New XBOX360 JTAG Hack?

XBOX NAND read/write.
d0
Junior Member
Posts: 177
Joined: Thu Feb 26, 2009 9:50 am
Location: S FL
Contact:

New XBOX360 JTAG Hack?

Post by d0 »

mixelpixx
Junior Member
Posts: 6
Joined: Fri Jun 26, 2009 12:55 pm
Location: r00t

Post by mixelpixx »

Here are some files, but they do not include the SMC Hack file -- which will be needed to do the hack. This hack is still in its infancy, but TMBINC has SNES9x EMU running on a 360 so this is pretty damn amazing.

When the rest is released, it will be posted.

Code:

http://www.megaupload.com/?d=ERGKRCFB
d0
Junior Member
Posts: 177
Joined: Thu Feb 26, 2009 9:50 am
Location: S FL
Contact:

Post by d0 »

d0
Junior Member
Posts: 177
Joined: Thu Feb 26, 2009 9:50 am
Location: S FL
Contact:

Post by d0 »

These JTAG headers are not used for the hack.

Here are the JTAG and SPI ports.
These are in the .PDF in the second link above.

PAGE 12
J8C1
CPU JTAG Header


PAGE 19
J7F1
CPU SPI EEPROM Header


Xbox 360 Flash Info and Datasheets
usbbdm
Junior Member
Posts: 8962
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

Looks interesting. Maybe I can open another forum to discuss this "jtaging"
dayday
Junior Member
Posts: 17
Joined: Tue Apr 22, 2008 1:20 pm

Post by dayday »

usbbdm wrote:Looks interesting. Maybe I can open another forum to discuss this "jtaging"
That would be awesome, the current speed for reading and writing to the NAND right now with the LPT sucks, so this would be great.
usbbdm
Junior Member
Posts: 8962
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

I think it is SPI. But there is not a lot of information other than two pins of data.
I can confirm that reading over SPI will be about 900KB/s, which means reading the 16MB will take about 18 seconds. Again, I have little knowledge about those boxes. Any more information might help me understand better.
virus.b
Junior Member
Posts: 207
Joined: Fri Feb 01, 2008 10:20 pm

Re: Xbox

Post by virus.b »

In that case, I will try to get a hold of an old Xbox from garage sale and send it to you for analysis.
d0
Junior Member
Posts: 177
Joined: Thu Feb 26, 2009 9:50 am
Location: S FL
Contact:

Post by d0 »

what would be needed to run the SMC hack through USB Jtag? I think a new program would be needed to run a code like nandpro2 modified for the USBJTAG??
usbbdm
Junior Member
Posts: 8962
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

ak4d7 wrote:what would be needed to run the SMC hack through USB Jtag? I think a new program would be needed to run a code like nandpro2 modified for the USBJTAG??
Yes. Completely new code needs to be written to support this device.
The NAND chip used in the box is NOT SPI but somehow the SPI interface can be used to access the chip. So I am not sure if we can use full speed (12MHz) to read the chip.
d0
Junior Member
Posts: 177
Joined: Thu Feb 26, 2009 9:50 am
Location: S FL
Contact:

Post by d0 »

I do not have a parallel printer port on my computer. If it is possible, I would like to use the USBJTAG NT for connecting to the Xbox 360.
I am willing to try USBJTAG on the ports that are being used for nandpro2. I just need the pinouts for the parallel cable so I can compare them with the USBJTAG NT cable.
d0
Junior Member
Posts: 177
Joined: Thu Feb 26, 2009 9:50 am
Location: S FL
Contact:

Post by d0 »

Would this be the code that is needed?
  • CODE 1
    if (A == 1) goto CMD_01;
    else if (A == 4) goto CMD_04;
    else if (A == 7) goto CMD_07;
    else if (A == 0xa) goto CMD_0A;
    else if (A == 0xF) goto CMD_0F;
    ...
  • CODE 2
    free_space      equ 02DC0h          ;open space in the bin to place our new code
    test_rtc        equ 00851h          ;Patch location to intercept test
    check_next_cmd  equ test_rtc+5      ;next test after query_rtc
    query_rtc       equ 008ACh          ;function address for query_rtc
    sfc_cmd_reg     equ 0F5h            ;SFR Address for SFC command reg

    ;==============================================================================
    ; Intercept query rtc condition test
    ;==============================================================================
            org test_rtc
            ljmp hack_trigger           ;Call Main Payload SetupHook (smc cmd 0x4)

    ;==============================================================================
    ; Main Payload Section
    ;==============================================================================
            org free_space
    hack_trigger:
            ;a = smc command byte
            cjne a,#004h,not_cmd        ;0x4 = query_rtc smc cmd check
            ljmp do_dma

    not_cmd:
            ljmp check_next_cmd         ;<< Jump out >> Not command 4 (query_rtc)

    do_dma:
            ;NOTE: This is only an example on how to setup for a trigger
            ; the address registers still need to be setup prior to this (via jtag)
            mov sfc_cmd_reg,#007h       ;0x7 = Data Physical Address Command (DMA transfer)
            ljmp query_rtc              ;<< Jump out >> It was command 4, so pass back
                                        ; to normal code path

    ;==============================================================================
    ;==============================================================================

            end                         ;don't forget me :)
Could this be executed with a script?
usbbdm
Junior Member
Posts: 8962
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

ak4d7 has donated an XBOX, and the XBOX programming attempt will begin soon if I can get the power supply this weekend.
I started to read the data sheet of the NAND flash. Strange that the HW modified it to serial data. To me this is another SPI-like programming, but software needs to be written to support this device.
afterhoursalex
Junior Member
Posts: 71
Joined: Sat Jan 12, 2008 7:03 pm

xbox360

Post by afterhoursalex »

thanks usb
usbbdm
Junior Member
Posts: 8962
Joined: Mon Jul 18, 2005 9:33 pm

Post by usbbdm »

The power supply available is not compatible with the XBOX I got. I still need to search for another power supply.