Saturday, April 30, 2011

Recovering an Xbox 360 from a bad NAND flash

Many moons ago, I bought an xbox 360 for cheap that I was hoping to hack to play homebrew games on. A hack was discovered for xbox 360's ("the jtag hack12625") that allowed them to run unsigned code on the consoles. However, microsoft released a software update that permanently stopped this hack, and stopped the consoles from being downgraded to an earlier, hack-friendly software version. They did this utilising "efuses", developed by IBM for the 360's Xenon CPU. IBM had originally developed efuses as a method to "reroute chip logic, much the way highway traffic patterns can be altered by opening and closing new lanes". The idea was that a chip could regulate speed or power consumption issues by simply tripping a fuse, or more impressively, "repair unexpected, potentially costly flaws". 

Microsoft, who had one of the first implementation of this technology, had a more sinister plan when it utilised this efuses. Microsoft were "blowing" efuses after a significant software/kernal update. This would prevent hackers from downgrading to a previous version of the Xbox OS and exploiting potential bugs. The console's security measures relied on the status of these eFuses; attempt to run an older software revision, and those checks would fail. Therefore only xbox 360's that had the kernel version of 2.0.7371.0 or below could be exploited with the jtag hack. 

So if I just dont update the software on my jtag hacked xbox 360, I will be fine, right?  -> No, unfortunately its not that simple. I wanted to play the new "Portal: 2" game on the xbox. When I went to try and play the game, I just got a blank screen. After reading up a bit, it turns out that the newer games require the newer software/kernel/dashboard on the xbox. The newest in this case was dashboard version 12625. Well I cant update the dashboard as this will blow the efuses thus breaking my jtag hack, so what to do? 
Well, as it turns out, another hack was discovered a while ago called a "re-booter". To put it simply, this allows you to upgrade your dashboard to the latest version while still keeping your jtag hack. The latest version is employed in a piece of software called "Easy Freeboot 5.10". So to get your jtag hacked xbox running the latest dashboard, you will need to do the following:

 First off, you will meed to disable the ability for microsoft to burn the efuses. This is done by removing a resistor labelled r6t3 on the motherboard that supplies the power to burn the efuses, or disabling it as shown in the image.
 
Then, upgrade the dash by following the same guide here:
http://www.instructables.com/id/How-to-JTAG-your-Xbox-360-and-run-homebrew/

..until you get to step 6. Instead of doing this step (where you put an older dashboard on the xbox), download a program called Easy Freeboot 5.10. This program will create a NAND image that has the newest dashboard on it (it will only run on windows vista/windows 7). You will need your CPU key and original NAND for this. Once you have created your newNAND image, just flash it onto the xbox using the command:

nandpro lpt: -w16 newNAND.bin

(taken from the instructables guide). Because of the speed of the parallel port, it usually takes anywhere between 30min to 90min to flash the xbox.

Overall, its not too difficult, just a bit of work. The only really important step is to make sure that you get a good NAND dump before you put the replacement on it. You should have a the latest dashboard on your xbox 360 then. 


Except, that first time around, it didnt work for me. Because of a bad flash (probably caused by a loose cable and moving the xbox while it was being flashed, the memory on the NAND was corrupted. When i tried to turn on the xbox, it wouldnt even turn on. I knew i needed to reflash the NAND chip, except that it wasnt being recognised by nandpro now. According to this guide, I needed to reset the NAND chip. Unfortunately, after numerous attempts, I could not get either method in the guide to work. In the end, I tried running the command to erase the NAND:

nandpro lpt: -e16 0 400 

over and over again while plugging in the xbox 360. I was hoping to catch the NAND chip just as it was powering up. After another couple attempts, it recognised the chip, and began to erase it. Then it was just a simple case of flashing the newNAND image to the xbox again with the command: 

nandpro lpt: -w16 newNAND.bin

When it was done, i unplugged the xbox for a minute, put it all back together, turned it back on, and was greeted to the new dashboard splash screen!. As well as that Portal 2 ran without any issues.