Stepping Through Code on a Pace 4000 Set Top Box

virgin_pace_jtag1

[Lee] wrote in to tell us about a Set Top Box he hacked. Before the cable industry lawyers get out their flaming swords… he’s not stealing cable, or really doing much of anything. This is a hack just for the adventure and thrill of making someone else’s hardware design do your bidding without any kind of instructions.

He posted about the adventure in two parts. The first is finding the JTAG header and identifying the pins. Arduino to the rescue! No really, and this is the type of Arduino use we love. Using a package called JTAGenum the board becomes a quick tool for probing and identifying JTAG connections.

The image above shows a different piece of hardware. From looking at it we’re pretty sure this is a Bus Blaster which is specifically designed for JTAG debugging with ARM processors. This is the beginning of the second part of his documentation which involves code dumping and stepping through lines code (or instructions) using OpenOCD and GDB. It’s a chore to follow all that [Lee] discovered just to write his name to the display of the box. But we certainly found it interesting. The display has a convoluted addressing scheme. We assume that there are cascading shift registers driving the segments and that’s why it behaves the way it does. Take a look for yourself and let us know what you think in the comments.

Unbricking a Router With a Raspi

jtag

About a decade ago, [Mansour] learned of the Linksys WRT54G, a wireless router that’s been shoved into just about every project under the sun. After learning of this device’s power, he decided a firmware upgrade was in order. Unfortunately, he accidentally bricked this router and left it sitting on a shelf for a few years.

Idle devices are the devil’s playthings, and when [Mansour] discovered a Samsung hard drive with a an SDRAM that was compatible with the WRT54G, he decided he would have a go at repairing this ancient router. There was only one problem: the most popular utility for programming the router through the JTAG header required a PC parallel port.

No problem, then, as [Mansour] had a Raspberry Pi on hand. The parallel port utility bit-banged the new firmware over to the router, something the GPIO port on the Pi could do in spades. By adding Pi support to the debricking utility, [Mansour] had a functional WRT54G with just a little bit of patience and a few wires connecting the GPIO and JTAG header.

JTAGulator Finds Debug Interfaces

jtagulator

[Joe Grand] has come up with a tool which we think will be useful to anyone trying to hack a physical device: The JTAGulator. We touched on the JTAGulator briefly during our DEF CON coverage, but it really deserves a more in-depth feature. The JTAGulator is a way to discover On Chip Debug (OCD) interfaces on unfamiliar hardware.

Open any cell phone, router, or just about any moderately complex device today, and you’ll find test points. Quite often at least a few of these test points are the common JTAG / IEEE 1149.1 interface.

JTAG interfaces have 5 basic pins: TDI (Test Data In), TDO (Test Data Out), TCK (Test Clock), and TMS (Test Mode Select), /TRST (Test Reset) (optional).

If you’re looking at a PCB with many test points, which ones are the JTAG pins? Also which test points are which signals? Sometimes the PCB manufacturer will give clues on the silk screen. Other times you’re on your own. [Joe] designed the JTAGulator to help find these pins.

[Read more...]

Learn JTAG by writing a bit-banging programmer

j-tag-flow-chart

[Pesco] won one of Dangerous Prototypes’ PCB giveaways a few months ago. He opted for a CPLD breakout board. He just needed to put in a parts order and populate the components himself. But then what? He needed a JTAG programmer to work with the chip. Like any good autodidact he choose to make his own rather than buying one. He absorbed the JTAG specification and coded a bit banging programmer using an Arduino.

We’ve used JTAG many times to program ARM chips. But until now we never took the time to figure out how the specification works. If you’ve got an IEEE subscription you can download the whitepaper, but [Pesco] was also able to find one floating around on the interwebs. The flow chart on the left is the cheat sheet he put together based on his readings. From there he wrote the Arduino sketch which implements the programming standard, allowing him to interact with a chip through a minicom terminal window.

[via Dangerous Prototypes]

Evalbot as a JTAG programmer

evalbot-as-jtag-programmer

[Adarsh] needed a JTAG programmer to push code to a CPLD dev board he was working with. He knew he didn’t have a dedicated programmer but figured he could come up with something. Pictured above is his hack to use a Stellaris Evalbot as a programmer.

Long time readers will remember the Evalbot coupon code debacle of 2010. The kits were being offered with a $125 discount as part of a conference. We were tipped off about the code not know its restrictions, and the rest is history. We figure there’s a number of readers who have one collecting dust (except for people like [Adam] that used it as a webserver). Here’s your chance to pull it out again and have some fun.

A bit of soldering to test points on the board is all it takes. The connections are made on the J4 footprint which is an unpopulated ICDI header. On the software side [Adarsh] used OpenOCD with stock configuration and board files (specifics in his writeup) to connect to the white CPLD board using JTAG.

DEF CON: Tamper Evidence, Contests, and Embedded Talks

Tamper Evident Devices

For day two of DEF CON, I checked out tamper evident devices, the contests area, and a few embedded talks. Read all about it after the break.

[Read more...]

[Sprite_TM] OHM2013 Talk: Hacking hard drive controller chips

hacking-hard-drive-controllers

Even if he hadn’t done any firmware hacking on this hard drive [Sprite_TM's] digital exploration of the controller is fascinating. He gave a talk at this year’s Observe, Hack, Make (OHM2013) — a non-commercial community run event in the Netherlands and we can’t wait for the video. But all the information on how he hacked into the three-core controller chip is included in his write up.

[Sprite_TM] mentions that you’re not going to find datasheets for the controllers on these drives. He got his foot in the door after finding a JTAG pinout mentioned on a forum post. The image above shows his JTAG hardware which he’s controlling with OpenOCD. This led him to discover that there are three cores inside the controller, each used for a different purpose. The difference between [Sprite_TM's] work and that of mere mortals is that he has a knack for drawing surprisingly accurate conclusions from meager clues. To see what we mean check out the memory map for the second core which he posted on page 3 or his article.

Using JTAG he was able to inject a jump into the code (along with a filler word to keep the checksum valid) and run his own code. To begin the firmware hacking portion of the project he pulled the flash ROM off of the board and installed it on that little board sticking out on the left. This made it easy for him to backup and reflash the chip. Eventually this let him pull off the same proof of concept as a firmware-only hack (no JTAG necessary). He goes onto detail how an attacker who has root access could flash hacked firmware which compromises data without any indication to they system admin or user. But we also like his suggestion that you should try this out on your broken hard drives to see if you can reuse the controllers for embedded projects. That idea is a ton a fun!

When we were poking around the OHM2013 website (linked above) we noticed that the tickets are sold out; good for them! But if you were still able to buy them they take Bitcoin as one payment option. Are there any other conferences that allow Bitcoin for registration?

Follow

Get every new post delivered to your Inbox.

Join 94,651 other followers