Hi, I have a banned console and was looking into the JTAG hack; it turns out my box is not compatible because my firmware is too new. Is there a way to downgrade, or is there any chance of there being a hack for newer versions in the future?
Originally posted by Shaun from XBH: So, the xell exploit exists and works for the following reasons.
45xx kernel can be made to boot by applying the patch data to a zeropaired image.
Once the 45xx kernel is in place, the modified smc patches the kernel (aka king kong exploit) and we take hold of the system to do what we like.
For historic purposes, I mention that the exploit can ONLY work on the 45xx kernel.
Also, dashboard updates blow an EFUSE aka LDV (lock down value) which is 1 TYPE of efuse, there are several more.
There is also a 2nd efuse row which is used for making sure only the type of CB which is meant for your system can be loaded.
This is present IN ALL VERSIONS OF CB.
The version of this counter is hard programmed into the CB version and it checks the value in the CPU to make sure it is allowed to boot as soon as it is run.
This is what stops a 1920 or below CB running on a >= 1921 CB system (this was when the timing attack was disabled).
Previously, the version of CB only ever changed at time of manufacture or when a faulty system was sent to a repair centre.
However, in the summer, the 8xxx update was released which also updated the CB on every console hardware type as well as the dashboard.
So this means it blows 2 efuses. One on row 1 which is an increment to the LDV, and one to the 2nd fuseline which disables ALL other versions of CB from booting.
There is NO WAY we can get an unallowed CB version to boot without having the key which M$ signs the code with to enable us to modify the CB, or by removing a blown efuse - either way, it just can't happen.
What this CB does is specifically revoke all 45xx kernel versions (which are the only ones which contain the HV vulnerability).
You cannot get 45xx to boot on a console with CB >= 8xxx EVER.
I believe that the jtag ability does exist still, but it is worthless at this point because it cannot do anything (the kk exploit does not exist so we cannot patch or take control of the system)
In future the jtag ability may be removed completely.
With some luck this may get read and understood by people who have just updated their vulnerable consoles to 8xxx or beyond.
The simplest solution if you want to keep an exploitable console is to remove the R6T3 resistor, which permanently disables efuse blowing.
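The mechanism Shaun describes (a one-time-programmable fuse counter that a signed boot stage checks before it runs, so that an update which blows a fuse revokes every older stage) is the general anti-rollback pattern used in secure boot. The following is an added teaching model, not the post's or Microsoft's code: the fuse rows, the stage names, the fuse-level numbers and the `Console` class are all constructed for illustration. The post describes the CB check as an exact match on the second fuse row; the model uses the more general monotonic rule ("image level must be at least the fuse count"), which has the same effect of permanently shutting out older images.

```python
"""Model of eFuse-backed anti-rollback for a boot stage.

Added illustrative example; NOT Xbox 360 code. Field names, fuse widths and
version levels are constructed to show the mechanism, nothing more.
"""
from dataclasses import dataclass, field
from typing import Optional


class FuseError(Exception):
    """Raised when an operation the hardware cannot perform is requested."""


@dataclass
class FuseRow:
    """A row of eFuses. Every bit starts at 0 and can only ever become 1.

    The number of blown bits is read as a unary, monotonic counter. There is
    deliberately no method that clears a bit: the only write path is OR-in.
    """
    width: int = 8
    bits: int = 0

    def count(self) -> int:
        return bin(self.bits).count("1")

    def blow_next(self) -> int:
        """Blow the lowest unblown fuse and return the new counter value."""
        if self.count() >= self.width:
            raise FuseError("fuse row exhausted")
        self.bits |= 1 << self.count()
        return self.count()

    def blow_up_to(self, level: int) -> int:
        """Raise the counter to `level` (no-op if already there or higher)."""
        while self.count() < level:
            self.blow_next()
        return self.count()


@dataclass(frozen=True)
class BootStage:
    """A signed boot-stage image (stands in for the post's 'CB').

    `fuse_level` is baked into the image and covered by its signature, so an
    attacker cannot simply edit it without the signing key.
    """
    name: str
    fuse_level: int


@dataclass
class Console:
    # Row 1: the lockdown value (LDV), bumped once per update.
    ldv: FuseRow = field(default_factory=FuseRow)
    # Row 2: the boot-stage revocation counter checked by the CB.
    cb_rev: FuseRow = field(default_factory=FuseRow)
    installed: Optional[BootStage] = None

    def can_boot(self, stage: BootStage) -> bool:
        """The check the loader performs before transferring control:
        refuse any image whose baked-in level is below the fuse counter."""
        return stage.fuse_level >= self.cb_rev.count()

    def apply_update(self, stage: BootStage) -> None:
        """A legitimate update: flash the new stage and burn the fuses."""
        self.ldv.blow_next()
        self.cb_rev.blow_up_to(stage.fuse_level)
        self.installed = stage

    def attempt_downgrade(self, stage: BootStage) -> bool:
        """Writing an older image to flash is easy; booting it is what fails."""
        if not self.can_boot(stage):
            return False
        self.installed = stage
        return True


def demo() -> dict:
    """Walk through update and attempted downgrade; constructed stage names."""
    old = BootStage("cb_old_vulnerable", fuse_level=0)
    new = BootStage("cb_new_revoking", fuse_level=1)
    box = Console()
    box.installed = old
    boots_before = box.can_boot(old)
    box.apply_update(new)
    boots_after = box.can_boot(old)
    return {
        "old_boots_before_update": boots_before,
        "old_boots_after_update": boots_after,
        "downgrade_succeeded": box.attempt_downgrade(old),
        "ldv": box.ldv.count(),
        "cb_rev": box.cb_rev.count(),
        "installed": box.installed.name,
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the model makes is the one in the post: once `cb_rev` has been raised, nothing the owner can do in software lowers it, so the only images that will ever boot again are those signed with a level at or above the counter. That is why a vulnerable stage cannot be reinstalled after the update has been applied.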