out how to run this **** XD
     
  8. truemaster

    truemaster Newbie

    Messages:
    18
    Ratings:
    7
    i cant agree more 300 for a blade dash or nxe box is overpriced. i have a jasper rgh1.2 that works fine. and a falcon rgh1 i would like to do some play and this cpu swap on falcon but only if can became jtgable. the way i see it that method make rgh1 cpu not jtag sadly but maybe xell can but dont know how to make it burn fusses as desired
     
    Last edited: Apr 21, 2019
  9. OP
    devilhunter1990

    devilhunter1990 Enthusiast

    Messages:
    276
    Ratings:
    32
    I bought a console for 10$ , it was a jasper with mfg 11th June 2009 with a damaged case to swap the cpu and redo the same but

    [​IMG]

    [​IMG]

    It has an exploitable cb....

    The drive was stuck firmly, got it fixed and the console is hardly been used, the poor kid tried to dismantle the Xbox.

    The irony is I could t find jtagable xbox when I was looking for one !
     
    Last edited: May 22, 2019
  10. truemaster

    truemaster Newbie

    Messages:
    18
    Ratings:
    7
    ha irony indeed. but if you mange to make any xbox phat jtagable with cpu swap let meknow
     
  11. OP
    devilhunter1990

    devilhunter1990 Enthusiast

    Messages:
    276
    Ratings:
    32
    Once again I bought another console, swapped the CPU and I tried to flash it with a devkit nand dump to see how it will behave, still getting an RROD, you cant pass CB identification confirming what ddxcb had previously mentioned.

    I wonder what will happen if you bridge the points responsible to blow e-fuses or remove resistor R6T3 and then you run devkit recovery disk? in my understanding R6T3 is only responsible for CB LDV or other parts of e-fuses?


    The 0 CPU can only boots dev kernel for some reason, I read somewhere in Free60 that there is a special kernel for the 0 CPU to load. For some reason, dev kernel doesnt halt 0 CPU to load.

    I can load retail kernel if you "shadowboot" with a retail kernel bear in mind it will halt in XAM as well & also when you update your kernel when using shadow boot, the CB counter will increase according to the Nand CB not the shadowboot's. In other words, an RGH dev kernel of Dashboard 6xxx or 7xxx is needed to burn e-fuses & CB correctly.

    I will be stuck here for a while I guess.
     
    • Like Like x 1
  12. ddxcb

    ddxcb Contributor

    Messages:
    1,639
    Ratings:
    262
    The R6T3 is for the eFuse for all the fuses.

    the reason retail fails to boot if the fuses isnt set up correctly. dev ignore most of the checks, hence it can boot with mostly blanked fuses.
     
    • Like Like x 1
  13. OP
    devilhunter1990

    devilhunter1990 Enthusiast

    Messages:
    276
    Ratings:
    32
    actually Jtag Xell is working on this 0 CPU. Im trying to build a devkit img with of course a jtagable CB and then if I run the recovery disk it wont screw up my CB LDV again.

    Benjamin Rush

    there is no need for you to use RGH-2 on a your console (zephyr) when Xell (jtag img) can load normally even when the CB LDV is 0.
     
  14. OP
    devilhunter1990

    devilhunter1990 Enthusiast

    Messages:
    276
    Ratings:
    32
    And thanks a lot sir, you saved me lot of trouble.

    How you have this much insight of the subject !?

    Clever boy
     
  15. OP
    devilhunter1990

    devilhunter1990 Enthusiast

    Messages:
    276
    Ratings:
    32
    Got a question here, any idea how to reassign a KV of a devkit image with a 0 KV? RGL sadly refuses to build an image with 0 CPU key in it. Also, why an RGH2 0 KV Devkit image boots normally when a Jtag 0 KV devkit image stucks somewhere? I tried R-Jtag to by pass old CB authentication still fails and yields black screen (Xell works however)
     
  16. OP
    devilhunter1990

    devilhunter1990 Enthusiast

    Messages:
    276
    Ratings:
    32
    Update:

    Managed to create a Dev img using Xebuild, I have used the provided sample dev ini, but I used the latest dev bootloaders and patched the latest file system.

    I tried it the system gives E79

     
  17. OP
    devilhunter1990

    devilhunter1990 Enthusiast

    Messages:
    276
    Ratings:
    32
    Update:

    I can now run a recovery disk on this 0 CPU, I have to take a a nand dump of an OLD DevKit Image and rebuild it so that when I select retail option via recovery disk the new CB will be Jtagable and aslo can run "blade dash" and older firmware.

    For those who have bricked there XDK, they can flash this image and through recovery disk, make sure to insert the disk before powering on the console.

    Also as a bonus, you can have my xebuild dev image folder and if you want to build your own image.

    [Click here to view the link]

    Devkit Xebuild folder (just place it in xebuild folder)

    [Click here to view the link]
     
    Last edited: Jun 13, 2019
  18. OP
    devilhunter1990

    devilhunter1990 Enthusiast

    Messages:
    276
    Ratings:
    32
    Finally Im able to run 6719 Dev Kernel on this crazy unprogrammed CPU.

    This is Xebuild output & dashboard pictures, note for some reason BootAnimation.xex is crashing, thus you have to wait for the xbox to run Xam then you can insert the recovery disk.

     
  19. OP
    devilhunter1990

    devilhunter1990 Enthusiast

    Messages:
    276
    Ratings:
    32
    But for whatever reason, the devkit recovery disk gives you the option to flash your console as Retail Or Devkit, I have selected Retail but then this has happened



    it burnt Fuse01 as a devkit for some bulls*** reason.

    at this point custom patches for xebuild is required to build retail CB with sc,sd,se dev bootloaders and file system; this has been done by Xecuter Fusion's team.

    I tried fusion's Jtag img on 0 CPU and it just black screen no post and console doesnt reboot. and I dont think recovery disk was booting.
     
  20. ddxcb

    ddxcb Contributor

    Messages:
    1,639
    Ratings:
    262
    I thought the recovery disk option for either dev/retail was just modifying dashboard.xbx (might get the name wrong) to set to xshell.xex for dev or dash.xex for retail.
     
    • Like Like x 1

Share This Page