Lamprey board

[LEo]

Well we know this board can read write nand using a serial connection, and apparently can tinker with fuses on the cpu, It works on final hardware.

So any more info on this, that one sentence is pretty much all I know of it.

[hacker360]

the rol debug headers plug into the 2 black ones and it only needs one serial port to write to nand. would you be interested in selling this, i can put it to good use. thanks

thats why it shows argon program board

o and it doesnt blow the fuses, it is a similar device in production that they use to just write to flash and program the rols. when the console first boots they have a usb cabke blugged in into a mfr boot xex because on first boot the random cpu key is generated

[LEo]

Not mine^ I have high res pictures of it given by a friend that owns one. The point of this thread is inorder to know what else this does with an xbox.

Also the titan board is that thing beta 1 kits had. I know alot of rumors about these boards, Im going to ask some friends to give me permission to show some high res pictures of the lamprey along with some info of what was done with them behind the scenes.

[hacker360]

the argon is the codename of the rol. would i possibly be able to ahve hires pics thanks

aim ericmarsi@live.com

ive also heard that it can flash the 1bl

[LEo]

the argon is the codename of the rol. would i possibly be able to ahve hires pics thanks

Stop spamming the thread.

Argon is the daughter board that Xedks had, check speedy22 early documents about the 360 hardware

edit shit, it was titan board.

[hacker360]

Stop spamming the thread.

Argon is the daughter board that Xedks had, check speedy22 early documents about the 360 hardware

edit shit, it was titan board.

lol sorry about the multiple post. id like to ask you some questions in private. please pm me thanks

[TheFallen93]

ive also heard that it can flash the 1bl

1BL is ROM (READY ONLY MEMORY)...

[KIWIDOGGIE]

1BL is ROM (READY ONLY MEMORY)...

1BL is RWOM

[hacker360]

I do remember a video from a long time ago for xbox Live Labs. it had like 50 lampreys hooked up heres the video and screenshots, you can see that only one serial port is used and the black long header shows out front, jsut some more pics nothing big

http://imgur.com/a/FiQv4

http://www.youtube.com/watch?v=EnSb3qY87e8

[CodeAsm]

highres front and back are intresting, also what U1 IC is that soic? 16

I asume the programs that they used are a bit more interesting, we already know alott about the internal headers. These boards are "just" the connections to "normal" connectors to mass programm Xboxes ? Maybe that IC containts fuses, or emulates some, or it just converts some protocol like i2c or SPI to serial.
My thoughts, donno if its of any value.

[kholdfuzion]

the ic is a max3232

[LEo]

the ic is a max3232

Its a serial converter. We actually attempted to make schematics for it a long time back, by looking at some pictures ;)

Well I have determined another use for this board was indeed to program early ROL boards with different firmware. Which would explain the argon pin header.

The function of the other serial conector is still on the air. I know people know what it does but simply dont care too much to share the information.

There was one document that was leaked where it talked about the lamprey and how you could use it to turn a retail board into a development board. Problem was that it probably documented the procedure used inorder to change a board that was still in MFC boot mode. Fact is, it defineatly involved using this hardware to do so.

This is a tibit from the document.

3.4 Jasper Platform
To build a Jasper Dev Console PCBA, one should look at the released Jasper DEV PCBA (X819115-001 - PCBA,JASPER,DEV KIT,ICS,HYNIX MEM,512MB FLSH). For debug and testing purposes on a retail PCBA, make the following changes to emulate 99% of a real DEV PCBA:
This is a small resistor, which makes me think this somehow changes the part numbers that are shown to the kernel(makes it think its a dev?)
1) Enable Debug Spew
 Stuff R1C4 with X800601-001 RES,S/M,LF,1.0KOHM,5%,1/16W,0402 (was NO-STUFF)
 Unstuff R1P2 (was X800590-001 RES,S/M,LF,10KOHM,5%,1/16W,0402)
Pin header locations on the lamprey board itself.
2) Populate Lamprey Headers

 Stuff J2B1 with X804259-001 CONN,HDR,TH,LF,2X7,DUAL-ROW,VERT, PIN 14 KEYED,2.4 TAILS
 Stuff J1D2 with X804260-001 CONN,HDR,TH,LF,2X5,DUAL-ROW,VERT, PIN 10 KEYED,2.4
This following part makes the changes for the nand type, depending on the configuration of the resistors near the flash it tells the console its size
3) Configure for 256MB Flash if PCBA is not ARCADE SKU (no need flash modification for ARCADE SKU)

 Stuff R2D6 with X800590-001 RES,S/M,LF,10KOHM,5%,1/16W,0402
 Stuff U2E1 with X809112-002 IC,S/M,LF,FLASH MEMORY,256MX8,K9F2G08U0A-P,TSOP-48 or X817006-001 IC,S/M,LF,FLASH MEMORY,256MX8,HY27UF082G2B,(57NM),TSOP-48
 Unstuff R2D5 with X800590-001 RES,S/M,LF,10KOHM,5%,1/16W,0402
 Unstuff R2D7 with X800590-001 RES,S/M,LF,10KOHM,5%,1/16W,0402
 Stuff R2D8 with X800590-001 RES,S/M,LF,10KOHM,5%,1/16W,0402
These are your typical LEDs that devs have on POST
4) CheckStop LED

 Stuff R8B6 with X800427-001 RES,S/M,LF,2KOHM,1%,1/16W,0402
 Stuff R8A5 with X800601-001 RES,S/M,LF,1.0KOHM,5%,1/16W,0402
 Stuff Q8B6 with X801037-001 BJT,S/M,LF,NPN,SWITCH,2N2222,SOT23
 Stuff D8B4 with X801078-001 LED,LF,GREEN,QTLP601C-AG,0603

Connecting the lamprey into their corresponding ports
5) When building into a console, stuff the following Lamprey cables following standard installation procedures:
 X801796-001 CABLE ASSEMBLY, MOBO, LAMPREY, SMC KERNEL DEBUG PORT
 X801797-001 CABLE ASSEMBLY, MOBO, LAMPREY, SPI PORT
Finally what we have no idea what the lamprey does, any member with more experience in 360 hardware could give us a rundown what or where this value is
6) Reset the console type from Retail to Dev (Agile doc H03710)
RETAIL 00000002
DEVELOPMENT 00000001

I should also add, the fact it says AGILE docs is because agile was a contract mfc for microsoft, they went under in 2007.

[deep3r]

Its a serial converter. We actually attempted to make schematics for it a long time back, by looking at some pictures

Well I have determined another use for this board was indeed to program early ROL boards with different firmware. Which would explain the argon pin header.

The function of the other serial conector is still on the air. I know people know what it does but simply dont care too much to share the information.

There was one document that was leaked where it talked about the lamprey and how you could use it to turn a retail board into a development board. Problem was that it probably documented the procedure used inorder to change a board that was still in MFC boot mode. Fact is, it defineatly involved using this hardware to do so.

This is a tibit from the document.

Wasnt there something released not long ago to put any kit into boot mode?

This

http://www.youtube.com/watch?v=kbQBJKgmta0

[TheFallen93]

6) Reset the console type from Retail to Dev (Agile doc H03710)
RETAIL 00000002
DEVELOPMENT 00000001

Those are just console certificate flags.

#define XE_CONSOLE_TYPE_DEVKIT 0x00000001
#define XE_CONSOLE_TYPE_RETAIL 0x00000002

[LEo]

Those are just console certificate flags.

#define XE_CONSOLE_TYPE_DEVKIT 0x00000001
#define XE_CONSOLE_TYPE_RETAIL 0x00000002

Edit provided by aim

little more detail on them?

[11:46] leorimolo: in the retail to dev document
[11:47] leorimolo: it talks about changing console type by changing some values used with resistors
[11:47] leorimolo: kinda like it reads what size nand it is by its resistors
[11:47] leorimolo: any chance the 1bl checks for that, and that right there is all it tells to change from retail to dev
[11:47] leorimolo: in the document one part said, populate (as in add a resistor conecting two points and remove another)
[11:48] leorimolo: to change some value given to the cpu
[11:48] fallen: lol no
[11:48] fallen: 1bl is very simple
[11:48] fallen: load 2bl from flash, authenticate, and jump
[11:49] fallen: non slim 2bls check the console type fuse
[11:49] fallen: if its wrong the console panics

Well ill stand by the theory that basically this document was an internal document used by AGILE co. contracted by MS to make devkits for them out of retail boards that still had not been exactly programmed or had any fuses burnt on them. It would make sense if it was this way, using this along with software for the lamprey probably burned the fuses needed to make a dev. This will not work on retails, ever. Even then, we won't ever get software for it.

So ill finish by saying, Lampreys can be used on retails/devs to read write the nand. It can be used to program proto Aragon (RoL) boards. Finally they could have been used at one point to use the cpu jtag to program fuses, and once that was done the cpu jtag was probably disabled. There is one more little tibit that these boards *might* have been able to read the 1bl off early Xedk proto kits.

[l_oliveira]

One thing I don't get is:

If it's THAT secure (since once programmed as retail an console cannot be changed) why so much secrecy about this stuff ? It's not some alien technology one could use to take on the world or similar stuff ... :P

[halo3]

One thing I don't get is:

If it's THAT secure (since once programmed as retail an console cannot be changed) why so much secrecy about this stuff ? It's not some alien technology one could use to take on the world or similar stuff ... :P

Because xbox 360 is the world's largest gaming console right now with millions of customers and massive amounts of revenue. If a bunch of private stuff on how to completely hack a retail 360 got out that would be bad since hackers always want to read backup games, and run unsigned code. This is bad for Microsoft and gaming companies since if a console can read copied games they make no money off a game; and reading unsigned code is bad since if it is online it ruins the online gaming experience costing Microsoft all their xbox live income...

[l_oliveira]

Because xbox 360 is the world's largest gaming console right now with millions of customers and massive amounts of revenue. If a bunch of private stuff on how to completely hack a retail 360 got out that would be bad since hackers always want to read backup games, and run unsigned code. This is bad for Microsoft and gaming companies since if a console can read copied games they make no money off a game; and reading unsigned code is bad since if it is online it ruins the online gaming experience costing Microsoft all their xbox live income...

Eh ... Actually the Reset Glitch Hack and the JTAG Hack do achieve to "hurt" all what you mentioned. I don't think anyone with a Lamprey board will do anything interesting besides making the RoL blink. That's my point.

[LEo]

Eh ... Actually the Reset Glitch Hack and the JTAG Hack do achieve to "hurt" all what you mentioned. I don't think anyone with a Lamprey board will do anything interesting besides making the RoL blink. That's my point.

Yeah this isn't the type of hardware a gaming company would want in the wild, considering it most likely is what they use to fix or debug Xbox in repair centers. So naturally yeah people would want to hide it. These have been around since the 360 came out in private hands.

[CodeAsm]

Its just a rs232 board is it? maybe a "programming" board. but very "dumb". I'm more interested into those Doc's ;-) and can we make a retail almost "clean" again and make a dev? for jtag? (maybe i just have to glitch my Jasper)