
[JTAG/RGH] How to build a new NAND when you lost everything


This tutorial is only for those of you who lost all of their original and hack nand dumps + erased/corrupted the nand/flashed the wrong image to the nand.

If you find yourself in this situation then this tutorial will walk you step by step to make your console boot hack dash again.

Take note that you won't be able to restore your console to retail ever again and you will be unable to use your dvd drive until you extract the key off of it.

Things you will need;

usb spi nand programmer (nand-x, jr-programmer, any will do; eMMC R/W kit for corona 4gb)

J-Runner the ultimate JTAG/RGH app DOWNLOAD

Extracted nand files that match your motherboard model (download below)

Step 1; Recovery of cpu key and LDV's

Download one of the clean extracted donor nand files according to your motherboard model and extract the containing folder to the location of your choice;

Don't use these files to unban your console: first, you don't have the original cpu key, and second, they are all from banned consoles. You have been warned!

corona 4gb.rar

corona 16mb.rar

falcon opus.rar

jasper bb.rar

jasper sb.rar

trinity.rar

trinitynofcrt.rar

xenon.rar

zephyr.rar

Next you need to solder/plug in your nand programmer wires onto the motherboard

Open the J-Runner app and click on the "show working folder" button located at the bottom right

post-16724-0-48682000-1395833423_thumb.jpg

Open the folder named "data" located inside the /J-Runner/xeBuild/ folders

Open your extracted nand files folder and copy and paste KV.bin, SMC.bin, smc_config.bin and fcrt.bin (if required) to the data folder. It should look like this.

post-16724-0-65248000-1395833480_thumb.jpg

In J-Runner, copy and paste this cpu key F37C0CD50B928F4E67614ACD548A4E49 in the cpu key section.

Choose dashboard version according to your hack type (for JTAG choose 7371 - for phat rgh1 choose 14699 - for R-JTAG choose 15574 - for phat RGH2 choose 14719 - for slim choose anything above 14719)

Select your motherboard nand type.

Select retail as your image type.

It should look like this.

post-16724-0-90877100-1395833526_thumb.jpg

In J-Runner under the Advanced tab click on Create an image without nanddump.bin

post-16724-0-16046200-1395833576_thumb.jpg

Then you will be asked to enter LDV; just enter any number between 1 and 80 and click ok.

post-16724-0-00976100-1395833615_thumb.jpg

At this point the dummy image should be successfully created and automatically loaded in the "Load Source" section.

Now with your nand programmer properly connected to both your pc and motherboard click on "Write Nand".

Wait until J-Runner has finished writing the nand and select your "hack type", then click on "Create ECC" for an rgh machine or "Create Xell-Reloaded" for a JTAG/R-JTAG machine.

Now click on "Write ECC" or "Write Xell-Reloaded" depending on your hack type.

post-16724-0-32222600-1395833662_thumb.jpg

post-16724-0-28060600-1395833683_thumb.jpg

You are now ready to boot xell and recover your cpu key.

Power on your console and wait for xell to boot.

Once xell has booted write down your cpu key, fuseset 02 and fuseset 07

post-16724-0-41889900-1395833724_thumb.jpg

Understanding and calculating LDV's

Calculating CF/CG ldv is fairly simple. Just count the number of "F" in fuseset 07 to fuseset 11. So in the example above we have a cf/cg lock down value of 2.

Calculating CB LDV can be a little bit trickier. You have to take the right-most "F" and calculate how many characters it is from the left. In the example above the right-most "F" is 5 characters from the left so we have a cb lock down value of 5.

Understanding CB LDV; Quote from Martin C @ TX

Quote

This value is NOT updated every dashboard version and is not directly reflected in any apps. However, the value can be translated to a CB/dashboard version. You cannot 'edit' your image to use a different CB for a retail NAND. It MUST match the entry as found in XeLL, otherwise it'll fail to boot.

The example above is from a Jasper with a cb ldv cseq of 5 and by looking at the chart below we can determine that dashboard 7371 would be the highest version acceptable for this particular console.

post-16724-0-94820500-1395833852_thumb.jpg

Step 2; Building the fake OG nand image

Now back in J-Runner, enter your cpu key in the cpu key section.

Select your dashboard according to your CB LDV cseq

Select Retail as Image type.

Select Motherboard nand type.

Click on the "Advanced" tab and on "create an image without nanddump.bin"

post-16724-0-56410500-1395833891_thumb.jpg

You will be asked for LDV; this is the cf/cg LDV, so you enter what you have in fuseset 07 and click "ok"

post-16724-0-38463900-1395833936_thumb.jpg

You have now created a fake original nand image. Even though you won't be able to boot your console with this image it would still be a good idea to keep it somewhere safe.

With your new image loaded in the "Load Source" section and your cpu key in the "Cpu Key" section click on the "kv info" tab. You will notice that the info in there is obviously not from your console. So now would be a good time, for those who can, to extract your dvd drive key and patch the key vault with the appropriate dvd key.

Click on the "XB Settings" tab, click on "Advanced XeBuild Options", paste your dvd key in the "dvdkey" section, click "OK" then click the "Use Edited Options" check box.

post-16724-0-44151900-1395834004_thumb.jpg

For DG16D5S and DLN10N owners; the easiest and cheapest way to make your dvd drive functional would be to install a TX LTU 2 pcb.

Final Part; Building/writing your hack image

Back in J-Runner, with your new fake original nand image loaded in the "Load Source" section and cpu key in the "Cpu Key" section, select hack image type (Jtag - rgh - rgh2 - r-jtag), select your desired dashboard (should be the latest, which is 16537 at the moment of writing), select motherboard nand type. You can also edit dashlaunch and xeBuild options at this point.

Click on create xeBuild image. You will see 3 or 4 warning messages popping up which will ask you if you want to delete kv.bin, smc.bin, fcrt.bin and smc_config.bin. Click yes on all of them.

post-16724-0-16106300-1395834054_thumb.jpg

With your nand programmer properly connected to both your console and pc click on "Write Nand"

​

Boot your console and have fun.

  • Like 11
  • Thanks 2
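
The LDV counting rules from "Understanding and calculating LDV's" in the post above, as an added example that is not part of the original post and is not J-Runner or XeLL code. It assumes fuse lines shaped like `fuseset NN: <16 hex digits>` and that the CB LDV row is fuseset 02; the fuse values are constructed to reproduce the post's results (CB LDV 5, CF/CG LDV 2).

```python
import re

# Assumed shape of one line of XeLL's fuse listing: "fuseset NN: <16 hex digits>".
FUSE_LINE = re.compile(r"fuseset\s+(\d{2})\s*:\s*([0-9A-Fa-f]{16})\b")

# Constructed values (not from a real console), chosen so the results match
# the post's worked example: CB LDV 5 and CF/CG LDV 2.
SAMPLE = """\
fuseset 00: C0FFFFFFFFFFFFFF
fuseset 01: 0F0F0F0F0F0F0FF0
fuseset 02: 0000F00000000000
fuseset 07: FF00000000000000
fuseset 08: 0000000000000000
fuseset 09: 0000000000000000
fuseset 10: 0000000000000000
fuseset 11: 0000000000000000
"""

def parse_fusesets(text):
    """Map fuseset number -> 16-char uppercase hex row. Rows that are not
    exactly 16 hex digits (a typical hand-transcription slip) are dropped."""
    return {int(n): row.upper() for n, row in FUSE_LINE.findall(text)}

def _row(fusesets, n):
    if n not in fusesets:
        raise ValueError(f"fuseset {n:02d} missing or not 16 hex digits")
    return fusesets[n]

def cb_ldv(fusesets):
    """1-based position, counted from the left, of the right-most 'F' in
    fuseset 02 (assumption: this is the row the post reads CB LDV from)."""
    pos = _row(fusesets, 2).rfind("F")
    if pos < 0:
        raise ValueError("fuseset 02 contains no 'F'")
    return pos + 1

def cfcg_ldv(fusesets):
    """Number of 'F' characters in fuseset 07 through fuseset 11."""
    return sum(_row(fusesets, n).count("F") for n in range(7, 12))

if __name__ == "__main__":
    fs = parse_fusesets(SAMPLE)
    print("CB LDV:", cb_ldv(fs))
    print("CF/CG LDV:", cfcg_ldv(fs))
```

The 'F' characters in fuseset 00 and 01 are deliberately present in the sample to show that only rows 02 and 07 to 11 take part in the two counts.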


Is the Jasper SB a Jasper RGH2?

You mean the data supplied? or?

Jasper consoles can be any of these: JTAG, RGH, RGH2, R-JTAG, RGH2+, R-JTAG+

The same goes for ANY phat console; Xenon, Zephyr, Falcon, Jasper (both SB and BB)

Trinity can be any of these: RGH, RGH2 (Basically the same as RGH1 on Trinity really), RGH2+

Corona can be any of these: RGH2, RGH2+


Thanx for great tutorial,

can we build a retail image with this guide for corona consoles while rgh2 nand is written?

No, retail requires your own data to be present... however, if you have a working image on your console you can just build a new retail using xeBuild GUI for instance... keep in mind tho, the retail has to be built using a compatible kernel (whatever was on your console when it was first hacked)

  • Like 1


I don't find no update option for it. I wanna know does this software function online or offline, will it work? Here is a screenshot of what I have

post-43672-0-60267700-1422461416_thumb.png

 

I just wanna use to fix bad blocks on my nand


I don't find no update option for it. I wanna know does this software function online or offline, will it work? Here is a screenshot of what I have


 

I just wanna use to fix bad blocks on my nand

Ahh, i see... it can't download as the server it's on is down...

Anyways, you cannot FIX bad blocks, they're there... they're normal... what you can do is deal with them by remapping


followed tutorial and this came up..?? not sure what i am doing wrong.

Saturday, February 21, 2015 12:13:36 AM

J-Runner v0.3 Beta (7) Started


WARNING! - Your selected working directory already contains files!
You can view these files by using 'Show Working Folder' Button


Version v0.3 Beta (7) is available for download.
Checking Files
Finished Checking Files
Downloaded *xeBuild/12611/_jtag.ini
Finished Checking Files
Downloaded *xeBuild/12625/_jtag.ini
Finished Checking Files
Downloaded *xeBuild/9199/_jtag.ini
Finished Checking Files
Zephyr Manually Selected
CpuKey is Correct
Load Files Initiliazation Finished
14699
Couldn't add dashlaunch patches to D:\Documents and Settings\Gixxxer\Desktop\JRunner\xeBuild\14699\_glitch2.ini
Couldn't add dashlaunch patches to D:\Documents and Settings\Gixxxer\Desktop\JRunner\xeBuild\14699\_glitch2m.ini
Started Creation of the 14699 xebuild image
---------------------------------------------------------------
     xeBuild v1.14.693
---------------------------------------------------------------
base path changed to D:\Documents and Settings\Gixxxer\Desktop\JRunner\xeBuild
---- { Image Build Mode } ----
building retail image



**** could not read cb.4571.bin (-1) ****

******* ERROR: critical bootloader files are missing, cannot proceed!



***** FATAL BUILD ERROR: -1 unable to complete NAND image

---------------------------------------------------------------
    xeBuild Finished. Have a nice day.
---------------------------------------------------------------
Failed
CpuKey is Correct
Load Files Initiliazation Finished
14699
Couldn't add dashlaunch patches to D:\Documents and Settings\Gixxxer\Desktop\JRunner\xeBuild\14699\_glitch2.ini
Couldn't add dashlaunch patches to D:\Documents and Settings\Gixxxer\Desktop\JRunner\xeBuild\14699\_glitch2m.ini
Started Creation of the 14699 xebuild image
---------------------------------------------------------------
     xeBuild v1.14.693
---------------------------------------------------------------
base path changed to D:\Documents and Settings\Gixxxer\Desktop\JRunner\xeBuild
---- { Image Build Mode } ----
building retail image



**** could not read cb.4571.bin (-1) ****

******* ERROR: critical bootloader files are missing, cannot proceed!



***** FATAL BUILD ERROR: -1 unable to complete NAND image

---------------------------------------------------------------
    xeBuild Finished. Have a nice day.
---------------------------------------------------------------
Failed


fcrt.bin was not in .rar could that affect it?

FCRT.bin is one of the per-console files, so no that's not it... this error is strictly related to the bootloaders...


any idea where i can find what i am missing by chance. i'm seriously bout to scrap this console.

Send me your key and i'll make you a donor image during the day... oh, i will also be needing you to tell me what hack your zephyr has, if it really is a zephyr?


i don't have a key. long story short this was my first attempt at rgh. backups were on a different computer, house burned down, computer along with it. I had a nand dump saved but it would not write ecc. so i'm guessing nand dump was an overwritten file since i was never given option to overwrite. Therefore i ended up here trying to use a donor. Also just a heads up i am using a clone chip. If you need pics i will send them.


i don't have a key. long story short this was my first attempt at rgh. backups were on a different computer, house burned down, computer along with it. I had a nand dump saved but it would not write ecc. so i'm guessing nand dump was an overwritten file since i was never given option to overwrite. Therefore i ended up here trying to use a donor. Also just a heads up i am using a clone chip. If you need pics i will send them.

Ok, so you're at the stage where you need to make yourself an ecc? do you know what hack your console supports? if not; go with RGX... the pre-compiled RGH2 images, or R-JTAG (but that requires a new chip)

** Edit: **

Oh, and if you haven't written anything to your console yet, just dump your console again... Donor is really only for when you've f*cked up big time by overwriting the nand (the physical nand) with someone else's data and don't have a dump laying around...


should be rgh 1 dash was in the 9xxx if i remember correctly.

i have kept a dump of the original nand that i dumped after picking this console back up to work on it again. however with that same nand i was unable to create ecc or boot to xell. I tried multiple times, resoldered, nor was not receiving any weird flash config codes. From everything i had read this led me to believe i had overwritten my nand physically, that's why i started searching for donor. I have overwritten my nand at least once with a donor however it didn't boot to xell so i reflashed back to the first nand.

gimme a sec and i will rerun the whole rgh start process and post my jrunner


Send me any dumps you do have and i'll try to help you build a working image, with RGH you can't really say "this image doesn't work" when it's your early days of hacking yourself, especially when using clones/pirated chips as they can be lower quality, if they even work at all...


Saturday, February 21, 2015 1:27:35 AM

J-Runner v0.3 Beta (7) Started


WARNING! - Your selected working directory already contains files!
You can view these files by using 'Show Working Folder' Button


Checking Files
Finished Checking Files
Downloaded *xeBuild/9199/su20076000_00000000
Downloaded *xeBuild/9199/_jtag.ini
Finished Checking Files
Version: 01
Flash Config: 0x01198010
01198010
Xenon, Zephyr, Opus, Falcon
CB Version: 4578
Zephyr
Reading Nand to C:\Users\Gixxxer\Desktop\J-Runner v3 (5) Core Pack\J-Runner v3 (5) Core Pack\nanddump1.bin
Reading Nand
Done!
in 3:25 min:sec

Reading Nand to C:\Users\Gixxxer\Desktop\J-Runner v3 (5) Core Pack\J-Runner v3 (5) Core Pack\nanddump2.bin
Initializing nanddump1.bin..
Header is wrong..
Zephyr
Glitch Selected
Nand Initialization Finished
Reading Nand
Done!
in 3:25 min:sec

Comparing...
Nands are the same
Programming Coolrunner
C:\Users\Gixxxer\Desktop\J-Runner v3 (5) Core Pack\J-Runner v3 (5) Core Pack\common\xsvf\zephyr.xsvf
USB XSVF Player Initialized
Xilinx XC2C64A-VQ44 ......... [DETECTED]
Erase Succeeded
File: C:\Users\Gixxxer\Desktop\J-Runner v3 (5) Core Pack\J-Runner v3 (5) Core Pack\common\xsvf\zephyr.xsvf
Sending Out Packets .........
Success
Header is wrong..
Invalid Image
Failed to create ecc image
 


understandable risk that i accepted with the clone. probably not the best decision for first rgh but at the time i was broke. chip looks decent quality, only thing that looks off besides the missing emblems is how the jumpers are done.


Send me that dump and i'll check what exactly it contains, from the looks of it it contains the ECC patched thingymagoo... if that's the case, i can probably help you even tho JRunner refuses...


Corona 4GB.rar missing KV.bin, how to fix?

Grab the other Corona.rar ;)
