Assisted Discovery of On-Chip Debug InterfacesJoe Grand (@joegrand)

Agenda

• Introduction• Inspiration / Other Art

• Traditional HW RE Techniques• On-Chip Debug Interfaces• Design Requirements• Hardware• Firmware• Examples / Demonstration• Limitations• Future Work

Introduction

• On-chip debug interfaces are a well-known attack vector

- Can provide chip-level control of a target device- Extract program code or data- Modify memory contents- Affect device operation on-the-fly- Gain insight into system operation

• Inconvenient for vendor to remove functionality- Would prevent capability for legitimate personnel- Weak obfuscation instead (hidden or unmarked

signals/connectors)

- May be password protected (if supported by device)

Introduction 2

• Identifying OCD interfaces can sometimes be difficult and/or time consuming

Goals

• Create an easy-to-use tool to simplify the process

• Attract non-HW folks to HW hacking

• Hunz's JTAG Finder- http://elinux.org/JTAG_Finder

• JTAGenum & RS232enum- http://deadhacker.com/tools/

• Cyber Fast Track- www.cft.usma.edu

Inspiration

Other Art

• An Open JTAG Debugger (GoodFET), Travis Goodspeed, DEFCON 17

- http://defcon.org/html/links/dc-archives/dc-17-archive.html#Goodspeed2

• Blackbox JTAG Reverse Engineering, Felix Domke, 26C3

- http://events.ccc.de/congress/2009/Fahrplan/attachments/1435_JTAG.pdf

Other Art 2

• Forensic Imaging of Embedded Systems using JTAG, Marcel Breeuwsma (NFI), Digital Investigation Journal, March 2006

- http://www.sciencedirect.com/science/article/pii/S174228760600003X

Identifying Interfaces: External

• Accessible to the outside world- Intended for engineers or manufacturers- Device programming or final system test

• Usually hidden or protected- Underneath batteries- Behind stickers/covers

• May be a proprietary/non-standard connector

Identifying Interfaces: Internal

• Test points or unpopulated pads

• Silkscreen markings or notation

• Easy-to-access locations

Identifying Interfaces: Internal 2

• Familiar target or based on common pinouts- Often single- or double-row footprint- JTAG: www.jtagtest.com/pinouts/

← www.blackhat.com/html/bh-us-10/bh-us-10-archives.html#Jack→ www.nostarch.com/xboxfree

Identifying Interfaces: Internal 3

• Can use PCB/design heuristics- Traces of similar function are grouped together (bus)- Array of pull-up/pull-down resistors (to set static

state of pins)- Test points usually placed on important/interesting

signals

← http://elinux.org/images/d/d6/Jtag.pdf

Identifying Interfaces: Internal 4

• More difficult to locate when available only on component pads or tented vias

*** www.dd-wrt.com/wiki/index.php/JTAG_pinouts#Buffalo_WLA-G54C

Determining Pin Function

• Identify test points/connector & target device

• Trace connections- Visually or w/ multimeter in continuity mode- For devices where pins aren't accessible (BGA),

remove device or use X-ray- Use data sheet to match pin number to function

• Probe connections- Use oscilloscope or logic analyzer- Ignore any points that already have active signals- Pull pins high or low, observe results, repeat- Logic state or number of pins can help to make

educated guesses

Determining Pin Function 2

← http://forum.xda-developers.com/wiki/WallabyJTAG

On-Chip Debug Interfaces

• JTAG

• UART

JTAG

• Industry-standard interface (IEEE 1149.1)- Created for chip- and system-level testing- Defines low-level functionality of finite state machine/

Test Access Port (TAP)

- http://en.wikipedia.org/wiki/Joint_Test_Action_Group

• Provides a direct interface to hardware- Can "hijack" all pins on the device (Boundary scan/

test)- Can access other devices connected to target chip- Programming/debug interface (access to Flash, RAM)- Vendor-defined functions/test modes might be

available

JTAG 2

• Multiple devices can be "chained" together for communication to all via a single JTAG port

- Even multiple dies within the same chip package - Different vendors may not play well together

• Development environments abstract low-level functionality from the user

- Implementations are device- or family-specific- As long as we can locate the interface/pinout, let

other tools do the rest

JTAG: Architecture

• Synchronous serial interface→ TDI = Data In (to target device)← TDO = Data Out (from target device) → TMS = Test Mode Select → TCK = Test Clock → /TRST = Test Reset (optional for async reset)

• Test Access Port (TAP) w/ Shift Registers- Instruction (>= 2 bit wide)- Data

- Bypass (1 bit)- Boundary Scan (variable)- Device ID (32 bit) (optional)

JTAG: Architecture 2

JTAG: TAP Controller*** State transitions occur on rising edge of TCK based on current state and value of TMS

*** TAP provides 4 major operations: Reset, Run-Test, Scan DR, Scan IR

*** Can move to Reset state from any other state w/ TMS high for 5x TCK

*** 3 primary steps in Scan: Capture, Shift, Update

*** Data held in "shadow" latch until Update state

JTAG: Instructions ┌───────────┬─────────────┬──────────┬───────────────────────────────────────────────────────────────────────┐ │ Name │ Required? │ Opcode │ Description │ ├───────────┼─────────────┼──────────┼───────────────────────────────────────────────────────────────────────┤ │ BYPASS │ Y │ All 1s │ Bypass on-chip system logic. Allows serial data to be transferred │ │ │ │ │ from TDI to TDO without affecting operation of the IC. │ ├───────────┼─────────────┼──────────┼───────────────────────────────────────────────────────────────────────┤ │ SAMPRE │ Y │ Varies │ Used for controlling (preload) or observing (sample) the signals at │ │ │ │ │ device pins. Enables the boundary scan register. │ ├───────────┼─────────────┼──────────┼───────────────────────────────────────────────────────────────────────┤ │ EXTEST │ Y │ All 0s │ Places the IC in external boundary test mode. Used to test device │ │ │ │ │ interconnections. Enables the boundary scan register. │ ├───────────┼─────────────┼──────────┼───────────────────────────────────────────────────────────────────────┤ │ INTEST │ N │ Varies │ Used for static testing of internal device logic in a single-step │ │ │ │ │ mode. Enables the boundary scan register. │ ├───────────┼─────────────┼──────────┼───────────────────────────────────────────────────────────────────────┤ │ RUNBIST │ N │ Varies │ Places the IC in a self-test mode and selects a user-specified data │ │ │ │ │ register to be enabled. │ ├───────────┼─────────────┼──────────┼───────────────────────────────────────────────────────────────────────┤ │ CLAMP │ N │ Varies │ Sets the IC outputs to logic levels as defined in the boundary scan │ │ │ │ │ register. Enables the bypass register. │ ├───────────┼─────────────┼──────────┼───────────────────────────────────────────────────────────────────────┤ │ HIGHZ │ N │ Varies │ Sets all IC outputs to a disabled (high impedance) state. Enables │ │ │ │ │ the bypass register. │ ├───────────┼─────────────┼──────────┼───────────────────────────────────────────────────────────────────────┤ │ IDCODE │ N │ Varies │ Enables the 32-bit device identification register. Does not affect │ │ │ │ │ operation of the IC. │ ├───────────┼─────────────┼──────────┼───────────────────────────────────────────────────────────────────────┤ │ USERCODE │ N │ Varies │ Places user-defined information into the 32-bit device │ │ │ │ │ identification register. Does not affect operation of the IC. │ └───────────┴─────────────┴──────────┴───────────────────────────────────────────────────────────────────────┘

JTAG: Protection

• Implementation specific

• Security fuse physically blown prior to release- Could be repaired w/ silicon die attack

• Password required to enable functionality- Ex.: Flash erased after n attempts (so perform n-1),

then reset and continue

• May allow BYPASS, but prevent higher level functionality

- Ex.: TI MSP430

JTAG: HW Tools

• RIFF Box- www.jtagbox.com

• H-JTAG- www.hjtag.com/en/

• Bus Blaster (open source)- http://dangerousprototypes.com/docs/Bus_Blaster

• Wiggler or compatible (parallel port)- ftp://www.keith-koep.com/pub/arm-tools/jtag/

jtag05_sch.pdf

JTAG: SW Tools

• OpenOCD (Open On-Chip Debugger)- http://openocd.sourceforge.net

• UrJTAG (Universal JTAG Library)- www.urjtag.org

UART

• Universal Asynchronous Receiver/Transmitter- No external clock needed

- Data bits sent LSB first (D0)- NRZ (Non-Return-To-Zero) coding- Transfer speed (bits/second) = 1 / bit width

- http://en.wikipedia.org/wiki/Asynchronous_serial_ communication

*** Start bit + Data bits + Parity (optional) + Stop bit(s)

UART 2

• Asynchronous serial interface→ TXD = Transmit data (to target device)← RXD = Receive data (from target device)↔ DTR, DSR, RTS, CTS, RI, DCD = Control signals (uncommon for modern implementations)

• Many embedded systems use UART as debug output/console

UART 3

Bit width = ~8.7uS

Mark (Idle)

Space

Hardware

Design Requirements

• Open source/hackable/expandable• Simple command-based interface

• Proper input protection• Adjustable target voltage• Off-the-shelf components• Hand solderable (if desired)

Block Diagram

MCU

Parallax Propeller

EEPROM

24LC5122 (I2C)

Power Switch

MIC2025-2YM

LDO

LD1117S33TRUSB5V 3.3V

D/A

AD86551.2V - 3.3V

~13mV/step

Serial-to-USB

FT232RL2

1 (PWM)

Host PCUSB Mini-B

Voltage Level Translator

TXS0108EPWR

Voltage Level Translator

TXS0108EPWR

Voltage Level Translator

TXS0108EPWR

Input Protection Circuitry

24

Target Device

1

Status Indicator

WP59EGW

Development

PCB

*** 2x5 headers compatible w/ Bus Pirate probes, http://dangerousprototypes.com/docs/Bus_Pirate

Target I/F (24 channels)

Propeller USB

Input protection

Level translationStatus

Op-Amp/DAC

Assembly Drawing

Schematic: Main

NOTE: RESISTORS ARE IN OHMS +/- 5a AND CAPACITORS ARE IN MICROFARADS UNLESSOTHERWISE NOTED. SEE BOM FOR ACTUAL VOLTAGE AND SPECIFICATION.

3V3

E01

E12

E23

GND4

SDA 5SCL6

WC7

VCC 8

U424LC512-I/SN

12

Y15.0MHz

3V3

3V3

aRES

PROPRXPROPTXPROPSDAPROPSCL

JTAGulator: MainSIZEDaTE

TITLE

DRaWN BYFILENaME

10kR4

10kR3

3V3

10uFC7

VIN3 VO 2

GND1

VO 4

U6LD1117S33

0.1uFC6

5V0 3V3

470R5

270R6

Red Green

LEDRLEDG

3V3 3V3 3V3

P0P1P2P3P4P5P6P7

VSS39

VDD8

VSS27

P3138

P3037

P2936

P2835

P2633 P2734

VDD18

VSS17 VSS5

VDD30

VDD40

XI28

XO29

RES7

BOE6

P2532

P2431

P7 4P6 3P5 2P4 1

P2 43

P3 44

P1 42P0 41

P15 16P14 15P13 14P12 13

P10 11

P11 12

P9 10P8 9

P23 26P22 25P21 24P20 23

P18 21

P19 22

P17 20P16 19

U2PROPELLER (P8X32A-Q44)

To Host

TEST 26

RTS 3

DCD 10

RI 6

GND 18GND 21

VCC20

TXD 1

CTS 11

CBUS023

3V3OUT17

DTR 2

RXD 5

CBUS122

OSCI 27

DSR 9

USBDM16

OSCO 28

USBDP15

VCCIO4

RESET19

AGND 25GND 7

CBUS213

CBUS314

CBUS412

U1FT232RL

12345

P1UX60-MB-5S8

0.1uFC3

USBDM

USBDP

USB Mini B

8

53

26

741

U5AD8655ARZ

5V0

0.1uFC11

5V0

1

2

3

D1WP59EGW

0.1uFC12

0.1uFC13

0.1uFC14

0.1uFC15

100kR9

18kR7 8.2kR8

1000pFC4

470pFC5

VADJ

DACOUT

4.7uFC8

VUSB

0.01uFC1

SW1 SPST

0.01uFC2

10kR2

Q12N3904

P8P9P10P11P12P13P14P15

P16P17P18P19P20P21P22P23

0.1uFC9

VUSB

220R@100MHzL1

0-3.3V @ 256 steps~13mV/step~150mA max. Iout

IN7 OUT 6

EN1

FLG 2GND3

OUT 8

U3MIC2025-2YM 5V0VUSB

10kR1

4.7uFC10

5V0

VUSB

TXSOE

P[23...0]

PIC101PIC102 COC1

PIC201PIC202

COC2

PIC301PIC302COC3

PIC401PIC402COC4

PIC501PIC502COC5

PIC601PIC602 COC6 PIC701

PIC702COC7PIC801

PIC802COC8

PIC901PIC902 COC9 PIC1001

PIC1002COC10

PIC1101PIC1102 COC11

PIC1201PIC1202 COC12

PIC1301PIC1302 COC13

PIC1401PIC1402 COC14

PIC1501PIC1502 COC15

PID101

PID102

PID103 COD1

PIL101 PIL102

COL1

PIP101

PIP102

PIP103

PIP104

PIP105

COP1

PIQ101PIQ102

PIQ103COQ1

PIR101

PIR102COR1

PIR201

PIR202COR2

PIR301

PIR302COR3

PIR401

PIR402 COR4

PIR501

PIR502COR5

PIR601

PIR602COR6

PIR701PIR702

COR7PIR801PIR802

COR8

PIR901

PIR902COR9

PISW101PISW102

COSW1

PIU101

PIU102

PIU103

PIU104

PIU105

PIU106

PIU107

PIU109

PIU1010

PIU1011

PIU1012

PIU1013

PIU1014

PIU1015

PIU1016

PIU1017

PIU1018

PIU1019

PIU1020

PIU1021

PIU1022

PIU1023

PIU1025

PIU1026

PIU1027

PIU1028

COU1

PIU201

PIU202

PIU203

PIU204

PIU205

PIU206

PIU207

PIU208

PIU209

PIU2010

PIU2011

PIU2012

PIU2013

PIU2014

PIU2015

PIU2016

PIU2017

PIU2018

PIU2019

PIU2020

PIU2021

PIU2022

PIU2023

PIU2024

PIU2025

PIU2026

PIU2027

PIU2028

PIU2029

PIU2030

PIU2031

PIU2032

PIU2033

PIU2034

PIU2035

PIU2036

PIU2037

PIU2038

PIU2039

PIU2040

PIU2041

PIU2042

PIU2043

PIU2044

COU2

PIU301

PIU302PIU303

PIU306PIU307

PIU308

COU3

PIU401

PIU402

PIU403

PIU404

PIU405PIU406

PIU407

PIU408

COU4

PIU501

PIU502

PIU503

PIU504 PIU505

PIU506

PIU507PIU508

COU5

PIU601

PIU602PIU603

PIU604

COU6

PIY101PIY102

COY1

PIQ103

PISW101

PIU207NL#RES

PIC701PIC1202 PIC1302 PIC1402 PIC1502

PIR302 PIR402

PIU208

PIU2018

PIU2030

PIU2040

PIU408

PIU602

PIU604PIC602PIC1001 PIC1102

PIU306

PIU308

PIU507

PIU603

PIR702

PIR902

PIU2032NLDACOUT

PIC101

PIC301

PIC501

PIC601 PIC702PIC802 PIC901 PIC1002 PIC1101 PIC1201 PIC1301 PIC1401 PIC1501

PID102

PIP105

PIQ101PIR201

PIR901

PISW102

PIU107

PIU1018

PIU1021

PIU1025

PIU1026

PIU205

PIU206

PIU2017

PIU2027

PIU2039

PIU303

PIU401

PIU402

PIU403

PIU404

PIU407

PIU504

PIU601

PIR602

PIU2033NLLEDG

PIR502

PIU2034NLLEDR

PIC102

PIL101PIP101

PIC201 PIQ102

PIR202PIC202PIU102

PIC302

PIR102

PIU104

PIU1017

PIC401

PIR701 PIR802

PIC502

PIR801 PIU503

PID101PIR501

PID103PIR601

PIP104

PIR101 PIU1014

PIU301

PIU103

PIU106

PIU109

PIU1010

PIU1011

PIU1012

PIU1013

PIU1019

PIU1022

PIU1023

PIU1027

PIU1028

PIU2028

PIY101

PIU2029PIY102

PIU2031POTXSOE

PIU302

PIU501

PIU505

PIU508

PIU2041NLP0

PIU2042NLP1

PIU2043NLP2

PIU2044NLP3

PIU201NLP4

PIU202NLP5

PIU203NLP6

PIU204NLP7

PIU209NLP8

PIU2010NLP9

PIU2011NLP10

PIU2012NLP11

PIU2013NLP12

PIU2014NLP13

PIU2015NLP14

PIU2016NLP15

PIU2019NLP16

PIU2020NLP17

PIU2021NLP18

PIU2022NLP19

PIU2023NLP20

PIU2024NLP21

PIU2025NLP22

PIU2026NLP23

PIU101

PIU2038NLPROPRX

PIR401PIU2035

PIU406NLPROPSCL

PIR301PIU2036PIU405

NLPROPSDA

PIU105

PIU2037NLPROPTX

PIP102

PIU1016NLUSBDMPIP103

PIU1015NLUSBDP

PIC402

PIU502

PIU506

PIC801 PIC902

PIL102 PIU1020

PIU307

POP02300000

POTXSOE

Schematic: Target Interface

NOTE: RESISTORS ARE IN OHMS +/- 5a AND CAPACITORS ARE IN MICROFARADS UNLESSOTHERWISE NOTED. SEE BOM FOR ACTUAL VOLTAGE AND SPECIFICATION.

3V3 VADJ

JTAGulator: Target InterfaceTITLE

0.1uFC19

0.1uFC20

P0P1P2P3P4P5P6P7

P8P9P10P11P12P13P14P15

P16P17P18P19P20P21P22P23

12345

P2TE 282834-5

CH0CH1CH2CH3

12345

P3TE 282834-5

12345

P4TE 282834-5

12345

P5TE 282834-5

12345

P6TE 282834-5

CH4CH5CH6CH7CH8

CH9CH10CH11CH12CH13

CH14CH15CH16CH17CH18

CH19CH20CH21CH22CH23

I/O11

GND2

I/O23 I/O3 4

VCC 5

I/O4 6

U8NUP4302MR6 VADJ

I/O11

GND2

I/O23 I/O3 4

VCC 5

I/O4 6

U7NUP4302MR6 VADJ

I/O11

GND2

I/O23 I/O3 4

VCC 5

I/O4 6

U11NUP4302MR6 VADJ

I/O11

GND2

I/O23 I/O3 4

VCC 5

I/O4 6

U10NUP4302MR6 VADJ

I/O11

GND2

I/O23 I/O3 4

VCC 5

I/O4 6

U14NUP4302MR6 VADJ

I/O11

GND2

I/O23 I/O3 4

VCC 5

I/O4 6

U13NUP4302MR6 VADJ

3V3 VADJ

0.1uFC18

0.1uFC22

3V3 VADJ

0.1uFC17

0.1uFC21

10kR10

TXSOE

VADJ3V3

VADJ3V3

VADJ3V3

P[23...0]

Diode limiters for input protectionVf must be < 0.5V to prevent damage to level translators

VCCA <= VCCBVCCA range: 1.2V to 3.6VVCCB range: 1.7V to 5.5V

VCCA 2

A2 3

A3 4

A1 1

A4 5

A5 6

A6 7

A7 8

A8 9

OE10

GND 11B812 B713 B614 B515 B416 B317 B218

VCCB19

B120

U9TXS0108EPWR

VCCA 2

A2 3

A3 4

A1 1

A4 5

A5 6

A6 7

A7 8

A8 9

OE10

GND 11B812 B713 B614 B515 B416 B317 B218

VCCB19

B120

U12TXS0108EPWR

VCCA 2

A2 3

A3 4

A1 1

A4 5

A5 6

A6 7

A7 8

A8 9

OE10

GND 11B812 B713 B614 B515 B416 B317 B218

VCCB19

B120

U15TXS0108EPWR

To Target Compatible w/ Bus Pirate 3.x probe/interface cable

1 23 45 67 89 10

P7961210-6404-AR

CH0CH1

CH2 CH3CH4 CH5CH6 CH7

RedYellowBlueGreyBlack

BrownOrange VADJGreenPurpleWhite

CH8CH9

CH10 CH11CH12 CH13CH14 CH15

RedYellowBlueGreyBlack

BrownOrange VADJGreenPurpleWhite

CH17CH18 CH19CH20 CH21CH22 CH23

RedYellowBlueGreyBlack

BrownOrange VADJGreenPurpleWhite

1 23 45 67 89 10

P8961210-6404-AR

1 23 45 67 89 10

P9961210-6404-AR

CH16

12345678

161514131211109

1KR11

12345678

161514131211109

1KR12

12345678

161514131211109

1KR13

PIC1701PIC1702 COC17

PIC1801PIC1802 COC18

PIC1901PIC1902 COC19

PIC2001PIC2002 COC20

PIC2101PIC2102 COC21

PIC2201PIC2202 COC22

PIP201

PIP202

PIP203

PIP204

PIP205

COP2

PIP301

PIP302

PIP303

PIP304

PIP305

COP3

PIP401

PIP402

PIP403

PIP404

PIP405

COP4

PIP501

PIP502

PIP503

PIP504

PIP505

COP5

PIP601

PIP602

PIP603

PIP604

PIP605

COP6

PIP701 PIP702

PIP703 PIP704

PIP705 PIP706

PIP707 PIP708

PIP709 PIP7010

COP7

PIP801 PIP802

PIP803 PIP804

PIP805 PIP806

PIP807 PIP808

PIP809 PIP8010

COP8

PIP901 PIP902

PIP903 PIP904

PIP905 PIP906

PIP907 PIP908

PIP909 PIP9010

COP9

PIR1001

PIR1002COR10

PIR1101

PIR1102

PIR1103

PIR1104

PIR1105

PIR1106

PIR1107PIR1108PIR1109

PIR11010

PIR11011

PIR11012

PIR11013

PIR11014

PIR11015

PIR11016

COR11

PIR1201

PIR1202

PIR1203

PIR1204

PIR1205

PIR1206

PIR1207

PIR1208PIR1209

PIR12010

PIR12011

PIR12012

PIR12013

PIR12014

PIR12015

PIR12016

COR12

PIR1301

PIR1302

PIR1303

PIR1304

PIR1305

PIR1306

PIR1307

PIR1308PIR1309PIR13010

PIR13011

PIR13012

PIR13013

PIR13014

PIR13015

PIR13016

COR13

PIU701

PIU702

PIU703 PIU704

PIU705

PIU706

COU7

PIU801

PIU802

PIU803 PIU804

PIU805

PIU806

COU8

PIU901

PIU902

PIU903

PIU904

PIU905

PIU906

PIU907

PIU908PIU909

PIU9010

PIU9011

PIU9012

PIU9013

PIU9014

PIU9015

PIU9016

PIU9017

PIU9018

PIU9019

PIU9020

COU9

PIU1001

PIU1002

PIU1003 PIU1004

PIU1005

PIU1006

COU10

PIU1101

PIU1102

PIU1103 PIU1104

PIU1105

PIU1106

COU11

PIU1201

PIU1202

PIU1203

PIU1204

PIU1205

PIU1206

PIU1207

PIU1208

PIU1209

PIU12010

PIU12011

PIU12012

PIU12013

PIU12014

PIU12015

PIU12016

PIU12017

PIU12018

PIU12019

PIU12020

COU12

PIU1301

PIU1302

PIU1303 PIU1304

PIU1305

PIU1306

COU13

PIU1401

PIU1402

PIU1403 PIU1404

PIU1405

PIU1406

COU14

PIU1501

PIU1502

PIU1503

PIU1504

PIU1505

PIU1506

PIU1507

PIU1508

PIU1509

PIU15010

PIU15011

PIU15012PIU15013

PIU15014

PIU15015

PIU15016

PIU15017

PIU15018

PIU15019

PIU15020

COU15

PIC1702 PIC1802 PIC1902

PIU9019

PIU12019

PIU15019

PIP202

PIP702

PIR1101

NLCH0

PIP203

PIP704

PIR1102

NLCH1

PIP204

PIP705

PIR1103

NLCH2

PIP205

PIP706

PIR1104

NLCH3

PIP301

PIP707

PIR1105

NLCH4

PIP302

PIP708

PIR1106

NLCH5

PIP303

PIP709

PIR1107

NLCH6

PIP304

PIP7010

PIR1108

NLCH7

PIP305

PIP802

PIR1201

NLCH8

PIP401

PIP804

PIR1202

NLCH9

PIP402

PIP805

PIR1203

NLCH10

PIP403

PIP806

PIR1204

NLCH11

PIP404

PIP807

PIR1205

NLCH12

PIP405

PIP808

PIR1206

NLCH13

PIP501

PIP809

PIR1207

NLCH14

PIP502

PIP8010

PIR1208

NLCH15

PIP503

PIP902

PIR1301

NLCH16

PIP504

PIP904

PIR1302

NLCH17

PIP505

PIP905

PIR1303

NLCH18

PIP601

PIP906

PIR1304

NLCH19

PIP602

PIP907

PIR1305

NLCH20

PIP603

PIP908

PIR1306

NLCH21

PIP604

PIP909

PIR1307

NLCH22

PIP605

PIP9010

PIR1308

NLCH23

PIC1701 PIC1801 PIC1901 PIC2001 PIC2101 PIC2201

PIP201 PIP701

PIP801

PIP901

PIR1001 PIU702 PIU802

PIU9011

PIU1002 PIU1102

PIU12011

PIU1302 PIU1402

PIU15011

PIR1002

PIU9010

PIU12010

PIU15010

POTXSOE

PIR1109

PIU703

PIU909

PIR11010

PIU701

PIU908

PIR11011

PIU706

PIU907

PIR11012

PIU704

PIU906

PIR11013

PIU803

PIU905

PIR11014

PIU801

PIU904

PIR11015

PIU804

PIU903

PIR11016

PIU806

PIU901

PIR1209

PIU1006

PIU1209

PIR12010

PIU1004

PIU1208

PIR12011

PIU1003

PIU1207

PIR12012

PIU1001

PIU1206

PIR12013

PIU1103

PIU1205

PIR12014

PIU1101

PIU1204

PIR12015

PIU1106

PIU1203

PIR12016

PIU1104

PIU1201

PIR1309

PIU1304

PIU1509PIR13010

PIU1306

PIU1508

PIR13011

PIU1303

PIU1507

PIR13012

PIU1301

PIU1506

PIR13013

PIU1406

PIU1505

PIR13014

PIU1404

PIU1504

PIR13015

PIU1403

PIU1503

PIR13016

PIU1401

PIU1501

PIU9020NLP0

PIU9018NLP1

PIU9017NLP2

PIU9016NLP3

PIU9015NLP4

PIU9014NLP5

PIU9013NLP6

PIU9012NLP7

PIU12020NLP8

PIU12018NLP9

PIU12017NLP10

PIU12016NLP11

PIU12015NLP12

PIU12014NLP13

PIU12013NLP14

PIU12012NLP15

PIU15020NLP16

PIU15018NLP17

PIU15017NLP18

PIU15016NLP19

PIU15015NLP20

PIU15014NLP21

PIU15013NLP22

PIU15012NLP23

PIC2002 PIC2102 PIC2202

PIP703

PIP803

PIP903

PIU705 PIU805

PIU902

PIU1005 PIU1105

PIU1202

PIU1305 PIU1405

PIU1502

POP02300000

POTXSOE

*** INFORMATION: www.parallax.com/propeller/

*** DISCUSSION FORUMS: http://forums.parallax.com

*** OBJECT EXCHANGE: http://obex.parallax.com

• Completely custom, ground up design

• 8 independent cogs @ 20 MIPS each

• Code in Spin, ASM, or C

Propeller/Core

• Clock: DC to 128MHz (80MHz recommended)

• Global (hub) memory: 32KB RAM, 32KB ROM

• Cog memory: 2KB RAM each

• GPIO: 32 @ 40mA sink/source per pin

• Program code loaded from external EEPROM on power-up

Propeller/Core 2

Propeller/Core 3

• Standard development using Propeller Tool & Parallax Serial Terminal (Windows)

• Programmable via serial interface (usually in conjunction w/ USB-to-serial IC)

Propeller/Core 4

Propeller/Core 5

USB Interface

• Allows for Propeller programming & UI

• Powers JTAGulator from bus (5V)

• FT232RL USB-to-Serial UART- Entire USB protocol handled on-chip- Host will recognize as a virtual serial port (Windows,

OS X, Linux)

• MIC2025 Power Distribution Switch- Internal current limiting, thermal shutdown- Let the FT232 enumerate first (@ < 100mA), then

enable system load

USB Interface 2

Adjustable Target Voltage• PWM from Propeller- Duty cycle corresponds to output voltage (VADJ)- Look-up table for values in 0.1V increments

• AD8655 Low Noise, Precision CMOS Amplifier- Single supply, rail-to-rail- 220mA output current (~150mA @ Vo = 1.2V-3.3V)- Voltage follower configuration to serve as DAC buffer

Level Translation

• Allows 3.3V signals from Propeller to be converted to VADJ (1.2V-3.3V)

• Prevents potential damage due to over-voltage on target device's unknown connections

• TXS0108E Bidirectional Voltage-Level Translator- Designed for both open drain and push-pull interfaces- Internal pull-up resistors (40kΩ when driving low, 4kΩ

when high)

- Automatic signal direction detection- High-Z outputs when OE low -> will not interfere with

target when not in use

Level Translation 2

Input Protection

• Prevent high voltages/spikes on unknown pins from damaging JTAGulator

• Diode limiter clamps input if needed

• Vf must be < 0.5V to protect TXS0108Es

Input Protection 2

• NUP4302MR6 Schottky Diode Array- Vf @ 1mA = 0.2V typ., 0.35V max.- Vf @ 10mA = 0.25V typ., 0.45V max.- Alternate: SD103ASDM

Bill-of-Materials

• All components from Digi-Key

• Total cost per unit = $50.73

JTAGulatorJTAGulatorBill-of-MaterialsBill-of-MaterialsBill-of-MaterialsHW B, Document 1.0, April 19, 2013HW B, Document 1.0, April 19, 2013HW B, Document 1.0, April 19, 2013

Item Quantity Reference Manufacturer Manuf. Part # Distributor Distrib. Part # Description1 2 C1, C2 Kemet C1206C103K5RACTU Digi-Key 399-1234-1-ND Capacitor, 0.01uF ceramic, 10%, 50V, X7R, 1206

2 14C3, C6, C9, C11, C12, C13, C14, C15, C17, C18, C19, C20, C21, C22 Kemet C1206C104K5RACTU Digi-Key 399-1249-1-ND Capacitor, 0.1uF ceramic, 10%, 50V, X7R, 1206

3 1 C4 Yageo CC1206KRX7R9BB102 Digi-Key 311-1170-1-ND Capacitor, 1000pF ceramic, 10%, 50V, X7R, 12064 1 C5 Yageo CC1206KRX7R9BB471 Digi-Key 311-1167-1-ND Capacitor, 470pF ceramic, 10%, 50V, X7R, 12065 1 C7 Kemet T491A106M016AS Digi-Key 399-3687-1-ND Capacitor, 10uF tantalum, 20%, 16V, size A6 2 C8, C10 Kemet T491A475K016AT Digi-Key 399-3697-1-ND Capacitor, 4.7uF tantalum, 10%, 16V, size A7 1 D1 Kingbright WP59EGW Digi-Key 754-1232-ND LED, Red/Green Bi-Color, T-1 3/4 (5mm)8 1 L1 TDK MPZ2012S221A Digi-Key 445-1568-1-ND Inductor, Ferrite Bead, 220R@100MHz, 3A, 08059 1 P1 Hirose Electric UX60-MB-5S8 Digi-Key H2960CT-ND Connector, Mini-USB, 5-pin, SMT w/ PCB mount10 5 P2, P3, P4, P5, P6 TE Connectivity 282834-5 Digi-Key A98336-ND Connector, Terminal Block, 5-pin, side entry, 0.1” P11 3 P7, P8, P9 3M 961210-6404-AR Digi-Key 3M9460-ND Header, Dual row, Vertical header, 2x5-pin, 0.1” P12 1 Q1 Fairchild MMBT3904 Digi-Key MMBT3904FSCT-ND Transistor, NPN, 40V, 200mA, SOT23-313 5 R1, R2, R3, R4, R10 Any Any Digi-Key P10KECT-ND Resistor, 10k, 5%, 1/4W, 120614 1 R5 Any Any Digi-Key P470ECT-ND Resistor, 470 ohm, 5%, 1/4W, 120615 1 R6 Any Any Digi-Key P270ECT-ND Resistor, 270 ohm, 5%, 1/4W, 120616 1 R7 Any Any Digi-Key P18.0KFCT-ND Resistor, 18k, 1%, 1/4W, 120617 1 R8 Any Any Digi-Key P8.20KFCT-ND Resistor, 8.2k, 1%, 1/4W, 120618 1 R9 Any Any Digi-Key P100KECT-ND Resistor, 100k, 5%, 1/4W, 120619 3 R11, R12, R13 Bourns 4816P-1-102LF Digi-Key 4816P-1-102LFCT-ND Resistor, Array, 8 isolated, 1k, 2%, 1/6W, SOIC1620 1 SW1 C&K KSC201JLFS Digi-Key 401-1756-1-ND Switch, SPST, Momentary, 120gf, 6.2 x 6.2mm, J-Lead21 1 U1 FTDI FT232RL-REEL Digi-Key 768-1007-1-ND IC, USB-to-UART Bridge, SSOP2822 1 U2 Parallax P8X32A-Q44 Digi-Key P8X32A-Q44-ND IC, Microcontroller, Propeller, LQFP4423 1 U3 Micrel MIC2025-2YM Digi-Key 576-1058-ND IC, Power Distribution Switch, Single-channel, SOIC824 1 U4 Microchip 24LC512-I/SN Digi-Key 24LC512-I/SN-ND IC, Memory, Serial EEPROM, 64KB, SOIC825 1 U5 Analog Devices AD8655ARZ Digi-Key AD8655ARZ-ND IC, Op. Amp., CMOS, Rail-to-rail, 220mA Iout, SOIC826 1 U6 ST Microelectronics LD1117S33CTR Digi-Key 497-1241-1-ND IC, Voltage Regulator, LDO, 3.3V@800mA, SOT22327 6 U7, U8, U10, U11, U13, U14 ON Semiconductor NUP4302MR6T1G Digi-Key NUP4302MR6T1GOSCT-ND IC, Schottky Diode Array, 4 channel, TSOP628 3 U9, U12, U15 Texas Instruments TXS0108EPWR Digi-Key 296-23011-1-ND IC, Level Translator, Bi-directional, TSSOP2029 1 Y1 ECS ECS-50-18-4XEN Digi-Key XC1738-ND Crystal, 5.0MHz, 18pF, HC49/US30 1 PCB Any JTAG B N/A N/A PCB, Fabrication

Firmware

Source Tree

Cogs

• Spin Interpreter (Cog 0)• Parallax Serial Terminal (ser)

• Real Random (rr)• JDCogSerial (uart)

Propeller Resources

General Commands

• Set target system voltage (V) (1.2V-3.3V)• Read all channels (R)

• Write all channels (W)• Print available commands (H)

JTAG Commands

• Identify JTAG pinout via IDCODE scan (I)• Identify JTAG pinout via BYPASS scan (B)

• Get Device IDs (D) (w/ known pinout)• Test BYPASS (T) (w/ known pinout)

IDCODE Scan

• 32-bit Device ID (if available) is in the DR on TAP reset or IC power-up

- Otherwise, TAP will reset to BYPASS (LSB = 0)- Can simply enter Shift-DR state and clock out on TDO- TDI not required/used during IDCODE aquisition

LSB

IDCODE Scan 2

• Device ID values vary with part/family/vendor- Locate in data sheets, BSDL files, reference code,

etc.

• Manufacturer ID provided by JEDEC- Each manufacturer assigned a unique identifier - Can use to help validate that proper IDCODE was

retrieved- http://www.jedec.org/standards-documents/

results/jep106

IDCODE Scan 3

• Ask user for number of channels to use

• For every possible pin permutation (except TDI)- Set unused channels to output high (in case of any

active low reset pins)

- Configure JTAG pins to use on the Propeller- Reset the TAP- Try to get the Device ID by reading the DR- If Device ID is 0xFFFFFFFF or if bit 0 != 1, ignore- Otherwise, display potentially valid JTAG pinout

BYPASS Scan

• In BYPASS, data shifted into TDI is received on TDO delayed by one clock cycle

BYPASS Scan 2

• Can determine how many devices (if any) are in the chain via "blind interrogation"

- Force device(s) into BYPASS (IR of all 1s)- Send 1s to fill DRs- Send a 0 and count until it is output on TDO

BYPASS Scan 3

• Ask user for number of channels to use

• For every possible pin permutation- Set unused channels to output high (in case of any

active low reset pins)

- Configure JTAG pins to use on the Propeller- Reset the TAP- Perform blind interrogation- If number of detected devices > 0, display potentially

valid JTAG pinout

DEFCON 17 Badge

• Freescale MC56F8006 Digital Signal Controller- ID = 0x01C0601D- www.bsdl.info/details.htm?sid=e82c74686c7522e

888ca59b002289d77 MSB LSB ┌───────┬───────────────┬─────────────┬─────────────────┬─────────────────┬───────┐ │ Ver. │ Design Center │ Core Number | Chip Derivative | Manufacturer ID │ Fixed │ └───────┴───────────────┴─────────────┴─────────────────┴─────────────────┴───────┘ 31...28 27...22 21...17 16...12 11...1 0

0000 000111 00000 (DSP56300) 00110 00000001110 (0x0E) 1

• Marvell PXA312 (Intel XScale/ARM5)- ID = 0x2E649013- http://docs.toradex.com/100197-colibri-arm-som-

pxa3xx-dm-vol-1.pdf (Table 9) - TCK = 5 (Blue), TMS = 4 (Pink), TDI = 3 (Grey), TDO = 6

(Orange), GND = 8 (Black)

• JTAG disabled when external power supplied or phone is "on" via battery

Samsung SCH-i910

BlackBerry 7290

• AD6529 "Hermes" DSP (ARM7TDMI)• AD6521 "Pegasus" Analog Baseband- IDs = 0x027831CB and 0x027B51CB- Unknown which ID is for which device- TDO1 = Only one device- TDO2 = Both devices in the chain

MSB LSB ┌───────┬──────────┬────────────┬────────┬───────────────┬─────────────────┬───────┐ │ Ver. │ Core ID │ Capability | Family | Device Number | Manufacturer ID │ Fixed │ └───────┴──────────┴────────────┴────────┴───────────────┴─────────────────┴───────┘ 31...28 27 26...24 23...20 19...12 11...1 0

0000 0 (ARM) 010 (Reserved) 0111 (ARM7) 10000011 00011100101 (0xE5) 1 0000 0 (ARM) 010 (Reserved) 0111 (ARM7) 01010001 00011100101 (0xE5) 1

*** http://infocenter.arm.com/help/topic/com.arm.doc.dai0099c/DAI0099C_core_type_rev_id.pdf

BlackBerry 7290 2

UART Commands

• Identify UART pinout (U)• UART pass through (P) (w/ known pinout)

UART Scan

• Ask user for desired output string (up to 16 bytes)

• Ask user for number of channels to use

• For every possible pin permutation- Configure UART pins to use on the Propeller

- Set baud rate

- Send user string- Wait to receive data (20ms maximum per byte)- If any bytes received, display potentially valid UART

pinout and data (up to 16 bytes)

UART Scan 2

• 8 data bits, no parity, 1 stop bit (8N1)

• Baud rates stored in look-up table- 75, 110, 150, 300, 900, 1200, 1800, 2400, 3600,

4800, 7200, 9600, 14400, 19200, 28800, 31250, 38400, 57600, 76800, 115200, 153600, 230400, 250000, 307200

UART Scan 3

Linksys WRT54G v2 rXH (w/ DD-WRT)• Broadcom BCM4712- ID = 0x1471217F- https://github.com/notch/tjtag/blob/master/tjtag.c- UART: JP1 (TXD = 4, RXD = 6) @ 115200, 8N1

*** www.jtagtest.com/pinouts/wrt54

Scan Timing

# of Channels

IDCODEPermutations

IDCODE(mm:ss)

BYPASSPermutations

BYPASS(mm:ss)

4 24 < 00:01 24 00:028 336 00:02 1680 02:0516 3360 00:13 43680 54:2724 12144 00:46 255024 317:54

• IDCODE- TDI ignored since we're only shifting data out of DR- ~264 permutations/second

• BYPASS- Many bits/permutation needed to account for

multiple devices in chain and varying IR lengths- ~13.37 permutations/second

Scan Timing 2

# of Channels

UARTPermutations

Time(mm:ss)

4 12 00:128 56 00:5716 240 4:0424 552 9:22

• UART - Only need to locate two pins (TXD/RXD)- 24 baud rates/permutation- ~1 permutation/second

Demonstration

Potential Limitations

• Could cause target to behave abnormally due to "fuzzing" unknown pins

• OCD interface isn't being properly enabled- Non-standard configuration- Password protected- System expects defined reset sequence or pin setting

• OCD interface is physically disconnected- Cut traces, missing jumpers/0 ohm resistors

• No OCD interface exists

*** Additional reverse engineering will be necessary to determine the problem or discover pinout

Future Work

• Add support for other interfaces- TI Spy-Bi-Wire, ARM Serial Wire Debug,

Microchip ICSP, Atmel AVR ISP

Other Uses

• Propeller development board• Logic analyzer

• Inter-chip communication/probing ala Bus Pirate or GoodFET

• ???

Get It

• www.jtagulator.com

*** Schematics, firmware, BOM, block diagram, Gerber plots, photos, other engineering documentation

• www.parallax.com

*** Assembled units, bare boards, accessories

A Poem

Let's JTAGulate!