The Xenon JTAG Guide

When it comes to the old-school JTAG mod, aka the SMC Hack,
there are Xenon motherboards and then there is everything else,
aka non-Xenons (Zephyr, Falcon, Jasper).

It is important that you follow the appropriate guide for your motherboard model.


Modding Supplies: 

  • 2 x 1N4148 diodes
  • A way to read/write the nand of your console. This could be an LPT cable, JR Programmer, Nand-X, or other device.

Software Needed: 

You can use 2 1N4148 diodes for this - they are cheap!

High Level Overview of Process:

  1. Open console, prepare motherboard (fiberglass scratch pen, flux paste)
  2. Solder in the nand reading/writing device (probably JRP or Nand-X)
  3. Read the original nands
  4. Write the Xell Reloaded file to the console
  5. Install the two 1N4148 diodes, and the jumper wire per the image below.
  6. Boot the console and obtain the CPU key from Xell
  7. Use the CPU key in Jrunner to build a full hacked nand image (updflash.bin)
  8. Write the updflash.bin file to the console
  9. Remove nand reading/writing device
  10. Done - your console is now SMC Hacked aka JTAG'd


The video tutorial that accompanies this written guide:


Detailed Tutorial: 

  1. Open console, prepare motherboard

    Identify the J1D2 and J2B1 headers on the console's motherboard.
    Gently use a fiberglass scratch pen to remove the coating. The points should become shiny. Apply flux paste and pre-tin each of the areas that will have a wire soldered to them.

  2. Solder in the nand reading/writing device

    The default assumption is that you're using a JR Programmer or a Nand-X. Both devices were produced by Team-Xecuter and use the same cable and color-coded wires to connect to the 360.

    Solder them in according to the image, and then use the Jrunner software to read the nand.  

  3. Read the original nands

    Within Jrunner this is just the "Read Nand" option. You'll need to supply standby power to the console with the nand programmer attached in order to successfully read the nand.

    The "Reads" selector to the left of "Read Nand" should be set to at least 2. It's important that at the end of the nand reading you get "Nands are the same"; that is the indication that the two copies were compared and match.

    It's a really good idea right here to use Jrunner's "show working folder" and then copy your nanddump1/2.bin files to some backup location for safekeeping. Those are the original retail version of your console - save them!!!

    *You might see notes about a few bad blocks in the Jrunner output. If you do, the important things to look for are a message that says "bad blocks remapped successfully" and that you still see the "Nands are the same" message.

  4. Write Xell Reloaded to the console

    After you have good nand reads, use the "Create Xell-Reloaded" button in Jrunner. You should see the message "XeLL file created Successfully xenon.bin". You can then select the "Write Xell-Reloaded" option.

    Once the file is done writing, disconnect your reader/writer from the nand wires and unplug the console from standby power. 

  5. Install the two 1N4148 Diodes, and the jumper wire per the image below:

  6. Boot the console and obtain the CPU key from Xell

    When your console boots it will display the 32-character CPU key on screen. You can enter this manually in JRunner. As long as it is entered correctly you should get a message like "CPU Key correct", and the "KV Info" blanks within Jrunner should fill in with actual information.

    If you have an ethernet cable connected, Xell will also start up a small webserver on the Xbox. You can access that web page by going to the IP of the Xbox in a browser on the same network, or by entering that IP into the JRunner "get CPU Key" area.

    Xell will show the IP on screen, usually something like 192.168.1.## or 10.10.10.## depending on your network.  

  7. Use the CPU key in Jrunner to build a hacked nand image

    Once you have the CPU key entered, you can proceed with generating the final hacked image. Ensure your original nanddump1.bin file is loaded in the "Load Source" blank in Jrunner and that your CPU key is populated and correct. Under the XeBuild options on the right, select your targeted dashboard version - anything newer than the original dash version the console came on. Current version at the time of this writing is 17559. Select the JTAG radio button, and leave the Aud_Clamp? box UNchecked unless you are doing that mod and know what you are doing.

    After the create process ends, you should have a new updflash.bin file, and it should be in the "load source" blank within Jrunner.

  8. Write the hacked nand image

    Make sure the just-created updflash.bin file is in the "load source" blank in Jrunner, re-connect your nand reader/writer cable, and re-apply standby power to the console. Then select the "Write-Nand" option and let it finish.

  9. Remove nand reader/writer device & cleanup

    You can de-solder the nand reader/writer device now.  Do NOT remove the diodes or jumper wire. 

    Future re-writes of the nand image can be done via Xell directly, or using other software tools.  If you ever did write a "bad" nand file it may be necessary to re-solder in your reader/writer in order to recover the console. 

    You might choose to leave the wires soldered in but tucked out of the way, if you anticipate needing to recover the console often enough that it would be a convenience. Team-Xecuter actually released a little kit that externalized the connection to the nand to make it really easy but I don't think they're sold anymore.

  10. Done - your console is now SMC Hacked aka JTAG

    Now you can install XexMenu, FreeStyle Dashboard, Aurora Dashboard, DashLaunch, any stealth service you want...
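
For step 3, an independent check of the two nand reads and of the backup copies. This is an added example, not part of Jrunner or the original guide; the 0x4200-byte block size (32 pages of 512 data + 16 spare bytes) is an assumption the guide does not state, and the script name is hypothetical.

```python
import hashlib
import sys
from pathlib import Path

# Assumption (not stated in the guide): raw dumps are made of 528-byte pages
# (512 data + 16 spare bytes), 32 pages to a block, so 0x4200 bytes per block.
BLOCK_SIZE = 32 * (512 + 16)


def sha256_file(path):
    """SHA-256 of a file, for checking that a backup copy matches the original."""
    return hashlib.sha256(Path(path).read_bytes()).hexdigest()


def compare_dumps(path_a, path_b, block_size=BLOCK_SIZE):
    """Compare two reads of the same nand.

    Returns (ok, reason, differing_blocks). ok is True only when both reads
    are non-empty, equal in length, not one repeated byte, and identical.
    """
    a, b = Path(path_a).read_bytes(), Path(path_b).read_bytes()
    if not a or not b:
        return False, "empty read", []
    if len(a) != len(b):
        return False, "length mismatch: %d vs %d bytes" % (len(a), len(b)), []
    if a.count(a[0]) == len(a):
        # Two reads of all-0xFF or all-0x00 match each other but hold no data.
        return False, "dump is one repeated byte (0x%02X)" % a[0], []
    blocks = range((len(a) + block_size - 1) // block_size)
    diff = [i for i in blocks
            if a[i * block_size:(i + 1) * block_size]
            != b[i * block_size:(i + 1) * block_size]]
    if diff:
        return False, "%d block(s) differ" % len(diff), diff
    return True, "dumps are identical", []


if __name__ == "__main__":
    # Usage: python compare_dumps.py nanddump1.bin nanddump2.bin
    ok, reason, diff = compare_dumps(sys.argv[1], sys.argv[2])
    print(reason, ["0x%X" % i for i in diff[:16]])
    print("sha256:", sha256_file(sys.argv[1]))
    sys.exit(0 if ok else 1)
```

Record the printed SHA-256 alongside the backup; running sha256_file on the backup copy later should give the same value.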