(adsbygoogle = window.adsbygoogle || []).push({}); This is NOT my tutorial , I did copy and paste , All credit goes to Xbox Scene!

Not alot of people on this forum will know about/ or how to do this , But for the people who do , this is a step by step tut.

Anyone who knows anything about Jtag-ing and the XeX files , This is using Linux also.

First before you can run any of this you need to have a console which can be exploited using the hypervisor vulnerability (kernel 4532 or 454, a flashed DVD drive to run the Xell patched King Kong disc (ATM Hitachi works fine, Samsung has little to no support, sometimes boots from USB), and you need to boot to Linux via a Live disc (not sure on some of the Live disc stuff, read the bottom for more info) or from the HDD (see Ubuntu HDD install). Once you are booting linux you need to open a terminal window.

Basically you need to find the NAND address using lspci. Type this command in your terminal:

    lspci -v

And it will dump each of the slots. You need to look for the one that says "FLASH memory: Microsoft Corporation Unknown device 580b", then look at the 2nd line starting with "Memory", it should have a line similar to " Memory at 200c8000000 (32-bit, non-prefetchable) [size=16M]", you want the line that has the "16M" in it as that will be our 16MB NAND flash. Here is what my slot looked like:

[php]00:08.0 FLASH memory: Microsoft Corporation Unknown device 580b
Flags: bus master, medium devsel, latency 0, IRQ 24
Memory at 200ea00c000 (32-bit, non-prefetchable) [size=1K]
Memory at 200c8000000 (32-bit, non-prefetchable) [size=16M]
[/php]

My address matched one of the guys addresses on XBH and was "c8000000".

Then you need to copy this code into a new document (code was created by Pec of XBH):

[php]/*
* Usage:
* volatile void *p = ioremap(MY_HARD_REG_ADDR, 4096);
* ...
* out_8(p, state ^= 0x1);
*
*
* Copyright (C) 2003 Stephane Fillod
*/


#include <stdio.h>
#include <stdlib.h>

#include <sys/types.h>
#include <sys/stat.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/mman.h>
#include <memory.h>

#define BUFSIZE 16777216

#ifdef __PPC__
extern inline void out_8(volatile unsigned char *addr, unsigned val)
{
__asm__ __volatile__("stb%U0%X0 %1,%0; eieio" : "=m" (*addr) : "r" (val));
}
/* etc., cf asm/io.h */
#else
extern inline void out_8(volatile unsigned char *addr, unsigned val)
{
*addr = val & 0xff;
}
#endif

volatile void * ioremap(unsigned long physaddr, unsigned size)
{
static int axs_mem_fd = -1;
unsigned long page_addr, ofs_addr, reg, pgmask;
void* reg_mem = NULL;

/*
* looks like mmap wants aligned addresses?
*/
pgmask = getpagesize()-1;
page_addr = physaddr & ~pgmask;
ofs_addr = physaddr & pgmask;

/*
* Don't forget O_SYNC, esp. if address is in RAM region.
* Note: if you do know you'll access in Read Only mode,
* pass O_RDONLY to open, and PROT_READ only to mmap
*/
if (axs_mem_fd == -1) {
axs_mem_fd = open("/dev/mem", O_RDWR|O_SYNC);
if (axs_mem_fd < 0) {
perror("AXS: can't open /dev/mem");
return NULL;
}
}

/* memory map */
reg_mem = mmap(
(caddr_t)reg_mem,
size+ofs_addr,
PROT_READ|PROT_WRITE,
MAP_SHARED,
axs_mem_fd,
page_addr
);
if (reg_mem == MAP_FAILED) {
perror("AXS: mmap error");
close(axs_mem_fd);
return NULL;
}

reg = (unsigned long )reg_mem + ofs_addr;
return (volatile void *)reg;
}

int iounmap(volatile void *start, size_t length)
{
unsigned long ofs_addr;
ofs_addr = (unsigned long)start & (getpagesize()-1);

/* do some cleanup when you're done with it */
return munmap((unsigned char*)start-ofs_addr, length+ofs_addr);
}

main(int argc, char *argv[])
{
int fd = open("./flashdump", O_RDWR | O_CREAT, 0644);
volatile void *d_PtrA = ioremap(0xc8000000, BUFSIZE);
char *buffer = malloc(BUFSIZE);
memcpy((void*)buffer, d_PtrA, BUFSIZE);
int ret = write( fd, buffer, BUFSIZE );
close(fd);
return 0;
}[/php]

Once you have pasted the code into your new document you need to change "MY_HARD_REG_ADDR" to the address of your NAND, in my case it was "c8000000", so here is the first part of the code:

[php]/*
* Usage:
* volatile void *p = ioremap(c8000000, 4096);
* ...
* out_8(p, state ^= 0x1);
*
*
*/[/php]

Once you have changed the address in the document close it and save it. Now rename the document to "memdump.c"

Then you need to compile the memdump.c source into a program by using the following command:

[php]gcc -I=/usr/include/ -O memdump.c[/php]

"/usr/include/" is the path of where you have memdump.c stored

Once the code is compiled you will get a "a.out" file, which is your program to dump the NAND with. You can then run the program and it should create a 16MB filed called "FLASHDUMP". I recommend you just rename it to "FLASHDUMP.bin" to make the rest of this guide easy.

Once you have "FLASHDUMP.bin" you can browse it using a hex editor. The first few lines on the right you should see the text string say "2004-2005 Microsoft Corporation. All rights reserved."

Also you can extract any files from the "FLASHDUMP.bin" using a great tool by "Probutus" of XBH called "NAND Tool v0.2" (I don't think it contains any copywrite code, but I'm not posting a link to it).

You need to run the NAND Tool from a command prompt. Here is the command to dump all of the files from the "FLASHDUMP.bin":

[php]readflash FLASHDUMP.bin all[/php]

That will dump all the files from the NAND into the folder you are running NAND Tool from.

Now you have your NAND dumped and all the files contained inside.

*Note* I did this on my system which I have Ubuntu installed to the HDD, so I was able to easily save the "FLASHDUMP" to the HDD, with a Live CD I don't think you have access to the HDD (unless you format and partition it)

Credits go to XBH, which is where I found the info to do this, Pec (of XBH) for the source code and his info in that thread, and anyone in that thread that contributed information on doing this.[/size]

This is only for people considering Jtagging it themselves.