How To Flash Slim 9504,0225,0272,0401 Update 13599 - No 360lizard Or U


13 replies to this topic

#1 DazEB
X-S Enthusiast, Members, 5 posts

Posted 13 August 2011 - 02:42 AM

This tutorial was created for the WINBOND chip. For MXIC you can follow the Russian hack. All images were created by me and all the text was written by me unless specified.

Flash 0225,0272,0401 Xbox360 Slim AFTER update 13599 WINBOND GEREMIA iXtreme LT+1.91 using ONBOARD SATA no 360Lizard or 360USB.

PDF Version Download: http://www.megaupload.com/?d=CUZ1E3Y7

THIS MOD IS NOT NOOB FRIENDLY, IT'S NICKNAMED THE KAMIKAZE HACK FOR A REASON. DO NOT COME CRYING TO ME WHEN YOU HAVE DRILLED TOO DEEP OR YOUR DRIVE IS DEAD.

If you do not already have the key from your Xbox360 Slim and you mess this up you could be left with a brick for a long time or until someone figures out how to unbrick a slim drive.

Things you will need:

Compatible sata chipset or Lizard360 or 360USBPRO.
Motherboard Bios set to Legacy/compatible mode.
External power source for slim drive.
100ohm resistor connected to 3.3v

Software

unlockSPI: http://www.multiupload.com/GT0SVZPA3M
DosFlash: http://www.multiupload.com/P696UUDFUA
Jungleflasher 1.86 beta (267), INCLUDES SLIM FIRMWARE FILES: http://www.multiupload.com/93GG23Z55E
Windows XP, Vista, 7.

Compatible Onboard Chipsets
  • AMD SB6XX
  • AMD SB7XX
  • INTEL ICH9R
  • INTEL ICH8
  • INTEL ICH9
  • INTEL ICH10
  • VIA 6421a MUST have ide to sata converter or use PMT probe to set vendor mode
  • 360Lizard
  • 360USBPRO

NOT Compatible
  • INTEL ICH7
  • Nvidia nForce

STEPS TO PERFORM THE HACK
  1. Cleaning resin from the chip
  2. Marking up the chip
  3. Get drive into Vendor Mode
  4. Drilling the chip and unlocking using unlockSPI
  5. Read original firmware (optional depending if you have previously read the FW from your drive)
  6. Create custom firmware
  7. Write custom firmware
  8. Re-Locking the drive

CLEANING THE RESIN FROM THE CHIP

This is not always required but it does allow more accuracy when marking the lines on the chip.

To clean the resin from the chip it must be heated so it becomes brittle. You can use a hairdryer and a scalpel or similar. Heat the resin for around 30 seconds, try not to overheat the resin. You will know when the resin is hot enough as it will become brittle and easy to remove.

MARKING UP THE CHIP

When doing this hack you should always mark up the chip as shown and DO NOT go by the logo printed on the chip, as they are not all the same.

[image]

Once you have marked up the chip you are able to move on to vendor mode.


VENDOR MODE

There are a couple of different ways to achieve this. The main thing to remember is that you MUST reboot your PC after every failed or successful vendor mode attempt! Failure to do this will result in Status 0x51.

Method 1
1. Turn off PC
2. Turn off DVD Drive
3. Reboot
4. Press F8 at boot of Windows to disable driver signature enforcement for Windows 7 (if required)
5. Open DosFlash32
6. DosFlash will send the commands to the drive and enter vendor mode - proceed to unlockSPI, leave DosFlash OPEN
7. If DosFlash asks to resend vendor intro then it has failed. You must reboot and try again.

If you see this image without DosFlash asking you to power cycle, then your drive is in vendor mode.
[image]

Method 2
1. Turn off PC
2. Turn off DVD Drive
3. Reboot
4. Press F8 at boot of Windows to disable driver signature enforcement for Windows 7 (if required)
5. Open Jungleflasher
6. Select MTKFlash tab
7. Click Intro
8. Jungleflasher will send commands to the drive and enter vendor mode - proceed to unlockSPI, leave Jungleflasher OPEN

Method 3

Vendor Mode using PMT probe - should work with most chipsets but requires soldering.

1. Run JF
2. Power on drive
3. Press Intro Device ID
4. Put the PMT on MPX01
5. MTK Vendor -> Yes
6. Power off then on
7. done!! Vendor Mode

Once Vendor Mode is achieved by either method you then move onto unlockSPI.exe below.

DRILLING THE CHIP AND UNLOCKING USING UNLOCKSPI.EXE

There are various different ways of drilling the chip and I have not done them all, but here are two videos showing both the soldering iron method and the Dremel method.
DREMEL


Soldering Iron
Don't use the 100ohm resistor when doing this method. Doing so may cause damage.


After you have decided which method to use to drill, proceed to unlockSPI.

First open a command window in the folder where unlockSPI is located by holding SHIFT and right-clicking, then select "Open command window here".

[image]

Now you should be presented with the cmd window.
Type unlockSPI XXXX - where XXXX is your port number and can be found in dosflash.
Press ENTER
[image]

You should now see this:

[image]

Press y and hit ENTER.

unlockSPI will do a sound test, make sure your speakers are up loud enough.

You will be presented with the screen below. This is where you would start to drill the chip. There are a few ways to drill the hole, either with an xacto knife, Dremel, large pin or soldering iron; all have been reported to work. The key is patience. Go very slow. As soon as you hear the siren sound, STOP.

[image]

You should be presented with a window that looks like this. Congratulations you have unlocked your slim drive.
[image]

Your drive will now stay UNLOCKED even if you power cycle the drive or your PC. After flashing you can relock it using various methods, or by running the unlockSPI command again: it will tell you that the drive is UNLOCKED and ask whether you wish to LOCK it. Press Y and hit ENTER. Your drive is now LOCKED.

You can UNLOCK the drive again by touching the hole with a 100ohm resistor connected to 3.3v, using an electric lighter or by using isopropyl alcohol.

READING YOUR FIRMWARE (optional)

After you have unlocked your drive you can proceed to read the firmware from the drive. You may need to reboot your PC to re-enable vendor mode. Then open Jungleflasher or DosFlash to read your FW.

CREATING CUSTOM FIRMWARE

Open Jungleflasher
Select your original firmware dump as source firmware.
iXtreme will auto load the correct firmware for you and spoof to target.

IF YOU HAVE A SLIM DRIVE WHICH HAS 9504 ON THE COVER BUT WAS ACTUALLY 0225 THEN YOU MUST SELECT NO TO AUTOLOAD AND USE FIRMWARE LTPlus-0225-v1.91u.bin

FLASHING CUSTOM FIRMWARE AND LOCKING THE DRIVE

To flash the drive simply enter vendor mode again. You may be required to reboot your PC again. This time use Jungleflasher for vendor mode.
Select your custom firmware as target, go to MTKFlash32 tab and hit WRITE.

You should get something like this:
CODE
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
JungleFlasher 0.1.86 Beta (267)
Session Started Fri Aug 12 00:23:22 2011

This is a Wow 64 process running on 2 x 64 bit CPUs
portio64.sys Driver Installed
portio64.sys Driver Started, thanks Schtrom !
Found 6 I/O Ports.
Found 2 Com Ports.
Found 6 windows drives C: D: E: F: G: H:
Found 0 CD/DVD drives

Drive is Slim Lite-On..

Key found in KeyDB at record (1 - SLIM CROW)
Key is: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key has been tested and verified, thanks C4eva !
Loading firmware file C:\Users\Home\Desktop\JungleFlasher v0.1.86 Beta (267)\SLIM CROW\Dummy.bin
MD5 hash:  945bbd9e9365fde57fc7bd200e3108bc
Inquiry string found
Identify string found
Drive key @ 0xA030 xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Firmware Osig: [PLDS    DG-16D4S        0225]
Firmware is:  SlimKey Extract                
Auto-Loading firmware file C:\Users\Home\Desktop\JungleFlasher v0.1.86 Beta (267)\firmware\LTPlus-0225-v1.91.bin
MD5 hash:  5a14a34b933602a94f8375f9ce88f803
Genuine LT plus v1.91
Drive key @ n/a xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Firmware Osig: [PLDS    DG-16D4S        0225]
Firmware is:  LT-Plus 1.91                    
Spoofing Target
DVD Key copied to target
Key Sector copied from Source to Target
Target is LT - ID strings not copied to Target

Sending Vendor Intro to port 0x0170

Serial flash found with Status 0x72

Sending Device ID request to port 0x0170
Spi Status: 0x00
Manufacturer ID: 0xEF
Device ID: 0x11
Flash Name:  Winbond/NEX(W25P20/NX25P20)
Flash Size:  262144 bytes

Getting Status from port 0x0170
SPi flash found with Status 0x72

Sending Chip Erase to Port 0x0170
Erasing:
Writing target buffer to flash
Writing Bank 0: ................
Writing Bank 1: ................
Writing Bank 2: ................
Writing Bank 3: ................
............
Flash Verification Test !
Reading Bank 0: ................
Reading Bank 1: ................
Reading Bank 2: ................
Reading Bank 3: ................
Dumped in 1814mS

Write verified OK !

Restoring sector 0x3E000.

Sending Sector Erase to Port 0x0170
Erasing: 0x3E000
Writing: 0x3E000
............
Authorised !
................
Restore verified OK !
Drive is Slim Lite-On..

Key found in KeyDB at record (1 - SLIM CROW)
Key is: xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Key has been tested and verified, thanks C4eva !
LOCKING THE DRIVE

To lock the drive just re-enter vendor mode, open unlockSPI and send the command "unlockSPI XXXX", where XXXX is your port number.

unlockSPI will report the drive as being unlocked and will ask you do you wish to lock the drive.

Press Y and hit ENTER

Your drive is now locked and finished. You can put everything back together and test.

Credits to Geremia, Maximus, and all those who made this hack possible.

Edited by DazEB, 13 August 2011 - 03:15 AM.


#2 alanewake
X-S Member, Members, 61 posts

Posted 13 August 2011 - 03:03 AM

Thanks a lot man, very good tuto.

#3 BigSteel
X-S Hacker, Members, 2,103 posts
Location: Calgary, Canada
Xbox Version: unk

Posted 13 August 2011 - 04:42 AM

So I finally decided that tonight is the night I try this and I thought hmmm....need to find a good video tutorial and BAM here it is. Followed the tutorial to the tee and it worked perfectly. A lot easier than I thought. I used a soldering iron, x360USB and I removed the epoxy with a heat gun and xacto knife.

#4 xiaoyan848
X-S Enthusiast, Members, 6 posts

Posted 13 August 2011 - 10:07 AM

great post! thank you for sharing....

Edited by BoNg420, 15 August 2011 - 04:07 PM.


#5 DazEB
X-S Enthusiast, Members, 5 posts

Posted 13 August 2011 - 01:38 PM

No problem guys, hope it helps.

#6 FoneFreak
X-S Young Member, Members, 44 posts

Posted 15 August 2011 - 03:57 PM

Brilliant guide, just a quick question. Can you use a Dremel without the 3.3v resistor? Will unlockSPI still show correctly, or does it need the 3.3v 100ohm resistor to know when the hole is right? Also some other posts have different pinouts for the chip, i.e. 4 up etc. (yours says 3 up). Pls help.

Edited by FoneFreak, 15 August 2011 - 04:04 PM.


#7 DazEB
X-S Enthusiast, Members, 5 posts

Posted 15 August 2011 - 11:59 PM

QUOTE(FoneFreak @ Aug 15 2011, 03:57 PM)

Brilliant guide, just a quick question. Can you use a Dremel without the 3.3v resistor? Will unlockSPI still show correctly, or does it need the 3.3v 100ohm resistor to know when the hole is right? Also some other posts have different pinouts for the chip, i.e. 4 up etc. (yours says 3 up). Pls help.


I have heard about people using the Dremel without the 100ohm resistor connected to 3.3v, but it was unsuccessful for me. As soon as I attached the resistor and wire to the Dremel and started drilling, unlockSPI gave me the siren sound, whereas before it would just instantly go to status 51.

The actual point is in between 3 and 4, but the space is so tiny it's hardly noticeable; anywhere in between 3 and 4 should be perfect.

#8 FoneFreak
X-S Young Member, Members, 44 posts

Posted 17 August 2011 - 04:25 PM

QUOTE(DazEB @ Aug 15 2011, 11:59 PM)

I have heard about people using the Dremel without the 100ohm resistor connected to 3.3v, but it was unsuccessful for me. As soon as I attached the resistor and wire to the Dremel and started drilling, unlockSPI gave me the siren sound, whereas before it would just instantly go to status 51.

The actual point is in between 3 and 4, but the space is so tiny it's hardly noticeable; anywhere in between 3 and 4 should be perfect.

Thanks very much friend.

BTW is there a similar guide for 9504 1.9 LT flashed (not locked)? I want to flash BACK to OFW (stock); there is so much conflicting information and no neat, straightforward guide like this!

Appreciate any help or links.

Thanks

#9 DazEB
X-S Enthusiast, Members, 5 posts

Posted 17 August 2011 - 08:21 PM

QUOTE(FoneFreak @ Aug 17 2011, 04:25 PM)

Thanks very much friend.

BTW is there a similar guide for 9504 1.9 LT flashed (not locked)? I want to flash BACK to OFW (stock); there is so much conflicting information and no neat, straightforward guide like this!

Appreciate any help or links.

Thanks


Just use the Jungleflasher guide for unlocked 9504. www.jungleflasher.net

#10 ArKineX
X-S Member, Members, 67 posts
Xbox Version: v1.6
360 version: v5.0 (360S - trinity)

Posted 26 August 2011 - 09:02 PM

Excellent Tutorial!

#11 360newb617
X-S Member, Members, 70 posts

Posted 29 August 2011 - 09:35 PM

I read somewhere in the JF tutorial that you could use eSATA, but it does not elaborate, so can I use the eSATA port on my laptop with this? If so, then what would I have to do?

#12 dragon45801
X-S Member, Members, 84 posts
Xbox Version: unk
360 version: unknown

Posted 30 August 2011 - 06:42 AM

Thanks for the tut man, greatly appreciated. A few questions:

Why is the resistor not needed with a soldering iron?

I am also curious as to what exactly the purpose of drilling the chip is, and how to tell if you have Winbond or Macronix? Thanks again.

#13 alanewake
X-S Member, Members, 61 posts

Posted 30 August 2011 - 11:13 AM

QUOTE(360newb617 @ Aug 29 2011, 09:35 PM)

I read somewhere in the JF tutorial that you could use eSATA, but it does not elaborate, so can I use the eSATA port on my laptop with this? If so, then what would I have to do?


Most likely it won't work, but you can try.

#14 360newb617
X-S Member, Members, 70 posts

Posted 31 August 2011 - 07:17 AM

Anyone know of where to find a good tutorial or any info on using JF with eSATA in general?
I don't even know what eSATA is really; I mean I can't plug a regular SATA cable into it, do I need an adaptor or just an eSATA to SATA cable?
I don't know why it says it's possible to use it in the JF tutorial PDF but then it says nothing else about it.
I have no clue what eSATA even is or is supposed to be for; it seems like a useless POS to me. What even uses it? Or what can it be used for/with? Is there an IEEE/FireWire to eSATA cable/adaptor? Or a USB 3.0 to eSATA cable/adaptor? I take it I would need some sort of eSATA to regular SATA cable to use it, or an adaptor, right?
I think the one on my laptop doubles as a USB port, but only 2.0 not 3.0, but I'm not really even sure. Seems useless to me, never seen anything that can even connect to it.
