JTAG Falcon JTAG KV Issue

BaDvs3viL

Hello everyone,

I got my hands on a Falcon system that was JTAG'd. The wiring looked bad so I re-soldered new diodes and wires.

The system will E79 if booted normal, but will boot into Xell with eject. If I let Xell load I notice that it has a failure with decrypting the KV as it appears that this KV isn't the correct one as the CPU key can't decrypt it.

What can I do at this point? I have no idea where it came from. No backups of any kind.

If I use the CPU key that Xell gives me, I cannot decrypt the nand with any app like 360 flash tool, jtag tool.

I also noticed when reading the nand using my NAND-X that there is a bad block at 017. I'm not sure if this may have something to do with it.

Any ideas?
 

BaDvs3viL

Martin C , I figured I would hear from you on this at some point. Thanks sir. I guess the only question that I have is... Doesn't the donor KV have to match the system? I have plenty of them here from backups of other jtag'd systems.
 

BaDvs3viL

> You've already said what the problem is: The KV is the wrong one for the NAND.
>
> You will need a donor KV (decrypted) to inject into the NAND.

Ok, I must be lost at some point and sorry for asking so many questions...

I have another falcon that I did an RGH on. I extracted the KV from that backup. I then used Keyvault modder to encrypt that extracted KV using the CPU key from the falcon I am working on. Once that was done, I imported that new KV into the nand that I have using 360 flash tool. Once completed, I opened that new nand in JTAG tool and went to KV info and popped in the key for this box and bam, I now have KV info showing up and no error about having the wrong key.

Well, I then took that nand and used MB0.5 to create myself a new FB image to flash with.

I get an error when it is building that it cannot extract the KV.

I said ok... I took the nand that I made without changing anything besides the new KV and flashed that to the box. The box still E79 with the power button but will go into Xell with eject. I let Xell boot all the way and still get an error about reading the KV.

I know I am close!
 

BaDvs3viL

I also just took a decrypted KV and injected it directly into the nand that is on the box, using nandpro with -r16 mykv.bin 1 1

Doing it this way, Xell comes up with the power button and I get nothing with the eject button. Once Xell is booted I still get the same error that it cannot read the KV.
 

WestCoastConsoles

Use a program called bincrypt2 and use the rawflash option. Search for a tutorial. You need to encrypt with your CPU key.

Add your CPU key in at the bottom

When you start you will be prompted twice: first for the NAND and second for the KV.

This program will encrypt your new kv with your CPU key and create your image for you.

I have had a ton of success with this prog. Google for tutorial.
 

BaDvs3viL

The more I mess with this I am noticing more issues.

What would happen in this scenario....

Someone didn't know what they were doing and flashed a totally wrong full nand to this box? So I have nothing from the original nand.

I am now noticing when I go in to JTAG Tool and build a FB image with this nand that I now have a working KV in, I get 2 more errors but the image still builds out.

Errors are crl is either crypted or damaged and extended KV was missing or invalid.

I took decrypted files of both the crl and ext kv from my donor nand from a falcon and imported those in and now I don't get those errors and the image builds out. But after flashing that new image, I got no Xell and no boot.
 

Martin C

ok - stop messing with the NAND as it's clear you're just throwing stuff at a wall to see what sticks.

You don't have a valid KV so there's no point you doing anything other than the below:

1. Take a Donor NAND with CPU key. This NAND should be from the same console type and same country (if you want a like-for-like, but you can mess with the config later if it's not).

2. Open this NAND in 360 Flash Dump Tool after adding its CPU key into settings.

3. Click Patch and enter YOUR CPU key at the bottom (encrypt to new CPU key).

4. Save the file as nanddump.bin.

5. Use this and the cpukey to build a freeboot image. Flash to the console.

That should be it.
 

BaDvs3viL

> ok - stop messing with the NAND as it's clear you're just throwing stuff at a wall to see what sticks.
>
> You don't have a valid KV so there's no point you doing anything other than the below:
>
> 1. Take a Donor NAND with CPU key. This NAND should be from the same console type and same country (if you want a like-for-like, but you can mess with the config later if it's not).
>
> 2. Open this NAND in 360 Flash Dump Tool after adding its CPU key into settings.
>
> 3. Click Patch and enter YOUR CPU key at the bottom (encrypt to new CPU key).
>
> 4. Save the file as nanddump.bin.
>
> 5. Use this and the cpukey to build a freeboot image. Flash to the console.
>
> That should be it.

Thanks again sir for your help.

I didn't have the newest version of 360 flash tool that had that option...

So I got it, took the orig donor nand and patched it to this key. Ran it through MB and created my FB. I then read block 17 and patched it into 3FF and then flashed it to the box.

Now I get Xell when I eject. When I power on normal I get E74.

I assume I need a reflow at this point?

Thanks again for all of your help!
 
Proper Reflow needed!
 

Martin C

> Thanks again sir for your help.
>
> I didn't have the newest version of 360 flash tool that had that option...
>
> So I got it, took the orig donor nand and patched it to this key. Ran it through MB and created my FB. I then read block 17 and patched it into 3FF and then flashed it to the box.
>
> Now I get Xell when I eject. When I power on normal I get E74.
>
> I assume I need a reflow at this point?
>
> Thanks again for all of your help!

You didn't need to do the part I put in bold. Open the log file and you'll see that multi_builder does it for you.

If you're still getting E74 then either a reflow or a new GPU is needed.
 

BaDvs3viL

> The way to check is after flashing it to the NAND, dump it again and see what the southbridge is saying about your flash device.

Ok I think this answers that. I went ahead and flashed the nand I created without doing the remapping. Tried the box for giggles and get RROD 0022 with normal and eject. Read the nand back and checked it, it shows a bad block but it's not remapped.

So I guess its reflow time.

Thanks again for your help!