TouchingVirus Registered User

I get a few private messages and there are plenty of posts here on the forum about the xbox 360 JTAG. With that in mind, here's a condensed version of what you need to know, and what you need to do to get up and running with your very own JTAG.

Please note that a more thorough/complete guide is available here.

Can my console be JTAG'd?

The key to the JTAG is the version of the console's 2nd level bootloader (CB). Certain bootloaders are vulnerable to exploitation, others are not. A massive indicator as to the eligibility of the console for the JTAG is the dashboard version you are running. Go to the System Settings menu, then Console Settings and then System Information. You will see the "Dashboard version" on the right. You need a dashboard version of 2.0.7371 or lower before you begin. If the dashboard version is higher (e.g. 2.0.8955, 2.0.9199 etc) then you cannot JTAG.

Following the dashboard check, you need to check the console's manufacturing date/service date which is printed on a sticker above the A/V or HDMI ports. Microsoft began updating the bootloader to an unexploitable version on new consoles in June 2009. So if your console has a manufacturing date or service date before June 2009 (in addition to the dashboard version of 2.0.7371 or lower) then it's almost a certainty that you can JTAG.

There are a few exceptions to the June 2009 general rule. I have a console here that was sent to Microsoft for an RROD repair and came back with the date July 28th 2009 and it had dashboard 2.0.7371 and the old bootloader - it is JTAG'd. I also have one that came back dated August 5th 2009 with dashboard 2.0.7371 but it has the new bootloader and cannot be JTAG'd. I have consoles here with manufacturing dates of 10th June 2009 and 16th June 2009, both of which are JTAG'd. Even still, purchasing a June 2009 console for the JTAG is risky and I would strongly advise against it. If you must purchase one, purchase one with a date as early into June as you can.

I have the right dashboard version but the date is June/July 2009, what now?

There's a very high chance you cannot JTAG. The only way to be 100% sure is to read the xbox 360's memory, and use a program called 360 Flash Tool to get your 2BL (bootloader, CB) version if you took a full memory dump, or a hex editor if you took a 2MB dump.

I have the wrong dashboard version, what now?

It's the end of the road for that console. It took years to figure the first exploit out, and now that it's patched there is very little chance of finding another one. I definitely wouldn't be holding my breath. Go find another console.

Reading/Writing to the Xbox 360's NAND (memory)

Reading the 360's memory is done over LPT port or USB.

LPT is an ancient standard and many newer computers (and laptops) do not have LPT ports. You need what's known as a "native" port, that is one that's built into the laptop or motherboard. There may be sporadic reports of somebody buying an LPT expansion card and that working but it is taking a risk, it probably won't work. LPT is slow, much slower than USB. A 16mb memory dump over LPT takes approximately 40 minutes. For arcade consoles (256MB/512MB internal storage) you need to dump the first 64MB, which will take 3 hours over LPT. LPT is also prone to problems caused by poor soldering, interference and device polling. That isn't to say it can't be done, my first JTAG was performed over LPT.

USB is much faster than LPT. Dumping with a PIC18F2555 board with a 12MHz crystal and a 64MB nand takes 35-40 minutes and a 16MB nand takes 6 minutes. There are faster solutions out there, like the Nand-X by Xecutor that can dump a 16MB nand in around 2 minutes. USB is less affected by interference and is generally less fussy than the LPT reader in a "It just works" kinda way.

Personally I would recommend USB, though that usually involves a pricey enough sum to buy the USB reader/flasher - €25-€30, or more in the case of the Nand-X. You can try build your own PIC-based USB flasher, but I've tried and failed, as have a few others on here - maybe we're crap builders

The guide I linked to has information about LPT/USB readers and how to build them.

There are two headers on the xbox 360 motherboard, they are labelled J1D2 and J2B1. You need to solder 4 wires to J1D2 and 2 wires to J2B1, no matter what method you choose. In addition to this, you need a ground wire which can be taken from any ground point. I choose to use the little thin stems from the outside of any xbox 360 connector port (e.g. the AV port, the hard drive port, the memory unit port). This is because heating them up to flow the solder is much easier than heating other suggested ground points (for example J1D2.6, or J2B1.12).

Up-close look at J1D2, complete with numbering for the nand reader:

This is J2B1:

Here's a picture of a Falcon motherboard hooked up to my nand reader:


So you've hooked up a nand reader. Your next step is to get a copy of Nandpro, the latest version at the time of writing is 2.0e. Put the power plug into your console, but do not turn it on. You just want the console in standby mode.

To begin the JTAG you need to take a backup of some data off your console, including the all important keyvault.

To do this there are two ways, one is to take a dump of the first 2MB of memory, install Xellous and then take a dump of the rest by hooking up the xbox and computer with a network cable. The other is to take a full backup from your reader (highly recommended for all consoles). I'm going to go with dumping the first 2MB of the nand and checking the CB version first to see if the console is JTAGable. I'll follow with a full backup after that. If you want to try dumping the rest of the nand over HTTP (may or may not work) then go to the next section after dumping the first 2MB and the Keyvault, you can skip the bit about dumping 16 or 64MB. If the HTTP dump doesn't work, come back here and take the full backup.

Open a command prompt (Start->Run->cmd.exe) and change directory to to wherever you extracted nandpro (e.g. "cd c:\xbox\nandpro") and type the following (replace usb: with lpt: where necessary)

nandpro usb: -r2 2mb_dump1.bin

This will use USB to read the first 2MB of your nand into the file 2mb_dump1.bin.

If you get an error about "Could not detect flash controller" there is a problem with your reader so check your soldering with a multimeter, ensure you have the right drivers installed for USB etc etc. This isn't a troubleshooting guide so start your own thread here on the forum and we'll try help, or check out the big guide at the top of the post. If you have any bad blocks within the first 50 blocks of your nand when reading it, then you may have issues getting Xellous working so create your own thread and we'll look at your problem. Make sure to create a thread if you've got a bad block at block #1 (your Keyvault). If you have more than 32 bad blocks, something is wrong with your reader.

What you should see is something like the following image which is from my first JTAG (using LPT):

Keep an eye on the FlashConfig value, valid ones are : 01198010, 00AA3020 and 00023010. Google any other value to see if it's common or a problem. You don't want to take a botched dump.

Run the same command again changing dump1 to dump2. Do not unplug the console between dumps. Now you've two separate reads of the nand. Next, run the following command:

fc 2mb_dump1.bin 2mb_dump2.bin

This will compare the two files to each other. They need to be the same. FC should state no file differences found. If they are not the same, and FC reports a few changes between the files then dump a third time, checking your wires etc for problems. You need matching dumps. If they don't match, re-check your wires and reader and dump again until you have two (or ideally 3) matching dumps. That way you can be pretty sure you got a valid dump.

Open up a hex editor and then open up your 2MB nand dump. Press the find button, make sure ASCII is selected, and type CB. It should bring you to line number 8400 where there first two numbers are 43 42 (which is CB in Hex). Take note of the next two numbers. In the following picture, they are 1a 43:


Open up the Windows Calculator (Start->Run->calc.exe) then press View->Programmer. Make sure the radio button for Hex is pressed, then type in the numbers you have (no space required). Then click DEC to convert it into decimal. 1a43 converts to 6723 in decimal, which is a vulnerable CB.

Exploitable CB versions

Xenon: 1921 or lower is Exploitable (exception: 8192 IS EXPLOITABLE)
Zephyr: 4558 or lower is Exploitable (exception: 4580 IS EXPLOITABLE but needs falcon version of Free60)
Falcon: 5770 or lower is Exploitable
Jasper 16mb: 6712 or lower is Exploitable
Jasper Arcade (256/512): 6723 or lower is Exploitable

If your CB is not here, it isn't exploitable. Put your console back together, the dream is over. But if the show must go on...

The full backup via NANDpro

This tells nandpro to use the USB reader, -r means read so -r16 = read 16MB and xbox_backup.bin is the file it's going to read to.

nandpro usb: -r16 xbox_backup1.bin

There are 3 types of memory size in use in xbox consoles, 16MB, 256MB and 512MB. Most older consoles have 16MB only, so the -r16 switch is fine. The arcade consoles need a different command

nandpro usb: -r256 xbox_backup1.bin 0 1000

Change 256 to 512MB where required. This tells nandpro to read from 0 (first block of memory to block 0x1000). The dump should be approximately 64MB in size. There is no need to dump all 256MB or 512MB of memory, anything after block 0x0FFF (i.e. 0x1000 or higher) is on-board storage, and you have already backed that up, right?

When that dump is completed, run the same command again, but change the filename to xbox_backup2.bin.

Once that's done, type the following:

fc xbox_backup1.bin xbox_backup2.bin

Again, you don't want any differences between the dumps. I dump my nand 3 times to make extra sure.

Flashing Xellous

So you either have a full backup of your nand now, or you're going to try take it via HTTP once you get Xellous running.

The first thing you need to do is read your Keyvault from the nand

nandpro usb: -r1 keyvault_1.bin 1 1

This will read your keyvault (which is located at block 1, and ends at block 1, hence the 1 1 at the end of the command so don't forget this). Again, dump it a second time to a different file and compare them. Make sure they're the same.

Now you need to grab Xellous. The file you want depends on your motherboard revision. If you don't know what it is, then consult this image

I'm putting the links here, the code is not copyrighted by Microsoft so it's fair game. Other mirrors are in the guide.

Xenon - Mirror 1
Falcon/Zephyr/Opus/Jasper - Mirror 1

Extract xenon_hack_xellous.bin or <falcon/zephyr/opus/jasper>.xellous.smc.bin to the nandpro directory.

Rename it to free60.bin for simplicity. You're now going to write it to your console.

nandpro usb: -w2 free60.bin 0

The above command can be interpreted as write via USB, 2MB of data from free60.bin to the nand starting at block 0. Make sure this is the command you're using, only changing USB to LPT where necessary.

Once nandpro has flashed Xellous, you need to write your keyvault to the nand or it won't boot.

nandpro usb: -w1 keyvault_1.bin 1 1

This command can be interpreted as write (with a limit of 1MB maximum) keyvault_1.bin to the nand, starting at block 1 and only write 1 block (which is all the keyvault is, one block).

Now that it's done you can desolder your reader. I don't, just in case I run into a problem that might mean flashed back the original nand for testing but you can do it if you want because if this works you're finished with the nand flashing

Either way, take out the power plug and disconnect the reader from your computer, it's time to solder the actual JTAG


All this mucking around with the nand doesn't make stuff happen. You need to solder a few more wires to get the code you've just flashed to the nand to actually work. This is the heart of the JTAG, the wiring that unleashes the xbox.

For the Xenon model, you will need 2x1N4148 diodes or 2xSchottky BAT41 diodes and 3 wires. For all other models you will need 7 wires, 2x10k resistors and 2x2N3904 NPN transistors.


The diode should be soldered directly to the motherboard at J1F1.3 and J1F1.4 with the thick black line on it nearest the board. Do not solder wire->diode->wire, this may cause problems.


Click here for bigger image. The 2N304 transistor has a flat back with a curved front as in the small image. With the legs facing you and the transistor on it's back the legs go C, B, E.

Please take special note of the location of AUD_CLAMP. There is another transistor (Q2N3) to the right of Q2N1, you do not want to solder there so check and double-check that you're nailing Q2N1's right side leg and nothing else. The wire from Q2N1 can be run through the hole just south of it (the black hole in the image) which will bring it to the other side of the board in a much neater fashion than around the edge of the board. The blue line on J2D2 does connect pads 4 and 7, so there is a jumper wire there. I suggest all 3 wires connecting to pad 7 are twisted together, and soldered in one go with plenty of excess on the other end for trimming to length. Soldering one at a time is a pain and the last thing you want is a fleck of hot solder from the wire you just soldered there hitting your skin while you try to solder the next one.

DB1F1 is tiny and almost always has no solder on the top side. I suggest liberal use of flux and don't forget to put solder on the point before trying to solder wire to it. Apply flux, heat up the pad, apply solder, remove, wait for the pad to cool down, apply flux, apply wire, heat and apply more solder to wire & pad and you're done. Always let the pad cool down, it can be tricky but don't rush it. All of the alternative points to DB1F1 are more difficult so you really don't want to lift the pad. Also, make sure you're putting the right transistor c-leg the the right pad (1 or 2) on J2D2. Mixing up the two C-legs on J2D2 leads to an E79

Here is a picture of the above wiring in action:

15 people have thanked this post
TouchingVirus Registered User

Starting Xellous

So now that you're done soldering, double checking with the schematic, checking for shorts etc it is time to start it up. Put in the power and the AV cable, and the fan and power on the console. You should see Xellous starting up with a nice blue screen

If there is any problem, double check your wires and test your parts. Honestly, most of the time is the wires or dodgy parts that cause issues.

If you only get a black screen but the tv is receiving input then make sure you've flashed your keyvault properly. If you get a blank screen and your TV is still awaiting a signal, then there are a few things you can try. First on the list is a reflash. Secondly, if you own a Big Block console (Jasper with onboard storage) you can try these Xellous files instead (Try flash xellous.jasperbb mana100.bin instead of free60.bin then flash your keyvault. If that fails, try jasper_6723_hack_for_256mb_512mb.TMS.Patched.bin and then your keyvault. If you have to use the second bin file, copy updxell.bin to a USB stick, put it in and boot into Xell to upgrade to Xellous. There is no need to do this if the first bin file works). After each reflash, remove the power to the console for 30 seconds before reconnecting it and turning it on.

After booting up into Xellous, you need to take down your CPU Key. This is the key to your console. It is unique, so keep it private and don't post it on the internet unless you want Microsoft to be aware you're raping their console! It's also very important, you can do all sorts of things with it so do keep it safe too. It's also required for the next step. The CPU key is hexademical, so the only possible values are 0-9 and A-F. There are no other letters, so there is no letter O, that's a zero.

This step is not necessary if you took a full backup already but if you want to take a backup of your nand over HTTP (which I've found to be rather unreliable myself, but many others have had success) then connect the console up to a computer with a network cable, assign your network adapter to a similar IP address to the one Xellous shows (httpd address in the above image) (e.g. - google how to do that if you need to) and type in in your browser's address bar and click download beside "Raw Flash".

This can take a while, but make sure what you download is the size it's meant to be. 16MB (or 16.5mb as reported by Windows) or 256MB/512MB. There is just one more thing to do with this full backup, that is you need to restore the first 2MB of the original nand - remember, the first 2MB of that full backup you just took has Xellous in it. To do this you need Nandpro 2.0b - this is the last working version of nandpro where you can do the following command. Put rawflash.bin (or whatever you named the full backup into the nandpro 2.0b directory, and put in the dump of the first 2mb too. Then run the following

nandpro rawflash.bin: -w2 first2mb_1.bin 0

Nandpro will open rawflash.bin and write the first 2MB of first2mb_1.bin into rawflash.bin from block 0 (i.e. the start). When it's done rawflash.bin will be a full backup of what was originally on your xbox memory. Keep it safe

Verify that CPU Key

So now, one way or another, you have a backup of your entire xbox memory as it was before you messed around with it. And you have your CPU key from Xellous wrote down. Verify the CPU key with 360 Flash Tool (latest version v0.97) as follows:

Open 360 Flash Tool, Click Settings, Click Keys. Enter the CPU Key into the CPU key box. In the UserInfo box I put in the console serial number as found on the back sticker. Then Click Add-CPU Key, then click OK. Now open up your full xbox backup. You should see something like the following (I've edited out keys and other sensitive information). If you can see your DVD Key and OSIG data instead of "Bad K/V" then you've got a valid dump, and a valid CPU Key.


Freeboot has gotten easier to install with the invention of BestPig's Freeboot Toolbox (Don't worry, it is in English )

All you need is a copy of your nand backup and your CPU Key. If you're JTAGing a Xenon you're set, if you're not then you need one other file - the appropriate SMC file from the Xellous archive you downloaded earlier (i.e. Jasper.smc.bin for 16MB Jaspers, Zephyr.smc.bin etc etc). Don't forget that if you had to use that special version of Xellous for Big-Block Jaspers (by mana100) then you need to use that smc.bin file.

So fire up Bestpig's toolbox, type in your CPU key or copy it from the keys section in the 360 flash tool, check the option for updflash.bin instead of freeBOOT.bin in Destination and if you're doing a Xenon click Generate, if you're doing any other make sure to check the box for Custom Freeboot and if you're doing a Jasper make sure to also uncheck the auto-detect box and choose the right Jasper (16MB/256MB/512MB) model in the version box under the CPU key and then click Generate.

A box will pop up, asking you to open file. So find your full nand backup and double-click it. It will say something like "Jasper 16MB, CB Version xxxx - is this correct?" and you click yes after verifying the details in 360 Flash tool.

If you're on a Xenon, it will generate freeboot in a file called updflash.bin almost immediately.

If you're not then a window will pop up with a few folders - this is the temporary directory for building freeboot. You need to copy your <model-name>.smc.bin file into the data directory here, delete the existing smc.bin file and rename <model-name>.smc.bin file to smc.bin. Finally, if you are running a 256MB/512MB Jasper, you need download a file here, and copy over patches_jasper.bin from that file to the bin folder, overwriting the existing patches_jasper.bin.

Once you are done, go back to Bestpig's utlity, and click OK on the prompt there. The window will disappear and freeboot will be generated as updflash.bin in the directory where your nand file was.

Copy updflash.bin to a USB stick, put it into the console and power it on. Xellous will start, but will scan your USB stick for updflash.bin and will tell you it found an update. You have 15 second to prevent the update by turning off the console, so don't

Xellous will then read the file, this can take up to 5 minutes for slow USB sticks, and then it will flash your nand. It's incredibly fast once it gets going and when it's over you will be asked to remove the update (USB stick) and power cycle the console. So turn it off, pull the plug, wait 30 seconds and put it back in again. When you turn on the console, you should see the xbox 360 logo and be presented with the language choice screen.

Efuses - the last straw

Now that you're up and running, the last thing you want to do is accidentally update or run a game update which would flash the console but burn an efuse. When an efuse is burned, there is no way back. The burning of the efuse with the 2.0.8955 dashboard update in 2009 killed the JTAG by changing the bootloader and burning the fuse so there was no going back. Even the next update to 2.0.9199 burned another fuse, so there's no downgrading to dashboard 8955 from 9199. It really is the last thing you want to happen.

So what do you do? Well you remove the power to the efuse burning circuit of course. This is some seriously small soldering and because I don't have a digital microscope handy there will be blurriness. But you'll get the idea.

You have 3 options to disable efuses:

1) Remove the R6T3 resistor. It's a 10k resistor almost eyelash size on the underside of the motherboard. It can be tough to remove as you will have to heat both sides simultaneously. I used to do this, now I go for one of the other ways below

2) If U6T1 is installed, and it is in the above picture, you can bridge the second and third pins where U6T2 is labelled (circled with the blue arrow).

3) If U6T2 is installed, you can bridge the same pins where U6T1 is installed in the picture. Bridge the same pins, (i.e. the bottom right and bottom middle pin).

Once that's done and tested with a multimeter, reassemble and enjoy your JTAG

1 person has thanked this post
TouchingVirus Registered User

Xbox Live?

NO. The dashboard patches that make it possible to run unsigned code (homebrew) are easily detectable. It won't be long before you get banned. And why needlessly waste the keyvault? If your JTAG breaks you could sell the keyvault off it to people who were banned from xbox live, or you could unban a console with the keyvault from your JTAG console. I'm not suggesting you do this, I'm just using this to illustrate the point that connecting your JTAG to XBL is shooting yourself in the foot.


NO. The JTAG does not allow you to run games burned onto DVD-R media.

So I've been JTAG'd, what now?

Well you can install any 2.5" hard drive you like into an enclosure (I run a 500GB hard drive) and the console will detect it as a proper hard drive and allow you to use all of it for installing games. The fun really starts when you get tools like XeXMenu which will allow you to run unsigned (homebrew) applications.

To get it on to your hard drive you need a transfer cable to copy the application over to /Partition3/Content/0000000000000000/C0DE9999/ or you can run it from a CD and then use XeXMenu's file manager to copy the application from a USB stick to the right directory.

Once XeXMenu is installed properly (read the instructions) it should appear as a Game Demo in the dashboard. Next thing I'd do is increase the fan speed to 70%, you can find XeX files for doing this on xbins.

Next you should look at alternate dashboards like Freestyle dash, and Quickboot which creates shortcuts to your homebrew applications so you can get to them from the NXE dashboard instead of having to go into NXE, then XeXMenu, find the location of your application with the file manager and then launch your homebrew application.

Maybe even look at dashlaunch which will auto-launch an application (might I suggest freestyle dash) on boot up - win!

And with that, off you go and explore the JTAG

Here are some things which will get you and your jtag off on the right foot.

9 people have thanked this post

Assuming your finished, in my opinion thats the best post I've ever seen on this forum. I hope everyone will appreciate the time & effort you put into that, as it really shows. Well done TouchingVirus, fantastic guide

1 person has thanked this post
docentore Registered User

veeeery nice mate.

can we have it stocked please?

1 person has thanked this post

Excellent write up will be using as a guide for all future jtags

1 person has thanked this post
.E_C_K_S. Registered User

Man that is some unbelievable guide. Fair play!!

1 person has thanked this post
TouchingVirus Registered User

My thanks to whoever stickied this thread


Wasn't me, so it must have been WMN. There's a spot in his Console Modding FAQ sticky for a nice 'TouchingVirus' Complete JTAG Tutorial' link to your own thread though

1 person has thanked this post
TouchingVirus Registered User

Just updated the guide a small bit there, referencing the lack of ability to play backups or use xbox live with a JTAG. People probably knew it already, but no harm in having it in the guide.

kevin-46 Registered User

this is easyer that se7sins thanks tv for helping me out with my xbox i have a 250gb in mine with all my games and doing mw2 lobbies will be gettin the other xbox up to u soon for jtaging.

docentore Registered User

kevin-46 said:
this is easyer that se7sins thanks tv for helping me out with my xbox i have a 250gb in mine with all my games and doing mw2 lobbies will be gettin the other xbox up to u soon for jtaging.

thats why people (I mean developers and hackers) lost interest in Xbox homebrew. Hosting hacked MW2 lobbies to boost your stats in games - is that what we where waiting all those years?


Xellous is taking it's time giving me the Raw Flash how long does this normally take on a Xenon?

kevin-46 Registered User

What you using LTP or USB i used usb took 15 mins less tv helped me out


I'm connected to the Xbox through firefox and I am attempting to dump the Raw Flash with Xellous

Want to share your thoughts?

Login here to discuss!