Speculation on the feasibility of hacking the Xbox 360 4G (9.6A Corona board): theory

Now that 9.6A machines can be hacked, the 250G version is still fairly rare, and most people are hoping the 4G version can be hacked as well. The biggest obstacle on the 4G right now is reading the 4G NAND chip: on the 4G board the NAND is a 4GB chip soldered on the back of the board, which is different from the 16M NAND consoles. On the front of the 4G board there is an encryption chip. You can read the 4G NAND contents with a 2148, but because of the encryption chip the NAND file you get is all FF when opened in a hex editor, i.e. it cannot be read correctly. 小亮's idea was to hot-air the NAND chip off and read it directly in a programmer!

[image]

This is where the encryption chip sits.
[image]

The 4G NAND chip is on the back of the board.
[image]

Testing on a dead board first...
[image]

Removed.
[image]

The removed NAND chip placed in the programmer's read socket.
The biggest difficulty at the moment is the programmer: mine does not support this chip. I checked, and programmers that do support this NAND chip, such as the 西尔特 (Xeltek) 5000E, cost at least 3900+ on Taobao. Damn, that's a rip-off. I hope some forum member can tell me where to find such a programmer to help me extract the NAND.
Here is my plan: extract the contents of the 4G NAND chip, use the firmware to synthesize ECC and write it into a 16M NAND, then solder the ECC-written 16M NAND back onto the board and boot XeLL to obtain the CPU key (zhangjiangyi007 on A9 has already confirmed this works). Then extract the KV from the firmware, write it into a 16M Corona NAND file with the same CB, use that NAND file to build a custom firmware, and write it to the 16M NAND soldered onto the console. Since I haven't found a programmer that can read/write the 360 NAND chip, this cannot be confirmed yet.
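As an added example (my own code, not from the original post, nor from nandpro or any tool mentioned on this page): the per-page ECC that the "synthesize ECC and write it into a 16M NAND" step has to produce. A raw 16M small-block dump is 0x8000 pages of 512 data bytes plus 16 spare bytes (17,301,504 bytes), and the SFC flash controller checks a 26-bit ECC stored in spare bytes 0xC..0xF of every page. The function below is my Python transcription of the published SFC algorithm (0x1066 bits fed through an LFSR with polynomial 0x6954559); the sample pages are constructed, not taken from a real dump, and you should confirm that `calc_ecc` reproduces the stored ECC of a page from a known-good dump before trusting it on an image you intend to write back.

```python
# Added example: Xbox 360 SFC per-page ECC for small-block NAND (512 data + 16 spare).
# Not code from the original post or from nandpro; sample data below is constructed.
import struct

PAGE_DATA = 0x200                    # 512 data bytes per page
PAGE_SPARE = 0x10                    # 16 spare bytes per page
PAGE_RAW = PAGE_DATA + PAGE_SPARE    # 0x210 = 528 bytes per raw page
IMAGE_16M_RAW = 0x8000 * PAGE_RAW    # 0x1080000 = 17,301,504 bytes: a raw 16M dump


def calc_ecc(page: bytes) -> bytes:
    """Return a copy of a raw 528-byte page with the 26-bit ECC written into
    spare bytes 0xC..0xF (bits 7..6 of 0xC, all of 0xD..0xF). The low 6 bits
    of spare byte 0xC (FsBlockType) are part of the ECC input and left alone."""
    if len(page) != PAGE_RAW:
        raise ValueError("expected one raw page of 0x210 bytes")
    buf = bytearray(page)
    val = 0
    v = 0
    for i in range(0x1066):          # 512 data + 12 spare bytes + 6 bits, as a bit stream
        if i & 31 == 0:
            (word,) = struct.unpack_from("<I", buf, i // 8)
            v = ~word & 0xFFFFFFFF   # words are consumed inverted, little-endian
        val ^= v & 1
        v >>= 1
        if val & 1:
            val ^= 0x6954559         # LFSR feedback polynomial
        val >>= 1
    val = ~val & 0x3FFFFFF           # final 26-bit value
    buf[0x20C] = (buf[0x20C] & 0x3F) | ((val << 6) & 0xC0)
    buf[0x20D] = (val >> 2) & 0xFF
    buf[0x20E] = (val >> 10) & 0xFF
    buf[0x20F] = (val >> 18) & 0xFF
    return bytes(buf)


def page_ok(page: bytes) -> bool:
    """True if the stored ECC matches the page content (erased 0xFF pages pass)."""
    return calc_ecc(page) == bytes(page)


def scan_image(image: bytes) -> list:
    """Indices of raw pages whose stored ECC does not match their content."""
    if len(image) % PAGE_RAW:
        raise ValueError("length is not a multiple of 0x210; is the spare area missing?")
    return [n for n in range(len(image) // PAGE_RAW)
            if not page_ok(image[n * PAGE_RAW:(n + 1) * PAGE_RAW])]


def rebuild_ecc(image: bytes) -> bytes:
    """Recompute the ECC of every raw page, e.g. after assembling a 16M image
    from data that was taken out of a larger dump."""
    if len(image) % PAGE_RAW:
        raise ValueError("length is not a multiple of 0x210")
    return b"".join(calc_ecc(image[n * PAGE_RAW:(n + 1) * PAGE_RAW])
                    for n in range(len(image) // PAGE_RAW))


def sample_image() -> bytes:
    """Constructed test data (not a real dump): two erased pages and two pages
    of pattern data whose spare area is still zero, i.e. ECC not yet computed."""
    erased = b"\xff" * PAGE_RAW
    page1 = bytes(range(256)) * 2 + b"\x00" * PAGE_SPARE
    page3 = bytes((i * 7) & 0xFF for i in range(PAGE_DATA)) + b"\x00" * PAGE_SPARE
    return erased + page1 + erased + page3


if __name__ == "__main__":
    img = rebuild_ecc(sample_image())
    print("pages with bad ECC after rebuild:", scan_image(img))
```

An erased (all-0xFF) page computes to an all-0xFF ECC, so a dump that reads back as nothing but FF, like the one described above, passes an ECC check while containing no data at all; check for real content, not just for clean ECC.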

Flashing NAND ("fat") PS3s to DEX is no longer a dream!!!

Since my English is not up to much, you'll have to find your own translations!!!!

Below is the guide for flashing a NAND fat console to DEX!!!!

COMPLETE NAND PS3 CEX-TO-DEX GUIDE (by CaptainCPS-X)
THANKS TO:
PS3DevWiki devs, PS3 Scene Devs (past & present), JaiCrab, @butnut , @GraVoX959 , @bleh , Gunner54, DeanK and anyone else I forgot.
SPECIAL THANKS TO:
Any dev who was involved in the original CEX-2-DEX conversion method.
ABOUT MY CEX-2-DEX PACKAGE:
Each guide Step has its own directory, and any needed file(s) will be located there.
UPDATE: New smaller package uploaded in 2 parts to Mediafire.
NAND_CEX2DEX_PACK_v2_CaptainCPSX.part1.rar (199 MB) (MD5: 72845FAD1B23F1A2D7453847684F4576)
NAND_CEX2DEX_PACK_v2_CaptainCPSX.part2.rar (162 MB) (MD5: 600A93E7C7F8D57C008EF84DCB59A8DE)
Red Ribbon RC5 must be downloaded from here:
http://sourceforge.net/projects/redr…5.rar/download
The package includes:
– OtherOS++ CFW 3.55 (SS Patches)(1/2 HDD)
– Petitboot PKG / BIN files
– CEX2DEX (by Gunner54)
– Red Ribbon RC5 ( REMOVED IN NEW PACKAGE, LOOK ABOVE FOR INFO )
– Factory Service Mode Tool v2
– Jaicrab Preloader Advance v3.1
– DEX OFW 4.11

Everything has been structured into directories named STEP_1, STEP_2, etc., for easy handling of files depending on the guide step you are in.
ABOUT THIS GUIDE:
This guide is for NAND PS3 models only. I have done every step on my CECHE01 NAND PS3 console, and everything went well. Please don’t skip any step, and read very carefully. If you don’t read English very well, don’t use Google Translate or any other tool; you could end up bricking your PS3.
UPDATE: This guide has verified and updated information, the one I included as a text file in the RAR package should be used only as reference, consult this guide “online” for precise information.
WHAT PS3 MODELS HAVE NAND?

Code:

CECHA 	COK-001  2x 128MB NAND 	60GB
CECHB 	COK-001  2x 128MB NAND 	20GB
CECHC 	COK-002  2x 128MB NAND 	60GB
CECHE 	COK-002  2x 128MB NAND 	80GB
CECHE	COK-002W 2x 128MB NAND 	80GB
CECHG 	SEM-001  2x 128MB NAND 	40GB

More info here: http://www.ps3devwiki.com/wiki/SKU_Models
ARE YOU GOING TO WRITE A NOR GUIDE?
I will probably make one based on other NOR guides, IF I can make sure it will not fail. I don’t want to lead people to bricks.
WHAT “CAN” BE DONE IF I CONVERT MY CEX TO DEX ?
– more info coming soon, I am currently testing xD LOL! –
WHAT “CANNOT” BE DONE IF I CONVERT MY CEX TO DEX ?
– more info coming soon as well… –
CAN I GO BACK TO CEX AFTER CONVERTING TO DEX ?
– Keep reading below please.
MY DEX-TO-CEX BRICK
– Installed MFW 3.55 DEX (With Peek & Poke enabled)
– Used “Factory Service Mode Tool v2” to put my console in FSM.
– A file was automatically created specifically for DEX to get out of FSM, called “Lv2diag_exit.self”
– I copied my old NAND flash dump “Backuprflash.bin” to my USB device and renamed it to “rflash.bin”
– Copied “JaiCrab Preloader Advance v3.1” files (Lv2diag.self, advance.cfg) to restore “rflash.bin” to my NAND.
– Connected the USB device to my PS3 turned it ON
– Everything went fine, I was on CEX now, the system started in FSM, so I turned it off.
– I connected my USB device to my PC and deleted the “JaiCrab Preloader Advance” files (Lv2diag.self, advance.cfg)
– Renamed the “Lv2diag_exit.self” specifically for DEX to “Lv2diag.self” to exit factory mode.
– Connected the USB device to my PS3 and turned it ON.
– PS3 supposedly went out of FSM based on the generated “factory.txt” log file, but then I got a Blinking Red Light.
– PS3 got bricked “apparently” by using the wrong “Lv2diag.self” to exit FSM, I was supposed to use the one for CEX, not DEX.
NEW UPDATE: The brick apparently didn’t happen because of the Lv2diag.self; both PKG files (DEX / CEX) from FSM Tool v2 contain the same Lv2diag.self. Apparently after flashing my NAND back to CEX I had to install a CEX FW from Factory Service Mode. Exiting FSM before I had installed a CEX FW bricked my NAND PS3.
My recommendation is that if you go to DEX, stay on DEX until it is officially confirmed that you can safely go back to CEX on NANDs.
REQUIREMENTS:
1- NAND PS3 model running CFW/OFW 3.55 or lower.
2- My CEX-2-DEX Package (it includes everything you will need) (NEW LINKS)
* NAND_CEX2DEX_PACK_v2_CaptainCPSX.part1.rar (199 MB) (MD5: 72845FAD1B23F1A2D7453847684F4576)
* NAND_CEX2DEX_PACK_v2_CaptainCPSX.part2.rar (162 MB) (MD5: 600A93E7C7F8D57C008EF84DCB59A8DE)
3- USB Keyboard / Mouse
4- USB Storage Device (FAT32) (with at least 2GB just in case)
5- Patience, Time and the will to convert your PS3 to DEX.
ADVICE: DO NOT SKIP ANY STEP! EVERY STEP AND SUB-STEP IS IMPORTANT!!!
STEP 1 :: INSTALLING OTHEROS++ CFW 3.55
1- Backup important data from PS3 (saves, images, videos, etc…).
2- Check for and remove any disc inserted in the PS3.
3- Turn off your PS3.
4- Connect a USB Storage Device to your PC (FAT32).
5- Copy the directory from “CFW_355_OTHEROS++” to the root of the USB Storage Device.
6- Connect the USB Storage Device to the PS3.
7- Turn on the PS3 in ‘Recovery Mode’ (press power button for 8 seconds, then again until it beeps).
8- Select “System Update” and follow on-screen instructions.
9- After installation is done, turn off your PS3.
10- Turn on the PS3 in ‘Recovery Mode’ (press power button for 8 seconds, then again until it beeps).
11- Choose “Restore PS3 System”.
STEP 2 :: GOING INTO FACTORY SERVICE MODE
1- Connect the USB Storage Device to the PC.
2- Copy the files from “FACTORY_SERVICE_MODE_TOOL_v02” to the root of a USB storage device.
3- Connect the USB Storage Device to the PS3 and install “FactoryServiceMode.gnpdrm.pkg”.
4- Run “Factory Service Mode Tool” from the XMB Game column.
5- If you hear 3 beeps, try it again, it should beep once now and reboot into Factory Service Mode.
6- You can turn off your PS3 for now.
Note: In your USB storage device there will be a file called “Lv2diag_exit.self”, this will be used later to exit FSM.
STEP 3 :: GETTING FLASH DUMP
1- Copy the files from “JAICRAB_PRELOADER_ADVANCE_v31” to the root of the USB Storage Device.
2- Connect the USB Storage Device to the PS3 (to the last USB slot on the right).
3- Turn the PS3 on and wait until it turns off completely; this can take a few minutes.
4- NAND Flash dump will be located in the USB Storage Device as “Backuprflash.bin”
5- Connect the USB Storage Device to your PC.
6- Remove “Lv2diag.self” and “advance.cfg” from the root of your USB Storage Device.
7- Rename “Lv2diag_exit.self” to “Lv2diag.self”.
8- Connect the USB Storage Device to your PS3 and turn it on.
9- Your PS3 should be out of Factory Service Mode.
10- Connect the USB Storage Device to your PC.
11- Remove the “Lv2diag.self” from the USB Storage Device.
UPDATE: If you use Windows and cannot see the flash dump on your USB Storage Device:
* Click the Windows Explorer menu “Tools -> Folder Options”.
* In the new window click the top tab “View”.
* Select “Show hidden files, folders, and drives”.
* Un-check “Hide protected operating system files”.
* Click “OK”.
Now you should see the flash dump “Backuprflash.bin” on the root of your USB Storage Device.

About the JTAG interface used for flashing

What is the JTAG interface?

JTAG (Joint Test Action Group) is an international standard test protocol (IEEE 1149.1 compatible), used mainly for testing inside chips. Most advanced devices today support JTAG, e.g. DSPs and FPGAs. The standard JTAG interface has 4 lines: TMS, TCK, TDI and TDO, which are mode select, clock, data in and data out respectively.
JTAG was originally designed for chip testing. Its basic principle is to define a TAP (Test Access Port) inside the device, through which dedicated JTAG test tools can test internal nodes. JTAG allows several devices to be chained together through their JTAG interfaces into a JTAG chain so that each device can be tested individually. Today the JTAG interface is also commonly used for ISP (In-System Programming) of devices such as FLASH.
JTAG programming is in-system programming: the traditional production flow of pre-programming a chip and then mounting it on the board changes, and the simplified flow is to mount the device on the board first and then program it over JTAG, which greatly speeds up engineering. The JTAG interface can program every component inside a PSD chip.

What is a custom system (homebrew firmware)?

XBReboot is a custom firmware for the Xbox 360 made by hackers abroad. With it you get the following:

1. Bypass the 360's hard drive capacity limit: officially the 360 supports at most 250G; XBR supports installing and playing games from a drive of any capacity (theoretically unlimited...) connected through a drive enclosure or USB.

2. Disc-free gaming: disc games can be installed or copied (the two differ) to the hard drive and launched without the disc in the tray, freeing the optical drive completely and reducing heat.

3. Homebrew support: third-party games, software and emulators run on XBR, so the 360's functionality can be extended without limit!

4. Permanent anti-ban hard drive feature!

5. Connect to KAI through third-party software: 360 players dare not go on LIVE for fear of a console ban; now there is KAI, an unofficial, free online platform.

Personal advice: XBR is a double-edged sword. Unlimited drives, disc-free games and KAI online play undeniably save players a lot of money. But flashing is not as simple as PSP custom firmware: it requires opening the console and modifying hardware, and only consoles on specific system versions can be flashed, so consoles that can be flashed are somewhat pricier. Flashing is also technically demanding, so I don't recommend that ordinary players do it themselves. Only an Xbox 360 that can go on LIVE gives 100% of the fun; players who can afford it should buy legitimate games.

Prerequisites for flashing XBR

Not every 360 can be flashed with XBR; there are some restrictions:

1. The system (dashboard) version must be 7371 or lower, because later versions have patched the JTAG hole, and XBR needs the JTAG hole to run. The latest fall update, or a new game that insists on a system update before it will run (e.g. Tekken 6), will take your system to 8955, and then XBR is out of reach for the time being.

2. Being on 7371 does not guarantee XBR will run; you also need the right CB version, since the JTAG wiring requires a supported CB. Note that the CB version can only be seen after reading out the NAND contents (i.e. open the console, solder the wiring, plus some luck). How to check the CB version is described later.

It seems the CB version can be checked without reading out the whole NAND (this reads one block starting at block 2 into CB.bin; on a 16M NAND that is data offset 0x8000, which is where the CB sits):

nandpro usb: -r16 CB.bin 2 1

The CB versions that can be flashed with custom firmware (i.e. that may be able to use the JTAG hole) are:

Supported CB versions:

Xenon (90nm CPU and GPU, no HDMI): 1888, 1902, 1903, 1920, 1921

Zephyr (90nm CPU and GPU, with HDMI): 4558

Falcon (65nm CPU only): 5761, 5766, 5770

Jasper (65nm CPU and GPU): 6712, 6723

The ones that cannot be flashed:

Unsupported CB versions (all of these have CD = 8453)

Xenon (90nm CPU and GPU, no HDMI): 1922, 1923, 1940

Zephyr (90nm CPU and GPU, with HDMI): 4571, 4572, 4578, 4579

Falcon/Opus (65nm CPU only): 5771

Jasper (65nm CPU and GPU): 6750
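As an added example (my own code, not from the original post or from nandpro): pull the CB version out of a dump and check it against the lists above, so the go/no-go decision can be made from CB.bin before any JTAG wiring goes in. It accepts either the one-block CB.bin produced by the nandpro command above or a full raw dump, and assumes the standard layout: a flash header with magic 0xFF4F at offset 0 and the CB offset as a big-endian u32 at 0x08 (0x8000 on retail 16M images), and a bootloader header consisting of the ASCII magic "CB" followed by a big-endian u16 version. Raw nandpro dumps carry 16 spare bytes after every 512 data bytes; whether the spare area is present is inferred from the file length, which is a heuristic. The sample images are constructed, not real dumps.

```python
# Added example: read the CB (2BL) version from a raw NAND dump or a CB.bin
# block read, and look it up in the CB lists from this page. Not nandpro code.
import struct

PAGE_DATA, PAGE_RAW = 0x200, 0x210   # 512 data bytes, 528 bytes with spare

# From the lists above: CB version -> (board, JTAG-exploitable)
CB_VERSIONS = {
    **{v: ("Xenon", True) for v in (1888, 1902, 1903, 1920, 1921)},
    4558: ("Zephyr", True),
    **{v: ("Falcon", True) for v in (5761, 5766, 5770)},
    **{v: ("Jasper", True) for v in (6712, 6723)},
    **{v: ("Xenon", False) for v in (1922, 1923, 1940)},
    **{v: ("Zephyr", False) for v in (4571, 4572, 4578, 4579)},
    5771: ("Falcon/Opus", False),
    6750: ("Jasper", False),
}


def has_spare(image: bytes) -> bool:
    """Heuristic: raw dumps (with spare) are multiples of 528 bytes; data-only
    images of 16M/64M are not (0x1000000 % 0x210 != 0)."""
    return len(image) % PAGE_RAW == 0


def read_data(image: bytes, off: int, size: int, spare: bool) -> bytes:
    """Read `size` data bytes at logical data offset `off`, skipping spare bytes
    when the image is raw (data offset -> raw offset: page*528 + offset-in-page)."""
    if not spare:
        return image[off:off + size]
    out = bytearray()
    while len(out) < size:
        page, inpage = divmod(off, PAGE_DATA)
        take = min(size - len(out), PAGE_DATA - inpage)
        start = page * PAGE_RAW + inpage
        out += image[start:start + take]
        off += take
    return bytes(out)


def cb_version(image: bytes) -> int:
    """CB version from a full dump (follows the flash-header entry offset) or
    from a block dump that starts directly at the CB header."""
    spare = has_spare(image)
    head = read_data(image, 0, 0x10, spare)
    if head[:2] == b"CB":                                # CB.bin from block 2
        cb = head
    elif struct.unpack(">H", head[:2])[0] == 0xFF4F:     # full image
        (entry,) = struct.unpack(">I", head[8:12])
        cb = read_data(image, entry, 0x10, spare)
        if cb[:2] != b"CB":
            raise ValueError("no CB header at flash-header entry 0x%X" % entry)
    else:
        raise ValueError("neither a flash header nor a CB header at offset 0")
    return struct.unpack(">H", cb[2:4])[0]


def classify(version: int):
    """(board, exploitable) from the page's lists, or None if not listed."""
    return CB_VERSIONS.get(version)


def _to_raw(data: bytes) -> bytes:
    """Constructed test helper: append 16 bytes of 0xFF spare after each 512-byte page."""
    pages = [data[i:i + PAGE_DATA].ljust(PAGE_DATA, b"\xff")
             for i in range(0, len(data), PAGE_DATA)]
    return b"".join(p + b"\xff" * 0x10 for p in pages)


def _cb_header(version: int) -> bytes:
    # "CB", version, flags, entry, size; values other than version are placeholders
    return b"CB" + struct.pack(">HIII", version, 0, 0, 0)


def sample_image(version: int, raw: bool = True) -> bytes:
    """Constructed (not a real dump): flash header with entry 0x8000 and a CB
    header at data offset 0x8000 carrying `version`; 65 data pages in total."""
    hdr = struct.pack(">HHHHII", 0xFF4F, 0, 0, 0, 0x8000, 0x10).ljust(0x8000, b"\x00")
    data = (hdr + _cb_header(version)).ljust(0x8200, b"\x00")
    return _to_raw(data) if raw else data


def sample_block(version: int) -> bytes:
    """Constructed: what a one-block raw read starting at the CB looks like (16896 bytes)."""
    return _to_raw(_cb_header(version).ljust(0x4000, b"\x00"))


if __name__ == "__main__":
    for img in (sample_image(5770), sample_block(6750)):
        v = cb_version(img)
        print(v, classify(v))
```

Run it on both CB.bin and a full dump of the same console; the two must agree, which doubles as a cheap check that the raw-offset arithmetic (and the block you actually read) is right before you trust the result.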