Over the last year or so we’ve noticed a definite uptick in the number of folks using OpenOCD on the Raspberry Pi. It’s a cheap and convenient solution for poking around with various microcontrollers and embedded devices, but not always the most elegant. Looking to improve on the situation somewhat, [Matthew Mets] has been working on a purpose-built JTAG Hat to clean things up a bit.
Onboard level shifters allow you connect to JTAG and SWD interfaces from 1.8 to 5 V, and if you power the target device from the Pi itself, there’s even support for measuring the voltage and current. To connect up to your target, the open hardware board features a “legacy” pin header perfect for jumper wires, as well as a dedicated 10-pin Cortex Debug Connector. Whether you spin up your own or buy one assembled, it certainly looks like a tool worth having around if you often find yourself working with the appropriate chips.
In addition to the design files for the hardware, [Matthew] has also provided some nice documentation on how to get the software side of things up and running. Starting with a blank SD card, it walks you through the initial setup of the Raspberry Pi all the way through the installation and configuration of a patched version of OpenOCD designed to support the JTAG Hat.
If you spend more time working with 8-bit AVR chips, don’t worry. Last year we covered a similar project to turn everyone’s favorite Linux SBC into an all-in-one microcontroller development powerhouse.
Last Fall [Kevin] wanted to program some newer TPI-only AVRs using an old USBasp he had kicking around his lab. Finding an “odd famine of information” and “forums filled with incorrect information and schematics”, he decided to set the record straight and document things correctly. He sleuthed out the details and succeeded in reprogramming the USBasp, although he did end up buying a second one in the process.
Designers who use AVR microcontrollers have no shortage of programming interfaces — we count at least five different methods: ISP/SPI, JTAG, TPI, PDI, and UPDI. We’re not sure whether this is variety is good or bad, but it is what it is. [Kevin] discovers that for the particular family of Attiny devices he is using, the ATtiny20, TPI is the only option available.
While he normally builds his designs around ARM Cortex-M chips, [Kevin] needed some glue logic and decided to go with an ATtiny20 despite its unique programming requirements. He observes that the price of the ATtiny20, $0.53 last Fall, was cheaper than the equivalent logic gates he needed. This particular chip is also quite small — only 3 mm square (a 20-pin VQFN). We would prefer not to use different MCUs and tool chains on a single board, but sometimes the convenience and economics steer the design in that direction.
If you’re not familiar with the USBasp, our own [Mike Szczys] covered the breaking story over ten years ago. And if you have a lot of free time on your hands, ditch all these nicely packaged solutions and program your chips using an old USB Hub and a 74HCT00 NAND gate as described in this bizarre hack by Teensy developer [Paul Stoffregen].
Have you ever wanted to watch someone reverse engineer a piece of hardware and pick up some tips? You can’t be there while [Jeremy] tears open a Netgear N300 router, but you can see his process step by step in some presentation charts, and you’ll get a few ideas for the next time you want to do something like this.
The first part of the presentation might be a little basic for most Hackaday readers, but presumably, the intended audience might not know much about soldering or multimeters. But we enjoyed the methodology used to work out the UART pins on the board. We would have read the baud rate with the scope, which [Jeremy] does, but he also mentions a script to work it out and create a minicom profile that looked interesting.
Continue reading “Hacking A Netgear Router”
Everyone who builds embedded systems wants tools to help build and debug systems faster, so it isn’t uncommon to see boards outfitted with various tools like serial port sniffers. We’ve seen a few incarnations and the latest is Glasgow. The small board uses an FPGA and claims to do the following:
- UART with automatic baud rate determination
- SPI or I2C
- Read and write common EEPROMs and flash chips
- Read and write common EPROMs including a data rescue function
- Program AVR chips via SPI
- Play back JTAG SVF files
- Debug ARC and some MIPS CPUs
- Program XC9500LX CPLDs
- Communicate to several wireless radios and CPUs
- Do sound synthesis
- Read raw data from floppy drives
The revC board is the first to be relatively functional and sports 16 I/O pins operating at up to 100 MHz, although the documentation hints that 6 MHz might be the top of what’s easily accomplished. The software is written in Python and the iCE40 FPGA toolchain that we’ve talked about many times in the past.
This already looks like a useful tool and the reconfigurable nature of FPGAs makes it a good platform to expand. The documentation discusses the difficulty in debugging things for the board, so the base software offers support such as a built-in logic analyzer to help.
We have seen dev boards become bench tools, like using the iCEstick as a logic analyzer. It’s nice to see dedicated tools like this one built up around the speed and versatility of FPGAs.
Continue reading “Glasgow Uses An FPGA As An Embedded Systems Multitool”
Amateur radio operators have always been at the top of their game when they’ve been hacking radios. A ham license gives you permission to open up a radio and modify it, or even to build a radio from scratch. True, as technology has advanced the opportunities for old school radio hacking have diminished, but that doesn’t mean that the new computerized radios aren’t vulnerable to the diligent ham’s tender ministrations.
A case in point: the Kenwood TH-D74A’s firmware has been dumped and partially decoded. A somewhat informal collaboration between [Hash (AG5OW)] and [Travis Goodspeed (KK4VCZ)], the process that started with [Hash]’s teardown of his radio, seen in the video below. The radio, a tri-band handy talkie with capabilities miles beyond even the most complex of the cheap imports and with a price tag to match, had a serial port and JTAG connector. A JTAGulator allowed him to probe some of the secrets, but a full exploration required spending $140 on a spare PCB for the radio and some deft work removing the BGA-packaged Flash ROM and dumping its image to disk.
[Travis] picked up the analysis from there. He found three programs within the image, including the radio’s firmware and a bunch of strings used in the radio’s UI, in both English and Japanese. The work is far from complete, but the foundation is there for further exploration and potential future firmware patches to give the radio a different feature set.
This is a great case study in reverse engineering, and it’s really worth a trip down the rabbit hole to learn more. If you’re looking for a more formal exploration of reverse engineering, you could do a lot worse than HackadayU’s “Reverse Engineering with Ghidra” course, which just wrapping up. Watch for the class videos soon. Continue reading “High-End Ham Radio Gives Up Its Firmware Secrets”
Hackaday editors Elliot Williams and Mike Szczys check out the week’s awesome hacks. From the mundane of RC controlled TP to a comprehensive look into JTAG for Hackers, there’s something for everyone. We discuss a great guide on the smelly business of resin printing, and look at the misuse of lithium battery protection circuits. There’s a trainable servo, star-tracking space probes, and a deep dive into why bootstrapped ventilator designs are hard.
Take a look at the links below if you want to follow along, and as always tell us what you think about this episode in the comments!
Direct download (~60 MB)
Places to follow Hackaday podcasts:
Continue reading “Hackaday Podcast 062: Tripping Batteries, Ventilator Design, Stinky Prints, And Simon Says Servos”
If you’re reading Hackaday, you’ve almost certainly heard of JTAG. There’s an excellent chance you’ve even used it once or twice to reflash an unruly piece of hardware. But how well do you actually know JTAG? More specifically, do you know how useful it can be when reverse engineering hardware?
Whether you’re a JTAG veteran or a novice, this phenomenal guide written by [wrongbaud] is sure to teach you a thing or two. Starting with a low-level explanation of how the interface actually works, the guide takes you though discovering JTAG ports on unknown targets, the current state-of-the-art in open source tools to interact with the device, and finally shows a real-world example of pulling and analyzing a gadget’s firmware.
There’s no way to do his write-up justice with a breakdown or a summary, so we won’t even try. Just get comfortable, maybe grab a drink, and dive in. It’s certainly not a short read, but there isn’t a wasted word on the page. Every piece of the puzzle, from how to figure out an unlabeled pinout to determining the instruction length, is explained in exactly the amount of detail you’re looking for. This is a guide for hackers written by a hacker, and it shows.
It will probably come as no surprise to find this isn’t the first time [wrongbaud] has done a deep dive like this. Over the last few months we’ve been covering his series of practical reverse engineering guides, and each one has been an invaluable resource. Perfect study guides for when a global pandemic has you stuck in the house.