RGH 3.0 (Xbox 360)
In order to install RGH 3.0 on your Xbox 360 there are several steps. This guide will go in order of what you need to do.
The first thing you need is a flasher to flash the NAND chip on the Xbox 360.
For this I recommend simply getting a Raspberry Pi Pico. It couldn't be any simpler than plugging in the Raspberry Pi Pico to your PC while holding the boot button, then copy/pasting the PicoFlasher.uf2 file onto the Raspberry Pi folder that opens up when you connect it to the PC.
Download the PicoFlasher from here.
Fully disassemble the console following the Disassembly guide. You will need to get it right down to the bare motherboard.
At this stage I would recommend cleaning off the old thermal paste and applying new to the CPU.
Read the Identify Model article to know which model you have. So long as it is not a Winchester you are good to go.
For all Phat models the wiring is the same, connect up the wires from the PicoFlasher to the following pins.
For Trinity use the following pins:
For Corona, use the following wiring:
Here is an example of the PicoFlasher wired up to a Corona.
For any Corona consoles V3 or higher, you will need to rebuild the header pins that we soldered the Raspberry Pi Pico to as they are missing.
To check if you have a V3 or higher, check the area under the X-Clamp by the CPU.
The V3 onwards have no space between the STP501 and STP502 silkscreen, whereas the older versions not requiring the fix have a gap.
For V3+ look under the debug header where we soldered the prorgamming wires. You need to bridge R2C10 (remove the resistor and bridge it or add a wire over the resistor).
On top of that, if the resistors R2C7 and/or R2C6 are no present, bridge the pads.
Here is an unmodified header that you can see is not missing R2C6 or 7, so nothing needs to be done there. But we do need to bridge R2C10 still.
And here it is shorted.
If you lose the resistor or ever want to undo the work, it is originally a 100 ohm resistor of size 0402.
In order to glitch the console you will need to short a pair of pads, and add a resistor between another set of pads.
The first one you will need is a short between POST1 and SMC_POST1. This point varies depending on console.
The other point you will need to join is SMC_PLL to PLL_BYPASS. You will join these together with a resistor not directly. So place a resistor inline with the wire you are using to short them together.
Depending on version the resistor value differs.
For the Phat as well as the resistor, it is also advised (but not needed) to add a diode inline with the POST wire. This means you would have a resistor inline on the PLL wire and a diode inline on the POST wire.
The diode enables faster boot. Place a 1N4148 or similar general fast rectifying diode with the cathode end (black banded end) on POST1 and the anode (positive) side to the SMC_POST pad.
Use a 22k resistor in line with the PLL wire.
Here is the top PLL point.
Use between a 3k and 10k resistor in line with the PLL wire.
Use a 1k resistor in line with the PLL wire.
Here is an example on a Corona V3 where I used an 0603 resistor inline with the PLL wire also.
Connect the power supply to the console but do not press any power button. We will be using only the 5V standby voltage.
If you do not have a power supply, you can power it from bench on the 5V rail. Shown here is also a Power On Sense resistor pulling it to the 5V rail which is optional and only needed if you are fully powering the console from bench (with the power button when fully booting).
Simply connect 5V and ground.
Connect the Raspberry Pi to the PC.
Download, extract and run JRunner.exe from here.
Click the ? button and confirm the J-Runner software can read the console type.
Next is to back up the NAND. Click Read Nand. This will read the Nand twice to confirm its correct.
Make sure the end text says Nands are the same.
Once done the backups are placed inside the output folder of the J-Runner software.
If you forget to add the diode/resistors or they are installed wrong, you will get a bad compare and an error message saying Header is wrong.
Now select Glitch2 and RGH3 then click Create ECC or Create XeLL.
If it says XeLL image created. click Write ECC or Write XeLL next to write the glitched file to the Xbox 360.
Once done make sure it says Write Successful.
Writing the custom ECC / XeLL file basically makes the Xbox 360 boot up until XeLL Reloaded when you power it on.
DO NOT UNPLUG THE CONSOLE while it is in the XeLL Reloaded glitch. Turn it off at the power button.
I have personally seen and had the console completely brick by disconnecting power not powering off. The symptom is then when applying power to the system the fan spins instantly without powering on and the 5V rail pulls 400mA.
You cannot connect to it via J-Runner and ultimately its completely bricked.
Connect the heat sink back onto the CPU (remembering to connect up the heat sink fan!), and the front power board. Connect up the console via HDMI to a TV.
You can power the console from a dual bench power supply if you like, with 5V and 12V. During this boot the 12V rail will pull 3.2A with peaks possibly of 4A. If your bench can't provide the 4A it won't fully turn on.
The 5V rail should pull 80mA until you power on then around 0.25A once running.
Remember all versions have different pinouts so check you have the correct Ground, 5V and 12V pins. This example is a Corona console.
Connect the front small PCB and then the power button ribbon and press the power on button to boot, and you should be presented with the XeLL Reloaded screen.
Alternatively, connect the front button ribbon and short these two pins to turn on.
Let it run, and as it does it should show you the CPU Key.
Write this down and type it into the CPU Key box of the J-Runner.
Once you do, you should see all the key information showing on the right in keyvault as it can now successfully decrypt the NAND we dumped earlier.
If you close the program or it crashes at any point, to get back to this stage simply select Load Source and select the nanddump1.bin and Load Extra selecting nanddump2.bin
Make sure to power off the console first (remove the power then connect it back up, without pressing power button) otherwise the next step will say successful but it won't work.
Now you have the NAND decrypted it is a simple case of clicking Create XeBuild and wait until you see Nand Initialization Finished.
Then click Write Nand to write the hacked image back to the console.
Remove the programming wires to the Raspberry Pi Pico but leave the PLL and POST wiring/resistors in place.
Keep the fan in place and test booting with thw power button to get to the stock dashboard or eject to get to XeLL Reloaded.
Build your console back up fully. We are done with the hardware modding.
Now you are free to install Aurora or anything else you like.
An important step is to back up your original dumps in case your system ever needs them.
Copy the folder inside the J-Runner software that was created.
The folder will be the consoles serial number.
Inside the folder are the backup files.
The nanddump1.bin and nanddump2.bin are your stock retail NAND dumps.
The updflash.bin is the hacked NAND you are now running on the console.
The key files contain all the important keys.
If you want to flash stock retail back on you have to write the nanddump files back to the NAND then remove the RGH wires/resistors/diodes (otherwise you will get red ring of death).
īģŋ
