Maximus Stinger

Reset Glitch HACK (RGH) Using the Maximus Nandflasher and Stinger

Credits: This tutorial is based on the excellent Reset Glitch Hack tutorial made by Razkar and Tuxuser

Required Hardware:
Maximus Stinger
Maximus Nandflasher or any other USB SPI programmer to read/write the console's NAND
Xilinx JTAG programming cable (USB or LPT) or a device running NANDpro 3.0a
Soldering material
Patience

Required Software:
Digilent Adept, Xilinx iMPACT or 360CGprog v1.1
Python and Python Crypto (there are also many GUIs available)
NandPro v2.0e or greater (NandPro 3.0a recommended)

Identify your NAND Size:
As a first step we should identify the size of the NAND installed in the XBOX360. The skilled ones can simply read the NAND size directly from the code written on the NAND. The second solution is to go to the memory tab under the settings menu:
If there is no Memory Unit shown there, then you have a 16MB NAND.
If there is a Memory Unit showing 214MB, then you have a 256MB NAND.
If there is a Memory Unit showing 451MB, then you have a 512MB NAND.

How to Dump your NAND

Use the following diagram to solder your NAND programmer (using the Maximus Slim QSB). The wire colors are printed directly on the QSB board.

Alternatively, you can solder the wires directly, using the photo below:

Connect the wires to the Maximus NAND Flasher and insert the USB cable into the Nandflasher.

Dump your NAND twice, for example:
a. Nandpro usb: -r16 nand1.bin
b. Nandpro usb: -r16 nand2.bin

Compare the two dumps with the following command (you can also use MD5 checksums):
fc /b nand1.bin nand2.bin

You should see something like:
FC: No differences found

If you have a 256MB or 512MB NAND, replace the r16 with r256 or r512.
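The dump comparison above, as an added example that is not part of the original tutorial: a Python script that does what fc /b and an MD5 check do, and also reports which blocks differ so a bad read can be located. The 0x4200-byte block size is an assumption for a raw 16 MB dump that includes spare data (pass another block_size otherwise), and the sample files are constructed.

```python
import hashlib
import os
import tempfile

# Assumption: raw 16 MB dump layout, 32 pages of (512 data + 16 spare) bytes per block.
BLOCK_SIZE = 32 * (512 + 16)  # 0x4200 bytes


def md5_of(path, chunk=1 << 20):
    """MD5 of a file, read in chunks so a large dump need not fit in memory."""
    digest = hashlib.md5()
    with open(path, "rb") as fh:
        for piece in iter(lambda: fh.read(chunk), b""):
            digest.update(piece)
    return digest.hexdigest()


def differing_blocks(path_a, path_b, block_size=BLOCK_SIZE):
    """Return the block numbers at which two dumps differ ([] means identical)."""
    size_a, size_b = os.path.getsize(path_a), os.path.getsize(path_b)
    if size_a != size_b:
        raise ValueError(f"size mismatch: {size_a} vs {size_b} bytes")
    if size_a == 0 or size_a % block_size:
        raise ValueError(f"{size_a} bytes is not a whole number of blocks")
    bad = []
    with open(path_a, "rb") as fa, open(path_b, "rb") as fb:
        for block in range(size_a // block_size):
            if fa.read(block_size) != fb.read(block_size):
                bad.append(block)
    return bad


def demo():
    """Constructed sample: 4-block files, the third with one flipped byte in block 2."""
    tmp = tempfile.mkdtemp()
    good = bytearray(bytes(range(256)) * (4 * BLOCK_SIZE // 256))
    flipped = bytearray(good)
    flipped[2 * BLOCK_SIZE + 5] ^= 0xFF
    paths = [os.path.join(tmp, name) for name in ("nand1.bin", "nand2.bin", "nand3.bin")]
    for path, data in zip(paths, (good, good, flipped)):
        with open(path, "wb") as fh:
            fh.write(data)
    same_hash = md5_of(paths[0]) == md5_of(paths[1])
    return same_hash, differing_blocks(paths[0], paths[1]), differing_blocks(paths[0], paths[2])


if __name__ == "__main__":
    same_hash, clean, dirty = demo()
    print("nand1 vs nand2: MD5 match =", same_hash, "differing blocks =", clean)
    print("nand1 vs nand3: differing blocks =", [f"{b:04X}" for b in dirty])
```

A size mismatch or a partial block raises ValueError before any comparison, since that already points to a truncated read.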

Now that you have the dump, let's create the .ecc file needed to run the glitch. We recommend using 360 Multi Builder v0.3 (current at the time of this manual; check for an updated version before proceeding).

360_Multi_Builder_v0.3 on 13/11/2011
What's new/fixed:
- Updated Dashlaunch patches to latest version 2.26 / thanks cOz
- Added the option to build the image without Dashlaunch patches too.
- Added the option to build the Jtag image with SMC = AUD_CLAMP.
- Added full checks of different CB versions to the Xell/ECC script.
- Added RawFlash v3 / "xenon.elf" to "Data" folder with flashing note.
- Fixed the Fans Speed back to auto (it was 70% in previous version).
Official site: www.tortuga-cove.com

Older versions:

360_Multi_Builder_v0.2 on 03/11/2011
- Added Proper Support for Jasper with CB 6751 (where a donor CB 6750 will be used)
- Please note that Jasper with CB 6752 are not Glitchable even if the image was created
- Added Proper Support for Zephyr with CB 4578 (Program now supports both 4578 & 4579)
- Added a notification to the Python Script about the Falcon CB 5772 being not Glitchable

360_Multi_Builder_v0.1 on 31/10/2011
- Updated "Easy ggBuilder" to "360 Multi Builder" with ECC/Jtag/Glitch & Retail image creation.
- Added Auto-Build ECC Glitch image "image_00000000.ecc" when "cpukey.txt" is missing.
- Added startup checks for "nanddump.bin" and "cpukey.txt" files existence.
- Jtag/Freeboot 13604 image creation with built-in Dashlaunch v2.25 patches & Xell-Reloaded.
- Glitch Hack 13604 image creation with built-in Dashlaunch v2.25 patches & Xell-Reloaded.

Credits to ggbuild/fbbuild/freeboot/360FlashTool & Dashlaunch teams and devs.
Credits and big thanks to BestPig for sharing his awesome fcrt_extractor.exe program.

Once you have created image_00000000.ecc, let's write it to the NAND.

Use the following command to flash the image to your console's NAND:

nandpro usb: +w16 image_00000000.ecc
nandpro usb: +w64 image_00000000.ecc (Jasper 256 and 512mb ONLY)

The flashed file has a size of 50 blocks so you should see 004F when done.

/!\ Pay attention that you have to use the +w16 or +w64 switch and not the w16 or w64 one /!\

Setting up the Stinger:


PHAT

SLIM

Program the glitcher (BEFORE YOU SOLDER INTO CONSOLE)


There are a few ways to program the Stinger. The best method is to use a Digilent HS-1 USB JTAG programmer with a minor modification that allows programming with no external power supply, as seen below:

NOTE: ONCE YOU SET THE JUMPER LIKE IN THE PICTURES YOU CAN ONLY PROGRAM IN STANDALONE. THIS MEANS THE USB CABLE IS SUPPLYING POWER TO THE CONNECTED DEVICE FOR PROGRAMMING. IT MEANS NEVER PLUG TO AN ALREADY POWERED DEVICE!

You can also use a Xilinx LPT programming cable (requires external 3.3v and GND).

You can also use a Maximus Nandflasher. The Maximus Stinger includes the adapter cable to program using a simple pin header for USB, but you can modify it like this.

Remove the 2 screws and lift the top off

Cut the end of the wire:

Solder the wires as shown (colors can vary from cable to cable, verify proper names):
Red M1 (3.3v)
Black N3 (Ground)
Yellow A2 (TCK)
Green C1 (TDI)
White B3 (TDO)
Blue C2 (TMS)

Cut a small notch in the side of the Nandflasher and close the lid.

Program the Glitcher using NAND Pro:


===============================================================================
SUPPORTED DEVICE INTERFACES
===============================================================================

USB: LPC2148 and LPC2146 Olimex USB header board. High performance 16MB/2Mins. LibUsb driver.

LPT: Parallel Printer Port, SPP mode. Low performance, 16MB/35mins (CPU dependent). Dlportio printer port driver.

XSVF: Subset device of USB. LPC2148 Olimex USB header board required. NOT for nand programming. This command line device type is for flashing .xsvf files to a Xilinx cpld.

POST: Subset device of USB. LPC2148 or LPC2146 Olimex USB header board required. NOT for Nand programming. This command line device type is for monitoring Post codes only.

The included .hex file supports both Nand SPI flash, Xilinx Programming, and Post Monitor all at the same time. The mode selected ie: Nand Flash/Xsvf/PostMon is determined by the command line. Previous .hex files as well as the "pic" version of hardware will not work.

The Maximus "NANDFlasher" has an array of plated through holes to break out all the extra LPC2146 gpio. This product can be flashed with the new ArmV3.hex file for full compatibility with Nandpro. The wiring coordinates are included here for those who have this device. The included .jpg file shows the connections to flash this device with the Philips utility. An RS232 level shifter is also required for this purpose.

===============================================================================
DRIVER AND HARDWARE INSTALLATION
===============================================================================

USB Install:
Flash the .hex file to the LPC2148 using the "Philips LPC2000 FlashUtility" or equivalent.
Connect LPC2148 or LPC2146 to computer USB.
Point "found new hardware" to the "custom.inf"
Windows reports: "Your new hardware is ready to use"

USB Hardware:
Connect only wires from EXT connectors to MAINBRD where indicated.
Connect only wires from EXT connectors to Xilinx jtag connector where indicated.
No resistors or diodes at all. For sure! Do not add them!

===============================================================================

COMMAND LINE USAGE
===============================================================================

NandPro v3.0a by Tiros
Usage:
To invoke Xilinx xsvf flasher use: NandPro xsvf: Filename.xsvf
To invoke USB post monitor use: NandPro post: PostLogFileName.txt

===============================================================================

.XSVF CPLD CONNECTIONS AND OPERATION
===============================================================================

Follow instructions for USB install. Make the following connections from the LPC2148 to the Xilinx device Jtag connector:

Xilinx CPLD flashing typical command line:
Flash a .xsvf file, created by Impact, to cpld:

Nandpro xsvf: filename.xsvf


The Xilinx Impact tool is used to create .xsvf files. The Xilinx Impact software records/redirects cpld operations into a binary file (.xsvf) that can be processed by Nandpro. IE: Nandpro does not flash .jed files, but .jed files may be directly converted to .xsvf by Impact. See the Xilinx Impact tool for details.

PHAT INSTALLATION:

Slim Installation

If using the QSB, solder pads B, C, D and E directly to the QSB board and you only need to run wires P30 and P40

Suggested Install placement: Slim:

Troubleshooting Tips:

Problem: Console acts like dead after Stinger install
This is commonly caused by a problem on the stdby_clk line. Here is the suggested path to try to fix it:
a) Check that the jumpers on the Stinger are set properly for slim or phat
b) Remove the Stinger and test if the problem persists
c) If the problem persists, try re-soldering both sides of the tiny resistor on the stdby_clk line

Problem: All installed but the Stinger LED goes green barely visible
This is commonly caused by poor ground. Try the following:
If it's a SLIM console:
a) Install an extra ground wire between the Stinger "A" pad and J3C1-Pin6
If it's a phat console:
a) Install an extra ground wire between the Stinger "A" pad and J2B1-Pin12

Problem: On a slim console the LED goes on visibly every 3 seconds but can't make the console boot
Assuming you have generated and flashed the .ecc file properly, the problem could be solved by:
a) Set the jumper J270 to select the 270pf capacitor
b) Change CPU_RESET (pad P40 on the Stinger) to a 32 cm wire
c) Change the STBY_CLK (pad C on the Stinger) to a 10 cm wire