Help needed - going back to original dash

[jhonnyp0lak]

Solution to the problem: http://www.xboxhacker.net/index.php?topic=12265.msg81244#msg81244

Hi everyone,

I thought I'd start a new thread as i've been writing a lot in the "method for extracting dvd key" thread, however, this is no longer applicable and got that post off topic.

So, here's a breakdown of what I've managed to do and what I cant seem to do.

I dumped my nand flash image (lets call it nand_orig.bin)
I then flashed my nand with xenon_hacked.bin
I got my CPU key, 1BL key
I then flashed my nand_orig.bin file back to my nand, and I've got no video output and after about 30 seconds i get a RRoD.

The backed up nand_orig.bin seems fine as FlashTool displays a DVD Key, my serial number and region correctly.

I've tried creating a downgraded 1888 image using my nand_orig.bin file as the basis, however when i flash it to my 360, i get the same exact error. BLack screen, no picture, and you know how the 4 lights on the console usually light up 1 after the other, this doesn't happen

I can flash my console with xenon_hacked.bin anytime and it works just fine.

Any ideas on how i can get my console back to a usable dash ?

[Shaun]

sounds as tho your original dump is corrupt, do you have access to a different dump, as you could try using that and transplanting your kv to it, preferably 1888

[jhonnyp0lak]

I have access to a friend's dump. It is 1888. How do i inject my KV into it ?

FlashTool won't let me do it, neither will the Degrader tool

[jhonnyp0lak]

I've injected my kv into the 1888 dump. I used an older version of Flash Tool for this. Version 0.88 won't allow me to do it, but 0.81 did

However it didnt work

[jhonnyp0lak]

Ok i've been doing a bit of reading and i think that my pairing data is corrupt.

One of the best pieces of evidence of this is that the xbox turns on, and then about 20 seconds later it goes to RRoD (which is what is described in the infectus manual as the state the xbox needs to be in to begin pairing)

So i think the reason its not working when i try a 1888 dump is because my pairing key has been incremented.

The dump that got corrupt is:

CB: 1903   Pairing: 0xA202CF
CD: 1888   Patch 0: 4552
CE: 1888   Patch 1: 4548

Whilst the 1888 image i was trying to patch was:

CB: 1888   Pairing: 0x9E8CE4
CD: 1888   Patch 0: 7371
CE: 1888   Patch 1: 7363

If anyone out there has a nand image with patch 0: 4552 and patch 1: 4548,  would you please pm me a link to it ?
I think this is what is stopping me from getting my console to boot.
My understanding is that i must use my pairing code as its tied to my CPU. And my pairing code is limited to a certain CB and Patch level. So therefore any attempts to patch an older image are futile as the pairing code won't calculate.

Is there any way of getting other than running IDGtool and and infectus chip ? Is there a tool that works with the parallel cable ?

[B1N4RY]

Unless you have the CPUkey of the dump you are getting from to decrypt it, it will not work.

[jhonnyp0lak]

I do have the CPU key from my original dump.

[jhonnyp0lak]

Gents I did it !!!!! Its working. The missing component was LVD values !!!

I'll write it up tomorrow, now its bed time, gotta go to work tomorrow and its 4:50 am :/

[Xb0xGuru]

Gents I did it !!!!! Its working. The missing component was LVD values !!!

I'll write it up tomorrow, now its bed time, gotta go to work tomorrow and its 4:50 am :/

I'm eager to know what you did to resolve this as I'm having the exact same issue as you - Cx data looks corrupt on the dump, but I do have my CPU key.

[B1N4RY]

Judging on what he said, his LDV value was off  due to updating. You can correct it easily using 360 Flash Tool

[jhonnyp0lak]

You will need:

- your original corrupt nand (nand.bin)
- your CPU key (you can get this by loading Xell xenon_hacked.bin on your 360)
- Degraded v1.1 (Degraded_v1.1.rar) *
- 1888 File System (1888.FS.rar) *
- 360 Flash Tool v0.88b *

* tool is available from "the usual places"


Firstly we will build a new nand image.

- Open Degraded 1.1
- Click "..."
- Find your corrupt nand.bin file
- Click Open
- Click Settings
- For the 1BL Key enter: DD88AD0C9ED669E7B56794FB68563EFA
- Tick the Valid box next to the entry
- Enter your CPU key
- Tick the valid box next to the entry
- In the 1888 File System section click "..."
- Specify where your extracted 1888 File System is and click OK
- Set File System Start to 39
- Click OK
- Click Build v1888 image
- Specify a save name: temporary.bin and click Save
- Close Degraded

- Open 360 Flash Tool
- Click "..."
- Find your corrupt nand.bin file
- Take note of the following values:
   - Pairing
   - CB LDV
   - CD LDV
   - CE LDV
- Close 360 Flash Tool

- Determine your maximum LDV value. From the previous step you noted three LDV values. For example they could be: 0, 1, 2. Therefore your maximum LDV value is 2. If your values are 0, 7, 3. Your maximum LDV value is 7.

Now patch your new image with the right Pairing and LDV values

- Open 360 Flash Tool
- Click "..."
- Find your temporary.bin file
- Make sure your Pairing value is correct to what you noted in the previous step
- Now for the important step. You will notice your CD and CE LDV values are greyed out, this is because you're downgrading to a base dashboard therefore there aren't any patches applicable and no Lockdown Values (LDV's) applicable.
- Now click Patch
- Put a tick in the Patch Headers checkbox
- In the LDV text box for CB type in your maximum LDV value
- In the Pairing data text box for CB type in your Pairing Data value.
(Both these values are crucial. If you dont get them right, your xbox will turn on, but you'll get no image and a RRoD after 20 seconds)
- Click OK
- 360 Flash Tool will now automatically ask you to save
- Provide a name for your new nand image: e.g. myclean1888.bin

- Make sure your Key Vault values are correct. If they're not and you have your valid kv.bin file you can inject it now using the Patch button. To do this:
- Click Patch
- Check the Patch KeyVault checkbox
- Put a tick in the Patch KeyVault checkbox
- Select Import KV and click "..."
- Find your KV.bin file and click Open
- click OK
- Provide a name for your new nand image: e.g. myclean1888.bin (you can overwrite your previously saved file at this point in time)

Change the Region of your console (THIS IS OPTIONAL):

You can change the region of your console from PAL->NTSC or vice versa. To do this:
 - Click Patch
- Check the Patch KeyVault checkbox
- Select the Patch KV option
- Change the Region from the drop down box to the desired region.
- Click OK
- Provide a name for your new nand image: e.g. myclean1888.bin (you can overwrite your previously saved file at this point in time)

You can now flash the image to your xbox.
I would suggest running the following command before hand, it will erase your entire nand of any possible garbage.

nandpro.exe lpt: -e16 0x000000

(Thanks to Gee99x for this command)

then flash your xbox with:

nandpro.exe lpt: -w16 myclean1888.bin

[Gee99x]

Nice write-up. This should help a few guys. Saved for future reference!

[Xb0xGuru]

Excellent - many thanks

Now for the bad news - somehow I'm not able to boot my 360 at all. More worryingly, I can only address up to block 0x1FF (effectively making it an 8mbyte NAND). Any attempt to write above this block give me an error 280 reply. My FlashConfig is returning 1198000 instead of 1198010. Before I post this as a separate thread, does anyone have any idea what's happened?

[jhonnyp0lak]

If you try:

nandpro.exe lpt: -e16 0x000000

What happens ?

Also i found that EPP and SPP settings worked on my computer, however had occasional errors. ECP works flawlessly

[Xb0xGuru]

If you try:

nandpro.exe lpt: -e16 0x000000

What happens ?

Also i found that EPP and SPP settings worked on my computer, however had occasional errors. ECP works flawlessly

If I try to erase the NAND, it manages to erase up to 0x1FF, then spits out the rest as error 280.

It *was* working fine previously - I was getting 1198010 and doing a full NAND dump with no issues (with the exception of this particular 360, but that's a by-the-by).

I originally dumped this with my LPT JTAG cable, but as I wanted to try a couple of writes whilst playing with the LDV / KV values, I fitted my Infectus2. Again, this worked up to a point and even with the write verify disabled, it looked to be doing something.

[Gee99x]

I have found that a simple reboot of the PC fixes such errors. Also power-cycling the console (pulling the power cable, and plugging it back in) between dumps/flashes seems to help as well.

Have you disabled the printer port polling if you're using XP?

[Xb0xGuru]

I have found that a simple reboot of the PC fixes such errors. Also power-cycling the console (pulling the power cable, and plugging it back in) between dumps/flashes seems to help as well.

Have you disabled the printer port polling if you're using XP?

The hardware configuration of my machine has not changed between this working and not. I've also rebooted it between attempts, as well as power cycling the 360.

[jhonnyp0lak]

That's a tough one buddy. The nand does have a limited life span. I believe i read somewhere its 100,000 operations. I hope you haven't tried flahsing it that many times
The problem with that is, the nand could be defective. We've seen many people upgrade their xboxes to the latest dash and get all sorts of Exx errors for various reasons. Those reasons could be their nand's didn't take a liking to being flashed and were defective. For some weird reason yours seems to be "defective" exactly half way !!! ....... hmmmm ....

Here's some food for thought. When i started playing around with this JTAG hack i had my printer port setup to SPP. I thought it was working right. I dumped my nand and then managed to install Xell. During this process the nandpro tool didnt give me any errors whatsoever. As I found out later, my nand was actually corrupt. So perhaps you need to play around with your LPT settings as nandpro may have not been working correctly in the first place. Currently im running my LPT in ECP mode and it works beautifully. Now when i go back to SPP i get errors (even though i didnt get them previously)

[Xb0xGuru]

Prior to this 360 having problems, I managed to dump the NAND from another one with no errors whatsoever. If it was configuration related, I would have experienced them the first time around. I've tried other settings (for $#!ts and giggles) in the BIOS and EPP/ECP seem to give me the best results. FTR, I'm using an HP NC6000 laptop.

Something tmbinc wrote in the forums a while ago is that it's possible to mis-report a TSOP as 16MB by using resistors. This got me thinking if it's possible I might have a blown resistor somewhere. I agree that it's too much of a coincidence that it's crapping out exactly halfway every time and this combined with the FlashConfig being one number out definitely ties in with my initial suspicion of it being misreported. I've another NAND from another 360 here - I'm now wondering if it's worth me removing this one and swapping it out?

BTW, I've definitely not managed over 100,000 cycles (more like 10 max)

[thczero]

hehe finnally you got it

trial and error

nice that i helped you on your way