Need help reverting zephyr jtag to stock...

[Norcal Reballer 707]

Sounds weird, right?

Have a jtag here that I just want to use online. It had original smc wiring going but was shoddy and threw up e79 non stop when I got it. I rewired it with aud_clamp&dvd tray and it booted every time.

Anyways, I'm trying to flash it back to stock and don't have the original nand of course. Every time I do that though I get 0022... It boots fine with jtagged nand/wiring.

Downloaded the clean nand from jtag tool. CB matches and smc is 1.10 so should be fine...

CB is 4558 and LDV is 4

I tried using nandpro to extract the rawkv and rawconfig then injected them into the clean nand to no avail.... Also tried jtag tool but of course did the same thing.

Even tried messing with the smc version(noob status never needed to..)

Tried patching the ldv to 4. The clean nand says 6 and 7 so I thought it would work since its higher than 4 although, I did change it to 4 and it didn't work... Also changed to 3 and 4. Haven't messed with LDV too much. Only for going from rgh to retail but had zero problems with that.

Please keep in mind that I'm not a complete noob. I know this is a weird question though. Any help would be greatly appreciated, thanks!

 

[Martin C]

What you're trying will not work. Use your jtag image to make a retail image in multi builder, taking care that your LDV matches. Job done.

 

[Norcal Reballer 707]

Thanks for the quick reply. I actually tried multibuilder first. Problem with that is that it makes the nand with a cb or 4578 or 4579 and I got 0022 with that as well. This one is still exploitable. I read somewhere that I would need to make an original with 7371 of less due to the cb.

Dude, I even went as far as retagging it and trying to run the official 14699 update thinking it would patch the cb but it wouldn't update. Sounds so goofy. Definitely not something I've ever thought of before lol.

I know this whole thing sounds stupid and I appreciate your help.

 

[Martin C]

Thanks for the quick reply. I actually tried multibuilder first. Problem with that is that it makes the nand with a cb or 4578 or 4579 and I got 0022 with that as well. This one is still exploitable. I read somewhere that I would need to make an original with 7371 of less due to the cb.

Dude, I even went as far as retagging it and trying to run the official 14699 update thinking it would patch the cb but it wouldn't update. Sounds so goofy. Definitely not something I've ever thought of before lol.

I know this whole thing sounds stupid and I appreciate your help.

What exactly did you try with multi-builder?

 

[Norcal Reballer 707]

Used a clean nand with my cpukey and kv and made a retail nand.

I've done it a few times with no problems but all the consoles were 13604+.

Is there something else you have to do for less than 7371? I can post my files. Thanks again

 

[Martin C]

So what LDV does your JTAG image have and what is XeLL telling you?

If they're different, how are you correcting it?

 

[Norcal Reballer 707]

Xell says LDV=4 Multibuilder says 4 when its done so I know my setting is right.

I tried multibuilder .4 first but clearly says for zephyr its either cb 4578 or cb 4579. The nand it built had 4578 cb. Same thing when I used multibuilder .7.

Is this the goofiest way to spend time or what? I've done this with update errors(non flashed consoles)with rgh and it worked just fine every time with multibuilder.

I'm thinking its the cb and the fact the efuse stuff is still intact? The cb matched when I rebuilt the retail with the clean nand I downloaded from jtag tool. The ldv didn't. Thats when I tried to use 360 flash tool to patch the ldv and says it worked but still 0022. I've never used any of the patch functions in 360 flash tool.

Thanks again dude.

 

[Martin C]

ok, so you need a 7371 donor NAND from a zephyr complete with CPU key.

decrypt your kv and inject into the donor NAND. Do the smc-config while you're there.
re-encrypt the NAND with your CPU key and change the pairing data/LDV to match your console.

When flashed it should boot.

 

[Norcal Reballer 707]

Thanks again dude! Do I use nandpro for that? That sounds exactly like what I dis before... How do you patch ldv correctly?

You're talking about getting rawkv and rawconfig with nandpro then writing those to the donor 7371 nand correct? On my phone ap I'm all over the place sorry...

I'm a bit of a reverting Noob lolol.

 

[Norcal Reballer 707]

BTW, smc is 2.3 on jtag nand and 1.10 on stock. Not sure if that matters.

EDIT:Crap.. I see now. I was on my phone and in a rush... So I actually need a clean nand WITH the matching cpu key then inject the new info like I did before? My noob status is kicking in again. I'll do some research. Not sure what to do after that even though what you said made perfect sense.

I'll check it out. Thanks again and sorry for wasting posts...

EDIT2:I also don't know the original pairing data.. Its all 0's on the hacked image. I'm only going to go a little farther with it. Luckily, my business is slow lol. I'd sell it if it wasn't a POS.

 

[Martin C]

You may not need the PD to match, as long as the donor NAND's PD location has the right CF details (if it's from a working console then it should be ok).

Forget about SMC versions as the hacked SMC for JTAG consoles is universal per console type.

Everything you need to do should be in 360 Flash Dump Tool.

A 7371 donor NAND should work. A 7371 donor NAND with the same CB would be better.

 

[Norcal Reballer 707]

Cool thanks. I'll try it and post back. Thanks again for all your help.

EDIT:Tried again. All the nand info looks perfect but still 0022. I'll retag it and just keep it like that. I appreciate the help.