JTAGulator - Grand Idea Studio
Assisted Discovery of On-Chip Debug Interfaces
Joe Grand, Grand Idea Studio, Inc.
www.jtagulator.com
Agenda
• Introduction
• Inspiration / Other Art
• Identifying Interfaces
• Design Requirements
• Hardware
• Firmware
• On-Chip Debug Interfaces
• Examples / Demonstration
• Limitations
• Future Work
Introduction
• On-chip debug interfaces are a well-known attack vector
- Used as a stepping stone to further an attack
- Can provide chip-level control of a target device: extract program code or data, modify memory contents, affect device operation on-the-fly
• Inconvenient for vendor to remove functionality
- Would prevent capability for legitimate personnel
- Obfuscated or password protected instead
Introduction 2
• Identifying OCD interfaces can sometimes be difficult and/or time consuming
← http://spritesmods.com/?art=hddhack
Goals
• Create an easy-to-use tool to simplify the process
• Attract non-HW folks to HW hacking
Inspiration
• Hunz's JTAG Finder
- http://elinux.org/JTAG_Finder
• JTAGenum & RS232enum
- http://deadhacker.com/tools/
• DARPA Cyber Fast Track
- www.cft.usma.edu
Other Art
• An Open JTAG Debugger (GoodFET), Travis Goodspeed, DEFCON 17
- http://defcon.org/html/links/dc-archives/dc-17archive.html#Goodspeed2
• Blackbox JTAG Reverse Engineering, Felix Domke, 26C3
- http://events.ccc.de/congress/2009/Fahrplan/attachments/1435_JTAG.pdf
Other Art 2
• Forensic Imaging of Embedded Systems using JTAG, Marcel Breeuwsma (NFI), Digital Investigation Journal, March 2006
- http://www.sciencedirect.com/science/article/pii/S174228760600003X
Identifying Interfaces: External
• Accessible to the outside world
- Device programming or final system test
• Usually hidden or protected
- Intended for engineers or manufacturers
- Underneath batteries
- Behind stickers/covers
• May be a proprietary/non-standard connector
Identifying Interfaces: Internal
• Test points or unpopulated pads
• Silkscreen markings or notation
• Easy-to-access locations
Identifying Interfaces: Internal 2
• Familiar target or based on common pinout
- Often single- or double-row footprint
- JTAG: www.jtagtest.com/pinouts/
← www.blackhat.com/html/bh-us-10/bh-us-10-archives.html#Jack
→ www.nostarch.com/xboxfree
Identifying Interfaces: Internal 3
• Can use PCB/design heuristics
- Traces of similar function are grouped together (bus)
- Test points usually placed on important/interesting signals
- Array of pull-up/pull-down resistors (to set static state of pins)
← http://elinux.org/images/d/d6/Jtag.pdf
Identifying Interfaces: Internal 4
• Might be covered by soldermask
← Linksys WRT54G2 v1.3
→ http://elinux.org/File:Peekjtag3.png
Identifying Interfaces: Internal 5
• More difficult to locate when available only on component pads
*** www.dd-wrt.com/wiki/index.php/JTAG_pinouts#Buffalo_WLA-G54C
Manually Determining Pin Function
• Identify test points/connector & target device
• Trace connections
- Visually or w/ multimeter in continuity mode
- Use data sheet to match pin number to function
- For devices where pins aren't accessible (BGA), remove device or use X-ray
• Probe connections
- Use oscilloscope or logic analyzer
- Pull pins high or low, observe results, repeat
- Logic state or number of pins can help to make educated guesses
Manually Determining Pin Function 2
← http://forum.xda-developers.com/wiki/WallabyJTAG
Design Requirements
• Open source/hackable/expandable
• Simple command-based interface
• Input protection
• Adjustable target voltage
• Off-the-shelf components
• Hand solderable (if desired)
Hardware
Block Diagram
• Host PC <-> USB Mini-B <-> Serial-to-USB (FT232RL) <-> MCU (Parallax Propeller)
• USB 5V -> Power Switch (MIC2025-2YM) -> LDO (LD1117S33TR) -> 3.3V
• EEPROM (24LC512) <-> MCU, 2 lines (I2C)
• Status Indicator (WP59EGW bi-color LED) <- MCU, 2 lines
• MCU -> 1 line (PWM) -> D/A (AD8655) -> 1.2V - 3.3V, ~13mV/step (target voltage, VADJ)
• MCU <-> 24 lines -> Voltage Level Translators (3x TXS0108EPWR) -> Input Protection Circuitry -> Target Device
PCB
• Input protection
• Target I/F (24 channels)
• Level translation
• Propeller
• Status
• USB
• Op-Amp/DAC
*** 2x5 headers compatible w/ Bus Pirate probes, http://dangerousprototypes.com/docs/Bus_Pirate
Assembly Drawing
Schematic: Main
(Schematic sheet "JTAGulator: Main". The pin and net labels of the drawing do not survive extraction; the legible content of the sheet is:)
• U1 FT232RL USB-to-serial UART; P1 UX60-MB-5S8 USB Mini-B connector to host; L1 ferrite bead (220R@100MHz) on VUSB; C1, C2 0.01uF
• U3 MIC2025-2YM power distribution switch: USB 5V (VUSB) -> 5V0, enabled from the FT232RL after enumeration
• U6 LD1117S33 LDO: 5V0 -> 3V3; C7 10uF, C8/C10 4.7uF and 0.1uF decoupling on VUSB, 5V0 and 3V3
• U2 Propeller (P8X32A-Q44) with Y1 5.0MHz crystal (XI/XO), SW1 SPST reset switch, Q1 2N3904 reset transistor, R1-R4 10k
• U4 24LC512-I/SN serial EEPROM on PROPSDA/PROPSCL (I2C)
• D1 WP59EGW red/green status LED on LEDR/LEDG via R5 470 and R6 270
• U5 AD8655ARZ op-amp: DACOUT (PWM from Propeller) -> RC filter (R7 18k, R8 8.2k, R9 100k, C4 1000pF, C5 470pF) -> VADJ; 0-3.3V @ 256 steps, ~13mV/step, ~150mA max. Iout
• P[23...0] Propeller I/O to the target interface sheet; TXSOE enables the level translators
NOTE: RESISTORS ARE IN OHMS +/- 5% AND CAPACITORS ARE IN MICROFARADS UNLESS OTHERWISE NOTED. SEE BOM FOR ACTUAL VOLTAGE AND SPECIFICATION.
Schematic: Target Interface
(Schematic sheet "JTAGulator: Target Interface". The pin and net labels of the drawing do not survive extraction; the legible content of the sheet is:)
• Diode limiters for input protection: Vf must be < 0.5V to prevent damage to level translators
• U9, U12, U15 TXS0108EPWR bidirectional level translators, 8 channels each: Propeller P[23...0] on the 3V3 side, CH0-CH23 on the VADJ side; OE driven by TXSOE with R10 10k
- TXS0108E constraints: VCCA <= VCCB; VCCA range 1.2V to 3.6V; VCCB range 1.7V to 5.5V
• U7, U8, U10, U11, U13, U14 NUP4302MR6 Schottky diode arrays (4 channels each) clamp the 24 channel lines to VADJ and GND
• R11, R12, R13 1k resistor arrays (8 isolated each) on the 24 channel lines
• P7, P8, P9 2x5 headers (961210-6404-AR): CH0-CH7, CH8-CH15, CH16-CH23 plus VADJ and GND; compatible w/ Bus Pirate 3.x probe/interface cable (probe wire colors noted on the sheet: Red, Yellow, Blue, Grey, Black, Brown, Orange = VADJ, Green, Purple, White)
• P2-P6 5-pin terminal blocks (TE 282834-5): CH0-CH23 and GND
• C17-C22 0.1uF decoupling on 3V3 and VADJ
NOTE: RESISTORS ARE IN OHMS +/- 5% AND CAPACITORS ARE IN MICROFARADS UNLESS OTHERWISE NOTED. SEE BOM FOR ACTUAL VOLTAGE AND SPECIFICATION.
Development
Propeller/Core
• Completely custom, ground up, open source
• 8 parallel 32-bit processors (cogs)
• Code in Spin, ASM, or C
*** INFORMATION: www.parallax.com/propeller/
*** DISCUSSION FORUMS: http://forums.parallax.com
*** OBJECT EXCHANGE: http://obex.parallax.com
Propeller/Core 2
• Clock: DC to 128MHz (80MHz recommended)
• Global (hub) memory: 32KB RAM, 32KB ROM
• Cog memory: 2KB RAM each
• GPIO: 32 @ 40mA sink/source per pin
• Program code loaded from external EEPROM on power-up
Propeller/Core 3
• Standard development using Propeller Tool & Parallax Serial Terminal (Windows)
• Programmable via serial interface (usually in conjunction w/ USB-to-serial IC)
Propeller/Core 4
Propeller/Core 5
USB Interface
• Allows for Propeller programming & UI
• Powers JTAGulator from bus (5V)
• FT232RL USB-to-Serial UART
- Entire USB protocol handled on-chip
- Host will recognize it as a virtual serial port (Windows, OS X, Linux)
• MIC2025 Power Distribution Switch
- Internal current limiting, thermal shutdown
- Let the FT232 enumerate first (@ < 100mA), then enable system load
USB Interface 2
Adjustable Target Voltage (VADJ)
• PWM from Propeller
- Duty cycle corresponds to output voltage
- Look-up table in 0.1V increments (1.2V-3.3V)
• AD8655 Low Noise, Precision CMOS Amplifier
- Single supply, rail-to-rail
- Voltage follower configuration
- ~150mA output current @ Vo = 1.2V-3.3V
Level Translation
• Allows 3.3V signals from Propeller to be converted to VADJ
• Prevents potential damage due to over-voltage on target device's unknown connections
• TXS0108E Bidirectional Voltage-Level Translator
- Designed for both open drain and push-pull interfaces
- Automatic signal direction detection
- Internal pull-up resistors (40kΩ when driving low, 4kΩ when high)
- High-Z outputs when OE low -> will not interfere with target when not in use
Level Translation 2
Input Protection
• Prevent high voltages/spikes on unknown pins from damaging JTAGulator
• Diode limiter clamps input if needed
• Vf must be < 0.5V to protect TXS0108Es
Input Protection 2
• NUP4302MR6 Schottky Diode Array
- Vf @ 1mA = 0.2V typ., 0.35V max.
- Vf @ 10mA = 0.25V typ., 0.45V max.
- Alternate: SD103ASDM
Bill-of-Materials
JTAGulator Bill-of-Materials, HW B, Document 1.0, April 19, 2013
┌──────┬─────┬───────────────────────────────────┬─────────────────────┬───────────────────┬──────────────────────┬──────────────────────────────────────────────────────┐
│ Item │ Qty │ Reference                         │ Manufacturer        │ Manuf. Part #     │ Digi-Key Part #      │ Description                                          │
├──────┼─────┼───────────────────────────────────┼─────────────────────┼───────────────────┼──────────────────────┼──────────────────────────────────────────────────────┤
│    1 │   2 │ C1, C2                            │ Kemet               │ C1206C103K5RACTU  │ 399-1234-1-ND        │ Capacitor, 0.01uF ceramic, 10%, 50V, X7R, 1206       │
│    2 │  14 │ C3, C6, C9, C11, C12, C13, C14,   │ Kemet               │ C1206C104K5RACTU  │ 399-1249-1-ND        │ Capacitor, 0.1uF ceramic, 10%, 50V, X7R, 1206        │
│      │     │ C15, C17, C18, C19, C20, C21, C22 │                     │                   │                      │                                                      │
│    3 │   1 │ C4                                │ Yageo               │ CC1206KRX7R9BB102 │ 311-1170-1-ND        │ Capacitor, 1000pF ceramic, 10%, 50V, X7R, 1206       │
│    4 │   1 │ C5                                │ Yageo               │ CC1206KRX7R9BB471 │ 311-1167-1-ND        │ Capacitor, 470pF ceramic, 10%, 50V, X7R, 1206        │
│    5 │   1 │ C7                                │ Kemet               │ T491A106M016AS    │ 399-3687-1-ND        │ Capacitor, 10uF tantalum, 20%, 16V, size A           │
│    6 │   2 │ C8, C10                           │ Kemet               │ T491A475K016AT    │ 399-3697-1-ND        │ Capacitor, 4.7uF tantalum, 10%, 16V, size A          │
│    7 │   1 │ D1                                │ Kingbright          │ WP59EGW           │ 754-1232-ND          │ LED, Red/Green Bi-Color, T-1 3/4 (5mm)               │
│    8 │   1 │ L1                                │ TDK                 │ MPZ2012S221A      │ 445-1568-1-ND        │ Inductor, Ferrite Bead, 220R@100MHz, 3A, 0805        │
│    9 │   1 │ P1                                │ Hirose Electric     │ UX60-MB-5S8       │ H2960CT-ND           │ Connector, Mini-USB, 5-pin, SMT w/ PCB mount         │
│   10 │   5 │ P2, P3, P4, P5, P6                │ TE Connectivity     │ 282834-5          │ A98336-ND            │ Connector, Terminal Block, 5-pin, side entry, 0.1” P │
│   11 │   3 │ P7, P8, P9                        │ 3M                  │ 961210-6404-AR    │ 3M9460-ND            │ Header, Dual row, Vertical header, 2x5-pin, 0.1” P   │
│   12 │   1 │ Q1                                │ Fairchild           │ MMBT3904          │ MMBT3904FSCT-ND      │ Transistor, NPN, 40V, 200mA, SOT23-3                 │
│   13 │   5 │ R1, R2, R3, R4, R10               │ Any                 │ Any               │ P10KECT-ND           │ Resistor, 10k, 5%, 1/4W, 1206                        │
│   14 │   1 │ R5                                │ Any                 │ Any               │ P470ECT-ND           │ Resistor, 470 ohm, 5%, 1/4W, 1206                    │
│   15 │   1 │ R6                                │ Any                 │ Any               │ P270ECT-ND           │ Resistor, 270 ohm, 5%, 1/4W, 1206                    │
│   16 │   1 │ R7                                │ Any                 │ Any               │ P18.0KFCT-ND         │ Resistor, 18k, 1%, 1/4W, 1206                        │
│   17 │   1 │ R8                                │ Any                 │ Any               │ P8.20KFCT-ND         │ Resistor, 8.2k, 1%, 1/4W, 1206                       │
│   18 │   1 │ R9                                │ Any                 │ Any               │ P100KECT-ND          │ Resistor, 100k, 5%, 1/4W, 1206                       │
│   19 │   3 │ R11, R12, R13                     │ Bourns              │ 4816P-1-102LF     │ 4816P-1-102LFCT-ND   │ Resistor, Array, 8 isolated, 1k, 2%, 1/6W, SOIC16    │
│   20 │   1 │ SW1                               │ C&K                 │ KSC201JLFS        │ 401-1756-1-ND        │ Switch, SPST, Momentary, 120gf, 6.2 x 6.2mm, J-Lead  │
│   21 │   1 │ U1                                │ FTDI                │ FT232RL-REEL      │ 768-1007-1-ND        │ IC, USB-to-UART Bridge, SSOP28                       │
│   22 │   1 │ U2                                │ Parallax            │ P8X32A-Q44        │ P8X32A-Q44-ND        │ IC, Microcontroller, Propeller, LQFP44               │
│   23 │   1 │ U3                                │ Micrel              │ MIC2025-2YM       │ 576-1058-ND          │ IC, Power Distribution Switch, Single-channel, SOIC8 │
│   24 │   1 │ U4                                │ Microchip           │ 24LC512-I/SN      │ 24LC512-I/SN-ND      │ IC, Memory, Serial EEPROM, 64KB, SOIC8               │
│   25 │   1 │ U5                                │ Analog Devices      │ AD8655ARZ         │ AD8655ARZ-ND         │ IC, Op. Amp., CMOS, Rail-to-rail, 220mA Iout, SOIC8  │
│   26 │   1 │ U6                                │ ST Microelectronics │ LD1117S33CTR      │ 497-1241-1-ND        │ IC, Voltage Regulator, LDO, 3.3V@800mA, SOT223       │
│   27 │   6 │ U7, U8, U10, U11, U13, U14        │ ON Semiconductor    │ NUP4302MR6T1G     │ NUP4302MR6T1GOSCT-ND │ IC, Schottky Diode Array, 4 channel, TSOP6           │
│   28 │   3 │ U9, U12, U15                      │ Texas Instruments   │ TXS0108EPWR       │ 296-23011-1-ND       │ IC, Level Translator, Bi-directional, TSSOP20        │
│   29 │   1 │ Y1                                │ ECS                 │ ECS-50-18-4XEN    │ XC1738-ND            │ Crystal, 5.0MHz, 18pF, HC49/US                       │
│   30 │   1 │ PCB                               │ Any                 │ JTAG B            │ N/A                  │ PCB, Fabrication                                     │
└──────┴─────┴───────────────────────────────────┴─────────────────────┴───────────────────┴──────────────────────┴──────────────────────────────────────────────────────┘
• All components from Digi-Key
• Total cost per unit = $50.73
Firmware (as of v1.2.1)
Source Tree
Cogs
• Spin Interpreter (Cog 0)
• PropSerial (fork of Parallax Serial Terminal) (ser)
• RealRandom (rr)
• JDCogSerial (uart)
Propeller Resources
On-Chip Debug Interfaces
• JTAG
• UART
JTAG
• Industry-standard interface (IEEE 1149.1)
- Created for chip- and system-level testing
- http://en.wikipedia.org/wiki/Joint_Test_Action_Group
• Defines low-level functionality of finite state machine/Test Access Port (TAP)
• Provides a direct interface to hardware
- Can "hijack" all pins on the device (boundary scan/test)
- Can access other devices connected to target chip
- Programming/debug interface (access to Flash, RAM)
- Vendor-defined functions/test modes might be available
JTAG 2
• Multiple devices can be "chained" together for communication to all via a single JTAG port
- Even multiple dies within the same chip package
- Different vendors may not play well together
• Development environments abstract low-level functionality from the user
- Implementations are device- or family-specific
- As long as we can locate the interface/pinout, let other tools do the rest
JTAG 3
*** ruxconbreakpoint.com/assets/slides/pres_sprite_tm.pdf
JTAG: Architecture
• Synchronous serial interface
→ TDI = Data In (to target device)
← TDO = Data Out (from target device)
→ TMS = Test Mode Select
→ TCK = Test Clock
→ /TRST = Test Reset (optional, for asynchronous reset)
• Test Access Port (TAP) w/ shift registers
- Instruction (>= 2 bits wide)
- Data: Bypass (1 bit), Boundary Scan (variable), Device ID (32 bit, optional)
JTAG: Architecture 2
JTAG: TAP Controller
*** State transitions occur on rising edge of TCK based on current state and value of TMS
*** TAP provides 4 major operations: Reset, Run-Test, Scan DR, Scan IR
*** Can move to Reset state from any other state w/ TMS high for 5x TCK
*** 3 primary steps in Scan: Capture, Shift, Update
*** Data held in "shadow" latch until Update state
JTAG: Instructions
┌────────────────┬───────────┬────────┬────────────────────────────────────────────────────────────────────────┐
│ Name           │ Required? │ Opcode │ Description                                                            │
├────────────────┼───────────┼────────┼────────────────────────────────────────────────────────────────────────┤
│ BYPASS         │ Y         │ All 1s │ Bypass on-chip system logic. Allows serial data to be transferred      │
│                │           │        │ from TDI to TDO without affecting operation of the IC.                 │
├────────────────┼───────────┼────────┼────────────────────────────────────────────────────────────────────────┤
│ SAMPLE/PRELOAD │ Y         │ Varies │ Used for controlling (preload) or observing (sample) the signals at    │
│                │           │        │ device pins. Enables the boundary scan register.                       │
├────────────────┼───────────┼────────┼────────────────────────────────────────────────────────────────────────┤
│ EXTEST         │ Y         │ All 0s │ Places the IC in external boundary test mode. Used to test device      │
│                │           │        │ interconnections. Enables the boundary scan register.                  │
├────────────────┼───────────┼────────┼────────────────────────────────────────────────────────────────────────┤
│ INTEST         │ N         │ Varies │ Used for static testing of internal device logic in a single-step      │
│                │           │        │ mode. Enables the boundary scan register.                              │
├────────────────┼───────────┼────────┼────────────────────────────────────────────────────────────────────────┤
│ RUNBIST        │ N         │ Varies │ Places the IC in a self-test mode and selects a user-specified data    │
│                │           │        │ register to be enabled.                                                │
├────────────────┼───────────┼────────┼────────────────────────────────────────────────────────────────────────┤
│ CLAMP          │ N         │ Varies │ Sets the IC outputs to logic levels as defined in the boundary scan    │
│                │           │        │ register. Enables the bypass register.                                 │
├────────────────┼───────────┼────────┼────────────────────────────────────────────────────────────────────────┤
│ HIGHZ          │ N         │ Varies │ Sets all IC outputs to a disabled (high impedance) state. Enables      │
│                │           │        │ the bypass register.                                                   │
├────────────────┼───────────┼────────┼────────────────────────────────────────────────────────────────────────┤
│ IDCODE         │ N         │ Varies │ Enables the 32-bit device identification register. Does not affect     │
│                │           │        │ operation of the IC.                                                   │
├────────────────┼───────────┼────────┼────────────────────────────────────────────────────────────────────────┤
│ USERCODE       │ N         │ Varies │ Places user-defined information into the 32-bit device                 │
│                │           │        │ identification register. Does not affect operation of the IC.          │
└────────────────┴───────────┴────────┴────────────────────────────────────────────────────────────────────────┘
JTAG: SW Tools
• OpenOCD (Open On-Chip Debugger)
- http://openocd.sourceforge.net
• UrJTAG (Universal JTAG Library)
- www.urjtag.org
JTAG: HW Tools
• Bus Blaster (open source)
- http://dangerousprototypes.com/docs/Bus_Blaster
• Wiggler or compatible (parallel port)
- ftp://www.keith-koep.com/pub/arm-tools/jtag/jtag05_sch.pdf
• SEGGER J-Link
- www.segger.com/debug-probes.html
• H-JTAG
- www.hjtag.com/en/
JTAG: HW Tools 2
• Arium + SourcePoint
- www.arium.com
• RIFF Box
- www.jtagbox.com
• Many Others...
- http://openocd.sourceforge.net/doc/html/DebugAdapter-Hardware.html
JTAG: Protection
• Implementation specific
• Security fuse physically blown prior to release
- Could be repaired w/ silicon die attack
• Password required to enable functionality
- Ex.: Flash erased after n attempts (so perform n-1), then reset and continue
• May allow BYPASS, but prevent higher level functionality
- Ex.: TI MSP430
IDCODE Scan
• 32-bit Device ID (if available) is in the DR on TAP reset or IC power-up
- Otherwise, TAP will reset to BYPASS (LSB = 0)
- Can simply enter Shift-DR state and clock out on TDO, LSB first
- TDI not required/used during IDCODE acquisition
IDCODE Scan 2
• Device ID values vary with part/family/vendor
- Locate in data sheets, BSDL files, reference code, etc.
• Manufacturer ID provided by JEDEC
- Each manufacturer assigned a unique identifier
- http://www.jedec.org/standards-documents/results/jep106
- Can use to help validate that proper IDCODE was retrieved
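The field split that the validation above relies on, as an added example (not JTAGulator firmware, which is written in Spin): a decoder for the generic IEEE 1149.1 Device ID layout (version, part number, JEDEC manufacturer identity, fixed 1 in bit 0), the ARM-specific split of the part-number field per ARM DAI0099C, and the plausibility check a blind DR read needs. The sample IDs are the ones listed later in this deck under JTAG: Examples; the JEP106 continuation/code split of the 11-bit manufacturer field is per the JEDEC convention, and the named functions are this example's own.

```python
"""Decode a 32-bit JTAG Device ID into its IEEE 1149.1 fields and sanity-check
it. Added example, not JTAGulator firmware. Layout per IEEE 1149.1: version
[31:28], part number [27:12], manufacturer identity [11:1], constant 1 in
bit 0; the 11-bit manufacturer field carries a JEDEC JEP106 code as
(number of 0x7F continuation bytes) << 7 | 7-bit code (parity bit dropped).
The ARM-specific split of the part-number field follows ARM DAI0099C. The
sample IDs are the ones listed under JTAG: Examples in this deck."""
from dataclasses import dataclass
from typing import Dict, Iterable


@dataclass(frozen=True)
class IdCode:
    version: int       # bits 31..28
    part_number: int   # bits 27..12
    manufacturer: int  # bits 11..1 as stored (11 bits)
    jep106_bank: int   # continuation-byte count, bits 11..8
    jep106_code: int   # 7-bit identifier, bits 7..1


def is_plausible_idcode(word: int) -> bool:
    """What a blind Shift-DR read returns when nothing answered: all ones
    (TDO floating/pulled up) or bit 0 clear (TAP reset into BYPASS, TDO stuck
    low, or the register boundary was misjudged). Both are discarded by the scan."""
    word &= 0xFFFFFFFF
    return word != 0xFFFFFFFF and (word & 1) == 1


def decode_idcode(word: int) -> IdCode:
    if not is_plausible_idcode(word):
        raise ValueError(f"0x{word:08X} is not a plausible IDCODE")
    mfr = (word >> 1) & 0x7FF
    return IdCode(version=(word >> 28) & 0xF,
                 part_number=(word >> 12) & 0xFFFF,
                 manufacturer=mfr,
                 jep106_bank=(mfr >> 7) & 0xF,
                 jep106_code=mfr & 0x7F)


def decode_arm_part_number(word: int) -> Dict[str, int]:
    """ARM's use of bits 27..12 (DAI0099C): bit 27 core-ID flag, 26..24
    capability, 23..20 family (0x7 = ARM7), 19..12 device number."""
    return {"core_id": (word >> 27) & 0x1, "capability": (word >> 24) & 0x7,
            "family": (word >> 20) & 0xF, "device_number": (word >> 12) & 0xFF}


def consistent_vendor(words: Iterable[int]) -> bool:
    """Cross-check for a multi-device read: IDs from one chain read that carry
    different JEP106 codes are not necessarily wrong (multi-vendor chains
    exist), but a misaligned read is the more common explanation."""
    return len({decode_idcode(w).manufacturer for w in words}) <= 1


def describe(word: int) -> str:
    d = decode_idcode(word)
    return (f"0x{word:08X}: version {d.version}, part 0x{d.part_number:04X}, "
            f"manufacturer 0x{d.manufacturer:03X} (JEP106 bank {d.jep106_bank}, "
            f"code 0x{d.jep106_code:02X})")


if __name__ == "__main__":
    for sample in (0x01C0601D, 0x0471017F, 0x6003C0E1, 0x027831CB, 0x027B51CB):
        print(describe(sample))
    print("ARM fields:", decode_arm_part_number(0x027831CB))
    print("same vendor in 7290 chain:", consistent_vendor([0x027831CB, 0x027B51CB]))
    print("rejected:", [hex(w) for w in (0xFFFFFFFF, 0x0471017E) if not is_plausible_idcode(w)])
```

The bank/code split matters when looking a vendor up in JEP106: the 11-bit field 0x0BF, for example, is bank 1 (one 0x7F continuation byte) followed by code 0x3F, not a single-byte code 0xBF.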
IDCODE Scan 3
• Ask user for number of channels to use
• For every possible pin permutation of TCK, TMS, and TDO (TDI is not needed to read the DR)
- Set unused channels to output high (in case of any active low reset pins)
- Configure JTAG pins to use on the Propeller
- Reset the TAP
- Try to get the Device ID by reading the DR
- If Device ID is 0xFFFFFFFF or if bit 0 != 1, ignore
- Otherwise, display potentially valid JTAG pinout
- Try remaining permutations to locate /TRST by setting each pin low and checking if Device ID can still be retrieved
BYPASS Scan
• In BYPASS, data shifted into TDI is received on TDO delayed by one clock cycle
BYPASS Scan 2
• Can determine how many devices (if any) are in the chain via "blind interrogation"
- Force device(s) into BYPASS (IR of all 1s)
- Send 1s to fill DRs
- Send a 0 and count until it is output on TDO
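The two DR-level procedures above (reading the Device ID straight out of the DR after a TAP reset, and counting chained devices by BYPASS blind interrogation) carried out bit by bit, as an added example that is not JTAGulator firmware. The target side is a small software model of an IEEE 1149.1 TAP (16-state controller, IR, BYPASS and IDCODE registers) so the host-side routines run offline; the IR opcode 0b0010 for IDCODE and the IR lengths are assumptions of the model (real opcodes and lengths vary by vendor), and the Device IDs are taken from the examples later in this deck.

```python
"""Bit-level walk-through of the two JTAG scans in this deck: read the Device
ID out of the DR after a TAP reset, and count devices in a chain by BYPASS
"blind interrogation". Added example, not JTAGulator firmware: the target is a
software model of an IEEE 1149.1 TAP so the host routines can run offline.
Assumptions: IR opcode 0b0010 selects IDCODE (opcodes vary by vendor), and
the Device IDs used below are taken from the examples in this deck."""
from typing import List, Optional

# TAP controller: state -> (next state for TMS=0, next state for TMS=1)
_NEXT = {
    "TLR": ("RTI", "TLR"), "RTI": ("RTI", "SELDR"),
    "SELDR": ("CAPDR", "SELIR"), "CAPDR": ("SHDR", "EX1DR"),
    "SHDR": ("SHDR", "EX1DR"), "EX1DR": ("PAUDR", "UPDR"),
    "PAUDR": ("PAUDR", "EX2DR"), "EX2DR": ("SHDR", "UPDR"), "UPDR": ("RTI", "SELDR"),
    "SELIR": ("CAPIR", "TLR"), "CAPIR": ("SHIR", "EX1IR"),
    "SHIR": ("SHIR", "EX1IR"), "EX1IR": ("PAUIR", "UPIR"),
    "PAUIR": ("PAUIR", "EX2IR"), "EX2IR": ("SHIR", "UPIR"), "UPIR": ("RTI", "SELDR"),
}
IDCODE_OPCODE = 0b0010  # assumed for the model


class Tap:
    """One device: IR of ir_len bits, 1-bit BYPASS and optional 32-bit IDCODE."""

    def __init__(self, idcode: Optional[int], ir_len: int = 4):
        self.idcode, self.ir_len = idcode, ir_len
        self.state, self.ir, self.dr, self.dr_len = "TLR", 0, 0, 1
        self._reset()

    def _reset(self) -> None:
        # 1149.1: reset loads IDCODE into the IR if the register exists, else BYPASS
        self.ir = IDCODE_OPCODE if self.idcode is not None else (1 << self.ir_len) - 1

    def clock(self, tms: int, tdi: int) -> int:
        """One TCK cycle; returns the TDO bit the host samples for this cycle."""
        tdo = 0
        if self.state == "SHIR":
            tdo, self.ir = self.ir & 1, (self.ir >> 1) | (tdi << (self.ir_len - 1))
        elif self.state == "SHDR":
            tdo, self.dr = self.dr & 1, (self.dr >> 1) | (tdi << (self.dr_len - 1))
        elif self.state == "CAPDR":
            if self.ir == IDCODE_OPCODE and self.idcode is not None:
                self.dr, self.dr_len = self.idcode, 32
            else:  # any other opcode behaves as BYPASS in this model
                self.dr, self.dr_len = 0, 1
        self.state = _NEXT[self.state][tms]
        if self.state == "TLR":
            self._reset()
        return tdo


class Chain:
    """Devices daisy-chained TDI -> devices[0] -> ... -> devices[-1] -> TDO."""

    def __init__(self, devices: List[Tap]):
        self.devices = devices

    def clock(self, tms: int, tdi: int) -> int:
        for dev in self.devices:   # shared TMS/TCK, serial data path
            tdi = dev.clock(tms, tdi)
        return tdi                 # with no devices, TDO simply follows TDI


def walk(chain: Chain, tms_seq, tdi: int = 0) -> None:
    for tms in tms_seq:
        chain.clock(tms, tdi)


def read_idcodes(chain: Chain, max_devices: int = 8) -> List[int]:
    """Reset (TMS high 5x), move to Shift-DR, clock 32 bits out per device
    with TDI held low. Reset already selected IDCODE/BYPASS, so no IR access
    is needed; the device nearest TDO comes out first. Stop on the first
    implausible word: bit 0 clear (BYPASS or nothing) or all ones (open TDO)."""
    walk(chain, (1, 1, 1, 1, 1))
    walk(chain, (0, 1, 0, 0))       # TLR -> RTI -> Select-DR -> Capture-DR -> Shift-DR
    ids = []
    for _ in range(max_devices):
        word = 0
        for i in range(32):
            word |= chain.clock(0, 0) << i   # LSB comes out first
        if word == 0xFFFFFFFF or (word & 1) == 0:
            break
        ids.append(word)
    return ids


def count_devices_bypass(chain: Chain, max_chain_bits: int = 64) -> int:
    """Blind interrogation: shift enough 1s to fill every IR regardless of its
    length (BYPASS = all 1s), update, fill the 1-bit BYPASS registers with 1s,
    then shift in a single 0 and count clocks until it appears on TDO."""
    walk(chain, (1, 1, 1, 1, 1))
    walk(chain, (0, 1, 1, 0, 0))    # TLR -> RTI -> Select-DR -> Select-IR -> Capture-IR -> Shift-IR
    walk(chain, (0,) * (max_chain_bits - 1), tdi=1)
    chain.clock(1, 1)               # last IR bit, exit to Exit1-IR
    walk(chain, (1, 1, 0, 0))       # Update-IR -> Select-DR -> Capture-DR -> Shift-DR
    walk(chain, (0,) * max_chain_bits, tdi=1)
    for k in range(1, max_chain_bits + 2):
        if chain.clock(0, 0 if k == 1 else 1) == 0:
            return k - 1            # 0 means TDO followed TDI: nothing in the path
    return 0                        # marker never returned: no TAP on these pins


if __name__ == "__main__":
    # Two devices with different IR lengths; IDs from the deck's examples.
    chain = Chain([Tap(0x0471017F, ir_len=4), Tap(0x01C0601D, ir_len=5)])
    print([hex(i) for i in read_idcodes(chain)])      # nearest-TDO device first
    print("devices in BYPASS chain:", count_devices_bypass(chain))
    print("no IDCODE register:", read_idcodes(Chain([Tap(None)])),
          count_devices_bypass(Chain([Tap(None)])))
```

Note that the blind interrogation never needs to know the IR lengths: it over-fills every IR with 1s, and a device without an IDCODE register (which the reset-and-read method cannot see) still counts.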
BYPASS Scan 3
• Ask user for number of channels to use
• For every possible pin permutation of TCK, TMS, TDI, and TDO
- Set unused channels to output high (in case of any active low reset pins)
- Configure JTAG pins to use on the Propeller
- Reset the TAP
- Perform blind interrogation
- If number of detected devices is 0, ignore
- Otherwise, display potentially valid JTAG pinout
- Try remaining permutations to locate /TRST by setting each pin low and checking if device(s) can still be detected
JTAG: Scan Timing
• IDCODE
- TDI ignored since we're only shifting data out of DR
- ~264 permutations/second
• BYPASS
- Many bits/permutation needed to account for multiple devices in chain and varying IR lengths
- ~13.37 permutations/second
┌────────────┬──────────────┬─────────┬──────────────┬─────────┐
│ # of       │ IDCODE       │ IDCODE  │ BYPASS       │ BYPASS  │
│ Channels   │ Permutations │ (mm:ss) │ Permutations │ (mm:ss) │
├────────────┼──────────────┼─────────┼──────────────┼─────────┤
│ 4          │ 24           │ < 00:01 │ 24           │ 00:02   │
│ 8          │ 336          │ 00:02   │ 1680         │ 02:05   │
│ 16         │ 3360         │ 00:13   │ 43680        │ 54:27   │
│ 24         │ 12144        │ 00:46   │ 255024       │ 317:54  │
└────────────┴──────────────┴─────────┴──────────────┴─────────┘
JTAG: Examples
DEFCON 17 Badge
• Freescale MC56F8006 Digital Signal Controller
- ID = 0x01C0601D
- www.bsdl.info/details.htm?sid=e82c74686c7522e888ca59b002289d77
┌─────────────────┬────────┬─────────────────────┐
│ Field (MSB→LSB) │ Bits   │ Value               │
├─────────────────┼────────┼─────────────────────┤
│ Version         │ 31..28 │ 0000                │
│ Design Center   │ 27..22 │ 000111              │
│ Core Number     │ 21..17 │ 00000 (DSP56300)    │
│ Chip Derivative │ 16..12 │ 00110               │
│ Manufacturer ID │ 11..1  │ 00000001110 (0x0E)  │
│ Fixed           │ 0      │ 1                   │
└─────────────────┴────────┴─────────────────────┘
Linksys WRT54G v1.1
• Broadcom BCM4702 (also contains BCM4306)
- ID = 0x0471017F
- https://github.com/notch/tjtag/blob/master/tjtag.c
┌─────────────────┬────────┬───────────────────────────────────┐
│ Field (MSB→LSB) │ Bits   │ Value                             │
├─────────────────┼────────┼───────────────────────────────────┤
│ Version         │ 31..28 │ 0000                              │
│ Part Number     │ 27..12 │ 0100011100010000 (BCM4702 rev. 1) │
│ Manufacturer ID │ 11..1  │ 00010111111 (0xBF)                │
│ Fixed           │ 0      │ 1                                 │
└─────────────────┴────────┴───────────────────────────────────┘
*** www.jtagtest.com/pinouts/wrt54
D-Link DWL-900AP+
• Samsung S3C4510B01-QER0 CPU (ARM7TDMI)
- ID = 0x1F0F0F0F
- http://pdf1.alldatasheet.com/datasheet-pdf/view/37744/SAMSUNG/S3C4510B.html (Appendix A)
*** www.jtagtest.com/pinouts/arm14
D-Link DWL-900AP+ 2
• Lattice ispMACH iM4A3-32 CPLD (TQFP-48)
- ID = 0x17437157
- www.latticesemi.com/lit/docs/bsdl/mach4a3/m4a032t8l_isc.bsm
Samsung SCH-i910
• Marvell PXA312 (Intel XScale/ARM5)
- ID = 0x2E649013
- http://docs.toradex.com/100197-colibri-arm-sompxa3xx-dm-vol-1.pdf (Table 9)
- TDI = 3 (Grey), TMS = 4 (Pink), TCK = 5 (Blue), TDO = 6 (Orange), GND = 8 (Black)
• JTAG disabled when external power supplied or phone is "on" via battery
BlackBerry 7250
• Qualcomm MSM6500 chipset (ARM926EJ-S)
- ID = 0x6003C0E1
- VCC = 2.6V
┌─────────────────┬────────┬─────────────────────┐
│ Field (MSB→LSB) │ Bits   │ Value               │
├─────────────────┼────────┼─────────────────────┤
│ Version         │ 31..28 │ 0110                │
│ Part Number     │ 27..12 │ 0000000000111100    │
│ Manufacturer ID │ 11..1  │ 00001110000 (0x70)  │
│ Fixed           │ 0      │ 1                   │
└─────────────────┴────────┴─────────────────────┘
BlackBerry 7290
• AD6529 "Hermes" DSP (ARM7TDMI)
• AD6521 "Pegasus" Analog Baseband
- IDs = 0x027831CB and 0x027B51CB
- Unknown which ID is for which device
- TDO1 = Only one device
- TDO2 = Both devices in the chain
┌─────────────────┬────────┬─────────────────────┬─────────────────────┐
│ Field (MSB→LSB) │ Bits   │ 0x027831CB          │ 0x027B51CB          │
├─────────────────┼────────┼─────────────────────┼─────────────────────┤
│ Version         │ 31..28 │ 0000                │ 0000                │
│ Core ID         │ 27     │ 0 (ARM)             │ 0 (ARM)             │
│ Capability      │ 26..24 │ 010 (Reserved)      │ 010 (Reserved)      │
│ Family          │ 23..20 │ 0111 (ARM7)         │ 0111 (ARM7)         │
│ Device Number   │ 19..12 │ 10000011            │ 10110101            │
│ Manufacturer ID │ 11..1  │ 00011100101 (0xE5)  │ 00011100101 (0xE5)  │
│ Fixed           │ 0      │ 1                   │ 1                   │
└─────────────────┴────────┴─────────────────────┴─────────────────────┘
*** http://infocenter.arm.com/help/topic/com.arm.doc.dai0099c/DAI0099C_core_type_rev_id.pdf
BlackBerry 7290 2
UART
• Universal Asynchronous Receiver/Transmitter
- No external clock needed
- Data bits sent LSB first (D0)
- NRZ (Non-Return-To-Zero) coding
- Transfer speed (bits/second) = 1 / bit width
- http://en.wikipedia.org/wiki/Asynchronous_serial_communication
*** Frame: Start bit + Data bits + Parity (optional) + Stop bit(s)
UART 2
• Asynchronous serial interface
→ TXD = Transmit data (to target device)
← RXD = Receive data (from target device)
- DTR, DSR, RTS, CTS, RI, DCD = Control signals (uncommon for modern implementations)
• Many embedded systems use UART as debug output/console/root shell
UART 3
*** Scope capture: mark (idle) and space levels; bit width = ~8.7uS (i.e. ~115200 bps)
UART Scan
• 8 data bits, no parity, 1 stop bit (8N1)
• Baud rates stored in look-up table
- 75, 110, 150, 300, 900, 1200, 1800, 2400, 3600, 4800, 7200, 9600, 14400, 19200, 28800, 31250, 38400, 57600, 76800, 115200, 153600, 230400, 250000, 307200
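The framing and timing rules from the UART slides (LSB-first 8N1 frames, NRZ levels, baud = 1 / bit width, and the bit width of ~8.7uS that the scope capture shows) worked through in code, as an added example that is not JTAGulator firmware. The waveform is a constructed list of (level, duration) segments standing in for a logic-analyzer capture, the baud table is the look-up table above, and the function names are this example's own.

```python
"""8N1 UART framing at the bit-timing level: build a line-level waveform for a
byte string, recover the baud rate from the narrowest pulse (baud = 1 / bit
width, snapped to the scan's baud look-up table), and decode the bytes back.
Added example, not JTAGulator firmware. The waveform is a constructed list of
(level, duration_us) segments standing in for a logic-analyzer capture; the
baud table is the one on the UART Scan slide."""
from bisect import bisect_right
from typing import List, Tuple

BAUD_TABLE = (75, 110, 150, 300, 900, 1200, 1800, 2400, 3600, 4800, 7200, 9600,
              14400, 19200, 28800, 31250, 38400, 57600, 76800, 115200, 153600,
              230400, 250000, 307200)
Segment = Tuple[int, float]   # (logic level, duration in microseconds)


def frame_bits_8n1(byte: int) -> List[int]:
    """Start bit (space, 0), 8 data bits LSB first, no parity, 1 stop bit (mark, 1)."""
    return [0] + [(byte >> i) & 1 for i in range(8)] + [1]


def encode_8n1(data: bytes, baud: int, idle_us: float = 100.0) -> List[Segment]:
    """NRZ waveform with the line idling high. Equal consecutive bits merge into
    one segment, as they do in a real capture (the stop bit merges into idle)."""
    bit_us = 1_000_000 / baud
    segs: List[Segment] = []

    def emit(level: int, dur: float) -> None:
        if segs and segs[-1][0] == level:
            segs[-1] = (level, segs[-1][1] + dur)
        else:
            segs.append((level, dur))

    emit(1, idle_us)
    for b in data:
        for bit in frame_bits_8n1(b):
            emit(bit, bit_us)
    emit(1, idle_us)
    return segs


def baud_from_bit_width_us(bit_us: float) -> int:
    """1 / bit width, snapped to the nearest table entry (8.7us -> 115200)."""
    raw = 1_000_000 / bit_us
    return min(BAUD_TABLE, key=lambda b: abs(b - raw))


def estimate_baud(segs: List[Segment]) -> int:
    """The narrowest pulse between the idle periods is at most one bit wide.
    It can be wider if no single-bit pulse occurs (e.g. a lone 0x00 byte),
    which is why a scan sends a probe string with bit transitions rather than
    relying on whatever the target happens to emit."""
    return baud_from_bit_width_us(min(d for _, d in segs[1:-1]))


def decode_8n1(segs: List[Segment], baud: int) -> bytes:
    """Find each falling edge out of idle, then sample at bit centres:
    data bits at 1.5..8.5 bit widths after the edge, stop bit at 9.5."""
    bit_us = 1_000_000 / baud
    starts, levels, t = [], [], 0.0
    for level, dur in segs:
        starts.append(t)
        levels.append(level)
        t += dur

    def level_at(time: float) -> int:
        return levels[bisect_right(starts, time) - 1]

    out = bytearray()
    t = 0.0
    while t < starts[-1]:                 # last segment is the trailing idle
        idx = bisect_right(starts, t) - 1
        if levels[idx] == 1:              # idle/stop: jump to the next falling edge
            t = starts[idx + 1]
            continue
        t0 = t                            # start bit begins here
        byte = 0
        for i in range(8):
            byte |= level_at(t0 + (i + 1.5) * bit_us) << i
        if level_at(t0 + 9.5 * bit_us) != 1:
            raise ValueError(f"framing error at {t0:.1f}us: stop bit low")
        out.append(byte)
        t = t0 + 9.5 * bit_us             # resume inside the stop bit
    return bytes(out)


if __name__ == "__main__":
    capture = encode_8n1(b"STB225v1 nand#", 115200)   # constructed, not a real capture
    baud = estimate_baud(capture)
    print("bit width ~%.2f us -> %d baud" % (1_000_000 / baud, baud))
    print(decode_8n1(capture, baud))
```

Sampling at bit centres rather than at edges is what makes the decoder tolerate the small baud mismatch that snapping to a table entry introduces; a real receiver does the same with its oversampling clock.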
UART Scan 2
• Ask user for desired output string (up to 16 bytes, or 8 bytes in hex using \x prefix)
• Ask user for number of channels to use
• For every possible pin permutation of TXD and RXD
- Configure UART pins to use on the Propeller
- For each baud rate in the look-up table: set baud rate, send user string, wait to receive data (20ms maximum per byte)
- If any bytes received, display potentially valid UART pinout and data (up to 16 bytes)
UART Scan 3
UART: Scan Timing
• Only need to locate two pins (TXD/RXD)
• 24 baud rates/permutation
• ~1 permutation/second
┌────────────┬──────────────┬─────────┐
│ # of       │ UART         │ Time    │
│ Channels   │ Permutations │ (mm:ss) │
├────────────┼──────────────┼─────────┤
│ 4          │ 12           │ 00:12   │
│ 8          │ 56           │ 00:57   │
│ 16         │ 240          │ 04:04   │
│ 24         │ 552          │ 09:22   │
└────────────┴──────────────┴─────────┘
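The permutation counts in the JTAG and UART scan-timing tables are n!/(n-k)! for k placed signals (3 for IDCODE, since TDI is unused; 4 for BYPASS; 2 for UART), and the run times are those counts divided by the measured rates. The enumeration, the "unused channels high" rule, the /TRST second pass and the timing arithmetic, as an added example that is not JTAGulator firmware: the probe that drives a real target is replaced by a constructed model of a board with known wiring (channel numbers chosen for the demo), and the rates are the figures quoted on the scan-timing slides.

```python
"""Candidate-pinout enumeration and run-time estimate for the IDCODE, BYPASS
and UART scans described in this deck. Added example, not JTAGulator
firmware; the probe that actually drives a target is replaced by a
constructed model of a board with known wiring so the enumeration, the
/TRST second pass and the timing math can be exercised offline. The rates
are the figures quoted on the scan-timing slides."""
from itertools import permutations
from math import perm
from typing import Callable, Dict, Iterator, List, Sequence

# Signals each scan must place; leftover channels are driven high during a
# probe so an active-low reset on one of them does not hold the target down.
ROLES = {
    "IDCODE": ("TCK", "TMS", "TDO"),        # TDI is not needed to read the DR
    "BYPASS": ("TCK", "TMS", "TDI", "TDO"),
    "UART": ("TXD", "RXD"),
}
RATE_PER_SEC = {"IDCODE": 264.0, "BYPASS": 13.37, "UART": 1.0}
Candidate = Dict[str, object]


def candidate_pinouts(scan: str, channels: Sequence[int]) -> Iterator[Candidate]:
    """Ordered, injective role->channel assignments: n!/(n-k)! of them."""
    roles = ROLES[scan]
    for pins in permutations(channels, len(roles)):
        cand: Candidate = dict(zip(roles, pins))
        cand["high"] = tuple(c for c in channels if c not in pins)
        cand["low"] = ()
        yield cand


def permutation_count(scan: str, n_channels: int) -> int:
    return perm(n_channels, len(ROLES[scan]))


def estimated_seconds(scan: str, n_channels: int) -> float:
    return permutation_count(scan, n_channels) / RATE_PER_SEC[scan]


def mm_ss(seconds: float) -> str:
    total = round(seconds)
    return f"{total // 60:02d}:{total % 60:02d}"


def run_scan(scan: str, channels: Sequence[int],
             probe: Callable[[Candidate], bool]) -> List[Candidate]:
    """First pass: try every candidate. Second pass (JTAG only): for each hit,
    drive each leftover channel low in turn; if the target can no longer be
    read, that channel is a /TRST candidate."""
    hits = []
    for cand in candidate_pinouts(scan, channels):
        if not probe(cand):
            continue
        if scan != "UART":
            trst = []
            for c in cand["high"]:
                trial = dict(cand, high=tuple(h for h in cand["high"] if h != c), low=(c,))
                if not probe(trial):
                    trst.append(c)
            cand["TRST_candidates"] = tuple(trst)
        hits.append(cand)
    return hits


# Constructed demo board (not a real device): a TAP wired to 5 of 8 channels.
DEMO_WIRING = {"TCK": 2, "TMS": 0, "TDI": 3, "TDO": 5, "TRST": 7}


def demo_probe(cand: Candidate) -> bool:
    """Stand-in for a real IDCODE/BYPASS attempt: succeeds only if every
    placed signal is on its wire and active-low /TRST is not driven low."""
    if DEMO_WIRING["TRST"] in cand["low"]:
        return False
    return all(cand[r] == DEMO_WIRING[r] for r in ("TCK", "TMS", "TDI", "TDO") if r in cand)


def timing_table(channel_counts=(4, 8, 16, 24)) -> List[str]:
    rows = []
    for n in channel_counts:
        cells = [f"{n:>2} ch:"]
        for scan in ("IDCODE", "BYPASS", "UART"):
            cells.append(f"{scan} {permutation_count(scan, n):>6} perms "
                         f"{mm_ss(estimated_seconds(scan, n))}")
        rows.append("  ".join(cells))
    return rows


if __name__ == "__main__":
    print("\n".join(timing_table()))
    for hit in run_scan("IDCODE", range(8), demo_probe):
        print(hit)   # expect TCK=2, TMS=0, TDO=5 and TRST_candidates=(7,)
```

Two details of the second pass are worth noticing in the output: the channel carrying TDI is not reported as a /TRST candidate by the IDCODE scan (reading the DR does not depend on it), and a channel that the target simply ignores is not reported either, so the candidate list is usually short.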
UART: Examples
Linksys WRT54G v2 rXH (w/ DD-WRT)
• Broadcom BCM4712
- ID = 0x1471217F
- https://github.com/notch/tjtag/blob/master/tjtag.c
• UART: JP1 (TXD = 4, RXD = 6) @ 115200, 8N1
*** www.jtagtest.com/pinouts/wrt54
Apex STB236 Set Top Box
• Bootloader + U-Boot
- UART @ 115200, 8N1
Apex STB236 Set Top Box 2
-----------------------------------------------------------------------
STB222 Lite Primary Bootloader 0.1-3847, NI (04:00:34, Feb 17 2009)
-- Andre McCurdy, NXP Semiconductors
-----------------------------------------------------------------------
Device: PNX8335 M1
Secure boot: disabled, keysel: 0, vid: 0 (expecting 2)
Poly10: 0x00000000
RNG: enabled
RSA keyhide: enabled
UID: 0000000000000000
AES key: 00000000000000000000000000000000
KC status: 0x00000000
Flash config: 7 (omni: 8bit NAND), timing: 0x0C
CPU clock: 320 MHz
DRAM: 200 MHz, 1 x 1 64MByte 16bit device (SIF0): 64 MBytes
NAND: RDY polling disabled
NAND: (AD76) Hynix SLC, pagesize 512, blocksize 16k, 64 MBytes
NAND 0x00020000: valid header
NAND 0x00020000: valid image
aboot exec time: 179602 uSec
U-Boot 1.2.0.dev (Secondary Bootloader) (Jul 31 2009 - 02:53:01)
CPU: PNX????
Secure boot: disabled
DRAM: 64 MB
NAND: nCS0 (force asserted legacy mode)
NAND: Hynix 64MiB 3,3V 8-bit
NAND 0x02a3c000: bad block
NAND 0x030bc000: bad block
NAND 0x03478000: bad block
NAND 0x0385c000: bad block
Board Opts: SCART PAL
Splash: done
u-boot startup time so far: 1012 msec
Hit any key to stop autoboot: 1 ... 0
STB225v1 nand#
General Commands
• Set target system voltage (V) (1.2V-3.3V)
• Read all channels (R)
• Write all channels (W)
• Display version information (J)
• Display available commands (H)
JTAG Commands
• Identify JTAG pinout via IDCODE scan (I)
• Identify JTAG pinout via BYPASS scan (B)
• Get Device IDs (D) (w/ known pinout)
• Test BYPASS (T) (w/ known pinout)
UART Commands
• Identify UART pinout (U)
• UART pass through (P) (w/ known pinout)
Possible Limitations
• No OCD interface exists
• OCD interface is physically disconnected
- Cut traces, missing jumpers/0 ohm resistors
• OCD interface isn't being properly enabled
- System requires other pin settings
- Password protected
• Strong pull resistors on target prevent JTAGulator from setting/receiving proper logic levels
• Could cause target to behave abnormally due to "fuzzing" unknown pins
*** Additional reverse engineering will be necessary
Future Work
• Other interfaces
- TI Spy-Bi-Wire, ARM Serial Wire Debug, Microchip ICSP, Atmel AVR ISP, Freescale BDM, LPC Bus, Flash memory
• Support for OpenOCD
- Would allow direct manipulation of target device after JTAG pinout detection
• Logic analyzer
- Interface w/ sigrok
• Level-shifting module?
- Target voltage > 5V for industrial/SCADA equipment
Get It
• www.jtagulator.com
*** Schematics, source code, BOM, block diagram, Gerber plots, photos, videos, other documentation
• www.parallax.com
*** Assembled units, accessories
• http://oshpark.com/profiles/joegrand
*** Bare boards
A Poem
The End.