Homebrewer Dilemma... XClamp Removal On Working Vulnerable Console...



#1 openxdkman

    X-S Genius

  • Moderator
  • 823 posts
  • Xbox Version:unk
  • 360 version:unknown

Posted 12 June 2007 - 03:49 PM

This thread is about:
XClamp removal on a working vulnerable 360... and water cooling... and firmware swapping!
(Really a homebrewer topic, but strangely these actions are linked together. Read below!)

My vulnerable Xbox 360, with an added RJ11 serial link plug, is working fine (a summer 2006 model).

But before I decide to spend hours and hours coding a graphics driver, for example, I have to decide what I will do the day the console dies. I have the feeling I will just drop it entirely if that happens, because it would be too painful to go through the whole process of building a homebrew-compatible 360 again...

So... I have the possibility to remove the XClamps now to lower the probability of such a catastrophe...

'Com' brought an idea on page 29 of the famous thread about RBJTech's XClamp removal method 1.
http://forums.xbox-s...howtopic=599217

I am posting today to let you know that a nice new design (method 2) has emerged from that idea; the schematic appears on page 29. It may not be as 'adjustable' as method 1, and thus may not be the right way to attempt to reverse the damage of a previous 'flex', but for a working console, for the purpose of just getting rid of the aberrant brutal forces applied by the XClamps, I have the feeling it's just what we need.
So I post in the development forum, for people with a working console who are thinking about buying some 'insurance', rather than in the hardware forum where people seek a way to 'repair' their console.

Method 1 is quite a specialist affair, since you have to 'drill' and transform the big metal heat sinks. The numerous pieces allow subtle adjustments. Heating is necessary.

Method 2 doesn't require drilling. It needs few pieces. No heating is needed (since the console worked before).

Thanks to RBJTech & Com for the new method tutorial that is coming...

Edited by openxdkman, 12 August 2007 - 03:36 PM.


#2 openxdkman

Posted 29 June 2007 - 07:20 AM

Finally, I realized it's the noise that is ruining my homebrew experience with the Xbox 360...
So, I saved some money (200 euros) and I've purchased the "Reserator 1 Version 2".
It's a silent water cooling tower. I will go slow because I'm a newbie with this technology, but I will report my success or failure with my XClamp, and thus heat sink, removal.
If that works, later I will invest in the mod that allows flashing either the vulnerable or the latest firmware (in order to be able to both code homebrew and play Blue Dragon...).

Edited by openxdkman, 12 August 2007 - 03:37 PM.


#3 openxdkman

Posted 03 July 2007 - 08:08 AM

I've received the "beast" (6.5 kg). I've created a thread in the proper forum (hardware mod):

http://forums.xbox-s...howtopic=610938

I've put a link to the manufacturer's site so you can see photographs.
I will post there about my progress with the water cooling mod, and will come back here if I ever reach the "firmware reflashing" phase...


#4 openxdkman

Posted 22 July 2007 - 03:02 PM

My water cooling adventure ended this morning with... a success!!! (See link above for details)

I've received the Infectus modchip and ordered some Kynar wire. When I receive it I will attempt the firmware swapping (with the resistor in place, untouched). I.e., dump with Linux, dump with Infectus, compare the dumps (to see if bad sectors are encoded, and how), reflash with the dump, upgrade to the latest firmware version (and gladly blow efuse(s)), create a modified version of the first dump that accepts the blown efuse(s), re-encrypt it, reflash it. Then swap at will when I want to code homebrew or play the latest retail games (possibly with 16 MB xD-Picture memory cards).

Edited by openxdkman, 05 August 2007 - 08:13 AM.


#5 openxdkman

Posted 12 August 2007 - 03:22 PM

It's time to play with Infectus... (firmware version swapping)

There are two important things to know about the Infectus modchip:
- Wires must be short. 15 cm is the maximum. This affects writing more than reading.
- Spot V is absolutely required for the latest Infectus software version.
(Spot V is on the side of a capacitor; extreme caution is needed so you don't unsolder it.)

I will take advantage of the fact that my 360 is now water-cooled:
there is room inside for the Infectus!
Indeed, the plastic shroud is no longer needed (and doesn't fit because of the tubes).
So the area above the "Ana" chipset is quite free now.
If the Infectus is located there, that should allow the wires not to exceed 10 cm.
(The wires will cross the motherboard through the four holes of the south bridge chipset.)

So here are the properties of this Infectus installation:
- Infectus inside the case
- Wire length: 10 cm max
- Unpluggable/reusable Infectus (DB25 male + DB25 female plugs)
- Thin USB 2.0 PSP cable going out through the hard disk plug hole

The photograph below shows (sorry, it's blurry; my camera -or me- is silly):
- Infectus mini board (put on top of the X-Matic for this photograph)
- Standard thin official USB 2.0 PSP cable connected to the Infectus
- Near the Infectus, a DB25 male (white) plugged into a DB25 female plug (black)
- Black electrical tape covering half the "Ana" chipset and a nearby transistor
- The serial device wires (orange; J2B1 now covered with electrical tape)
- The X-Matic water block (under the DB25s and the Infectus mini board)
- The tubes, disconnected from the water cooling tank, but full of water
- The Zalman flow indicator, in the top left corner (part of the tube circuit)
- "XCM High Speed Air Cooler" (blue fans, temperature probes under the X-Matic)

[photograph]

My plastic prototype clamps worked nicely. The water block didn't move at all when I reopened my 360. So everything goes as intended so far...

As usual I want to avoid drilling thick metal... So I've noticed that the drive opening at the front of the console has a tiny open slot at the bottom left corner. A thin USB 2.0 cable like the one sold officially as the "Official PSP USB 2.0 cable" can fit in it. That way the cable stays connected inside, leaves the thick metal case through the drive opening, and you can then have it reach the hard disk plug opening on the left side by running it between the metal and the plastic case. It's thin, so it can get squeezed against the hard disk female plug and go out.

The black DB25 female plug has vertical pins (pointing upward).
The white DB25 male plug has horizontal pins.

With double-sided tape, I will stick the white DB25 male plug on top of the "Ana" chipset (left side). Black electrical tape below it will prevent short circuits. Wires will run from it and cross the motherboard through one or more of the four holes located at each corner of the south bridge chipset (there is "XSB" written on it, under the XBOX 360 logo). I will stick the Infectus board on top of the black female DB25 plug.

The whole thing will stay in place but will be flexible enough to allow the drive to come on top of it. The drive will push the USB 2.0 connector downward and the Infectus won't be horizontal (the right side will gently go down).
The distance between the interesting side of the Infectus (the one used for 360 firmware flashing) and the vertical pins of the black female DB25 plug will be very small. So small that you just have to bend a vertical pin and solder it to the Infectus mini-board.

Soldering all the wires will take time. Once it's done I will report success or failure as usual, with more -blurry- photographs!

Edited by openxdkman, 28 March 2009 - 09:47 PM.


#6 openxdkman

Posted 12 August 2007 - 10:42 PM

Most boring and critical part done...
(Soldering the wires, having them cross the motherboard through the south bridge holes, putting labels on them...)

[photograph]

Edited by openxdkman, 28 March 2009 - 09:47 PM.


#7 openxdkman

Posted 13 August 2007 - 04:26 PM

Let's put back our beloved decorative screw cap bases (MkII) over the 8 black screws...
Motherboard back in place in the metal bottom case... Let's put back the other screws, face button, etc...

Now that we are on the other face of the motherboard we have all the wires with labels on them.
Time to solder them to the DB25 male white connector:

CODE

.N P Q T V 7 6 5 3 2 1 0. (12 pins)
M O     U       4     + - (13 pins)

So a maximum of wires match the first row of vertical pins of the black DB25 female connector, the row closest to the Infectus mini-board (just bend them and solder them to the spot). Only 6 wires have to "extend" from the second pin row with a bit of metal wire. You can see the soldered bent pins in the upper right corner of the photograph (Infectus mini-board stuck on top of the black female DB25 connector with double-sided tape).

(See photograph below)

[photograph]

Now we plug the DB25 male into the female. We put some electrical tape above the Infectus mini-board (since the drive will come on top and push it downward). Let's fix the white male connector with double-sided tape (two layers, so it gets some flexibility) on top of the "Ana" chipset (covered with electrical tape), so the whole thing can bend under the drive but not just run wildly anywhere inside the console case...

We also connect the thin PSP USB 2.0 cable (may not be official after all; the brand name is BigBen Interactive) to the Infectus mini-board and take it all the way to the little slot of the drive opening (so we can easily reach the hard disk plug hole by running it between the metal case and the plastic case).

(See photograph below)
[photograph]


Put the drive back on top of all this mess and power up!

Notes (skip them, it's just my few bad attempts to power up):
- I got a "3RoD" when I tried without the Infectus plugged in. But I had "4" severed, so it may have interfered with the firmware reading at boot time. I re-soldered "4" (D4) and plugged in the Infectus, and the console could reboot correctly.
- I had the Infectus Programmer software unable to recognize the NAND. After a check, it was "M" that was severed. After I resoldered it, all went OK, finally... NAND recognized as Hynix-something.


How to dump firmware:

From the Infectus site you retrieve the PC driver for the device and the Programmer software (v0.0.3.4d).
When you connect the USB 2.0 cable to your PC, you are asked for the driver twice. Select the files you downloaded and soon you have a new peripheral: Infectus Device.

When you start the software, you are warned that you will have to update the Infectus mini board firmware and that you mustn't turn off the power while such a firmware update is in progress.

But the Infectus firmware update doesn't start at all. You first have to select what you want.
Tools->Wizard helps you, but you can just select "Actel firmware" in the menu, then the NAND programmer, and start the update.
That will (I guess) put the firmware named "Loader 0.24" and the "Nand programmer" program in the Infectus mini board.

As said earlier, if you didn't wire the V spot, you are probably stuck at this point.
Programmer v0.0.3.4d seems to require the V wire if you are to write to your NAND (according to posts seen in the Infectus tech support forum), whereas previous versions could do it without.

Once everything is OK, you should read the name of your 360 firmware NAND chip at the bottom of the screen, and the command "Read" is now available in the "Flash Command" menu.

Dump your firmware (32768 sectors of 512+16 bytes each).
Note that the dump you get (even if you have bad sectors, revealed by statuses 0x0350 & 0x0310) is identical to the one you get with tmbinc's recent software dumper (tmbincdump.c with "writereg(COMMAND, 3);", which dumps whatever the sector status is but reports bad ones with 0x0350 & 0x0310, instead of "writereg(COMMAND, 2);", which dumps only if not a bad sector and reports the unused/blank status 0x0380):
http://www.xboxhacke...p?topic=7290.20

I haven't tried to reflash my firmware yet.
I hope it will work (thanks to wires not exceeding 10 cm).
I will wait a bit before trying it... That was too much emotion for a "week-end"...


About removing the R6T3 resistor:

Pro: You can dump, upgrade, and reflash to go back to the previous firmware... Because new firmwares don't brick the 360 if the efuses they are supposed to blow are still unharmed.

Con: What prevents M$ from releasing new firmwares that brick the 360 if the efuses are unharmed? Nothing. (And be prepared to find them, eventually, on the retail discs of Halo 3 and Blue Dragon...)

But not touching the resistor means you must know how to edit your old firmware image so it accepts newly blown efuses... That's a complete adventure!

Edited by openxdkman, 28 March 2009 - 09:49 PM.
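The "dump with Linux, dump with Infectus, compare the dumps" step from posts #4 and #7 above, written out as an added example. This is not code from the thread, from openxdkman, or from the Infectus or tmbinc tooling; it assumes only the geometry the post states (32768 sectors of 512 data bytes plus 16 spare bytes, in that order, as both dumpers write them) and works on constructed sample dumps. The all-0xFF "erased page" check is general NAND behaviour, not one of the status codes the post quotes.

```python
"""Page-level comparison of two Xbox 360 NAND dumps (added example, constructed data)."""
from __future__ import annotations

import hashlib
from typing import Iterator

# Geometry as stated in the post: 32768 sectors of 512 data bytes + 16 spare bytes.
PAGE_DATA = 512
PAGE_SPARE = 16
PAGE_SIZE = PAGE_DATA + PAGE_SPARE       # 528 bytes per page as dumped
PAGE_COUNT = 32768
DUMP_SIZE = PAGE_SIZE * PAGE_COUNT       # 17,301,504 bytes for a full dump


def expected_size(pages: int = PAGE_COUNT) -> int:
    """Size in bytes a dump of `pages` pages must have in 512+16 form."""
    return pages * PAGE_SIZE


def page_count(dump: bytes) -> int:
    """Whole pages in a dump; a size that is not a multiple of 528 means a truncated or spare-less image."""
    if len(dump) % PAGE_SIZE:
        raise ValueError(f"{len(dump)} bytes is not a multiple of {PAGE_SIZE}; not a 512+16 dump")
    return len(dump) // PAGE_SIZE


def iter_pages(dump: bytes) -> Iterator[tuple[int, bytes, bytes]]:
    """Yield (index, data, spare) for every page."""
    for i in range(page_count(dump)):
        off = i * PAGE_SIZE
        yield i, dump[off:off + PAGE_DATA], dump[off + PAGE_DATA:off + PAGE_SIZE]


def compare_dumps(a: bytes, b: bytes) -> list[tuple[int, str]]:
    """Page-by-page diff of two dumps of the same NAND.

    Returns (page index, "data" | "spare" | "both") for every page that differs,
    so a mismatch between e.g. a Linux dump and an Infectus dump can be located
    exactly and attributed to the data area or to the spare bytes.
    """
    if len(a) != len(b):
        raise ValueError("dumps differ in size; compare dumps of the same geometry only")
    diffs: list[tuple[int, str]] = []
    for (i, data_a, spare_a), (_, data_b, spare_b) in zip(iter_pages(a), iter_pages(b)):
        d = data_a != data_b
        s = spare_a != spare_b
        if d or s:
            diffs.append((i, "both" if d and s else "data" if d else "spare"))
    return diffs


def erased_pages(dump: bytes) -> list[int]:
    """Pages whose data area is all 0xFF (erased NAND state; general NAND behaviour, assumed here)."""
    blank = b"\xff" * PAGE_DATA
    return [i for i, data, _ in iter_pages(dump) if data == blank]


def strip_spare(dump: bytes) -> bytes:
    """Drop the 16 spare bytes of every page, leaving the raw 512-byte data stream."""
    return b"".join(data for _, data, _ in iter_pages(dump))


def sha1_hex(dump: bytes) -> str:
    """Digest to record alongside a dump before reflashing anything."""
    return hashlib.sha1(dump).hexdigest()


# --- constructed sample dumps (8 pages; not real console contents) ---
def make_sample(pages: int = 8, erased: tuple[int, ...] = (6, 7)) -> bytes:
    out = bytearray()
    for i in range(pages):
        data = b"\xff" * PAGE_DATA if i in erased else bytes([i]) * PAGE_DATA
        out += data + b"\xaa" * PAGE_SPARE
    return bytes(out)


SAMPLE_A = make_sample()
_b = bytearray(SAMPLE_A)
_b[2 * PAGE_SIZE + 10] ^= 0xFF                 # page 2: one data byte differs
_b[4 * PAGE_SIZE + PAGE_DATA + 3] ^= 0x01      # page 4: one spare byte differs
_b[5 * PAGE_SIZE] ^= 0x01                      # page 5: data...
_b[5 * PAGE_SIZE + PAGE_DATA] ^= 0x01          # ...and spare differ
SAMPLE_B = bytes(_b)

if __name__ == "__main__":
    print("a full dump must be", DUMP_SIZE, "bytes")
    print("differing pages:", compare_dumps(SAMPLE_A, SAMPLE_B))
    print("erased pages in A:", erased_pages(SAMPLE_A))
    print("sha1 of A:", sha1_hex(SAMPLE_A))
```

On a real pair of dumps, read both files with `open(path, "rb").read()` and pass them to `compare_dumps`; an empty list is the "both dumpers agree" result the post is after, and a non-empty one tells you whether the disagreement is in the page data (a genuine read difference) or only in the spare bytes (where per-page metadata lives), before any of it is written back with Infectus.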


#8 openxdkman

Posted 28 August 2007 - 06:11 AM

About removing or not removing the R6T3 resistor...

Some brainstorming is needed...

Current situation:

- R6T3 removal brings an immediate benefit: the ability to swap between all dumped firmwares

Coming situation:

- A future kernel might require blown efuses in order to boot (bad for R6T3 removers).
- Some nasty blown efuses will prevent booting older firmwares (bad for non-removers).
(Lack of knowledge about how to edit previous firmwares -in 2BL- in order to prevent this)

How to detect the incoming situation:

Since R6T3 removal pleases a lot of people right now, I can assume a few R6T3 removers will upgrade their 360 with the incoming new firmwares. I guess a few of them have an Infectus installed, and nothing bad will happen to them, except the joy of a bricked 360 (they will unbrick it easily with the Infectus), the day a new firmware is not happy to see all the efuses that should theoretically already be blown, not blown. So, when that day comes, we will hear about it for sure. Let's say that nasty firmware has the number N+1 attached to it.

1888 => N => N+1 => infinite

Once N+1 is detected, that will mean (we assume you keep good firmware dumps for safety!):

R6T3 removers will be able to swap between firmwares from 1888 to N safely.
If they go past N, the 360 gets bricked, but going backward is easy with the Infectus (or other flashing devices).

Anyway, in that case: the only firmwares you can play with are 1888 up to N. Not beyond N.
(Unless you upgrade to N+1, dump, and know how to edit the N+1 fw? Smart! See below)


What about R6T3 non-removers?

From that point I don't claim I fully understand all the issues; it's pretty complex...

For sure, not having to remove the resistor is interesting if you don't have high-precision skills (a very small thing to solder/unsolder, definitely not a beginner's task) and if you wish to remain as stealthy as possible...

There are 2 cases:

a) You are a genius
b) You aren't

a) You are a genius
Alone or with help obtained from the xbh site, you are able to edit previous firmware dumps and have them work with newly blown efuses...
I may be wrong, but it seems that a first row of efuses (referred to as the "lockdown counter", verified at boot time) can be modified at will with robinsod's program "flash dump tool". So currently, you may manage to keep the resistor in place and swap firmwares (you have to keep in mind which new efuses you blow, and thus which older firmware dumps need to be edited)...
When N+1 gets detected, it's possible that a second row of efuses gets attacked by the new firmware. That row seems to be verified by 2BL. The problem with stuff verified by signed code is that the signing key is unknown and it's hard to recreate replacement code. The remaining possibility is to write a complete custom firmware... But that specific task can take a long time to accomplish and will be the beginning of the quite usual insane fw race...

Anyway, in that case: you are a genius and you kept the resistor, you can swap between all firmware versions (and you are completely stealthy while playing with the latest firmware).

b) You aren't
In that case I suggest you keep a vulnerable 360 with fw 4532 and play on another untouched 360.

There might be errors in my statements; feel free to correct me.

Edited by openxdkman, 03 September 2007 - 07:40 AM.


#9 Sonic-NKT

    X-S Senior Member

  • Members
  • 241 posts

Posted 29 August 2007 - 07:19 PM

Nice work! I would love to mod my 4532 360 the same way, but I don't have much money at the moment :)

When you start writing a graphics driver for homebrew... do you mean Linux or homebrew in general?

#10 openxdkman

Posted 30 August 2007 - 06:10 AM

A low-level graphics driver (like pbKit), thus homebrew in general. But no ETA at all.
(Then any volunteer can add upper layers on top of it, for easy Linux usage)

But for now, I'm addicted to Blue Dragon...

[photograph]

You can't imagine how relaxing it is to play Blue Dragon for hours and hours with a temperature display that shows the CPU and GPU under 50 degrees Celsius all the time, even in a hot summer... It's... refreshing! No more stress! (XClamps gone, no more insane pressure under the processors)

Luckily, it made me upgrade only to the spring update (the 5759 upgrade is on each of the 3 DVDs of the game). I'm talking about the Blue Dragon currently on the shelves (if it gets re-edited, it might upgrade to a different firmware version). Mine is the English/French/Italian version purchased on August 28th 2007.

Since I've dumped the CPU key, 1bl.bin and fw_4532_for_infectus.bin (both the Infectus and the software dump -Command 3- are the same), I think I won't have any problem reflashing 4532 (after I edit the firmware image with robinsod's flash dump tool to put in a correct "Lock Down Value" that matches the number of efuses currently blown in my 360 -2-). I will write a tutorial about that later.
(Note: the software dump -Command 3- didn't reveal any bad sector in my NAND)

I mean 5759<N+1 (the ultimate barrier that blows an efuse from the 2nd row. I fear for Halo 3.)

EDIT: Confirmed! 5759<N+1! I could downgrade from 5759 to 4532 with the resistor in place!

EDIT:
ivc posted on xbh a complete set of downgrade tests!
http://www.xboxhacke...?topic=7691.120
You can downgrade from 5766 with the resistor in place!
Thanks ivc for your courageous testing!

Conclusion:
5766<N+1! (Still plenty of hope for Halo 3!)

EDIT:
Even after the NXE releases, you can switch firmwares at will. Just put the new current LDV back into the old firmware image with robinsod's '360 Flash Tool' v0.81, for example.
However, I suggest using a brand new 256MB memory card dedicated to NXE.
More than half the memory card will be consumed by the NXE firmware and is thus paired with it.
When you switch to older firmwares, use older memory cards with them, etc...
If you switch among different NXE versions, keep the associated memory card with each, etc...
(you don't know how NXE may react if the paired system files on the memory card do not match...)

Edited by openxdkman, 28 March 2009 - 09:55 PM.


#11 DrPepperFan15

    X-S Senior Member

  • Members
  • 161 posts
  • Xbox Version:v1.0
  • 360 version:v1 (xenon)

Posted 31 August 2007 - 08:49 AM

I hope this graphics driver you're talking about will give an opportunity for the 360 to get fully opened up and modded with a homebrew dashboard or something.



