xbox-scene.com - your xbox news information source
How To Dump The Cpu Key With Kk Exploit
faint_u
post Aug 5 2007, 05:55 AM
Post #1


My box is still under 4552 version. But I can't wait anymore to play the new games which need the latest update. It seems that the CPU key is an important piece of data for future cracks. So I decided to dump the CPU key before I update it. Does the linux disc on free60 contain the CPU key dumping utility?
openxdkman
post Aug 5 2007, 06:45 PM
Post #2


Here is a guide:

A guide for newbies trying to get ready for homebrew on Xbox360

Purpose : Obtain CPU key in order to be ready for future 360 homebrew
and more, eventually...

Table of Contents:

I) How to start Gentoo LiveCD Xenon Beta v2
II) How to get the ethernet connection
III) How to get comfortable under 1080i
IV) How to switch to your country keyboard layout
V) How to explore folders
VI) How to surf on internet
VII) How to get CPU key or compile/run remotely from your PC
VIII) Thanks
A) Links

Guide:

I) How to start Gentoo LiveCD Xenon Beta v2

You need:
- Vulnerable Xbox360 (fw 4532 or 4548). It can be a core (no harddisk)
- Retail King Kong (first edition, get one for your region -Pal or NTSC-)
- Flashed Drive fw (allowing you to play a backup of your retail KK)
- (OPTIONAL) serial device cable (RS232 -12V/12V <=> 360 port 0/3.3V)
- Cpas's "serial kk patcher v2" or xorloser's patcher (if no serial)
- A blank Verbatim DVD+R Double Layer 8.5Gb
- A DVD DL burner compatible with 360 backups creation
- Some USB keyboard and mouse

Create the special KK backup disc:
- extract .dvd or .iso file from KK original (see other tutorials)
- patch it with kk patcher (xorloser's one if you don't solder serial plug)
- burn .dvd or .iso file

If you have a serial device (you can use a standard sat decoder flash cable):
- Plug usb keyboard & mouse
- Boot KK. Play start. You will see a boat. Game will freeze. Ok.
- With a terminal (for example, ZOC 5), upload xell_choice (rom.bin).
- When it offers choice (1 or 2), eject, put Gentoo live cd. Press 2.

If no serial device:
- Plug usb keyboard & mouse
- Boot KK. Play start. It should eject disc.
- Insert Gentoo live cd and pray (I haven't tested this method myself).

(OPTIONAL)
This is where the serial device is to be soldered (top left corner of the MB):
CODE

      RX
      |
J2B1  1  3  5  7  9  11 13
      X  X  O  O  O  O  X
      X  X  X  X  X  X
      2  4  6  8  10 12
      |        |     |
      TX     +3.3v  GND

In ZOC 5, configure the speed and type of serial link: 115200 8N1

You will get a full orange ring of lit LEDs when Gentoo is started.
Don't worry that's not the "red ring of death"...

You should see the "efuses list" (At least you have it in ZOC 5 window).
Try to write it down and keep it in a safe place.
A part of it is the CPU key that may get you ready for future 360 homebrew,
whatever firmware you will have in future.
If you don't have CPU key at this step, don't worry, we will catch it later.
If you have it, you can eventually stop this guide here.


II) How to get the ethernet connection

The clue is to have the Xbox360 connected to a machine or hub.
This machine (or a machine through the hub) must act as a DHCP server.
The easiest way is to activate "Internet Connection Sharing" on XP.
It's not called this way though. In network configuration on left side,
you should be offered the option to create a local network.
You won't be warned, but that will turn the ethernet plug you choose
to dedicate to ICS into a static IP address 192.168.0.1.
Now each time Gentoo boots, it will get a dynamic address from PC.
If PC is connected to internet, Gentoo will take advantage of it.

You can see if Gentoo got a valid address by going in top menu
(bottom menu for me, see below), and follow the path:
Applications->System tools->Network tools.
- Be sure to look at the "Devices" tab.
- The default device currently selected is "Loopback Interface (lo)".
- Change it and select "Ethernet Interface (eth0)".
- You should read IP address=192.168.0.n (n is decided by your PC).
(If you have something like 127.0.0.1, it's game over. Change your PC config, cables, etc... and reboot as many times as needed. Understand dhcp!)

III) How to get comfortable under 1080i

I'm using a vga box on a vulnerable xbox360 set to 1080i.
On my plasma screen I can't see the very top of screen.

If you don't see top of screen in 1080i :
Move the mouse cursor to the top right of the screen and drag it to the bottom.
That will move the top bar to the bottom of the screen.

Keyboard shortcuts to know:
(if you can't reach top right controls of a specific window)

Alt+F4 : Close window (quit)
Alt+F5 : Normal state (with it you can get rid of maximized state)
Alt+F6 : Select active window (same as Alt+Tab under Windows)
Alt+F7 : Move window (with arrow keys or mouse, then enter or esc)
Alt+F8 : Resize window (with arrow keys or mouse, then enter or esc)
Alt+F9 : Iconified state (bring it back with Alt+F6)
Alt+F10 : Maximized state (window will cover all screen)


IV) How to switch to your country keyboard layout

- Launch System->Preferences->Keyboard
- Select "Layouts" tab
- Click "Add"
- Select your country. Click "OK".
- Move up and check in your country layout. Click "Close".


V) How to explore folders

- Launch Applications->System Tools->File browser
- In the little combo list on left, replace "Places" with "Tree"
- Go in Edit->Preferences, View tab, replace "Icon view" with "List view"
Now you will have the look and feel of Windows explorer, somehow.


VI) How to surf on internet

- Launch Applications->Internet->Epiphany Web Browser
- Hit Alt+F5 to get rid of maximized window state, if you like
If you are using ICS on XP, if your XP was not connected to internet,
now it is (it connected itself automatically when Gentoo needed it).


VII) How to get CPU key or compile/run remotely from your PC

- Launch Applications->Accessories->Terminal

(I write below: the prompt, the command you have to type in, and the results)
gentoo@livecd ~ $ sudo passwd
New UNIX password : mylongpwd
Retype new UNIX password : mylongpwd
passwd: password updated successfully
gentoo@livecd ~ $ sudo /usr/sbin/sshd

Now that ssh daemon is running, on your PC, launch WinSCP (winscp.net)
Fill in the fields in order to establish the network link with the ssh daemon:
Hostname : livecd.mshome.net (or the IP address of the console)
UserID : root
Password : mylongpwd
Confirm you accept the link without warranty (click Yes)
You are asked to change password : type in "mysecondpwd" twice
WinSCP window is now opened and link is established.
You can transfer files at will and start remote sessions in order to compile.
Ctrl+T is the shortcut that creates a remote session.

(Never forget that files in the LiveCD are stored in RAM. If you shut down the console you lose them. You have to transfer your creations back to your PC each time. However, some USB storage devices worked. PSP for example.)

Copy Arnezami's dump32 from your PC harddisk into /var/tmp

(or copy its source and recompile it with "gcc -o dump32 dump32.c")

Open a session with Ctrl+T, then type in these commands:

chmod u+x ./dump32
sudo ./dump32

After a few seconds it should end (we don't care about returned values)
3 files appear in /var/tmp : Fuses.txt, 1BL.BIN (32Kb), NAND.BIN (16Mb)
(you need to hit refresh button in WinSCP to see them)

If program hangs while dumping firmware, you may have bad sectors.
In that case try that software dumper :
http://www.xboxhacker.net/index.php?topic=7290.20
(Try command 2 & command 3 variant, or avoid dumping bad sectors)

EDIT: I strongly recommend dumping a full physical image of the firmware with the software dumper above, with command 3. Also write down the possible list of bad sectors it will reveal. The dump made with command 3 is larger than NAND.BIN because of additional control values (+16 bytes for each sector of 512 bytes of data) and will allow Infectus (or any other tool) to reflash your firmware later (after or without editing, depending on whether or not you removed R6T3). For example, give it a significant name like FW_4532_FOR_INFECTUS.bin. This image is specific to this console: you can't re-use other consoles' firmware images without editing.

So if you decide to upgrade to play games, avoid going beyond 5766 if possible (especially if you did not remove the R6T3 resistor), and be sure you have: cpu key (efuses list), 1bl.bin, nand.bin and FW_4532_FOR_INFECTUS.bin. Keep them in a safe place! Duplicate them! And watercool & remove xclamps so you don't lose everything with the death of your console... FW_4532_FOR_INFECTUS.bin will have the same size as dumps created by Infectus, so you can compare them, which is a good way to be sure the wires have been correctly connected to the Infectus.

EDIT :
ivc posted on xbh a complete set of downgrade tests!
http://www.xboxhacker.net/index.php?topic=7691.120
You can downgrade from 5766 with resistor in place!
Thanks ivc for your courageous testing!
(Hint : The file inside ivc's .gz file is a .tar file holding tmbinc software dumper, command 2 and 3)

Copy Fuses.txt to your PC harddisk (back it up several times!)

Its content shows:
CODE

00: c0ffffffffffffff
01: 0f0f0f0f0f0f0ff0
02: 0f00000000000000
03: xxxxxxxxxxxxxxxx
04: xxxxxxxxxxxxxxxx
05: yyyyyyyyyyyyyyyy
06: yyyyyyyyyyyyyyyy
07: f000000000000000
08: 0000000000000000
09: 0000000000000000
0a: 0000000000000000
0b: 0000000000000000


03=04, 05=06 and (03,05) is your CPU Key. Never lose it!
Even if you upgrade to the latest firmware (even if you keep the R6T3 resistor), it's quite possible that downgrades become possible, assuming you have it.

But dump32 created 2 other interesting files... (Keep them too, who knows)

Copy 1BL.BIN to your hard disk.
1BL.BIN is "the first boot loader". It was stored inside the CPU too (I think).
That thing is able to decipher the 2nd boot loader which is in the firmware.

Copy NAND.BIN to your hard disk.
That's the firmware image of your console!
But you can't reflash your NAND (the chipset that stores firmware) with that image (yet). For that you should use a physical firmware image. A physical firmware image can be obtained with infectus, olympus mausb-10 or by unsoldering NAND and using any NAND reader/flasher.

Copy FW_4532_FOR_INFECTUS.BIN to your hard disk

The difference between Nand.bin and this last one is the management of bad blocks and the fact that 360 hardware inner parts may change data on the fly. Sometimes there are sectors that are damaged (NAND memory is divided into 32768 sectors of 512 bytes each). For each sector, 16 extra bytes can be obtained in order to check the validity of the sector's data. Research is currently in progress to create a clean software firmware reader and flasher.
If dump32 hangs, it may be because of damaged sectors. Try to change the loop in order to skip the damaged sectors (M$ tolerates a small number of damaged sectors in the Nand they purchase for 360 manufacturing).

Robinsod has made a nice program that extracts the code modules from firmware image.
It's named Flash dump tool 0.81

But if you got your cpu keys and can't wait any longer to play the latest games, you can upgrade the firmware now. You still keep good chances for homebrew.
If you can wait more, try to play a bit more with your firmware. If you are good, you may end up, for example, with warpjavier's nice mod that allows swapping firmwares just by inserting xD-picture 16Mb memory cards...
I may try that later myself.

Don't lose your CPU Keys now!
Final piece of advice: Water cool your 360 and remove the XClamps!
(since it's better to keep with you the 360 you have the CPU keys for!)

VIII) Thanks

Thanks to tmbinc & anonymous friends, Bunny, Cpas, Arnezami, Takires, TheSpecialist, GaryOPA, Warpjavier, SeventhSon, Robinsod...
(Sorry for not writing all the other good hackers names...)
Your (public) progress in improving the utility of xbox360 is great!
Thanks for sharing your knowledge with us!


A) Links

- Gentoo LiveCD Xenon Beta v2
http://xbins.org (see other tutorials about how to enter xbins repository)

- Xorloser's KK patcher (for people without the serial device link)
http://xbins.org (see other tutorials about how to enter xbins repository)
The full name of the patcher is:
"King Kong Shader Exploit for the XELL Loader (No Serial Cable Required) "

- Cpas's "serial kk patcher v2" (for people who soldered a serial device link)
http://www.360mods.net/Downloads/details/id=79.html

- Cpas's xell_choice (rom.bin and its source):
http://mydedibox.homelinux.com/downloads/x...l_choice.tar.gz
(It's tmbinc's -and friends- xell loader with some nice choices in it:
read cd or boot stuff through tftp)

- WinSCP (allows you to transfer files and open remote sessions)
http://winscp.net

- Arnezami's dump32 utility (get CPU keys, 1BL & NAND with LiveCD!)
Binary: http://rs24.rapidshare.com/files/39038675/dump32.html
Source: http://rs24.rapidshare.com/files/39038437/dump32.c.html

You can follow the progress of these heroes on their favorite site :
http://xboxhacker.net
But, please, just read, don't post there, unless you contribute significantly.
You can make the usual comments in this thread instead. They will surely read it.

This post has been edited by openxdkman: Jan 19 2009, 08:36 PM
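Added example (not part of openxdkman's post, nor of dump32 or Infectus): a small Python script that sanity-checks the files the guide says to keep. It parses a Fuses.txt in the row layout shown in the post, refuses to assemble the 16-byte CPU key unless rows 03/04 and 05/06 agree (so a mistyped or corrupted dump is caught before it is relied on), and splits a physical image into its 512-byte data sectors and 16-byte control records so the data part can be compared byte for byte with NAND.BIN and the sizes checked against the 32768-sector flash the post describes. The fuse values and the four-sector image are constructed sample data, not a real console's.

```python
"""Sanity-check the backup files the guide tells you to keep.

Added example; it is not part of the original post, dump32 or Infectus.
The Fuses.txt layout (rows "NN: <16 hex digits>", rows 03/04 and 05/06
each holding half of the CPU key twice) and the 512 + 16 byte sector
layout of a physical image are taken from the post. All sample data in
this file is constructed; no real console values appear.
"""
import re

FUSE_LINE = re.compile(r"^([0-9a-fA-F]{2}):\s*([0-9a-fA-F]{16})$")

SECTOR_DATA = 512      # data bytes per NAND sector (post: 32768 x 512)
SECTOR_SPARE = 16      # control bytes per sector in a physical dump
SECTOR_COUNT = 32768   # sectors in the 16 MiB flash the post describes


def parse_fuses(text):
    """Map fuse row index -> 8-byte value, rejecting malformed lines."""
    rows = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        m = FUSE_LINE.match(line)
        if m is None:
            raise ValueError(f"unexpected fuse line: {line!r}")
        rows[int(m.group(1), 16)] = bytes.fromhex(m.group(2))
    return rows


def fuse_copies_agree(rows):
    """True when the duplicated rows match (03 == 04 and 05 == 06)."""
    return rows[0x03] == rows[0x04] and rows[0x05] == rows[0x06]


def cpu_key_from_fuses(rows):
    """Assemble the 16-byte CPU key from rows 03 and 05.

    A dump (or a hand copy of it) whose duplicate rows disagree is not
    trustworthy, so refuse it instead of silently picking one copy.
    """
    if not fuse_copies_agree(rows):
        raise ValueError("fuse rows 03/04 or 05/06 differ; dump is corrupt")
    return rows[0x03] + rows[0x05]


def split_physical_image(image):
    """Split a physical dump into (data_only, [spare bytes per sector]).

    data_only has the layout and size of NAND.BIN, so it can be compared
    byte for byte with the dump32 output; the control bytes are returned
    separately for inspection.
    """
    page = SECTOR_DATA + SECTOR_SPARE
    if len(image) % page:
        raise ValueError(f"length {len(image)} is not a multiple of {page}")
    data = bytearray()
    spares = []
    for off in range(0, len(image), page):
        data += image[off:off + SECTOR_DATA]
        spares.append(bytes(image[off + SECTOR_DATA:off + page]))
    return bytes(data), spares


def expected_image_sizes():
    """Sizes a full dump should have: NAND.BIN vs. the physical image."""
    return {
        "NAND.BIN": SECTOR_COUNT * SECTOR_DATA,
        "physical": SECTOR_COUNT * (SECTOR_DATA + SECTOR_SPARE),
    }


# Constructed Fuses.txt in the layout the post shows; the key bytes are fake.
SAMPLE_FUSES = """\
00: c0ffffffffffffff
01: 0f0f0f0f0f0f0ff0
02: 0f00000000000000
03: 0123456789abcdef
04: 0123456789abcdef
05: fedcba9876543210
06: fedcba9876543210
07: f000000000000000
08: 0000000000000000
09: 0000000000000000
0a: 0000000000000000
0b: 0000000000000000
"""

# Constructed 4-sector physical image: sector i is filled with byte i,
# each followed by 16 bytes of 0xff standing in for the control bytes.
SAMPLE_PHYSICAL = b"".join(
    bytes([i]) * SECTOR_DATA + b"\xff" * SECTOR_SPARE for i in range(4)
)

if __name__ == "__main__":
    key = cpu_key_from_fuses(parse_fuses(SAMPLE_FUSES))
    print("CPU key:", key.hex())
    data, spares = split_physical_image(SAMPLE_PHYSICAL)
    print(f"{len(data)} data bytes, {len(spares)} control records")
    print("full-image sizes:", expected_image_sizes())
```

To use it on real files, read Fuses.txt into `parse_fuses` and the physical image into `split_physical_image`, then compare the returned data with NAND.BIN and its length with `expected_image_sizes()`; a size mismatch or a disagreeing fuse row is the cue to re-dump before trusting the backup.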