jtagulator: assisted discovery of on-chip debug interfaces
Post on 10-Feb-2017
Assisted Discovery of On-Chip Debug Interfaces
Joe Grand, Grand Idea Studio, Inc.
www.jtagulator.com
Agenda
• Introduction
• Inspiration / Other Art
• Identifying Interfaces
• Design Requirements
• Hardware
• Firmware
• On-Chip Debug Interfaces
• Examples / Demonstration
• Limitations
• Future Work
Introduction
• On-chip debug interfaces are a well-known attack vector
- Used as a stepping stone to further an attack
- Can provide chip-level control of a target device
- Extract program code or data
- Modify memory contents
- Affect device operation on-the-fly
• Inconvenient for vendor to remove functionality
- Would prevent capability for legitimate personnel
- Obfuscated or password protected instead
Introduction 2
• Identifying OCD interfaces can sometimes be difficult and/or time consuming
← http://spritesmods.com/?art=hddhack
Goals
• Create an easy-to-use tool to simplify the process
• Attract non-HW folks to HW hacking
Inspiration
• Hunz's JTAG Finder
- http://elinux.org/JTAG_Finder
• JTAGenum & RS232enum
- http://deadhacker.com/tools/
• DARPA Cyber Fast Track
- www.cft.usma.edu
Other Art
• An Open JTAG Debugger (GoodFET), Travis Goodspeed, DEFCON 17
- http://defcon.org/html/links/dc-archives/dc-17-archive.html#Goodspeed2
• Blackbox JTAG Reverse Engineering, Felix Domke, 26C3
- http://events.ccc.de/congress/2009/Fahrplan/attachments/1435_JTAG.pdf
Other Art 2
• Forensic Imaging of Embedded Systems using JTAG, Marcel Breeuwsma (NFI), Digital Investigation Journal, March 2006
- http://www.sciencedirect.com/science/article/pii/S174228760600003X
Identifying Interfaces: External
• Accessible to the outside world
- Intended for engineers or manufacturers
- Device programming or final system test
• Usually hidden or protected
- Underneath batteries
- Behind stickers/covers
• May be a proprietary/non-standard connector
Identifying Interfaces: Internal
• Test points or unpopulated pads
• Silkscreen markings or notation
• Easy-to-access locations
Identifying Interfaces: Internal 2
• Familiar target or based on common pinout
- Often single- or double-row footprint
- JTAG: www.jtagtest.com/pinouts/
← www.blackhat.com/html/bh-us-10/bh-us-10-archives.html#Jack
→ www.nostarch.com/xboxfree
Identifying Interfaces: Internal 3
• Can use PCB/design heuristics
- Traces of similar function are grouped together (bus)
- Array of pull-up/pull-down resistors (to set static state of pins)
- Test points usually placed on important/interesting signals
← http://elinux.org/images/d/d6/Jtag.pdf
Identifying Interfaces: Internal 4
• Might be covered by soldermask
← Linksys WRT54G2 v1.3
→ http://elinux.org/File:Peekjtag3.png
Identifying Interfaces: Internal 5
• More difficult to locate when available only on component pads
*** www.dd-wrt.com/wiki/index.php/JTAG_pinouts#Buffalo_WLA-G54C
Manually Determining Pin Function
• Identify test points/connector & target device
• Trace connections
- Visually or w/ multimeter in continuity mode
- For devices where pins aren't accessible (BGA), remove device or use X-ray
- Use data sheet to match pin number to function
• Probe connections
- Use oscilloscope or logic analyzer
- Pull pins high or low, observe results, repeat
- Logic state or number of pins can help to make educated guesses
Manually Determining Pin Function 2
← http://forum.xda-developers.com/wiki/WallabyJTAG
Design Requirements
• Open source/hackable/expandable
• Simple command-based interface
• Input protection
• Adjustable target voltage
• Off-the-shelf components
• Hand solderable (if desired)
Hardware
Block Diagram
[Block diagram: Host PC (USB Mini-B) → Serial-to-USB FT232RL → MCU Parallax Propeller; EEPROM 24LC512 (I2C); Power Switch MIC2025-2YM; LDO LD1117S33TR (USB 5V → 3.3V); D/A AD8655 driven by one PWM line (1.2V - 3.3V, ~13mV/step); three Voltage Level Translators TXS0108EPWR; Input Protection Circuitry; 24 channels to Target Device; Status Indicator WP59EGW]
PCB
*** 2x5 headers compatible w/ Bus Pirate probes, http://dangerousprototypes.com/docs/Bus_Pirate
[Board photo labels: Target I/F (24 channels), Propeller, USB, Input protection, Level translation, Status, Op-Amp/DAC]
Assembly Drawing
Schematic: Main
NOTE: RESISTORS ARE IN OHMS +/- 5% AND CAPACITORS ARE IN MICROFARADS UNLESS OTHERWISE NOTED. SEE BOM FOR ACTUAL VOLTAGE AND SPECIFICATION.
[Schematic image, sheet "JTAGulator: Main": U2 Propeller P8X32A-Q44 with 5.0MHz crystal Y1 and 24LC512 EEPROM U4 on PROPSDA/PROPSCL; U1 FT232RL to Mini-USB connector P1 (USBDM/USBDP; PROPRX/PROPTX to the Propeller; ferrite bead L1 on VUSB); U3 MIC2025-2YM power distribution switch (VUSB → 5V0); U6 LD1117S33 LDO (5V0 → 3V3); U5 AD8655 op-amp buffering the PWM DAC output (DACOUT → VADJ: 0-3.3V @ 256 steps, ~13mV/step, ~150mA max. Iout); D1 WP59EGW bi-color status LED (LEDR/LEDG via R5 470 ohm and R6 270 ohm); SW1 SPST momentary switch; TXSOE enable and P[23...0] bus to the target interface sheet.]
Schematic: Target Interface
NOTE: RESISTORS ARE IN OHMS +/- 5% AND CAPACITORS ARE IN MICROFARADS UNLESS OTHERWISE NOTED. SEE BOM FOR ACTUAL VOLTAGE AND SPECIFICATION.
[Schematic image, sheet "JTAGulator: Target Interface": Propeller pins P[23...0] enter the B side of three TXS0108EPWR level translators (U9, U12, U15; VCCB = 3V3, VCCA = VADJ, OE driven by TXSOE with 10k pull-down R10); each A-side line goes through a 1k isolated resistor array (R11, R12, R13) and a NUP4302MR6 Schottky diode array (U7, U8, U10, U11, U13, U14) clamping to VADJ, then to channels CH0-CH23 on 5-pin terminal blocks P2-P6 and 2x5 headers P7-P9.]
Diode limiters for input protection: Vf must be < 0.5V to prevent damage to level translators
VCCA <= VCCB; VCCA range: 1.2V to 3.6V; VCCB range: 1.7V to 5.5V
To Target: compatible w/ Bus Pirate 3.x probe/interface cable (10-pin header wire colors: Red, Yellow, Blue, Grey, Black, Brown, Orange, Green, Purple, White; VADJ brought out on each header)
Development
*** INFORMATION: www.parallax.com/propeller/
*** DISCUSSION FORUMS: http://forums.parallax.com
*** OBJECT EXCHANGE: http://obex.parallax.com
• Completely custom, ground up, open source
• 8 parallel 32-bit processors (cogs)
• Code in Spin, ASM, or C
Propeller/Core
• Clock: DC to 128MHz (80MHz recommended)
• Global (hub) memory: 32KB RAM, 32KB ROM
• Cog memory: 2KB RAM each
• GPIO: 32 @ 40mA sink/source per pin
• Program code loaded from external EEPROM on power-up
Propeller/Core 2
• Standard development using Propeller Tool & Parallax Serial Terminal (Windows)
• Programmable via serial interface (usually in conjunction w/ USB-to-serial IC)
Propeller/Core 3
Propeller/Core 4
Propeller/Core 5
USB Interface
• Allows for Propeller programming & UI
• Powers JTAGulator from bus (5V)
• FT232RL USB-to-Serial UART
- Entire USB protocol handled on-chip
- Host will recognize as a virtual serial port (Windows, OS X, Linux)
• MIC2025 Power Distribution Switch
- Internal current limiting, thermal shutdown
- Let the FT232 enumerate first (@ < 100mA), then enable system load
USB Interface 2
Adjustable Target Voltage (VADJ)
• PWM from Propeller
- Duty cycle corresponds to output voltage
- Look-up table in 0.1V increments (1.2V-3.3V)
• AD8655 Low Noise, Precision CMOS Amplifier
- Single supply, rail-to-rail
- Voltage follower configuration
- ~150mA output current @ Vo = 1.2V-3.3V
Level Translation
• Allows 3.3V signals from Propeller to be converted to VADJ
• Prevents potential damage due to over-voltage on target device's unknown connections
• TXS0108E Bidirectional Voltage-Level Translator
- Designed for both open drain and push-pull interfaces
- Internal pull-up resistors (40kΩ when driving low, 4kΩ when high)
- Automatic signal direction detection
- High-Z outputs when OE low -> will not interfere with target when not in use
Level Translation 2
Input Protection
• Prevent high voltages/spikes on unknown pins from damaging JTAGulator
• Diode limiter clamps input if needed
• Vf must be < 0.5V to protect TXS0108Es
Input Protection 2
• NUP4302MR6 Schottky Diode Array
- Vf @ 1mA = 0.2V typ., 0.35V max.
- Vf @ 10mA = 0.25V typ., 0.45V max.
- Alternate: SD103ASDM
Bill-of-Materials
• All components from Digi-Key
• Total cost per unit = $50.73
JTAGulator Bill-of-Materials, HW B, Document 1.0, April 19, 2013
Item | Quantity | Reference | Manufacturer | Manuf. Part # | Distributor | Distrib. Part # | Description
1 | 2 | C1, C2 | Kemet | C1206C103K5RACTU | Digi-Key | 399-1234-1-ND | Capacitor, 0.01uF ceramic, 10%, 50V, X7R, 1206
2 | 14 | C3, C6, C9, C11, C12, C13, C14, C15, C17, C18, C19, C20, C21, C22 | Kemet | C1206C104K5RACTU | Digi-Key | 399-1249-1-ND | Capacitor, 0.1uF ceramic, 10%, 50V, X7R, 1206
3 | 1 | C4 | Yageo | CC1206KRX7R9BB102 | Digi-Key | 311-1170-1-ND | Capacitor, 1000pF ceramic, 10%, 50V, X7R, 1206
4 | 1 | C5 | Yageo | CC1206KRX7R9BB471 | Digi-Key | 311-1167-1-ND | Capacitor, 470pF ceramic, 10%, 50V, X7R, 1206
5 | 1 | C7 | Kemet | T491A106M016AS | Digi-Key | 399-3687-1-ND | Capacitor, 10uF tantalum, 20%, 16V, size A
6 | 2 | C8, C10 | Kemet | T491A475K016AT | Digi-Key | 399-3697-1-ND | Capacitor, 4.7uF tantalum, 10%, 16V, size A
7 | 1 | D1 | Kingbright | WP59EGW | Digi-Key | 754-1232-ND | LED, Red/Green Bi-Color, T-1 3/4 (5mm)
8 | 1 | L1 | TDK | MPZ2012S221A | Digi-Key | 445-1568-1-ND | Inductor, Ferrite Bead, 220R@100MHz, 3A, 0805
9 | 1 | P1 | Hirose Electric | UX60-MB-5S8 | Digi-Key | H2960CT-ND | Connector, Mini-USB, 5-pin, SMT w/ PCB mount
10 | 5 | P2, P3, P4, P5, P6 | TE Connectivity | 282834-5 | Digi-Key | A98336-ND | Connector, Terminal Block, 5-pin, side entry, 0.1" P
11 | 3 | P7, P8, P9 | 3M | 961210-6404-AR | Digi-Key | 3M9460-ND | Header, Dual row, Vertical header, 2x5-pin, 0.1" P
12 | 1 | Q1 | Fairchild | MMBT3904 | Digi-Key | MMBT3904FSCT-ND | Transistor, NPN, 40V, 200mA, SOT23-3
13 | 5 | R1, R2, R3, R4, R10 | Any | Any | Digi-Key | P10KECT-ND | Resistor, 10k, 5%, 1/4W, 1206
14 | 1 | R5 | Any | Any | Digi-Key | P470ECT-ND | Resistor, 470 ohm, 5%, 1/4W, 1206
15 | 1 | R6 | Any | Any | Digi-Key | P270ECT-ND | Resistor, 270 ohm, 5%, 1/4W, 1206
16 | 1 | R7 | Any | Any | Digi-Key | P18.0KFCT-ND | Resistor, 18k, 1%, 1/4W, 1206
17 | 1 | R8 | Any | Any | Digi-Key | P8.20KFCT-ND | Resistor, 8.2k, 1%, 1/4W, 1206
18 | 1 | R9 | Any | Any | Digi-Key | P100KECT-ND | Resistor, 100k, 5%, 1/4W, 1206
19 | 3 | R11, R12, R13 | Bourns | 4816P-1-102LF | Digi-Key | 4816P-1-102LFCT-ND | Resistor, Array, 8 isolated, 1k, 2%, 1/6W, SOIC16
20 | 1 | SW1 | C&K | KSC201JLFS | Digi-Key | 401-1756-1-ND | Switch, SPST, Momentary, 120gf, 6.2 x 6.2mm, J-Lead
21 | 1 | U1 | FTDI | FT232RL-REEL | Digi-Key | 768-1007-1-ND | IC, USB-to-UART Bridge, SSOP28
22 | 1 | U2 | Parallax | P8X32A-Q44 | Digi-Key | P8X32A-Q44-ND | IC, Microcontroller, Propeller, LQFP44
23 | 1 | U3 | Micrel | MIC2025-2YM | Digi-Key | 576-1058-ND | IC, Power Distribution Switch, Single-channel, SOIC8
24 | 1 | U4 | Microchip | 24LC512-I/SN | Digi-Key | 24LC512-I/SN-ND | IC, Memory, Serial EEPROM, 64KB, SOIC8
25 | 1 | U5 | Analog Devices | AD8655ARZ | Digi-Key | AD8655ARZ-ND | IC, Op. Amp., CMOS, Rail-to-rail, 220mA Iout, SOIC8
26 | 1 | U6 | ST Microelectronics | LD1117S33CTR | Digi-Key | 497-1241-1-ND | IC, Voltage Regulator, LDO, 3.3V@800mA, SOT223
27 | 6 | U7, U8, U10, U11, U13, U14 | ON Semiconductor | NUP4302MR6T1G | Digi-Key | NUP4302MR6T1GOSCT-ND | IC, Schottky Diode Array, 4 channel, TSOP6
28 | 3 | U9, U12, U15 | Texas Instruments | TXS0108EPWR | Digi-Key | 296-23011-1-ND | IC, Level Translator, Bi-directional, TSSOP20
29 | 1 | Y1 | ECS | ECS-50-18-4XEN | Digi-Key | XC1738-ND | Crystal, 5.0MHz, 18pF, HC49/US
30 | 1 | PCB | Any | JTAG B | N/A | N/A | PCB, Fabrication
Firmware (as of v1.2.1)
Source Tree
Cogs
• Spin Interpreter (Cog 0)
• PropSerial (fork of Parallax Serial Terminal) (ser)
• RealRandom (rr)
• JDCogSerial (uart)
Propeller Resources
On-Chip Debug Interfaces
• JTAG
• UART
JTAG
• Industry-standard interface (IEEE 1149.1)
- Created for chip- and system-level testing
- Defines low-level functionality of finite state machine/Test Access Port (TAP)
- http://en.wikipedia.org/wiki/Joint_Test_Action_Group
• Provides a direct interface to hardware
- Can "hijack" all pins on the device (Boundary scan/test)
- Can access other devices connected to target chip
- Programming/debug interface (access to Flash, RAM)
- Vendor-defined functions/test modes might be available
JTAG 2
• Multiple devices can be "chained" together for communication to all via a single JTAG port
- Even multiple dies within the same chip package
- Different vendors may not play well together
• Development environments abstract low-level functionality from the user
- Implementations are device- or family-specific
- As long as we can locate the interface/pinout, let other tools do the rest
JTAG 3
*** ruxconbreakpoint.com/assets/slides/pres_sprite_tm.pdf
JTAG: Architecture
• Synchronous serial interface
→ TDI = Data In (to target device)
← TDO = Data Out (from target device)
→ TMS = Test Mode Select
→ TCK = Test Clock
→ /TRST = Test Reset (optional for async reset)
• Test Access Port (TAP) w/ Shift Registers
- Instruction (>= 2 bit wide)
- Data
- Bypass (1 bit)
- Boundary Scan (variable)
- Device ID (32 bit) (optional)
JTAG: Architecture 2
JTAG: TAP Controller
*** State transitions occur on rising edge of TCK based on current state and value of TMS
*** TAP provides 4 major operations: Reset, Run-Test, Scan DR, Scan IR
*** Can move to Reset state from any other state w/ TMS high for 5x TCK
*** 3 primary steps in Scan: Capture, Shift, Update
*** Data held in "shadow" latch until Update state
JTAG: Instructions
┌──────────┬───────────┬────────┬────────────────────────────────────────────────────────────────────────┐
│ Name     │ Required? │ Opcode │ Description                                                            │
├──────────┼───────────┼────────┼────────────────────────────────────────────────────────────────────────┤
│ BYPASS   │ Y         │ All 1s │ Bypass on-chip system logic. Allows serial data to be transferred      │
│          │           │        │ from TDI to TDO without affecting operation of the IC.                 │
├──────────┼───────────┼────────┼────────────────────────────────────────────────────────────────────────┤
│ SAMPRE   │ Y         │ Varies │ Used for controlling (preload) or observing (sample) the signals at    │
│          │           │        │ device pins. Enables the boundary scan register.                       │
├──────────┼───────────┼────────┼────────────────────────────────────────────────────────────────────────┤
│ EXTEST   │ Y         │ All 0s │ Places the IC in external boundary test mode. Used to test device      │
│          │           │        │ interconnections. Enables the boundary scan register.                  │
├──────────┼───────────┼────────┼────────────────────────────────────────────────────────────────────────┤
│ INTEST   │ N         │ Varies │ Used for static testing of internal device logic in a single-step      │
│          │           │        │ mode. Enables the boundary scan register.                              │
├──────────┼───────────┼────────┼────────────────────────────────────────────────────────────────────────┤
│ RUNBIST  │ N         │ Varies │ Places the IC in a self-test mode and selects a user-specified data    │
│          │           │        │ register to be enabled.                                                │
├──────────┼───────────┼────────┼────────────────────────────────────────────────────────────────────────┤
│ CLAMP    │ N         │ Varies │ Sets the IC outputs to logic levels as defined in the boundary scan    │
│          │           │        │ register. Enables the bypass register.                                 │
├──────────┼───────────┼────────┼────────────────────────────────────────────────────────────────────────┤
│ HIGHZ    │ N         │ Varies │ Sets all IC outputs to a disabled (high impedance) state. Enables      │
│          │           │        │ the bypass register.                                                   │
├──────────┼───────────┼────────┼────────────────────────────────────────────────────────────────────────┤
│ IDCODE   │ N         │ Varies │ Enables the 32-bit device identification register. Does not affect     │
│          │           │        │ operation of the IC.                                                   │
├──────────┼───────────┼────────┼────────────────────────────────────────────────────────────────────────┤
│ USERCODE │ N         │ Varies │ Places user-defined information into the 32-bit device                 │
│          │           │        │ identification register. Does not affect operation of the IC.          │
└──────────┴───────────┴────────┴────────────────────────────────────────────────────────────────────────┘
JTAG: SW Tools
• OpenOCD (Open On-Chip Debugger)
- http://openocd.sourceforge.net
• UrJTAG (Universal JTAG Library)
- www.urjtag.org
JTAG: HW Tools
• Bus Blaster (open source)
- http://dangerousprototypes.com/docs/Bus_Blaster
• Wiggler or compatible (parallel port)
- ftp://www.keith-koep.com/pub/arm-tools/jtag/jtag05_sch.pdf
• SEGGER J-Link
- www.segger.com/debug-probes.html
• H-JTAG
- www.hjtag.com/en/
JTAG: HW Tools 2
• Arium + SourcePoint
- www.arium.com
• RIFF Box
- www.jtagbox.com
• Many Others...
- http://openocd.sourceforge.net/doc/html/Debug-Adapter-Hardware.html
JTAG: Protection
• Implementation specific
• Security fuse physically blown prior to release
- Could be repaired w/ silicon die attack
• Password required to enable functionality
- Ex.: Flash erased after n attempts (so perform n-1), then reset and continue
• May allow BYPASS, but prevent higher level functionality
- Ex.: TI MSP430
IDCODE Scan
• 32-bit Device ID (if available) is in the DR on TAP reset or IC power-up
- Otherwise, TAP will reset to BYPASS (LSB = 0)
- Can simply enter Shift-DR state and clock out on TDO
- TDI not required/used during IDCODE acquisition
IDCODE Scan 2
• Device ID values vary with part/family/vendor
- Locate in data sheets, BSDL files, reference code, etc.
• Manufacturer ID provided by JEDEC
- Each manufacturer assigned a unique identifier
- Can use to help validate that proper IDCODE was retrieved
- http://www.jedec.org/standards-documents/results/jep106
IDCODE Scan 3
• Ask user for number of channels to use
• For every possible pin permutation (except TDI)
- Set unused channels to output high (in case of any active low reset pins)
- Configure JTAG pins to use on the Propeller
- Reset the TAP
- Try to get the Device ID by reading the DR
- If Device ID is 0xFFFFFFFF or if bit 0 != 1, ignore
- Otherwise...
- Display potentially valid JTAG pinout
- Try remaining permutations to locate /TRST by setting each pin low and checking if Device ID can still be retrieved
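The IDCODE scan procedure above, written out as an added example (not the JTAGulator firmware): the permutation search and the 0xFFFFFFFF / bit-0 filter run against a constructed mock target, with the permutation counts that feed the scan-timing figures. The mock target, its wiring and the `read_dr` callback are assumptions made for the example.

```python
# Added example (not the JTAGulator firmware): the IDCODE pin-permutation search
# from the "IDCODE Scan 3" slide, run against a constructed mock target so that it
# works offline, plus the permutation counts behind the "Scan Timing" table.
from itertools import permutations
from math import perm

ALL_ONES = 0xFFFFFFFF


class MockTarget:
    """Constructed stand-in for a board: its TAP sits on fixed channels and an
    optional active-low /TRST must be high for the ID to be readable. On the real
    tool the channels drive level translators; here a dict of idle levels stands in."""

    def __init__(self, idcode, tck, tms, tdo, trst=None):
        self.idcode, self.trst = idcode, trst
        self.pins = {"TCK": tck, "TMS": tms, "TDO": tdo}

    def read_dr(self, roles, idle_levels):
        """roles: role -> channel the scanner drives or samples.
        idle_levels: channel -> level for every channel not in use."""
        if roles != self.pins:
            return ALL_ONES            # wrong wiring: TDO samples a pulled-up or floating pin
        if self.trst is not None and idle_levels.get(self.trst, 1) == 0:
            return ALL_ONES            # TAP held in Test-Logic-Reset: nothing shifts out
        return self.idcode


def idcode_plausible(idcode):
    """Slide rule: ignore 0xFFFFFFFF and anything whose bit 0 is not 1."""
    return idcode != ALL_ONES and (idcode & 1) == 1


def idcode_scan(read_dr, channels):
    """Try every ordered choice of TDO, TCK, TMS over `channels` (TDI is not needed
    to read the DR). Unused channels idle high so an active-low reset is not
    asserted by accident. Returns hits as (roles, idcode, trst_channel_or_None)."""
    hits = []
    for tdo, tck, tms in permutations(range(channels), 3):
        roles = {"TCK": tck, "TMS": tms, "TDO": tdo}
        idle = {ch: 1 for ch in range(channels) if ch not in roles.values()}
        idcode = read_dr(roles, idle)
        if not idcode_plausible(idcode):
            continue
        trst = None
        for ch in idle:                           # pull each spare channel low in turn
            probe = {**idle, ch: 0}
            if read_dr(roles, probe) != idcode:   # ID vanishes -> that pin resets the TAP
                trst = ch
                break
        hits.append((roles, idcode, trst))
    return hits


def permutation_count(channels, signals):
    """Ordered assignments of `signals` distinct pins out of `channels`:
    IDCODE needs 3 (TDO, TCK, TMS), BYPASS needs 4 (adds TDI)."""
    return perm(channels, signals)


def estimated_seconds(channels, signals, permutations_per_second):
    """Scan time from the slides' measured rates (~264/s IDCODE, ~13.37/s BYPASS)."""
    return permutation_count(channels, signals) / permutations_per_second


if __name__ == "__main__":
    target = MockTarget(0x0471017F, tck=1, tms=3, tdo=0, trst=2)   # constructed wiring
    for roles, idcode, trst in idcode_scan(target.read_dr, 4):
        print(f"pinout {roles}, ID 0x{idcode:08X}, /TRST on channel {trst}")
    for n in (4, 8, 16, 24):
        print(n, permutation_count(n, 3), round(estimated_seconds(n, 3, 264), 1), "s")
```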
BYPASS Scan
• In BYPASS, data shifted into TDI is received on TDO delayed by one clock cycle
BYPASS Scan 2
• Can determine how many devices (if any) are in the chain via "blind interrogation"
- Force device(s) into BYPASS (IR of all 1s)
- Send 1s to fill DRs
- Send a 0 and count until it is output on TDO
BYPASS Scan 3
• Ask user for number of channels to use
• For every possible pin permutation
- Set unused channels to output high (in case of any active low reset pins)
- Configure JTAG pins to use on the Propeller
- Reset the TAP
- Perform blind interrogation
- If number of detected devices > 0...
- Otherwise...
- Display potentially valid JTAG pinout
- Try remaining permutations to locate /TRST by setting each pin low and checking if device(s) can still be detected
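The TAP controller slide, the IDCODE read after reset and the BYPASS blind interrogation above, as one added example that is not the JTAGulator firmware: a simulated TAP state machine and device chain (the `SimDevice`/`SimChain` model, its state names and the 32-bits-per-device overfill are assumptions of the example). It also handles the case the IDCODE slide mentions, a part with no IDCODE that resets into BYPASS and shifts out a 0 first.

```python
# Added example (not the JTAGulator firmware): a simulated IEEE 1149.1 TAP controller
# and device chain, showing the TMS-driven state machine, the IDCODE read after TAP
# reset, and the BYPASS "blind interrogation" that counts devices in the chain.

# state -> (next state if TMS=0, next state if TMS=1); evaluated on each rising TCK edge
TAP_NEXT = {
    "TLR": ("RTI", "TLR"),          "RTI": ("RTI", "SEL_DR"),
    "SEL_DR": ("CAP_DR", "SEL_IR"), "CAP_DR": ("SH_DR", "EX1_DR"),
    "SH_DR": ("SH_DR", "EX1_DR"),   "EX1_DR": ("PS_DR", "UP_DR"),
    "PS_DR": ("PS_DR", "EX2_DR"),   "EX2_DR": ("SH_DR", "UP_DR"),
    "UP_DR": ("RTI", "SEL_DR"),     "SEL_IR": ("CAP_IR", "TLR"),
    "CAP_IR": ("SH_IR", "EX1_IR"),  "SH_IR": ("SH_IR", "EX1_IR"),
    "EX1_IR": ("PS_IR", "UP_IR"),   "PS_IR": ("PS_IR", "EX2_IR"),
    "EX2_IR": ("SH_IR", "UP_IR"),   "UP_IR": ("RTI", "SEL_DR"),
}


class SimDevice:
    """One TAP in the chain (constructed model). ir_len is its instruction register
    width; idcode=None models a part without IDCODE, which resets into BYPASS."""

    def __init__(self, ir_len, idcode=None):
        self.ir_len, self.idcode = ir_len, idcode
        self.reset()

    def reset(self):
        self.bypass = self.idcode is None      # Test-Logic-Reset selects IDCODE if present
        self.dr, self.dr_len, self.ir_shift = 0, 1, 0

    def capture_dr(self):
        self.dr_len = 1 if self.bypass else 32
        self.dr = 0 if self.bypass else self.idcode    # the BYPASS register captures a 0

    @staticmethod
    def shift(reg, width, tdi):
        """Shift one bit through a register: returns (bit out, new contents)."""
        return reg & 1, (reg >> 1) | (tdi << (width - 1))


class SimChain:
    """Devices wired TDI -> dev[0] -> ... -> dev[-1] -> TDO, sharing TCK and TMS."""

    def __init__(self, devices):
        self.devices, self.state = list(devices), "TLR"

    def clock(self, tms, tdi=1):
        """One TCK cycle. Returns the TDO bit the host samples on this rising edge."""
        tdo = tdi                   # an empty chain is modelled as pass-through
        for d in self.devices:
            if self.state == "SH_DR":
                tdo, d.dr = d.shift(d.dr, d.dr_len, tdo)
            elif self.state == "SH_IR":
                tdo, d.ir_shift = d.shift(d.ir_shift, d.ir_len, tdo)
            elif self.state == "CAP_DR":
                d.capture_dr()
            elif self.state == "CAP_IR":
                d.ir_shift = 0b01                       # IEEE 1149.1: IR captures ...01
            elif self.state == "UP_IR":
                d.bypass = d.ir_shift == (1 << d.ir_len) - 1   # all 1s = BYPASS
            elif self.state == "TLR":
                d.reset()
        self.state = TAP_NEXT[self.state][tms]
        return tdo


def tms_walk(chain, bits):
    for b in bits:
        chain.clock(b)


def tap_reset(chain):
    tms_walk(chain, [1] * 5)        # TMS high for 5 TCKs reaches TLR from any state


def read_idcode(chain):
    """Slide: after TAP reset the DR already holds the ID, so enter Shift-DR and
    clock 32 bits out of TDO, LSB first. TDI is not needed."""
    tap_reset(chain)
    tms_walk(chain, [0, 1, 0, 0])   # TLR -> RTI -> SEL_DR -> CAP_DR -> SH_DR
    bits = [chain.clock(0) for _ in range(32)]
    return sum(b << i for i, b in enumerate(bits))


def blind_interrogate(chain, max_devices=32):
    """Force every device into BYPASS (IR of all 1s), fill the 1-bit bypass
    registers with 1s, then shift a 0 and count clocks until it reaches TDO.
    Returns the number of devices, or 0 when nothing answers."""
    tap_reset(chain)
    tms_walk(chain, [0, 1, 1, 0, 0])            # -> SH_IR
    for _ in range(max_devices * 32):           # IR lengths are unknown: overfill with 1s
        chain.clock(0, 1)
    tms_walk(chain, [1, 1, 1, 0, 0])            # EX1_IR -> UP_IR -> SEL_DR -> CAP_DR -> SH_DR
    for _ in range(max_devices):
        chain.clock(0, 1)                       # 1s into every bypass register
    for n in range(max_devices + 1):
        if chain.clock(0, 0) == 0:              # the 0 emerges after one clock per device
            return n
    return 0


if __name__ == "__main__":
    chain = SimChain([SimDevice(4, 0x027831CB), SimDevice(5, 0x027B51CB)])
    print(hex(read_idcode(chain)), blind_interrogate(chain))
```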
JTAG: Scan Timing
┌───────────────┬─────────────────────┬────────────────┬─────────────────────┬────────────────┐
│ # of Channels │ IDCODE Permutations │ IDCODE (mm:ss) │ BYPASS Permutations │ BYPASS (mm:ss) │
├───────────────┼─────────────────────┼────────────────┼─────────────────────┼────────────────┤
│ 4             │ 24                  │ < 00:01        │ 24                  │ 00:02          │
│ 8             │ 336                 │ 00:02          │ 1680                │ 02:05          │
│ 16            │ 3360                │ 00:13          │ 43680               │ 54:27          │
│ 24            │ 12144               │ 00:46          │ 255024              │ 317:54         │
└───────────────┴─────────────────────┴────────────────┴─────────────────────┴────────────────┘
• IDCODE
- TDI ignored since we're only shifting data out of DR
- ~264 permutations/second
• BYPASS
- Many bits/permutation needed to account for multiple devices in chain and varying IR lengths
- ~13.37 permutations/second
JTAG: Examples
DEFCON 17 Badge
• Freescale MC56F8006 Digital Signal Controller
- ID = 0x01C0601D
- www.bsdl.info/details.htm?sid=e82c74686c7522e888ca59b002289d77
MSB                                                                             LSB
┌─────────┬───────────────┬─────────────┬─────────────────┬─────────────────┬───────┐
│ Ver.    │ Design Center │ Core Number │ Chip Derivative │ Manufacturer ID │ Fixed │
├─────────┼───────────────┼─────────────┼─────────────────┼─────────────────┼───────┤
│ 31...28 │ 27...22       │ 21...17     │ 16...12         │ 11...1          │ 0     │
│ 0000    │ 000111        │ 00000       │ 00110           │ 00000001110     │ 1     │
│         │               │ (DSP56300)  │                 │ (0x0E)          │       │
└─────────┴───────────────┴─────────────┴─────────────────┴─────────────────┴───────┘
Linksys WRT54G v1.1
• Broadcom BCM4702 (also contains BCM4306)
- ID = 0x0471017F
- https://github.com/notch/tjtag/blob/master/tjtag.c
MSB                                                    LSB
┌─────────┬──────────────────┬────────────────────┬───────┐
│ Ver.    │ Part Number      │ Manufacturer ID    │ Fixed │
├─────────┼──────────────────┼────────────────────┼───────┤
│ 31...28 │ 27...12          │ 11...1             │ 0     │
│ 0000    │ 0100011100010000 │ 00010111111 (0xBF) │ 1     │
│         │ (BCM4702 rev. 1) │                    │       │
└─────────┴──────────────────┴────────────────────┴───────┘
*** www.jtagtest.com/pinouts/wrt54
D-Link DWL-900AP+
• Samsung S3C4510B01-QER0 CPU (ARM7TDMI)
- ID = 0x1F0F0F0F
- http://pdf1.alldatasheet.com/datasheet-pdf/view/37744/SAMSUNG/S3C4510B.html (Appendix A)
*** www.jtagtest.com/pinouts/arm14
D-Link DWL-900AP+ 2
• Lattice ispMACH iM4A3-32 CPLD (TQFP-48)
- ID = 0x17437157
- www.latticesemi.com/lit/docs/bsdl/mach4a3/m4a032t8l_isc.bsm
Samsung SCH-i910
• Marvell PXA312 (Intel XScale/ARM5)
- ID = 0x2E649013
- http://docs.toradex.com/100197-colibri-arm-som-pxa3xx-dm-vol-1.pdf (Table 9)
- TDI = 3 (Grey), TMS = 4 (Pink), TCK = 5 (Blue), TDO = 6 (Orange), GND = 8 (Black)
• JTAG disabled when external power supplied or phone is "on" via battery
BlackBerry 7250
• Qualcomm MSM6500 chipset (ARM926EJ-S)
- ID = 0x6003C0E1
- VCC = 2.6V
MSB                                                    LSB
┌─────────┬──────────────────┬────────────────────┬───────┐
│ Ver.    │ Part Number      │ Manufacturer ID    │ Fixed │
├─────────┼──────────────────┼────────────────────┼───────┤
│ 31...28 │ 27...12          │ 11...1             │ 0     │
│ 0110    │ 0000000000111100 │ 00001110000 (0x70) │ 1     │
└─────────┴──────────────────┴────────────────────┴───────┘
BlackBerry 7290
• AD6529 "Hermes" DSP (ARM7TDMI)
• AD6521 "Pegasus" Analog Baseband
- IDs = 0x027831CB and 0x027B51CB
- Unknown which ID is for which device
- TDO1 = Only one device
- TDO2 = Both devices in the chain
MSB                                                                                            LSB
┌─────────┬─────────┬────────────────┬─────────────┬───────────────┬────────────────────┬───────┐
│ Ver.    │ Core ID │ Capability     │ Family      │ Device Number │ Manufacturer ID    │ Fixed │
├─────────┼─────────┼────────────────┼─────────────┼───────────────┼────────────────────┼───────┤
│ 31...28 │ 27      │ 26...24        │ 23...20     │ 19...12       │ 11...1             │ 0     │
│ 0000    │ 0 (ARM) │ 010 (Reserved) │ 0111 (ARM7) │ 10000011      │ 00011100101 (0xE5) │ 1     │
│ 0000    │ 0 (ARM) │ 010 (Reserved) │ 0111 (ARM7) │ 01010001      │ 00011100101 (0xE5) │ 1     │
└─────────┴─────────┴────────────────┴─────────────┴───────────────┴────────────────────┴───────┘
*** http://infocenter.arm.com/help/topic/com.arm.doc.dai0099c/DAI0099C_core_type_rev_id.pdf
BlackBerry 7290 2
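The IDCODE field layouts in the examples above, as an added decoder (not from the JTAGulator firmware or any of the cited vendor documents): the generic IEEE 1149.1 split into version / part number / manufacturer ID / fixed bit, the JEDEC continuation-code split of the 11-bit manufacturer field, and the ARM layout shown for the BlackBerry 7290. It generalizes the slides' hand-decoded tables to any 32-bit ID; the function and key names are the example's own.

```python
# Added example (not the JTAGulator firmware): decode an IEEE 1149.1 IDCODE register
# using the field layouts drawn on the slides.


def idcode_is_plausible(idcode):
    """JTAGulator's filter: reject all-ones (open or pulled-up TDO) and any value
    whose LSB is not 1 (a TAP that reset into BYPASS shifts out a 0 first)."""
    return idcode != 0xFFFFFFFF and (idcode & 1) == 1


def decode_idcode(idcode):
    """Generic layout: version [31:28], part number [27:12], manufacturer ID [11:1],
    fixed 1 [0]. The 11-bit manufacturer field is the JEDEC JEP106 code with its
    parity bit dropped: [11:8] = number of 0x7F continuation codes, [7:1] = code."""
    if not idcode_is_plausible(idcode):
        raise ValueError(f"0x{idcode:08X} is not a valid IDCODE")
    mfr = (idcode >> 1) & 0x7FF
    return {
        "version": (idcode >> 28) & 0xF,
        "part_number": (idcode >> 12) & 0xFFFF,
        "manufacturer_id": mfr,
        "jep106_bank": mfr >> 7,        # continuation-code count (0 = first JEP106 bank)
        "jep106_code": mfr & 0x7F,      # 7-bit identifier within that bank
    }


def decode_arm_idcode(idcode):
    """ARM layout from the BlackBerry 7290 slide: core ID [27], capability [26:24],
    family [23:20], device number [19:12]; the rest as in the generic layout."""
    fields = decode_idcode(idcode)
    fields.update({
        "core_id": (idcode >> 27) & 0x1,
        "capability": (idcode >> 24) & 0x7,
        "family": (idcode >> 20) & 0xF,
        "device_number": (idcode >> 12) & 0xFF,
    })
    return fields


def describe(idcode):
    """One-line summary in the slides' notation (manufacturer ID in hex, LSB shown)."""
    f = decode_idcode(idcode)
    return (f"0x{idcode:08X}: ver {f['version']}, part 0x{f['part_number']:04X}, "
            f"mfr 0x{f['manufacturer_id']:02X} (JEP106 bank {f['jep106_bank']}, "
            f"code 0x{f['jep106_code']:02X}), fixed bit {idcode & 1}")


if __name__ == "__main__":
    for name, raw in [("Freescale MC56F8006", 0x01C0601D),
                      ("Broadcom BCM4702", 0x0471017F),
                      ("Qualcomm MSM6500", 0x6003C0E1)]:
        print(name, "->", describe(raw))
    print("AD6529/AD6521 (ARM layout):", decode_arm_idcode(0x027831CB))
```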
UART
• Universal Asynchronous Receiver/Transmitter
- No external clock needed
- Data bits sent LSB first (D0)
- NRZ (Non-Return-To-Zero) coding
- Transfer speed (bits/second) = 1 / bit width
- http://en.wikipedia.org/wiki/Asynchronous_serial_communication
*** Start bit + Data bits + Parity (optional) + Stop bit(s)
UART 2
• Asynchronous serial interface
→ TXD = Transmit data (to target device)
← RXD = Receive data (from target device)
↔ DTR, DSR, RTS, CTS, RI, DCD = Control signals (uncommon for modern implementations)
• Many embedded systems use UART as debug output/console/root shell
UART 3
[Oscilloscope capture of one UART frame: bit width = ~8.7uS; line rests at Mark (Idle), start bit is Space]
UART Scan
• 8 data bits, no parity, 1 stop bit (8N1)
• Baud rates stored in look-up table
- 75, 110, 150, 300, 900, 1200, 1800, 2400, 3600, 4800, 7200, 9600, 14400, 19200, 28800, 31250, 38400, 57600, 76800, 115200, 153600, 230400, 250000, 307200
UART Scan 2
• Ask user for desired output string (up to 16 bytes or 8 bytes in hex using \x prefix)
• Ask user for number of channels to use
• For every possible pin permutation
- Configure UART pins to use on the Propeller
- Set baud rate
- Send user string
- Wait to receive data (20ms maximum per byte)
- If any bytes received, display potentially valid UART pinout and data (up to 16 bytes)
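The UART framing described in the UART slides (start bit, D0..D7 LSB first, stop bit, NRZ, speed = 1 / bit width) and the scan's inputs above, as one added example that is not the JTAGulator firmware: an 8N1 encoder/decoder that also handles an oversampled capture and reports a framing error when the stop bit is wrong, the bit-width-to-baud estimate snapped to the slide's look-up table, and the user-string parsing the scan prompt accepts. Function names and the waveform representation are the example's own.

```python
# Added example (not the JTAGulator firmware): 8N1 framing as the UART slides
# describe it, the bit-width -> baud estimate, and the scan's user-string parsing.

# Baud rate look-up table from the "UART Scan" slide.
JTAGULATOR_BAUDS = [75, 110, 150, 300, 900, 1200, 1800, 2400, 3600, 4800, 7200, 9600,
                    14400, 19200, 28800, 31250, 38400, 57600, 76800, 115200, 153600,
                    230400, 250000, 307200]


def frame_8n1(byte):
    """One frame as line levels, one entry per bit time:
    start bit (space = 0), D0..D7 LSB first, stop bit (mark = 1)."""
    return [0] + [(byte >> i) & 1 for i in range(8)] + [1]


def encode(data, idle_bits=2):
    """NRZ waveform for a byte string; the line idles at mark (1) between frames."""
    wave = [1] * idle_bits
    for b in data:
        wave += frame_8n1(b) + [1] * idle_bits
    return wave


def decode(samples, samples_per_bit=1):
    """Recover bytes from a sampled 8N1 waveform captured at `samples_per_bit`
    samples per bit time. A mark->space edge is the start bit; the eight data
    bits are read at bit centres LSB first; a stop bit that is not mark is a
    framing error (wrong baud rate, or the pin is not a UART at all)."""
    out, i, spb = bytearray(), 0, samples_per_bit
    while i + 10 * spb <= len(samples):
        if samples[i] == 1:                 # still idle: look for the start-bit edge
            i += 1
            continue

        def bit(n):                         # level at the centre of bit n of this frame
            return samples[i + n * spb + spb // 2]

        if bit(9) != 1:
            raise ValueError(f"framing error at sample {i}")
        out.append(sum(bit(1 + k) << k for k in range(8)))
        i += 10 * spb
    return bytes(out)


def baud_from_bit_width(seconds):
    """Slides: transfer speed = 1 / bit width. Snap the measurement to the
    nearest rate in the look-up table (e.g. ~8.7us -> 115200)."""
    measured = 1.0 / seconds
    return min(JTAGULATOR_BAUDS, key=lambda b: abs(b - measured))


def parse_scan_string(text):
    """The scan prompt accepts plain text (up to 16 bytes) or \\xHH escapes (up to 8 bytes)."""
    if text.startswith("\\x"):
        data = bytes(int(h, 16) for h in text.split("\\x")[1:])
        limit = 8
    else:
        data, limit = text.encode("ascii"), 16
    if len(data) > limit:
        raise ValueError(f"string too long: {len(data)} > {limit} bytes")
    return data


if __name__ == "__main__":
    wave = encode(b"U-Boot")                       # constructed sample traffic
    print(decode(wave), baud_from_bit_width(8.7e-6), parse_scan_string(r"\x0d\x0a"))
```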
UART Scan 3
UART: Scan Timing
┌───────────────┬───────────────────┬──────────────┐
│ # of Channels │ UART Permutations │ Time (mm:ss) │
├───────────────┼───────────────────┼──────────────┤
│ 4             │ 12                │ 00:12        │
│ 8             │ 56                │ 00:57        │
│ 16            │ 240               │ 4:04         │
│ 24            │ 552               │ 9:22         │
└───────────────┴───────────────────┴──────────────┘
• Only need to locate two pins (TXD/RXD)
• 24 baud rates/permutation
• ~1 permutation/second
UART: Examples
Linksys WRT54G v2 rXH (w/ DD-WRT)
• Broadcom BCM4712
- ID = 0x1471217F
- https://github.com/notch/tjtag/blob/master/tjtag.c
- UART: JP1 (TXD = 4, RXD = 6) @ 115200, 8N1
*** www.jtagtest.com/pinouts/wrt54
Apex STB236 Set Top Box
• Bootloader + U-Boot
- UART @ 115200, 8N1
Apex STB236 Set Top Box 2
----------------------------------------------------------------------
 STB222 Lite Primary Bootloader 0.1-3847, NI (04:00:34, Feb 17 2009)
-- Andre McCurdy, NXP Semiconductors
--------------------------------------------------------------------
Device: PNX8335 M1
Secure boot: disabled, keysel: 0, vid: 0 (expecting 2)
Poly10: 0x00000000
RNG: enabled
RSA keyhide: enabled
UID: 0000000000000000
AES key: 00000000000000000000000000000000
KC status: 0x00000000
Flash config: 7 (omni: 8bit NAND), timing: 0x0C
CPU clock: 320 MHz
DRAM: 200 MHz, 1 x 1 64MByte 16bit device (SIF0): 64 MBytes
NAND: RDY polling disabled
NAND: (AD76) Hynix SLC, pagesize 512, blocksize 16k, 64 MBytes
NAND 0x00020000: valid header
NAND 0x00020000: valid image
aboot exec time: 179602 uSec

U-Boot 1.2.0.dev (Secondary Bootloader) (Jul 31 2009 - 02:53:01)

CPU: PNX????
Secure boot: disabled
DRAM: 64 MB
NAND: nCS0 (force asserted legacy mode)
NAND: Hynix 64MiB 3,3V 8-bit
NAND 0x02a3c000: bad block
NAND 0x030bc000: bad block
NAND 0x03478000: bad block
NAND 0x0385c000: bad block
Board Opts: SCART PAL
Splash: done
u-boot startup time so far: 1012 msec
Hit any key to stop autoboot: 1 ... 0
STB225v1 nand#
General Commands
• Set target system voltage (V) (1.2V-3.3V)
• Read all channels (R)
• Write all channels (W)
• Display version information (J)
• Display available commands (H)
JTAG Commands
• Identify JTAG pinout via IDCODE scan (I)
• Identify JTAG pinout via BYPASS scan (B)
• Get Device IDs (D) (w/ known pinout)
• Test BYPASS (T) (w/ known pinout)
UART Commands
• Identify UART pinout (U)
• UART pass through (P) (w/ known pinout)
Possible Limitations
• No OCD interface exists
• OCD interface is physically disconnected
- Cut traces, missing jumpers/0 ohm resistors
• OCD interface isn't being properly enabled
- System requires other pin settings
- Password protected
• Strong pull resistors on target prevent JTAGulator from setting/receiving proper logic levels
• Could cause target to behave abnormally due to "fuzzing" unknown pins
*** Additional reverse engineering will be necessary
Future Work
• Other interfaces
- TI Spy-Bi-Wire, ARM Serial Wire Debug, Microchip ICSP, Atmel AVR ISP, Freescale BDM, LPC Bus, Flash memory
• Support for OpenOCD
- Would allow direct manipulation of target device after JTAG pinout detection
• Logic analyzer
- Interface w/ sigrok
• Level-shifting module?
- Target voltage > 5V for industrial/SCADA equipment
Get It
• www.jtagulator.com
*** Schematics, source code, BOM, block diagram, Gerber plots, photos, videos, other documentation
• www.parallax.com
*** Assembled units, accessories
• http://oshpark.com/profiles/joegrand
*** Bare boards
A Poem
The End.