Assisted Discovery of On-Chip Debug Interfaces, Joe Grand (@joegrand) (PowerPoint presentation)



slide-1
SLIDE 1

Assisted Discovery of On-Chip Debug Interfaces Joe Grand (@joegrand)

slide-2
SLIDE 2

Agenda

  • Introduction
  • Inspiration / Other Art
  • Traditional HW RE Techniques
  • On-Chip Debug Interfaces
  • Design Requirements
  • Hardware
  • Firmware
  • Examples / Demonstration
  • Limitations
  • Future Work
slide-3
SLIDE 3

Introduction

  • On-chip debug interfaces are a well-known attack vector
  • Can provide chip-level control of a target device
  • Extract program code or data
  • Modify memory contents
  • Affect device operation on-the-fly
  • Gain insight into system operation
  • Inconvenient for vendor to remove functionality
  • Would prevent capability for legitimate personnel
  • Weak obfuscation instead (hidden or unmarked signals/connectors)
  • May be password protected (if supported by device)
slide-4
SLIDE 4

Introduction 2

  • Identifying OCD interfaces can sometimes be difficult and/or time consuming

slide-5
SLIDE 5

Goals

  • Create an easy-to-use tool to simplify the process

  • Attract non-HW folks to HW hacking
slide-6
SLIDE 6

Inspiration

  • Hunz's JTAG Finder
  • http://elinux.org/JTAG_Finder
  • JTAGenum & RS232enum
  • http://deadhacker.com/tools/
  • Cyber Fast Track
  • www.cft.usma.edu

slide-7
SLIDE 7

Other Art

  • An Open JTAG Debugger (GoodFET), Travis Goodspeed, DEFCON 17
  • http://defcon.org/html/links/dc-archives/dc-17-archive.html#Goodspeed2
  • Blackbox JTAG Reverse Engineering, Felix Domke, 26C3
  • http://events.ccc.de/congress/2009/Fahrplan/attachments/1435_JTAG.pdf

slide-8
SLIDE 8

Other Art 2

  • Forensic Imaging of Embedded Systems using JTAG, Marcel Breeuwsma (NFI), Digital Investigation Journal, March 2006
  • http://www.sciencedirect.com/science/article/pii/S174228760600003X

slide-9
SLIDE 9

Identifying Interfaces: External

  • Accessible to the outside world
  • Intended for engineers or manufacturers
  • Device programming or final system test
  • Usually hidden or protected
  • Underneath batteries
  • Behind stickers/covers
  • May be a proprietary/non-standard connector
slide-10
SLIDE 10

Identifying Interfaces: Internal

  • Test points or unpopulated pads
  • Silkscreen markings or notation
  • Easy-to-access locations
slide-11
SLIDE 11

Identifying Interfaces: Internal 2

  • Familiar target or based on common pinouts
  • Often single- or double-row footprint
  • JTAG: www.jtagtest.com/pinouts/

[Images: left, www.blackhat.com/html/bh-us-10/bh-us-10-archives.html#Jack; right, www.nostarch.com/xboxfree]

slide-12
SLIDE 12

Identifying Interfaces: Internal 3

  • Can use PCB/design heuristics
  • Traces of similar function are grouped together (bus)
  • Array of pull-up/pull-down resistors (to set static state of pins)
  • Test points usually placed on important/interesting signals

[Image: http://elinux.org/images/d/d6/Jtag.pdf]

slide-13
SLIDE 13

Identifying Interfaces: Internal 4

  • More difficult to locate when available only on component pads or tented vias

[Image: www.dd-wrt.com/wiki/index.php/JTAG_pinouts#Buffalo_WLA-G54C]

slide-14
SLIDE 14

Determining Pin Function

  • Identify test points/connector & target device
  • Trace connections
  • Visually or w/ multimeter in continuity mode
  • For devices where pins aren't accessible (BGA), remove device or use X-ray

  • Use data sheet to match pin number to function
  • Probe connections
  • Use oscilloscope or logic analyzer
  • Ignore any points that already have active signals
  • Pull pins high or low, observe results, repeat
  • Logic state or number of pins can help to make educated guesses

slide-15
SLIDE 15

Determining Pin Function 2

[Image: http://forum.xda-developers.com/wiki/WallabyJTAG]

slide-16
SLIDE 16

On-Chip Debug Interfaces

  • JTAG
  • UART
slide-17
SLIDE 17

JTAG

  • Industry-standard interface (IEEE 1149.1)
  • Created for chip- and system-level testing
  • Defines low-level functionality of finite state machine/Test Access Port (TAP)

  • http://en.wikipedia.org/wiki/Joint_Test_Action_Group
  • Provides a direct interface to hardware
  • Can "hijack" all pins on the device (Boundary scan/test)

  • Can access other devices connected to target chip
  • Programming/debug interface (access to Flash, RAM)
  • Vendor-defined functions/test modes might be available

slide-18
SLIDE 18

JTAG 2

  • Multiple devices can be "chained" together for communication to all via a single JTAG port
  • Even multiple dies within the same chip package
  • Different vendors may not play well together
  • Development environments abstract low-level functionality from the user
  • Implementations are device- or family-specific
  • As long as we can locate the interface/pinout, let other tools do the rest
slide-19
SLIDE 19

JTAG: Architecture

  • Synchronous serial interface
  • TDI = Data In (to target device)
  • TDO = Data Out (from target device)
  • TMS = Test Mode Select
  • TCK = Test Clock
  • /TRST = Test Reset (optional for async reset)

  • Test Access Port (TAP) w/ Shift Registers
  • Instruction (>= 2 bit wide)
  • Data
  • Bypass (1 bit)
  • Boundary Scan (variable)
  • Device ID (32 bit) (optional)
slide-20
SLIDE 20

JTAG: Architecture 2

slide-21
SLIDE 21

JTAG: TAP Controller

  • State transitions occur on rising edge of TCK based on current state and value of TMS
  • TAP provides 4 major operations: Reset, Run-Test, Scan DR, Scan IR
  • Can move to Reset state from any other state w/ TMS high for 5x TCK
  • 3 primary steps in Scan: Capture, Shift, Update
  • Data held in "shadow" latch until Update state

slide-22
SLIDE 22

JTAG: Instructions

Name     | Required? | Opcode | Description
---------|-----------|--------|------------------------------------------------------------
BYPASS   | Y         | All 1s | Bypass on-chip system logic. Allows serial data to be transferred from TDI to TDO without affecting operation of the IC.
SAMPRE   | Y         | Varies | Used for controlling (preload) or observing (sample) the signals at device pins. Enables the boundary scan register.
EXTEST   | Y         | All 0s | Places the IC in external boundary test mode. Used to test device interconnections. Enables the boundary scan register.
INTEST   | N         | Varies | Used for static testing of internal device logic in a single-step mode. Enables the boundary scan register.
RUNBIST  | N         | Varies | Places the IC in a self-test mode and selects a user-specified data register to be enabled.
CLAMP    | N         | Varies | Sets the IC outputs to logic levels as defined in the boundary scan register. Enables the bypass register.
HIGHZ    | N         | Varies | Sets all IC outputs to a disabled (high impedance) state. Enables the bypass register.
IDCODE   | N         | Varies | Enables the 32-bit device identification register. Does not affect operation of the IC.
USERCODE | N         | Varies | Places user-defined information into the 32-bit device identification register. Does not affect operation of the IC.

slide-23
SLIDE 23

JTAG: Protection

  • Implementation specific
  • Security fuse physically blown prior to release
  • Could be repaired w/ silicon die attack
  • Password required to enable functionality
  • Ex.: Flash erased after n attempts (so perform n-1), then reset and continue
  • May allow BYPASS, but prevent higher level functionality

  • Ex.: TI MSP430
slide-24
SLIDE 24

JTAG: HW Tools

  • RIFF Box
  • www.jtagbox.com
  • H-JTAG
  • www.hjtag.com/en/
  • Bus Blaster (open source)
  • http://dangerousprototypes.com/docs/Bus_Blaster
  • Wiggler or compatible (parallel port)
  • ftp://www.keith-koep.com/pub/arm-tools/jtag/jtag05_sch.pdf

slide-25
SLIDE 25

JTAG: SW Tools

  • OpenOCD (Open On-Chip Debugger)
  • http://openocd.sourceforge.net
  • UrJTAG (Universal JTAG Library)
  • www.urjtag.org
slide-26
SLIDE 26

UART

  • Universal Asynchronous Receiver/Transmitter
  • No external clock needed
  • Data bits sent LSB first (D0)
  • NRZ (Non-Return-To-Zero) coding
  • Transfer speed (bits/second) = 1 / bit width
  • http://en.wikipedia.org/wiki/Asynchronous_serial_communication
  • Start bit + Data bits + Parity (optional) + Stop bit(s)

slide-27
SLIDE 27

UART 2

  • Asynchronous serial interface
  • TXD = Transmit data (to target device)
  • RXD = Receive data (from target device)
  • DTR, DSR, RTS, CTS, RI, DCD = Control signals (uncommon for modern implementations)
  • Many embedded systems use UART as debug output/console
slide-28
SLIDE 28

UART 3

[Oscilloscope capture of a UART frame: bit width = ~8.7uS; Mark (Idle) and Space levels labelled]

slide-29
SLIDE 29

Hardware

slide-30
SLIDE 30

Design Requirements

  • Open source/hackable/expandable
  • Simple command-based interface
  • Proper input protection
  • Adjustable target voltage
  • Off-the-shelf components
  • Hand solderable (if desired)
slide-31
SLIDE 31

Block Diagram

[Block diagram: Host PC <-> USB Mini-B <-> Serial-to-USB FT232RL <-> (2 lines) MCU Parallax Propeller; Propeller <-> (2 lines, I2C) EEPROM 24LC512; USB 5V -> Power Switch MIC2025-2YM -> LDO LD1117S33TR -> 3.3V; Propeller -> (1 line, PWM) D/A AD8655, 1.2V - 3.3V, ~13mV/step; Propeller <-> (24 lines) 3x Voltage Level Translator TXS0108EPWR -> Input Protection Circuitry -> Target Device; Propeller -> (1 line) Status Indicator WP59EGW]

slide-32
SLIDE 32

Development

slide-33
SLIDE 33

PCB

  • 2x5 headers compatible w/ Bus Pirate probes, http://dangerousprototypes.com/docs/Bus_Pirate

[Annotated PCB photo: Target I/F (24 channels), Propeller, USB, Input protection, Level translation, Status, Op-Amp/DAC]

slide-34
SLIDE 34

Assembly Drawing

slide-35
SLIDE 35

Schematic: Main

NOTE: RESISTORS ARE IN OHMS +/- 5% AND CAPACITORS ARE IN MICROFARADS UNLESS OTHERWISE NOTED. SEE BOM FOR ACTUAL VOLTAGE AND SPECIFICATION.

[Schematic image "JTAGulator: Main": U1 FT232RL USB-to-serial (USB Mini-B connector P1, ferrite bead L1 on VUSB), U2 Parallax Propeller P8X32A-Q44 w/ 5.0MHz crystal Y1 and reset switch SW1, U3 MIC2025-2YM power distribution switch (5V0 from VUSB), U4 24LC512 I2C EEPROM w/ 10k pull-ups R3/R4 on PROPSDA/PROPSCL, U5 AD8655ARZ op-amp producing VADJ from the PWM DACOUT net (0-3.3V @ 256 steps, ~13mV/step, ~150mA max.), U6 LD1117S33 3.3V LDO, D1 WP59EGW red/green status LED via R5/R6, Q1 2N3904; Propeller P[23...0] and the TXSOE enable net go to the target interface sheet]

slide-36
SLIDE 36

Schematic: Target Interface

NOTE: RESISTORS ARE IN OHMS +/- 5% AND CAPACITORS ARE IN MICROFARADS UNLESS OTHERWISE NOTED. SEE BOM FOR ACTUAL VOLTAGE AND SPECIFICATION.

[Schematic image "JTAGulator: Target Interface": 24 channels CH0-CH23 brought out on five 5-pin terminal blocks P2-P6 (TE 282834-5) and three 2x5 headers P7-P9 (961210-6404-AR, compatible w/ Bus Pirate 3.x probe/interface cable; probe colours Red, Yellow, Blue, Grey, Black, Brown, Orange, Green, Purple, White, with VADJ on each header); 1k series resistor arrays R11-R13; NUP4302MR6 diode limiters U7, U8, U10, U11, U13, U14 for input protection (Vf must be < 0.5V to prevent damage to level translators); TXS0108EPWR level translators U9, U12, U15 between Propeller P[23...0] (3V3 side) and CH0-CH23 (VADJ side), output enable on the TXSOE net w/ 10k R10; translator limits: VCCA <= VCCB, VCCA range 1.2V to 3.6V, VCCB range 1.7V to 5.5V]

slide-37
SLIDE 37

Propeller/Core

  • Completely custom, ground up design
  • 8 independent cogs @ 20 MIPS each
  • Code in Spin, ASM, or C
  • Information: www.parallax.com/propeller/
  • Discussion forums: http://forums.parallax.com
  • Object exchange: http://obex.parallax.com

slide-38
SLIDE 38

Propeller/Core 2

  • Clock: DC to 128MHz (80MHz recommended)
  • Global (hub) memory: 32KB RAM, 32KB ROM
  • Cog memory: 2KB RAM each
  • GPIO: 32 @ 40mA sink/source per pin
  • Program code loaded from external EEPROM on power-up

slide-39
SLIDE 39

Propeller/Core 3

slide-40
SLIDE 40

Propeller/Core 4

  • Standard development using Propeller Tool & Parallax Serial Terminal (Windows)
  • Programmable via serial interface (usually in conjunction w/ USB-to-serial IC)

slide-41
SLIDE 41

Propeller/Core 5

slide-42
SLIDE 42

USB Interface

  • Allows for Propeller programming & UI
  • Powers JTAGulator from bus (5V)
  • FT232RL USB-to-Serial UART
  • Entire USB protocol handled on-chip
  • Host will recognize as a virtual serial port (Windows, OS X, Linux)
  • MIC2025 Power Distribution Switch
  • Internal current limiting, thermal shutdown
  • Let the FT232 enumerate first (@ < 100mA), then enable system load

slide-43
SLIDE 43

USB Interface 2

slide-44
SLIDE 44

Adjustable Target Voltage

  • PWM from Propeller
  • Duty cycle corresponds to output voltage (VADJ)
  • Look-up table for values in 0.1V increments
  • AD8655 Low Noise, Precision CMOS Amplifier
  • Single supply, rail-to-rail
  • 220mA output current (~150mA @ Vo = 1.2V-3.3V)
  • Voltage follower configuration to serve as DAC buffer
slide-45
SLIDE 45

Level Translation

  • Allows 3.3V signals from Propeller to be converted to VADJ (1.2V-3.3V)
  • Prevents potential damage due to over-voltage on target device's unknown connections
  • TXS0108E Bidirectional Voltage-Level Translator
  • Designed for both open drain and push-pull interfaces
  • Internal pull-up resistors (40kΩ when driving low, 4kΩ when high)
  • Automatic signal direction detection
  • High-Z outputs when OE low -> will not interfere with target when not in use

slide-46
SLIDE 46

Level Translation 2

slide-47
SLIDE 47

Input Protection

  • Prevent high voltages/spikes on unknown pins from damaging JTAGulator

  • Diode limiter clamps input if needed
  • Vf must be < 0.5V to protect TXS0108Es
slide-48
SLIDE 48

Input Protection 2

  • NUP4302MR6 Schottky Diode Array
  • Vf @ 1mA = 0.2V typ., 0.35V max.
  • Vf @ 10mA = 0.25V typ., 0.45V max.
  • Alternate: SD103ASDM
slide-49
SLIDE 49

Bill-of-Materials

  • All components from Digi-Key
  • Total cost per unit = $50.73

Item | Quantity | Reference | Manufacturer | Manuf. Part # | Distributor | Distrib. Part # | Description
-----|----------|-----------|--------------|---------------|-------------|-----------------|------------
1 | 2 | C1, C2 | Kemet | C1206C103K5RACTU | Digi-Key | 399-1234-1-ND | Capacitor, 0.01uF ceramic, 10%, 50V, X7R, 1206
2 | 14 | C3, C6, C9, C11, C12, C13, C14, C15, C17, C18, C19, C20, C21, C22 | Kemet | C1206C104K5RACTU | Digi-Key | 399-1249-1-ND | Capacitor, 0.1uF ceramic, 10%, 50V, X7R, 1206
3 | 1 | C4 | Yageo | CC1206KRX7R9BB102 | Digi-Key | 311-1170-1-ND | Capacitor, 1000pF ceramic, 10%, 50V, X7R, 1206
4 | 1 | C5 | Yageo | CC1206KRX7R9BB471 | Digi-Key | 311-1167-1-ND | Capacitor, 470pF ceramic, 10%, 50V, X7R, 1206
5 | 1 | C7 | Kemet | T491A106M016AS | Digi-Key | 399-3687-1-ND | Capacitor, 10uF tantalum, 20%, 16V, size A
6 | 2 | C8, C10 | Kemet | T491A475K016AT | Digi-Key | 399-3697-1-ND | Capacitor, 4.7uF tantalum, 10%, 16V, size A
7 | 1 | D1 | Kingbright | WP59EGW | Digi-Key | 754-1232-ND | LED, Red/Green Bi-Color, T-1 3/4 (5mm)
8 | 1 | L1 | TDK | MPZ2012S221A | Digi-Key | 445-1568-1-ND | Inductor, Ferrite Bead, 220R@100MHz, 3A, 0805
9 | 1 | P1 | Hirose Electric | UX60-MB-5S8 | Digi-Key | H2960CT-ND | Connector, Mini-USB, 5-pin, SMT w/ PCB mount
10 | 5 | P2, P3, P4, P5, P6 | TE Connectivity | 282834-5 | Digi-Key | A98336-ND | Connector, Terminal Block, 5-pin, side entry, 0.1” P
11 | 3 | P7, P8, P9 | 3M | 961210-6404-AR | Digi-Key | 3M9460-ND | Header, Dual row, Vertical header, 2x5-pin, 0.1” P
12 | 1 | Q1 | Fairchild | MMBT3904 | Digi-Key | MMBT3904FSCT-ND | Transistor, NPN, 40V, 200mA, SOT23-3
13 | 5 | R1, R2, R3, R4, R10 | Any | Any | Digi-Key | P10KECT-ND | Resistor, 10k, 5%, 1/4W, 1206
14 | 1 | R5 | Any | Any | Digi-Key | P470ECT-ND | Resistor, 470 ohm, 5%, 1/4W, 1206
15 | 1 | R6 | Any | Any | Digi-Key | P270ECT-ND | Resistor, 270 ohm, 5%, 1/4W, 1206
16 | 1 | R7 | Any | Any | Digi-Key | P18.0KFCT-ND | Resistor, 18k, 1%, 1/4W, 1206
17 | 1 | R8 | Any | Any | Digi-Key | P8.20KFCT-ND | Resistor, 8.2k, 1%, 1/4W, 1206
18 | 1 | R9 | Any | Any | Digi-Key | P100KECT-ND | Resistor, 100k, 5%, 1/4W, 1206
19 | 3 | R11, R12, R13 | Bourns | 4816P-1-102LF | Digi-Key | 4816P-1-102LFCT-ND | Resistor, Array, 8 isolated, 1k, 2%, 1/6W, SOIC16
20 | 1 | SW1 | C&K | KSC201JLFS | Digi-Key | 401-1756-1-ND | Switch, SPST, Momentary, 120gf, 6.2 x 6.2mm, J-Lead
21 | 1 | U1 | FTDI | FT232RL-REEL | Digi-Key | 768-1007-1-ND | IC, USB-to-UART Bridge, SSOP28
22 | 1 | U2 | Parallax | P8X32A-Q44 | Digi-Key | P8X32A-Q44-ND | IC, Microcontroller, Propeller, LQFP44
23 | 1 | U3 | Micrel | MIC2025-2YM | Digi-Key | 576-1058-ND | IC, Power Distribution Switch, Single-channel, SOIC8
24 | 1 | U4 | Microchip | 24LC512-I/SN | Digi-Key | 24LC512-I/SN-ND | IC, Memory, Serial EEPROM, 64KB, SOIC8
25 | 1 | U5 | Analog Devices | AD8655ARZ | Digi-Key | AD8655ARZ-ND | IC, Op. Amp., CMOS, Rail-to-rail, 220mA Iout, SOIC8
26 | 1 | U6 | ST Microelectronics | LD1117S33CTR | Digi-Key | 497-1241-1-ND | IC, Voltage Regulator, LDO, 3.3V@800mA, SOT223
27 | 6 | U7, U8, U10, U11, U13, U14 | ON Semiconductor | NUP4302MR6T1G | Digi-Key | NUP4302MR6T1GOSCT-ND | IC, Schottky Diode Array, 4 channel, TSOP6
28 | 3 | U9, U12, U15 | Texas Instruments | TXS0108EPWR | Digi-Key | 296-23011-1-ND | IC, Level Translator, Bi-directional, TSSOP20
29 | 1 | Y1 | ECS | ECS-50-18-4XEN | Digi-Key | XC1738-ND | Crystal, 5.0MHz, 18pF, HC49/US
30 | 1 | PCB | Any | JTAG B | N/A | N/A | PCB, Fabrication

slide-50
SLIDE 50

Firmware

slide-51
SLIDE 51

Source Tree

slide-52
SLIDE 52

Cogs

  • Spin Interpreter (Cog 0)
  • Parallax Serial Terminal (ser)
  • Real Random (rr)
  • JDCogSerial (uart)
slide-53
SLIDE 53

Propeller Resources

slide-54
SLIDE 54

General Commands

  • Set target system voltage (V) (1.2V-3.3V)
  • Read all channels (R)
  • Write all channels (W)
  • Print available commands (H)
slide-55
SLIDE 55

JTAG Commands

  • Identify JTAG pinout via IDCODE scan (I)
  • Identify JTAG pinout via BYPASS scan (B)
  • Get Device IDs (D) (w/ known pinout)
  • Test BYPASS (T) (w/ known pinout)
slide-56
SLIDE 56

IDCODE Scan

  • 32-bit Device ID (if available) is in the DR on TAP reset or IC power-up
  • Otherwise, TAP will reset to BYPASS (LSB = 0)
  • Can simply enter Shift-DR state and clock out on TDO
  • TDI not required/used during IDCODE acquisition

[Figure: Device ID register bit layout (LSB marked)]

slide-57
SLIDE 57

IDCODE Scan 2

  • Device ID values vary with part/family/vendor
  • Locate in data sheets, BSDL files, reference code, etc.
  • Manufacturer ID provided by JEDEC
  • Each manufacturer assigned a unique identifier
  • Can use to help validate that proper IDCODE was retrieved
  • http://www.jedec.org/standards-documents/results/jep106

slide-58
SLIDE 58

IDCODE Scan 3

  • Ask user for number of channels to use
  • For every possible pin permutation (except TDI)
  • Set unused channels to output high (in case of any active low reset pins)

  • Configure JTAG pins to use on the Propeller
  • Reset the TAP
  • Try to get the Device ID by reading the DR
  • If Device ID is 0xFFFFFFFF or if bit 0 != 1, ignore
  • Otherwise, display potentially valid JTAG pinout
slide-59
SLIDE 59

BYPASS Scan

  • In BYPASS, data shifted into TDI is received on TDO delayed by one clock cycle

slide-60
SLIDE 60

BYPASS Scan 2

  • Can determine how many devices (if any) are in the chain via "blind interrogation"

  • Force device(s) into BYPASS (IR of all 1s)
  • Send 1s to fill DRs
  • Send a 0 and count until it is output on TDO
slide-61
SLIDE 61

BYPASS Scan 3

  • Ask user for number of channels to use
  • For every possible pin permutation
  • Set unused channels to output high (in case of any active low reset pins)
  • Configure JTAG pins to use on the Propeller
  • Reset the TAP
  • Perform blind interrogation
  • If number of detected devices > 0, display potentially valid JTAG pinout
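The blind interrogation described on the BYPASS Scan slides, simulated in Python as an added example (not JTAGulator firmware): the TAPs are constructed shift-register models with assumed IR lengths of 4, 8 and 5 bits, and the run with too few IR bits shows why a BYPASS permutation costs so many clocks compared with an IDCODE read.

```python
"""Simulated "blind interrogation" of a JTAG chain in BYPASS.

Added example for the BYPASS Scan slides; it is not JTAGulator firmware.
Each TAP is reduced to its shift registers: an instruction register (IR) of
device-specific length and the 1-bit BYPASS register.  A device whose IR is
not all 1s is assumed to have its 32-bit IDCODE register in the scan path.
TMS navigation of the TAP state machine and the Capture-DR step are left out.
"""
from typing import Callable, List


class Tap:
    def __init__(self, ir_len: int, idcode: int) -> None:
        if ir_len < 2:                       # IEEE 1149.1: IR is at least 2 bits
            raise ValueError("IR must be >= 2 bits")
        self.ir = [0] * ir_len               # ir[-1] is the stage driving TDO
        # IDCODE shifts out LSB first, so bit 0 sits in the TDO-side stage.
        self.idreg = [(idcode >> (31 - i)) & 1 for i in range(32)]
        self.bypass = 0
        self.in_bypass = False

    def ir_tdo(self) -> int:
        return self.ir[-1]

    def ir_capture(self, tdi: int) -> None:
        self.ir = [tdi] + self.ir[:-1]

    def ir_update(self) -> None:
        # An IR of all 1s selects BYPASS on every 1149.1-compliant device.
        self.in_bypass = all(b == 1 for b in self.ir)

    def dr_tdo(self) -> int:
        return self.bypass if self.in_bypass else self.idreg[-1]

    def dr_capture(self, tdi: int) -> None:
        if self.in_bypass:
            self.bypass = tdi
        else:
            self.idreg = [tdi] + self.idreg[:-1]


class Chain:
    """Devices listed in TDI -> TDO order; TDO of taps[i] feeds TDI of taps[i+1]."""

    def __init__(self, taps: List[Tap]) -> None:
        self.taps = taps

    def _clock(self, tdi: int, tdo: Callable[[Tap], int],
               capture: Callable[[Tap, int], None]) -> int:
        """One rising edge of TCK; returns the chain's TDO after the edge."""
        if not self.taps:
            return 1                         # constructed: open TDO, pulled high
        # TDO changes on the falling edge, so each stage captures what its
        # predecessor drove BEFORE this rising edge (one clock of delay per device).
        before = [tdo(t) for t in self.taps]
        capture(self.taps[0], tdi)
        for i in range(1, len(self.taps)):
            capture(self.taps[i], before[i - 1])
        return tdo(self.taps[-1])

    def shift_ir(self, tdi: int) -> int:
        return self._clock(tdi, Tap.ir_tdo, Tap.ir_capture)

    def shift_dr(self, tdi: int) -> int:
        return self._clock(tdi, Tap.dr_tdo, Tap.dr_capture)

    def update_ir(self) -> None:
        for t in self.taps:
            t.ir_update()


def blind_interrogate(chain: Chain, ir_flood_bits: int = 1024,
                      dr_fill_bits: int = 1024, max_devices: int = 1024) -> int:
    """Count devices as the slides describe; 0 means nothing answered.

    ir_flood_bits must exceed the sum of all IR lengths in the chain, which a
    scanner cannot know in advance: that is why each BYPASS permutation costs
    so many bits compared to an IDCODE read.
    """
    for _ in range(ir_flood_bits):           # 1. force every device into BYPASS
        chain.shift_ir(1)
    chain.update_ir()
    for _ in range(dr_fill_bits):            # 2. fill the DR path with 1s
        chain.shift_dr(1)
    for n in range(1, max_devices + 1):      # 3. send one 0, count until it exits
        if chain.shift_dr(0 if n == 1 else 1) == 0:
            return n
    return 0


def make_chain() -> Chain:
    """Constructed three-device chain (IR lengths 4, 8, 5; IDs from the slides)."""
    return Chain([Tap(4, 0x01C0601D), Tap(8, 0x2E649013), Tap(5, 0x1471217F)])


if __name__ == "__main__":
    print("enough IR bits   :", blind_interrogate(make_chain()))                    # 3
    print("only 8 IR bits   :", blind_interrogate(make_chain(), ir_flood_bits=8))   # 65
    print("nothing connected:", blind_interrogate(Chain([])))                       # 0
```

With only 8 IR bits the first device reaches BYPASS but the other two keep their 32-bit ID registers in the path, so the 0 emerges after 1 + 32 + 32 clocks and the "device count" is nonsense; that is the failure the slides' generous bit budget avoids.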

slide-62
SLIDE 62

DEFCON 17 Badge

  • Freescale MC56F8006 Digital Signal Controller
  • ID = 0x01C0601D
  • www.bsdl.info/details.htm?sid=e82c74686c7522e888ca59b002289d77

Bits (MSB...LSB) | 31...28 | 27...22       | 21...17          | 16...12         | 11...1             | 0
Field            | Ver.    | Design Center | Core Number      | Chip Derivative | Manufacturer ID    | Fixed
0x01C0601D       | 0000    | 000111        | 00000 (DSP56300) | 00110           | 00000001110 (0x0E) | 1

slide-63
SLIDE 63

Samsung SCH-i910

  • Marvell PXA312 (Intel XScale/ARM5)
  • ID = 0x2E649013
  • http://docs.toradex.com/100197-colibri-arm-som-pxa3xx-dm-vol-1.pdf (Table 9)
  • TCK = 5 (Blue), TMS = 4 (Pink), TDI = 3 (Grey), TDO = 6 (Orange), GND = 8 (Black)
  • JTAG disabled when external power supplied or phone is "on" via battery

slide-64
SLIDE 64

BlackBerry 7290

  • AD6529 "Hermes" DSP (ARM7TDMI)
  • AD6521 "Pegasus" Analog Baseband
  • IDs = 0x027831CB and 0x027B51CB
  • Unknown which ID is for which device
  • TDO1 = Only one device
  • TDO2 = Both devices in the chain

Bits (MSB...LSB) | 31...28 | 27      | 26...24        | 23...20     | 19...12       | 11...1             | 0
Field            | Ver.    | Core ID | Capability     | Family      | Device Number | Manufacturer ID    | Fixed
Row 1            | 0000    | 0 (ARM) | 010 (Reserved) | 0111 (ARM7) | 10000011      | 00011100101 (0xE5) | 1
Row 2            | 0000    | 0 (ARM) | 010 (Reserved) | 0111 (ARM7) | 01010001      | 00011100101 (0xE5) | 1

  • http://infocenter.arm.com/help/topic/com.arm.doc.dai0099c/DAI0099C_core_type_rev_id.pdf
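An added example (not from the JTAGulator firmware or the slides) showing how the 32-bit Device IDs quoted on the IDCODE Scan and example-device slides split into the IEEE 1149.1 fields, and how the scan loop's 0xFFFFFFFF / bit-0 filter discards non-IDs; the vendor-label table is constructed from the devices named on these slides, not a full JEP106 list.

```python
"""Decode and sanity-check 32-bit JTAG IDCODE values.

Added example for the IDCODE Scan and Device ID slides; it is not JTAGulator
firmware.  Field layout per IEEE 1149.1: bits 31..28 version, 27..12
part number, 11..1 manufacturer identity (a JEP106 code: bits 11..8 hold the
number of 0x7F continuation codes, bits 7..1 the 7-bit code with its parity
bit dropped), bit 0 is always 1.
"""
from dataclasses import dataclass
from typing import List, Optional

# Manufacturer field values taken from the devices shown on the slides;
# vendor labels are those the slides attach to the devices (a constructed
# lookup for illustration, not a JEP106 table).
KNOWN_MANUFACTURERS = {
    0x00E: "Freescale (MC56F8006, DEFCON 17 badge)",
    0x0E5: "Analog Devices (AD6529/AD6521, BlackBerry 7290)",
    0x009: "Intel (PXA312 XScale, Samsung SCH-i910)",
    0x0BF: "Broadcom (BCM4712, Linksys WRT54G)",
}


@dataclass(frozen=True)
class IdCode:
    raw: int
    version: int       # bits 31..28
    part_number: int   # bits 27..12 (vendor-defined subfields inside)
    manufacturer: int  # bits 11..1, 11-bit field
    continuation: int  # bits 11..8: number of JEP106 0x7F continuation codes
    jep106_code: int   # bits 7..1: 7-bit JEP106 code, parity bit dropped


def is_plausible_idcode(raw: int) -> bool:
    """Filter used by the slides' scan loop: 0xFFFFFFFF (TDO floating or
    pulled high) and any word with bit 0 != 1 are rejected.  A TAP with no
    ID register resets to BYPASS, whose single bit shifts out as 0, so the
    LSB test also discards those.  All-zero (TDO stuck low) is rejected too."""
    if raw < 0 or raw > 0xFFFFFFFF:
        return False
    if raw in (0xFFFFFFFF, 0x00000000):
        return False
    return raw & 1 == 1


def decode_idcode(raw: int) -> Optional[IdCode]:
    """Split a plausible IDCODE into its fields; None if it fails the filter."""
    if not is_plausible_idcode(raw):
        return None
    manufacturer = (raw >> 1) & 0x7FF
    return IdCode(
        raw=raw,
        version=(raw >> 28) & 0xF,
        part_number=(raw >> 12) & 0xFFFF,
        manufacturer=manufacturer,
        continuation=(manufacturer >> 7) & 0xF,
        jep106_code=manufacturer & 0x7F,
    )


def describe(raw: int) -> str:
    """One-line summary in the style of the slides' ID tables."""
    d = decode_idcode(raw)
    if d is None:
        return f"0x{raw:08X}: rejected (floating TDO, BYPASS or no TAP)"
    vendor = KNOWN_MANUFACTURERS.get(d.manufacturer, "vendor not in table")
    return (f"0x{raw:08X}: ver {d.version}, part 0x{d.part_number:04X}, "
            f"mfr 0x{d.manufacturer:03X} = JEP106 bank {d.continuation + 1} "
            f"code 0x{d.jep106_code:02X} ({vendor})")


def filter_scan(words: List[int]) -> List[int]:
    """Keep only the words an IDCODE scan should report as candidate IDs."""
    return [w for w in words if is_plausible_idcode(w)]


if __name__ == "__main__":
    # Constructed sample: the four IDs quoted on the slides plus the two
    # readings the scan loop must ignore (open line, BYPASS register).
    for word in [0x01C0601D, 0x2E649013, 0x027831CB, 0x1471217F,
                 0xFFFFFFFF, 0x00000000]:
        print(describe(word))
```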

slide-65
SLIDE 65

BlackBerry 7290 2

slide-66
SLIDE 66

UART Commands

  • Identify UART pinout (U)
  • UART pass through (P) (w/ known pinout)
slide-67
SLIDE 67

UART Scan

  • Ask user for desired output string (up to 16 bytes)
  • Ask user for number of channels to use
  • For every possible pin permutation
  • Configure UART pins to use on the Propeller
  • Set baud rate
  • Send user string
  • Wait to receive data (20ms maximum per byte)
  • If any bytes received, display potentially valid UART pinout and data (up to 16 bytes)

slide-68
SLIDE 68

UART Scan 2

  • 8 data bits, no parity, 1 stop bit (8N1)
  • Baud rates stored in look-up table
  • 75, 110, 150, 300, 900, 1200, 1800, 2400, 3600, 4800, 7200, 9600, 14400, 19200, 28800, 31250, 38400, 57600, 76800, 115200, 153600, 230400, 250000, 307200

slide-69
SLIDE 69

UART Scan 3

slide-70
SLIDE 70

Linksys WRT54G v2 rXH (w/ DD-WRT)

  • Broadcom BCM4712
  • ID = 0x1471217F
  • https://github.com/notch/tjtag/blob/master/tjtag.c
  • UART: JP1 (TXD = 4, RXD = 6) @ 115200, 8N1

  • www.jtagtest.com/pinouts/wrt54

slide-71
SLIDE 71

Scan Timing

# of Channels | IDCODE Permutations | IDCODE (mm:ss) | BYPASS Permutations | BYPASS (mm:ss)
--------------|---------------------|----------------|---------------------|---------------
4             | 24                  | < 00:01        | 24                  | 00:02
8             | 336                 | 00:02          | 1680                | 02:05
16            | 3360                | 00:13          | 43680               | 54:27
24            | 12144               | 00:46          | 255024              | 317:54

  • IDCODE
  • TDI ignored since we're only shifting data out of DR
  • ~264 permutations/second
  • BYPASS
  • Many bits/permutation needed to account for multiple devices in chain and varying IR lengths

  • ~13.37 permutations/second
slide-72
SLIDE 72

Scan Timing 2

# of Channels | UART Permutations | Time (mm:ss)
--------------|-------------------|-------------
4             | 12                | 00:12
8             | 56                | 00:57
16            | 240               | 4:04
24            | 552               | 9:22

  • UART
  • Only need to locate two pins (TXD/RXD)
  • 24 baud rates/permutation
  • ~1 permutation/second
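An added example (not from the JTAGulator firmware) that recomputes the permutation counts behind both timing tables, turns them into time estimates from the per-second rates the slides quote (the measured times on the slides differ from these by a few seconds), and snaps a measured bit width such as the ~8.7uS on the UART 3 slide to the nearest entry of the baud-rate table; the rates and the table are the slides' figures, the round-up to whole seconds is an assumption.

```python
"""Scan-budget helpers for a JTAGulator-style pin search.

Added example for the Scan Timing and UART slides; it is not JTAGulator
firmware.  It reproduces how the permutation counts in the timing tables
arise, converts them to time estimates using the throughput figures the
slides quote (measured times on the slides differ by a few seconds), and
snaps a measured UART bit width to the slides' baud-rate table.
"""
from math import ceil
from typing import Dict, List, Tuple

# Baud-rate look-up table as listed on the "UART Scan 2" slide.
BAUD_RATES: List[int] = [
    75, 110, 150, 300, 900, 1200, 1800, 2400, 3600, 4800, 7200, 9600, 14400,
    19200, 28800, 31250, 38400, 57600, 76800, 115200, 153600, 230400, 250000,
    307200,
]

# Throughput quoted on the "Scan Timing" slides, in permutations per second.
RATE_IDCODE = 264.0    # TDI is ignored, only TCK/TMS/TDO are assigned
RATE_BYPASS = 13.37    # many bits per permutation (chain length, IR lengths)
RATE_UART = 1.0        # every TXD/RXD pair is tried at all 24 baud rates


def permutations(channels: int, pins: int) -> int:
    """Ordered assignments of `pins` distinct signals to `channels` probe
    lines: n! / (n - k)!.  Order matters since TCK, TMS and TDO differ."""
    if pins < 0 or pins > channels:
        return 0
    count = 1
    for i in range(pins):
        count *= channels - i
    return count


def idcode_permutations(channels: int) -> int:
    return permutations(channels, 3)           # TCK, TMS, TDO


def bypass_permutations(channels: int) -> int:
    return permutations(channels, 4)           # TCK, TMS, TDO, TDI


def uart_permutations(channels: int) -> int:
    return permutations(channels, 2)           # TXD, RXD


def mmss(seconds: float) -> str:
    """Round up to whole seconds and print as mm:ss, as the slides do."""
    whole = ceil(seconds)
    return f"{whole // 60:02d}:{whole % 60:02d}"


def timing_row(channels: int) -> Dict[str, object]:
    """One row of the slides' timing tables, computed from the rates above."""
    idc = idcode_permutations(channels)
    byp = bypass_permutations(channels)
    uart = uart_permutations(channels)
    return {
        "channels": channels,
        "idcode_perms": idc, "idcode_time": mmss(idc / RATE_IDCODE),
        "bypass_perms": byp, "bypass_time": mmss(byp / RATE_BYPASS),
        "uart_perms": uart, "uart_trials": uart * len(BAUD_RATES),
        "uart_time": mmss(uart / RATE_UART),
    }


def baud_from_bit_width(bit_width_s: float) -> Tuple[int, float]:
    """Transfer speed = 1 / bit width (UART slide).  Returns the nearest
    table entry and the relative error, so a poor match stands out."""
    if bit_width_s <= 0:
        raise ValueError("bit width must be positive")
    measured = 1.0 / bit_width_s
    nearest = min(BAUD_RATES, key=lambda b: abs(b - measured))
    return nearest, abs(nearest - measured) / nearest


if __name__ == "__main__":
    for n in (4, 8, 16, 24):
        print(timing_row(n))
    # ~8.7uS bit width from the "UART 3" slide's scope capture
    print(baud_from_bit_width(8.7e-6))        # (115200, ~0.002)
```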
slide-73
SLIDE 73

Demonstration

slide-74
SLIDE 74

Potential Limitations

  • Could cause target to behave abnormally due to "fuzzing" unknown pins
  • OCD interface isn't being properly enabled
  • Non-standard configuration
  • Password protected
  • System expects defined reset sequence or pin setting
  • OCD interface is physically disconnected
  • Cut traces, missing jumpers/0 ohm resistors
  • No OCD interface exists

Additional reverse engineering will be necessary to determine the problem or discover pinout

slide-75
SLIDE 75

Future Work

  • Add support for other interfaces
  • TI Spy-Bi-Wire, ARM Serial Wire Debug, Microchip ICSP, Atmel AVR ISP

slide-76
SLIDE 76

Other Uses

  • Propeller development board
  • Logic analyzer
  • Inter-chip communication/probing ala Bus Pirate or GoodFET

  • ???
slide-77
SLIDE 77

Get It

  • www.jtagulator.com
  • Schematics, firmware, BOM, block diagram, Gerber plots, photos, other engineering documentation
  • www.parallax.com
  • Assembled units, bare boards, accessories

slide-78
SLIDE 78

A Poem

slide-79
SLIDE 79

Let's JTAGulate!