Zephyr RGH - 5 Resets and then Error 0022

[tankertux]

I'm attempting to glitch my Zephyr console, but I get rr 0022 when I try to boot.  I've added an LED to the Debug pin and I see the CPLD send the reset signal 5 times before the console red rings, at which point the CPLD debug goes quiet.  I think this means that my CMOD is programmed correctly and that my connections are good. 

Are there any suggestions for next steps in troubleshooting? 

I've read about SMC being a problem for some FATs, but I'm not sure how to go about corrective action with regard to it.

More details:
I have a Zephyr Xbox that I've wired up with a Digilent CMOD.  I've programmed the CPDL using a Bus Pirate and flashed the ecc after verifying that I had 3 identical nand dumps. I've tried both BestPig's Glitch generator and the build.py in RGH 1.1 to generate my ecc.  I have tried reflashing my original nand and verified I am able to boot the original dash still.  I've gone over my wiring several times and am certain that I've got it wired correctly (I had fried one CMOD with bad wiring, but have verified original dash still boots since).

[peshkohacka]

Your SMC is not patched, the patch is needed to stop RROD after more than 5 resets. If nothing works, try patching it manually.

[tankertux]

Thanks for the info!  Like I mentioned, the SMC patch is a bit confusing to me.  How do I get my SMC.bin?  I think I can get one from xbins, but don't know which project to look in.  I've found the SMC Utility 1.2 and I gather that I will need to change the io in my SMC since I have an HDMI console. 

Does this mean I need to do some more soldering? If so, no problem, I just don't want to f*** this up!

[tankertux]

I found that I can extract my SMC using 360 Flash Dump Tool.  Now to patch it!  Will someone please confirm/deny that I will need to do additional soldering for this to work?

[radddogg]

No soldering required.

To get right SMC file for building of zephyr, etc fat xells, do the following:
1. Download http://www.megaupload.com/?d=9O2ZCC9W (thanks go to oliagyok360 for that)
2. Load nand.bin file into 360 Flash Tool v0.97. Can be found here: http://dwl.xbox-scene.com/xbox360pc/nandtools/360_Flash_Tool_v0.97.rar
3. Press Extract, check SMC, select folder and press OK.
4. You will get SMC folder with the file: SMC_dec.bin

Use this file to build xell for fats like that:
c:\Python27>python common\imgbuild\build.py nand.bin SMC_dec.bin common\cdxell\CDjasper common\xell\xell-gggggg.bin

PS: Don't forget to change build.py if you are building for fats too.
You need to change secret_1BL = "" to secret_1BL = "\xDD\x88\xAD\x0C\x9E\xD6\x69\xE7\xB5\x67\x94\xFB\x68\x56\x3E\xFA"

[tankertux]

Thanks very much. Your solution works for me to remove the rr 0022 error.  Now if this Zephyr will quit resetting and glitch already...  

My capacitor is 100 nanofarads, like the diagram in RGH 1.1, but the following post from gligli makes me think I need to swap it for a 220pf cap. http://www.xboxhacker.org/index.php?topic=16949.msg126271#msg126271

Is the 220pf cap only needed for slims?

[Arakon]

Yep, just slims.

[tankertux]

Crap, well that leaves me out of ideas.    The console continues to reboot indefinitely.  I've waited 15 min for it without it glitching, so something is wrong.  I will erase/reflash to stock this evening, verify the console is still good, and reflash this new ECC to make sure that there were no write errors to the NAND.  I may end up wiring leds to the CPU_PLL_BYPASS and POST_OUT to watch the glitch sequence more closely.

Please post with any suggestions and thanks for the help so far!

[Xumpy]

Just as a tip, my zephyr only glitches 1 out of 2 times.

So just try to turn the console off and on again. It worked for me!

[radddogg]

What CPLD board are you using? can you post pictures of your board and the connections you have soldered?

I used the ngzhang coolrunner 2 board and the resistors to remove and bridge were different to those in gligli's diagram.

[tankertux]

I will post pics when I get home, but I'm using a Digilent CMOD board as I mentioned before. I have removed R2 and shorted R3 as in the RGH readme.  I had tried shorting R2 to R1 as in the slim hack before, but no dice.  This couldn't damage the CPLD could it?

@Xumpy I realize that the whole procedure exploits a glitch, which by its very nature is unreliable, so I have tried booting many times before posting again.  Thanks.

[se_guru]

Thanks very much. Your solution works for me to remove the rr 0022 error.  Now if this Zephyr will quit resetting and glitch already...  

My capacitor is 100 nanofarads, like the diagram in RGH 1.1, but the following post from gligli makes me think I need to swap it for a 220pf cap. http://www.xboxhacker.org/index.php?topic=16949.msg126271#msg126271

Is the 220pf cap only needed for slims?

How do you tell exactly what they are doing?

[tankertux]

I would like to update that I have reworked all my connections to be positive they are good.  I have gone up from 30 AWG wire to 24 AWG on all connections and shortened them as much as possible. I have reflashed to stock and back.

 I still cannot get this Zephyr to glitch.  Sorry, I haven't gotten around to photos, but I'm confident in my soldering.  I took some, but I can't get them in focus or well lit. I included my ECC generation log in case anyone spots errors.

 I have yet to wire POST_OUT and CPU_PLL_BYPASS with LEDs.

Code:

C:\Users\Jordan\Documents\My Dropbox\Reset HAck>python common\imgbuild\build.py
nand6.bin SMC_dec.bin common\cdxell\CDjasper common\xell\xell-gggggg.bin
 * found flash image, unpacking...
ECC'ed - will unecc.
Found 2BL (build 4578) at 00008000
Found 4BL (build 8453) at 0000ff20
Found 5BL (build 1888) at 000156a0
 * found decrypted SMC
 * found decrypted CD
 * found XeLL binary, must be linked to 1c000000
 * we found the following parts:
SMC: 1.10
CB_A: 4578
CB_B: missing
CD (image): 8453
CD (decrypted): 8453
 * checking for proper 1BL key... ok
 * decrypting...
 * checking if all files decrypted properly... ok
 * checking required versions... ok
 * this image will be valid *only* for: zephyr
 * patching SMC...
CRC32: 9ad5b7ee
patchset "Zephyr, version 1.10" matches, 1 patch(es)
 * zero-pairing...
 * constructing new image...
 * base size: 6c000
 * No separate recovery Xell available!
 * Flash Layout:
0x00000000..0x000001ff (0x00000200 bytes) Header
0x00000200..0x00000fff (0x00000e00 bytes) Padding
0x00001000..0x00003fff (0x00003000 bytes) SMC
0x00004000..0x00007fff (0x00004000 bytes) Keyvault
0x00008000..0x0000ff1f (0x00007f20 bytes) CB_A 4578
0x0000ff20..0x00015f1f (0x00006000 bytes) CD 8453
0x00015f20..0x000bffff (0x000aa0e0 bytes) Padding
0x000c0000..0x000fffff (0x00040000 bytes) Xell (backup)
0x00100000..0x0013ffff (0x00040000 bytes) Xell (main)
 * Encoding ECC...
------------- Written into output/image_00000000.ecc

How do you tell exactly what they are doing?

I'm sorry, I don't understand your question.