Odd's ultimate jtag guide!
Posted:
Stickied by SPEED - Dec. 24, 2010
NinjaDefuse Edit: Moved to JTAG Tech/Guides
ToxxicJtag's infectable mod menu on cod4:
ToxxicJtag Thread
My partner:
ToxxicJtag
ToxxicJtag account
How to put a patch onto your jtag.
Some extra info on jtags.
Vouches.
WHAT JTAGS CAN DO OTHER THAN HOST TENTH LOBBIES
History of jtags.
How did jtags all start.
How to JTAG your Xbox 360 and run homebrew
Finding out if your Xbox is exploitable
Getting your parts
Soldering the cable
Dumping the nand
Testing if it's exploitable
Extracting the keyvault, injecting and flashing XBR
My avatar is only a silhouette!
As most of you all know, jtags are patched online, but this is just to help offline and whatnot. Please comment and thank if this helps (you don't have to thank, it's optional).
JTAGS
What a Jtag is
How to get Xex menu
You need the Xex menu download.
A content folder on your HDD.
Flashing your KV
Updating to the Kinect Dashboard:
How to extract a .iso and play it
Getting around AP2.5
How to put DLC on a Jtag
Retrieving our license key
Adding emulators to your jtag
Installing Roms to your Emulators
Mw2
Cod black ops.
Jtagged xbox 360
Black ops on your HDD
A modded.xex
The cfg's
1. Get your modded Xex and your cfg's.
2. One by one, drag them into your Black Ops folder. Do this on the computer.
3. Plug your HDD back into your Jtag.
4. Go to Xex menu, games, Black Ops and load the modded .xex.
5. Go to system link (you need an internet connection, not Xbox Live; can be done with a banned Jtag).
6. Create match, change map and game mode.
7. Start.
Note - depending on what patch you have it will be different, so I can't put how to get it to work, as there are different patches that work differently.
Free style dash
Framework 4 .NET installer.
How to .map Mod Halo 2 on a JTAG'd Xbox 360.
See the image below.
Then you are done, have fun and enjoy. By callum.
Left for dead 2 modded using USB/TRANSFER CABLE
Controls are as follows:
Have fun, hope you enjoy this tut.
If you need help with anything, PM me and I will do my best.
How to put a patch onto your jtag.
Requirements:
1. A USB flash drive
2. A patch_mp from your desktop.
In this tutorial I will be telling you the correct way to do it.
First open up your USB folder on your computer.
On your computer do the following,
- Go to My Computer
- Click your USB
Next step,
You will need to drag your patch into your USB folder. Nothing fancy, just drag and drop the patch_mp.ff
Something I do is put each patch into a folder, labeled with the name of each patch.
Each folder contains the correct file ( Patch_mp.ff )
NOTE ~ You CAN put folders on your JTAG.
Now remove your USB from your computer and plug it into your JTAG.
Next, load up XEX loader.
Next, if your USB isn't showing, press ~X~. It should give you a list of Memory Devices to choose from.
-USB1
-HDD1
-HDD2
-I forget this one ( I'll update later )
Go to USB and highlight the patch_mp.
Next, you need to highlight the patch_mp.ff and press ~Y~
- Once you've pressed ~Y~ a list comes up something along the lines of this.
-Copy
-Delete
-Paste
-There's more, but that's the general idea. ( Will update later )
Once you are there, you want to copy the patch.
After you copy there should be a thing in the top screen that says USB/COPY/patch_mp
- When you see that then you know you copied it.
After that you will click the right bumper until you find HDD1.
Next, Click ~X~ again to prompt you with the memory devices.
- Click HDD1
After that, find your MW2 folder. I have my MW2 folder located in content. ( Don't ask me why, I just do )
Once you've clicked the MW2 folder, you should have a lot of junk there. That's good, now paste your patch_mp.ff into that folder. ( Press ~Y~ for the list again )
It should prompt you asking if "you want to confirm this crap"
Obviously click ~CONFIRM~
Credit is given to TheModdingHut.
Some extra info on jtags.
What's the best Jtag to get?
If you are looking for a Jtag, and you don't know what type to get, I have made this list of Jtags and abilities.
I have seen a few questions of which Jtag to get. I have also seen "Can I Jtag my Xbox with a USB?"
This is not possible, as a Jtag runs unsigned code which allows you to do whatever you like to the game, which is run emulators, run homebrew games, RTH (Real Time Halo), CoD 4 lobbies. There is a lot to do with Jtags.
Let me get started with the Jtags:
Xenon: Probably the most commonly used Jtag, reason being that it takes Type 1 and Type 2 KeyVaults. Tends to heat up too much, not recommended for offline use. Microsoft's first Xbox to launch, uses a 203W PSU.
Zephyr: Related motherboard to the Xenon, but has an HDMI video output for better quality. Zephyr doesn't really have a great name considering it heats up as much as a Xenon.
Falcon: Big impact on the RRoD fix, tends not to heat up as much. Uses a 175W Power Supply Unit (PSU). Recommended for offline use, but still eligible for online use.
Opus: This motherboard is not really sold as a Jtag as they were replacements for unfixable Xenons. Although this Xbox lacks its HDMI output, it is very similar to the Falcon.
Jasper: Most reliable Jtag to get, as these are very rare and go for a lot of money.
How can I tell what KVs my Jtag take?
There are only two types of KeyVaults...Type 1 and Type 2.
Xenon: Only Jtag that can take Type 1 and Type 2 KeyVaults; this is the reason why Xenons are so very popular for online use.
Zephyr: Takes only Type 2 KeyVaults (Although, someone here stated that their Zephyr can take Type 1 and Type 2?)
Falcon/Opus/Jasper: These Jtags take only Type 2 KeyVaults, most people use these for offline use and rarely online use.
Can I downgrade my Xbox?
No, this has been asked so many times; you cannot downgrade a retail Xbox from the 9199 dashboard to a <7371 dashboard. Why? Because the 8498 kernel blows your e-fuses.
How much do different Jtags cost?
Various types of Jtag cost different amounts.
1. Xenon
Banned $140 - $160 (varies by seller)
Unbanned $160 - $200
2. Zephyr
Banned $160 - $210
Unbanned $210 - $250
3. Falcon
Banned (Possibly the same as Zephyr)
Unbanned (Possibly the same as Zephyr)
4. Jasper
Banned $250 - $300
Unbanned $300 - $400
I am going to get a Jtag so I can host Modern Warfare 2 lobbies
This is NOT recommended considering that, you can do much much more with a Jtag. If you are going to get one for MW2, you will just be wasting money. There are plenty of other games you can mod and have fun with. Also, try to be familiar with Xexmenu/how to use patches/etc. before actually buying a Jtag, because I see way too many people buy a Jtag and ask questions later.
Hope this clears up the confusion.
Vouches.
TTG_GawLey wrote very nice info post bro, hope you get some thanks for it
Very good Post I hope you get stickied this could really help some people !
TTG_RANGER wrote Very nice post. :thumbsup:
JakeUK wrote Amazing work dude, I'm shocked! :O
Never knew you were capable of this.
Keep it up bro, and keep it updated!
Great job, I'll say it again quite happily. 8)
iCobra wrote Nice post bro! Good job!
TTGxM40SNIPES wrote Very good post i think we need a sticky on how to jtag your xbox, i would sticky this if i was a mod. + info
bradleyw wrote nice post thanked nice job on gettin stickied
Blaze_k2 wrote woww nice post STICKED
-HAX0R- wrote Someone deserves a sticky!!!!!!!!!!
KRoNiKzMoDzZ wrote great post dude keep it up thanks for helpin the community
vSonicZ wrote holy crap, this needs a sticky. amazing tut. keep it up bro. Thanked topic.
WHAT JTAGS CAN DO OTHER THAN HOST TENTH LOBBIES
They can have custom dashes such as the Free Style Dash, which can be downloaded below.
They can change the speed of the fan with Free Style Dash.
They can modify accounts and certain files by hard drive.
They can share certain modifications made to a game with other people (i.e. infections, and you all know tenth as well).
They can copy games and play them with no disc inserted.
They can download trial games from XBLM and unlock them fully for free.
They can mod any game played on a Jtag, i.e. GTA, BO, MW2, COD 4.
They can customise the LEDs with Free Style Dash; they can change to all red, orange etc.
They can run classic emulators such as Game Boy Color, Game Boy Advance, Nintendo DS etc.
They can copy full movies to the hard drive and never use the disc again.
They can play original Xbox games without a hard drive.
They can unban you after being banned by MS.
They can add content to games that would not be there normally.
They can FTP to your Jtag through Free Style Dash.
Credit goes to TTG_DeEste for this, thanks for the help.
History of jtags.
All credit goes to Jeffrey42360 for letting me use this.
free60 project came up with the original SMC hack.
it took them 4-5 years to present what we now know as the SMC hack.
the xbox360 was launched early 2006. free60 project was able to present the original exploit at 23c3 in dec. 2006.
free60's goal was to run linux, not to support piracy.
therefore (iirc) they got in touch with microsoft in order to convince them to hand out some sort of linux boot dvd.
if MS would accept, free60 would not release the hack (to prevent piracy).
MS refused and fixed the exploit (which by that time was known as the KK-exploit (King Kong)).
around that time, Microsoft made first use of the EFuses (which they kept as an optional countermeasure against hacks) to prevent downgrading to a vulnerable system dash (kk-exploit).
it took the free60 project ~3 more years (summer 2009) to find another security hole.
this new vulnerability is based on the original KK-Exploit.
they announced the new hack, yet they were lacking a practical use.
~oct/nov 2009 xell was released. (purpose = linux)
about that time the first rebooter showed up (xbr).
the intention was to use the benefits of both worlds: boot into linux and still be able to play games.
in the end it is mainly used for piracy.
free60 project was disappointed with the rebooter release (goal = linux)
and some more famous members left.
i don't know details about the whole free60 project team,
they had some more/less popular members who showed up at
conventions and held presentations. again, their goal was to enable
linux on the xbox360 WITHOUT enabling piracy.
the most popular members of free60 are
Felix Domke (tmbinc) and Michael Steil.
How did jtags all start.
Note: only read this if you can be bothered, there's a lot. Credit goes to xbox-360 hacks.com.
How does this all work?
To understand this new hack, let's first look at what made the KK exploit possible: A fatal bug in the Hypervisor's Syscall Handler, introduced in the 4532 kernel update.
The KK exploit exploited the kernel bug by modifying an unsigned shader to do a series of so-called memory exports, an operation where the GPU can write the results of a pixel or vertex shader into physical memory. The shader was written to overwrite the Idle-thread context to make the kernel jump at a certain position in memory, with some registers under our control.
In order to control all registers, a second step was necessary, this time by jumping into the interrupt restore handler. This finally allows all CPU general purpose registers to be filled with determined values. The program counter could be restored to a syscall instruction in the kernel, with register values prefilled so that they would trigger the exploit.
The exploit basically allows jumping into any 32-bit address in hypervisor space. To jump into an arbitrary location, we just used a "mtctr, bctr"-register pair in hypervisor, which would redirect execution flow into any 64-bit address. This is important, since we need to clear the upper 32bit (i.e., set the MSB to disable the HRMO), since the code we want to jump to is in unencrypted memory.
This code would usually load a second-stage loader, for example XeLL, into memory, and start it. XeLL would then attempt to catch all cpu threads (because just the primary thread is affected by our exploit), and load the user code, for example from DVD.
So, the following memory areas are involved:
- Idle Thread context, at 00130360 in physical memory
This stores the stack pointer (and some other stuff) when the idle thread was suspended. By changing the stack pointer, and then waiting for the kernel to switch to the idle thread, the stack pointer can be brought into our control. Part of the context switch is also a context restore, based on the new stack pointer.
- Context restore, part 1, arbitrary location, KK expl. uses 80130AF0
The thread-context restore doesn't restore all registers, but lets us control the NIP (the "next instruction" pointer). We set up NIP to point to the interrupt context restore, which does a SP-relative load of most registers.
- Context restore, part 2, same base location as part 1
We just re-use the same stack pointer, because the areas where the first context restore and the interrupt context restore load from do not overlap. The second context restore allows us to pre-set all registers with arbitrary 64 bit values.
- The HV offset, at 00002080 for syscall 0x46 on 4532
Because of the HV bug, we can write this offset into unencrypted memory, giving us the possibility to jump into any location in the hypervisor space (i.e. with a certain "encryption prefix"). We usually write 00000350 here, which points to a "mtctr %r4; bctr" instruction pair in hypervisor, which lets us jump to %r4.
- Our loader code, at an arbitrary location
This code will be executed from hypervisor. It's the first of our code which will be executed. %r4 on the syscall entry has to point to this code.
Only the idle thread context and the HV offset have fixed addresses. It's easily possible to merge this so that only two distinct blocks need to be written into memory, but it's not possible to merge this into a single block.
Fortunately, the NAND controller allows doing DMA reads where the payload data is split from the "ECC"-data. Each page has 512 bytes of payload, and 16 bytes of ECC data. Thus, a single DMA read can be used to load all required memory addresses. We chose the Payload to read the Idle Thread Context, the Context Restores and the loader code. The ECC data will carry the HV offset.
To do a DMA read, the following NAND registers need to be written:
ea00c01c Address for Payload
ea00c020 Address for ECC
ea00c00c address inside NAND
ea00c008 command: read DMA (07)
The System Management Controller (SMC) is an 8051 core inside the Southbridge. It manages the power sequencing, and is always active when the Xbox 360 has (standby or full) power applied. It controls the frontpanel buttons, has a Realtime clock, decodes IR, controls temperatures and fans and the DVDROM tray. It talks with the frontpanel board to set the LEDs. When the system is running, the kernel can communicate with the SMC, for example to query the realtime clock, open the dvd-tray etc. This happens over a bidirectional FIFO (at ea001080 / ea001090). See the XeLL SMC code for details.
The SMC can read the NAND, because it requires access to a special NAND page which contains a SMC config block. This block contains calibration information for the thermal diodes, and the thermal targets etc. The 8051 core has access to NAND registers, which are mapped into the 8051 SFRs. It uses the same protocol as the kernel uses, so it writes an address, does a "READ" command, and then reads the data out of the "DATA" registers.
It could also do a "READ (DMA)"-command. So by hacking the SMC, we could make the box do the exploit, without any shader - the SMC can access the NAND controller all the time, even when the kernel is running (though it will likely interfere with the kernel). So, we just trigger the DMA read when the kernel has been loaded, and everything is fine.
Right?
Well, that would be too easy. While most NAND registers are mapped, the DMA address registers (1c, 20) are not. We can DMA, but only to the default address of zero (or wherever the kernel last DMAed into). Fail.
The GPU, the (H)ANA (the "scaler" - which in fact doesn't scale at all, it's "just" a set of DACs, and, since Zephyr, a DVI/HDMI encoder), the Southbridge and the CPU have their JTAG ports exposed on the board. They are unpopulated headers, but the signals are there. CPU JTAG is a different (complex) story, and SB JTAG doesn't offer much functionality. ANA JTAG is boring since the ANA doesn't sit on any interesting bus. That leaves GPU JTAG.
GPU JTAG was reverse-engineered until a point where arbitrary PCI writes are possible, up to a certain point. So that makes it possible to talk to each PCI device in the system, including the NAND controller. So we can simply use THAT instead of the SMC to start the DMA?
Right?
Well, not quite. The problem is that the "VM code", the code which does a lot of system initialization, like the memory (that code is also responsible for generating the 01xx "RROD"-Errors), sets a certain bit in some GPU register, which disables the JTAG interface. The VM code is executed way before the kernel is active. So this is fail, too.
But the combination works - by programming the DMA target address via JTAG, and launching the attack via SMC. The attack can be launched as soon as the kernel is running, and quite early, it does query the SMC for the RTC. We abuse this call to start the attack instead, which is a perfect point for us.
But how do we run an exploitable kernel at all? Most machines are updated already. Let me refresh your knowledge about the boot process again:
1BL (Bootrom)
Buried deep inside the CPU die, this ~32kb of ROM code is responsible for
reading the 2BL from NAND-flash and decrypts it into the embedded SRAM in the
CPU. It verifies the hash of the decrypted image with a signed block at the
beginning of the 2BL, and will stop execution if this hash mismatches. This
code also contains a number of test functions, which can be activated by
pulling the 5 "POST IN"-pins, which are available on the backside of the
PCB. None of these tests looks particularly interesting (from an exploitation
perspective) - they mostly seem to be related to the FSB (the bus between
CPU and GPU). This code is fixed, and all systems use identical code here.
2BL ("CB")
This code is usually located at 0x8000 in NAND flash. It's decrypted by 1BL,
and runs from internal SRAM.
It does a basic hardware initialization, and contains the "fuse check code",
which verifies the "2BL version". The fuses store the expected version.
The 2BL stores a "Version" and an "AllowedMask" (=bitfield), and
this is usually stored at address 0x3B1 / 0x3B2..0x3B3.
Xenon Zephyr Falcon Jasper
2 0003 1888, 1901, 1902
4 1920 "new zeropair code"
5 0010 1921 4558 5760,5761,5770 6712 TA-fixed
It then verifies the pairing information stored in the 2BL header. Part of
this verification is a checksum check of the NAND area which was used to
load the SMC code from.
It also contains a virtual machine and some
code to run on this machine. The virtual machine code, which is pretty
complicated, does the following things:
- Initialisation of the PCI-Bridge
- Disable the GPU PCIE JTAG test port
- initialize the serial port
- talk to the SMC to clear the "handshake"-bit
- initialize memory
- hopefully not: generate RROD if memory init fails
After that, the external (512MB) memory will be initialized and usable. 2BL
then decrypts the 4BL into this memory. Memory encryption will already be
enabled - no executable code is *ever* written unencrypted.
4BL ("CD")
This code is responsible for checking and unpacking 5BL, as well as applying
update patches. First, the fuses are read to determine the console "Update
Sequence", a number which basically counts the number of updates installed.
Since updates are, in the same way as 2BL, paired to a console, this allows
configuring the console in a way that no old update will be used. So each
update slot stores the maximum value of burned fuses (well, essentially the
exact value). The base kernel also has an associated value, usually zero,
but this can be changed in the 2BL pairing data block. This is what the
timing-attack increments, in order to revert to the 1888 kernel.
5BL ("HV/Kernel")
The HV and kernel are merged into a single image, which is compressed with a
proprietary algorithm (LDIC).
6BL ("CF"), 7BL ("CG")
This is part of a system upgrade. Each console has a so-called "Base
Kernel", which is the 1888 kernel which was available on launch back in
2005. Then there are two "update slots" - areas of 64k each (128k on
Jasper), which contain a 6BL and 7BL. 6BL is code which applies the
update, using a clever delta-compression. 7BL is the actual delta-compressed
update, essentially a binary diff.
Oh, updates are >64k. So only the first 64k are actually stored in the
update slots, the rest is stored in the filesystem as a special file. Since
6BL doesn't contain a filesystem parser, a blockmap is added in 6BL which
points to the sectors which contain the rest of the update.
Zero-Pairing
Now there is a special situation: If the 2BL pairing block is all-zero, the
pairing block will not be checked. However, a bit is set so that the kernel
doesn't boot the dashboard binary, but a special binary called
"MfgBootLauncher", where "Mfg" probably stands for "Manufacturing". So this
is a leftover of the production process, where the flash image is used on
all hardware, probably also before any CPU-key has been programmed.
By abusing this feature, this allows us easily to produce a flash image
which runs on all hardware. However, 4BL won't look at update slots when it
detects this mode, so we end up in the 1888 base kernel. And we can't run
the dashboard, so it's impossible to escape this mode.
Previously, this has been deemed very uninteresting, because first the 1888
isn't exploitable by the KK exploit, and second because it's impossible to
run the KK game anyway.
However, starting with 2BL version 1920, an interesting thing happened:
The encryption key for 4BL is generated with the help of the CPU-key now.
That means that without the CPU-key, it's not possible to decrypt the 4BL
anymore. Note that each 2BL has exactly a single valid 4BL binary - 2BL
contains a hardcoded hash for the 4BL, and doesn't use RSA.
However, when zeroed pairing data is detected, the CPU-key is NOT used in this
process, like it was previously. That also means that you cannot just zero-out
the pairing data anymore - the 4BL would be decrypted with the wrong key
then. Instead you need to decrypt the 4BL (which requires knowing the CPU
key), and re-encrypt it with the old algorithm.
However, 1920 was susceptible to the timing attack - so a CPU-key recovery
was possible on one console, which allowed us to decrypt the 1920 4BL. That
4BL shows a very interesting change: Whenever zero-pairing is detected, the
update slots are not ignored anymore. Instead, if the update-slots are
zero-paired as well, they are applied.
This change allows us to boot any kernel, provided we have a (1920 and up)
2BL/4BL set which runs on that machine. This is very important, because we
can build up an image now which runs into the 4532 kernel, regardless of how
many update fuses are set. However, the 2BL revocation process must be
passed, so we are not completely independent of the fuses, still. But since
we use zero-pairing, the SMC hash doesn't matter anymore (there are other
ways to work around the SMC hash problem, like the TA, but we get this for
free). Still, we boot into the MfgBootLauncher (into the 4532 version now,
which does a red/green blinking thingie - you'll notice once you see it,
it's very unique and doesn't look like any RROD or so). But thanks to the
SMC/JTAG hack described above, this allows us to launch our attack from this
state.
Newer consoles (which have the TA fix) don't run 1920 anymore. They run, for
example, 1921. The problem is that we cannot run HV code on these machines,
so we don't know the CPU key. However, when comparing the 1921 and 1920 2BL
(which we can still decrypt), the only change is the addition of the timing
attack fix (i.e. replacing two memcmp instances with a memdiff function).
Also, we know the expected hash value of the decrypted 4BL. Based on a 1920
4BL, and the guess what has changed functionally, and the new size of the
4BL, we were able to guess the modifications, which yields an image which
passes the 2BL hash check. Note that this is not a hash collision - we did
merely derive the exact image by applying the changes between 1920 2BL and 1921
2BL into 1920 4BL, yielding the 1921 4BL.
The 1921 2BL theoretically runs on all machines so far, even TA-proof ones.
But it crashes on Zephyr, Falcon and Jasper. The reason is the VM code,
which doesn't cover the different GPUs (Xenon has 90nm GPU, Zephyr and
Falcon have 80nm, Jasper has 60nm, so there are 3 GPU revisions in total).
But the step from 1921 to, say, 4558, is even smaller. It's just the
different version number, plus a slight difference in the memcpy code, which
again can be ported over from 2BL.
Jasper's 67xx is a different thing, since this code adds support for the
largeblock flash used in "Arcade"-Jasper units. We have used some magic to
retrieve this code.
So we now have ALL 4BL versions. Isn't that great? It means that ALL
machines can run the 4532 kernel. The good news is also that the 4532 kernel
supports falcon consoles, and runs long enough to also work on jasper
consoles (because we exploit way before the different GPU is touched at
all).
How does this all work?
To understand this new hack, let's first look at what made the KK exploit possible: A fatal bug in the Hypervisor's Syscall Handler, introduced in the 4532 kernel update.
The KK exploit triggered the hypervisor bug by modifying an unsigned shader to do a series of so-called memory exports, an operation where the GPU can write the results of a pixel or vertex shader into physical memory. The shader was written to overwrite the idle-thread context so that the kernel jumps to a chosen position in memory, with some registers under our control.
In order to control all registers, a second step was necessary, this time by jumping into the interrupt restore handler. This finally allows all CPU general-purpose registers to be filled with chosen values. The program counter could be restored to a syscall instruction in the kernel, with register values prefilled so that they trigger the exploit.
The exploit basically allows jumping to any 32-bit address in hypervisor space. To jump to an arbitrary location, we just used a "mtctr, bctr" instruction pair in the hypervisor, which redirects execution flow to any 64-bit address. This is important, since we need to clear the upper 32 bits (i.e., set the MSB to disable the HRMO), because the code we want to jump to is in unencrypted memory.
This code would usually load a second-stage loader, for example XeLL, into memory and start it. XeLL would then attempt to catch all CPU threads (because only the primary thread is affected by our exploit), and load the user code, for example from DVD.
So, the following memory areas are involved:
- Idle Thread context, at 00130360 in physical memory
This stores the stack pointer (and some other stuff) when the idle thread was suspended. By changing the stack pointer, and then waiting for the kernel to switch to the idle thread, the stack pointer can be brought into our control. Part of the context switch is also a context restore, based on the new stack pointer.
- Context restore, part 1, arbitrary location, KK expl. uses 80130AF0
The thread-context restore doesn't restore all registers, but lets us control the NIP (the "next instruction" pointer). We set up NIP to point to the interrupt context restore, which does an SP-relative load of most registers.
- Context restore, part 2, same base location as part 1
We just re-use the same stack pointer, because the areas from which the first context restore and the interrupt context restore load do not overlap. The second context restore allows us to pre-set all registers with arbitrary 64-bit values.
- The HV offset, at 00002080 for syscall 0x46 on 4532
Because of the HV bug, we can write this offset into unencrypted memory, giving us the possibility to jump into any location in the hypervisor space (i.e. with a certain "encryption prefix"). We usually write 00000350 here, which points to a "mtctr %r4; bctr" instruction pair in hypervisor, which lets us jump to %r4.
- Our loader code, at an arbitrary location
This code will be executed from hypervisor. It's the first of our code which will be executed. %r4 on the syscall entry has to point to this code.
Only the idle thread context and the HV offset have fixed addresses. It's easily possible to merge the rest so that only two distinct blocks need to be written into memory, but it's not possible to merge everything into a single block.
Fortunately, the NAND controller allows doing DMA reads where the payload data is split from the "ECC"-data. Each page has 512 bytes of payload, and 16 bytes of ECC data. Thus, a single DMA read can be used to load all required memory addresses. We chose the Payload to read the Idle Thread Context, the Context Restores and the loader code. The ECC data will carry the HV offset.
To do a DMA read, the following NAND registers need to be written:
  ea00c01c  address for payload
  ea00c020  address for ECC
  ea00c00c  address inside NAND
  ea00c008  command: read DMA (07)
The System Management Controller (SMC) is an 8051 core inside the Southbridge. It manages the power sequencing, and is always active when the Xbox 360 has (standby or full) power applied. It controls the front-panel buttons, has a real-time clock, decodes IR, monitors temperatures and controls the fans and the DVD-ROM tray. It talks to the front-panel board to set the LEDs. When the system is running, the kernel can communicate with the SMC, for example to query the real-time clock, open the DVD tray etc. This happens over a bidirectional FIFO (at ea001080 / ea001090). See the XeLL SMC code for details.
The SMC can read the NAND, because it needs access to a special NAND page which contains an SMC config block. This block contains calibration information for the thermal diodes, the thermal targets etc. The 8051 core has access to the NAND registers, which are mapped into the 8051 SFRs. It uses the same protocol as the kernel, so it writes an address, issues a "READ" command, and then reads the data out of the "DATA" registers.
It could also issue a "READ (DMA)" command. So by hacking the SMC, we could make the box do the exploit without any shader - the SMC can access the NAND controller all the time, even when the kernel is running (though it will likely interfere with the kernel). So we just trigger the DMA read once the kernel has been loaded, and everything is fine.
Right?
Well, that would be too easy. While most NAND registers are mapped, the DMA address registers (1c, 20) are not. We can DMA, but only to the default address of zero (or wherever the kernel last DMAed into). Fail.
The GPU, the (H)ANA (the "scaler" - which in fact doesn't scale at all, it's "just" a set of DACs and, since Zephyr, a DVI/HDMI encoder), the Southbridge and the CPU have their JTAG ports exposed on the board. They are unpopulated headers, but the signals are there. CPU JTAG is a different (complex) story, and SB JTAG doesn't offer much functionality. ANA JTAG is boring since the ANA doesn't sit on any interesting bus. That leaves GPU JTAG.
GPU JTAG was reverse-engineered until a point where arbitrary PCI writes are possible, up to a certain point. So that makes it possible to talk to each PCI device in the system, including the NAND controller. So we can simply use THAT instead of the SMC to start the DMA?
Right?
Well, not quite. The problem is that the "VM code", the code which does a lot of system initialization, like the memory (that code is also responsible for generating the 01xx "RROD"-Errors), sets a certain bit in some GPU register, which disables the JTAG interface. The VM code is executed way before the kernel is active. So this is fail, too.
But the combination works - by programming the DMA target address via JTAG, and launching the attack via SMC. The attack can be launched as soon as the kernel is running, and quite early, it does query the SMC for the RTC. We abuse this call to start the attack instead, which is a perfect point for us.
But how do we run an exploitable kernel at all? Most machines are updated already. Let me refresh your knowledge about the boot process again:
1BL (Bootrom)
Buried deep inside the CPU die, this ~32kb of ROM code is responsible for
reading the 2BL from NAND flash and decrypting it into the embedded SRAM in the
CPU. It verifies the hash of the decrypted image against a signed block at the
beginning of the 2BL, and stops execution if this hash mismatches. This
code also contains a number of test functions, which can be activated by
pulling the 5 "POST IN" pins, which are available on the backside of the
PCB. None of these tests looks particularly interesting (from an exploitation
perspective) - they mostly seem to be related to the FSB (the bus between
CPU and GPU). This code is fixed, and all systems use identical code here.
2BL ("CB")
This code is usually located at 0x8000 in NAND flash. It's decrypted by 1BL,
and runs from internal SRAM.
It does a basic hardware initialization, and contains the "fuse check code",
which verifies the "2BL version". The fuses store the expected version.
The 2BL stores a "Version" and an "AllowedMask" (=bitfield), usually at
address 0x3B1 / 0x3B2..0x3B3. The known 2BL versions per board:

Version  AllowedMask  Xenon                     Zephyr  Falcon            Jasper
2        0003         1888, 1901, 1902
4                     1920 "new zeropair code"
5        0010         1921                      4558    5760,5761,5770    6712   TA-fixed
It then verifies the pairing information stored in the 2BL header. Part of
this verification is a checksum check of the NAND area which was used to
load the SMC code from.
It also contains a virtual machine and some
code to run on this machine. The virtual machine code, which is pretty
complicated, does the following things:
- Initialisation of the PCI-Bridge
- Disable the GPU PCIE JTAG test port
- initialize the serial port
- talk to the SMC to clear the "handshake"-bit
- initialize memory
- hopefully not: generate RROD if memory init fails
After that, the external (512MB) memory will be initialized and usable. 2BL
then decrypts the 4BL into this memory. Memory encryption will already be
enabled - no executable code is *ever* written unencrypted.
4BL ("CD")
This code is responsible for checking and unpacking 5BL, as well as applying
update patches. First, the fuses are read to determine the console's "Update
Sequence", a number which basically counts the number of updates installed.
Since updates are, in the same way as 2BL, paired to a console, this allows
the console to be configured so that no old update will be used. So each
update slot stores the maximum value of burned fuses (well, essentially the
exact value). The base kernel also has an associated value, usually zero,
but this can be changed in the 2BL pairing data block. This is what the
timing attack increments, in order to revert to the 1888 kernel.
5BL ("HV/Kernel")
The HV and kernel are merged into a single image, which is compressed with a
proprietary algorithm (LDIC).
6BL ("CF"), 7BL ("CG")
This is part of a system upgrade. Each console has a so-called "Base
Kernel", which is the 1888 kernel which was available on launch back in
2005. Then there are two "update slots" - areas of 64k each (128k on
Jasper), which contain a 6BL and 7BL. 6BL is code which applies the
update, using a clever delta-compression. 7BL is the actual delta-compressed
update, essentially a binary diff.
Oh, updates are >64k. So only the first 64k are actually stored in the
update slots, the rest is stored in the filesystem as a special file. Since
6BL doesn't contain a filesystem parser, a blockmap is added in 6BL which
points to the sectors which contain the rest of the update.
Zero-Pairing
Now there is a special situation: If the 2BL pairing block is all-zero, the
pairing block will not be checked. However, a bit is set so that the kernel
doesn't boot the dashboard binary, but a special binary called
"MfgBootLauncher", where "Mfg" probably stands for "Manufacturing". So this
is a leftover of the production process, where the flash image is used on
all hardware, probably also before any CPU-key has been programmed.
By abusing this feature, it is easy to produce a flash image which runs on
all hardware. However, 4BL won't look at the update slots when it detects
this mode, so we end up in the 1888 base kernel. And we can't run the
dashboard, so it's impossible to escape this mode.
Previously, this has been deemed very uninteresting, because first the 1888
isn't exploitable by the KK exploit, and second because it's impossible to
run the KK game anyway.
However, starting with 2BL version 1920, an interesting thing happened:
The encryption key for 4BL is generated with the help of the CPU-key now.
That means that without the CPU-key, it's not possible to decrypt the 4BL
anymore. Note that each 2BL has exactly a single valid 4BL binary - 2BL
contains a hardcoded hash for the 4BL, and doesn't use RSA.
However, when zeroed pairing data is detected, the CPU key is NOT used in
this process, as before. That also means that you cannot just zero out the
pairing data anymore - the 4BL would be decrypted with the wrong key then.
Instead you need to decrypt the 4BL (which requires knowing the CPU key),
and re-encrypt it with the old algorithm.
However, 1920 was susceptible to the timing attack - so a CPU-key recovery
was possible on one console, which allowed us to decrypt the 1920 4BL. That
4BL shows a very interesting change: Whenever zero-pairing is detected, the
update slots are not ignored anymore. Instead, if the update-slots are
zero-paired as well, they are applied.
This change allows us to boot any kernel, provided we have a (1920 and up)
2BL/4BL set which runs on that machine. This is very important, because we
can now build an image which boots into the 4532 kernel, regardless of how
many update fuses are set. However, the 2BL revocation process must be
passed, so we are not completely independent of the fuses, still. But since
we use zero-pairing, the SMC hash doesn't matter anymore (there are other
ways to work around the SMC hash problem, like the TA, but we get this for
free). Still, we boot into the MfgBootLauncher (into the 4532 version now,
which does a red/green blinking thingie - you'll notice once you see it,
it's very unique and doesn't look like any RROD or so). But thanks to the
SMC/JTAG hack described above, this allows us to launch our attack from this
state.
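As an added illustration (not part of the original writeup, and not the real 2BL/4BL code), here is a small Python model of the 4BL decision just described: the 2BL revocation check against the fuses, the pairing check, and the difference between the old behaviour (a zero-paired image ignores the update slots and lands in the 1888 base kernel) and the 1920-and-up behaviour (zero-paired slots are applied without consulting the update fuses). The pairing-block length, the field names and the consoles in the comments are assumptions made for the model.

```python
"""Model of the 4BL kernel selection described above. Added example for this
guide; it is not the real 2BL/4BL code, and the field names and the pairing
block length are assumptions made for the model."""
from dataclasses import dataclass, field

ZERO_PAIRING = bytes(16)   # an all-zero pairing block (length assumed)
BASE_KERNEL = 1888         # every console ships the 1888 base kernel


@dataclass
class UpdateSlot:
    kernel: int       # kernel version the 6BL/7BL patch in this slot produces
    pairing: bytes    # pairing data carried by the slot
    sequence: int     # update-sequence (fuse count) the slot was built for


@dataclass
class Image:
    fuse_version: int     # the 2BL "Version" checked against the 2BL-version fuses
    new_zeropair: bool    # True for the 1920-and-up 2BL/4BL behaviour
    pairing: bytes        # 2BL pairing block
    slots: list = field(default_factory=list)


def boot(image, console_pairing, console_fuse_version, update_fuses):
    """Return the kernel version that ends up running, or None if boot halts."""
    # 2BL revocation: a 2BL older than the burned version fuses never runs,
    # zero-paired or not. This is the check that keeps the hack fuse-dependent.
    if image.fuse_version < console_fuse_version:
        return None
    zero_paired = image.pairing == ZERO_PAIRING
    if not zero_paired and image.pairing != console_pairing:
        return None                  # image built for a different console
    if zero_paired and not image.new_zeropair:
        return BASE_KERNEL           # pre-1920 4BL: slots ignored, 1888 MfgBootLauncher
    kernel = BASE_KERNEL
    for slot in image.slots:
        if zero_paired:
            # 1920+: a zero-paired slot is applied without consulting the update fuses
            applies = slot.pairing == ZERO_PAIRING
        else:
            applies = slot.pairing == console_pairing and slot.sequence == update_fuses
        if applies:
            kernel = slot.kernel
    return kernel
```

With a TA-fixed console (2BL version fuses at 5, several update fuses burned) a zero-paired 1921-style image carrying a zero-paired 4532 slot boots 4532, the same image with a version-2 2BL halts on revocation, and a pre-1920 zero-paired image only ever reaches 1888.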
Newer consoles (which have the TA fix) don't run 1920 anymore. They run, for
example, 1921. The problem is that we cannot run HV code on these machines,
so we don't know the CPU key. However, when comparing the 1921 and 1920 2BL
(which we can still decrypt), the only change is the addition of the timing
attack fix (i.e. replacing two memcmp instances with a memdiff function).
Also, we know the expected hash value of the decrypted 4BL. Based on the 1920
4BL, a guess at what had changed functionally, and the new size of the
4BL, we were able to guess the modifications, which yields an image that
passes the 2BL hash check. Note that this is not a hash collision - we
merely derived the exact image by applying the changes between the 1920 2BL
and the 1921 2BL to the 1920 4BL, yielding the 1921 4BL.
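"Two memcmp instances replaced with a memdiff function" is the whole TA fix, so it is worth seeing why an early-exit compare is a problem. The following is an added Python example, not free60 or Microsoft code: a libc-style memcmp that stops at the first differing byte next to a fixed-time compare (a reconstruction of what a memdiff would do; the real 2BL code is not on this page), and a byte-by-byte recovery that uses only how far the comparison got. A counter of bytes examined stands in for the timing measurement a real attack would make, and the secret is a constructed value.

```python
"""Early-exit vs fixed-time comparison, and what the early exit leaks.
Added example for this guide; not free60 or 2BL code."""


def memcmp_early_exit(a: bytes, b: bytes):
    """libc-style compare: stop at the first differing byte.
    Returns (equal, bytes_examined); the second value is the side channel."""
    examined = 0
    for x, y in zip(a, b):
        examined += 1
        if x != y:
            return False, examined
    return len(a) == len(b), examined


def memdiff_fixed_time(a: bytes, b: bytes):
    """Reconstruction of a fixed-time 'memdiff': always touch every byte and
    fold the differences into one accumulator, so the work done does not
    depend on where the first mismatch is."""
    if len(a) != len(b):
        return False, 0
    diff = 0
    for x, y in zip(a, b):
        diff |= x ^ y
    return diff == 0, len(a)


def recover_secret(secret: bytes, compare) -> bytes:
    """Recover `secret` one byte at a time using only the bytes-examined count
    (an attacker would measure time instead). Returns whatever could be
    recovered: the full secret against memcmp_early_exit, nothing against
    memdiff_fixed_time."""
    known = bytearray()
    while len(known) < len(secret):
        padding = bytes(len(secret) - len(known) - 1)
        cost = []
        for guess in range(256):
            equal, examined = compare(secret, bytes(known) + bytes([guess]) + padding)
            if equal:                       # last byte: equality itself is the signal
                return bytes(known) + bytes([guess])
            cost.append(examined)
        best = max(range(256), key=cost.__getitem__)
        if cost[best] == min(cost):
            break                           # every guess costs the same: nothing leaks
        known.append(best)
    return bytes(known)


# Constructed secret standing in for a hash the 2BL compares; the embedded
# zero byte shows the recovery still works when padding happens to match.
SECRET = bytes.fromhex("421337cafe00beef")
```

Against the early-exit compare the loop needs at most 256 probes per byte and the correct guess is always the one that made the comparison run one byte further; against the fixed-time version every probe costs the same and the loop stops with nothing.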
The 1921 2BL theoretically runs on all machines so far, even TA-proof ones.
But it crashes on Zephyr, Falcon and Jasper. The reason is the VM code,
which doesn't cover the different GPUs (Xenon has 90nm GPU, Zephyr and
Falcon have 80nm, Jasper has 60nm, so there are 3 GPU revisions in total).
But the step from 1921 to, say, 4558, is even smaller. It's just the
different version number, plus a slight difference in the memcpy code, which
again can be ported over from 2BL.
Jasper's 67xx is a different thing, since this code adds support for the
largeblock flash used in "Arcade"-Jasper units. We have used some magic to
retrieve this code.
So we now have ALL 4BL versions. Isn't that great? It means that ALL
machines can run the 4532 kernel. The good news is also that the 4532 kernel
supports Falcon consoles, and runs long enough to also work on Jasper
consoles (because we exploit way before the different GPU is touched at
all).
How to JTAG your Xbox 360 and run homebrew
I will be going over how to install XBR and XeLL onto your Xbox 360. Installing XBR lets you run unsigned code (homebrew), install any sized hard drive (even 3.5in desktop HDDs!), FTP into your box, and use custom dashboards. There are endless possibilities once you can run any code you want: you can modify Xbox 360 games to run custom maps and cheats, and launch games off the hard drive without a disc. It should cost you around $5 in parts, maybe even free if you already have them.
Finding out if your Xbox is exploitable
Your kernel must be 2.0.7371.0 or lower for this to work; check it on the dashboard's system info tab. After that there is one more check (the CB version, below), but you have to build your cable and dump your NAND first.
Getting your parts
Tools
Soldering iron
Solder
Computer with LPT port.
Parts
1x 25 pin d-sub connector (male or female depending on which kind of cable you have)
Digikey # 225FE-ND
1x 25 pin d-sub cable (lpt cable) You can actually skip the cable if you buy a male connector and make your wires long enough to extend from your xbox to the computer
Digikey # AE9863-ND
3x 330 ohm resistors (only for Xenon motherboards)
Digikey # P330BBCT-ND
1x 1n4148 switching diode (if you have Zephyr, Falcon, Opus or a Jasper get 3x of these)
Refer to the image below to tell what kind of 360 you have.
There has been a new update to the standard wiring you should use for the JTAG wiring on Xenons which requires just 2x 1n4148 diodes. I've never used this method before so I can't really help as much if you have problems. But I would suggest going with it instead since it is supposed to be electrically superior and uses fewer parts, so less room for failure I guess.
Soldering the cable
Soldering is generally pretty straightforward. You actually don't need any solder for the motherboard end, as the holes all have solder in them; you just need to heat it up and slide the wire through. I suggest using at least a 30W iron, as a 15W will have trouble getting the lead-free solder hot enough. All resistors on the connector are optional; they are just there to prevent damage, as some LPT ports are 5V while the motherboard is 3.3V.
Here are some bigger pictures
Xenon
All others
Recently there has been a new way to wire Xenons that is supposed to be better; I have never tried it, but I have included the diagram on how to wire it.
Dumping the nand
Download the files here (I forgot to include nandpro; get that here).
Extract the rar, and open up the nandpro folder.
Install port95nt.exe (if running Vista or 7, set it to compatibility mode for XP).
Plug your Xbox 360 in, but don't power it on.
Plug the LPT cable in.
Open cmd and change directory to your nandpro folder.
Type: nandpro lpt: -r16 nand.bin
It will start to dump; this will take about 35 minutes.
Type nandpro lpt: -r16 nand2.bin and dump it a second time. Compare the two dumps (fc /b nand.bin nand2.bin); they should be identical. If they differ, your cable is unreliable: recheck it and dump again before you flash anything.
If during the dump it has trouble reading some blocks, don't worry. You only have a problem if it can't read block after block, which means something went wrong in the middle of the dump and you have to restart it.
If nandpro is not detecting it, go over and double check all of your soldering. If you skipped the diode, try adding one, and just restarting your computer has fixed the issue quite a few times for me. You also want to keep your cable as short as possible.
Testing if it's exploitable
Open up Degraded (included in the file pack). Go to Settings and under "1BL key" make sure it says DD88AD0C9ED669E7B56794FB68563EFA and is checked. Also change "file system start" to 39.
Open up your NAND dump and look at the CB version.
If your CB is one of the following, you're in luck:
Xenon: 1888, 1902, 1903, 1920, 1921, 8192
Zephyr: 4558, 4580
Falcon: 5761, 5766, 5770
Jasper: 6712, 6723
Jasper Arcade (256/512): 6723 or lower is exploitable
If you are unsure whether yours is exploitable, also check the CD version: if CD = 8453, the console has the patched 4BL and you're out of luck.
Extracting the keyvault, injecting and flashing XBR
Select the proper XBR for your motherboard (included in the rar file) and put it in your nandpro folder. Rename it to xbr.bin to make things easier.
Open up cmd, navigate to your nandpro folder and extract the keyvault (block 1) and the config blocks (0x3DE-0x3DF) from your dump:
nandpro nand.bin: -r16 kv.bin 1 1
nandpro nand.bin: -r16 config.bin 3de 2
Then write them into the XBR image:
nandpro xbr.bin: -w16 kv.bin 1 1
nandpro xbr.bin: -w16 config.bin 3de 2
Now for the flashing! Just type the following and wait 35 minutes:
nandpro lpt: -w16 xbr.bin
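The nandpro steps above (dump, check the CB/CD versions in Degraded, pull the KV and config blocks, write them into the XBR image) can be checked offline before anything is flashed. The following Python is an added example written for this guide, not nandpro or Degraded code. It assumes the small-block 16 MB layout used throughout this page: 512-byte pages followed by 16 spare bytes (528 raw bytes per page, the same split the DMA discussion above relies on), 32 pages per 0x4000-byte nandpro block, the 2BL at data offset 0x8000, the KV in block 1 and the config in blocks 0x3DE-0x3DF. The bootloader header layout (2-byte magic, 2-byte version, then flags, entry point and size, all big-endian) comes from public Xbox 360 documentation rather than from this page, and the sample dump is constructed with made-up sizes.

```python
"""Offline checks on a nandpro-style dump. Added example for this guide, not
nandpro/Degraded code; layout assumptions are listed in the lead-in."""
import struct

PAGE_DATA, PAGE_SPARE = 512, 16          # payload + spare/ECC bytes per page
PAGE_RAW = PAGE_DATA + PAGE_SPARE        # 528 raw bytes per page in a -r16 dump
PAGES_PER_BLOCK = 32                     # 0x4000 data bytes per nandpro block
BLOCK_RAW = PAGES_PER_BLOCK * PAGE_RAW   # 0x4200 raw bytes per block
NAND_BLOCKS = 0x400                      # 16 MB small-block NAND
CB_OFFSET = 0x8000                       # 2BL ("CB") location in data space
KV_BLOCK, CONFIG_BLOCK, CONFIG_BLOCKS = 1, 0x3DE, 2   # the nandpro arguments above

# Exploitable 2BL (CB) versions per board, as listed in this guide.
EXPLOITABLE_CB = {
    "Xenon": {1888, 1902, 1903, 1920, 1921, 8192},
    "Zephyr": {4558, 4580},
    "Falcon": {5761, 5766, 5770},
    "Jasper": {6712, 6723},
}
PATCHED_CD = 8453


def data_to_raw(data_off):
    """Map an offset in the 512-byte payload space to the 528-byte raw dump."""
    return (data_off // PAGE_DATA) * PAGE_RAW + data_off % PAGE_DATA


def strip_spare(raw):
    """Drop the 16 spare bytes that follow every 512-byte page."""
    if len(raw) % PAGE_RAW:
        raise ValueError("not a whole number of 528-byte pages")
    return b"".join(raw[i:i + PAGE_DATA] for i in range(0, len(raw), PAGE_RAW))


def bootloader_chain(data, start=CB_OFFSET):
    """Walk CB -> CD -> CE headers (assumed layout: magic[2], version u16,
    flags u32, entry u32, size u32, big-endian). Returns [(magic, version, size)]."""
    chain, off = [], start
    while off + 16 <= len(data):
        magic, version, _flags, _entry, size = struct.unpack(">2sHIII", data[off:off + 16])
        if magic not in (b"CB", b"CD", b"CE") or size < 16:
            break
        chain.append((magic.decode(), version, size))
        if magic == b"CE":
            break
        off += size
    return chain


def exploitable(board, cb, cd):
    """The guide's rule: CD 8453 means patched; otherwise the CB must be listed."""
    if cd == PATCHED_CD:
        return False
    if board == "Jasper Arcade":
        return cb <= 6723
    return cb in EXPLOITABLE_CB.get(board, set())


def check_dump(raw, board):
    versions = {m: v for m, v, _ in bootloader_chain(strip_spare(raw))}
    if "CB" not in versions or "CD" not in versions:
        raise ValueError("no bootloader chain at 0x8000: bad dump or wrong layout")
    return {"cb": versions["CB"], "cd": versions["CD"],
            "exploitable": exploitable(board, versions["CB"], versions["CD"])}


def read_blocks(raw, first, count):
    """Same bytes as 'nandpro image: -r16 out.bin first count' (spare included)."""
    return raw[first * BLOCK_RAW:(first + count) * BLOCK_RAW]


def write_blocks(raw, first, blob):
    """Same effect as 'nandpro image: -w16 in.bin first count'; returns a new image."""
    if len(blob) % BLOCK_RAW:
        raise ValueError("blob is not a whole number of blocks")
    out = bytearray(raw)
    out[first * BLOCK_RAW:first * BLOCK_RAW + len(blob)] = blob
    return bytes(out)


def inject_console_data(xbr_raw, nand_raw):
    """Carry the KV (block 1) and config (blocks 0x3DE-0x3DF) from the console's
    own dump into the XBR image, as the four nandpro commands above do."""
    if len(xbr_raw) != len(nand_raw):
        raise ValueError("image sizes differ: wrong XBR for this NAND size")
    out = write_blocks(xbr_raw, KV_BLOCK, read_blocks(nand_raw, KV_BLOCK, 1))
    return write_blocks(out, CONFIG_BLOCK, read_blocks(nand_raw, CONFIG_BLOCK, CONFIG_BLOCKS))


def make_sample_dump(cb_version, cd_version, kv_marker):
    """Constructed dump for demonstration: only the bootloader headers, a KV
    marker and a config marker are filled in (sizes are made up); rest is 0xFF."""
    raw = bytearray(b"\xff" * (NAND_BLOCKS * BLOCK_RAW))

    def put(data_off, blob):
        for i, b in enumerate(blob):
            raw[data_to_raw(data_off + i)] = b

    off = CB_OFFSET
    for magic, version, size in [(b"CB", cb_version, 0x1AC0), (b"CD", cd_version, 0x5A00), (b"CE", 1888, 0x5600)]:
        put(off, struct.pack(">2sHIII", magic, version, 0, 0, size))
        off += size
    put(KV_BLOCK * PAGES_PER_BLOCK * PAGE_DATA, kv_marker)
    put(CONFIG_BLOCK * PAGES_PER_BLOCK * PAGE_DATA, b"CONFIG")
    return bytes(raw)
```

check_dump gives the CB/CD versions and the guide's verdict for a board; inject_console_data performs exactly the block copy of the four nandpro commands and refuses images of a different size, since the large-block Arcade Jaspers mentioned earlier use a different flash geometry that this example does not handle.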
Getting your CPU key
Reassemble your 360, and boot it with the DVD drive ejected. Or, if you don't have a DVD drive, plug a wired controller into the back USB port.
You should see a blue screen pop up and a whole bunch of things fly by. When it says CPU fuses, you're either going to want to write really fast or snap a picture.
Fuseset 3 and 5, or 4 and 6, is your CPU key.
So if it said
fuseset 03: xxxxxxxxxxxxxxxx
fuseset 05: yyyyyyyyyyyyyyyy
your CPU key would be xxxxxxxxxxxxxxxxyyyyyyyyyyyyyyyy
It should be 32 hex characters (128 bits). Keep it private: it is the per-console secret needed to decrypt your keyvault, and you need it again for the Flash360 steps below.
Installing a 3.5 in desktop HDD
This requires you to cut the end off a SATA cable and solder it under the HDD connector.
The wiring goes as follows:
Pin 1: SATA signal GND
Pin 2: SATA signal A+
Pin 3: SATA signal A-
Pin 4: SATA signal GND
Pin 5: SATA signal B+
Pin 6: SATA signal B-
Pin 7: SATA signal GND
The side of the SATA cable with the writing goes up, and you count from left to right. You only have to solder the white shielded wires inside, as these are the data lines. Just wire the remaining ground wires somewhere else.
Where to get 12V?
There are many spots on the Xbox motherboard where you can get 12V. I picked the power connector on the bottom of the board, as I'm not soldering onto any other connectors or anything.
How to wire up the SATA power connector:
Yellow: 12V
Red: 5V
Black: GND
Hard drives have been tested up to 2TB and worked successfully.
My avatar is only a silhouette!
Usually your avatar will be a blank silhouette and the console will tell you that you need to install an update to use avatars. All you need to do is download the update file, place it on a USB flash drive, and plug it into the back USB port of your Xbox. Your 360 should detect it and install it. Make sure you extract it first so that the $SystemUpdate folder is in the root of the drive. You can also burn it to a CD to update.
If you're paranoid that you'll brick your console because Microsoft is out to get you and ruin your homebrew, you can look at the picture about removing the R6T3 resistor to keep your fuses from being blown.
As most of you know, JTAGs are patched online, but this is just to help offline and whatnot. Please comment and thank if this helped (you don't have to thank, it's optional).
JTAGS
What a Jtag is
A JTAG is an Xbox 360 that runs unsigned code. It gives you access to everything the Xbox 360 has to offer, unlike a normal Xbox which only gives you part of it.
If you run XeXMenu, you can play Xbox 360 games and emulators from it. You must have the games saved to your hard drive, which can be done by copying the DVD to your HDD or by extracting the .iso of a game and putting that on your HDD.
This also allows you to modify games you have by changing the default.xex or default_mp.xex. For example, 10th lobbies for MW2 were made by modifying the game and loading it on a JTAG via the modified default(_mp).xex.
You can also run custom-made dashboards; Freestyle Dash is one of them. These are a new dashboard layout for JTAGs. On a version of Freestyle Dash I have, you have the option to change the LED lights between green, orange and red. You can also change the fan speed and see the temperatures of the CPU and the GPU.
A JTAG is worth getting, as in the long term it is a good investment if you buy games regularly, for solo mode, as you don't have to purchase them.
How to get Xex menu
You need the XeXMenu download.
A Content folder on your HDD.
If using a USB drive, do this. If using an Xbox HDD, start at step 5.
1. Format your USB drive on your Xbox 360.
2. Plug your USB drive into your computer.
3. In the root of the drive create a folder called Content.
4. Then another called 0000000000000000. That's 16 zeros.
5. Put the C0DE9999 folder (the XeXMenu title folder) into the 0000000000000000 folder, using Xport 360 or Xplorer360 if you are using an Xbox HDD.
6. Remove your device from your computer.
7. Plug your device into your JTAG.
8. Go to Games and XeXMenu should be there.
9. Load XeXMenu.
10. It should look like this. Picture up soon.
How to run a game on Xex menu
What you need:
- 1 JTAGged console of any type and enough space on the HDD.
- A copy of the disc you want to copy.
- XeXMenu installed and functioning.
Let's get started.
1. Turn on your JTAG normally with no disc inserted.
2. Navigate through the dashboard like so: Games library > XeXMenu and start the application.
3. Navigate into your HDD directory.
4. When in the directory, press "Y" to bring up an options list and select "Create". Enter a name; this creates a new folder for your game to be copied into.
5. Enter the folder by pressing "A", then once inside press "Y" and select the "Copy DVD" option from the list.
VERY IMPORTANT: FOLLOW THESE NEXT STEPS CAREFULLY.
6. This will eject your disc tray and prompt you with a confirmation screen.
7. Insert the disc and close the tray WITH YOUR HAND, not the eject button.
8. Wait 5-10 seconds until you can feel the disc start spinning, and then click the confirm button. Many people miss this step and it won't work if you do.
9. The game will now start copying. MAKE SURE THAT YOUR CONTROLLER DOES NOT TURN OFF DURING THIS PROCESS. If it does, the copying stops and you're going to have to start all over again.
10. When it's done copying, you have successfully completed the game installation. Congrats!
Flashing your KV
You will also need your flashdmp.bin, CPU key, DVD key and DVD drive info, and obviously a KV (keyvault).
1. Open Flash 360. Go to Settings > Keys, tick the box next to CPU Key and paste your CPU key in there.
2. Open your flashdmp.bin, hit Import, select your keyvault and hit OK. Save it (you can name it anything).
3. Open the file you just saved, hit Patch > Patch Key Vault, paste *YOUR* DVD key in there and enter your DVD drive info. DO NOT CHANGE THE REGION. Save it as updflash.bin, put it on your USB and flash it.
Updating to the Kinect Dashboard:
Preparation
FreeBoot > [ Register or Signin to view external links. ] <
A Jtagged Xbox 360
A USB memory device
Flash360 on your Jtag
Your CPU key
A NAND dump from the 9199 dashboard
1. Open EFB.exe, located in the FreeBoot folder.
2. Click Create Image.
3. Select your 9199 dashboard NAND dump.
4. Enter your CPU key.
5. Wait for the command window to finish, then hit Enter twice. updflash.bin will now be saved on your computer.
6. Put updflash.bin on your USB.
7. Go to Flash360, which is in Xex menu.
8. Flash by pressing A, B, Start, Start, A.
9. Unplug the power cable from your Jtag. DON'T TURN OFF WITH THE BUTTON.
10. Plug the power cable back in, then go through the new dashboard setup.
11. Go to System Settings and you will now see your Jtag is on the 12611 kernel.
How to get Kinect to work
If you are on the 12611 kernel, when you plug Kinect into your Jtag you will be prompted to update. Update; no harm can be done as it is only for avatar support.
If you can't update because you are banned or for any other reason:
Download this > Link available soon <
Put the $SystemUpdate folder in the root of your USB, then when you turn your Jtag on it will update.
You can burn this to a disc and install it through Xell as well.
How to extract a .iso and play it
1. Download or get the .iso you want. Example: Need For Speed Hot Pursuit.
2. Download and open Xbox Image Browser. Download here >
[ Register or Signin to view external links. ] <
3. Open the .iso in Xbox Image Browser via File > Open Image File.
4. Right click the title of the game and click Extract.
5. Choose a location: a folder on your desktop called anything that tells you which game .iso it is. I have called mine NFS HP.
6. Drag the folder (NFS HP) to a USB with at least 8 GB free.
7. Open Xex menu and copy the game to your HDD via Xex menu.
8. Go to your game, load default.xex and play it.
Getting around AP2.5
As in the above tutorial on how to extract a .iso:
1. When you have extracted the .iso via Xbox Image Browser, locate the game files.
2. Delete the $SystemUpdate folder.
3. Open Create ISO and rebuild the ISO from the extracted files.
4. Create ISO > [ Register or Signin to view external links. ] <
5. Open ISO2GOD > [ Register or Signin to view external links. ] <
6. Open the rebuilt ISO in ISO2GOD and convert it.
7. Get the output folder, for example 5136gh78.
8. Put the folder into the 16 zeros folder in Content.
9. Go to Games Library on your Jtag and play the game.
Pictures coming soon.
How to put DLC on a Jtag
What you need:
The DLC you want: get it off a friend or look at these links I set up: Here (just a txt doc with links in it)
DLC you downloaded on your own XBL account (can be free)
A Jtagged Xbox
The latest TU (title update) for the game your DLC is for (found in the Cache folder on the Xbox HDD, if the game has an update) - MW2 TU5: Rapidshare
A stock Xbox (to download the DLC from your profile)
Internet
Retrieving our license key
First off, open DLCPatcher.exe, click Open File and locate DLC that you own.
[ Register or Signin to view external links. ]
On the second line down you will see some numbers and letters (I hid half of mine). That is your license. It is tied to your XBL account, and the DLC needs that license to work on your account, so make a note of it as you will need it later.
Getting the DLC ready to put your key into
Now you need to Yaris Swap the DLC before you put your key into it. This may already be done if you downloaded it from the internet; to check, load the DLC in DLC Patcher and it will look like this:
[ Register or Signin to view external links. ]
Now we need to get our DLC to look like that, so if it already does you can move on to the next spoiler; if it doesn't, keep reading.
Open up YarisSwap.exe and locate the DLC you want.
[ Register or Signin to view external links. ]
Then hit the "Hex mod - Yaris Swap" button (it's hard to miss).
[ Register or Signin to view external links. ]
Now you have Yaris swapped the file; if you open it in DLC Patcher you will see the FFFF's.
[ Register or Signin to view external links. ]
Hexing in your own license
[ Register or Signin to view external links. ]
Now we have to enter our own license, which we found earlier, into the DLC we want.
To do this we need to open our DLC in a hex editor.
Now use Ctrl+F to start a search and key in:
ff ff ff ff ff ff ff ff
Make sure the type is selected as Hex!
[ Register or Signin to view external links. ]
When you click Find you should see something like this:
The parts of the hex are colour coded to match the parts you saw in DLC Patcher.
[ Register or Signin to view external links. ]
What you now want to do is overwrite the red and yellow FFFFFFFF's with your license.
For example, if my license was a1 00 00 2e 9d 4e 00 e1 it would look like this:
[ Register or Signin to view external links. ]
Then click Save and it should save within a couple of seconds.
[ Register or Signin to view external links. ]
If something like this appears for a long period of time it means that you have inserted extra data instead of overwriting it, so quit the hex editor and load a fresh copy. (Quick check: the patched file must be exactly the same size as the original; if it has grown by 8 bytes the editor was in insert mode.)
Now, once you have successfully saved the file, if you open it up in DLC Patcher again you should see something like this, where a100002e9d4e00e1 would be your license:
[ Register or Signin to view external links. ]
Then you should be done.
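The hex edit above, written out as a small Python script. This is an added example, not part of the original post and not any of the tools it names; it only assumes what the post says (after a Yaris Swap the 8-byte license reads ff ff ff ff ff ff ff ff, and you overwrite exactly those bytes with the license ID shown by DLC Patcher). It knows nothing about the real DLC file layout: SAMPLE_DLC is a constructed blob, and patch_file is a hypothetical helper that keeps a .bak copy. It also shows the mistake the post warns about (insert instead of overwrite) and the size check that catches it.

```python
"""Added example (not from the original post): patch a DLC license field in place.

Assumptions taken from the post, not from any file-format spec: the Yaris-swapped
DLC contains the 8-byte license as ff*8, and the fix is to OVERWRITE exactly those
8 bytes with your own license ID, so the file size must not change.
"""
import re
import shutil
from pathlib import Path

LICENSE_LEN = 8
BLANK_LICENSE = b"\xff" * LICENSE_LEN  # the hex editor search string from the post


def parse_license(text: str) -> bytes:
    """Accept 'a1 00 00 2e 9d 4e 00 e1' or 'a100002e9d4e00e1' and return 8 raw bytes."""
    digits = re.sub(r"[\s:-]", "", text)
    if not re.fullmatch(r"[0-9a-fA-F]{16}", digits):
        raise ValueError(f"license must be {LICENSE_LEN} bytes of hex, got {text!r}")
    return bytes.fromhex(digits)


def find_blank_license(data: bytes) -> int:
    """Offset of the first ff*8 run (where Ctrl+F lands in the hex editor), or -1."""
    return data.find(BLANK_LICENSE)


def patch_license(data: bytes, license_id: bytes) -> bytes:
    """Return a copy of data with the blank license overwritten; length is unchanged."""
    if len(license_id) != LICENSE_LEN:
        raise ValueError("license ID must be exactly 8 bytes")
    off = find_blank_license(data)
    if off < 0:
        raise ValueError("no ff-run found: file is not Yaris swapped, or already patched")
    out = bytearray(data)
    out[off:off + LICENSE_LEN] = license_id  # equal-length slice assignment = overwrite
    assert len(out) == len(data)
    return bytes(out)


def patch_license_wrong(data: bytes, license_id: bytes) -> bytes:
    """The mistake the post warns about: the editor is in insert mode, so the FFs are
    pushed along instead of replaced and the file grows by 8 bytes."""
    off = find_blank_license(data)
    out = bytearray(data)
    out[off:off] = license_id  # empty slice = insertion, not overwrite
    return bytes(out)


def verify_patch(original: bytes, patched: bytes, license_id: bytes) -> bool:
    """True only if the license sits where the ff-run was and nothing else changed."""
    off = find_blank_license(original)
    if off < 0 or len(patched) != len(original):
        return False
    return (patched[off:off + LICENSE_LEN] == license_id
            and patched[:off] == original[:off]
            and patched[off + LICENSE_LEN:] == original[off + LICENSE_LEN:])


def patch_file(path: str, license_text: str) -> int:
    """Hypothetical helper: patch a DLC file on disk after saving a .bak copy.
    Returns the offset that was patched."""
    src = Path(path)
    shutil.copyfile(src, src.with_suffix(src.suffix + ".bak"))
    data = src.read_bytes()
    lic = parse_license(license_text)
    patched = patch_license(data, lic)
    if not verify_patch(data, patched, lic):
        raise RuntimeError("patch verification failed; original left untouched")
    src.write_bytes(patched)
    return find_blank_license(data)


# Constructed sample (NOT a real DLC layout): 22 arbitrary bytes, the blank license,
# then a few trailing bytes.
SAMPLE_DLC = (b"constructed-header" + b"\x00\x00\x00\x00"
              + BLANK_LICENSE + b"\x00\x00\x00\x01" + b"payload")

if __name__ == "__main__":
    lic = parse_license("a1 00 00 2e 9d 4e 00 e1")
    good = patch_license(SAMPLE_DLC, lic)
    bad = patch_license_wrong(SAMPLE_DLC, lic)
    print("overwrite verified:", verify_patch(SAMPLE_DLC, good, lic), len(good), "bytes")
    print("insert verified:   ", verify_patch(SAMPLE_DLC, bad, lic), len(bad), "bytes")
```

Run it on the constructed blob and the overwrite verifies at the same size, while the insert-mode version is 8 bytes longer and fails the check, which is exactly the symptom the post describes when the save hangs.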
Adding emulators to your Jtag
Requirements
Jtagged Xbox 360
5 GB of space on the HDD
An external HDD (an Xbox 360 HDD also works, and is better)
SNES360
Genesis360
Both can be downloaded here
1. Download SNES360 and Genesis360.
2. Put them here on the HDD: Hdd1:/Content/0000000000000000/HERE
3. Make a folder on the root of the external HDD called _Emus (the underscore is needed).
4. Then in _Emus make another folder called Genesis360, and inside that a folder called Roms.
It should look like this: _Emus/Genesis360/Roms/
5. Any ROMs go in the Roms folder.
6. Repeat steps 4-5 with SNES360 instead of Genesis360: the same folders, still inside _Emus.
You can find SNES360 and Genesis360 on your NXE dashboard by going to Games Library.
Installing ROMs to your emulators
1. Download any ROMs from here > [ Register or Signin to view external links. ] <
2. Put the ROM in HDD/_Emus/SNES360 (or Genesis360)/Roms/
3. Then load up the emulator whose Roms folder you saved the ROM to.
4. In the emulator go to Games.
5. Press RB to change the memory device until you find your device.
6. Play the ROM.
You can do this with any ROM from the site listed above.
Mw2
Requirements
Jtagged Xbox 360
CoD4 saved to your HDD
A patch (located below)
1. Get your patch (patch_mp.ff).
2. Copy your patch to your HDD where CoD4 is saved.
3. Overwrite the existing patch_mp.ff with the new one (the patch).
4. Go to your Jtag.
5. Open Xex menu.
6. Go to your games folder, CoD4, and load default_mp.xex (make sure it is default_mp.xex, not default.xex).
7. Go to System Link, change the map and game mode, then start the game.
8. If you want to go online you can, but I would not recommend it at this time. (To go online, go to Xbox Live instead of System Link.)
Info - Some patches require you to have a certain button layout; I will list it next to the patches if they need it.
Free style dash
Requirements
Jtagged Xbox 360
Freestyle Dash. Download here > link up soon <
USB
HDD
1. Plug your USB external HDD into the back USB port.
2. Copy the 4 folders (freestyle, source, launch and FSDindexer) to the root of the device. The HDD must be formatted as FAT32.
3. Load it by going to the freestyle folder and loading the .xex.
To get Freestyle Dash in Games Library
1. Get the freestyle-usb folder located in the launch folder.
2. Put freestyle-usb here: Hdd1:\Content\0000000000000000\CODE9999\00007000\here
3. Go to Games Library and load it; if it's not there, check Recent Games or Quick Launch.
Patch editor pro (download)
[ Register or Signin to view external links. ]
.NET Framework 4 installer.
How to .map mod Halo 2 on a JTAG'd Xbox 360
Requirements:
A JTAG'd Xbox 360
A Microsoft-manufactured Xbox 360 HDD
Halo 2 ISO (or the actual game disc)
A transfer cable
Mainmenu Serenity patch
Serenity 3.3
mainmenu.map
Compatibility emulator files
A resigner
Xport 360 or Xplorer360
All of Halo 2's DLC maps
1. Connect your Microsoft Xbox 360 HDD to your computer via the transfer cable.
2. Open Xport 360 or Xplorer360 and navigate to Partition 2 > Compatibility. Copy all of the files in that directory and make a backup somewhere safe that you will not lose. Then delete all of the files in the Compatibility folder. Next, extract the compatibility emulator files from the download link, which contain the files you need. Once extracted, highlight ALL of the files in there and drag them into Partition 2 > Compatibility.
3. Unplug your HDD from your computer and connect it back to your JTAG. Go to XeXmenu and navigate to Content > 0000000000000000 > Games (create this folder if you don't have it already) and make a folder there called Halo 2.
4. In the Halo 2 folder press Y and choose the 'Copy DVD' option. Your disc tray should open. Put your Halo 2 disc in and manually close the tray. Once you hear the disc spin, click confirm on the message on your screen. Your disc image should start ripping to your HDD; it takes about 20 minutes.
5. In the meantime, while your Halo 2 disc is ripping to your HDD, go over to your computer and extract the whole Serenity RAR to one folder.
6. Once Serenity is extracted, open it and go to the Apply tab. For the 'Patch:' box click '...' and open your 'MainMenuAllNewMaps.serenity' patch. For 'Source Map:' click '...' and open your 'mainmenu.map'. Finally, for 'Output Map:' click '...', pick a directory you like, set the filename to mainmenu.map and click 'Apply Patch'.
7. Close Serenity and open your resigner. The main page of your resigner should look like this (if you're using FeudalNate's resigner, that is):
8. In the resigner, click 'Open Map' and select your patched 'mainmenu.map'. Once it is open, click 'Resign Map'. It should take a couple of seconds.
9. Now click over to the 'Multiple Maps' tab. It should look like this (except without any maps open):
Image below.
10. Open all of the Halo 2 DLC maps from the requirements list: click 'Add Maps' and add all of them, then click 'Resign All'. It should take a minute or two to resign all of them.
11. Once it is done resigning, close the resigner. Check whether your JTAG has finished ripping your Halo 2 disc to your HDD. If it has, connect your HDD to your computer again via the transfer cable.
12. Open Xport (or whichever FATX tool you are using) and navigate to Partition 3 > Content > 0000000000000000 > Games > Halo 2 > maps.
13. In the Halo 2 maps directory, replace mainmenu.map with the one we ran through the resigner, then add all of the DLC maps we also ran through the resigner.
14. Once all files are on your HDD, disconnect it and plug it back into your JTAG. Go to XeXmenu, navigate to Content > 0000000000000000 > Games > Halo 2 and load default.xbe.
15. The game should launch to the main menu. Go to Custom Games and check your maps: make sure you have maps like Warlock, Containment, Sanctuary, Turf, Terminal, Gemini, Desolation, etc. Load a couple of them and start games on them to make sure they aren't corrupt. If you run into a corrupt map, resign that one again and put it back in your maps directory; that should fix the problem.
16. To actually play modded maps, download some modded maps or map packs. Once you have a good one, run the map(s) through FeudalNate's resigner, put them into your Halo 2 maps directory and, if necessary, replace the original map there.
Left 4 Dead 2 modded using USB/transfer cable
To begin you need:
Modio (Google it; it should be from gametuts.com, and you need to register in order to download)
Left 4 Dead 2 UserSettings [ Register or Signin to view external links. ]
1. First open up Modio (run as administrator on Vista and 7). Once you have it open, go to Explore My Device (keep this open, you will need it later). You obviously need your HDD or memory unit plugged in.
2. Open your device. Go to Partition 3.
3. Go to Content and find the profile you want to use the mods on. Extract the profile to the desktop.
4. Drag and drop the profile into Modio and a window will come up showing the Profile ID and Device ID. Then take the UserSettings you downloaded and drag and drop it into Modio as well. With both files open in Modio, copy the Profile ID and Device ID from your profile into the UserSettings' Profile ID and Device ID boxes. Once done, Rehash and Resign the UserSettings.
5. Go back into your device, browse to your profile again and locate the Left 4 Dead game saves. Open them; inside there should already be a UserSettings file. Right click it and Delete it, then insert the UserSettings you made in Modio, and you're done! Now for the Xbox part.
6. Get on the Xbox and make a PRIVATE game. Go to Game Settings and set it to Local Server. Set it to a private game first and then public. Wait for people to join and then have fun!
Controls are as follows:
A = Normal
B = Reload (normal) + warp everyone far from you to where you are pointing
X = Normal
Y = Switch weapons
Left Bumper = Pick up objects or people
Right Bumper = God mode on
Back = Spawn Tank and Witch
Start = Normal
Left Stick (clicked down) = Noclip on/off
Right Stick (clicked down) = Remove any object you are looking at
D-pad Up = Activate infinite ammo, incendiary ammo, explosive ammo, show radius of explosive ammo
D-pad Right = Give defibrillator, give adrenaline, give first aid kit
D-pad Down = Normal, infinite ammo off, god mode off
D-pad Left = Drop picked-up object or person
Right Trigger = Normal
Left Trigger = Normal, drop active pipe bomb
Have fun, hope you enjoy this tut.
If you need help with anything, PM me and I will do my best.
Last edited by Odd ; edited 80 times in total
TTG_TWiiSTED (12-21-2010), IMOD_CoD (12-21-2010), vSonicZ (12-21-2010), Stevs (12-20-2010), Jamy (12-20-2010), Bone-Marrow (12-20-2010), InterModder (12-20-2010), MatthewUK (12-18-2010), IndigenousPineal (12-18-2010), JohnTheProd (12-18-2010)
#2. Posted:
Status: Offline
Joined: Apr 28, 2010 (14 Year Member)
Posts: 2,708
Reputation Power: 128
Hope I helped any of you?
- 9 useful
- 1 not useful
#3. Posted:
Status: Offline
Joined: Apr 28, 2010 (14 Year Member)
Posts: 2,708
Reputation Power: 128
Did this help anyone at all?
- 6 useful
- 2 not useful
#4. Posted:
Status: Offline
Joined: Mar 27, 2010 (14 Year Member)
Posts: 9,760
Reputation Power: 0
Very nice info post, bro. Hope you get some thanks for it.
- 4 useful
- 1 not useful
#5. Posted:
Status: Offline
Joined: Apr 28, 2010 (14 Year Member)
Posts: 2,708
Reputation Power: 128
TTG_GawLey wrote: very nice info post bro, hope you get some thanks for it
Thanks Gawley, really appreciate it.
-CallumUK-
Merry Xmas to you, sir.
- 4 useful
- 1 not useful
#6. Posted:
Status: Offline
Joined: Nov 06, 2010 (14 Year Member)
Posts: 1,227
Reputation Power: 50
Nice post, bro. I'll be making a JTAG in a couple of days.
- 3 useful
- 1 not useful
#7. Posted:
Status: Offline
Joined: Apr 28, 2010 (14 Year Member)
Posts: 2,708
Reputation Power: 128
-BLITZ- wrote: nice post bro ill be making a jtag in a couple of days
Thanks, man, and I hope some of this comes in useful.
- 2 useful
- 1 not useful
#8. Posted:
Status: Offline
Joined: Apr 28, 2010 (14 Year Member)
Posts: 2,708
Reputation Power: 128
I can promise that I will make more good tuts, but I want to know people will appreciate it. Also, go check out my tut in General Discussion called Ultimate TTG User Guide. Updated and edited; it's either on page one or two. Thanks.
- 1 useful
- 1 not useful
#9. Posted:
Status: Offline
Joined: Apr 28, 2010 (14 Year Member)
Posts: 2,708
Reputation Power: 128
Anyone find this helpful at all? Please tell me if you do. I have nearly finished making another tut on how to hotswap, then I am going to go on and make one on how to upload XEX via USB.
- 2 useful
- 1 not useful
#10. Posted:
Status: Offline
Joined: Mar 27, 2010 (14 Year Member)
Posts: 1,855
Reputation Power: 81
This deserves a sticky. That is, only if you didn't steal it?
- 1 useful
- 5 not useful