XNandHealer Step-by-Step Guide to RGH your 360

Post by yamackbuddy4 »

Credit to tingedace

SUMMARY

XNandHealer is a tool to help with various tasks including:
- Perform multiple reads of your NAND in one go
- Verify the integrity of each dump and check that all dumps match
- Quickly fix a misread NAND dump by re-reading any blocks that were not read correctly first time round (ecc error blocks)
- Do a quick analysis on any NAND image to find out motherboard type, block size, bad blocks, CB version and whether or not the console is suitable for RGH/JTAG
- Create ecc image (XeLL Reloaded) and flash it to your console
- Read CPU key/fuses.txt back over LAN from console booted into XeLL Reloaded.
- Create (Multibuilder equivalent) xeBuild glitch image and flash it to your console

XNandHealer DOES NOT:
- do any content checking or analysis of the NAND image (like 360 Flash Tool)


REQUIREMENTS

Software
1. XNandHealer 0.74 Download Here
2. Nandpro 2.0b or later + associated drivers Download Here
3. Multibuilder 0.7 Download Here

Hardware
1. A ‘glitchable’ Xbox 360 with programmed glitch hardware properly installed e.g. TX Coolrunner
2. NAND flasher hardware e.g. TX NAND-X or LPT cable.

INITIAL SETUP

1. Install Nandpro (portio) drivers if you haven’t already
2. Unpack Multibuilder 0.7 to a folder of your choice e.g. “C:\Nandpro\Multibuilder”
3. Launch XNandHealer and click “Settings” on the main form. Make sure the file locations are set up correctly:

Image

These settings will be retained between sessions and between different versions of XNandHealer.

Note 1: python and xeBuild are in the “Data\” folder, so that’s what you need to provide here
Note 2: FindSecData is used for uncrippling, and not needed for RGH.

MAIN PROCEDURE

1. Set a working directory for the current console

Image

It’s a good idea to have a separate folder for each console you work on. After you’re finished, the folder will contain all the files specific to that console.

· Multiple dumps of your original NAND
· Your image_00000000.ecc (XeLL Reloaded) image
· Your full glitch_image.bin as built by xeBuild
· Your xeBuild log file glitch_image.bin.log
· A copy of your fuses.txt
· A copy of your launch.ini (if used)

2. Select your NAND reading interface of choice and click “Detect” to make sure the NAND can be detected
If successful, the connection status area will be populated with the details of your NAND.

Image

Note that Xenon, Zephyr, Opus and Falcon all share the same flashconfig. Collectively they are referred to here as “Pre-Jasper”.

3. Now you can go ahead and read the NAND up to 4 times. Click “Read Selected...”
A dialog will pop up, which allows you to specify how many times to read the NAND (one NAND read per slot).

Image

The default size for your NAND will be displayed, which is always what you’ll want to choose here when the size is 16MB.
For Jasper consoles (256MB or 512MB), you need only read the first 64MB, but you can read the lot if you want!

Image


4. Click OK and the NAND will be dumped the required number of times. By default and for convenience they will be auto-named nand1.bin, nand2.bin etc., as per the names in the 4 slots on the main form.

Case A – Good reads of a good NAND

Once read, you’ll see the filenames appear in bold to indicate a file present and the block status alongside to indicate if there are any bad blocks or ecc error blocks. If all reads were done properly you will see in the “Compare all NANDs” section that the selected file matches the other dumps.

Image


Case B – Good reads of a NAND containing bad (relocated) blocks

The NAND dumps are identical but they contain bad blocks

Image

Case C – Bad read of a good NAND

An error reading the NAND results in a corrupt dump. The red cross indicates an ECC error.

Image

Note: An ECC error block is a block containing corrupt data. The block was not read correctly from the NAND and needs to be re-read.
A bad block is a block of the NAND chip that is marked as not in use. There is no point in trying to re-read a bad block.

5. Next, we go to the “NAND Info” tab. We want to know if the console has a ‘glitchable’ CB and be aware of any bad blocks, so select an image:

Image

This example is pretty nasty! Since it has a bad block within the first 0x50, generating the ecc image (using the usual tools) won’t always work without remapping first.

6. Not to worry, we can go to the “Build XeLL Reloaded” tab and after selecting the image, one click will do the remapping and then build a valid ecc image:

Image

In this case, here is the log of what happened before and during the build:

Building XeLLous glitch image for Falcon...
 
Reading block 165 from location 3FC...Done
Reading block 14C from location 3FD...Done
Reading block 055 from location 3FE...Done
Reading block 004 from location 3FF...Done
Writing block 004 to location 004...Done
Writing block 055 to location 055...Done
Writing block 14C to location 14C...Done
Writing block 165 to location 165...Done
0xFF filling block 3FC for 4200 bytes...Done
0xFF filling block 3FD for 4200 bytes...Done
0xFF filling block 3FE for 4200 bytes...Done
0xFF filling block 3FF for 4200 bytes...Done
 
python build.py nand1.bin_remap CD xell-gggggg.bin
* found flash image, unpacking...
ECC'ed - will unecc.
Found 2BL (build 5771) at 00008000
 
[CB] version [5771] found !!
 
This CB version can be for a Falcon or an Opus
 
N.B:
If you have programmed your CPLD chip with the Falcon.jed file
and it's not glitching, then you can try using the Opus.jed file
 
 
Found 4BL (build 8453) at 00011340
Found 5BL (build 1888) at 00016ac0
* found decrypted CD
* found XeLL binary, must be linked to 1c000000
* we found the following parts:
SMC: 1.6
CB_A: 5771
CB_B: missing
CD (image): 8453
CD (decrypted): 8453
* checking for proper 1BL key... ok
* decrypting...
* checking if all files decrypted properly... ok
* checking required versions... ok
* this image will be valid *only* for: falcon/CB_5771
* patching SMC...
CRC32: 1d0c613e
patchset "Falcon, version 1.6" matches, 1 patch(es)
* zero-pairing...
* constructing new image...
* base size: 70000
* No separate recovery Xell available!
* Flash Layout:
0x00000000..0x000001ff (0x00000200 bytes) Header
0x00000200..0x00000fff (0x00000e00 bytes) Padding
0x00001000..0x00003fff (0x00003000 bytes) SMC
0x00004000..0x00007fff (0x00004000 bytes) Keyvault
0x00008000..0x0001133f (0x00009340 bytes) CB_A 5771
0x00011340..0x0001733f (0x00006000 bytes) CD 8453
0x00017340..0x000bffff (0x000a8cc0 bytes) Padding
0x000c0000..0x000fffff (0x00040000 bytes) Xell (backup)
0x00100000..0x0013ffff (0x00040000 bytes) Xell (main)
* Encoding ECC, please wait ...
------------- Written into image_00000000.ecc
========================================
Processing bad blocks in the XeLL Region
========================================
> Dumping block 0x004 of image_00000000.ecc to file ecc004.bin...Done
Zero-ing block 0x004 of image_00000000.ecc...Done
 
[b]NOTE:[/b] Clicking "Write XeLL to NAND" will write XeLL, then write the bad block(s) individually

7. Now that we have the ecc image built, it can be flashed to your console by clicking “Write XeLL to Nand”.

Image


In the case where there are bad blocks in the first 0x50, those will be automatically written to the correct location as follows:

Image



8. Disconnect your NAND reader, boot to XeLL with LAN cable connected and note your DHCP IP address.

9. Back to XNandHealer and on to “Build Glitch Image” tab. Type the IP address in the box:

Image

Click “Key from IP” to get the key over the LAN and also dump fuses.txt to your working directory.

10. Then, new in version 0.74 is the ability to configure your launch.ini file. With “Dashlaunch Patches” checked, click “Config” and you can choose a preset or make a custom one.

Image

Click OK and your launch.ini will be saved to your working directory and subsequently included in the image.

11. Now choose your Dash type and click “Build Image” back on the main form and you should see the following

Image

Note 1: This will create an image equivalent to that of Multibuilder. You can compare the output logs from xeBuild (Multibuilder vs. XNandHealer) with something like KDiff3 if you have any doubts ;-)

Note 2: There is no need to remap blocks in the resulting image. If there are any bad blocks in your original NAND, they will already have been remapped as part of the build.

12. Finally, click “Write Image to NAND” and you’re done.

Image

That’s just about worth doing for 16MB images, but for BB Jaspers I use xenon.elf and a USB stick i.e. copy xenon.elf (from Multibuilder\Data folder) and your glitch_image.bin (renamed to nandflash.bin) to the root of a FAT32 formatted USB stick, and boot to XeLL with the USB stick inserted in your console.
Your image will be flashed in a jiffy!

13. Enjoy your newly created RGH Console
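
The dump comparison from step 4 (Cases A to C), as an added example that is not part of the original guide and is not XNandHealer's own code: it compares several raw dumps block by block and reports which dump holds the odd block, so only those blocks need re-reading. It assumes raw dumps with 0x4200-byte blocks (the block size shown in the build log above); the function names are hypothetical, and it only compares bytes, it does not perform the ECC check or detect bad blocks.

```python
from collections import Counter

# Assumption: raw small-block dump, 0x4200 bytes per block including spare
# data, matching the "4200 bytes" block size in the build log above.
BLOCK_SIZE = 0x4200

def split_blocks(dump: bytes, block_size: int = BLOCK_SIZE) -> list[bytes]:
    """Cut a raw dump into fixed-size blocks; reject truncated dumps."""
    if len(dump) % block_size:
        raise ValueError("dump length is not a whole number of blocks")
    return [dump[i:i + block_size] for i in range(0, len(dump), block_size)]

def compare_dumps(dumps: dict[str, bytes], block_size: int = BLOCK_SIZE) -> dict[int, list[str]]:
    """Return {block_index: [dump names that disagree with the majority]}.

    An empty dict means every dump matches. When no version of a block has
    a strict majority, every dump is listed for that block, because the
    comparison alone cannot tell which read was the good one.
    """
    names = list(dumps)
    blocks = {name: split_blocks(data, block_size) for name, data in dumps.items()}
    if len({len(b) for b in blocks.values()}) != 1:
        raise ValueError("dumps differ in size")
    suspects: dict[int, list[str]] = {}
    for idx in range(len(blocks[names[0]])):
        versions = Counter(blocks[name][idx] for name in names)
        if len(versions) == 1:
            continue  # all reads agree on this block
        best, votes = versions.most_common(1)[0]
        if votes * 2 > len(names):
            suspects[idx] = [n for n in names if blocks[n][idx] != best]
        else:
            suspects[idx] = list(names)
    return suspects

def demo() -> dict[int, list[str]]:
    """Constructed sample: three 4-block dumps, one with a flipped byte in block 2."""
    good = b"".join(bytes([i]) * BLOCK_SIZE for i in range(4))
    misread = bytearray(good)
    misread[2 * BLOCK_SIZE + 10] ^= 0xFF
    return compare_dumps({"nand1.bin": good, "nand2.bin": bytes(misread), "nand3.bin": good})

if __name__ == "__main__":
    for block, names in demo().items():
        print(f"block 0x{block:03X} differs in: {', '.join(names)}")
```

Identical dumps that all contain the same bad blocks (Case B) still compare as matching here, which is why the “NAND Info” check in step 5 is a separate step.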