Hacking the Original Xbox JTAG Interface

Markus Gaasedelen just performed a hack through the original Xbox's JTAG interface to read the console's secret bootrom.

The original Microsoft Xbox was somewhat unique among consoles of the era because it was essentially just a PC. That enabled all kinds of hacks, including modchips that would let players run bootleg games and alternative operating systems. But, of course, Microsoft wasn't too keen on that kind of activity and they attempted to lock down the hardware. The basis of that security was a secret 512-byte bootrom that the system needed to read during startup. That was sniffed out with an FPGA back when the Xbox was new, but Markus Gaasedelen just performed an alternative hack through the JTAG interface.

This hack has limited practical utility, because the secret bootrom is already known. But it is still an interesting experiment in true hardware hacking. It is an alternative to Bunnie's famous FPGA hack and shows what could have been achieved at the time.

Because the original Xbox was just a PC with an Intel Pentium III CPU, it included a JTAG interface for debugging. Gaasedelen suspected that he could read the secret bootrom through the JTAG if he could access it. But Microsoft wanted to prevent exactly that, so they hid the TRST# pin for the JTAG underneath the CPU where nobody could interact with it while the system was operational. To perform this hack, Gaasedelen needed a way to access that pin while the Xbox booted normally.

Original Xbox CPU (📷: Markus Gaasedelen)

The key to achieving that access was a special "interposer" board that sits between the CPU and the Xbox mainboard. That custom PCB lets most CPU signals pass right through to the mainboard, but provides external access to the JTAG TRST# pin via a System 50 connector. As far as the Xbox is concerned, the CPU is in place as it should be. But the interposer board let Gaasedelen reach the TRST# pin. With a standard CodeTAP hardware debugger and the appropriate software, he should have been able to sniff the relevant data during startup.

But there was a problem: the system was failing its startup checks. It expects to receive an "okay" from a PIC16 microcontroller within 200ms, but the debugging hardware slowed that down. To get around that check, Gaasedelen used an Arduino Uno development board to spoof the "okay" signal and bypass the PIC16 self-check.

(📷: Markus Gaasedelen)

With that workaround, Gaasedelen was able to read all 512 bytes of the secret bootrom. If Gaasedelen had achieved that two decades ago, it would have been massive news and he would have been a hero in the mod scene. But even today, this is a very impressive accomplishment and a fantastic lesson in hardware hacking.

cameroncoward

Writer for Hackster News. Proud husband and dog dad. Maker and serial hobbyist. Check out my YouTube channel: Serial Hobbyism
