Unbricking a Router With a Raspi

jtag

About a decade ago, [Mansour] learned of the Linksys WRT54G, a wireless router that’s been shoved into just about every project under the sun. After learning of this device’s power, he decided a firmware upgrade was in order. Unfortunately, he accidentally bricked this router and left it sitting on a shelf for a few years.

Idle devices are the devil’s playthings, and when [Mansour] discovered a Samsung hard drive with a an SDRAM that was compatible with the WRT54G, he decided he would have a go at repairing this ancient router. There was only one problem: the most popular utility for programming the router through the JTAG header required a PC parallel port.

No problem, then, as [Mansour] had a Raspberry Pi on hand. The parallel port utility bit-banged the new firmware over to the router, something the GPIO port on the Pi could do in spades. By adding Pi support to the debricking utility, [Mansour] had a functional WRT54G with just a little bit of patience and a few wires connecting the GPIO and JTAG header.

JTAGulator Finds Debug Interfaces

jtagulator

[Joe Grand] has come up with a tool which we think will be useful to anyone trying to hack a physical device: The JTAGulator. We touched on the JTAGulator briefly during our DEF CON coverage, but it really deserves a more in-depth feature. The JTAGulator is a way to discover On Chip Debug (OCD) interfaces on unfamiliar hardware.

Open any cell phone, router, or just about any moderately complex device today, and you’ll find test points. Quite often at least a few of these test points are the common JTAG / IEEE 1149.1 interface.

JTAG interfaces have 5 basic pins: TDI (Test Data In), TDO (Test Data Out), TCK (Test Clock), and TMS (Test Mode Select), /TRST (Test Reset) (optional).

If you’re looking at a PCB with many test points, which ones are the JTAG pins? Also which test points are which signals? Sometimes the PCB manufacturer will give clues on the silk screen. Other times you’re on your own. [Joe] designed the JTAGulator to help find these pins.

[Read more...]

Learn JTAG by writing a bit-banging programmer

j-tag-flow-chart

[Pesco] won one of Dangerous Prototypes’ PCB giveaways a few months ago. He opted for a CPLD breakout board. He just needed to put in a parts order and populate the components himself. But then what? He needed a JTAG programmer to work with the chip. Like any good autodidact he choose to make his own rather than buying one. He absorbed the JTAG specification and coded a bit banging programmer using an Arduino.

We’ve used JTAG many times to program ARM chips. But until now we never took the time to figure out how the specification works. If you’ve got an IEEE subscription you can download the whitepaper, but [Pesco] was also able to find one floating around on the interwebs. The flow chart on the left is the cheat sheet he put together based on his readings. From there he wrote the Arduino sketch which implements the programming standard, allowing him to interact with a chip through a minicom terminal window.

[via Dangerous Prototypes]

Evalbot as a JTAG programmer

evalbot-as-jtag-programmer

[Adarsh] needed a JTAG programmer to push code to a CPLD dev board he was working with. He knew he didn’t have a dedicated programmer but figured he could come up with something. Pictured above is his hack to use a Stellaris Evalbot as a programmer.

Long time readers will remember the Evalbot coupon code debacle of 2010. The kits were being offered with a $125 discount as part of a conference. We were tipped off about the code not know its restrictions, and the rest is history. We figure there’s a number of readers who have one collecting dust (except for people like [Adam] that used it as a webserver). Here’s your chance to pull it out again and have some fun.

A bit of soldering to test points on the board is all it takes. The connections are made on the J4 footprint which is an unpopulated ICDI header. On the software side [Adarsh] used OpenOCD with stock configuration and board files (specifics in his writeup) to connect to the white CPLD board using JTAG.

DEF CON: Tamper Evidence, Contests, and Embedded Talks

Tamper Evident Devices

For day two of DEF CON, I checked out tamper evident devices, the contests area, and a few embedded talks. Read all about it after the break.

[Read more...]

[Sprite_TM] OHM2013 Talk: Hacking hard drive controller chips

hacking-hard-drive-controllers

Even if he hadn’t done any firmware hacking on this hard drive [Sprite_TM's] digital exploration of the controller is fascinating. He gave a talk at this year’s Observe, Hack, Make (OHM2013) — a non-commercial community run event in the Netherlands and we can’t wait for the video. But all the information on how he hacked into the three-core controller chip is included in his write up.

[Sprite_TM] mentions that you’re not going to find datasheets for the controllers on these drives. He got his foot in the door after finding a JTAG pinout mentioned on a forum post. The image above shows his JTAG hardware which he’s controlling with OpenOCD. This led him to discover that there are three cores inside the controller, each used for a different purpose. The difference between [Sprite_TM's] work and that of mere mortals is that he has a knack for drawing surprisingly accurate conclusions from meager clues. To see what we mean check out the memory map for the second core which he posted on page 3 or his article.

Using JTAG he was able to inject a jump into the code (along with a filler word to keep the checksum valid) and run his own code. To begin the firmware hacking portion of the project he pulled the flash ROM off of the board and installed it on that little board sticking out on the left. This made it easy for him to backup and reflash the chip. Eventually this let him pull off the same proof of concept as a firmware-only hack (no JTAG necessary). He goes onto detail how an attacker who has root access could flash hacked firmware which compromises data without any indication to they system admin or user. But we also like his suggestion that you should try this out on your broken hard drives to see if you can reuse the controllers for embedded projects. That idea is a ton a fun!

When we were poking around the OHM2013 website (linked above) we noticed that the tickets are sold out; good for them! But if you were still able to buy them they take Bitcoin as one payment option. Are there any other conferences that allow Bitcoin for registration?

Etch your own CPLD development board

etch-your-own-cpld-breakout

Ever wanted to make the jump from microcontrollers to logic chips? Although not technically the same thing we consider FPGA and CPLD devices to be in similar categories. Like FPGAs, Complex Programmable Logic Devices let you build hardware inside of a chip. And if you’ve got the knack for etching circuit boards you can now build your own CPLD development module. Long-time Hackaday readers will remember our own offering in this area.

Our years of microcontroller experience have taught us a mantra: if it doesn’t work it’s a hardware problem. We have a knack for wasting hours trying to figure out why our code doesn’t work. The majority of the time it’s a hardware issue. And this is why you might not want to design your own dev tools when just starting out. But one thing this guide has going for it is incremental testing. After etching and inspecting the board, it is populated in stages. There is test code available for each stage that will help verify that the hardware is working as expected.

The CPLD is programmed using that 10-pin header. If you don’t have a programmer you can build your own that uses a parallel port. Included on the board is an ATtiny2313 which is a nice touch as it can simulate all kinds of different hardware to test with your VHDL code. There is also a row of LEDs, a set of DIP switches, and a few breakout headers to boot.

Follow

Get every new post delivered to your Inbox.

Join 92,278 other followers