I. Introduction
================

freeBOOT is a rebooter for the Microsoft Xbox 360. This version of freeBOOT allows you to reboot into kernel 2.0.8955 on all Xenon, Zephyr, Falcon, and Jasper consoles with 16MB flashes, which are vulnerable to the JTAG hack. Support for Opus and Jasper consoles with larger flashes will follow soon.

As freeBOOT needs a second flash memory to store kernel 2.0.8955 and associated data, either a Cygnos360 or an xD card mod is required at the moment.

II. Bug Fixes
=============

- Hard disk installation and save game/profile issues have been fixed

III. New Features
=================

- updated to kernel 8955
- additional support for Zephyr and Jasper consoles with 16MB flashes
- support for xD card mod and Cygnos360 V1 added
- hard disk authentication disabled
  The Xbox 360 will now accept any SATA hard disk.
- removed XEX signature checks
  Execution of unsigned devkit and retail XEXes is now possible. Encrypted devkit XEXes must be decrypted with XexTool prior to use.
- removed LIVE/PIRS signature checks
  The dashboard will now run applications from unsigned LIVE/PIRS containers.
- extendable patch system
  Researchers/hackers can now try new patches easily. Please refer to "src\patches_kernel_8955.S" for more information.

IV. Instructions
================

Read these instructions carefully and follow them exactly. Failing to do so may render your Xbox 360 unusable!

1. Extract the contents of this archive to a directory of your choice. All file and directory names in the following steps are given relative to that directory.

2. Update your Xbox 360 to kernel 2.0.7371 (Fall 08 Update). If your Xbox 360 has already been updated to a newer kernel, you can proceed to the next step. The update process will not succeed with resistor R6T3 desoldered. In that case, resolder resistor R6T3 before starting the update process.

   *************************************************************************
   *** Make sure you do *NOT* update to kernel 2.0.8xxx, since this will ***
   *** fix the JTAG hack vulnerability. Check the update before!         ***
   *************************************************************************

3. *************************************************************************
   *** If present, desolder resistor R6T3 to prevent any accidentally    ***
   *** applied update fixing the JTAG hack vulnerability.                ***
   *************************************************************************

4. Save an image of your flash memory to the file "bin\7371.bin".

5. In case you don't already know your Xbox 360's CPU key, retrieve it now. There are various ways to accomplish this, but they will not be covered here.

6. Extract the contents of your "bin\7371.bin" image with ibuild now. Launch ibuild with the following parameters:

   > ibuild x -d data\ -b <1BL key> -p <CPU key> bin\7371.bin

   Replace <1BL key> with the 1BL key and <CPU key> with the CPU key matching your "bin\7371.bin" image. Enter both 16 byte keys as hexadecimal numbers without leading "0x". Data previously extracted with 360 Flash Tool can no longer be used.

7. Delete all files from the "data" directory except:

   - crl.bin
   - crl.bin.meta
   - extended.bin
   - extended.bin.meta
   - kv.bin
   - odd.bin
   - odd.bin.meta
   - secdata.bin
   - secdata.bin.meta
   - smc.bin
   - smc_config.bin

8. The remaining files necessary to build an image with kernel 2.0.8955 must be extracted from an image of an updated Xbox 360, further on referred to as "bin\other8955.bin". Please do *NOT* update your Xbox 360 to kernel 2.0.8955, otherwise you will lose the ability to run the JTAG hack and freeBOOT. Launch ibuild with the following parameters:

   > ibuild x -d tmp\ -b <1BL key> -p <CPU key> bin\other8955.bin

   Replace <1BL key> with the 1BL key and <CPU key> with the CPU key matching the "bin\other8955.bin" image.

9. Copy the following files from the "tmp" to the "data" directory:

   - aac.xexp[1,2]
   - aac.xexp[1,2].meta
   - bootanim.xex
   - bootanim.xex.meta
   - bootanim.xexp[1,2]
   - bootanim.xexp[1,2].meta
   - cb_[1940, 4579, 5771, 6750].bin
   - cd_8453.bin
   - ce_1888.bin
   - cf_8498.bin
   - cg_8498.bin
   - createprofile.xex
   - createprofile.xex.meta
   - createprofile.xexp[1,2]
   - createprofile.xexp[1,2].meta
   - dash.xex
   - dash.xex.meta
   - deviceselector.xex
   - deviceselector.xex.meta
   - deviceselector.xexp[1,2]
   - deviceselector.xexp[1,2].meta
   - gamerprofile.xex
   - gamerprofile.xex.meta
   - gamerprofile.xexp[1,2]
   - gamerprofile.xexp[1,2].meta
   - hud.xex
   - hud.xex.meta
   - hud.xexp[1,2]
   - hud.xexp[1,2].meta
   - huduiskin.xex
   - huduiskin.xex.meta
   - mfgbootlauncher.xex
   - mfgbootlauncher.xex.meta
   - mfgbootlauncher.xexp[1,2]
   - mfgbootlauncher.xexp[1,2].meta
   - minimediaplayer.xex
   - minimediaplayer.xex.meta
   - minimediaplayer.xexp[1,2]
   - minimediaplayer.xexp[1,2].meta
   - nomni.xexp1
   - nomni.xexp1.meta
   - nomnifwm.xexp1
   - nomnifwm.xexp1.meta
   - signin.xex
   - signin.xex.meta
   - signin.xexp[1,2]
   - signin.xexp[1,2].meta
   - updater.xex
   - updater.xex.meta
   - updater.xexp[1,2]
   - updater.xexp[1,2].meta
   - vk.xex
   - vk.xex.meta
   - vk.xexp[1,2]
   - vk.xexp[1,2].meta
   - xam.xex
   - xam.xex.meta
   - xam.xexp[1,2]
   - xam.xexp[1,2].meta
   - xenonclatin.xtt
   - xenonclatin.xtt.meta
   - xenonclatin.xttp[1,2]
   - xenonclatin.xttp[1,2].meta
   - xenonjklatin.xtt
   - xenonjklatin.xtt.meta
   - xenonjklatin.xttp[1,2]
   - xenonjklatin.xttp[1,2].meta
   - ximecore.xex
   - ximecore.xex.meta
   - ximedic.xex
   - ximedic.xex.meta
   - ximedic.xexp[1,2]
   - ximedic.xexp[1,2].meta

   "[A, B]" means the file name contains either "A" or "B" at that position.

10. Now you can build your kernel 2.0.8955 image with ibuild. To do so, launch ibuild with the following parameters:

    > ibuild c -c <console> -d data/ -b <1BL key> -p <CPU key> ./bin/my8955.bin ./bin/fuses.bin

    Replace <1BL key> with the 1BL key and <CPU key> with the CPU key matching your "bin\7371.bin" image. Since ibuild currently supports neither Opus consoles nor Jasper consoles with large flashes, the valid parameters for <console> at the moment are "xenon", "zephyr", "falcon", and "jasper".

    When ibuild completes successfully, you will find two new files in the "bin" directory. The file "bin\my8955.bin" contains your newly built kernel 2.0.8955 image, which will be booted by freeBOOT. The file "bin\fuses.bin" contains the virtual fuse settings used by freeBOOT.

11. In order to build the freeBOOT image, Python is needed. If you already have Python installed, you can proceed to step 12. The easiest way to run Python scripts under Windows is to install Cygwin. You can download the Cygwin setup from here:

    http://www.cygwin.org/cygwin/

    Install Cygwin to any directory of your choice along with these packages:

    - python
    - python-crypto

12. Open "build.py" with a text editor and look for these two lines:

    # you need to fill in this
    secret_1BL = None

    Replace "None" with the 1BL key. This example shows you the format in which the key has to be entered. The key itself is wrong.

    secret_1BL = "\x01\x0F\x0E\x0C\x0E\xD6\x69\xE7\xB5\x67\x94\xFB\x68\x56\x3E\xFA"

13. The freeBOOT image can now be built. Open a Cygwin shell and change to the directory into which you extracted the contents of this archive. Launch the Python build script with the following parameters:

    > python build.py bin/<console>_hack.bin smc.bin

    The "bin\<console>_hack.bin" image is a standard JTAG hack image and can be found at the usual places. The "smc.bin" is a patched SMC generated by the Cygnos toolbox. When the build process finishes successfully, a new image "bin\hack.bin" can be found.

14. Program "bin\my8955.bin" to the Cygnos360 flash memory and "bin\hack.bin" to the Xbox 360 flash memory.

15. Power on your Xbox 360. If everything went correctly, you should see the blue LED light up a few seconds later, followed by the usual boot animation. If you power on your Xbox 360 with the DVD tray eject button, XeLL will be loaded instead.

VI. What's Next
===============

- support for Opus consoles and Jasper consoles with large flashes
- further removal of security system restrictions
- easier build process

VII. Credits
============

My gratitude goes to all those who helped me get this new release done.

-----
ikari, 2009/11/21
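Addendum to the instructions above: an added helper script (not part of freeBOOT or ibuild) that checks the key format steps 6 and 12 require, renders a key in the escaped-string form build.py uses for secret_1BL, and resolves the "[A, B]" file-name patterns of the step 9 copy list against a directory listing of "tmp". The listing in the `__main__` block is constructed sample data, and the key is the deliberately wrong example key from step 12.

```python
from __future__ import annotations
import re
from itertools import product

KEY_BYTES = 16  # the 1BL key and the CPU key are both 16-byte values
_ALTS = re.compile(r"\[([^\]]*)\]")  # matches one "[A, B, ...]" group


def parse_key(text: str) -> bytes:
    """Accept a key written as 32 hex digits without a leading "0x"."""
    if text.lower().startswith("0x"):
        raise ValueError("enter the key without a leading 0x")
    if not re.fullmatch(r"[0-9a-fA-F]{%d}" % (KEY_BYTES * 2), text):
        raise ValueError("key must be exactly %d hex digits" % (KEY_BYTES * 2))
    return bytes.fromhex(text)


def key_literal(key: bytes) -> str:
    """Render a key in the escaped-string form build.py uses for secret_1BL."""
    if len(key) != KEY_BYTES:
        raise ValueError("key must be %d bytes" % KEY_BYTES)
    return '"' + "".join("\\x%02X" % b for b in key) + '"'


def expand(pattern: str) -> list[str]:
    """Turn "cb_[1940, 4579].bin" into ["cb_1940.bin", "cb_4579.bin"]."""
    groups = [[a.strip() for a in m.group(1).split(",")]
              for m in _ALTS.finditer(pattern)]
    template = _ALTS.sub("{}", pattern)
    return [template.format(*choice) for choice in product(*groups)]


def select_for_copy(required, present):
    """Resolve the step 9 list against a listing of "tmp".
    Returns (concrete names to copy, patterns with no matching file)."""
    to_copy, missing = [], []
    for pattern in required:
        hits = [n for n in expand(pattern) if n in present]
        if hits:
            to_copy.extend(hits)
        else:
            missing.append(pattern)
    return to_copy, missing


if __name__ == "__main__":
    # Constructed sample listing of "tmp"; not a real extraction.
    listing = {"aac.xexp1", "aac.xexp1.meta", "cb_6750.bin", "dash.xex"}
    wanted = ["aac.xexp[1,2]", "aac.xexp[1,2].meta",
              "cb_[1940, 4579, 5771, 6750].bin", "cd_8453.bin", "dash.xex"]
    print(select_for_copy(wanted, listing))
    print(key_literal(parse_key("010F0E0C0ED669E7B56794FB68563EFA")))
```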