Resources

People often ask me "How did you learn how to hack?" The answer: by reading. This page is a collection of the blog posts and other articles that I have accumulated over the years of my journey. Enjoy!

JTAG 'Hacking' the Original XBOX in 2023- 1220

Markus Gaasedelen - RET2 (posted 2 years ago)
  • The original Xbox was thoroughly hacked soon after its release, through several different methods. One idea floated early on, but never realised, was using JTAG. It would have been a gold mine: a JTAG connection to the CPU gives a level of hardware debugging the console has never had.
  • Two things stood in the way. First, the CPU's TRST# line is held asserted (it is active-low), which keeps the TAP controller in reset, and the connection that does this sits underneath the BGA package, where it cannot be cut or lifted without removing the chip. Second, reverse engineering the JTAG interface of a Pentium III-class part would have been non-trivial in itself. But it's 2023, so the author gave it a try.
  • Rather than trying to modify the board in place, the author removed the CPU entirely and designed a breakout PCB so that the JTAG signals could be separated from the rest of the CPU's signals and brought out to pads. That makes the reverse engineering far easier. The boards cost about $20 USD, which is remarkably cheap.
  • What is an interposer board? For a BGA part, the idea is to solder the interposer onto the CPU's original footprint on the motherboard and then solder the CPU onto the top of the interposer. The CPU keeps functioning normally, but the interposer routes the JTAG signals out to breakout pads where they can be probed and driven.
  • That means not one but TWO BGA reflows, which is hard to do without damaging anything. With the interposer in place, the author bought a Pentium III-era JTAG debugger and tried to connect.
  • This did not work straight away. The Xbox's System Management Controller (SMC, a small microcontroller) expects the CPU to pass a set of integrity checks over I2C at the beginning of boot, and halting the CPU when the debugger attaches and then resuming it was too slow to meet the SMC's deadline, so the SMC treated the boot as failed. The author's fix was an Arduino sketch that sits on the I2C bus and satisfies the SMC on the CPU's behalf.
  • With that in place, they had a fully JTAG-debuggable Xbox. Extracting the secret ROM from it was then trivial. An interesting feat in its own right; I enjoyed the interposer board setup and the guide to performing it. Awesome post!
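The TRST# problem in that write-up is easier to appreciate in code. What follows is an added example, not code from the RET2 post or from its author: a small model of an IEEE 1149.1 TAP controller (the state machine behind every JTAG port) together with the probe-side TMS/TDI sequences a debugger uses on attach. It shows what the debugger sees while TRST# is held asserted (the TAP never leaves Test-Logic-Reset and never drives TDO, so an IDCODE read comes back as all ones) versus after the interposer frees the line. The instruction-register width, the IDCODE opcode and the 32-bit device ID are assumed placeholders, not the Xbox CPU's real values, and the all-ones reading from a held-reset TAP assumes a pull-up on TDO.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* IEEE 1149.1 TAP controller states; the enum order indexes the table below. */
enum { TLR, RTI, SEL_DR, CAP_DR, SH_DR, EX1_DR, PAU_DR, EX2_DR, UPD_DR,
       SEL_IR, CAP_IR, SH_IR, EX1_IR, PAU_IR, EX2_IR, UPD_IR };

/* next_state[tms][state]: where one TCK rising edge moves the controller. */
static const uint8_t next_state[2][16] = {
    { RTI, RTI, CAP_DR, SH_DR, SH_DR, PAU_DR, PAU_DR, SH_DR, RTI,          /* TMS=0 */
      CAP_IR, SH_IR, SH_IR, PAU_IR, PAU_IR, SH_IR, RTI },
    { TLR, SEL_DR, SEL_IR, EX1_DR, EX1_DR, UPD_DR, EX2_DR, UPD_DR, SEL_DR, /* TMS=1 */
      TLR, EX1_IR, EX1_IR, UPD_IR, EX2_IR, UPD_IR, SEL_DR },
};

#define IR_LEN        4            /* assumed IR width, not the Xbox CPU's */
#define INS_IDCODE    0x2          /* assumed opcode; real parts document theirs */
#define INS_BYPASS    0xF          /* 1149.1 requires all-ones to select BYPASS */
#define SAMPLE_IDCODE 0x0A1B2C3Du  /* constructed device ID (1149.1: LSB is 1) */

typedef struct {
    int      state;
    bool     trst_low;   /* TRST# asserted (driven low): TAP held in reset */
    uint32_t idcode;
    uint8_t  ir, ir_sr;  /* instruction register and its shift stage */
    uint32_t dr_sr;      /* shift stage of the data register IR selects */
    int      dr_len;
} tap_t;

static void tap_init(tap_t *t, uint32_t idcode, bool trst_low) {
    memset(t, 0, sizeof *t);
    t->state = TLR; t->ir = INS_IDCODE; t->idcode = idcode; t->trst_low = trst_low;
}

/* One TCK rising edge as the target sees it: perform the current state's
 * action, report what TDO showed just before the edge, then move on TMS. */
static int tap_clock(tap_t *t, int tms, int tdi) {
    if (t->trst_low) {                     /* stuck in Test-Logic-Reset */
        t->state = TLR; t->ir = INS_IDCODE;
        return 1;                          /* TDO undriven; assume a pull-up */
    }
    int tdo = 1;
    switch (t->state) {
    case CAP_DR:                           /* load the register IR selects */
        if (t->ir == INS_IDCODE) { t->dr_sr = t->idcode; t->dr_len = 32; }
        else                     { t->dr_sr = 0;         t->dr_len = 1;  }
        break;
    case SH_DR:
        tdo = t->dr_sr & 1;
        t->dr_sr = (t->dr_sr >> 1) | ((uint32_t)tdi << (t->dr_len - 1));
        break;
    case CAP_IR: t->ir_sr = 0x1; break;    /* 1149.1: low two IR bits capture as 01 */
    case SH_IR:
        tdo = t->ir_sr & 1;
        t->ir_sr = (uint8_t)((t->ir_sr >> 1) | (tdi << (IR_LEN - 1)));
        break;
    case UPD_IR: t->ir = t->ir_sr & ((1u << IR_LEN) - 1); break;
    default: break;
    }
    t->state = next_state[tms & 1][t->state];
    if (t->state == TLR) t->ir = INS_IDCODE;  /* entering reset reloads IDCODE */
    return tdo;
}

/* Probe side: clock a TMS pattern with TDI held low. */
static void tms_walk(tap_t *t, const char *bits) {
    for (; *bits; bits++) tap_clock(t, *bits == '1', 0);
}

/* Shift len bits LSB-first through the current Shift state, exiting on the last. */
static uint32_t shift_bits(tap_t *t, uint32_t in, int len) {
    uint32_t out = 0;
    for (int i = 0; i < len; i++)
        out |= (uint32_t)tap_clock(t, i == len - 1, (in >> i) & 1) << i;
    return out;
}

/* From Run-Test/Idle: load an instruction and return the captured IR bits. */
static uint32_t load_instruction(tap_t *t, uint8_t ins) {
    tms_walk(t, "1100");                   /* RTI > Sel-DR > Sel-IR > Cap-IR > Shift-IR */
    uint32_t captured = shift_bits(t, ins, IR_LEN);
    tms_walk(t, "10");                     /* Exit1-IR > Update-IR > RTI */
    return captured;
}

/* What a probe does on attach: force reset, then read the 32-bit IDCODE. */
static uint32_t read_idcode(tap_t *t) {
    tms_walk(t, "11111");                  /* five TMS=1 clocks reach TLR from anywhere */
    tms_walk(t, "0100");                   /* TLR > RTI > Sel-DR > Cap-DR > Shift-DR */
    uint32_t id = shift_bits(t, 0, 32);
    tms_walk(t, "10");                     /* Exit1-DR > Update-DR > RTI */
    return id;
}

int main(void) {
    tap_t held, live;
    tap_init(&held, SAMPLE_IDCODE, true);   /* as found: TRST# held low under the BGA */
    tap_init(&live, SAMPLE_IDCODE, false);  /* after the interposer frees TRST# */
    printf("TRST# held low : IDCODE %08x (all ones: nothing is driving TDO)\n", read_idcode(&held));
    printf("TRST# released : IDCODE %08x\n", read_idcode(&live));
    printf("IR capture     : %x (1149.1 wants the low bits to read 01)\n",
           load_instruction(&live, INS_BYPASS));
    return 0;
}
```

An IDCODE that reads as all ones or all zeros, or whose low bit is 0, is the first thing to check when a JTAG attach fails: it means no TAP is driving TDO, and a held TRST#, a wrong pinout and a chain that is not actually connected all produce the same symptom. The IR capture value (low bits 01) is the second cheap liveness check, since it does not depend on knowing the part's ID or opcodes.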