XboxHacker BBS
 
Topic: E71 after JTAG attempt (ECC error blocks)
janvkem
Hacker
***
Posts: 61


« on: February 07, 2011, 06:48:32 AM »

A while ago someone came to me with an Xbox360 he had tried to jtag. He followed a tutorial (of course) and found that his version was below 7371 because the version on his xbox started with a 1. You can guess what happened next. He soldered up some wires to an LPT port and made 3 backups of his nand, of which 2 backups are wrong for certain (wrong size and most likely also wrong data). Fed up with attempts to get the jtag working, he brought it to me. Taking a look at his nand with the good size told me that he had no dashboard below 7371, but 12416 (which indeed starts with a 1). Also his cables for the LPT connection were way too long.

The nand backup he made can be opened in 360 Flash Dump Tool and shows 2 bad blocks at block 54 and 55. These bad blocks however are not remapped to the end of the nand. When opening the nand in XNandHealerGUI_0.6 (never used that program before, as I don't trust it to 'fix' nand files), it showed no bad blocks, but ECC error blocks at block 54 and 55. A little search on the web told me that this is caused by faulty data in the block. I think it is due to his poor wiring. He however flashed the nand file back to his console (after trying to flash xell to it) and when I read it with a USB reader, I got an exact copy when compared in Hex Comparison.

Booting up the console takes the console to the xbox splash screen (where the logo comes up, don't know if it is called splash screen, but that used to be in the xbox 1 days, old I know ;) ). Directly when the xbox logo appears, the xbox freezes and spits out an E71, which indicates problems in flash. As block 54 and 55 have bad ecc data, I think that the problem lies within dash.xex (start block 0x003A and length 0x005c6000 according to 360 Flash Dump Tool).

What I want to ask is whether it is possible or not to take the dash.xex from another nand file (12416 of course) and replace it with this nand file's dash.xex. For as far as I know, dash.xex is not encrypted with the cpu key, because it can be extracted from the nand without knowing the cpu key, is that correct? If so, I would say it would be possible to repair this xbox by inserting the dash.xex using nandpro (hoping that this is the only problem with his nand backup). Can somebody comment on this thought? Furthermore, if this turns out to be possible, is there someone who has a 12416 nand for me to get the file from? CPU key is not needed of course, as I don't need to extract any files encrypted by the CPU key.
Logged
cory1492
Xbox Hacker
*****
Posts: 616


« Reply #1 on: February 07, 2011, 07:19:21 AM »

Quote
is possible or not to take the dash.xex from another nand file (12416 of course) and replace it with this nand file's dash.xex
Yes, you are correct in thinking the system files are not encrypted per machine. All you really need to do is figure out what data in dash.xex is missing (extract dash.xex from an updater or a clean 12416 dump, binary compare and the incorrect data/data you need should stand out like a sore thumb), where in the nand it is, and replace it (remapping the blocks after if needed.) Also, as you are getting an E- error screen you know the boot data, the bits that are cpu key crypted, should at least be good.
« Last Edit: February 07, 2011, 07:22:00 AM by cory1492 » Logged
janvkem
Hacker
***
Posts: 61


« Reply #2 on: February 07, 2011, 07:42:45 AM »

That is very good to hear! I am gonna try to replace the dash.xex. I never thought of extracting it from a dashboard update directly. Should be possible using LeFluffie I would say. Will keep you informed on progress! Thanks for the fast reply!

Update: Le Fluffie works excellent for extracting the dash.xex file. Overwriting the complete file looked like the easiest, as the extracted dash.xex has no ECC data. Comparing this dash.xex to the nand's dash.xex is difficult when ecc data is missing on one of the two. The dash.xex file will have no ECC data I thought, so I tried:

Code:
nandpro nand.bin: +W16 dash.xex 3a

That should write dash.xex to block 3a while adding ECC data. Doing this gives the same result as the nand was doing before, but does not show bad blocks anymore in 360 Flash Dump Tool. The console still boots after a short time at the boot animation to E71 however. I have tried a lot of other stuff. Removing ECC from the original nand, then find the start of dash.xex in hex. Copy paste dash.xex from the lefluffie extracted file into the nand with ECC removed. Write nand back to xbox while adding ECC data. No results. I have tried many more things, too much to write down here, as they all were unsuccessful. I seem to be doing something wrong, but I can not figure out what is going wrong.

Update: Remapping block 54 and 55 did not work.
« Last Edit: February 07, 2011, 12:51:41 PM by janvkem » Logged
janvkem
Hacker
***
Posts: 61


« Reply #3 on: February 09, 2011, 09:13:09 AM »

Is there a possibility to take the nand from another xbox with the same dashboard version, strip it from its cpu encrypted data and place it inside my (most likely bad) nand? This way, all non cpu key encrypted data should be inside my nand right? Or does anyone know an easier method to restore this nand?
Logged
utar
Master Hacker
****
Posts: 328


« Reply #4 on: February 09, 2011, 09:42:27 AM »


Is it possible to delete / add files to the filesystem using 360 Flash Dump Tool?  I personally can't remember, but if you can you may want to attempt to replace dash.xex this way.

Logged
janvkem
Hacker
***
Posts: 61


« Reply #5 on: February 09, 2011, 10:23:26 AM »

I did not find that option in 360 Flash Dump Tool, but I would say it would be possible using some other program, considering that the nand is made up of blocks of data (like for example dash.xex) and patches. If these blocks of data are not encrypted with the CPU key, it would be possible to replace them using nandpro for example. The start block and length are found using Flash Dump Tool. Nandpro can then replace the files and add ECC data.

I came across something else that I thought is strange. When I extract the 12416 FileSystem Raw in Flash Dump Tool and open the dash.xex with a hex editor, I find the text string "2004-2008 Microsoft Corporation. All rights reserved". Should this be in dash.xex?
Logged
cory1492
Xbox Hacker
*****
Posts: 616


« Reply #6 on: February 09, 2011, 11:26:19 AM »

Quote
When I extract the 12416 FileSystem Raw in Flash Dump Tool and open the dash.xex with a hex editor, I find the text string "2004-2008 Microsoft Corporation. All rights reserved". Should this be in dash.xex?
Unfortunately it seems flash tool still does that sometimes... it's the contents of block0. I ran into a similar problem myself the other day, where padding the image to 256M for a big block seemed to solve it but still some files didn't extract properly. It could also be a damaged or incorrect FAT/LBA table, though...

If you use a hex compare and extract block sized chunks nandpro can inject the data. Basically you should be able to extract the file from the repaired image and get the proper one back out, so that it is binary 1:1 the same. Trying to overwrite the whole file may not work, files aren't required to be in sequential blocks for their entire span.

Also there is xtsynth, though no idea if that will help much (link, it's there).

Also, using a donor NAND for the FS (file system) will not work... CF and CG are too big for the 64k slots they are given, and overflow into fs files titled "systemupdate.xexp*", and as I said above there is no requirement for anything in the FS to be in any specific block. You would have to be extremely lucky, like go buy a lottery ticket lucky, to find a donor with the patch slot CG in the same spot so you could retain that data from your current dump.
« Last Edit: February 09, 2011, 11:38:22 AM by cory1492 » Logged
janvkem
Hacker
***
Posts: 61


« Reply #7 on: February 09, 2011, 01:08:48 PM »

I have read about those problems with 360 Flash Dump Tool before I believe. It is not a big deal actually, as I know where my dash.xex begins. Let's just assume that my FAT/LBA table is correct, otherwise this is absolutely not possible ;)

I just saw that I made a (stupid) mistake previously. It turns out that the dashboard version that is installed is not 12416, but 12413. All this time I was trying to inject the 12416 dash.xex in the nand, where it needed the 12413 dash.xex. This version is a BETA dashboard version. I have tried to download it, but using LeFluffie I am not able to find the dash.xex in the update (probably because it is a BETA version ripped from Microsoft's server).

Quote
Also there is xtsynth, though no idea if that will help much (link, it's there).


Tried it, but freezes on this nand file.

Quote
Also, using a donor NAND for the FS (file system) will not work... CF and CG are too big for the 64k slots they are given, and overflow into fs files titled "systemupdate.xexp*", and as I said above there is no requirement for anything in the FS to be in any specific block. You would have to be extremely lucky, like go buy a lottery ticket lucky, to find a donor with the patch slot CG in the same spot so you could retain that data from your current dump.

Thanks, did not know that. That makes it indeed almost impossible to use donor FS. I guess my best bet at the moment is to find an extracted dash.xex from the 12413 dashboard update and inject that using nandpro at block a3. Any tips on how to find 12413 dash.xex? I do have another regular xbox and multiple jtag xboxes that can be used. I think I will update the regular xbox to dashboard 12413. Take out the nand. Extract dash.xex using 360 flash dump tool (or xtsynth if flash dump tool is giving problems). Compare the extracted file with data in the original nand (size and position) and then inject the dash.xex in the damaged nand file using nandpro. Let's hope the dash.xex is one consecutive file in the nand. It's gonna be an interesting evening :)
Logged
cory1492
Xbox Hacker
*****
Posts: 616


« Reply #8 on: February 10, 2011, 02:45:17 AM »

Once again, you only have to replace the damaged data in the blocks that contain the damaged sectors... this avoids any issues of scattered LBA's. If it's a small block NAND, old versions of flash tool even back as far as 0.88 or so give a summary of where files are in NAND for all their blocks in the log file.

The 12413 one (at least what I found for download publicly) seems to have been strictly a content file push from the looks of it, an incremental update to the things stored off-flash like avatars and similar.
Logged
janvkem
Hacker
***
Posts: 61


« Reply #9 on: February 10, 2011, 04:52:26 AM »

Quote
Once again, you only have to replace the damaged data in the blocks that contain the damaged sectors... this avoids any issues of scattered LBA's. If it's a small block NAND, old versions of flash tool even back as far as 0.88 or so give a summary of where files are in NAND for all their blocks in the log file.

The 12413 one (at least what I found for download publicly) seems to have been strictly a content file push from the looks of it, an incremental update to the things stored off-flash like avatars and similar.

Finally success! I read your post again and this is what I did. I used the nand.bin that came with the console. Extracted block 54 and 55 (which showed ECC errors) without saving the ECC data. I opened the two files with a hex editor. In another window I opened dash.xex in a hex editor. I searched for the hex values of the first line of block 54 inside dash.xex. After that I selected the data for as far as block 54 would go (without ecc data). I then did the same to block 55. Now I had 2 blocks without ecc, so these needed to be written using nandpro to block 54 and 55 while adding ecc. This I used:

Code:
nandpro usb: +W16 54.bin 54 1
nandpro usb: +W16 55.bin 55 1

Tested the console and it is booting! I now also understand what I did wrong. I thought of just replacing the entire dash.xex, where I just had to replace the bad data (which cory1492 was telling all the time, but I was not seeing it or just stubborn). Thanks a lot for the help cory1492! Really appreciate that you wanted to look at it!
Logged
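
The hex-editor search described in Reply #9, as an added example that is not part of the thread or of any tool named in it. It generalises the "first line" search by letting every page of the damaged block vote for its position in the clean file; the 512+16 byte page and 32-page block geometry, the function names and the sample data are assumptions made for this sketch.

```python
import random
from collections import Counter

# Assumed small-block dump geometry (not stated in the thread): each page is
# 512 data bytes followed by 16 spare/ECC bytes, 32 pages per block.
PAGE, SPARE, PAGES = 512, 16, 32
RAW_PAGE, BLOCK = PAGE + SPARE, PAGE * PAGES
RAW_BLOCK = RAW_PAGE * PAGES

def block_data(dump, block):
    """Return one block of a raw dump with the spare bytes stripped."""
    raw = dump[block * RAW_BLOCK:(block + 1) * RAW_BLOCK]
    if len(raw) != RAW_BLOCK:
        raise ValueError(f"block {block:#x} is outside the dump")
    return b"".join(raw[i:i + PAGE] for i in range(0, RAW_BLOCK, RAW_PAGE))

def pages(data):
    return [data[i:i + PAGE] for i in range(0, BLOCK, PAGE)]

def locate_block(damaged, reference):
    """Find the clean copy of a damaged block inside a reference file.

    Each page is searched for separately and votes for the file offset it
    implies, so a corrupt first page cannot mislead the search. Returns
    (offset, bad_page_numbers, clean_block), or None if under half agree.
    """
    votes = Counter()
    for n, probe in enumerate(pages(damaged)):
        if len(set(probe)) == 1:      # filler (all 00 or FF) matches anywhere
            continue
        pos = reference.find(probe)
        while pos != -1:
            start = pos - n * PAGE
            if 0 <= start <= len(reference) - BLOCK:
                votes[start] += 1
            pos = reference.find(probe, pos + 1)
    if not votes:
        return None
    offset, count = votes.most_common(1)[0]
    if count < PAGES // 2:
        return None
    clean = reference[offset:offset + BLOCK]
    bad = [n for n, (a, b) in enumerate(zip(pages(damaged), pages(clean))) if a != b]
    return offset, bad, clean

def demo():
    """Constructed data: a random 'reference file' stored from block 2 of a dump."""
    rng = random.Random(360)
    reference = bytes(rng.randrange(256) for _ in range(5 * BLOCK))
    body = bytes(2 * BLOCK) + reference          # blocks 0-1 are unrelated
    dump = bytearray(b"".join(body[i:i + PAGE] + b"\xff" * SPARE
                              for i in range(0, len(body), PAGE)))
    for page in (0, 7):                          # corrupt two pages of block 4
        at = 4 * RAW_BLOCK + page * RAW_PAGE
        dump[at:at + 8] = b"\x00" * 8
    return locate_block(block_data(bytes(dump), 4), reference)
```

The returned clean block is what would be saved as 54.bin and written back with the `+W16` command quoted in the post, which adds the ECC data again.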
cory1492
Xbox Hacker
*****
Posts: 616


« Reply #10 on: February 11, 2011, 02:04:57 AM »

Glad you got it sorted janvkem :D
Logged
mach1ne
Newbie
*
Posts: 3


« Reply #11 on: February 27, 2011, 05:20:26 AM »

Hi everyone, first time poster to xboxhacker :)
I have a wee problem which I hope someone can help me with...I hope I've posted it in the correct place.

My problem is this:

I have a brand new jasper 512mb xbox which I purchased so that I could JTAG it using the NAND X USB method. I used the QSB to attach it to the mobo. Using nandpro, I read my NAND 3 times and I got these errors:

Looking for usb interface devic
FlashConfig:00AA3020
512MB Nand Detected
Starting Block:0x000000
Ending   Block:0x007FFF
Configured for Large Block Nand
Reading
Error: 250 reading block 580
Error: 210 reading block 581
Error: 210 reading block 582
Error: 210 reading block 583
Error: 210 reading block 584
Error: 210 reading block 585
Error: 210 reading block 586
Error: 210 reading block 587
Error: 204 reading block E81
Error: 214 reading block E83
Error: 214 reading block E85
Error: 20C reading block E86
Error: 21C reading block E88
Error: 214 reading block E89
Error: 218 reading block E8A
Error: 218 reading block E8C
Error: 20C reading block E8D
Error: 21C reading block E8E
Error: 250 reading block 1178
Error: 250 reading block 2580
Error: 250 reading block 75A0
7FFF

I spoke to a friend regarding these errors and he said that as long as all three dumps were the same and they matched using a compare tool I'd be fine (I think this was bad advice....)

I carried on to the next step which was connecting the jtag wires, I had issues with the DB1f1 connections I think (although using a multitester tool I had a connection) as I could not get xell to load on to the nand, so I tried the alt jtag wire solution and connected the wire to the dvd cable AUD_CLAMP and the FT2R2. I managed to get xell to work and using this method I obtained my cpu key and I thought I was on the home stretch as 360 flash tool showed me my dvd key, cpu key and the correct xbox serial etc.... Alas I was then faced with problems getting freeboot to work, I just could not get the jasper_hack_bigblock_xellous xbr to work (I tried two or three other xellous files also). I used jtag tools also using the alt wiring option, but still no joy. At this point I had spent 2 full days, dumping my original nand back on and trying the whole process again and again and was still unable to get it working.
Finally I gave up and thought that I'd put the original nand back on (which up to this point worked and would boot up to the dashboard) and send it to my friend (who told me to ignore the errors) and let him do it, but try as I might the original nand would not work. Every time I powered up the xbox it would have the green light in the center for 5 secs then the fan tone changed and I got 3 red lights (top left, bottom left and bottom right). I removed the jtag wires and tried flashing again but still the same outcome.

I checked my nand using nandhealer and it told me that I had ECC error blocks 0x1d0 and 0x1d1. I tried fixing it (below):

Fixing ECC blocks
Step 1 of 2: Reading nand1_0E80.bin.............Read error(1), retrying....
Step 2 of 2: Reading nand1_0E88.bin.............Read error(1), retrying....

Can any of you guys help me or should I go shopping for a new xbox?

JANVKEM and CORY1492 seem to know their stuff, any suggestions??

Thanks for your time guys...
Logged
janvkem
Hacker
***
Posts: 61


« Reply #12 on: February 27, 2011, 05:58:27 AM »

Quickest solution is to create a fbbuild image using your original nand. As xell runs, fbbuild should also run. Extract the needed files from your nand backup using ibuild or 360 Flash Dump Tool and create a working 12611 fbbuild image. If extracting them from your nand is not possible you should use donor files. First however, try to use your own files as they contain data that is specific for your console like temperature profiles. Make sure to use the right smc (change your own smc (you extract it using ibuild or 360 Flash Dump Tool) using Blackaddr's smc utility 1.2) to the right wiring. Recommended wiring for hdmi models is aud_clamp and db1f1 (or ft1u2/ft2r2). Another point for db1f1 (or ft1u2/ft2r2) is given in this image by boxxdr: http://boxxdr.com/boxxdr_jtag.jpg. Make sure you have the right soldering skills before attempting this. Practice on old stuff first before messing with the xbox to make sure you don't have a problem with your soldering. Buy a small tip soldering machine if you don't have one or let someone else do it for you. If you did not successfully solder to db1f1 you will have problems soldering to any other point.

From your post I suppose you have already flashed your nand. What I would try is to erase the nand completely. Then write your fbbuild image. If that goes without write errors you are fine. If you get write errors then you need to remap those blocks that give you an error to the end of your nand file. First things first however: You need to get your fbbuild image and get it booting xell from the fbbuild image. That should be working without problems as you have no bad blocks in the first blocks of your nand chip.
Logged
mach1ne
Newbie
*
Posts: 3


« Reply #13 on: February 27, 2011, 06:02:58 AM »

Thanks for the speedy reply... I'll try that now. One other thing, I have an error 202 programming block 580. Is that a problem?
Logged
Arakon
Administrator
Xbox Hacker
*****
Posts: 6925


« Reply #14 on: February 27, 2011, 08:24:19 AM »

Likely just a bad block. You may have to remap it manually, but generally it should be done automatically by the apps you use.
Logged

I do NOT give support by email, PM, ICQ or whatever. Anyone annoying me that way will have his balls removed. With a rusty butterknife. Slowly. And I'll enjoy doing it.
mach1ne
Newbie
*
Posts: 3


« Reply #15 on: February 27, 2011, 08:27:43 AM »

No matter what I flash back to nand I get the same problem with 3 red lights after 5 secs of power up. The fan changes pitch and it red lights.
Been told it may be a short on the board somewhere?
Logged