JTAG Attempt - Stumped

[Johnny8675309]

I recently acquired a JTAG-able Zephyr 360 Mfg in 2007 running 2.0.7371.0 with a CB of 4558. Initially I built the cable and kept getting sequential read errors even though it was talking to the NAND. I re-did all of the wiring about 4 times resulting in the most recent 5th being run through a breadboard so it would be easier to check continuity throughout the entire circuit. Sure enough the most recent revision worked and I dumped the NAND using Nandpro 20d numerous times with different file names ex Nand1, Nand2... and so on I checked them for consistency using and the first few tries didn't match up how ever two sequential dumps further down the line were identical, Keep in mind I didn't receive any errors from any of the NAND dumps.

I tried to open one of the two matching dumps in Degraded 1.1 and got the file error so I changed the 2007 to 2005 and it opened right up resulting in me finding out it was an exploitable CB. I extracted the KV as well as the Config and injected them into XBR for the zephyr the first time I used one from the Instructables guide and wrote that to the NAND. This resulted in a single red light in the bottom right of the ring of light - E79. I assumed it was a bad flash so I tried it a few more times with the same XBR and got the same thing. So then I used Xbins to get the XBR under "Xbox 360/development/XBRebooter/" and injected the key into that followed by a flash and this time I received the all too common RRoD which I believe is another bad flash. Now I'm stuck with something like 15 NAND dumps a few of which are identical with the exception of the 2007 to 2005 edit. I have 3 KV dumps which are identical as well as 2 identical config dumps. I've tried flashing back to the matching NAND dumps and get the E79 at this point I'm thinking I'm completely screwed with a brick. If anyone could help me figure out how to complete the JTAG or at the very least back to a stock NAND I would greatly appreciate it.

 

[Martin C]

"I re-did all of the wiring about 4 times resulting in the most recent 5th being run through a breadboard so it would be easier to check continuity throughout the entire circuit. Sure enough the most recent revision worked and I dumped the NAND using Nandpro 20d numerous times with different file names ex Nand1, Nand2... and so on I checked them for consistency using and the first few tries didn't match up how ever two sequential dumps further down the line were identical, Keep in mind I didn't receive any errors from any of the NAND dumps"


Here's the problem. Your read/write equipment is obviously at fault. Think of it this way - if it took you this many reads to get a consistent read, how can you be sure you're writing back ok? I would have stopped after I couldn't get a consistent dump easily.

E79 and single red light are not synonymous when it comes to JTAG. if you're not seeing anything on screen, then it's possible the SMC isn't firing it up. What JTAG wiring are you using?

Remember that Zephyrs are the most problematic version for JTAG'ing. You would need to think about the AUD_CLAMP SMC patch and wire it accordingly. Normal wiring should work with it though, so you should get something.

Before you go any further though, get yourself a proper USB SPI flasher. It will save you hours of frustration.

 

[siiNNiiSTer]

ye trust me from exp.... lpt method sux! i have a falcon mobo here that wuz my first attempt @ jtagging and i almost ruined it. im waiting on my tax return to buy a nand -X kit. u should look into getting one yourself itll save u the headache of trying to redo soldering eventually u might damage something from all the soldering. n try the alt jtag points as they're more reliable

 

[Johnny8675309]

Yeah sorry forgot to mention it was the LPT method. I'll order one on Monday but my only concern now is if my cable was at fault and all of those dumps are bad even though a few match as well as the kv and config files am I in trouble since I might not have any good original nand to dump back as the recovery method mentioned in many different tuts? I just don't want to have waste money if the 360 is a lost cause.

 

[Martin C]

Yeah sorry forgot to mention it was the LPT method. I'll order one on Monday but my only concern now is if my cable was at fault and all of those dumps are bad even though a few match as well as the kv and config files am I in trouble since I might not have any good original nand to dump back as the recovery method mentioned in many different tuts? I just don't want to have waste money if the 360 is a lost cause.

If it's JTAG'able, it's still salvageable. Remember, you don't need a working KV to get into XeLL. Once you have the CPU key, you can look at using it to extract one of the good NAND dumps you have or at least encrypt a donor KV. If you removed R6T3, you should still be ok.

BTW, you didn't mention what JTAG wiring method you're using.

 

[Johnny8675309]

http://mod360s.com/jtag-tutorial.html?start=1

That is what I started off with even added the diodes in the correct direction. At this point I have a breadboard in between the two cables with the resistors and diode connecting the wires.

 

[Martin C]

http://mod360s.com/jtag-tutorial.html?start=1

That is what I started off with even added the diodes in the correct direction. At this point I have a breadboard in between the two cables with the resistors and diode connecting the wires.

Yes, but you still need to fit the JTAG wiring to the motherboard. This is just for reading/writing of the NAND. Which method have you gone for?

 

[Johnny8675309]

I added a jumper on J2D2 between 4 and 7. Ran an IN4118 diode from J2D2 pin 1 to DBF1 and another from J2D2 pin 2 to pin 2 on the ROL board. Now that I'm looking over it I saw that I had the two diodes going to the wrong places. Pin 1 goes to pin 2 on the ROL and Pin 2 goes to DBF1. Could that be the reason I kept getting an error when trying to boot into Xell?

 

[Martin C]

I added a jumper on J2D2 between 4 and 7. Ran an IN4118 diode from J2D2 pin 1 to DBF1 and another from J2D2 pin 2 to pin 2 on the ROL board. Now that I'm looking over it I saw that I had the two diodes going to the wrong places. Pin 1 goes to pin 2 on the ROL and Pin 2 goes to DBF1. Could that be the reason I kept getting an error when trying to boot into Xell?

No, J2D2.1 goes to DB1F1 and J2D2.2 goes to the ROL board as you have it. However, the Diodes must be the right way round, so the 'band' on the diode is the opposite end of what's connected to J2D2.

 

[Johnny8675309]

My mistake I misspoke on the diagram I'm looking at they're wired the way you described. I had the two swapped around. While I have the 360 out of the case do you recommend I remove R6T3? I flashed one of the matching NANDs back to the 360 and now it boots back up as if nothing was ever changed. Does it matter at which point in the JTAG process I remove R6T3?

 

[Martin C]

Yep, remove R6T3 as you don't need it now. It doesn't matter when you remove it, just make sure you don't try and update a new dashboard with it there (even while it's JTAG'd).

So it's working again now? Excellent! You might want to look at using this diagram instead of the Diode method. It also mentions using AUD_CLAMP which is far more reliable on Zephyrs than the standard way.

http://www.boxxdr.com/boxxdrjtag.html

Remember that IF you go for the AUD_CLAMP method, to ensure whatever way you build the JTAG image, you choose the option for AUD_CLAMP SMC patching.

 

[Johnny8675309]

Yeah I saw that a while ago when determining which tutorial I would follow but wasn't sure if it was needed as many tuts use the diode method. Thank you so much I can't thank you enough. I'm so relieved I didn't ruin it. I'll see if I have the parts at my local Radioshack.

 

[Martin C]

I'm glad you've gotten it working again