**** BEGIN LOGGING AT Tue Feb 23 02:59:58 2010
Feb 23 18:04:15 How common is it to be able to read or write the contents of a processor via jtag?
Feb 23 18:04:42 I've been looking at commercial tools and they cost like $10k easily.
Feb 23 18:05:04 Basically I have a processor on an embedded controller and I want to read the firmware off its onboard flash.
Feb 23 18:05:13 Any ideas?
Feb 23 18:22:36 there are plenty of cheap dongles
Feb 23 18:22:45 ftdi based and such
Feb 23 18:23:02 or even a five-resistor lpt wiggler
Feb 23 18:23:19 but you need to know the jtag pins on the board
Feb 23 18:44:45 jtag pins on the board are easy
Feb 23 18:46:13 Trouble so far has been finding any info on it. I have the data sheets for the processor and they show boundary scan and something called tap.
Feb 23 18:46:49 tap means test access point
Feb 23 18:47:08 basically the thing that handles jtag communication
Feb 23 18:47:40 ah. My problem is you don't find anyone talking about reading/writing the device memory or flash via jtag
Feb 23 18:48:03 well, there are two ways
Feb 23 18:48:15 1) boundary scan (used by urjtag)
Feb 23 18:48:39 you just sort of ignore the cpu and use the boundary scan register to toggle pins connected to the flash
Feb 23 18:49:02 pretty slow and you need to know the BSR layout
Feb 23 18:49:11 is that possible with an internal flash?
Feb 23 18:49:17 the flash I'm thinking of is internal to the processor
Feb 23 18:49:19 ah, internal
Feb 23 18:49:21 hmm
Feb 23 18:49:35 well, then the second approach might work
Feb 23 18:49:48 2) ask the cpu to read data (used by openocd)
Feb 23 18:50:18 use jtag to write a read instruction to the instruction cache, execute it, read the filled-in cpu register
Feb 23 18:50:32 needs support from the cpu for such stuff
Feb 23 18:51:11 btw many mcus with embedded flash have a serial bootloader for initial programming
Feb 23 18:51:24 and sometimes it allows reading, not just writing
Feb 23 18:52:00 This has a serial bootloader but my challenge is to get the flash out because the serial bootloader requires a password.
Feb 23 18:52:22 ah
Feb 23 18:52:30 I know it's possible because others have somehow read it. I assume through the jtag port.
Feb 23 18:52:44 which mcu is it?
Feb 23 18:52:50 m32r
Feb 23 18:52:51 read the docs, see if there are extra jtag commands
Feb 23 18:53:11 the docs don't talk about any extra commands
Feb 23 18:53:33 I suspect they'd be undocumented.
Feb 23 18:54:26 iirc urjtag can discover extra commands
Feb 23 18:54:35 or try this http://deadhacker.com/2010/02/03/jtag-enumeration/
Feb 23 18:56:31 hmm http://www.activeboard.com/forum.spark?aBID=99460&p=3&topicID=25151801&page=1
Feb 23 18:57:10 Ok. I will read the jtag-enumeration stuff. I don't mind reading docs - have done a lot of that but sometimes it's easier to find out if I'm wasting my time at the outset.
Feb 23 18:57:50 yes the activeboard stuff. At some point he says he read it via the debug port.
Feb 23 18:58:05 i wonder if that UFLA32R has a password inside
Feb 23 18:58:43 nope. It doesn't have the pwd inside.
Feb 23 18:59:13 Once you discover the password it's the same for most ECUs
Feb 23 19:01:24 hmm i see something called "Real-Time Debugger (RTD)" in the datasheet
Feb 23 19:02:58 yes there is also the RTD. I was thinking if I kick the chip into bootloader mode possibly the RTD could be used to read all the RAM and I may find the bootloader password has been loaded into ram.
Feb 23 19:04:08 If a programmer had security in mind they'd disable the RTD the second the bootloader starts... however in my experience these guys seldom have security at the top of their list.
Feb 23 19:04:22 can it be disabled?
Feb 23 19:05:54 btw i don't see any limits for the "read ram" command mentioned... so maybe it can access flash as well
Feb 23 19:06:06 never thought about that.
Feb 23 19:06:30 I assume it can be disabled but have never tried that...
Feb 23 19:06:49 I haven't yet worked out how to read/write stuff on the RTD port.
Feb 23 19:07:11 a simple USB serial converter seemed like a good idea but it also requires a clock signal.
Feb 23 19:08:21 ftdi chips seem to provide a pretty flexible way to work with many synchronous protocols
Feb 23 19:08:29 but i'd just use some microcontroller
Feb 23 19:10:07 it looks pretty close to spi
Feb 23 19:56:27 I suppose I could get a micro to bit-bang the protocol but man, I hate writing stuff like that if there is a way to do it otherwise.
Feb 23 20:08:13 well, you could ask that guy :)
Feb 23 20:09:17 Tried contacting him. No go on that. These guys usually don't like to let any info out.
Feb 23 20:29:03 gotta do it yourself then
**** ENDING LOGGING AT Wed Feb 24 03:00:02 2010