Falcon 3.0 flashed with Zephyr nand!!!

[HiGhLaNdeR]

Hey all.
I have an exploitable xbox and no good skills of soldering. I went to a guy who has and asked him to make a jtag.
He got it to work but the thing is that it boots 7 out of 10 and the controller can't power up the xbox (and won't turn off the controller when you power it down).
I have the Original Nand and the hacked\flashed one.

After running the 360 flash tool to check both orig and hacked I found out this:

Original
Falcon 3.0 16MB
CB and CD: 5761
CE: 1888
Patch 0: 7371
Patch 1: 6717

Hacked
Zephyr 2.0 16MB
CB and CD: 4558
CE: 1888
Patch 0: 4532
Patch 1: 12611

He tried several hacked flashes as Falcon (which it is originally) but he failed to make it run, he tried several circuits with aud_clamps, transistors, etc. All gave E79 or wouldn't even power up.
The only way to make it run was to make it a Zephyr and without any special circuit, he used the original jtag circuit. He didn't even patch anything and just injected the original kv into the updflash using pig.

What can be done to at least fix the power up and power down with controller?
If I want to upgrade the nand I will have to make it a Zephyr right and inject the original kv decrypted?

Cheers and thanks.

[yifanlu]

Wow, looks like you got the wrong guy to flash your console. I don't know if you're using a falcon smc or zephyr smc. I'm suprised this even boots, but if you used the wrong smc, then lots of things won't work properly.

[neonpolaris]

I would suggest building the image with fbBuild (currently 0.11) and not other tools like bestpig's toolbox.  Really, it's not hard.  You can patch your original SMC extracted from your original NAND with Blackaddr's SMC Utility, so you know that you have the right SMC for your board.

[HiGhLaNdeR]

Thanks for the input.
I'll research a bit more and rebuild the flash without pig.
I have all the tools and I just need to get time.
I just hope I don't need to wire it again if it's a bad flash :p heh
How to extract the smc.bin from the original nand? I extracted the kv.bin and the config.bin using 360 flash tool but the smc checkbox is grayed out...?? Is there any other tool\way to do it?
Found out how, had to check the 1BL key

Processing ANALYSIS section of smc_util.ini

DMA_READ_HACK: not found
GPU_JTAG: not found
PCI_MASK_BUG: not found
TMS_PATCH: not found
TDI_PATCH_0_of_3: not found
TDI_PATCH_1_of_3: not found
TDI_PATCH_2_of_3: not found
TDI_PATCH_3_of_3: not found
PNC_CHARGE: not found
PNC_NO_CHARGE: not found

Seems virgin

Cheers!

[HiGhLaNdeR]

Hey all.

After reading the smc_dec.bin from updflash.bin that was flashed into my nand I found out that the options used were these:

*** Xbox 360 SMC Utility ***
*** Version 1.2 by Blackaddr  ***

*** Xbox 360 SMC I/O Config Utility ***
*** Version 0.3a by Blackaddr  ***


INTERACTIVE MODE

1 - ARGON_DATA (Ring of light board)
2 - DB1F1 or alternate
3 - AUD_CLAMP (Q2N1)
4 - TRAY_OPEN (DVD power cable or connector)

Which I/O for TMS? [1-4]: 1
...using 83
Which I/O for TDI? [1-4]: 2
...using C0

Now, since i'm a bit clueless about the wiring, which options should I use for TMS and TDI? from the top of the board I only see a wire which might be between J2D2.4 and J2D2.7 that has to stay in the end of reading the nand right? (need to open the xbox again to double check).

[bluespace77]

@ yifanlu

If you take a look at the SMC's floating around, all these 'JTAG tools' use only 2 SMC's. One for the Xenon, and another for Zephyr's/ Falcon's/ Jasper's. While they may have seperate SMC's for these consoles, compare the CRC32's.

Because he's used one of these tools; Falcon or Zephyr, it still would have used the same SMC.

Only by using blackaddr's tool and a clean SMC from your original NAND dump will you get a true SMC for your console.

@ HiGhLaNdeR

I believe TDI (J2D2.1) is the one nearest to the heaksink and TMS (J2D2.8) is the one nearest the NAND IC. There's a PDF in the SMC_UTIL archive which details it.

For each you need to choose each wire has been soldered to. If you get it wrong, you'll get an E79 until your SMC configuration and wiring layout match.

He's probably followed a guide from the Internet so it's likely he's used ARGON_DATA or AUD_CLAMP for TMS, and DB1F1 for TDI. If he used a NAND-X, he may have used TRAY_OPEN for TDI as that's what the guide on their forums suggests to use.

L_ has Falcon's, so should be able to help you.

[HiGhLaNdeR]

Thanks for input bluespace77.
I've been building the nand files, everything is in place besides the smc.bin which I need to encrypt before I put it in "mydata". I need help on encrypt it back, I have bincrypt2 but I don't see the SMC option there. I guess a little research won't give me hard time.

About the schematics I need to contact the guy and ask him which points he used, I know for a fact that J2D2.1 was used, same with DB1F1. Didn't see anything on the ROL but it can be bellow the board.

Thanks again.

[bluespace77]

I know blackaddr's tool tells that you need to re-encrypt the SMC, but when used with fbBuild you don't. I'm presuming you're using fbBuild from the 'mydata directory'. fbBuild should re-encrypt it when it builds the image.

I just put the raw smc.bin from blackaddr's tool in the data directory and build it with fbBuild. You should be using iBuild/ fbBuild directly to build your image and not these 'JTAG tools'.

I believe you only need to reencypt the SMC if you flash it directly back to the NAND using NANDPro, or inject it into a prebuilt image. That's probably how people like blackaddr and L_ (blackaddr's tester) update their SMC rather than reflashing the entire NAND.

[l_oliveira]

Wow ... Blackaddr tool tell people to use the original SMC from the original IMAGE (MS image from before hacking) and that being the decrypted version of it as extracted by flashtool.

@ OP are you sure you weren't scammed ?  You gave the guy an Falcon and got an Zephyr in return ?


Anyway, if it's still your console and it's really running with an Zephyr image in a Falcon board, then you will have some annoying issues.


First, Falcon SMC is version 1.6 and pigsty tool uses SMC 2.3 (Japser) when a mobo is of HDMI type.

In a Zephyr that's really half of the trouble.

The other half of the problem is using the data bus for the RoL  (Ring of Light) for patching the GPU.

There's plenty of info on this forum about how to make your console work properly.

[HiGhLaNdeR]

I double checked the board and yes it's still my Falcon HDMI

I extracted the smc.bin from the hacked flash (updflash.bin) and used black's tool to analyze it.
I assume that the info from that smc.bin can tell me which point he used to jtag or am I wrong?

HACKED smc.bin (and you were right l_oliveira, it's jasper smc from pig's):
Looking for SMC version...
SMC Version: 2.3

Processing ANALYSIS section of smc_util.ini

DMA_READ_HACK: found at 0x2D73
GPU_JTAG: found at 0x2DAD
PCI_MASK_BUG: found at 0x2E9C
TMS_PATCH: found at 0x2DC2 : TMS_value_is 0x83
TDI_PATCH_0_of_3: found at 0x2E20 : TDI_value_is 0xC0
TDI_PATCH_1_of_3: found at 0x2E46 : TDI_value_is 0xC0
TDI_PATCH_2_of_3: found at 0x2E5D : TDI_value_is 0xC0
TDI_PATCH_3_of_3: not found
PNC_CHARGE: not found
PNC_NO_CHARGE: not found


Seems he used for TMS the ROL (0x83) and TDI DB1F1 (0xC0) correct?


New SMC I made:
*** Xbox 360 SMC Utility ***
*** Version 1.2 by Blackaddr  ***

Looking for SMC version...
SMC Version: 1.6

Processing ANALYSIS section of smc_util.ini

DMA_READ_HACK: found at 0x2E62
GPU_JTAG: found at 0x2EA1
PCI_MASK_BUG: not found
TMS_PATCH: found at 0x2D4B : TMS_value_is 0x83
TDI_PATCH_0_of_3: found at 0x2DA9 : TDI_value_is 0xC0
TDI_PATCH_1_of_3: found at 0x2DCF : TDI_value_is 0xC0
TDI_PATCH_2_of_3: found at 0x2DE6 : TDI_value_is 0xC0
TDI_PATCH_3_of_3: found at 0x2EA7 : TDI_value_is 0xC0
PNC_CHARGE: found at 0x2E4F
PNC_NO_CHARGE: not found

Am I in the correct path?

Thanks for helping!

meanwhile...
mydata contains:
cpukey.txt -> myinfo :p
crl.bin -> extracted using ibuild
crl.bin.meta -> extracted using ibuild
extended.bin -> extracted using ibuild
extended.bin.meta -> extracted using ibuild

kv.bin (decrypted) -> extracted using 360 flash tool <---- If I fc with the one extracted with ibuild it won't match (yes used the kv_enc.bin from 360flashtool). Shouldn't them be exactly the same?

MobileB.dat -> extracted using mobileExtract
odd.bin -> extracted using ibuild
odd.bin.meta -> extracted using ibuild
secdata.bin -> extracted using ibuild
secdata.bin.meta -> extracted using ibuild
smc.bin (decrypted) -> extracted using 360 flash tool and modified like I show in this post with black's tool
smc_config.bin -> extracted using ibuild


Anything I should add?

[HiGhLaNdeR]

I was going to flash it with flash360 but I get a kv mismatch warning... I used the kv extracted from original nand with ibuild. (FIXED! I was using the one extracted using 360 flash tool)

Should I continue? (Going to retry).

Or should I flash using Xellous?

Advice please.

[l_oliveira]

It will aways give kv mismatch when you try to flash because of the "Salt" or pairing value being saved on the decrypted KV before it's encrypted and written to the flash image.

[HiGhLaNdeR]

Ok thanks!

Gonna flash it, crossing fingers :p

[HiGhLaNdeR]

Flashed successfully but the problem of the 3RROD 3 out of 10 still happens plus the controller not turning the xbox on and the controller won't go off with console shutdown.
Here is the pic of the nand dump:


The smc is now falcon 3.0 but same behavior!!
What can I do next??

HELP!

[janvkem]

I have had similar problems (controller not turning off after shutdown and console not able to turn on by the controller) after trying the boxxdr method (not the transistor method, but the method of installing the wires underneath the board like this) for the first time on a jasper model.
The problem was (which I found out only after measuring all points with a multimeter), that the resistor r2p12 was making bad contact to the trace leading to the ring of light. I completely removed the resistor and replaced it with r6t3 (both resistors are 10K) which resolved the problem. That however is not recommended to try if you are not good in soldering as these resistors are small. Which method was used in your xbox?

[HiGhLaNdeR]

Hey,

as far as I know he used the simple method, without any fancy stuff.
after this problem happened he tried all kind of methods but the only one that he could get the xbox to work was the simple (original mode) with smc.bin of a zephyr he said (after I found out it was a jasper smc as you can see in my first posts).
TMS -> ROL (bellow the board) (0x83) and TDI -> DB1F1 (0xC0)

Tomorrow I'm going to try the 330 OHM between the bridge.
I'm trying not to rewire the jtag...

[HiGhLaNdeR]

Thanks all!
Everything is now running smooth. (At least till now).

Solution:
330 OHM 1/4w resistor in the bridge.
2x diodes 1N4148 between the 2 wires (TMS & TDI, done on the bottom of the board).
Wouldn't start with the HDD on, E71.
Reflashed the nand, with my hand made updflash.
Reinstalled  Dash Launch 2.07.
Everything back to normal, FreeStyleDash.

No more RROD's in 3 out of 10 turn on's.
Controller now turns the xbox on and controller goes off when you turn console off.

CHEERS!!

[l_oliveira]

I usually recommend a diode from pin 7 to pin 4 with the cathode connected to pin 4.  I didn't recall of that.  Good to know you have your trouble solved.

[HiGhLaNdeR]

In what is working I never touch but I'll keep the diode in mind if anything goes wrong
Thanks for all your help L_