Using lflash to flash XBReboot??

[WildChild]

got it going ok thanks to tuxuser

[jelle2503]

gotta say n00b pretty smart trick to check if lflash will read/write your entire nand without having to worry about brickage

[n00bpwner360]

gotta say n00b pretty smart trick to check if lflash will read/write your entire nand without having to worry about brickage

Thanks man!

[Eiji]

Also, I tried flashing to the NAND the file that I read from it, (just writing the same thing over one another) and it says illegal logical block on a lot of things, I didn't copy them down though, will do later.

Did the console work after these error messages and the flash?

Can't you just partial flash future versions of XBReboot and leave the blocks that contain the Xell Backup, that way you can avoid a brick if anything goes wrong since you still have access to Xell?

EDIT: Looks like Redline is working on a new Xell flasher - http://www.xboxhacker.net/index.php?topic=12513.60

[Mad_Gouki]

http://pastebin.com/m52b28a7f
This is what I got when I used lflash to flash xbr onto my xenon box.  What does it mean, how do I fix it?
Should I just go with LPT?

[jz_5_3]

that means you have flashed the nand successfully.

[Mad_Gouki]

this means I flashed it correctly?

Code:

* detected RAW nand file, flashing in raw mode.
 * illegal logical block 00f80000
 * illegal logical block 00f84000
 * illegal logical block 00f88000
 * illegal logical block 00f8c000
 * illegal logical block 00f90000
 * illegal logical block 00f94000
 * illegal logical block 00f98000
 * illegal logical block 00f9c000
 * illegal logical block 00fa0000
 * illegal logical block 00fa4000
 * illegal logical block 00fa8000
 * illegal logical block 00fac000
 * illegal logical block 00fb0000
 * illegal logical block 00fb4000
 * illegal logical block 00fb8000
 * illegal logical block 00fbc000
 * illegal logical block 00fc0000
 * illegal logical block 00fc4000
 * illegal logical block 00fc8000
 * illegal logical block 00fcc000
 * illegal logical block 00fd0000
 * illegal logical block 00fd4000
 * illegal logical block 00fd8000
 * illegal logical block 00fdc000
 * illegal logical block 00fe0000
 * illegal logical block 00fe4000
 * illegal logical block 00fe8000
 * illegal logical block 00fec000
 * illegal logical block 00ff0000
 * illegal logical block 00ff4000
 * illegal logical block 00ff8000
 * illegal logical block 00ffc000

Also... when I start it I don't get any video or lights for a minute or so and then it does christmas lights.

[n00bpwner360]

this means I flashed it correctly?

Code:

* detected RAW nand file, flashing in raw mode.
 * illegal logical block 00f80000
 * illegal logical block 00f84000
 * illegal logical block 00f88000
 * illegal logical block 00f8c000
 * illegal logical block 00f90000
 * illegal logical block 00f94000
 * illegal logical block 00f98000
 * illegal logical block 00f9c000
 * illegal logical block 00fa0000
 * illegal logical block 00fa4000
 * illegal logical block 00fa8000
 * illegal logical block 00fac000
 * illegal logical block 00fb0000
 * illegal logical block 00fb4000
 * illegal logical block 00fb8000
 * illegal logical block 00fbc000
 * illegal logical block 00fc0000
 * illegal logical block 00fc4000
 * illegal logical block 00fc8000
 * illegal logical block 00fcc000
 * illegal logical block 00fd0000
 * illegal logical block 00fd4000
 * illegal logical block 00fd8000
 * illegal logical block 00fdc000
 * illegal logical block 00fe0000
 * illegal logical block 00fe4000
 * illegal logical block 00fe8000
 * illegal logical block 00fec000
 * illegal logical block 00ff0000
 * illegal logical block 00ff4000
 * illegal logical block 00ff8000
 * illegal logical block 00ffc000

Also... when I start it I don't get any video or lights for a minute or so and then it does christmas lights.

Those are the same illegal logical blocks I got back, however I never tried flashing anything other than what I had dumped so I can't say if it works or not.

[Mad_Gouki]

Those are the same illegal logical blocks I got back, however I never tried flashing anything other than what I had dumped so I can't say if it works or not.

well, did your xbr work?
If so, I can probably assume that I built xbr wrong or something.

edit: and you didn't wind up having any bad blocks, right?  I don't have any bad blocks according to degraded tool.

[phonsey]

ok for ppl getting chrismas lights that means you have injected your kv file wrong and thats your problem!

with your orig nand open it up in hexeditor (HxD)
Press Ctrl + G and enter 4200
Copy sectors 4200 to 83FF ( RAW KV )
Now open ur XBR image in hexeditor and Paste them sectors from ur orig nand into the same address above!
Flash ur image to xbox
Finished!

this is 90% of the time the problem as nandpro and 360 flash tool doesnt inject the Kv correctly into xbr images as i have done alot of tests and helped alot of ppl and it seems the best way to make ur xbr image is to do it manually!

360 Flash Tool 0.91 only Extracts 4000 blocks
Nandpro Injects 4210!

hope this helps!

[X-QlusioN]

For those that have illegal logical block errors, don't know if they are normal but I've had them and XBR boots fine (no bad blocks on nand though)

[Mad_Gouki]

Wasn't the wrong kv file, it was that I needed the 1921 file.
Also, the errors were nothing it seems, other people got them too and had no problem.
My xbr works fine (as fine as xbr can work I suppose).

[Bydox]

Those are the same illegal logical blocks I got back, however I never tried flashing anything other than what I had dumped so I can't say if it works or not.

Looking at the source code, I think you can ignore those illegal logical block warnings.  It's a bug in the code but irrelevant for flashing because it's actually coming from code that reads the NAND.  The part writing the NAND is fine - this is why the verify passes 100%  I'm not sure why it's even there in the middle of the flashing function.  It's passing raw physical addresses on a logical read so those addresses are out of range.  Don't worry about it.

Edit:
This code is only used with non-raw flash images to remap bad sectors for you.  Since all the XBR images are raw and have bad sectors already mapped, it's not needed.

To fix the bug, move the line with "readsector(sector_flash, i, 0);" to be inside the "if (!raw) block below it.  Something like this:

Code:

printf("%08x\r", i);
fflush(stdout);

//readsector(sector_flash, i, 0); //move this down -bydox

int phys_pos;

if (!raw)
{
readsector(sector_flash, i, 0); //moved this from above -bydox

phys_pos = sfcx_readreg(PHYSICAL);

[vintage_guitar]

I've successfully dumped the first 2mb of my 512mb jasper nand, and successfully flashed xell through LPT. Would it be possible to use lflash to simply dump my 512mb nand without flashing anything, to avoid a 16 hour LPT dump? Later, would I possibly be able to inject my original 2mb dump i did from LPT into the 512mb dump i get from lflash? This would save me and a lot of others some time if it is possible.

[littlestevie360]

did this yesterday to a xenon console, dumped using tmbincdump_read3 patched up an XBR image with kv (left the config off as this unit didnt have a jtag wired in and thats what gave me grief with my console) flashed it, worked perfectly, and was faster than using the USB SPI flasher, (obv once in linux)

[n00bpwner360]

I've successfully dumped the first 2mb of my 512mb jasper nand, and successfully flashed xell through LPT. Would it be possible to use lflash to simply dump my 512mb nand without flashing anything, to avoid a 16 hour LPT dump? Later, would I possibly be able to inject my original 2mb dump i did from LPT into the 512mb dump i get from lflash? This would save me and a lot of others some time if it is possible.

When doing a 512MB NAND, isn't the first 16MB used for the good stuff and the rest for save games? I'd assume you can just do nandpro lpt: -r16 nand.bin and it would only take 40 minutes not 16 hours.

[Redline99]

When doing a 512MB NAND, isn't the first 16MB used for the good stuff and the rest for save games? I'd assume you can just do nandpro lpt: -r16 nand.bin and it would only take 40 minutes not 16 hours.

No, on 256 and 512, its the first 64MB not 16MB.

[vintage_guitar]

According to the lflash readme, it does not support large block jasper. So I shouldn't even bother trying to dump it at all? Has anybody tried lflash with large block jasper? Yeah, hmm "unknown flash config 00aa3020". Guess it doesn't read it either.

Code:

if (sfcx_readreg(0) != 0x01198010)
{
printf(" * unknown flash config %08x\n", sfcx_readreg(0));
return 1;
}

obviously is what halts the reading if it doesn't find the flash config to be 0x01198010. Would it be Ok to edit this to get it to read regardless of the config values? (seeing as how the 512 jasper gives 00aa3020) Or is there a different structure involved with the nand so this wouldn't work anyway?

[vintage_guitar]

Well, it worked, albeit somewhat. It dumped the first 16mb of my 512 in about 30 seconds time. heh. I there a way to modify the code further to dump the entire 512mb? After a while It started to give tons of errors saying "ignoring bad sector at xx", but the first good bit of it looks to be ok upon opening in hex editor.. Yeah, my entire xell.bin file matches exactly with what i just dumped though.. weird. It appears to have just given up immediately afterword on reading. Ok, some more progress. I edit the code some more and got it to dump a lot of the NAND without errors, around 400MB or so but it froze up after a while. This dumps the NAND ridiculously fast
[EDIT] ok froze again, but this time at 519,632 KB. Beginning of file appears ok.. not bad so far.. 6 minutes for 507mb

[vintage_guitar]

This is what I've got so far. NOTE: for 512mb jasper only, as i've hardcoded it to only accept the 512 flash config.

Code:

/* placed in public domain, written by Felix Domke <tmbinc@elitedvb.net> */
/* USE ON YOUR OWN RISK. */
#include <stdio.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
#include <byteswap.h>
#include <string.h>

extern void *mmap64 (void *__addr, size_t __len, int __prot, int __flags, int __fd, __off64_t __offset) __THROW;

volatile void * ioremap(unsigned long long physaddr, unsigned size, int sync)
{
int axs_mem_fd = -1;
unsigned long long page_addr, ofs_addr, reg, pgmask;
void* reg_mem = NULL;

/*
* looks like mmap wants aligned addresses?
*/
pgmask = getpagesize()-1;
page_addr = physaddr & ~pgmask;
ofs_addr  = physaddr & pgmask;

/*
* Don't forget O_SYNC, esp. if address is in RAM region.
* Note: if you do know you'll access in Read Only mode,
* pass O_RDONLY to open, and PROT_READ only to mmap
*/
if (axs_mem_fd == -1) {
axs_mem_fd = open("/dev/mem", O_RDWR|(sync ? O_SYNC : 0));
if (axs_mem_fd < 0) {
perror("AXS: can't open /dev/mem");
return NULL;
}
}

/* memory map */
reg_mem = mmap64(
(caddr_t)reg_mem,
size+ofs_addr,
PROT_READ|PROT_WRITE,
MAP_SHARED,
axs_mem_fd,
page_addr
);
if (reg_mem == MAP_FAILED) {
perror("AXS: mmap error");
close(axs_mem_fd);
return NULL;
}

reg = (unsigned long )reg_mem + ofs_addr;
return (volatile void *)reg;
}

int iounmap(volatile void *start, size_t length)
{
unsigned long ofs_addr;
ofs_addr = (unsigned long)start & (getpagesize()-1);

/* do some cleanup when you're done with it */
return munmap((unsigned char*)start-ofs_addr, length+ofs_addr);
}

#define STATUS  1
#define COMMAND 2
#define ADDRESS 3
#define DATA    4
#define LOGICAL 5
#define PHYSICAL 6

volatile unsigned int *flash;

void sfcx_writereg(int reg, int value)
{
flash[reg] = bswap_32(value);
}

unsigned int sfcx_readreg(int reg)
{
return bswap_32(flash[reg]);
}

void readsector(unsigned char *data, int sector, int raw)
{
int status;
sfcx_writereg(STATUS, sfcx_readreg(STATUS));
sfcx_writereg(ADDRESS, sector);
sfcx_writereg(COMMAND, raw ? 3 : 2);

while ((status = sfcx_readreg(STATUS))&1);
 
if (status != 0x200)
{
if (status & 0x40)
printf(" * Bad block found at %08x\n", sector);
else if (status & 0x1c)
printf(" * (corrected) ECC error %08x: %08x\n", sector, status);
else if (!raw)
printf(" * illegal logical block %08x\n", sector);
else
printf(" * Unknown error at %08x: %08x. Please worry.\n", sector, status);
}

sfcx_writereg(ADDRESS, 0);

int i;
for (i = 0; i < 0x210; i+=4)
{
sfcx_writereg(COMMAND, 0);
*(int*)(data + i) = bswap_32(sfcx_readreg(DATA));
}
}

void flash_erase(int address)
{
sfcx_writereg(0, sfcx_readreg(0) | 8);
sfcx_writereg(STATUS, 0xFF);
sfcx_writereg(ADDRESS, address);
while (sfcx_readreg(STATUS) & 1);
sfcx_writereg(COMMAND, 0xAA);
sfcx_writereg(COMMAND, 0x55);
while (sfcx_readreg(STATUS) & 1);
sfcx_writereg(COMMAND, 0x5);
while (sfcx_readreg(STATUS) & 1);
int status = sfcx_readreg(STATUS);
if (status != 0x200)
printf("[%08x]", status);
sfcx_writereg(STATUS, 0xFF);
sfcx_writereg(0, sfcx_readreg(0) & ~8);
}

void write_page(int address, unsigned char *data)
{
sfcx_writereg(STATUS, 0xFF);
sfcx_writereg(0, sfcx_readreg(0) | 8);

sfcx_writereg(ADDRESS, 0);

int i;

for (i = 0; i < 0x210; i+=4)
{
sfcx_writereg(DATA, bswap_32(*(int*)(data + i)));
sfcx_writereg(COMMAND, 1);
}

sfcx_writereg(ADDRESS, address);
sfcx_writereg(COMMAND, 0x55);
while (sfcx_readreg(STATUS) & 1);
sfcx_writereg(COMMAND, 0xAA);
while (sfcx_readreg(STATUS) & 1);
sfcx_writereg(COMMAND, 0x4);
while (sfcx_readreg(STATUS) & 1);
int status = sfcx_readreg(STATUS);
if (status != 0x200)
printf("[%08x]", status);
sfcx_writereg(0, sfcx_readreg(0) & ~8);
}



extern volatile void * ioremap(unsigned long long physaddr, unsigned size, int sync);
extern int iounmap(volatile void *start, size_t length);

int dump_flash_to_file(const char *filename)
{
printf(" * Dumping to %s...\n", filename);

FILE *f = fopen(filename, "wb");

int i;
for (i = 0; i < 512*1024*1024; i += 0x200)
{
unsigned char sector[0x210];
readsector(sector, i, 1);
if (!(i&0x3fff))
{
printf("%08x\r", i);
fflush(stdout);
}
if (fwrite(sector, 1, 0x210, f) != 0x210)
return -1;
}
printf("done!   \n");
fclose(f);
return 0;
}

int verify_flash_with_file(const char *filename, int raw)
{
FILE *f = fopen(filename, "rb");
if (!f)
return -1;

if (raw == -1) /* auto */
{
fseek(f, 0, SEEK_END);

if (ftell(f) == 512*1024*1024 / 0x200 * 0x210)
{
raw = 1;
printf(" * detected RAW nand file, verifying in raw mode.\n");
} else
{
raw = 0;
printf(" * detected short nand file, verifying in cooked mode.\n");
}
fseek(f, 0, SEEK_SET);
}

printf(" * Verifying flash with %s...\n", filename);

int i;
for (i = 0; i < 512*1024*1024; i += 0x200)
{
unsigned char sector[0x210], sector_flash[0x210];
if (!(i&0x3fff))
{
printf("%08x\r", i);
fflush(stdout);
}
if (fread(sector, 1, 0x210, f) != 0x210)
return i;
readsector(sector_flash, i, raw);
if (sector_flash[0x205] != 0xFF) /* bad sector */
{
printf(" * ignoring bad sector at %08x\n", i);
continue;
}
if (memcmp(sector, sector_flash, 0x210))
{
printf(" * VERIFY error at %08x\n", i);
return -2;
}
}
printf("done!   \n");
fclose(f);
return i;
}

int flash_from_file(const char *filename, int raw)
{
printf(" * Flashing from %s...\n", filename);

FILE *f = fopen(filename, "rb");
if (!f)
return -1;

if (raw == -1) /* auto */
{
fseek(f, 0, SEEK_END);

if (ftell(f) == 512*1024*1024 / 0x200 * 0x210)
{
raw = 1;
printf(" * detected RAW nand file, flashing in raw mode.\n");
} else
{
raw = 0;
printf(" * detected short nand file, flashing in cooked mode.\n");
}
fseek(f, 0, SEEK_SET);
}

int i;
for (i = 0; i < 512*1024*1024; i += 0x4000)
{
unsigned char sector[0x210*32], sector_flash[0x210*32];
memset(sector, 0xFF, sizeof(sector));
if (!fread(sector, 1, 0x210*32, f))
return i;

printf("%08x\r", i);
fflush(stdout);

readsector(sector_flash, i, 0);

int phys_pos;

if (!raw)
{
phys_pos = sfcx_readreg(PHYSICAL);

if (!(phys_pos & 0x04000000)) /* shouldn't happen, unless the existing image is broken. just assume the sector is okay. */
{
printf(" * Uh, oh, don't know. Reading at %08x failed.\n", i);
phys_pos = i;
}
phys_pos &= 0x3fffe00;

if (phys_pos != i)
printf(" * relocating sector %08x to %08x...\n", i, phys_pos);
} else
phys_pos = i;

flash_erase(phys_pos);
int j;
for (j = 0; j < 32; ++j)
write_page(phys_pos + j * 0x200, sector + j * 0x210);
}
return 0;
}

int main(int argc, char **argv)
{
flash = ioremap(0xea00c000, 0x1000, 1);

printf(" * flash config: %08x\n", sfcx_readreg(0));

sfcx_writereg(0, sfcx_readreg(0) &~ (4|8|0x3c0));

if (sfcx_readreg(0) != 0x00AA3020)
{
printf(" * unknown flash config %08x\n", sfcx_readreg(0));
return 1;
}

if (argc != 2 && argc != 3)
{
printf("usage: %s <current> [<new>]\n", *argv);
return 2;
}

const char *orig = argv[1];
int res = verify_flash_with_file(orig, 1);
if (res == -1)
{
dump_flash_to_file(orig);
res = verify_flash_with_file(orig, 1);
}

if (res != 512*1024*1024)
{
if (res == -2)
printf(" * verify failed!\n");
else if (res > 0)
printf(" * verified correctly, but only %d bytes.\n", res);
else
printf(" * original image invalid\n");
printf(" * I won't flash if you don't have a full, working backup, sorry.\n");
return 1;
}
printf(" * verify ok.\n");

if (argc > 2)
{
const char *image = argv[2];

flash_from_file(image, -1);
res = verify_flash_with_file(image, -1);
if (res > 0)
printf(" * verified %d bytes ok\n", res);
else
printf(" * verify failed! (%d)\n", res);
}
return 0;
}

any suggestions?