JTAG is a powerful interface for low-level debugging and introspection of all kinds of devices — CPUs, FPGAs, MCUs and a whole lot of complex purpose-built chips like RF front-ends. JTAG adapters can be quite obscure, or cost a pretty penny, which is why we’re glad to see that [Adam Taylor] from [ADIUVO] made a tutorial on using your Pi Pico board as a JTAG adapter. This relies on a project called XVC-Pico by [Dhiru Kholia], and doesn’t require anything other than a Pi Pico board itself — the XVC-Pico provides both an RP2040 firmware implementing the XVC (Xilinx Virtual Cable) specification and a daemon that connects to the Pico board and interfaces to tools like Vivado.
The first part of the write-up is dedicated to compiling the Pico firmware using a Linux VM. There’s a pre-built .uf2 binary available in the GitHub repo, however, so you don’t have to do that. Then, he compiles and runs a daemon on the PC where the Pico is connected, connects to that daemon through Vivado, and shows successful single-stepping through code on a MYIR Z-turn board with a Xilinx XC7Z020. It’s worth remembering that, if your FPGA’s (or any other target’s) JTAG logic levels are 1.8V or 2.5V-based, you will need a level shifter between it and the Pi Pico, which is a board firmly in the 3.3V realm.
You just cannot beat the $3 price and the ease of setup. Pi Pico is shaping up to be more and more of a hardware multi-tool. Just a month ago, we covered how the Pico can work as a logic analyzer. For a lot of that, we have the PIO peripherals to thank — an assembly of state machines that even let you “bitbang” high-speed interfaces like DVI. If you’re interested in how PIO functions, there are some good write-ups around here. Lacking a Pi Pico, you can use this board’s bigger sister to interface with JTAG, too.
Board space is a premium on small circuit board designs, and [Alvaro] knows it. So instead of adding a separate programming port, he’s found a niche USB-C feature that lets him use the port that he’s already added both for its primary application and for programming the target microcontroller over JTAG. The result is that he no longer needs to worry about spending precious board space for a tiny programming port; the USB-C port timeshares for both!
In a Twitter thread (Unrolled Link), [Alvaro] walks us through his discovery and progress towards an encapsulated solution. It turns out that the USB-C spec supports a “Debug-Accessory Mode” specification, where some pins are allowed to be repurposed if pins CC1 and CC2 are pulled up to Logic-1. Under these circumstances, the pin functions are released, and a JTAG programmer can step in to borrow them. To expose the port to a programmer, [Alvaro] cooked up a small breakout board with a USB-C plug and separate microcontroller populated on it.
This board also handles a small quirk. Since [Alvaro’s] choice of programming pins isn’t reversible, the USB-C plug will only work one of the two ways it can be plugged in. To keep the user informed, this breakout board sports a red LED for incorrect orientation and a green LED for correct orientation–nifty. While this design quirk sacrifices reversibility, it preserves the USB 2.0 D+ and D- pins while also handling some edge cases with regard to negotiating access to the port.
Stick through [Alvaro]’s Twitter thread for progress pics and more details on his rationale behind his pin choices. Who knows? With more eyes on the USB-C feature, maybe we’ll see this sort of programming interface become the norm?
[Alvaro] is no stranger to Hackaday. In fact, take a tour back to our very first Supercon to see him chat about shooting lasers at moving targets to score points on a DEFCON challenge in the past.
Over the last year or so we’ve noticed a definite uptick in the number of folks using OpenOCD on the Raspberry Pi. It’s a cheap and convenient solution for poking around with various microcontrollers and embedded devices, but not always the most elegant. Looking to improve on the situation somewhat, [Matthew Mets] has been working on a purpose-built JTAG Hat to clean things up a bit.
Onboard level shifters allow you to connect to JTAG and SWD interfaces from 1.8 to 5 V, and if you power the target device from the Pi itself, there’s even support for measuring the voltage and current. To connect up to your target, the open hardware board features a “legacy” pin header perfect for jumper wires, as well as a dedicated 10-pin Cortex Debug Connector. Whether you spin up your own or buy one assembled, it certainly looks like a tool worth having around if you often find yourself working with the appropriate chips.
In addition to the design files for the hardware, [Matthew] has also provided some nice documentation on how to get the software side of things up and running. Starting with a blank SD card, it walks you through the initial setup of the Raspberry Pi all the way through the installation and configuration of a patched version of OpenOCD designed to support the JTAG Hat.
If you spend more time working with 8-bit AVR chips, don’t worry. Last year we covered a similar project to turn everyone’s favorite Linux SBC into an all-in-one microcontroller development powerhouse.
Last Fall [Kevin] wanted to program some newer TPI-only AVRs using an old USBasp he had kicking around his lab. Finding an “odd famine of information” and “forums filled with incorrect information and schematics”, he decided to set the record straight and document things correctly. He sleuthed out the details and succeeded in reprogramming the USBasp, although he did end up buying a second one in the process.
Designers who use AVR microcontrollers have no shortage of programming interfaces — we count at least five different methods: ISP/SPI, JTAG, TPI, PDI, and UPDI. We’re not sure whether this variety is good or bad, but it is what it is. [Kevin] discovers that for the particular family of ATtiny devices he is using, the ATtiny20, TPI is the only option available.
While he normally builds his designs around ARM Cortex-M chips, [Kevin] needed some glue logic and decided to go with an ATtiny20 despite its unique programming requirements. He observes that the price of the ATtiny20, $0.53 last Fall, was cheaper than the equivalent logic gates he needed. This particular chip is also quite small — only 3 mm square (a 20-pin VQFN). We would prefer not to use different MCUs and tool chains on a single board, but sometimes the convenience and economics steer the design in that direction.
If you’re not familiar with the USBasp, our own [Mike Szczys] covered the breaking story over ten years ago. And if you have a lot of free time on your hands, ditch all these nicely packaged solutions and program your chips using an old USB Hub and a 74HCT00 NAND gate as described in this bizarre hack by Teensy developer [Paul Stoffregen].
Have you ever wanted to watch someone reverse engineer a piece of hardware and pick up some tips? You can’t be there while [Jeremy] tears open a Netgear N300 router, but you can see his process step by step in some presentation charts, and you’ll get a few ideas for the next time you want to do something like this.
The first part of the presentation might be a little basic for most Hackaday readers, but presumably, the intended audience might not know much about soldering or multimeters. But we enjoyed the methodology used to work out the UART pins on the board. We would have read the baud rate with the scope, which [Jeremy] does, but he also mentions a script to work it out and create a minicom profile that looked interesting.
Everyone who builds embedded systems wants tools to help build and debug systems faster, so it isn’t uncommon to see boards outfitted with various tools like serial port sniffers. We’ve seen a few incarnations and the latest is Glasgow. The small board uses an FPGA and claims to do the following:
- UART with automatic baud rate determination
- SPI or I2C
- Read and write common EEPROMs and flash chips
- Read and write common EPROMs including a data rescue function
- Program AVR chips via SPI
- Play back JTAG SVF files
- Debug ARC and some MIPS CPUs
- Program XC9500LX CPLDs
- Communicate to several wireless radios and CPUs
- Do sound synthesis
- Read raw data from floppy drives
The revC board is the first to be relatively functional and sports 16 I/O pins operating at up to 100 MHz, although the documentation hints that 6 MHz might be the top of what’s easily accomplished. The software is written in Python and uses the iCE40 FPGA toolchain that we’ve talked about many times in the past.
This already looks like a useful tool and the reconfigurable nature of FPGAs makes it a good platform to expand. The documentation discusses the difficulty in debugging things for the board, so the base software offers support such as a built-in logic analyzer to help.
We have seen dev boards become bench tools, like using the iCEstick as a logic analyzer. It’s nice to see dedicated tools like this one built up around the speed and versatility of FPGAs.
Amateur radio operators have always been at the top of their game when they’ve been hacking radios. A ham license gives you permission to open up a radio and modify it, or even to build a radio from scratch. True, as technology has advanced the opportunities for old school radio hacking have diminished, but that doesn’t mean that the new computerized radios aren’t vulnerable to the diligent ham’s tender ministrations.
A case in point: the Kenwood TH-D74A’s firmware has been dumped and partially decoded. A somewhat informal collaboration between [Hash (AG5OW)] and [Travis Goodspeed (KK4VCZ)], the process started with [Hash]’s teardown of his radio, seen in the video below. The radio, a tri-band handy talkie with capabilities miles beyond even the most complex of the cheap imports and with a price tag to match, had a serial port and JTAG connector. A JTAGulator allowed him to probe some of the secrets, but a full exploration required spending $140 on a spare PCB for the radio and some deft work removing the BGA-packaged Flash ROM and dumping its image to disk.
[Travis] picked up the analysis from there. He found three programs within the image, including the radio’s firmware and a bunch of strings used in the radio’s UI, in both English and Japanese. The work is far from complete, but the foundation is there for further exploration and potential future firmware patches to give the radio a different feature set.
This is a great case study in reverse engineering, and it’s really worth a trip down the rabbit hole to learn more. If you’re looking for a more formal exploration of reverse engineering, you could do a lot worse than HackadayU’s “Reverse Engineering with Ghidra” course, which is just wrapping up. Watch for the class videos soon.