Cracking the Xbox DVR Code: What Really Happens When You Reverse Engineer Microsoft's Game Clips
The Mission
Well, for people who don't know: the Xbox One lets you record and share game clips and screenshots. Cool, right?
I bought an Xbox One and play it most nights while listening to podcasts. During episode 355 of the Rooster Teeth podcast, the hosts were talking about being able to share and view each other's videos, and that it was impossible to see the stuff a user doesn't share (the private ones).
Well, in a moment of madness I started writing a JavaScript script and website that would let you fetch users' videos and game clips by their gamertag.
My goals:
- Decode Xbox's API structure
- Build a tool to fetch any player's content
- Create what Microsoft wouldn't: a way to see friends' clips
- See if "private" really meant private (spoiler: it didn't)
Let's walk through how two hours of late-night coding led to a tool that got Major Nelson's attention.
The Initial Discovery: Inspecting Xbox's Website
I started by opening the official Xbox website where your own game clips are stored. Time to dig into Chrome DevTools.
After poking around the Network tab, I found something interesting. Xbox was loading JSON files directly in the browser. The URL looked like this:
https://account.xbox.com/en-us/gameclips/loadByUser?gamerTag=YOUR_GAMERTAG
The kicker? No authentication required. Just swap out the gamertag, and you could fetch anyone's clips.
Breaking Down the JSON Structure
Here's what the API returned:
{
"result": true,
"data": {
"ContinuationToken": null,
"Screenshots": [
{
"Id": "9e8a5803-a495-4a29-b21a-c64602434393",
"Uri": "http://screenshotscontent-t5002.xboxlive.com/...",
"Preview": "http://screenshotscontent-t5002.xboxlive.com/.../Thumbnail_Large.PNG",
"Thumbnail": "http://screenshotscontent-t5002.xboxlive.com/.../Thumbnail_Small.PNG",
"CaptureTime": "Uploaded 8/5/2015",
"ViewCount": 4,
"TitleName": "FIFA 14",
"OwnerGamerTag": null
}
]
}
}
Key findings:
- Uri: Direct link to the full-resolution screenshot/video
- ContinuationToken: Used for pagination (12 items per batch)
- ViewCount: Shows how many times it's been viewed
- TitleName: The game it's from
The continuation token was particularly interesting. If someone had more than 12 clips, you needed to chain requests:
// Fetch next batch using the token
const nextBatch = `https://account.xbox.com/en-us/gameclips/loadByUser?gamerTag=${tag}&ContinuationToken=${token}`;
Building the Extraction Tool
Two hours and several energy drinks later, I had a working JavaScript library. Quick disclaimer: this is the original code from 2015, so it might not be the prettiest thing you've ever seen!
Here's the core functionality:
class XboxMediaFetcher {
  constructor(gamerTag) {
    this.gamerTag = encodeURIComponent(gamerTag);
    this.baseUrl = 'https://account.xbox.com/en-us/';
  }
  // Fetch one page of clips or screenshots. Returns null on any failure so that
  // callers can stop instead of re-requesting the same page forever.
  async fetchClips(type = 'gameclips', continuationToken = null) {
    let url = `${this.baseUrl}${type}/loadByUser?gamerTag=${this.gamerTag}`;
    if (continuationToken) {
      url += `&ContinuationToken=${encodeURIComponent(continuationToken)}`;
    }
    try {
      const response = await fetch(url);
      if (!response.ok) {
        throw new Error(`HTTP ${response.status}`);
      }
      const data = await response.json();
      if (data.result) {
        return {
          items: data.data[type === 'gameclips' ? 'GameClips' : 'Screenshots'] || [],
          nextToken: data.data.ContinuationToken
        };
      }
    } catch (error) {
      console.error('Failed to fetch:', error);
    }
    return null;
  }
  async getAllContent() {
    let allClips = [];
    let allScreenshots = [];
    let token = null;
    // Fetch all game clips, following the continuation token until it is null
    do {
      const result = await this.fetchClips('gameclips', token);
      if (!result) break; // a failed page would otherwise loop on the same token
      allClips = allClips.concat(result.items);
      token = result.nextToken;
    } while (token);
    // Reset for screenshots
    token = null;
    // Fetch all screenshots the same way
    do {
      const result = await this.fetchClips('screenshots', token);
      if (!result) break;
      allScreenshots = allScreenshots.concat(result.items);
      token = result.nextToken;
    } while (token);
    return { clips: allClips, screenshots: allScreenshots };
  }
}
Making It User-Friendly
I wrapped this in a simple web interface with configurable parameters:
// Configuration flags
const config = {
  flag: 1,          // 1 = all content, 0 = random item
  type: 'both',     // 'screenshots', 'gameclips', or 'both'
  gamerTag: '',     // Target gamertag
  width: 854,       // Player width
  height: 480,      // Player height
  limit: 50         // Max items to fetch
};
// Usage example (top-level await, so this runs inside an ES module or an async function)
const fetcher = new XboxMediaFetcher('Major Nelson');
const content = await fetcher.getAllContent();
console.log(`Found ${content.clips.length} clips and ${content.screenshots.length} screenshots`);
The Launch: Reddit Goes Wild
I posted my creation on r/roosterteeth at 2 AM with the title "Listened to Podcast 335, Made an Xbox One Video Downloader."
The response was immediate and overwhelming:
- 500+ upvotes overnight
- Dozens of comments from excited users
- People finally able to see their friends' clips
- Compilations being created left and right
- And one comment thread that would change everything
The community loved it. They were finally able to do what the Rooster Teeth hosts had wished for: see their friends' game clips and screenshots without jumping through hoops.
Major Nelson Enters the Chat
Here's where things got interesting. In the Reddit thread, someone jokingly suggested summoning Major Nelson (Larry Hryb, Xbox's Director of Programming and community manager at the time) by typing his username three times:
/u/majornelson
/u/majornelson
/u/majornelson
And then... he actually showed up.
Major Nelson himself commented: "That's cool - but it's scraping Xbox.com right? The web team won't like that :|"
Someone asked him about embedding game clips on other websites, and he replied that the only official way was through OneDrive sharing. The thread had caught the attention of Xbox's most visible community figure, and suddenly my little project was on Microsoft's radar.
The Plot Twist: Xbox Strikes Back
Four months after launch, everything stopped working.
The JSON endpoints now returned:
{
"error": "Authorization required",
"code": 401
}
Xbox had added authentication to the API. The timing wasn't coincidental; several gaming news sites had picked up the story about my tool.
What Actually Worked
Before the shutdown, the tool could:
- Fetch any public Xbox One game clip or screenshot
- Bypass "private" settings (they weren't actually private)
- Download full-resolution media files
- Chain requests to get entire libraries
- Generate direct links that worked without Xbox Live
Here's the thing: Xbox's privacy settings were more like suggestions. The API didn't respect them at all.
What Xbox Changed
After my tool gained traction, Microsoft implemented:
- OAuth authentication for all API endpoints
- Proper privacy controls that actually worked
- Rate limiting to prevent mass scraping
- Token expiration on media URLs
Essentially, they rebuilt their entire media API security model.
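To make concrete the difference between the original loadByUser behaviour ("the API didn't respect them at all") and the server-side privacy enforcement listed above, here is an added illustration that is neither the original tool nor Microsoft's code: a constructed clip list filtered by the caller's relationship to the owner. The visibility levels, friend list, account-level cap and every function name below are assumptions.

```javascript
// Added illustration (not the original tool or Microsoft's code): the same
// loadByUser response shape, once without and once with server-side checks.
// Visibility levels, the friend list and all names below are assumptions.
const LEVEL = { private: 0, friends: 1, everyone: 2 };

// Constructed owner record: account-level sharing cap plus a friend list
const ownerSettings = {
  gamerTag: 'ExampleOwner',
  friends: new Set(['BuddyOne']),
  shareClips: 'everyone', // account-wide cap: 'private' | 'friends' | 'everyone'
};

// Constructed clips with a per-item visibility, mirroring the JSON fields above
const clips = [
  { Id: 'clip-1', TitleName: 'FIFA 14', Visibility: 'everyone' },
  { Id: 'clip-2', TitleName: 'FIFA 14', Visibility: 'friends' },
  { Id: 'clip-3', TitleName: 'FIFA 14', Visibility: 'private' },
];

// Who is asking, taken from an authenticated session rather than a query string
function relationship(owner, requesterTag) {
  if (requesterTag === owner.gamerTag) return 'owner';
  if (owner.friends.has(requesterTag)) return 'friend';
  return 'other'; // a signed-in stranger is treated like the public
}

// Effective visibility is the stricter of the item setting and the account cap
function canView(owner, clip, rel) {
  if (rel === 'owner') return true;
  const effective = Math.min(LEVEL[clip.Visibility], LEVEL[owner.shareClips]);
  if (effective === LEVEL.everyone) return true;
  if (effective === LEVEL.friends) return rel === 'friend';
  return false;
}

// The 2015 behaviour described in the post: the gamerTag parameter is the only
// input, so every stored item is returned no matter who asks.
function loadByUserOriginal(allClips) {
  return { result: true, data: { ContinuationToken: null, GameClips: allClips } };
}

// The hardened shape: no session means 401, otherwise filter before serialising
function loadByUserEnforced(owner, allClips, requesterTag) {
  if (!requesterTag) return { error: 'Authorization required', code: 401 };
  const rel = relationship(owner, requesterTag);
  const visible = allClips.filter((c) => canView(owner, c, rel));
  return { result: true, data: { ContinuationToken: null, GameClips: visible } };
}
```

The point is that the filter runs on the server against the session identity; a client-side setting that the API never consults, as in the original, is no control at all.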
Conclusions and Takeaways
- Xbox's original API had zero authentication (seriously, none)
- Privacy settings were client-side only
- A single Reddit post can spark major security changes
- Sometimes annoying big companies leads to better security for everyone
Was this a clever hack? Not really; the door was wide open.
Was it fun watching Microsoft scramble to fix it? Absolutely.
Did I technically help improve Xbox Live security? I'd like to think so.
The Legacy
The code still lives on GitHub as a monument to simpler, less secure times. You can't use it anymore, but it's a fun piece of gaming history.
While Major Nelson was polite in the Reddit thread, the fact that the API got locked down shortly after he acknowledged the tool... well, the message was received loud and clear. The Xbox web team definitely wasn't happy!
Want more stories about accidental exploits and late-night coding adventures? Find me on Twitter.
And remember: always check if your "private" settings actually do anything. You might be surprised.